AWS Practice Exam 6 (Design Secure Architectures)


As a Solutions Architect, you have been hired to work with the engineering team at a company to create a REST API using the serverless architecture. Which of the following solutions will you recommend to move the company to the serverless architecture?

API Gateway exposing Lambda Functionality

A developer in your team has set up a classic 3 tier architecture composed of an Application Load Balancer, an Auto Scaling group managing a fleet of EC2 instances, and an Aurora database. As a Solutions Architect, you would like to adhere to the security pillar of the well-architected framework. How do you configure the security group of the Aurora database to only allow traffic coming from the EC2 instances?

Add a rule authorizing the EC2 security group

A DevOps engineer at an IT company was recently added to the admin group of the company's AWS account. The AdministratorAccess managed policy is attached to this group. Can you identify the AWS tasks that the DevOps engineer CANNOT perform even though he has full Administrator privileges (Select two)?

Configure an Amazon S3 bucket to enable MFA (Multi Factor Authentication) delete
Close the company's AWS account

An application hosted on Amazon EC2 contains sensitive personal information about all its customers and needs to be protected from all types of cyber-attacks. The company is considering using the AWS Web Application Firewall (WAF) to handle this requirement. Can you identify the correct solution leveraging the capabilities of WAF?

Create a CloudFront distribution for the application on Amazon EC2 instances. Deploy AWS WAF on Amazon CloudFront to provide the necessary safety measures

An online gaming company wants to block access to its application from specific countries; however, the company wants to allow its remote development team (from one of the blocked countries) to have access to the application. The application is deployed on EC2 instances running under an Application Load Balancer (ALB) with AWS WAF. As a solutions architect, which of the following solutions can be combined to address the given use-case? (Select two)

Use WAF geo match statement listing the countries that you want to block
Use WAF IP set statement that specifies the IP addresses that you want to allow through

A Silicon Valley based healthcare startup uses AWS Cloud for its IT infrastructure. The startup stores patient health records on Amazon S3. The engineering team needs to implement an archival solution based on Amazon S3 Glacier to enforce regulatory and compliance controls on data access. As a solutions architect, which of the following solutions would you recommend?

Use S3 Glacier vault to store the sensitive archived data and then use a vault lock policy to enforce compliance controls

A retail company wants to establish encrypted network connectivity between its on-premises data center and AWS Cloud. The company wants to get the solution up and running in the fastest possible time and it should also support encryption in transit. As a solutions architect, which of the following solutions would you suggest to the company?

Use Site-to-Site VPN to establish encrypted network connectivity between the on-premises data center and AWS Cloud

A mobile chat application uses DynamoDB as its database service to provide low latency chat updates. A new developer has joined the team and is reviewing the configuration settings for DynamoDB which have been tweaked for certain technical requirements. CloudTrail service has been enabled on all the resources used for the project. Yet, DynamoDB encryption details are nowhere to be found. Which of the following options can explain the root cause for the given issue?

By default, all DynamoDB tables are encrypted under an AWS owned customer master key (CMK), which does not write to CloudTrail logs

A pharmaceutical company is considering moving to AWS Cloud to accelerate the research and development process. Most of the daily workflows would be centered around running batch jobs on EC2 instances with storage on EBS volumes. The CTO is concerned about meeting HIPAA compliance norms for sensitive data stored on EBS. Which of the following options outline the correct capabilities of an encrypted EBS volume? (Select three)

Data at rest inside the volume is encrypted
Any snapshot created from the volume is encrypted
Data moving between the volume and the instance is encrypted

A pharma company is working on developing a vaccine for the COVID-19 virus. The researchers at the company want to process the reference healthcare data in a highly available as well as HIPAA compliant in-memory database that supports caching results of SQL queries. As a solutions architect, which of the following AWS services would you recommend for this task?

ElastiCache for Redis/Memcached

A financial services company is moving its IT infrastructure to AWS Cloud and wants to enforce adequate data protection mechanisms on Amazon S3 to meet compliance guidelines. The engineering team has hired you as a solutions architect to build a solution for this requirement. Can you help the team identify the INCORRECT option from the choices below?

S3 can encrypt object metadata by using Server-Side Encryption

A Silicon Valley based startup helps its users legally sign highly confidential contracts. To meet the compliance guidelines, the startup must ensure that the signed contracts are encrypted using the AES-256 algorithm via an encryption key that is generated internally. The startup is now migrating to AWS Cloud and would like the data to be encrypted on AWS. The startup wants to continue using their existing encryption key generation mechanism. What do you recommend?

SSE-C

While troubleshooting, a cloud architect realized that the Amazon EC2 instance is unable to connect to the internet using the Internet Gateway. Which conditions should be met for internet connectivity to be established? (Select two)

The network ACLs associated with the subnet must have rules to allow inbound and outbound traffic
The route table in the instance's subnet should have a route to an Internet Gateway

An e-commerce company uses a two-tier architecture with application servers in the public subnet and an RDS MySQL DB in a private subnet. The development team can use a bastion host in the public subnet to access the MySQL DB and run queries from the bastion host. However, end-users are reporting application errors. Upon inspecting application logs, the team notices several "could not connect to server: connection timed out" error messages. Which of the following options represents the root cause for this issue?

The security group configuration for the DB instance does not have the correct rules to allow inbound connections from the application servers

A global media company uses a fleet of EC2 instances (behind an Application Load Balancer) to power its video streaming application. To improve the performance of the application, the engineering team has also created a CloudFront distribution with the Application Load Balancer as the custom origin. The security team at the company has noticed a spike in the number and types of SQL injection and cross-site scripting attack vectors on the application. As a solutions architect, which of the following solutions would you recommend as the MOST effective in countering these malicious attacks?

Use Web Application Firewall (WAF) with CloudFront distribution

The infrastructure team at a company maintains 5 different VPCs (let's call these VPCs A, B, C, D, E) for resource isolation. Due to the changed organizational structure, the team wants to interconnect all VPCs together. To facilitate this, the team has set up VPC peering connections between VPC A and all other VPCs in a hub and spoke model with VPC A at the center. However, the team has still failed to establish connectivity between all VPCs. As a solutions architect, which of the following would you recommend as the MOST resource-efficient and scalable solution?

Use a transit gateway to interconnect the VPCs
