- (Topic 3)
For which AWS service is the customer responsible for maintaining the underlying operating system?
Correct Answer:
C
Amazon EC2 is a service that provides resizable compute capacity in the cloud. Users can launch and manage virtual servers, known as instances, that run on the AWS infrastructure. Users are responsible for maintaining the underlying operating system of the instances, as well as any applications or software that run on them. Amazon DynamoDB is a service that provides a fully managed NoSQL database that delivers fast and consistent performance at any scale. Users do not need to manage the underlying operating system or the database software. Amazon S3 is a service that provides scalable and durable object storage in the cloud. Users do not need to manage the underlying operating system or the storage infrastructure. AWS Lambda is a service that allows users to run code without provisioning or managing servers. Users only need to upload their code and configure the triggers and parameters. AWS Lambda takes care of the underlying operating system and the execution environment.
- (Topic 1)
A company's information security manager is supervising a move to AWS and wants to ensure that AWS best practices are followed. The manager has concerns about the potential misuse of AWS account root user credentials.
Which of the following is an AWS best practice for using the AWS account root user credentials?
Correct Answer:
C
The AWS best practice for using the AWS account root user credentials is to use them only when they alone must be used to perform a required function. The AWS account root user credentials have full access to all the resources in the account, and therefore pose a security risk if compromised or misused. You should create individual IAM users with the minimum necessary permissions for everyday tasks, and use AWS Organizations to manage multiple accounts. You should also enable multi-factor authentication (MFA) and rotate the password for the root user regularly. Some of the functions that require the root user credentials are changing the account name, closing the account, changing the support plan, and restoring an IAM user’s access.
- (Topic 2)
A company is running an application that is hosted on Amazon EC2 instances. The usage of the EC2 instances is higher during daytime hours than nighttime hours. The company wants to optimize the number of EC2 instances based on this usage pattern.
Which AWS service or instance purchasing option should the company use to meet these requirements?
Correct Answer:
D
AWS Auto Scaling is the AWS service that allows users to optimize the number of EC2 instances based on the usage pattern, as it automatically adjusts the capacity to maintain steady and predictable performance at the lowest possible cost. Spot Instances are a way to reduce the cost of EC2 instances by bidding on unused EC2 capacity, but they are not suitable for applications that require steady and reliable performance. Reserved Instances are a way to reduce the cost of EC2 instances by committing to a certain amount of usage for a period of time, but they are not flexible to adjust to the usage pattern. AWS CloudFormation is a way to automate the creation and management of AWS resources, but it does not optimize the number of EC2 instances based on the usage pattern. These concepts are explained in the AWS Cloud Practitioner Essentials course.
- (Topic 3)
A company needs to block SQL injection attacks.
Which AWS service or feature can meet this requirement?
Correct Answer:
A
AWS WAF is a web application firewall that helps protect web applications from common web exploits, such as SQL injection attacks. It allows customers to create custom rules that block malicious requests. AWS Shield is a managed service that protects against distributed denial of service (DDoS) attacks, not SQL injection attacks. Network ACLs and security groups are network-level security features that filter traffic based on IP addresses and ports, not web requests or SQL queries.
- (Topic 3)
A company encourages its teams to test failure scenarios regularly and to validate their understanding of the impact of potential failures.
Which pillar of the AWS Well-Architected Framework does this philosophy represent?
Correct Answer:
A
Operational excellence is the pillar of the AWS Well-Architected Framework that represents the philosophy of testing failure scenarios regularly and validating the understanding of the impact of potential failures. The operational excellence pillar covers the best practices for designing, running, monitoring, and improving systems in the AWS Cloud. Testing failure scenarios is one of the ways to improve the system’s resilience, reliability, and recovery.