1. Which component of the AWS Global Infrastructure consists of one or more discrete data centers with redundant power, networking, and connectivity?
A. AWS Region
B. Availability Zone
C. Edge Location
D. Local Zone
Correct Answer: Availability Zone
Explanation: An Availability Zone (AZ) is a distinct location within an AWS Region that consists of one or more physical data centers.
2. Which factor should primarily be considered when choosing an AWS Region to reduce latency for end-users?
A. Cost of services
B. Proximity to the end-users
C. Number of Availability Zones
D. Compliance requirements
Correct Answer: Proximity to the end-users
Explanation: To minimize latency, you should select an AWS Region that is geographically closest to your user base.
3. What is the primary function of AWS Edge Locations?
A. To host EC2 instances
B. To provide low-latency content delivery via CloudFront
C. To store cold data archives
D. To manage IAM policies
Correct Answer: To provide low-latency content delivery via CloudFront
Explanation: Edge Locations are used by Amazon CloudFront to cache content closer to users to reduce latency.
4. Which pillar of the AWS Well-Architected Framework focuses on the ability to run and monitor systems to deliver business value and to continually improve processes and procedures?
A. Security
B. Reliability
C. Operational Excellence
D. Performance Efficiency
Correct Answer: Operational Excellence
Explanation: The Operational Excellence pillar focuses on running and monitoring systems to deliver business value and continually improving processes.
5. Which design principle is recommended by the AWS Well-Architected Framework regarding capacity planning?
A. Guess capacity needs based on averages
B. Stop guessing capacity needs
C. Always over-provision to ensure performance
D. Manually adjust capacity once a month
Correct Answer: Stop guessing capacity needs
Explanation: Cloud computing allows you to stop guessing capacity needs by using auto-scaling to match supply with demand.
6. In the Shared Responsibility Model, which of the following is the customer's responsibility?
A. Physical security of data centers
B. Patching the underlying host infrastructure
C. Client-side data encryption
D. Decommissioning storage devices
Correct Answer: Client-side data encryption
Explanation: Customers are responsible for security 'in' the cloud, which includes data encryption, while AWS handles security 'of' the cloud (physical hardware).
7. What is the primary purpose of AWS Identity and Access Management (IAM)?
A. To manage DNS records
B. To securely control access to AWS services and resources
C. To monitor network traffic
D. To deploy applications
Correct Answer: To securely control access to AWS services and resources
Explanation: IAM is used to manage identities (users, groups, roles) and permissions (policies) to control access to AWS resources.
8. Which IAM entity represents a person or service that interacts with AWS?
A. IAM Policy
B. IAM Group
C. IAM User
D. IAM Role
Correct Answer: IAM User
Explanation: An IAM User is an entity that you create in AWS to represent the person or application that uses it to interact with AWS.
9. What is the recommended best practice for the AWS account root user?
A. Use it for daily administrative tasks
B. Share the password with the development team
C. Enable Multi-Factor Authentication (MFA) and lock away credentials
D. Create access keys for the root user for API access
Correct Answer: Enable Multi-Factor Authentication (MFA) and lock away credentials
Explanation: The root user has unlimited access. Best practice dictates protecting it with MFA and only using it to create the first IAM user, not for daily tasks.
10. Which IAM feature allows you to associate permissions with a collection of users?
A. IAM Role
B. IAM Group
C. IAM Policy
D. Access Key
Correct Answer: IAM Group
Explanation: An IAM Group is a collection of IAM users. Permissions attached to the group apply to all users within that group.
11. What format are IAM policies written in?
A. XML
B. YAML
C. JSON
D. HTML
Correct Answer: JSON
Explanation: AWS IAM policies are JSON (JavaScript Object Notation) documents that define permissions.
12. Which principle suggests granting only the permissions required to perform a task?
A. Principle of Maximum Authority
B. Principle of Least Privilege
C. Principle of Root Access
D. Principle of Shared Responsibility
Correct Answer: Principle of Least Privilege
Explanation: The Principle of Least Privilege states that you should grant only the permissions necessary to perform a specific task and no more.
13. An IAM Role is best described as:
A. A permanent identity with long-term credentials
B. An identity with permission policies that can be assumed by a user or service
C. A group of users with shared permissions
D. A document defining password policies
Correct Answer: An identity with permission policies that can be assumed by a user or service
Explanation: An IAM Role is an identity intended to be assumable by anyone who needs it, providing temporary security credentials rather than long-term keys.
14. What is the default effect of an IAM policy if no Allow or Deny is explicitly stated?
A. Implicit Allow
B. Implicit Deny
C. Explicit Deny
D. Conditional Allow
Correct Answer: Implicit Deny
Explanation: By default, all requests are implicitly denied. An explicit Allow is required to grant access.
15. Which AWS service enables you to manage access across multiple AWS accounts centrally?
A. AWS Organizations
B. Amazon Inspector
C. AWS Config
D. Amazon CloudWatch
Correct Answer: AWS Organizations
Explanation: AWS Organizations allows you to centrally manage and govern your environment as you grow and scale your AWS resources across multiple accounts.
16. What mechanism allows users from an external identity provider (IdP) like Active Directory to access AWS resources without creating IAM users?
A. IAM Groups
B. Identity Federation
C. Access Keys
D. MFA
Correct Answer: Identity Federation
Explanation: Identity Federation allows you to manage users in a central IdP (like AD) and grant them access to AWS resources using temporary credentials.
17. Which industry standard is commonly used for federating users into AWS?
A. HTML5
B. SAML 2.0
C. HTTP
D. FTP
Correct Answer: SAML 2.0
Explanation: Security Assertion Markup Language 2.0 (SAML 2.0) is an open standard used for exchanging authentication and authorization data between an IdP and AWS.
18. To allow an application running on an EC2 instance to access an S3 bucket securely, what should you configure?
A. Embed Access Keys in the application code
B. Attach an IAM Role to the EC2 instance
C. Create a new IAM User for the instance
D. Make the S3 bucket public
Correct Answer: Attach an IAM Role to the EC2 instance
Explanation: Using an IAM Role attached to the EC2 instance allows the application to retrieve temporary credentials securely without storing long-term keys.
19. Which API call is used to obtain temporary security credentials when assuming a role?
A. sts:GetSessionToken
B. sts:AssumeRole
C. iam:CreateUser
D. iam:GetRole
Correct Answer: sts:AssumeRole
Explanation: The sts:AssumeRole API call returns a set of temporary security credentials that you can use to access AWS resources.
20. What is the primary service used for creating and managing cryptographic keys in AWS?
A. AWS Secrets Manager
B. AWS Shield
C. AWS Key Management Service (KMS)
D. Amazon Macie
Correct Answer: AWS Key Management Service (KMS)
Explanation: AWS KMS is a managed service that makes it easy for you to create and control the cryptographic keys used to encrypt your data.
21. Which type of encryption protects data while it is stored on a disk?
A. Encryption in Transit
B. Encryption at Rest
C. End-to-End Encryption
D. SSL/TLS
Correct Answer: Encryption at Rest
Explanation: Encryption at Rest protects data that is stored physically on disk (e.g., in S3, EBS, or RDS).
22. What does Server-Side Encryption (SSE) on Amazon S3 imply?
A. The user encrypts data before uploading
B. AWS encrypts the data after it is received and before saving it to disk
C. The data is encrypted during transfer over the internet only
D. AWS stores the encryption keys on the user's computer
Correct Answer: AWS encrypts the data after it is received and before saving it to disk
Explanation: With SSE, Amazon S3 encrypts your data at the object level as it writes it to disks in its data centers and decrypts it when you access it.
23. Which AWS service protects against Distributed Denial of Service (DDoS) attacks?
A. AWS WAF
B. AWS Shield
C. Amazon Inspector
D. AWS Artifact
Correct Answer: AWS Shield
Explanation: AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS.
24. Which service helps protect your web applications from common web exploits like SQL injection and cross-site scripting?
A. AWS Shield
B. AWS WAF
C. AWS Firewall Manager
D. Amazon GuardDuty
Correct Answer: AWS WAF
Explanation: AWS Web Application Firewall (WAF) helps protect web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources.
25. Amazon GuardDuty is best described as:
A. A firewall for EC2 instances
B. An automated vulnerability assessment service
C. An intelligent threat detection service
D. A compliance reporting tool
Correct Answer: An intelligent threat detection service
Explanation: Amazon GuardDuty allows for intelligent threat detection by monitoring for malicious activity and unauthorized behavior.
26. Which service automatically discovers, classifies, and protects sensitive data (like PII) in AWS?
A. Amazon Macie
B. Amazon Inspector
C. AWS Config
D. AWS Secrets Manager
Correct Answer: Amazon Macie
Explanation: Amazon Macie uses machine learning to automatically discover, classify, and protect sensitive data in AWS.
27. Which service is used to assess applications for exposure, vulnerabilities, and deviations from best practices?
A. Amazon Inspector
B. AWS Trusted Advisor
C. AWS Shield
D. AWS WAF
Correct Answer: Amazon Inspector
Explanation: Amazon Inspector is an automated vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure.
28. What does the 'Sustainability' pillar of the Well-Architected Framework focus on?
A. Reducing cost
B. Minimizing the environmental impacts of running cloud workloads
C. Ensuring high availability
D. Managing access controls
Correct Answer: Minimizing the environmental impacts of running cloud workloads
Explanation: The Sustainability pillar focuses on minimizing the environmental impact of running cloud workloads.
29. Which AWS service records API calls for your account and delivers log files to you?
A. Amazon CloudWatch
B. AWS CloudTrail
C. AWS X-Ray
D. AWS Config
Correct Answer: AWS CloudTrail
Explanation: AWS CloudTrail provides a record of actions taken by a user, role, or an AWS service (API auditing).
30. In IAM, what is the 'PowerUserAccess' managed policy?
A. Full access to all services including IAM
B. Full access to all services excluding IAM management
C. Read-only access to all services
D. Access to billing information only
Correct Answer: Full access to all services excluding IAM management
Explanation: PowerUserAccess provides full access to AWS services and resources, but does not allow management of Users and Groups (IAM).
31. What feature allows you to grant cross-account access to S3 resources explicitly within the S3 service?
A. Bucket Policies
B. Security Groups
C. NACLs
D. Service Control Policies
Correct Answer: Bucket Policies
Explanation: S3 Bucket Policies are resource-based policies that can specify which principals (including those in other accounts) can access the bucket.
32. Which cryptographic method uses a public key for encryption and a private key for decryption?
A. Symmetric encryption
B. Asymmetric encryption
C. Hashing
D. Obfuscation
Correct Answer: Asymmetric encryption
Explanation: Asymmetric encryption uses a key pair: a public key to encrypt data and a private key to decrypt it.
33. What is 'Envelope Encryption'?
A. Encrypting the email used to send keys
B. Encrypting plaintext data with a data key, then encrypting the data key with a master key
C. Wrapping a physical hard drive in a secure envelope
D. Encrypting data only at the network edge
Correct Answer: Encrypting plaintext data with a data key, then encrypting the data key with a master key
Explanation: Envelope encryption is the practice of encrypting plaintext data with a data key, and then encrypting the data key under another key (Master Key).
34. Which AWS feature can be used to ensure that EBS volumes created by users are always encrypted?
A. AWS Config Rules
B. IAM Roles
C. VPC Flow Logs
D. EBS Snapshots
Correct Answer: AWS Config Rules
Explanation: AWS Config can monitor compliance and check if EBS volumes are encrypted, flagging those that are not.
35. When designing for failure in the Cloud, what is a key concept?
A. Single point of failure
B. Tightly coupled components
C. Decoupling components
D. Vertical scaling only
Correct Answer: Decoupling components
Explanation: Decoupling components (e.g., using SQS) ensures that if one component fails, it does not immediately cause the failure of other components.
36. What is the purpose of Service Control Policies (SCPs) in AWS Organizations?
A. To grant permissions to IAM users
B. To define the maximum available permissions for member accounts
C. To configure firewall rules
D. To manage encryption keys
Correct Answer: To define the maximum available permissions for member accounts
Explanation: SCPs act as guardrails that define the maximum permissions for account members of an organization or organizational unit (OU).
37. Which credential is required for programmatic access to AWS via the CLI?
A. User Name and Password
B. Access Key ID and Secret Access Key
C. MFA Token only
D. SSH Key Pair
Correct Answer: Access Key ID and Secret Access Key
Explanation: Programmatic access (CLI, SDKs) requires an Access Key ID and a Secret Access Key.
38. What is the function of AWS Secrets Manager?
A. To store IAM user passwords
B. To rotate, manage, and retrieve database credentials and API keys
C. To encrypt EBS volumes
D. To firewall web applications
Correct Answer: To rotate, manage, and retrieve database credentials and API keys
Explanation: Secrets Manager helps you protect secrets needed to access your applications, services, and IT resources, with built-in rotation features.
39. Which pillar of the Well-Architected Framework focuses on the ability to prevent financial loss?
A. Cost Optimization
B. Reliability
C. Security
D. Performance Efficiency
Correct Answer: Cost Optimization
Explanation: The Cost Optimization pillar focuses on avoiding unnecessary costs and delivering business value at the lowest price point.
40. Which security service provides on-demand access to AWS compliance reports (e.g., SOC, PCI)?
A. AWS Artifact
B. AWS Config
C. Amazon Inspector
D. AWS Shield
Correct Answer: AWS Artifact
Explanation: AWS Artifact is your go-to, central resource for compliance-related information and reports.
41. In IAM, what is the 'Principal' in a policy statement?
A. The action being performed
B. The resource being accessed
C. The entity (user/role) allowed or denied access
D. The condition under which access is granted
Correct Answer: The entity (user/role) allowed or denied access
Explanation: The Principal element specifies the user, account, service, or other entity that is allowed or denied access to a resource.
42. What is the difference between a Security Group and a Network ACL (NACL)?
A. Security Groups are stateless; NACLs are stateful
B. Security Groups act at the subnet level; NACLs act at the instance level
C. Security Groups are stateful; NACLs are stateless
D. There is no difference
Correct Answer: Security Groups are stateful; NACLs are stateless
Explanation: Security Groups are stateful (return traffic is automatically allowed), while NACLs are stateless (return traffic must be explicitly allowed).
43. Which AWS service allows you to manage encryption keys in a dedicated, single-tenant hardware security module (HSM)?
A. AWS KMS
B. AWS CloudHSM
C. AWS Secrets Manager
D. Amazon S3
Correct Answer: AWS CloudHSM
Explanation: AWS CloudHSM provides a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud.
44. How often should IAM Access Keys be rotated according to best practices?
A. Never
B. Once every 10 years
C. Regularly
D. Only when a breach occurs
Correct Answer: Regularly
Explanation: Rotating access keys regularly reduces the window of opportunity for an attacker to use a compromised key.
45. Which IAM tool helps you identify unused credentials and excessive permissions?
A. IAM Credential Report / Access Analyzer
B. AWS Cost Explorer
C. AWS CloudFormation
D. Route 53
Correct Answer: IAM Credential Report / Access Analyzer
Explanation: IAM Credential Reports list all users and the status of their credentials, while Access Analyzer helps identify unintended external access.
46. If an explicit Deny and an explicit Allow exist for the same request, which one takes precedence?
A. Explicit Allow
B. Explicit Deny
C. The most recent policy
D. The policy with the most permissions
Correct Answer: Explicit Deny
Explanation: In AWS IAM evaluation logic, an Explicit Deny always overrides an Explicit Allow.
47. Which is a valid use case for Web Identity Federation?
A. Authenticating users via Google or Facebook to access AWS resources
B. Connecting an on-premises data center to a VPC
C. Encrypting S3 buckets
D. Managing EC2 instances
Correct Answer: Authenticating users via Google or Facebook to access AWS resources
Explanation: Web Identity Federation allows users to assume an identity and access AWS resources after successfully authenticating with a web identity provider like Amazon, Facebook, or Google.
48. What is the 'Condition' element in an IAM JSON policy used for?
A. To define who can access the resource
B. To specify the resource ARN
C. To specify circumstances under which the policy grants permission
D. To list the allowed actions
Correct Answer: To specify circumstances under which the policy grants permission
Explanation: Conditions are used to specify when a policy is in effect (e.g., only if the request comes from a specific IP range or requires MFA).
49. Which service acts as a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads?
A. Amazon GuardDuty
B. AWS WAF
C. AWS Shield
D. Amazon Macie
Correct Answer: Amazon GuardDuty
Explanation: GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior.
50. What type of scaling is described as adding more power (CPU, RAM) to an existing machine?
A. Horizontal Scaling
B. Vertical Scaling
C. Diagonal Scaling
D. Auto Scaling
Correct Answer: Vertical Scaling
Explanation: Vertical scaling (scaling up) involves increasing the specifications (CPU/RAM) of an individual resource, whereas horizontal scaling (scaling out) involves adding more instances.