Mock Tests

Mock exam 1

  1. When IAM policies are being evaluated for their logic of access, which two of the following statements are incorrect?
    1. Explicit denies are always overruled by an explicit allow.
    2. The order in which the policies are evaluated does not matter regarding the end result.
    3. Explicit allows are always overruled by an explicit deny.
    4. Access to all resources is denied by default until access is granted.
    5. Access to all resources is allowed by default until access is denied.
  2. Your security team has been tasked with implementing a solution to monitor your EC2 fleet of instances. Upon review, you decide to implement Amazon Inspector. What are the three prerequisites that you would need to implement before using Amazon Inspector? (Choose three answers)
    1. Deploy Amazon Inspector agents to your EC2 fleet.
    2. Create an IAM service-linked role that allows Amazon Inspector to access your EC2 fleet.
    3. Create an Assessment Target group for your EC2 fleet.
    4. Deploy an Amazon Inspector log file to your EC2 fleet.
    5. Configure Amazon Inspector so that it runs at the root of your AWS account.
    6. Create an IAM group for your EC2 fleet.
  3. After analyzing VPC flow logs, you notice that restricted network traffic is entering a private subnet. After reviewing your Network Access Control Lists (NACLs), you verify that a custom NACL does exist that should be blocking this restricted traffic. What should you check to resolve the issue to ensure that the traffic is blocked at the subnet level?
    1. Check the inbound security group of the instances in the private subnet to ensure it is blocking the traffic.
    2. Check to see if the custom NACL has the restrictions associated with the private subnet.
    3. Check your VPC flow log configuration to see if it is configured to block the restricted traffic.
    4. Check the Main NACL associated with your VPC to see if it is conflicting with your custom NACL.
  4. When using AWS Shield, which type of rule counts the number of requests received from a particular IP address over a time period of 5 minutes?
    1. Standard-based
    2. Flow-based
    3. Rate-based
    4. Integer-based
  5. Following a breach on your network, an instance was compromised and you need to perform a forensic investigation of the affected instance. You decide to move the EC2 instance to your forensic account. Which steps would you take to carry out this process?
    1. Create an AMI from the affected EC2 instance and then share that AMI image with your forensic account. From within your forensic account, locate the AMI and create a new instance from the shared AMI.
    2. Create an AMI from the affected EC2 instance and then copy that AMI image to your forensic account. From within your forensic account, locate the AMI and create a new instance from the shared AMI.
    3. Create an EBS snapshot of the affected EC2 instance and then share that snapshot with your forensic account. From within your forensic account, launch a new instance and create a new volume using the snapshot and attach it to the instance.
    4. Create an EBS snapshot of the affected EC2 instance and then copy that snapshot to your forensic account. From within your forensic account, launch a new instance and create a new volume using the snapshot and attach it to the instance.
  6. What is the Log Delivery Group account used for within Amazon S3?
    1. This is a customer-defined group that's used to deliver AWS CloudTrail logs to a bucket.
    2. This is a predefined group by AWS that's used to deliver S3 server access logs to a bucket.
    3. This is a predefined group by AWS that's used to deliver AWS CloudTrail logs to a bucket.
    4. This is a customer-defined group by AWS that's used to deliver S3 server access logs to a bucket.
  7. After reviewing the following excerpt from a CloudTrail log, which statement is true?

    "awsRegion": "eu-west-1",
    "eventID": "6ce47c89-5908-452d-87cc-a7c251ac4ac0",
    "eventName": "PutObject",
    "eventSource": "s3.amazonaws.com",
    "eventTime": "2019-11-27T23:54:21Z",
    "eventType": "AwsApiCall",
    "eventVersion": "1.05",
    "readOnly": false,
    "recipientAccountId": "730739171055",
    "requestID": "95BAC3B3C83CCC5D",
    "requestParameters": {
        "bucketName": "cloudtrailpackt",
        "Host": "cloudtrailpackt.s3.eu-west-1.amazonaws.com",
        "key": "Packt/AWSLogs/730739171055/CloudTrail/eu-west-1/2019/11/27/730739171055_CloudTrail_eu-west-1_20191127T2321Z_oDOj4tmndoN0pCW3.json.gz",
        "x-amz-acl": "bucket-owner-full-control",
        "x-amz-server-side-encryption": "AES256"
    1. A PutObject operation was performed in the cloudtrailpackt bucket without encryption.
    2. A PutObject operation was performed in the cloudtrailpackt bucket in the eu-west-2 region.
    3. A PutObject operation was performed in account 730739171055 using encryption.
    4. A PutObject operation was performed on 2019-11-27 in the packt bucket using encryption.
  8. You have just joined a new startup organization as a security lead. Processes dictate that all your RDS databases must be deployed with Multi-AZ configured. For any new RDS deployments, you want to check whether high availability is enabled for your Amazon RDS DB instances. What should you configure to ensure that this process is being followed?
    1. Use AWS Config to set up the rds-multi-az compliance check.
    2. Use CloudWatch logs to detect RDS single AZ deployments.
    3. Use CloudTrail logs to search for RDS deployments with the rds-multi-az=false parameter.
    4. Use SNS so that you're emailed every time an RDS single AZ deployment is configured.
  9. Which of the following is NOT considered a security best practice?
    1. Enable Multi-Factor Authentication (MFA).
    2. Remove the root account access keys.
    3. Associate IAM users with a single resource-based policy.
    4. Enable AWS CloudTrail.
  10. You are using a KMS key called encrypt_me to perform encryption within Amazon S3 using a customer-created CMK in eu-west-1. A colleague explains that they are unable to see the CMK when they try to use it to encrypt data in a bucket named encrypt_me_too in us-east-1. What is the most likely cause of this?
    1. Your colleague does not have permission to encrypt with the CMK.
    2. CMKs are regional, so it will not appear in us-east-1.
    3. If a CMK has been used on one bucket, it can't be used on another.
    4. The CMK has become corrupt and it will need to be recreated within KMS.
  11. A developer in your organization requires access to perform cryptographic functions using a customer-managed CMK. What do you need to update so that you can add permissions for the developer to allow them to use the CMK?
    1. KMS policy.
    2. CMK policy.
    3. Key policy.
    4. Encryption policy.
  12. KMS Key Policies allow you to configure access to, and use of, CMKs in a variety of ways. Which of the following is NOT a method of allowing access?
    1. Via Key Policies – all access is governed by the Key policy alone.
    2. Via Key Policies and IAM – access is governed by the Key policy in addition to IAM identity-based policies, allowing you to manage access via groups and other IAM features.
    3. Via Key Policies and Grants – access is governed by the Key policy with the added ability to delegate access to others so they can use the CMK.
    4. Via Key Policies and IAM Roles – associating the Key policy with the role, thereby granting permissions to resources and identities that the role is associated with.
  13. Which is NOT a valid method of S3 encryption?
    1. Server-Side Encryption with S3 Managed Keys (SSE-S3)
    2. Server-Side Encryption with CMK Managed Keys (SSE-CMK)
    3. Server-Side Encryption with KMS Managed Keys (SSE-KMS)
    4. Server-Side Encryption with Customer Managed Keys (SSE-C)
    5. Client-Side Encryption with KMS Managed Keys (CSE-KMS)
    6. Client-Side Encryption with Customer Managed Keys (CSE-C)
  14. Your IAM administrator has created 20 IAM users within your organization's production AWS account. All users must be able to access AWS resources using the AWS Management Console, in addition to programmatic access via the AWS CLI. Which steps must be implemented to allow both methods of access? (Choose two.)
    1. Associate each user with a role that grants permissions that allows programmatic access.
    2. Create a user account with their own IAM credentials and password.
    3. Create an access key and secret access key for every user.
    4. Add the user to the power users group.
    5. Implement Multi-Factor Authentication (MFA) for each user and configure their virtual MFA device.
  15. You are configuring a number of different service roles to be associated with EC2 instances. During the creation of these roles, two components are established: the role itself and one other. Which component is also created, following the creation of a service role?
    1. An IAM group that the role is attached to
    2. An instance profile
    3. Temporary instance access keys
    4. A new instance associated with the new service role
  16. Microsoft Active Directory Federation Services (ADFS) can be used as an Identity Provider (IdP) to enable federated access to the AWS Management Console. As part of the authentication process, which API is used to request temporary credentials to enable access?
    1. AssumeRoleWithSAML
    2. AssumeIDP
    3. AssumeADFS
    4. AssumeRoleUsingADFS
    5. AssumeFederationRole
  17. When configuring your IdP from within IAM, which document do you need to provide that includes the issuer's name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) that are received from the IdP?
    1. SAML response document
    2. Metadata document
    3. IDP federation document
    4. IDP document
  18. Your CTO has asked you to find a simple and secure way to perform administrative tasks and configuration changes remotely against a selection of EC2 instances within your production environment. Which option should you choose?
    1. Use the Run command in AWS Systems Manager.
    2. Use built-in insights in AWS Systems Manager.
    3. Use State Manager in AWS Systems Manager.
    4. Use Session Manager in AWS Systems Manager.
  19. Your organization is running a global retail e-commerce website in which customers from around the world search your website, adding products to their shopping cart before ordering and paying for the items. During a meeting to redesign the infrastructure, you have been instructed to define a solution in which the routing of APIs to microservices can be managed, with added security features so that you can manage authentication and access control and monitor all requests made by concurrent API calls. Which service should you implement to manage these requirements?
    1. Amazon CloudFront
    2. AWS Lambda@Edge
    3. AWS API Gateway
    4. AWS API Manager
    5. AWS Shield
  20. Your organization has been the victim of a massive DDoS attack. You have decided to use the AWS DDoS Response Team (DRT) for extra support to help you analyze and monitor malicious activity within your account. To help the DRT with your investigations, they need access to your AWS WAF rules and web ACLs. How can you provide this access?
    1. Using an IAM role with the AWSShieldDRTAccessPolicy managed policy attached, which trusts the service principal of drt.shield.amazonaws.com to use the role
    2. Using an IAM role with the AWSShieldAccessPolicy managed policy attached, which trusts the service principal of shield.drt.amazonaws.com to use the role
    3. Using an IAM role with the ShieldDRTAccessPolicy managed policy attached, which trusts the service principal of drt.shied.amazonaws.com to use the role
    4. Using an IAM role with the AWSShielDRTAccess managed policy attached, which trusts the service principal of drt.amazonaws.com to use the role
  21. One of your instances within a private subnet of your production network may have been compromised. Since you work within the incident team, you have been asked to isolate the instance from other resources immediately, without affecting other production EC2 instances in the same subnet. Which approaches should be followed in this situation? (Choose two.)
    1. Delete the key pair associated with the EC2 instance.
    2. Remove any role associated with the EC2 instance.
    3. Update the route table of the subnet associated with the EC2 instance to remove the entry for the NAT gateway.
    4. Change the security group of the instance to a restricted security group, thereby preventing any access to or from the instance.
    5. Move the EC2 instance to the public subnet.
  22. You have implemented a VPN connection between your data center and your AWS VPC. You then enabled route propagation to ensure that all the other routes to networks reachable across your site-to-site VPN connection are automatically added to your route table. However, you notice that you now have overlapping CIDR blocks between your propagated routes and existing static routes. Which statement is true?
    1. The routes will be automatically deleted from your route table as having overlapping CIDR blocks is not possible in a route table.
    2. Your static routes will take precedence over propagated routes.
    3. Your propagated routes will take precedence over your static routes.
    4. The longest prefix match will determine which route takes precedence.
  23. Your CTO has explained that they are looking for a solution to be able to monitor network packets across your VPC. You suggest VPC flow logs, but the CTO wants to implement a solution whereby captured traffic is sent to a Network Load Balancer, using UDP as a listener, which sits in front of a fleet of appliances dedicated to network analysis. What solution would you suggest to the CTO?
    1. Use the AWS Transit Gateway to capture packets and use the NLB as a Target.
    2. Use Traffic Mirroring to capture packets and use the NLB as a Target.
    3. Use VPC Tunneling to capture packets and use the NLB as a Target.
    4. Use Traffic Capture to capture packets and use the NLB as a Target.
    5. Use VPC Transit to capture packets and use the NLB as a Target.
  24. You have been tasked with defining a central repository that enables you to view real-time logging information from different AWS services that can be filtered and queried to search for specific events or error codes. Which of the following would you use?
    1. Amazon GuardDuty
    2. Amazon S3 Server Access logs
    3. Amazon Kinesis
    4. Amazon CloudWatch logs
    5. AWS Config logs
  25. Which feature of AWS CloudTrail can be used for forensic investigation to confirm that your log files have not been tampered with?
    1. Select Encrypt Log Files with SSE-KMS.
    2. Select Log File Validation.
    3. Select Encrypt Log Validation.
    4. Select Enable Log Tamper Detection.
  26. Which service is being described here? "________ is a fully managed intelligent threat detection service, powered by machine learning, that continually provides insights into unusual and/or unexpected behavioral patterns that could be considered malicious within your account."
    1. AWS Config
    2. Amazon Inspector
    3. AWS Trusted Advisor
    4. Amazon GuardDuty
  27. When it comes to data encryption, it is important to understand the difference between asymmetric and symmetric key encryption. Select the statements that are true. (Choose two.)
    1. Symmetric encryption uses a single key to encrypt and decrypt data.
    2. Asymmetric encryption uses a single key to encrypt and decrypt data.
    3. Symmetric encryption keys use two keys to perform the encryption.
    4. Asymmetric encryption keys use two keys to perform the encryption.
  28. You need to encrypt data being stored across your EBS volumes in your VPC with minimal management, but you want to be able to audit and track their usage. Which type of AWS KMS key will you use?
    1. AWS owned
    2. AWS managed
    3. Customer managed
    4. Customer owned
  29. You have been asked to ensure that your organization's data is encrypted when stored on S3. The requirements specify that encryption must happen before the object is uploaded using keys managed by AWS. Which S3 encryption option is best suited for this?
    1. SSE-KMS
    2. CSE-KMS
    3. SSE-S3
    4. CSE-C
    5. SSE-C
  30. What is the disadvantage of importing your own key material into a customer-managed CMK?
    1. It does not support automatic key rotation.
    2. It does not support the creation of data encryption keys.
    3. The key material automatically expires after 12 months.
    4. You are unable to define additional key administrators.
  31. When encrypting an EBS volume, which kinds of keys can be used? (Choose three.)
    1. AWS managed CMK key
    2. AWS owned CMK key
    3. AWS created CMK key
    4. Customer CMK key
    5. Customer DEK key
  32. You have been tasked with granting permissions for your IT corporate workforce of 500+ users so that they can access the AWS Management Console to administer and deploy AWS resources. Your organization currently uses Microsoft Active Directory (MSAD) to authenticate users internally. None of your users currently have IAM user accounts and your manager has asked you to configure their AWS access with the least administrative effort. Which method would be best?
    1. Create 500 AWS users accounts and assign permissions to each account accordingly.
    2. Configure web identity federation with LDAP, allowing it to query MSAD as your authentication into your AWS account. This is used in configuration with AWS roles.
    3. Configure SAML 2.0 federation with LDAP, allowing it to query MSAD as your authentication into your AWS account. This is used in conjunction with AWS roles.
    4. Share access keys and secret access keys across your user base, allowing AWS Management Console access.
  33. Take a look at the following IAM policy associated with a role. Which statement is true?

    {
        "Version": "2012-10-17",
        "Statement": {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::356903128354:user/Stuart"},
            "Action": "sts:AssumeRole",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
        }
    }
    1. The user "Stuart" is denied access to assume the role.
    2. Any users can assume the role if the user has used MFA to verify their credentials.
    3. The role can be assumed for the user "Stuart" if the user uses MFA as an authentication method.
    4. The principal is allowed to assume the role using existing permissions granted by MFA.
  34. Which policies do NOT require a Principal element within the policy? (Choose two.)
    1. An Amazon S3 bucket policy.
    2. A key policy within KMS associated with a customer created CMK.
    3. An inline IAM policy.
    4. A service control policy (SCP).
    5. A CloudHSM encryption policy.
  35. You have just joined a new startup as a security engineer. One of your first tasks is to implement authentication for a new mobile application that is likely to scale to over a million users within the first few months. Which option is the best for handling scaling with minimal management?
    1. Implement Amazon Cognito with Enterprise Federation.
    2. Implement Amazon Cognito with SAML Federation.
    3. Implement Amazon Cognito with Social Federation.
    4. Implement Amazon Cognito with Mobile Federation.
  36. Your engineering team has come to you to explain that they have lost the private key associated with one of their Linux EC2 instances that has an instance store-backed root volume, and they can no longer connect to and access the instance. Which statement is true in this circumstance?
    1. It is still possible to recover access as it has an instance store-backed root volume
    2. When you lose your private key to an EC2 instance that has an instance store-backed root volume, there is no way to reestablish connectivity to the instance
    3. Recreate a new key-pair for the instance using the aws ec2 create-key-pair --key-name MyNewKeyPair AWS CLI command
    4. Request a replacement private key from AWS using the associated public key
  37. You are explaining the differences between security groups and Network Access Control Lists to a customer. Which key points are important to understand regarding how these two security controls differ from each other? (Choose three.)
    1. Security groups are stateful by design and NACLs are not.
    2. NACLs are stateful by design and security groups are not.
    3. Security groups allow you to add a Deny action within the ruleset.
    4. NACLs allow you to add a Deny action within the ruleset.
    5. Security groups control access at the instance level.
    6. NACLs control access at the instance level.
  38. Your new startup is deploying a highly-scalable multi-tiered application. Your VPC is using both public and private subnets, along with an application load balancer. Your CTO has defined the following requirements:
    • All the EC2 instances must only have a private IP address.
    • All EC2 instances must have internet access.

What configuration is required to meet these requirements? (Choose two.)

    1. A NAT gateway should be deployed in the private subnet.
    2. A NAT gateway should be deployed in the public subnet.
    3. Add a rule to your main route table, directing all outbound traffic via the ALB.
    4. Launch the EC2 instances in the private subnet.
    5. Register EC2 instances with the NAT gateway.
  39. You are experiencing an increase in the level of attacks across multiple different AWS accounts against your applications from the internet. This includes XSS and SQL injection attacks. As the security architect for your organization, you are responsible for implementing a solution to help reduce and minimize these threats. Which AWS services should you implement to help protect against these attacks? (Choose two.)
    1. AWS Shield
    2. AWS Firewall Manager
    3. AWS Web Application Firewall
    4. AWS Secrets Manager
    5. AWS Systems Manager
  40. During the deployment of a new application, you are implementing a public-facing Elastic Load Balancer (ELB). Due to the exposed risk, you need to implement encryption across your ELB, so you select HTTPS as the protocol listener. During this configuration, you will need to select a certificate from a certificate authority (CA). Which CA is the recommended choice for creating the X.509 certificate?
    1. AWS Certificate Manager within AWS Systems Manager
    2. AWS Certificate Manager
    3. Select a certificate from IAM
    4. AWS Certificate Authority Manager
    5. Certificate Authority Manager within AWS Shield
  41. Recently, you have noticed an increase in the number of DDoS attacks against your public web servers. You decide to implement AWS Shield Advanced to help protect your EC2 instances. Which configuration change do you need to implement before you can protect your instance using the advanced features?
    1. You must assign the EC2 instances within their own Public Shield subnet.
    2. Assign an EIP to the EC2 instance.
    3. Install the CloudFront Logging Agent on the EC2 instances.
    4. Install the SSM Agent on your EC2 instance.
  42. Which layers of the OSI model do both Amazon CloudFront (with AWS WAF) and Route 53 offer attack mitigation against? (Choose three.)
    1. 2
    2. 3
    3. 4
    4. 5
    5. 6
    6. 7
  43. Looking at the following route table, which target would be selected for a packet being sent to a host with the IP address of 172.16.1.34?

    Destination      Target
    10.0.0.0/16      Local
    172.16.0.0/16    pcx-1234abcd
    172.16.1.0/24    vgw-wxyz6789

    • The first route is the local route of the VPC that's found in every route table.
    • The second route points to a target related to a VPC peering connection.
    • The third route points to a VPN Gateway that then connects to a remote location.

Your options are as follows:

    1. 10.0.0.0/16
    2. 172.16.0.0/16
    3. 172.16.1.0/24
    4. There is no feasible route
  44. You have just joined a new network team. You are responsible for making configuration changes to your Direct Connect infrastructure that connects from your corporate data center to your AWS infrastructure. Take a look at the following policy detailing your access. Which statement is correct?

    1. You have full access to make configurational changes as required to Direct Connect.
    2. You have read-only access to Direct Connect.
    3. You have full access to configure components related to Direct Connect Describe.
    4. You have read-only access to Direct Connect, but you do have full access to VPN Gateways and Transit Gateway configurations.
  45. An engineer has raised a concern regarding one of your buckets and wants to understand when a particular bucket has been accessed, how frequently, and by whom. Which method would be the MOST appropriate to get the data required?
    1. Analyze AWS CloudTrail log data.
    2. Analyze AWS Config log data.
    3. Analyze S3 Server access logs.
    4. Analyze VPC flow logs.
  46. Amazon S3 object-level logging integrates with which other AWS service?
    1. Amazon CloudWatch
    2. Amazon Glacier
    3. Amazon EC2
    4. AWS Config
    5. AWS CloudTrail
  47. You are currently monitoring the traffic flow between a number of different subnets using VPC flow logs. The flow log is currently configured to capture ALL traffic. However, to refine the flow log details, you want to modify the configuration of the flow log so that it only captures rejected traffic instead. Which of the following statements is true?
    1. You can't capture rejected packets in a VPC flow log.
    2. You can't change the configuration of an existing flow log once it's been created.
    3. The VPC flow log can be modified with these changes without any packets being dropped.
    4. The VPC flow log must be stopped before you can make configuration changes.
  48. Your CTO is concerned about the sensitivity of the data being captured by AWS CloudTrail. As a result, you suggest encrypting the log files when they are sent to S3. Which encryption mechanism is available to you during the configuration of your Trail?
    1. SSE-S3
    2. SSE-KMS
    3. SSE-C
    4. CSE-KMS
    5. CSE-C
  49. As part of your security procedures, you need to ensure that, when using the Elastic File System (EFS), you enable encryption-in-transit using TLS as a mount option, which uses a client tunnel process. Assuming your file system ID is fs-12345678 and your mount point is /mnt/efs, which command would you enter to mount the EFS file system with encryption enabled?
    1. sudo mount -t efs  tls fs-12345678: -o / /mnt/efs
    2. sudo mount -t tls efs fs-12345678:/ /mnt/efs
    3. sudo mount -t efs  -o tls fs-12345678:/ /mnt/efs
    4. sudo mount -t ssl  tls fs-12345678:/ /mnt/efs
  50. You are configuring your AWS environment in preparation for downloading and installing the CloudWatch agent to offer additional monitoring. Which two tasks should you complete prior to installing the agent?
    1. Ensure that your EC2 instance is running the latest version of the SSM agent.
    2. Ensure that your EC2 instances have outbound internet access.
    3. Ensure that your EC2 instances all have the same tags.
    4. Ensure that any public EC2 instances are configured with an ENI.
    5. Ensure CloudWatch is configured for CloudWatch logging in your region.
  51. You have been approached by your compliance team to define what data is encrypted on an EBS volume when EBS encryption has been enabled. Which of the following should you choose? (Choose three.)
    1. The root and data volume
    2. Just the data volume
    3. All data moving between the EBS volume and the associated EC2 instance
    4. All snapshots of the EBS volume
    5. Just the root volume
    6. The ephemeral volume associated with the EC2 instances
  52. You are being audited by an external auditor against PCI-DSS, who is assessing your solutions that utilize AWS. You have been asked to provide evidence that certain controls are being met against infrastructure that is maintained by AWS. What is the best way to provide this evidence?
    1. Contact your AWS account management team, asking them to speak with the auditor.
    2. As a customer, you have no control over the AWS infrastructure or if it meets certain compliance programs.
    3. Use AWS Auditing to download the appropriate compliance reports.
    4. Use AWS Artifact to download the appropriate compliance records.
  53. Which part of AWS CloudHSM can carry out the following functions?
    • Perform encryption and decryption.
    • Create, delete, wrap, unwrap, and modify attributes of keys.
    • Sign and verify.
    • Generate digests and HMACs.

Your options are as follows:

    1. Crypto Officer (CO)
    2. Crypto User (CU)
    3. Precrypto Officer (PRECO)
    4. Appliance User (AU)
  54. You have a VPC without any EC2 instances, and for security reasons, this VPC must never have any EC2 instances running. If an EC2 instance is created, it would constitute a security breach. What could you implement to automatically detect if an EC2 instance is launched and then notify you of that resource?
    1. Use AWS CloudTrail to capture the launch of an EC2 instance, with Amazon SNS configured as a target for notification.
    2. Use CloudWatch Events to detect the launch of an EC2 instance, with Amazon SNS configured as a target for notification.
    3. Use AWS GuardDuty to detect the launch of an EC2 instance, with an AWS Lambda function configured as a target for notification.
    4. Use AWS Systems Manager to detect the launch of an EC2 instance, with Amazon SNS configured as a target for notification.
  55. Which AWS CloudHSM user contains a default username and password when you first configure your CloudHSM?
    1. Crypto Officer
    2. Crypto User
    3. Precrypto Officer
    4. Appliance User
  56. Amazon GuardDuty uses different logs to process and analyze millions of events that are then referenced against numerous threat detection feeds, many of which contain known sources of malicious activity, including specific URLs and IP addresses. Which of the following logs are NOT used by Amazon GuardDuty? (Choose two.)
    1. VPC flow logs
    2. S3 Server Access logs
    3. DNS logs
    4. CloudTrail logs
    5. CloudWatch Event logs
  57. Which statement is true about a KMS key policy?
    1. It is an identity-based policy.
    2. It is a resource-based policy.
    3. You can only apply the resource using an IAM role.
    4. The same policy can be attached to multiple KMS keys in the same region.
  58. You have just joined a company, working within a security team that utilizes third-party tools such as Sumo Logic and Splunk, in addition to a number of AWS security services, including AWS IAM and Firewall Manager. Your manager has asked you to review solutions in order to centralize findings from all toolsets and services. Which of the following solutions would you recommend?
    1. AWS Detector
    2. Amazon Macie
    3. Amazon GuardDuty
    4. Amazon Inspector
    5. AWS Security Hub
  59. You have been asked to upload the company's own key material instead of using the key material generated by KMS. In preparation for doing this, you download the public key and import token. What format must your key material be in prior to it being uploaded?
    1. JSON
    2. Binary
    3. TAR
    4. TIFF
  60. When configuring your access policies within IAM, what should you always consider as a security best practice?
    1. Always add an implicit "Deny" at the end of the policy statement.
    2. Implement the principle of least privilege (PoLP).
    3. Only add a single statement within a policy.
    4. Implement identity-based policies instead of resource-based policies.
  61. Which of the following is NOT considered an asymmetric key encryption mechanism?
    1. Diffie-Hellman
    2. Advanced Encryption Standard (AES)
    3. Digital Signature Algorithm
    4. RSA
  62. AWS Trusted Advisor helps customers optimize their AWS environment through recommended best practices. Which of the following is NOT one of the five categories that it checks in your account?
    1. Cost Optimization
    2. Monitoring
    3. Performance
    4. Security
    5. Fault Tolerance
    6. Service Limits
  63. Which of the following is the alias of the AWS managed key used with Amazon S3 SSE-KMS?
    1. aws/s3
    2. aws/kms/s3
    3. s3/kms
    4. kms/s3
  64. Which keys used in conjunction with KMS are used outside of the KMS platform to perform encryption against your data?
    1. Customer master key
    2. Data encryption key
    3. Data decryption key
    4. Customer data encryption key
  65. Your organization is storing some sensitive data on Amazon S3. Using encryption, you have implemented a level of protection across this data. The encryption method you used was SSE-S3. Which type of key does this use?
    1. AWS owned
    2. AWS managed
    3. Customer managed
    4. Customer owned

Answers

1: 1,5
2: 1,2,3
3:
4: 3
5: 1
6: 2
7: 3
8: 1
9: 3
10: 2
11: 3
12: 4
13: 2
14: 2,3
15: 2
16: 1
17: 2
18: 1
19: 3
20: 1
21: 2,4
22: 2
23: 2
24: 4
25: 2
26: 4
27: 1,4
28: 2
29: 2
30: 1
31: 1,2,4
32: 3
33: 3
34: 3,4
35: 3
36: 2
37: 1,4,5
38: 2,4
39: 2,3
40: 2
41: 2
42: 2,3,6
43: 3
44: 2
45: 3
46: 5
47: 2
48: 2
49: 3
50: 1,2
51: 1,3,4
52: 4
53: 2
54: 2
55: 3
56: 2,5
57: 2
58: 5
59: 2
60: 2
61: 2
62: 2
63: 1
64: 2
65: 1

Mock exam 2

  1. New security policies state that specific IAM users require a higher level of authentication due to their enhanced level of permissions. Acting as the company's security administrator, what could you introduce to follow these new corporate guidelines?
    1. MFA
    2. TLS
    3. SSL
    4. SNS
    5. SQS
  2. You have configured your VPC with multiple subnets: a single public subnet and multiple private subnets. You have created an Internet Gateway (IGW) and are trying to update the route table associated with the subnet that you want to act as the public subnet, so that its default route points to the IGW as the target. However, you are unable to see the IGW. What is the most likely cause of this problem?
    1. You do not have permission to view IGWs.
    2. You have not associated the IGW with your region.
    3. You have not associated the IGW with your VPC.
    4. You have not associated the IGW with your subnet.

  3. Your operations team is using AWS WAF to protect your CloudFront distributions. As part of configuring the web ACLs, the team is adding multiple condition statements to a single rule. Which three statements are true when combining statements within one rule?
    1. The conditions are ANDed together.
    2. All conditions must be met for the rule to be effective.
    3. If one condition is met the rule is effective.
    4. AWS WAF will not allow you to add multiple conditions to a single rule.
    5. Only one action can be applied to the rule.
  4. You currently have a multi-account AWS environment that focuses heavily on web applications. As part of your security measures, you are looking to implement an advanced level of DDoS protection across all accounts. How would you implement a solution with cost optimization in mind that offers DDoS protection across all accounts?
    1. Activate AWS Shield Advanced on each AWS account.
    2. Activate AWS Shield Advanced on one account and set up VPC peering for all the other accounts.
    3. Configure consolidated billing for all the accounts and activate AWS Shield Advanced in each account.
    4. Configure AWS Security Hub to manage each account and activate AWS Shield Advanced within AWS Security Hub.
  5. Your engineering team is trying to configure Amazon S3 server access logging. They want to use a source bucket named MyBucket within account A in eu-west-2, with a target bucket named MyTarget in account B in eu-west-2. However, they are not able to configure access logging. What is the most logical reason for this?
    1. The engineering team does not have cross-account access to the buckets.
    2. The source and target buckets need to be in the same account.
    3. The bucket permissions are restricting the engineering team's access.
    4. The source and target buckets need to be in different regions.
  6. How can you enhance the security of your AWS CloudTrail logs? (Choose two.)
    1. Encrypt log files using CSE-KMS.
    2. Enable log file verification.
    3. Encrypt log files using SSE-KMS.
    4. Enable log file validation.
  7. As the IAM administrator, you have been asked to create a new role to allow an existing fleet of EC2 instances to access Amazon S3 directly with PutObject and GetObject permissions. Which of the following role types would you create to do this?
    1. Another AWS account
    2. Web Identity
    3. SAML 2.0 Federation
    4. AWS Service
    5. Service Integration
  8. You have been asked to assess your fleet of EC2 instances for security weaknesses while the instances are in operational use. Which of the following rule packages that can be used within Amazon Inspector would you recommend to run?
    1. Center for Internet Security (CIS) benchmarks
    2. Common Vulnerabilities and Exposures (CVEs)
    3. Security best practices
    4. Runtime behavior analysis
    5. Network reachability
  9. Which of the following resources within your environment can be protected by the AWS Web Application Firewall service? (Choose three.)
    1. Amazon EC2
    2. Network Load Balancer
    3. Application Load Balancer
    4. API Gateway
    5. AWS NAT gateway
    6. Amazon CloudFront Distributions
  10. You have configured some AWS VPC flow logs so that they capture network traffic across your infrastructure. Which of the following options are available as destinations that store the captured VPC flow logs? (Choose two.)
    1. Amazon S3 Bucket
    2. AWS Config
    3. Amazon Macie
    4. AWS Security Hub
    5. Kinesis Stream
    6. CloudWatch logs
  11. Which AWS support plans provide the full capabilities of AWS Trusted Advisor within your AWS account? (Choose two.)
    1. Business
    2. Developer
    3. Basic
    4. Enterprise
    5. Corporate
  12. Which of the following policies governs the maximum permissions that an identity-based policy can associate with any user or role, but does not apply permissions to users or roles themselves?
    1. Resource-based policies
    2. Organization Service Control Policies
    3. ACLs
    4. Permission boundaries
  13. One of the subnets within your VPC is configured with the following NACL:

An instance in the subnet is configured with the following security group:

Which of the following connections would be allowed?

    1. A host with an IP address of 86.171.161.10 trying to SSH to your EC2 instance
    2. An engineer using the source IP address of 86.171.161.10 trying to RDP to the EC2 instance
    3. If anyone, anywhere, was trying to use HTTP to get to the EC2 instance

Your options are as follows:

    1. 1 and 2
    2. 1, 2, and 3
    3. 3
    4. 2 and 3
    5. 1 and 3
  14. Which of the following services would fall under the abstract part of the Shared Responsibility Model? (Choose two.)
    1. Amazon Simple Queue Service (SQS)
    2. Amazon Elastic Compute Cloud (EC2)
    3. Amazon Simple Storage Service (S3)
    4. Amazon DynamoDB
    5. Amazon Relational Database Service
  15. The following AWS Organizations SCP is in place for your account:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SCPPolicy",
      "Effect": "Deny",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:DeleteRole",
        "iam:DeleteRolePermissionsBoundary",
        "iam:DeleteRolePolicy",
        "iam:DetachRolePolicy",
        "iam:PutRolePermissionsBoundary",
        "iam:PutRolePolicy",
        "iam:UpdateAssumeRolePolicy",
        "iam:UpdateRole",
        "iam:UpdateRoleDescription"
      ],
      "Resource": [
        "arn:aws:iam::*:role/IAM-Packt"
      ]
    }
  ]
}

Which statements are true? (Choose two.)

    1. All access is denied to delete all IAM roles.
    2. All access is denied to update the IAM-Packt role.
    3. All access is denied to assume the IAM-Packt role.
    4. All access is denied to DetachRolePolicy for all roles.
    5. All access is denied to DeleteRolePermissionsBoundary for the IAM-Packt role.
  16. You currently have a number of resources based within your corporate data center, and you also utilize some AWS resources within a VPC. Over the coming months, you are looking to integrate more of your on-premises solutions with the cloud. From a security perspective, your CTO wants to implement a more reliable and secure method of connecting to your VPC. Which connectivity methods would you recommend in order to maintain a higher level of security? (Choose two.)
    1. Virtual Private Gateway
    2. Virtual Private Network
    3. Direct Connect
    4. Connect Direct
    5. Customer Private Gateway
  17. Your company is looking to implement a link to AWS using AWS Direct Connect. As the solutions architect, you explain that there are a number of prerequisites that need to be met by your own internal network. Which of the following is NOT a prerequisite for Direct Connect?
    1. For authentication, your router must support both BGP and BGP MD5 authentication.
    2. Your network infrastructure MUST use single-mode fiber.
    3. The port on your device must have automatically configured speed and half-duplex mode enabled.
    4. You must ensure that you have 802.1Q VLAN encapsulation support across your network infrastructure.
  18. You have configured AWS Config rules to implement another level of compliance check. Your s3-bucket-server-side-encryption-enabled check has found five non-compliant resources. What action is taken by AWS Config?
    1. The default Amazon S3 encryption method is automatically applied to the non-compliant bucket.
    2. No further objects will be allowed to be saved in this bucket until the non-compliance associated with the bucket has been made compliant.
    3. No action will be taken; the non-compliance is for informational purposes.
    4. Objects in the non-compliant bucket will be moved to a different storage class.
  19. You have been asked to present an AWS security introduction course to some of the business managers in your organization. As part of this process, you are going to explain the AWS Shared Responsibility Model. Currently, your organization works heavily with AWS Elastic MapReduce (EMR), AWS Relational Database Service (RDS), and AWS Elastic Beanstalk (EB), so you will be focusing on the model that best represents these services. Which of the different models do these services fit into best?
    1. Infrastructure
    2. Container
    3. Abstract
    4. Platform
  20. Which statements are true regarding Amazon EC2 Key Pairs? (Choose three.)
    1. Key pairs use symmetric cryptography.
    2. Key pairs use public-key cryptography.
    3. The public key is maintained by the customer and must be downloaded.
    4. The public key encrypts the credentials.
    5. The private key decrypts credentials.
  21. Which component of AWS Systems Manager can help you gain an overview of how the resources within your resource groups are operating and integrating with the following:
    • AWS Config
    • CloudTrail
    • Personal Health Dashboard
    • Trusted Advisor

Your options are as follows:

    1. Resource Groups
    2. Run Command
    3. Built-in Insights
    4. State Manager
    5. Session Manager
  22. When implementing a VPN connection between your corporate network and your AWS VPC, which components are essential to establishing a secure connection? (Choose two.)
    1. A VPN Gateway attached to your AWS architecture
    2. A Customer Gateway attached to your AWS architecture
    3. A Private Gateway attached to your AWS architecture
    4. A VPN Gateway attached to your corporate network
    5. A Customer Gateway attached to your corporate network
    6. A Private Gateway attached to your corporate network
  23. AWS Trusted Advisor provides a "Service Limit" category. This category checks whether any of your services have reached a certain percentage or more against the allotted service limit. What is the percentage set at before an alert is triggered?
    1. 70%
    2. 75%
    3. 80%
    4. 85%
  24. You are looking to implement AWS Firewall Manager within your organization as a way to manage your WebACL across multiple AWS accounts. As a prerequisite to using this service, you have enabled AWS Config. What two other prerequisites must be met before you can use AWS Firewall Manager?
    1. Enable CloudTrail logs.
    2. Add your AWS account to an AWS organization that has ALL features enabled.
    3. Add your AWS account to an AWS organization that has consolidated billing enabled ONLY.
    4. Select your primary account to act as the Firewall Manager Administrative account.
    5. Enable AWS Shield across all AWS accounts.
  25. What is the recommended running time for an Amazon Inspector assessment?
    1. 1 hour
    2. 6 hours
    3. 12 hours
    4. 24 hours
  26. You have just updated your KMS key policy for one of your customer-managed CMKs. Within the "Allow access for Key Administrators" Sid section, you added the principal ARNs of two of your engineers so that they have the same access as the other key administrators. However, they complain that they are unable to use the CMK to perform cryptographic operations. What is the cause of this?
    1. The CMK is configured with kms:encrypt -deny.
    2. Key administrators are not able to use the CMK for cryptographic operations.
    3. The role associated with the engineers prevents the users from using KMS.
    4. You need to update the encryption policy for the CMK in the same region to provide access.
  27. Which of the following are NOT actions that can be set within an AWS Web Application Firewall rule? (Choose two.)
    1. Reject
    2. Allow
    3. Deny
    4. Block
    5. Count
  28. When using social federated access, any IdP that is OpenID Connect (OIDC) compatible can be used for authentication. Which of the following is not used for social federation?
    1. ADFS
    2. Facebook
    3. Amazon
    4. Google
  29. Which of the following security policies are NOT written in JSON format?
    1. AWS IAM identity-based policies
    2. AWS KMS key policies
    3. AWS Organizational Service Control Policies
    4. Amazon S3 ACLs
  30. You have configured Amazon Inspector to run all the rules packages against your fleet of EC2 instances, which are running on both Linux-based and Windows operating systems. After examining the findings, you notice that there are no findings for Windows-based operating systems for the "Security Best Practices" rules package. What could be the explanation for this?
    1. The Security Best Practices rules package only discovers Linux-based operating systems.
    2. There were no issues found with the Windows-based EC2 instances.
    3. The Amazon Inspector agent on the Windows-based OS was not configured to detect this rules package.
    4. The role associated with Amazon Inspector did not permit this level of access.
  31. You have configured a bastion host within the public subnet of your VPC. To connect to your Linux instances in your private subnet, you need to use the private key that is not currently stored on the bastion host. What method of connectivity can you use to gain access to the Linux instance?
    1. Copy the *.pem file from your localhost to your bastion host and then connect to your Linux instance.
    2. Use SSH forwarding.
    3. Connect to your bastion using SSL to encrypt the *.pem file, then connect to your Linux instance using the encrypted *.pem file.
    4. Use AWS Secrets Manager to maintain the *.pem files and call it using an API via the bastion host while it's connecting to your Linux instance.
  32. You need to retrieve a secret stored in AWS Secrets Manager to gain access to an RDS database. You do not have access to the AWS Management Console, so you need to retrieve it programmatically. Which command should you use for this when using the AWS CLI?
    1. get-secret-value-rds
    2. get-rds-secret-value
    3. get-rds-value
    4. get-secret-value
  33. Which of the following services and features of AWS do NOT offer DDoS protection or mitigation? (Choose one.)
    1. AWS CloudTrail
    2. Application Load Balancer
    3. Amazon CloudFront
    4. Amazon Route 53
    5. AWS WAF
  34. To provide a single-pane-of-glass approach to the security notifications across your accounts, your organization has decided to implement AWS Security Hub. The first step of activating this service requires you to select a security standard. Which standards are available for you to select? (Choose two.)
    1. CIS AWS Foundations Benchmark
    2. PCI DSS
    3. ISO
    4. FedRamp
    5. SOC 2
  35. To simplify authentication to specific AWS resources, you have decided to implement Web Identity Federation. Prior to configuration, what information do you need to obtain from the IdP first?
    1. Federated Sequence ID
    2. Federation Number
    3. Application ID/Audience
    4. Application Notice
  36. Which AWS VPC secure networking component is being described here?
“A hardened EC2 instance with restrictive controls that acts as an ingress gateway between the internet and your private subnets without directly exchanging packets between the two environments.”
    1. Bastion Host
    2. NAT gateway
    3. NAT Instance
    4. Internet Gateway
  37. When trying to protect web applications, there are many different attacks that can be experienced, as explained within the OWASP Top 10. Which type of attack is being described here?
“These are malicious scripts that are embedded in seemingly trusted web pages that the browser then executes. This can then allow a malicious attacker to gain access to any sensitive client-side data, such as cookie information.”
    1. SQL injection attack
    2. String and regex matching
    3. Cross-Site Scripting (XSS)
    4. Broken access control
  38. One of the key components of Amazon Macie is how it classifies data to help determine its level of sensitivity and criticality to your business through a series of automatic content classification mechanisms. It performs its classification using the object-level API data events it collects from CloudTrail logs. Currently, there are five levels of classification, but one of them is hidden from the console. Which one?
    1. Content type
    2. Support vector machine-based
    3. Theme
    4. File extension
    5. Regex
  39. Using Amazon Macie, you need to classify your S3 data based on a list of predefined keywords that exist within the actual content of the object being stored. What would be the best content classification type to use to capture this information?
    1. Theme
    2. File Extension
    3. Regex
    4. Content type
  40. When working with cross-account access, you must configure a Trusting account and a Trusted account. A user, "Stuart", in account A needs to gain access to an Amazon RDS database in account B, so cross-account access needs to be configured. Which steps need to take place? (Choose two.)
    1. From the Trusting account, create a cross-account access role.
    2. From the Trusted account, create a cross-account access role.
    3. Create a policy to assume the role in the Trusted account.
    4. Create a policy to assume the role in the Trusting account.
  41. You are responsible for designing security solutions for protecting web applications using AWS Web Application Firewall. During a meeting with senior management, you are asked to highlight the core elements that construct the service. Which components would you highlight to the team? (Choose three.)
    1. Conditions
    2. Values
    3. Rules
    4. Web ACLs
    5. Thresholds
  42. Which of the following traffic types are NOT captured by VPC flow logs?
    1. Ingress traffic to private subnets
    2. Egress traffic from public subnets
    3. Traffic to the reserved IP address for the default VPC router
    4. Traffic to the private IPv4 address of a NAT gateway
  43. Which is NOT a method of installing the Amazon Inspector agent?
    1. A manual install via a script being run on the instance
    2. Using the Run Command from within Systems Manager
    3. Installing the agent as a part of the initial assessment when defining your target
    4. Using an Amazon AMI that already has the agent installed
    5. Using the Deploy command from AWS Security Hub
  44. Amazon GuardDuty has the ability to perform remediation of findings through automation. Which AWS service or feature does GuardDuty integrate with to allow this?
    1. AWS Security Hub
    2. AWS CloudWatch Events
    3. AWS CloudTrail
    4. AWS KMS
  45. Your organization requires the use of MFA, but virtual MFA devices are not allowed. What other device options could you use? (Choose two.)
    1. U2F Security Keys
    2. Gemalto Token
    3. CMK keys
    4. SCP Token
    5. GuardDuty Security Keys
  46. When AWS evaluates the permissions of an IAM user, a level of policy evaluation logic is applied to determine their resulting permission level. Which order are policies evaluated in?
    1. Resource-based, Identity-based, IAM Permission boundaries, and SCPs
    2. IAM Permission boundaries, Identity-based, Resource-based, and SCPs
    3. Identity-based, Resource-based, IAM Permission boundaries, and SCPs
    4. SCPs, Identity-based, Resource-based, and IAM Permission boundaries
  47. Your systems engineers explain that they have deleted a key pair from the EC2 management console. However, they can still connect to EC2 instances that had this key pair associated with the instance. They are confused as to how this connectivity is still possible, even though the key pair was deleted. What explanation do you give them?
    1. When you delete a key pair from the EC2 Management Console, it will automatically reinstate it if AWS detects it is currently associated with existing EC2 instances to maintain connectivity.
    2. When you delete a key pair from the EC2 Management Console, it just deletes the copy of the public key that AWS holds; it does not delete the public keys that are attached to existing EC2 instances.
    3. When you delete a key pair from the EC2 Management Console, it removes the associated public key from the EC2 instance. It also allows open access until you create another key pair to associate with the instance.
    4. When you attempt to delete an active key pair from the EC2 Management Console, it is marked with a "hidden" tag, but NOT deleted. Only inactive key pairs are removed from the console.
  48. As the lead security engineer, you have been asked to review how credentials associated with your RDS databases are managed and to ensure that no details are hardcoded within your processes and applications. You need to implement a solution that offers greater protection and also enables the automatic rotation of credentials. Which services would you be using within your solution?
    1. AWS Security Hub with AWS KMS integration
    2. AWS Config with AWS Lambda and AWS KMS integration
    3. AWS Trusted Advisor with AWS KMS integration
    4. AWS Security Systems Manager with AWS Lambda integration
    5. AWS Secrets Manager with AWS KMS and AWS Lambda integration
  49. S3 object-level logging integrates with which other AWS service component to record both read and write API activity?
    1. AWS CloudWatch Events
    2. AWS CloudTrail Data events
    3. AWS Config Rules
    4. AWS Trusted Advisor
  50. As the AWS security lead, you are concerned that your IAM users have overly permissive permissions. Which element of IAM would you check to determine which permissions were not being used, allowing you to implement the principle of least privilege?
    1. Permissions
    2. Policy Usage
    3. Policy Versions
    4. Access Advisor
  51. You have been asked by your CTO to provide a list of all the EC2 instances within your production network that have missing patches. Which approach would be best to obtain this list?
    1. Use AWS Config to find a list of non-compliant patches across your EC2 fleet.
    2. Search AWS CloudTrail Patch logs to determine which patches are missing.
    3. Use Patch Manager within AWS Systems Manager.
    4. Query the patch versions using Amazon CloudWatch metrics.
  52. The security perspective of the AWS Cloud Adoption Framework covers four primary control areas: Directive controls, preventive controls, detective controls, and which other?
    1. Responsive controls
    2. Reactive controls
    3. Security controls
    4. Access controls
  53. To maintain a high level of security, a VPN connection consists of two ________ tunnels, allowing a cryptographic method of communication between two endpoints. Select the missing word:
    1. SSL
    2. TLS
    3. IPsec
    4. AES256
  54. A team of developers is currently assuming a role that has AmazonS3FullAccess permissions, in addition to varying levels of permissions to Amazon CloudWatch, Amazon SQS, AWS Lambda, and Amazon SNS. However, temporarily, you need to limit the developers in your AWS account to only read-only access to Amazon S3 while maintaining all other permissions. Which method would be best for this that also has the least administrative effort?
    1. Create a new role with the same access to Amazon CloudWatch, Amazon SQS, AWS Lambda, and Amazon SNS, in addition to AmazonS3ReadOnlyAccess.
    2. Set an in-line policy against the role with AmazonS3ReadOnlyAccess.
    3. Set a permission boundary against the role with AmazonS3ReadOnlyAccess.
    4. Set an AWS Organizations policy to AmazonS3ReadOnlyAccess and associate it with the AWS account containing the developers.
  55. When working with the security components of VPCs, there are some key elements: Network Access Control Lists and security groups. Understanding the difference between them is key. Which of the following statements are true? (Choose three.)
    1. NACLs are stateless.
    2. Security groups are stateless.
    3. There are no Deny rules for security groups.
    4. There are no Deny rules for NACLs.
    5. There is a Rule# field for NACLs.
    6. There is a Rule# field for security groups.
  56. In a three-way handshake, where a client and server are establishing a connection, which is the correct order for the operations to be carried out in?
    1. Syn, Syn-Ack, Ack
    2. Syn-Ack, Syn, Ack
    3. Ack, Syn, Syn, Ack
    4. Syn, Ack, Syn, Ack
  57. Working at a mobile gaming company, you have just launched a new game with the hope that it will go viral. Using Amazon Cognito, you assigned permissions to users so that they can access the AWS resources that are used within the mobile app by using temporary credentials. This access can be granted to both federated users and anonymous guest users. Which component of Amazon Cognito enables you to assign permissions?
    1. User Pools
    2. Resource Pools
    3. Identity Pools
    4. IAM Pools
  58. What action is being carried out against AWS Secrets Manager using this AWS CLI command?
aws secretsmanager put-resource-policy --secret-id My_RDS_Secret --resource-policy file://resource.json
    1. An identity-based policy is being applied to a group named My_RDS_secret.
    2. A resource-based policy is being applied to a secret named My_RDS_Secret.
    3. A resource-based policy named My_RDS_secret is being applied to a secret named resource.json.
    4. An identity-based policy is being applied to a secret named My_RDS_Secret using the resource.json resource policy file.
  59. From a threat detection and management perspective, which AWS service would you use to provide a single-pane-of-glass view across your infrastructure, thus bringing all of your security statistical data into a single place and presented in a series of tables and graphs?
    1. Amazon GuardDuty
    2. Amazon Detective
    3. Amazon Macie
    4. AWS Security Hub
  60. You have just completed a large deployment of patches to your EC2 instances to ensure they all have the latest patches to minimize security vulnerabilities across your fleet. Your manager has asked you for compliance data to confirm your environment meets the patching criteria set out by the business. Which methods can be used to view compliance data? (Choose three.)
    1. AWS Systems Manager Artifact
    2. AWS Systems Manager Explorer
    3. AWS Systems Manager Configuration Compliance
    4. AWS Systems Manager Managed Instances
  61. You have been asked to implement an additional level of security within some of your IAM identity-based policies to restrict access based on the source IP address of 10.0.0.0/16 of the request. What optional parameter could you add to the policies to enforce this restriction?
    1. "Criteria": {
         "IpAddress": {
           "aws:SourceIp": "10.0.0.0/16"
         }
       }
    2. "Condition": {
         "IpAddress": {
           "aws:SourceIp": "10.0.0.0/16"
         }
       }
    3. "State": {
         "IpAddress": {
           "aws:SourceIp": "10.0.0.0/16"
         }
       }
    4. "Context": {
         "IpAddress": {
           "aws:SourceIp": "10.0.0.0/16"
         }
       }
  62. To enhance the security of your APIs that are being used with the AWS API Gateway service, which method can't be used to control authentication and authorization?
    1. Resource-based policies
    2. VPC Endpoint Policies
    3. Lambda Authorizers
    4. AWS Config Rules
  63. Which AWS service can be used during SAML Federation connectivity to your AWS Management Console to gain temporary credentials and to create a console sign-in URL using the credentials generated by the service?
    1. AWS SQS
    2. AWS STS
    3. AWS SWS
    4. AWS SNS
  64. To help you maintain a consistent and measurable condition of your EC2 instances, such as network settings, the installation of agents, and joining a Windows domain, you look to use AWS Systems Manager to help you manage operations. Which element of the service would you use to maintain these settings?
    1. State Manager
    2. Session Manager
    3. Resource Groups
    4. Patch Manager
  65. You have to meet a requirement that states you must allow your private instances to access the internet. The solution must be highly available and involve minimal maintenance, and it must also have high bandwidth capabilities. A secure method of implementing this access would be to implement a NAT. Which NAT would you implement to meet these requirements?
    1. NAT Threshold
    2. NAT Instance
    3. NAT gateway
    4. NAT Transit

Answers

1: 1
2: 3
3: 1,2,5
4: 3
5: 2
6: 3,4
7: 4
8: 4
9: 3,4,6
10: 1,6
11: 1,4
12: 4
13: 4
14: 1,3,4
15: 2,5
16: 2,4
17: 3
18: 3
19: 2
20: 2,4,5
21: 3
22: 1,5
23: 4
24: 2,4
25: 4
26: 2
27: 1,3
28: 1
29: 4
30: 1
31: 2
32: 4
33: 1
34: 1,2
35: 3
36: 1
37: 3
38: 2
39: 1
40: 1,3
41: 1,3,4
42: 3
43: 4
44: 2
45: 1,2
46: 3
47: 2
48: 5
49: 2
50: 4
51: 3
52: 1
53: 3
54: 3
55: 1,3,5
56: 1
57: 3
58: 2
59: 4
60: 2,3,4
61: 2
62: 4
63: 2
64: 1
65: 3
