AWS Certified Solutions Architect Practice Questions, Exams of Computer Networks

A set of practice questions for the aws certified solutions architect exam, focusing on key areas such as aws identity and access management (iam), amazon ec2, amazon ebs, amazon s3, and amazon emr. Each question is followed by a detailed explanation of the correct answer, offering insights into cloud architecture and best practices. The questions cover topics like temporary security tokens, ec2 instance login, ebs volume association, data migration to s3, and the use of services like kinesis firehose and aws data pipeline for data analysis. This resource is designed to help candidates prepare for the exam by testing their knowledge and understanding of aws services and their applications in real-world scenarios. Useful for university students and lifelong learners.

Typology: Exams

2024/2025

Available from 07/06/2025

winnie-kagwi
winnie-kagwi 🇺🇸

345 documents

1 / 26

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
AWS Certified Solutions Architect 2025 Practice
Test Bundle: Realistic Scenario-Based Questions
with Answer Keys, Exam Domains Coverage, and
Cloud Architecture Insights
Which of the following are not found in an AWS Identity and Access Management (IAM)
policy?
1. Action
2. Temporary security token
3. Effect (deny/allow)
4. Source IP address - - correct ans- -2
<strong>B.</strong><br>A temporary security token is a temporary principal with which
a policy is associated through an IAM role. The Source IP address can be referenced in a
condition.
What does AWS Identity and Access Management (IAM) control?
1. Database permissions
2. Operating system logon
3. Application authorization
4. Access to AWS resources - - correct ans- -4
<strong>D.</strong><br>IAM is only for accessing the AWS Application Programming
Interface (API) through the AWS Management Console, Command Line Interface (CLI),
or Software Development Kit (SDK).
EC2) Windows instance using RDP?
1. Use an AWS Identity and Access Management (IAM) user with Amazon EC2 login
permissions.
pf3
pf4
pf5
pf8
pf9
pfa
pfd
pfe
pff
pf12
pf13
pf14
pf15
pf16
pf17
pf18
pf19
pf1a

Partial preview of the text

Download AWS Certified Solutions Architect Practice Questions and more Exams Computer Networks in PDF only on Docsity!

AWS Certified Solutions Architect 2025 Practice

Test Bundle: Realistic Scenario-Based Questions

with Answer Keys, Exam Domains Coverage, and

Cloud Architecture Insights

Which of the following are not found in an AWS Identity and Access Management (IAM) policy?

  1. Action
  2. Temporary security token
  3. Effect (deny/allow)
  4. Source IP address - - correct ans- - 2 B.
    A temporary security token is a temporary principal with which a policy is associated through an IAM role. The Source IP address can be referenced in a condition. What does AWS Identity and Access Management (IAM) control?
  5. Database permissions
  6. Operating system logon
  7. Application authorization
  8. Access to AWS resources - - correct ans- - 4 D.
    IAM is only for accessing the AWS Application Programming Interface (API) through the AWS Management Console, Command Line Interface (CLI), or Software Development Kit (SDK). EC2) Windows instance using RDP?
  9. Use an AWS Identity and Access Management (IAM) user with Amazon EC2 login permissions.
  1. Specify the administrator password as an input parameter upon launch.
  2. Decrypt the administrator password for the instance using the private half of the key pair associated with the instance.
  3. You cannot log in directly to an Amazon EC2 Windows instance. - - correct ans- - 3 C.
    When Amazon EC2 Windows instances are launched, a randomized password for the administrator account is created and encrypted using the public half of the key pair associated with the instance. Decrypting this with the private half of the key pair allows you to log in. Logging in depends on Windows-based authentication/authorization, so IAM credentials will not work. There is no mechanism to specify the administrator password as an input parameter to the launch instance operation. Which of the following are true about temporary security tokens? (Choose 2 answers)
  4. They are stored in the AWS Key Management Service (AWS KMS).
  5. 2.

    They control traffic between instances. 3. They are only valid for a specified period of time. 4. They are the underlying implementation of AWS Identity and Access Management (IAM) roles for Amazon Elastic Compute Cloud (Amazon EC2). 5. They grant initial Secure Shell (SSH) access to Linux instances. - - correct ans- - 3, C, D.
    AWS KMS stores and manages encryption keys. Security groups, network Access Control Lists (ACLs), and operating system firewalls control traffic between instances. The duration of a temporary security token is passed when a token is requested. IAM roles for Amazon EC2 provide authorization to applications on an Amazon EC2 instance with a temporary security token. You downloaded a 25 GB video to the z:\ drive of your Amazon Elastic Compute Cloud (Amazon EC2) instance. To get more compute, you stopped the instance to change the instance type, then restarted the instance. When you connect to your instance again, you notice that the video is no longer on the z:\ drive. What is the likely cause? 1. The public IP address changed when the instance was stopped and started.

AWS Storage Gateway makes no IOPS claims, so it cannot be relied upon to provide this level of performance. Spreading the data across two Amazon EBS Provisioned IOPS volumes can spread the IOPS across two volumes, creating total IOPS for the volume of 40,000. What method will allow you to log in to a new Amazon Elastic Compute Cloud (Amazon Your company needs to perform a tech refresh on 200 TB of on-premises storage and has decided to move the data to Amazon Simple Storage Service (Amazon S3). Your data center Internet connection has an average of 1 Gbps of available bandwidth. What is the best way to move your data to Amazon S3?

  1. Use the Command Line Interface (CLI) to transfer the data over the Internet.
  2. Write a custom program to transfer the data using multi-part upload.
  3. Use three AWS Import/Export Snowball appliances.
  4. Use AWS Data Pipeline. - - correct ans- - 3 C.
    Any transfer over the Internet is going to take nearly 20 days of continuous data transfer, constricting any peak traffic during the entire interval. Transferring data with three 80 GB Snowball appliances is simple, fast, secure, and can be as little as one-fifth the cost of high-speed Internet. Your company receives information on every sale from thousands of Point-of-Sale (POS) machines, resulting in 5,000–10,000 messages per second and 20 TB of new data every day. Every night this information must be analyzed and summary results stored in a MySQL database for display in a management dashboard. What combination of services will address this use case?
  5. Amazon Kinesis Firehose, Amazon Simple Storage Service (Amazon S3), Amazon Elastic MapReduce (Amazon EMR), AWS Data Pipeline, and Amazon Relational Database Service (Amazon RDS)
  6. Amazon Kinesis Firehose, Amazon Elastic Block Store (Amazon EBS), Amazon EMR, AWS Data Pipeline, and Amazon RDS
  7. AWS Direct Connect, Amazon Simple Storage Service (Amazon S3, Amazon EMR, AWS Data Pipeline, and Amazon RDS
  8. Amazon Kinesis Firehose, Amazon Glacier, Amazon EMR, AWS Data Pipeline, and Amazon RDS - - correct ans- - 1

A.
Amazon Kinesis Firehose can ingest the stream, saving it to Amazon S3. Amazon EMR can run MapReduce algorithms on the data stored in Amazon S3 and output the results to a different Amazon S3 bucket. AWS Data Pipeline can run regular ETL jobs to copy the resultant data into a MySQL database running on Amazon RDS. Amazon EBS has an upper limit of 16 TB, so it is a poor choice for the hundreds of TB of data that will be ingested and is significantly more expensive on top of that. AWS Direct Connect provides a private connection to your AWS infrastructure, but it has no ingestion functionality. Amazon Glacier requires 3–5 hours to retrieve requested objects and would not work in this scenario. When you launch an Amazon Elastic MapReduce (Amazon EMR) cluster, what must you specify? (Choose 3 answers)

  1. The instance type of the nodes in your cluster
  2. The database connection string
  3. The number of nodes in your cluster
  4. A Domain Name Service (DNS) name for the cluster
  5. The version of Hadoop you want to run - - correct ans- - 1,3, A, C, E.
    These are required values when you launch a cluster. You have an application that indexes documents and makes them available via a browser-based interface. The documents are stored on a block storage device accessed by the application over an iSCSI interface, but time of retrieval is not a critical factor. As the number of documents grows, you have been tasked with increasing the capacity of the application, as well as providing durable backup for the documents. What service can meet your requirements?
  6. AWS Storage Gateway – gateway-stored volume
  7. Amazon Simple Storage Service (Amazon S3) bucket
  8. AWS Storage Gateway – gateway-cached volume
  9. Amazon Redshift - - correct ans- - 3 C.
    Neither Amazon S3 nor Amazon Redshift are block storage. AWS Storage Gateway – gateway-cached volumes provide an iSCSI interface to block storage and copy all files to Amazon S3 for durability. Gateway-cached volumes also store only the most frequently used files locally, allowing you to store more data on your AWS Storage Gateway than would fit on your local physical storage.

Your company’s web application recently had a service interruption when the CPU usage spiked. When reviewing the logs, you found that the five-minute interval between Amazon CloudWatch metrics prevented you from fully analyzing the problem. What can you do to ensure that you have more granular visibility in the future?

  1. Set up an Amazon CloudWatch alarm on CPU utilization.
  2. Deploy new instances of a larger instance type in the same instance family.
  3. Use Dedicated Instances.
  4. Deploy new instances with detailed monitoring enabled. - - correct ans- - 4 D.
    Instances with detailed monitoring report their metric values every minute instead of every five minutes. Which of the following measured values requires a custom metric to be logged by Amazon CloudWatch?
  5. Network traffic
  6. CPU utilization
  7. Number of requests handled by a web server
  8. Disk write operations - - correct ans- - 3 C.
    The shared responsibility model prevents Amazon CloudWatch from seeing values internal to your instances. Network traffic, CPU utilization, and disk IO can all be recorded without access to the operating system. Number of requests can only be seen within the operating system, so it requires a custom metric or CloudWatch Logs to view. Which of the following are appropriate use cases for Amazon Simple Storage Service (Amazon S3)? (Choose 2 answers)
  9. Storing the data files for a MySQL database
  10. Hosting a static website
  11. Storing a library of video files
  12. Storing CAD files being edited by multiple users at the same time
  13. Implementing a cache in front of a database - - correct ans- - 2,

B, C.
Amazon S3 is object storage, so there is no interface that allows the random read/write block storage. Responses A and D both require block storage and are inappropriate workloads for Amazon S3. Your company has 1 PB of scientific research data that has been summarized and the results stored in a MySQL database. While there is no need to access the raw measurements, they must be retained indefinitely. Which of the following storage plans meets these needs in the most cost-efficient manner?

  1. Store the data on Amazon Elastic Block Store (Amazon EBS) Magnetic volumes.
  2. Store the data on Amazon Glacier.
  3. Store the data on Amazon Simple Storage Service (Amazon S3).
  4. Store the data on Amazon Simple Storage Service (Amazon S3) Reduced Redundancy Storage (RRS). - - correct ans- - 2 B.
    Amazon Glacier is the most cost-efficient AWS storage service, providing all the durability of Amazon S3. The 3–5 hour retrieval delay will not be a problem for raw data that is essentially never accessed. Your company maintains a photo library with 100 million photos available for licensing. The total storage requirement for the photos themselves is 200 GB. There is also a low- resolution version of each photo generated, with those versions taking up a total of 10 GB. Your company runs on very low margins, so minimizing cost is important. What is a cost-effective way to store all your photos?
  5. Store the original photos on Amazon Simple Storage Service (Amazon S3) and the low-resolution versions on Amazon Elastic Block Store (Amazon EBS).
  6. Store the original photos on Amazon Simple Storage Service (Amazon S3) and the low-resolution versions on Amazon S3 Reduced Redundancy Storage (RRS).
  7. Store the original photos Amazon S3 Reduced Redundancy Storage (RRS) and the low-resolution versions on Amazon Simple Storage Service (Amazon S3).
  8. Store the original versions on Amazon Glacier and the low-resolution versions on - - correct ans- - 2 B.
    The originals cannot be replaced, so they must be stored on Amazon S3 because it is the most durable. Nothing can be stored on Amazon Glacier as customers can’t wait 3–5 hours for their photos. Since the low-resolution versions can be recreated, using the less durable Amazon S3 RRS storage is a good

Your company faces a compliance requirement dictating that none of your Amazon Elastic Compute Cloud (Amazon EC2) instances can be hosted on hardware shared with any other AWS customer. Which two services allow this?

  1. Dedicated Instances
  2. Placement groups
  3. Security groups
  4. Dedicated Hosts - - correct ans- - 1, A, D.
    Dedicated Instances run on hardware that’s dedicated to a single customer. As a customer runs more Dedicated Instances, more underlying hardware may be dedicated to their account. Dedicated Hosts are physical servers with Amazon EC2 instance capacity fully dedicated to a single customer’s use. A shipping company tracks the location of every package using bar code readers that transfer over wireless back to the main tracking system. The resulting traffic averages 10,000 scans a second. What service will process the incoming stream of scans and update the data in the tracking system on a near real-time basis?
  5. Kinesis Fire hose
  6. Kinesis Stream
  7. Amazon Data Pipeline
  8. Amazon Elastic Map Reduce (Amazon EMR) - - correct ans- - 2 B.
    Kinesis Stream allows you to create custom applications to analyze big data streams in real time. Which of the following are possible destinations for data ingested with Kinesis Firehose? (Choose 3 answers)
  9. Amazon Simple Storage Service (Amazon S3)
  10. Amazon Red shift
  11. Amazon Glacier
  12. Amazon Elastic search Service
  13. Amazon Elastic Block Store (Amazon EBS) - - correct ans- - 1,2,

A, B, and D.
Amazon S3, Amazon Redshift, and Amazon Elastic search Service are the three possible destinations for Amazon Firehose data. Your company stores click stream logs from your website on Amazon Simple Storage Service (Amazon S3) nightly, averaging 20 TB of new data a night. Your data scientists would like to analyze this data to segment users and understand user preferences. Which service is well suited to meet their needs?

  1. Amazon Elastic Map Reduce (Amazon EMR)
  2. Amazon Kinesis Streams
  3. AWS Cloud Trail
  4. Amazon Cloud Watch - - correct ans- - 1 A.
    Amazon EMR is an excellent choice to analyze data at read, such as logs stored on Amazon S3. Amazon Kinesis Streams can analyze streams of data in real time, which is not the scenario here. Neither AWS Cloud Trail nor Amazon Cloud Watch are analysis services. Your company uses an architectural drawing program and stores the drawings on an on- premises server with an attached iSCSI drive. Your company wants to replicate all of the drawings to the cloud for a durable backup and disaster recovery. Since the users interact directly with the files, latency is critical and the files must all reside locally. What AWS Cloud service can meet your requirements?
  5. Amazon Storage Gateway – Gateway Stored Volume
  6. Amazon Simple Storage Service (Amazon S3) bucket
  7. Amazon Storage Gateway – Gateway Cached Volume
  8. Amazon Red shift - - correct ans- - 1 Answer: A
    Amazon Storage Gateway – Gateway Stored Volumes replicate all data to the cloud while storing it all locally to reduce latency. Amazon Storage Gateway – Gateway Cached Volumes provide an iSCSI interface to block storage, but copies all files to Amazon S3 for durability and retains only the recently used files locally. Neither Amazon S3 nor Amazon Red shift are block storage. Which of the following can be configured as an origin for an Amazon Cloud Front distribution? (Choose 3 answers)

you the ability to install an agent that can export otherwise internal logs to Amazon Cloud Watch. AWS Support cannot see inside your instance and does not have a monitoring service offering. AWS Config tracks the configuration of your AWS infrastructure and does not monitor its health. How long does it take to retrieve an object from Amazon Glacier?

  1. The object is available immediately upon request
  2. Three to five hours
  3. One to two days
  4. Between overnight and one business week, depending on the class of the shipping service - - correct ans- - 2 B.
    Amazon Glacier objects are retrieved online (not shipped) and will be available in three to five hours. Which of the following are differences between Amazon Simple Storage Service (Amazon S3) and Amazon Elastic Block Store (Amazon EBS)? (Choose 3 answers)
  5. Amazon S3 buckets can hold a virtually unlimited amount of data; Amazon EBS volumes have a maximum size.
  6. Amazon S3 is object storage; Amazon EBS is block storage.
  7. Amazon S3 is block storage; Amazon EBS is object storage.
  8. Amazon S3 is accessed via a REST API; Amazon EBS is accessed from an attached Amazon Elastic Compute Cloud (EC2) instance.
  9. Amazon S3 can be encrypted using the Amazon Key Management Service (KMS); Amazon EBS cannot. - - correct ans- - 1,2, A, B, and D.
    These answers are factual. Response C reverses the nature of the storage between the two services. Response E is incorrect because both Amazon S3 and Amazon EBS can be encrypted using Amazon KMS. Which of the following can be used to control access to objects in Amazon Simple Storage Service (Amazon S3)? (Choose 3 answers)
  10. Amazon S3 bucket policies
  11. AWS Identity and Access Management (IAM) policies
  1. Linux Iptables
  2. Amazon S3 Access Control List (ACL)
  3. Amazon S3 firewalls
  4. Security groups - - correct ans- - 1,2, A, B, and D.
    These are the three access control services for Amazon S3. What options are available for Server Side Encryption (SSE) on Amazon Simple Storage Service (Amazon S3)? (Choose 3 answers)
  5. Use Amazon S3 Managed Keys
  6. Use Amazon Identity and Access Management (IAM) access keys
  7. Use AWS Key Management System (KMS) managed keys
  8. Use customer-provided keys
  9. Use Amazon Elastic Compute Cloud (Amazon EC2) key pairs - - correct ans- - 1,3, A, C, and D.
    Access keys are for authentication, not encryption. Amazon EC2 key pairs provide initial access to Amazon EC2 instances and are not integrated with Amazon S3. Your company stores financial records in Amazon Simple Storage Service (Amazon S3), but wants to minimize costs. Once created, the records are accessed regularly for the first two months, then used rarely for summary reporting for up to one year. After that they must be retained for compliance reasons for seven years, but only accessed in response to discovery requests or other legal actions. What lifecycle policies should you implement?
  10. Store data in Amazon S3, migrate to Amazon S3 Reduced Redundancy Storage (RRS) after two months, migrate to Amazon Glacier after one year, and then delete after seven years
  11. Store data in Amazon S3, migrate to Amazon Glacier after two months, and then delete after seven years
  12. Store data in Amazon S3 Infrequent Access (IA) after two months, migrate to Amazon Glacier after one year, and then delete after seven years
  13. Store data in Amazon S3, migrate to Amazon S3 Infrequent Ac - - correct ans- - 4
  1. AWS Directory Service for Microsoft Active Directory (Enterprise Edition)
  2. Simple AD
  3. AD Connector
  4. AWS LDAP - - correct ans- - 3 C.
    AD Connector is a proxy service for connecting your on- premises Microsoft Active Directory to the AWS Cloud without requiring complex directory synchronization or the cost and complexity of hosting a federation infrastructure. Which of the following AWS Cloud services provide you the ability to manage your own symmetric and asymmetric keys? (Choose 2 answers)
  5. AWS Identity and Access Management (IAM)
  6. AWS Key Management Service (AWS KMS)
  7. AWS Certificate Manager (AWS ACM)
  8. Amazon Simple Storage Service (Amazon S3)
  9. AWS CloudHSM - - correct ans- - 2,

B and E.

AWS KMS is a managed service that makes it easy for you to create and control the symmetric encryption keys used to encrypt your data. AWS CloudHSM is a service that makes it easy for you to create and control both symmetric and asymmetric keys used to encrypt and decrypt data. How long does it take AWS CloudTrail to deliver an event for an Application Programming Interface (API) call? 1. Typically within 15 minutes 2. Typically within 30 minutes 3. Always 15 minutes after the event occurred 4. Always 30 minutes after the event occurred - - correct ans- - 1 A.
CloudTrail typically delivers an event within 15 minutes of the event occurring.

Which of the following network actions are not possible within AWS? (Choose 2 answers)

  1. Store and forward
  2. Prerendering
  3. IP spoofing
  4. Promiscuous packet sniffing
  5. Packet streaming - - correct ans- - 3,

C and D.

Amazon Elastic Compute Cloud (Amazon EC2) instances cannot send spoofed network traffic and they can only receive packets that are destined for their IP address. The Signature Version 4 digital signature calculation process provides which security benefits? (Choose 2 answers) 1. Data confidentiality 2. Message integrity 3. Replay attack prevention 4. Certification 5. Recertification - - correct ans- - 2, B and C.
The Signature Version 4 digital signature calculation process provides message integrity and prevents against replay attacks. Amazon Elastic Compute Cloud (Amazon EC2) supports which type of key pair? 1. X.509 certificate key pair 2. Symmetric key pair 3. RSA 1024 SSH-2 key pair 4. RSA 2048 SSH-2 key pair - - correct ans- - 4

  1. A VPC subnet
  2. A VPC
  3. A VPC’s Internet Gateway (IGW) - - correct ans- - 2 B.
    An ENI is associated with a VPC subnet. Which of the following describes AWS OpsWorks components?
  4. Stacks, layers, and apps
  5. Stacks and layers
  6. Stacks, layers, Chef recipes, instances, and apps
  7. Stacks, layers, instances, and apps - - correct ans- - 3 C.
    AWS OpsWorks comprises stacks, layers, Chef recipes, instances, and apps. Which of the following policies must be specified on an AWS CloudFormation resource in order to ensure that the resource is not deleted when the stack is deleted?
  8. Deletion policy
  9. Retention policy
  10. Keep alive policy
  11. Preserve policy - - correct ans- - 1 A.
    A deletion policy must be applied to an AWS CloudFormation resource in order to ensure that the resource is not deleted when the stack is deleted. AWS Trusted Advisor is available through which AWS Application Programming Interface (API)?
  12. AWS Trusted Advisor
  13. AWS Support
  14. Amazon Elastic Compute Cloud (Amazon EC2)
  15. Amazon Relational Database Service (Amazon RDS) - - correct ans- - 2

B.

AWS Trusted Advisor data is available within the AWS Support API. Which of the following provides an automated way to send log data to CloudWatch Logs for Amazon Elastic Compute Cloud (Amazon EC2) instances running Amazon Linux or Ubuntu?

  1. CloudLog
  2. CloudLogs agent
  3. AWS CloudTrail
  4. CloudWatch Logs agent - - correct ans- - 4 D.
    The CloudWatch Logs agent is available to download and install on Amazon EC2 instances running Amazon Linux or Ubuntu that can be configured to send log file data to CloudWatch Logs. Which of the following explains why referencing an Elastic Load Balancing load balancer by its Domain Name System (DNS) Canonical Name (CNAME) is a best practice?
  5. Referencing an Elastic Load Balancing load balancer by its DNS CNAME is not a best practice.
  6. An Elastic Load Balancing load balancer’s DNS CNAME will change over time, but a subsequent call to Amazon CloudWatch will return the current IP address for the load balancer.
  7. An Elastic Load Balancing load balancer’s DNS CNAME will not change over time, providing you with a single fixed addressing entry, regardless of the pool of IPs referenced by the CNAME.
  8. An Elastic Load Balancing load balancer’s DNS CNAME will not change over time, providing you with a single fixed addressing entry, and DNS queries will return the single IP address referenced by the CNAME. - - correct ans- - 3 C.
    An Elastic Load Balancing load balancer’s DNS CNAME provides you with a single DNS entry that references a dynamic set of IP addresses that are used by the load balancer based on traffic demand.