Domain 1: Design Secure Architectures Flashcards
You have a secure web application hosted on AWS using Application Load Balancers, Auto Scaling, and a fleet of EC2 instances connected to an RDS database. You need to ensure that your RDS database can only be accessed using the profile credentials specific to your EC2 instances (via an authentication token). How can you achieve this?
Using IAM roles
Using Active Directory federation via Amazon Inspector
Using Amazon Cognito
Using IAM database authentication
Using IAM roles
IAM roles are used to grant access to AWS services from other AWS services. You would be better off using IAM database authentication.
Using IAM database authentication
IAM has database authentication capabilities that would allow an RDS database to only be accessed using the profile credentials specific to your EC2 instances.
You work for a Fintech company that is launching a new cryptocurrency trading platform hosted on AWS. Because of the nature of the cryptocurrency industry, you have been asked to implement a Cloud Security Posture Management (CSPM) service that performs security best practice checks, aggregates alerts, and enables automated remediation. Which AWS service would meet this requirement?
Amazon Inspector
Amazon GuardDuty
AWS Trusted Advisor
AWS Security Hub
Amazon GuardDuty
Amazon GuardDuty is a continuous security monitoring service that analyzes and processes the following data sources: AWS CloudTrail management event logs, AWS CloudTrail data events for S3, DNS logs, EKS audit logs, and VPC flow logs. It uses threat intelligence feeds, such as lists of malicious IP addresses and domains, and machine learning to identify unexpected and potentially unauthorized and malicious activity within your AWS environment. It is not a Cloud Security Posture Management service.
AWS Security Hub
AWS Security Hub is a Cloud Security Posture Management service that performs security best practice checks, aggregates alerts, and enables automated remediation.
You work for an online bank that is migrating a customer portal to AWS. Because of the legislative requirements, you need a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. Which service should you use?
Amazon GuardDuty
Amazon Inspector
AWS Shield
AWS CloudTrail
Amazon GuardDuty
Amazon GuardDuty is a continuous security monitoring service that analyzes and processes the following data sources: AWS CloudTrail management event logs, AWS CloudTrail data events for S3, DNS logs, EKS audit logs, and VPC flow logs. It uses threat intelligence feeds, such as lists of malicious IP addresses and domains, and machine learning to identify unexpected and potentially unauthorized and malicious activity within your AWS environment.
Amazon Inspector
Amazon Inspector is a vulnerability management service that continuously scans your AWS workloads for vulnerabilities. It is not an intrusion detection service.
Your company has a small web application hosted on an EC2 instance. The application has just been deployed but no one is able to connect to the web application from a browser. You had recently ssh’d into this EC2 instance to perform a small update, but you also cannot browse to the application from Google Chrome. You have checked and there is an internet gateway attached to the VPC and a route in the route table to the internet gateway. Which situation most likely exists?
The instance security group has no ingress on port 22 or port 80.
The instance security group has ingress on port 443 but not port 22.
The instance security group has ingress on port 80 but not port 22.
The instance security group has ingress on port 22 but not port 80.
The instance security group has no ingress on port 22 or port 80.
The scenario states that you ssh’d into the instance, so port 22 must be open.
The instance security group has ingress on port 22 but not port 80.
The following are the basic characteristics of security groups for your VPC:
There are quotas on the number of security groups that you can create per VPC, the number of rules that you can add to each security group, and the number of security groups that you can associate with a network interface. For more information, see Amazon VPC quotas.
You can specify allow rules, but not deny rules.
You can specify separate rules for inbound and outbound traffic.
When you create a security group, it has no inbound rules. Therefore, no inbound traffic originating from another host to your instance is allowed until you add inbound rules to the security group.
By default, a security group includes an outbound rule that allows all outbound traffic. You can remove the rule and add outbound rules that allow specific outbound traffic only. If your security group has no outbound rules, no outbound traffic originating from your instance is allowed.
Security groups are stateful. If you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. Responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules.
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules
A recent audit of IT services deployed within many of the AWS Organization member accounts in your company has caused numerous remediation tasks for the SecOps team, as well as the member account owners. Post-remediation efforts, the CISO has asked you to identify a solution within AWS for preventing this from repeating. They would like you to instead find a way to allow end users in the accounts to deploy preapproved services within AWS to avoid them accidentally using the offending services. Which of the following is the optimal approach for this solution? CHOOSE 2
Create a CloudFormation Stack Set for each approved IT service. Have an organization administrator manually deploy these templates to the targeted accounts after approval.
Create approved CloudFormation templates containing the required services that can be used throughout the organization. Load the templates to a shared catalog within AWS Service Catalog. List the templates as products, and then share the catalog with your Organization.
Create approved CloudFormation templates containing the required services that are used throughout the organization. Send email templates out to the account owners, so they can reference them as needed.
Create approved Terraform templates containing the required services that are used throughout the organization. Create a shared catalog within AWS Service Catalog, list the templates as products, and then share the catalog with your Organization.
Create approved CloudFormation templates containing the required services that can be used throughout the organization. Load the templates to a shared catalog within AWS Service Catalog. List the templates as products, and then share the catalog with your Organization.
AWS Service Catalog offers a way to control which services are being deployed to AWS accounts. You create CloudFormation templates that get uploaded to a catalog that you can share with an organization. End users can then use this catalog to deploy preapproved IT services into their AWS accounts. Reference: Using the end user console view; Using the Provisioned products page.
Create approved Terraform templates containing the required services that are used throughout the organization. Create a shared catalog within AWS Service Catalog, list the templates as products, and then share the catalog with your Organization.
AWS Service Catalog can serve products defined with either CloudFormation or Terraform, so which of the two is optimal depends on the specific context of the organization. Weigh the benefits and limitations of each approach against the organization's current state and future plans; the choice should align with its strategic direction, existing expertise, and technology roadmap.
You work for a pharmaceutical company that recently had a major outage due to a sophisticated DDoS attack. They need you to implement DDoS mitigation to prevent this from happening again. They require you to have near real-time visibility into attacks, as well as 24/7 access to a dedicated team who can help mitigate this in the future. Which AWS service should you recommend?
AWS Shield
AWS Shield Advanced
AWS DDoS Prevention Advanced
AWS DDoS Prevention Standard
AWS Shield Advanced
AWS Shield Advanced has a dedicated team to help you respond to attacks.
A financial institution has begun using AWS services and plans to migrate as much of their IT infrastructure and applications to AWS as possible. The nature of the business dictates that strict compliance practices be in place. The AWS team has configured AWS CloudTrail to help meet compliance requirements and be ready for any upcoming audits. Which item is not a feature of AWS CloudTrail?
Answer simple questions about user activity.
Enables compliance.
Monitor Auto Scaling Groups and optimize resource utilization.
Track changes to resources.
Monitor Auto Scaling Groups and optimize resource utilization.
Correct: This is a feature provided by CloudWatch.
You need to be able to perform vulnerability scans on your large fleet of EC2 instances. Which AWS service should you choose?
AWS Trusted Advisor
Amazon Inspector
Amazon Athena
Amazon Macie
Amazon Inspector
Amazon Inspector would be the best solution to run vulnerability scans.
You work for an insurance company that stores a lot of confidential medical data. They are migrating to AWS and have an encryption requirement where you need to manage the hardware security modules (HSMs) that generate and store the encryption keys. You also create the symmetric keys and asymmetric key pairs that the HSM stores. Which AWS service should you use to meet these requirements?
AWS Key Management Service (KMS)
AWS CloudTrail
AWS Trusted Key Advisor
AWS CloudHSM
AWS CloudHSM
With AWS CloudHSM, you can generate both symmetric keys and asymmetric key pairs. You can also manage the HSM that generates and stores your encryption keys.
You are a solutions architect for an online gambling company. You notice a series of web-layer DDoS attacks coming from a large number of IP addresses. In order to mitigate these web-layer DDoS attacks, you have been asked to implement a rule capable of blocking all IPs that have made more than 2,000 requests in the last 5-minute interval. What should you do?
Use AWS Trusted Advisor to filter the traffic
Create a rate-based rule on your AWS WAF and associate the web access control list (ACL) to the Application Load Balancer
Create a standard rule on your AWS WAF and associate the web access control list (ACL) to the Application Load Balancer
Update your VPC’s network access control list (NACL) and block access to the IP addresses as and when they come in
Create a rate-based rule on your AWS WAF and associate the web access control list (ACL) to the Application Load Balancer
A rate-based rule tracks the rate of requests for each originating IP address, and triggers the rule action on IPs with rates that go over a limit. You set the limit as the number of requests per 5-minute time span. You can use this type of rule to put a temporary block on requests from an IP address that’s sending excessive requests. AWS Documentation: Rate-based rule statement.
A small startup is beginning to configure IAM for their organization. The user logins have been created and now the focus will shift to the permissions to grant to those users. An admin starts creating identity-based policies. To which item can an identity-based policy not be attached?
groups
roles
users
resources
resources
Resource-based policies are attached to a resource. For example, you can attach resource-based policies to Amazon S3 buckets, Amazon SQS queues, and AWS Key Management Service encryption keys. For a list of services that support resource-based policies, see AWS services that work with IAM. Reference: Identity-based policies and resource-based policies.
You have a serverless image-sharing website that utilizes S3 to store high-quality images. Unfortunately, your competitors start linking to your website and borrowing your photos. How can you best prevent unauthorized access?
Store the images in an RDS database and restrict access.
Restrict public access to the bucket and turn on presigned URLs with expiry dates.
Enable CloudFront on the website.
Block the IP addresses of the websites using AWS WAF.
Restrict public access to the bucket and turn on presigned URLs with expiry dates.
This would prevent access to your photos without authorization.
You work for a startup that has recently been acquired by a large insurance company. As per the insurance company’s internal security controls, you need to be able to monitor and record all API calls made in your AWS infrastructure. What AWS service should you use to achieve this?
AWS CloudTrail
AWS Trusted Advisor
Amazon CloudWatch
AWS Cloud Audit
AWS CloudTrail
AWS CloudTrail is used to monitor and record all API calls made in your AWS infrastructure.
You work at a mortgage brokerage firm in New York City. An intern has recently joined the company and you discover that they have been storing customer data in public S3 buckets. Because the company uses so many different S3 buckets, you need to identify a quick and efficient way to discover what personally identifiable information (PII) is being stored in S3. Which AWS service should you use?
Amazon Inspector
Amazon Macie
AWS Trusted Advisor
Amazon Athena
Amazon Macie
Amazon Macie is a quick and efficient way to discover what personally identifiable information (PII) is being stored in S3.
Janelle works as a cloud solutions architect for a large enterprise that has begun the process of migrating to AWS for all of their application needs. The CTO and CISO have already decided that AWS Organizations is a required service for the multi-account environment that will be put into place. Janelle has been brought in to help solve the primary concern of member AWS accounts not following the required compliance rules set forth by the company. They want to both send alerts on configuration changes and prevent specific actions from occurring. Which solution would be the most efficient in solving this projected problem?
Install third-party SIEM software on Amazon EC2 instances in each account. Attach to them a Read-Only IAM instance profile within the respective account. Have them generate alerts for each flagged activity.
Create new AWS accounts using AWS Control Tower. Leverage the preventative and detective guardrails that come with it to prevent governance drift as well as send alerts on suspicious activities.
Create individual AWS Config rules in each AWS account. Set up AWS Lambda functions in each AWS account to remediate any suspected drift.
Create a set of Global AWS Config rules that can cover all Regions in the management account that apply to the member accounts. Set up an AWS Lambda function in the management AWS account to alert an administrator when drift is detected.
Create new AWS accounts using AWS Control Tower. Leverage the preventative and detective guardrails that come with it to prevent governance drift as well as send alerts on suspicious activities.
AWS Control Tower allows you to implement account governance and compliance enforcement for an AWS organization. It leverages SCPs for preventative guardrails and AWS Config for detective guardrails. Reference: What Is AWS Control Tower?; Guardrails in AWS Control Tower.