Here’s my write-up of the official CSA example questions. Be aware that the provided answers are a personal interpretation and could have errors in them, Amazon do not provide the official correct answers.
Going through them is just a way to get a feel of the question format and shows the thought process of picking the right answers.
1) Amazon Glacier is designed for: (Choose 2 answers)
A. active database storage.
B. infrequently accessed data.
C. data archives.
D. frequently accessed data.
E. cached session data.
Correct answers are B and C. Glacier’s whole purpose is for data archival since it has lower cost storage compared to S3 or EBS, almost by the definition of an archive it’s only useful for infrequently accessed data, it provides retrieval times of several hours. This info immediately invalidates answers A, D and E.
2) Your web application front end consists of multiple EC2 instances behind an Elastic Load Balancer. You configured ELB to perform health checks on these EC2 instances. If an instance fails to pass health checks, which statement will be true?
A. The instance is replaced automatically by the ELB.
B. The instance gets terminated automatically by the ELB.
C. The ELB stops sending traffic to the instance that failed its health check.
D. The instance gets quarantined by the ELB for root cause analysis
Correct answer is C. This question basically tests if you understand the different responsibilities of the different components that provide Auto Scaling. The ELB itself is not responsible for anything else but determining to which instance it should or should not route traffic to. Answers A and B are incorrect since the ELB doesn’t take actions on EC2 instances, as explained it’s only responsible for health checks and routing. Answer D is basically a bogus answer since Quarantining is unheard of in this context.
3) You are building a system to distribute confidential training videos to employees. Using CloudFront, what method could be used to serve content that is stored in S3, but not publically accessible from S3 directly?
A. Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI.
B. Add the CloudFront account security group “amazon-cf/amazon-cf-sg” to the appropriate S3 bucket policy.
C. Create an Identity and Access Management (IAM) User for CloudFront and grant access to the objects in your S3 bucket to that IAM User.
D. Create a S3 bucket policy that lists the CloudFront distribution ID as the Principal and the target bucket as the Amazon Resource Name (ARN).
Correct answer is A. OAI is a special identity you can create for CloudFront distributions, you can assign the same OAI to multiple distributions. This OAI can then be used in your S3 bucket policies to restrict access to CloudFront only. Answer B is nonsense. Answer C is almost correct but an OAI is not an IAM user, answer D is also almost correct but you just can’t use a CloudFront distribution id as the Principal.
Using an OAI
4) Which of the following will occur when an EC2 instance in a VPC (Virtual Private Cloud) with an associated Elastic IP is stopped and started? (Choose 2 answers)
A. The Elastic IP will be dissociated from the instance
B. All data on instance-store devices will be lost
C. All data on EBS (Elastic Block Store) devices will be lost
D. The ENI (Elastic Network Interface) is detached
E. The underlying host for the instance is changed
Correct answers are B and E. Answer B is completely correct, instance storage or ephemeral store is lost on shutdown. Answer E is actually the only other answer that makes any sense but is still a bit weird since you don’t actually know for sure what goes on within EC2 but is the best answer by elimination. Answer A is simply untrue, Elastic IP’s will not be dissociated unless you explicitly do so. Answer C is exactly the opposite of the purpose of EBS backed storage. Answer D is simply untrue, ENI’s do not become detached on EC2 stop.
EC2 Instance Lifecycle
5) In the basic monitoring package for EC2, Amazon CloudWatch provides the following metrics:
A. web server visible metrics such as number failed transaction requests
B. operating system visible metrics such as memory utilization
C. database visible metrics such as number of connections
D. hypervisor visible metrics such as CPU utilization
Correct answer is D. This is actually a simple but brilliant question when you think about it, Answer D is correct since Amazon is only aware of the Hypervisor. Answers A, B and C imply that they are aware of things that run WITHIN the Hypervisor which is untrue. This question catches a lot of people off-guard since we see Memory Utilization for example as such an obvious metric we would assume it’s in any basic monitoring package.
6) Which is an operational process performed by AWS for data security?
A. AES-256 encryption of data stored on any shared storage device
B. Decommissioning of storage devices using industry-standard practices
C. Background virus scans of EBS volumes and EBS snapshots
D. Replication of data across multiple AWS Regions
E. Secure wiping of EBS data when an EBS volume is unmounted
Correct answer is B. This questions implicitly tests your knowledge of the Shared Responsibility Model that AWS uses for Security. Answer B falls within their responsibility so they take care of it, Answers A, C and D are the customer’s responsibility. Answer E is untrue since EBS data isn’t deleted after an unmount.
7) To protect S3 data from both accidental deletion and accidental overwriting, you should:
A. enable S3 versioning on the bucket
B. access S3 data using only signed URLs
C. disable S3 delete using an IAM bucket policy
D. enable S3 Reduced Redundancy Storage
E. enable Multi-Factor Authentication (MFA) protected access
Correct answer is A. Enabling versioning will allow you to recover from both accidental deletion and accidental overwriting.