AWS Developer Associate – Free Practice Exam Questions

The correct answer is D. “Use an Amazon Cognito identity pool, federate with the SAML provider, and use a trust policy with an IAM condition key to limit employee access”.

Explanation:

Amazon Cognito leverages IAM roles to generate temporary credentials for your application’s users. Access to permissions is controlled by a role’s trust relationships.

In this example the Developer must limit access to specific identities in the SAML directory. The Developer can create a trust policy with an IAM condition key that limits access to a specific set of app users by checking the value of cognito-identity.amazonaws.com:sub:

A. “Create the application within an Amazon VPC and use a VPC endpoint with a trust policy to grant access to the employees” is incorrect. You cannot provide access to an on-premises SAML directory using a VPC endpoint.

B. “Use Amazon Cognito user pools, federate with the SAML provider, and use user pool groups with an IAM policy” is incorrect. A user pool can be used to authenticate but the identity pool is used to provide authorized access to AWS services.

C: “Create a unique IAM role for each employee and have each employee assume the role to access the application so they can access their personal data only” is incorrect. This is not an integration into the SAML directory and would be very difficult to manage.

References:

https://docs.aws.amazon.com/cognito/latest/Developerguide/role-trust-and-permissions.html

https://docs.aws.amazon.com/cognito/latest/Developerguide/iam-roles.html

https://digitalcloud.training/certification-training/aws-Developer-associate/aws-security-identity-and-compliance/aws-cognito/

The correct answer is D. “A VPC endpoint should be provisioned for S3”.

Explanation:

Please note that the question specifically asks how to enable connectivity so this is not about permissions. When using a private subnet with no Internet connectivity there are only two options available for connecting to Amazon S3 (which remember, is a service with a public endpoint, it’s not in your VPC).

The first option is to enable Internet connectivity through either a NAT Gateway or a NAT Instance. However, there is no answer offering either of these as a solution. The other option is to enable a VPC endpoint for S3.

The specific type of VPC endpoint to S3 is a Gateway Endpoint. EC2 instances running in private subnets of a VPC can use the endpoint to enable controlled access to S3 buckets, objects, and API functions that are in the same region as the VPC. You can then use an S3 bucket policy to indicate which VPCs and which VPC Endpoints have access to your S3 buckets.

In the following diagram, instances in subnet 2 can access Amazon S3 through the gateway endpoint.

Therefore, the only answer that presents a solution to this challenge is to provision an VPC endpoint for S3.

A. “An IAM role must be added to the instance that has permissions to write to the S3 bucket” is incorrect. You do need to do this, but the question is asking about connectivity, not permissions.

B. “A bucket policy needs to be added specifying the principles that are allowed to write data to the bucket” is incorrect. You may choose to use a bucket policy to enable permissions but the question is asking about connectivity, not permissions.

C. “A VPN should be established to enable private connectivity to S3” is incorrect. You can create a VPN to establish an encrypted tunnel into a VPC from a location outside of AWS. However, you cannot create a VPN connection from a subnet within a VPC to Amazon S3.

References:

https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-s3.html

https://digitalcloud.training/certification-training/aws-developer-associate/aws-storage/amazon-s3/

The correct answer is D. “Rolling with additional batch”.

Explanation:

AWS Elastic Beanstalk provides several options for how deployments are processed, including deployment policies (All at once, Rolling, Rolling with additional batch, and Immutable) and options that let you configure batch size and health check behavior during deployments.

For this scenario, we need to ensure we do not reduce the capacity of the application but we also need to minimize cost. In the table below you can see the different deployment policies available and how they impact capacity and cost:

The Rolling with additional batch deployment policy does require extra cost but the extra cost is the size of a batch of instances, therefore you can reduce cost by reducing the batch size. The Immutable deployment policy requires a total deployment of new instances – i.e. if you have 4 instances this will double to 8 instances.

Therefore, the best deployment policy to use for this scenario is the Rolling with additional batch.

A. “Immutable” is incorrect as this would require a higher cost as you need a total deployment of new instances.

B. “Rolling” is incorrect as this will result in a reduction in capacity which will affect performance.

C. “All at once” is incorrect as this results in a total reduction in capacity, i.e. your entire application is taken down at once while the application update is installed.

References:

https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/using-features.rolling-version-deploy.html

https://digitalcloud.training/certification-training/aws-developer-associate/aws-compute/elastic-beanstalk/