AWS SCS-C01 Certified Security Specialty Practice Exam Set 3

Your company has a set of resources defined in the AWS Cloud. The IT audit department has requested a list of all resources that have been defined across the account. How can this be achieved in the easiest manner?


Options are :

  • Use CloudTrail to get the list of all resources
  • Create a PowerShell script using the AWS CLI. Query for all resources with the tag of production.
  • Create a bash shell script with the AWS CLI. Query for all resources in all regions. Store the results in an S3 bucket.
  • Use AWS Config to get the list of all resources (Correct)

Answer : Use AWS Config to get the list of all resources

You have a bucket and a VPC defined in AWS. You need to ensure that the bucket can only be accessed through the VPC endpoint. How can you accomplish this?


Options are :

  • Modify the IAM Policy for the bucket to allow access for the VPC endpoint
  • Modify the route tables to allow access for the VPC endpoint
  • Modify the bucket Policy for the bucket to allow access for the VPC endpoint (Correct)
  • Modify the security groups for the VPC to allow access to the S3 bucket

Answer : Modify the bucket Policy for the bucket to allow access for the VPC endpoint
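The bucket policy that implements this answer, together with a small evaluator that applies its condition to a request context. This is an added example and not part of the exam page; the bucket name and VPC endpoint ID are assumptions, while aws:sourceVpce is the real IAM condition key that S3 sees on requests arriving through a gateway endpoint.

```python
"""Bucket policy that restricts an S3 bucket to one VPC endpoint, plus a small
evaluator that applies the policy's Deny statement to a request context.

Added example, not part of the exam page. The bucket name and VPC endpoint ID
are assumptions; the condition key aws:sourceVpce is the real IAM condition
key that S3 sees on requests arriving through a gateway endpoint.
"""
from fnmatch import fnmatchcase

BUCKET = "demo-bucket"          # assumed bucket name
ALLOWED_VPCE = "vpce-1a2b3c4d"  # assumed VPC endpoint ID


def vpce_only_bucket_policy(bucket: str, vpce_id: str) -> dict:
    """Explicit Deny for any request that did not come through the named
    endpoint. A Deny is used rather than an Allow because an explicit Deny
    cannot be overridden by an identity policy attached to some IAM user."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AccessOnlyViaVpcEndpoint",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id}},
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition: dict, ctx: dict) -> bool:
    """Evaluate the String operators used here. A key missing from the request
    context fails StringEquals and satisfies StringNotEquals, which is how IAM
    treats absent keys; that is exactly what makes the Deny bite for traffic
    that did not come through any VPC endpoint (no aws:sourceVpce is set)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            if operator == "StringNotEquals" and actual in _as_list(expected):
                return False
            if operator not in ("StringEquals", "StringNotEquals"):
                raise ValueError(f"operator not modelled: {operator}")
    return True


def is_explicitly_denied(policy: dict, action: str, resource: str, ctx: dict) -> bool:
    """True if any Deny statement matches action, resource and context.
    IAM wildcards (* and ?) are handled with fnmatch; action names are
    case-insensitive in IAM, so both sides are lower-cased."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_holds(stmt.get("Condition", {}), ctx):
            return True
    return False


if __name__ == "__main__":
    policy = vpce_only_bucket_policy(BUCKET, ALLOWED_VPCE)
    obj = f"arn:aws:s3:::{BUCKET}/report.csv"
    # Constructed request contexts: through the endpoint, through a different
    # endpoint, and from the public Internet (no aws:sourceVpce key at all).
    for label, ctx in [("via allowed endpoint", {"aws:sourceVpce": ALLOWED_VPCE}),
                       ("via other endpoint", {"aws:sourceVpce": "vpce-0ff00ba4"}),
                       ("from the Internet", {})]:
        print(f"{label:>22}: denied={is_explicitly_denied(policy, 's3:GetObject', obj, ctx)}")
```

Two caveats before applying such a policy: it also denies the console and the CLI from outside the VPC, including the administrator who applied it, so either add an exception for an admin role (for example an aws:PrincipalArn condition) or have a way back in; and the other options are distractors for a reason, since S3 is not in the VPC, so security groups never apply to it and the endpoint's route-table entry is added automatically when the gateway endpoint is created.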


You want to track access requests for a particular S3 bucket. How can you achieve this in the easiest possible way?


Options are :

  • Enable CloudWatch metrics for the bucket
  • Enable CloudWatch Logs for the bucket
  • Enable server access logging for the bucket (Correct)
  • Enable AWS Config for the S3 bucket

Answer : Enable server access logging for the bucket

You are hosting a web site via static website hosting on an S3 bucket (http://demo.s3-website-us-east-1.amazonaws.com). Some of the web pages use JavaScript that accesses resources in another bucket which also has website hosting enabled. When users access the web pages, the browser blocks the JavaScript requests to the other bucket. How can you rectify this?


Options are :

  • Enable versioning for the bucket
  • Enable CRR for the bucket
  • Enable CORS for the bucket (Correct)
  • Enable MFA for the bucket

Answer : Enable CORS for the bucket

A company wants to have a secure way of generating, storing and managing cryptographic keys. But they want to have exclusive access for the keys. Which of the following can be used for this purpose? Please select:


Options are :

  • Use S3 server-side encryption
  • Use KMS and the normal KMS encryption keys
  • Use KMS with imported (external) key material
  • Use CloudHSM (Correct)

Answer : Use CloudHSM


You have a two-tier application hosted in AWS. It consists of a web server and a database server (SQL Server) hosted on separate EC2 instances. You are devising the security groups for these EC2 instances. The web tier needs to be accessed by users across the Internet. You have created a web security group (wg-123) and a database security group (db-345). Which combination of the following security group rules will allow the application to be secure and functional? Choose 2 answers from the options given below.


Options are :

  • db-345 - Allow port 1433 from wg-123 (Correct)
  • db-345 - Allow port 1433 from 0.0.0.0/0
  • wg-123 - Allow port 1433 from wg-123
  • wg-123 - Allow ports 80 and 443 from 0.0.0.0/0 (Correct)

Answer : db-345 - Allow port 1433 from wg-123; wg-123 - Allow ports 80 and 443 from 0.0.0.0/0
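A rule audit that encodes the reasoning behind this answer: the database tier may only be reached from the web tier's security group, and only the web ports may face the Internet. This is an added example and not part of the exam page; the group definitions are constructed to mirror the IpPermissions shape returned by `aws ec2 describe-security-groups`, the IDs wg-123 and db-345 follow the question, and everything else is assumed.

```python
"""Audit security-group rules for a two-tier web/database deployment.

Added example, not part of the exam page. The groups below are constructed
to mirror the IpPermissions shape of `aws ec2 describe-security-groups`;
the IDs wg-123 and db-345 follow the question, everything else is assumed.
"""
from __future__ import annotations
from dataclasses import dataclass

PUBLIC = {"0.0.0.0/0", "::/0"}
WEB_PORTS = {80, 443}
DB_PORTS = {1433, 3306, 5432, 1521}  # SQL Server, MySQL, PostgreSQL, Oracle


@dataclass(frozen=True)
class Finding:
    group_id: str
    ports: str
    source: str
    reason: str


def _rule_ports(rule: dict) -> range:
    """Expand FromPort..ToPort; IpProtocol -1 means every port."""
    if rule.get("IpProtocol") == "-1":
        return range(0, 65536)
    return range(rule["FromPort"], rule["ToPort"] + 1)


def _rule_sources(rule: dict):
    """Yield each CIDR or referenced security-group ID the rule accepts."""
    for r in rule.get("IpRanges", []):
        yield r["CidrIp"]
    for r in rule.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]
    for g in rule.get("UserIdGroupPairs", []):
        yield g["GroupId"]


def audit(groups: list[dict], web_sg: str, db_sg: str) -> list[Finding]:
    """One Finding per rule that breaks the two-tier model:
    - nothing exposes a database port, or all protocols, to the Internet;
    - the database group accepts traffic only from the web group (a group
      reference, never a CIDR), so the rule follows instances as they scale;
    - the web group exposes only 80/443 to the Internet."""
    findings: list[Finding] = []
    for g in groups:
        gid = g["GroupId"]
        for rule in g.get("IpPermissions", []):
            ports = _rule_ports(rule)
            label = "all" if rule.get("IpProtocol") == "-1" else f"{ports.start}-{ports.stop - 1}"
            for src in _rule_sources(rule):
                public = src in PUBLIC
                if public and rule.get("IpProtocol") == "-1":
                    findings.append(Finding(gid, label, src, "all traffic open to the Internet"))
                elif public and any(p in ports for p in DB_PORTS):
                    findings.append(Finding(gid, label, src, "database port open to the Internet"))
                elif gid == db_sg and src != web_sg:
                    findings.append(Finding(gid, label, src,
                                            "database tier must only accept traffic from the web security group"))
                elif gid == web_sg and public and any(p not in WEB_PORTS for p in ports):
                    findings.append(Finding(gid, label, src, "web tier exposes a non-HTTP(S) port to the Internet"))
    return findings


# Constructed: the two correct rules from the question.
GOOD_GROUPS = [
    {"GroupId": "wg-123", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "db-345", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433, "UserIdGroupPairs": [{"GroupId": "wg-123"}]},
    ]},
]

# Constructed: the distractor options, a CIDR-based DB rule and a stray SSH rule.
BAD_GROUPS = [
    {"GroupId": "wg-123", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433, "UserIdGroupPairs": [{"GroupId": "wg-123"}]},
    ]},
    {"GroupId": "db-345", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}]},
    ]},
]

if __name__ == "__main__":
    for name, groups in (("good", GOOD_GROUPS), ("bad", BAD_GROUPS)):
        for f in audit(groups, "wg-123", "db-345") or [None]:
            print(name, f if f else "no findings")
```

The distractor "wg-123 - Allow port 1433 from wg-123" produces no finding because it is not exposed to anything outside the web tier, but it is still wrong for the question: it does nothing useful, since the web server never listens on 1433. Note also that the CIDR-based rule on db-345 (10.0.0.0/8) is flagged even though it is private; referencing the web group instead of a range is what keeps the rule correct as web instances come and go.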

Your company has just started using AWS and created an AWS account. They are aware of the potential issues when root access is enabled. How can they best safeguard the account when it comes to root access? Choose 2 answers from the options given below Please select:


Options are :

  • Delete the root access keys (Correct)
  • Create an Admin IAM user with the necessary permissions (Correct)
  • Delete the root access account
  • Change the password for the root account.

Answer : Delete the root access keys; Create an Admin IAM user with the necessary permissions

You have a vendor that needs access to an AWS resource. You create an IAM user for the vendor. You want to restrict access to the resource using a policy for just that user over a brief period. Which of the following would be the ideal type of policy to use?


Options are :

  • A bucket ACL
  • An Inline Policy (Correct)
  • A Bucket Policy
  • An AWS Managed Policy

Answer : An Inline Policy


An application running on EC2 instances must use a username and password to access a database. The developer has stored those secrets in the SSM Parameter Store with type Secure String using the default KMS CMK. Which combination of configuration steps will allow the application to access the secrets via the API? Select 2 answers from the options below Please select:


Options are :

  • Add the SSM service role as a trusted service to the EC2 instance role.
  • Add permission to use the KMS key to decrypt to the EC2 instance role (Correct)
  • Add permission to read the SSM parameter to the EC2 instance role (Correct)
  • Add permission to use the KMS key to decrypt to the SSM service role.
  • Add the EC2 instance role as a trusted service to the SSM service role.

Answer : Add permission to use the KMS key to decrypt to the EC2 instance role Add permission to read the SSM parameter to the EC2 instance role

An auditor needs access to logs that record all API events on AWS. The auditor only needs read-only access to the log files and does not need access to each AWS account. The company has multiple AWS accounts, and the auditor needs access to all the logs for all the accounts. What is the best way to configure access for the auditor to view event logs from all accounts? Choose the correct answer from the options below.


Options are :

  • Configure the CloudTrail service in the primary AWS account and configure consolidated billing for all the secondary accounts. Then grant the auditor access to the S3 bucket that receives the CloudTrail log files.
  • Configure the CloudTrail service in each AWS account and enable consolidated logging inside of CloudTrail.
  • Configure the CloudTrail service in each AWS account and have the logs delivered to an S3 bucket in each account, while granting the auditor permissions to the bucket via roles in the secondary accounts and a single primary IAM account that can assume a read-only role in the secondary AWS accounts.
  • Configure the CloudTrail service in each AWS account and have the logs delivered to a single AWS bucket in the primary account and grant the auditor access to that single bucket in the primary account. (Correct)

Answer : Configure the CloudTrail service in each AWS account and have the logs delivered to a single AWS bucket in the primary account and grant the auditor access to that single bucket in the primary account.

Your company has a set of EBS volumes defined in AWS. The security mandate is that all EBS volumes are encrypted. What can be done to notify the IT admin staff if there are any unencrypted volumes in the account?


Options are :

  • Use Amazon GuardDuty to check for the unencrypted EBS volumes
  • Use AWS Lambda to check for the unencrypted EBS volumes
  • Use Amazon Inspector to inspect all the EBS volumes
  • Use AWS Config to check for unencrypted EBS volumes (Correct)

Answer : Use AWS Config to check for unencrypted EBS volumes


You have just developed a new mobile application that handles analytics workloads on large scale datasets that are stored in Amazon Redshift. Consequently, the application needs to access Amazon Redshift tables. Which of the below methods would be the best, both practically and security-wise, to access the tables? Choose the correct answer from the options below.


Options are :

  • Create an HSM client certificate in Redshift and authenticate using this certificate.
  • Use roles that allow a web identity federated user to assume a role that allows access to the Redshift table by providing temporary credentials. (Correct)
  • Create a Redshift read-only access policy in IAM and embed those credentials in the application.
  • Create an IAM user and generate access keys for that user. Create a policy for Redshift read-only access. Embed the keys in the application.

Answer : Use roles that allow a web identity federated user to assume a role that allows access to the Redshift table by providing temporary credentials.

Your company has a hybrid environment, with on-premise servers and servers hosted in the AWS cloud. They are planning to use the Systems Manager for patching servers. Which of the following is a pre-requisite for this to work?


Options are :

  • Ensure that an IAM Group is created for the on-premise servers
  • Ensure that an IAM service role is created (Correct)
  • Ensure that an IAM User is created
  • Ensure that the on-premise servers are running on Hyper-V.

Answer : Ensure that an IAM service role is created

Your company has a requirement to be notified of all root user activity. How can this best be achieved? Choose 2 answers from the options given below. Each answer forms part of the solution.


Options are :

  • Create a CloudWatch Logs Rule
  • Use a Lambda function (Correct)
  • Create a CloudWatch Events Rule (Correct)
  • Use the CloudTrail API

Answer : Create a CloudWatch Events Rule; Use a Lambda function
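The rule behind this answer, as an added example that is not part of the exam page: the EventBridge (formerly CloudWatch Events) pattern that matches root activity delivered by CloudTrail, a matcher implementing the pattern semantics so the rule can be tested against events, and the body a Lambda target would run. The pattern is the one AWS documents for root-activity detection; the three events are constructed, with a made-up account ID, IP address and timestamps. The `sns.publish` call a real target would make is left out so the block runs offline.

```python
"""Root-user activity alerting: the EventBridge (CloudWatch Events) rule
pattern and a matcher that applies it to CloudTrail events.

Added example, not part of the exam page. The event pattern is the one AWS
documents for detecting root activity; the three events are constructed
with a made-up account ID, IP address and times. In a deployment the rule's
target would be an SNS topic or a Lambda function that publishes to one; the
SNS call is left out so the block runs offline.
"""
from __future__ import annotations

ROOT_ACTIVITY_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail", "AWS Console Sign In via CloudTrail"],
    "detail": {"userIdentity": {"type": ["Root"]}},
}


def matches(pattern: dict, event: dict) -> bool:
    """EventBridge content-filter semantics for the subset used here: every
    key in the pattern must exist in the event; a list matches when the
    event's value equals any listed value; a nested object recurses."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):
            if not isinstance(value, dict) or not matches(allowed, value):
                return False
        elif value not in allowed:
            return False
    return True


def alert_message(event: dict) -> str:
    """Text a Lambda target would publish to SNS for a matching event."""
    d = event["detail"]
    return (f"ROOT ACTIVITY in account {event['account']} ({event['region']}): "
            f"{d['eventName']} from {d.get('sourceIPAddress', '?')} at {d['eventTime']}")


def alerts_for(events: list[dict]) -> list[str]:
    """Apply the rule to a batch of events and return the alerts it raises."""
    return [alert_message(e) for e in events if matches(ROOT_ACTIVITY_PATTERN, e)]


def lambda_handler(event: dict, context=None) -> str | None:
    """Lambda target body. EventBridge has already matched the rule, but the
    check is repeated defensively; the returned text is what would be sent
    to SNS (sns.publish omitted here)."""
    return alert_message(event) if matches(ROOT_ACTIVITY_PATTERN, event) else None


def _event(detail_type: str, source: str, identity_type: str, name: str) -> dict:
    """Constructed CloudTrail-via-EventBridge envelope."""
    return {
        "version": "0", "id": "constructed", "account": "111122223333", "region": "us-east-1",
        "detail-type": detail_type, "source": source,
        "detail": {
            "eventVersion": "1.08", "eventTime": "2024-01-15T12:00:00Z", "eventName": name,
            "sourceIPAddress": "203.0.113.10",
            "userIdentity": {"type": identity_type, "accountId": "111122223333"},
        },
    }


ROOT_SIGNIN = _event("AWS Console Sign In via CloudTrail", "aws.signin", "Root", "ConsoleLogin")
ROOT_API = _event("AWS API Call via CloudTrail", "aws.iam", "Root", "CreateAccessKey")
USER_API = _event("AWS API Call via CloudTrail", "aws.iam", "IAMUser", "CreateAccessKey")

if __name__ == "__main__":
    for msg in alerts_for([ROOT_SIGNIN, USER_API, ROOT_API]):
        print(msg)
```

Two deployment details matter. EventBridge only receives API-call events in a region where a CloudTrail trail is logging management events, and console sign-in events are global-service events recorded in US East (N. Virginia), so the rule, or a copy of it, belongs in us-east-1. The "CloudWatch Logs" distractor points at the other workable design: send the trail to a CloudWatch Logs group and put a metric filter such as `{ $.userIdentity.type = "Root" }` with an alarm on it, which is what the CIS AWS Foundations Benchmark prescribes; "Logs rule" as such is not a construct.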


Your company has an EC2 instance that is hosted in an AWS VPC. There is a requirement to ensure that log files from the EC2 instance are stored centrally. Access to the destination of the log files should also be limited. How can this be accomplished? Choose 2 answers from the options given below. Each answer forms part of the solution.


Options are :

  • Stream the log files to a separate CloudWatch Logs log group (Correct)
  • Stream the log files to a separate CloudTrail trail
  • Create an IAM policy that gives the desired level of access to the CloudTrail trail.
  • Create an IAM policy that gives the desired level of access to the CloudWatch Logs log group (Correct)

Answer : Stream the log files to a separate CloudWatch Logs log group; Create an IAM policy that gives the desired level of access to the CloudWatch Logs log group

You have an EC2 instance in a private subnet which needs to access the KMS service. Which of the following methods can help fulfill this requirement while keeping security in perspective?


Options are :

  • Attach a VPN connection to the VPC
  • Use VPC Peering
  • Attach an Internet gateway to the subnet
  • Use a VPC endpoint (Correct)

Answer : Use a VPC endpoint

You have an S3 bucket hosted in AWS. This is used to host promotional videos uploaded by yourself. You need to provide access to users for a limited duration of time. How can this be achieved?


Options are :

  • Use versioning and enable a timestamp for each version
  • Use presigned URLs (Correct)
  • Use IAM roles with a timestamp to limit the access
  • Use IAM policies with a timestamp to limit the access

Answer : Use presigned URLs
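What a presigned URL actually is, shown by building and checking one with the standard library. This is an added example and not part of the exam page: the bucket, object key and timestamp are constructed, the credentials are the example key pair from the AWS documentation, and the signing steps follow the documented Signature Version 4 query-string scheme (UNSIGNED-PAYLOAD, `host` as the only signed header). The point it makes is that the expiry is part of the signed string, so the URL cannot be extended by editing X-Amz-Expires, and that anyone holding the URL can use it until that time.

```python
"""Generate and check SigV4 presigned GET URLs for an S3 object with the
standard library only.

Added example, not part of the exam page. Bucket, key and timestamp are
constructed; ACCESS_KEY/SECRET are the example credentials from the AWS
documentation. The signing follows the documented AWS Signature Version 4
query-string scheme (UNSIGNED-PAYLOAD, host as the only signed header).
"""
from __future__ import annotations
import datetime as dt
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

ALGORITHM = "AWS4-HMAC-SHA256"
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"                        # AWS doc example key
SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"        # AWS doc example secret
SIGNED_AT = dt.datetime(2024, 1, 15, 12, 0, 0, tzinfo=dt.timezone.utc)  # constructed


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret: str, datestamp: str, region: str, service: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request")."""
    k = _hmac(("AWS4" + secret).encode(), datestamp)
    for part in (region, service, "aws4_request"):
        k = _hmac(k, part)
    return k


def _canonical_query(params: dict) -> str:
    """Sorted, RFC 3986-encoded query string (also encodes '/' in the credential)."""
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(params.items()))


def _signature(host: str, uri: str, params: dict, secret: str) -> str:
    """Signature over method, path, query, signed headers and payload marker.
    Because X-Amz-Expires and X-Amz-Date are in the query, they are signed."""
    _, datestamp, region, service, _ = params["X-Amz-Credential"].split("/")
    scope = f"{datestamp}/{region}/{service}/aws4_request"
    canonical_request = "\n".join(["GET", uri, _canonical_query(params), f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join([ALGORITHM, params["X-Amz-Date"], scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    return hmac.new(_signing_key(secret, datestamp, region, service), string_to_sign.encode(), hashlib.sha256).hexdigest()


def presign_get(bucket: str, key: str, access_key: str, secret: str, region: str,
                expires: int, now: dt.datetime) -> str:
    host = f"{bucket}.s3.{region}.amazonaws.com"
    uri = quote("/" + key, safe="/-_.~")
    datestamp = now.strftime("%Y%m%d")
    params = {
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{access_key}/{datestamp}/{region}/s3/aws4_request",
        "X-Amz-Date": now.strftime("%Y%m%dT%H%M%SZ"),
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    return f"https://{host}{uri}?{_canonical_query(params)}&X-Amz-Signature={_signature(host, uri, params, secret)}"


def verify(url: str, secret: str) -> bool:
    """Recompute the signature from the URL (what S3 does with the secret it
    holds for the access key); any edit to path or parameters breaks it."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    presented = params.pop("X-Amz-Signature", "")
    return hmac.compare_digest(presented, _signature(parts.netloc, parts.path, params, secret))


def is_expired(url: str, now: dt.datetime) -> bool:
    params = dict(parse_qsl(urlsplit(url).query))
    signed_at = dt.datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=dt.timezone.utc)
    return now > signed_at + dt.timedelta(seconds=int(params["X-Amz-Expires"]))


def demo() -> dict:
    """Sign a one-hour URL for a constructed promo video and exercise the checks."""
    url = presign_get("promo-videos", "spring/launch.mp4", ACCESS_KEY, SECRET, "us-east-1", 3600, SIGNED_AT)
    return {
        "url": url,
        "verifies": verify(url, SECRET),
        "wrong_secret_verifies": verify(url, "not-the-secret"),
        "tampered_key_verifies": verify(url.replace("launch.mp4", "internal.mp4"), SECRET),
        "expired_after_59min": is_expired(url, SIGNED_AT + dt.timedelta(minutes=59)),
        "expired_after_61min": is_expired(url, SIGNED_AT + dt.timedelta(minutes=61)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Operationally: a URL signed with an IAM user's keys can live up to seven days, one signed with temporary credentials dies with the session, and the only way to revoke a URL early is to invalidate the credentials that signed it, so keep expiries short and hand the URLs out over TLS. The IAM "timestamp" distractors do not work because a presigned URL is authorised as the signer, not as the person who clicks it.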


Your company hosts a large number of EC2 instances in AWS. There are strict security rules governing the EC2 instances. During a potential security breach, you need to ensure quick investigation of the affected EC2 instance. Which of the following services can help you quickly provision an isolated test environment to look into the breached instance?


Options are :

  • AWS CloudFormation (Correct)
  • Amazon CloudWatch
  • AWS CloudTrail
  • AWS Config

Answer : AWS CloudFormation

Your application currently uses Amazon Cognito for authenticating users. Your application consists of different types of users. Some users are only allowed read access to the application and others are given contributor access. How would you manage the access effectively?


Options are :

  • This needs to be managed via Web security tokens
  • Create different Cognito groups, one for the readers and the other for the contributors. (Correct)
  • You need to manage this within the application itself
  • Create different Cognito endpoints, one for the readers and the other for the contributors.

Answer : Create different Cognito groups, one for the readers and the other for the contributors.

Your company has defined privileged users for their AWS account. These users are administrators for key resources defined in the company. There is now a mandate to strengthen the authentication for these users. How can this be accomplished?


Options are :

  • Enable versioning for these user accounts
  • Enable MFA for these user accounts (Correct)
  • Enable accidental deletion for these user accounts
  • Disable root access for the users

Answer : Enable MFA for these user accounts


You are responsible for deploying a critical application onto AWS. Part of the requirements for this application is to ensure that the controls set for this application meet PCI compliance. There is also a need to monitor web application logs to identify any malicious activity. Which of the following services can be used to fulfill these requirements? Choose 2 answers from the options given below.


Options are :

  • Amazon VPC Flow Logs
  • AWS Config (Correct)
  • Amazon CloudWatch Logs (Correct)
  • AWS CloudTrail

Answer : AWS Config; Amazon CloudWatch Logs


You have set up a set of applications across two VPCs. You have also set up VPC peering. The applications are still not able to communicate across the peering connection. Which network troubleshooting step should be taken to resolve the issue?


Options are :

  • Ensure the applications are hosted in a public subnet
  • Check to see if the VPC has a NAT gateway attached
  • Check to see if the VPC has an Internet gateway attached.
  • Check the route tables for the VPCs (Correct)

Answer : Check the route tables for the VPCs

A company wishes to enable Single Sign-On (SSO) so its employees can log in to the management console using their corporate directory identity. Which steps below are required as part of the process? Choose 2 answers from the options given below.


Options are :

  • Create IAM users that can be mapped to the employees' corporate identities
  • Create a Lambda function to assign IAM roles to the temporary security tokens provided to the users.
  • Create a Direct Connect connection
  • Create an IAM role that establishes a trust relationship between IAM and the corporate directory identity provider (Correct)
  • Create IAM policies that can be mapped to group memberships in the corporate directory. (Correct)

Answer : Create an IAM role that establishes a trust relationship between IAM and the corporate directory identity provider; Create IAM policies that can be mapped to group memberships in the corporate directory.

Your company makes use of S3 buckets for storing data. There is a company policy that all services should have logging enabled. How can you ensure that logging is always enabled for S3 buckets created in the AWS account?


Options are :

  • Use Amazon Inspector to inspect all S3 buckets and enable logging for those where it is not enabled
  • Use Amazon CloudWatch metrics to check whether logging is enabled for buckets
  • Use AWS Config Rules to check whether logging is enabled for buckets (Correct)
  • Use Amazon CloudWatch Logs to check whether logging is enabled for buckets

Answer : Use AWS Config Rules to check whether logging is enabled for buckets
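The evaluation logic of an AWS Config rule covering both of the mandates on this page that point at Config: EBS volumes must be encrypted, and S3 buckets must have server access logging enabled. This is an added example and not part of the exam page. The configuration items are constructed to mirror the shape Config hands to a custom rule's Lambda function (`invokingEvent` containing a `configurationItem`); the field names are those of the AWS::EC2::Volume and AWS::S3::Bucket configuration items, while the IDs and names are made up. Nothing is reported back to Config here: a real rule would pass the returned evaluations to `put_evaluations`, which is omitted so the block runs offline. AWS also ships managed rules for both checks (`encrypted-volumes` and `s3-bucket-logging-enabled`), so a custom rule like this is only needed when the check has to be extended.

```python
"""Evaluation logic of a custom AWS Config rule for two mandates: EBS volumes
must be encrypted, S3 buckets must have server access logging enabled.

Added example, not part of the exam page. Configuration items are constructed
to mirror what Config passes to a custom rule's Lambda (invokingEvent ->
configurationItem); field names follow the AWS::EC2::Volume and
AWS::S3::Bucket items, IDs and names are made up. put_evaluations is omitted
so the block runs offline.
"""
from __future__ import annotations
import json

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"
DELETED_STATES = {"ResourceDeleted", "ResourceDeletedNotRecorded"}


def evaluate_volume(ci: dict) -> tuple[str, str]:
    """AWS::EC2::Volume: configuration.encrypted is the authoritative flag."""
    cfg = ci.get("configuration", {})
    if cfg.get("encrypted"):
        return COMPLIANT, f"encrypted with {cfg.get('kmsKeyId', 'the default EBS key')}"
    return NON_COMPLIANT, "EBS volume is not encrypted"


def evaluate_bucket(ci: dict) -> tuple[str, str]:
    """AWS::S3::Bucket: logging lives in supplementaryConfiguration; Config
    records it with null fields (or omits it) when logging is disabled."""
    logging_cfg = ci.get("supplementaryConfiguration", {}).get("BucketLoggingConfiguration") or {}
    target = logging_cfg.get("destinationBucketName")
    if not target:
        return NON_COMPLIANT, "server access logging is not enabled"
    if target == ci.get("resourceName"):
        # Policy choice for this rule: logging into the same bucket is allowed
        # by S3 but makes the bucket grow with its own access logs.
        return NON_COMPLIANT, "bucket delivers access logs to itself"
    return COMPLIANT, f"server access logs delivered to {target}"


EVALUATORS = {"AWS::EC2::Volume": evaluate_volume, "AWS::S3::Bucket": evaluate_bucket}


def evaluate(ci: dict) -> tuple[str, str]:
    """Return (ComplianceType, Annotation) for one configuration item."""
    if ci.get("configurationItemStatus") in DELETED_STATES:
        return NOT_APPLICABLE, "resource no longer exists"
    fn = EVALUATORS.get(ci.get("resourceType"))
    if fn is None:
        return NOT_APPLICABLE, f"rule does not cover {ci.get('resourceType')}"
    return fn(ci)


def lambda_handler(event: dict, context=None) -> list[dict]:
    """Shape of a Config custom-rule handler; the returned list is what would
    be sent with config.put_evaluations(Evaluations=..., ResultToken=...)."""
    ci = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, annotation = evaluate(ci)
    return [{
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }]


def _ci(resource_type: str, resource_id: str, **extra) -> dict:
    """Constructed configuration item skeleton."""
    return {"resourceType": resource_type, "resourceId": resource_id, "resourceName": extra.pop("name", None),
            "configurationItemStatus": "OK", "configurationItemCaptureTime": "2024-01-15T12:00:00.000Z", **extra}


VOLUME_ENCRYPTED = _ci("AWS::EC2::Volume", "vol-0a1b2c3d4e5f60001",
                       configuration={"encrypted": True, "kmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/constructed"})
VOLUME_PLAIN = _ci("AWS::EC2::Volume", "vol-0a1b2c3d4e5f60002", configuration={"encrypted": False})
BUCKET_LOGGED = _ci("AWS::S3::Bucket", "app-data", name="app-data",
                    supplementaryConfiguration={"BucketLoggingConfiguration": {
                        "destinationBucketName": "central-s3-access-logs", "logFilePrefix": "app-data/"}})
BUCKET_UNLOGGED = _ci("AWS::S3::Bucket", "scratch", name="scratch",
                      supplementaryConfiguration={"BucketLoggingConfiguration": {
                          "destinationBucketName": None, "logFilePrefix": None}})
VOLUME_GONE = {**VOLUME_PLAIN, "configurationItemStatus": "ResourceDeleted"}

SAMPLE_EVENT = {"invokingEvent": json.dumps({"configurationItem": VOLUME_PLAIN,
                                             "messageType": "ConfigurationItemChangeNotification"}),
                "ruleParameters": "{}", "resultToken": "constructed"}

if __name__ == "__main__":
    for ci in (VOLUME_ENCRYPTED, VOLUME_PLAIN, BUCKET_LOGGED, BUCKET_UNLOGGED, VOLUME_GONE):
        print(ci["resourceId"], *evaluate(ci))
```

The notification half of the EBS question is not in the rule itself: Config emits a compliance-change event, so an EventBridge rule on `aws.config` compliance changes targeting an SNS topic is what actually pages the admins. Remediation (re-encrypting a volume needs a snapshot and a copy; enabling bucket logging is a PutBucketLogging call) can be attached as a Config remediation action, but checking and fixing are two different permissions and should stay that way.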


You have an instance set up in a test environment in AWS. You installed the required application and then promoted the server to a production environment. Your IT security team has advised that there may be traffic flowing in from an unknown IP address to port 22. How can this be mitigated immediately?


Options are :

  • Shutdown the instance
  • Change the Instance type for the Instance
  • Change the AMI for the instance
  • Remove the rule for incoming traffic on port 22 for the Security Group (Correct)

Answer : Remove the rule for incoming traffic on port 22 for the Security Group

A new application will be deployed on EC2 instances in private subnets. The application will transfer sensitive data to and from an S3 bucket. Compliance requirements state that the data must not traverse the public Internet. Which solution meets the compliance requirement?


Options are :

  • Access the S3 bucket through a proxy server
  • Access the S3 bucket through the SSL-protected S3 endpoint
  • Access the S3 bucket through a NAT gateway.
  • Access the S3 bucket through a VPC endpoint for S3 (Correct)

Answer : Access the S3 bucket through a VPC endpoint for S3

Your current setup in AWS consists of the following architecture: two public subnets, one holding the web servers accessed by users across the Internet and the other holding the database server. Which of the following changes to the architecture would add a better security boundary to the resources hosted in your setup?


Options are :

  • Consider moving the web server to a private subnet
  • Consider moving both the web and database server to a private subnet
  • Consider moving the database server to a private subnet (Correct)
  • Consider creating a private subnet and adding a NAT instance to that subnet

Answer : Consider moving the database server to a private subnet


A company requires that data stored in AWS be encrypted at rest. Which of the following approaches achieve this requirement? Select 2 answers from the options given below.


Options are :

  • When storing data in Amazon EBS, use only EBS-optimized Amazon EC2 instances.
  • When storing data in Amazon EC2 Instance Store, encrypt the volume by using KMS.
  • When storing data in S3, enable server-side encryption (Correct)
  • When storing data in Amazon S3, use object versioning and MFA Delete
  • When storing data in EBS, encrypt the volume by using AWS KMS (Correct)

Answer : When storing data in S3, enable server-side encryption; When storing data in EBS, encrypt the volume by using AWS KMS

You have just recently set up a web and database tier in a VPC and hosted the application. When testing the application, you are not able to reach the home page for the app. You have verified the security groups. What can help you diagnose the issue?


Options are :

  • Use Amazon GuardDuty to analyze the traffic
  • Use the AWS Trusted Advisor to see what can be done.
  • Use VPC Flow logs to diagnose the traffic (Correct)
  • Use AWS WAF to analyze the traffic

Answer : Use VPC Flow logs to diagnose the traffic

A company is using CloudTrail to log all AWS API activity for all regions in all of its accounts. The CISO has asked that additional steps be taken to protect the integrity of the log files. What combination of steps will protect the log files from intentional or unintentional alteration? Choose 2 answers from the options given below.


Options are :

  • Write a Lambda function that queries the Trusted Advisor CloudTrail checks. Run the function every 10 minutes.
  • Create an S3 bucket in a dedicated log account and grant the other accounts write-only access. Deliver all log files from every account to this S3 bucket. (Correct)
  • Use Systems Manager Configuration Compliance to continually monitor the access policies of S3 buckets containing CloudTrail logs.
  • Enable CloudTrail log file integrity validation. (Correct)
  • Create a security group that blocks all traffic except calls from the CloudTrail service. Associate the security group with all the CloudTrail destination S3 buckets.

Answer : Create an S3 bucket in a dedicated log account and grant the other accounts write-only access. Deliver all log files from every account to this S3 bucket; Enable CloudTrail log file integrity validation.
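What log file integrity validation gives you, as an added example that is not part of the exam page: each hourly digest records the SHA-256 of every log file it covers plus the hash of the previous digest, so a modified or deleted log file, or a tampered earlier digest, is detected by walking the chain backwards from the newest digest. Log files and digests are built in memory as a dict of S3 key to stored bytes; the digest field names follow the documented CloudTrail digest format, while the account, bucket and contents are constructed. The RSA signature CloudTrail stores on each digest (SHA256withRSA, in the object's metadata) is not checked here because the standard library has no RSA; `aws cloudtrail validate-logs` checks both the hashes and the signatures.

```python
"""Integrity chain behind CloudTrail log file validation: each digest lists
the SHA-256 of every log file it covers and the hash of the previous digest.

Added example, not part of the exam page. Log files and digests are built in
memory as a dict of S3 key -> stored bytes; digest field names follow the
documented CloudTrail digest format, account/bucket/contents are constructed.
The per-digest RSA signature is not checked (no RSA in the standard library);
`aws cloudtrail validate-logs` checks hashes and signatures.
"""
from __future__ import annotations
import gzip
import hashlib
import json

ACCOUNT, BUCKET = "111122223333", "central-trail-logs"  # assumed


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_digest(store: dict[str, bytes], digest_key: str, log_keys: list[str], previous_key: str | None) -> None:
    """Write a digest covering log_keys into store, chained to previous_key."""
    digest = {
        "awsAccountId": ACCOUNT,
        "digestS3Bucket": BUCKET,
        "digestS3Object": digest_key,
        "digestSignatureAlgorithm": "SHA256withRSA",
        "previousDigestS3Bucket": BUCKET if previous_key else None,
        "previousDigestS3Object": previous_key,
        "previousDigestHashAlgorithm": "SHA-256" if previous_key else None,
        "previousDigestHashValue": sha256_hex(store[previous_key]) if previous_key else None,
        "logFiles": [{"s3Bucket": BUCKET, "s3Object": k, "hashAlgorithm": "SHA-256",
                      "hashValue": sha256_hex(store[k])} for k in log_keys],
    }
    store[digest_key] = gzip.compress(json.dumps(digest).encode())


def verify_chain(store: dict[str, bytes], newest_digest_key: str) -> list[str]:
    """Walk digests newest to oldest; return the problems found ([] = intact)."""
    problems: list[str] = []
    key: str | None = newest_digest_key
    while key:
        blob = store.get(key)
        if blob is None:
            problems.append(f"{key}: digest missing")
            break
        try:
            digest = json.loads(gzip.decompress(blob))
        except (OSError, ValueError):
            problems.append(f"{key}: digest unreadable")
            break
        for lf in digest.get("logFiles", []):
            data = store.get(lf["s3Object"])
            if data is None:
                problems.append(f"{lf['s3Object']}: log file missing")
            elif sha256_hex(data) != lf["hashValue"]:
                problems.append(f"{lf['s3Object']}: log file hash mismatch")
        prev = digest.get("previousDigestS3Object")
        if prev and prev in store and sha256_hex(store[prev]) != digest.get("previousDigestHashValue"):
            problems.append(f"{prev}: previous digest hash mismatch")
        key = prev
    return problems


def build_sample_store() -> tuple[dict[str, bytes], str]:
    """Constructed bucket contents: four hourly log files covered by two digests."""
    store: dict[str, bytes] = {}
    logs = [f"AWSLogs/{ACCOUNT}/CloudTrail/us-east-1/2024/01/15/{ACCOUNT}_CloudTrail_us-east-1_20240115T{h:02d}00Z_{h}.json.gz"
            for h in range(4)]
    for h, k in enumerate(logs):
        store[k] = gzip.compress(json.dumps({"Records": [{"eventName": "ConsoleLogin", "hour": h}]}).encode())
    d1, d2 = (f"AWSLogs/{ACCOUNT}/CloudTrail-Digest/us-east-1/2024/01/15/{ACCOUNT}_CloudTrail-Digest_us-east-1_20240115T{h:02d}00Z.json.gz"
              for h in (1, 2))
    make_digest(store, d1, logs[:2], None)
    make_digest(store, d2, logs[2:], d1)
    return store, d2


if __name__ == "__main__":
    store, newest = build_sample_store()
    print("intact:", verify_chain(store, newest))
    tampered = dict(store)
    tampered[next(k for k in store if "/CloudTrail/" in k)] = b"edited after the fact"
    print("tampered:", verify_chain(tampered, newest))
```

The chain detects alteration; it does not prevent it, which is why the other correct option matters. In the log-archive account give the source accounts s3:PutObject only, deny s3:DeleteObject to everyone but a break-glass role, turn on versioning (and Object Lock where the retention policy allows it), and keep digests and logs in the same bucket so one policy covers both. Note also that nothing points at the newest digest yet, so its deletion is only caught by expecting a digest for every hour the trail was active.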
