Ch12 Security Flashcards

1
Q

Which is an operational process performed by AWS for data security?
A. Advanced Encryption Standard (AES)-256 encryption of data stored on any shared
storage device
B. Decommissioning of storage devices using industry-standard practices
C. Background virus scans of Amazon Elastic Block Store (Amazon EBS) volumes and
Amazon EBS snapshots
D. Replication of data across multiple AWS regions
E. Secure wiping of Amazon EBS data when an Amazon EBS volume is unmounted

A

B. All decommissioned magnetic storage devices are degaussed and physically destroyed
in accordance with industry-standard practices.

2
Q

You have launched a Windows Amazon Elastic Compute Cloud (Amazon EC2) instance
and specified an Amazon EC2 key pair for the instance at launch. Which of the following
accurately describes how to log in to the instance?
A. Use the Amazon EC2 key pair to securely connect to the instance via Secure Shell
(SSH).
B. Use your AWS Identity and Access Management (IAM) user X.509 certificate to log
in to the instance.
C. Use the Amazon EC2 key pair to decrypt the administrator password and then
securely connect to the instance via Remote Desktop Protocol (RDP) as the
administrator.
D. A key pair is not needed. Securely connect to the instance via RDP.

A

C. The administrator password is encrypted with the public key of the key pair, and you
provide the private key to decrypt the password. Then log in to the instance as the
administrator with the decrypted password.

3
Q

A Database security group controls network access to a database instance that is inside a
Virtual Private Cloud (VPC) and by default allows access from?
A. Access from any IP address for the standard ports that the database uses is provided
by default.
B. Access from any IP address for any port is provided by default in the DB security
group.
C. No access is provided by default, and any access must be explicitly added with a rule
to the DB security group.
D. Access for the database connection string is provided by default in the DB security
group.

A

C. By default, network access is turned off to a DB Instance. You can specify rules in a
security group that allow access from an IP address range, port, or Amazon Elastic
Compute Cloud (Amazon EC2) security group.

4
Q

Which encryption algorithm is used by Amazon Simple Storage Service (Amazon S3) to
encrypt data at rest with Server-Side Encryption (SSE)?
A. Advanced Encryption Standard (AES)-256
B. RSA 1024
C. RSA 2048
D. AES-128

A

A. Amazon S3 SSE uses one of the strongest block ciphers available, 256-bit AES.

5
Q

How many access keys may an AWS Identity and Access Management (IAM) user have
active at one time?
A. 0
B. 1
C. 2
D. 3

A

C. IAM permits users to have no more than two active access keys at one time.

6
Q

Which of the following is the name of the security model employed by AWS with its
customers?
A. The shared secret model
B. The shared responsibility model
C. The shared secret key model
D. The secret key responsibility model

A

B. The shared responsibility model is the name of the model employed by AWS with its
customers.

7
Q

Which of the following describes the scheme used by an Amazon Redshift cluster
leveraging AWS Key Management Service (AWS KMS) to encrypt data-at-rest?
A. Amazon Redshift uses a one-tier, key-based architecture for encryption.
B. Amazon Redshift uses a two-tier, key-based architecture for encryption.
C. Amazon Redshift uses a three-tier, key-based architecture for encryption.
D. Amazon Redshift uses a four-tier, key-based architecture for encryption.

A

D. When you choose AWS KMS for key management with Amazon Redshift, there is a
four-tier hierarchy of encryption keys. These keys are the master key, a cluster key, a
database key, and data encryption keys.

8
Q

Which of the following Elastic Load Balancing options ensure that the load balancer
determines which cipher is used for a Secure Sockets Layer (SSL) connection?
A. Client Server Cipher Suite
B. Server Cipher Only
C. First Server Cipher
D. Server Order Preference

A

D. Elastic Load Balancing supports the Server Order Preference option for negotiating
connections between a client and a load balancer. During the SSL connection negotiation
process, the client and the load balancer present a list of ciphers and protocols that they
each support, in order of preference. By default, the first cipher on the client’s list that
matches any one of the load balancer’s ciphers is selected for the SSL connection. If the
load balancer is configured to support Server Order Preference, then the load balancer
selects the first cipher in its list that is in the client’s list of ciphers. This ensures that the
load balancer determines which cipher is used for the SSL connection. If you do not enable
Server Order Preference, the order of ciphers presented by the client is used to negotiate
connections between the client and the load balancer.

9
Q

Which technology does Amazon WorkSpaces use to provide data security?
A. Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
B. Advanced Encryption Standard (AES)-256
C. PC-over-IP (PCoIP)
D. AES-128

A

C. Amazon WorkSpaces uses PCoIP, which provides an interactive video stream without
transmitting actual data.

10
Q

As a Solutions Architect, how should you architect systems on AWS?
A. You should architect for least cost.
B. You should architect your AWS usage to take advantage of Amazon Simple Storage
Service’s (Amazon S3) durability.
C. You should architect your AWS usage to take advantage of multiple regions and
Availability Zones.
D. You should architect with Amazon Elastic Compute Cloud (Amazon EC2) Auto
Scaling to ensure capacity is available when needed.

A

C. Distributing applications across multiple Availability Zones provides the ability to
remain resilient in the face of most failure modes, including natural disasters or system
failures.

11
Q

Which security scheme is used by the AWS Multi-Factor Authentication (AWS MFA)
token?
A. Time-Based One-Time Password (TOTP)
B. Perfect Forward Secrecy (PFS)
C. Ephemeral Diffie-Hellman (EDH)
D. Split-Key Encryption (SKE)

A

A. A virtual MFA device uses a software application that generates six-digit
authentication codes that are compatible with the TOTP standard, as described in RFC
6238.

12
Q

DynamoDB tables may contain sensitive data that needs to be protected. Which of the
following is a way for you to protect DynamoDB table content? (Choose 2 answers)
A. DynamoDB encrypts all data server-side by default so nothing is required.
B. DynamoDB can store data encrypted with a client-side encryption library solution
before storing the data in DynamoDB.
C. DynamoDB obfuscates all data stored so encryption is not required.
D. DynamoDB can be used with the AWS Key Management Service to encrypt the data
before storing the data in DynamoDB.
E. DynamoDB should not be used to store sensitive information requiring protection.

A

B, D. Amazon DynamoDB does not have a server-side feature to encrypt items within a
table. You need to use a solution outside of DynamoDB such as a client-side library to
encrypt items before storing them, or a key management service like AWS Key
Management Service to manage keys that are used to encrypt items before storing them
in DynamoDB.

13
Q

You have launched an Amazon Linux Elastic Compute Cloud (Amazon EC2) instance
into EC2-Classic, and the instance has successfully passed the System Status Check and
Instance Status Check. You attempt to securely connect to the instance via Secure Shell
(SSH) and receive the response, “WARNING: UNPROTECTED PRIVATE KEY FILE,”
after which the login fails. Which of the following is the cause of the failed login?
A. You are using the wrong private key.
B. The permissions for the private key are too insecure for the key to be trusted.
C. A security group rule is blocking the connection.
D. A security group rule has not been associated with the private key.

A

B. If your private key can be read or written to by anyone but you, then SSH ignores your
key.

14
Q

Which of the following public identity providers are supported by Amazon Cognito
Identity?
A. Amazon
B. Google
C. Facebook
D. All of the above

A

D. Amazon Cognito Identity supports public identity providers—Amazon, Facebook, and
Google—as well as unauthenticated identities.

15
Q

Which feature of AWS is designed to permit calls to the platform from an Amazon Elastic
Compute Cloud (Amazon EC2) instance without needing access keys placed on the
instance?
A. AWS Identity and Access Management (IAM) instance profile
B. IAM groups
C. IAM roles
D. Amazon EC2 key pairs

A

A. An instance profile is a container for an IAM role that you can use to pass role
information to an Amazon EC2 instance when the instance starts.

16
Q

Which of the following Amazon Virtual Private Cloud (Amazon VPC) elements acts as a
stateless firewall?
A. Security group
B. Network Access Control List (ACL)
C. Network Address Translation (NAT) instance
D. An Amazon VPC endpoint

A

B. A network ACL is an optional layer of security for your Amazon VPC that acts as a
firewall for controlling traffic in and out of one or more subnets. You might set up
network ACLs with rules similar to your security groups in order to add an additional
layer of security to your Amazon VPC.

17
Q

Which of the following is the most recent version of the AWS digital signature
calculation process?
A. Signature Version 1
B. Signature Version 2
C. Signature Version 3
D. Signature Version 4

A

D. The Signature Version 4 signing process describes how to add authentication
information to AWS requests. For security, most requests to AWS must be signed with
an access key (Access Key ID [AKI] and Secret Access Key [SAK]). If you use the AWS
Command Line Interface (AWS CLI) or one of the AWS Software Development Kits
(SDKs), those tools automatically sign requests for you based on credentials that you
specify when you configure the tools. However, if you make direct HTTP or HTTPS calls
to AWS, you must sign the requests yourself.

18
Q

Which of the following is the name of the feature within Amazon Virtual Private Cloud
(Amazon VPC) that allows you to launch Amazon Elastic Compute Cloud (Amazon EC2)
instances on hardware dedicated to a single customer?
A. Amazon VPC-based tenancy
B. Dedicated tenancy
C. Default tenancy
D. Host-based tenancy

A

B. Dedicated instances are physically isolated at the host hardware level from your
instances that aren’t dedicated instances and from instances that belong to other AWS
accounts.

19
Q

Which of the following describes how Amazon Elastic MapReduce (Amazon EMR)
protects access to the cluster?
A. The master node and the slave nodes are launched into an Amazon Virtual Private
Cloud (Amazon VPC).
B. The master node supports a Virtual Private Network (VPN) connection from the key
specified at cluster launch.
C. The master node is launched into a security group that allows Secure Shell (SSH)
and service access, while the slave nodes are launched into a separate security group
that only permits communication with the master node.
D. The master node and slave nodes are launched into a security group that allows SSH
and service access.

A

C. Amazon EMR starts your instances in two Amazon Elastic Compute Cloud (Amazon
EC2) security groups, one for the master and another for the slaves. The master security
group has a port open for communication with the service. It also has the SSH port open
to allow you to securely connect to the instances via SSH using the key specified at
startup. The slaves start in a separate security group, which only allows interaction with
the master instance. By default, both security groups are set up to prevent access from
external sources, including Amazon EC2 instances belonging to other customers.
Because these are security groups in your account, you can reconfigure them using the
standard Amazon EC2 tools or dashboard.

20
Q

To help prevent data loss due to the failure of any single hardware component, Amazon
Elastic Block Store (Amazon EBS) automatically replicates EBS volume data to which
of the following?
A. Amazon EBS replicates EBS volume data within the same Availability Zone in a
region.
B. Amazon EBS replicates EBS volume data across other Availability Zones within the
same region.
C. Amazon EBS replicates EBS volume data across Availability Zones in the same
region and in Availability Zones in one other region.
D. Amazon EBS replicates EBS volume data across Availability Zones in the same
region and in Availability Zones in every other region.

A

A. When you create an Amazon EBS volume in an Availability Zone, it is automatically
replicated within that Availability Zone to prevent data loss due to failure of any single
hardware component. An EBS Snapshot creates a copy of an EBS volume to Amazon S3
so that copies of the volume can reside in different Availability Zones within a region.