AWS Developer Associate (DVA-C02)
A company has a static website running in an Auto Scaling group of EC2 instances which they want to convert as a dynamic e-commerce web portal. One of the requirements is to use HTTPS to improve the security of their portal and also improve their search ranking as a reputable and secure site. A developer recently requested an SSL/TLS certificate from a third-party certificate authority (CA) which is ready to be imported to AWS. Which of the following services can the developer use to safely import the SSL/TLS certificate? (Select TWO.)
- AWS Certificate Manager - IAM certificate store
You are a software developer for a multinational investment bank which has a hybrid cloud architecture with AWS. To improve the security of their applications, they decided to use AWS Key Management Service (KMS) to create and manage their encryption keys across a wide range of AWS services. You were given the responsibility to integrate AWS KMS with the financial applications of the company. Which of the following are the recommended steps to locally encrypt data using AWS KMS that you should follow? (Select TWO.)
- Erase the plaintext data key from memory and store the encrypted data key alongside the locally encrypted data. - Use the GenerateDataKey operation to get a data encryption key then use the plaintext data key in the response to encrypt data locally.
A company has recently adopted a hybrid cloud architecture to augment their on-premises data center with virtual private clouds (VPCs) in AWS. You were assigned to manage all of the company's cloud infrastructure including the security of their resources using IAM. In this scenario, which of the following are best practices in managing security in AWS? (Select TWO.)
- Grant only the permissions required by the resource to perform a task. - Delete root user access keys.
A developer is designing a multi-tiered system which utilizes various AWS resources. The application will be hosted in Elastic Beanstalk, which uses an RDS database and an S3 bucket that is configured to use Server-Side Encryption with Customer-Provided Encryption Keys (SSE-C). In this configuration, Amazon S3 does not store the encryption key you provide but instead, stores a randomly salted hash-based message authentication code (HMAC) value of the encryption key in order to validate future requests. Which of the following is a valid consideration that the developer should keep in mind when implementing this architecture?
- If you lose the encryption key, you lose the object.
A developer runs a shell script that uses the AWS CLI to upload a large file to an S3 bucket, which includes an AWS KMS key. An Access Denied error always shows up whenever the developer uploads a file with a size of 100 GB or more. However, when he tried to upload a smaller file with the KMS key, the upload succeeds. Which of the following are possible reasons why this issue is happening?
- The AWS CLI S3 commands perform a multipart upload when the file is large. - The developer does not have the kms:Decrypt permission.
A developer is working on an application that will process files encrypted with a data key generated from a KMS key. The application needs to decrypt the files locally before it can proceed with the processing of the files. Which of the following are valid and secure steps in decrypting data? (Select TWO.)
- Use the plaintext data key to decrypt data locally, then erase the plaintext data key from memory. - Use the Decrypt operation to decrypt the encrypted data key.
Document Types
A document type can represent a complex structure with nested attributes, such as you would find in a JSON document. The document types are `list` and `map`
Scalar Types
A scalar type can represent exactly one value. The scalar types are number, string, binary, Boolean, and null
Set Types
A set type can represent multiple scalar values. The set types are string set, number set, and binary set
A developer needs to be able to repeatedly provision AWS infrastructure resources such as VPCs, Internet Gateways, and Security Groups in several regions. Which AWS service can make implementing this infrastructure easier and more consistent?
AWS CloudFormation
An application hosted in an Auto Scaling group of On-Demand EC2 instances is used to process data polled from an SQS queue and the generated output is stored in an S3 bucket. To improve security, you were tasked to ensure that all objects in the S3 bucket are encrypted at rest using server-side encryption with AWS KMS-Managed Keys (SSE-KMS). Which of the following is required to properly implement this requirement?
Add a bucket policy which denies any s3:PutObject action unless the request includes the x-amz-server-side-encryption header.
A startup has recently launched a high-quality photo sharing portal using Amazon Lightsail and S3. They noticed that there are other external websites which are linking and using their photos without permission. This has caused an increase on their data transfer cost and potential revenue loss. Which of the following is the MOST effective method to solve this issue?
Configure the S3 bucket to remove public read access and use pre-signed URLs with expiry dates.
A developer is building an application that will be hosted in ECS and must be configured to run tasks and services using the Fargate launch type. The application will have four different tasks, each of which will access different AWS resources than the others. Which of the following is the MOST efficient solution that can provide your application in ECS access to the required AWS resources?
Create 4 different IAM Roles with the required permissions and attach them to each of the 4 ECS tasks.
A serverless application is composed of several Lambda functions which reads data from RDS. These functions must share the same connection string that should be encrypted to improve data security. Which of the following is the MOST secure way to meet the above requirement?
Create a Secure String Parameter using the AWS Systems Manager Parameter Store.
A company is currently in the process of integrating their on-premises data center to their cloud infrastructure in AWS. One of the requirements is to integrate the on-premises Lightweight Directory Access Protocol (LDAP) directory service to their AWS VPC using IAM. Which of the following provides the MOST suitable solution to implement if the identity store that they are using is not compatible with SAML?
Create a custom identity broker application in your on-premises data center and use STS to issue short-lived AWS credentials.
How can a developer deploy updated code to an Elastic Beanstalk environment?
Create a new application version - An application version is a very specific reference to a section of deployable code
To improve their information security management system (ISMS), a company recently released a new policy which requires all database credentials to be encrypted and be automatically rotated to avoid unauthorized access. Which of the following is the MOST appropriate solution to secure the credentials?
Create a secret in AWS Secrets Manager and enable automatic rotation of the database credentials
You work for a software development company where the teams are divided into distinct projects. The management wants to have separation on their AWS resources, which will have a detailed report on the costs of each project. Which of the following options is the recommended way to implement this?
Create separate AWS accounts for each project and use consolidated billing.
A web application is currently using an on-premises Microsoft SQL Server 2019 Enterprise Edition database. Your manager instructed you to migrate the application to Elastic Beanstalk and the database to RDS. For additional security, you must configure your database to automatically encrypt data before it is written to storage, and automatically decrypt data when the data is read from storage. Which of the following services will you use to achieve this?
Enable Transparent Data Encryption (TDE).
Your development team is currently developing a financial application in AWS. One of the requirements is to create and control the encryption keys used to encrypt your data using the envelope encryption strategy to comply with the strict IT security policy of the company. Which of the following correctly describes the process of envelope encryption?
Encrypt plaintext data with a data key and then encrypt the data key with a top-level plaintext master key.
A programmer is developing a Node.js application that will be run on a Linux server in their on-premises data center. The application will access various AWS services such as S3, DynamoDB, and ElastiCache using the AWS SDK. Which of the following is the MOST suitable way to provide access for the developer to accomplish the specified task?
Go to the AWS Console and create a new IAM user with programmatic access. In the application server, create the credentials file at ~/.aws/credentials with the access keys of the IAM user.
A company has different AWS accounts, namely Account A, Account B, and Account C, which are used for their Development, Test, and Production environments respectively. A developer needs access to perform an audit whenever a new version of the application has been deployed to the Test (Account B) and production (Account C) environments. What is the MOST efficient way to provide the developer access to execute the specified task?
Grant the developer cross-account access to the resources of Accounts B and C.
A company has a website hosted in a multicontainer Docker environment in Elastic Beanstalk. There is a requirement to integrate the website with API Gateway, where it simply passes client-submitted method requests to the backend. It is important that the client and backend interact directly with no intervention from API Gateway after the API method is set up, except for known issues such as unsupported characters. Which of the following integration types is the MOST suitable one to use to meet this requirement?
HTTP_PROXY
A company is using AWS Organizations to manage its multiple AWS accounts which is being used by its various departments. To avoid security issues, it is of utmost importance to test the impact of service control policies (SCPs) on your IAM policies and resource policies before applying them. Which of the following services can you use to test and troubleshoot IAM and resource-based policies?
IAM Policy Simulator
A cryptocurrency exchange portal has a key management service hosted in their on-premises data center, which stores encryption keys and uses an RSA asymmetric encryption algorithm. The company has recently implemented a hybrid cloud architecture in AWS and you were assigned to migrate the exchange portal to their cloud infrastructure. For security compliance, the keys should be stored in dedicated, third-party validated hardware security modules under your exclusive control. Which of the following is the BEST solution that you should implement to meet the above requirement?
Import the encryption keys from your on-premises key management service to AWS CloudHSM.
A developer has defined some extensions for an Elastic Beanstalk environment in a .config file. Where must the file be placed?
In the .ebextensions folder
You are developing a new batch job for the enterprise application suite in your company, which is hosted in an Auto Scaling group of EC2 instances behind an ELB. The application is using an S3 bucket configured with Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS). The batch job must upload files to the bucket using the default AWS KMS key to protect the data at rest. What should you do to satisfy this requirement with the LEAST amount of configuration?
Include the x-amz-server-side-encryption header with a value of aws:kms in your upload request.
A financial mobile application has a serverless backend API which consists of DynamoDB, Lambda, and Cognito. Due to the confidential financial transactions handled by the mobile application, there is a new requirement provided by the company to add a second authentication method that doesn't rely solely on user name and password. Which of the following is the MOST suitable solution that the developer should implement?
Integrate multi-factor authentication (MFA) to a user pool in Cognito to protect the identity of your users.
A software engineer is building a serverless application in AWS consisting of Lambda, API Gateway, and DynamoDB. She needs to implement a custom authorization scheme that uses a bearer token authentication strategy such as OAuth or SAML to determine the caller's identity. Which of the features of API Gateway is the MOST suitable one that she should use to build this feature?
Lambda Authorizers
A developer is using API Gateway Lambda Authorizer to securely authenticate the API requests to their web application. The authentication process should be implemented using a custom authorization scheme which accepts header and query string parameters from the API caller. Which of the following methods should the developer use to properly implement the above requirement?
Request Parameter-based Authorization
Which component of AWS CloudFormation template is mandatory and is used to declare the AWS services that will be created?
Resources - The required resources section declares AWS resources that you want to include in the stack, such as an Amazon EC2 instance or an Amazon S3 bucket.
A developer is using API Gateway Lambda Authorizer to provide authentication for every API request and control access to your API. The requirement is to implement an authentication strategy which is similar to OAuth or SAML. Which of the following is the MOST suitable method that the developer should use in this scenario?
Token-based Authorization - There are two types of Lambda authorizers: - A token-based Lambda authorizer (also called a TOKEN authorizer) receives the caller's identity in a bearer token, such as a JSON Web Token (JWT) or an OAuth token. - A request parameter-based Lambda authorizer (also called a REQUEST authorizer) receives the caller's identity in a combination of headers, query string parameters, stageVariables, and $context variables.
A company has a suite of web applications that is heavily using RDS database in Multi-AZ Deployments configuration with several Read Replicas. For improved security, you were instructed to ensure that all of their database credentials, API keys, and other secrets are encrypted and rotated on a regular basis. You should also configure your applications to use the latest version of the encrypted credentials when connecting to the RDS database. Which of the following is the MOST appropriate solution to secure the credentials?
Use AWS Secrets Manager to store and encrypt the credentials and enable automatic rotation.
Your team is developing a serverless application, which is composed of multiple Lambda functions which process data from an SQS queue and stores the results to an RDS database. To comply with the strict IT policy of the company, you were instructed to configure these functions to share the same connection string that should be properly secured and encrypted. What should you do to protect, encrypt, and share your database credentials in AWS?
Use AWS Systems Manager Parameter Store as a Secure String Parameter.
How can a developer view proposed changes to an AWS CloudFormation stack before committing to implementing the change?
Use a Change Set
A developer is building the cloud architecture of an application which will be hosted in a large EC2 instance. The application will process the data and it will upload results to an S3 bucket. Which of the following is the SAFEST way to implement this architecture?
Use an IAM Role to grant the application the necessary permissions to upload data to S3.
A web application is uploading large files, which are over 4 GB in size, in an S3 bucket called data.tutorialsdojo.com every 30 minutes. You want to minimize the time required to upload each file. Which of the following should you do to minimize upload time?
Use the Multipart upload API.
What type of Elastic Beanstalk environment should be used for long-running tasks?
Worker environment
A developer needs to encrypt all objects being uploaded by their application to the S3 bucket to comply with the company's security policy. The bucket will use server-side encryption with Amazon S3-Managed encryption keys (SSE-S3) to encrypt the data using 256-bit Advanced Encryption Standard (AES-256) block cipher. Which of the following request headers should the developer use?
x-amz-server-side-encryption
Your manager assigned you a task of implementing server-side encryption with customer-provided encryption keys (SSE-C) to your S3 bucket, which will allow you to set your own encryption keys. Amazon S3 will manage both the encryption and decryption process using your key when you access your objects, which will remove the burden of maintaining any code to perform data encryption and decryption. To properly upload data to this bucket, which of the following headers must be included in your request?
x-amz-server-side-encryption-customer-algorithm, x-amz-server-side-encryption-customer-key and x-amz-server-side-encryption-customer-key-MD5 headers