Practice Free CLF-C02 Exam Online Questions
A company needs to block SQL injection attacks.
Which AWS service or feature can meet this requirement?
- A . AWS WAF
- B . AWS Shield
- C . Network ACLs
- D . Security groups
A
Explanation:
AWS WAF is a web application firewall that helps protect web applications from common web exploits, such as SQL injection attacks. It allows customers to create custom rules that block malicious requests. AWS Shield is a managed service that protects against distributed denial of service (DDoS) attacks, not SQL injection attacks. Network ACLs and security groups are network-level security features that filter traffic based on IP addresses and ports, not web requests or SQL queries.
A company wants to test a new application.
Which AWS principle will help the company test the application?
- A . Make long-term commitments in exchange for a cost discount.
- B . Scale up and down when needed without any long-term commitments.
- C . Have total control over the application infrastructure.
- D . Manage all of the maintenance tasks associated with the cloud.
B
Explanation:
AWS provides the flexibility to scale resources up or down on demand, enabling companies to test new applications without making long-term commitments. This principle allows for cost efficiency and agility during testing and development. The other options do not specifically highlight the benefits of flexible, on-demand resource scaling.
A company website is experiencing DDoS attacks.
Which AWS service can help protect the company website against these attacks?
- A . AWS Resource Access Manager
- B . AWS Amplify
- C . AWS Shield
- D . Amazon GuardDuty
C
Explanation:
AWS Shield is a managed DDoS protection service that safeguards applications running on AWS from distributed denial of service (DDoS) attacks. DDoS attacks are malicious attempts to disrupt the normal functioning of a website or application by overwhelming it with a large volume of traffic from multiple sources. AWS Shield provides two tiers of protection: Standard and Advanced. AWS Shield Standard is automatically enabled for all AWS customers at no additional cost. It protects your AWS resources, such as Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53, from the most common and frequently occurring network and transport layer DDoS attacks. AWS Shield Advanced is an optional paid service that provides additional protection for your AWS resources and applications, such as Amazon Elastic Compute Cloud (Amazon EC2), Elastic Load Balancing (ELB), Amazon Simple Storage Service (Amazon S3), Amazon Relational Database Service (Amazon RDS), and AWS Elastic Beanstalk. AWS Shield Advanced offers enhanced detection and mitigation capabilities, 24/7 access to the AWS DDoS Response Team (DRT), real-time visibility and reporting, and cost protection against DDoS-related spikes in your AWS bill [1][2].
References: AWS Shield, What is a DDOS Attack & How to Protect Your Site Against One
A company wants a customized assessment of its current on-premises environment. The company wants to understand its projected running costs in the AWS Cloud.
Which AWS service or tool will meet these requirements?
Which AWS features will meet these requirements? (Select TWO.)
- A . Security groups
- B . Network ACLs
- C . S3 bucket policies
- D . IAM user policies
- E . S3 bucket versioning
C, D
Explanation:
The correct answers are C and D because S3 bucket policies and IAM user policies are AWS features that will meet the requirements. S3 bucket policies are access policies that can be attached to Amazon S3 buckets to grant or deny permissions to the bucket and the objects it contains. S3 bucket policies can be used to control who has permission to read, write, or delete objects that the company stores in the S3 bucket. IAM user policies are access policies that can be attached to IAM users to grant or deny permissions to AWS resources and actions. IAM user policies can be used to control who has permission to read, write, or delete objects that the company stores in the S3 bucket. The other options are incorrect because they are not AWS features that will meet the requirements.
Security groups and network ACLs are AWS features that act as firewalls to control inbound and outbound traffic to and from Amazon EC2 instances and subnets. Security groups and network ACLs do not control who has permission to read, write, or delete objects that the company stores in the S3 bucket. S3 bucket versioning is an AWS feature that enables users to keep multiple versions of the same object in the same bucket. S3 bucket versioning can be used to recover from accidental overwrites or deletions of objects, but it does not control who has permission to read, write, or delete objects that the company stores in the S3 bucket.
Which AWS services or features give users the ability to create a network connection between two VPCs? (Select TWO.)
- A . VPC endpoints
- B . Amazon Route 53
- C . VPC peering
- D . AWS Direct Connect
- E . AWS Transit Gateway
CE
Explanation:
VPC peering and AWS Transit Gateway are two AWS services or features that give users the ability to create a network connection between two VPCs. VPC peering is a networking connection between two VPCs that enables you to route traffic between them privately. You can create a VPC peering connection between your own VPCs, with a VPC in another AWS account, or with a VPC in a different AWS Region. Traffic between peered VPCs never traverses the public internet. VPC peering does not support transitive peering relationships, which means that if VPC A is peered with VPC B, and VPC B is peered with VPC C, then VPC A and VPC C are not automatically peered [7][8][9]. AWS Transit Gateway is a networking service that acts as a regional router for your VPCs and on-premises networks. You can attach up to 5,000 VPCs and VPN connections to a single transit gateway and route traffic between them. AWS Transit Gateway simplifies the management and scalability of your network architecture, as you only need to create and manage a single connection from the central transit gateway to each connected network. AWS Transit Gateway supports transitive routing, which means that any network that is attached to the transit gateway can communicate with any other network that is attached to the same transit gateway.
References: [7] VPC peering – Amazon Virtual Private Cloud; [8] Connect VPCs using VPC peering – Amazon Virtual Private Cloud; [9] Amazon VPC-to-Amazon VPC connectivity options – Amazon Virtual Private Cloud; AWS Transit Gateway – Amazon Web Services; Connect VPCs using AWS Transit Gateway – Amazon Virtual Private Cloud; AWS Transit Gateway: Simplify Your Network Architecture
A company is using AWS Organizations to configure AWS accounts.
A company is planning its migration to the AWS Cloud. The company is identifying its capability gaps by using the AWS Cloud Adoption Framework (AWS CAF) perspectives.
Which phase of the cloud transformation journey includes these identification activities?
- A . Envision
- B . Align
- C . Scale
- D . Launch
A
Explanation:
The Envision phase of the cloud transformation journey is where the company defines its vision, business drivers, and desired outcomes for the cloud adoption. The company also identifies its capability gaps by using the AWS Cloud Adoption Framework (AWS CAF) perspectives, which are business, people, governance, platform, security, and operations [2].
A company is migrating to the AWS Cloud and plans to run experimental workloads for 3 to 6 months on AWS.
Which pricing model will meet these requirements?
- A . Use Savings Plans for a 3-year term.
- B . Use Dedicated Hosts.
- C . Buy Reserved Instances.
- D . Use On-Demand Instances.
D
Explanation:
On-Demand Instances are the most flexible and cost-effective pricing model for short-term, experimental, or unpredictable workloads on AWS. On-Demand Instances let you pay only for the resources you use, without any long-term commitments or upfront fees. You can easily start and stop instances as needed, and scale up or down depending on your demand.
Savings Plans, Reserved Instances, and Dedicated Hosts are all pricing models that require a commitment for a certain amount of usage or capacity for a one- or three-year term. These pricing models offer lower prices than On-Demand Instances, but they are not suitable for workloads that only run for 3 to 6 months or have variable usage patterns. Savings Plans and Reserved Instances also offer flexibility to change instance types, sizes, or regions within the same family or pool, while Dedicated Hosts are physical servers that can only run specific instance types.
A company needs a bridge between technology and business to help evolve to a culture of continuous growth and learning.
Which perspective in the AWS Cloud Adoption Framework (AWS CAF) serves as this bridge?
- A . People
- B . Governance
- C . Operations
- D . Security
A
Explanation:
The People perspective in the AWS Cloud Adoption Framework (AWS CAF) serves as a bridge between technology and business, accelerating the cloud journey to help organizations more rapidly evolve to a culture of continuous growth, learning, and where change becomes business-as-normal, with focus on culture, organizational structure, leadership, and workforce [1].
References: People Perspective – AWS Cloud Adoption Framework
For which use case are Amazon EC2 On-Demand Instances MOST cost-effective?
- A . Compute-intensive video transcoding that can be restarted if necessary
- B . An instance in continual use for 1 month to conduct quality assurance tests
- C . An instance that runs a web server that will run for 1 year
- D . An instance that runs a database that will run for 3 years
B
Explanation:
On-Demand Instances are most cost-effective for short-term, steady, and unpredictable workloads.
Using them for a one-month testing period allows flexibility without a long-term commitment.
For long-term workloads (like a year or more), Reserved Instances or Savings Plans would be more cost-effective. Spot Instances are better for interruptible, flexible workloads.
A company wants to log in securely to Linux Amazon EC2 instances.
How can the company accomplish this goal?
A company moves a workload to AWS to run on Amazon EC2 instances. The company needs to run the workload in the most cost-effective way.
What can the company do to meet this requirement?
- A . Use AWS Key Management Service (AWS KMS).
- B . Use multiple AWS accounts and consolidated billing.
- C . Use AWS CloudFormation to deploy the infrastructure.
- D . Rightsize all the EC2 instances that are used in the deployment.
D
Explanation:
Rightsizing all the EC2 instances that are used in the deployment is the best way to run the workload in the most cost-effective way. Rightsizing means choosing the optimal instance type and size for the workload based on the performance and capacity requirements. Rightsizing helps to avoid over-provisioning or under-provisioning of the EC2 instances, which can result in wasted resources or poor performance. Rightsizing also helps to take advantage of the different pricing models and features that AWS offers, such as On-Demand, Reserved, and Spot Instances, and Auto Scaling. For more information, see Rightsizing Your Instances and Cost Optimization with AWS.