Domain 2 Flashcards

Security and Compliance

1
Q

You are hosting a MySQL database on Amazon RDS. Are you responsible for patching the database engine on an Amazon RDS database instance or is AWS responsible for this security patching?

A

AWS is responsible for patching on Amazon RDS.

2
Q

You have a database running on Amazon EC2. Who is responsible for patching the Amazon EC2 instance?

A

You are responsible for the patching of your Amazon EC2 instance.

3
Q

Where can you find information about compliance on AWS?

A

AWS compliance programs such as AWS Artifact, the Security Center, and the AWS Knowledge Center.

4
Q

What AWS service helps to identify an IAM user who deleted an Amazon EC2 instance in your production environment?

A

AWS CloudTrail is a service for governance, compliance, operational auditing, and risk auditing of your AWS account. It continuously monitors and retains account activity related to actions across your AWS infrastructure.

5
Q

What are some actions you can perform as the account root user of your AWS account?

A

As the account root user, you can change your account settings, restore IAM user permissions, activate access to the AWS Billing and Cost Management console, register as a seller, configure an S3 bucket to enable multi-factor authentication, close your AWS account, and more.

6
Q

What identity in AWS has associated usernames and passwords?

A

IAM users.

7
Q

What AWS service would you choose if you need to create rules to filter web traffic based on conditions such as IP addresses, HTTP headers, or custom URLs?

A

AWS WAF helps you control web traffic with rules that you define, including rules that block common attack patterns such as SQL injection or cross-site scripting.

8
Q

Can you conduct security assessments and penetration testing without prior approval against your AWS resources?

A

Yes, but only for certain services.

9
Q

Which of the following is the customer responsible for updating and patching, according to the AWS shared responsibility model?
a. Amazon FSx for Windows File Server
b. Amazon WorkSpaces virtual Windows desktop
c. AWS Directory Service for Microsoft Active Directory
d. Amazon RDS for Microsoft SQL Server

A

b. Amazon WorkSpaces virtual Windows desktop
WorkSpaces provides a managed Desktop as a Service offering. WorkSpaces gives users the ability to interact with a virtual desktop. It is the responsibility of the customer to update and patch the operating system and any software installed by the customer in WorkSpaces. You can schedule maintenance windows or manually make the update yourself.

10
Q

What is Amazon FSx for Windows File Server?

A

FSx for Windows File Server is a fully managed service that provides shared storage built on a Windows Server. AWS is responsible for updates and patches of the server.

11
Q

What is AWS Directory Service for Microsoft Active Directory?

A

AWS Managed Microsoft AD is a managed service that gives you the ability to connect to your existing Active Directory or to migrate workloads. AWS is responsible for updates and patches for AWS Managed Microsoft AD.

12
Q

Which service provides risk auditing by continuously monitoring and logging API requests to resources in an account, which includes user actions in the AWS Management Console and AWS SDKs?

A

AWS CloudTrail
CloudTrail helps to provide governance, compliance, and operational risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface (AWS CLI), and AWS SDKs and APIs.

13
Q

What is AWS Config?

A

AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This view includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time. However, AWS Config does not log API calls to resources.

14
Q

What is AWS Health?

A

AWS Health provides ongoing visibility into your resource performance and the availability of your AWS services and accounts. You can use AWS Health events to learn how service and resource changes might affect your applications that run on AWS. AWS Health provides relevant and timely information to help you manage events in progress. However, AWS Health does not log API calls to resources.

15
Q

A cloud practitioner wants to explicitly deny network traffic to a subnet inside of an Amazon VPC.

Which solution will meet this requirement?
a. Network ACLs
b. Security Groups
c. Transit Gateway
d. Route Table

A

a. Network ACLs
Network ACLs are firewalls that you can use to deny traffic on the VPC subnet level.
A network access control list (ACL) allows or denies specific inbound or outbound traffic at the subnet level. You can use the default network ACL for your VPC, or you can create a custom network ACL for your VPC with rules that are similar to the rules for your security groups in order to add an additional layer of security to your VPC.

There is no additional charge for using network ACLs.

16
Q

What are security groups?

A

Security groups are firewalls that you can use on the resource level inside of a VPC subnet. You can use security groups to control inbound and outbound traffic to a resource.
A security group controls the traffic that is allowed to reach and leave the resources that it is associated with. For example, after you associate a security group with an EC2 instance, it controls the inbound and outbound traffic for the instance.

17
Q

What is a transit gateway?

A

You can use a transit gateway to interconnect your VPC and on-premises networks through a central hub. You cannot use transit gateways to deny traffic on the subnet level.
A transit gateway is a network transit hub that you can use to interconnect your virtual private clouds (VPCs) and on-premises networks. As your cloud infrastructure expands globally, inter-Region peering connects transit gateways together using the AWS Global Infrastructure. All network traffic between AWS data centers is automatically encrypted at the physical layer.

18
Q

What is a route table?

A

You can use a route table to direct traffic from your subnet and gateway. Route tables cannot explicitly block network traffic inside of a VPC.
A route table contains a set of rules, called routes, that determine where network traffic from your subnet or gateway is directed.

19
Q

A cloud practitioner must define the AWS shared responsibility model.

What is the customer’s responsibility? (Select TWO.)
a. Configure IAM users for least-privilege access
b. Install patches to the database of Amazon RDS DB instances
c. Determine which services have access to an Amazon DynamoDB table
d. Patch the physical AWS network equipment
e. Patch the operating system used by AWS Lambda functions

A

a. Configure IAM users for least-privilege access & c. Determine which services have access to an Amazon DynamoDB table

AWS provides the functionality of AWS Identity and Access Management (IAM). However, the customer determines who receives specific access rights. The customer defines IAM users and assigns policies to those users.

The customer is responsible for controlling access between services. Access between services represents security in the cloud.

20
Q

Which service or feature will enhance the security of access to the AWS Management Console? (Select TWO.)
a. AWS Secrets Manager
b. AWS Certificate Manager (ACM)
c. Multi-factor authentication (MFA)
d. Security groups
e. Complex password requirements

A

c. Multi-factor authentication (MFA) & e. Complex password requirements

MFA is a simple best practice that adds an extra layer of protection on top of your username and password. When you configure MFA, a user who signs in to the AWS Management Console will be prompted for their username and password. This is the first factor of what they know. The user will then be prompted for an authentication code from their MFA device. This is the second factor of what they have. MFA provides increased security for your AWS account settings and resources.

Complex password requirements help protect against improper access to the AWS Management Console by making passwords more difficult to guess.

21
Q

Which service should someone use to turn on single sign-on (SSO) to the AWS Management Console?

A

AWS IAM Identity Center
IAM Identity Center provides you with the ability to manage sign-in security for your workforce users. IAM Identity Center can be used for SSO integration to access the AWS Management Console.

22
Q

What is AWS Directory Service?

A

Directory Service is a managed directory service that provides a way to organize information related to your company. Directory Service does not provide the ability for SSO integration to access the AWS Management Console.

23
Q

A company has a new requirement to log actions taken in a production account.

Which AWS service should meet that requirement?

A

AWS CloudTrail
Actions performed in AWS are recorded as events in CloudTrail. You can use CloudTrail to log actions taken in a production account, such as actions taken in the AWS Management Console, AWS CLI, and AWS SDKs.

24
Q

What is Amazon CloudWatch?

A

CloudWatch is used to monitor resources and applications that you run on AWS in near real time. CloudWatch can collect and track metrics to measure specific resource concerns, but it does not log actions taken in an account.

25
Q

What is Amazon Inspector?

A

Amazon Inspector is used to scan AWS workloads for software vulnerabilities and unintended network exposure based on industry standards. Amazon Inspector does not log actions taken in an account.

26
Q

What is AWS Application Discovery Service?

A

Application Discovery Service collects usage and configuration data about your on-premises servers to help plan a migration. Application Discovery Service does not log actions taken in an account.

27
Q

Which task is the customer’s responsibility for AWS Lambda, according to the AWS shared responsibility model?
a. Encryption of the application data at rest
b. Management of the application
c. Patching of the guest operating system
d. Security of the physical infrastructure

A

a. Encryption of the application data at rest
Although Lambda is a fully managed service, customers are still responsible for application data. Therefore, the customer is responsible for protection and encryption of application data at rest.

28
Q

Which security-related services or features does AWS offer? (Select TWO.)
a. Complete PCI compliance for customer applications that run on AWS
b. AWS Trusted Advisor security checks
c. Data encryption
d. Automated penetration testing
e. Amazon S3 copyrighted content detection

A

b. AWS Trusted Advisor security checks & c. Data encryption

Trusted Advisor draws upon best practices learned from serving hundreds of thousands of AWS customers. These best practices include security checks.
Many AWS services support data encryption, including Amazon Elastic Block Store (Amazon EBS) and Amazon S3. Encryption adds another layer of security to your data.

29
Q

Which AWS service uses machine learning to help discover, monitor, and protect sensitive data that is stored in Amazon S3 buckets?

A

Amazon Macie
Macie provides data security by using machine learning to discover, monitor, and provide automated protection of sensitive data that is stored in Amazon S3.

30
Q

What is AWS Shield?

A

AWS Shield provides protection against a wide range of known DDoS attack vectors and zero-day attack vectors. Shield detection and mitigation are designed to provide coverage against threats even if they are not explicitly known to the service at the time of detection. Shield Standard is provided automatically and at no extra charge when you use AWS.
A DDoS attack is an attack in which multiple compromised systems try to flood a target with traffic. A DDoS attack can prevent legitimate end users from accessing the target services and can cause the target to crash due to overwhelming traffic volume.

31
Q

What is AWS Network Firewall?

A

Network Firewall is a managed network firewall service that provides intrusion detection and prevention for your VPC.
With Network Firewall, you can filter traffic at the perimeter of your VPC. This includes filtering traffic going to and coming from an internet gateway, NAT gateway, or over VPN or AWS Direct Connect. Network Firewall uses the open source intrusion prevention system (IPS), Suricata, for stateful inspection.

32
Q

Which AWS service provides managed threat detection that will identify compromised instances and accounts?

A

Amazon GuardDuty
GuardDuty provides continuous monitoring and threat detection services. GuardDuty uses threat intelligence feeds and machine learning to identify unauthorized and malicious activity within your AWS environment. You can use GuardDuty to identify compromised instances and accounts.

33
Q

During a compliance review, one of the auditors requires a copy of the AWS SOC 2 report.

Which service should be used to submit this request?

A

AWS Artifact
AWS Artifact is a web service that allows you to download AWS security and compliance documents such as ISO certifications and SOC reports.

34
Q

What is AWS Health Dashboard?

A

The AWS Health Dashboard provides alerts and remediation guidance when AWS is experiencing events that might impact you and the performance of your AWS services and accounts.

AWS Health provides relevant and timely information to help you manage events in progress. AWS Health also helps you be aware of and to prepare for planned activities. The service delivers alerts and notifications triggered by changes in the health of AWS resources, so that you get near-instant event visibility and guidance to help accelerate troubleshooting.
All customers can use the AWS Health Dashboard, powered by the AWS Health API. The dashboard requires no setup, and it’s ready to use for authenticated AWS users.

35
Q

Which AWS service provides a quick and automated way to create and manage AWS accounts?

A

AWS Organizations
Organizations offers an API to create and manage AWS accounts. Organizations can control permissions that are available to accounts and can consolidate billing.

36
Q

What is Amazon Lightsail?

A

Amazon Lightsail is a virtual private server (VPS) provider and is the easiest way to get started with AWS for developers, small businesses, students, and other users who need a solution to build and host their applications in the cloud. Lightsail provides developers with compute, storage, and networking capacity and capabilities to deploy and manage websites and web applications in the cloud.

37
Q

A company wants to add a virtual firewall to an Amazon VPC. The company wants all instances inside a specific subnet to be automatically covered under this firewall.

Which feature meets these requirements?

A

Network ACLs
Network ACLs are used to allow or deny specific traffic to a VPC at the subnet level. Network ACLs operate at the subnet level and meet the requirements to add a layer of security that acts as a firewall.