Domain 2 Flashcards

(15 cards)

1
Q

Which of the following is the customer responsible for updating and patching, according to the AWS shared responsibility model?

A. Amazon FSx for Windows File Server

B. Amazon WorkSpaces virtual Windows desktop

C. AWS Directory Service for Microsoft Active Directory

D. Amazon RDS for Microsoft SQL Server

A

B. Amazon WorkSpaces virtual Windows desktop

Amazon WorkSpaces is a managed Desktop-as-a-Service offering that gives each user a persistent virtual desktop. Under the shared responsibility model the customer patches the Windows guest operating system and any software the customer installs on the WorkSpace; updates can be applied through the WorkSpaces maintenance window or manually. The other three options are managed services in which AWS patches the file server (FSx), the domain controllers (Directory Service), and the database engine and its host operating system (RDS).

2
Q

Which AWS service provides a quick and automated way to create and manage AWS accounts?

A. Amazon QuickSight

B. Amazon Lightsail

C. AWS Organizations

D. Amazon Connect

A

C. AWS Organizations

AWS Organizations lets you create new AWS accounts programmatically (for example with the CreateAccount API) and manage them centrally: grouping them into organizational units, applying service control policies, and consolidating billing. Amazon QuickSight is a business analytics service for building visualizations and dashboards, Amazon Lightsail offers simplified virtual private servers, and Amazon Connect is a cloud contact-center service; none of them creates or manages AWS accounts.

3
Q

A company has a new requirement to log actions taken in a production account.

Which AWS service should meet that requirement?

A. AWS CloudTrail

B. Amazon CloudWatch

C. Amazon Inspector

D. AWS Application Discovery Service

A

A. AWS CloudTrail

Actions performed in AWS are recorded as events in CloudTrail. You can use CloudTrail to log actions taken in a production account, such as actions taken in the AWS Management Console, AWS CLI, and AWS SDKs.

4
Q

During a compliance review, one of the auditors requires a copy of the AWS SOC 2 report.

Which service should be used to submit this request?

A. AWS Health Dashboard

B. AWS Trusted Advisor

C. AWS Artifact

D. Amazon S3

A

C. AWS Artifact

AWS Artifact is a web service that allows you to download AWS security and compliance documents such as ISO certifications and SOC reports.

5
Q

Which security-related services or features does AWS offer? (Select TWO.)

A. Complete PCI compliance for customer applications that run on AWS

B. AWS Trusted Advisor security checks

C. Data encryption

D. Automated penetration testing

E. Amazon S3 copyrighted content detection

A

B. AWS Trusted Advisor security checks

Trusted Advisor draws upon best practices learned from serving hundreds of thousands of AWS customers. These best practices include security checks.

C. Data encryption

Many AWS services support data encryption, including Amazon Elastic Block Store (Amazon EBS) and Amazon S3. Encryption adds another layer of security to your data.

6
Q

A cloud practitioner must define the AWS shared responsibility model.

What is the customer’s responsibility? (Select TWO.)

A. Configure IAM users for least-privilege access

B. Install patches to the database of Amazon RDS DB instances

C. Determine which services have access to an Amazon DynamoDB table

D. Patch the physical AWS network equipment

E. Patch the operating system used by AWS Lambda functions

A

A. Configure IAM users for least-privilege access

AWS provides the functionality of AWS Identity and Access Management (IAM). However, the customer determines who receives specific access rights. The customer defines IAM users and assigns policies to those users.

C. Determine which services have access to an Amazon DynamoDB table

The customer controls which principals and services may reach the table, through IAM identity policies, resource-based policies, and VPC endpoint policies. Access control of this kind is "security in the cloud", the customer's side of the model. Patching the RDS database engine (B), the physical network (D), and the operating system under Lambda (E) is "security of the cloud" and is handled by AWS.
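Least privilege for an IAM user (answer A) and controlling access to a DynamoDB table (answer C) both come down to the policy document the customer writes. The following is an added example, not part of the original card: a broad policy beside a scoped one for a hypothetical table, a small linter that flags the wildcard patterns that usually mean a policy is wider than it needs to be, and an evaluator that applies the identity-policy rule of explicit Deny over Allow over implicit deny. The account ID and table name are made up; the evaluator ignores conditions, SCPs, permission boundaries and resource policies, which real IAM evaluation also considers.

```python
"""Lint an IAM policy for least privilege and evaluate what it allows on a table.

Constructed example (account ID and table name are not real). Only the
Effect/Action/Resource parts of identity policies are modelled.
"""
from fnmatch import fnmatchcase

TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"

# The kind of policy that "just works" and grants far more than the app needs.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
]}

# The same access narrowed to the calls the application actually makes.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:PutItem"],
     "Resource": [TABLE_ARN, TABLE_ARN + "/index/*"]},
    # An explicit Deny always wins over any Allow, even one granted elsewhere.
    {"Effect": "Deny", "Action": "dynamodb:DeleteTable", "Resource": TABLE_ARN},
]}


def _as_list(value) -> list:
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str, fold: bool = False) -> bool:
    """IAM-style wildcard match (* and ?); fold=True ignores case, as IAM does for actions."""
    if fold:
        pattern, value = pattern.lower(), value.lower()
    return fnmatchcase(value, pattern)


def policy_findings(policy: dict) -> list[str]:
    """Flag patterns in Allow statements that usually mean over-broad access."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append(f"statement {i}: allows every action")
            elif action.endswith(":*"):
                findings.append(f"statement {i}: allows every {action[:-2]} action")
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*":
                findings.append(f"statement {i}: applies to every resource")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: Allow with NotAction/NotResource is hard to reason about")
    return findings


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Identity-policy evaluation: explicit Deny > Allow > implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_matches(p, action, fold=True) for p in _as_list(stmt.get("Action", [])))
        resource_hit = any(_matches(p, resource) for p in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    for name, pol in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "findings:", policy_findings(pol) or "none")
        for call in ("dynamodb:GetItem", "dynamodb:Scan", "dynamodb:DeleteTable"):
            print(f"  {call:24} on table ->", is_allowed(pol, call, TABLE_ARN))
```

The linter is deliberately simple: it catches the three patterns (`*`, `service:*`, `Resource: "*"`) that account for most over-broad policies, and treats an Allow that uses NotAction or NotResource as a finding because such statements grant everything except what is named. In a real account, IAM Access Analyzer's policy validation and the "last accessed" data in the IAM console do this job at scale.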

7
Q

Which service should someone use to turn on single sign-on (SSO) to the AWS Management Console?

A. Amazon Cognito

B. AWS Directory Service

C. AWS IAM Identity Center

D. Amazon API Gateway

A

C. AWS IAM Identity Center

IAM Identity Center provides you with the ability to manage sign-in security for your workforce users. IAM Identity Center can be used for SSO integration to access the AWS Management Console.

8
Q

Which service provides risk auditing by continuously monitoring and logging API requests to resources in an account, which includes user actions in the AWS Management Console and AWS SDKs?

A. Amazon CloudWatch

B. AWS CloudTrail

C. AWS Config

D. AWS Health

A

B. AWS CloudTrail

CloudTrail helps to provide governance, compliance, and operational risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface (AWS CLI), and AWS SDKs and APIs.
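Cards 3 and 8 both say that CloudTrail records actions as events; what a practitioner actually does with those events is read the JSON records and pick out who did what, from where, and through which channel. The block below is an added example, not part of the original cards: it parses three constructed records shaped like a CloudTrail log file delivered to S3 (a console sign-in without MFA, an EC2 call from the CLI, and an S3 call made under an assumed role), summarises each event, and flags console sign-ins that succeeded without MFA. The account ID, user and role names, IP addresses, instance ID and bucket name are made up; the channel detection from the user agent is a heuristic of this example, not a CloudTrail field.

```python
"""Parse CloudTrail log records and list the actions taken in an account.

Constructed sample: records in the shape of a CloudTrail log file delivered to
S3 ("Records" array). Every identifier below is made up for this example.
"""
import json

SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T12:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userAgent": "Mozilla/5.0",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T12:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.5.0",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}}},
    {"eventTime": "2024-05-01T12:07:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "sourceIPAddress": "198.51.100.7",
     "userAgent": "aws-sdk-go/1.44.0",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/ci-session"},
     "requestParameters": {"bucketName": "example-prod-assets"}},
]})


def parse_records(log_text: str) -> list[dict]:
    """Return the Records array from the body of a CloudTrail log file."""
    return json.loads(log_text)["Records"]


def actor_of(record: dict) -> str:
    """Name the principal: 'root' for the root user, else the tail of the identity ARN."""
    identity = record.get("userIdentity", {})
    if identity.get("type") == "Root":
        return "root"
    return identity.get("arn", "unknown").rsplit(":", 1)[-1]


def channel_of(record: dict) -> str:
    """Guess how the call was made from the user agent (a heuristic, not an API field)."""
    agent = record.get("userAgent", "")
    if record.get("eventName") == "ConsoleLogin" or "console.amazonaws.com" in agent:
        return "console"
    if agent.startswith("aws-cli/"):
        return "cli"
    return "sdk/other"


def summarize(records: list[dict]) -> list[dict]:
    """One row per event: when, who, which API call, from which IP, via which channel."""
    return [{
        "time": r["eventTime"],
        "actor": actor_of(r),
        "action": f'{r["eventSource"].split(".")[0]}:{r["eventName"]}',
        "source_ip": r.get("sourceIPAddress", ""),
        "channel": channel_of(r),
    } for r in records]


def console_logins_without_mfa(records: list[dict]) -> list[str]:
    """Actors whose successful console sign-in did not use MFA."""
    return [actor_of(r) for r in records
            if r.get("eventName") == "ConsoleLogin"
            and r.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and r.get("additionalEventData", {}).get("MFAUsed") != "Yes"]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for row in summarize(recs):
        print(row)
    print("console sign-ins without MFA:", console_logins_without_mfa(recs))
```

The same logic is what a CloudWatch Logs metric filter or an Athena query over the trail's S3 prefix would express declaratively; the point of the example is the shape of the record, in particular that `userIdentity.type` distinguishes users, assumed roles and root, and that `additionalEventData.MFAUsed` is where a sign-in's second factor is recorded.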

9
Q

Which AWS service provides managed threat detection that will identify compromised instances and accounts?

A. Amazon Macie

B. Amazon Inspector

C. Amazon GuardDuty

D. AWS Shield

A

C. Amazon GuardDuty

GuardDuty provides continuous monitoring and threat detection services. GuardDuty uses threat intelligence feeds and machine learning to identify unauthorized and malicious activity within your AWS environment. You can use GuardDuty to identify compromised instances and accounts.

10
Q

A company wants to add a virtual firewall to an Amazon VPC. The company wants all instances inside a specific subnet to be automatically covered under this firewall.

Which feature meets these requirements?

A. IAM role

B. Security groups

C. Network ACLs

D. VPC Flow Logs

A

C. Network ACLs

A network ACL is attached to a subnet, so every instance in that subnet is covered automatically; a security group, by contrast, must be associated with each instance's network interface. Network ACLs allow or deny traffic at the subnet boundary, are stateless (return traffic needs its own rule in the opposite direction), and are evaluated in ascending rule-number order with the first match deciding.

11
Q

Which task is AWS responsible for in the AWS shared responsibility model for security and compliance?

A. Granting access to individuals and services

B. Ensuring payment card industry (PCI) compliance of user applications hosted on AWS

C. Updating Amazon EC2 hardware

D. Updating a guest operating system deployed on Amazon EC2

A

C. Updating Amazon EC2 hardware

Maintaining and replacing the physical hosts that run EC2 is "security of the cloud", AWS's side of the model. Granting access to individuals and services (A), PCI compliance of the customer's own application (B), and patching the guest operating system (D) are "security in the cloud", the customer's side.

12
Q

A cloud practitioner wants to explicitly deny network traffic to a subnet inside of an Amazon VPC.

Which solution will meet this requirement?

A. Network ACLs

B. Security groups

C. Transit gateway

D. Route table

A

A. Network ACLs

Network ACLs act as a subnet-level firewall and, unlike security groups, support explicit Deny rules. A security group only lists what is allowed and implicitly drops everything else, so it cannot single out a source to deny; a route table and a transit gateway control where traffic is forwarded, not whether it is permitted.
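Cards 10 and 12 both turn on the difference between a network ACL and a security group: subnet-wide coverage, ordered rules with a catch-all deny, and the ability to say Deny at all. The following is an added example, not part of the original cards, that simulates both evaluations over a constructed inbound rule set (the rule numbers, CIDRs and addresses are made up): an explicit deny for one source range at rule 90 fires before the allow-HTTPS-from-anywhere rule at 100, anything unmatched falls through to the `*` deny, and the equivalent security group cannot express the deny because it only holds allow rules.

```python
"""Simulate network ACL and security group evaluation for inbound traffic.

Constructed rule set for illustration, not exported from a real VPC. NACL
rules are checked in ascending rule-number order and the first match wins;
the '*' catch-all is modelled as rule 32767, the highest number allowed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NaclRule:
    number: int       # evaluation order
    protocol: str     # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    cidr: str
    action: str       # "allow" or "deny"


INBOUND_NACL = [
    NaclRule(90, "tcp", 443, 443, "203.0.113.0/24", "deny"),   # block one source range
    NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),      # HTTPS from anywhere else
    # NACLs are stateless: replies to connections the instances opened outbound
    # come back on ephemeral ports and need their own inbound allow.
    NaclRule(110, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),
    NaclRule(32767, "all", 0, 65535, "0.0.0.0/0", "deny"),     # the '*' rule
]


def evaluate_nacl(rules, src_ip: str, port: int, protocol: str = "tcp") -> tuple[str, int]:
    """Return (action, rule_number) of the first rule that matches, in number order."""
    addr = ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if not rule.port_from <= port <= rule.port_to:
            continue
        if addr not in ip_network(rule.cidr):
            continue
        return rule.action, rule.number
    return "deny", -1   # only reachable if the '*' rule has been left out


@dataclass(frozen=True)
class SgRule:
    protocol: str
    port_from: int
    port_to: int
    cidr: str


# A security group holds allow rules only; anything not listed is dropped, and
# there is no rule order and no way to write "deny this source".
INBOUND_SG = [SgRule("tcp", 443, 443, "0.0.0.0/0")]


def evaluate_sg(rules, src_ip: str, port: int, protocol: str = "tcp") -> bool:
    """True if any allow rule matches; security groups are stateful, so replies need no rule."""
    addr = ip_address(src_ip)
    return any(r.protocol in ("all", protocol)
               and r.port_from <= port <= r.port_to
               and addr in ip_network(r.cidr)
               for r in rules)


if __name__ == "__main__":
    for src, port in (("203.0.113.5", 443), ("198.51.100.1", 443), ("198.51.100.1", 22)):
        print(f"{src}:{port}  nacl={evaluate_nacl(INBOUND_NACL, src, port)}"
              f"  sg={'allow' if evaluate_sg(INBOUND_SG, src, port) else 'drop'}")
```

The practical consequence: to keep a known-bad range out of a whole subnet you write a low-numbered Deny rule in the NACL, and you still keep security groups on the instances for the allow list, since the two layers are evaluated independently and both must permit a packet.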

13
Q

Which service or feature will enhance the security of access to the AWS Management Console? (Select TWO.)

A. AWS Secrets Manager

B. AWS Certificate Manager (ACM)

C. Multi-factor authentication (MFA)

D. Security groups

E. Complex password requirements

A

C. Multi-factor authentication (MFA)

MFA is a simple best practice that adds an extra layer of protection on top of the username and password. With MFA enabled, a user signing in to the AWS Management Console first supplies a username and password (the first factor, something they know) and is then prompted for an authentication code from their MFA device (the second factor, something they have). A stolen password alone is then not enough to reach the account's settings and resources.

E. Complex password requirements

Complex password requirements, set for IAM users through the account password policy (minimum length, required character classes, rotation, and reuse prevention), make passwords harder to guess and so reduce the risk of improper access to the AWS Management Console.
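The "authentication code from their MFA device" in answer C is, for a virtual MFA app, a time-based one-time password. The block below is an added illustration of that algorithm (RFC 6238 TOTP over RFC 4226 HOTP), not code from the original card or from AWS: it generates a code from a base32 seed of the kind an enrollment QR code carries, and verifies a submitted code with a small clock-skew window and a constant-time comparison. The seed is the RFC test-vector value, not a real MFA seed, so the expected codes are the published ones.

```python
"""Generate and verify the time-based codes a virtual MFA device produces.

RFC 6238 TOTP on top of RFC 4226 HOTP. The seed below is the RFC test vector
"12345678901234567890" (base32-encoded, as an enrollment QR code would carry
it), not a real MFA secret.
"""
import base64
import hmac
import struct
import time
from typing import Optional

TEST_SEED_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC the 8-byte counter, dynamically truncate, keep the low digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed_b32: str, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step); `at` defaults to now."""
    secret = base64.b32decode(seed_b32, casefold=True)
    counter = int((time.time() if at is None else at) // step)
    return hotp(secret, counter, digits)


def verify(seed_b32: str, code: str, at: Optional[float] = None, window: int = 1,
           step: int = 30, digits: int = 6) -> bool:
    """Accept the current code or one up to `window` steps either side, for clock skew."""
    secret = base64.b32decode(seed_b32, casefold=True)
    now = int((time.time() if at is None else at) // step)
    for counter in range(now - window, now + window + 1):
        # Constant-time comparison so response timing does not leak matching digits.
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return True
    return False


if __name__ == "__main__":
    print("seed:", TEST_SEED_B32)
    print("code at t=59:", totp(TEST_SEED_B32, at=59))
    print("current code:", totp(TEST_SEED_B32))
```

Two things the example does not do that a real verifier must: remember the last accepted counter and refuse to accept the same code twice (otherwise a captured code is replayable for the whole window), and rate-limit attempts, since a six-digit code with a three-step window is guessable by brute force without a lockout.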

14
Q

Which task is the customer’s responsibility for AWS Lambda, according to the AWS shared responsibility model?

A. Encryption of the application data at rest

B. Management of the application platform

C. Patching of the guest operating system

D. Security of the physical infrastructure

A

A. Encryption of the application data at rest

Although Lambda is a fully managed service in which AWS patches the runtime and the underlying operating system, customers remain responsible for their application data. The customer therefore protects and encrypts application data at rest, for example by encrypting the S3 objects or DynamoDB items the function reads and writes, and the function's environment variables, with AWS KMS keys.

15
Q

Which AWS service uses machine learning to help discover, monitor, and protect sensitive data that is stored in Amazon S3 buckets?

A. AWS Shield

B. Amazon Macie

C. AWS Network Firewall

D. Amazon Cognito

A

B. Amazon Macie

Macie provides data security by using machine learning to discover, monitor, and provide automated protection of sensitive data that is stored in Amazon S3.
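What "discover sensitive data in S3" means in practice is classifying object contents against detectors for things like credentials, contact details and payment card numbers. The following is an added toy illustration of that classification, not Macie's own detectors or code from the original card: three simple detectors, a Luhn check so that a 13-19 digit string is only reported as a card number when its check digit is valid, and a scan over three constructed object bodies. The object keys and contents are made up; the access key ID is the example value AWS uses in its own documentation and the card number is a standard test number.

```python
"""Classify S3 object contents for sensitive data, in the manner of a discovery job.

Toy detectors written for this example. The objects below are constructed:
the access key ID is AWS's documented example value and the card number is a
standard test number, so nothing here is a real secret.
"""
import re

DETECTORS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # 13 to 19 digits with optional space/dash separators; confirmed by Luhn below.
    "card_number": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}

SAMPLE_OBJECTS = {
    "exports/customers.csv": ("id,email,card\n"
                              "1,jane@example.com,4111 1111 1111 1111\n"
                              "2,sam@example.org,4111 1111 1111 1112\n"),
    "scripts/deploy.sh": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "logs/app.log": "2024-05-01 request id 1234567890123 served in 12ms\n",
}


def luhn_ok(number: str) -> bool:
    """Luhn check digit validation over the digits of `number` (separators ignored)."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep a short prefix so a finding is reviewable without copying the secret."""
    return value[:4] + "*" * (len(value) - 4)


def scan_object(key: str, body: str) -> list[dict]:
    """Run every detector over each line; card matches must also pass Luhn."""
    findings = []
    for lineno, line in enumerate(body.splitlines(), 1):
        for kind, pattern in DETECTORS.items():
            for match in pattern.finditer(line):
                value = match.group(0)
                if kind == "card_number" and not luhn_ok(value):
                    continue    # a long digit string that fails Luhn is not a PAN
                findings.append({"key": key, "line": lineno, "type": kind,
                                 "preview": mask(value)})
    return findings


def scan_bucket(objects: dict) -> dict:
    """Map each object key to the sorted set of sensitive data types found in it."""
    report = {}
    for key, body in objects.items():
        kinds = sorted({f["type"] for f in scan_object(key, body)})
        if kinds:
            report[key] = kinds
    return report


if __name__ == "__main__":
    for key, kinds in scan_bucket(SAMPLE_OBJECTS).items():
        print(f"{key}: {', '.join(kinds)}")
```

The Luhn filter is what keeps the scanner from flagging every long request ID or timestamp as a card number; the production equivalents add keyword proximity ("card", "cvv"), file-type awareness and confidence scores, but the shape is the same: detector, validator, finding with a masked preview.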
