Design Secure Applications and Architectures Flashcards
A web application, which is used by your clients around the world, is hosted in an Auto Scaling group of EC2 instances behind a Classic Load Balancer. You need to secure your application by allowing multiple domains to serve SSL traffic over the same IP address.
Which of the following should you do to meet the above requirement?
A. Use Server Name Indication (SNI) on your Classic Load Balancer by adding multiple SSL certificates to allow multiple domains to serve SSL traffic.
B. It is not possible to allow multiple domains to serve SSL traffic over the same IP address in AWS.
C. Generate an SSL certificate with AWS Certificate Manager and create a CloudFront web distribution. Associate the certificate with your web distribution and enable the support for Server Name Indication (SNI).
D. Use an Elastic IP and upload multiple 3rd party certificates in your Classic Load Balancer using the AWS Certificate Manager.
The correct answer is C - Generate an SSL certificate with AWS Certificate Manager and create a CloudFront web distribution. Associate the certificate with your web distribution and enable the support for Server Name Indication (SNI).
A and D are incorrect because Classic Load Balancer does not support Server Name Indication (SNI), and the use of an EIP is not a suitable solution.
A company developed a meal planning application that provides meal recommendations for the week as well as the food consumption of the users. The application resides on an EC2 instance which requires access to various AWS services for its day-to-day operations.
Which of the following is the best way to allow the EC2 instance to access the S3 bucket and other AWS services?
A. Create a role in IAM and assign it to the EC2 instance.
B. Store the API credentials in the EC2 instance.
C. Add the API Credentials in the Security Group and assign it to the EC2 instance.
D. Store the API credentials in a bastion host.
The correct answer is A - Create a role in IAM and assign it to the EC2 instance.
B and C are incorrect because it is not secure to store or use API credentials directly on an EC2 instance.
A company is using multiple AWS accounts that are consolidated using AWS Organizations. They want to copy several S3 objects to another S3 bucket that belongs to a different AWS account which they also own. The Solutions Architect was instructed to set up the necessary permissions for this task and to ensure that the destination account owns the copied objects and not the account they were sent from.
How can the Architect accomplish this requirement?
A. Enable the Requester Pays feature in the source S3 bucket. The fees would be waived through Consolidated Billing since both AWS accounts are part of AWS Organizations.
B. Configure cross-account permissions in S3 by creating an IAM customer-managed policy that allows an IAM user or role to copy objects from the source bucket in one account to the destination bucket in the other account. Then attach the policy to the IAM user or role that you want to use to copy objects between accounts.
C. Set up cross-origin resource sharing (CORS) in S3 by creating a bucket policy that allows an IAM user or role to copy objects from the source bucket in one account to the destination bucket in the other account.
D. Connect the two S3 buckets from two different AWS accounts to Amazon WorkDocs. Set up cross-account access to integrate the two S3 buckets. Use the Amazon WorkDocs console to copy the objects from one account to the other with modified object ownership assigned to the destination account.
The correct answer is B - Configure cross-account permissions in S3 by creating an IAM customer-managed policy that allows an IAM user or role to copy objects from the source bucket in one account to the destination bucket in the other account. Then attach the policy to the IAM user or role that you want to use to copy objects between accounts.
C is incorrect because CORS simply defines a way for client web applications that are loaded in one domain to interact with resources in a different domain; it does not grant access across different AWS accounts.