CLF-C02 Exam - AWS Certified Cloud Practitioner

NEW QUESTION 1

A developer has been hired by a large company and needs AWS credentials. Which are security best practices that should be followed? (Select TWO.)

• A. Grant the developer access to only the AWS resources needed to perform the job.
• B. Share the AWS account root user credentials with the developer.
• C. Add the developer to the administrator's group in AWS IAM.
• D. Configure a password policy that ensures the developer's password cannot be changed.
• E. Ensure the account password policy requires a minimum length.

Answer: AE

Explanation:
The security best practices that should be followed are A and E.
* A. Grant the developer access to only the AWS resources needed to perform the job. This is an example of the principle of least privilege, which means giving the minimum permissions necessary to achieve a task. This reduces the risk of unauthorized access, data leakage, or accidental damage to AWS resources. You can use AWS Identity and Access Management (IAM) to create users, groups, roles, and policies that grant fine- grained access to AWS resources12.
* E. Ensure the account password policy requires a minimum length. This is a basic security measure that helps prevent brute-force attacks or guessing of passwords. A longer password is harder to crack than a shorter one. You can use IAM to configure a password policy that enforces a minimum password length, as well as other requirements such as complexity, expiration, and history34.
* B. Share the AWS account root user credentials with the developer. This is a bad practice that should be avoided. The root user has full access to all AWS resources and services, and can perform sensitive actions such as changing billing information, closing the account, or deleting all resources. Sharing the root user credentials exposes your account to potential compromise or misuse. You should never share your root user credentials with anyone, and use them only for account administration tasks5 .
* C. Add the developer to the administrator’s group in IAM. This is also a bad practice that should be avoided. The administrator’s group has full access to all AWS resources and services, which is more than what a developer needs to perform their job. Adding the developer to the administrator’s group violates the principle of least privilege and increases the risk of unauthorized access, data leakage, or accidental damage to AWS resources. You should create a custom group for the developer that grants only the necessary permissions for their role12.
* D. Configure a password policy that ensures the developer’s password cannot be changed. This is another bad practice that should be avoided. Preventing the developer from changing their password reduces their ability to protect their credentials and comply with security policies. For example, if the developer’s password is compromised, they cannot change it to prevent further unauthorized access. Or if the company requires periodic password rotation, they cannot update their password to meet this requirement. You should allow the developer to change their password as needed, and enforce a password policy that sets reasonable rules for password management34.

NEW QUESTION 2

A company manages factory machines in real time. The company wants to use AWS technology to deploy its monitoring applications as close to the factory machines as possible.
Which AWS solution will meet these requirements with the LEAST latency?

• A. AWS Outposts
• B. Amazon EC2
• C. AWS App Runner
• D. AWS Batch

Answer: A

Explanation:
AWS Outposts is a fully managed service that extends AWS infrastructure, AWS services, APIs, and tools to virtually any datacenter, co-location space, or on- premises facility for a truly consistent hybrid experience. AWS Outposts enables you to run AWS services in your on-premises data center1.

NEW QUESTION 3

A manufacturing company has a critical application that runs at a remote site that has a slow internet connection. The company wants to migrate the workload to AWS. The application is sensitive to latency and interruptions in connectivity. The company wants a solution that can host this application with minimum latency.
Which AWS service or feature should the company use to meet these requirements?

• A. Availability Zones
• B. AWS Local Zones
• C. AWS Wavelength
• D. AWS Outposts

Answer: D

Explanation:
AWS Outposts is a service that offers fully managed and configurable compute and storage racks built with AWS-designed hardware that allow you to run your workloads on premises and seamlessly connect to AWS services in the cloud. AWS Outposts is ideal for workloads that require low latency, local data processing, or local data storage. With AWS Outposts, you can use the same AWS APIs, tools, and infrastructure across on premises and the cloud to deliver a truly consistent hybrid experience5. Availability Zones are isolated locations within each AWS Region that are engineered to be fault-tolerant and provide high availability. AWS Local Zones are extensions of AWS Regions that are placed closer to large population, industry, and IT centers where no AWS Region exists today. AWS Wavelength is a service that enables developers to build applications that deliver ultra-low latency to mobile devices and users by deploying AWS compute and storage at the edge of the 5G network. None of these services or features can help you host a critical application with minimum latency at a remote site that has a slow internet connection.

NEW QUESTION 4

A company website is experiencing DDoS attacks.
Which AWS service can help protect the company website against these attacks?

• A. AWS Resource Access Manager
• B. AWS Amplify
• C. AWS Shield
• D. Amazon GuardDuty

Answer: C

Explanation:
AWS Shield is a managed DDoS protection service that safeguards applications running on AWS from distributed denial of service (DDoS) attacks. DDoS attacks are malicious attempts to disrupt the normal functioning of a website or application by overwhelming it with a large volume of traffic from multiple sources. AWS Shield provides two tiers of protection: Standard and Advanced. AWS Shield Standard is automatically enabled for all AWS customers at no additional cost. It protects your AWS resources, such as Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53, from the most common and frequently occurring network and transport layer DDoS attacks. AWS Shield Advanced is an optional paid service that provides additional protection for your AWS resources and applications, such as Amazon Elastic Compute Cloud (Amazon EC2), Elastic Load Balancing (ELB), Amazon Simple Storage Service (Amazon S3), Amazon Relational Database Service (Amazon RDS), and AWS Elastic Beanstalk. AWS Shield Advanced offers enhanced detection and mitigation capabilities, 24/7 access to the AWS DDoS Response Team (DRT), real-time visibility and reporting, and cost protection against DDoS-related spikes in your AWS bill12
References: AWS Shield, What is a DDOS Attack & How to Protect Your Site Against One

NEW QUESTION 5

A company is migrating an application that includes an Oracle database to AWS. The company cannot rewrite the application.
To which AWS service could the company migrate the database?

• A. Amazon Athena
• B. Amazon DynamoDB®
• C. Amazon RDS
• D. Amazon DocumentDB (with MongoDB compatibility)

Answer: C

Explanation:
Amazon Relational Database Service (Amazon RDS) is a service that provides fully managed relational database engines. Amazon RDS supports several database engines, including Oracle, MySQL, PostgreSQL, MariaDB, SQL Server, and Amazon Aurora. Amazon RDS can be used to migrate an application that includes an Oracle database to AWS without rewriting the application, as long as the application is compatible with the Oracle version and edition supported by Amazon RDS. Amazon RDS can also provide benefits such as high availability, scalability, security, backup and restore, and performance optimization. [Amazon RDS Overview] AWS Certified Cloud Practitioner - aws.amazon.com

NEW QUESTION 6

A company wants to create a chatbot and integrate the chatbot with its current web application.
Which AWS service will meet these requirements?

• A. AmazonKendra
• B. Amazon Lex
• C. AmazonTextract
• D. AmazonPolly

Answer: B

Explanation:
The AWS service that will meet the requirements of the company that wants to create a chatbot and integrate the chatbot with its current web application is Amazon Lex. Amazon Lex is a service that helps customers build conversational interfaces using voice and text. The company can use Amazon Lex to create a chatbot that can understand natural language and respond to user requests, using the same deep learning technologies that power Amazon Alexa. Amazon Lex also provides easy integration with other AWS services, such as Amazon Comprehend, Amazon Polly, and AWS Lambda, as well as popular platforms, such as Facebook Messenger, Slack, and Twilio. Amazon Lex helps customers create engaging and interactive chatbots for their web applications. Amazon Kendra, Amazon Textract, and Amazon Polly are not the best services to use for this purpose. Amazon Kendra is a service that helps customers provide accurate and natural answers to natural language queries using machine learning. Amazon Textract is a service that helps customers extract text and data from scanned documents using optical character recognition (OCR) and machine learning. Amazon Polly is a service that helps customers convert text into lifelike speech using deep learning. These services are more useful for different types of natural language processing and generation tasks, rather than creating and integrating chatbots.

NEW QUESTION 7

A company needs help managing multiple AWS linked accounts that are reported on a consolidated bill.
Which AWS Support plan includes an AWS concierge whom the company can ask for assistance?

• A. AWS Developer Support
• B. AWS Enterprise Support
• C. AWS Business Support
• D. AWS Basic Support

Answer: B

Explanation:
AWS Enterprise Support is the AWS Support plan that includes an AWS concierge whom the company can ask for assistance. According to the AWS Support Plans page, AWS Enterprise Support provides "a dedicated Technical Account Manager (TAM) who provides advocacy and guidance to help plan and build solutions using best practices, coordinate access to subject matter experts, and proactively keep your AWS environment operationally healthy."2 AWS Business Support, AWS Developer Support, and AWS Basic Support do not include a TAM or a concierge service.

NEW QUESTION 8

A company must be able to develop, test, and launch an application in the AWS Cloud quickly.
Which advantage of cloud computing will meet these requirements?

• A. Stop guessing capacity
• B. Trade fixed expense for variable expense
• C. Achieve economies of scale
• D. Increase speed and agility

Answer: D

Explanation:
One of the benefits of cloud computing is that it enables customers to increase speed and agility in developing, testing, and launching applications. Cloud computing provides on-demand access to a variety of IT resources, such as compute, storage, networking, databases, and analytics, without requiring upfront investments or long-term commitments. Customers can provision and release resources in minutes, scale up and down as needed, and experiment with new technologies and features. This allows customers to accelerate their innovation cycles, deliver faster time-to-market, and respond to changing customer needs and demands

NEW QUESTION 9

Which AWS service or tool does AWS Control Tower use to create resources?

• A. AWS CloudFormation
• B. AWS Trusted Advisor
• C. AWS Directory Service
• D. AWS Cost Explorer

Answer: A

Explanation:
AWS Control Tower uses AWS CloudFormation to create resources in your landing zone. AWS CloudFormation is a service that helps you model and set up your AWS resources using templates. AWS Control Tower supports creating AWS::ControlTower::EnabledControl resources in AWS CloudFormation. Therefore, the correct answer is A. You can learn more about AWS Control Tower and AWS CloudFormation from this page.

NEW QUESTION 10

Which AWS service requires the customer to be fully responsible for applying operating system patches?

• A. Amazon DynamoDB
• B. AWS Lambda
• C. AWS Fargate
• D. Amazon EC2

Answer: D

Explanation:
Amazon EC2 is the AWS service that requires the customer to be fully responsible for applying operating system patches. Amazon EC2 is a service that provides secure, resizable compute capacity in the cloud. Customers can launch virtual servers called instances and choose from various configurations of CPU, memory, storage, and networking resources1. Customers have full control and access to their instances, which means they are also responsible for managing and maintaining them, including applying
operating system patches2. Customers can use AWS Systems Manager Patch Manager, a feature of AWS Systems Manager, to automate the process of patching their EC2 instances with both security-related updates and other types of updates3.

NEW QUESTION 11

Which AWS features will meet these requirements? (Select TWO.)

• A. Security groups
• B. Network ACLs
• C. S3 bucket policies
• D. IAM user policies
• E. S3 bucket versioning

Answer: CD

Explanation:
The correct answers are C and D because S3 bucket policies and IAM user policies are AWS features that will meet the requirements. S3 bucket policies are access policies that can be attached to Amazon S3 buckets to grant or deny permissions to the bucket and the objects it contains. S3 bucket policies can be used to control who has permission to read, write, or delete objects that the company stores in the S3 bucket. IAM user policies are access policies that can be attached to IAM users to grant or deny permissions to AWS resources and actions. IAM user policies can be used to control who has permission to read, write, or delete objects that the company stores in the S3 bucket. The other options are incorrect because they are not AWS features that will meet the requirements. Security groups and network ACLs are AWS features that act as firewalls to control inbound and outbound traffic to and from Amazon EC2 instances and subnets. Security groups and network ACLs do not control who has permission to read, write, or delete objects that the company stores in the S3 bucket. S3 bucket versioning is an AWS feature that enables users to keep multiple versions of the same object in the same bucket. S3 bucket versioning can be used to recover from accidental overwrites or deletions of objects, but it does not control who has permission to read, write, or delete objects that the company stores in the S3 bucket. Reference: Using Bucket Policies and User Policies, Security Groups for Your VPC, Network ACLs, [Using Versioning]

NEW QUESTION 12

A company wants to develop a shopping application that records customer orders. The application needs to use an AWS managed database service to store data.
Which AWS service should the company use to meet these requirements?

• A. Amazon RDS
• B. Amazon Redshift
• C. Amazon ElastiCache
• D. Amazon Neptune

Answer: A

Explanation:
A is correct because Amazon RDS is the AWS service that provides a managed relational database service that supports various database engines, such as MySQL, PostgreSQL, Oracle, and SQL Server. B is incorrect because Amazon Redshift is the AWS service that provides a managed data warehouse service that is optimized for analytical queries. C is incorrect because Amazon ElastiCache is the AWS service that provides a managed in-memory data store service that supports Redis and Memcached. D is incorrect because Amazon Neptune is the AWS service that provides a managed graph database service that supports property graph and RDF models.

NEW QUESTION 13

Which AWS service can identify when an Amazon EC2 instance was terminated?

• A. AWS Identity and Access Management (IAM)
• B. AWS CloudTrail
• C. AWS Compute Optimizer
• D. Amazon EventBridge

Answer: B

Explanation:
AWS CloudTrail is the AWS service that can identify when an Amazon EC2 instance was terminated. AWS CloudTrail is a service that records API calls and events for AWS accounts and resources. AWS CloudTrail can capture the TerminateInstances event, which is triggered when an EC2 instance is terminated by a user or an AWS service. The event contains information such as the instance ID, the user identity, the source IP address, the time, and the reason for the termination12. Customers can use the CloudTrail console, the AWS CLI, or the AWS SDKs to view and search for the TerminateInstances events in their event history or in their S3 buckets where they store their CloudTrail logs13.

NEW QUESTION 14

Which AWS services allow users to monitor and retain records of account activities that include governance, compliance, and auditing?
(Select TWO.)

• A. Amazon CloudWatch
• B. AWS CloudTrail
• C. Amazon GuardDuty
• D. AWS Shield
• E. AWS WAF

Answer: AB

Explanation:
Amazon CloudWatch and AWS CloudTrail are the AWS services that allow users to monitor and retain records of account activities that include governance, compliance, and auditing. Amazon CloudWatch is a service that collects and tracks metrics, collects and monitors log files, and sets alarms. AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. Amazon GuardDuty, AWS Shield, and AWS WAF are AWS services that provide security and protection for AWS resources, but they do not monitor and retain records of
account activities. These concepts are explained in the AWS Cloud Practitioner Essentials course3.

NEW QUESTION 15

Which activity is a customer responsibility in the AWS Cloud according to the AWS shared responsibility model?

• A. Ensuring network connectivity from AWS to the internet
• B. Patching and fixing flaws within the AWS Cloud infrastructure
• C. Ensuring the physical security of cloud data centers
• D. Ensuring Amazon EBS volumes are backed up

Answer: D

Explanation:
The AWS shared responsibility model describes how AWS and the customer share responsibility for security and compliance of the AWS environment. AWS is responsible for the security of the cloud, which includes the physical security of AWS facilities, the infrastructure, hardware, software, and networking that run AWS services. The customer is responsible for security in the cloud, which includes the configuration of security groups, the encryption of customer data on AWS, the management of AWS Lambda infrastructure, and the management of network throughput of each AWS Region. One of the customer responsibilities is to ensure that Amazon EBS volumes are backed up.

NEW QUESTION 16

A company is running an application on AWS. The company wants to identify and prevent the accidental
Which AWS service or feature will meet these requirements?

• A. Amazon GuardDuty
• B. Network ACL
• C. AWS WAF
• D. AWS Network Firewall

Answer: A

Explanation:
Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3. With the cloud, the collection and aggregation of account and network activities is simplified, but it can be time consuming for security teams to continuously analyze event log data for potential threats. With GuardDuty, you can automate anomaly detection and get actionable findings to help you protect your AWS resources4.

NEW QUESTION 17

A company wants an automated process to continuously scan its Amazon EC2 instances for software vulnerabilities.
Which AWS service will meet these requirements?

• A. Amazon GuardDuty
• B. Amazon Inspector
• C. Amazon Detective
• D. Amazon Cognito

Answer: B

Explanation:
Amazon Inspector is the AWS service that can be used to perform vulnerability scans on AWS EC2 instances for software vulnerabilities automatically in a periodic fashion. Amazon Inspector automatically discovers EC2 instances and scans them for software vulnerabilities and unintended network exposure. Amazon Inspector uses AWS Systems Manager (SSM) and the SSM Agent to collect information about the software application inventory of the EC2 instances. This data is then scanned by Amazon Inspector for software vulnerabilities12. Amazon Inspector also integrates with other AWS services, such as Amazon EventBridge and AWS Security Hub, to automate discovery, expedite vulnerability routing, and shorten mean time to remediate (MTTR) vulnerabilities2.

NEW QUESTION 18
......