AWS Security Exam Questions - version 1


You are designing an e-commerce application which will run on a number of EC2 instances behind an Application Load Balancer, storing product and customer data in DynamoDB and product images in S3. In your previous role at another company, your systems were frequently targeted by SQL injection and cross-site scripting attacks. Which of the following can be used to protect against this type of attack?

AWS WAF
AWS Trusted Advisor
Amazon Inspector
AWS Shield

Your application is running on an EC2 instance in a private subnet. You have added a number of image files to an S3 bucket and you now want your application to be able to access the files. You have configured an IAM role with permission to read files in the S3 bucket and associated this role with your EC2 instance. This is a secure internal application and your CEO has already informed you that the system must be as secure as possible. How can you configure the communication between your EC2 instance and the S3 bucket in the most secure way?

Access the bucket using AWS PrivateLink
Configure the bucket policy to only allow read only access to the IAM role and deny access to all other users
Create an S3 Endpoint and access the bucket using the S3 Endpoint
Create a Direct Connect Endpoint and access the bucket using Direct Connect

AWS Systems Manager Parameter Store provides secure, hierarchical storage for configuration data and secrets management. Which of the following AWS services natively support Parameter Store? (Choose 3)

Amazon EC2
AWS CloudFormation
Amazon RDS
AWS Lambda

You have added the following statement to your S3 bucket policy, to give a user access to all items in the bucket called mys3bucket: { "Effect": "Allow", "Action": "*", "Resource":"arn:aws:s3:::myS3bucket" } However when you try to add the policy, you get the following error: Action does not apply to any resource(s) in statement. What do you need to do to resolve this?

Change the resource section to: "Resource":"arn:aws:s3:::myS3bucket/"
Change the resource section to: "Resource":"arn:aws:s3:::myS3/bucket/"
Change the resource section to: "Resource":"arn:aws:s3:::/S3/myS3bucket"
Change the resource section to: "Resource":"arn:aws:s3:::myS3bucket/*"

You have developed a number of Lambda functions to run automated housekeeping tasks in your environment, however you suspect that some of these functions are failing to launch or not completing properly as a lot of the tasks have failed to run. Which of the following tools can you use to investigate this?

Check for errors in Trusted Advisor
Check for errors in CloudTrail
Check for errors in the VPC Flow Logs
Check for errors in CloudWatch

You are using a CMK with imported key material. You have been asked by the head of Security to start rotating your key on an annual basis. The key has already been in use for over a year and you have been asked to perform the first rotation this week. How should you do this?

Configure automatic key rotation
Manually import new key material into the CMK
Create a new key with new key material and delete the old key
Manually rotate the key

You need to allow users in your corporate Active Directory to access the AWS console. Which of the following are valid configuration steps?

Create an IAM user for every Active Directory user
Create a role with appropriate permissions
In ADFS, configure a trust with Active Directory as the relying party
In ADFS, configure a trust with AWS as the relying party
In AWS, configure the Active Directory instance as an Identity Provider

You suspect that your AWS account has been compromised. Which of the following actions should you take immediately? (Choose 3)

Disable the root user account
Delete any potentially compromised IAM users
Delete any IAM users that you didn't create yourself
Change your root user password
Delete your AWS account

One of your team has mistakenly leaked their access key and secret access key on GitHub. What should you do immediately to secure your account?

Isolate all EC2 instances associated with the account
Make the access key inactive or delete it
Quarantine the account
Create a new access key

You have just completed the move of a Microsoft SQL Server database over to a Windows Server EC2 instance. Rather than logging in periodically to check for patches, you want something more proactive. Which of the following would be the most appropriate for this?

Make use of Patch Manager and the AWS-DefaultPatchBaseline pre-defined baseline
Make use of Server Manager and the AWS-LinuxWindowsDefaultPatchBaseline pre-defined baseline
Make use of Patch Manager to apply patches as you have defined in the Patch Groups
Make use of AWS Batch to apply patches as they appear on the RSS feed from Microsoft

You have discovered that your AWS account may have been compromised. What steps should you carry out immediately in order to secure your account? (Choose 2)

Rotate all passwords and IAM access Keys
Delete any resources in your account that you didn't create yourself
Rotate all CMKs
Delete all IAM user accounts

An external auditor is reviewing your process documentation for a Payment Card Industry (PCI) audit. The scope of this audit will extend to your immediate vendors where you store, transmit or process cardholder data. Because you do store cardholder data in the AWS Cloud, the auditor would like to review AWS's PCI DSS Attestation of Compliance and Responsibility. How would you go about getting this document?

Submit a Support Case requesting the document
AWS WorkDocs
AWS Artifact
AWS Legal Services website
AWS IAM Console
AWS Macie

You are attempting to access an encrypted file which is stored in S3 using AWS-KMS. You can see the contents of the bucket but when you try to open the file, you get an Access Denied error and you cannot open the file. What could the problem be?

The CMK was rotated
You do not have read access to the bucket
You are not the key administrator
You are not permitted to use the CMK to decrypt the file

You are developing a photo sharing website which uses a Lambda function to add metadata to images stored in S3 based on user account details stored in DynamoDB every time a photo is uploaded to S3. However you have noticed that the function is failing to add the metadata and you decide to check CloudWatch Logs to see if you can spot anything unusual. However when you check CloudWatch, nothing has been written to the log. What could be causing the logs to be empty?

The CloudWatch resource policy doesn't give Lambda permission to write to CloudWatch Logs
The function policy doesn't include permission to write to CloudWatch
The Lambda execution role does not have permission to write to CloudWatch
The execution role doesn't allow S3 to invoke the function

You have configured your AWS account to enable federation with your corporate Active Directory environment located in your own data center. Which of the following best describes the user authentication process?

The user authenticates using the AWS console, ADFS authenticates the user against Active Directory and provides a SAML token which is passed to AWS STS, STS returns temporary credentials to allow the user to access the console.
The user authenticates using the ADFS portal, ADFS authenticates the user against Active Directory and provides a SAML token which is passed to AWS STS, STS returns temporary credentials to allow the user to access the console.
The user authenticates against Active Directory and provides a SAML token which is passed to AWS STS, STS returns temporary credentials to allow the user to access the console.
The user authenticates using the Security Token Service, STS authenticates the user against Active Directory and returns temporary credentials to allow the user to access the console.

You are trying to SSH into your EC2 instance and you get a "Permission denied (publickey)" error. Which of the following are the most likely causes of this error? (Choose 2)

There is an issue with the AWS infrastructure.
You have supplied an invalid or otherwise improper private key (.pem) file.
You have provided an incorrect username for your AMI type.
The instance's security group is misconfigured.

You have noticed some unusual activity in your AWS account, and you suspect that at least one of your instances has been compromised and is being controlled by a malicious third party. You need to quickly assess the situation, understand the extent of the problem and would like to continually monitor your infrastructure so that you can be alerted about similar attacks. Which AWS tool can you use?

Turn on CloudTrail and check if any of your instances are exhibiting unusual behavior
Run Trusted Advisor to check if any of your instances are exhibiting unusual behavior
Use GuardDuty and check if any of your instances are exhibiting unusual behavior
Run Amazon Inspector to check if any of your instances are exhibiting unusual behavior

You have been asked to create a WORM - Write Once Read Many - archive using AWS. Which of the following services can you use to configure this?

Use S3 bucket policies and lifecycle rules
Use Glacier resource policies and lifecycle rules
Configure a Vault Lock policy
Use Glacier lifecycle rules

You are the Head of Security for the Gaming division of a large software company responsible for developing augmented reality games that users can play on their smartphones. Due to the popularity of your latest release, your organization is growing rapidly and as the infrastructure grows, you want to ensure that all new projects have complete segregation between Development, Testing and Production environments, to avoid sharing resources across different environments. Which of the following is the best option to achieve this?

Use a single account to centralize information security management and minimize overhead, then use separate VPCs to segregate each different environment.
Use a single account to centralize information security management and minimize overhead, then use IAM Users, Groups and Roles to control access to each environment.
Create one AWS account for production services, one for development, and one for testing.
Create a single AWS account for common project resources. Then create separate AWS accounts on a per project basis.

You are trying to debug your Lambda function, however you notice that you are not receiving data level events from either Lambda or S3. What could be the reason for this? (Choose 2)

Your function does not have permission to write data events to CloudWatch, or your S3 bucket is not authorized to log data events to CloudWatch
Your function does not have permission to write data events and you need to enable cross origin resource sharing to allow S3 to send data events to CloudTrail
You need to enable data events in CloudWatch
Data events are disabled by default
You need to enable data events in Lambda and S3

When accessing specific AWS resources, you encounter some problems with permissions. Select all possible reasons for those issues. (Choose 2)

Your request to a resource is implicitly denied because there is no explicit ALLOW statement in the permissions boundary policy for the applicable user or role.
You checked that you have sufficient permissions but then switched roles.
Since no permissions boundary or STS assume role policy exists, applicable permissions policies alone control access. These are checked together and always in the following order: Identity-based policies first, then resource-based and finally ACLs.
Your API request to the resource is denied because of an AWS Organizations permissions boundary defined by a service control policy which has a relevant DENY statement in it. However, you are not a member of an account that is a member of that organization.

Your application servers need to connect to a third party partner to access stock market data using TCP port 8194 and the following IP address: 90.10.52.154. Your subnet CIDR range is 10.0.1.0/24 and network traffic is controlled using Security Groups and Network Access Control Lists. Which of the following configurations will enable this connectivity?

A security group outbound rule to 90.10.52.154 on port 8194, a security group inbound rule from 90.10.52.154 on ephemeral ports, a Network ACL outbound rule to 90.10.52.154 on port 8194
A security group outbound rule to 90.10.52.154 on port 8194, a Network ACL outbound rule to 90.10.52.154 on port 8194 and a Network ACL inbound rule from 90.10.52.154 using ephemeral ports
A security group outbound rule to 90.10.52.154 on port 8194, a Network ACL outbound rule to 90.10.52.154 on port 8194 and a Network ACL inbound rule from 10.0.1.0/24 using ephemeral ports
A security group outbound rule to 90.10.52.154 on port 8194, a Network ACL outbound rule to 90.10.52.154 on port 8194 and a Network ACL inbound rule from 90.10.52.154 on port 8194

You have been asked to investigate a security incident which occurred 2 weeks ago. You suspect that someone has been provisioning unauthorized instances in your account in order to try to create a backdoor into your VPC. Which of the following tools will you use to determine what has happened?

AWS Config
Trusted Advisor
CloudWatch Logs
CloudTrail

Your company website uses a combination of EC2 instances and S3. Your Head of Security has asked you to implement a solution to help protect the website from DDoS attacks. Which of the following AWS Services would you recommend? (Choose 3)

Amazon Inspector
AWS WAF
AWS Trusted Advisor
AWS Shield
CloudFront
Amazon GuardDuty

You are working as a Security Architect at a large retail bank, designing a new secure website which will enable customers to apply for a personal loan online. You would like to protect your application from attacks such as SQL injection and cross-site scripting. Which of the following AWS services would you consider using when planning this website? (Choose 3)

CloudFront
AWS Shield
CloudWatch
AWS WAF
Network Load Balancer
Application Load Balancer

You have noticed some strange activity in your AWS accounts and have engaged an external consultancy to review your accounts and try to understand what is going on. The consultant has asked to review all the API events in your account over the next two weeks. Your department currently has a number of different accounts, and you are struggling to keep track of everything. The consultant needs to check what is going on in each of these accounts. Which of the following options is the best way to enable this?

Configure CloudWatch Logs in each account and send the logs to a single S3 bucket. Grant read only access to the S3 bucket for the consultant.
Create a new AWS Organization, add each account to the Organization, then create a single CloudTrail which covers all accounts. Grant read only access to CloudTrail and the S3 bucket for the consultant.
Create a new AWS Organization, add each account to the Organization, then enable CloudTrail in each account. Grant the consultant read only access to CloudWatch and the S3 bucket.
Configure CloudTrail in each account and send the logs to a separate S3 bucket. Grant read only access to CloudTrail and the S3 bucket for the consultant.

You are working for an investment bank which is designing a new application to analyse historical trading data, and use machine learning to predict stock market performance. The application is running in AWS and needs to access the historical data stored in a proprietary time series database located in your data center. This information is highly confidential and could cause serious repercussions if any data was ever leaked to the public or your competitors. The application itself is extremely sensitive to network inconsistencies and during testing it frequently crashes if the network is not reliable. How should you configure the network connectivity for this application?

Configure a Direct Connect connection between the VPC and your data center
Use a VPC Endpoint so that the data never leaves Amazon's network
Access the data using a secure port on the time series database so that the data is encrypted in transit
Configure a VPN between your VPC and the data center and access the time series database using a secure port
Configure a VPN between your VPC and the data center over a Direct Connect connection

You are consulting for a large multi-national company that is designing their AWS account structure. The company policy says that they must maintain a centralized logging repository but localized security management. For economic efficiency, they also require all sub-account charges to roll up under one invoice. Which of the following solutions most efficiently addresses these requirements?

Configure billing for each account to load into a consolidated RedShift instance. Create a centralized security account and establish trust relationships between each sub-account. Configure admin roles within IAM of each sub-account for local administrators. Create a stand-alone consolidated logging account and configure all sub-account CloudWatch and CloudTrail activity to route to that account.
Create a stand-alone consolidated logging account and configure all sub-account CloudWatch and CloudTrail activity to route to that account. Create localized IAM policies to restrict modification of CloudWatch and CloudTrail configuration. Configure consolidated billing under a single account and register all sub-accounts to that billing account. Create a centralized security account and establish trust relationships between each sub-account.
Create a stand-alone consolidated logging account and configure all sub-account CloudWatch and CloudTrail activity to route to that account. Use a Service Control Policy to restrict sub-accounts from changing CloudWatch and CloudTrail configuration. Configure consolidated billing under a single account and register all sub-accounts to that billing account. Create localized IAM Admin accounts for each sub-account.
Create a stand-alone consolidated logging account and configure all sub-account CloudWatch and CloudTrail activity to route to that account. Use ACLs to restrict sub-accounts from changing CloudWatch and CloudTrail configuration. Configure consolidated billing under a single account and register all sub-accounts to that billing account. Create localized IAM Admin accounts for each sub-account. Establish trust relationships between the Consolidated Billing account and all sub-accounts.

A client has asked you to review their system architecture in advance of a compliance audit. Their production environment is set up in a single AWS account that can only be accessed through a monitored and audited bastion host. Their EC2 Linux instances currently use AWS-encrypted EBS volumes and the web server instances sit in a private subnet behind an ALB that terminates TLS using a certificate from ACM. All their web servers share a single Security Group, and their application and data layer servers similarly share one Security Group each. Their S3 objects are stored with SSE-S3. The auditors will require all data to be encrypted at rest and will expect the system to secure against the possibility that TLS certificates might be stolen by would-be spoofers. How would you help this client pass their audit in a cost effective way? (Choose 3)

Continue to use the ACM for the TLS certificate.
Leave the S3 objects alone.
Make no changes to the EBS volumes.
Deploy CloudHSM and migrate the TLS keys to that service.
Encrypt the S3 objects with OpenPGP locally before re-uploading them to S3.
Reconfigure the EC2 EBS volumes to use LUKS OS-Level encryption.

You are working for a large software company, developing machine learning algorithms for the healthcare industry. Your department stores the majority of its data in S3 and all data in S3 must be encrypted at rest using SSE-KMS using a CMK that you manage. Your Head of Security has just asked you to implement controls to ensure that the same encryption key is not used for longer than 3 months. Which of the following options is the best approach?

Create a CloudWatch scheduled event to create a new CMK, every three months. Update the Key alias and delete the old key.
Enable automatic key rotation on the CMK, set the rotation schedule to every three months
Use a CloudWatch scheduled event to trigger a Lambda function to create a new CMK every three months. Keep the old key.
Configure an S3 lifecycle policy to schedule key rotation every three months

You have a number of AWS accounts, one for each department in your company. Your Head of Security has asked you to make sure that nobody has access to disable CloudTrail in any of your accounts. How should you do this?

Create a Service Control Policy in each account which includes a permissions boundary restricting write access to CloudTrail
Create a CloudWatch Events rule that is triggered if any user disables CloudTrail, create a Lambda function to re-enable CloudTrail
Create a new AWS Organization, group the accounts under a single OU and use a Service Control Policy to restrict any account in the OU from stopping CloudTrail
Create a new AWS Organization, group the accounts under a single OU and use an IAM policy in each account to restrict users from stopping CloudTrail

You are using a CMK with imported key material. One of your administrators accidentally deleted the key material and you can now no longer access any of your encrypted files. What can you do to fix this?

Create a new CMK, import the original key material into the new CMK
Re-import the same key material to your CMK
Import new key material into the CMK
Create a new CMK with new key material

You would like to use your own DNS server rather than using the Amazon DNS server. Which of the following are valid steps for configuring this?

Create a new DHCP option set for your VPC, specifying the name of your own DNS server
Create a new DHCP option set for your VPC, specifying the IP address of your own DNS server
Update your Security Groups and Network ACLs to prevent applications from querying the Amazon DNS Server
Update the DHCP option set for your VPC, specifying the IP address of your own DNS server

You are working as the lead Security Architect for a large retail bank and you have an external auditor visiting from your regulating body. The auditor will be spending the next two weeks with your team and needs access to read your CloudTrail logs in order to complete their assessment and they already have their own AWS account. How can you configure access for the Auditor to complete their assessment?

Create a new guest user account with administrator level access and supply the login credentials to the auditor. When the auditor has completed her work, delete the account.
Create an IAM role in your account with an access policy allowing read-only access to the log files. Configure a trust policy in the external account allowing the Auditor's AWS account to assume the role in your account.
Create a trust policy enabling read-only access to the log files for the external account. Configure an IAM role in your account allowing the Auditor's AWS account to assume the role.
Create an IAM role in your account with an access policy allowing read-only access to the log files. Configure a trust policy in your account allowing the Auditor's AWS account to assume the role.

You have been asked to help develop a process for monitoring and alerting staff when malicious or unauthorized activity occurs. Your Chief Security Officer is asking for a solution that is both fast to implement but also very low maintenance. Which option best fits these requirements?

Enable AWS GuardDuty to monitor for malicious and unauthorized behavior. Configure a custom blocklist for the IPs which you have seen suspect activity in the past. Setup a Lambda function triggered from a CloudWatch event when anomalies are detected.
Enable AWS Macie to monitor for malicious and unauthorized behavior. Configure a custom allow list for the IPs that were wrongly flagged. Setup a Lambda function triggered from a CloudWatch event when anomalies are detected.
Use Lambda to periodically review CloudFront logs for malicious and unauthorized behavior. Trigger an SES email to the Security Officer.
Configure VPC Flow Logs to capture all traffic going in and out of the VPC. Use Elasticsearch to process the logs and trigger a Lambda function whenever malicious or unauthorized behavior is found.
Configure CloudWatch to create an event whenever malicious or unauthorized behavior is observed. Trigger an SMS message via SNS to the Security Officer whenever the event happens.

You work for a large organization and many of your departments have access to the AWS console. The company has been using AWS for a number of years, and user permissions have been managed with different designs during that time. You have already reviewed the IAM accounts and policies and deleted any accounts that are no longer required, but your CTO still suspects that many of the users have greater access than they need for their role, with many users having the ability to launch EC2 instances and change Security Group settings at any time, which is against the company Security Policy. What measures can you suggest?

Implement event based security using Lambda and CloudWatch Events to alert when a user performs an action which is against company policy and sends an SNS notification
Implement event based security using CloudWatch Logs and CloudWatch Events which alerts when a user performs an action which is against company policy and sends an SNS notification
Implement event based security using CloudTrail and CloudWatch Events which alerts when a user performs an action which is against company policy and sends an SNS notification
Implement event based security using GuardDuty and CloudWatch Events which alerts when a user performs an action which is against company policy and sends an SNS notification

Your Head of Networks suspects that some of your EC2 instances are performing unauthorized port scanning in your environment. What can you do to learn more about what is going on in your AWS account?

Install an IDS / IPS system to report on possible port scanning activity
Check the logs in your AWS WAF to see if any of your instances is trying to connect to multiple ports over a short period of time
Check your VPC flow logs to see if any of your instances is trying to connect to multiple ports over a short period of time
Use GuardDuty to detect if any of your instances are engaged in a possible port scan attack

You have designed a travel website which allows users to share their photos from their trip and subscribe to receive notifications every time another member uploads a photo of one of their favourite destinations. Users upload their images to the website, which stores them in S3 and writes metadata about each photo in a DynamoDB table. When a photo is uploaded, a Lambda function will read the metadata from DynamoDB and send a notification to an SNS topic which notifies the subscribed users. During testing, you notice users are not being notified after a photo has been successfully uploaded, however when you test the Lambda function in isolation, it works perfectly. What might be causing this?

Lambda does not have permission to read the S3 object metadata
S3 does not have permission to invoke the Lambda function
SNS does not have permission to read the S3 object
Lambda does not have permission to read the DynamoDB table

You are working for a charity which is working to monitor global climate change. You have created a VPC which has a private subnet and a public subnet with a NAT Gateway. You have been asked to provision a number of EC2 instances which will run an application which needs to download publicly available climate statistics from a government website. Which of the following options is the most secure way to configure this?

Launch the EC2 instances in the public subnet, route internet-bound traffic to the NAT Gateway to access the government website
Launch the EC2 instances in the public subnet, launch a NAT Gateway in the private subnet, route internet-bound traffic to the NAT gateway to access the government website
Launch the EC2 instances and a NAT Gateway in the public subnet, route internet-bound traffic to the NAT gateway to access the government website
Launch the EC2 instances in the private subnet, launch a NAT Gateway in the private subnet, route internet-bound traffic to the NAT gateway to access the government website
Launch the EC2 instances in the private subnet, route internet-bound traffic to the NAT Gateway in the public subnet to access the government website

Your company website uses an S3 bucket configured as a website endpoint behind a CloudFront distribution, using a custom domain name. Users are only allowed to access the website using HTTPS. You want to ensure that the traffic is encrypted end-to-end between your users and the S3 bucket. Which of the following are valid steps that you will need to take in order to configure this?

Provide a custom SSL Certificate in CloudFront
Provide a custom SSL Certificate in CloudFront and configure your S3 bucket to use SSE-S3
Use the default CloudFront certificate and configure your S3 bucket to use SSE-S3
Use the default CloudFront certificate and configure your S3 bucket to use SSE-KMS
Provide a custom SSL Certificate in CloudFront and configure your S3 bucket to use SSE-KMS

You are helping a client migrate over an internal application from on-prem to AWS. The application landscape on AWS will consist of a fleet of EC2 instances behind an Application Load Balancer. The application client is an in-house custom application that communicates to the server via HTTPS and is used by around 40,000 users globally across several business units. The same exact application and landscape will be deployed in US-WEST-2 as well as EU-CENTRAL-1. Route 53 will then be used to redirect users to the closest region. When the application was originally built, they chose to use a self-signed 2048-bit RSA X.509 certificate (SSL/TLS server certificate) and embedded the self-signed certificate information into the in-house custom client application. Regarding the SSL certificate, which activities are both feasible and minimize extra administrative work?

Purchase a new public SSL/TLS certificate from a third-party CA. Upload the certificate to Certificate Manager and assign that certificate to the Application Load Balancers.
Create a new Certificate Authority within Certificate Manager and import the existing certificate. Generate a new certificate, CA chain and private key and push an update for the application. Assign the new certificate to the Application Load Balancers in all regions.
Import the existing certificate and private key into Certificate Manager in both regions. Assign that imported certificate to the Application Load Balancers using their respective regionally imported certificate.
Create a new public SSL/TLS certificate using Certificate Manager and configure the common name and OU to match the existing certificate. Assign the new certificate to the Application Load Balancers in all regions. Use Service Catalog to push an update of the in-house app which includes an updated certificate and CA chain.
Generate a new private certificate using OpenSSL. Import the new certificate to Certificate Manager in US-EAST-1. Assign the new certificate to the Application Load Balancers in all regions.

You have been asked to investigate whether unrestricted SSH access is enabled to any of your EC2 instances. How should you approach this?

Run a manual check on each EC2 instance
Use AWS Config to check which Security Groups are configured with unrestricted access
Use Kali Linux to run a penetration test
Use Trusted Advisor to report Security Groups configured with unrestricted access

You are running your web application on a number of EC2 instances behind an Application Load Balancer. You have configured the application to send error logs and security logs to CloudWatch Logs. Persistent data generated by the application is stored in DynamoDB, and website images and static content are stored in S3. Over the weekend the application crashed a number of times, causing a serious system outage. The application support team managed to get the system back online, but on Monday morning, when they tried to access the logs to analyze what went wrong, they discovered that no logs exist for this application. What might be the problem? (Choose 3)

The CloudWatch Logs agent does not have permission to read DynamoDB tables
The CloudWatch Logs agent is not running
The CloudWatch Logs agent is not installed
DynamoDB does not have permission to write to CloudWatch Logs
The Instance role does not have permission to write to CloudWatch Logs
The IAM user does not have permission to write to CloudWatch Logs

Your Chief Security Officer has mandated that all software license keys for your application must be stored centrally, in an encrypted format, in SSM Parameter Store. It is now time to upgrade the software, and in order to get access to the free upgrade, your application needs to access the licence key string. You scheduled the upgrade for last weekend; however, most of the upgrades failed. What do you suspect the problem could be? (Choose 2)

The EC2 instance role does not have permission to use KMS to decrypt the parameter
The EC2 instance role does not have permission to read the parameter in SSM Parameter Store
The EC2 instance role does not have permission to use KMS to encrypt the parameter
SSM Parameter Store does not have permission to use KMS to decrypt the parameter

You have multiple separate AWS accounts for each department in your company. You have enabled CloudTrail logging for each of these accounts and configured each one to send logs to the same S3 bucket. However, some of your accounts have not been sending any logs. What do you think the problem is?

The accounts do not have permission to write to the S3 bucket
You need to configure cross origin resource sharing to enable CloudTrail to write to an S3 bucket in another account
For security reasons, it is not possible to send CloudTrail logs to a bucket that is not owned by the same AWS account generating the logs
You need to configure an origin access identity with permission to write to the S3 bucket

A client is trying to set up a new VPC from scratch. They are not able to reach the Amazon Linux web server instance launched in their VPC from their on-prem network using a web browser. You have verified the internet gateway is attached and the main route table is configured to route 0.0.0.0/0 to the internet gateway properly. The instance is also being assigned a public IP address. Which of the following would be another potential cause of the problem?

The inbound security group allows port 80 and 22 only.
The IAM role assigned to the LAMP instances does not have any policies assigned.
The default route to the internet gateway is incorrect.
The instance does not have an elastic IP address assigned.
The outbound network ACL allows port 80 and 22 only.
The customer has disabled the ec2-user account on the Amazon Linux instance.

A number of users are trying to access objects in your S3 bucket; however, they are receiving the error: HTTP 403: Access Denied. You have already checked the bucket ACLs and bucket policy and they look fine. You checked the IAM permissions of the users and they all have read access to the bucket. What else could be the problem? (Choose 2)

The objects are encrypted using KMS and the users do not have permission to decrypt them
The users' permissions are being restricted by the bucket policy
The S3 lifecycle policy has moved the objects to a different class of storage
The users' permissions are being restricted by a Service Control Policy
The objects have been compressed and the users do not have permission to extract the files

You are reviewing the Key policy attached to one of your CMKs and you notice the following statement: { "Effect": "Deny", "Principal": { "AWS": "arn:aws:iam::111122223333:user/betty" }, "Action": [ "kms:Encrypt" ], "Resource": "*", "Condition": { "StringEquals": { "kms:ViaService": [ "lambda.us-west-2.amazonaws.com" ] } } } What does this mean?

The policy prevents the CMK from being used for any encrypt operations unless the request comes from Lambda in us-west-2
The policy prevents the CMK from being used for encrypt operations when the request comes from AWS Lambda on behalf of the user betty
The policy allows the CMK to be used for encrypt operations unless the request comes from Lambda in us-west-2
The policy prevents the CMK from being used for encrypt operations if the request comes from the user betty
The policy prevents the CMK from being used for encrypt operations unless the request comes from the user betty
The policy prevents the CMK from being used when the request comes from AWS Lambda on behalf of the user betty

You need to temporarily delegate access to your internal auditor to decrypt encrypted files stored in S3. How can you do this in AWS?

Update the S3 bucket policy to add permission for the auditor to decrypt the files
Use a KMS Grant to grant access to use the CMK
Update the Key policy permissions to add permission to use the CMK
Update the user's IAM permissions to add permission to use the CMK

You have created a vault lock policy which is now in an in-progress state. Later on that day, you decide to alter the policy. What process can you follow in order to update the policy?

Update the lock policy while it is in-progress, then validate the policy to complete the lock
You will not be able to change the vault lock once it is in-progress
Validate the lock policy to complete the lock, then update the policy
Abort the lock and start again

Your web application is running on an auto-scaling group of EC2 instances behind an Elastic Load Balancer. You are receiving reports of multiple malicious requests which are attempting to perform a SQL injection attack. The requests are coming from a group of IP addresses in the same range. Which of the following could you do to block these requests to prevent them from impacting your application? (Choose 2)

Use AWS Inspector to block traffic from this IP address range
Use AWS WAF to block SQL traffic from this IP address range
Use AWS GuardDuty to block traffic from this IP address range
Use a NACL to block traffic from this IP range

Your Head of Security has asked you to recommend a solution to protect your website against DDoS attacks, SQL injection and cross-site scripting attacks. Which of the following services do you recommend? (Choose 3)

Use AWS Shield to protect against SQL injection
Use AWS Shield to protect against cross-site scripting
Use AWS WAF to protect against cross-site scripting
Use AWS Shield to protect against DDoS attacks
Use AWS WAF to protect against DDoS attacks
Use AWS WAF to protect against SQL injection

You have requested that your development team do not provision any new EC2 instances over the next few weekends while you are completing a security audit of your development environment. Last weekend, many of the developers worked overtime and most of them disregarded your request, which has invalidated a lot of the work you have completed so far. You have decided to take action to prevent this from happening again, and you have convinced the CTO to give you permission to automatically terminate any instances that the development team launches over the coming weekend. You want to accomplish this in the simplest way that will ensure any newly created EC2 instances are terminated as soon as possible to minimize the impact on your work. How do you plan to implement this?

Use CloudTrail to detect when a user launches a new instance. Develop a Lambda function to terminate EC2 instances that are launched between 08:00 on Saturday morning and 20:00 on Sunday evening.
Use CloudWatch scheduled events to trigger a Lambda Function once every hour to terminate any instances which were launched between 08:00 on Saturday morning and 20:00 on Sunday evening.
Use SNS to send a notification when a user launches a new instance. Develop a Lambda function to terminate EC2 instances that are launched between 08:00 on Saturday morning and 20:00 on Sunday evening.
Use AWS Config to automatically terminate any new instances that are created between 08:00 on Saturday morning and 20:00 on Sunday evening.

You are working for a government agency and your team would like to store confidential documents in S3. Your department head agrees but insists that you design an automated approach to making sure all S3 buckets remain private. How can you ensure that this policy is adhered to in an automated way?

Use CloudTrail to report any API activity which changes the public access permissions on any of your S3 buckets. Use a CloudWatch Events rule to trigger a Lambda function to remove public access permissions for any S3 buckets found to be publicly accessible.
Use AWS Config to report on any changes to the public access permissions on any of your S3 buckets. Use a CloudWatch Events rule to trigger a Lambda function to remove public access permissions for any S3 buckets found to be publicly accessible.
Use AWS Trusted Advisor to report on any publicly accessible S3 buckets. Use Lambda to remove public access permissions for any S3 buckets found to be publicly accessible.
Use CloudWatch to report on any changes to the public access permissions on any of your S3 buckets. Use a CloudWatch Events rule to trigger a Lambda function to remove public access permissions for any S3 buckets found to be publicly accessible.

You are working as a Security Architect at a large pharmaceutical company. You are responsible for the security of a large fleet of EC2 instances which run a proprietary data processing algorithm. This is a mission critical system which has taken your data scientists many years to develop. Your CISO is extremely concerned about intellectual property theft from industry competitors and has asked you to come up with a solution to protect your application from unauthorized and malicious activity and detect compromised instances. Which of the following is the best approach?

Use CloudTrail to report on any unusual API activity and AWS Shield to protect your EC2 instances
Use CloudTrail to report on any unusual API activity and use Amazon Inspector to report on any compromised EC2 instances
Use Amazon GuardDuty to report on any unusual API calls and detect compromised EC2 instances
Use AWS WAF to block IP traffic from known malicious domains and use Trusted Advisor to report on any compromised EC2 instances

You are working on a strictly confidential project and your Chief Information Security Officer has mandated that you must make sure that none of the EC2 instances being used for your project have a public IP address. You have been told that you are responsible for enforcing this and project funding will be withdrawn if the team does not comply. How can you enforce this? (Choose 3)

Use CloudTrail to trigger a Lambda function to remove any public IP addresses
Use AWS Config to monitor for compliance
Use CloudWatch Events to trigger a Lambda function to remove any public IP addresses
Use IAM policies to deny your administrators the ability to add a public IP address
Use Trusted Advisor to trigger a Lambda function to remove any public IP addresses
Run a manual check on each EC2 instance and remove any public IP addresses
Use Athena to query CloudTrail logs and generate a report of any public IP addresses that have been created

You are responsible for the security profile of a number of mission critical applications at a large global telecommunications company. Your team lead asks you to propose a solution to trace all changes made to the AWS infrastructure. You must also prevent any evidence from being tampered with or deleted by malicious actors attempting to conceal unauthorized activities. Which of the following approaches do you propose? (Choose 2)

Use CloudWatch Logs to log any changes made to your AWS infrastructure. Send logs to a dedicated S3 bucket. Grant read only access to the Security Team members who need to review the logs.
Enable CloudTrail in all AWS regions and send logs to a dedicated S3 bucket. Grant read only access to the Security Team members who need to review the logs. Only allow the Security Team permission to make changes in CloudTrail.
Verify the MD5 checksum value of the log files to check if they have been tampered with
Use AWS Config to notify you of any changes made to your AWS infrastructure. Send logs to a dedicated S3 bucket. Grant read only access to the Security Team members who need to review the logs.

You are working for an online retail company selling bathroom accessories. Your applications store a lot of data in S3 including customer related data, marketing preferences as well as supplier contact details and credit referencing data. Your Head of Security has asked you to prepare a presentation to the leadership team explaining the controls you have in place for storing PII, including a list of all S3 buckets which include files containing PII. How will you approach this?

Use Macie to identify files containing PII in your S3 buckets
Create a Lambda function which calls Amazon Comprehend to perform natural language processing on each file to identify files containing PII in your S3 buckets
Use Amazon Inspector to identify files containing PII in your S3 buckets
Use Athena to query the data in your S3 buckets and identify any files containing PII

You have an application running in AWS which needs to import a large amount of data stored on legacy systems in your on-premises data center. Your CEO has requested that you make sure the network connection is private, with reasonably consistent performance to prevent the application from timing out. Which of the following approaches do you recommend?

Use VPC peering between your VPC and the data center
Use Direct Connect
Use a site-to-site VPN
Transfer the data over the internet using CloudFront and HTTPS

You have been asked to make sure that insecure protocols like Telnet and FTP are disabled on all of your EC2 instances. You would like to perform a regular automated review of your environment. Which of the following solutions will meet this requirement?

Use a CloudWatch Event to trigger AWS Config to evaluate the restricted-common-ports rule for every EC2 instance.
Use a Lambda scheduled event to launch Trusted Advisor to run a check on security best practices.
Use a scheduled Lambda event to trigger AWS Config to evaluate the restricted-common-ports rule for every EC2 instance.
Use CloudWatch Events to schedule Amazon Inspector to complete a Runtime Behaviour Analysis check on every EC2 instance.

What is the recommended approach to configuring a mobile application to allow users to sign in and sign up to your application via Facebook?

Use a custom Lambda function to act as an Identity Broker between your application and the Web Identity Provider
Use Cognito as an Identity Broker between your application and the Web Identity Provider
Use IAM as an Identity Broker between your application and the Web Identity Provider
Use encrypted AWS credentials within your application code and store them locally on the device

You are about to begin using KMS to encrypt data in your AWS account. Your CTO asks you to create a key which can be automatically rotated once per year. Which type of key should you use?

Use an AWS owned CMK
Use an AWS managed CMK
Use a CMK managed by you
Use a CMK with imported key material

Your smartphone, which you use as a virtual MFA device, has been stolen. You are very concerned because that phone is only protected by a weak 4-digit PIN and is set up with the work email that you used to sign up for your AWS account. Select all correct answers that describe how you can sign in again in order to change your AWS password. (Choose 2)

You can still sign in from anywhere by just using your email address and password
As an IAM user, you need to contact your AWS account administrator, who then must deactivate (using the console, AWS CLI or API) the MFA device first before you can sign in.
For security reasons, you cannot sign in as an AWS account root user using alternative methods of authentication and you must contact AWS Support. AWS recommends doing so as soon as possible.
As an IAM user, you can complete the AWS Unusable MFA Device online form and provide a phone number. AWS will then call you within 15 minutes of your request for assistance and help you.
You borrow your friend's phone and (temporarily) configure his MFA software app to use the same virtual MFA by utilizing the copy of the QR code or the secret key which you printed and kept in a secure place.

You are trying to debug a Lambda function which writes S3 metadata to a DynamoDB table. All logs from the function should be going to CloudWatch Logs; however, the function never seems to be sending any logs. What could be the problem?

You have not launched your function properly
Your function does not have permission to write to DynamoDB
Your function does not have read permission for S3
Your function does not have permission to write to CloudWatch

You've migrated a legacy workflow application that is written in Java 1.4 from an on-premises server to a single EC2 instance configured in an auto scaling group with a max-size of 1 across multiple AZs in the Asia Pacific (Sydney) region. It periodically checks a database for new and updated records and sends out email notifications. In the logs, you see frequent timeout errors. What could be a possible cause and how can you fix this? (Choose 2)

You might have reached your Amazon email sending limits. To increase that, open a Sending Limit case in the AWS Support Center.
The app uses the standard JavaMail API on port 25. Amazon EC2 throttles traffic on that port of all EC2 instances by default, but you can request for this throttle to be removed.
You change an application properties file and update the currently used port from 25 to 2587, build a new AMI with that new version and configure your launch configuration to use that.
Amazon SES Endpoints are only available in the US East (N. Virginia), US West (Oregon) and EU (Ireland) regions. You cannot migrate your legacy app until SES becomes available in Australia.
