Chapter 3 Domain 3: Specify Secure Applications and Architectures
✓ Subdomain: 3.1 Determine how to secure application tiers.
✓ Subdomain: 3.2 Determine how to secure data.
✓ Subdomain: 3.3 Define the networking infrastructure for a single VPC application.
Review Questions
When creating a new security group, which of the following are true? (Choose two.)
All inbound traffic is allowed by default.
All outbound traffic is allowed by default.
Connections that are allowed in must also explicitly be allowed back out.
Connections that are allowed in are automatically allowed back out.
You have a government-regulated system that will store a large amount of data on S3 standard. You must encrypt all data and preserve a clear audit trail for traceability and third-party auditing. Security policies dictate that encryption must be consistent across the entire data store. Which of the following encryption approaches would be best?
SSE-C
SSE-KMS
SSE-C
Encrypt the data prior to upload to S3 and decrypt the data when returning it to the client.
You are creating a bastion host to allow SSH access to a set of EC2 instances in a private subnet within your organization’s VPC. Which of the following should be done as part of configuring the bastion host? (Choose two.)
Ensure that the bastion host is exposed directly to the Internet.
Place the bastion host within the private subnet.
Add a route from the bastion host IP into the private subnet into the subnet’s NACLs.
Ensure that the bastion host is within the same security group as the hosts within the private subnet.
Which of the following are invalid IAM actions? (Choose two.)
Limiting the root account SSH access to all EC2 instances
Allowing a user account SSH access to all EC2 instances
Removing console access for the root account
Removing console access for all non-root user accounts
Which of the following statements is true?
You should store application keys only in your application’s .aws file.
You should never store your application keys on an instance, in an AMI, or anywhere else permanent on the cloud.
You should only store application keys in an encrypted AMI.
You should only use your application key to log in to the AWS console.
Your company is setting up a VPN connection to connect its local network to an AWS VPC. Which of the following components are not necessary for this setup? (Choose two.)
A NAT instance
A virtual private gateway
A private subnet in the AWS VPC
A customer gateway
You have a private subnet in a VPC within AWS. The instances within the subnet are unable to access the Internet. You have created a NAT gateway to solve this problem. What additional steps do you need to perform to allow the instances Internet access? (Choose two.)
Ensure that the NAT gateway is in the same subnet as the instances that cannot access the Internet.
Add a route in the private subnet to route traffic aimed at 0.0.0.0/0 at the NAT gateway.
Add a route in the public subnet to route traffic aimed at 0.0.0.0/0 at the NAT gateway.
Ensure that the NAT gateway is in a public subnet.
Which of the following statements regarding NAT instances and NAT gateways are false? (Choose two.)
Both NAT instances and NAT gateways are highly available.
You must choose the instance type and size when creating a NAT gateway but not when creating a NAT instance.
It is your responsibility to patch a NAT instance and AWS’s responsibility to patch a NAT gateway.
You assign a security group to a NAT instance but not to a NAT gateway.
Which of the following statements is true?
A VPC’s default NACLs allow all inbound and outbound traffic.
NACLs are stateful.
Security groups are stateless.
Traffic allowed into a NACL is automatically allowed back out.
You have changed the permissions associated with a role, and that role is assigned to an existing running EC2 instance. When will the permissions you updated take effect for the instance?
Immediately
Within 5 minutes
Within 1 hour
The next time the EC2 instance is restarted
Which of the following statements is true?
When creating a new security group, by default, all traffic is allowed in, including SSH.
If you need inbound HTTP and HTTPS access, create a new security group and accept the default settings.
You must explicitly allow any inbound traffic into a new security group.
Security groups are stateless.
Which of the following statements is not true?
When creating a new security group, by default, no inbound traffic is allowed.
When creating a new security group, by default, all traffic is allowed out, including SSH.
When creating a new security group, by default, all traffic is allowed out, with the exception of SSH.
When creating a new security group, inbound HTTPS traffic is not allowed.
How would you enable encryption of your EBS volumes?
Use the AWS CLI with the aws security command.
Take a snapshot of the EBS volume and copy it to an encrypted S3 bucket.
Select the encryption option when creating the EBS volume.
Encrypt the volume using the encryption tools of the operating system of the EC2 instance that has mounted the EBS volume.
What types of rules does a security group allow? (Choose two.)
Allow rules
Prevent rules
Deny rules
Inbound rules
Which of the following are true about security groups? (Choose two.)
You can specify deny rules, but not allow rules.
By default, a security group includes an outbound rule that allows all outbound traffic.
You can specify specific separate rules for inbound and outbound traffic.
Security groups are stateless.
Which of the following are not true about security groups? (Choose two.)
Allow rules take priority over deny rules.
Responses to allowed inbound traffic are allowed to flow back out.
You can specify specific separate rules for inbound and outbound traffic.
If there are no outbound rules, then all outbound traffic is allowed to flow out.
Which of the following must a security group have when you create it? (Choose two.)
At least one inbound rule
A name
A description
At least one outbound rule
Which of the following is a security group associated with?
An ELB
A network interface
An ALB
A network access list
Which of the following are default rules on a default security group, such as the one that comes with the default VPC? (Choose two.)
Outbound: 0.0.0.0/0 for all protocols allowed
Inbound: 0.0.0.0/0 for all protocols allowed
Outbound: ::/0 for all protocols allowed
Inbound: ::/0 for all protocols allowed
Which of the following are parts of a security group rule? (Choose two.)
A protocol
A subnet
An instance ID
A description
Which of the following allows you to securely upload data to S3? (Choose two.)
HTTP endpoints using HTTP
SSL endpoints using HTTPS
HTTP endpoints using HTTPS
SSL endpoints using HTTP
Which of the following describes client-side encryption for S3 bucket data?
You encrypt and upload data to S3, managing the encryption process yourself.
You encrypt and upload data to S3, allowing AWS to manage the encryption process.
You request AWS to encrypt an object before saving it to S3.
You encrypt an object, but AWS uploads and decrypts the object.
Which of the following describes server-side encryption for S3 bucket data?
You encrypt and upload data to S3, managing the encryption process yourself.
You encrypt and upload data to S3, allowing AWS to manage the encryption process.
You request AWS to encrypt an object before saving it to S3.
You encrypt an object, but AWS uploads and decrypts the object.
Which of the following are valid steps in enabling client-side encryption for S3? (Choose two.)
Download the AWS CLI and SSH to your S3 key store.
Use a KMS-managed customer master key.
Download an AWS SDK for encrypting data on the client side.
Turn on bucket encryption for the target S3 buckets.
Which of the following is not a way to manage server-side encryption keys for S3?
SSE-S3
SSE-KMS
SSE-E
SSE-C
Which of the following encryption key management options is best for ensuring strong audit trails?
SSE-S3
SSE-KMS
Client-side encryption keys
SSE-C
Which of the following encryption key management options is best for managing keys but allowing S3 to handle the actual encryption of data?
SSE-S3
SSE-KMS
Client-side encryption keys
SSE-C
You have a customer with a legacy security team that is very suspicious of all things security in the cloud. The customer wants to use S3 but doesn’t trust AWS encryption, and you need to enable its migration to the cloud. What option would you recommend to address the company’s concerns?
SSE-S3
SSE-KMS
Client-side encryption keys
SSE-C
You want to begin encrypting your S3 data, but your organization is new to encryption. Which option is a low-cost approach that still offloads most of the work to AWS rather than to your organization?
SSE-S3
SSE-KMS
Client-side encryption keys
SSE-C
You are the architect for a company whose data must comply with current EU privacy restrictions. Which of the following S3 buckets are valid options? (Choose two.)
Buckets in EU Central 1
Buckets in US East 2
Buckets in EU West 1
Buckets in SA East 1
Which of the following options could be used to provide availability-zone-resilient fault-tolerant storage that complies with EU privacy laws? (Choose two.)
S3 buckets in US West 1
S3 buckets in EU West 2
S3-IA buckets in EU Central 1
S3 One Zone-IA buckets in EU West 1
What type of replication will your Multi-AZ RDS instances use?
Offline replication
Synchronous replication
Push replication
Asynchronous replication
You want to provide maximum protection against data in your S3 object storage being deleted accidentally. What should you do?
Enable versioning on your EBS volumes.
Turn on MFA Delete on your S3 buckets.
Set up a Lambda job to monitor and block delete requests to S3.
Turn off the DELETE endpoints on the S3 REST API.
You want to provide maximum protection against data in your S3 object storage being deleted accidentally. What steps should you take? (Choose two.)
Enable versioning on your S3 buckets.
Turn on MFA Delete on your S3 buckets.
Enable versioning in CloudWatch’s S3 API.
Remove IAM permissions for deleting objects for all users.
You want to enable MFA Delete on your S3 buckets in the US East 1 region. What step must you take before enabling MFA Delete?
Disable the REST API for the buckets on which you want MFA Delete.
Enable cross-region replication on the buckets on which you want MFA Delete.
Move the buckets to a region that supports MFA Delete, such as US West 1.
Enable versioning on the buckets on which you want MFA Delete.
What is AWS Trusted Advisor?
An online resource to help you improve performance
An online resource to help you reduce cost
An online resource to help you improve security
All of the above
On which of the following does AWS Trusted Advisor not provide recommendations?
Reducing cost
Improving fault tolerance
Improving security
Organizing accounts
Which of the following are included in the core AWS Trusted Advisor checks? (Choose two.)
S3 bucket permissions
MFA on root account
Quantity of CloudWatch alarms
Use of VPC endpoints
Which of the following recommendations might AWS Trusted Advisor make? (Choose two.)
Turn on MFA for the root account.
Turn on antivirus protection for EC2 instances.
Update S3 buckets with public write access.
Update NAT instances to NAT gateways.
Which of the following is not possible using IAM policies?
Requiring MFA for the root account
Denying the root account access to EC2 instances
Disabling S3 access for users in a group
Restricting SSH access to EC2 instances to a specific user
Which of the following are not true about S3 encryption? (Choose two.)
S3 applies AES-256 encryption to data when server-side encryption is enabled.
S3 encryption will use a client key if it is supplied with data.
Encrypted EBS volumes can only be stored if server-side encryption is enabled.
S3 will accept locally encrypted data if client-side encryption is enabled.
What types of data are encrypted when you create an encrypted EBS volume? (Choose two.)
Data at rest inside the volume
Data moving between the volume and the attached instance
Data inside S3 buckets that store the encrypted instance
Data in an EFS on instances attached to the volume
What types of data are not automatically encrypted when you create an encrypted EBS volume? (Choose two.)
A snapshot created from the EBS volume
Any data on additional volumes attached to the same instance as the encrypted volume
Data created on an instance that has the encrypted volume attached
Data moving between the volume and the attached instance
Which of the following types of data is not encrypted automatically when an encrypted EBS volume is attached to an EC2 instance?
Data in transit to the volume
Data at rest on the volume
Data in transit from the volume
All of these are encrypted.
What encryption service is used by encrypted EBS volumes?
S3-KMS
S3-C
KMS
Customer-managed keys
How can you access the private IP address of a running EC2 instance?
If you take a snapshot of an encrypted EBS volume, which of the following will be true? (Choose two.)
The snapshot will be encrypted.
All data on the bucket on which the snapshot is stored will be encrypted.
Any instances using the snapshot will be encrypted.
Any volumes created from the snapshot will be encrypted.
If you take a snapshot of an encrypted EBS volume, which of the following must you do to use that snapshot as a volume in a separate region? (Choose two.)
Copy the snapshot to the new region.
Delete the snapshot from the old region.
Unencrypt the snapshot once it is in the new region.
Create a new volume from the snapshot in the new region.
How do you encrypt an RDS instance?
Enable encryption on the running instance via the CLI.
Enable encryption on the running instance via the console.
Run the encryption process on the running instance via the console.
Enable encryption when creating the instance.
Which of the following will ensure that data on your RDS instance is encrypted?
Use client-side encryption keys.
Enable encryption on the running RDS instance via the AWS API.
Encrypt the instance on which RDS is running.
None of these will encrypt all data on the instance.
Which of the following will allow you to bring a non-encrypted RDS instance into compliance with an “all data must be encrypted at rest” policy?
Snapshot the RDS instance and restore it, encrypting the new copy upon restoration.
Use the AWS Database Migration Service to migrate the data from the instance to an encrypted instance.
Create a new encrypted instance and manually move data into it.
None of these will encrypt all data on the instance.
Which of the following will allow you to bring a non-encrypted EBS volume into compliance with an “all data must be encrypted at rest” policy?
Stop the volume, snapshot it, and encrypt a copy of the snapshot. Then restore from the encrypted snapshot.
Stop the volume, select “Turn on encryption,” and restart the volume.
Encrypt the volume via the AWS API and turn on the “encrypt existing data” flag.
None of these will encrypt all data on the volume.
Which of the following will allow you to bring a non-encrypted EBS volume into compliance with an “all data must be encrypted at rest” policy?
Stop the volume, create a snapshot, and restart from the snapshot, selecting “Encrypt this volume.”
Stop the volume, select “Turn on encryption,” and restart the volume.
Encrypt the volume via the AWS API and turn on the “encrypt existing data” flag.
None of these will encrypt all data on the volume.
Which of the following will allow you to bring a non-encrypted EBS volume into compliance with an “all data must be encrypted at rest” policy?
Create a new volume, attach the new volume to an EC2 instance, copy the data from the non-encrypted volume to the new volume, and then encrypt the new volume.
Create a new volume with encryption turned on, attach the new volume to an EC2 instance, and copy the data from the non-encrypted volume to the new volume.
Create a new volume, attach the new volume to an EC2 instance, and use the encrypted-copy command to copy the data from the non-encrypted volume to the new volume.
None of these will encrypt all data on the volume.
Which of the following are valid options on an EBS volume? (Choose two.)
Encrypt the volume.
Encrypt a snapshot of the volume.
Encrypt a copy of a snapshot of the volume.
Restore an encrypted snapshot to an encrypted volume.
Which of the following are not true about EBS snapshots? (Choose two.)
Snapshots of encrypted volumes are automatically encrypted.
When you copy an encrypted snapshot, the copy is not encrypted unless you explicitly specify.
You cannot copy an encrypted snapshot unless you unencrypt the snapshot first.
Volumes that are created from encrypted snapshots are automatically encrypted.
Can you copy a snapshot across AWS accounts?
Yes
Yes, but you first have to modify the snapshot’s access permissions.
Yes, but you have to be the owner of both AWS accounts.
No
You have a snapshot of an EBS volume in US East 2. You want to create a volume from this snapshot in US West 1. Is this possible?
Yes, create the volume in US West 1 based upon the snapshot in US East 2.
Yes, but you’ll need to copy the snapshot to US West 1 first.
Yes, but you’ll need to create the instance in US East 2 and then move it to US West 1.
No
Can you copy an EBS snapshot across regions?
Yes, as long as the snapshot is not encrypted.
Yes, as long as the snapshot is marked for multi-region use.
Yes
No
Which of the following does a security group attached to an instance control? (Choose two.)
Inbound traffic
HTTP error messages
Outbound traffic
Access control lists
How many security groups can you attach to a single instance in a VPC?
None, security groups aren’t attached to instances.
1
1 or more
2 or more
Which of the following can be added to a VPC, in addition to security groups on included instances, to further secure the VPC?
A NACL
A port filter
An ALB
A flow log
Which of the following statements is true about a custom, user-created NACL?
A NACL by default allows all traffic out of a VPC.
A NACL by default allows all traffic into a VPC.
A NACL is a virtual firewall for associated subnets.
A NACL functions at the instance level.
What do you use to permit and restrict control of a NACL?
VPC
WAF
AWS Organizations
IAM
Which of these are true about security groups? (Choose two.)
Support allow and deny rules
Evaluate all rules before deciding whether to allow traffic
Operate at the instance level
Apply to all instances in the associated subnet
Which of these are true about security groups? (Choose two.)
Stateful
Stateless
Process rules in order
Associated with an instance
Which of these are true about NACLs? (Choose two.)
Stateful
Stateless
Process rules in order
Associated with an instance
Which of these are true about NACLs? (Choose two.)
Apply to all instances in an associated subnet
Only apply if no security group is present
Support allow and deny rules
Evaluate all rules before deciding whether to allow or disallow traffic
In which order are NACLs and security groups evaluated?
NACLs and security groups are evaluated in parallel.
A NACL is evaluated first, and then the security group.
A security group is evaluated first, and then the NACL.
It depends on the VPC setup.
Which of these statements are true? (Choose two.)
A security group can apply to two instances at the same time.
A NACL applies to all instances within a subnet at the same time.
A security group can apply to only one instance at the same time.
A NACL can apply to only one instance at the same time.
With which of the following is a NACL associated?
An instance
A subnet
A VPC
A NACL can be associated with all of these.
Which of the following are true about the default NACL that comes with the default VPC? (Choose two.)
It allows all inbound traffic.
It allows all outbound traffic.
It disallows all inbound traffic.
It disallows all outbound traffic.
Which of the following are true about a user-created NACL? (Choose two.)
It allows all inbound traffic.
It allows all outbound traffic.
It disallows all inbound traffic.
It disallows all outbound traffic.
In which order are rules in a NACL evaluated?
From low to high, using the number on the rule
From high to low, using the number on the rule
From low to high, using the port of the rule
From high to low, using the port of the rule
Which of the following statements is not true? (Choose two.)
A network ACL has separate inbound and outbound rules.
Network ACLs are stateful.
Each subnet in your VPC must be associated with a NACL.
A network ACL can only be associated with a single subnet.
With how many subnets can a NACL be associated?
One
One or more
A NACL is associated with instances, not subnets.
A NACL is associated with VPCs, not subnets.
With how many NACLs can a subnet be associated?
One
One or more
A subnet is associated with security groups, not NACLs.
A subnet is associated with VPCs, not NACLs.
What happens when you associate a NACL with a subnet that is already associated with a different NACL?
Nothing, both NACLs are associated with the subnet.
You receive an error. You must remove the first NACL to associate the new one.
You receive an error. You must first merge the two NACLs to apply them to a subnet.
The new NACL replaces the previous NACL, and the subnet still only has one NACL association.
Which of the following are part of a network ACL rule? (Choose two.)
An ASCII code
A rule number
An IAM group
A protocol
Which of the following are part of a network ACL rule? (Choose two.)
An ALLOW or DENY specification
A CIDR range
An IP address
A VPC identifier
Which of the following inbound rules of a custom NACL would be evaluated first?
Allows inbound HTTP traffic to the associated subnets
Allows inbound IPv4 HTTP traffic to the associated subnets as long as it is not prevented by lower-numbered rules
Allows inbound IPv4 HTTP traffic to the associated subnets
Allows inbound IPv4 TCP traffic to the associated subnets
What does the CIDR block 0.0.0.0/0 represent?
The entire Internet
The entire Internet, limited to IPv4 addresses
The entire Internet, limited to IPv6 addresses
Inbound traffic from the entire Internet
What does the CIDR block ::/0 represent?
The entire Internet
The entire Internet, limited to IPv4 addresses
The entire Internet, limited to IPv6 addresses
Inbound traffic from the entire Internet
Which of the following rules allows IPv6 outbound traffic to flow to the entire Internet through a NAT gateway with the ID nat-123456789?
0.0.0.0/0 -> NAT -> nat-123456789
::/0 -> nat-123456789
0.0.0.0/0 -> nat-123456789
::/0 -> NAT -> nat-123456789
How many availability zones in a single region does a single VPC span?
None, VPCs do not span availability zones.
One
At least two
All of them
Which of these must be specified when creating a new VPC? (Choose two.)
An availability zone
A region
A CIDR block
A security group
How many subnets can be added to an availability zone within a VPC?
None
One
One or more
At least two
To how many availability zones within a region can a single subnet in a VPC be added?
None
One
One or more
At least two
How many availability zones can a subnet span?
None
One
One or more
At least two
How many IPv6 CIDR blocks can be assigned to a single VPC?
None
One
One or more
At least two
How many IPv4 CIDR blocks can be assigned to a single VPC?
None
One
One or more
At least two
You have a VPC in US East 1 with three subnets. One of those subnets’ traffic is routed to an internet gateway. What does this make the subnet?
A private subnet
A restricted subnet
The master subnet of that VPC
A public subnet
You have a public subnet in a VPC and an EC2 instance serving web traffic within that public subnet. Can that EC2 instance be reached via the Internet?
Yes
Yes, as long as it has a public IPv4 address.
Yes, as long as the VPC is marked as public.
No
You have a public subnet within your VPC. Within that subnet are three instances, each running a web-accessible API. Two of the instances are responding to requests from Internet clients, but one is not. What could be the problem?
The VPC needs to be marked as public-facing.
The three instances should be moved into an Auto Scaling group.
There is no internet gateway available for the VPC.
The unavailable instance needs an elastic IP.
Which of the following are allowed when creating a new VPC? (Choose two.)
An IPv4 CIDR block
VPC description
An IPv6 CIDR block
A security group
Which of the following is not a required part of creating a custom VPC? (Choose two.)
An IPv6 CIDR block
A VPC name
A set of VPC tags
An IPv4 CIDR block
Which of the following defines a subnet as a public subnet? (Choose two.)
A security group that allows inbound public traffic
A routing table that routes traffic through the internet gateway
Instances with public IP addresses
An internet gateway
Which of the following defines a VPN-only subnet? (Choose two.)
A routing table that routes traffic through the internet gateway
A routing table that routes traffic through the virtual private gateway
A virtual private gateway
An internet gateway
Which of the following are required components in a VPN-only subnet? (Choose two.)
A routing table
A virtual private gateway
An elastic IP address
An internet gateway
By default, how many VPCs can you create per region?
1
5
20
200
By default, how many subnets can you create per VPC?
1
5
20
200
By default, how many IPv4 CIDR blocks can you create per VPC?
1
5
20
200
By default, how many elastic IPs can you create per region?
1
5
20
200
Which of the following is not true? (Choose two.)
A subnet can have the same CIDR block as the VPC within which it exists.
A subnet can have a larger CIDR block than the VPC within which it exists.
A subnet can have a smaller CIDR block than the VPC within which it exists.
A subnet does not have to have a CIDR block specified.
A VPC peering connection connects a VPC to which of the following?
A subnet within another VPC
A specific instance within another VPC
Another VPC
A virtual private gateway
An Amazon VPC VPN connection links your on-site network to which of the following?
A customer gateway
An internet gateway
An Amazon VPC
A virtual private gateway
Which of the following are required for a VPC VPN connection? (Choose two.)
A customer gateway
An internet gateway
A virtual private gateway
A public subnet
Which of the following would you use to secure a VPC and its instances? (Choose two.)
A customer gateway
A NACL
A virtual private gateway
A security group
You want to ensure that no incoming traffic reaches any instances in your VPC. Which of the following is your best option to prevent this type of traffic?
A blacklist
A NACL
A virtual private gateway
A security group
You want to ensure that no incoming traffic reaches just the database instances in a particular subnet within your VPC. Which of the following is your best option to prevent this type of traffic?
A blacklist
A NACL
A virtual private gateway
A security group
You have a subnet with five instances within it. Two are serving public APIs and three are providing backend compute power through database instances. What is the best way to secure these instances? (Choose two.)
Apply NACLs at the subnet level.
Attach a single security group to all the instances.
Move the two backend database instances into a different subnet.
Attach an internet gateway to the VPC.
Security groups operate most like which of the following?
A blacklist
A NACL
A whitelist
A greylist
If you have a NACL and a security group, at what two levels is security functioning? (Choose two.)
The VPN level
The service level
The subnet level
The instance level
What type of filtering does a security group perform?
Stateful
Synchronous
Whitelist
Stateless
What type of filtering does a network ACL perform?
Stateful
Synchronous
Whitelist
Stateless
With which of the following can you create a VPC peering connection?
A VPC in the same AWS account and same region
A VPC in another AWS account
A VPC in the same AWS account but in another region
All of these
With which of the following can you not create a VPC peering connection? (Choose two.)
A VPC in another AWS account
An instance in the same region
A VPC in the same region
An internet gateway
You have an instance within a custom VPC, and that instance needs to communicate with an API published by an instance in another VPC. How can you make this possible? (Choose two.)
Enable cross-VPC communication via the AWS console.
Configure routing from the source instance to the API-serving instance.
Add a security group to the source instance.
Add an internet gateway or virtual private gateway to the source VPC.
Which of the following could be used to allow instances within one VPC to communicate with instances in another region? (Choose two.)
VPN connections
NACLs
Internet gateways
Public IP addresses
Which region does not currently support VPCs?
US East 1
EU West 1
SA East 1
VPC is supported in all AWS regions.
How many availability zones can a VPC span?
None, VPCs don’t exist within availability zones.
One
Two or more
All the availability zones within a region
When you launch an instance within a VPC, in which availability zone is it launched?
The default availability zone
You must specify an availability zone.
The first availability zone without an instance
The availability zone with the least resources utilized
You are the architect at a company that requires all data at rest to be encrypted. You discover several EBS-backed EC2 instances that will be commissioned in the next week. How can you ensure that data on these volumes will be encrypted?
Use OS-level tools on the instance to encrypt the volumes.
Specify via the AWS console that the volumes should be encrypted when they are created.
You cannot enable encryption on a specific EBS volume.
Start the instances with the volumes and then encrypt them via the AWS console.
Which of the following is required to use a VPC endpoint?
An internet gateway
A VPN connection
A NAT instance
A VPC endpoint does not require any of these.
Which of the following is not true about a VPC endpoint?
A VPC endpoint can attach to an S3 bucket.
A VPC endpoint is a hardware device.
A VPC endpoint does not require an internet gateway.
Traffic to a VPC endpoint does not travel over the Internet.
To which of the following can a VPC endpoint not attach?
S3
SNS
Internet gateway
DynamoDB
Which of the following might you need to create for using a VPC endpoint attached to S3?
A NAT instance
A NAT gateway
An IAM role
A security group
Is it possible to SSH into a subnet with no public instances?
Yes
Yes, as long as you have a bastion host and correct routing.
Yes, as long as you have an AWS Direct Connect.
No
Where should a bastion host be located?
In a private subnet
In a public subnet
In a private VPC
In a VPC with a virtual private gateway
What is another name for a bastion host?
A remote host
A box host
A jump server
A bastion connection
To which of the following might a bastion host be used to connect?
A public instance in a public subnet
A public instance in a private subnet
A private instance in a public subnet
A private instance in a private subnet
Which of these would you use to secure a bastion host?
A network ACL
A security group
OS hardening
All of the above
For a bastion host intended to provide shell access to your private instances, what protocols should you allow via a security group?
SSH and RDP
Just SSH
Just RDP
Just HTTPS
Which of the following statements about internet gateways is false?
They scale horizontally.
They are automatically redundant.
They are automatically highly available.
They scale vertically.
To which of the following does an internet gateway attach?
An AWS account
A subnet within a VPC
A VPC
An instance within a subnet
Which of the following destination routes would be used for routing IPv4 traffic to an internet gateway?
0.0.0.0/24
0.0.0.0/0
::/0
192.168.1.1
Which of the following destination routes would be used for routing IPv6 traffic to an internet gateway?
0.0.0.0/24
0.0.0.0/0
::/0
192.168.1.1
Which of the following is not necessary for an instance to have IPv6 communication over the Internet?
A VPC with an associated IPv6 CIDR block
A public IPv6 assigned to the instance
A subnet with an associated IPv6 CIDR block
A virtual private gateway with IPv6 enabled
Which of the following are possible options for assigning to an instance that needs public access? (Choose two.)
A public IP address
An elastic IP address
An IAM role
A NACL
Which of the following will have internet gateways available? (Choose two.)
A public subnet
An IPv6 elastic IP address
The default VPC
An ALB
What does ALB stand for?
Access load balancer
Application load balancer
Adaptive load balancer
Applied load balancer
At what OSI layer does an application load balancer operate?
4
7
4 and 7
6
At what OSI layer does a network load balancer operate?
4
7
4 and 7
6
At what OSI layer does a classic load balancer operate?
4
7
4 and 7
6
Which type of load balancer operates at the Transport layer?
Classic load balancer
Application load balancer
Network load balancer
Both classic and network load balancers
Which type of load balancer operates at the Application layer?
Classic load balancer
Application load balancer
Network load balancer
Both classic and application load balancers
What type of subnets are the default subnets in the default VPC?
Private
Hybrid
Public
Transport
What type of subnets are the default subnets in a custom VPC?
Private
Hybrid
Public
Transport
Which of the following is not automatically created for an instance launched into a non-default subnet?
A private IPv4 address
A security group
A public IPv4 address
A route to other instances in the subnet
Which of the following would be needed to allow an instance launched into a non-default subnet Internet access? (Choose two.)
A private IPv4 address
A security group
An elastic IP address
An internet gateway
Which of the following would you need to add or create to allow an instance launched into a default subnet in the default VPC Internet access?
A public IPv4 address
An internet gateway
An elastic IP address
None of these
Which of the following would you use to allow outbound Internet traffic while preventing unsolicited inbound connections?
A NAT device
A bastion host
A VPC endpoint
A VPN
What does a NAT device allow?
Incoming traffic from the Internet to reach private instances
Incoming traffic from other VPCs to reach private instances
Outgoing traffic to other VPCs from private instances
Outgoing traffic to the Internet from private instances
Which of the following are NAT devices offered by AWS? (Choose two.)
NAT router
NAT instance
NAT gateway
NAT load balancer
Which of the following requires selecting an AMI? (Choose two.)
Launching an EC2 instance
Backing up an EBS volume
Creating an EBS volume
Launching a NAT instance
For which of the following do you not need to worry about operating system updates?
NAT instance
NAT gateway
EC2 instance
ECS container
Which of the following does not automatically scale to meet demand?
DynamoDB
NAT instance
SNS topic
NAT gateway
Which of the following, without proper security, could be most dangerous to your private instances?
Bastion host
VPC endpoint
Internet gateway
NAT instance
Which of the following could be used as a bastion host?
NAT gateway
VPC endpoint
Internet gateway
NAT instance
You are building out a site-to-site VPN connection from an on-site network to a private subnet within a custom VPC. Which of the following might you need for this connection to function properly? (Choose two.)
An internet gateway
A public subnet
A virtual private gateway
A customer gateway
You are building out a site-to-site VPN connection from an on-site network to a custom VPC. Which of the following might you need for this connection to function properly? (Choose two.)
A NAT instance
A DynamoDB instance
A private subnet
An internet gateway
With which of the following is an egress-only internet gateway most closely associated?
IPv4
IPv6
A NAT instance
A NAT gateway
You are responsible for securing an EC2 instance with an IPv6 address that resides in a public subnet. You want to allow traffic from the instance to the Internet but restrict access to the instance. Which of the following would you suggest?
VPC endpoint
Internet gateway
Egress-only internet gateway
A NAT gateway
You have just created a NAT instance and want to launch the instance into a subnet. Which of these need to be true of the subnet into which you want to deploy? (Choose two.)
The subnet is public.
The subnet is private.
The subnet has routing into the private subnets in your VPC.
The subnet has routing to the public subnets in your VPC.
Which of the following are true about an egress-only internet gateway? (Choose two.)
It only supports IPv4 traffic.
It is stateful.
It only supports IPv6 traffic.
It is stateless.
Which of these would be used as the destination address in a routing table for a VPC that uses an egress-only internet gateway?
0.0.0.0/0
0.0.0.0/16
::/0
::/24
Which of the following are true about IPv6 addresses? (Choose two.)
They are globally unique.
They are in the format x.y.z.w.
They require underlying IPv4 addresses.
They are public by default.
What is an elastic network interface? (Choose two.)
A hardware network interface on an EC2 instance
A virtual network interface
An interface that can have one or more IPv6 addresses
An interface that does not have a MAC address
Which of the following is not part of an elastic network interface?
A primary IPv4 address
A MAC address
A source/destination check flag
A NACL
How many network interfaces can a single instance have?
None
One and only one
One or more
At least two, up to five
If an elastic network interface is moved from one instance to another, what happens to network traffic directed at the interface?
It is redirected to the elastic network interface that has moved to the new instance.
It is redirected to the primary network interface on the original instance.
It is redirected to the primary network interface on the new instance.
It is lost and must be re-sent to the elastic network interface on the new instance.
To how many instances can an elastic network interface be attached?
One and only one
One or more
One at a time, but it can be moved from one instance to another.
Up to five
Which of these is not a reason to attach multiple network interfaces to an instance?
You are creating a management network.
You are attempting to increase network throughput to the instance.
You need a high-availability solution and have a low budget.
You need dual-homed instances.
Which of the following can you not do with regard to network interfaces?
Detach a secondary interface from an instance.
Attach an elastic network interface to an instance with an existing interface.
Detach a primary interface from an instance.
Attach an elastic network interface to a different instance than originally attached.
Which of the following is not a valid attribute for an elastic network interface?
An IPv6 address
An IPv4 address
A source/destination check flag
A routing table
Why might you use an elastic IP address?
You need an IPv4 address for a specific instance.
You need an IPv6 address for a specific instance.
You want to mask the failure of an instance to network clients.
You want to avoid making changes to your security groups.
Which of the following can you not do with an elastic IP address?
Change the IP address associated with it while it is in use.
Move it from one instance to another.
Move it across VPCs.
Associate it with a single instance in a VPC.
Which of the following are advantages of an elastic IP? (Choose two.)
Reduces the number of IP addresses your VPC uses
Provides protection in case of an instance failure
Allows all attributes of a network interface to be moved at one time
Provides multiple IP addresses for a single instance
Which of the following would you need to do to create an elastic IP address? (Choose two.)
Allocate an elastic IP address for use in a VPC.
Allocate an IP address in Route 53.
Detach the primary network interface on an instance.
Associate the elastic IP to an instance in your VPC.
Which of these is not a valid means of working with an Amazon EBS snapshot?
The AWS API
The AWS CLI
The AWS console
The AWS EBS management tool
Where are individual instances provisioned?
In a VPC
In a region
In an availability zone
In an Auto Scaling group
How are EBS snapshots backed up to S3?
Incrementally
In full, every time they are changed
EBS snapshots are backed up to RDS.
Sequentially
You have an existing IAM role in use by several instances in your VPC. You make a change in the role, removing permissions to access S3. When does this change take effect on the instances already attached to the role?
Immediately
Within 60 seconds
The next time the instances are restarted
The instances preserve the pre-change permissions indefinitely.
How many IAM roles can you attach to a single instance?
One
One or two
As many as you want
None, roles are not assigned to instances.
How can you attach multiple IAM roles to a single instance? (Choose two.)
You can attach as many roles as you want to an instance.
You cannot, but you can combine the policies each role uses into a single new role and assign that.
You can assign two IAM roles to an instance, but no more than that.
You cannot; only one role can be assigned to an instance.
You need to make a change to a role attached to a running instance. What do you need to do to ensure the least amount of downtime? (Choose two.)
Update the IAM role via the console or AWS API or CLI.
Re-attach the updated role to the instance.
Restart the instance.
Other than updating the role, no additional changes are needed.
You have a new set of permissions that you want to attach to a running instance. What do you need to do to ensure the least amount of downtime? (Choose two.)
Remove the instance’s IAM role via the console or AWS API or CLI.
Create a new IAM role with the desired permissions.
Stop the instance, assign the role, and restart the instance.
Attach the new role to the running instance.
How can you delete a snapshot of an EBS volume when it’s used as the root device of a registered AMI?
You can’t.
You can, but only using the AWS API or CLI.
Delete the snapshot using the AWS console.
Ensure that you have correct IAM privileges and delete the AMI.
Which of these is the best option for encrypting data at rest on an EBS volume?
Configure the volume’s encryption at creation time.
Configure AES 256 encryption on the volume once it’s been started.
Configure encryption using the OS tools on the attached EC2 instance.
Back up the data in the volume to an encrypted S3 bucket.
How can you ensure that an EBS root volume persists beyond the life of an EC2 instance, in the event that the instance is terminated?
The volume will persist automatically.
Configure the EC2 instance to not terminate its root volume and the EBS volume to persist.
You cannot; root volumes always are deleted when the attached EC2 instance is terminated.
Ensure that encryption is enabled on the volume and it will automatically persist.
Which of the following is not part of the well-architected framework?
Apply security at all layers.
Enable traceability.
Use defaults whenever possible.
Automate responses to security events.
Which of the following should you attempt to automate, according to the AWS well-architected framework? (Choose two.)
Security best practices
Scaling instances
Responses to security events
IAM policy creation
Which of the following statements are true? (Choose two.)
You are responsible for security in the cloud.
AWS is responsible for security of the cloud.
AWS is responsible for security in the cloud.
You are responsible for security of the cloud.
For which of the following is AWS responsible for security? (Choose two.)
Edge locations
Firewall configuration
Network traffic
Availability zones
For which of the following is AWS not responsible for security?
Networking infrastructure
RDS database installations
S3 buckets
Networking traffic
For which of the following are you not responsible for security?
DynamoDB
Operating system configuration
Server-side encryption
Application keys
Which of the following is not included in the well-architected framework’s definition of security?
Data protection
Infrastructure protection
Reduction of privileges
Defective controls
Which of the following is a principle of the well-architected framework’s security section?
Encrypt the least amount of data possible.
Always encrypt the most important data.
Encrypt everything where possible.
Encrypt data at rest.
Which of the following are principles of the well-architected framework’s security section? (Choose two.)
Encrypt data at rest.
Encrypt data in transit.
Encrypt data in groups rather than individually.
Encrypt data at the destination.
Who is responsible for encrypting data in the cloud?
You
AWS
AWS provides mechanisms such as key rotation for which they are responsible, but you are responsible for appropriate usage of those mechanisms.
AWS provides an API, but you are responsible for security when using that API.
What is the term used to represent the resiliency of data stored in S3?
9 9s
11 9s
7 9s
99th percentile
Which of these statements is not true?
AWS recommends encrypting data at rest and in transit.
AWS will never move data between regions unless initiated by the customer.
AWS will initiate moving data between regions if needed.
Customers move data between regions rather than AWS.
Which of the following can be part of a strategy to avoid accidental data overwriting of S3 data?
IAM roles
MFA Delete
Versioning
All of these
Which of the following should always be done to protect your AWS environment? (Choose two.)
Enable MFA on the root account.
Enable MFA Delete on your S3 buckets.
Set a password rotation policy for users.
Create custom IAM roles for all users.
At what level does infrastructure protection exist in AWS?
The physical hardware layer
OSI layer 4
The VPC layer
OSI layer 7
Which of the following might be used to detect or identify a security breach in AWS? (Choose two.)
CloudWatch
CloudFormation
CloudTrail
Trusted Advisor
Which of the following AWS services is associated with privilege management?
AWS Config
RDS
IAM
VPC
Which of the following AWS services is associated with privilege management?
Internet gateway
S3-IA
CloudTrail
MFA
Which of the following AWS services is associated with identifying potential security holes?
Trusted Advisor
CloudFormation
Security Detector
Security Advisor
Which of the following is not one of the five pillars in the cloud defined by the AWS well-architected framework?
Operational excellence
Performance efficiency
Organizational blueprint
Cost optimization
Which of the following is not one of the five pillars in the cloud defined by the AWS well-architected framework?
Performance efficiency
Usability
Security
Reliability
Which of the following is not one of the security principles recommended by AWS’s well-architected framework?
Automate security best practices.
Enable traceability.
Apply security at the highest layers.
Protect data in transit and at rest.
Which of the following is one of the security principles recommended by AWS’s well-architected framework?
Make sure all users have passwords.
Only protect data at rest.
Turn on MFA Delete for S3 buckets.
Keep people away from data.
AWS’s well-architected framework defines five areas to consider with respect to security. Choose the two that are part of this set. (Choose two.)
Identity and Access Management
User management
Virtual private networks
Incident response
Who is responsible for physically securing the infrastructure that supports cloud services?
AWS
You
Your users
AWS and you have joint responsibility.
Which of the following statements about the root account in an AWS account are true? (Choose two.)
It is the first account created.
It is ideal for everyday tasks.
It is intended primarily for creating other users and groups.
It has access keys that are important to keep.
Which of the following are appropriate password policy requirements? (Choose two.)
Maximum length
Recovery
Minimum length
Complexity
What additional requirements should users that can access the AWS console have?
Users with console access should have more stringent password policy requirements.
Users with console access should have to use their access keys to log in.
Users with console access should be required to use MFA.
None. These users should be treated the same as other users.
Which of the following provide a means of federating users from an existing organization? (Choose two.)
SAML 2.0
Web identities
LDAP
UML 2.0
Which of the following principles suggests ensuring that authenticated identities are only permitted to perform the most minimal set of functions necessary?
Principle of lowest privilege
Principle of least priority
Principle of least privilege
Principle of highest privilege
What is an AWS Organizations OU?
Orchestration unit
Organizational unit
Operational unit
Offer of urgency
What is an AWS Organizations SCP?
Service control policy
Service control permissions
Standard controlling permissions
Service conversion policy
To which of the following constructs is an AWS Organizations SCP applied?
To a service control policy
To an IAM role
To an organizational unit
To a SAML user store
Which of the following can be used to centrally control AWS services across multiple AWS accounts?
A service control policy
An organizational unit
An LDAP user store
IAM roles
What AWS service would you use for managing and enforcing policies for multiple AWS accounts?
AWS Config
AWS Trusted Advisor
AWS Organizations
IAM
Which of the following does AWS provide to increase privacy and control network access?
Network firewalls built into Amazon VPC
Encryption in transit with TLS across all services
Connections that enable private and dedicated connections from an on-premises environment
All of these
You have an application that uses S3 standard for storing large data. Your company wants to ensure that all data is encrypted at rest while avoiding adding work to your current development sprints. Which S3 encryption solution should you use?
SSE-C
SSE-S3
SSE-KMS
Amazon S3 Encryption Client
You are the architect of an application that allows users to send private messages back and forth. You want to ensure encryption of the messages when stored in S3 and a strong auditing trail in case of a breach. You also want to capture any failed attempts to access data. What Amazon encryption solution would you use?
SSE-C
SSE-S3
SSE-KMS
Amazon S3 Encryption Client
Your company has just hired three new developers. They need immediate access to a suite of AWS services. What is the best approach to giving these developers access?
Give the developers the admin credentials and change the admin password when they are finished for the day.
Create a new IAM user for each developer and assign the required permissions to each user.
Create a new IAM user for each developer, create a single group with the required permissions, and assign each user to that group.
Create a new SCP and assign the SCP to an OU with each user’s credentials within that OU.
Your application requires a highly available storage solution. Further, the application will serve customers in the EU and must comply with EU privacy laws. What should you do to provide this storage?
Create a new EC2 instance in EU-Central-1 and set up EBS volumes in a RAID configuration attached to that instance.
Create a new S3 standard bucket in EU-West-1.
Create a new Glacier vault in EU-South-1.
Create a new Auto Scaling group in EU-West-1 with at least three EC2 instances, each with an attached Provisioned IOPS EBS volume.
Which of the following provides SSL for data in transit?
S3 standard
S3 One Zone-IA
Glacier
All of these
Which of the following does not provide encryption of data at rest?
S3 standard
S3 One Zone-IA
Glacier
All of these encrypt data at rest.
What is the AWS shared responsibility model?
A model that defines which components AWS secures and which you as an AWS customer must secure
A model that defines which components you secure and which components your customers must secure
A model that defines how connections between offices or on-premises data centers and the cloud must work together to secure data that moves between the two
A model that defines how the five pillars of the AWS well-architected framework interact
Which of the following is not one of the types of services that AWS offers, according to the shared responsibility model?
Infrastructure services
Managed services
Containers services
Abstracted services
For which of the following are you not responsible for security?
Operating systems
Credentials
Virtualization infrastructure
AMIs
Which of the following is used to allow EC2 instances to access S3 buckets?
IAM role
IAM policy
IAM user
AWS organizational unit
You have a task within a Docker container deployed via AWS ECS. The application cannot access data stored in an S3 bucket. What might be the problem? (Choose two.)
The IAM role associated with the task doesn’t have permissions to access S3.
The task is not in a security group with inbound access allowed from S3.
The task does not have access to an S3 VPC endpoint.
There is no policy defined to allow ECS tasks to access S3.
What is the default security on a newly created S3 bucket?
Read-only
Read and write is permitted from EC2 instances in the same region.
Completely private, reads and writes are disallowed.
There is no policy defined to allow ECS tasks to access S3.