Security
A developer is managing an application hosted in EC2, which stores data in an S3 bucket. To comply with the new security policy, the developer must ensure that the data should be encrypted at rest using an encryption key that is provided and managed by the company. The change should also provide AES-256 encryption to their data. Which of the following actions should the developer take to achieve this?
- Implement Amazon S3 server-side encryption with customer-provided keys (SSE-C). - Encrypt the data on the client-side before sending to Amazon S3 using their own master key.
You are a software developer for a multinational investment bank which has a hybrid cloud architecture with AWS. To improve the security of their applications, they decided to use AWS Key Management Service (KMS) to create and manage their encryption keys across a wide range of AWS services. You were given the responsibility to integrate AWS KMS with the financial applications of the company. Which of the following are the recommended steps to locally encrypt data using AWS KMS that you should follow?
- Use the GenerateDataKey operation to get a data encryption key then use the plaintext data key in the response to encrypt data locally. - Erase the plaintext data key from memory and store the encrypted data key alongside the locally encrypted data.
You are developing an application that will be hosted in an EC2 instance, which will process encrypted files stored on its EBS volume. The files should first be decrypted locally before the application can proceed with the processing of the files. Which of the following are valid and secure steps in decrypting data?
- Use the plaintext data key to decrypt data locally, then erase the plaintext data key from memory. - Use the Decrypt operation to decrypt the encrypted data key.
A company has a static website running in an Auto Scaling group of EC2 instances which they want to convert as a dynamic e-commerce web portal. One of the requirements is to use HTTPS to improve the security of their portal and to also improve their search ranking as a reputable and secure site. A developer recently requested for an SSL/TLS certificate from a third-party certificate authority (CA) which is ready to be imported to AWS. Which of the following services can the developer use to safely import the SSL/TLS certificate?
AWS Certificate Manager or IAM certificate store
An application hosted in an Auto Scaling group of On-Demand EC2 instances is used to process data polled from an SQS queue and the generated output is stored in an S3 bucket. To improve security, you were tasked to ensure that all objects in the S3 bucket are encrypted at rest using server-side encryption with AWS KMS-Managed Keys (SSE-KMS). Which of the following is required to properly implement this requirement?
Add a bucket policy which denies any s3:PutObject action unless the request includes the x-amz-server-side-encryption header
A developer is preparing the application specification (AppSpec) file in CodeDeploy, which will be used to deploy her Lambda functions to AWS. In the deployment, she needs to configure CodeDeploy to run a task before the traffic is shifted to the deployed Lambda function version. Which deployment lifecycle event should she configure in this scenario?
BeforeAllowTraffic
A startup has recently launched a high-quality photo sharing portal using Amazon Lightsail and S3. They noticed that there are other external websites which are linking and using their photos without permission. This has caused an increase on their data transfer cost and potential revenue loss. Which of the following is the MOST effective method to solve this issue?
Configure the S3 bucket to remove public read access and use pre-signed URLs with expiry dates.
A developer is building an application that will be hosted in ECS which needs to configured to run its tasks and services using the Fargate launch type. The application will have four different tasks where each task will access various AWS resources that are different from the other tasks. Which of the following is the MOST efficient solution that can provide your application in ECS access to the required AWS resources?
Create 4 different IAM Roles with the required permissions and attach them to each of the 4 ECS tasks.
A serverless application is composed of several Lambda functions which reads data from RDS. These functions must share the same connection string that should be encrypted to improve data security. Which of the following is the MOST secure way to meet the above requirement?
Create a Secure String Parameter using the AWS Systems Manager Parameter Store.
A company is currently in the process of integrating their on-premises data center to their cloud infrastructure in AWS. One of the requirements is to integrate the on-premises Lightweight Directory Access Protocol (LDAP) directory service to their AWS VPC using IAM. Which of the following provides the MOST suitable solution to implement if the identity store that they are using is not compatible with SAML?
Create a custom identity broker application in your on-premises data center and use STS to issue short-lived AWS credentials.
To improve their information security management system (ISMS), a company recently released a new policy which requires all database credentials to be encrypted and be automatically rotated to avoid unauthorized access. Which of the following is the MOST appropriate solution to secure the credentials?
Create a secret in AWS Secrets Manager and enable automatic rotation of the database credentials.
The users of a social media website must be authenticated using social identity providers such as Twitter, Facebook, and Google. Users can login to the site which will allow them to upload their selfies, memes, and other media files in an S3 bucket. As an additional feature, you should also enable guest user access to certain sections of the website. Which of the following should you do to accomplish this task? Create a User Pool in Amazon Cognito and enable access to unauthenticated identities. (Incorrect)
Create an Identity Pool in Amazon Cognito and enable access to unauthenticated identities.
You work for a software development company where the teams are divided into distinct projects. The management wants to have separation on their AWS resources, which will have a detailed report on the costs of each project. Which of the following options is the recommended way to implement this?
Create separate AWS accounts for each project and use consolidated billing.
A company has recently adopted a hybrid cloud architecture to augment their on-premises data center with virtual private clouds (VPCs) in AWS. You were assigned to manage all of the company's cloud infrastructure including the security of their resources using IAM. In this scenario, which of the following are best practices in managing security in AWS?
Delete root user access keys and grant only the permissions required by the resource to perform a task
A web application is currently using an on-premises Microsoft SQL Server 2017 Enterprise Edition database. Your manager instructed you to migrate the application to Elastic Beanstalk and the database to RDS. For additional security, you must configure your database to automatically encrypt data before it is written to storage, and automatically decrypt data when the data is read from storage. Which of the following services will you use to achieve this?
Enable Transparent Data Encryption (TDE)
Your development team is currently developing a financial application in AWS. One of the requirements is to create and control the encryption keys used to encrypt your data using the envelope encryption strategy to comply with the strict IT security policy of the company. Which of the following correctly describes the process of envelope encryption?
Encrypt plaintext data with a data key and then encrypt the data key with a top-level plaintext master key.
You are building a distributed system using KMS where you need to encrypt data at a later time. An API must be called that returns only the encrypted copy of the data key which you will use for encryption. After an hour, you will decrypt the data key by calling the Decrypt API then using the returned plaintext data key to finally encrypt the data. Which is the MOST suitable KMS API that the system should use to securely implement the requirements described above?
GenerateDataKeyWithoutPlaintext
A programmer is developing a Node.js application which will be run in a Linux server on their on-premises data center. The application will access various AWS services such as S3, DynamoDB, and ElastiCache using the AWS SDK. Which of the following is the MOST suitable way to provide access to the developer in order to accomplish the specified task?
Go to the AWS Console and create a new IAM user with programmatic access. In the application server, create the credentials file at ~/.aws/credentials with the access keys of the IAM user
A company has different AWS accounts, namely Account A, Account B, and Account C, which are used for their Development, Test, and Production environments respectively. A developer needs access to perform an audit whenever a new version of the application has been deployed to the Test (Account B) and production (Account C) environments. What is the MOST efficient way to provide the developer access to execute the specified task?
Grant the developer cross-account access to the resources of Accounts B and C.
A company is using AWS Organizations to manage its multiple AWS accounts which is being used by its various departments. To avoid security issues, it is of utmost importance to test the impact of service control policies (SCPs) on your IAM policies and resource policies before applying them. Which of the following services can you use to test and troubleshoot IAM and resource-based policies?
IAM Policy Simulator
A developer is designing a multitiered system which utilizes various AWS resources. The application will be hosted in Elastic Beanstalk, which uses an RDS database and an S3 bucket that is configured to use Server-Side Encryption with Customer-Provided Encryption Keys (SSE-C). In this configuration, Amazon S3 does not store the encryption key you provide but instead, stores a randomly salted hash-based message authentication code (HMAC) value of the encryption key in order to validate future requests. Which of the following is a valid consideration that the developer should keep in mind when implementing this architecture?
If you lose the encryption key, you lose the object.
A cryptocurrency exchange portal has a key management service hosted in their on-premises data center, which stores encryption keys and uses an RSA asymmetric encryption algorithm. The company has recently implemented a hybrid cloud architecture in AWS and you were assigned to migrate the exchange portal to their cloud infrastructure. For security compliance, the keys should be stored in dedicated, third-party validated hardware security modules under your exclusive control. Which of the following is the BEST solution that you should implement to meet the above requirement?
Import the encryption keys from your on-premises key management service to AWS CloudHSM.
You are developing a new batch job for the enterprise application suite in your company, which is hosted in an Auto Scaling group of EC2 instances behind an ELB. The application is using an S3 bucket configured with Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS). The batch job must upload files to the bucket using the default AWS KMS key to protect the data at rest. What should you do to satisfy this requirement with the LEAST amount of configuration?
Include the x-amz-server-side-encryption header with a value of aws:kms in your upload request
A financial mobile application has a serverless backend API which consists of DynamoDB, Lambda, and Cognito. Due to the confidential financial transactions handled by the mobile application, there is a new requirement provided by the company to add a second authentication method that doesn't rely solely on user name and password. Which of the following is the MOST suitable solution that the developer should implement?
Integrate multi-factor authentication (MFA) to a user pool in Cognito to protect the identity of your users.
A software engineer is building a serverless application in AWS consisting of Lambda, API Gateway, and DynamoDB. She needs to implement a custom authorization scheme that uses a bearer token authentication strategy such as OAuth or SAML to determine the caller's identity. Which of the features of API Gateway is the MOST suitable one that she should use to build this feature?
Lambda Authorizers
You have a private S3 bucket that stores application logs and the bucket contents are accessible to all members of the Developer IAM group. However, you want to make an object inside the bucket which should only be accessible to the members of Admin IAM group. How can you apply an S3 bucket policy to this object using AWS CLI?
None of the above.
A developer is using API Gateway Lambda Authorizer to securely authenticate the API requests to their web application. The authentication process should be implemented using a custom authorization scheme which accepts header and query string parameters from the API caller. Which of the following methods should the developer use to properly implement the above requirement?
Request Parameter-based Authorization
A prototype application is hosted in an EC2 instance, which has an assigned IAM Role to store data from both the development and production S3 buckets. The instance also has an AWS CLI installed to handle other ad hoc tasks. You assigned a new IAM Role to the instance which has the permission to access the development bucket only. However, upon testing, the instance can still store files to both buckets. What is the MOST likely root cause of this issue?
The application is still using the IAM role that is configured in the AWS CLI
A developer runs a shell script that uses the AWS CLI to upload a large file to an S3 bucket, which includes an AWS KMS key. An Access Denied error always shows up whenever the developer uploads a file with a size of 100 GB or more. However, when he tried to upload a smaller file with the KMS key, the upload succeeds. Which of the following are possible reasons why this issue is happening?
The developer does not have the kms:Decrypt permission, or the AWS CLI S3 commands perform a multipart upload when the file is large
A developer is using API Gateway Lambda Authorizer to provide authentication for every API request and control access to your API. The requirement is to implement an authentication strategy which is similar to OAuth or SAML. Which of the following is the MOST suitable method that the developer should use in this scenario?
Token-based Authorization
A company has a suite of web applications that is heavily using RDS database in Multi-AZ Deployments configuration with several Read Replicas. For improved security, you were instructed to ensure that all of their database credentials, API keys, and other secrets are encrypted and rotated on a regular basis. You should also configure your applications to use the latest version of the encrypted credentials when connecting to the RDS database. Which of the following is the MOST appropriate solution to secure the credentials?
Use AWS Secrets Manager to store and encrypt the credentials and enable automatic rotation.
Your team is developing a serverless application, which is composed of multiple Lambda functions which process data from an SQS queue and stores the results to an RDS database. To comply with the strict IT policy of the company, you were instructed to configure these functions to share the same connection string that should be properly secured and encrypted. What should you do to protect, encrypt, and share your database credentials in AWS?
Use AWS Systems Manager Parameter Store as a Secure String Parameter.
A developer is building the cloud architecture of an application which will be hosted in a large EC2 instance. The application will process the data and it will upload results to an S3 bucket. Which of the following is the SAFEST way to implement this architecture?
Use an IAM Role to grant the application the necessary permissions to upload data to S3.
A developer needs to encrypt all objects being uploaded by their application to the S3 bucket to comply with the company's security policy. The bucket will use server-side encryption with Amazon S3-Managed encryption keys (SSE-S3) to encrypt the data using 256-bit Advanced Encryption Standard (AES-256) block cipher. Which of the following request headers should the developer use?
x-amz-server-side-encryption
Your manager assigned you a task of implementing server-side encryption with customer-provided encryption keys (SSE-C) to your S3 bucket, which will allow you to set your own encryption keys. Amazon S3 will manage both the encryption and decryption process using your key when you access your objects, which will remove the burden of maintaining any code to perform data encryption and decryption. To properly upload data to this bucket, which of the following headers must be included in your request?
x-amz-server-side-encryption-customer-algorithm, x-amz-server-side-encryption-customer-key and x-amz-server-side-encryption-customer-key-MD5 headers