Domain 3 - Design Secure Applications and Architectures Flashcards

1
Q

The CIO of a company is concerned about the security of the root user of their AWS account. How can the CIO ensure that the root account follows the best practices for logging in securely? (SELECT TWO)

A: Enforce the use of an access key ID and secret access key for the root user logins
B: Enforce the use of MFA for the root user logins
C: Enforce the root user to assume a role to access the root user’s own resources
D: Enforce the use of complex passwords for member account root user logins
E: Enforce the deletion of the root account so that it can’t be used

A

A: Wrong. These are used for programmatic requests.
B: Correct.
C: Wrong. Root users can’t assume roles to their own account.
D: Correct.
E: Wrong. If the root account is deleted, all resources are deleted.

2
Q

An SA needs to design a secure environment for AWS resources that are being deployed to EC2 in a VPC. The solution should support a three-tier architecture consisting of web servers, app servers, and a database cluster. The VPC needs to allow resources in the web tier to be accessible from the internet with only the HTTPS protocol.
Which combination of actions would meet these requirements? (Select TWO)

A: Attach Amazon API Gateway to the VPC. Create private subnets for the web, app, and database tiers
B: Attach an internet gateway to the VPC. Create public subnets for the web tier. Create private subnets for the app and database tiers
C: Attach a virtual private gateway to the VPC. Create public subnets for the web and app tiers. Create private subnets for the database tiers
D: Create a web server security group that allows all traffic from the internet. Create an app server security group that allows requests only from the Amazon API Gateway on the application port. Create a database cluster security group that allows TCP connections from the app security group on the database port only.
E: Create a web server security group that allows HTTPS requests from the internet. Create an app server security group that allows requests from the web security group only. Create a database cluster security group that allows TCP connections from the app security group on the database port only.

A
A: Wrong. No option for web access
B: Correct.
C: Wrong. Does not secure app tier
D: Wrong. Allows all internet traffic, and not JUST HTTPS
E: Correct.
3
Q

A company needs to implement a secure data encryption solution to meet regulatory requirements. The solution must provide security and durability in generating, storing, and controlling cryptographic data keys. Which action should be taken to provide the MOST secure solution?

A: Use Key Management Service to generate KMS keys and data keys. Use KMS key policies to control access to the KMS keys
B: Use KMS to generate cryptographic keys and import the keys to Certificate Manager. Use IAM policies to control access to the keys
C: Use a third-party solution from Marketplace to generate the cryptographic keys and store them on encrypted instance store volumes. Use IAM policies to control access to the encryption key APIs
D: Use OpenSSL to generate the cryptographic keys and upload the keys to an S3 bucket with encryption enabled. Apply KMS key policies to control access to the keys

A

A: Correct.
B: Wrong. Certificate Manager is for SSL keys, not data keys
C: Wrong. Instance store volumes are ephemeral and do not meet the durability requirement.
D: Wrong. Can’t do key management directly from S3 and KMS policies only work with keys stored in KMS
