CLF-C01 Exam - AWS Certified Cloud Practitioner

NEW QUESTION 1

Which AWS service provides highly durable object storage?

• A. Amazon S3
• B. Amazon Elastic File System (Amazon EFS)
• C. Amazon Elastic Block Store (Amazon EBS)
• D. Amazon FSx

Answer: A

Explanation:
Amazon S3 is the AWS service that provides highly durable object storage. Amazon S3 is designed to provide 99.999999999% durability of objects over a given year.
This means that you can store your data with high confidence that it will not be lost. Amazon S3 also provides high availability, scalability, security, and performance for your data. You can use Amazon S3 to store and retrieve any amount of data, at any time, from anywhere on the web5.

NEW QUESTION 2

A company is migrating its workloads to the AWS Cloud. The company must retain full control of patch management for the guest operating systems that host its applications.
Which AWS service should the company use to meet these requirements?

• A. Amazon DynamoDB
• B. Amazon EC2
• C. AWS Lambda
• D. Amazon RDS

Answer: B

Explanation:
Amazon EC2 is the AWS service that the company should use to meet its requirements of retaining full control of patch management for the guest operating systems that host its applications. Amazon EC2 is a service that provides secure, resizable compute capacity in the cloud. Users can launch virtual servers, called instances, that run various operating systems, such as Linux, Windows, macOS, and more. Users have full administrative access to their instances and can install and configure any software, including patches and updates, on their instances. Users are responsible for managing the security and maintenance of their instances, including patching the guest operating system and applications. Users can also use AWS Systems Manager to automate and simplify the patching process for their EC2 instances. AWS Systems Manager is a service that helps users manage their AWS and on-premises resources at scale. Users can use AWS Systems Manager Patch Manager to scan their instances for missing patches, define patch baselines and maintenance windows, and apply patches automatically or manually across their instances. Users can also use AWS Systems Manager to monitor the patch compliance status and patching history of their instances. References: What is Amazon EC2?, AWS Systems Manager Patch Manager

NEW QUESTION 3

In which of the following AWS services should database credentials be stored for maximum security?

• A. AWS Identity and Access Management (IAM)
• B. AWS Secrets Manager
• C. Amazon S3
• D. AWS Key Management Service (AWS KMS)

Answer: B

Explanation:
AWS Secrets Manager is the AWS service where database credentials should be stored for maximum security. AWS Secrets Manager helps to protect the secrets, such as database credentials, passwords, API keys, and tokens, that are used to access applications, services, and resources. AWS Secrets Manager enables secure storage, encryption, rotation, and retrieval of the secrets. AWS Secrets Manager also integrates with other AWS services, such as AWS Identity and Access Management (IAM), AWS Key Management Service (AWS KMS), and AWS Lambda. For more information, see [What is AWS Secrets Manager?] and [Getting Started with AWS Secrets Manager].

NEW QUESTION 4

A company is using a third-party service to back up 10 TB of data to a tape library. The on- premises backup server is running out of space. The company wants to use AWS services for the backups without changing its existing backup workflows.
Which AWS service should the company use to meet these requirements?

• A. Amazon Elastic Block Store (Amazon EBS)
• B. AWS Storage Gateway
• C. Amazon Elastic Container Service (Amazon ECS)
• D. AWS Lambda

Answer: B

Explanation:
The correct answer is B because AWS Storage Gateway is a service that should be used by the company to meet the requirements. AWS Storage Gateway is a service that connects on-premises software applications with cloud-based storage. AWS Storage Gateway supports three types of gateways: file gateway, volume gateway, and tape gateway. The tape gateway type enables users to back up and archive data to virtual tapes in AWS without changing their existing backup workflows. Users can use their existing backup applications and tape libraries to store data on virtual tapes in Amazon S3 or Amazon S3 Glacier. The other options are incorrect because they are not services that should be used by the company to meet the requirements. Amazon Elastic Block Store (Amazon EBS) is a service that provides block-level storage volumes for Amazon EC2 instances. Amazon Elastic Container Service (Amazon ECS) is a service that enables users to run, scale, and secure containerized applications on AWS. AWS Lambda is a service that enables users to run code without provisioning or managing servers. Reference: AWS Storage Gateway FAQs

NEW QUESTION 5

Which actions are best practices for an AWS account root user? (Select TWO.)

• A. Share root user credentials with team members.
• B. Create multiple root users for the account, separated by environment.
• C. Enable multi-factor authentication (MFA) on the root user.
• D. Create an IAM user with administrator privileges for daily administrative tasks, instead of using the root user.
• E. Use programmatic access instead of the root user and password.

Answer: CD

Explanation:
The AWS account root user is the identity that has complete access to all AWS services and resources in the account. It is accessed by signing in with the email address and password that were used to create the account1. The root user should be protected and used only for a few account and service management tasks that require it1. Therefore, the following actions are best practices for an AWS account root user:
✑ Enable multi-factor authentication (MFA) on the root user. MFA is a security feature that requires users to provide two or more pieces of information to authenticate themselves, such as a password and a code from a device. MFA adds an extra layer of protection for the root user credentials, which can access sensitive information and perform critical operations in the account2.
✑ Create an IAM user with administrator privileges for daily administrative tasks, instead of using the root user. IAM is a service that helps customers manage access to AWS resources for users and groups. Customers can create IAM users and assign them permissions to perform specific tasks on specific
resources. Customers can also create IAM roles and policies to delegate access to other AWS services or external entities3. By creating an IAM user with administrator privileges, customers can avoid using the root user for everyday tasks and reduce the risk of accidental or malicious changes to the account1.

NEW QUESTION 6

A company needs an automated vulnerability management service that continually scans AWS workloads for software vulnerabilities.
Which AWS service will meet these requirements?

• A. Amazon GuardDuty
• B. Amazon Inspector
• C. AWS Security Hub
• D. AWS Shield

Answer: B

Explanation:
The correct answer is B. Amazon Inspector.
Amazon Inspector is an automated vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure. Amazon Inspector automatically discovers workloads, such as Amazon EC2 instances, containers, and Lambda functions, and scans them for software vulnerabilities and unintended network exposure12.
Amazon GuardDuty is a threat detection service that monitors your AWS accounts and workloads for malicious or unauthorized activity. Amazon GuardDuty does not scan for software vulnerabilities, but rather analyzes AWS CloudTrail, Amazon VPC Flow Logs, and DNS logs to detect threats such as compromised credentials, backdoors, or crypto mining3.
AWS Security Hub is a security and compliance service that aggregates and prioritizes security findings from multiple AWS services and partner solutions. AWS Security Hub does not scan for software vulnerabilities, but rather provides a comprehensive view of your security posture across your AWS accounts4.
AWS Shield is a managed service that protects your web applications and network resources from distributed denial-of-service (DDoS) attacks. AWS Shield does not scan for software vulnerabilities, but rather provides detection and mitigation of DDoS attacks at the network and application layers5.
References:
1: Automated Software Vulnerability Management - Amazon Inspector - AWS 3: [Amazon GuardDuty – Intelligent Threat Detection Made Easy] 2: AWS Re-Launches Amazon Inspector with New Architecture and Features - InfoQ 4: [AWS Security Hub – Unified Security and Compliance Center] 5: [AWS Shield – Managed DDoS Protection]

NEW QUESTION 7

A company wants durable storage for static content and infinitely scalable data storage infrastructure at the lowest cost.
Which AWS service should the company choose?

• A. Amazon Elastic Block Store (Amazon EBS)
• B. Amazon S3
• C. AWS Storage Gateway
• D. Amazon Elastic File System (Amazon EFS)

Answer: B

Explanation:
Amazon S3 is a service that provides durable storage for static content and infinitely scalable data storage infrastructure at the lowest cost. Amazon S3 is an object storage service that allows you to store and retrieve any amount of data from anywhere on the internet. Amazon S3 offers industry-leading scalability, availability, and performance, as well as 99.999999999% (11 9s) of durability and multi-AZ resilience. Amazon S3 also provides various storage classes that offer different levels of performance and cost optimization, such as S3 Standard, S3 Intelligent-Tiering, S3 Standard-Infrequent Access (S3 Standard-IA), S3 One Zone-Infrequent Access (S3 One Zone-IA), and S3 Glacier456. Amazon S3 is ideal for storing static content, such as images, videos, documents, and web pages, as well as building data lakes, backup and archive solutions, big data analytics, and machine learning applications456. References: 4: Cloud Storage on AWS, 5: Object Storage - Amazon Simple Storage Service (S3) - AWS, 6: Amazon S3 Documentation

NEW QUESTION 8

Which option is the default pricing model for Amazon EC2 instances?

• A. On-Demand Instances
• B. Savings Plans
• C. Spot Instances
• D. Reserved Instances

Answer: A

Explanation:
On-Demand Instances are the default pricing model for Amazon EC2 instances. They allow users to pay for compute capacity by the second, with no long-term commitments or upfront payments. They are suitable for applications with short-term, irregular, or unpredictable workloads that cannot be interrupted3. Savings Plans are a pricing model that offer significant savings on Amazon EC2 and AWS Fargate usage, in exchange for a commitment to a consistent amount of usage (measured in $/hour) for a 1- year or 3-year term. Spot Instances are a pricing model that offer spare Amazon EC2 compute capacity at up to 90% discount compared to On-Demand prices, but they can be interrupted by AWS with a two-minute notice when the demand exceeds the supply. Reserved Instances are a pricing model that offer up to 75% discount compared to On- Demand prices, in exchange for a commitment to use a specific instance type and size in a specific region for a 1-year or 3-year term.

NEW QUESTION 9

A company wants to use the AWS Cloud to deploy an application globally.
Which architecture deployment model should the company use to meet this requirement?

• A. Multi-Region
• B. Single-Region
• C. Multi-AZ
• D. Single-AZ

Answer: A

Explanation:
The architecture deployment model that the company should use to meet this requirement is A. Multi-Region.
A multi-region deployment model is a cloud computing architecture that distributes an application and its data across multiple geographic regions. A multi-region deployment model enables a company to achieve global reach, high availability, disaster recovery, and performance optimization. By deploying an application in multiple regions, a company can serve customers from the nearest region, reduce latency, increase redundancy, and comply with data sovereignty regulations12.
A single-region deployment model is a cloud computing architecture that runs an application and its data within a single geographic region. A single-region deployment model is simpler and cheaper than a multi-region deployment model, but it has limited scalability, availability, and performance. A single-region deployment model may not be suitable for a company that wants to deploy an application globally, as it may face challenges such as network latency, regional outages, or regulatory compliance12.
A multi-AZ (Availability Zone) deployment model is a cloud computing architecture that distributes an application and its data across multiple isolated locations within a single region. An Availability Zone is a physically separate location within an AWS Region that has independent power, cooling, and networking. A multi-AZ deployment model enhances the availability and durability of an application by providing redundancy and fault tolerance within a region34.
A single-AZ deployment model is a cloud computing architecture that runs an application and its data within a single Availability Zone. A single-AZ deployment model is the simplest and most cost-effective option, but it has no redundancy or fault tolerance. A single-AZ deployment model may not be suitable for a company that wants to deploy an application globally, as it may face challenges such as network latency, regional outages, or regulatory compliance34.
References:
1: AWS Cloud Computing - W3Schools 2: Understand the Different Cloud Computing Deployment Models Unit - Trailhead 3: Regions and Availability Zones - Amazon Elastic Compute Cloud 4: AWS Reference Architecture Diagrams

NEW QUESTION 10

Which of the following is a benefit of operating in the AWS Cloud?

• A. The ability to migrate on-premises network devices to the AWS Cloud
• B. The ability to expand compute, storage, and memory when needed
• C. The ability to host custom hardware in the AWS Cloud
• D. The ability to customize the underlying hypervisor layer for Amazon EC2

Answer: B

Explanation:
One of the benefits of operating in the AWS Cloud is the ability to expand compute, storage, and memory when needed, which enables users to scale their applications and resources up or down based on demand. This also helps users optimize their costs and performance. The ability to migrate on-premises network devices to the AWS Cloud, the ability to host custom hardware in the AWS Cloud, and the ability to customize the underlying hypervisor layer for Amazon EC2 are not benefits of operating in the AWS Cloud, as they are either not possible or not recommended by AWS .

NEW QUESTION 11

An Availability Zone consists of:

• A. one or more data centers in a single location.
• B. two or more data centers in multiple locations.
• C. one or more physical hosts in a single data center.
• D. two or more physical hosts in multiple data centers.

Answer: A

Explanation:
The correct answer is A because an Availability Zone consists of one or more data centers in a single location. An Availability Zone is an isolated location within an AWS Region that has independent power, cooling, and networking. Each Availability Zone has one or more data centers that host the physical servers and storage devices that run the AWS services. The other options are incorrect because they are not accurate descriptions of an Availability Zone. Two or more data centers in multiple locations are not an Availability Zone, but rather multiple Availability Zones within an AWS Region. One or more physical hosts in a single data center are not an Availability Zone, but rather the components of a data center within an Availability Zone. Two or more physical hosts in multiple data centers are not an Availability Zone, but rather the components of multiple data centers within one or more Availability Zones. Reference: [Regions, Availability Zones, and Local Zones]

NEW QUESTION 12

A security engineer wants a single-tenant AWS solution to create, control, and manage their own cryptographic keys to meet regulatory compliance requirements for data security.
Which AWS service should the engineer use?

• A. AWS Key Management Service (AWS KMS)
• B. AWS Certificate Manager (ACM)
• C. AWS CloudHSM
• D. AWS Systems Manager

Answer: C

Explanation:
The correct answer is C because AWS CloudHSM is an AWS service that enables the security engineer to meet the requirements. AWS CloudHSM is a service that provides customers with dedicated hardware security modules (HSMs) to create, control, and manage their own cryptographic keys in the AWS Cloud. AWS CloudHSM allows customers to meet strict regulatory compliance requirements for data security, such as FIPS 140-2 Level 3, PCI-DSS, and HIPAA. The other options are incorrect because they are not AWS services that enable the security engineer to meet the requirements. AWS Key Management Service (AWS KMS) is a service that provides customers with a fully managed, scalable, and integrated key management system to create and control encryption keys for AWS services and applications. AWS KMS does not provide customers with single-tenant or dedicated HSMs. AWS Certificate Manager (ACM) is a service that provides customers with a simple and secure way to provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and internal connected resources. ACM does not provide customers with HSMs or cryptographic keys. AWS Systems Manager is a service that provides customers with a unified user interface to view operational data from multiple AWS services and automate operational tasks across their AWS resources. AWS Systems Manager does not provide customers with HSMs or cryptographic keys. Reference: AWS CloudHSM FAQs

NEW QUESTION 13

A company has deployed an Amazon EC2 instance.
Which option is an AWS responsibility under the AWS shared responsibility model?

• A. Managing and encrypting application data
• B. Installing updates and security patches of guest operating system
• C. Configuration of infrastructure devices
• D. Configuration of security groups on each instance

Answer: C

Explanation:
According to the AWS shared responsibility model, AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud, such as data centers, hardware, software, networking, and facilities1. This includes the configuration of infrastructure devices, such as routers, switches, firewalls, and load balancers2. Customers are responsible for managing their data, applications, operating systems, security groups, and other aspects of their AWS environment1. Therefore, options A, B, and D are customer responsibilities, not AWS responsibilities. References: 1: AWS Well-Architected Framework - Elasticity; 2: Reactive Systems on AWS - Elastic

NEW QUESTION 14

A company needs to apply security rules to specific Amazon EC2 instances. Which AWS service or feature provides this functionality?

• A. AWS Shield
• B. Network ACLs
• C. Security groups
• D. AWS Firewall Manager

Answer: C

Explanation:
Security groups act as a firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level. You can use security groups to set rules that allow or deny traffic to or from your instances. You can modify the rules for a security group at any time; the new rules are automatically applied to all instances that are associated with the security group.

NEW QUESTION 15

An ecommerce company wants to use Amazon EC2 Auto Scaling to add and remove EC2 instances based on CPU utilization.
Which AWS service or feature can initiate an Amazon EC2 Auto Scaling action to achieve this goal?

• A. Amazon Simple Queue Service (Amazon SQS)
• B. Amazon Simple Notification Service (Amazon SNS)
• C. AWS Systems Manager
• D. Amazon CloudWatch alarm

Answer: D

Explanation:
Amazon CloudWatch alarm is an AWS service or feature that can initiate an Amazon EC2 Auto Scaling action based on CPU utilization. Amazon CloudWatch is a monitoring and observability service that collects and tracks metrics, logs, events, and alarms for your AWS resources and applications. Amazon CloudWatch alarms are actions that you can configure to send notifications or automatically make changes to the resources you are monitoring based on rules that you define67.
Amazon EC2 Auto Scaling is a service that helps you maintain application availability and allows you to automatically add or remove EC2 instances according to definable conditions. You can create dynamic scaling policies that track a specific CloudWatch metric, such as CPU utilization, and define what action to take when the associated CloudWatch alarm is in ALARM. When the policy is in effect, Amazon EC2 Auto Scaling adjusts the group’s desired capacity up or down when the threshold of an alarm is
breached89. References: 6: Cloud Monitoring - Amazon CloudWatch - AWS, 7: Amazon
CloudWatch Documentation, 8: Dynamic scaling for Amazon EC2 Auto Scaling, 9: Amazon EC2 Auto Scaling Documentation

NEW QUESTION 16
SIMULATION
A company runs thousands of simultaneous simulations using AWS Batch. Each simulation is stateless, is fault tolerant, and runs for up to 3 hours.
Which pricing model enables the company to optimize costs and meet these requirements?

• A. Reserved Instances
• B. Spot Instances
• C. On-Demand Instances
• D. Dedicated Instances

Answer: B

Explanation:

The correct answer is B because Spot Instances enable the company to optimize costs and meet the requirements. Spot Instances are spare EC2 instances that are available at up to 90% discount compared to On-Demand prices. Spot Instances are suitable for stateless, fault-tolerant, and flexible applications that can run for any duration. The other options are incorrect because they do not enable the company to optimize costs and meet the requirements. Reserved Instances are EC2 instances that are reserved for a specific period of time (one or three years) in exchange for a lower hourly rate. Reserved Instances are suitable for steady-state or predictable workloads that run for a long duration. On- Demand Instances are EC2 instances that are launched and billed at a fixed hourly rate.
On-Demand Instances are suitable for short-term, irregular, or unpredictable workloads that cannot be interrupted. Dedicated Instances are EC2 instances that run on hardware that is dedicated to a single customer. Dedicated Instances are suitable for workloads that require regulatory compliance or data isolation. Reference: [Amazon EC2 Instance Purchasing Options]

NEW QUESTION 17
......