Security Flashcards

1
Q

Server side encryption means that the data is sent encrypted to the server first

A

False

2
Q

In server side encryption, only the encryption happens on the server. Where does the decryption happen?

  • The Server
  • The Client
A

The Server

3
Q

We need to gain access to a Role in another AWS account. How is it done?

  • We should ask for them to create a user for us
  • We should ask for them to send us an access key
  • We should use the STS service to gain temporary credentials
A

We should use the STS service to gain temporary credentials

4
Q

You have a mobile application and would like to give your users access to their own personal space in Amazon S3. How do you achieve that?

A

Use Cognito Identity Federation

5
Q

You need an encryption service that supports asymmetric encryption schemes. Which service could you use?

A

CloudHSM

6
Q

We’d like to encrypt 100MB of data client side before uploading it to S3. We should use

A

Envelope Encryption

7
Q

You would like to ensure data is encrypted client side before being sent to Kinesis. What should you use?

A

You must create custom code

8
Q

Which technology allows you to access AWS services from your private subnets without needing an outgoing internet connection?

A

VPC Endpoints

9
Q

What do you need to attach to an IoT rule’s engine action to ensure it’s capable of sending data directly into Kinesis?

A

An IAM role

10
Q

Which of the following statements is wrong?

  • DynamoDB Streams cannot be encrypted
  • DynamoDB security is done through IAM
  • Users must be created within DynamoDB
  • DynamoDB supports only table creation, not database creation
A

Users must be created within DynamoDB (The entire security in DynamoDB is managed through IAM; we don’t need to create users within DynamoDB, unlike RDS.)

11
Q

Which of the following services is accessed through a VPC Endpoint of type Interface?

  • Kinesis
  • DynamoDB
  • S3
A

Kinesis

12
Q

What security mechanism does not exist for RDS?

  • KMS at rest encryption
  • CloudHSM at rest encryption
  • SSL encryption
  • Transparent Data Encryption
A

CloudHSM at rest encryption

13
Q

You would like to deploy a Lambda function to privately access your RDS database. Under the default options, your Lambda function cannot reach your RDS database due to a network issue. How can you resolve it?

A

Deploy your Lambda function in your VPC

14
Q

Which statement about EMR security is incorrect?

  • You can SSH into your cluster nodes.
  • EMRFS supports S3 encryption
  • Apache Ranger is packaged within EMR
  • EMR supports LUKS encryption
  • EMR supports Kerberos
  • There are two security groups assigned between your different cluster nodes
A

Apache Ranger is packaged within EMR (If you choose to use Ranger, it must be installed externally from your EMR cluster. Recommended read: https://aws.amazon.com/blogs/big-data/best-practices-for-securing-amazon-emr/)

15
Q

Which of the following login methods is not supported by Kibana?

  • Using an IAM user
  • Using Cognito
  • Using an email / password combination
A

Using an email / password combination

16
Q

Which at rest encryption is not supported by Redshift?

  • KMS
  • CloudHSM
  • External HSM
  • LUKS
A

LUKS (this is for EMR)

17
Q

Your users are federated using the web identity provider amazon.com. What does the following policy do?

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::mybucket/${www.amazon.com:user_id}/*"]
    }
  ]
}
A

Allow users federated through amazon.com to upload and download objects from a bucket that is named after their username

18
Q

Someone has deleted your Redshift cluster and you would like to find out who or what it was. How can you do it?

A

Use CloudTrail

19
Q

You have enabled encryption for your Redshift cluster and loaded 7 TBs of data into the cluster. It turns out that encryption was not required on this cluster after all. You want to make a change and ensure that the cluster is not encrypted. What are your options? (Choose 2)

  • Restore from the latest snapshot.
  • Delete the KMS managed keys.
  • Unload the data into S3 and reload it into a cluster that is not encrypted.
  • Create a new cluster that is not encrypted and reload the data.
  • Check the decrypt checkbox in the Redshift modification options.
A
  • Unload the data into S3 and reload it into a cluster that is not encrypted.
  • Create a new cluster that is not encrypted and reload the data.

(Once you enable encryption for a Redshift cluster upon launch, you cannot then change it to an unencrypted cluster. You’ll have to unload the data and reload it into a new cluster with your new encryption setting. Alternatively, if you still have the data in S3 or another supported source, load the data into a new cluster with your new encryption setting. When you encrypt a Redshift cluster, data blocks and system metadata are encrypted for the cluster and its snapshots.)

20
Q

Which of the following mechanisms work together to encrypt data at rest on instance store volumes and EBS volumes? (Choose 2)

  • TrueCrypt
  • Open-source HDFS Encryption
  • LUKS
  • DriveCrypt
A
  • Open-source HDFS Encryption
  • LUKS

21
Q

Your organization is going to use EMR with EMRFS. However, your security team requires that you both encrypt all data before sending it to S3 and that you maintain the keys. Which encryption option should be used?

  • CSE-KMS
  • SSE-S3
  • CSE-Custom
  • SSE-KMS
A

CSE-Custom

(In this case, you would use CSE-Custom, where you would encrypt the data before sending it to S3 and also manage the client-side master key. The other encryption options available are: S3 Server-Side Encryption (SSE-S3), S3 manages keys for you; Server-Side Encryption with KMS–Managed Keys (SSE-KMS), S3 uses a customer master key that is managed in the Key Management Service to encrypt and decrypt the data before saving it to an S3 bucket; Client-Side Encryption with KMS-Managed Keys (CSE-KMS), the EMR cluster uses a customer master key to encrypt data before sending it to Amazon S3 for storage and to decrypt the data after it is downloaded.)

22
Q

True or False: AWS Key Management Service supports both symmetric and asymmetric encryption.

A

False

(The Key Management Service supports symmetric encryption only. Symmetric encryption is when the same keys are used to perform encryption and decryption.)

23
Q

Which of the following are not characteristics of CloudHSM? (Choose 2)

  • Usage-based pricing
  • Supports symmetric and asymmetric encryption
  • Highly available and durable
  • Customer-managed root of trust
  • Single-tenancy
A
  • Usage-based pricing
  • Highly available and durable

(Usage-based pricing and high availability/durability are characteristics of the Key Management Service.)

24
Q

True or False: When using a hardware security module with Redshift, you can only use CloudHSM.

A

False

(You can use either an on-prem HSM or you can use CloudHSM, or both, to ensure high-availability and access to the keys. Further information: http://docs.aws.amazon.com/cloudhsm/latest/userguide/configuring-ha.html)

25
Q

What is Hadoop Encrypted Shuffle?

A

Data in-transit between nodes is encrypted.

26
Q

True or False: An EMR cluster must be launched in a public subnet. It cannot be used with S3 or other AWS public endpoints if it is launched in a private subnet.

A

False

(Due to compliance or security requirements, you may need to run an EMR cluster in a private subnet. You can run an EMR cluster in a private subnet with no public IP addresses or attached Internet Gateway. In order to run an EMR cluster in a private subnet, you would need an endpoint for S3 in your VPC in order to access S3, or create a NAT instance for your cluster to interact with other AWS services that do not currently support endpoints in VPC. To connect to the EMR cluster in the private subnet, your local network should be connected to your VPC using VPN or Direct Connect. Alternatively, you can use a bastion host to connect to your EMR cluster in a private subnet.)

27
Q

A company needs to deploy a data lake solution for their data scientists in which all company data is accessible and stored in a central S3 bucket. The company segregates the data by business unit, using specific prefixes. Scientists can only access the data from their own business unit. The company needs a single sign-on identity and management solution based on Microsoft Active Directory (AD) to manage access to the data in Amazon S3.

Which method meets these requirements?

  • Use AWS IAM Federation functions and specify the associated role based on the users’ groups in AD.
  • Create bucket policies that only allow access to the authorized prefixes based on the users’ group name in Active Directory.
  • Deploy the AD Synchronization service to create AWS IAM users and groups based on AD information.
  • Use Amazon S3 API integration with AD to impersonate the users on access in a transparent manner.
A

Use AWS IAM Federation functions and specify the associated role based on the users’ groups in AD.

(A: Identity Federation allows organizations to associate temporary credentials with users authenticated through an external identity provider such as Microsoft Active Directory (AD). These temporary credentials are linked to AWS IAM roles that grant access to the S3 bucket. Option B does not work because bucket policies are linked to IAM principals and cannot recognize AD attributes. Option C does not work because AD Synchronization will not sync directly with AWS IAM, and custom synchronization would not result in Amazon S3 being able to see group information. Option D isn’t possible because there is no feature to integrate Amazon S3 directly with external identity providers.)

28
Q

A data engineer needs to architect a data warehouse for an online retail company to store historic purchases. The data engineer needs to use Amazon Redshift. To comply with PCI DSS and meet corporate data protection standards, the data engineer must ensure that data is encrypted at rest and that the keys are managed by a corporate on-premises HSM. Which approach meets these requirements in the most cost-effective manner?

  • Create a VPC, and then establish a VPN connection between the VPC and the on-premises network. Launch the Amazon Redshift cluster in the VPC, and configure it to use your corporate HSM.
  • Use the AWS CloudHSM service to establish a trust relationship between the CloudHSM and the corporate HSM over a Direct Connect connection. Configure Amazon Redshift to use the CloudHSM device.
  • Configure the AWS Key Management Service to point to the corporate HSM device, and then launch the Amazon Redshift cluster with the KMS managing the encryption keys.
  • Use AWS Import/Export to import the corporate HSM device into the AWS Region where the Amazon Redshift cluster will launch, and configure Redshift to use the imported HSM.
A

Create a VPC, and then establish a VPN connection between the VPC and the on-premises network. Launch the Amazon Redshift cluster in the VPC, and configure it to use your corporate HSM.

(Amazon Redshift can use an on-premises HSM for key management over the VPN, which ensures that the encryption keys are locally managed. Option B is possible: CloudHSM can cluster to an on-premises HSM. But then key management could be performed on either the on-premises HSM or CloudHSM, and that doesn’t meet the design goal. Option C does not describe a valid feature of KMS and, even if it were possible, would violate the requirement that the corporate HSM manage the keys. Option D is not possible because you cannot put hardware into an AWS Region.)