
Simulate the real exam with 65 questions and a 90-minute time limit. Study with AI-verified answers and detailed explanations.
AI-powered
Every answer is cross-checked against three major AI models for accuracy. Detailed explanations for each option and in-depth question analysis are provided.
A 240-employee retail analytics company plans to migrate 120 on-premises workloads to AWS within 6 months, and the CIO asks which AWS Cloud Adoption Framework (AWS CAF) People perspective capabilities should be prioritized to realign leadership objectives across three product lines and redesign team structures to address a 15% cloud skills gap without changing governance or security processes. (Choose two.)
Organizational alignment is a People perspective capability focused on aligning leadership objectives, incentives, and priorities across business units or product lines. The prompt explicitly requires “realign leadership objectives across three product lines,” which is a direct match. This capability helps ensure consistent sponsorship, decision-making, and shared outcomes for the migration without requiring changes to governance or security processes.
Portfolio management is primarily associated with the Business perspective in AWS CAF, covering how to prioritize initiatives, manage investment, and track value across a portfolio of applications. While 120 workloads in 6 months suggests portfolio planning, the question specifically asks for People perspective capabilities and emphasizes leadership alignment and team redesign rather than funding/value management.
Organization design is a People perspective capability that addresses how teams are structured, roles and responsibilities, operating model changes, and workforce planning. The requirement to “redesign team structures” and address a “15% cloud skills gap” maps directly here. It supports creating or evolving functions like a cloud enablement team/CCoE and defining new cloud roles without changing governance/security processes.
Risk management aligns more closely with Governance (and often Security) concerns: identifying, assessing, and mitigating risks through controls and processes. The prompt explicitly says not to change governance or security processes, making this a poor fit. Although migration risk exists, the question is about people capabilities (alignment and org structure), not risk control frameworks.
Modern application development is generally a Platform perspective capability focused on engineering practices and tooling (e.g., CI/CD, microservices, containers, serverless patterns). It can help long-term cloud success, but it does not directly address leadership objective alignment or organizational restructuring to close a skills gap. The question is explicitly scoped to People perspective capabilities.
Core Concept: This question tests knowledge of the AWS Cloud Adoption Framework (AWS CAF), specifically the People perspective capabilities. The People perspective focuses on organizational change management: aligning stakeholders, evolving operating models, and ensuring teams have the right skills to execute the cloud migration.

Why the Answer is Correct: The scenario has two explicit needs: (1) "realign leadership objectives across three product lines" and (2) "redesign team structures to address a 15% cloud skills gap," while explicitly not changing governance or security processes. In the AWS CAF People perspective, Organizational alignment addresses aligning leadership goals, incentives, and priorities across business units and product lines so the migration has a shared direction and consistent decision-making. Organization design addresses how to structure teams (for example platform teams, product teams, or a cloud enablement team/CCoE), define roles and responsibilities, and plan workforce changes to close skills gaps.

Key AWS Features / Best Practices: Although this is not a service question, AWS CAF maps to practices used in real migrations: establish a Cloud Center of Excellence (or a cloud enablement function) to drive standards and coaching; define a target operating model (product-aligned teams, platform engineering, SRE/DevOps responsibilities); and create role-based training plans (AWS Skill Builder, AWS Training and Certification) with hands-on enablement to close the 15% gap. Because governance and security processes are not to change, the focus stays on people, structure, and leadership alignment rather than policy redesign.

Common Misconceptions: Portfolio management can sound relevant because there are 120 workloads and a 6-month timeline, but it is primarily a Business perspective capability (prioritization, funding, value tracking), not the People perspective focus requested. Risk management aligns more with the Governance and Security perspectives and would imply changes to risk controls and processes, which the prompt explicitly avoids. Modern application development is a Platform perspective capability and relates to engineering practices and tooling, not leadership alignment or org redesign.

Exam Tips: When AWS CAF is mentioned, first identify the perspective being asked about (People here). Then map keywords: "align leadership/objectives" -> Organizational alignment; "team structures/roles/skills gap" -> Organization design. If the question says "without changing governance or security," avoid Governance and Security capabilities even if they seem broadly relevant.
A real-time sports highlights platform must deliver 120 MB images and 8-minute video clips to viewers in over 50 countries with startup latency under 100 ms; which AWS service uses a global network of edge locations to cache this content close to users?
Amazon Kinesis is used for real-time streaming data ingestion and processing (e.g., clickstreams, telemetry, live event data pipelines). It helps build real-time analytics and event-driven architectures, but it is not a CDN and does not cache or serve large media files from edge locations to viewers. Kinesis would be relevant for processing sports events metadata, not for delivering images and video with sub-100 ms startup latency.
Amazon SQS is a fully managed message queue that decouples producers and consumers, buffers workloads, and improves reliability in distributed systems. It is not designed to deliver content to end users and provides no edge caching or global media distribution capabilities. SQS might be used behind the scenes to coordinate video processing jobs or notifications, but it cannot meet the requirement to cache and serve media close to viewers worldwide.
Amazon CloudFront is AWS’s CDN that uses a global network of edge locations to cache and deliver content with low latency. It is purpose-built for distributing static and dynamic content, including large images and video, to users across many countries. CloudFront reduces startup latency by serving content from the nearest edge, supports S3/ALB/MediaPackage origins, and offers cache controls, security features, and performance optimizations for global media delivery.
Amazon Route 53 is a highly available DNS service that can route users to endpoints using policies like latency-based routing, geolocation, and health checks. While it helps direct users to the best endpoint and can reduce DNS lookup time, it does not cache or deliver the actual media content at edge locations. Route 53 is often used alongside CloudFront, but it cannot replace a CDN for global caching and low-latency delivery.
Core Concept: This question tests content delivery and edge caching using a Content Delivery Network (CDN). For globally distributed viewers and very low startup latency, AWS's CDN service is Amazon CloudFront, which uses a worldwide network of edge locations to cache and serve content close to end users.

Why the Answer is Correct: The platform must deliver large static objects (120 MB images) and video clips (8 minutes) to viewers in 50+ countries with startup latency under 100 ms. CloudFront reduces latency by caching content at edge locations and serving requests from the nearest edge. For video, CloudFront supports HTTP-based delivery (progressive download) and integrates with streaming workflows (e.g., HLS/DASH via MediaPackage or S3 origins). By keeping frequently accessed highlights at the edge, CloudFront avoids round trips to the origin and improves time-to-first-byte and startup performance. Note that the sub-100 ms target is met on cache hits: the first request for an object at a given edge is a miss that travels to the regional edge cache or the origin, so TTLs and Origin Shield matter for freshly published, spiky content such as new highlights.

Key AWS Features: CloudFront provides edge caching with configurable TTLs (minimum, default, and maximum) through cache policies, plus origin request policies. It supports multiple origins (Amazon S3, ALB/EC2, MediaPackage), signed URLs and signed cookies for access control, geo-restriction, and AWS Shield and AWS WAF integration for protection. For large objects and video, Origin Shield (an additional caching layer), regional edge caches, and compression for compressible content types (not already-compressed images or video) help optimize performance and reduce origin load. CloudFront also supports HTTPS, HTTP/2 and HTTP/3, and detailed metrics and logging for performance tuning.

Common Misconceptions: Route 53 is global and improves DNS resolution and routing decisions, but it does not cache or deliver the actual image/video bytes at edge locations. Kinesis is for real-time data streaming ingestion and processing, not content distribution. SQS is a message queue for decoupling applications, not for serving media to end users.

Exam Tips: When you see "global network of edge locations," "cache content close to users," "low latency content delivery," or "video/images to worldwide viewers," think CloudFront. Route 53 often appears as a distractor for "global," but it is DNS/routing, not a CDN. Pair CloudFront with S3 for static assets, and with MediaPackage/MediaStore for streaming architectures when needed.
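The explanation above says CloudFront has "configurable TTLs" and cache policies but does not show how those settings interact with what the origin sends. The following is an added example, not code from the original page or from AWS: a small Python model of the documented TTL resolution (origin directive clamped between the cache policy's minimum and maximum TTL, default TTL when the origin says nothing, minimum TTL when the origin says not to cache). The two cache policies and the Cache-Control headers are constructed for the example.

```python
"""Added example, not code from the original page: how a CloudFront cache
policy's MinTTL / DefaultTTL / MaxTTL settings combine with the origin's
Cache-Control header to decide how long an object stays at the edge.

Rules follow the documented CloudFront behaviour (assumed correct here):
  * no caching directive from the origin         -> DefaultTTL
  * s-maxage (preferred over max-age) or max-age -> clamped to [MinTTL, MaxTTL]
  * no-cache / no-store / private                -> MinTTL (0 means not cached)
The policies and headers below are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CachePolicy:
    """TTL settings of a CloudFront cache policy, in seconds."""
    min_ttl: int
    default_ttl: int
    max_ttl: int


def _directive_seconds(cache_control: str, name: str) -> Optional[int]:
    """Value of a `name=<seconds>` directive, or None if absent."""
    m = re.search(rf"(?:^|,)\s*{re.escape(name)}\s*=\s*(\d+)", cache_control)
    return int(m.group(1)) if m else None


def resolve_edge_ttl(policy: CachePolicy, cache_control: Optional[str]) -> int:
    """Seconds CloudFront keeps the object cached at an edge location."""
    if not cache_control:
        return policy.default_ttl
    cc = cache_control.lower()
    # Origins that say "don't cache" get the policy minimum (0 => not cached).
    if re.search(r"\b(no-cache|no-store|private)\b", cc):
        return policy.min_ttl
    explicit = _directive_seconds(cc, "s-maxage")
    if explicit is None:
        explicit = _directive_seconds(cc, "max-age")
    if explicit is None:
        return policy.default_ttl
    return max(policy.min_ttl, min(explicit, policy.max_ttl))


# Constructed policies: a typical media policy and a stricter one with a floor.
MEDIA_POLICY = CachePolicy(min_ttl=0, default_ttl=86_400, max_ttl=31_536_000)
FLOOR_POLICY = CachePolicy(min_ttl=300, default_ttl=3_600, max_ttl=86_400)

if __name__ == "__main__":
    for hdr in (None, "max-age=3600", "public, max-age=60, s-maxage=600",
                "max-age=999999999", "no-store"):
        print(f"{hdr!r:45} -> {resolve_edge_ttl(MEDIA_POLICY, hdr)} s")
```

The practical point for the highlights platform: an origin that emits `Cache-Control: private` or `no-store` on an S3 object defeats edge caching entirely under a policy whose minimum TTL is 0, so the sub-100 ms target then depends on every request reaching the origin. Setting a non-zero minimum TTL on the cache policy is the CloudFront-side override for origins you cannot fix.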
A fintech startup with a 12-month runway is choosing between buying $180,000 of on-premises hardware depreciated over 5 years and using AWS where projected demand varies from 20 to 120 vCPUs per day and storage grows by 2 TB each month; which two statements best describe the cost-effectiveness of using AWS in this scenario? (Choose two.)
Correct. AWS replaces large upfront capital expenditures (buying servers and storage) with pay-as-you-go operational expenses. In this scenario, compute demand varies widely (20–120 vCPUs/day), so paying only for what is used avoids overprovisioning and stranded capacity. With only a 12-month runway, reducing upfront cash outlay and aligning spend to actual usage is a major cost-effectiveness advantage.
Incorrect for cost-effectiveness. The ability to launch in multiple Regions quickly is an agility and resiliency feature, not primarily a cost advantage. Multi-Region architectures can actually increase cost due to duplicated resources, data transfer, and operational complexity. While speed of deployment is valuable, the question asks specifically about cost-effectiveness versus on-prem hardware economics.
Incorrect for cost-effectiveness. Faster experimentation and agility are key cloud benefits, but they are not the best cost-focused statements here. The scenario’s strongest cost drivers are variable compute demand and limited runway, which map more directly to variable pricing (OpEx) and avoiding overprovisioning. Agility can indirectly reduce costs, but it’s not the primary economic comparison in this question.
Incorrect for cost-effectiveness. AWS does not universally “handle patching” for all infrastructure; patching responsibility depends on the service (e.g., AWS patches underlying hosts for managed services, but customers patch EC2 guest OS). This is more about operational responsibility and security posture than direct cost-effectiveness. It also doesn’t address the core financial comparison of CapEx vs pay-as-you-go.
Correct. AWS’s economies of scale typically provide lower per-unit costs than a small startup can achieve buying and operating its own hardware (compute, storage, networking, facilities, and procurement). This matters as storage grows by 2 TB/month and compute scales up and down. Combined with right-sizing and pricing options (Savings Plans/Spot), AWS can reduce unit costs and total cost of ownership.
Core Concept: This question tests AWS cloud economics and pricing models versus on-premises CapEx, specifically the shift to variable OpEx (pay-as-you-go) and the benefit of economies of scale (lower unit costs). It aligns with the AWS Cloud value proposition and the Cost Optimization pillar of the AWS Well-Architected Framework.

Why the Answer is Correct: The startup has a 12-month runway and highly variable compute demand (20–120 vCPUs/day) plus steadily growing storage (2 TB/month). On-prem hardware requires a large upfront purchase ($180,000) and is depreciated over 5 years, but the business only has 12 months of runway, creating cash-flow risk and potential stranded capacity if demand is lower than expected. AWS allows matching capacity to actual daily demand and scaling down when not needed, converting fixed costs into variable costs (A). Additionally, AWS aggregates demand across many customers and procures infrastructure at massive scale, which generally reduces per-unit pricing compared to what a small startup can achieve on its own (E). This is especially relevant for storage growth and for compute that can use right-sized instances, Savings Plans or Reserved Instances for predictable baselines, and On-Demand or Spot for spikes.

Key AWS Features: For compute variability, Auto Scaling with EC2, ECS, or EKS can scale between 20 and 120 vCPUs; mixed purchase options (On-Demand for bursts, Spot for interruption-tolerant workloads, and Savings Plans for the baseline) optimize cost. For storage growth, services like Amazon S3 with lifecycle policies (e.g., S3 Standard to S3 Standard-IA or S3 Glacier classes) and EBS volume right-sizing help manage the increasing TB/month. Cost visibility tools (AWS Cost Explorer, AWS Budgets) support runway management.

Common Misconceptions: Options like multi-Region speed (B), agility (C), and managed patching (D) are real AWS benefits, but they are not the best descriptors of cost-effectiveness in this scenario. They relate more to operational agility and shared responsibility than to direct cost structure and unit economics.

Exam Tips: When a question emphasizes upfront hardware purchase, depreciation, runway, and variable demand, look for answers about the CapEx-to-OpEx shift and economies of scale. If it mentions fluctuating usage, pay-as-you-go and elasticity are usually central. Separate "cost-effectiveness" from "operational convenience" benefits (like patching or rapid global deployment).
A healthcare analytics firm undergoing a quarterly audit must download official AWS SOC 2 Type II and ISO 27001 compliance reports for the underlying cloud infrastructure within the next 10 minutes without opening a support case or deploying any agents; which AWS service provides on-demand, self-service access to these security and compliance documents?
Amazon GuardDuty is a managed threat detection service that analyzes logs (e.g., VPC Flow Logs, DNS logs, CloudTrail) to identify suspicious activity and potential compromise. It helps with security operations and incident response, not with retrieving official AWS compliance audit reports like SOC 2 Type II or ISO 27001. GuardDuty findings may support your security posture, but they are not auditor-issued compliance documents.
AWS Security Hub aggregates, normalizes, and prioritizes security findings from AWS services and partner tools, and it can run security standards checks (e.g., CIS AWS Foundations Benchmark, PCI DSS). While it supports continuous compliance monitoring, it does not provide downloadable, official AWS SOC/ISO compliance reports for the AWS infrastructure. It’s about your account’s security posture, not AWS’s third-party audit artifacts.
AWS Artifact is the correct service because it provides on-demand, self-service access to AWS security and compliance documents, including SOC 2 Type II reports and ISO 27001 certifications. It is designed for audit and compliance needs, enabling customers to quickly download official reports without opening a support case or deploying agents. This matches the time-sensitive quarterly audit requirement exactly.
AWS Shield is a managed DDoS protection service (Standard and Advanced) that helps protect applications running on AWS from distributed denial-of-service attacks. It focuses on availability and attack mitigation, not compliance reporting. Shield does not provide SOC 2 Type II or ISO 27001 documents; those are obtained through AWS Artifact.
Core Concept: This question tests knowledge of where customers obtain official AWS compliance documentation, such as SOC reports and ISO certifications, for AWS's underlying cloud infrastructure. The correct service is AWS Artifact, AWS's self-service portal for security and compliance reports and certain agreements.

Why Correct: AWS Artifact allows customers to immediately download AWS-issued audit artifacts such as SOC 2 Type II reports and ISO 27001 certifications without opening a support case. The scenario emphasizes urgent access within 10 minutes and no agent deployment, which aligns exactly with Artifact's purpose as an on-demand document repository.

Key Features:
1. Artifact Reports: Provides downloadable compliance reports and certifications, including SOC, ISO, PCI, and other audit documents. Many reports are released under terms (an NDA) that you accept in the console before the download starts, so plan for that step when the clock is ticking.
2. Artifact Agreements: Lets customers review, accept, and manage certain compliance-related agreements, such as a Business Associate Addendum where applicable.
3. Self-service access: Available directly through the AWS Management Console with IAM-based access control, so the auditor-facing role needs IAM permissions for AWS Artifact, making it suitable for audit and governance workflows.
4. Official AWS documentation: Supplies the formal reports auditors expect when validating AWS infrastructure controls.

Common Misconceptions: GuardDuty and Security Hub are security services, but they focus on findings, threat detection, and posture management within a customer environment rather than providing AWS's third-party audit reports. AWS Shield protects against DDoS attacks and is unrelated to downloading compliance documentation. A common exam trap is confusing compliance monitoring tools with compliance report repositories.

Exam Tips: If a question asks for SOC reports, ISO certifications, audit artifacts, or self-service compliance documents from AWS, think AWS Artifact immediately. If the question instead asks about threat detection, choose GuardDuty; for centralized security findings and posture checks, choose Security Hub; and for DDoS protection, choose Shield. Keywords like "official reports," "auditor," "download," and "no support case" strongly indicate AWS Artifact.
During an audit of a multi-account AWS environment with 3 production accounts where IAM user passwords rotate every 90 days and 50 TB of data is being migrated across 2 AWS Regions, the team asks what 'security of the cloud' refers to in the AWS shared responsibility model—specifically the protection of the global infrastructure (data centers, hardware, and networking) that operates all AWS services.
This option is incorrect because 'security of the cloud' specifically refers to AWS protecting the underlying global infrastructure that runs AWS services, such as data centers, hardware, and foundational networking. Although AWS is responsible for the availability and operation of the EC2 service itself, the phrase in this option describes service uptime rather than infrastructure security. Customers are still responsible for designing resilient workloads, monitoring instance health, and configuring features such as Auto Scaling and Multi-AZ deployments, so this does not match the definition being tested.
This is correct. “Security of the cloud” in the shared responsibility model means AWS secures the underlying infrastructure that runs all AWS services: physical data centers, hardware, and foundational networking/virtualization. Customers do not manage or secure these physical components; AWS designs, operates, and audits these controls as part of its global infrastructure security and compliance posture.
Enforcing IAM password policies (including 90-day rotation) is a customer responsibility and falls under “security in the cloud.” IAM configuration, credential management, MFA, least privilege, and account governance are controlled by the customer. AWS provides the IAM service and its availability, but customers decide and implement the policies and operational processes for their identities.
Using third-party AWS Network Firewall partners (or even AWS Network Firewall itself) is about protecting customer workloads and VPC traffic flows—customer responsibility “in the cloud.” It does not describe AWS’s responsibility to protect the global infrastructure (data centers, physical hardware, and core networking). Network firewalls are configuration choices customers make to secure their own environments.
Core Concept: This question tests the AWS Shared Responsibility Model, specifically the distinction between "security of the cloud" (AWS's responsibility) and "security in the cloud" (the customer's responsibility). "Security of the cloud" refers to protecting the underlying global infrastructure that runs AWS services: facilities, physical hardware, and foundational networking.

Why the Answer is Correct: Option B directly matches AWS's definition: AWS is responsible for securing the infrastructure that runs all AWS services. This includes the physical security of data centers, environmental controls, physical access controls, secure disposal of media, and the design and operation of the global network and virtualization layer that provides the service foundation. Customers consume these services without managing the physical layer.

Key AWS Features / Practices to Know: AWS implements and audits these controls under compliance programs (e.g., SOC reports, ISO certifications) and provides the artifacts through AWS Artifact. While customers must configure services securely (IAM, security groups, encryption, logging), AWS ensures the underlying infrastructure is protected and resilient. In multi-account environments and cross-Region migrations, customers still own identity governance, data protection configurations, and workload hardening, but AWS owns the physical and foundational layer.

Common Misconceptions: Options about keeping EC2 running or configuring IAM password rotation can feel "security-related," but they are customer-side operational and security controls ("in the cloud"). Similarly, using network firewalls (AWS Network Firewall or partner solutions) protects customer VPC traffic and workloads, again customer responsibility, rather than being AWS's responsibility for global infrastructure.

Exam Tips: When you see phrases like "global infrastructure," "data centers," "hardware," or "networking that operates all AWS services," map them to AWS responsibility ("security of the cloud"). When you see IAM policies, password rotation, security groups, encryption settings, patching the guest OS, or firewall rules, map them to customer responsibility ("security in the cloud").
A retail analytics company with 220 employees is deploying a microservices app on AWS across 3 Availability Zones in a single Region, must patch OS instances within 48 hours and configure least-privilege security groups, and uses AES-256 to encrypt sensitive data on client devices; under the AWS shared responsibility model, which task is AWS responsible for by default?
Incorrect. AWS provides the VPC construct and the capability to use network ACLs and security groups, but customers are responsible for configuring them according to least privilege. AWS does not know your application’s required ports, sources, or segmentation needs. This falls under “security in the cloud,” meaning customer configuration and ongoing governance.
Incorrect. Client-side encryption on mobile or desktop apps happens on customer-managed endpoints and within customer application code. AWS can provide encryption libraries, KMS, and best-practice guidance, but AWS is not responsible for implementing encryption in your client applications. This is entirely within the customer’s control and responsibility.
Incorrect. Creating and managing IAM users, groups, roles, policies, and MFA enforcement is a customer responsibility. AWS operates the IAM service and ensures its availability and durability, but the customer must define identities, permissions, and authentication requirements. Misconfigurations here are a common cause of security incidents and are explicitly “security in the cloud.”
Correct. AWS is responsible for maintaining the physical facilities, hardware, power, cooling, and the global network that run AWS services. This is “security of the cloud” and is handled by AWS by default for all customers. Customers cannot patch or configure these components; they rely on AWS to operate them securely and reliably.
Core Concept: This question tests the AWS Shared Responsibility Model. AWS is responsible for "security of the cloud" (the underlying infrastructure), while customers are responsible for "security in the cloud" (how they configure and use AWS services, plus anything on their own endpoints).

Why the Answer is Correct: Option D describes AWS's default responsibilities: maintaining and operating the physical data centers, hardware, power, cooling, and the global network that supports AWS services. These are foundational controls customers cannot access or manage directly. Regardless of whether the workload is microservices across three Availability Zones, or whether the company has strict patching and least-privilege requirements, AWS still owns the physical and environmental security and the backbone network operations.

Key AWS Features / Responsibilities: AWS handles data center physical security (controlled access, surveillance, environmental safeguards), the hardware lifecycle, and the networking fabric between Regions and AZs. AWS also manages the virtualization layer for many services and provides compliance reports (e.g., SOC, ISO) via AWS Artifact, but the core point is that the underlying facilities and infrastructure are AWS-owned.

Common Misconceptions: Many candidates confuse "network security" with AWS responsibility. While AWS provides the tools (security groups, NACLs, IAM), customers must configure them. Similarly, client-side encryption on mobile or desktop devices is entirely customer-controlled because it occurs outside AWS. OS patching depends on the service model: for EC2, the customer patches the guest OS; for managed services (e.g., RDS), AWS patches the underlying infrastructure and, depending on configuration, the engine. The question explicitly mentions OS instances, implying EC2-style responsibility.

Exam Tips: When asked "by default, what is AWS responsible for," look for answers about physical infrastructure and the underlying cloud platform. Anything involving customer configuration (IAM, security groups, NACLs), data classification, encryption choices, endpoint security, or guest OS patching is typically the customer's responsibility, especially for IaaS like Amazon EC2.
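The first option's explanation states that configuring security groups to least privilege is the customer's job and that "AWS does not know your application's required ports." What that job looks like in practice is a periodic review of the rules. The following is an added example, not code from the original page or from AWS: a Python check over security group ingress rules in the JSON shape returned by `aws ec2 describe-security-groups`. The three groups are constructed sample data, and the rule set (world-open ingress is acceptable only on TCP 80/443; SSH and RDP must never be world-reachable) is an assumption chosen for the example, not a policy the page states.

```python
"""Added example, not code from the original page: a least-privilege review
of security group ingress rules in the shape returned by
`aws ec2 describe-security-groups` (the IpPermissions entries).

The groups below are constructed sample data. The rule set is an assumption
made for this example: ingress from the whole internet (0.0.0.0/0 or ::/0)
is acceptable only on the TCP ports in ALLOWED_PUBLIC_PORTS, and the admin
ports in ADMIN_PORTS must never be world-reachable.
"""
import json
import sys
from typing import Dict, List

ALLOWED_PUBLIC_PORTS = {80, 443}
ADMIN_PORTS = {22, 3389}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _world_open(rule: dict) -> bool:
    """True if any IPv4/IPv6 range on the rule is the whole internet."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return any(c in WORLD_CIDRS for c in cidrs)


def audit_security_group(sg: dict) -> List[str]:
    """Findings for one security group; an empty list means it passes."""
    findings: List[str] = []
    gid = sg["GroupId"]
    for rule in sg.get("IpPermissions", []):
        if not _world_open(rule):
            continue  # scoped to a CIDR or another SG: fine for this check
        proto = rule.get("IpProtocol")
        if proto == "-1":  # "-1" means all protocols and all ports
            findings.append(f"{gid}: all protocols and ports open to the world")
            continue
        lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
        admin = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
        if admin:
            findings.append(f"{gid}: admin port(s) {admin} open to the world")
        elif not (proto == "tcp" and lo == hi and lo in ALLOWED_PUBLIC_PORTS):
            findings.append(f"{gid}: {proto} ports {lo}-{hi} open to the world")
    return findings


def audit(groups: List[dict]) -> Dict[str, List[str]]:
    """Map GroupId -> findings for every group."""
    return {g["GroupId"]: audit_security_group(g) for g in groups}


# Constructed sample: a public ALB, an app tier reachable only from the ALB,
# and a bastion that someone opened far too wide.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "alb-public",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
          "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0bbb", "GroupName": "app-tier",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
          "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0aaa"}]}]},
    {"GroupId": "sg-0ccc", "GroupName": "bastion",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    # Real data: aws ec2 describe-security-groups --output json | python sg_audit.py
    groups = (json.load(sys.stdin)["SecurityGroups"]
              if not sys.stdin.isatty() else SAMPLE_GROUPS)
    for gid, issues in audit(groups).items():
        print(gid, "OK" if not issues else "")
        for issue in issues:
            print("  -", issue)
```

The app-tier group passes because its only source is another security group, which is the least-privilege pattern the explanation has in mind: reference the upstream tier's group instead of a CIDR, and the rule follows the instances wherever they scale.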
A fitness startup plans to launch a wearable companion application and is deciding between deploying to a co-located on-premises rack or the AWS Cloud, targeting 50,000 active users within the first 3 months and expecting traffic surges during weekend challenges. Which benefits of using the AWS Cloud apply in this case? (Choose two.)
Incorrect. Large upfront hardware purchases are a hallmark of traditional on-premises or co-located deployments (CapEx). One of the primary AWS Cloud benefits is shifting to variable, pay-as-you-go pricing (OpEx) and avoiding overprovisioning for peak demand. For a startup with uncertain growth and weekend spikes, upfront purchases increase risk and reduce flexibility.
Correct. AWS enables faster experimentation because resources can be provisioned in minutes (compute, databases, networking) rather than waiting weeks for procurement and installation. This supports rapid feature iteration for a new wearable companion app. Using managed services and Infrastructure as Code further accelerates development cycles and reduces time-to-market.
Incorrect. Complete, direct control of badge access and camera surveillance is an on-premises/co-location benefit. In AWS, physical security of data centers is handled by AWS as part of the shared responsibility model. Customers retain control over logical security (IAM, security groups, encryption), but not direct control over facility access systems.
Correct. Elasticity is a core AWS advantage: you can scale capacity up or down within minutes to match demand. This is ideal for weekend challenge surges, allowing Auto Scaling, load balancing, and serverless scaling to handle peaks without permanently running (and paying for) peak-sized infrastructure during off-peak periods.
Incorrect. Customers choose Regions and Availability Zones for latency, compliance, and resiliency, but they do not select the exact physical buildings hosting servers. This option describes a co-location/on-premises scenario. AWS abstracts the underlying facilities while providing high availability constructs (multi-AZ, multi-Region) for architecture design.
Core Concept: This question tests foundational AWS Cloud value propositions: agility (on-demand resources) and elasticity (rapid scaling). These are core Cloud Concepts emphasized in AWS Cloud Practitioner-style domains and align with the AWS Well-Architected Framework's Performance Efficiency and Cost Optimization pillars.

Why the Answer is Correct: The startup expects rapid growth to 50,000 active users and predictable-but-spiky weekend surges. AWS enables teams to provision infrastructure on demand and iterate quickly without waiting for hardware procurement, racking, and capacity planning cycles. That directly supports faster experimentation and feature iteration (B). Additionally, AWS provides elasticity: capacity can be scaled up and down within minutes to meet demand spikes (D), which is ideal for weekend challenges where traffic surges are time-bound.

Key AWS Features: On-demand provisioning is enabled through services like Amazon EC2, Amazon ECS/EKS, AWS Lambda, and managed databases (Amazon RDS/Aurora, DynamoDB). Infrastructure as Code (AWS CloudFormation, AWS CDK, Terraform) accelerates repeatable environments for dev, test, and prod. For scaling within minutes, AWS Auto Scaling (EC2 Auto Scaling, ECS Service Auto Scaling), Application Load Balancer, and serverless concurrency scaling (Lambda) are common patterns. Using managed services reduces operational overhead and improves time-to-market.

Common Misconceptions: Some may think buying hardware upfront (A) is beneficial because it can reduce long-term unit cost, but it contradicts the cloud benefit of avoiding large capital expenditure and instead paying for what you use. Options about physical control (C, E) reflect on-premises advantages; in AWS you use the shared responsibility model: AWS manages the physical facilities, while customers manage configuration and data security.

Exam Tips: When you see "traffic surges," "spiky demand," "rapid growth," or "launching soon," look for elasticity and agility keywords: "scale within minutes," "on-demand," "pay-as-you-go," and "faster experimentation." Conversely, statements about direct physical access, choosing exact buildings, or large upfront purchases usually indicate on-premises characteristics, not cloud benefits.
Due to a company policy that requires password rotation every 90 days, a support engineer must change their own IAM user password within the next 24 hours while working remotely and having access only to a web browser and a terminal with AWS CLI v2 configured with their IAM credentials. Which AWS services or interfaces can the engineer use to change their password? (Choose two.)
Correct. The AWS CLI can change the current IAM user’s console password using the IAM ChangePassword API (for example, "aws iam change-password"). This requires that the CLI is configured with that user’s access keys and that the user has permission for iam:ChangePassword. It is a self-service operation and does not require access to the AWS Management Console.
Incorrect. AWS KMS is used to create and manage encryption keys and control cryptographic operations. It does not manage IAM user authentication credentials like console passwords. KMS might protect secrets or encrypt data, but it cannot be used to change an IAM user’s password or enforce password rotation policies.
Correct. The AWS Management Console provides a built-in interface for an IAM user to change their own password while signed in. This aligns with typical password rotation workflows and IAM account password policies. It’s the most direct browser-based method and does not require additional services beyond IAM and the console UI.
Incorrect. AWS Resource Access Manager (RAM) is for sharing AWS resources (such as subnets, Transit Gateways, or license configurations) across AWS accounts or within an organization. It has no functionality for IAM user credential management and cannot be used to change or rotate IAM user passwords.
Incorrect. AWS Secrets Manager stores and rotates secrets like database passwords, API keys, and other application credentials, often via Lambda-based rotation. It does not integrate with IAM to change an IAM user’s console password. IAM user password rotation is handled through IAM policies, password policy, and IAM interfaces (console/CLI/API).
Core Concept: This question tests IAM credential management for an IAM user, specifically how a user can change their own console password. In AWS, an IAM user password is the credential used to sign in to the AWS Management Console. Password rotation is typically enforced via IAM account password policy and operational processes.
Why the Answer is Correct: C (AWS Management Console) is correct because IAM users can change their own password through the console UI (for example, via the user menu or IAM user security credentials pages), assuming they are signed in with that IAM user and have permission to perform the self-service action. This is the most common and straightforward method when only a web browser is available. A (AWS CLI) is also correct because IAM provides an API operation to change the current user’s password (ChangePassword). With AWS CLI v2 configured using the engineer’s IAM user access keys, the engineer can run a command such as "aws iam change-password --old-password ... --new-password ...". This is specifically designed for a user to change their own password without needing administrative access to manage other users.
Key AWS Features:
- IAM ChangePassword API: Allows a user to change their own password; it does not allow changing other users’ passwords.
- IAM permissions: The user must be allowed to call iam:ChangePassword (often granted by default in self-management policies). If denied, an admin must update permissions.
- Account password policy: Enforces rotation, complexity, reuse prevention, and expiration; users must comply when setting the new password.
Common Misconceptions:
- AWS Secrets Manager (E) manages application secrets and can rotate database/API credentials, but it does not change an IAM user’s console password.
- AWS KMS (B) encrypts data and manages keys; it is unrelated to IAM user password changes.
- AWS RAM (D) shares resources across accounts; it has no role in IAM authentication credentials.
Exam Tips: For IAM user password tasks, think “IAM + Console/CLI/API.” If the question is about changing one’s own password, look for the Management Console and the IAM ChangePassword capability via CLI/SDK. If it’s about rotating access keys, that’s a different IAM operation (create/update/delete access keys). If it’s about application credential rotation, that’s where Secrets Manager is typically relevant.
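As an added example (not code from the page), here is the least-privilege permission the explanation above refers to, written as a CloudFormation managed policy: it lets a user change only their own console password, whether through the console or "aws iam change-password". The policy name and statement Sids are my own choices.

```yaml
# Added example, not from the page: a CloudFormation template creating a
# least-privilege managed policy for self-service password rotation.
# Policy name and Sids are hypothetical choices of mine.
AWSTemplateFormatVersion: "2010-09-09"
Description: Let IAM users rotate only their own console password
Resources:
  SelfServicePasswordPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: SelfServicePasswordChange   # hypothetical name
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # The console reads the account password policy to show the
          # complexity and reuse rules the new password must satisfy.
          - Sid: AllowViewAccountPasswordRequirements
            Effect: Allow
            Action: iam:GetAccountPasswordPolicy
            Resource: "*"
          # iam:ChangePassword is resource-scoped; the ${aws:username}
          # policy variable pins it to the caller's own user ARN, so this
          # policy alone can never change another user's password.
          # (Plain string, not !Sub, so CloudFormation leaves it intact.)
          - Sid: AllowChangeOwnPassword
            Effect: Allow
            Action: iam:ChangePassword
            Resource: "arn:aws:iam::*:user/${aws:username}"
```

Attach the policy to the engineer's user or group; it grants no access-key operations, which are separate IAM actions.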
To plan a migration, a finance team needs to estimate the monthly AWS cost of a proposed analytics stack that will use 20 m5.large Amazon EC2 instances behind two Application Load Balancers and about 8 TB per month of data transfer out to the internet; which AWS service or feature should they use?
Amazon Detective is a security analytics service that helps investigate potential security issues by analyzing AWS logs (e.g., VPC Flow Logs, CloudTrail) and building entity behavior graphs. It is used for incident investigation and threat detection, not for estimating AWS costs. It would not help a finance team model EC2, ALB, or internet egress charges for a proposed migration.
AWS Budgets is used to set cost and usage budgets and receive alerts when actual or forecasted spending exceeds thresholds. It’s valuable after workloads run (or once Cost Explorer has data) to control spend, but it is not the best tool to create an itemized pre-deployment estimate for a new architecture. For migration planning estimates, Pricing Calculator is the correct choice.
AWS Resource Explorer helps you search and discover AWS resources across regions and accounts (inventory and governance use cases). It does not provide pricing or cost estimation capabilities. Because the question is about forecasting monthly costs for a proposed stack, a resource discovery tool is not relevant.
AWS Pricing Calculator is the correct tool for estimating monthly AWS costs for a planned architecture. It can model 20 m5.large EC2 instances, two Application Load Balancers (including LB-hours and LCU assumptions), and ~8 TB/month of internet data transfer out with region-specific pricing. It produces an itemized estimate that finance teams can use for migration planning and approvals.
Core Concept: This question tests AWS cost estimation for a planned (not yet deployed) workload. The primary service for forecasting monthly costs based on chosen AWS services, instance types, load balancers, and data transfer is AWS Pricing Calculator.
Why the Answer is Correct: The finance team needs to estimate the monthly AWS cost of a proposed analytics stack: 20 m5.large EC2 instances, two Application Load Balancers (ALBs), and ~8 TB/month of internet data transfer out. AWS Pricing Calculator is designed to model these exact inputs before migration. It lets you select EC2 instance type and count, expected usage hours, EBS assumptions, ALB hours/LCU usage, and outbound data transfer, then produces an itemized monthly estimate. This is the standard pre-deployment tool used in migration planning and business cases.
Key AWS Features: Pricing Calculator supports:
- Service-by-service estimates (EC2, ELB/ALB, data transfer, storage, etc.)
- Region-specific pricing (critical because rates vary by region)
- Usage assumptions (on-demand vs Savings Plans/Reserved Instances, hours/month)
- Export/share estimates for stakeholders (useful for finance approvals)
For ALB, costs include load balancer-hours and LCUs; for data transfer, it accounts for tiered internet egress pricing. These are common exam details: compute + load balancing + egress are separate line items.
Common Misconceptions: AWS Budgets is often confused with estimation, but it monitors and alerts on actual or forecasted spend in an AWS account after you set budgets; it’s not the primary tool to build a detailed pre-migration quote from scratch. Detective and Resource Explorer are unrelated to pricing.
Exam Tips: When the question says “estimate” or “plan a migration” and provides a hypothetical architecture with instance counts and data transfer, choose AWS Pricing Calculator. If it says “set alerts/thresholds” or “track spend over time,” choose AWS Budgets. Also remember data transfer out to the internet is a major cost driver and is explicitly modeled in Pricing Calculator.
A startup plans to store 5 TB of customer records in Amazon S3, attach 20 Amazon EBS volumes to its EC2 instances, and run a production Amazon RDS database, and it needs a single AWS-managed service that integrates with these services to centrally create and manage keys for encrypting data at rest across all of them; which service should it use?
AWS Key Management Service (AWS KMS) is the correct choice because it is the AWS-managed service for creating and managing cryptographic keys used for encryption at rest across AWS services. It integrates directly with Amazon S3 (SSE-KMS), Amazon EBS (volume and snapshot encryption), and Amazon RDS (DB instance and backup encryption). It also provides key policies, IAM integration, CloudTrail auditing, and optional key rotation.
AWS Certificate Manager (ACM) manages SSL/TLS certificates for securing network communications (encryption in transit), such as HTTPS for load balancers, CloudFront, and API endpoints. While certificates contain public/private keys, ACM is not used to centrally manage data-at-rest encryption keys for S3 objects, EBS volumes, or RDS storage. Therefore it does not satisfy the requirement for encrypting stored data across these services.
AWS Identity and Access Management (IAM) is used to manage users, roles, and permissions, including controlling who can use KMS keys or access encrypted resources. However, IAM does not create, store, rotate, or perform cryptographic operations with encryption keys for data at rest. It is an access control service, not a centralized key management service, so it cannot meet the stated requirement by itself.
AWS Security Hub aggregates, normalizes, and prioritizes security findings from AWS services (like GuardDuty, Inspector) and partner tools, and it helps with security posture management against standards. It does not provide key creation or key lifecycle management for encryption at rest. While it can report on encryption-related controls, it cannot be used as the single service to create and manage encryption keys.
Core Concept: This question tests centralized key management for encryption at rest across multiple AWS storage and database services. The AWS-managed service designed specifically to create, store, and control cryptographic keys used by other AWS services is AWS Key Management Service (AWS KMS).
Why the Answer is Correct: The startup needs a single AWS-managed service that integrates with Amazon S3, Amazon EBS, and Amazon RDS to centrally create and manage encryption keys. AWS KMS provides customer managed keys and AWS managed keys that can be used directly by these services for server-side encryption. With KMS, S3 can use SSE-KMS, EBS can encrypt volumes and snapshots with KMS keys, and RDS can encrypt DB instances, storage, snapshots, and automated backups using KMS. This meets the requirement for one centralized, AWS-managed key service spanning all three.
Key AWS Features: KMS integrates with IAM for authorization, enabling fine-grained control via key policies and IAM policies. It provides auditability through AWS CloudTrail logs of key usage, supports automatic key rotation for customer managed keys, and uses envelope encryption patterns where services protect data keys with a KMS key. For compliance-sensitive workloads, KMS can use HSM-backed key material managed by AWS, and some advanced scenarios can integrate with AWS CloudHSM. Best practice is to use least privilege on key policies and separate keys by environment or data classification.
Common Misconceptions: ACM is often confused with KMS because both deal with cryptographic material, but ACM manages TLS/SSL certificates for data in transit, not encryption-at-rest keys for S3, EBS, or RDS. IAM controls identities and permissions, but it does not generate or centrally manage encryption keys for these services. Security Hub centralizes security findings and posture management; it does not provide encryption key creation or lifecycle management.
Exam Tips: When you see 'centrally create and manage keys' and 'encrypt data at rest' across AWS services, think AWS KMS. Map services to their KMS integrations: S3 (SSE-KMS), EBS (volume and snapshot encryption), and RDS (DB encryption). If the question mentions certificates or HTTPS, that points to ACM; if it mentions permissions, users, or roles, that points to IAM; if it mentions aggregating security alerts, that points to Security Hub.
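One way to apply the least-privilege key policy advice above, as an added example that is not part of the page: a CloudFormation template for a single customer managed KMS key whose key policy lets an application role use the key only when the request comes through S3, EC2 (which fronts EBS) or RDS. The role name analytics-app-role is hypothetical; the account ID and region come from CloudFormation pseudo parameters.

```yaml
# Added example, not from the page: one customer managed KMS key shared by
# S3, EBS and RDS, usable by the app role only through those services.
# Role name is hypothetical; account and region are pseudo parameters.
AWSTemplateFormatVersion: "2010-09-09"
Description: Single KMS key for S3, EBS and RDS encryption at rest
Resources:
  DataAtRestKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Customer managed key for S3, EBS and RDS (constructed example)
      EnableKeyRotation: true   # automatic rotation of the key material
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          # Key administration stays with the account; delegate it via IAM.
          - Sid: EnableKeyAdministration
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action: kms:*
            Resource: "*"
          # Cryptographic use only via S3, EC2 (EBS) or RDS in this region.
          - Sid: AllowUseOnlyViaStorageServices
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:role/analytics-app-role
            Action:
              - kms:Encrypt
              - kms:Decrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
              - kms:DescribeKey
            Resource: "*"
            Condition:
              StringEquals:
                kms:ViaService:
                  - !Sub s3.${AWS::Region}.amazonaws.com
                  - !Sub ec2.${AWS::Region}.amazonaws.com
                  - !Sub rds.${AWS::Region}.amazonaws.com
          # EBS volumes and RDS instances keep access via grants; allow only
          # grants that an AWS service creates on the caller's behalf.
          - Sid: AllowServiceGrants
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:role/analytics-app-role
            Action: kms:CreateGrant
            Resource: "*"
            Condition:
              Bool:
                kms:GrantIsForAWSResource: "true"
```

Create one such key per environment or data classification, and watch the resulting KMS API calls in CloudTrail to confirm only the expected services appear as callers.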