Domain 1: Design Secure Architectures Flashcards

1
Q

A consultant is hired by a small company to configure an AWS environment. The consultant begins working with the VPC and launching EC2 instances within the VPC. The initial instances will be placed in a public subnet. The consultant begins to create security groups. What is true of the default security group?

You can delete this group or you can change the group’s rules.

You can’t delete this group, however, you can change the group’s rules.

You can’t delete this group, nor can you change the group’s rules.

You can delete this group, however, you can’t change the group’s rules.

A

You can delete this group or you can change the group’s rules.

Incorrect. You cannot delete this group.

You can’t delete this group, however, you can change the group’s rules.

Your VPC includes a default security group. You can’t delete this group, however, you can change the group’s rules. The procedure is the same as modifying any other security group. For more information, see Adding, removing, and updating rules. https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html

2
Q

A consultant is hired by a small company to configure an AWS environment. The consultant begins working with the VPC and launching EC2 instances within the VPC. The initial instances will be placed in a public subnet. The consultant begins to create security groups. How many security groups can be attached by default to an EC2 instance that has one network interface?

You can only assign one security group to an instance.

You can assign up to five security groups to the instance.

Instances in private subnets cannot have multiple security groups.

You can assign two security groups to an instance.

A

You can only assign one security group to an instance.

Incorrect. You can assign up to five security groups to the instance.

You can assign up to five security groups to the instance.

A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign up to five security groups to the instance. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC can be assigned to a different set of security groups. If you launch an instance using the Amazon EC2 API or a command-line tool and you don’t specify a security group, the instance is automatically assigned to the default security group for the VPC. If you launch an instance using the Amazon EC2 console, you have an option to create a new security group for the instance. For each security group, you add rules that control the inbound traffic to instances and a separate set of rules that control the outbound traffic. https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html

3
Q

You work in healthcare for an IVF clinic. You host an application on AWS, which allows patients to track their medication during IVF cycles. The application also allows them to view test results, which contain sensitive medical data. You have a regulatory requirement that the application is secure and you must use a firewall managed by AWS that enables control and visibility over VPC-to-VPC traffic and prevents the VPCs hosting your sensitive application resources from accessing domains using unauthorized protocols. What AWS service would support this?

AWS Firewall Manager

AWS Network Firewall

AWS WAF

AWS PrivateLink

A

AWS Network Firewall

The AWS Network Firewall infrastructure is managed by AWS, so you don’t have to worry about building and maintaining your own network security infrastructure. AWS Network Firewall’s stateful firewall can incorporate context from traffic flows, like tracking connections and protocol identification, to enforce policies such as preventing your VPCs from accessing domains using an unauthorized protocol. AWS Network Firewall gives you control and visibility of VPC-to-VPC traffic to logically separate networks hosting sensitive applications or line-of-business resources.

AWS WAF

AWS WAF is a web application firewall that helps protect web applications from attacks by allowing you to configure rules that allow, block, or monitor (count) web requests based on conditions that you define. These conditions include IP addresses, HTTP headers, HTTP body, URI strings, SQL injection and cross-site scripting.

4
Q

You have been evaluating the NACLs in your company. Most of the NACLs are configured the same:

100 All Traffic Allow
200 All Traffic Deny
* All Traffic Deny

How can the last rule (* All Traffic Deny) be edited?

You can’t modify or remove this rule.

It’s a placeholder and can be deleted.

The Deny can be changed to Allow.

Any number can replace the *.

A

You can’t modify or remove this rule.

The default network ACL is configured to allow all traffic to flow in and out of the subnets with which it is associated. Each network ACL also includes a rule whose rule number is an asterisk. This rule ensures that if a packet doesn’t match any of the other numbered rules, it’s denied. You can’t modify or remove this rule. https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html

The Deny can be changed to Allow.

Incorrect. You cannot modify or remove this rule.

5
Q

You work for an organization that has multiple AWS accounts in multiple regions and multiple applications. You have been tasked with making sure that all your firewall rules across these multiple accounts and regions are consistent. You need to do this as quickly and efficiently as possible. Which AWS service would help you achieve this?

Amazon Detective

AWS Web Application Firewall (AWS WAF)

AWS Firewall Manager

AWS Network Firewall

A

AWS Firewall Manager

AWS Firewall Manager is a security management service that gives you a single pane of glass for firewall rules. It lets you centrally set up and manage firewall rules across multiple AWS accounts and applications in AWS Organizations.

6
Q

You have been evaluating the NACLs in your company. Currently, you are looking at the default network ACL. What is true about the default network ACL?

The default NACL denies all traffic.

You can only edit the default NACL if it is the only NACL in the VPC.

You cannot edit the default NACL.

You can add or remove rules from the default network ACL.

A

You can add or remove rules from the default network ACL.

The default network ACL is configured to allow all traffic to flow in and out of the subnets with which it is associated. You are able to add and remove your own rules from the default network ACL. However, each network ACL also includes a rule whose rule number is an asterisk. This rule ensures that if a packet doesn’t match any of the other numbered rules, it’s denied. You can’t modify or remove this rule. https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#default-network-acl

7
Q

The company you work for has reshuffled teams a bit and you’ve been moved from the AWS IAM team to the AWS network team. One of your first assignments is to review the subnets in the main VPCs. You have recommended that the company add some private subnets and segregate databases from public traffic. What differentiates a public subnet from a private subnet?

Public subnets are meant to house EC2 instances with public IP addresses.

Public subnets are associated with public Availability zones.

A public subnet has a public IP address.

If a subnet’s traffic is routed to an internet gateway, the subnet is known as a public subnet.

A

If a subnet’s traffic is routed to an internet gateway, the subnet is known as a public subnet.

A public subnet is a subnet that’s associated with a route table that has a route to an internet gateway. Reference: VPC with public and private subnets (NAT) - Overview.

8
Q

You work for an online cloud education provider that provides hands-on labs for training students. Recently, you noticed a spike in CPU activity for one of your EC2 instances and you suspect it is being used to mine bitcoin rather than for educational purposes. Somehow, your production environment has been compromised and you need to quickly identify the root cause of this compromise. Which AWS service would be best suited to identify the root cause?

AWS Artifact

Amazon CloudWatch

Amazon Detective

AWS Trusted Advisor

A

Amazon Detective

Using Amazon Detective, you can analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities.

9
Q

You work for an online education company that offers a 7-day unlimited access free trial for all new users. You discover that someone has been taking advantage of this and has created a script to register a new user every time the 7-day trial ends. They also use this script to download large amounts of video files, which they then put up on popular pirate websites. You need to find a way to automate the detection of fraud like this using machine learning and artificial intelligence. Which AWS service would best suit this?

Amazon Rekognition

Amazon Fraud Detector

Amazon Inspector

Amazon Detective

A

Amazon Fraud Detector

Amazon Fraud Detector is an AWS AI service that is built to detect fraud in your data.

10
Q

You have been evaluating the NACLs in your company. Currently, you are looking at the default network ACL. Which statement is true regarding subnets and NACLs?

The default NACL will always be associated with each subnet.

Each subnet in your VPC must be associated with a network ACL. If you don’t explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL.

You have to delete the default NACL before creating a custom NACL to associate with a subnet.

Only public subnets can use the default NACL.

A

Each subnet in your VPC must be associated with a network ACL. If you don’t explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL.

Each subnet in your VPC must be associated with a network ACL. If you don’t explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL. https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#default-network-acl

11
Q

You work for a company that needs to pursue a FedRAMP assessment and accreditation. They need to generate a FedRAMP Customer Package, which is a report designed to get accreditation. The report contains a number of sections, such as AWS East/West and GovCloud Executive Briefing, Control Implementation Summary (CIS), Customer Responsibility Matrix (CRM), and E-Authentication. You need this information as quickly as possible. Which AWS service should you use to find this information?

Call your AWS Technical Account Manager (TAM) and ask for this information.

Use AWS Trusted Advisor to generate the report.

Use AWS Certificate Manager to generate the report.

Use AWS Artifact to download the report.

A

Use AWS Artifact to download the report.

AWS Artifact is a single source you can visit to get the compliance-related information that matters to you, such as AWS security and compliance reports or select online agreements.

12
Q

A small company has nearly 200 users who already have AWS accounts in the company AWS environment. A new S3 bucket has been created which will need to allow roughly a third of all users access to sensitive information in the bucket. What is the most time efficient way to get these users access to the bucket?

Create a new policy which will grant permissions to the bucket. Create a role and attach the policy to that role. Add the users to this role.

Create a new policy which will grant permissions to the bucket. Create a group and attach the policy to that group. Add the users to this group.

Create a new bucket policy granting the appropriate permissions and attach it to the bucket.

Create a new role which will grant permissions to the bucket. Create a group and attach the role to that group. Add the users to this group.

A

Create a new policy which will grant permissions to the bucket. Create a group and attach the policy to that group. Add the users to this group.

An IAM group is a collection of IAM users. Groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users. For example, you could have a group called Admins and give that group the types of permissions that administrators typically need. Any user in that group automatically has the permissions that are assigned to the group. If a new user joins your organization and needs administrator privileges, you can assign the appropriate permissions by adding the user to that group. Similarly, if a person changes jobs in your organization, instead of editing that user’s permissions, you can remove him or her from the old groups and add him or her to the appropriate new groups. Note that a group is not truly an “identity” in IAM because it cannot be identified as a Principal in a permission policy. It is simply a way to attach policies to multiple users at one time. Following are some important characteristics of groups:

A group can contain many users, and a user can belong to multiple groups.
Groups can’t be nested; they can contain only users, not other groups.
There’s no default group that automatically includes all users in the AWS account. If you want to have a group like that, you need to create it and assign each new user to it.
There’s a limit to the number of groups you can have, and a limit to how many groups a user can be in. For more information, see IAM and STS Limits. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html

13
Q

An international company has many clients around the world. These clients need to transfer gigabytes to terabytes of data quickly and on a regular basis to an S3 bucket. Which S3 feature will enable these long distance data transfers in a secure and fast manner?

Cross-account replication

Multipart upload

AWS Snowmobile

Transfer Acceleration

A

Transfer Acceleration

You might want to use Transfer Acceleration on a bucket for various reasons, including the following: You have customers that upload to a centralized bucket from all over the world. You transfer gigabytes to terabytes of data on a regular basis across continents. You are unable to utilize all of your available bandwidth over the Internet when uploading to Amazon S3. https://docs.aws.amazon.com/AmazonS3/latest/dev/transfer-acceleration.html

14
Q

A small software team is creating an application which will give subscribers real-time weather updates. The application will run on EC2 and will make several requests to AWS services such as S3 and DynamoDB. What is the best way to grant permissions to these other AWS services?

Embed the appropriate credentials to access AWS services in the application.

Create an IAM role that you attach to the EC2 instance to give temporary security credentials to applications running on the instance.

Create an IAM policy that you attach to the EC2 instance to give temporary security credentials to applications running on the instance.

Create an IAM user, grant the user permissions, and pass the user credentials to the application.

A

Create an IAM role that you attach to the EC2 instance to give temporary security credentials to applications running on the instance.

Create an IAM role in the following situations: You’re creating an application that runs on an Amazon Elastic Compute Cloud (Amazon EC2) instance and that application makes requests to AWS. Don’t create an IAM user and pass the user’s credentials to the application or embed the credentials in the application. Instead, create an IAM role that you attach to the EC2 instance to give temporary security credentials to applications running on the instance. When an application uses these credentials in AWS, it can perform all of the operations that are allowed by the policies attached to the role. For details, see Using an IAM Role to Grant Permissions to Applications Running on Amazon EC2 Instances. https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html#id_which-to-choose_role

15
Q

You have configured a VPC with both a public and a private subnet. You need to deploy a web server and a database. You want the web server to be accessed from the Internet by customers. Which is the proper configuration for this architecture?

Web server outside of VPC for internet access, database in private subnet.

Web server in public subnet, database in private subnet.

Database outside the VPC for decoupling from web server, and web server in public subnet for internet access.

Both web server and database in public subnets to facilitate internet access.

A

Web server in public subnet, database in private subnet.

Correct. In a best-practice VPC architecture, you launch the web servers or elastic load balancers in the public subnet and the database servers in the private subnet. https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html

16
Q

You are managing S3 buckets in your organization. One of the buckets in your organization has gotten some bizarre uploads and you would like to be aware of these types of uploads as soon as possible. Because of that, you configure event notifications for this bucket. Which of the following is NOT a supported destination for event notifications?

SNS

SQS

Lambda function

SES

A

SES

Correct. SES is NOT a supported destination for S3 event notifications. The Amazon S3 notification feature enables you to receive notifications when certain events happen in your bucket. To enable notifications, you must first add a notification configuration that identifies the events you want Amazon S3 to publish and the destinations where you want Amazon S3 to send the notifications. Amazon S3 can send event notification messages to the following destinations. You specify the ARN value of these destinations in the notification configuration.

Publish event messages to an Amazon Simple Notification Service (Amazon SNS) topic.
Publish event messages to an Amazon Simple Queue Service (Amazon SQS) queue. Note that if the destination queue or topic is SSE enabled, Amazon S3 will need access to the associated AWS Key Management Service (AWS KMS) customer master key (CMK) to enable message encryption.
Publish event messages to AWS Lambda by invoking a Lambda function and providing the event message as an argument. https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html#notification-how-to-event-types-and-destinations

17
Q

The company you work for has reshuffled teams a bit and you’ve been moved from the AWS IAM team to the AWS Network team. One of your first assignments is to review the subnets in the main VPCs. What are two key concepts regarding subnets? CHOOSE 2

Each subnet maps to a single Availability Zone.

Every subnet you create is associated with the main route table for the VPC.

Each subnet is associated with one security group.

A subnet spans all the Availability Zones in a Region.

Private subnets can only hold databases.

A

Each subnet maps to a single Availability Zone.

When you create a subnet, you specify the CIDR block for the subnet, which is a subset of the VPC CIDR block. Each subnet must reside entirely within one Availability Zone and cannot span zones.

Reference: VPC and subnet basics

Every subnet you create is associated with the main route table for the VPC.

Each subnet must be associated with a route table, which specifies the allowed routes for outbound traffic leaving the subnet. Every subnet that you create is automatically associated with the main route table for the VPC. You can change the association, and you can change the contents of the main route table.

Reference: Subnet routing

18
Q

Recent worldwide events have dictated that you perform your duties as a Solutions Architect from home. You need to be able to manage several EC2 instances while working from home and have been testing the ability to SSH into these instances. One instance in particular has been a problem and you cannot SSH into this instance. What should you check first to troubleshoot this issue?

Make sure that the Security Group for the instance allows inbound on port 443 from your home IP address

Make sure that the security group for the instance allows inbound on port 80 from your home IP address

Make sure that your VPC has a connected Virtual Private Gateway

Make sure that the security group for the instance allows inbound on port 22 from your home IP address

A

Make sure that the security group for the instance allows inbound on port 22 from your home IP address

A rule that allows access to TCP port 22 (SSH) from your home IP address enables you to SSH into the instances associated with the security group. AWS Documentation: Security group rules.

19
Q

Your company is storing highly sensitive data in S3 Buckets. The data includes personal and financial information. An audit has determined that this data must be stored in a secured manner and any data stored in the buckets already or data coming into the buckets must be analyzed and alerts sent out flagging improperly stored data. Which AWS service can be used to meet this requirement?

Amazon Macie

AWS Trusted Advisor

AWS GuardDuty

AWS Inspector

A

Amazon Macie

Correct. Amazon Macie is a fully-managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS. Macie automatically provides an inventory of Amazon S3 buckets including a list of unencrypted buckets, publicly accessible buckets, and buckets shared with AWS accounts outside those you have defined in AWS Organizations. Then, Macie applies machine learning and pattern matching techniques to the buckets you select to identify and alert you to sensitive data, such as personally identifiable information (PII). Macie’s alerts, or findings, can be searched and filtered in the AWS Management Console and sent to Amazon CloudWatch Events for easy integration with existing workflow or event management systems, or to be used in combination with AWS services, such as AWS Step Functions to take automated remediation actions. Reference - https://aws.amazon.com/macie/

20
Q

A new startup company decides to use AWS to host their web application. They configure a VPC as well as two subnets within the VPC. They also attach an internet gateway to the VPC. In the first subnet, they create the EC2 instance which will host their web application. They finish the configuration by making the application accessible from the Internet. The second subnet has an instance hosting a smaller, secondary application. But this application is not currently accessible from the Internet. What could be potential problems? CHOOSE 2

The EC2 instance is not attached to an internet gateway.

The second subnet does not have a route in the route table to the internet gateway.

The second subnet does not have a public IP address.

The EC2 instance does not have a public IP address.

The second subnet does not have a route in the route table to the virtual private gateway.

A

The second subnet does not have a route in the route table to the internet gateway.

To enable access to or from the internet for instances in a subnet in a VPC, you must do the following:

Attach an internet gateway to your VPC.
Add a route to your subnet’s route table that directs internet-bound traffic to the internet gateway. If a subnet is associated with a route table that has a route to an internet gateway, it’s known as a public subnet. If a subnet is associated with a route table that does not have a route to an internet gateway, it’s known as a private subnet.
Ensure that instances in your subnet have a globally unique IP address (public IPv4 address, Elastic IP address, or IPv6 address).
Ensure that your network access control lists and security group rules allow the relevant traffic to flow to and from your instance. https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html

The EC2 instance does not have a public IP address.

To enable access to or from the internet for instances in a subnet in a VPC, you must do the following:

Attach an internet gateway to your VPC.
Add a route to your subnet’s route table that directs internet-bound traffic to the internet gateway. If a subnet is associated with a route table that has a route to an internet gateway, it’s known as a public subnet. If a subnet is associated with a route table that does not have a route to an internet gateway, it’s known as a private subnet.
Ensure that instances in your subnet have a globally unique IP address (public IPv4 address, Elastic IP address, or IPv6 address).
Ensure that your network access control lists and security group rules allow the relevant traffic to flow to and from your instance. https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html