Exam Practice Quiz 01

Question 1 of 71

1. Question

George has launched three EC2 instances inside the US-East-1a zone with his AWS account. Ray has launched two EC2 instances in the US-East-1a zone with his AWS account. Which of the below mentioned statements will help George and Ray understand the availability zone (AZ) concept better?

The instances of George and Ray will be running in the same data center
All the instances of George and Ray can communicate over a private IP with a minimal cost
All the instances of George and Ray can communicate over a private IP without any cost
US-East-1a region of George and Ray can be different availability zones

Question 2 of 71

2. Question

Which service enables AWS customers to manage users and permissions in AWS?

AWS Access Control SERVICE (ACS)
AWS Identity and Access Management (IAM)
AWS Identity Manager (AIM)

Question 3 of 71

3. Question

IAM provides several policy templates you can use to automatically assign permissions to the groups you create. The _____ policy template gives the Admins group permission to access all account resources, except your AWS account information

Read Only Access
Power User Access
AWS Cloud Formation Read Only Access
Administrator Access

Question 4 of 71

4. Question

Every user you create in the IAM system starts with _________.

Partial permissions
Full permissions
No permissions

Question 5 of 71

5. Question

Groups can’t _____.

be nested more than 3 levels
be nested at all
be nested more than 4 levels
be nested more than 2 levels

Question 6 of 71

6. Question

The _____ service is targeted at organizations with multiple users or systems that use AWS products such as Amazon EC2, Amazon Simple DB, and the AWS Management Console.

Amazon RDS
AWS Integrity Management
AWS Identity and Access Management
Amazon EMR

Question 7 of 71

7. Question

An AWS customer is deploying an application that is composed of an Auto Scaling group of EC2 Instances. The customer’s security policy requires that every outbound connection from these instances to any other service within the customers Virtual Private Cloud must be authenticated using a unique x 509 certificate that contains the specific instance id. In addition, an x 509 certificates must Designed by the customer’s Key management service in order to be trusted for authentication. Which of the following configurations will support these requirements?

Configure an IAM Role that grants access to an Amazon S3 object containing a signed certificate and configure the Auto Scaling group to launch instances with this role Have the instances bootstrap get the certificate from Amazon S3 upon first boot.
Embed a certificate into the Amazon Machine Image that is used by the Auto Scaling Group Have the launched instances generate a certificate signature request with the instance’s assigned instance-id to the Key management service for signature.
Configure the Auto Scaling group to send an SNS notification of the launch of a new instance to the trusted key management service. Have the Key management service generate a signed certificate and send it directly to the newly launched instance.
Configure the launched instances to generate a new certificate upon first boot Have the Key management service poll the Auto Scaling group for associated instances and send new instances a certificate signature (hat contains the specific instance-id

Question 8 of 71

8. Question

When assessing an organization AWS use of AWS API access credentials which of the following three credentials should be evaluated? Choose 3 answers

Key pairs
Console passwords
Access keys
Signing certificates
Security Group memberships

Question 9 of 71

9. Question

An organization has created 50 IAM users. The organization wants that each user can change their password but cannot change their access keys. How can the organization achieve this?

The organization has to create a special password policy and attach it to each user
The root account owner has to use CLI which forces each IAM user to change their password on first login
By default each IAM user can modify their passwords
Root account owner can set the policy from the IAM console under the password policy screen

Question 10 of 71

10. Question

An organization has created 50 IAM users. The organization has introduced a new policy which will change the access of an IAM user. How can the organization implement this effectively so that there is no need to apply the policy at the individual user level?

Use the IAM groups and add users as per their role to different groups and apply policy to group
The user can create a policy and apply it to multiple users in a single go with the AWS CLI
Add each user to the IAM role as per their organization role to achieve effective policy setup
Use the IAM role and implement access at the role level

Question 11 of 71

11. Question

Your organization’s security policy requires that all privileged users either use frequently rotated passwords or one-time access credentials in addition to username/password. Which two of the following options would allow an organization to enforce this policy for AWS users? (Choose 2 answers)

Configure multi-factor authentication for privileged IAM users
Create IAM users for privileged accounts
Implement identity federation between your organization’s Identity provider leveraging the IAM Security Token Service
Enable the IAM single-use password policy option for privileged users

Question 12 of 71

12. Question

Your organization is preparing for a security assessment of your use of AWS. In preparation for this assessment, which two IAM best practices should you consider implementing? (Choose 2 answers)

Create individual IAM users for everyone in your organization
Configure MFA on the root account and for privileged IAM users
Assign IAM users and groups configured with policies granting least privilege access
Ensure all users have been assigned and are frequently rotating a password, access ID/secret key, and X.509 certificate

Question 13 of 71

13. Question

A company needs to deploy services to an AWS region which they have not previously used The company currently has an AWS identity and Access Management (IAM) role for the Amazon EC2 instances, which permits the instance to have access to Amazon Dynamo DB The company wants their EC2 instances in the new region to have the same privileges. How should the company achieve this?

Create a new IAM role and associated policies within the new region
Assign the existing IAM role to the Amazon EC2 instances in the new region
Copy the IAM role and associated policies to the new region and attach it to the instances
Create an Amazon Machine Image (AMI) of the instance and copy it to the desired region using the AMI Copy feature

Question 14 of 71

14. Question

After creating a new IAM user which of the following must be done before they can successfully make API calls?

Add a password to the user.
Enable Multi-Factor Authentication for the user.
Assign a Password Policy to the user.
Create a set of Access Keys for the user

Question 15 of 71

15. Question

An organization is planning to create a user with IAM. They are trying to understand the limitations of IAM so that they can plan accordingly. Which of the below mentioned statements is not true with respect to the limitations of IAM?

One IAM user can be a part of a maximum of 10 groups
Organization can create 100 groups per AWS account
One AWS account can have a maximum of 5000 IAM users
One AWS account can have 250 roles

Question 16 of 71

16. Question

Within the IAM service a GROUP is regarded as a:

A collection of AWS accounts
It’s the group of EC2 machines that gain the permissions specified in the GROUP.
There’s no GROUP in IAM, but only USERS and RESOURCES.
A collection of users.

Question 17 of 71

17. Question

Is there a limit to the number of groups you can have?

Yes for all users except root
No
Yes unless special permission granted
Yes for all users

Question 18 of 71

18. Question

What is the default maximum number of MFA devices in use per AWS account (at the root account level)?

1
5
15
10

Question 19 of 71

19. Question

When you use the AWS Management Console to delete an IAM user, IAM also deletes any signing certificates and any access keys belonging to the user.

FALSE
This is configurable
TRUE

Question 20 of 71

20. Question

You are setting up a blog on AWS. In which of the following scenarios will you need AWS credentials? (Choose 3)

Sign in to the AWS management console to launch an Amazon EC2 instance
Sign in to the running instance to instance some software
Launch an Amazon RDS instance
Log into your blog’s content management system to write a blog post
Post pictures to your blog on Amazon S3

Question 21 of 71

21. Question

IAM’s Policy Evaluation Logic always starts with a default ____________ for every request, except for those that use the AWS account’s root security credentials by

Permit
Deny
Cancel

Question 22 of 71

22. Question

An organization has created 10 IAM users. The organization wants each of the IAM users to have access to a separate Dynamo DB table. All the users are added to the same group and the organization wants to setup a group level policy for this. How can the organization achieve this?

Define the group policy and add a condition which allows the access based on the IAM name
Create a Dynamo DB table with the same name as the IAM user name and define the policy rule which grants access based on the Dynamo DB ARN using a variable
Create a separate Dynamo DB database for each user and configure a policy in the group based on the DB variable
It is not possible to have a group level policy which allows different IAM users to different Dynamo DB Tables

Question 23 of 71

23. Question

An organization has setup multiple IAM users. The organization wants that each IAM user accesses the IAM console only within the organization and not from outside. How can it achieve this?

Create an IAM policy with the security group and use that security group for AWS console login
Create an IAM policy with a condition which denies access when the IP address range is not from the organization
Configure the EC2 instance security group which allows traffic only from the organization’s IP range
Create an IAM policy with VPC and allow a secure gateway between the organization and AWS Console

Question 24 of 71

24. Question

Can I attach more than one policy to a particular entity?

Yes always
Only if within GovCloud
No
Only if within VPC

Question 25 of 71

25. Question

A __________ is a document that provides a formal statement of one or more

permissions.
policy
permission
Role
resource

Question 26 of 71

26. Question

A __________ is the concept of allowing (or disallowing) an entity such as a user, group, or role some type of access to one or more resources.

user
AWS Account
resource
permission

Question 27 of 71

27. Question

True or False: When using IAM to control access to your RDS resources, the key names that can be used are case sensitive. For example, aws:CurrentTime is NOT equivalent to AWS:currenttime.

TRUE
FALSE

Question 28 of 71

28. Question

What are the recommended best practices for IAM? (Choose 3 answers)

Grant least privilege
User the AWS account(root) for regular user
Use Multi-Factor Authentication (MFA)
Store access key/private key in GIT
Rotate credentials regularly

Question 29 of 71

29. Question

A company is building software on AWS that requires access to various AWS services. Which configuration should be used to ensure that AWS credentials (i.e., Access Key ID/Secret Access Key combination) are not compromised?

Enable Multi-Factor Authentication for your AWS root account.
Assign an IAM role to the Amazon EC2 instance.
Store the AWS Access Key ID/Secret Access Key combination in software comments.
Assign an IAM user to the Amazon EC2 Instance.

Question 30 of 71

30. Question

A photo-sharing service stores pictures in Amazon Simple Storage Service (S3) and allows application sign-in using an OpenID Connect-compatible identity provider. Which AWS Security Token Service approach to temporary access should you use for the Amazon S3 operations?

SAML-based Identity Federation
Cross-Account Access
AWS IAM users
Web Identity Federation

Question 31 of 71

31. Question

A company is preparing to give AWS Management Console access to developers. Company policy mandates identity federation and role-based access control. Roles are currently assigned using groups in the corporate Active Directory. What combination of the following will give developers access to the AWS console? (Select 2)

AWS Directory Service AD Connector
AWS Directory Service Simple AD
AWS Identity and Access Management groups
AWS identity and Access Management roles
AWS identity and Access Management users

Question 32 of 71

32. Question

A customer needs corporate IT governance and cost oversight of all AWS resources consumed by its divisions. The divisions want to maintain administrative control of the discrete AWS resources they consume and keep those resources separate from the resources of other divisions. Which of the following options, when used together will support the autonomy/control of divisions while enabling corporate IT to maintain governance and cost oversight? (Choose 2 answers)

Use AWS Consolidated Billing and disable AWS root account access for the child accounts.
Enable IAM cross-account access for all corporate IT administrators in each child account.
Create separate VPCs for each division within the corporate IT AWS account.
Use AWS Consolidated Billing to link the divisions’ accounts to a parent corporate account.
Write all child AWS CloudTrail and Amazon CloudWatch logs to each child account’s Amazon S3 ‘Log’ bucket.

Question 33 of 71

33. Question

Which of the following items are required to allow an application deployed on an EC2 instance to write data to a DynamoDB table? Assume that no security keys are allowed to be stored on the EC2 instance. (Choose 2 answers)

Create an IAM Role that allows write access to the DynamoDB table
Add an IAM Role to a running EC2 instance.
Create an IAM User that allows write access to the DynamoDB table.
Add an IAM User to a running EC2 instance.
Launch an EC2 Instance with the IAM Role included in the launch configuration

Question 34 of 71

34. Question

Which technique can be used to integrate AWS IAM (Identity and Access Management) with an on-premise LDAP (Lightweight Directory Access Protocol) directory service?

Use an IAM policy that references the LDAP account identifiers and the AWS credentials.
Use SAML (Security Assertion Markup Language) to enable single sign-on between AWS and LDAP
Use AWS Security Token Service from an identity broker to issue short-lived AWS credentials.
Use IAM roles to automatically rotate the IAM credentials when LDAP credentials are updated
Use the LDAP credentials to restrict a group of users from launching specific EC2 instance types

Question 35 of 71

35. Question

You are looking to migrate your Development (Dev) and Test environments to AWS. You have decided to use separate AWS accounts to host each environment. You plan to link each accounts bill to a Master AWS account using Consolidated Billing. To make sure you Keep within budget you would like to implement a way for administrators in the Master account to have access to stop, delete and/or terminate resources in both the Dev and Test accounts. Identify which option will allow you to achieve this goal.

Create IAM users in the Master account with full Admin permissions. Create cross-account roles in the Dev and Test accounts that grant the Master account access to the resources in the account by inheriting permissions from the Master account.
Create IAM users and a cross-account role in the Master account that grants full Admin permissions to the Dev and Test accounts.
Create IAM users in the Master account Create cross-account roles in the Dev and Test accounts that have full Admin permissions and grant the Master account access
Link the accounts using Consolidated Billing. This will give IAM users in the Master account access to resources in the Dev and Test accounts

Question 36 of 71

36. Question

You have an application running on an EC2 Instance which will allow users to download flies from a private S3 bucket using a pre-assigned URL. Before generating the URL the application should verify the existence of the file in S3. How should the application use AWS credentials to access the S3 bucket securely?

Use the AWS account access Keys the application retrieves the credentials from the source code of the application.
Create a IAM user for the application with permissions that allow list access to the S3 bucket launch the instance as the IAM user and retrieve the IAM user’s credentials from the EC2 instance user data
Create an IAM role for EC2 that allows list access to objects in the S3 bucket. Launch the instance with the role, and retrieve the role’s credentials from the EC2 Instance metadata
Create an IAM user for the application with permissions that allow list access to the S3 bucket. The application retrieves the IAM user credentials from a temporary directory with permissions that allow read access only to the application user.

Question 37 of 71

37. Question

You are designing a photo sharing mobile app the application will store all pictures in a single Amazon S3 bucket. Users will upload pictures from their mobile device directly to Amazon S3 and will be able to view and download their own pictures directly from Amazon S3. You want to configure security to handle potentially millions of users in the most secure manner possible. What should your server-side application do when a new user registers on the photo-sharing mobile application?

Create a set of long-term credentials using AWS Security Token Service with appropriate permissions Store these credentials in the mobile app and use them to access Amazon S3.
Record the user’s Information in Amazon RDS and create a role in IAM with appropriate permissions. When the user uses their mobile app create temporary credentials using the AWS Security Token Service ‘AssumeRole’ function Store these credentials in the mobile app’s memory and use them to access Amazon S3 Generate new credentials the next time the user runs the mobile app.
Record the user’s Information In Amazon DynamoDB When the user uses their mobile app create temporary credentials using AWS Security Token Service with appropriate permissions Store these credentials in the mobile app’s memory and use them to access Amazon S3 Generate new credentials the next time the user runs the mobile app.
Create IAM user. Assign appropriate permissions to the IAM user Generate an access key and secret key for the IAM user, store them in the mobile app and use these credentials to access Amazon S3.
Create an IAM user. Update the bucket policy with appropriate permissions for the IAM user Generate an access Key and secret Key for the IAM user, store them In the mobile app and use these credentials to access Amazon S3.

Question 38 of 71

38. Question

Your company has recently extended its datacenter into a VPC on AWS to add burst computing capacity as needed Members of your Network Operations Center need to be able to go to the AWS Management Console and administer Amazon EC2 instances as necessary You don’t want to create new IAM users for each NOC member and make those users sign in again to the AWS Management Console Which option below will meet the needs for your NOC members?

Use OAuth 2 0 to retrieve temporary AWS security credentials to enable your NOC members to sign in to the AVVS Management Console.
Use web Identity Federation to retrieve AWS temporary security credentials to enable your NOC members to sign in to the AWS Management Console.
Use your on-premises SAML 2.O-compliant identity provider (IDP) to grant the NOC members federated access to the AWS Management Console via the AWS single sign-on (SSO) endpoint.
Use your on-premises SAML 2.0-compliant identity provider (IDP) to retrieve temporary security credentials to enable NOC members to sign in to the AWS Management Console

Question 39 of 71

39. Question

An administrator is using Amazon CloudFormation to deploy a three tier web application that consists of a web tier and application tier that will utilize Amazon DynamoDB for storage when creating the CloudFormation template which of the following would allow the application instance access to the DynamoDB tables without exposing API credentials?

Create an Identity and Access Management Role that has the required permissions to read and write from the required DynamoDB table and associate the Role to the application instances by referencing an instance profile.
Use the Parameter section in the Cloud Formation template to nave the user input Access and Secret Keys from an already created IAM user that has me permissions required to read and write from the required DynamoDB table.
Create an Identity and Access Management Role that has the required permissions to read and write from the required DynamoDB table and reference the Role in the instance profile property of the application instance.

Question 40 of 71

40. Question

An enterprise wants to use a third-party SaaS application. The SaaS application needs to have access to issue several API commands to discover Amazon EC2 resources running within the enterprise’s account. The enterprise has internal security policies that require any outside access to their environment must conform to the principles of least privilege and there must be controls in place to ensure that the credentials used by the SaaS vendor cannot be used by any other third party. Which of the following would meet all of these conditions?

From the AWS Management Console, navigate to the Security Credentials page and retrieve the access and secret key for your account.
Create an IAM user within the enterprise account assign a user policy to the IAM user that allows only the actions required by the SaaS application create a new access and secret key for the user and provide these credentials to the SaaS provider.
Create an IAM role for cross-account access allows the SaaS provider’s account to assume the role and assign it a policy that allows only the actions required by the SaaS application.
Create an IAM role for EC2 instances, assign it a policy mat allows only the actions required tor the Saas application to work, provide the role ARM to the SaaS provider to use when launching their application instances.

Question 41 of 71

41. Question

A corporate web application is deployed within an Amazon Virtual Private Cloud (VPC) and is connected to the corporate data center via an IPsec VPN. The application must authenticate against the on-premises LDAP server. After authentication, each logged-in user can only access an Amazon Simple Storage Space (S3) key space specific to that user. Which two approaches can satisfy these objectives? (Choose 2 answers)

Develop an identity broker that authenticates against IAM security Token service to assume a IAM role in order to get temporary AWS security credentials. The application calls the identity broker to get AWS temporary security credentials with access to the appropriate S3 bucket
The application authenticates against LDAP and retrieves the name of an IAM role associated with the user. The application then calls the IAM Security Token Service to assume that IAM role. The application can use the temporary credentials to access the appropriate S3 bucket
Develop an identity broker that authenticates against LDAP and then calls IAM Security Token Service to get IAM federated user credentials The application calls the identity broker to get IAM federated user credentials with access to the appropriate S3 bucket
The application authenticates against LDAP the application then calls the AWS identity and Access Management (IAM) Security Token service to log in to IAM using the LDAP credentials the application can use the IAM temporary credentials to access the appropriate S3 bucket
The application authenticates against IAM Security Token Service using the LDAP credentials the application uses those temporary AWS security credentials to access the appropriate S3 bucket

Question 42 of 71

42. Question

Company B is launching a new game app for mobile devices. Users will log into the game using their existing social media account to streamline data capture. Company B would like to directly save player data and scoring information from the mobile app to a DynamoDB table named Score Data When a user saves their game the progress data will be stored to the Game state S3 bucket. What is the best approach for storing data to DynamoDB and S3?

Use an EC2 Instance that is launched with an EC2 role providing access to the Score Data DynamoDB table and the GameState S3 bucket that communicates with the mobile app via web services.
Use temporary security credentials that assume a role providing access to the Score Data DynamoDB table and the Game State S3 bucket using web identity federation
Use Login with Amazon allowing users to sign in with an Amazon account providing the mobile app with access to the Score Data DynamoDB table and the Game State S3 bucket.
Use an IAM user with access credentials assigned a role providing access to the Score Data DynamoDB table and the Game State S3 bucket for distribution with the mobile app.

Question 43 of 71

43. Question

A user has created an application which will be hosted on EC2. The application makes calls to DynamoDB to fetch certain data. The application is using the DynamoDB SDK to connect with from the EC2 instance. Which of the below mentioned statements is true with respect to the best practice for security in this scenario?

The user should attach an IAM role with DynamoDB access to the EC2 instance
The user should create an IAM user with DynamoDB access and use its credentials within the application to connect with DynamoDB
The user should create an IAM role, which has EC2 access so that it will allow deploying the application
The user should create an IAM user with DynamoDB and EC2 access. Attach the user with the application so that it does not use the root account credentials

Question 44 of 71

44. Question

A user has created a mobile application which makes calls to DynamoDB to fetch certain data the application is using the DynamoDB SDK and root account access/secret access key to connect to DynamoDB from mobile. Which of the below mentioned statements is true with respect to the best practice for security in this scenario?

User should create a separate IAM user for each mobile application and provide DynamoDB access with it
User should create an IAM role with DynamoDB and EC2 access. Attach the role with EC2 and route all calls from the mobile through EC2
The application should use an IAM role with web identity federation which validates calls to DynamoDB with identity providers, such as Google, Amazon, and Facebook
Create an IAM Role with DynamoDB access and attach it with the mobile application

Question 45 of 71

45. Question

You are managing the AWS account of a big organization. The organization has more than 1000+ employees and they want to provide access to the various services to most of the employees. Which of the below mentioned options is the best possible solution in this case?

The user should create a separate IAM user for each employee and provide access to them as per the policy
The user should create an IAM role and attach STS with the role. The user should attach that role to the EC2 instance and setup AWS authentication on that server
The user should create IAM groups as per the organization’s departments and add each user to the group for better access control
Attach an IAM role with the organization’s authentication service to authorize each user for various AWS services

Question 46 of 71

46. Question

Your fortune 500 company has under taken a TCO analysis evaluating the use of Amazon S3 versus acquiring more hardware The outcome was that all employees would be granted access to use Amazon S3 for storage of their personal documents Which of the following will you need to consider so you can set up a solution that incorporates single sign-on from your corporate AD or LDAP directory and restricts access for each user to a designated user folder in a bucket? (Choose 3 Answers)

Setting up a federation proxy or identity provider
Using AWS Security Token Service to generate temporary tokens
Tagging each folder in the bucket
Configuring IAM role
Setting up a matching IAM user for every user in your corporate directory that needs access to a folder in the bucket

Question 47 of 71

47. Question

You’ve been hired to enhance the overall security posture for a very large e-commerce site. They have a well architected multi-tier application running in a VPC that uses ELBs in front of both the web and the app tier with static assets served directly from S3. They are using a combination of RDS and DynamoDB for their dynamic data and then archiving nightly into S3 for further processing with EMR. They are concerned because they found questionable log entries and suspect someone is attempting to gain unauthorized access. Which approach provides a cost effective scalable mitigation to this kind of attack?

Recommend mat they lease space at a DirectConnect partner location and establish a 1G DirectConnect connection to their VPC they would then establish Internet connectivity into their space, filter the traffic in hardware Web Application Firewall (WAF). And then pass the traffic through the DirectConnect connection into their application running in their VPC
Add previously identified hostile source IPs as an explicit INBOUND DENY NACL to the web tier subnet
Add a WAF tier by creating a new ELB and an AutoScaling group of EC2 Instances running a host-based WAF. They would redirect Route 53 to resolve to the new WAF tier ELB. The WAF tier would then pass the traffic to the current web tier. Web tier Security Groups would be updated to only allow traffic from the WAF tier Security Group
Remove all but TLS 1.2 from the web tier ELB and enable Advanced Protocol Filtering This will enable the ELB itself to perform WAF functionality

Question 48 of 71

48. Question

You are designing a social media site and are considering how to mitigate distributed denial-of-service (DDoS) attacks. Which of the below are viable mitigation techniques? (Choose 3 answers)

Add multiple elastic network interfaces (ENIs) to each EC2 instance to increase the network bandwidth.
Use dedicated instances to ensure that each instance has the maximum performance possible.
Use an Amazon CloudFront distribution for both static and dynamic content.
Use an Elastic Load Balancer with auto scaling groups at the web app and Amazon Relational Database Service (RDS) tiers
Add alert Amazon CloudWatch to look for high Network in and CPU utilization.
Create processes and capabilities to quickly add and remove rules to the instance OS firewall.

Question 49 of 71

49. Question

When preparing for a compliance assessment of your system built inside of AWS. What are three best practices for you to prepare for an audit? Choose 3 answers

Gather evidence of your IT operational controls
Request and obtain applicable third-party audited AWS compliance reports and certifications
Request and obtain a compliance and security tour of an AWS data center for a pre-assessment security review
Request and obtain approval from AWS to perform relevant network scans and in-depth penetration tests of your system’s Instances and endpoints
Schedule meetings with AWS’s third-party auditors to provide evidence of AWS compliance that maps to your control objectives

Question 50 of 71

50. Question

In the shared security model, AWS is responsible for which of the following security best practices (check all that apply)

Penetration testing
Operating system account security management
Threat modeling
User group access management
Static code analysis

Question 51 of 71

51. Question

You are running a web-application on AWS consisting of the following components an Elastic Load Balancer (ELB) an Auto-Scaling Group of EC2 instances running Linux/PHP/Apache, and Relational Database Service (RDS) MySQL. Which security measures fall into AWS’s responsibility?

Protect the EC2 instances against unsolicited access by enforcing the principle of least-privilege access
Protect against IP spoofing or packet sniffing
Assure all communication between EC2 instances and ELB is encrypted
Install latest security patches on ELB, RDS and EC2 instances

Question 52 of 71

52. Question

Which of the following statements is true about achieving PCI certification on the AWS platform? (Choose 2)

Your organization owns the compliance initiatives related to anything placed on the AWS infrastructure
Amazon EC2 instances must run on a single-tenancy environment (dedicated instance)
AWS manages card-holder environments
AWS Compliance provides assurance related to the underlying infrastructure

Question 53 of 71

53. Question

What does RRS stand for when talking about S3?

Redundancy Removal System
Relational Rights Storage
Regional Rights Standard
Reduced Redundancy Storage

Question 54 of 71

54. Question

What is the durability of S3 RRS?

99.99%
99.95%
99.995%
99.999999999%

Question 55 of 71

55. Question

What is the Reduced Redundancy option in Amazon S3?

Less redundancy for a lower cost.
It doesn’t exist in Amazon S3, but in Amazon EBS.
It allows you to destroy any copy of your files outside a specific jurisdiction.
It doesn’t exist at all.

Question 56 of 71

56. Question

An application is generating a log file every 5 minutes. The log file is not critical but may be required only for verification in case of some major issue. The file should be accessible over the internet whenever required which of the below mentioned options is a best possible storage solution for it?

AWS Glacier
AWS S3
AWS RDS
AWS S3 RRS

Question 57 of 71

57. Question

A user has moved an object to Glacier using the life cycle rules. The user requests to restore the archive after 6 months. When the restore request is completed the user accesses that archive. Which of the below mentioned statements is not true in this condition?

The archive will be available as an object for the duration specified by the user during the restoration request
The restored object’s storage class will be RRS
The user can modify the restoration period only by issuing a new restore request with the updated period
The user needs to pay storage for both RRS (restore d) and Glacier (Archive) Rates

Question 58 of 71

58. Question

Which set of Amazon S3 features helps to prevent and recover from accidental data loss?

Object lifecycle and service access logging
Object versioning and Multi-factor authentication
Access controls and server-side encryption
Website hosting and Amazon S3 policies

Question 59 of 71

59. Question

You use S3 to store critical data for your company Several users within your group currently have full permissions to your S3 buckets. You need to come up with a solution that does not impact your users and also protect against the accidental deletion of objects. Which two options will address this issue? (Choose 2 answers)

Enable versioning on your S3 Buckets
Configure your S3 Buckets with MFA delete
Create a Bucket policy and only allow read only permissions to all users at the bucket level
Enable object life cycle policies and configure the data older than 3 months to be archived in Glacier

Question 60 of 71

60. Question

A company is storing data on Amazon Simple Storage Service (S3). The company’s security policy mandates that data is encrypted at rest. Which of the following methods can achieve this? (Choose 3 answers)

Use Amazon S3 server-side encryption with AWS Key Management Service managed keys
Use Amazon S3 server-side encryption with customer-provided keys
Use Amazon S3 server-side encryption with EC2 key pair.
Use Amazon S3 bucket policies to restrict access to the data at rest.
Encrypt the data on the client-side before ingesting to Amazon S3 using their own master key
Use SSL to encrypt the data while in transit to Amazon S3.

Question 61 of 71

61. Question

A user has enabled versioning on an S3 bucket. The user is using server side encryption for data at Rest. If the user is supplying his own keys for encryption (SSE-C) which of the below mentioned statements is true?

The user should use the same encryption key for all versions of the same object
It is possible to have different encryption keys for different versions of the same object
AWS S3 does not allow the user to upload his own keys for server side encryption
The SSE-C does not work when versioning is enabled

Question 62 of 71

62. Question

A storage admin wants to encrypt all the objects stored in S3 using server side encryption. The user does not want to use the AES 256 encryption key provided by S3. How can the user achieve this?

The admin should upload his secret key to the AWS console and let S3 decrypt the objects
The admin should use CLI or API to upload the encryption key to the S3 bucket. When making a call to the S3 API mention the encryption key URL in each request
S3 does not support client supplied encryption keys for server side encryption
The admin should send the keys and encryption algorithm with each API call

Question 63 of 71

63. Question

A user has enabled versioning on an S3 bucket. The user is using server side encryption for data at rest. If the user is supplying his own keys for encryption (SSE-C), what is recommended to the user for the purpose of security?

User should not use his own security key as it is not secure
Configure S3 to rotate the user’s encryption key at regular intervals
Configure S3 to store the user’s keys securely with SSL
Keep rotating the encryption key manually at the client side

Question 64 of 71

64. Question

A system admin is planning to encrypt all objects being uploaded to S3 from an application. The system admin does not want to implement his own encryption algorithm; instead he is planning to use server side encryption by supplying his own key (SSE-C). Which parameter is not required while making a call for SSE-C?

x-amz-server-side-encryption-customer-key-AES-256
x-amz-server-side-encryption-customer-key
x-amz-server-side-encryption-customer-algorithm
x-amz-server-side-encryption-customer-key-MD5

Question 65 of 71

65. Question

A customer is leveraging Amazon Simple Storage Service in eu-west-1 to store static content for a web-based property. The customer is storing objects using the Standard Storage class. Where are the customers objects replicated?

A single facility in eu-west-1 and a single facility in eu-central-1
A single facility in eu-west-1 and a single facility in us-east-1
Multiple facilities in eu-west-1
A single facility in eu-west-1

Question 66 of 71

66. Question

Which features can be used to restrict access to data in S3? Choose 2 answers

Set an S3 ACL on the bucket or the object.
Create a CloudFront distribution for the bucket.
Set an S3 bucket policy.
Enable IAM Identity Federation
Use S3 Virtual Hosting

Question 67 of 71

67. Question

Which method can be used to prevent an IP address block from accessing public objects in an S3 bucket?

Create a bucket policy and apply it to the bucket
Create a NACL and attach it to the VPC of the bucket
Create an ACL and apply it to all objects in the bucket
Modify the IAM policies of any users that would access the bucket

Question 68 of 71

68. Question

A user has granted read/write permission of his S3 bucket using ACL. Which of the below mentioned options is a valid ID to grant permission to other AWS accounts (grantee. using ACL?

IAM User ID
S3 Secure ID
Access ID
Canonical user ID

Question 69 of 71

69. Question

A root account owner has given full access of his S3 bucket to one of the IAM users using the bucket ACL. When the IAM user logs in to the S3 console, which actions can he perform?

He can just view the content of the bucket
He can do all the operations on the bucket
It is not possible to give access to an IAM user using ACL
The IAM user can perform all operations on the bucket using only API/SDK

Question 70 of 71

70. Question

A root AWS account owner is trying to understand various options to set the permission to AWS S3. Which of the below mentioned options is not the right option to grant permission for S3?

User Access Policy
S3 Object Policy
S3 Bucket Policy
S3 ACL

Question 71 of 71

71. Question

A system admin is managing buckets, objects and folders with AWS S3. Which of the below mentioned statements is true and should be taken in consideration by the sysadmin?

Folders support only ACL
Both the object and bucket can have an Access Policy but folder cannot have policy
Folders can have a policy
Both the object and bucket can have ACL but folders cannot have ACL

Exam Practice Quiz 01