AWS CERTIFIED SOLUTIONS


ARCHITECT PRACTICE QUIZ
Presented by Linux Academy
QUESTION 1

AWS CSA Quiz:


WHAT BEST DESCRIBES THE CONCEPT
OF HIGH AVAILABILITY?
Correct Answer • A durable system that can operate for long periods of
time without failure
• The ability of the system to easily increase in size
• Following proper security procedures
• Always finding what you are looking for

EXPLANATION: High availability refers to a system that has been tested to be
durable and has its components highly or always available to its users.
QUESTION 2

AWS CSA Quiz:

WHAT IS A POSSIBLE EXPLANATION
FOR THIS?
You work for a large consulting firm that has just hired a junior consultant named Jessica, who will be
working on a large AWS project. She will be working remotely and, therefore, is not present in the
office. You create a new IAM user for her named "Jessica" in your company’s AWS account. On
Jessica's first day, you ask her to make a change to a CloudWatch alarm in an Auto Scaling group.
Jessica reports back that she does not have access to CloudWatch or Auto Scaling in the AWS
console.
• Because she is working remotely, she would need to SSH
into the instances in the Auto Scaling group via her
terminal to make the changes
• Only IAM account admins can make changes to Auto
Scaling groups
Correct Answer • You have not added the appropriate IAM permissions
and access policies to her user; there is a non-explicit
deny to all new users
• When you created the new user, you forgot to assign
access keys
• Always finding what you are looking for

EXPLANATION: When a new IAM user is created, that user has NO access to any
AWS services. This is called a non-explicit deny. For that user, access must be
explicitly allowed via IAM permission and access policies.
QUESTION 3

AWS CSA Quiz:


You have been tasked with auditing the security of your VPC. As part of this process,
you need to start by analyzing what traffic is allowed to and from various EC2 instances.

WHAT TWO PARTS OF THE VPC DO YOU NEED
TO CHECK TO ACCOMPLISH THIS TASK?
• NACLs and Subnets
• Security Groups and Internet Gateways
• NACLs and Route Tables
Correct Answer • Security Groups and NACLs

EXPLANATION: Security Groups and NACLs are the two parts of the VPC Security
Layers. Security Groups are a firewall on the instance level, and NACLs are a firewall
on the subnet level.
QUESTION 4

AWS CSA Quiz:

IF YOU ARE DESIGNING AN APPLICATION
THAT REQUIRES FAST (10GBPS),
LOW-LATENCY CONNECTIONS BETWEEN
EC2 INSTANCES, WHAT EC2 FEATURE
SHOULD YOU USE?
• Snapshots
Correct Answer • Placement groups
• Instance store volumes
• IOPS provisioned instances

EXPLANATION: Placement groups are a clustering of EC2 instances in one
Availability Zone with fast (10Gbps) connections between them. This service is used
for applications that need extremely low-latency connections between instances.
QUESTION 5

AWS CSA Quiz:

WHAT ARE THE TWO MAIN COMPONENTS OF
AWS AUTO SCALING?
• Elastic Load Balancer and Auto Scaling groups
Correct Answer • Launch configuration and Auto Scaling groups
• Auto Scaling groups and instance types
• Launch configuration and elasticity

EXPLANATION: A launch configuration is an EC2 template that will be used by the
Auto Scaling group.
QUESTION 6

AWS CSA Quiz:


You have provisioned several EC2 instances into private subnets; however, you now
have the problem of not being able to download any new software packages or updates.

WHICH OF THE FOLLOWING PROVIDES THE
BEST SOLUTION?
• Create a bastion host in a public subnet to provide the instances
in the private subnets with a route to the internet
• Create a NAT Gateway in a private subnet, then create a route
to it in the route table associated with the private subnets
• Change the associated route table of the private subnets to a
route table with a route to an IGW, thus making the subnets
public
Correct Answer • Create a NAT Gateway in a public subnet and create a route
to it in the route table associated with the private subnets

EXPLANATION: A NAT gateway provides the most secure solution for granting EC2
instances in private subnets the ability to download software packages. However, the
NAT gateway MUST be placed in a public subnet, and a route to it must be created in
the route table associated with the private subnets.
QUESTION 7

AWS CSA Quiz:


IF YOU HAVE AN EBS VOLUME IN
AVAILABILITY ZONE US-EAST-1D AND
YOU WANT TO ATTACH IT TO AN EC2
INSTANCE IN AVAILABILITY ZONE
US-EAST-1A, WHAT PROCEDURE
SHOULD YOU FOLLOW?
• Make a copy of the volume and have it placed in us-east-1a,
then attach it to the instance
• Select the volume and simply attach it to the instance in
us-east-1a
• EBS Volumes cannot be moved between Availability Zones
Correct Answer • Create a snapshot of the volume in us-east-1d, then
create a new volume from the snapshot, choosing to
place it in us-east-1a. Attach the new volume to the
instance

EXPLANATION: EBS volumes cannot be used across Availability Zones; however,
since snapshots are stored in S3, new volumes can be created from a snapshot
and placed into any Availability Zone.
QUESTION 8

AWS CSA Quiz:


You work for a hospital that is required to store patients' medical records for a
minimum of 10 years. Most of these records will never be accessed but must be
made available upon request (within a few hours).

WHAT IS THE MOST COST-EFFECTIVE
STORAGE OPTION?
Correct Answer • Glacier
• S3-IA (infrequent access)
• AWS Import/Export
• Reduced redundancy storage

EXPLANATION: Glacier is an AWS solution for archival storage, which is designed
for long-term storage of data that is very rarely accessed.
QUESTION 9

AWS CSA Quiz:


IF YOU NEED A DEDICATED, LOW LATENCY
CONNECTION TO AWS FROM YOUR
ON-PREMISES DATA CENTER, WHAT
SOLUTION SHOULD YOU CHOOSE?
• AWS Virtual Private Network
• AWS Storage Gateway
• AWS Virtual Private Gateway
Correct Answer • AWS Direct Connect

EXPLANATION: AWS Direct Connect is a service that provides a dedicated
network connection between your data center and one of AWS's Direct Connect
locations. One of the main benefits of Direct Connect is a low-latency connection.
QUESTION 10

AWS CSA Quiz:


The Availability Zone that your RDS database instance is located in is suffering from
outages, and you have lost access to the database.

WHAT COULD YOU HAVE DONE TO
PREVENT LOSING ACCESS TO YOUR
DATABASE (IN THE EVENT OF THIS TYPE
OF FAILURE) WITHOUT ANY DOWNTIME?
• Created a read replica
Correct Answer • Enabled multi-AZ failover
• Increased the database instance size
• Made a snapshot of it

EXPLANATION: If multi-AZ failover is enabled, a duplicate copy of the database
is kept in a separate AZ. If there is a failure in the primary database's AZ, AWS will
automatically switch the CNAME DNS record from the primary to the failover
backup instance.
QUESTION 11

AWS CSA Quiz:


WHAT SERVICE SHOULD YOU CHOOSE IF
YOU WANT TO SEND NOTIFICATIONS VIA
TEXT MESSAGE TO A SYSTEM
ADMINISTRATOR?

• SWF
• SQS
Correct Answer • SNS
• CloudWatch

EXPLANATION: SNS (Simple Notification Service) is the AWS service that
provides the ability to send notifications to various endpoints, with SMS (text
messages) being one of them.
QUESTION 12

AWS CSA Quiz:


WHICH OF THE FOLLOWING CLOUDWATCH
EC2 METRICS WILL REQUIRE A CUSTOM
SCRIPT TO ENABLE?
• CPU Utilization
Correct Answer • Memory Utilization
• CPU Credit Usage
• Network Out

EXPLANATION: Custom scripts are needed to enable OS-level monitoring of EC2
instances. Memory Utilization falls into that category, while Network Out, CPU Credit
Usage and CPU Utilization do not (those are host-level metrics).
QUESTION 13

AWS CSA Quiz:


WHAT AWS SERVICE ALLOWS YOU TO TREAT
YOUR INFRASTRUCTURE AS CODE?
• CloudWatch
• Elastic BeanStalk
• CloudTrail
Correct Answer • CloudFormation

EXPLANATION: CloudFormation allows you to turn your infrastructure into JSON or
YAML formatted templates.
QUESTION 14

AWS CSA Quiz:


WHAT IS THE PURPOSE OF A KINESIS
PRODUCER?
• To analyze data in the Kinesis stream
• To store data for the Kinesis stream
Correct Answer • To collect and send data into a Kinesis stream
• To consume the processed Kinesis data

EXPLANATION: Kinesis producers include things like IoT sensors and mobile
devices that collect data and send it into the Kinesis stream.
QUESTION 15

AWS CSA Quiz:


WHAT IS RESPONSIBLE FOR STARTING AND
STOPPING TASKS ON AN ECS CONTAINER
INSTANCE?
• Task Definition
Correct Answer • ECS Agent
• Dockerfile
• Container Registry

EXPLANATION: The ECS Agent is responsible for starting/stopping tasks. It also
monitors tasks and resource utilization.
QUESTION 16

AWS CSA Quiz:


In order to establish a successful site-to-site VPN connection from your on-premises
network to the VPC (Virtual Private Cloud),

WHICH OF THE FOLLOWING NEEDS TO BE
CONFIGURED INSIDE OF THE VPC?
• A dedicated NAT instance in a public subnet
Correct Answer • A public IP address on the customer gateway for the
on-premise network
• An Elastic IP address to the Virtual Private Gateway
• The main route table to route traffic through a NAT instance

EXPLANATION: When you configure a VPN, you're configuring it from the VPC and
from the on-premises network. You are taking information (the public IP) from the
on-premises network and configuring it inside of the VPC.
QUESTION 17

AWS CSA Quiz:


WHAT BEST DESCRIBES THE CONCEPT OF
ELASTICITY?
• The ability to stretch your AWS budget to meet your goals
Correct Answer • The ability of a system to increase and decrease in size
• The ability of a system to increase in size
• The ability of a system to always be available

EXPLANATION: Elasticity is defined as the ability to both increase and decrease. In
architecting applications, this usually refers to the ability of an application to increase
and decrease server capacity on demand.
QUESTION 18

AWS CSA Quiz:


You have created a new VPC in your AWS account and have launched an EC2 instance
into a subnet. After the instance is provisioned, you try to connect to it via SSH but
receive a "connection timed out" error.

AS YOU TROUBLESHOOT THE ISSUE, WHAT
IS MOST LIKELY CAUSING THE ERROR?
• The security group associated with the instance does not
explicitly allow return (outbound) SSH traffic over the
ephemeral port ranges
Correct Answer • The NACL associated with the subnet does not explicitly
allow return (outbound) SSH traffic over the ephemeral
port ranges
• You have too many internet gateways attached to the VPC and
the traffic doesn't know which one to use
• You are not using the instance's private IP address to connect

EXPLANATION: SSH will travel over port 22 for inbound requests. However, return
(outbound) SSH traffic can travel over any of the ephemeral ports (1024-65535). So
it is important that those port ranges be allowed on NACL outbound rules if you want
to communicate using SSH.
QUESTION 19

AWS CSA Quiz:


WHAT BEST DESCRIBES THE
CHARACTERISTICS OF EBS VOLUMES?

Correct Answer • They are persistent and can live past the lifetime of the
instance
• They will be deleted anytime the instance is stopped
• They are ephemeral and only live during the lifetime of the
instance
• They cannot be used as an instance's root storage device

EXPLANATION: EBS volumes are network-attached, persistent storage volumes.
They are designed to live past the life of an EC2 instance and be attached/detached
at will.
QUESTION 20

AWS CSA Quiz:


You are asked to perform a security audit on a company’s AWS environment. You log in
to their AWS account with the root user credentials and discover that they are using a
VPN to connect to and manage their private EC2 instances. Upon further inspection, you
find that they are not regularly patching their RDS instances. Finally, you notice that they
are using IAM policies rather than bucket policies to manage access to their S3 buckets.

WHAT DO YOU CITE AS THE MOST CRITICAL
SECURITY RISK IN YOUR REPORT?
• The company’s employees are not using a bastion host to
connect to their private EC2 instances
• The company is not using bucket policies to manage S3
bucket access
• The company has not been patching their RDS instances
Correct Answer • The company allows people to log in with their AWS
account’s root user

EXPLANATION: A bastion host is not more secure than a VPN as a means of
connecting to private instances. IAM policies and S3 bucket policies are both
acceptable means of controlling S3 bucket access. It is AWS's responsibility to patch
RDS instances. After initial account setup, AWS account administration should be
performed by IAM users rather than the root user account.
QUESTION 21

AWS CSA Quiz:


WHAT BEST DESCRIBES A SCALING
POLICY?
Correct Answer • A set of CloudWatch metric thresholds that dictate when
to add or remove instances from the Auto Scaling group
• The percentage at which an ELB will send traffic to an instance
before it sends traffic to a different instance
• The IAM access policy granted to an Auto Scaling group
• An SNS notification alert

EXPLANATION: Scaling policies belong to the Auto Scaling group. The policies
themselves dictate (via chosen CloudWatch metrics thresholds) when instances
should be added or removed.
QUESTION 22

AWS CSA Quiz:


You keep getting an error when you try to attach an IGW to a VPC.

WHAT IS THE MOST LIKELY CAUSE OF
THE ERROR?
• The IGW isn't in the same Availability Zone as the VPC
Correct Answer • An IGW is already attached to the VPC
• The IGW is most likely broken and a new one should be
created
• The IGW needs to be associated with a route table before it can
be attached to a VPC

EXPLANATION: A VPC can only have one IGW attached to it at a time.


QUESTION 23

AWS CSA Quiz:

WHICH OF THE FOLLOWING IS NOT
EXPECTED BEHAVIOR FROM SQS AND MAY
INDICATE A PROBLEM WITH YOUR
APPLICATION?
Correct Answer • Messages in JSON format fail to be created in the SQS
queue
• A message in your SQS queue is duplicated
• A 500 KB message fails to be created in an SQS queue
• Messages are retrieved from your SQS queue in a different
order than they were created

EXPLANATION: JSON is an acceptable message format. Failure to create a message
in JSON format may indicate a permissions issue or the message size may be larger
than the 256 KB SQS maximum message size.
QUESTION 24

AWS CSA Quiz:

THROUGH WHAT PROCESS ARE OBJECTS
MOVED FROM THE STANDARD STORAGE
CLASS TO GLACIER?
• S3 events
• Selecting a different storage class
• Object versioning
Correct Answer • Lifecycle policies

EXPLANATION: Objects uploaded and stored using the standard storage class must
use lifecycles to move them to Glacier.
QUESTION 25

AWS CSA Quiz:


Your AWS environment contains several on-demand EC2 instances dedicated to a
project that has just been cancelled. Your supervisor does not want to incur charges
for these on-demand instances but also does not want to lose the data just yet
because there is a chance the project may be revived in the next few days.

WHAT SHOULD YOU DO TO MINIMIZE
CHARGES FOR THESE INSTANCES IN THE
MEANTIME?
• Terminate the instances as soon as possible
• Contact AWS and explain the situation
• Sell the instances on the AWS On-Demand Instance
Marketplace. You can buy them back later if needed
Correct Answer • Stop the instances as soon as possible

EXPLANATION: You should not terminate an instance that you may need to place
back into production in a few days. The best way to minimize charges is to stop the
instances to avoid any data transfer charges that the instance might incur if left running.
5 TIPS FOR PASSING YOUR AWS CERTIFIED
SOLUTIONS ARCHITECT EXAM
1 UNDERSTAND THE QUESTIONS – Our practice quiz is just a starting point. AWS
also provides exam blueprints to help you prepare for the exam. Knowing what
type of questions will be asked is key because it allows you to create a strategy for
how to answer them.

2 CREATE A STUDY PLAN – We get it, everyone is busy, but it’s important to set
aside a fixed amount of time per week for studying. When you’re creating your
plan, write down what topics you want to study and when you’ll study them. Even
20 minutes a day can make a difference, and sticking to your schedule makes
sure that you stay on track to meet your learning goals.

3 FIND A STUDY PARTNER – Studies have shown that people learn best
together. Finding a buddy can help complement your weaknesses and hold you
accountable to your study plan. We recommend looking for an AWS meetup in
your area or joining an online community like the ones on Linux Academy and
Cloud Assessments.

4 APPLY WHAT YOU LEARN – Reviewing the material on paper isn’t enough. When
you become a Certified Solutions Architect, you’ll be expected to use AWS
services in real environments, so it makes sense that you’d use the services
when practicing as well. With Cloud Assessments, you can do just that – prove your
skills through hands-on Challenges and Learning Activities to make sure you
know the platform inside and out.

5 FOCUS ON YOUR WEAKNESSES – Why would you spend hours going over
material you already know? Part of being a Solutions Architect means being
well-rounded and knowing many different AWS services. Knowing which topics to
study can be a challenge of its own, and that’s where Cloud Assessments comes in.
Our engine uses artificial intelligence to create custom learning journeys based
on what you already know and what you need to practice.

EARNING AN AWS CERTIFICATION IS A GREAT WAY TO BOOST YOUR CAREER,
or even start a new one. We’ve seen the ways that technology can change lives, and
would love to help you change yours. For more study tips, AWS news, and hands-on
learning activities, check out Cloud Assessments and embark on your own cloud
journey today.
THANK YOU

Linux Academy, Inc.


125 Bear Creek Pkwy. Keller. TX. 76248

linuxacademy.com
