Practice questions · AWS

AWS Practice Questions

Free AWS practice questions with answers and plain-English explanations. Browse the PDF, video and online mock test.

Free sample · AWSQ1
A company has deployed several relational databases on Amazon RDS. Every month, the database software vendor releases new security patches that need to be applied to the database.<br/><br/>What is the MOST efficient way to apply the security patches?
Correct — D. Periodically, Amazon RDS performs maintenance on Amazon RDS resources. Maintenance most often involves updates to the DB instance's underlying hardware, underlying operating system (OS), or database engine version. Updates to the operating system most often occur for security issues and should be done as soon as possible.<br/><br/>Required patching is automatically scheduled only for patches that are related to security and instance reliability. Such patching occurs infrequently (typically once every few months) and seldom requires more than a fraction of your maintenance window.<br/><br/><img src="asset:assets/questions/7a77e37196bbb338.jpg"><br/><br/>All you need to do to get enable patching is specify the maintenance window in which the patching will take place. This can be done at instance creation time or at any time afterwards.<br/><br/><strong>CORRECT: </strong>"Enable automatic patching for the instances using the Amazon RDS console" is the correct answer.<br/><br/><strong>INCORRECT:</strong> "Connect to each database instance on a monthly basis, and download and apply the necessary security patches from the vendor" is incorrect. Amazon RDS is a managed service and you do not need to do this manually.<br/><br/><strong>INCORRECT:</strong> "In AWS Config, configure a rule for the instances and the required patch level" is incorrect. This service is used for auditing and evaluating resource configurations.<br/><br/><strong>INCORRECT:</strong> "Use AWS Systems Manager to automate database patching according to a schedule" is incorrect. Systems Manager can be used to manage EC2 instances but it cannot be used to patch RDS instances.
↑ Tap an answer to check it
Free questions

AWS Questions

Open each answer, read the explanation, then continue into the full practice flow.

  1. Q1A company has deployed several relational databases on Amazon RDS. Every month, the database software vendor releases new security patches that need to be applied to the database.<br/><br/>What is the MOST efficient way to apply the security patches?

    Show answer

    ✓ Correct answer: Enable automatic patching for the instances using the Amazon RDS console

    Periodically, Amazon RDS performs maintenance on Amazon RDS resources. Maintenance most often involves updates to the DB instance's underlying hardware, underlying operating system (OS), or database engine version. Updates to the operating system most often occur for security issues and should be done as soon as possible.<br/><br/>Required patching is automatically scheduled only for patches that are related to security and instance reliability. Such patching occurs infrequently (typically once every few months) and seldom requires more than a fraction of your maintenance window.<br/><br/><img src="asset:assets/questions/7a77e37196bbb338.jpg"><br/><br/>All you need to do to get enable patching is specify the maintenance window in which the patching will take place. This can be done at instance creation time or at any time afterwards.<br/><br/><strong>CORRECT: </strong>"Enable automatic patching for the instances using the Amazon RDS console" is the correct answer.<br/><br/><strong>INCORRECT:</strong> "Connect to each database instance on a monthly basis, and download and apply the necessary security patches from the vendor" is incorrect. Amazon RDS is a managed service and you do not need to do this manually.<br/><br/><strong>INCORRECT:</strong> "In AWS Config, configure a rule for the instances and the required patch level" is incorrect. This service is used for auditing and evaluating resource configurations.<br/><br/><strong>INCORRECT:</strong> "Use AWS Systems Manager to automate database patching according to a schedule" is incorrect. Systems Manager can be used to manage EC2 instances but it cannot be used to patch RDS instances.

    Open the full explanation page →

  2. Q2Security and Compliance is a shared responsibility between AWS and the customer. <br/><br/>Which amongst the below-listed options are AWS responsibilities? (Select TWO)

    Show answer

    ✓ Correct answer: Security of the AWS cloud

    Amazon Elastic Compute Cloud (Amazon EC2) is categorized as Infrastructure as a Service (IaaS). Hence this is the customer's responsibility. AWS is responsible for patching and fixing flaws within the infrastructure. But customers are responsible for patching their guest OS and applications. Security of the data in the cloud is the customer's responsibility. Security of the cloud is AWS’s responsibility. AWS is responsible for patching and fixing flaws within the infrastructure.

    Open the full explanation page →

  3. Q3Which of the following services can be used to block network traffic to an instance? (Select TWO.)

    Show answer

    ✓ Correct answer: Security groups

    <a target="_blank" href="https://www.bing.com/aclick?ld=e86ns1BXUKxOqC12wno4QM7zVUCUxFxCkVSzlpCGKPTw7gOpC2OQ8CwOPmuxKsVjqHvqd76tBdqhoBKF-DuTEkVCrALAWRuQDzt1TU-iEmT5dBtyQAkZqW_ZiTLgz5arvhGnyHbQ8HEpwO0f96vMzvm69X0Ygb2wAzzZtkeP_DJ4wCgT3XLh_0GMGvdUThJwR3agDV4WHOVdE3mW5HVVIYD1DShts_ej5S3BP4U2jYm_QuUyS0-kIuhEg6YDE9oH1OQNapyM44toat-sX7-1rl8r_gy2E&amp;u=aHR0cHMlM2ElMmYlMmZhd3MuYW1hem9uLmNvbSUyZmZyZWUlMmYlM2ZhbGwtZnJlZS10aWVyLnNvcnQtYnklM2RpdGVtLmFkZGl0aW9uYWxGaWVsZHMuU29ydFJhbmslMjZhbGwtZnJlZS10aWVyLnNvcnQtb3JkZXIlM2Rhc2MlMjZhd3NmLkZyZWUlMjUyMFRpZXIlMjUyMFR5cGVzJTNkKmFsbCUyNmF3c2YuRnJlZSUyNTIwVGllciUyNTIwQ2F0ZWdvcmllcyUzZGNhdGVnb3JpZXMlMjUyM2NvbXB1dGUlMjZ0cmslM2RiNTI4YWY3NC02NDUzLTQ4ZmMtYjVlMy00ZDBmZjU3ZDFmMjMlMjZzY19jaGFubmVsJTNkcHMlMjZzX2t3Y2lkJTNkQUwhNDQyMiExMCE3MTk0OTUyMDEyMDEwMCE3MTk1MDA0Mjk2MzAwNyUyNmVmX2lkJTNkZmE0MTQzN2EyZDNkMTgxMzViY2YyNjAyMzIxNjNhMTYlM2FHJTNhcw&amp;rlid=fa41437a2d3d18135bcf260232163a16">Security groups and network ACLs are two AWS services that can be used to block network traffic to an instance. Security groups are virtual firewalls that control the inbound and outbound traffic for your instances at the instance level. You can specify which protocols, ports, and source or destination IP addresses are allowed or denied for each instance.Security groups are stateful, which means that they automatically allow return traffic for any allowed inbound or outbound traffic123. Network ACLs are virtual firewalls that control the inbound and outbound traffic for your subnets at the subnet level. You can create rules to allow or deny traffic based on protocols, ports, and source or destination IP addresses.Network ACLs are stateless, which means that you have to explicitly allow return traffic for any allowed inbound or outbound traffic456.

    Open the full explanation page →

  4. Q4Which of the below allows you to restrict access to individual objects in an S3 bucket?

    Show answer

    ✓ Correct answer: Access Control Lists

    Access Control Lists let you control access to individual objects within an S3 bucket, whereas Bucket Policies allow you to control access to entire buckets. In relation to S3, Bucket Control Lists and Access Policies do not exist as configuration items.

    Open the full explanation page →

  5. Q5A company has been using an AWS managed IAM policy for granting permissions to users but needs to add some permissions.<br/><br/>How can this be achieved?

    Show answer

    ✓ Correct answer: Create a custom IAM policy.

    AWS managed policies cannot be edited so if you need to add permissions to users that are not granted in the policy you must create your own custom IAM policy.<br/><br/><strong>CORRECT: </strong>"Create a custom IAM policy" is the correct answer.<br/><br/><strong>INCORRECT:</strong> "Edit the AWS managed policy" is incorrect. You cannot edit AWS managed policies.<br/><br/><strong>INCORRECT:</strong> "Create a Service Control Policy" is incorrect. SCPs are used in AWS Organizations to restrict available permissions. They do not grant permissions.<br/><br/><strong>INCORRECT:</strong> "Create a rule in AWS WAF" is incorrect. WAF is a web application firewall used for protecting resources from web-based attacks.

    Open the full explanation page →

  6. Q6In AWS, which service assists with governance, compliance, and risk auditing?

    Show answer

    ✓ Correct answer: AWS CloudTrail

    AWS CloudTrail is a service that allows you to manage your AWS account's governance, compliance, operational auditing, and risk auditing.<br/><br/>You can track, monitor, and retain account activity associated with actions throughout your AWS infrastructure with CloudTrail. CloudTrail logs all actions made through the AWS Management Console, AWS SDKs, command line tools, and other AWS services.<br/><br/>Security analysis, resource change tracking, and troubleshooting are all made easier with this event history.

    Open the full explanation page →

  7. Q7A company specializing in medical data storage is expanding their infrastructure on a cloud provider and must adhere to the Health Insurance Portability and Accountability Act (HIPAA) regulations. Which resource should they use to confirm the provider's services are in compliance with the required healthcare industry standards?

    Show answer

    ✓ Correct answer: AWS Artifact

    The company should utilize the service that offers access to compliance documentation and reports to verify that the cloud provider's offerings adhere to HIPAA and other necessary standards. 'AWS Artifact' is that service, as it provides on-demand access to the necessary security and compliance information. 'Amazon Inspector' is an automated security assessment service that helps improve the security and compliance of applications deployed on the cloud but does not provide documentation for industry compliance. 'AWS Certificate Manager' handles SSL/TLS certificates and is unrelated to regulatory compliance documentation. 'Amazon Macie' is a data security service that uses machine learning to discover and protect sensitive data but it also isn't a source for compliance documentation.

    Open the full explanation page →

  8. Q8Which AWS security tool uses an agent installed in EC2 instances and assesses applications for vulnerabilities and deviations from best practices?

    Show answer

    ✓ Correct answer: AWS Inspector

    Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Inspector automatically assesses applications for vulnerabilities or deviations from best practices. Inspector uses an agent installed on EC2 instances.<br/><br/><strong>CORRECT: </strong>"AWS Inspector" is the correct answer.<br/><br/><strong>INCORRECT:</strong> "AWS Trusted Advisor" is incorrect. Trusted Advisor is an online resource that helps to reduce cost, increase performance and improve security by optimizing your AWS environment.<br/><br/><strong>INCORRECT:</strong> "AWS Personal Health Dashboard" is incorrect. AWS Personal Health Dashboard provides alerts and remediation guidance when AWS is experiencing events that may impact you.<br/><br/><strong>INCORRECT:</strong> "AWS TCO Calculator" is incorrect. The AWS TCO calculator can be used to compare the cost of running your applications in an on-premises or colocation environment to AWS.

    Open the full explanation page →

  9. Q9During the process of encrypting EBS volumes, which service is used?

    Show answer

    ✓ Correct answer: AWS KMS

    Amazon EBS encryption provides a simple encryption solution for your EBS resources without the need to build, maintain, or secure your own key management infrastructure. The AWS Key Management Service (AWS KMS) can be used to generate and manage the encryption keys that are used to encrypt your data. AWS Key Management Service is also integrated with other AWS services such as Amazon S3 and Amazon Redshift, making it easy to encrypt your data with encryption keys that you control.

    Open the full explanation page →

  10. Q10Your company has deployed a web application on Amazon EC2 instances. As part of your security compliance checks, you want to ensure that the operating system patches are up to date. Whose responsibility is it to maintain the operating system in this scenario?

    Show answer

    ✓ Correct answer: It is the customer's responsibility to maintain the operating system.

    When using Amazon EC2, AWS is responsible for the infrastructure that runs all of the services offered in the AWS Cloud. This includes the hardware, the software that runs the virtualization environment, and the physical security of the data centers. However, the customer is responsible for the security <em>in</em> the cloud, which includes the operating system, applications, and data on the EC2 instances. Therefore, it falls to the customer to ensure that the operating system patches are kept up to date.

    Open the full explanation page →

Unlock everything

Full AWS bank + unlimited mocks

Try 30 questions free. Unlock the complete AWS question bank, every explanation, and unlimited timed mock exams. Practice on any device.

Unlock AWS →
Cramming?
$2.99
/ week · per exam
Best value
$6.99
/ month · per exam