1Which component of the AWS Global Infrastructure consists of one or more discrete data centers with redundant power, networking, and connectivity?
A.AWS Region
B.Availability Zone
C.Local Zone
D.Edge Location
Correct Answer: Availability Zone
Explanation:
An Availability Zone (AZ) is a distinct location within an AWS Region that consists of one or more physical data centers.
Incorrect! Try again.
2Which factor should primarily be considered when choosing an AWS Region to reduce latency for end-users?
A.Proximity to the end-users
B.Compliance requirements
C.Number of Availability Zones
D.Cost of services
Correct Answer: Proximity to the end-users
Explanation:
To minimize latency, you should select an AWS Region that is geographically closest to your user base.
Incorrect! Try again.
3What is the primary function of AWS Edge Locations?
A.To provide low-latency content delivery via CloudFront
B.To host EC2 instances
C.To store cold data archives
D.To manage IAM policies
Correct Answer: To provide low-latency content delivery via CloudFront
Explanation:
Edge Locations are used by Amazon CloudFront to cache content closer to users to reduce latency.
Incorrect! Try again.
4Which pillar of the AWS Well-Architected Framework focuses on the ability to run and monitor systems to deliver business value and to continually improve processes and procedures?
A.Operational Excellence
B.Reliability
C.Performance Efficiency
D.Security
Correct Answer: Operational Excellence
Explanation:
The Operational Excellence pillar focuses on running and monitoring systems to deliver business value and continually improving processes.
Incorrect! Try again.
5Which design principle is recommended by the AWS Well-Architected Framework regarding capacity planning?
A.Guess capacity needs based on averages
B.Stop guessing capacity needs
C.Manually adjust capacity once a month
D.Always over-provision to ensure performance
Correct Answer: Stop guessing capacity needs
Explanation:
Cloud computing allows you to stop guessing capacity needs by using auto-scaling to match supply with demand.
Incorrect! Try again.
6In the Shared Responsibility Model, which of the following is the customer's responsibility?
A.Patching the underlying host infrastructure
B.Physical security of data centers
C.Client-side data encryption
D. decommissioning storage devices
Correct Answer: Client-side data encryption
Explanation:
Customers are responsible for security 'in' the cloud, which includes data encryption, while AWS handles security 'of' the cloud (physical hardware).
Incorrect! Try again.
7What is the primary purpose of AWS Identity and Access Management (IAM)?
A.To securely control access to AWS services and resources
B.To manage DNS records
C.To monitor network traffic
D.To deploy applications
Correct Answer: To securely control access to AWS services and resources
Explanation:
IAM is used to manage identities (users, groups, roles) and permissions (policies) to control access to AWS resources.
Incorrect! Try again.
8Which IAM entity represents a person or service that interacts with AWS?
A.IAM User
B.IAM Policy
C.IAM Group
D.IAM Role
Correct Answer: IAM User
Explanation:
An IAM User is an entity that you create in AWS to represent the person or application that uses it to interact with AWS.
Incorrect! Try again.
9What is the recommended best practice for the AWS account root user?
A.Create access keys for the root user for API access
B.Share the password with the development team
C.Use it for daily administrative tasks
D.Enable Multi-Factor Authentication (MFA) and lock away credentials
Correct Answer: Enable Multi-Factor Authentication (MFA) and lock away credentials
Explanation:
The root user has unlimited access. Best practice dictates protecting it with MFA and only using it to create the first IAM user, not for daily tasks.
Incorrect! Try again.
10Which IAM feature allows you to associate permissions with a collection of users?
A.Access Key
B.IAM Group
C.IAM Role
D.IAM Policy
Correct Answer: IAM Group
Explanation:
An IAM Group is a collection of IAM users. Permissions attached to the group apply to all users within that group.
Incorrect! Try again.
11What format are IAM policies written in?
A.HTML
B.XML
C.YAML
D.JSON
Correct Answer: JSON
Explanation:
AWS IAM policies are JSON (JavaScript Object Notation) documents that define permissions.
Incorrect! Try again.
12Which principle suggests granting only the permissions required to perform a task?
A.Principle of Least Privilege
B.Principle of Root Access
C.Principle of Maximum Authority
D.Principle of Shared Responsibility
Correct Answer: Principle of Least Privilege
Explanation:
The Principle of Least Privilege states that you should grant only the permissions necessary to perform a specific task and no more.
Incorrect! Try again.
13An IAM Role is best described as:
A.A group of users with shared permissions
B.An identity with permission policies that can be assumed by a user or service
C.A document defining password policies
D.A permanent identity with long-term credentials
Correct Answer: An identity with permission policies that can be assumed by a user or service
Explanation:
An IAM Role is an identity intended to be assumable by anyone who needs it, providing temporary security credentials rather than long-term keys.
Incorrect! Try again.
14What is the default effect of an IAM policy if no Allow or Deny is explicitly stated?
A.Conditional Allow
B.Implicit Deny
C.Explicit Deny
D.Implicit Allow
Correct Answer: Implicit Deny
Explanation:
By default, all requests are implicitly denied. An explicit Allow is required to grant access.
Incorrect! Try again.
15Which AWS service enables you to manage access across multiple AWS accounts centrally?
A.AWS Config
B.Amazon CloudWatch
C.AWS Organizations
D.Amazon Inspector
Correct Answer: AWS Organizations
Explanation:
AWS Organizations allows you to centrally manage and govern your environment as you grow and scale your AWS resources across multiple accounts.
Incorrect! Try again.
16What mechanism allows users from an external identity provider (IdP) like Active Directory to access AWS resources without creating IAM users?
A.Identity Federation
B.Access Keys
C.MFA
D.IAM Groups
Correct Answer: Identity Federation
Explanation:
Identity Federation allows you to manage users in a central IdP (like AD) and grant them access to AWS resources using temporary credentials.
Incorrect! Try again.
17Which industry standard is commonly used for federating users into AWS?
A.HTTP
B.SAML 2.0
C.FTP
D.HTML5
Correct Answer: SAML 2.0
Explanation:
Security Assertion Markup Language 2.0 (SAML 2.0) is an open standard used for exchanging authentication and authorization data between an IdP and AWS.
Incorrect! Try again.
18To allow an application running on an EC2 instance to access an S3 bucket securely, what should you configure?
A.Embed Access Keys in the application code
B.Make the S3 bucket public
C.Create a new IAM User for the instance
D.Attach an IAM Role to the EC2 instance
Correct Answer: Attach an IAM Role to the EC2 instance
Explanation:
Using an IAM Role attached to the EC2 instance allows the application to retrieve temporary credentials securely without storing long-term keys.
Incorrect! Try again.
19Which API call is used to obtain temporary security credentials when assuming a role?
A.sts:GetSessionToken
B.iam:GetRole
C.iam:CreateUser
D.sts:AssumeRole
Correct Answer: sts:AssumeRole
Explanation:
The sts:AssumeRole API call returns a set of temporary security credentials that you can use to access AWS resources.
Incorrect! Try again.
20What is the primary service used for creating and managing cryptographic keys in AWS?
A.AWS Secrets Manager
B.AWS Key Management Service (KMS)
C.Amazon Macie
D.AWS Shield
Correct Answer: AWS Key Management Service (KMS)
Explanation:
AWS KMS is a managed service that makes it easy for you to create and control the cryptographic keys used to encrypt your data.
Incorrect! Try again.
21Which type of encryption protects data while it is stored on a disk?
A.End-to-End Encryption
B.SSL/TLS
C.Encryption at Rest
D.Encryption in Transit
Correct Answer: Encryption at Rest
Explanation:
Encryption at Rest protects data that is stored physically on disk (e.g., in S3, EBS, or RDS).
Incorrect! Try again.
22What does Server-Side Encryption (SSE) on Amazon S3 imply?
A.AWS encrypts the data after it is received and before saving it to disk
B.AWS stores the encryption keys on the user's computer
C.The user encrypts data before uploading
D.The data is encrypted during transfer over the internet only
Correct Answer: AWS encrypts the data after it is received and before saving it to disk
Explanation:
With SSE, Amazon S3 encrypts your data at the object level as it writes it to disks in its data centers and decrypts it when you access it.
Incorrect! Try again.
23Which AWS service protects against Distributed Denial of Service (DDoS) attacks?
A.AWS WAF
B.Amazon Inspector
C.AWS Artifact
D.AWS Shield
Correct Answer: AWS Shield
Explanation:
AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS.
Incorrect! Try again.
24Which service helps protect your web applications from common web exploits like SQL injection and cross-site scripting?
A.AWS Firewall Manager
B.AWS WAF
C.AWS Shield
D.Amazon GuardDuty
Correct Answer: AWS WAF
Explanation:
AWS Web Application Firewall (WAF) helps protect web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources.
Incorrect! Try again.
25Amazon GuardDuty is best described as:
A.A firewall for EC2 instances
B.A compliance reporting tool
C.An intelligent threat detection service
D.An automated vulnerability assessment service
Correct Answer: An intelligent threat detection service
Explanation:
Amazon GuardDuty allows for intelligent threat detection by monitoring for malicious activity and unauthorized behavior.
Incorrect! Try again.
26Which service automatically discovers, classifies, and protects sensitive data (like PII) in AWS?
A.Amazon Macie
B.Amazon Inspector
C.AWS Secrets Manager
D.AWS Config
Correct Answer: Amazon Macie
Explanation:
Amazon Macie uses machine learning to automatically discover, classify, and protect sensitive data in AWS.
Incorrect! Try again.
27Which service is used to assess applications for exposure, vulnerabilities, and deviations from best practices?
A.Amazon Inspector
B.AWS Trusted Advisor
C.AWS WAF
D.AWS Shield
Correct Answer: Amazon Inspector
Explanation:
Amazon Inspector is an automated vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure.
Incorrect! Try again.
28What does the 'Sustainability' pillar of the Well-Architected Framework focus on?
A.Reducing cost
B.Ensuring high availability
C.Managing access controls
D.Minimizing the environmental impacts of running cloud workloads
Correct Answer: Minimizing the environmental impacts of running cloud workloads
Explanation:
The Sustainability pillar focuses on minimizing the environmental impact of running cloud workloads.
Incorrect! Try again.
29Which AWS service records API calls for your account and delivers log files to you?
A.AWS CloudTrail
B.AWS X-Ray
C.Amazon CloudWatch
D.AWS Config
Correct Answer: AWS CloudTrail
Explanation:
AWS CloudTrail provides a record of actions taken by a user, role, or an AWS service (API auditing).
Incorrect! Try again.
30In IAM, what is the 'PowerUserAccess' managed policy?
A.Read-only access to all services
B.Full access to all services excluding IAM management
C.Full access to all services including IAM
D.Access to billing information only
Correct Answer: Full access to all services excluding IAM management
Explanation:
PowerUserAccess provides full access to AWS services and resources, but does not allow management of Users and Groups (IAM).
Incorrect! Try again.
31What feature allows you to grant cross-account access to S3 resources explicitly within the S3 service?
A.NACLs
B.Bucket Policies
C.Security Groups
D.Service Control Policies
Correct Answer: Bucket Policies
Explanation:
S3 Bucket Policies are resource-based policies that can specify which principals (including those in other accounts) can access the bucket.
Incorrect! Try again.
32Which cryptographic method uses a public key for encryption and a private key for decryption?
A.Symmetric encryption
B.Asymmetric encryption
C.Hashing
D.Obfuscation
Correct Answer: Asymmetric encryption
Explanation:
Asymmetric encryption uses a key pair: a public key to encrypt data and a private key to decrypt it.
Incorrect! Try again.
33What is 'Envelope Encryption'?
A.Wrapping a physical hard drive in a secure envelope
B.Encrypting the email used to send keys
C.Encrypting data only at the network edge
D.Encrypting plaintext data with a data key, then encrypting the data key with a master key
Correct Answer: Encrypting plaintext data with a data key, then encrypting the data key with a master key
Explanation:
Envelope encryption is the practice of encrypting plaintext data with a data key, and then encrypting the data key under another key (Master Key).
Incorrect! Try again.
34Which AWS feature can be used to ensure that EBS volumes created by users are always encrypted?
A.IAM Roles
B.AWS Config Rules
C.EBS Snapshots
D.VPC Flow Logs
Correct Answer: AWS Config Rules
Explanation:
AWS Config can monitor compliance and check if EBS volumes are encrypted, flagging those that are not.
Incorrect! Try again.
35When designing for failure in the Cloud, what is a key concept?
A.Single point of failure
B.Decoupling components
C.Vertical scaling only
D.Tightly coupled components
Correct Answer: Decoupling components
Explanation:
Decoupling components (e.g., using SQS) ensures that if one component fails, it does not immediately cause the failure of other components.
Incorrect! Try again.
36What is the purpose of Service Control Policies (SCPs) in AWS Organizations?
A.To grant permissions to IAM users
B.To configure firewall rules
C.To manage encryption keys
D.To define the maximum available permissions for member accounts
Correct Answer: To define the maximum available permissions for member accounts
Explanation:
SCPs act as guardrails that define the maximum permissions for account members of an organization or organizational unit (OU).
Incorrect! Try again.
37Which credential is required for programmatic access to AWS via the CLI?
A.Access Key ID and Secret Access Key
B.User Name and Password
C.SSH Key Pair
D.MFA Token only
Correct Answer: Access Key ID and Secret Access Key
Explanation:
Programmatic access (CLI, SDKs) requires an Access Key ID and a Secret Access Key.
Incorrect! Try again.
38What is the function of AWS Secrets Manager?
A.To rotate, manage, and retrieve database credentials and API keys
B.To firewall web applications
C.To store IAM user passwords
D.To encrypt EBS volumes
Correct Answer: To rotate, manage, and retrieve database credentials and API keys
Explanation:
Secrets Manager helps you protect secrets needed to access your applications, services, and IT resources, with built-in rotation features.
Incorrect! Try again.
39Which pillar of the Well-Architected Framework focuses on the ability to prevent financial loss?
A.Cost Optimization
B.Reliability
C.Performance Efficiency
D.Security
Correct Answer: Cost Optimization
Explanation:
The Cost Optimization pillar focuses on avoiding unnecessary costs and delivering business value at the lowest price point.
Incorrect! Try again.
40Which security service provides on-demand access to AWS compliance reports (e.g., SOC, PCI)?
A.AWS Artifact
B.AWS Shield
C.Amazon Inspector
D.AWS Config
Correct Answer: AWS Artifact
Explanation:
AWS Artifact is your go-to, central resource for compliance-related information and reports.
Incorrect! Try again.
41In IAM, what is the 'Principal' in a policy statement?
A.The entity (user/role) allowed or denied access
B.The action being performed
C.The resource being accessed
D.The condition under which access is granted
Correct Answer: The entity (user/role) allowed or denied access
Explanation:
The Principal element specifies the user, account, service, or other entity that is allowed or denied access to a resource.
Incorrect! Try again.
42What is the difference between a Security Group and a Network ACL (NACL)?
A.Security Groups are stateless; NACLs are stateful
B.There is no difference
C.Security Groups act at the subnet level; NACLs act at the instance level
D.Security Groups are stateful; NACLs are stateless
Correct Answer: Security Groups are stateful; NACLs are stateless
Explanation:
Security Groups are stateful (return traffic is automatically allowed), while NACLs are stateless (return traffic must be explicitly allowed).
Incorrect! Try again.
43Which AWS service allows you to manage encryption keys in a dedicated, single-tenant hardware security module (HSM)?
A.AWS KMS
B.AWS Secrets Manager
C.AWS CloudHSM
D.Amazon S3
Correct Answer: AWS CloudHSM
Explanation:
AWS CloudHSM provides a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud.
Incorrect! Try again.
44How often should IAM Access Keys be rotated according to best practices?
A.Regularly
B.Once every 10 years
C.Never
D.Only when a breach occurs
Correct Answer: Regularly
Explanation:
Rotating access keys regularly reduces the window of opportunity for an attacker to use a compromised key.
Incorrect! Try again.
45Which IAM tool helps you identify unused credentials and excessive permissions?
A.AWS CloudFormation
B.IAM Credential Report / Access Analyzer
C.Route 53
D.AWS Cost Explorer
Correct Answer: IAM Credential Report / Access Analyzer
Explanation:
IAM Credential Reports list all users and the status of their credentials, while Access Analyzer helps identify unintended external access.
Incorrect! Try again.
46If an explicit Deny and an explicit Allow exist for the same request, which one takes precedence?
A.Explicit Allow
B.The most recent policy
C.The policy with the most permissions
D.Explicit Deny
Correct Answer: Explicit Deny
Explanation:
In AWS IAM evaluation logic, an Explicit Deny always overrides an Explicit Allow.
Incorrect! Try again.
47Which is a valid use case for Web Identity Federation?
A.Connecting an on-premise data center to VPC
B.Managing EC2 instances
C.Encrypting S3 buckets
D.Authenticating users via Google or Facebook to access AWS resources
Correct Answer: Authenticating users via Google or Facebook to access AWS resources
Explanation:
Web Identity Federation allows users to assume an identity and access AWS resources after successfully authenticating with a web identity provider like Amazon, Facebook, or Google.
Incorrect! Try again.
48What is the 'Condition' element in an IAM JSON policy used for?
A.To specify circumstances under which the policy grants permission
B.To define who can access the resource
C.To list the allowed actions
D.To specify the resource ARN
Correct Answer: To specify circumstances under which the policy grants permission
Explanation:
Conditions are used to specify when a policy is in effect (e.g., only if the request comes from a specific IP range or requires MFA).
Incorrect! Try again.
49Which service acts as a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads?
A.Amazon GuardDuty
B.Amazon Macie
C.AWS WAF
D.AWS Shield
Correct Answer: Amazon GuardDuty
Explanation:
GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior.
Incorrect! Try again.
50What type of scaling is described as adding more power (CPU, RAM) to an existing machine?
A.Diagonal Scaling
B.Horizontal Scaling
C.Vertical Scaling
D.Auto Scaling
Correct Answer: Vertical Scaling
Explanation:
Vertical scaling (scaling up) involves increasing the specifications (CPU/RAM) of an individual resource, whereas horizontal scaling (scaling out) involves adding more instances.