AWS Certified Solutions Architect - Professional
Page 28 out of 101 pages Questions 271-280 out of 1009 questions
Question#271

In CloudFormation, if you want to map an Amazon Elastic Block Store to an Amazon EC2 instance, _________.

  • A. you reference the logical IDs to associate the block stores with the instance
  • B. you reference the physical IDs of the instance along with the resource type
  • C. you reference the instance IDs of the block store along with the resource properties
  • D. you reference the physical IDs of both the block stores and the instance
Answer: A
In AWS CloudFormation, if you want to map an Amazon Elastic Block Store to an Amazon EC2 instance, you reference the logical IDs to associate the block stores with the instance.
Reference:
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/concept-resources.html

Question#272

An organization hosts an app on EC2 instances which multiple developers need access to in order to perform updates.
The organization plans to implement some security best practices related to instance access.
Which one of the following recommendations will not help improve its security in this way?

  • A. Disable the password based login for all the users. All the users should use their own keys to connect with the instance securely.
  • B. Create an IAM policy allowing only IAM users to connect to the EC2 instances with their own SSH key.
  • C. Create a procedure to revoke the access rights of the individual user when they are not required to connect to EC2 instance anymore for the purpose of application configuration.
  • D. Apply the latest patch of OS and always keep it updated.
Answer: B
Since AWS is a public cloud, any application hosted on EC2 is exposed to attackers, so it is extremely important for a user to set up a proper security mechanism on the EC2 instances. A few of the security measures are listed below:
✑ Always keep the OS updated with the latest patch.
✑ Always create separate users within the OS if they need to connect to the EC2 instances; create their keys and disable their passwords.
✑ Create a procedure by which the admin can revoke a user's access when the business work on the EC2 instance is completed.
✑ Lock down unnecessary ports.
✑ Audit any proprietary applications that the user may be running on the EC2 instance.
✑ Provide temporary escalated privileges, such as sudo, for users who need to perform occasional privileged tasks.
IAM is useful when users are required to work with AWS resources and actions, such as launching an instance. It does not help in this case because it does not manage who can connect to an instance via RDP or SSH.
Reference:
http://aws.amazon.com/articles/1233/

Question#273

A user has configured two security groups which allow traffic as given below:
1. SecGrp1: inbound on port 80 for 0.0.0.0/0; inbound on port 22 for 0.0.0.0/0
2. SecGrp2: inbound on port 22 for 10.10.10.1/32
If both the security groups are associated with the same instance, which of the below mentioned statements is true?

  • A. It is not possible to have more than one security group assigned to a single instance
  • B. It is not possible to create the security group with conflicting rules. AWS will reject the request
  • C. It allows inbound traffic for everyone on both ports 22 and 80
  • D. It allows inbound traffic on port 22 for IP 10.10.10.1 and for everyone else on port 80
Answer: C
A user can attach more than one security group to a single EC2 instance. In this case, the rules from each security group are effectively aggregated to create one set of rules. AWS uses this set of rules to determine whether to allow access or not. Thus, here the port 22 rule for 10.10.10.1/32 merges with the port 22 rule for 0.0.0.0/0, so ports 22 and 80 are open to everyone.
Reference:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html

Question#274

You have a website which requires international presence and consequently you have set it up as follows.
It is hosted on 30 EC2 instances.
It is in 15 regions around the globe. Each region has 2 instances.
All the instances are in a public hosted zone.
Which of the following is the best way to configure your site to maintain availability with minimum downtime if one of the 15 regions was to lose network connectivity for an extended period? (Choose two.)

  • A. Create a Route 53 Latency Based Routing Record set that resolves to an Elastic Load Balancer in each region and has the Evaluate Target Health flag set to true.
  • B. Create a Route 53 failover routing policy and configure an active-passive failover.
  • C. Create a Route 53 Failover Routing Policy and assign each resource record set a unique identifier and a relative weight.
  • D. Create a Route 53 Geolocation Routing Policy that resolves to an Elastic Load Balancer in each region and has the Evaluate Target Health flag set to false.
Answer: AB
It is best to use the latency routing policy when you have resources in multiple Amazon EC2 data centers that perform the same function and you want Amazon Route 53 to respond to DNS queries with the resources that provide the best latency. You could also use the failover routing policy (for public hosted zones only) when you want to configure an active-passive failover, in which one resource takes all traffic when it's available and the other resource takes all traffic when the first resource isn't available.
Reference:
http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy.html#routing-policy-latency

Question#275

A user is accessing an EC2 instance on the SSH port for IP 10.20.30.40/32.
Which one is a secure way to configure that the instance can be accessed only from this IP?

  • A. In the security group, open port 22 for IP 10.20.30.40
  • B. In the security group, open port 22 for IP 10.20.30.0
  • C. In the security group, open port 22 for IP 10.20.30.40/32
  • D. In the security group, open port 22 for IP 10.20.30.40/0
Answer: C
In AWS EC2, while configuring a security group, the user needs to specify the IP address in CIDR notation. The CIDR range 10.20.30.40/32 denotes the single IP 10.20.30.40. If the user specifies only 10.20.30.40, the security group will not accept it and will ask for the address in CIDR format.
Reference:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html
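The two points above (rules from every attached security group are unioned, and a source must be written as a CIDR block, with /32 for one host) can be modelled in a few lines. This is an added illustration, not code from the page or from AWS; the `Rule` type, `parse_cidr`, `cidr_problem` and `is_allowed` are assumed names, and the groups from Question 273 are reconstructed inline.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One inbound allow rule: a TCP port and the source CIDR block."""
    port: int
    cidr: ipaddress.IPv4Network


def cidr_problem(text: str) -> Optional[str]:
    """Return None if text is a valid source CIDR, else a short reason.

    Mirrors the console behaviour described above: a bare address is
    rejected, and a prefix that leaves host bits set (e.g. /0 on a
    non-zero address) is rejected too.
    """
    if "/" not in text:
        return "prefix length required (use /32 for a single host)"
    try:
        ipaddress.IPv4Network(text, strict=True)
    except ValueError as exc:
        return str(exc)
    return None


def parse_cidr(text: str) -> ipaddress.IPv4Network:
    problem = cidr_problem(text)
    if problem is not None:
        raise ValueError(f"{text!r}: {problem}")
    return ipaddress.IPv4Network(text, strict=True)


def is_allowed(groups: List[List[Rule]], src_ip: str, port: int) -> bool:
    """Security groups are allow-lists; the inbound rules of every group
    attached to the instance are aggregated, so any single match allows."""
    ip = ipaddress.IPv4Address(src_ip)
    return any(r.port == port and ip in r.cidr for g in groups for r in g)


# Constructed from Question 273: SecGrp1 opens 80 and 22 to the world,
# SecGrp2 opens 22 to one host only.
SECGRP1 = [Rule(80, parse_cidr("0.0.0.0/0")), Rule(22, parse_cidr("0.0.0.0/0"))]
SECGRP2 = [Rule(22, parse_cidr("10.10.10.1/32"))]

if __name__ == "__main__":
    print(is_allowed([SECGRP1, SECGRP2], "203.0.113.7", 22))  # True: union opens 22
    print(is_allowed([SECGRP2], "203.0.113.7", 22))           # False: /32 only
```

With only SecGrp2 attached the /32 restricts SSH to 10.10.10.1; once SecGrp1 is attached as well, the 0.0.0.0/0 rule makes the restriction moot, which is the trap the question is built around.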

Question#276

While assigning a tag to an instance, which of the below mentioned options is not a valid tag key/value pair?

  • A. Key : "aws" Value:"aws"
  • B. Key: "aws:name" Value: "instanceAnswer: Aws"
  • C. Key: "Name :aws" Value: "instanceAnswer: Aws"
  • D. Key : "nameAnswer: Aws" Value:"aws:instance"
Answer: B
In Amazon Web Services, to help manage EC2 instances as well as their usage, the user can tag the instances. Tags are user-assigned metadata consisting of a key and a value. A tag key cannot begin with the prefix "aws:", although a key of just "aws" is allowed.
Reference:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html

Question#277

Will you be able to access EC2 snapshots using the regular Amazon S3 APIs?

  • A. Yes, you will be able to access using S3 APIs if you have chosen the snapshot to be stored in S3.
  • B. No, snapshots are only available through the Amazon EBS APIs.
  • C. Yes, you will be able to access them using S3 APIs as all snapshots are stored in S3.
  • D. No, snapshots are only available through the Amazon EC2 APIs.
Answer: D
No, snapshots are only available through the Amazon EC2 APIs.
Reference:
https://aws.amazon.com/ec2/faqs/

Question#278

A user has created an AWS AMI. The user wants the AMI to be available only to his friend and not anyone else. How can the user manage this?

  • A. Share the AMI with the community and setup the approval workflow before anyone launches it.
  • B. It is not possible to share the AMI with the selected user.
  • C. Share the AMI with a friend's AWS account ID.
  • D. Share the AMI with a friend's AWS login ID.
Answer: C
In Amazon Web Services, if a user has created an AMI and wants to share it with friends and colleagues, he can share the AMI with their AWS account IDs. Once the AMI is shared, the other user can access it from the community AMIs under the private AMIs option.
Reference:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html

Question#279

A user is planning to launch multiple EC2 instances identical to a currently running instance.
Which of the below mentioned parameters is not copied by Amazon EC2 in the launch wizard when the user has selected the option "Launch more like this"?

  • A. Termination protection
  • B. Tenancy setting
  • C. Storage
  • D. Shutdown behavior
Answer: C
The Amazon EC2 console provides a "Launch more like this" wizard option that enables the user to use a current instance as a template for launching other instances. This option automatically populates the Amazon EC2 launch wizard with certain configuration details from the selected instance.
The following configuration details are copied from the selected instance into the launch wizard:
✑ AMI ID
✑ Instance type
✑ Availability Zone, or the VPC and subnet in which the selected instance is located
✑ Public IPv4 address. If the selected instance currently has a public IPv4 address, the new instance receives a public IPv4 address, regardless of the selected instance's default public IPv4 address setting. For more information about public IPv4 addresses, see Public IPv4 Addresses and External DNS Hostnames.
✑ Placement group, if applicable
✑ IAM role associated with the instance, if applicable
✑ Shutdown behavior setting (stop or terminate)
✑ Termination protection setting (true or false)
✑ CloudWatch monitoring (enabled or disabled)
✑ Amazon EBS-optimization setting (true or false)
✑ Tenancy setting, if launching into a VPC (shared or dedicated)
✑ Kernel ID and RAM disk ID, if applicable
✑ User data, if specified
✑ Tags associated with the instance, if applicable
✑ Security groups associated with the instance
The following configuration details are not copied from your selected instance; instead, the wizard applies their default settings or behavior:
✑ (VPC only) Number of network interfaces: The default is one network interface, which is the primary network interface (eth0).
✑ Storage: The default storage configuration is determined by the AMI and the instance type.
Reference:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/launching-instance.html

Question#280

A user has launched an EBS optimized instance with EC2. Which of the below mentioned options is the correct statement?

  • A. It provides additional dedicated capacity for EBS IO
  • B. The attached EBS will have greater storage capacity
  • C. The user will have a PIOPS based EBS volume
  • D. It will be launched on dedicated hardware in VPC
Answer: A
An Amazon EBS-optimized instance uses an optimized configuration stack and provides additional, dedicated capacity for the Amazon EBS I/O. This optimization provides the best performance for the user's Amazon EBS volumes by minimizing contention between the Amazon EBS I/O and other traffic from the user's instance.
Reference:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSOptimized.html
