Secured Architecture Flashcards

Question 1

Q

When creating a new security group, which of the following are true? (Choose two.)

A) All inbound traffic is allowed by default.
B) All outbound traffic is allowed by default.
C) Connections that are allowed in must also explicitly be allowed back out.
D) Connections that are allowed in are automatically allowed back out.

Answer

A

B, D. Option A is false, but option B is true. Default security groups prevent all traffic in and allow all traffic out. Options C and D are about whether or not a security group is stateful: whether an incoming connection automatically can get back out. Security groups are stateful, so D is true. If the subject of the question was a NACL, then option C would be true, as NACLs are stateless.

Question 2

Q

You have a government-regulated system that will store a large amount of data on S3 standard. You must encrypt all data and preserve a clear audit trail for traceability and third-party auditing. Security policies dictate that encryption must be consistent across the entire data store. Which of the following encryption approaches would be best?

A) SSE-C
B) SSE-KMS
C) SSE-C
D) Encrypt the data prior to upload to S3 and decrypt the data when returning it to the client.

Answer

A

B. D is not a good answer because relying on encryption outside of S3 does not best address the concerns around consistency. It is generally better to allow AWS to handle encryption in cases where you want to ensure all encryption is the same across a data store. SSE-C, SSE-KMS, and SSE-C all provide this. However, among those three, KMS is the best option for providing clear audit trails.

Question 3

Q

You are creating a bastion host to allow SSH access to a set of EC2 instances in a private subnet within your organization’s VPC. Which of the following should be done as part of configuring the bastion host? (Choose two.)

A) Ensure that the bastion host is exposed directly to the Internet.
B) Place the bastion host within the private subnet.
C) Add a route from the bastion host IP into the private subnet into the subnet’s NACLs.
D) Ensure that the bastion host is within the same security group as the hosts within the private subnet.

Answer

A

A, C. A bastion host is a publicly accessible host that allows traffic to connect to it. Then, an additional connection is made from the bastion host into a private subnet and the hosts within that subnet. Because the bastion must be accessed by public clients, it must be exposed to the Internet (A). If it is within a private subnet (B), it will not be accessible, making that answer incorrect. There also must be an explicit route from the bastion host into the private subnet (C); this is usually within a NACL. Finally, the security of the bastion must be different from the hosts in the private subnet. The bastion host should be hardened significantly as it is public, but also accessible; this is in many ways the opposite of the security requirements of hosts within a private subnet.

Question 4

Q

Which of the following are invalid IAM actions? (Choose two.)

A) Limiting the root account SSH access to all EC2 instances
B) Allowing a user account SSH access to all EC2 instances
C) Removing console access for the root account
D) Removing console access for all non-root user accounts

Answer

A

A, C. AWS sometimes asks questions like this to ensure that you understand that the root account is truly a root account and you cannot restrict that account’s access. Anything that involves removing access for the root account is always invalid.

Question 5

Q

Which of the following statements is true?

A) You should store application keys only in your application’s .aws file.
B) You should never store your application keys on an instance, in an AMI, or anywhere else permanent on the cloud.
C) You should only store application keys in an encrypted AMI.
D) You should only use your application key to log in to the AWS console.

Answer

A

B. This is a “gimme question” that AWS will often ask on exams. You should never store your application keys on an instance, in an AMI, or anywhere else permanent on the cloud—meaning option B is true. Additionally, D makes no sense; application keys are for programmatic access, not console access.

Question 6

Q

Your company is setting up a VPN connection to connect its local network to an AWS VPC. Which of the following components are not necessary for this setup? (Choose two.)

A) A NAT instance
B) A virtual private gateway
C) A private subnet in the AWS VPC
D) A customer gateway

Answer

A

A, C. Site-to-site VPN connections require a virtual private gateway (on the AWS side) and a customer gateway (on the local side). A private subnet is optional, but not required, as is a NAT instance.

Question 7

Q

You have a private subnet in a VPC within AWS. The instances within the subnet are unable to access the Internet. You have created a NAT gateway to solve this problem. What additional steps do you need to perform to allow the instances Internet access? (Choose two.)

A) Ensure that the NAT gateway is in the same subnet as the instances that cannot access the Internet.
B) Add a route in the private subnet to route traffic aimed at 0.0.0.0/0 at the NAT gateway.
C) Add a route in the public subnet to route traffic aimed at 0.0.0.0/0 at the NAT gateway.
D) Ensure that the NAT gateway is in a public subnet.

Answer

A

B, D. There are two pairs of answers here, and you need to choose the correct pair in each case. For private subnet instances, you need a route out to a NAT gateway, and that NAT gateway must be in a public subnet—otherwise, it would not itself be able to provide outbound traffic access to the Internet. That means option D is correct, as is answer B: 0.0.0.0/0 means “traffic with a destination in the Internet at large,” more or less.

Question 8

Q

Which of the following statements regarding NAT instances and NAT gateways are false? (Choose two.)

A) Both NAT instances and NAT gateways are highly available.
B) You must choose the instance type and size when creating a NAT gateway but not when creating a NAT instance.
C) It is your responsibility to patch a NAT instance and AWS’s responsibility to patch a NAT gateway.
D) You assign a security group to a NAT instance but not to a NAT gateway.

Answer

A

A, B. The easiest way to handle this question is by thinking of a NAT gateway as essentially a managed service and a NAT instance as an instance (which you manage) for networking. That helps identify B as false (you never choose instance types and sizes for managed services) and C as true (AWS patches managed services). Further, since AWS manages NAT gateways, they are automatically highly available and do not need you to associate security groups. This means that A is false—NAT instances can be made highly available, but not without your manual intervention—and D is true.

Question 9

Q

Which of the following statements is true?

A) A VPC’s default NACLs allow all inbound and outbound traffic.
B) NACLs are stateful.
C) Security groups are stateless.
D) Traffic allowed into a NACL is automatically allowed back out.

Answer

A

A. Option A is true, and if you know that, this is an easy question. However, it doesn’t seem obvious, as all custom NACLs disallow all inbound and outbound traffic. It is only a VPC’s default NACL that has an “allow all” policy. As for B and C, these are both reversed: NACLs are stateless (allowing independent configuration of inbound and outbound traffic) and security groups are stateful. This also explains why D is false: NACLs are stateless.

Question 10

Q

You have changed the permissions associated with a role, and that role is assigned to an existing running EC2 instance. When will the permissions you updated take effect for the instance?

A) Immediately
B) Within 5 minutes
C) Within 1 hour
D) The next time the EC2 instance is restarted

Answer

A

A. Permission changes to a role now take place immediately and apply to all instances using that role.

Question 11

Q

Which of the following statements is true?

A) When creating a new security group, by default, all traffic is allowed in, including SSH.
B) If you need inbound HTTP and HTTPS access, create a new security group and accept the default settings.
C) You must explicitly allow any inbound traffic into a new security group.
D) Security groups are stateless.

Answer

A

C. If an allow-everything doesn’t set off alarm bells, the reference to SSH should. Security groups, by default, don’t allow any traffic in. They require you to explicitly allow inbound traffic (C); the other options are all false. And security groups are stateful—remember this, as it will come up in almost every single exam.

Question 12

Q

Which of the following statements is not true?

A) When creating a new security group, by default, no inbound traffic is allowed.
B) When creating a new security group, by default, all traffic is allowed out, including SSH.
C) When creating a new security group, by default, all traffic is allowed out, with the exception of SSH.
D) When creating a new security group, inbound HTTPS traffic is not allowed.

Answer

A

C. All outbound traffic is allowed to pass out of a VPC by default, although no inbound traffic is allowed.

Question 13

Q

How would you enable encryption of your EBS volumes?

A) Use the AWS CLI with the aws security command.
B) Take a snapshot of the EBS volume and copy it to an encrypted S3 bucket.
C) Select the encryption option when creating the EBS volume.
D) Encrypt the volume using the encryption tools of the operating system of the EC2 instance that has mounted the EBS volume.

Answer

A

C. EBS volumes can be encrypted when they are created. All other options typically affect snapshots of the volume, but not the volume itself.

Question 14

Q

What types of rules does a security group allow? (Choose two.)

A) Allow rules
B) Prevent rules
C) Deny rules
D) Inbound rules

Answer

A

A, D. Security groups only contain allow rules, not deny rules (and prevent rules are not an actual rule type). Then, you can create both inbound and outbound rules.

Question 15

Q

Which of the following are true about security groups? (Choose two.)

A) You can specify deny rules, but not allow rules.
B) By default, a security group includes an outbound rule that allows all outbound traffic.
C) You can specify specific separate rules for inbound and outbound traffic.
D) Security groups are stateless.

Answer

A

B, C. You specify allow rules for security groups, so A is false. B and C are true: Default security groups allow all outbound traffic, and you specify separate inbound and outbound rules. Finally, security groups are stateful, not stateless, so D is false.

Question 16

Q

Which of the following are not true about security groups? (Choose two.)

A) Allow rules take priority over deny rules.
B) Responses to allowed inbound traffic are allowed to flow back out.
C) You can specify specific separate rules for inbound and outbound traffic.
D) If there are no outbound rules, then all outbound traffic is allowed to flow out.

Answer

A

A, D. A is false, as security groups don’t provide for deny rules. B and C are both true (and therefore are not correct answers). D is false, because without specific outbound rules, nothing is allowed to flow out. (Note that by default, there is an allowance for all outgoing traffic in security groups, although that can be removed.)

Question 17

Q

Which of the following must a security group have when you create it? (Choose two.)

A) At least one inbound rule
B) A name
C) A description
D) At least one outbound rule

Answer

A

B, C. A security group can actually have no inbound or outbound rules, so A and D are not required. A security group does require a name and description, though.

Question 18

Q

Which of the following is a security group associated with?

A) An ELB
B) A network interface
C) An ALB
D) A network access list

Answer

A

B. A security group can be attached to multiple constructs, like an EC2 instance, but is ultimately associated with a network interface, which in turn is attached to individual instances. This is a tough question and probably at the very edge of what the exam might ask.

Question 19

Q

Which of the following are default rules on a default security group, such as the one that comes with the default VPC? (Choose two.)

A) Outbound: 0.0.0.0/0 for all protocols allowed
B) Inbound: 0.0.0.0/0 for all protocols allowed
C) Outbound: ::/0 for all protocols allowed
D) Inbound: ::/0 for all protocols allowed

Answer

A

A, C. The easiest way to work this is to recognize that default security groups never allow broad inbound traffic. That eliminates B and D and leaves rules that allow all outbound traffic for both IPv4 (A) and IPv6 (C).

Question 20

Q

Which of the following are parts of a security group rule? (Choose two.)

A) A protocol
B) A subnet
C) An instance ID
D) A description

Answer

A

A, D. Security group rules have a protocol and a description. They do not have a subnet, although they can have CIDR blocks or single IP addresses. Instances can associate with a security group, but a security group does not itself refer to a specific instance.

Question 21

Q

Which of the following allows you to securely upload data to S3? (Choose two.)

A) HTTP endpoints using HTTP
B) SSL endpoints using HTTPS
C) HTTP endpoints using HTTPS
D) SSL endpoints using HTTP

Answer

A

B, C. They key here is not the endpoint, but the actual protocol used to access the endpoint. In this case, HTTPS is secure, while HTTP is not, so the answers using HTTPS—B and C—are correct.

Question 22

Q

Which of the following describes client-side encryption for S3 bucket data?

A) You encrypt and upload data to S3, managing the encryption process yourself.
B) You encrypt and upload data to S3, allowing AWS to manage the encryption process.
C) You request AWS to encrypt an object before saving it to S3.
D) You encrypt an object, but AWS uploads and decrypts the object.

Answer

A

A. Client-side encryption involves the client (you, in this example) managing the entire encryption and decryption process. AWS only provides storage.

Question 23

Q

Which of the following describes server-side encryption for S3 bucket data?

A) You encrypt and upload data to S3, managing the encryption process yourself.
B) You encrypt and upload data to S3, allowing AWS to manage the encryption process.
C) You request AWS to encrypt an object before saving it to S3.
D) You encrypt an object, but AWS uploads and decrypts the object.

Answer

A

C. With server-side encryption, AWS handles all the object encryption and decryption.

Question 24

Q

Which of the following are valid steps in enabling client-side encryption for S3? (Choose two.)

A) Download the AWS CLI and SSH to your S3 key store.
B) Use a KMS-managed customer master key.
C) Download an AWS SDK for encrypting data on the client side.
D) Turn on bucket encryption for the target S3 buckets.

Answer

A

B, C. For client-side encryption, you’ll need a master key, which can either be a KMS-managed key (option B) or a client-side master key. You’ll also need an SDK for encrypting the client-side data (C).

Question 25

Q

Which of the following is not a way to manage server-side encryption keys for S3?

A) SSE-S3
B) SSE-KMS
C) SSE-E
D) SSE-C

Answer

A

C. You’ll probably simply need to memorize this one. SSE-S3, SSE-KMS, and SSE-C are all valid approaches to S3 encryption; SSE-E is made up.

Question 26

Q

Which of the following encryption key management options is best for ensuring strong audit trails?

A) SSE-S3
B) SSE-KMS
C) Client-side encryption keys
D) SSE-C

Answer

A

B. The word audit should be a trigger for you: always choose KMS when you see a need for strong auditing. SSE-KMS provides a very good audit trail and security, perhaps the best of all these options for most use cases.

Question 27

Q

Which of the following encryption key management options is best for managing keys but allowing S3 to handle the actual encryption of data?

A) SSE-S3
B) SSE-KMS
C) Client-side encryption keys
D) SSE-C

Answer

A

D. SSE-C allows the customer (the C in SSE-C) to manage keys, but S3 then handles the actual encryption of data.

Question 28

Q

You have a customer that has a legacy security group that is very suspicious of all things security in the cloud. The customer wants to use S3, but doesn’t trust AWS encryption, and you need to enable its migration to the cloud. What option would you recommend to address the company’s concerns?

A) SSE-S3
B) SSE-KMS
C) Client-side encryption keys
D) SSE-C

Answer

A

C. Client-side encryption allows the customer to manage keys and encrypt data themselves, then store the data on S3 already encrypted. There’s a lot of overhead with this approach, but it’s ideal for the use case described.

Question 29

Q

You want to begin encrypting your S3 data, but your organization is new to encryption. Which option is a low-cost approach that still offloads most of the work to AWS rather than the organization new to encryption?

A) SSE-S3
B) SSE-KMS
C) Client-side encryption keys
D) SSE-C

Answer

A

A. In general, SSE-S3 is the “starter” option for encryption. It’s by no means a simple or amateur approach to security, but it is low cost compared to KMS and has much less overhead than client-side or SSE-C encryption keys.

Question 30

Q

You are the architect for a company whose data must comply with current EU privacy restrictions. Which of the following S3 buckets are valid options? (Choose two.)

A) Buckets in EU Central 1
B) Buckets in US East 2
C) Buckets in EU West 1
D) Buckets in SA East 1

Answer

A

A, C. Here, you must recognize that EU West and EU Central are both EU regions and the other two options are not.

Question 31

Q

Which of the following options could be used to provide availability-zone-resilient fault-tolerant storage that complies with EU privacy laws? (Choose two.)

A) S3 buckets in US West 1
B) S3 buckets in EU West 2
C) S3-IA buckets in EU Central 1
D) S3 One Zone-IA buckets in EU-West-1

Answer

A

B, C. Option A isn’t valid because US-West isn’t an EU region. Options B and C are valid as they both provide EU regions, and S3 and S3-IA both can survive the loss of an availability zone; option D would not survive the loss of an AZ.

Question 32

Q

What type of replication will your Multi-AZ RDS instances use?

A) Offline replication
B) Synchronous replication
C) Push replication
D) Asynchronous replication

Answer

A

B. Multi-AZ RDS instances use synchronous replication to push changes.

Question 33

Q

You want to provide maximum protection against data in your S3 object storage being deleted accidentally. What should you do?

A) Enable versioning on your EBS volumes.
B) Turn on MFA Delete on your S3 buckets.
C) Set up a Lambda job to monitor and block delete requests to S3.
D) Turn off the DELETE endpoints on the S3 REST API.

Answer

A

B. MFA Delete is the most powerful anti-deletion protection you can provide without disabling delete via IAM roles. Option A doesn’t affect your object storage—EBS is block storage. Options C and D both won’t help; delete requests can’t be blocked by Lambda, and there is no “DELETE endpoint” on the S3 API.

Question 34

Q

You want to provide maximum protection against data in your S3 object storage being deleted accidentally. What steps should you take? (Choose two.)

A) Enable versioning on your S3 buckets.
B) Turn on MFA Delete on your S3 buckets.
C) Enable versioning in CloudWatch’s S3 API.
D) Remove IAM permissions for deleting objects for all users.

Answer

A

A, B. MFA Delete is the right option here (B), but A is a required step to enable MFA Delete. Option C doesn’t actually make sense, and while option D would technically prevent all deletions, it isn’t what the question is asking: You must prevent accidental deletions, not remove the ability to delete objects altogether.

Question 35

Q

You want to enable MFA Delete on your S3 buckets in the US East 1 region. What step must you take before enabling MFA Delete?

A) Disable the REST API for the buckets on which you want MFA Delete.
B) Enable cross-region replication on the buckets on which you want MFA Delete.
C) Move the buckets to a region that supports MFA Delete, such as US West 1.
D) Enable versioning on the buckets on which you want MFA Delete.

Answer

A

D. You must enable versioning to enable MFA Delete. The region of the bucket doesn’t have any effect here (B and C), and there is no way to disable the REST API (A), although you could remove programmatic access via IAM or removal of access keys.

Question 36

Q

What is AWS Trusted Advisor?

A) An online resource to help you improve performance
B) An online resource to help you reduce cost
C) An online resource to help you improve security
D) All of the above

Answer

A

D. AWS Trusted Advisor does all three of the above: improve performance, reduce cost, and improve security.

Question 37

Q

On which of the following does AWS Trusted Advisor not provide recommendations?

A) Reducing cost
B) Improving fault tolerance
C) Improving security
D) Organizing accounts

Answer

A

D. AWS Trusted Advisor provides advice on cost, fault tolerance, performance, and security but does not address account organization.

Question 38

Q

Which of the following are included in the core AWS Trusted Advisor checks? (Choose two.)

A) S3 bucket permissions
B) MFA on root account
C) Quantity of CloudWatch alarms
D) Use of VPC endpoints

Answer

A

A, B. Here, it’s not reasonable to memorize the seven core AWS Trusted Advisor checks. Instead, consider which of these are valid improvements that Trusted Advisor might make. A and B relate to security and permissions, while both C and D are pretty far afield of cost, security, or performance suggestions.

Question 39

Q

Which of the following recommendations might AWS Trusted Advisor make? (Choose two.)

A) Turn on MFA for the root account.
B) Turn on antivirus protection for EC2 instances.
C) Update S3 buckets with public write access.
D) Update NAT instances to NAT gateways.

Answer

A

A, C. This is tricky. First, MFA on the root account is a standard recommendation, so you can select that. For the remaining three answers, the one that is most directly a “common security recommendation” would have to be S3 buckets with write access, and that is the correct answer.

Question 40

Q

Which of the following is not possible using IAM policies?

A) Requiring MFA for the root account
B) Denying the root account access to EC2 instances
C) Disabling S3 access for users in a group
D) Restricting SSH access to EC2 instances to a specific user

Answer

A

B. The only one of these that’s not possible with IAM is denying the root account access to EC2 instances. That’s not possible—with IAM or any other mechanism.

Question 41

Q

Which of the following are not true about S3 encryption? (Choose two.)

A) S3 applies AWS-256 encryption to data when server-side encryption is enabled.
B) S3 encryption will use a client key if it is supplied with data.
C) Encrypted EBS volumes can only be stored if server-side encryption is enabled.
D) S3 will accept locally encrypted data if client-side encryption is enabled.

Answer

A

B, C. A is true, and D is true; if you know this, choosing B and C is simple. Otherwise, you need to recognize that just supplying a client key to S3 is not enough; some form of client-side encryption or server-side encryption using client keys must be enabled. EBS volumes can be encrypted outside of S3 and stored regardless of how S3 is encrypting data.

Question 42

Q

What types of data are encrypted when you create an encrypted EBS volume? (Choose two.)

A) Data at rest inside the volume
B) Data moving between the volume and the attached instance
C) Data inside S3 buckets that store the encrypted instance
D) Data in an EFS on instances attached to the volume

Answer

A

A, B. There are four types of data encrypted when an EBS volume is encrypted: data at rest on the volume, data moving between the volume and the instance, any snapshots created from the volume, and any volumes created from those snapshots.

Question 43

Q

What types of data are not automatically encrypted when you create an encrypted EBS volume? (Choose two.)

A) A snapshot created from the EBS volume
B) Any data on additional volumes attached to the same instance as the encrypted volume
C) Data created on an instance that has the encrypted volume attached
D) Data moving between the volume and the attached instance

Answer

A

B, C. This is tricky, as both answers that involve unencrypted data have some tricky wording. First, B is not a case of encryption; if data never touches the encrypted volume, it is not automatically encrypted. Second, for C, data that is on the instance but never moves to the encrypted volume is also not automatically encrypted.

Question 44

Q

What of the following types of data is not encrypted automatically when an encrypted EBS volume is attached to an EC2 instance?

A) Data in transit to the volume
B) Data at rest on the volume
C) Data in transit from the volume
D) All of these are encrypted.

Answer

A

D. All of these are encrypted. Data moving to and from the volume as well as data at rest on the volume are all encrypted.

Question 45

Q

What encryption service is used by encrypted EBS volumes?

A) S3-KMS
B) S3-C
C) KMS
D) Customer-managed keys

Answer

A

C. KMS is used as the encryption service, but this is not the S3-KMS that is specific to S3 encryption. You will also sometimes see this KMS referenced as AWS-KMS.

Question 46

Q

How can you access the private IP address of a running EC2 instance?

A) http://169.254.169.254/latest/user-data/
B) http://169.254.169.254/latest/instance-data/
C) http://169.254.169.254/latest/meta-data/
D) http://169.254.169.254/latest/ec2-data/

Answer

A

C. This is a case of pure memorization. The URL is always http://169.254.169.254 and the metadata, which is what you want, is at /latest/meta-data/.

Question 47

Q

If you take a snapshot of an encrypted EBS volume, which of the following will be true? (Choose two.)

A) The snapshot will be encrypted.
B) All data on the bucket on which the snapshot is stored will be encrypted.
C) Any instances using the snapshot will be encrypted.
D) Any volumes created from the snapshot will be encrypted.

Answer

A

A, D. Encryption of a volume affects snapshots of the volume and instances created from that snapshot, but nothing else.

Question 48

Q

If you take a snapshot of an encrypted EBS volume, which of the following must you do to use that snapshot as a volume in a separate region? (Choose two.)

A) Copy the snapshot to the new region.
B) Delete the snapshot from the old region.
C) Unencrypt the snapshot once it is in the new region.
D) Create a new volume from the snapshot in the new region.

Answer

A

A, D. The only steps required here are to copy the snapshot to the new region (usually via the console), and then create a new volume from it.

Question 49

Q

How do you encrypt an RDS instance?

A) Enable encryption on the running instance via the CLI.
B) Enable encryption on the running instance via the console.
C) Run the encryption process on the running instance via the console.
D) Enable encryption when creating the instance.

Answer

A

D. You cannot encrypt a running instance; you have to create the instance with encryption enabled.

Question 50

Q

Which of the following will ensure that data on your RDS instance is encrypted?

A) Use client-side encryption keys.
B) Enable encryption on the running RDS instance via the AWS API.
C) Encrypt the instance on which RDS is running.
D) None of these will encrypt all data on the instance.

Answer

A

D. You cannot encrypt a running RDS instance, so B is incorrect, and you have no access to the underlying instance for RDS, so C is also incorrect. Option A sounds possible, but it will not address any data created by the database itself (such as indices, references to other data in the database, etc.). The only way to encrypt an RDS instance is to encrypt it at creation of the instance.

Question 51

Q

Which of the following will allow you to bring a non-encrypted RDS instance into compliance with an “all data must be encrypted at rest” policy?

A) Snapshot the RDS instance and restore it, encrypting the new copy upon restoration.
B) Use the AWS Database Migration Service to migrate the data from the instance to an encrypted instance.
C) Create a new encrypted instance and manually move data into it.
D) None of these will encrypt all data on the instance.

Answer

A

C. The only option here is the manual one. You must set up encryption when creating a new instance from scratch (snapshots won’t work) and then move data into it so that this data is encrypted as it moves into the new instance.

Question 52

Q

Which of the following will allow you to bring a non-encrypted EBS volume into compliance with an “all data must be encrypted at rest” policy?

A) Stop the volume, snapshot it, and encrypt a copy of the snapshot. Then restore from the encrypted snapshot.
B) Stop the volume, select “Turn on encryption,” and restart the volume.
C) Encrypt the volume via the AWS API and turn on the “encrypt existing data” flag.
D) None of these will encrypt all data on the volume.

Answer

A

A. You cannot encrypt an existing volume “on the fly.” You must create a snapshot and then encrypt that snapshot as you copy it to another, encrypted snapshot. You can then restore from that new snapshot.

Question 53

Q

Which of the following will allow you to bring a non-encrypted EBS volume into compliance with an “all data must be encrypted at rest” policy?

A) Stop the volume, create a snapshot, and restart from the snapshot, selecting “Encrypt this volume.”
B) Stop the volume, select “Turn on encryption,” and restart the volume.
C) Encrypt the volume via the AWS API and turn on the “encrypt existing data” flag.
D) None of these will encrypt all data on the volume.

Answer

A

D. None of these will work. The important thing to remember for a question like this is that you must make a copy of an unencrypted snapshot to apply encryption. There is no in-place encryption mechanism for volumes or snapshots.

Question 54

Q

Which of the following will allow you to bring a non-encrypted EBS volume into compliance with an “all data must be encrypted at rest” policy?

A) Create a new volume, attach the new volume to an EC2 instance, copy the data from the non-encrypted volume to the new volume, and then encrypt the new volume.
B) Create a new volume with encryption turned on, attach the new volume to an EC2 instance, and copy the data from the non-encrypted volume to the new volume.
C) Create a new volume, attach the new volume to an EC2 instance, and use the encrypted-copy command to copy the data from the non-encrypted volume to the new volume.
D) None of these will encrypt all data on the volume.

Answer

A

B. The only way to encrypt an EBS volume is to encrypt it at creation time. Remembering this one detail will help on lots of questions in this vein.

Question 55

Q

Which of the following are valid options on an EBS volume? (Choose two.)

A) Encrypt the volume.
B) Encrypt a snapshot of the volume.
C) Encrypt a copy of a snapshot of the volume.
D) Restore an encrypted snapshot to an encrypted volume.

Answer

A

C, D. You cannot encrypt an existing EBS volume, so A is incorrect. And you cannot encrypt a snapshot that is unencrypted, so B is incorrect. You can encrypt a copy of a snapshot and restore an encrypted snapshot to a volume that is encrypted (C and D).

Question 56

Q

Which of the following are not true about EBS snapshots? (Choose two.)

A) Snapshots of encrypted volumes are automatically encrypted.
B) When you copy an encrypted snapshot, the copy is not encrypted unless you explicitly specify.
C) You cannot copy an encrypted snapshot unless you unencrypt the snapshot first.
D) Volumes that are created from encrypted snapshots are automatically encrypted.

Answer

A

B, C. Snapshots of encrypted volumes stay encrypted—whether you copy them (B and C) or create volumes from them (D). So A and D are true, while B and C are false.

Question 57

Q

Can you copy a snapshot across AWS accounts?

A) Yes
B) Yes, but you first have to modify the snapshot’s access permissions.
C) Yes, but you have to be the owner of both AWS accounts.
D) No

Answer

A

B. You can copy snapshots across accounts, but the default permissions do not allow this. So you have to modify those permissions, and then the snapshot can be copied to any other AWS account, regardless of account owner.

Question 58

Q

You have a snapshot of an EBS volume in US East 2. You want to create a volume from this snapshot in US West 1. Is this possible?

A) Yes, create the volume in US West 1 based upon the snapshot in US East 2.
B) Yes, but you’ll need to copy the snapshot to US West 1 first.
C) Yes, but you’ll need to create the instance in US East 2 and then move it to US West 1.
D) No

Answer

A

B. You can only create volumes from snapshots in the same region. Since the instance is desired in US West 1, a copy of the snapshot must be made in that region first, so B is correct.

Question 59

Q

Can you copy an EBS snapshot across regions?

A) Yes, as long as the snapshot is not encrypted.
B) Yes, as long as the snapshot is marked for multi-region use.
C) Yes
D) No

Answer

A

C. You can copy a snapshot to a different region without any special considerations.

Question 60

Q

Which of the following does a security group attached to an instance control? (Choose two.)

A) Inbound traffic
B) HTTP error messages
C) Outbound traffic
D) Access control lists

Answer

A

A, C. Security groups control the inbound and outbound traffic allowed into and out of instances.

Question 61

Q

How many security groups can you attach to a single instance in a VPC?

A) None, security groups aren’t attached to instances.
B) 1
C) 1 or more
D) 2 or more

Answer

A

C. An instance must have a security group but can have more than that.

Question 62

Q

Which of the following can be added to a VPC, in addition to security groups on included instances, to further secure the VPC?

A) A NACL
B) A port filter
C) An ALB
D) A flow log

Answer

A

A. In addition to security groups, NACLs (network access control lists) can be used to further refine inbound and outbound routing into and out of a VPC. Security groups are attached to instances, and NACLs to VPCs, building a complete security picture of your VPC and its instances.

Question 63

Q

Which of the following statements is true about a custom, user-created NACL?

A) A NACL by default allows all traffic out of a VPC.
B) A NACL by default allows all traffic into a VPC.
C) A NACL is a virtual firewall for associated subnets.
D) A NACL functions at the instance level.

Answer

A

C. NACLs are virtual firewalls, and they operate at the subnet and VPC level rather than at an individual instance level. Also note the words custom, user-created. The default NACL does allow in and out all traffic; created NACLs do not.

Question 64

Q

What do you use to permit and restrict control of a NACL?

A) VPC
B) WAF
C) AWS Organizations
D) IAM

Answer

A

D. IAM roles and permissions control access to NACLs.

Answer 65

A

B, C. Security groups support only allow rules (A is false). They do evaluate all rules (B is true) and operate at the instance level (C is true). D is false, as security groups aren’t associated with a subnet.

Answer 66

A

A, D. Security groups are stateful and are associated with an instance (or instances), so A and D are true. They are not stateless, and they process all rules rather than processing rules in order.

Answer 67

A

B, C. NACLs are stateless; rules must be specified for traffic going both in and out (so A is false, and B is true). They also process rules in order (C is true). They’re associated with subnets, not a particular instance (so D is false).

Answer 68

A

A, C. NACLs are associated with a subnet (A) and support both allow and deny rules (C). B is false; NACLs and security groups work together. D is false, as rules are processed in order.

Answer 69

A

B. NACLs are always evaluated first because they exist at the border of a subnet. As security groups are attached to instances, they are not processed until traffic passes through the NACL and into the instance’s subnet.

Answer 70

A

A, B. Both security groups and NACLs can—and usually do—apply to multiple instances in a subnet. The NACL applies to all instances within the associate subnet, and a security group can be associated with multiple instances.

Answer 71

A

B. NACLs are associated with subnets.

Answer 72

A

A, B. The default NACL allows in and out all traffic, which is somewhat unintuitive. Keep in mind that the default security group disallows inbound traffic, but the default NACL allows that traffic in.

Answer 73

A

C, D. Unlike the default NACL that comes with the default VPC, custom NACLs disallow all inbound and outbound traffic by default.

Answer 74

A

A. Each rule in a NACL has a number, and those rules are evaluated using those numbers, moving from low to high.

Answer 75

A

B, D. A and C are true. B is false; NACLs are stateless. D is false, because a NACL can be associated with multiple subnets.

Answer 76

A

B. A NACL is associated with a subnet, not an instance or VPC. It can be associated with a single subnet or multiple subnets.

Answer 77

A

A. A subnet is associated with a NACL. However, a subnet can only be associated to a single NACL at a time.

Answer 78

A

D. A subnet is associated with a NACL but can only be associated to a single NACL at a time.

Answer 79

A

B, D. NACL rules have a rule number, a protocol, a choice of ALLOW or DENY, and a CIDR range and port or port range for inbound and outbound traffic.

Answer 80

A

A, B. NACL rules have a rule number, a protocol, a choice of ALLOW or DENY, and a CIDR range and port or port range for inbound and outbound traffic.

Answer 81

A

B. Almost none of this detail actually matters. The only key parameter is the rule number. NACLs evaluate lowest-numbered rules first, so Rule #100 would go first, option B.

Answer 82

A

D. SSH is not explicitly mentioned, so it is not allowed on a custom NACL. Every protocol must explicitly be mentioned.

Answer 83

A

A. SSH is not explicitly mentioned, but because the question asks about the default NACL on the default VPC, all traffic is allowed in unless explicitly denied.

Answer 84

A

B. SSH is allowed here, but only from a specific CIDR block.

Answer 85

A

D. While there is a rule allowing SSH from the CIDR block 192.0.2.0/24, that rule would be evaluated after the lower-numbered rule 110, which disallows any traffic not allowed in from lower-numbered rules (in this case, just rule #100).

Answer 86

A

D. Technically, B and C are correct; SSH is a type of TCP traffic. However, that is not the most specific answer, which is what the question asks. A is partially correct but does not call out the CIDR block limitation that D does. Therefore, D is the most accurate answer.

Answer 87

A

B. The most accurate answer here includes several components: the type of TCP traffic (HTTP), the allowed source CIDR block (the entire Internet), and IPv4. This rule does not explicitly allow IPv6 traffic. Further, this rule is only effective if there are no lower-numbered rules that short-circuit this rule.

Answer 88

A

B. 0.0.0.0/0 represents IPv4 addresses, and the entire Internet. However, a CIDR block does not represent any type of traffic, inbound or outbound.

Answer 89

A

C. ::/0 represents IPv6 addresses, and the entire Internet. However, a CIDR block does not represent any type of traffic, inbound or outbound.

Answer 90

A

B. ::/0 represents IPv6 addresses, so the answer must be either B or D. The route should go from all IPv6 addresses to the ID of the NAT gateway, which is nat-123456789. There is no intermediate -> NAT that should be inserted into the routes.

Answer 91

A

D. A VPC spans all the availability zones in a region.

Answer 92

A

B, C. You must always select a region to create a VPC, and you must always provide a CIDR block. VPCs span all the AZs in a region, so that is not required, and security groups are associated at the instance level rather than at the VPC level.

Answer 93

A

C. For a single VPC, you can add one or more subnets to each availability zone within that VPC.

Answer 94

A

B. A subnet cannot span availability zones. It can be added to a single AZ.

Answer 95

A

B. A subnet cannot span availability zones. It can be added to a single AZ and can only exist within that single AZ.

Answer 96

A

B. A VPC can have a single primary CIDR block assigned to it for IPv4 addresses and an optional IPv6 CIDR block. While you can add secondary IPv4 CIDR blocks, you cannot add additional CIDR blocks for IPv6 at this time.

Answer 97

A

C. A VPC can have a single primary CIDR block assigned to it for IPv4 addresses and an optional IPv6 CIDR block. However, you can add additional secondary CIDR blocks to a VPC (up to four).

Answer 98

A

D. Any subnet that routes traffic through an internet gateway is a public subnet by definition.

Answer 99

A

B. Instances in a public subnet are not automatically reachable. They must have either a public IPv4 or IPv6 address (B) or an elastic IP address.

Answer 100

A

D. A public subnet, as well as existing Internet-accessible instances, indicates a working internet gateway, so C is not correct. A is not an actual AWS option, and B—Auto Scaling—would not address public accessibility. This leaves D, which is correct: Instances in a public subnet that are intended to be Internet accessible need either a public IP address or an elastic IP address assigned to the instance.

Answer 101

A

A, C. When creating a VPC, you can specify an option name, a required IPv4 CIDR block, and an optional IPv6 CIDR block.

Answer 102

A

A, C. When creating a VPC, you can specify an option name, a required IPv4 CIDR block, and an optional IPv6 CIDR block. You cannot assign tags to a VPC at creation time.

Answer 103

A

B, D. A public subnet is one in which traffic is routed (via a routing table, B) to an internet gateway (D).

Answer 104

A

B, C. A VPN-only subnet routes traffic through a virtual private gateway rather than an internet gateway.

Answer 105

A

A, B. At a minimum, a VPC-only subnet must have a routing table routing traffic and a virtual private gateway to which traffic is routed. Neither elastic IP addresses nor internet gateways are required.

Answer 106

A

B. You can only create 5 VPCs per region by default. Creating more requires a request to AWS.

Answer 107

A

D. This is a high number, but accurate: You can create 200 subnets per VPC.

Answer 108

A

B. This is a very hard question, but it can come up, albeit rarely. This limit is your primary CIDR block and then, in addition, 4 secondary CIDR blocks.

Answer 109

A

B. You’re allowed 5 elastic IP addresses per region, unless you have the default limits raised by AWS.

Answer 110

A

B, D. Subnets must have CIDR blocks (so D is false), and the block must be the same as or smaller than the CIDR block for the VPC within which it exists, so while A and C are true, B is false.

Answer 111

A

C. A VPC peering connection connects one VPC to another VPC via networking and routing.

Answer 112

A

C. A VPC VPN connection links your on-site network to a VPC within the AWS cloud.

Answer 113

A

A, C. A VPC VPN connection requires a customer gateway, a VPN connection, and a virtual private gateway.

Answer 114

A

B, D. Customer gateways (A) and virtual private gateways (C) are used in VPN connections. For security, a NACL (B) is used at the subnet level, and a security group (D) can be used at the instance level.

Answer 115

A

B. A NACL is best for dealing with all traffic at a subnet or VPC level, as it is associated at the subnet level.

Answer 116

A

D. Anytime you are protecting or limiting traffic to or from specific instances, a security group is your best choice. Security groups are associated with specific instances, so they can effectively limit traffic to some instances while allowing other instances—using different security groups—to still be accessible.

Answer 117

A

A, C. This takes a little careful reading. First, it is not considered a good practice to mix private and public instances within a subnet—although this is not a hard-and-fast rule. So C, moving the private database instances into a different subnet, is at least worth considering. D is not helpful in this case. If you have two subnets, one private and one public, then A is a good idea: NACLs can protect one subnet and keep another public. Finally, B is not valid, because of the word single. You cannot have a single security group that allows traffic to one instance but not to another. This leaves A and C as the best combined solution.

Answer 118

A

C. A security group denies all traffic unless explicitly allowed. This means it functions as a whitelist: Only specific rules allow in traffic, and all other traffic is denied.

Answer 119

A

C, D. A security group operates at the instance level, and a NACL operates at the subnet level.

Answer 120

A

A. A security group performs stateful filtering, meaning that traffic allowed in is automatically allowed back out, without the need for an explicit outbound rule.

Answer 121

A

D. Network ACLs are stateless. Inbound traffic is not automatically allowed back out; an explicit rule must be present for traffic to move from within a subnet back out of that subnet.

Answer 122

A

D. VPC peering allows a VPC to connect with any other VPC: in the same region, in a different region, or in a different account altogether.

Answer 123

A

B, D. VPC peering allows a VPC to connect with any other VPC, so the options that don’t involve VPCs are incorrect: B and D.

Answer 124

A

B, D. As long as there is a gateway (internet or virtual private) on the source VPC, and routing through that gateway, an instance in a VPC can communicate with other instances. So in this case, you’d want B and D. There is no “cross-VPC communication” option, and security groups won’t actually help this scenario.

Answer 125

A

A, D. This is a little difficult, but it comes down to accessibility: How can the target instance be reached? Of the answers available, a public IP would make the target available, as would a VPN connection.

Answer 126

A

D. VPCs are fundamental to AWS networking and are available in all AWS regions.

Answer 127

A

D. A VPC automatically spans all the availability zones within the region in which it exists.

Answer 128

A

B. When you launch an instance, you must specify an availability zone. This could be as simple as accepting the AWS default, but it is your choice.

Answer 129

A

B. EBS volumes can be encrypted, but it must be done at launch time (B).

Answer 130

A

D. A VPC endpoint is a connection to an AWS service and explicitly does not use internet gateways, VPN connections, or NAT devices.

Answer 131

A

B. A VPC endpoint is a virtual device, not a physical one.

Answer 132

A

C. A VPC endpoint is for attaching to AWS services and explicitly does not require an internet gateway (C).

Answer 133

A

C. By default, IAM users don’t have permissions to work with endpoints. You may need to create an IAM role. You would not need a NAT device (A or B) or a security group (D) to use a VPC endpoint.

Answer 134

A

B. A private subnet is not accessible without a bastion host or other connection and routing from the public Internet to an accessible host and finally into private instances.

Answer 135

A

B. Bastion hosts should be in a public subnet so that they can be accessed via the public Internet. They can then route traffic into a private subnet.

Answer 136

A

C. Bastion hosts are also sometimes called jump servers, because they allow a connection to “jump” to the bastion and then into a private subnet.

Answer 137

A

D. Bastion hosts are intended to provide access to private instances in private subnets; in other words, instances inaccessible via the public Internet in any other way.

Answer 138

A

D. Bastion hosts are publicly accessible and have access to your private hosts. Therefore, they must be the most secure hosts on your network. Use a network ACL for the subnet in which it resides, a security group for the instance, and OS hardening to reduce access within the instance itself.

Answer 139

A

B. Shell access only requires SSH, and you should therefore only allow that protocol. Always allow only what is absolutely required for bastion hosts.

Answer 140

A

D. Internet gateways scale horizontally, not vertically. They are also redundant and highly available automatically.

Answer 141

A

C. Internet gateways attach to VPCs and serve multiple subnets (if needed).

Answer 142

A

B. The route 0.0.0.0/0 catches all IPv4 traffic intended for the public Internet. ::/0 is for IPv6, 0.0.0.0/24 limits traffic to a certain CIDR block, and D is an internal IP address.

Answer 143

A

C. The route ::/0 catches all IPv6 traffic intended for the public Internet. 0.0.0.0/0 is for IPv6, 0.0.0.0/24 limits traffic to a certain CIDR block, and D is an internal IP address.

Answer 144

A

D. An instance must have IPv6 communication from itself (with a public IP address) through a subnet with IPv6 addresses, in a VPC with IPv6 addresses, to reach the Internet via IPv6. A virtual private gateway is not connected with any of these.

Answer 145

A

A, B. For an instance to reach and be reached to and from the public Internet, the instance must have either a public IP address or an elastic IP address associated with it. IAM roles do not provide public access, and NACLs are attached to subnets, not instances.

Answer 146

A

A, C. A public subnet, by definition, is a subnet with an internet gateway attached. And the default VPC has an internet gateway automatically attached.

Answer 147

A

B. ALB stands for application load balancer.

Answer 148

A

B. Application load balancers operate at the Application layer, which is layer 7 of the OSI model. ELBs (classic load balancers) operate at the Transport layer, layer 4, as well as layer 7, and network load balancers operate at layer 4 as well.

Answer 149

A

A. Application load balancers operate at the Application layer, which is layer 7 of the OSI model. ELBs (classic load balancers) operate at the Transport layer, layer 4, as well as layer 7, and network load balancers operate at layer 4 as well.

Answer 150

A

C. Application load balancers operate at the Application layer, which is layer 7 of the OSI model. ELBs (classic load balancers) operate at the Transport layer, layer 4, as well as layer 7, and network load balancers operate at Level 4 as well.

Answer 151

A

D. Both network and classic load balancers operate at the Transport layer. Classic load balancers also operate at layer 7, the Application layer. Application load balancers operate at the Application layer, which is layer 7 of the OSI model.

Answer 152

A

D. Both classic and application load balancers operate at the Application layer. Classic load balancers also operate at layer 4, the Transport layer. Network load balancers operate at the Transport layer, which is layer 4 of the OSI model.

Answer 153

A

C. By default, subnets in the default VPC are public. The default VPC has an internet gateway attached and the default subnets are public as a result.

Answer 154

A

A. By default, subnets in custom VPCs are private. Other than the default VPC, custom VPCs don’t have internet gateways attached by default, and created subnets don’t have public access.

Answer 155

A

C. Instances launched into non-default subnets have a private IPv4 address, but not a public one, so C is correct. All instances have a security group created or associated, and instances can always talk to other instances in the subnet by default.

Answer 156

A

C, D. Instances launched into non-default subnets have a private IPv4 address, but not a public one, so they need an elastic IP address, as answer C indicates. (A public IP address would work as well.) You’d also need an internet gateway for the instance (D).

Answer 157

A

D. Instances launched into default subnets in the default VPC can automatically reach out to the public Internet, as that VPC has an internet gateway and instances get a public IPv4 address.

Answer 158

A

A. A NAT device—network address translation—provides routing for instances to an internet gateway but can prevent undesired inbound traffic.

Answer 159

A

D. A NAT device provides access to the Internet from private instances—they allow outgoing traffic rather than incoming traffic.

Answer 160

A

B, C. AWS offers two NAT devices: a NAT instance and a NAT gateway.

Answer 161

A

A, D. Instances always require an AMI. In this question, the two instances are EC2 instances (A) and NAT instances (D).

Answer 162

A

B. A NAT gateway is an entirely managed device from AWS. All the other options require maintenance by the user of OS-level patches and updates.

Answer 163

A

B. A NAT instance does not provide automatic scaling, whereas DynamoDB and NAT gateways are managed services and do. There is really no such thing as “scaling” of an SNS topic, although SNS as a service does do some scaling in the background to ensure that demand is met.

Answer 164

A

A. Of these options, only bastion hosts and NAT instances are unmanaged services, making them the only two possible answers. A bastion host typically has SSH routing and permissions to private instances, making it the most important to properly secure. While a NAT instance is usually available to private instances, traffic flows out from the NAT instance and not into the private instances.

Answer 165

A

D. A NAT instance is a candidate for a bastion server. The other options are all managed services.

Answer 166

A

C, D. A site-to-site VPN connection requires a virtual private gateway on the VPC side (C) and a customer gateway on the on-site side (D).

Answer 167

A

A, C. A site-to-site connection is going to require a private subnet on the AWS side (C), with private instances within it. Further, you’ll need a NAT instance (A) or similar device to route traffic and receive traffic as a static IP holder.

Answer 168

A

B. An egress-only gateway is for use with IPv6 traffic only.

Answer 169

A

C. An egress-only gateway is for use with IPv6 traffic and only allows outbound traffic. A VPC endpoint connects to managed AWS services, and an internet gateway (that isn’t egress only) allows both inbound and outbound traffic. A NAT gateway is for allowing outbound traffic from a private subnet rather than a public subnet.

Answer 170

A

A, C. A NAT instance must be in a public subnet so that it is accessible from the Internet. It also must have access to private instances in private subnets in your VPC.

Answer 171

A

B, C. Egress-only internet gateways are stateful and support IPv6 traffic. This is a matter of memorization, although you can somewhat reason that the gateway—absent a NACL—allows responses to come back to instances that use it to communicate with the public Internet.

Answer 172

A

C. The most important thing here is to remember that egress-only internet gateways only work with IPv6 addresses. This eliminates A and B. Then, only C addresses the entire public Internet in an IPv6 format.

Answer 173

A

A, D. IPv6 addresses are public by default (D) because they are globally unique. There is no need to have private IPv6 addresses because the range is so large.

Answer 174

A

B, C. An elastic network interface is virtual and can have multiple IPv4 and IPv6 addresses as well as security groups, a MAC address, and a source/destination check flag.

Answer 175

A

D. An elastic network interface is virtual and can have multiple IPv4 and IPv6 addresses as well as security groups, a MAC address, and a source/destination check flag. NACLs apply to subnets, though, not network interfaces on instances.

Answer 176

A

C. An instance has a primary network interface in all cases but can have additional network interfaces attached, so the answer is C, one or more.

Answer 177

A

A. Traffic follows the network interface rather than sticking to any particular instance. So in this case, traffic is redirected to the new instance but stays targeted at the elastic network interface (A).

Answer 178

A

C. An elastic network interface can only be attached to a single instance at one time but can be moved from one instance to another.

Answer 179

A

B. You actually can’t increase network throughput with multiple interfaces, making B false. All three other options are legitimate reasons to attach multiple interfaces to an instance.

Answer 180

A

C. An instance’s primary network interface cannot be detached (C), making that the correct answer. You can detach secondary interfaces (A), attach multiple interfaces (B), and move network interfaces (D).

Answer 181

A

D. Elastic network interfaces do not have routing tables, but they do have (or can have) IPv4 and IPv6 addresses and a source/destination check flag.

Answer 182

A

C. Elastic IP addresses are specifically for avoiding being tied to a specific instance, so A and B are not correct. Security groups are typically not associated with a specific IP address (D). This leaves C, a valid reason for an elastic IP address: It can move from one instance (if the instance fails) to another.

Answer 183

A

A. Elastic IP addresses are, by definition, an IP address that will not change, so A is correct—you cannot change the IP address while it is in use. You can move elastic IPs (B), including across VPCs (C), and you absolutely would associate it with a single instance (D).

Answer 184

A

B, C. An elastic IP can mask the failure of an instance (B) by moving traffic to another running instance transparently. It also allows all the network interface attributes to be moved at one time (C).

Answer 185

A

A, D. To use an elastic IP, you must first allocate it for use in a VPC and then associate it with an instance in that VPC (A and D). Route 53 is not involved at this stage, and you cannot detach the primary network interface on an instance.

Answer 186

A

D. There is not such thing as an “EBS management tool” separate from the AWS API, CLI, and console.

Answer 187

A

C. Although instances exist in a region and VPC, and can be part of an Auto Scaling group, they are provisioned into specific availability zones (C).

Answer 188

A

A. EBS snapshots are backed up to S3 incrementally.

Answer 189

A

A. Changes to IAM roles take place immediately.

Answer 190

A

A. You can only assign a single role to an instance.

Answer 191

A

B, D. You can only assign a single role to an instance (D), but you can also create a new role that combines the desired policies (B).

Answer 192

A

A, D. You always need to make the actual role changes (A). There are then no more actions required for these changes to take effect on the instances.

Answer 193

A

B, D. You’ll first need to create an IAM role with the desired permissions (B). Then, you can attach the role to a running instance to avoid downtime completely (D). Note that this is relatively new; older versions of AWS required restarting the instance.

Answer 194

A

A. If a snapshot is the root device of a registered AMI, it cannot be deleted.

Answer 195

A

A. Encryption can only be applied to EBS volumes at creation time, so A is correct.

Answer 196

A

B. By default, root volumes do get deleted when the associated instance terminates. However, you can configure this to not be the case using the AWS console or CLI (B).

Answer 197

A

C. Using defaults is not part of the well-architected framework, and it often is not the most secure approach.

Answer 198

A

A, C. The well-architected framework recommends automating security best practices and responses to security events.

Answer 199

A

A, B. AWS is responsible for securing the cloud itself, and then you as a customer are responsible for securing your resources and data in the cloud.

Answer 200

A

A, D. AWS is responsible for securing the cloud itself, which means anything that is infrastructure, such as edge locations and availability zones.

Answer 201

A

D. AWS is responsible for networks, but not the actual traffic across those networks (D).

Answer 202

A

A. AWS manages DynamoDB as a managed service. All the other options are your responsibility as a customer of AWS.

Answer 203

A

C. The well-architected framework includes four areas for security in the cloud: data protection, infrastructure protection, privilege management, and defective controls.

Answer 204

A

C. The well-architected framework suggests encrypting everything where possible, whether it is at rest or in transit.

Answer 205

A

A, B. The well-architected framework suggests encrypting everything where possible, whether the data is at rest or in transit.

Answer 206

A

C. While you are ultimately responsible for the security of your data, AWS provides and accepts responsibility for tools to enable security.

Answer 207

A

B. S3 durability is 99.999999999%, which is often called “11 9s” (or sometimes “11 nines”) of durability.

Answer 208

A

C. AWS will never initiate the movement of data between regions. Content in a region must be moved by the customer or moved in response to a customer action.

Answer 209

A

D. S3 data can be protected via MFA Delete and versioning, both of which provide a layer of protection against accidental deletes. Additionally, IAM roles can ensure that only those who should be able to delete data can delete data.

Answer 210

A

A, C. All of these options are valid, but only two should be done for all environments: enabling MFA on the root account and setting a password rotation policy. Enabling MFA Delete on S3 is a good idea but may not apply to all situations. Further, not all users may need an IAM role; some, for example, are fine with the default roles.

Answer 211

A

C. AWS infrastructure operates at the VPC layer and is almost entirely virtual.

Answer 212

A

A, C. CloudWatch and CloudTrail both provide monitoring and logging, both of which can identify security breaches. CloudFormation is a deployment mechanism, and Trusted Advisor can identify potential holes, but not actual breaches.

Answer 213

A

C. IAM provides access management through users, roles, and permissions, all of which are related to privileges.

Answer 214

A

D. MFA is Multi-Factor Authentication, which adds a layer of protection related to privilege management.

Answer 215

A

A. Trusted Advisor is AWS’s service for looking at your system and finding standard “holes” in your infrastructure that might allow for security breaches and then to suggest remediation.

Answer 216

A

C. AWS’s well-architected framework provides for five pillars: operational excellence, security, reliability, performance efficiency, and cost optimization. Organizational issues are considered outside of this framework (C).

Answer 217

A

B. AWS’s well-architected framework provides for five pillars: operational excellence, security, reliability, performance efficiency, and cost optimization. Usability is not a key concern of the cloud (B), although it is important for applications hosted within the cloud.

Answer 218

A

C. C is a misstatement of the correct principle; apply security at all layers. Security should be present at all layers, not just at the highest layers.

Answer 219

A

D. While A and C are both good ideas, they are more specific than the well-architected framework’s principles. B is a part of a principle, but data should be protected at rest and in transit. This leaves D, and people should be kept away from direct access to data. Instead, tools and APIs should provide a layer between users and data.

Answer 220

A

A, D. The five areas are Identity and Access Management (A), detective controls, infrastructure protection, data protection, and incident response (D).

Answer 221

A

A. AWS takes responsibility for physically securing cloud infrastructure.

Answer 222

A

A, C. The root account is the first account in every account (A), but it should only be used for creating other users and groups (C). It is not intended for everyday tasks (B), and once account setup is complete, you are encouraged by AWS to delete any access keys (D).

Answer 223

A

C, D. A good password policy has minimum length and complexity requirements.

Answer 224

A

C. Users with console access are more privileged users and should be required to use MFA (C). Password policies apply to all users, so A is incorrect. Further, passwords are the mechanism for logging into the console, so B is wrong in that access keys are not used for console login.

Answer 225

A

A, B. SAML 2.0 and web identities both provide a means of working with an existing organizational identity provider.

Answer 226

A

C. The principle of least privilege suggests that users only be allowed to do what they have to in order to perform their job functions.

Answer 227

A

B. AWS Organizations groups accounts into organizational units (OUs), allowing for groupings of permissions and roles.

Answer 228

A

A. An SCP in AWS Organizations is a service control policy and can be applied to an organizational unit (OU) to affect all users within that OU. It effectively applies permissions at an organizational level, much the way that a group applies them at a user level.

Answer 229

A

C. Service control policies (SCPs) are applied to OUs (organizational units) in AWS Organizations.

Answer 230

A

A. Service control policies (SCPs) provide for working across AWS accounts (A). Organizational units (OUs) are groupings of accounts, and IAM roles are applied to users and groups, not cross-account structures.

Answer 231

A

C. AWS Organizations offers a means of organizing and managing policies that span AWS accounts.

Answer 232

A

D. AWS provides all of the above options as a means of providing security of the AWS environment.

Answer 233

A

B. SSE-S3 offers encryption at rest while deferring key management to AWS. SSE-KMS does the same but has a higher cost and is more suitable for stringent auditing. The other two options involve work on the client side, which the question states is undesirable.

Answer 234

A

C. SSE-KMS is the best solution for any encryption problem that requires a strong audit trail.

Answer 235

A

C. New users should be given a new IAM user, and when permissions are the same across users, a group should be used instead of individually assigning permissions.

Answer 236

A

B. Most of these answers are overly complicated. S3 is highly available by default, so simply setting up a bucket in an EU region is sufficient.

Answer 237

A

D. All S3 storage classes provide SSL for data at transit as well as encryption of data at rest.

Answer 238

A

D. All S3 storage classes provide SSL for data at transit as well as encryption of data at rest.

Answer 239

A

A. The shared responsibility model defines the portions of the cloud that AWS secures, and the portions that you, the AWS customer, must secure.

Answer 240

A

B. This is pretty tough unless you’ve read the AWS shared responsibility white papers and FAQs. It’s really a matter of memorization and knowing that while AWS uses the term managed services in lots of areas, that term is not used in the shared responsibility model as one of the core types of services.

Answer 241

A

C. AWS is responsible for the security of virtualization infrastructure. All other items in this list are your responsibility. As a hint on questions like this and related to the AWS shared responsibility model, AWS is typically responsible for anything with the word infrastructure, although there are some exclusions (for example, application infrastructure).

Answer 242

A

A. An IAM role is assumed by an EC2 instance when it needs to access other AWS services, and that role has permissions associated with it. While these permissions are formally defined in a policy (B), it is the role that is used by the instance for actual service access.

Answer 243

A

A, D. Just as is the case with a compute instance (EC2), a task in a container needs an IAM role with permissions to access S3 (A), which in turn requires a policy specifying a permission that lets ECS tasks access S3 (D). Both of these are required to ensure access. Security groups apply to network traffic and would not affect S3 access, and while a VPC endpoint could be used (C), it is not required.

Answer 244

A

C. By default, newly created S3 buckets are private. They can only be accessed by a user that has been granted explicit access.

Brainscape's Knowledge GenomeTM

Secured Architecture Flashcards

Brainscape's Knowledge Genome^TM