Identity and Access Management and Security


Hummel 05 Distinguish network ACLs from security groups within a VPC? (Select three) A. ACL filters at the subnet level B. ACL is based on deny rules only C. ACL is applied to instances and subnets D. ACL is stateless E. ACL supports a numbered list for filtering

A, D, E

Baron Chapter 6 - 07 Which of the following are based on temporary security tokens? (Choose 2 answers) A. Amazon EC2 roles B. MFA C. Root user D. Federation

A, D. Amazon EC2 roles provide a temporary token to applications running on the instance; federation maps policies to identities from other sources via temporary tokens.

Hummel 28 What feature is part of Amazon Trusted Advisor? A. Security compliance B. Troubleshooting tool C. EC2 configuration tool D. Security certificates

A

Hummel 30 What AWS feature is recommended for optimizing data security? A. Multi-factor authentication B. Username and encrypted password C. Two-factor authentication D. SAML E. Federated LDAP

A

Kroonenburg 03 You have created a new AWS account for your company, and you have also configured multi-factor authentication on the root account. You are about to create your new users. What strategy should you consider in order to ensure that there is good security on this account? A. Enact a strong password policy: user passwords must be changed every 45 days, with each password containing a combination of capital letters, lower case letters, numbers, and special symbols. B. Restrict login to the corporate network only. C. Give all users the same password so that if they forget their password they can just ask their co-workers. D. Require users to only be able to log in using biometric authentication.

A

Kroonenburg 10 A new employee has just started work, and it is your job to give her administrator access to the AWS console. You have given her a user name, an access key ID, a secret access key, and you have generated a password for her. She is now able to log in to the AWS console, but she is unable to interact with any AWS services. What should you do next? A. Grant her Administrator access by adding her to the Administrators' group. B. Require multi-factor authentication for her user account. C. Ensure she is logging in to the AWS console from your corporate network and not the normal internet. D. Tell her to log out and try logging back in again.

A

Kroonenburg 12 You are a security administrator working for a hotel chain. You have a new member of staff who has started as a systems administrator, and she will need full access to the AWS console. You have created the user account and generated the access key id and the secret access key. You have moved this user into the group where the other administrators are, and you have provided the new user with their secret access key and their access key id. However, when she tries to log in to the AWS console, she cannot. Why might that be? A. You cannot log in to the AWS console using the Access Key ID / Secret Access Key pair. Instead, you must generate a password for the user, and supply the user with this password and your organization's unique AWS console login URL. B. You have not applied the "log in from console" policy document to the user. You must apply this first so that they can log in. C. You have not yet activated multi-factor authentication for the user, so by default they will not be able to log in. D. Your user is trying to log in from the AWS console from outside the corporate network. This is not possible.

A

Kroonenburg 15 Using SAML (Security Assertion Markup Language 2.0), you can give your federated users single sign-on (SSO) access to the AWS Management Console. A. True B. False

A

Kroonenburg 19 A __________ is a document that provides a formal statement of one or more permissions. A. Policy B. Role C. User D. Group

A

Baron Chapter 12 - 11 Which security scheme is used by the AWS Multi-Factor Authentication (AWS MFA) token? A. Time-Based One-Time Password (TOTP) B. Perfect Forward Secrecy (PFS) C. Ephemeral Diffie Hellman (EDH) D. Split-Key Encryption (SKE)

A A virtual MFA device uses a software application that generates six-digit authentication codes that are compatible with the TOTP standard, as described in RFC 6238.

Whizlabs Test 1 - 05 There is a requirement for Block-level storage to store 500GB of data. Data Encryption is also required. Which of the following can be used in such a case? A. AWS EBS Volumes B. AWS S3 C. AWS Glacier D. AWS EFS

A AWS EBS is a Block-level storage service. Options B and C are incorrect since they are Object-level storage services. Option D is incorrect since this is a File-level storage service.

Baron Chapter 12 - 04 Which encryption algorithm is used by Amazon Simple Storage Service (Amazon S3) to encrypt data at rest with Server-Side Encryption (SSE)? A. Advanced Encryption Standard (AES)-256 B. RSA 1024 C. RSA 2048 D. AES-128

A Amazon S3 SSE uses one of the strongest block ciphers available, 256-bit AES.

Hummel 25 What authentication method provides Federated Single Sign-On (SSO) for cloud applications? A. ADS B. ISE C. Radius D. Tacacs E. SAML

E

Kroonenburg 17 Every user you create in the IAM systems starts with ________. A. Partial Permissions B. No Permissions C. Full Permissions

B

Banerjee - 07 An IAM policy takes which form? A. Python script B. Written in C language C. JSON code D. XML code

C It is written in JSON.

Baron Chapter 12 - 15 Which feature of AWS is designed to permit calls to the platform from an Amazon Elastic Compute Cloud (Amazon EC2) instance without needing access keys placed on the instance? A. AWS Identity and Access Management (IAM) instance profile B. IAM groups C. IAM roles D. Amazon EC2 key pairs

A An instance profile is a container for an IAM role that you can use to pass role information to an Amazon EC2 instance when the instance starts.

Hummel 14 What is the advantage of resource-based policies for cross-account access? A. Trusted account permissions are not replaced B. Trusted account permissions are replaced C. Resource-based policies are easier to deploy D. Trusting account manages all permissions

A Identity-based policies are attached to an IAM user, group, or role and specify what that identity can do. Resource-based policies are attached to a resource, for example an Amazon S3 bucket, an Amazon SQS queue, or an AWS Key Management Service key, and name the principals that may use it. For cross-account access the difference matters: a principal in the trusted account that assumes a role gives up its own permissions for the duration of the session, whereas a principal granted access by a resource-based policy keeps its existing permissions in its own account and gains access to the resource in addition.

Banerjee - 03 What happens if you delete an IAM role that is associated with a running EC2 instance? A. Any application running on the instance that is using the role will be denied access immediately. B. The application continues to use that role until the EC2 server is shut down. C. The application will have the access until the session is alive. D. The application will continue to have access.

A The application will be denied access.

Baron Chapter 12 - 20 To help prevent data loss due to the failure of any single hardware component, Amazon Elastic Block Storage (Amazon EBS) automatically replicates EBS volume data to which of the following? A. Amazon EBS replicates EBS volume data within the same Availability Zone in a region. B. Amazon EBS replicates EBS volume data across other Availability Zones within the same region. C. Amazon EBS replicates EBS volume data across Availability Zones in the same region and in Availability Zones in one other region. D. Amazon EBS replicates EBS volume data across Availability Zones in the same region and in Availability Zones in every other region.

A When you create an Amazon EBS volume in an Availability Zone, it is automatically replicated within that Availability Zone to prevent data loss due to failure of any single hardware component. An EBS Snapshot creates a copy of an EBS volume to Amazon S3 so that copies of the volume can reside in different Availability Zones within a region.

Whizlabs Test 1 - 02 The security policy of an organization requires an application to encrypt data before writing to the disk. Which solution should the organization use to meet this requirement? A. AWS KMS API B. AWS Certificate Manager C. API Gateway with STS D. 1AM Access Key

A The AWS KMS API (for example GenerateDataKey) gives the application a data key; the application encrypts the data with that key before writing to disk and stores the KMS-encrypted copy of the data key alongside the data (envelope encryption). AWS Certificate Manager manages TLS certificates, API Gateway with STS issues temporary credentials, and an IAM access key only authenticates API calls; none of them encrypt data.

Hummel 34 What two features create security zones between EC2 instances within a VPC? A. Security groups B. Virtual Security Gateway C. Network ACL D. WAF

A, B Security groups are the native per-instance (per network interface) boundary between zones. A virtual security gateway is a third-party appliance deployed in the VPC; Check Point Security Gateway for Amazon Web Services is one example. It inspects traffic entering and leaving the private subnets of the VPC, protects data between the corporate network and the VPC, and applies a consistent policy across the organization using its Firewall, IPS, Application Control, Antivirus and Anti-Bot Software Blades; the Application Control blade also helps mitigate application-layer denial of service attacks.

Banerjee - 04 For implementing security features, which of the following would you choose (Choose all that apply)? A. Username/password B. MFA C. Using multiple S3 buckets D. Login using the root user

A, B Using multiple buckets won't help in terms of security. Similarly, leveraging multiple regions won't help to address the security.

Hummel 23 What three techniques provide authentication security on S3 volumes? A. Bucket policies B. Network ACL C. Identity and Access Management (IAM) D. Encryption E. AES256

A, B, C (Note: network ACLs filter traffic at the VPC subnet boundary and do not authenticate requests to S3, which is a regional service outside the VPC; in practice IAM policies, bucket policies and S3 ACLs are the controls that decide who may access objects.)

Hummel 15 Select three requirements for configuring a Bastion host? A. EIP B. SSH inbound permission C. Default route D. CloudWatch logs group E. VPN F. Auto-Scaling

A, B, D

Hummel 32 What are three recommended solutions that provide protection and mitigation from distributed denial of service (DDoS) attacks? A. Security groups B. CloudWatch C. Encryption D. WAF E. Data replication F. Auto-Scaling

A, B, D

Hummel 27 What security authentication is required before configuring or modifying EC2 instances? (select three) A. Authentication at the operating system level B. EC2 instance authentication with asymmetric keys C. Authentication at the application level D. Telnet username and password E. SSH/RDP session connection

A, B, E

Hummel 06 What happens to the security permissions of a tenant when an IAM role is granted? (Select two) A. Tenant inherits only permissions assigned to the IAM role temporarily B. Add security permissions of the IAM role to existing permissions C. Previous security permissions are no longer in effect D. Previous security permissions are deleted unless reconfigured E. Tenant inherits only read permissions assigned to the IAM role.

A, C

Hummel 18 What are the two advantages of customer-managed encryption keys (CMK)? A. Create and rotate encryption keys B. AES-128 cipher for data at rest C. Audit encryption keys D. Encrypts data in-transit for server-side encryption only

A, C

Hummel 29 What are two best practices for account management within Amazon AWS? A. Do not use root account for common administrative tasks B. Create a single AWS account with multiple IAM users that have root privilege C. Create multiple AWS accounts with multiple IAM user per AWS account D. Use root account for all administrative tasks E. Create multiple root user accounts for redundancy.

A, C

Hummel 09 What two methods are used to request temporary credentials based on AWS Security Token Service (STS)? A. Web identity Federation B. LDAP C. IAM identity D. Dynamic ACL E. Private key rotation

A, C AWS Identity and Access Management (IAM) supports identity federation, which enables external identities, such as users in your corporate directory, to sign in to the AWS Management Console via single sign-on (SSO).

Banerjee - 08 If an administrator who has root access leaves the company, what should you do to protect your account? (Choose two.) A. Add MFA to root B. Delete all the IAM accounts C. Change the passwords for all the IAM accounts and rotate keys D. Delete all the EC2 instances created by the administrator

A, C Deleting all the IAM accounts would be far more disruptive: you would lose all the users. Similarly, you can't delete all the EC2 instances; they are likely running critical applications.

Hummel 02 What three items are required to configure a security group rule? A. Protocol type B. VPC name C. Port number D. Source IP E. Destination IP F. description

A, C, D

Baron Chapter 6 - 08 Your security team is very concerned about the vulnerability of the IAM administrator user accounts (the accounts used to configure all IAM features and accounts). What steps can be taken to lock down these accounts? (Choose 3 answers) A. Add multi-factor authentication (MFA) to the accounts. B. Limit logins to a particular U.S. state. C. Implement a password policy on the AWS account. D. Apply a source IP address condition to the policy that only grants permissions when the user is on the corporate network. E. Add a CAPTCHA test to the accounts.

A, C, D. Neither B nor E are features supported by IAM.

Hummel 33 What are three recommended best practices when configuring Identity and Access Management (IAM) security services? A. Lock or delete your root access keys when not required B. IAM groups are not recommended for storage security C. Create an IAM user with administrator privileges D. Share your password and/or access keys with members of your group only E. Delete any AWS account where the access keys are unknown

A, C, E

Baron Chapter 6 - 03 Your AWS account administrator left your company today. The administrator had access to the root user and a personal IAM administrator account. With these accounts, he generated other IAM accounts and keys. Which of the following should you do today to protect your AWS infrastructure? (Choose 3 answers) A. Change the password and add MFA to the root user. B. Put an IP restriction on the root user. C. Rotate keys and change passwords for IAM accounts. D. Delete all IAM accounts. E. Delete the administrator's personal IAM account. F. Relaunch all Amazon EC2 instances with new roles.

A, C, E. Locking down your root user and all accounts to which the administrator had access is the key here. Deleting all IAM accounts is not necessary, and it would cause great disruption to your operations. Amazon EC2 roles use temporary security tokens, so relaunching Amazon EC2 instances is not necessary.

Baron Chapter 6 - 05 Which of the following are IAM security features? (Choose 2 answers) A. Password policies B. Amazon DynamoDB global secondary indexes C. MFA D. Consolidated Billing

A, C. Amazon DynamoDB global secondary indexes are a performance feature of Amazon DynamoDB; Consolidated Billing is an accounting feature allowing all bills to roll up under a single account. While both are very valuable features, neither is a security feature.

Baron Chapter 6 - 02 Which of the following are found in an IAM policy? (Choose 2 answers) A. Service Name B. Region C. Action D. Password

A, C. IAM policies are independent of region, so no region is specified in the policy. IAM policies are about authorization for an already-authenticated principal, so no password is needed.
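The questions above (a new user starts with no permissions, policies are JSON documents of Action and Resource, a source-IP condition can restrict administrators to the corporate network) all follow from IAM's evaluation order: an explicit Deny wins, otherwise some Allow must match, otherwise the request is implicitly denied. The following is an added example, written for this page rather than taken from AWS, of a small evaluator for that logic over real policy JSON. It models only a subset of IAM (Action/Resource globbing, IpAddress/NotIpAddress, Bool and StringEquals conditions, no NotAction/NotResource, and a deliberately simple "missing key means no match" rule); the sample policies and IP ranges are constructed for the demonstration.

```python
import fnmatch
import ipaddress
from typing import Any, Dict, List


def _as_list(value: Any) -> list:
    return value if isinstance(value, list) else [value]


def _glob(pattern: str, value: str, case_insensitive: bool = False) -> bool:
    """IAM wildcards '*' and '?'; action names are case-insensitive, ARNs are not."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition: Dict[str, Dict[str, Any]], ctx: Dict[str, str]) -> bool:
    """Subset of IAM condition operators. Simplification: a context key that is absent
    never matches. Real IAM behaves this way for Bool (which is why AWS examples use
    BoolIfExists for aws:MultiFactorAuthPresent, absent on long-term-credential calls)."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            have = ctx.get(key)
            wanted = _as_list(wanted)
            if have is None:
                return False
            if operator in ("IpAddress", "NotIpAddress"):
                in_range = any(ipaddress.ip_address(have) in ipaddress.ip_network(w)
                               for w in wanted)
                if in_range != (operator == "IpAddress"):
                    return False
            elif operator == "Bool":
                if str(have).lower() != str(wanted[0]).lower():
                    return False
            elif operator == "StringEquals":
                if have not in wanted:
                    return False
            else:
                raise ValueError(f"condition operator {operator} not modelled")
    return True


def evaluate(policies: List[dict], action: str, resource: str,
             ctx: Dict[str, str] = None) -> str:
    """Single-account evaluation: returns "explicit_deny", "allow" or "implicit_deny"."""
    ctx = ctx or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if "NotAction" in stmt or "NotResource" in stmt:
                raise ValueError("NotAction/NotResource not modelled")
            if not any(_glob(a, action, True) for a in _as_list(stmt.get("Action", []))):
                continue
            if not any(_glob(r, resource) for r in _as_list(stmt.get("Resource", "*"))):
                continue
            if "Condition" in stmt and not _condition_holds(stmt["Condition"], ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"        # one matching Deny ends the evaluation
            allowed = True
    return "allow" if allowed else "implicit_deny"   # a new user with no policies lands here


# Constructed sample policies (documentation address ranges, not from the original page).
EC2_FULL = {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
ADMIN = {"Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
# Option D of Baron 6-08: permissions only from the corporate network. AWS's published
# example of this pattern also checks aws:ViaAWSService so service-initiated calls survive.
CORP_NETWORK_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}}]}
# Refuse IAM changes from sessions that did not present MFA.
DENY_IAM_WITHOUT_MFA = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": "iam:*", "Resource": "*",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}}]}


if __name__ == "__main__":
    print(evaluate([], "s3:ListAllMyBuckets", "*"))                      # implicit_deny
    print(evaluate([EC2_FULL, CORP_NETWORK_ONLY], "ec2:RunInstances", "*",
                   {"aws:SourceIp": "198.51.100.9"}))                    # explicit_deny
    print(evaluate([ADMIN, DENY_IAM_WITHOUT_MFA], "iam:CreateUser", "*",
                   {"aws:MultiFactorAuthPresent": "true"}))              # allow
```

Running a candidate policy set through an evaluator like this before attaching it is the habit that catches the common mistakes: a Deny with a condition that never matches because the key is absent, or an Allow on `ec2:*` that silently also covers actions you did not intend.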

Hummel 07 Where are IAM permissions granted to invoke and execute a Lambda function for S3 access? (Select two) A. S3 bucket B. EC2 instance C. Lambda function D. IAM role E. Event mapping

A, D

Kroonenburg 05 You are a developer at a fast growing start up. Until now, you have used the root account to log in to the AWS console. However, as you have taken on more staff, you will now need to stop sharing the root account to prevent accidental damage to your AWS infrastructure. What should you do so that everyone can access the AWS resources they need to do their jobs? (Choose 2) A. Create individual user accounts with minimum necessary rights and tell the staff to log in to the console using the credentials provided. B. Create an additional AWS root account for each new user. C. Give your users the root account credentials so that they can also sign in. D. Create a customized sign in link such as "yourcompany.signin.aws.amazon.com/console" for your new users to use to sign in with.

A, D

Whizlabs Test 1 - 03 A retailer exports data daily from its transactional databases into an S3 bucket in the Sydney region. The retailer's Data Warehousing team wants to import this data into an existing Amazon Redshift cluster in their VPC at Sydney. Corporate security policy mandates that data can only be transported within a VPC. What combination of the following steps will satisfy the security policy? Choose 2 answers from the options given below. A. Enable Amazon Redshift Enhanced VPC Routing. B. Create a Cluster Security Group to allow the Amazon Redshift cluster to access Amazon S3. C. Create a NAT gateway in a public subnet to allow the Amazon Redshift cluster to access Amazon S3. D. Create and configure an Amazon S3 VPC endpoint.

A, D Enhanced VPC Routing forces Amazon Redshift to send COPY and UNLOAD traffic to Amazon S3 through the VPC rather than over the internet, and a gateway VPC endpoint for S3 gives that traffic a path to S3 that never leaves the Amazon network. Neither is sufficient alone: without Enhanced VPC Routing the cluster bypasses the VPC (and the endpoint) entirely, and without the endpoint the VPC has no private route to S3. A NAT gateway would send the traffic to the public S3 endpoint, which violates the policy, and a cluster security group controls access to the cluster, not the path to S3.

Banerjee - 09 Using the shared security model, the customer is responsible for which of the following? (Choose two.) A. The security of the data running inside the database hosted in EC2 B. Maintaining the physical security of the data center C. Making sure the hypervisor is patched correctly D. Making sure the operating system is patched correctly

A, D The customer is responsible for the security of anything running on the hypervisor, and therefore the operating system and the security of data are the customer's responsibility.

Hummel 24 What statement correctly describes support for AWS encryption of S3 objects? A. Tenants manage encryption for server-side encryption of S3 objects B. Amazon manages encryption for server-side encryption of S3 objects C. Client-side encryption of S3 objects is not supported D. S3 buckets are encrypted only E. SSL is only supported with Glacier storage

B

Kroonenburg 02 To save administration headaches, Amazon recommends that you leave all security groups in web facing subnets open on port 22 to 0.0.0.0/0 CIDR. That way, you can connect wherever you are in the world. A. True B. False

B

Kroonenburg 06 In what language are policy documents written? A. Node.js B. JSON C. Python D. Java

B

Kroonenburg 07 You are a solutions architect working for a large engineering company who are moving from a legacy infrastructure to AWS. You have configured the company's first AWS account and you have set up IAM. Your company is based in Andorra, but there will be a small subsidiary operating out of South Korea, so that office will need its own AWS environment. Which of the following statements is true? A. You will then need to configure Users and Policy Documents for each region respectively. B. You will need to configure Users and Policy Documents only once, as these are applied globally. C. You will need to configure your users regionally, however your policy documents are global. D. You will need to configure your policy documents regionally, however your users are global.

B

Kroonenburg 11 Which of the following is not a component of IAM? A. Groups B. Organizational Units C. Users D. Roles

B

Kroonenburg 14 Which statement best describes IAM? A. IAM allows you to manage users' passwords only. AWS staff must create new users for your organization. This is done by raising a ticket. B. IAM allows you to manage users, groups, roles, and their corresponding level of access to the AWS Platform. C. IAM stands for Improvised Application Management, and it allows you to deploy and manage applications in the AWS Cloud. D. IAM allows you to manage permissions for AWS resources only.

B

Baron Chapter 12 - 16 Which of the following Amazon Virtual Private Cloud (Amazon VPC) elements acts as a stateless firewall? A. Security group B. Network Access Control List (ACL) C. Network Address Translation (NAT) instance D. An Amazon VPC endpoint

B A network ACL is an optional layer of security for your Amazon VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your Amazon VPC.

Baron Chapter 12 - 01 Which is an operational process performed by AWS for data security? A. Advanced Encryption Standard (AES)-256 encryption of data stored on any shared storage device B. Decommissioning of storage devices using industry-standard practices C. Background virus scans of Amazon Elastic Block Store (Amazon EBS) volumes and Amazon EBS snapshots D. Replication of data across multiple AWS regions

B All decommissioned magnetic storage devices are degaussed and physically destroyed in accordance with industry-standard practices.

Hummel 35 What AWS service provides vulnerability assessment services to tenants within the cloud? A. Amazon WAF B. Amazon Inspector C. Amazon Cloud Logic D. Amazon Trusted Advisor

B Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for vulnerabilities or deviations from best practices.

Whizlabs Test 1 - 04 A company is using a Redshift cluster to store their data warehouse. There is a requirement from the Internal IT Security team to encrypt data for the Redshift database. How can this be achieved? A. Encrypt the EBS volumes of the underlying EC2 Instances. B. Use the AWS KMS customer default master key. C. Use SSL/TLS for encrypting the data. D. Use S3 Encryption.

B Amazon Redshift uses a hierarchy of encryption keys to encrypt the database. You can use either AWS Key Management Service (AWS KMS) or a hardware security module (HSM) to manage the top-level encryption keys in this hierarchy. The process that Amazon Redshift uses for encryption differs depending on how you manage keys.

Baron Chapter 12 - 18 Which of the following is the name of the feature within Amazon Virtual Private Cloud (Amazon VPC) that allows you to launch Amazon Elastic Compute Cloud (Amazon EC2) instances on hardware dedicated to a single customer? A. Amazon VPC-based tenancy B. Dedicated tenancy C. Default tenancy D. Host-based tenancy

B Dedicated instances are physically isolated at the host hardware level from your instances that aren't dedicated instances and from instances that belong to other AWS accounts.

Baron Chapter 12 - 13 You have launched an Amazon Linux Elastic Compute Cloud (Amazon EC2) instance into EC2-Classic, and the instance has successfully passed the System Status Check and Instance Status Check. You attempt to securely connect to the instance via Secure Shell (SSH) and receive the response, "WARNING: UNPROTECTED PRIVATE KEY FILE," after which the login fails. Which of the following is the cause of the failed login? A. You are using the wrong private key. B. The permissions for the private key are too insecure for the key to be trusted. C. A security group rule is blocking the connection. D. A security group rule has not been associated with the private key.

B If your private key can be read or written to by anyone but you, then SSH ignores your key.
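The check OpenSSH performs is on the mode bits: a private key file that is readable or writable by group or other (`mode & 077 != 0`) is refused with exactly that warning. Below is an added example (not from the page or from OpenSSH) that reproduces the check in Python, applies the usual `chmod 400` remedy, and demonstrates both on a constructed placeholder file; the placeholder content is not a real key.

```python
import os
import stat
import tempfile


def key_is_protected(path: str) -> bool:
    """Mirror OpenSSH's test: any group/other permission bit on the key file means 'unprotected'."""
    mode = os.stat(path).st_mode
    return (mode & 0o077) == 0


def fix_key_permissions(path: str) -> int:
    """Apply the standard remedy (owner read-only, i.e. chmod 400) and return the resulting mode bits."""
    os.chmod(path, stat.S_IRUSR)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> tuple:
    """Create a placeholder .pem with the permissions a download or copy often leaves (0644),
    show that it fails the check, fix it, and show that it passes. Returns (before, after)."""
    with tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False) as f:
        f.write("constructed placeholder, not a real private key\n")
        path = f.name
    try:
        os.chmod(path, 0o644)
        before = key_is_protected(path)
        new_mode = fix_key_permissions(path)
        after = key_is_protected(path) and new_mode == 0o400
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    print(demo())   # (False, True)
```

The same reasoning explains why a key copied onto a shared or world-readable filesystem keeps failing: the fix is the file mode, not the key material or the security group.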

Banerjee - 01 Can you add an IAM role to an IAM group? A. Yes B. No C. Yes, if there are ten members in the group D. Yes, if the group allows adding a role

B No, you can't add an IAM role to an IAM group.

Banerjee - 10 In Amazon RDS, who is responsible for patching the database? A. Customer. B. Amazon. C. In RDS you don't have to patch the database. D. RDS does not come under the shared security model.

B RDS does come under a shared security model. Since it is a managed service, the patching of the database is taken care of by Amazon.

Baron Chapter 12 - 06 Which of the following is the name of the security model employed by AWS with its customers? A. The shared secret model B. The shared responsibility model C. The shared secret key model D. The secret key responsibility model

B The shared responsibility model is the name of the model employed by AWS with its customers.

Hummel 04 What protocols must be enabled for remote access to Linux-based and Windows-based EC2 instances? A. SSH, ICMP, Telnet B. SSH, HTTP, RDP C. SSH, HTTP, SSL D. SSH, RDP, ICMP

D

Hummel 11 What are the two reasons for deploying Origin Access Identity (OAI) when enabling CloudFront? A. Prevent users from deleting objects in S3 buckets B. Mitigate distributed denial of service attacks (DDoS) C. Prevent users from accessing objects with Amazon S3 URL D. Prevent users from accessing objects with CloudFront URL E. Replace IAM for internet-based customer authentication

B, C

Banerjee - 02 An IAM policy contains which of the following? (Choose two.) A. Username B. Action C. Service name D. AZ

B, C A policy is not location specific and is not limited to a user.

Hummel 36 What are two primary differences between AD Connector and Simple AD for cloud directory services? A. Simple AD requires an on-premises ADS directory B. Simple AD is fully managed and setup in minutes C. AD connector requires an on-premises ADS directory D. Simple AD is more scalable than AD Connector E. Simple AD provides enhanced integration with IAM

B, C AD Connector is a dual Availability Zone proxy service that connects AWS apps to your on-premises directory. ... This account is used by AWS to enable seamless domain join, single sign-on (SSO), and AWS Applications (WorkSpaces, WorkDocs, and WorkMail) functionality.

Hummel 01 What statements correctly describe security groups within a VPC? (Select three) A. default security group only permit inbound traffic B. security groups are stateful firewalls C. only allow rules are supported D. allow and deny rules are supported E. security groups are associated to network interfaces

B, C, E

Hummel 12 What solutions are recommended to mitigate DDoS attacks? (Select three) A. Host-based firewall B. Elastic load balancer C. WAF D. SSL/TLS E. Bastion host F. NAT gateway

B, C, E A web application firewall filters, monitors, and blocks HTTP traffic to and from a web application. A WAF is differentiated from a regular firewall in that a WAF is able to filter the content of specific web applications while regular firewalls serve as a safety gate between servers

Baron Chapter 6 - 09 You want to grant the individuals on your network team the ability to fully manipulate Amazon EC2 instances. Which of the following accomplish this goal? (Choose 2 answers) A. Create a new policy allowing EC2:* actions, and name the policy NetworkTeam. B. Assign the managed policy, EC2FullAccess, to a group named NetworkTeam, and assign all the team members' IAM user accounts to that group. C. Create a new policy that grants EC2:* actions on all resources, and assign that policy to each individual's IAM user account on the network team. D. Create a NetworkTeam IAM group, and have each team member log in to the AWS Management Console using the user name/ password for the group.

B, C. Access requires an appropriate policy associated with a principal. Response A is merely a policy with no principal, and response D is not a principal as IAM groups do not have user names and passwords. Response B is the best solution; response C will also work but it is much harder to manage.

Baron Chapter 6 - 06 Which of the following are benefits of using Amazon EC2 roles? (Choose 2 answers) A. No policies are required. B. Credentials do not need to be stored on the Amazon EC2 instance. C. Key rotation is not necessary. D. Integration with Active Directory is automatic.

B, C. Amazon EC2 roles must still be assigned a policy. Integration with Active Directory involves integration between Active Directory and IAM via SAML.

Baron Chapter 6 - 01 Which of the following methods will allow an application using an AWS SDK to be authenticated as a principal to access AWS Cloud services? (Choose 2 answers) A. Create an IAM user and store the user name and password for the user in the application's configuration. B. Create an IAM user and store both parts of the access key for the user in the application's configuration. C. Run the application on an Amazon EC2 instance with an assigned IAM role. D. Make all the API calls over an SSL connection.

B, C. Programmatic access is authenticated with an access key, not with user names/ passwords. IAM roles provide a temporary security token to an application using an SDK.

Hummel 03 What two source IP address types are permitted in a security group rule? A. Only CIDR blocks with /16 subnet mask B. Source IP address 0.0.0.0/0 C. Single source IP address with /24 subnet mask D. Security group id E. IPv6 address with /64 prefix length

B, D

Baron Chapter 12 - 12 DynamoDB tables may contain sensitive data that needs to be protected. Which of the following is a way for you to protect DynamoDB table content? (Choose 2 answers) A. DynamoDB encrypts all data server-side by default so nothing is required. B. DynamoDB can store data encrypted with a client-side encryption library solution before storing the data in DynamoDB. C. DynamoDB obfuscates all data stored so encryption is not required. D. DynamoDB can be used with the AWS Key Management Service to encrypt the data before storing the data in DynamoDB. E. DynamoDB should not be used to store sensitive information requiring protection.

B, D When this question was written, Amazon DynamoDB had no server-side feature to encrypt items within a table, so items had to be encrypted before being stored, either with a client-side encryption library or with keys managed by AWS Key Management Service. (DynamoDB now encrypts all tables at rest by default with AWS-owned keys, with the option of KMS-managed keys, so option A is true for current deployments; client-side encryption is still the way to keep plaintext out of the service entirely.)

Banerjee - 05 Which is based on temporary security tokens? (Choose two.) A. Amazon EC2 roles B. Federation C. Username password D. Using AWS STS

B, D The username password is not a temporary security token. Federation enables you to manage access to your AWS Cloud resources centrally. ... AWS offers multiple options for federating your identities in the AWS Cloud. You can use AWS Identity and Access Management (IAM) to enable users to sign in to their AWS accounts with their existing corporate credentials.

Hummel 13 What features are required to prevent users from bypassing AWS CloudFront security? (Select three) A. Bastion host B. Signed URL C. IP whitelist D. Signed cookies E. Origin access identity (OAI)

B, D, E

Baron Chapter 6 - 04 Which of the following actions can be authorized by IAM? (Choose 2 answers) A. Installing ASP.NET on a Windows Server B. Launching an Amazon Linux EC2 instance C. Querying an Oracle database D. Adding a message to an Amazon Simple Queue Service (Amazon SQS) queue

B, D. IAM controls access to AWS resources only. Installing ASP.NET will require Windows operating system authorization, and querying an Oracle database will require Oracle authorization.

Kroonenburg 18 What is the default level of access a newly created IAM User is granted? A. Administrator access to all AWS services. B. Read only access to all AWS services. C. No access to any AWS services. D. Power user access to all AWS services.

C

Hummel 16 What rule must be added to the security group assigned to a mount target instance that enables EFS access from an EC2 instance? A. Type = EC2, protocol = IP, port = 2049, source = remote security group ID B. Type = EC2, protocol = EFS, port = 2049, source = 0.0.0.0/0 C. Type = NFS, protocol = UDP, port = 2049, source = remote security group ID D. Type = NFSv4, protocol = UDP, port = 2049, source = remote security group ID

C

Hummel 17 What statement correctly describes IAM architecture? A. IAM security is unified per region and replicated based on requirements for an AWS tenant account B. IAM security is defined per region for roles only on an AWS tenant account C. IAM security is globally unified across the AWS cloud for an AWS tenant account D. IAM security is defined separately per region and cross-region security enabled for an AWS tenant account

C

Hummel 19 What feature is not available with AWS Trusted Advisor? A. Cost optimization B. Infrastructure best practices C. Vulnerability assessment D. Monitor application metrics

C

Hummel 20 What is required to ping from a source instance to a destination instance? A. Network ACL: not required; Security group: allow ICMP outbound on source/destination EC2 instances B. Network ACL: allow ICMP inbound/outbound on source/destination subnets; Security group: not required C. Network ACL: allow ICMP inbound/outbound on source/destination subnets; Security group: allow ICMP outbound on source EC2 instance; Security group: allow ICMP inbound on destination EC2 instance D. Network ACL: allow TCP inbound/outbound on source/destination subnets; Security group: allow TCP and ICMP inbound on source EC2 instance

C

Hummel 22 You have configured a security group to allow ICMP, SSH and RDP inbound and assigned the security group to all instances in a subnet. There is no access to any Linux-based or Windows-based instances and you cannot ping any instances. The network ACL for the subnet is configured to allow all inbound traffic to the subnet. What is the most probable cause? A. On-premises firewall rules B. Security group and network ACL outbound rules C. Security group outbound rules D. Bastion host required

C

Hummel 31 What IAM class enables an EC2 instance to access a file object in an S3 bucket? A. User B. Root C. Role D. Group

C

Kroonenburg 01 Which of the following is not a feature of IAM? A. IAM offers centralized control of your AWS account. B. IAM integrates with existing Active Directory accounts, allowing single sign-on. C. IAM allows you to set up biometric authentication, so that no passwords are required. D. IAM offers fine-grained access control to AWS resources.

C

Kroonenburg 08 You have a client who is considering a move to AWS. In establishing a new account, what is the first thing the company should do? A. Set up an account using Cloud Search. B. Set up an account via SNS (Simple Notification Service) C. Set up an account using their company email address. D. Set up an account via SQS (Simple Queue Service).

C

Kroonenburg 13 Power User Access allows ________. A. Users to inspect the source code of the AWS platform B. Full Access to all AWS services and resources. C. Access to all AWS services except the management of groups and users within IAM. D. Read Only access to all AWS services and resources.

C

Kroonenburg 16 What is an additional way to secure the AWS accounts of both the root account and new users alike? A. Configure the AWS Console so that you can only log in to it from a specific IP Address range B. Configure the AWS Console so that you can only log in to it from your internal network IP address range. C. Implement Multi-Factor Authentication for all accounts. D. Store the access key id and secret access key of all users in a publicly accessible plain text document on S3 of which only you and members of your organization know the address to.

C

Whizlabs Test 1 - 01 You are deploying an application on Amazon EC2, which must call AWS APIs. What method should you use to securely pass credentials to the application? A. Pass API credentials to the instance using instance user data. B. Store API credentials as an object in Amazon S3. C. Embed the API credentials into your application. D. Assign IAM roles to the EC2 instances.

C

Banerjee - 06 You want EC2 instances to give access without any username or password to S3 buckets. What is the easiest way of doing this? A. By using a VPC S3 endpoint B. By using a signed URL C. By using roles D. By sharing the keys between S3 and EC2

C A VPC endpoint is going to create a path between the EC2 instance and the Amazon S3 bucket. A signed URL won't help EC2 instances access S3 buckets. You cannot share keys between S3 and EC2.

Baron Chapter 12 - 19 Which of the following describes how Amazon Elastic MapReduce (Amazon EMR) protects access to the cluster? A. The master node and the slave nodes are launched into an Amazon Virtual Private Cloud (Amazon VPC). B. The master node supports a Virtual Private Network (VPN) connection from the key specified at cluster launch. C. The master node is launched into a security group that allows Secure Shell (SSH) and service access, while the slave nodes are launched into a separate security group that only permits communication with the master node. D. The master node and slave nodes are launched into a security group that allows SSH and service access.

C Amazon EMR starts your instances in two Amazon Elastic Compute Cloud (Amazon EC2) security groups, one for the master and another for the slaves. The master security group has a port open for communication with the service. It also has the SSH port open to allow you to securely connect to the instances via SSH using the key specified at startup. The slaves start in a separate security group, which only allows interaction with the master instance. By default, both security groups are set up to prevent access from external sources, including Amazon EC2 instances belonging to other customers. Because these are security groups in your account, you can reconfigure them using the standard Amazon EC2 tools or dashboard.

Baron Chapter 12 - 09 Which technology does Amazon WorkSpaces use to provide data security? A. Secure Sockets Layer (SSL)/Transport Layer Security (TLS) B. Advanced Encryption Standard (AES)-256 C. PC-over-IP (PCoIP) D. AES-128

C Amazon WorkSpaces uses PCoIP, which provides an interactive video stream without transmitting actual data. An Amazon WorkSpace is a cloud-based virtual desktop that can act as a replacement for a traditional desktop. A WorkSpace is available as a bundle of operating system, compute resources, storage space, and software applications that allow a user to perform day-to-day tasks just like using a traditional desktop.

Kroonenburg 04 What level of access does the "root" account have? A. Read Only Access B. No Access C. Administrator Access D. Power User Access

C An "administrator" has full access to the account with all permissions including account maintenance, users, and subscriptions. A "power user" has similar permissions to an administrator except they can't edit or view subscriptions or other users.

Baron Chapter 12 - 03 A Database security group controls network access to a database instance that is inside a Virtual Private Cloud (VPC) and by default allows access from? A. Access from any IP address for the standard ports that the database uses is provided by default. B. Access from any IP address for any port is provided by default in the DB security group. C. No access is provided by default, and any access must be explicitly added with a rule to the DB security group. D. Access for the database connection string is provided by default in the DB security group.

C By default, network access is turned off to a DB instance. You can specify rules in a security group that allow access from an IP address range, port, or Amazon Elastic Compute Cloud (Amazon EC2) security group.

Baron Chapter 12 - 10 As a Solutions Architect, how should you architect systems on AWS? A. You should architect for least cost. B. You should architect your AWS usage to take advantage of Amazon Simple Storage Service's (Amazon S3) durability. C. You should architect your AWS usage to take advantage of multiple regions and Availability Zones. D. You should architect with Amazon Elastic Compute Cloud (Amazon EC2) Auto Scaling to ensure capacity is available when needed.

C Distributing applications across multiple Availability Zones provides the ability to remain resilient in the face of most failure modes, including natural disasters or system failures.

Baron Chapter 12 - 05 How many access keys may an AWS Identity and Access Management (IAM) user have active at one time? A. 0 B. 1 C. 2 D. 3

C IAM permits users to have no more than two active access keys at one time.

Baron Chapter 12 - 02 You have launched a Windows Amazon Elastic Compute Cloud (Amazon EC2) instance and specified an Amazon EC2 key pair for the instance at launch. Which of the following accurately describes how to log in to the instance? A. Use the Amazon EC2 key pair to securely connect to the instance via Secure Shell (SSH). B. Use your AWS Identity and Access Management (IAM) user X.509 certificate to log in to the instance. C. Use the Amazon EC2 key pair to decrypt the administrator password and then securely connect to the instance via Remote Desktop Protocol (RDP) as the administrator. D. A key pair is not needed. Securely connect to the instance via RDP.

C The administrator password is encrypted with the public key of the key pair, and you provide the private key to decrypt the password. Then log in to the instance as the administrator with the decrypted password.

Kroonenburg 09 When you create a new user, that user ________. A. Will be able to log in to the console only after multi-factor authentication is enabled on their account. B. Will be able to log in to the console anywhere in the world, using their access key ID and secret access key. C. Will be able to interact with AWS using their access key ID and secret access key using the API, CLI, or the AWS SDKs. D. Will only be able to log in to the console in the region in which that user was created.

C To access the console you use a username and password combination. To access AWS programmatically you use an access key ID and secret access key combination.

Hummel 26 Based on the Amazon security model, what infrastructure configuration and associated security is the responsibility of tenants and not Amazon AWS? (Select two) A. Dedicated cloud server B. Hypervisor C. Operating system level D. Application level E. Upstream physical switch

C, D

Baron Chapter 6 - 10 What is the format of an IAM policy? A. XML B. Key/value pairs C. JSON D. Tab-delimited text

C. An IAM policy is a JSON document.

Hummel 08 You have some developers working on code for an application and they require temporary access to the AWS cloud for up to an hour. What is the easiest web-based solution from AWS to provide access and minimize security exposure? A. ACL B. Security group C. IAM group D. STS E. EFS

D

Baron Chapter 12 - 14 Which of the following public identity providers are supported by Amazon Cognito Identity? A. Amazon B. Google C. Facebook D. All of the above

D Amazon Cognito Identity supports public identity providers (Amazon, Facebook, and Google) as well as unauthenticated identities. Amazon Cognito is an Amazon Web Services (AWS) product that controls user authentication and access for mobile applications on internet-connected devices.

Baron Chapter 12 - 08 Which of the following Elastic Load Balancing options ensures that the load balancer determines which cipher is used for a Secure Sockets Layer (SSL) connection? A. Client Server Cipher Suite B. Server Cipher Only C. First Server Cipher D. Server Order Preference

D Elastic Load Balancing supports the Server Order Preference option for negotiating connections between a client and a load balancer. During the SSL connection negotiation process, the client and the load balancer each present a list of ciphers and protocols that they support, in order of preference. By default, the first cipher on the client's list that matches any one of the load balancer's ciphers is selected for the SSL connection. If the load balancer is configured to support Server Order Preference, then the load balancer selects the first cipher in its own list that is also in the client's list of ciphers. This ensures that the load balancer determines which cipher is used for the SSL connection. If you do not enable Server Order Preference, the order of ciphers presented by the client is used to negotiate connections between the client and the load balancer.

Baron Chapter 12 - 17 Which of the following is the most recent version of the AWS digital signature calculation process? A. Signature Version 1 B. Signature Version 2 C. Signature Version 3 D. Signature Version 4

D The Signature Version 4 signing process describes how to add authentication information to AWS requests. For security, most requests to AWS must be signed with an access key (Access Key ID [AKI] and Secret Access Key [SAK]). If you use the AWS Command Line Interface (AWS CLI) or one of the AWS Software Development Kits (SDKs), those tools automatically sign requests for you based on credentials that you specify when you configure the tools. However, if you make direct HTTP or HTTPS calls to AWS, you must sign the requests yourself.

Baron Chapter 12 - 07 Which of the following describes the scheme used by an Amazon Redshift cluster leveraging AWS Key Management Service (AWS KMS) to encrypt data-at-rest? A. Amazon Redshift uses a one-tier, key-based architecture for encryption. B. Amazon Redshift uses a two-tier, key-based architecture for encryption. C. Amazon Redshift uses a three-tier, key-based architecture for encryption. D. Amazon Redshift uses a four-tier, key-based architecture for encryption.

D When you choose AWS KMS for key management with Amazon Redshift, there is a four-tier hierarchy of encryption keys: a master key, a cluster key, a database key, and data encryption keys. Data encryption keys encrypt data blocks in the cluster, and each data block is assigned a randomly generated AES-256 key.

Hummel 21 What two steps are required to grant cross-account permissions between AWS accounts? A. Create an IAM user B. Attach a trust policy to S3 C. Create a transitive policy D. Attach a trust policy to the role E. Create an IAM role

D, E

Hummel 10 What two components are required for enabling SAML authentication requests to AWS Identity and Access Management (IAM)? A. Access keys B. Session token C. SSO D. Identity provider (IdP) E. SAML provider entity

D, E Security Assertion Markup Language (SAML) is an open standard that allows identity providers (IdPs) to pass authorization credentials to service providers (SPs). ... SAML is the link between the authentication of a user's identity and the authorization to use a service.
