Domain 2: Security and Compliance Flashcards

1
Q

Which AWS service provides central governance and management across multiple AWS accounts?

A

AWS Organizations

2
Q

Configuring user permissions so that users can access only the resources they need to do their job follows what principle?

A

Principle of Least Privilege

3
Q

In Identity and Access Management, which term applies to a person or application that uses the AWS account root user, an IAM user, or an IAM role to sign in and make requests to AWS?

A

Principal

4
Q

A new application needs temporary access to resources in AWS. How can this best be achieved?

A

Create an IAM Role and have the application assume the role.

5
Q

Your company has recently migrated large amounts of data to S3 buckets in the AWS cloud and now needs to discover and protect the sensitive data in these buckets. Which AWS service can do that?

A

Amazon Macie

6
Q

After configuring your VPC and all of the resources within it, you want to add an extra layer of security at the subnet level. Which will you use to add this security?

A

Network ACL

7
Q

You are working with IAM and need to attach policies to users, groups, and roles. Which will you be attaching these policies to?

A

Identities

8
Q

You are concerned about access to your top-secret application through stolen passwords. What additional layer of security can you add for logging in to the AWS Management Console, in addition to user passwords?

A

Multi-Factor Authentication

9
Q

Users need to access AWS resources from the command-line interface. Which IAM option can be used for authentication?

A

Access Keys

10
Q

AWS uses the shared responsibility model. For security, which of the following are the responsibilities of AWS?

A

Network patching
Physically securing compute resources
Disk disposal

11
Q

A small startup is configuring its AWS cloud environment. Which AWS service will allow grouping its users together and applying permissions to them as a group?

A

AWS IAM

12
Q

You are creating a few IAM policies. This is the first time you have worked with IAM policies. Which tool can you use to test IAM policies?

A

IAM Policy Simulator

13
Q

Microsoft has announced a new patch for its operating system. For a Platform as a Service solution, who would be responsible for applying the patch?

A

AWS

14
Q

As an AWS account administrator, you are in charge of creating AWS accounts and securing those accounts. What steps can you take?

A

Create multi-factor authentication for the root account.

Add IP restrictions for all accounts

15
Q

A software development team has requested IAM access to be able to work with AWS from the CLI. What will you provide these developers?

A

Access Keys

16
Q

A company is configuring IAM for its new AWS account. There are 5 departments with between 5 and 10 users in each department. How can they efficiently apply access permissions for each of these departments and simplify management of these users?

A

Create policies for each department that define the permissions needed. Create an IAM group for each department and attach the policy to each group. Add each department’s members to their respective IAM group.

17
Q

A company has a large number of S3 buckets and needs to manage and automate tasks on these buckets at one time. Which AWS feature can do this?

A

Resource Groups

18
Q

As an AWS account administrator, you are in charge of creating AWS accounts and securing those accounts. What steps can you take?

Add IP restrictions for all accounts

Store the root account credentials in SharePoint.

Grant admin access to all users.

Create multi-factor authentication for the root account.

Create functional groups for each department and use a common password for each group.

A

Add IP restrictions for all accounts

Create multi-factor authentication for the root account.

19
Q

After configuring your VPC and all of the resources within it, you want to add an extra layer of security at the subnet level. Which will you use to add this security?

A

Network ACL

A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups to add an additional layer of security to your VPC.

20
Q

In Identity and Access Management, which term refers to the IAM resource objects that AWS uses for authentication?

A

Entities

IAM entities are the users (IAM users and federated users) and roles that are created and used for authentication.

21
Q

You need to set up a virtual firewall for your EC2 instance. Which would you use?

A

Security Group

A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign up to five security groups to the instance. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC can be assigned to a different set of security groups.

22
Q

Which policy will provide information on performing penetration testing on your EC2 instances?

A

Customer Service Policy for Penetration Testing

23
Q

You are creating a few IAM policies. This is the first time you have worked with IAM policies. Which tool can you use to test IAM policies?

A

IAM Policy Simulator

24
Q

Which AWS service can be used to detect and prevent Distributed Denial of Service attacks against services hosted on AWS?

A

AWS Shield