Domain 3: Design Secure Applications and Architectures Flashcards
Scenario:
Encrypt EBS volumes restored from the unencrypted
EBS snapshots
Solution:
Copy the snapshot and enable encryption with a
new symmetric CMK while creating an EBS volume
using the snapshot.
Scenario:
Limit the maximum number of requests from a single
IP address.
Solution:
Create a rate-based rule in AWS WAF and set the
rate limit.
Scenario:
Grant the bucket owner full access to all uploaded
objects in the S3 bucket.
Solution:
Create a bucket policy that requires users to set the
object’s ACL to bucket-owner-full-control.
Scenario:
Protect objects in the S3 bucket from accidental
deletion or overwrite.
Solution:
Enable versioning and MFA delete.
Scenario:
Access resources on both on-premises and AWS
using on-premises credentials that are stored in Active
Directory.
Solution:
Set up SAML 2.0-Based Federation by using a
Microsoft Active Directory Federation Service.
Scenario:
Secure the sensitive data stored in EBS volumes
Solution:
Enable EBS Encryption
Scenario:
Ensure that the data-in-transit and data-at-rest of the
Amazon S3 bucket is always encrypted
Solution:
Enable Amazon S3 Server-Side Encryption or use
Client-Side Encryption
Scenario:
Secure the web application by allowing multiple
domains to serve SSL traffic over the same IP
address.
Solution:
Use AWS Certificate Manager to generate an SSL
certificate. Associate the certificate to the
CloudFront distribution and enable Server Name
Indication (SNI).
Scenario:
Control the access for several S3 buckets by using a
gateway endpoint to allow access to trusted buckets.
Solution:
Create an endpoint policy for trusted S3 buckets.
Scenario:
Enforce strict compliance by tracking all the
configuration changes made to any AWS services.
Solution:
Set up a rule in AWS Config to identify compliant
and non-compliant services.
Scenario:
Provide short-lived access tokens that act as
temporary security credentials to allow access to AWS
resources.
Solution:
Use AWS Security Token Service
Scenario:
Encrypt and rotate all the database credentials, API
keys, and other secrets on a regular basis.
Solution:
Use AWS Secrets Manager and enable automatic
rotation of credentials.
Scenario:
A cost-effective solution for over-provisioning of
resources.
Solution:
Configure a target tracking scaling policy in an ASG.