What features are required to prevent users from bypassing AWS CloudFront
security?
A. Bastion host
B. signed URL
C. IP whitelist
D. signed cookies
E. origin access identity (OAI)
What IAM class enables an EC2 instance to access a file object in an S3
bucket?
Where are IAM permissions granted to invoke and execute a Lambda
function for S3 access?
A. S3 bucket
B. EC2 instance
C. Lambda function
D. IAM role
E. event mapping
You have configured a security group to allow ICMP, SSH and RDP inbound
and assigned the security group to all instances in a subnet. There is no access
to any Linux-based or Windows-based instances and you cannot ping any
instances. The network ACL for the subnet is configured to allow all inbound
traffic to the subnet. What is the most probable cause?
What statements correctly describe security groups within a VPC?
A. default security group only permits inbound traffic
B. security groups are stateful firewalls
C. only allow rules are supported
D. allow and deny rules are supported
E. security groups are associated to network interfaces
What statement correctly describes IAM architecture?
What are two advantages of customer-managed encryption keys (CMK)?
A. create and rotate encryption keys
B. AES-128 cipher for data at rest
C. audit encryption keys
D. encrypts data in-transit for server-side encryption only
What are three recommended solutions that provide protection and mitigation
from distributed denial of service (DDoS) attacks?
A. security groups
B. CloudWatch
C. encryption
D. WAF
E. data replication
F. Auto-Scaling
What two steps are required to grant cross-account permissions between AWS
accounts?
A. create an IAM user
B. attach a trust policy to S3
C. create a transitive policy
D. attach a trust policy to the role
E. create an IAM role
What three items are required to configure a security group rule?
A. protocol type
B. VPC name
C. port number
D. source IP
E. destination IP
F. description
What feature is not available with AWS Trusted Advisor?
What happens to the security permissions of a tenant when an IAM role is
granted?
A. tenant inherits only permissions assigned to the IAM role temporarily
B. add security permissions of the IAM role to existing permissions
C. previous security permissions are no longer in effect
D. previous security permissions are deleted unless reconfigured
E. tenant inherits only read permissions assigned to the IAM role
What distinguishes network ACLs from security groups within a VPC?
A. ACL filters at the subnet level
B. ACL is based on deny rules only
C. ACL is applied to instances and subnets
D. ACL is stateless
E. ACL supports a numbered list for filtering
What AWS service provides vulnerability assessment services to tenants
within the cloud?
What two methods are used to request temporary credentials based on AWS
Security Token Service (STS)?
A. Web Identity Federation
B. LDAP
C. IAM identity
D. dynamic ACL
E. private key rotation
What are two reasons for deploying Origin Access Identity (OAI) when
enabling CloudFront?
A. prevent users from deleting objects in S3 buckets
B. mitigate distributed denial of service attacks (DDoS)
C. prevent users from accessing objects with Amazon S3 URL
D. prevent users from accessing objects with CloudFront URL
E. replace IAM for internet-based customer authentication
What feature is part of Amazon Trusted Advisor?
What two source IP address types are permitted in a security group rule?
A. only CIDR blocks with /16 subnet mask
B. source IP address 0.0.0.0/0
C. single source IP address with /24 subnet mask
D. security group id
E. IPv6 address with /64 prefix length
What security authentication is required before configuring or modifying EC2
instances?
A. authentication at the operating system level
B. EC2 instance authentication with asymmetric keys
C. authentication at the application level
D. Telnet username and password
E. SSH/RDP session connection
What are three recommended best practices when configuring Identity and
Access Management (IAM) security services?
A. Lock or delete your root access keys when not required
B. IAM groups are not recommended for storage security
C. create an IAM user with administrator privileges
D. share your password and/or access keys with members of your group
only
E. delete any AWS account where the access keys are unknown
What authentication method provides Federated Single Sign-On (SSO) for
cloud applications?
What is required to ping from a source instance to a destination instance?
Based on the Amazon security model, what infrastructure configuration and
associated security is the responsibility of tenants and not Amazon AWS?
A. dedicated cloud server
B. hypervisor
C. operating system level
D. application level
E. upstream physical switch
What is the advantage of resource-based policies for cross-account access?
What AWS feature is recommended for optimizing data security?
What two components are required for enabling SAML authentication
requests to AWS Identity and Access Management (IAM)?
A. access keys
B. session token
C. SSO
D. identity provider (IdP)
E. SAML provider entity
You have some developers working on code for an application and they
require temporary access to the AWS cloud for up to an hour. What is the easiest
web-based solution from AWS to provide access and minimize security
exposure?
What protocols must be enabled for remote access to Linux-based and
Windows-based EC2 instances?
What are two primary differences between AD Connector and Simple AD for
cloud directory services?
A. Simple AD requires an on-premises ADS directory
B. Simple AD is fully managed and set up in minutes
C. AD Connector requires an on-premises ADS directory
D. Simple AD is more scalable than AD Connector
E. Simple AD provides enhanced integration with IAM
What rule must be added to the security group assigned to a mount target
instance that enables EFS access from an EC2 instance?
What are two best practices for account management within Amazon AWS?
A. do not use root account for common administrative tasks
B. create a single AWS account with multiple IAM users that have root
privilege
C. create multiple AWS accounts with multiple IAM users per AWS
account
D. use root account for all administrative tasks
E. create multiple root user accounts for redundancy
What solutions are recommended to mitigate DDoS attacks?
A. host-based firewall
B. elastic load balancer
C. WAF
D. SSL/TLS
E. Bastion host
F. NAT gateway
Select three requirements for configuring a Bastion host.
A. EIP
B. SSH inbound permission
C. default route
D. CloudWatch logs group
E. VPN
F. Auto-Scaling
What statement correctly describes support for AWS encryption of S3
objects?
What two features create security zones between EC2 instances within a
VPC?
A. security groups
B. Virtual Security Gateway
C. network ACL
D. WAF