Practice Free CLF-C02 Exam Online Questions
A company is looking for a managed machine learning (ML) service that can recommend products based on a customer’s previous behaviors.
Which AWS service meets this requirement?
- A . Amazon Personalize
- B . Amazon SageMaker
- C . Amazon Pinpoint
- D . Amazon Comprehend
A
Explanation:
The AWS service that meets the requirement of providing a managed machine learning (ML) service that can recommend products based on a customer’s previous behaviors is Amazon Personalize. Amazon Personalize is a fully managed service that enables developers to create personalized recommendations for customers using their own data. Amazon Personalize can automatically process and examine the data, identify what is meaningful, select the right algorithms, and train and optimize a personalized recommendation model. Amazon SageMaker, Amazon Pinpoint, and Amazon Comprehend are other AWS services related to machine learning, but they do not provide the specific functionality of product recommendation.
A company has a social media platform in which users upload and share photos with other users. The company wants to identify and remove inappropriate photos. The company has no machine learning (ML) scientists and must build this detection capability with no ML expertise.
Which AWS service should the company use to build this capability?
- A . Amazon SageMaker
- B . Amazon Textract
- C . Amazon Rekognition
- D . Amazon Comprehend
C
Explanation:
Amazon Rekognition is the AWS service that the company should use to build the capability of identifying and removing inappropriate photos. Amazon Rekognition is a service that uses deep learning technology to analyze images and videos for various purposes, such as face detection, object recognition, text extraction, and content moderation. Amazon Rekognition can help users detect unsafe or inappropriate content in images and videos, such as nudity, violence, or drugs, and provide confidence scores for each label. Amazon Rekognition does not require any machine learning expertise, and users can easily integrate it with other AWS services.
A company has deployed applications on Amazon EC2 instances. The company needs to assess application vulnerabilities and must identify infrastructure deployments that do not meet best practices.
Which AWS service can the company use to meet these requirements?
- A . AWS Trusted Advisor
- B . Amazon Inspector
- C . AWS Config
- D . Amazon GuardDuty
B
Explanation:
Amazon Inspector is a service that provides automated security assessment and management for AWS resources, such as Amazon EC2 instances. Amazon Inspector can scan applications for common vulnerabilities, such as SQL injection, cross-site scripting, and remote code execution. Amazon Inspector can also check the configuration of AWS resources against security best practices, such as the CIS Benchmarks and the AWS Security Best Practices. Amazon Inspector can help customers identify and remediate security issues, comply with security standards, and improve the security posture of their AWS environment [1][2].
Reference: [1] Amazon Inspector; [2] Improved, Automated Vulnerability Management for Cloud Workloads with a New Amazon Inspector | AWS News Blog
A company is running a reporting web server application on Amazon EC2 instances. The application runs once every week and once again at the end of the month. The EC2 instances can be shut down when they are not in use.
What is the MOST cost-effective billing model for this use case?
- A . Standard Reserved Instances
- B . Convertible Reserved Instances
- C . On-Demand Capacity Reservations
- D . On-Demand Instances
D
Explanation:
For a reporting application that runs only periodically, On-Demand Instances are the most cost-effective choice because they allow the company to pay only for the compute capacity used, without long-term commitments. Reserved Instances are less flexible due to the need for upfront payment or long-term contracts, which would not be cost-effective given the application’s intermittent usage. On-Demand Capacity Reservations would also be more costly, as they hold capacity regardless of usage.
A social media company wants to protect its web application from common web exploits such as SQL injections and cross-site scripting.
Which AWS service will meet these requirements?
- A . Amazon Inspector
- B . AWS WAF
- C . Amazon GuardDuty
- D . Amazon CloudWatch
B
Explanation:
AWS WAF is a web application firewall service that helps protect web applications from common web exploits that could affect availability, compromise security, or consume excessive resources.
AWS WAF gives you control over which traffic to allow or block to your web applications by defining customizable web security rules. You can use AWS WAF to create rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that filter out specific traffic patterns you define [1]. AWS WAF also integrates with other AWS services, such as Amazon CloudFront, Amazon API Gateway, AWS AppSync, and AWS Load Balancer, to provide a comprehensive defense against web attacks [2]. Therefore, AWS WAF meets the requirements of the social media company, compared to the other options.
The other options are not suitable for the social media company’s requirements, because: Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices. However, Amazon Inspector does not provide a web application firewall service that can block malicious web requests [3].
Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3. Amazon GuardDuty analyzes and processes the following data sources: VPC Flow Logs, AWS CloudTrail event logs, and DNS logs. However, Amazon GuardDuty does not provide a web application firewall service that can block malicious web requests [4].
Amazon CloudWatch is a monitoring and observability service that provides data and actionable insights to monitor your applications, respond to system-wide performance changes, optimize resource utilization, and get a unified view of operational health. Amazon CloudWatch collects monitoring and operational data in the form of logs, metrics, and events, and visualizes it using automated dashboards, alarms, and notifications. However, Amazon CloudWatch does not provide a web application firewall service that can block malicious web requests.
Reference:
[1] What Is AWS WAF? – AWS WAF, AWS Firewall Manager, and AWS Shield Advanced
[2] AWS WAF Features – AWS WAF, AWS Firewall Manager, and AWS Shield Advanced
[3] What Is Amazon Inspector? – Amazon Inspector
[4] What Is Amazon GuardDuty? – Amazon GuardDuty
[5] What Is Amazon CloudWatch? – Amazon CloudWatch
Which of the following are components of an AWS Site-to-Site VPN connection? (Select TWO.)
- A . AWS Storage Gateway
- B . Virtual private gateway
- C . NAT gateway
- D . Customer gateway
- E . Internet gateway
B,D
Explanation:
The correct answers are B and D because a virtual private gateway and a customer gateway are components of an AWS Site-to-Site VPN connection. A virtual private gateway is the AWS side of the VPN connection that attaches to the customer’s VPC. A customer gateway is the customer side of the VPN connection that resides in the customer’s network. The other options are incorrect because they are not components of an AWS Site-to-Site VPN connection. AWS Storage Gateway is a service that connects on-premises software applications with cloud-based storage. NAT gateway is a service that enables instances in a private subnet to connect to the internet or other AWS services, but prevents the internet from initiating a connection with those instances. Internet gateway is a service that enables communication between instances in a VPC and the internet.
Reference: [What is AWS Site-to-Site VPN?]
A company is planning to migrate applications to the AWS Cloud. During a system audit, the company finds that its content management system (CMS) application is incompatible with cloud environments.
Which migration strategies will help the company to migrate the CMS application with the LEAST effort? (Select TWO.)
- A . Retire
- B . Rehost
- C . Repurchase
- D . Replatform
- E . Refactor
B,C
Explanation:
Rehosting ("lift and shift") is a migration strategy where applications are moved to the cloud with minimal changes, making it the least effort-intensive method for applications incompatible with the cloud. Repurchasing involves moving to a different product, often a SaaS solution, which can also minimize migration effort by avoiding the need for application-level changes. Retiring, replatforming, and refactoring require significant effort either in terms of analyzing and shutting down the application, making changes to the underlying platform, or redesigning the application architecture, respectively.
Reference: AWS Migration Strategies
A company is running Amazon EC2 instances in a private subnet in a VPC.
Which AWS service or feature can provide the EC2 instances with network connections to the internet?
- A . Gateway endpoint
- B . NAT gateway
- C . Network Load Balancer
- D . Amazon Route 53
Which AWS services or features can control VPC traffic? (Select TWO.)
- A . Security groups
- B . AWS Direct Connect
- C . Amazon GuardDuty
- D . Network ACLs
- E . Amazon Connect
A,D
Explanation:
The AWS services or features that can control VPC traffic are security groups and network ACLs. Security groups are stateful firewalls that control the inbound and outbound traffic at the instance level. You can assign one or more security groups to each instance in a VPC, and specify the rules that allow or deny traffic based on the protocol, port, and source or destination. Network ACLs are stateless firewalls that control the inbound and outbound traffic at the subnet level. You can associate one network ACL with each subnet in a VPC, and specify the rules that allow or deny traffic based on the protocol, port, and source or destination. AWS Direct Connect, Amazon GuardDuty, and Amazon Connect are not services or features that can control VPC traffic. AWS Direct Connect is a service that establishes a dedicated network connection between your premises and AWS. Amazon GuardDuty is a service that monitors your AWS account and workloads for malicious or unauthorized activity. Amazon Connect is a service that provides a cloud-based contact center solution.
A company wants to launch its web application in a second AWS Region. The company needs to determine which services must be regionally configured for this launch.
Which AWS services can be configured at the Region level? (Select TWO.)
- A . Amazon EC2
- B . Amazon Route 53
- C . Amazon CloudFront
- D . AWS WAF
- E . Amazon DynamoDB
B,D
Explanation:
Amazon Route 53 and AWS WAF are AWS services that can be configured at the Region level. Amazon Route 53 is a highly available and scalable cloud Domain Name System (DNS) web service that lets you register domain names, route traffic to resources, and check the health of your resources. AWS WAF is a web application firewall that helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources. Amazon EC2, Amazon CloudFront, and Amazon DynamoDB are AWS services that can be configured at the global level or the Availability Zone level.