[Full Version] Free Download Of Lead2pass AWS-SysOps Real Exam Questions (121-140)

22 Feb

2017 February Amazon Official New Released AWS-SysOps Dumps in Lead2pass.com!

100% Free Download! 100% Pass Guaranteed!

Lead2pass updates Amazon AWS-SysOps exam questions, adds some new changed questions from Amazon Official Exam Center. Want to know 2017 AWS-SysOps exam test points? Download the following free Lead2pass latest exam questions today!

Following questions and answers are all new published by Amazon Official Exam Center: http://www.lead2pass.com/aws-sysops.html

QUESTION 121
A user has launched an EC2 instance and deployed a production application in it.
The user wants to prohibit any mistakes from the production team to avoid accidental termination.
How can the user achieve this?

A.    The user can the set DisableApiTermination attribute to avoid accidental termination
B.    It is not possible to avoid accidental termination
C.    The user can set the Deletion termination flag to avoid accidental termination
D.    The user can set the InstanceInitiatedShutdownBehavior flag to avoid accidental termination

Answer: A
Explanation:
It is always possible that someone can terminate an EC2 instance using the Amazon EC2 console, command line interface or API by mistake. If the admin wants to prevent the instance from being accidentally terminated, he can enable termination protection for that instance. The DisableApiTermination attribute controls whether the instance can be terminated using the console, CLI or API. By default, termination protection is disabled for an EC2 instance. When it is set it will not allow the user to terminate the instance from CLI, API or the console.

QUESTION 122
A user has provisioned 2000 IOPS to the EBS volume.
The application hosted on that EBS is experiencing less IOPS than provisioned.
Which of the below mentioned options does not affect the IOPS of the volume?

A.    The application does not have enough IO for the volume
B.    The instance is EBS optimized
C.    The EC2 instance has 10 Gigabit Network connectivity
D.    The volume size is too large

Answer: D
Explanation:
When the application does not experience the expected IOPS or throughput of the PIOPS EBS volume that was provisioned, the possible root cause could be that the EC2 bandwidth is the limiting factor and the instance might not be either EBS-optimized or might not have 10 Gigabit network connectivity. Another possible cause for not experiencing the expected IOPS could also be that the user is not driving enough I/O to the EBS volumes.
The size of the volume may not affect IOPS.

QUESTION 123
A user is planning to use AWS services for his web application.
If the user is trying to set up his own billing management system for AWS, how can he configure it?

A.    Set up programmatic billing access. Download and parse the bill as per the requirement
B.    It is not possible for the user to create his own billing management service with AWS
C.    Enable the AWS CloudWatch alarm which will provide APIs to download the alarm data
D.    Use AWS billing APIs to download the usage report of each service from the AWS billing
console

Answer: A
Explanation:
AWS provides an option to have programmatic access to billing. Programmatic Billing Access leverages the existing Amazon Simple Storage Service (Amazon S3. APIs. Thus, the user can build applications that reference his billing data from a CSV (comma-separated value. file stored in an Amazon S3 bucket. AWS will upload the bill to the bucket every few hours and the user can download the bill CSV from the bucket, parse itand create a billing system as per the requirement.

QUESTION 124
A user has created a VPC with a subnet and a security group.
The user has launched an instance in that subnet and attached a public IP.
The user is still unable to connect to the instance.
The internet gateway has also been created.
What can be the reason for the error?

A.    The internet gateway is not configured with the route table
B.    The private IP is not present
C.    The outbound traffic on the security group is disabled
D.    The internet gateway is not configured with the security group

Answer: A
Explanation:
A Virtual Private Cloud (VPC. is a virtual network dedicated to the user’s AWS account. AWS provides two features the user can use to increase security in VPC: security groups and network ACLs. Security groups work at the instance level. When a user launches an instance and wants to connect to an instance, he needs an internet gateway. The internet gateway should be configured with the route table to allow traffic from the internet.

QUESTION 125
A user has enabled session stickiness with ELB.
The user does not want ELB to manage the cookie; instead he wants the application to manage the cookie.
What will happen when the server instance, which is bound to a cookie, crashes?

A.    The response will have a cookie but stickiness will be deleted
B.    The session will not be sticky until a new cookie is inserted
C.    ELB will throw an error due to cookie unavailability
D.    The session will be sticky and ELB will route requests to another server as ELB keeps
replicating the Cookie

Answer: B
Explanation:
With Elastic Load Balancer, if the admin has enabled a sticky session with application controlled stickiness, the load balancer uses a special cookie generated by the application to associate the session with the original server which handles the request. ELB follows the lifetime of the application-generated cookie corresponding to the cookie name specified in the ELB policy configuration. The load balancer only inserts a new stickiness cookie if the application response includes a new application cookie. The load balancer stickiness cookie does not update with each request. If the application cookie is explicitly removed or expires, the session stops being sticky until a new application cookie is issued.

QUESTION 126
An organization (Account ID 123412341234. has attached the below mentioned IAM policy to a user.
What does this policy statement entitle the user to perform?

{
“Version”: “2012-10-17”,
“Statement”: [{
“Sid”: “AllowUsersAllActionsForCredentials”,
“Effect”: “Allow”,
“Action”: [
“iam:*LoginProfile”,
“iam:*AccessKey*”,
“iam:*SigningCertificate*”
],
“Resource”: [“arn:aws:iam:: 123412341234:user/${aws:username}”]
}]
}

A.    The policy allows the IAM user to modify all IAM user’s credentials using the console, SDK,
CLI or APIs
B.    The policy will give an invalid resource error
C.    The policy allows the IAM user to modify all credentials using only the console
D.    The policy allows the user to modify all IAM user’s password, sign in certificates and access
keys using only CLI, SDK or APIs

Answer: D
Explanation:
WS Identity and Access Management is a web service which allows organizations to manage users and user permissions for various AWS services. If the organization (Account ID 123412341234. wants some of their users to manage credentials (access keys, password, and sing in certificates. of all IAM users, they should set an applicable policy to that user or group of users. The below mentioned policy allows the IAM user to modify the credentials of all IAM user’s using only CLI, SDK or APIs. The user cannot use the AWS console for this activity since he does not have list permission for the IAM users.

{
“Version”: “2012-10-17”,
“Statement”: [{
“Sid”: “AllowUsersAllActionsForCredentials”,
“Effect”: “Allow”
“Action”: [
“iam:*LoginProfile”,
“iam:*AccessKey*”,
“iam:*SigningCertificate*”
],
“Resource”: [“arn:aws:iam::123412341234:user/${aws:username}”] }]
}

QUESTION 127
A sys admin is trying to understand the sticky session algorithm.
Please select the correct sequence of steps, both when the cookie is present and when it is not, to help the admin understand the implementation of the sticky session:

1. ELB inserts the cookie in the response
2. ELB chooses the instance based on the load balancing algorithm
3. Check the cookie in the service request
4. The cookie is found in the request
5. The cookie is not found in the request

A.    3,1,4,2 [Cookie is not Present] & 3,1,5,2 [Cookie is Present]
B.    3,4,1,2 [Cookie is not Present] & 3,5,1,2 [Cookie is Present]
C.    3,5,2,1 [Cookie is not Present] & 3,4,2,1 [Cookie is Present]
D.    3,2,5,4 [Cookie is not Present] & 3,2,4,5 [Cookie is Present]

Answer: C
Explanation:
Generally AWS ELB routes each request to a zone with the minimum load. The Elastic Load Balancer provides a feature called sticky session which binds the user’s session with a specific EC2 instance. The load balancer uses a special load-balancer-generated cookie to track the application instance for each request. When the load balancer receives a request, it first checks to see if this cookie is present in the request. If so, the request is sent to the application instance specified in the cookie. If there is no cookie, the load balancer chooses an application instance based on the existing load balancing algorithm. A cookie is inserted into the response for binding subsequent requests from the same user to that application instance.

QUESTION 128
A user is using the AWS SQS to decouple the services.
Which of the below mentioned operations is not supported by SQS?

A.    SendMessageBatch
B.    DeleteMessageBatch
C.    CreateQueue
D.    DeleteMessageQueue

Answer: D
Explanation:
Amazon Simple Queue Service (SQS. is a fast, reliable, scalable, and fully managed message queuing service. SQS provides a simple and cost-effective way to decouple the components of an application. The user can perform the following set of operations using the Amazon SQS:
CreateQueue, ListQueues, DeleteQueue, SendMessage, SendMessageBatch, ReceiveMessage, DeleteMessage, DeleteMessageBatch, ChangeMessageVisibility, ChangeMessageVisibilityBatch, SetQueueAttributes, GetQueueAttributes, GetQueueUrl, AddPermission and RemovePermission. Operations can be performed only by the AWS account owner or an AWS account that the account owner has delegated to.

QUESTION 129
An organization has created 10 IAM users.
The organization wants each of the IAM users to have access to a separate DyanmoDB table.
All the users are added to the same group and the organization wants to setup a group level policy for this.
How can the organization achieve this?

A.    Define the group policy and add a condition which allows the access based on the IAM
name
B.    Create a DynamoDB table with the same name as the IAM user name and define the policy
rule which grants access based on the DynamoDB ARN using a variable
C.    Create a separate DynamoDB database for each user and configure a policy in the group
based on the DB variable
D.    It is not possible to have a group level policy which allows different IAM users to different DynamoDB Tables

Answer: B
Explanation:
AWS Identity and Access Management is a web service which allows organizations to manage users and user permissions for various AWS services. AWS DynamoDB has only tables and the organization cannot makeseparate databases. The organization should create a table with the same name as the IAM user name and use the ARN of DynamoDB as part of the group policy. The sample policy is shown below:

{
“Version”: “2012-10-17”,
“Statement”: [{
“Effect”: “Allow”,
“Action”: [“dynamodb:*”],
“Resource”: “arn:aws:dynamodb:region:account-number-without-hyphens:table/${aws:username}”
}
]
}

QUESTION 130
A user has created a VPC with two subnets: one public and one private.
The user is planning to run the patch update for the instances in the private subnet.
How can the instances in the private subnet connect to theinternet?

A.    Use the internet gateway with a private IP
B.    Allow outbound traffic in the security group for port 80 to allow internet updates
C.    The private subnet can never connect to the internet
D.    Use NAT with an elastic IP

Answer: D
Explanation:
A Virtual Private Cloud (VPC. is a virtual network dedicated to the user’s AWS account. A user can create a subnet with VPC and launch instances inside that subnet. If the user has created two subnets (one private and one public., he would need a Network Address Translation (NAT. instance with the elastic IP address. This enables the instances in the private subnet to send requests to the internet (for example, to perform software updates..

QUESTION 131
A user has created a VPC with the public and private subnets using the VPC wizard.
The VPC has CIDR 20.0.0.0/16.
The public subnet uses CIDR 20.0.1.0/24.
The user is planning to host a web server in the public subnet (port 80. and a DB server in the private subnet (port 3306..
The user is configuring a security group for the public subnet (WebSecGrp. and the private subnet (DBSecGrp..
Which of the below mentioned entries is required in the private subnet database security group (DBSecGrp.?

A.    Allow Inbound on port 3306 for Source Web Server Security Group (WebSecGrp.
B.    Allow Inbound on port 3306 from source 20.0.0.0/16
C.    Allow Outbound on port 3306 for Destination Web Server Security Group (WebSecGrp.
D.    Allow Outbound on port 80 for Destination NAT Instance IP

Answer: A
Explanation:
A user can create a subnet with VPC and launch instances inside that subnet. If the user has created a public private subnet to host the web server and DB server respectively, the user should configure that the instances in the private subnet can receive inbound traffic from the public subnet on the DB port. Thus, configure port 3306 in Inbound with the source as the Web Server Security Group (WebSecGrp.. The user should configure ports 80 and 443 for Destination 0.0.0.0/0 as the route table directs traffic to the NAT instance from the private subnet.

QUESTION 132
A user is trying to setup a security policy for ELB.
The user wants ELB to meet the cipher supported by the client by configuring the server order preference in ELB security policy.
Which of the below mentioned preconfigured policies supports this feature?

A.    ELBSecurity Policy-2014-01
B.    ELBSecurity Policy-2011-08
C.    ELBDefault Negotiation Policy
D.    ELBSample-OpenSSLDefault Cipher Policy

Answer: A
Explanation:
Elastic Load Balancing uses a Secure Socket Layer (SSL. negotiation configuration which is known as a Security Policy. It is used to negotiate the SSL connections between a client and the load balancer. If the load balancer is configured to support the Server Order Preference, then the load balancer gets to select the first cipher in its list that matches any one of the ciphers in the client’s list. When the user verifies the preconfigured policies supported by ELB, the policy “ELBSecurity Policy-2014-01” supports server order preference.

QUESTION 133
A user is receiving a notification from the RDS DB whenever there is a change in the DB security group.
The user does not want to receive these notifications for only a month.
Thus, he does not want to delete the notification.
How can the user configure this?

A.    Change the Disable button for notification to “Yes” in the RDS console
B.    Set the send mail flag to false in the DB event notification console
C.    The only option is to delete the notification from the console
D.    Change the Enable button for notification to “No” in the RDS console

Answer: D
Explanation:
Amazon RDS uses the Amazon Simple Notification Service to provide a notification when an Amazon RDS event occurs. Event notifications are sent to the addresses that the user has provided while creating the subscription. The user can easily turn off the notification without deleting a subscription by setting the Enabled radio button to No in the Amazon RDS console or by setting the Enabled parameter to false using the CLI or Amazon RDS API.

QUESTION 134
A user has launched an EC2 instance from an instance store backed AMI.
The infrastructure team wants to create an AMI from the running instance.
Which of the below mentioned credentials is not required while creating the AMI?

A.    AWS account ID
B.    X.509 certificate and private key
C.    AWS login ID to login to the console
D.    Access key and secret access key

Answer: C
Explanation:
When the user has launched an EC2 instance from an instance store backed AMI and the admin team wants to create an AMI from it, the user needs to setup the AWS AMI or the API tools first. Once the tool is setup the user will need the following credentials:

– AWS account ID;
– AWS access and secret access key;
– X.509 certificate with private key.

QUESTION 135
A user has created a VPC with CIDR 20.0.0.0/16.
The user has created one subnet with CIDR 20.0.0.0/16 by mistake.
The user is trying to create another subnet of CIDR 20.0.0.1/24.
How can the user create the second subnet?

A.    There is no need to update the subnet as VPC automatically adjusts the CIDR of the first
subnet based on the second subnet’s CIDR
B.    The user can modify the first subnet CIDR from the console
C.    It is not possible to create a second subnet as one subnet with the same CIDR as the VPC
has been created
D.    The user can modify the first subnet CIDR with AWS CLI

Answer: C
Explanation:
A Virtual Private Cloud (VPC. is a virtual network dedicated to the user’s AWS account. A user can create a subnet with VPC and launch instances inside the subnet. The user can create a subnet with the same size of VPC. However, he cannot create any other subnet since the CIDR of the second subnet will conflict with the first subnet. The user cannot modify the CIDR of a subnet once it is created. Thus, in this case if required, the user has to delete the subnet and create new subnets.

QUESTION 136
Which of the below mentioned AWS RDS logs cannot be viewed from the console for MySQL?

A.    Error Log
B.    Slow Query Log
C.    Transaction Log
D.    General Log

Answer: C
Explanation:
The user can view, download, and watch the database logs using the Amazon RDS console, the Command Line Interface (CLI., or the Amazon RDS API. For the MySQL RDS, the user can view the error log, slow querylog, and general logs. RDS does not support viewing the transaction logs.

QUESTION 137
An organization has configured two single availability zones.
The Auto Scaling groups are configured in separate zones.
The user wants to merge the groups such that one group spans across multiple zones.
How can the user configure this?

A.    Run the command as-join-auto-scaling-group to join the two groups
B.    Run the command as-update-auto-scaling-group to configure one group to span across
zones and delete the other group
C.    Run the command as-copy-auto-scaling-group to join the two groups
D.    Run the command as-merge-auto-scaling-group to merge the groups

Answer: B
Explanation:
If the user has configured two separate single availability zone Auto Scaling groups and wants to merge them then he should update one of the groups and delete the other one. While updating the first group it is recommended that the user should increase the size of the minimum, maximum and desired capacity as a summation of both the groups.

QUESTION 138
A user has created a VPC with public and private subnets using the VPC wizard.
Which of the below mentioned statements is true in this scenario?

A.    The AWS VPC will automatically create a NAT instance with the micro size
B.    VPC bounds the main route table with a private subnet and a custom route table with a
public subnet
C.    The user has to manually create a NAT instance
D.    VPC bounds the main route table with a public subnet and a custom route table with a
private subnet

Answer: B
Explanation:
A Virtual Private Cloud (VPC. is a virtual network dedicated to the user’s AWS account. A user can create a subnet with VPC and launch instances inside that subnet. If the user has created a public private subnet, the instances in the public subnet can receive inbound traffic directly from the internet, whereas the instances in the private subnet cannot. If these subnets are created with Wizard, AWS will create a NAT instance of a smaller or higher size, respectively. The VPC has an implied router and the VPC wizard updates the main route table used with the private subnet, creates a custom route table and associates it with the public subnet.

QUESTION 139
A user has created a mobile application which makes calls to DynamoDB to fetch certain data. The application is using the DynamoDB SDK and root account access/secret access key to connect to DynamoDB from mobile.
Which of the below mentioned statements is true with respect to the best practice for security in this scenario?

A.    The user should create a separate IAM user for each mobile application and provide
DynamoDB access with it
B.    The user should create an IAM role with DynamoDB and EC2 access.
Attach the role with EC2 and route all calls from the mobile through EC2
C.    The application should use an IAM role with web identity federation which validates calls to DynamoDB with identity providers, such as Google, Amazon, and Facebook
D.    Create an IAM Role with DynamoDB access and attach it with the mobile application

Answer: C
Explanation:
With AWS IAM a user is creating an application which runs on an EC2 instance and makes requests to AWS, such as DynamoDB or S3 calls. Here it is recommended that the user should not create an IAM user and pass the user’s credentials to the application or embed those credentials inside the application. If the user is creating an app that runs on a mobile phone and makes requests to AWS, the user should not create an IAMuser and distribute the user’s access key with the app. Instead, he should use an identity provider, such as Login with Amazon, Facebook, or Google to authenticate the users, and then use that identity to get temporary security credentials.

QUESTION 140
The CFO of a company wants to allow one of his employees to view only the AWS usage report page.
Which of the below mentioned IAM policy statements allows the user to have access to the AWS usage report page?

A.    “Effect”: “Allow”, “Action”: [“Describe”], “Resource”: “Billing”
B.    “Effect”: “Allow”, “Action”: [“AccountUsage], “Resource”: “*”
C.    “Effect”: “Allow”, “Action”: [“aws-portal:ViewUsage”], “Resource”:
“*”
D.    “Effect”: “Allow”, “Action”: [“aws-portal: ViewBilling”], “Resource”: “*”

Answer: C
Explanation:
AWS Identity and Access Management is a web service which allows organizations to manage users and user permissions for various AWS services. If the CFO wants to allow only AWS usage report page access, the policy for that IAM user will be as given below:

{
“Version”: “2012-10-17”,
“Statement”: [
{
“Effect”: “Allow”,
“Action”: [
“aws-portal:ViewUsage”
],
“Resource”: “*”
}
]
}

Lead2pass promise that all AWS-SysOps exam questions are the latest updated, we aim to provide latest and guaranteed questions for all certifications. You just need to be braved in trying then we will help you arrange all later things! 100% pass all exams you want or full money back! Do you want to have a try on passing AWS-SysOps?

AWS-SysOps new questions on Google Drive: https://drive.google.com/open?id=0B3Syig5i8gpDekE1aUpSVGNHbWM

2017 Amazon AWS-SysOps exam dumps (All 332 Q&As) from Lead2pass:

http://www.lead2pass.com/aws-sysops.html [100% Exam Pass Guaranteed]