Ch3 Flashcards
- When creating a new security group, which of the following are true? (Choose two.)
All inbound traffic is allowed by default.
All outbound traffic is allowed by default.
Connections that are allowed in must also explicitly be allowed back out.
Connections that are allowed in are automatically allowed back out.
B, D. Default security groups prevent all traffic in and allow all traffic out.
- You have a government-regulated system that will store a large amount of data on S3 standard. You must encrypt all data and preserve a clear audit trail for traceability and third-party auditing. Security policies dictate that encryption must be consistent across the entire data store. Which of the following encryption approaches would be best?
SSE-C
SSE-KMS
SSE-C
Encrypt the data prior to upload to S3 and decrypt the data when returning it to the client.
B. D is not a good answer because relying on encryption outside of S3 does not best address the concerns around consistency. It is generally better to allow AWS to handle encryption in cases where you want to ensure all encryption is the same across a data store. SSE-C, SSE-KMS, and SSE-C all provide this. However, among those three, KMS is the best option for providing clear audit trails.
- You are creating a bastion host to allow SSH access to a set of EC2 instances in a private subnet within your organization’s VPC. Which of the following should be done as part of configuring the bastion host? (Choose two.)
Ensure that the bastion host is exposed directly to the Internet.
Place the bastion host within the private subnet.
Add a route from the bastion host IP into the private subnet into the subnet’s NACLs.
Ensure that the bastion host is within the same security group as the hosts within the private subnet.
A, C. A bastion host is a publicly accessible host that allows traffic to connect to it. Then, an additional connection is made from the bastion host into a private subnet and the hosts within that subnet. Because the bastion must be accessed by public clients, it must be exposed to the Internet (A). If it is within a private subnet (B), it will not be accessible, making that answer incorrect. There also must be an explicit route from the bastion host into the private subnet (C); this is usually within a NACL. Finally, the security of the bastion must be different from the hosts in the private subnet. The bastion host should be hardened significantly as it is public, but also accessible; this is in many ways the opposite of the security requirements of hosts within a private subnet.
- Which of the following are invalid IAM actions? (Choose two.)
Limiting the root account SSH access to all EC2 instances
Allowing a user account SSH access to all EC2 instances
Removing console access for the root account
Removing console access for all non-root user accounts
A, C. AWS sometimes asks questions like this to ensure that you understand that the root account is truly a root account and you cannot restrict that account’s access. Anything that involves removing access for the root account is always invalid.
- You have a private subnet in a VPC within AWS. The instances within the subnet are unable to access the Internet. You have created a NAT gateway to solve this problem. What additional steps do you need to perform to allow the instances Internet access? (Choose two.)
Ensure that the NAT gateway is in the same subnet as the instances that cannot access the Internet.
Add a route in the private subnet to route traffic aimed at 0.0.0.0/0 at the NAT gateway.
Add a route in the public subnet to route traffic aimed at 0.0.0.0/0 at the NAT gateway.
Ensure that the NAT gateway is in a public subnet.
B, D. There are two pairs of answers here, and you need to choose the correct pair in each case. For private subnet instances, you need a route out to a NAT gateway, and that NAT gateway must be in a public subnet—otherwise, it would not itself be able to provide outbound traffic access to the Internet. That means option D is correct, as is answer B: 0.0.0.0/0 means “traffic with a destination in the Internet at large,” more or less.
- Which of the following statements regarding NAT instances and NAT gateways are false? (Choose two.)
Both NAT instances and NAT gateways are highly available.
You must choose the instance type and size when creating a NAT gateway but not when creating a NAT instance.
It is your responsibility to patch a NAT instance and AWS’s responsibility to patch a NAT gateway.
You assign a security group to a NAT instance but not to a NAT gateway.
A, B. The easiest way to handle this question is by thinking of a NAT gateway as essentially a managed service and a NAT instance as an instance (which you manage) for networking. That helps identify B as false (you never choose instance types and sizes for managed services) and C as true (AWS patches managed services). Further, since AWS manages NAT gateways, they are automatically highly available and do not need you to associate security groups. This means that A is false—NAT instances can be made highly available, but not without your manual intervention—and D is true.
- What types of rules does a security group allow? (Choose two.)
Allow rules
Prevent rules
Deny rules
Inbound rules
A, D. Security groups only contain allow rules, not deny rules (and prevent rules are not an actual rule type). Then, you can create both inbound and outbound rules.
- Which of the following are true about security groups? (Choose two.)
You can specify deny rules, but not allow rules.
By default, a security group includes an outbound rule that allows all outbound traffic.
You can specify specific separate rules for inbound and outbound traffic.
Security groups are stateless.
B, C. You specify allow rules for security groups, so A is false. B and C are true: Default security groups allow all outbound traffic, and you specify separate inbound and outbound rules. Finally, security groups are stateful, not stateless, so D is false.
- Which of the following are not true about security groups? (Choose two.)
Allow rules take priority over deny rules.
Responses to allowed inbound traffic are allowed to flow back out.
You can specify specific separate rules for inbound and outbound traffic.
If there are no outbound rules, then all outbound traffic is allowed to flow out.
A, D. A is false, as security groups don’t provide for deny rules. B and C are both true (and therefore are not correct answers). D is false, because without specific outbound rules, nothing is allowed to flow out. (Note that by default, there is an allowance for all outgoing traffic in security groups, although that can be removed.)
- Which of the following must a security group have when you create it? (Choose two.)
At least one inbound rule
A name
A description
At least one outbound rule
B, C. A security group can actually have no inbound or outbound rules, so A and D are not required. A security group does require a name and description, though.
- Which of the following is a security group associated with?
An ELB
A network interface
An ALB
A network access list
B. A security group can be attached to multiple constructs, like an EC2 instance, but is ultimately associated with a network interface, which in turn is attached to individual instances. This is a tough question and probably at the very edge of what the exam might ask.
- Which of the following are default rules on a default security group, such as the one that comes with the default VPC? (Choose two.)
Outbound: 0.0.0.0/0 for all protocols allowed
Inbound: 0.0.0.0/0 for all protocols allowed
Outbound: ::/0 for all protocols allowed
Inbound: ::/0 for all protocols allowed
A, C. The easiest way to work this is to recognize that default security groups never allow broad inbound traffic. That eliminates B and D and leaves rules that allow all outbound traffic for both IPv4 (A) and IPv6 (C).
- Which of the following are parts of a security group rule? (Choose two.)
A protocol
A subnet
An instance ID
A description
A, D. Security group rules have a protocol and a description. They do not have a subnet, although they can have CIDR blocks or single IP addresses. Instances can associate with a security group, but a security group does not itself refer to a specific instance.
- Which of the following describes server-side encryption for S3 bucket data?
You encrypt and upload data to S3, managing the encryption process yourself.
You encrypt and upload data to S3, allowing AWS to manage the encryption process.
You request AWS to encrypt an object before saving it to S3.
You encrypt an object, but AWS uploads and decrypts the object.
C
- Which of the following are valid steps in enabling client-side encryption for S3? (Choose two.)
Download the AWS CLI and SSH to your S3 key store.
Use a KMS-managed customer master key.
Download an AWS SDK for encrypting data on the client side.
Turn on bucket encryption for the target S3 buckets.
B, C. For client-side encryption, you’ll need a master key, which can either be a KMS-managed key (option B) or a client-side master key. You’ll also need an SDK for encrypting the client-side data (C).
- Which of the following is not a way to manage server-side encryption keys for S3?
SSE-S3
SSE-KMS
SSE-E
SSE-C
C. You’ll probably simply need to memorize this one. SSE-S3, SSE-KMS, and SSE-C are all valid approaches to S3 encryption; SSE-E is made up.
- Which of the following encryption key management options is best for managing keys but allowing S3 to handle the actual encryption of data?
SSE-S3
SSE-KMS
Client-side encryption keys
SSE-C
D. SSE-C allows the customer (the C in SSE-C) to manage keys, but S3 then handles the actual encryption of data.
- You have a customer that has a legacy security group that is very suspicious of all things security in the cloud. The customer wants to use S3, but doesn’t trust AWS encryption, and you need to enable its migration to the cloud. What option would you recommend to address the company’s concerns?
SSE-S3
SSE-KMS
Client-side encryption keys
SSE-C
C. Client-side encryption allows the customer to manage keys and encrypt data themselves, then store the data on S3 already encrypted. There’s a lot of overhead with this approach, but it’s ideal for the use case described.
- You want to begin encrypting your S3 data, but your organization is new to encryption. Which option is a low-cost approach that still offloads most of the work to AWS rather than the organization new to encryption?
SSE-S3
SSE-KMS
Client-side encryption keys
SSE-C
A. In general, SSE-S3 is the “starter” option for encryption. It’s by no means a simple or amateur approach to security, but it is low cost compared to KMS and has much less overhead than client-side or SSE-C encryption keys.
- Which of the following options could be used to provide availability-zone-resilient fault-tolerant storage that complies with EU privacy laws? (Choose two.)
S3 buckets in US West 1
S3 buckets in EU West 2
S3-IA buckets in EU Central 1
S3 One Zone-IA buckets in EU-West-1
B, C. Option A isn’t valid because US-West isn’t an EU region. Options B and C are valid as they both provide EU regions, and S3 and S3-IA both can survive the loss of an availability zone; option D would not survive the loss of an AZ.
- What is AWS Trusted Advisor?
An online resource to help you improve performance
An online resource to help you reduce cost
An online resource to help you improve security
All of the above
D. AWS Trusted Advisor does all three of the above: improve performance, reduce cost, and improve security.
- On which of the following does AWS Trusted Advisor not provide recommendations?
Reducing cost
Improving fault tolerance
Improving security
Organizing accounts
D. AWS Trusted Advisor provides advice on cost, fault tolerance, performance, and security but does not address account organization.
- Which of the following are included in the core AWS Trusted Advisor checks? (Choose two.)
S3 bucket permissions
MFA on root account
Quantity of CloudWatch alarms
Use of VPC endpoints
A, B. Here, it’s not reasonable to memorize the seven core AWS Trusted Advisor checks. Instead, consider which of these are valid improvements that Trusted Advisor might make. A and B relate to security and permissions, while both C and D are pretty far afield of cost, security, or performance suggestions.
- Which of the following is not possible using IAM policies?
Requiring MFA for the root account
Denying the root account access to EC2 instances
Disabling S3 access for users in a group
Restricting SSH access to EC2 instances to a specific user
B. The only one of these that’s not possible with IAM is denying the root account access to EC2 instances. That’s not possible—with IAM or any other mechanism.
- Which of the following are not true about S3 encryption? (Choose two.)
S3 applies AWS-256 encryption to data when server-side encryption is enabled.
S3 encryption will use a client key if it is supplied with data.
Encrypted EBS volumes can only be stored if server-side encryption is enabled.
S3 will accept locally encrypted data if client-side encryption is enabled.
B, C. A is true, and D is true; if you know this, choosing B and C is simple. Otherwise, you need to recognize that just supplying a client key to S3 is not enough; some form of client-side encryption or server-side encryption using client keys must be enabled. EBS volumes can be encrypted outside of S3 and stored regardless of how S3 is encrypting data.
- What types of data are encrypted when you create an encrypted EBS volume? (Choose two.)
Data at rest inside the volume
Data moving between the volume and the attached instance
Data inside S3 buckets that store the encrypted instance
Data in an EFS on instances attached to the volume
A, B. There are four types of data encrypted when an EBS volume is encrypted: data at rest on the volume, data moving between the volume and the instance, any snapshots created from the volume, and any volumes created from those snapshots.
- What types of data are not automatically encrypted when you create an encrypted EBS volume? (Choose two.)
A snapshot created from the EBS volume
Any data on additional volumes attached to the same instance as the encrypted volume
Data created on an instance that has the encrypted volume attached
Data moving between the volume and the attached instance
B, C. This is tricky, as both answers that involve unencrypted data have some tricky wording. First, B is not a case of encryption; if data never touches the encrypted volume, it is not automatically encrypted. Second, for C, data that is on the instance but never moves to the encrypted volume is also not automatically encrypted.
- What of the following types of data is not encrypted automatically when an encrypted EBS volume is attached to an EC2 instance?
Data in transit to the volume
Data at rest on the volume
Data in transit from the volume
All of these are encrypted.
D. All of these are encrypted. Data moving to and from the volume as well as data at rest on the volume are all encrypted.
- What encryption service is used by encrypted EBS volumes?
S3-KMS
S3-C
KMS
Customer-managed keys
C. KMS is used as the encryption service, but this is not the S3-KMS that is specific to S3 encryption. You will also sometimes see this KMS referenced as AWS-KMS.
- If you take a snapshot of an encrypted EBS volume, which of the following must you do to use that snapshot as a volume in a separate region? (Choose two.)
Copy the snapshot to the new region.
Delete the snapshot from the old region.
Unencrypt the snapshot once it is in the new region.
Create a new volume from the snapshot in the new region.
A, D. The only steps required here are to copy the snapshot to the new region (usually via the console), and then create a new volume from it.
- Which of the following will allow you to bring a non-encrypted RDS instance into compliance with an “all data must be encrypted at rest” policy?
Snapshot the RDS instance and restore it, encrypting the new copy upon restoration.
Use the AWS Database Migration Service to migrate the data from the instance to an encrypted instance.
Create a new encrypted instance and manually move data into it.
None of these will encrypt all data on the instance.
C. The only option here is the manual one. You must set up encryption when creating a new instance from scratch (snapshots won’t work) and then move data into it so that this data is encrypted as it moves into the new instance.
- Which of the following will allow you to bring a non-encrypted EBS volume into compliance with an “all data must be encrypted at rest” policy?
Stop the volume, snapshot it, and encrypt a copy of the snapshot. Then restore from the encrypted snapshot.
Stop the volume, select “Turn on encryption,” and restart the volume.
Encrypt the volume via the AWS API and turn on the “encrypt existing data” flag.
None of these will encrypt all data on the volume.
A. You cannot encrypt an existing volume “on the fly.” You must create a snapshot and then encrypt that snapshot as you copy it to another, encrypted snapshot. You can then restore from that new snapshot.
- Which of the following will allow you to bring a non-encrypted EBS volume into compliance with an “all data must be encrypted at rest” policy?
Stop the volume, create a snapshot, and restart from the snapshot, selecting “Encrypt this volume.”
Stop the volume, select “Turn on encryption,” and restart the volume.
Encrypt the volume via the AWS API and turn on the “encrypt existing data” flag.
None of these will encrypt all data on the volume.
D. None of these will work. The important thing to remember for a question like this is that you must make a copy of an unencrypted snapshot to apply encryption. There is no in-place encryption mechanism for volumes or snapshots.
- Which of the following will allow you to bring a non-encrypted EBS volume into compliance with an “all data must be encrypted at rest” policy?
Create a new volume, attach the new volume to an EC2 instance, copy the data from the non-encrypted volume to the new volume, and then encrypt the new volume.
Create a new volume with encryption turned on, attach the new volume to an EC2 instance, and copy the data from the non-encrypted volume to the new volume.
Create a new volume, attach the new volume to an EC2 instance, and use the encrypted-copy command to copy the data from the non-encrypted volume to the new volume.
None of these will encrypt all data on the volume.
B. The only way to encrypt an EBS volume is to encrypt it at creation time. Remembering this one detail will help on lots of questions in this vein.
- Which of the following are valid options on an EBS volume? (Choose two.)
Encrypt the volume.
Encrypt a snapshot of the volume.
Encrypt a copy of a snapshot of the volume.
Restore an encrypted snapshot to an encrypted volume.
C, D. You cannot encrypt an existing EBS volume, so A is incorrect. And you cannot encrypt a snapshot that is unencrypted, so B is incorrect. You can encrypt a copy of a snapshot and restore an encrypted snapshot to a volume that is encrypted (C and D).
- Can you copy a snapshot across AWS accounts?
Yes
Yes, but you first have to modify the snapshot’s access permissions.
Yes, but you have to be the owner of both AWS accounts.
No
B. You can copy snapshots across accounts, but the default permissions do not allow this. So you have to modify those permissions, and then the snapshot can be copied to any other AWS account, regardless of account owner.
- Can you copy an EBS snapshot across regions?
Yes, as long as the snapshot is not encrypted.
Yes, as long as the snapshot is marked for multi-region use.
Yes
No
C. You can copy a snapshot to a different region without any special considerations.
- How many security groups can you attach to a single instance in a VPC?
None, security groups aren’t attached to instances.
1
1 or more
2 or more
C. An instance must have a security group but can have more than that.
- What do you use to permit and restrict control of a NACL?
VPC
WAF
AWS Organizations
IAM
D. IAM roles and permissions control access to NACLs.
- In which order are NACLs and security groups evaluated?
NACLs and security groups are evaluated in parallel.
A NACL is evaluated first, and then the security group.
A security group is evaluated first, and then the NACL.
It depends on the VPC setup.
B. NACLs are always evaluated first because they exist at the border of a subnet. As security groups are attached to instances, they are not processed until traffic passes through the NACL and into the instance’s subnet.
- Which of these statements are true? (Choose two.)
A security group can apply to two instances at the same time.
A NACL applies to all instances within a subnet at the same time.
A security group can apply to only one instance at the same time.
A NACL can apply to only one instance at the same time.
A, B. Both security groups and NACLs can—and usually do—apply to multiple instances in a subnet. The NACL applies to all instances within the associate subnet, and a security group can be associated with multiple instances.
- Which of the following are true about the default NACL that comes with the default VPC? (Choose two.)
It allows all inbound traffic.
It allows all outbound traffic.
It disallows all inbound traffic.
It disallows all outbound traffic.
A, B. The default NACL allows in and out all traffic, which is somewhat unintuitive. Keep in mind that the default security group disallows inbound traffic, but the default NACL allows that traffic in.
- Which of the following are true about a user-created NACL? (Choose two.)
It allows all inbound traffic.
It allows all outbound traffic.
It disallows all inbound traffic.
It disallows all outbound traffic.
C, D. Unlike the default NACL that comes with the default VPC, custom NACLs disallow all inbound and outbound traffic by default.
- Which of the following statements is not true? (Choose two.)
A network ACL has separate inbound and outbound rules.
Network ACLs are stateful.
Each subnet in your VPC must be associated with a NACL.
A network ACL can only be associated with a single subnet.
B, D. A and C are true. B is false; NACLs are stateless. D is false, because a NACL can be associated with multiple subnets.
- What happens when you associate a NACL with a subnet that already is associated with a different NACL?
Nothing, both NACLs are associated with the subnet.
You receive an error. You must remove the first NACL to associate the new one.
You receive an error. You must first merge the two NACLs to apply them to a subnet.
The new NACL replaces the previous NACL, and the subnet still only has one NACL association.
D. A subnet is associated with a NACL but can only be associated to a single NACL at a time.
- Which of the following are part of a network ACL rule? (Choose two.)
An ASCII code
A rule number
An IAM group
A protocol
B, D. NACL rules have a rule number, a protocol, a choice of ALLOW or DENY, and a CIDR range and port or port range for inbound and outbound traffic.
- Which of the following are part of a network ACL rule? (Choose two.)
An ALLOW or DENY specification
A CIDR range
An IP address
A VPC identifier
A, B. NACL rules have a rule number, a protocol, a choice of ALLOW or DENY, and a CIDR range and port or port range for inbound and outbound traffic.
- Which of the following inbound rules of a custom NACL would be evaluated first?
Rule #800 // HTTP // TCP // 80 // 0.0.0.0/0 -> ALLOW.
Rule #100 // HTTPS // TCP // 443 // 0.0.0.0/0 -> ALLOW.
Rule * // All // All // All // 0.0.0.0/0 -> DENY.
Rule #130 // RDP // TCP // 3389 // 192.0.2.0/24 -> ALLOW.
B. Almost none of this detail actually matters. The only key parameter is the rule number. NACLs evaluate lowest-numbered rules first, so Rule #100 would go first, option B.
- If all of the following inbound rules existed on the default VPC’s default NACL, would SSH traffic be allowed?
Rule #800 // HTTP // TCP // 80 // 0.0.0.0/0 -> ALLOW
Rule #100 // HTTPS // TCP // 443 // 0.0.0.0/0 -> ALLOW
Yes, the default VPC’s default NACL allows all inbound traffic by default.
Yes, SSH is included in the HTTPS protocol.
Only if the SSH access permission in IAM is granted.
No
A. SSH is not explicitly mentioned, but because the question asks about the default NACL on the default VPC, all traffic is allowed in unless explicitly denied.
- Which of the following is the most accurate statement about what the following inbound rule on a NACL will do?
Rule #120 // SSH // TCP // 22 // 192.0.2.0/24 -> ALLOW
Allows inbound SSH traffic to the associated subnets
Allows inbound TCP traffic to the associated subnets
Allows inbound TCP traffic to the associated subnets from the CIDR block 192.0.2.0/24
Allows inbound SSH traffic to the associated subnets from the CIDR block 192.0.2.0/24
D. Technically, B and C are correct; SSH is a type of TCP traffic. However, that is not the most specific answer, which is what the question asks. A is partially correct but does not call out the CIDR block limitation that D does. Therefore, D is the most accurate answer.
- Which of the following is the most accurate statement about what the following inbound rule on a NACL will do?
Rule #120 // HTTP // TCP // 80 // 0.0.0.0/0 -> ALLOW
Allows inbound HTTP traffic to the associated subnets
Allows inbound IPv4 HTTP traffic to the associated subnets as long as it is not prevented by lower-numbered rules
Allows inbound IPv4 HTTP traffic to the associated subnets
Allows inbound IPv4 TCP traffic to the associated subnets
B. The most accurate answer here includes several components: the type of TCP traffic (HTTP), the allowed source CIDR block (the entire Internet), and IPv4. This rule does not explicitly allow IPv6 traffic. Further, this rule is only effective if there are no lower-numbered rules that short-circuit this rule.
- Which of the following rules allows IPv6 outbound traffic to flow to the entire Internet through a NAT gateway with the ID nat-123456789?
0.0.0.0/0 -> NAT -> nat-123456789
::/0 -> nat-123456789
0.0.0.0/0 -> nat-123456789
::/0 -> NAT -> nat-123456789
B. ::/0 represents IPv6 addresses, so the answer must be either B or D. The route should go from all IPv6 addresses to the ID of the NAT gateway, which is nat-123456789. There is no intermediate -> NAT that should be inserted into the routes.
- How many availability zones in a single region does a single VPC span?
None, VPCs do not span availability zones.
One
At least two
All of them
D. A VPC spans all the availability zones in a region.
- Which of these must be specified when creating a new VPC? (Choose two.)
An availability zone
A region
A CIDR block
A security group
B, C. You must always select a region to create a VPC, and you must always provide a CIDR block. VPCs span all the AZs in a region, so that is not required, and security groups are associated at the instance level rather than at the VPC level.
- How many subnets can be added to an availability zone within a VPC?
None
One
One or more
At least two
C. For a single VPC, you can add one or more subnets to each availability zone within that VPC.
- To how many availability zones within a region can a single subnet in a VPC be added?
None
One
One or more
At least two
B. A subnet cannot span availability zones. It can be added to a single AZ.
- How many availability zones can a subnet span?
None
One
One or more
At least two
B. A subnet cannot span availability zones. It can be added to a single AZ and can only exist within that single AZ.
- How many IPv6 CIDR blocks can be assigned to a single VPC?
None
One
One or more
At least two
B. A VPC can have a single primary CIDR block assigned to it for IPv4 addresses and an optional IPv6 CIDR block. While you can add secondary IPv4 CIDR blocks, you cannot add additional CIDR blocks for IPv6 at this time.
- How many IPv4 CIDR blocks can be assigned to a single VPC?
None
One
One or more
At least two
C. A VPC can have a single primary CIDR block assigned to it for IPv4 addresses and an optional IPv6 CIDR block. However, you can add additional secondary CIDR blocks to a VPC (up to four).
