Which of the following options can you not set in a password policy? (Choose two.)
A) Maximum length
B) Require the use of numbers
C) Prevent multiple users from using the same password
D) Require an administrator to reset an expired password
A, C. A password policy can specify a minimum password length but not a maximum. It
can prevent a user from reusing a password they used before but not one that another user
has used. A password policy can require a password to contain numbers. It can also require
administrator approval to reset an expired password.
An IAM user is attached to a customer-managed policy granting them sufficient access to
carry out their duties. You want to require multifactor authentication (MFA) for this user to
use the AWS CLI. What element should you change in the policy?
A) Resource
B) Condition
C) Action
D) Principal
B. The Condition element lets you require MFA to grant the permissions defined in the
policy. The Resource and Action elements define what those permissions are but not the conditions under which those permissions are granted. The Principal element is not used in an
identity-based policy.
You created an IAM policy that another administrator subsequently modified. You need
to restore the policy to its original state but don’t remember how it was configured. What
should you do to restore the policy? (Choose two.)
A) Consult CloudTrail global management event logs.
B) Restore the policy from a snapshot.
C) Consult CloudTrail data event logs.
D) Revert to the previous policy version.
A, D. IAM keeps five versions of every customer-managed policy. When CloudTrail is configured to log global management events, it will record any policy changes in the request parameters of the CreatePolicyVersion operation. There is no such thing as a policy snapshot.
CloudTrail data event logs will not log IAM events.
An IAM user with full access to all EC2 actions in all regions assumes a role that has access
to only the EC2 RunInstances operation in the us-east-1 region. What will the user be able to
do under the assumed role?
A) Create a new instance in any region.
B) Create a new instance in the us-east-1 region.
C) Start an existing instance in the us-east-1 region.
D) Start an existing instance in any region.
B. When an IAM user assumes a role, the user gains the permissions assigned to that role but
loses the permissions assigned to the IAM user. The RunInstances action launches a new
instance. Because the role can perform the RunInstances action in the us-east-1 region,
the user, upon assuming the role, can create a new instance in the us-east-1 region but
cannot perform any other actions. StartInstances starts an existing instance but doesn’t
launch a new one.
Several objects in an S3 bucket are encrypted using a KMS customer master key. Which of the
following will give an IAM user permission to decrypt these objects?
A) Add the user to the key policy as a key user.
B) Grant the user access to the key using an IAM policy.
C) Add the user to the key policy as a key administrator.
D) Add the user as a principal to the bucket policy.
A. Granting a user access to use a KMS key to decrypt data requires adding the user to the
key policy as a key user. Adding the user as a key administrator is insufficient to grant this
access, as is granting the user access to the key using an IAM policy. Adding the user to a
bucket policy can grant the user permission to access encrypted objects in the bucket but
doesn’t necessarily give the user the ability to decrypt those objects.
You run a public-facing application on EC2 instances. The application is backed by a database running on RDS. Users access it using multiple domain names that are hosted in Route
53. You want to get an idea of what IP addresses are accessing your application. Which of the
following would you stream to CloudWatch Logs to get this information?
A) RDS logs
B) DNS query logs
C) VPC flow logs
D) CloudTrail logs
C. VPC flow logs record source IP address information for traffic coming into your
VPC. DNS query logs record the IP addresses of DNS queries, but those won’t necessarily
be the same IP addresses accessing your application. Because users won’t directly connect to your RDS instance, RDS logs won’t record their IP addresses. CloudTrail logs can record the
source IP address of API requests but not connections to an EC2 instance.
You’re running a web server that keeps a detailed log of web requests. You want to determine
which IP address has made the most requests in the last 24 hours. What should you do to
accomplish this? (Choose two.)
A) Create a metric filter.
B) Stream the web server logs to CloudWatch Logs.
C) Upload the web server log to S3.
D) Use Athena to query the data.
C, D. Athena lets you perform advanced SQL queries against data stored in S3. A metric
filter can increment based on the occurrence of a value in a CloudWatch log group but can’t
tell you the most frequently occurring IP address.
An application running on an EC2 instance has been updated to send large amounts of data
to a server in your datacenter for backup. Previously, the instance generated very little traffic.
Which GuardDuty finding type is this likely to trigger?
A) Behavior
B) Backdoor
C) Stealth
D) ResourceConsumption
A. The Behavior finding type is triggered by an instance sending abnormally large amounts
of data or communicating on a protocol and port that it typically doesn’t. The Backdoor
finding type indicates that an instance has resolved a DNS name associated with a command-and-control server or is communicating on TCP port 25. The Stealth finding type is triggered
by weakening password policies or modifying a CloudTrail configuration. The ResourceConsumption finding type is triggered when an IAM user who has never launched an EC2 instance
before does so.
You’ve set up an AWS Config managed rule to check whether a particular security group
is attached to every instance in a VPC. You receive an SNS notification that an instance is
out of compliance. But when you check the instance a few hours later, the security group is
attached. Which of the following may help explain the apparent discrepancy? (Choose two.)
A) The AWS Config timeline
B) Lambda logs
C) CloudTrail management event logs
D) VPC flow logs
A, C. The AWS Config timeline will show every configuration change that occurred on
the instance, including the attachment and detachment of security groups. CloudTrail
management event logs will also show the actions that detached and attached the security group. Although AWS Config rules use Lambda functions, the Lambda logs for AWS
managed rules are not available to you. VPC flow logs capture traffic ingressing a VPC, but
not API events.
You want to use Amazon Inspector to analyze the security posture of your EC2 instances
running Windows. Which rules package should you not use in your assessment?
A) Common Vulnerabilities and Exposures
B) Center for Internet Security Benchmarks
C) Runtime Behavior Analysis
D) Security Best Practices
D. The Security Best Practices rules package has rules that apply to only Linux instances. The
other rules contain rules for both Windows and Linux instances.
You have a distributed application running in datacenters around the world. The application connects to a public Simple Queue Service (SQS) endpoint to send messages to a queue.
How can you prevent an attacker from using this endpoint to gain unauthorized access to the
queue? (Choose two.)
A) Network access control lists
B) Security groups
C) IAM policies
D) SQS access policies
C, D. You can use an IAM policy or SQS access policy to restrict queue access to certain
principals or those coming from a specified IP range. You cannot use network access control
lists or security groups to restrict access to a public endpoint.
You’re using a public-facing application load balancer to forward traffic to EC2 instances in
an Auto Scaling group. What can you do to ensure users on the Internet can reach the load
balancer over HTTPS without reaching your instances directly? (Choose two.)
A) Create a security group that allows all inbound traffic to TCP port 443.
B) Attach the security group to the instances.
C) Attach the security group to the load balancer.
D) Remove the Internet gateway from the VPC.
E) Create a security group that allows all inbound traffic to TCP port 80.
A, C. HTTPS traffic traverses TCP port 443, so the security group should allow inbound
access to this protocol and port. HTTP traffic uses TCP port 80. Because users need to
reach the ALB but not the instances directly, the security group should be attached to the
ALB. Removing the Internet gateway would prevent users from reaching the ALB as well as
the EC2 instances directly.
You’re running a UDP-based application on an EC2 instance. How can you protect it against
a DDoS attack?
A) Place the instance behind a network load balancer.
B) Implement a security group to restrict inbound access to the instance.
C) Place the instance behind an application load balancer.
D) Enable AWS Shield Standard.
B. A security group to restrict inbound access to authorized sources is sufficient to guard
against a UDP-based DDoS attack. Elastic load balancers do not provide UDP listeners, only
TCP. AWS Shield is enabled by default and protects against those UDP-based attacks from
sources that are allowed by the security group.
You’re running a web application on six EC2 instances behind a network load balancer. The
web application uses a MySQL database. How can you protect your application against SQL
injection attacks? (Choose two.)
A) Enable WAF.
B) Assign elastic IP addresses to the instances.
C) Place the instances behind an application load balancer.
D) Block TCP port 3306.
A, C. WAF can block SQL injection attacks against your application, but only if it’s behind
an application load balancer. It’s not necessary for the EC2 instances to have an elastic IP
address. Blocking access to TCP port 3306, which is the port that MySQL listens on for database connections, may prevent direct access to the database server but won’t prevent a SQL
injection attack.
Which services protect against an HTTP flood attack?
A) GuardDuty
B) WAF
C) Shield Standard
D) Shield Advanced
B, D. Both WAF and Shield Advanced can protect against HTTP flood attacks, which are
marked by excessive or malformed requests. Shield Advanced includes WAF at no charge.
Shield Standard does not offer protection against Layer 7 attacks. GuardDuty looks for signs
of an attack but does not prevent one.
Your security policy requires that you use a KMS key for encrypting S3 objects. It further
requires this key be rotated once a year and revoked when misuse is detected. Which key type
should you use? (Choose two.)
A) Customer-managed CMK
B) AWS-managed CMK
C) S3-managed key
D) Customer-provided key
A, D. You can revoke and rotate both a customer-managed CMK and a customer-provided
key at will. You can’t revoke or rotate an AWS-managed CMK or an S3-managed key.
A developer is designing an application to run on AWS and has asked for your input in
deciding whether to use a SQL database or DynamoDB for storing highly transactional application data. Your security policy requires all application data to be encrypted and encryption
keys to be rotated every 90 days. Which AWS service should you recommend for storing
application data? (Choose two.)
A) KMS
B) RedShift
C) DynamoDB
D) RDS
C, D. Customer-managed Customer Master Keys (CMKs) can be rotated at will, whereas
AWS-managed CMKs are rotated only once a year. RDS and DynamoDB let you use a
customer-managed CMK to encrypt data. RedShift is not designed for highly transactional
databases and is not appropriate for the application. KMS stores and manages encryption
keys but doesn’t store application data.
You need to copy the data from an unencrypted EBS volume to another region and encrypt
it. How can you accomplish this? (Choose two.)
A) Create an encrypted snapshot of the unencrypted volume.
B) Simultaneously encrypt and copy the snapshot to the destination region.
C) Copy the encrypted snapshot to the destination region.
D) Create an unencrypted snapshot of the unencrypted volume.
B, D. To encrypt data on an unencrypted EBS volume, you must first take a snapshot. The
snapshot will inherit the encryption characteristics of the source volume, so an unencrypted
EBS volume will always yield an unencrypted snapshot. You can then simultaneously encrypt
the snapshot as you copy it to another region.
An instance with an unencrypted EBS volume has an unencrypted EFS filesystem mounted on
it. You need to encrypt the data on an existing EFS filesystem using a KMS key. How can you
accomplish this?
A) Encrypt the EBS volume of the instance.
B) Create a new encrypted EFS filesystem and copy the data to it.
C) Enable encryption on the existing EFS filesystem.
D) Use a third-party encryption program to encrypt the data.
B. You can enable encryption on an EFS filesystem only when you create it; therefore, the
only option to encrypt the data using KMS is to create a new EFS filesystem and copy the
data to it. A third-party encryption program can’t use KMS keys to encrypt data. Encrypting
the EBS volume will encrypt the data stored on the volume, but not on the EFS filesystem.
On which of the following can you not use an ACM-generated TLS certificate? (Choose two.)
A) An S3 bucket
B) A CloudFront distribution
C) An application load balancer
D) An EC2 instance
A, D. You can install an ACM-generated certificate on a CloudFront distribution or application load balancer. You can’t export the private key of an ACM-generated certificate, so you
can’t install it on an EC2 instance. AWS manages the TLS certificates used by S3.
Which of the following assesses the security posture of your AWS resources against AWS best
practices?
A) Detective
B) Macie
C) Security Hub
D) GuardDuty
C. Security Hub checks the configuration of your AWS services against AWS best practices.