CLF-C02: AWS Certified Cloud Practitioner


Question 131

A company hosts an application on an Amazon EC2 instance. The EC2 instance needs to access several AWS resources, including Amazon S3 and Amazon DynamoDB.

What is the MOST operationally efficient solution to delegate permissions?
Create an IAM role with the required permissions. Attach the role to the EC2 instance.
Create an IAM user and use its access key and secret access key in the application.
Create an IAM user and use its access key and secret access key to create a CLI profile in the EC2 instance.
Create an IAM role with the required permissions. Attach the role to the administrative IAM user.




Answer is Create an IAM role with the required permissions. Attach the role to the EC2 instance.

You can and should use an IAM role to manage temporary credentials for applications that run on an Amazon EC2 instance. When you use a role, you don't have to distribute long-term credentials (such as a user name and password or access keys) to an Amazon EC2 instance.

Reference:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html

Question 132

A large organization has a single AWS account.

What are the advantages of reconfiguring the single account into multiple AWS accounts? (Choose two.)
A. It allows for administrative isolation between different workloads.
B. Discounts can be applied on a quarterly basis by submitting cases in the AWS Management Console.
C. Transitioning objects from Amazon S3 to Amazon S3 Glacier in separate AWS accounts will be less expensive.
D. Having multiple accounts reduces the risks associated with malicious activity targeted at a single account.
E. Amazon QuickSight offers access to a cost tool that provides application-specific recommendations for environments running in multiple accounts.




Answers are:
A. It allows for administrative isolation between different workloads.
D. Having multiple accounts reduces the risks associated with malicious activity targeted at a single account.

Group workloads based on business purpose and ownership
Constrain access to sensitive data

Reference:
https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/benefits-of-using-multiple-aws-accounts.html

Question 133

A retail company has recently migrated its website to AWS. The company wants to ensure that it is protected from SQL injection attacks. The website uses an Application Load Balancer to distribute traffic to multiple Amazon EC2 instances.

Which AWS service or feature can be used to create a custom rule that blocks SQL injection attacks?
Security groups
AWS WAF
Network ACLs
AWS Shield




Answer is AWS WAF

AWS WAF lets you define rules that block or allow requests based on conditions that you specify, such as the IP addresses that requests originate from or values in the requests; a SQL injection match rule statement, which inspects request components for SQL injection patterns, is one such condition.

Reference:
https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-sqli-match.html

Question 134

Why is an AWS Well-Architected review a critical part of the cloud design process?
A Well-Architected review is mandatory before a workload can run on AWS.
A Well-Architected review helps identify design gaps and helps evaluate design decisions and related documents.
A Well-Architected review is an audit mechanism that is a part of requirements for service level agreements.
A Well-Architected review eliminates the need for ongoing auditing and compliance tests.




Answer is A Well-Architected review helps identify design gaps and helps evaluate design decisions and related documents.


Question 135

A company implements an Amazon EC2 Auto Scaling policy along with an Application Load Balancer to automatically recover unhealthy applications that run on Amazon EC2 instances.

Which pillar of the AWS Well-Architected Framework does this action cover?
Security
Performance efficiency
Operational excellence
Reliability




Answer is Reliability

Keyword: "to recover unhealthy applications".
The reliability pillar includes the ability of a system to recover from infrastructure or service disruptions.

Reference:
https://docs.aws.amazon.com/wellarchitected/latest/reliability-pillar/wellarchitected-reliability-pillar.pdf

Question 136

A company needs to design an AWS disaster recovery plan to cover multiple geographic areas.

Which action will meet this requirement?
Configure multiple AWS accounts.
Configure the architecture across multiple Availability Zones in an AWS Region.
Configure the architecture across multiple AWS Regions.
Configure the architecture among many edge locations.




Answer is Configure the architecture across multiple AWS Regions.

AWS multi-Region disaster recovery (DR) allows a company to replicate its data and applications across multiple AWS Regions. This enables the company to maintain high availability and quickly fail over to another Region in the event of a disaster or outage. This approach is the most comprehensive disaster recovery plan for covering multiple geographic areas, and it can ensure data durability and availability even in the case of a complete regional failure.

In addition to data, you must also back up the configuration and infrastructure necessary to redeploy your workload and meet your Recovery Time Objective (RTO). AWS CloudFormation provides Infrastructure as Code (IaC), and enables you to define all of the AWS resources in your workload so you can reliably deploy and redeploy to multiple AWS accounts and AWS Regions.

Reference:
https://docs.aws.amazon.com/whitepapers/latest/disaster-recovery-workloads-on-aws/disaster-recovery-options-in-the-cloud.html

Question 137

Which AWS service monitors AWS accounts for security threats?
Amazon GuardDuty
AWS Secrets Manager
Amazon Cognito
AWS Certificate Manager (ACM)




Answer is Amazon GuardDuty

Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.

Reference:
https://www.amazonaws.cn/en/guardduty/

Question 138

A company requires an isolated environment within AWS for security purposes.

Which action can be taken to accomplish this?
Create a separate Availability Zone to host the resources.
Create a separate VPC to host the resources.
Create a placement group to host the resources.
Create an AWS Direct Connect connection between the company and AWS.




Answer is Create a separate VPC to host the resources.

To create an isolated environment within AWS for security purposes, the company can create a separate Virtual Private Cloud (VPC). A VPC is a logically isolated section of the AWS Cloud where the company can launch AWS resources in a virtual network that is dedicated to their account. By creating a separate VPC, the company can control the network settings, IP address ranges, subnets, route tables, and security settings specific to their isolated environment.

Reference:
https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/infrastructure-security.html

Question 139

Which of the following is an AWS best practice for managing an AWS account root user?
Keep the root user password with the security team.
Enable multi-factor authentication (MFA) for the root user.
Create an access key for the root user.
Keep the root user password consistent for compliance purposes.




Answer is Enable multi-factor authentication (MFA) for the root user.

Enabling multi-factor authentication (MFA) for the root user is considered an AWS best practice for managing an AWS account. MFA adds an extra layer of security to the account by requiring an additional authentication factor, such as a physical token or a virtual MFA device, in addition to the password. This helps protect the root user from unauthorized access and reduces the risk of compromise.

Reference:
https://docs.aws.amazon.com/accounts/latest/reference/best-practices-root-user.html

Question 140

A company wants to improve its security and audit posture by limiting Amazon EC2 inbound access.

What should the company use to access instances remotely instead of opening inbound SSH ports and managing SSH keys?
EC2 key pairs
AWS Systems Manager Session Manager
AWS Identity and Access Management (IAM)
Network ACLs




Answer is AWS Systems Manager Session Manager

AWS Systems Manager Session Manager is a fully managed service that provides secure and auditable remote shell access to EC2 instances directly through the AWS Management Console, CLI, or SDKs. With Session Manager, you can access your instances without opening inbound SSH ports or managing SSH keys.

By using Session Manager, you can centrally manage access to instances, enforce fine-grained permissions using IAM policies, and record all session activity in CloudTrail for auditing and compliance purposes. It provides a secure and convenient way to access your EC2 instances without exposing them to inbound SSH traffic.

Reference:
https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html
