Chapter 3
Domain 3: Specify Secure Applications and Architectures

  1. ✓ Subdomain: 3.1 Determine how to secure application tiers.
  2. ✓ Subdomain: 3.2 Determine how to secure data.
  3. ✓ Subdomain: 3.3 Define the networking infrastructure for a single VPC application.

Review Questions

  1. When creating a new security group, which of the following are true? (Choose two.)

    1. All inbound traffic is allowed by default.
    2. All outbound traffic is allowed by default.
    3. Connections that are allowed in must also explicitly be allowed back out.
    4. Connections that are allowed in are automatically allowed back out.

  2. You have a government-regulated system that will store a large amount of data on S3 standard. You must encrypt all data and preserve a clear audit trail for traceability and third-party auditing. Security policies dictate that encryption must be consistent across the entire data store. Which of the following encryption approaches would be best?

    1. SSE-C
    2. SSE-KMS
    3. SSE-C
    4. Encrypt the data prior to upload to S3 and decrypt the data when returning it to the client.

  3. You are creating a bastion host to allow SSH access to a set of EC2 instances in a private subnet within your organization’s VPC. Which of the following should be done as part of configuring the bastion host? (Choose two.)

    1. Ensure that the bastion host is exposed directly to the Internet.
    2. Place the bastion host within the private subnet.
    3. Add a route from the bastion host IP into the private subnet into the subnet’s NACLs.
    4. Ensure that the bastion host is within the same security group as the hosts within the private subnet.

  4. Which of the following are invalid IAM actions? (Choose two.)

    1. Limiting the root account SSH access to all EC2 instances
    2. Allowing a user account SSH access to all EC2 instances
    3. Removing console access for the root account
    4. Removing console access for all non-root user accounts

  5. Which of the following statements is true?

    1. You should store application keys only in your application’s .aws file.
    2. You should never store your application keys on an instance, in an AMI, or anywhere else permanent on the cloud.
    3. You should only store application keys in an encrypted AMI.
    4. You should only use your application key to log in to the AWS console.

  6. Your company is setting up a VPN connection to connect its local network to an AWS VPC. Which of the following components are not necessary for this setup? (Choose two.)

    1. A NAT instance
    2. A virtual private gateway
    3. A private subnet in the AWS VPC
    4. A customer gateway

  7. You have a private subnet in a VPC within AWS. The instances within the subnet are unable to access the Internet. You have created a NAT gateway to solve this problem. What additional steps do you need to perform to allow the instances Internet access? (Choose two.)

    1. Ensure that the NAT gateway is in the same subnet as the instances that cannot access the Internet.
    2. Add a route in the private subnet to route traffic aimed at 0.0.0.0/0 at the NAT gateway.
    3. Add a route in the public subnet to route traffic aimed at 0.0.0.0/0 at the NAT gateway.
    4. Ensure that the NAT gateway is in a public subnet.

  8. Which of the following statements regarding NAT instances and NAT gateways are false? (Choose two.)

    1. Both NAT instances and NAT gateways are highly available.
    2. You must choose the instance type and size when creating a NAT gateway but not when creating a NAT instance.
    3. It is your responsibility to patch a NAT instance and AWS’s responsibility to patch a NAT gateway.
    4. You assign a security group to a NAT instance but not to a NAT gateway.

  9. Which of the following statements is true?

    1. A VPC’s default NACLs allow all inbound and outbound traffic.
    2. NACLs are stateful.
    3. Security groups are stateless.
    4. Traffic allowed into a NACL is automatically allowed back out.

  10. You have changed the permissions associated with a role, and that role is assigned to an existing running EC2 instance. When will the permissions you updated take effect for the instance?

    1. Immediately
    2. Within 5 minutes
    3. Within 1 hour
    4. The next time the EC2 instance is restarted

  11. Which of the following statements is true?

    1. When creating a new security group, by default, all traffic is allowed in, including SSH.
    2. If you need inbound HTTP and HTTPS access, create a new security group and accept the default settings.
    3. You must explicitly allow any inbound traffic into a new security group.
    4. Security groups are stateless.

  12. Which of the following statements is not true?

    1. When creating a new security group, by default, no inbound traffic is allowed.
    2. When creating a new security group, by default, all traffic is allowed out, including SSH.
    3. When creating a new security group, by default, all traffic is allowed out, with the exception of SSH.
    4. When creating a new security group, inbound HTTPS traffic is not allowed.

  13. How would you enable encryption of your EBS volumes?

    1. Use the AWS CLI with the aws security command.
    2. Take a snapshot of the EBS volume and copy it to an encrypted S3 bucket.
    3. Select the encryption option when creating the EBS volume.
    4. Encrypt the volume using the encryption tools of the operating system of the EC2 instance that has mounted the EBS volume.

  14. What types of rules does a security group allow? (Choose two.)

    1. Allow rules
    2. Prevent rules
    3. Deny rules
    4. Inbound rules

  15. Which of the following are true about security groups? (Choose two.)

    1. You can specify deny rules, but not allow rules.
    2. By default, a security group includes an outbound rule that allows all outbound traffic.
    3. You can specify specific separate rules for inbound and outbound traffic.
    4. Security groups are stateless.

  16. Which of the following are not true about security groups? (Choose two.)

    1. Allow rules take priority over deny rules.
    2. Responses to allowed inbound traffic are allowed to flow back out.
    3. You can specify specific separate rules for inbound and outbound traffic.
    4. If there are no outbound rules, then all outbound traffic is allowed to flow out.

  17. Which of the following must a security group have when you create it? (Choose two.)

    1. At least one inbound rule
    2. A name
    3. A description
    4. At least one outbound rule

  18. Which of the following is a security group associated with?

    1. An ELB
    2. A network interface
    3. An ALB
    4. A network access list

  19. Which of the following are default rules on a default security group, such as the one that comes with the default VPC? (Choose two.)

    1. Outbound: 0.0.0.0/0 for all protocols allowed
    2. Inbound: 0.0.0.0/0 for all protocols allowed
    3. Outbound: ::/0 for all protocols allowed
    4. Inbound: ::/0 for all protocols allowed

  20. Which of the following are parts of a security group rule? (Choose two.)

    1. A protocol
    2. A subnet
    3. An instance ID
    4. A description

  21. Which of the following allows you to securely upload data to S3? (Choose two.)

    1. HTTP endpoints using HTTP
    2. SSL endpoints using HTTPS
    3. HTTP endpoints using HTTPS
    4. SSL endpoints using HTTP

  22. Which of the following describes client-side encryption for S3 bucket data?

    1. You encrypt and upload data to S3, managing the encryption process yourself.
    2. You encrypt and upload data to S3, allowing AWS to manage the encryption process.
    3. You request AWS to encrypt an object before saving it to S3.
    4. You encrypt an object, but AWS uploads and decrypts the object.

  23. Which of the following describes server-side encryption for S3 bucket data?

    1. You encrypt and upload data to S3, managing the encryption process yourself.
    2. You encrypt and upload data to S3, allowing AWS to manage the encryption process.
    3. You request AWS to encrypt an object before saving it to S3.
    4. You encrypt an object, but AWS uploads and decrypts the object.

  24. Which of the following are valid steps in enabling client-side encryption for S3? (Choose two.)

    1. Download the AWS CLI and SSH to your S3 key store.
    2. Use a KMS-managed customer master key.
    3. Download an AWS SDK for encrypting data on the client side.
    4. Turn on bucket encryption for the target S3 buckets.

  25. Which of the following is not a way to manage server-side encryption keys for S3?

    1. SSE-S3
    2. SSE-KMS
    3. SSE-E
    4. SSE-C

  26. Which of the following encryption key management options is best for ensuring strong audit trails?

    1. SSE-S3
    2. SSE-KMS
    3. Client-side encryption keys
    4. SSE-C

  27. Which of the following encryption key management options is best for managing keys but allowing S3 to handle the actual encryption of data?

    1. SSE-S3
    2. SSE-KMS
    3. Client-side encryption keys
    4. SSE-C

  28. You have a customer that has a legacy security group that is very suspicious of all things security in the cloud. The customer wants to use S3, but doesn’t trust AWS encryption, and you need to enable its migration to the cloud. What option would you recommend to address the company’s concerns?

    1. SSE-S3
    2. SSE-KMS
    3. Client-side encryption keys
    4. SSE-C

  29. You want to begin encrypting your S3 data, but your organization is new to encryption. Which option is a low-cost approach that still offloads most of the work to AWS rather than the organization new to encryption?

    1. SSE-S3
    2. SSE-KMS
    3. Client-side encryption keys
    4. SSE-C

  30. You are the architect for a company whose data must comply with current EU privacy restrictions. Which of the following S3 buckets are valid options? (Choose two.)

    1. Buckets in EU Central 1
    2. Buckets in US East 2
    3. Buckets in EU West 1
    4. Buckets in SA East 1

  31. Which of the following options could be used to provide availability-zone-resilient fault-tolerant storage that complies with EU privacy laws? (Choose two.)

    1. S3 buckets in US West 1
    2. S3 buckets in EU West 2
    3. S3-IA buckets in EU Central 1
    4. S3 One Zone-IA buckets in EU-West-1

  32. What type of replication will your Multi-AZ RDS instances use?

    1. Offline replication
    2. Synchronous replication
    3. Push replication
    4. Asynchronous replication

  33. You want to provide maximum protection against data in your S3 object storage being deleted accidentally. What should you do?

    1. Enable versioning on your EBS volumes.
    2. Turn on MFA Delete on your S3 buckets.
    3. Set up a Lambda job to monitor and block delete requests to S3.
    4. Turn off the DELETE endpoints on the S3 REST API.

  34. You want to provide maximum protection against data in your S3 object storage being deleted accidentally. What steps should you take? (Choose two.)

    1. Enable versioning on your S3 buckets.
    2. Turn on MFA Delete on your S3 buckets.
    3. Enable versioning in CloudWatch’s S3 API.
    4. Remove IAM permissions for deleting objects for all users.

  35. You want to enable MFA Delete on your S3 buckets in the US East 1 region. What step must you take before enabling MFA Delete?

    1. Disable the REST API for the buckets on which you want MFA Delete.
    2. Enable cross-region replication on the buckets on which you want MFA Delete.
    3. Move the buckets to a region that supports MFA Delete, such as US West 1.
    4. Enable versioning on the buckets on which you want MFA Delete.

  36. What is AWS Trusted Advisor?

    1. An online resource to help you improve performance
    2. An online resource to help you reduce cost
    3. An online resource to help you improve security
    4. All of the above

  37. On which of the following does AWS Trusted Advisor not provide recommendations?

    1. Reducing cost
    2. Improving fault tolerance
    3. Improving security
    4. Organizing accounts

  38. Which of the following are included in the core AWS Trusted Advisor checks? (Choose two.)

    1. S3 bucket permissions
    2. MFA on root account
    3. Quantity of CloudWatch alarms
    4. Use of VPC endpoints

  39. Which of the following recommendations might AWS Trusted Advisor make? (Choose two.)

    1. Turn on MFA for the root account.
    2. Turn on antivirus protection for EC2 instances.
    3. Update S3 buckets with public write access.
    4. Update NAT instances to NAT gateways.

  40. Which of the following is not possible using IAM policies?

    1. Requiring MFA for the root account
    2. Denying the root account access to EC2 instances
    3. Disabling S3 access for users in a group
    4. Restricting SSH access to EC2 instances to a specific user

  41. Which of the following are not true about S3 encryption? (Choose two.)

    1. S3 applies AWS-256 encryption to data when server-side encryption is enabled.
    2. S3 encryption will use a client key if it is supplied with data.
    3. Encrypted EBS volumes can only be stored if server-side encryption is enabled.
    4. S3 will accept locally encrypted data if client-side encryption is enabled.

  42. What types of data are encrypted when you create an encrypted EBS volume? (Choose two.)

    1. Data at rest inside the volume
    2. Data moving between the volume and the attached instance
    3. Data inside S3 buckets that store the encrypted instance
    4. Data in an EFS on instances attached to the volume

  43. What types of data are not automatically encrypted when you create an encrypted EBS volume? (Choose two.)

    1. A snapshot created from the EBS volume
    2. Any data on additional volumes attached to the same instance as the encrypted volume
    3. Data created on an instance that has the encrypted volume attached
    4. Data moving between the volume and the attached instance

  44. What of the following types of data is not encrypted automatically when an encrypted EBS volume is attached to an EC2 instance?

    1. Data in transit to the volume
    2. Data at rest on the volume
    3. Data in transit from the volume
    4. All of these are encrypted.

  45. What encryption service is used by encrypted EBS volumes?

    1. S3-KMS
    2. S3-C
    3. KMS
    4. Customer-managed keys

  46. How can you access the private IP address of a running EC2 instance?

    1. http://169.254.169.254/latest/user-data/
    2. http://169.254.169.254/latest/instance-data/
    3. http://169.254.169.254/latest/meta-data/
    4. http://169.254.169.254/latest/ec2-data/

  47. If you take a snapshot of an encrypted EBS volume, which of the following will be true? (Choose two.)

    1. The snapshot will be encrypted.
    2. All data on the bucket on which the snapshot is stored will be encrypted.
    3. Any instances using the snapshot will be encrypted.
    4. Any volumes created from the snapshot will be encrypted.

  48. If you take a snapshot of an encrypted EBS volume, which of the following must you do to use that snapshot as a volume in a separate region? (Choose two.)

    1. Copy the snapshot to the new region.
    2. Delete the snapshot from the old region.
    3. Unencrypt the snapshot once it is in the new region.
    4. Create a new volume from the snapshot in the new region.

  49. How do you encrypt an RDS instance?

    1. Enable encryption on the running instance via the CLI.
    2. Enable encryption on the running instance via the console.
    3. Run the encryption process on the running instance via the console.
    4. Enable encryption when creating the instance.

  50. Which of the following will ensure that data on your RDS instance is encrypted?

    1. Use client-side encryption keys.
    2. Enable encryption on the running RDS instance via the AWS API.
    3. Encrypt the instance on which RDS is running.
    4. None of these will encrypt all data on the instance.

  51. Which of the following will allow you to bring a non-encrypted RDS instance into compliance with an “all data must be encrypted at rest” policy?

    1. Snapshot the RDS instance and restore it, encrypting the new copy upon restoration.
    2. Use the AWS Database Migration Service to migrate the data from the instance to an encrypted instance.
    3. Create a new encrypted instance and manually move data into it.
    4. None of these will encrypt all data on the instance.

  52. Which of the following will allow you to bring a non-encrypted EBS volume into compliance with an “all data must be encrypted at rest” policy?

    1. Stop the volume, snapshot it, and encrypt a copy of the snapshot. Then restore from the encrypted snapshot.
    2. Stop the volume, select “Turn on encryption,” and restart the volume.
    3. Encrypt the volume via the AWS API and turn on the “encrypt existing data” flag.
    4. None of these will encrypt all data on the volume.

  53. Which of the following will allow you to bring a non-encrypted EBS volume into compliance with an “all data must be encrypted at rest” policy?

    1. Stop the volume, create a snapshot, and restart from the snapshot, selecting “Encrypt this volume.”
    2. Stop the volume, select “Turn on encryption,” and restart the volume.
    3. Encrypt the volume via the AWS API and turn on the “encrypt existing data” flag.
    4. None of these will encrypt all data on the volume.

  54. Which of the following will allow you to bring a non-encrypted EBS volume into compliance with an “all data must be encrypted at rest” policy?

    1. Create a new volume, attach the new volume to an EC2 instance, copy the data from the non-encrypted volume to the new volume, and then encrypt the new volume.
    2. Create a new volume with encryption turned on, attach the new volume to an EC2 instance, and copy the data from the non-encrypted volume to the new volume.
    3. Create a new volume, attach the new volume to an EC2 instance, and use the encrypted-copy command to copy the data from the non-encrypted volume to the new volume.
    4. None of these will encrypt all data on the volume.

  55. Which of the following are valid options on an EBS volume? (Choose two.)

    1. Encrypt the volume.
    2. Encrypt a snapshot of the volume.
    3. Encrypt a copy of a snapshot of the volume.
    4. Restore an encrypted snapshot to an encrypted volume.

  56. Which of the following are not true about EBS snapshots? (Choose two.)

    1. Snapshots of encrypted volumes are automatically encrypted.
    2. When you copy an encrypted snapshot, the copy is not encrypted unless you explicitly specify.
    3. You cannot copy an encrypted snapshot unless you unencrypt the snapshot first.
    4. Volumes that are created from encrypted snapshots are automatically encrypted.

  57. Can you copy a snapshot across AWS accounts?

    1. Yes
    2. Yes, but you first have to modify the snapshot’s access permissions.
    3. Yes, but you have to be the owner of both AWS accounts.
    4. No

  58. You have a snapshot of an EBS volume in US East 2. You want to create a volume from this snapshot in US West 1. Is this possible?

    1. Yes, create the volume in US West 1 based upon the snapshot in US East 2.
    2. Yes, but you’ll need to copy the snapshot to US West 1 first.
    3. Yes, but you’ll need to create the instance in US East 2 and then move it to US West 1.
    4. No

  59. Can you copy an EBS snapshot across regions?

    1. Yes, as long as the snapshot is not encrypted.
    2. Yes, as long as the snapshot is marked for multi-region use.
    3. Yes
    4. No

  60. Which of the following does a security group attached to an instance control? (Choose two.)

    1. Inbound traffic
    2. HTTP error messages
    3. Outbound traffic
    4. Access control lists

  61. How many security groups can you attach to a single instance in a VPC?

    1. None, security groups aren’t attached to instances.
    2. 1
    3. 1 or more
    4. 2 or more

  62. Which of the following can be added to a VPC, in addition to security groups on included instances, to further secure the VPC?

    1. A NACL
    2. A port filter
    3. An ALB
    4. A flow log

  63. Which of the following statements is true about a custom, user-created NACL?

    1. A NACL by default allows all traffic out of a VPC.
    2. A NACL by default allows all traffic into a VPC.
    3. A NACL is a virtual firewall for associated subnets.
    4. A NACL functions at the instance level.

  64. What do you use to permit and restrict control of a NACL?

    1. VPC
    2. WAF
    3. AWS Organizations
    4. IAM

  65. Which of these are true about security groups? (Choose two.)

    1. Support allow and deny rules
    2. Evaluate all rules before deciding whether to allow traffic
    3. Operate at the instance level
    4. Apply to all instances in the associated subnet

  66. Which of these are true about security groups? (Choose two.)

    1. Stateful
    2. Stateless
    3. Process rules in order
    4. Associated with an instance

  67. Which of these are true about NACLs? (Choose two.)

    1. Stateful
    2. Stateless
    3. Process rules in order
    4. Associated with an instance

  68. Which of these are true about NACLs? (Choose two.)

    1. Apply to all instances in an associated subnet
    2. Only apply if no security group is present
    3. Support allow and deny rules
    4. Evaluate all rules before deciding whether to allow or disallow traffic

  69. In which order are NACLs and security groups evaluated?

    1. NACLs and security groups are evaluated in parallel.
    2. A NACL is evaluated first, and then the security group.
    3. A security group is evaluated first, and then the NACL.
    4. It depends on the VPC setup.

  70. Which of these statements are true? (Choose two.)

    1. A security group can apply to two instances at the same time.
    2. A NACL applies to all instances within a subnet at the same time.
    3. A security group can apply to only one instance at the same time.
    4. A NACL can apply to only one instance at the same time.

  71. With which of the following is a NACL associated?

    1. An instance
    2. A subnet
    3. A VPC
    4. A NACL can be associated with all of these.

  72. Which of the following are true about the default NACL that comes with the default VPC? (Choose two.)

    1. It allows all inbound traffic.
    2. It allows all outbound traffic.
    3. It disallows all inbound traffic.
    4. It disallows all outbound traffic.

  73. Which of the following are true about a user-created NACL? (Choose two.)

    1. It allows all inbound traffic.
    2. It allows all outbound traffic.
    3. It disallows all inbound traffic.
    4. It disallows all outbound traffic.

  74. In which order are rules in a NACL evaluated?

    1. From low to high, using the number on the rule
    2. From high to low, using the number on the rule
    3. From low to high, using the port of the rule
    4. From high to low, using the port of the rule

  75. Which of the following statements is not true? (Choose two.)

    1. A network ACL has separate inbound and outbound rules.
    2. Network ACLs are stateful.
    3. Each subnet in your VPC must be associated with a NACL.
    4. A network ACL can only be associated with a single subnet.

  76. With how many subnets can a NACL be associated?

    1. One
    2. One or more
    3. A NACL is associated with instances, not subnets.
    4. A NACL is associated with VPCs, not subnets.

  77. With how many NACLs can a subnet be associated?

    1. One
    2. One or more
    3. A subnet is associated with security groups, not NACLs.
    4. A subnet is associated with VPCs, not NACLs.

  78. What happens when you associate a NACL with a subnet that already is associated with a different NACL?

    1. Nothing, both NACLs are associated with the subnet.
    2. You receive an error. You must remove the first NACL to associate the new one.
    3. You receive an error. You must first merge the two NACLs to apply them to a subnet.
    4. The new NACL replaces the previous NACL, and the subnet still only has one NACL association.

  79. Which of the following are part of a network ACL rule? (Choose two.)

    1. An ASCII code
    2. A rule number
    3. An IAM group
    4. A protocol

  80. Which of the following are part of a network ACL rule? (Choose two.)

    1. An ALLOW or DENY specification
    2. A CIDR range
    3. An IP address
    4. A VPC identifier

  81. Which of the following inbound rules of a custom NACL would be evaluated first?

    1. Rule #800 // HTTP // TCP // 80 // 0.0.0.0/0 -> ALLOW.
    2. Rule #100 // HTTPS // TCP // 443 // 0.0.0.0/0 -> ALLOW.
    3. Rule * // All // All // All // 0.0.0.0/0 -> DENY.
    4. Rule #130 // RDP // TCP // 3389 // 192.0.2.0/24 -> ALLOW.

  82. If all of the following inbound rules existed on a custom NACL, would SSH traffic be allowed?

    • Rule #800 // HTTP // TCP // 80 // 0.0.0.0/0 -> ALLOW
    • Rule #100 // HTTPS // TCP // 443 // 0.0.0.0/0 -> ALLOW
    • Rule * // All // All // All // 0.0.0.0/0 -> DENY
    • Rule #130 // RDP // TCP // 3389 // 192.0.2.0/24 -> ALLOW

    1. Yes, SSH is included as a default protocol on NACLs.
    2. Yes, SSH is included in the HTTPS protocol.
    3. Only if the SSH access permission in IAM is granted.
    4. No

  83. If all of the following inbound rules existed on the default VPC’s default NACL, would SSH traffic be allowed?

    • Rule #800 // HTTP // TCP // 80 // 0.0.0.0/0 -> ALLOW
    • Rule #100 // HTTPS // TCP // 443 // 0.0.0.0/0 -> ALLOW

    1. Yes, the default VPC’s default NACL allows all inbound traffic by default.
    2. Yes, SSH is included in the HTTPS protocol.
    3. Only if the SSH access permission in IAM is granted.
    4. No

  84. If all of the following inbound rules existed on a custom NACL, would SSH traffic be allowed?

    • Rule #800 // HTTP // TCP // 80 // 0.0.0.0/0 -> ALLOW
    • Rule #100 // HTTPS // TCP // 443 // 0.0.0.0/0 -> ALLOW
    • Rule #140 // All // All // All // 0.0.0.0/0 -> DENY
    • Rule #120 // SSH // TCP // 22 // 192.0.2.0/24 -> ALLOW

    1. Yes
    2. Yes, but only from the CIDR block 192.0.2.0/24.
    3. Only if the SSH access permission in IAM is granted.
    4. No

  85. If all of the following inbound rules existed on a custom NACL, would SSH traffic be allowed?

    • Rule #800 // HTTP // TCP // 80 // 0.0.0.0/0 -> ALLOW
    • Rule #100 // HTTPS // TCP // 443 // 0.0.0.0/0 -> ALLOW
    • Rule #110 // All // All // All // 0.0.0.0/0 -> DENY
    • Rule #120 // SSH // TCP // 22 // 192.0.2.0/24 -> ALLOW

    1. Yes
    2. Yes, but only from the CIDR block 192.0.2.0/24.
    3. Only if the SSH access permission in IAM is granted.
    4. No

  86. Which of the following is the most accurate statement about what the following inbound rule on a NACL will do?

    • Rule #120 // SSH // TCP // 22 // 192.0.2.0/24 -> ALLOW

    1. Allows inbound SSH traffic to the associated subnets
    2. Allows inbound TCP traffic to the associated subnets
    3. Allows inbound TCP traffic to the associated subnets from the CIDR block 192.0.2.0/24
    4. Allows inbound SSH traffic to the associated subnets from the CIDR block 192.0.2.0/24

  87. Which of the following is the most accurate statement about what the following inbound rule on a NACL will do?

    • Rule #120 // HTTP // TCP // 80 // 0.0.0.0/0 -> ALLOW

    1. Allows inbound HTTP traffic to the associated subnets
    2. Allows inbound IPv4 HTTP traffic to the associated subnets as long as it is not prevented by lower-numbered rules
    3. Allows inbound IPv4 HTTP traffic to the associated subnets
    4. Allows inbound IPv4 TCP traffic to the associated subnets

  88. What does the CIDR block 0.0.0.0/0 represent?

    1. The entire Internet
    2. The entire Internet, limited to IPv4 addresses
    3. The entire Internet, limited to IPv6 addresses
    4. Inbound traffic from the entire Internet

  89. What does the CIDR block ::/0 represent?

    1. The entire Internet
    2. The entire Internet, limited to IPv4 addresses
    3. The entire Internet, limited to IPv6 addresses
    4. Inbound traffic from the entire Internet

  90. Which of the following rules allows IPv6 outbound traffic to flow to the entire Internet through a NAT gateway with the ID nat-123456789?

    1. 0.0.0.0/0 -> NAT -> nat-123456789
    2. ::/0 -> nat-123456789
    3. 0.0.0.0/0 -> nat-123456789
    4. ::/0 -> NAT -> nat-123456789

  91. How many availability zones in a single region does a single VPC span?

    1. None, VPCs do not span availability zones.
    2. One
    3. At least two
    4. All of them

  92. Which of these must be specified when creating a new VPC? (Choose two.)

    1. An availability zone
    2. A region
    3. A CIDR block
    4. A security group

  93. How many subnets can be added to an availability zone within a VPC?

    1. None
    2. One
    3. One or more
    4. At least two

  94. To how many availability zones within a region can a single subnet in a VPC be added?

    1. None
    2. One
    3. One or more
    4. At least two

  95. How many availability zones can a subnet span?

    1. None
    2. One
    3. One or more
    4. At least two

  96. How many IPv6 CIDR blocks can be assigned to a single VPC?

    1. None
    2. One
    3. One or more
    4. At least two

  97. How many IPv4 CIDR blocks can be assigned to a single VPC?

    1. None
    2. One
    3. One or more
    4. At least two

  98. You have a VPC in US East 1 with three subnets. One of those subnets’ traffic is routed to an internet gateway. What does this make the subnet?

    1. A private subnet
    2. A restricted subnet
    3. The master subnet of that VPC
    4. A public subnet

  99. You have a public subnet in a VPC and an EC2 instance serving web traffic within that public subnet. Can that EC2 instance be reached via the Internet?

    1. Yes
    2. Yes, as long as it has a public IPv4 address.
    3. Yes, as long as the VPC is marked as public.
    4. No

  100. You have a public subnet within your VPC. Within that subnet are three instances, each running a web-accessible API. Two of the instances are responding to requests from Internet clients, but one is not. What could be the problem?

    1. The VPC needs to be marked as public-facing.
    2. The three instances should be moved into an Auto Scaling group.
    3. There is no internet gateway available for the VPC.
    4. The unavailable instance needs an elastic IP.

  101. Which of the following are allowed when creating a new VPC? (Choose two.)

    1. An IPv4 CIDR block
    2. VPC description
    3. An IPv6 CIDR block
    4. A security group

  102. Which of the following is not a required part of creating a custom VPC? (Choose two.)

    1. An IPv6 CIDR block
    2. A VPC name
    3. A set of VPC tags
    4. An IPv4 CIDR block

  103. Which of the following defines a subnet as a public subnet? (Choose two.)

    1. A security group that allows inbound public traffic
    2. A routing table that routes traffic through the internet gateway
    3. Instances with public IP addresses
    4. An internet gateway

  104. Which of the following defines a VPN-only subnet? (Choose two.)

    1. A routing table that routes traffic through the internet gateway
    2. A routing table that routes traffic through the virtual private gateway
    3. A virtual private gateway
    4. An internet gateway

  105. Which of the following are required components in a VPN-only subnet? (Choose two.)

    1. A routing table
    2. A virtual private gateway
    3. An elastic IP address
    4. An internet gateway

  106. By default, how many VPCs can you create per region?

    1. 1
    2. 5
    3. 20
    4. 200

  107. By default, how many subnets can you create per VPC?

    1. 1
    2. 5
    3. 20
    4. 200

  108. By default, how many IPv4 CIDR blocks can you create per VPC?

    1. 1
    2. 5
    3. 20
    4. 200

  109. By default, how many elastic IPs can you create per region?

    1. 1
    2. 5
    3. 20
    4. 200

  110. Which of the following is not true? (Choose two.)

    1. A subnet can have the same CIDR block as the VPC within which it exists.
    2. A subnet can have a larger CIDR block than the VPC within which it exists.
    3. A subnet can have a smaller CIDR block than the VPC within which it exists.
    4. A subnet does not have to have a CIDR block specified.

  111. A VPC peering connection connects a VPC to which of the following?

    1. A subnet within another VPC
    2. A specific instance within another VPC
    3. Another VPC
    4. A virtual private gateway

  112. An Amazon VPC VPN connection links your on-site network to which of the following?

    1. A customer gateway
    2. An internet gateway
    3. An Amazon VPC
    4. A virtual private gateway

  113. Which of the following are required for a VPC VPN connection? (Choose two.)

    1. A customer gateway
    2. An internet gateway
    3. A virtual private gateway
    4. A public subnet

  114. Which of the following would you use to secure a VPC and its instances? (Choose two.)

    1. A customer gateway
    2. A NACL
    3. A virtual private gateway
    4. A security group

  115. You want to ensure that no incoming traffic reaches any instances in your VPC. Which of the following is your best option to prevent this type of traffic?

    1. A blacklist
    2. A NACL
    3. A virtual private gateway
    4. A security group

  116. You want to ensure that no incoming traffic reaches just the database instances in a particular subnet within your VPC. Which of the following is your best option to prevent this type of traffic?

    1. A blacklist
    2. A NACL
    3. A virtual private gateway
    4. A security group

  117. You have a subnet with five instances within it. Two are serving public APIs and three are providing backend compute power through database instances. What is the best way to secure these instances? (Choose two.)

    1. Apply NACLs at the subnet level.
    2. Attach a single security group to all the instances.
    3. Move the two backend database instances into a different subnet.
    4. Attach an internet gateway to the VPC.

  118. Security groups operate most like which of the following?

    1. A blacklist
    2. A NACL
    3. A whitelist
    4. A greylist

  119. If you have a NACL and a security group, at what two levels is security functioning? (Choose two.)

    1. The VPN level
    2. The service level
    3. The subnet level
    4. The instance level

  120. What type of filtering does a security group perform?

    1. Stateful
    2. Synchronous
    3. Whitelist
    4. Stateless

  121. What type of filtering does a network ACL perform?

    1. Stateful
    2. Synchronous
    3. Whitelist
    4. Stateless

  122. With which of the following can you create a VPC peering connection?

    1. A VPC in the same AWS account and same region
    2. A VPC in another AWS account
    3. A VPC in the same AWS account but in another region
    4. All of these

  123. With which of the following can you not create a VPC peering connection? (Choose two.)

    1. A VPC in another AWS account
    2. An instance in the same region
    3. A VPC in the same region
    4. An internet gateway

  124. You have an instance within a custom VPC, and that instance needs to communicate with an API published by an instance in another VPC. How can you make this possible? (Choose two.)

    1. Enable cross-VPC communication via the AWS console.
    2. Configure routing from the source instance to the API-serving instance.
    3. Add a security group to the source instance.
    4. Add an internet gateway or virtual private gateway to the source VPC.

  125. Which of the following could be used to allow instances within one VPC to communicate with instances in another region? (Choose two.)

    1. VPN connections
    2. NACLs
    3. Internet gateways
    4. Public IP addresses

  126. Which region does not currently support VPCs?

    1. US East 1
    2. EU West 1
    3. SA East 1
    4. VPC is supported in all AWS regions.

  127. How many availability zones can a VPC span?

    1. None, VPCs don’t exist within availability zones.
    2. One
    3. Two or more
    4. All the availability zones within a region

  128. When you launch an instance within a VPC, in which availability zone is it launched?

    1. The default availability zone
    2. You must specify an availability zone.
    3. The first availability zone without an instance
    4. The availability zone with the least resources utilized

  129. You are the architect at a company that requires all data at rest to be encrypted. You discover several EBS-backed EC2 instances that will be commissioned in the next week. How can you ensure that data on these volumes will be encrypted?

    1. Use OS-level tools on the instance to encrypt the volumes.
    2. Specify via the AWS console that the volumes should be encrypted when they are created.
    3. You cannot enable encryption on a specific EBS volume.
    4. Start the instances with the volumes and then encrypt them via the AWS console.

  130. Which of the following is required to use a VPC endpoint?

    1. An internet gateway
    2. A VPN connection
    3. A NAT instance
    4. A VPC endpoint does not require any of these.

  131. Which of the following is not true about a VPC endpoint?

    1. A VPC endpoint can attach to an S3 bucket.
    2. A VPC endpoint is a hardware device.
    3. A VPC endpoint does not require an internet gateway.
    4. Traffic to a VPC endpoint does not travel over the Internet.

  132. To which of the following can a VPC endpoint not attach?

    1. S3
    2. SNS
    3. Internet gateway
    4. DynamoDB

  133. Which of the following might you need to create for using a VPC endpoint attached to S3?

    1. A NAT instance
    2. A NAT gateway
    3. An IAM role
    4. A security group

  134. Is it possible to SSH into a subnet with no public instances?

    1. Yes
    2. Yes, as long as you have a bastion host and correct routing.
    3. Yes, as long as you have an AWS Direct Connect.
    4. No

  135. Where should a bastion host be located?

    1. In a private subnet
    2. In a public subnet
    3. In a private VPC
    4. In a VPC with a virtual private gateway

  136. What is another name for a bastion host?

    1. A remote host
    2. A box host
    3. A jump server
    4. A bastion connection

  137. To which of the following might a bastion host be used to connect?

    1. A public instance in a public subnet
    2. A public instance in a private subnet
    3. A private instance in a public subnet
    4. A private instance in a private subnet

  138. Which of these would you use to secure a bastion host?

    1. A network ACL
    2. A security group
    3. OS hardening
    4. All of the above

  139. For a bastion host intended to provide shell access to your private instances, what protocols should you allow via a security group?

    1. SSH and RDP
    2. Just SSH
    3. Just RDP
    4. Just HTTPS

  140. Which of the following statements about internet gateways is false?

    1. They scale horizontally.
    2. They are automatically redundant.
    3. They are automatically highly available.
    4. They scale vertically.

  141. To which of the following does an internet gateway attach?

    1. An AWS account
    2. A subnet within a VPC
    3. A VPC
    4. An instance within a subnet

  142. Which of the following destination routes would be used for routing IPv4 traffic to an internet gateway?

    1. 0.0.0.0/24
    2. 0.0.0.0/0
    3. ::/0
    4. 192.168.1.1

  143. Which of the following destination routes would be used for routing IPv6 traffic to an internet gateway?

    1. 0.0.0.0/24
    2. 0.0.0.0/0
    3. ::/0
    4. 192.168.1.1

  144. Which of the following is not necessary for an instance to have IPv6 communication over the Internet?

    1. A VPC with an associated IPv6 CIDR block
    2. A public IPv6 assigned to the instance
    3. A subnet with an associated IPv6 CIDR block
    4. A virtual private gateway with IPv6 enabled

  145. Which of the following are possible options for assigning to an instance that needs public access? (Choose two.)

    1. A public IP address
    2. An elastic IP address
    3. An IAM role
    4. A NACL

  146. Which of the following will have internet gateways available? (Choose two.)

    1. A public subnet
    2. An IPv6 elastic IP address
    3. The default VPC
    4. An ALB

  147. What does ALB stand for?

    1. Access load balancer
    2. Application load balancer
    3. Adaptive load balancer
    4. Applied load balancer

  148. At what OSI layer does an application load balancer operate?

    1. 4
    2. 7
    3. 4 and 7
    4. 6

  149. At what OSI layer does a network load balancer operate?

    1. 4
    2. 7
    3. 4 and 7
    4. 6

  150. At what OSI layer does a classic load balancer operate?

    1. 4
    2. 7
    3. 4 and 7
    4. 6

  151. Which type of load balancer operates at the Transport layer?

    1. Classic load balancer
    2. Application load balancer
    3. Network load balancer
    4. Both classic and network load balancers

  152. Which type of load balancer operates at the Application layer?

    1. Classic load balancer
    2. Application load balancer
    3. Network load balancer
    4. Both classic and application load balancers

  153. What type of subnets are the default subnets in the default VPC?

    1. Private
    2. Hybrid
    3. Public
    4. Transport

  154. What type of subnets are the default subnets in a custom VPC?

    1. Private
    2. Hybrid
    3. Public
    4. Transport

  155. Which of the following is not automatically created for an instance launched into a non-default subnet?

    1. A private IPv4 address
    2. A security group
    3. A public IPv4 address
    4. A route to other instances in the subnet

  156. Which of the following would be needed to allow an instance launched into a non-default subnet Internet access? (Choose two.)

    1. A private IPv4 address
    2. A security group
    3. An elastic IP address
    4. An internet gateway

  157. Which of the following would you need to add or create to allow an instance launched into a default subnet in the default VPC Internet access?

    1. A public IPv4 address
    2. An internet gateway
    3. An elastic IP address
    4. None of these

  158. Which of the following would you use to allow outbound Internet traffic while preventing unsolicited inbound connections?

    1. A NAT device
    2. A bastion host
    3. A VPC endpoint
    4. A VPN

  159. What does a NAT device allow?

    1. Incoming traffic from the Internet to reach private instances
    2. Incoming traffic from other VPCs to reach private instances
    3. Outgoing traffic to other VPCs from private instances
    4. Outgoing traffic to the Internet from private instances

  160. Which of the following are NAT devices offered by AWS? (Choose two.)

    1. NAT router
    2. NAT instance
    3. NAT gateway
    4. NAT load balancer

  161. Which of the following requires selecting an AMI? (Choose two.)

    1. Launching an EC2 instance
    2. Backing up an EBS volume
    3. Creating an EBS volume
    4. Launching a NAT instance

  162. For which of the following do you not need to worry about operating system updates?

    1. NAT instance
    2. NAT gateway
    3. EC2 instance
    4. ECS container

  163. Which of the following does not automatically scale to meet demand?

    1. DynamoDB
    2. NAT instance
    3. SNS topic
    4. NAT gateway

  164. Which of the following, without proper security, could be most dangerous to your private instances?

    1. Bastion host
    2. VPC endpoint
    3. Internet gateway
    4. NAT instance

  165. Which of the following could be used as a bastion host?

    1. NAT gateway
    2. VPC endpoint
    3. Internet gateway
    4. NAT instance

  166. You are building out a site-to-site VPN connection from an on-site network to a private subnet within a custom VPC. Which of the following might you need for this connection to function properly? (Choose two.)

    1. An internet gateway
    2. A public subnet
    3. A virtual private gateway
    4. A customer gateway

  167. You are building out a site-to-site VPN connection from an on-site network to a custom VPC. Which of the following might you need for this connection to function properly? (Choose two.)

    1. A NAT instance
    2. A DynamoDB instance
    3. A private subnet
    4. An internet gateway

  168. With which of the following is an egress-only internet gateway most closely associated?

    1. IPv4
    2. IPv6
    3. A NAT instance
    4. A NAT gateway

  169. You are responsible for securing an EC2 instance with an IPv6 address that resides in a public subnet. You want to allow traffic from the instance to the Internet but restrict access to the instance. Which of the following would you suggest?

    1. VPC endpoint
    2. Internet gateway
    3. Egress-only internet gateway
    4. A NAT gateway

  170. You have just created a NAT instance and want to launch the instance into a subnet. Which of these need to be true of the subnet into which you want to deploy? (Choose two.)

    1. The subnet is public.
    2. The subnet is private.
    3. The subnet has routing into the private subnets in your VPC.
    4. The subnet has routing to the public subnets in your VPC.

  171. Which of the following are true about an egress-only internet gateway? (Choose two.)

    1. It only supports IPv4 traffic.
    2. It is stateful.
    3. It only supports IPv6 traffic.
    4. It is stateless.

  172. Which of these would be used as the destination address in a routing table for a VPC that uses an egress-only internet gateway?

    1. 0.0.0.0/0
    2. 0.0.0.0/16
    3. ::/0
    4. ::/24

  173. Which of the following are true about IPv6 addresses? (Choose two.)

    1. They are globally unique.
    2. They are in the format x.y.z.w.
    3. They require underlying IPv4 addresses.
    4. They are public by default.

  174. What is an elastic network interface? (Choose two.)

    1. A hardware network interface on an EC2 instance
    2. A virtual network interface
    3. An interface that can have one or more IPv6 addresses
    4. An interface that does not have a MAC address

  175. Which of the following is not part of an elastic network interface?

    1. A primary IPv4 address
    2. A MAC address
    3. A source/destination check flag
    4. A NACL

  176. How many network interfaces can a single instance have?

    1. None
    2. One and only one
    3. One or more
    4. At least two, up to five

  177. If an elastic network interface is moved from one instance to another, what happens to network traffic directed at the interface?

    1. It is redirected to the elastic network interface that has moved to the new instance.
    2. It is redirected to the primary network interface on the original instance.
    3. It is redirected to the primary network interface on the new instance.
    4. It is lost and must be re-sent to the elastic network interface on the new instance.

  178. To how many instances can an elastic network interface be attached?

    1. One and only one
    2. One or more
    3. One at a time, but it can be moved from one instance to another.
    4. Up to five

  179. Which of these is not a reason to attach multiple network interfaces to an instance?

    1. You are creating a management network.
    2. You are attempting to increase network throughput to the instance.
    3. You need a high-availability solution and have a low budget.
    4. You need dual-homed instances.

  180. Which of the following can you not do with regard to network interfaces?

    1. Detach a secondary interface from an instance.
    2. Attach an elastic network interface to an instance with an existing interface.
    3. Detach a primary interface from an instance.
    4. Attach an elastic network interface to a different instance than originally attached.

  181. Which of the following is not a valid attribute for an elastic network interface?

    1. An IPv6 address
    2. An IPv4 address
    3. A source/destination check flag
    4. A routing table

  182. Why might you use an elastic IP address?

    1. You need an IPv4 address for a specific instance.
    2. You need an IPv6 address for a specific instance.
    3. You want to mask the failure of an instance to network clients.
    4. You want to avoid making changes to your security groups.

  183. Which of the following can you not do with an elastic IP address?

    1. Change the IP address associated with it while it is in use.
    2. Move it from one instance to another.
    3. Move it across VPCs.
    4. Associate it with a single instance in a VPC.

  184. Which of the following are advantages of an elastic IP? (Choose two.)

    1. Reduces the number of IP addresses your VPC uses
    2. Provides protection in case of an instance failure
    3. Allows all attributes of a network interface to be moved at one time
    4. Provides multiple IP addresses for a single instance

  185. Which of the following would you need to do to create an elastic IP address? (Choose two.)

    1. Allocate an elastic IP address for use in a VPC.
    2. Allocate an IP address in Route 53.
    3. Detach the primary network interface on an instance.
    4. Associate the elastic IP to an instance in your VPC.

  186. Which of these is not a valid means of working with an Amazon EBS snapshot?

    1. The AWS API
    2. The AWS CLI
    3. The AWS console
    4. The AWS EBS management tool

  187. Where are individual instances provisioned?

    1. In a VPC
    2. In a region
    3. In an availability zone
    4. In an Auto Scaling group

  188. How are EBS snapshots backed up to S3?

    1. Incrementally
    2. In full, every time they are changed
    3. EBS snapshots are backed up to RDS.
    4. Sequentially

  189. You have an existing IAM role in use by several instances in your VPC. You make a change in the role, removing permissions to access S3. When does this change take effect on the instances already attached to the role?

    1. Immediately
    2. Within 60 seconds
    3. The next time the instances are restarted
    4. The instances preserve the pre-change permissions indefinitely.

  190. How many IAM roles can you attach to a single instance?

    1. One
    2. One or two
    3. As many as you want
    4. None, roles are not assigned to instances.

  191. How can you attach multiple IAM roles to a single instance? (Choose two.)

    1. You can attach as many roles as you want to an instance.
    2. You cannot, but you can combine the policies each role uses into a single new role and assign that.
    3. You can assign two IAM roles to an instance, but no more than that.
    4. You cannot; only one role can be assigned to an instance.

  192. You need to make a change to a role attached to a running instance. What do you need to do to ensure the least amount of downtime? (Choose two.)

    1. Update the IAM role via the console or AWS API or CLI.
    2. Re-attach the updated role to the instance.
    3. Restart the instance.
    4. Other than updating the role, no additional changes are needed.

  193. You have a new set of permissions that you want to attach to a running instance. What do you need to do to ensure the least amount of downtime? (Choose two.)

    1. Remove the instance’s IAM role via the console or AWS API or CLI.
    2. Create a new IAM role with the desired permissions.
    3. Stop the instance, assign the role, and restart the instance.
    4. Attach the new role to the running instance.

  194. How can you delete a snapshot of an EBS volume when it’s used as the root device of a registered AMI?

    1. You can’t.
    2. You can, but only using the AWS API or CLI.
    3. Delete the snapshot using the AWS console.
    4. Ensure that you have correct IAM privileges and delete the AMI.

  195. Which of these is the best option for encrypting data at rest on an EBS volume?

    1. Configure the volume’s encryption at creation time.
    2. Configure AES 256 encryption on the volume once it’s been started.
    3. Configure encryption using the OS tools on the attached EC2 instance.
    4. Back up the data in the volume to an encrypted S3 bucket.

  196. How can you ensure that an EBS root volume persists beyond the life of an EC2 instance, in the event that the instance is terminated?

    1. The volume will persist automatically.
    2. Configure the EC2 instance to not terminate its root volume and the EBS volume to persist.
    3. You cannot; root volumes always are deleted when the attached EC2 instance is terminated.
    4. Ensure that encryption is enabled on the volume and it will automatically persist.

  197. Which of the following is not part of the well-architected framework?

    1. Apply security at all layers.
    2. Enable traceability.
    3. Use defaults whenever possible.
    4. Automate responses to security events.

  198. Which of the following should you attempt to automate, according to the AWS well- architected framework? (Choose two.)

    1. Security best practices
    2. Scaling instances
    3. Responses to security events
    4. IAM policy creation

  199. Which of the following statements are true? (Choose two.)

    1. You are responsible for security in the cloud.
    2. AWS is responsible for security of the cloud.
    3. AWS is responsible for security in the cloud.
    4. You are responsible for security of the cloud.

  200. For which of the following is AWS responsible for security? (Choose two.)

    1. Edge locations
    2. Firewall configuration
    3. Network traffic
    4. Availability zones

  201. For which of the following is AWS not responsible for security?

    1. Networking infrastructure
    2. RDS database installations
    3. S3 buckets
    4. Networking traffic

  202. For which of the following are you not responsible for security?

    1. DynamoDB
    2. Operating system configuration
    3. Server-side encryption
    4. Application keys

  203. Which of the following is not included in the well-architected framework’s definition of security?

    1. Data protection
    2. Infrastructure protection
    3. Reduction of privileges
    4. Defective controls

  204. Which of the following is a principle of the well-architected framework’s security section?

    1. Encrypt the least amount of data possible.
    2. Always encrypt the most important data.
    3. Encrypt everything where possible.
    4. Encrypt data at rest.

  205. Which of the following are principles of the well-architected framework’s security section? (Choose two.)

    1. Encrypt data at rest.
    2. Encrypt data in transit.
    3. Encrypt data in groups rather than individually.
    4. Encrypt data at the destination.

  206. Who is responsible for encrypting data in the cloud?

    1. You
    2. AWS
    3. AWS provides mechanisms such as key rotation for which they are responsible, but you are responsible for appropriate usage of those mechanisms.
    4. AWS provides an API, but you are responsible for security when using that API.

  207. What is the term used to represent the resiliency of data stored in S3?

    1. 9 9s
    2. 11 9s
    3. 7 9s
    4. 99th percentile

  208. Which of these statements is not true?

    1. AWS recommends encrypting data at rest and in transit.
    2. AWS will never move data between regions unless initiated by the customer.
    3. AWS will initiate moving data between regions if needed.
    4. Customers move data between regions rather than AWS.

  209. Which of the following can be part of a strategy to avoid accidental data overwriting of S3 data?

    1. IAM roles
    2. MFA Delete
    3. Versioning
    4. All of these

  210. Which of the following should always be done to protect your AWS environment? (Choose two.)

    1. Enable MFA on the root account.
    2. Enable MFA Delete on your S3 buckets.
    3. Set a password rotation policy for users.
    4. Create custom IAM roles for all users.

  211. At what level does infrastructure protection exist in AWS?

    1. The physical hardware layer
    2. OSI layer 4
    3. The VPC layer
    4. OSI layer 7

  212. Which of the following might be used to detect or identify a security breach in AWS? (Choose two.)

    1. CloudWatch
    2. CloudFormation
    3. CloudTrail
    4. Trusted Advisor

  213. Which of the following AWS services is associated with privilege management?

    1. AWS Config
    2. RDS
    3. IAM
    4. VPC

  214. Which of the following AWS services is associated with privilege management?

    1. Internet gateway
    2. S3-IA
    3. CloudTrail
    4. MFA

  215. Which of the following AWS services is associated with identifying potential security holes?

    1. Trusted Advisor
    2. CloudFormation
    3. Security Detector
    4. Security Advisor

  216. Which of the following is not one of the five pillars in the cloud defined by the AWS well-architected framework?

    1. Operational excellence
    2. Performance efficiency
    3. Organizational blueprint
    4. Cost optimization

  217. Which of the following is not one of the five pillars in the cloud defined by the AWS well-architected framework?

    1. Performance efficiency
    2. Usability
    3. Security
    4. Reliability

  218. Which of the following is not one of the security principles recommended by AWS’s well-architected framework?

    1. Automate security best practices.
    2. Enable traceability.
    3. Apply security at the highest layers.
    4. Protect data in transit and at rest.

  219. Which of the following is one of the security principles recommended by AWS’s well-architected framework?

    1. Make sure all users have passwords.
    2. Only protect data at rest.
    3. Turn on MFA Delete for S3 buckets.
    4. Keep people away from data.

  220. The AWS’s well-architected framework defines five areas to consider with respect to security. Choose the two that are part of this set. (Choose two.)

    1. Identity and Access Management
    2. User management
    3. Virtual private networks
    4. Incident response

  221. Who is responsible for physically securing the infrastructure that supports cloud services?

    1. AWS
    2. You
    3. Your users
    4. AWS and you have joint responsibility.

  222. Which of the following statements about the root account in an AWS account are true? (Choose two.)

    1. It is the first account created.
    2. It is ideal for everyday tasks.
    3. It is intended primarily for creating other users and groups.
    4. It has access keys that are important to keep.

  223. Which of the following are appropriate password policy requirements? (Choose two.)

    1. Maximum length
    2. Recovery
    3. Minimum length
    4. Complexity

  224. What additional requirements should users that can access the AWS console have?

    1. Users with console access should have more stringent password policy requirements.
    2. Users with console access should have to use their access keys to log in.
    3. Users with console access should be required to use MFA.
    4. None. These users should be treated the same as other users.

  225. Which of the following provide a means of federating users from an existing organization? (Choose two.)

    1. SAML 2.0
    2. Web identities
    3. LDAP
    4. UML 2.0

  226. Which of the following principles suggests ensuring that authenticated identities are only permitted to perform the most minimal set of functions necessary?

    1. Principle of lowest privilege
    2. Principle of least priority
    3. Principle of least privilege
    4. Principle of highest privilege

  227. What is an AWS Organizations OU?

    1. Orchestration unit
    2. Organizational unit
    3. Operational unit
    4. Offer of urgency

  228. What is an AWS Organizations SCP?

    1. Service control policy
    2. Service control permissions
    3. Standard controlling permissions
    4. Service conversion policy

  229. To which of the following constructs is an AWS Organizations SCP applied?

    1. To a service control policy
    2. To an IAM role
    3. To an organizational unit
    4. To a SAML user store

  230. Which of the following can be used to centrally control AWS services across multiple AWS accounts?

    1. A service control policy
    2. An organizational unit
    3. An LDAP user store
    4. IAM roles

  231. What AWS service would you use for managing and enforcing policies for multiple AWS accounts?

    1. AWS Config
    2. AWS Trusted Advisor
    3. AWS Organizations
    4. IAM

  232. Which of the following does AWS provide to increase privacy and control network access?

    1. Network firewalls built into Amazon VPC
    2. Encryption in transit with TLS across all services
    3. Connections that enable private and dedicated connections from an on-premises environment
    4. All of these

  233. You have an application that uses S3 standard for storing large data. Your company wants to ensure that all data is encrypted at rest while avoiding adding work to your current development sprints. Which S3 encryption solution should you use?

    1. SSE-C
    2. SSE-S3
    3. SSE-KMS
    4. Amazon S3 Encryption Client

  234. You are the architect of an application that allows users to send private messages back and forth. You want to ensure encryption of the messages when stored in S3 and a strong auditing trail in case of a breach. You also want to capture any failed attempts to access data. What Amazon encryption solution would you use?

    1. SSE-C
    2. SSE-S3
    3. SSE-KMS
    4. Amazon S3 Encryption Client

  235. Your company has just hired three new developers. They need immediate access to a suite of AWS services. What is the best approach to giving these developers access?

    1. Give the developers the admin credentials and change the admin password when they are finished for the day.
    2. Create a new IAM user for each developer and assign the required permissions to each user.
    3. Create a new IAM user for each developer, create a single group with the required permissions, and assign each user to that group.
    4. Create a new SCP and assign the SCP to an OU with each user’s credentials within that OU.

  236. Your application requires a highly available storage solution. Further, the application will serve customers in the EU and must comply with EU privacy laws. What should you do to provide this storage?

    1. Create a new EC2 instance in EU-Central-1 and set up EBS volumes in a RAID configuration attached to that instance.
    2. Create a new S3 standard bucket in EU-West-1.
    3. Create a new Glacier vault in EU-South-1.
    4. Create a new Auto Scaling group in EU-West-1 with at least three EC2 instances, each with an attached Provisioned IOPS EBS volume.

  237. Which of the following provides SSL for data in transit?

    1. S3 standard
    2. S3 One Zone-IA
    3. Glacier
    4. All of these

  238. Which of the following does not provide encryption of data at rest?

    1. S3 standard
    2. S3 One Zone-IA
    3. Glacier
    4. All of these encrypt data at rest.

  239. What is the AWS shared responsibility model?

    1. A model that defines which components AWS secures and which you as an AWS customer must secure
    2. A model that defines which components you secure and which components your customers must secure
    3. A model that defines how connections between offices or on-premises data centers and the cloud must work together to secure data that moves between the two
    4. A model that defines how the five pillars of the AWS well-architected framework interact

  240. Which of the following is not one of the types of services that AWS offers, according to the shared responsibility model?

    1. Infrastructure services
    2. Managed services
    3. Containers services
    4. Abstracted services

  241. For which of the following are you not responsible for security?

    1. Operating systems
    2. Credentials
    3. Virtualization infrastructure
    4. AMIs

  242. Which of the following is used to allow EC2 instances to access S3 buckets?

    1. IAM role
    2. IAM policy
    3. IAM user
    4. AWS organizational unit

  243. You have a task within a Docker container deployed via AWS ECS. The application cannot access data stored in an S3 bucket. What might be the problem? (Choose two.)

    1. The IAM role associated with the task doesn’t have permissions to access S3.
    2. The task is not in a security group with inbound access allowed from S3.
    3. The task does not have access to an S3 VPC endpoint.
    4. There is no policy defined to allow ECS tasks to access S3.

  244. What is the default security on a newly created S3 bucket?

    1. Read-only
    2. Read and write is permitted from EC2 instances in the same region.
    3. Completely private, reads and writes are disallowed.
    4. There is no policy defined to allow ECS tasks to access S3.
..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.191.235.176