A few sample questions I grabbed from the interwebs to prepare for the AWS CSA exam. Hope it helps others in their preparation. Answers are at the bottom of the post.
- What does Amazon Route53 provide?
- A global Content Delivery Network.
- None of these.
- A scalable Domain Name System
- An SSH endpoint for Amazon EC2.
- Does Amazon Route 53 support NS Records?
- Yes, it supports Name Service records.
- It supports only MX records.
- Yes, it supports Name Server records.
- Does Route 53 support MX Records?
- It supports CNAME records, but not MX records.
- Only Primary MX records. Secondary MX records are not supported.
- Which of the following statements are true about Amazon Route 53 resource records? Choose 2 answers
- An Alias record can map one DNS name to another Amazon Route 53 DNS name.
- A CNAME record can be created for your zone apex.
- An Amazon Route 53 CNAME record can point to any DNS record hosted anywhere.
- TTL can be set for an Alias record in Amazon Route 53.
- An Amazon Route 53 Alias record can point to any DNS record hosted anywhere.
- Which statements are true about Amazon Route 53? (Choose 2 answers)
- Amazon Route 53 is a region-level service
- You can register your domain name
- Amazon Route 53 can perform health checks and fail over to a backup site in the event of the primary site's failure
- Amazon Route 53 only supports Latency-based routing
- A customer is hosting their company website on a cluster of web servers that are behind a public-facing load balancer. The customer also uses Amazon Route 53 to manage their public DNS. How should the customer configure the DNS zone apex record to point to the load balancer?
- Create an A record pointing to the IP address of the load balancer
- Create a CNAME record pointing to the load balancer DNS name.
- Create a CNAME record aliased to the load balancer DNS name.
- Create an A record aliased to the load balancer DNS name
- A user has configured ELB with three instances. The user wants to achieve High Availability as well as redundancy with ELB. Which of the below mentioned AWS services helps the user achieve this for ELB?
- Route 53
- AWS Mechanical Turk
- Auto Scaling
- AWS EMR
- How can the domain’s zone apex, for example “myzoneapexdomain.com”, be pointed towards an Elastic Load Balancer?
- By using an AAAA record
- By using an A record
- By using an Amazon Route 53 CNAME record
- By using an Amazon Route 53 Alias record
- You have deployed a web application targeting a global audience across multiple AWS Regions under the domain name example.com. You decide to use Route 53 Latency-Based Routing to serve web requests to users from the region closest to the user. To provide business continuity in the event of server downtime you configure weighted record sets associated with two web servers in separate Availability Zones per region. During a DR test you notice that when you disable all web servers in one of the regions, Route 53 does not automatically direct all users to the other region. What could be happening? (Choose 2 answers)
- Latency resource record sets cannot be used in combination with weighted resource record sets.
- You did not set up an HTTP health check for one or more of the weighted resource record sets associated with the disabled web servers
- The value of the weight associated with the latency alias resource record set in the region with the disabled servers is higher than the weight for the other region.
- One of the two working web servers in the other region did not pass its HTTP health check
- You did not set “Evaluate Target Health” to “Yes” on the latency alias resource record set associated with example.com in the region where you disabled the servers.
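The DR-test scenario in the question above, as an added example that is not from the original post or from AWS: a small Python model of latency alias records whose targets are weighted record sets, with the two Route 53 rules that make the test fail (a record with no associated health check is always considered healthy, and an alias whose target health is not evaluated is never considered unhealthy). The region names, record names and the 203.0.113.x / 198.51.100.x addresses are constructed sample data, and the health semantics are simplified from the Route 53 documentation.

```python
"""Toy model of Route 53 latency alias records pointing at weighted record
sets, to show why disabling one region's servers does not fail users over.
Added example; simplified from Route 53's documented health behaviour."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class WeightedRecord:
    value: str            # constructed sample IP of one web server
    weight: int
    health_check: bool    # an HTTP health check is associated with the record
    healthy: bool = True  # last health-check result (ignored without a check)

    def considered_healthy(self) -> bool:
        # Route 53 treats a record with no associated health check as healthy,
        # so a dead server behind a check-less record keeps receiving traffic.
        return self.healthy if self.health_check else True


@dataclass
class LatencyAlias:
    region: str
    alias_target: str             # name of the weighted record set it aliases
    evaluate_target_health: bool  # the "Evaluate Target Health" setting


@dataclass
class HostedZone:
    weighted_sets: Dict[str, List[WeightedRecord]]
    latency_records: List[LatencyAlias]

    def weighted_set_healthy(self, name: str) -> bool:
        # A group of weighted records is healthy if any member is healthy.
        return any(r.considered_healthy() for r in self.weighted_sets[name])

    def alias_healthy(self, rec: LatencyAlias) -> bool:
        # Without Evaluate Target Health the alias is never marked unhealthy,
        # regardless of what the health checks on its target report.
        if not rec.evaluate_target_health:
            return True
        return self.weighted_set_healthy(rec.alias_target)

    def resolve(self, latency_order: List[str]) -> str:
        """Return the region Route 53 answers with for a resolver whose
        regions, ordered from lowest to highest latency, are latency_order."""
        by_region = {r.region: r for r in self.latency_records}
        candidates = [by_region[reg] for reg in latency_order if reg in by_region]
        healthy = [c for c in candidates if self.alias_healthy(c)]
        # Route 53 fails open: with no healthy candidate it still answers
        # with the lowest-latency record.
        return (healthy or candidates)[0].region


def build_zone(health_checks: bool, evaluate_target_health: bool) -> HostedZone:
    """Constructed zone: two regions, two web servers (one per AZ) in each."""
    return HostedZone(
        weighted_sets={
            "us-east-1.example.com": [
                WeightedRecord("203.0.113.10", 50, health_checks),
                WeightedRecord("203.0.113.11", 50, health_checks),
            ],
            "eu-west-1.example.com": [
                WeightedRecord("198.51.100.10", 50, health_checks),
                WeightedRecord("198.51.100.11", 50, health_checks),
            ],
        },
        latency_records=[
            LatencyAlias("us-east-1", "us-east-1.example.com", evaluate_target_health),
            LatencyAlias("eu-west-1", "eu-west-1.example.com", evaluate_target_health),
        ],
    )


def dr_test(health_checks: bool, evaluate_target_health: bool) -> str:
    """Disable every web server in us-east-1 and report which region a US
    user (lowest latency to us-east-1) is sent to."""
    zone = build_zone(health_checks, evaluate_target_health)
    for rec in zone.weighted_sets["us-east-1.example.com"]:
        rec.healthy = False  # servers are down; their checks (if any) now fail
    return zone.resolve(["us-east-1", "eu-west-1"])


if __name__ == "__main__":
    for checks in (False, True):
        for eth in (False, True):
            print(f"health checks={checks!s:5} evaluate target health={eth!s:5} "
                  f"-> US user sent to {dr_test(checks, eth)}")
```

Only the combination of health checks on the weighted records and Evaluate Target Health on the latency alias sends the US user to eu-west-1; either one alone still answers with the dead region, which is why answers 2 and 5 are the pair to pick.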
- The compliance department within your multi-national organization requires that all data for your customers that reside in the European Union (EU) must not leave the EU and also data for customers that reside in the US must not leave the US without explicit authorization. What must you do to comply with this requirement for a web based profile management application running on EC2?
- Run EC2 instances in multiple AWS Availability Zones in single Region and leverage an Elastic Load Balancer with session stickiness to route traffic to the appropriate zone to create their profile (should be in 2 different regions – US and Europe)
- Run EC2 instances in multiple Regions and leverage Route 53’s Latency Based Routing capabilities to route traffic to the appropriate region to create their profile (Latency based routing policy would not guarantee the compliance requirement)
- Run EC2 instances in multiple Regions and leverage a third party data provider to determine if a user needs to be redirected to the appropriate region to create their profile
- Run EC2 instances in multiple AWS Availability Zones in a single Region and leverage a third party data provider to determine if a user needs to be redirected to the appropriate zone to create their profile (should be in 2 different regions – US and Europe)
- A US-based company is expanding their web presence into Europe. The company wants to extend their AWS infrastructure from Northern Virginia (us-east-1) into the Dublin (eu-west-1) region. Which of the following options would enable an equivalent experience for users on both continents?
- Use a public-facing load balancer per region to load-balance web traffic, and enable HTTP health checks.
- Use a public-facing load balancer per region to load-balance web traffic, and enable sticky sessions.
- Use Amazon Route 53, and apply a geolocation routing policy to distribute traffic across both regions
- Use Amazon Route 53, and apply a weighted routing policy to distribute traffic across both regions.
- You have been asked to propose a multi-region deployment of a web-facing application where a controlled portion of your traffic is being processed by an alternate region. Which configuration would achieve that goal?
- Route 53 record sets with weighted routing policy
- Route 53 record sets with latency based routing policy
- Auto Scaling with scheduled scaling actions set
- Elastic Load Balancing with health checks enabled
- Your company is moving towards tracking web page users with a small tracking image loaded on each page. Currently you are serving this image out of US-East, but are starting to get concerned about the time it takes to load the image for users on the west coast. What are the two best ways to speed up serving this image? Choose 2 answers
- Use Route 53’s Latency Based Routing and serve the image out of US-West-2 as well as US-East-1
- Serve the image out through CloudFront
- Serve the image out of S3 so that it isn’t being served out of your web application tier
- Use EBS PIOPs to serve the image faster out of your EC2 instances
- Which service enables AWS customers to manage users and permissions in AWS?
- AWS Access Control Service (ACS)
- AWS Identity and Access Management (IAM)
- AWS Identity Manager (AIM)
- IAM provides several policy templates you can use to automatically assign permissions to the groups you create. The _____ policy template gives the Admins group permission to access all account resources, except your AWS account information
- Read Only Access
- Power User Access
- AWS Cloud Formation Read Only Access
- Administrator Access
- Every user you create in the IAM system starts with _________.
- Partial permissions
- Full permissions
- No permissions
- Groups can’t _____.
- be nested more than 3 levels
- be nested at all
- be nested more than 4 levels
- be nested more than 2 levels
- The _____ service is targeted at organizations with multiple users or systems that use AWS products such as Amazon EC2, Amazon SimpleDB, and the AWS Management Console.
- Amazon RDS
- AWS Integrity Management
- AWS Identity and Access Management
- Amazon EMR
- An AWS customer is deploying an application that is composed of an Auto Scaling group of EC2 instances. The customer’s security policy requires that every outbound connection from these instances to any other service within the customer’s Virtual Private Cloud must be authenticated using a unique X.509 certificate that contains the specific instance ID. In addition, the X.509 certificates must be signed by the customer’s key management service in order to be trusted for authentication. Which of the following configurations will support these requirements?
- Configure an IAM Role that grants access to an Amazon S3 object containing a signed certificate and configure the Auto Scaling group to launch instances with this role. Have the instances’ bootstrap script get the certificate from Amazon S3 upon first boot.
- Embed a certificate into the Amazon Machine Image that is used by the Auto Scaling group. Have the launched instances generate a certificate signing request with the instance’s assigned instance-id to the key management service for signature.
- Configure the Auto Scaling group to send an SNS notification of the launch of a new instance to the trusted key management service. Have the key management service generate a signed certificate and send it directly to the newly launched instance.
- Configure the launched instances to generate a new certificate upon first boot. Have the key management service poll the Auto Scaling group for associated instances and send new instances a certificate signature that contains the specific instance-id.
- When assessing an organization’s use of AWS API access credentials, which of the following three credentials should be evaluated? Choose 3 answers
- Key pairs
- Console passwords (required only for management console)
- Access keys
- Signing certificates
- Security Group memberships (required for EC2 instance access)
- An organization has created 50 IAM users. The organization wants each user to be able to change their password but not their access keys. How can the organization achieve this?
- The organization has to create a special password policy and attach it to each user
- The root account owner has to use CLI which forces each IAM user to change their password on first login
- By default each IAM user can modify their passwords
- Root account owner can set the policy from the IAM console under the password policy screen
- An organization has created 50 IAM users. The organization has introduced a new policy which will change the access of an IAM user. How can the organization implement this effectively so that there is no need to apply the policy at the individual user level?
- Use the IAM groups and add users as per their role to different groups and apply policy to group
- The user can create a policy and apply it to multiple users in a single go with the AWS CLI
- Add each user to the IAM role as per their organization role to achieve effective policy setup
- Use the IAM role and implement access at the role level
- Your organization’s security policy requires that all privileged users either use frequently rotated passwords or one-time access credentials in addition to username/password. Which two of the following options would allow an organization to enforce this policy for AWS users? Choose 2 answers
- Configure multi-factor authentication for privileged IAM users
- Create IAM users for privileged accounts
- Implement identity federation between your organization’s Identity provider leveraging the IAM Security Token Service
- Enable the IAM single-use password policy option for privileged users (no such option the password expiration can be set from 1 to 1095 days)
- Your organization is preparing for a security assessment of your use of AWS. In preparation for this assessment, which two IAM best practices should you consider implementing? Choose 2 answers
- Create individual IAM users for everyone in your organization
- Configure MFA on the root account and for privileged IAM users
- Assign IAM users and groups configured with policies granting least privilege access
- Ensure all users have been assigned and are frequently rotating a password, access ID/secret key, and X.509 certificate
- A company needs to deploy services to an AWS region which they have not previously used. The company currently has an AWS Identity and Access Management (IAM) role for the Amazon EC2 instances, which permits the instances to access Amazon DynamoDB. The company wants their EC2 instances in the new region to have the same privileges. How should the company achieve this?
- Create a new IAM role and associated policies within the new region
- Assign the existing IAM role to the Amazon EC2 instances in the new region
- Copy the IAM role and associated policies to the new region and attach it to the instances
- Create an Amazon Machine Image (AMI) of the instance and copy it to the desired region using the AMI Copy feature
- After creating a new IAM user which of the following must be done before they can successfully make API calls?
- Add a password to the user.
- Enable Multi-Factor Authentication for the user.
- Assign a Password Policy to the user.
- Create a set of Access Keys for the user
- An organization is planning to create a user with IAM. They are trying to understand the limitations of IAM so that they can plan accordingly. Which of the below mentioned statements is not true with respect to the limitations of IAM?
- One IAM user can be a part of a maximum of 10 groups
- Organization can create 100 groups per AWS account
- One AWS account can have a maximum of 5000 IAM users
- One AWS account can have 250 roles
- Within the IAM service a GROUP is regarded as a:
- A collection of AWS accounts
- It’s the group of EC2 machines that gain the permissions specified in the GROUP.
- There’s no GROUP in IAM, but only USERS and RESOURCES.
- A collection of users.
- Is there a limit to the number of groups you can have?
- Yes for all users except root
- Yes unless special permission granted
- Yes for all users
- What is the default maximum number of MFA devices in use per AWS account (at the root account level)?
- When you use the AWS Management Console to delete an IAM user, IAM also deletes any signing certificates and any access keys belonging to the user.
- This is configurable
- You are setting up a blog on AWS. In which of the following scenarios will you need AWS credentials? (Choose 3)
- Sign in to the AWS management console to launch an Amazon EC2 instance
- Sign in to the running instance to install some software
- Launch an Amazon RDS instance
- Log into your blog’s content management system to write a blog post
- Post pictures to your blog on Amazon S3
- IAM’s Policy Evaluation Logic always starts with a default ____________ for every request, except for those that use the AWS account’s root security credentials
- An organization has created 10 IAM users. The organization wants each of the IAM users to have access to a separate DynamoDB table. All the users are added to the same group and the organization wants to set up a group level policy for this. How can the organization achieve this?
- Define the group policy and add a condition which allows the access based on the IAM name
- Create a DynamoDB table with the same name as the IAM user name and define the policy rule which grants access based on the DynamoDB ARN using a variable
- Create a separate DynamoDB database for each user and configure a policy in the group based on the DB variable
- It is not possible to have a group level policy which allows different IAM users to different DynamoDB Tables
- An organization has set up multiple IAM users. The organization wants each IAM user to access the IAM console only from within the organization’s network and not from outside. How can it achieve this?
- Create an IAM policy with the security group and use that security group for AWS console login
- Create an IAM policy with a condition which denies access when the IP address range is not from the organization
- Configure the EC2 instance security group which allows traffic only from the organization’s IP range
- Create an IAM policy with VPC and allow a secure gateway between the organization and AWS Console
- Can I attach more than one policy to a particular entity?
- Yes always
- Only if within GovCloud
- Only if within VPC
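The last four IAM questions (default decision, per-user DynamoDB table via a policy variable, restricting console access by source IP, and attaching several policies to one entity) all come down to the same evaluation rules, so here is one added example that is not code from the original post or from AWS: a minimal Python evaluator of IAM's decision logic (implicit deny for every request, an explicit Deny in any attached policy wins, otherwise a matching Allow from any attached policy grants), run against two constructed policies. The first is the group policy that gives each user its own table through the `${aws:username}` variable; the second denies everything unless `aws:SourceIp` is inside the organization's ranges, using a `NotIpAddress` condition. The account ID, table and user names and the 198.51.100.0/24 / 203.0.113.0/24 ranges are made-up sample data, and only the condition operators used here are implemented, not the full IAM grammar.

```python
"""Minimal evaluator of IAM's policy decision logic for the constructed
policies below. Added example: models Action/Resource/Effect, the
${aws:username} policy variable and the IpAddress, NotIpAddress and
StringEquals condition operators only."""
import fnmatch
import ipaddress
from typing import Any, Dict, List

Policy = Dict[str, Any]
Context = Dict[str, str]


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _expand(pattern: str, ctx: Context) -> str:
    # Policy variables such as ${aws:username} come from the request context
    for key, val in ctx.items():
        pattern = pattern.replace("${" + key + "}", val)
    return pattern


def _matches(pattern: str, value: str, ctx: Context) -> bool:
    # IAM wildcards: '*' (any run of characters) and '?' (one character)
    return fnmatch.fnmatchcase(value, _expand(pattern, ctx))


def _ip_in(actual: str, ranges: List[str]) -> bool:
    return any(ipaddress.ip_address(actual) in ipaddress.ip_network(r) for r in ranges)


def _condition_holds(condition: Dict[str, Dict[str, Any]], ctx: Context) -> bool:
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            wanted = _as_list(wanted)
            actual = ctx.get(key)
            if operator == "IpAddress":
                ok = actual is not None and _ip_in(actual, wanted)
            elif operator == "NotIpAddress":
                # a missing key makes a negated condition true (nothing to exclude)
                ok = actual is None or not _ip_in(actual, wanted)
            elif operator == "StringEquals":
                ok = actual in wanted
            else:
                raise ValueError(f"condition operator not modelled: {operator}")
            if not ok:
                return False
    return True


def evaluate(policies: List[Policy], action: str, resource: str, ctx: Context) -> str:
    """Return 'Allow' or 'Deny' for one request against every attached policy."""
    decision = "Deny"  # IAM starts from an implicit deny for every request
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not any(_matches(a, action, ctx) for a in _as_list(stmt.get("Action", []))):
                continue
            if not any(_matches(r, resource, ctx) for r in _as_list(stmt.get("Resource", []))):
                continue
            if not _condition_holds(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny overrides every allow
            decision = "Allow"
    return decision


# Constructed group policy: each user may use only the table named after them.
PER_USER_TABLE_POLICY: Policy = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
        "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/${aws:username}",
    }],
}

# Constructed policy: deny everything from outside the organization's ranges.
CORPORATE_IP_ONLY_POLICY: Policy = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {"NotIpAddress": {"aws:SourceIp": ["198.51.100.0/24", "203.0.113.0/24"]}},
    }],
}


def corporate_request(user: str, table: str, source_ip: str) -> str:
    """Evaluate a DynamoDB GetItem with both policies attached to the user's group."""
    ctx = {"aws:username": user, "aws:SourceIp": source_ip}
    arn = f"arn:aws:dynamodb:us-east-1:123456789012:table/{table}"
    return evaluate([PER_USER_TABLE_POLICY, CORPORATE_IP_ONLY_POLICY],
                    "dynamodb:GetItem", arn, ctx)


if __name__ == "__main__":
    print("alice -> alice from office :", corporate_request("alice", "alice", "198.51.100.7"))
    print("alice -> bob   from office :", corporate_request("alice", "bob", "198.51.100.7"))
    print("alice -> alice from home   :", corporate_request("alice", "alice", "192.0.2.5"))
```

The two policies are attached together and evaluated as one set, which is what makes the single group policy work for all ten users: the table ARN is only resolved against `${aws:username}` at request time, and the IP restriction is a separate Deny statement that wins no matter which Allow matched.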
- A __________ is a document that provides a formal statement of one or more
- A __________ is the concept of allowing (or disallowing) an entity such as a user, group, or role some type of access to one or more resources.
- AWS Account
- True or False: When using IAM to control access to your RDS resources, the key names that can be used are case sensitive. For example, aws:CurrentTime is NOT equivalent to AWS:currenttime.
Answer key for the multiple-answer questions (the number is the question’s position in the list above, the values are the positions of the correct options):
- 4 (Route 53 resource records): 1, 3
- 5 (statements about Route 53): 2, 3
- 9 (latency plus weighted records DR test): 2, 5
- 13 (tracking image): 1, 2
- 20 (API access credentials): 1, 3, 4
- 23 (privileged users): 1, 2
- 24 (IAM best practices): 2, 3
- 32 (blog credentials): 1, 3, 5