Security Flashcards
Q: What should a solutions architect do to grant the necessary permissions for an AWS Lambda function to access an Amazon DynamoDB table securely?
A: Create an IAM role that has the required permissions to read and write from the DynamoDB tables. Add the role to the EC2 instance profile, and associate the instance profile with the application instances.
Q: How should a solutions architect configure access for Amazon EC2 instances to access an Amazon S3 bucket securely without using the public internet?
A: Create a gateway VPC endpoint for Amazon S3. Configure the route table for the private subnet to use the gateway endpoint as the route for all S3 traffic.
Q: How should a solutions architect design a secure solution to store sensitive database credentials for an application running on Amazon EC2 instances?
A: Store the database credentials as secrets in AWS Secrets Manager. Grant the necessary IAM permissions to the EC2 instance role to access the secrets.
Q: What should a solutions architect do to ensure that the principle of least privilege is applied when granting permissions to IAM users in a multi-account AWS environment?
A: Create an IAM role with the necessary permissions and have the IAM users assume the role when performing actions, instead of directly attaching policies to the IAM users.
Q: What should a solutions architect do to ensure that all objects uploaded to an Amazon S3 bucket are encrypted?
A: Update the bucket policy to deny PutObject requests if the x-amz-server-side-encryption header is not set.
Q: How should a solutions architect design a secure solution to control access to the content of a web application hosted on AWS?
A: Use Amazon Cognito for authentication and Amazon CloudFront with signed URLs or signed cookies for content access control.
Q: What should a solutions architect do to meet the security requirements of encrypting data at rest and in transit for a serverless application using AWS Lambda and Amazon API Gateway?
A: Use AWS KMS customer managed keys for encrypting data at rest. Configure the API Gateway stage to only accept HTTPS traffic.
