Which of the following are valid best practices for using the AWS Identity and Access Management (IAM) service? (choose 2)

Which services are integrated with KMS encryption? (choose 2)
1. Amazon RDS
2. Amazon EC2
3. Amazon EBS
4. Amazon SWF
5. AWS CloudFormation

Answer: 1. Amazon RDS, 3. Amazon EBS

• https://aws.amazon.com/kms/features/

Under the AWS shared responsibility model what is the customer responsible for? (choose 2)
1. Physical security of the data center
2. Replacement and disposal of disk drives
3. Configuration of security groups
4. Patch management of infrastructure
5. Encryption of customer data

Answer: 3. Configuration of security groups, 5. Encryption of customer data

• AWS are responsible for “Security of the Cloud”
• Customers are responsible for “Security in the Cloud”

Which service records API activity on your account and delivers log files to an Amazon S3 bucket?
1. Amazon CloudWatch
2. Amazon S3 Event Notifications
3. Amazon CloudTrail
4. Amazon CloudWatch Logs

Answer: 3. Amazon CloudTrail

• AWS CloudTrail is a web service that records activity made on your account and delivers log files to an Amazon S3 bucket
• CloudTrail is for auditing (CloudWatch is for performance monitoring)

The IAM service can be used to manage which objects? (choose 2)
1. Security groups
2. Access policies
3. Roles
4. Network ACLs
5. Key pairs

Answer: 2. Access policies, 3. Roles

• Access policies are objects that you attach to entities and resources to define their permissions
• Roles are created and then “assumed” by trusted entities and define a set of permissions for making AWS service requests
• Security groups and network ACLs are used as instance-level and subnet-level firewalls respectively

Under the shared responsibility model, what are examples of shared controls? (choose 2)
1. Patch management
2. Storage system patching
3. Physical and environmental
4. Configuration management
5. Service and Communications Protection

Answer: 1. Patch management, 4. Configuration management

• Shared Controls – controls which apply to both the infrastructure layer and customer layers, but in completely separate contexts or perspectives
• Patch Management – AWS is responsible for patching and fixing flaws within the infrastructure, but customers are responsible for patching their guest OS and applications
• Configuration Management – AWS maintains the configuration of its infrastructure devices, but a customer is responsible for configuring their own guest operating systems, databases, and applications

Which of the following are features of Amazon CloudWatch? (choose 2)
1. Used to gain system-wide visibility into resource utilization
2. Records account activity and service events from most AWS services
3. Used for auditing of API calls
4. Can be accessed via API, command-line interface, AWS SDKs, and the AWS Management Console
5. Provides visibility into user activity by recording actions taken on your account

Answer: 1. Used to gain system-wide visibility into resource utilization, 4. Can be accessed via API, command-line interface, AWS SDKs, and the AWS Management Console

• Amazon CloudWatch is a monitoring service for AWS cloud resources and the applications you run on AWS
• CloudWatch is for performance monitoring (CloudTrail is for auditing)
• CloudTrail records account activity and service events from most AWS services

Which statement below is incorrect in relation to Security Groups?
1. Operate at the instance level
2. Support allow rules only
3. Stateless
4. Evaluate all rules

Answer: 3. Stateless

• Security groups are stateful, meaning that if traffic is allowed in one direction, the return traffic is automatically allowed regardless of whether there is a matching rule for the traffic

What constraints apply to customers when performing penetration testing? (choose 2)
1. Permission is required for all penetration tests
2. You can perform penetration testing on your own systems at any time without prior authorization
3. You must complete and submit the AWS Vulnerability / Penetration Testing Request Form to request authorization
4. Penetration testing can be performed against any AWS resources
5. Penetration testing must be performed by a certified security consultant

Answer: 1. Permission is required for all penetration tests, 3. You must complete and submit the AWS Vulnerability / Penetration Testing Request Form to request authorization

• There is a limited set of resources on which penetration testing can be performed
• https://digitalcloud.training/certification-training/aws-certified-cloud-practitioner/cloud-security/

Which statement below is incorrect in relation to Network ACLs?
1. Operate at the Availability Zone level
2. Support allow and deny rules
3. Stateless
4. Process rules in order

Answer: 1. Operate at the Availability Zone level

• Network ACLs operate at the subnet level
• https://digitalcloud.training/certification-training/aws-certified-cloud-practitioner/aws-networking/

Which feature can you use to grant read/write access to an Amazon S3 bucket?
1. IAM Role
2. IAM Policy
3. IAM Group
4. IAM User

Answer: 2. IAM Policy

• IAM Policies are documents that define permissions and can be applied to users, groups and roles
• IAM policies can be written to grant access to Amazon S3 buckets
• IAM Roles are created and then “assumed” by trusted entities and define a set of permissions for making AWS service requests
• IAM Groups are collections of users and have policies attached to them

Which AWS service is used to enable multi-factor authentication?
1. Amazon STS
2. AWS IAM
3. Amazon EC2
4. AWS KMS

Answer: 2. AWS IAM

• IAM is used to securely control individual and group access to AWS resources
• The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for IAM users or for users that you authenticate (federated users)
• AWS Key Management Service (KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data
• Amazon EC2 is used for running operating system instances in the cloud

Which AWS service gives you centralized control over the encryption keys used to protect your data?
1. AWS STS
2. AWS KMS
3. AWS DMS
4. Amazon EBS

Answer: 2. AWS KMS

• AWS Key Management Service gives you centralized control over the encryption keys used to protect your data. You can create, import, rotate, disable, delete, define usage policies for, and audit the use of encryption keys used to encrypt your data
• The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users
• AWS Database Migration Service (DMS) helps you migrate databases to AWS quickly and securely
• Amazon Elastic Block Store (Amazon EBS) provides persistent block storage volumes for use with Amazon EC2 instances in the AWS Cloud

How can a security compliance officer retrieve AWS compliance documentation such as a SOC 2 report?
1. Using AWS Artifact
2. Using AWS Trusted Advisor
3. Using AWS Inspector
4. Using the AWS Personal Health Dashboard

Answer: 1. Using AWS Artifact

• AWS Artifact, available in the console, is a self-service audit artifact retrieval portal that provides our customers with on-demand access to AWS’ compliance documentation and AWS agreements
• You can use AWS Artifact Reports to download AWS security and compliance documents, such as AWS ISO certifications, Payment Card Industry (PCI), and System and Organization Control (SOC) reports

Which service provides visibility into user activity by recording actions taken on your account?
1. Amazon CloudWatch
2. Amazon CloudFormation
3. Amazon CloudTrail
4. Amazon CloudHSM

Answer: 3. Amazon CloudTrail

• CloudTrail is a web service that records activity made on your account and delivers log files to an Amazon S3 bucket
• CloudTrail is for auditing (CloudWatch is for performance monitoring)
• CloudFormation is used for deploying infrastructure through code
• CloudHSM is a hardware security module for generating, managing and storing encryption keys

A new user is unable to access any AWS services. What is the most likely explanation?
1. The user needs to login with a key pair
2. The services are currently unavailable
3. By default new users are created without access to any AWS services
4. The default limit for user logons has been reached

Answer: 3. By default new users are created without access to any AWS services

• By default new users are created with NO access to any AWS services – they can only log in to the AWS console
• https://digitalcloud.training/certification-training/aws-certified-cloud-practitioner/identity-and-access-management/

Which of the following compliance programs allows the AWS environment to process, maintain, and store protected health information?
1. ISO 27001
2. PCI DSS
3. HIPAA
4. SOC 1

Answer: 3. HIPAA

• AWS enables covered entities and their business associates subject to the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA) to use the secure AWS environment to process, maintain, and store protected health information

Which file format is used to write AWS Identity and Access Management (IAM) policies?
1. DOC
2. XML
3. JBOD
4. JSON

Answer: 4. JSON

• You manage access in AWS by creating policies and attaching them to IAM identities or AWS resources. A policy is an object in AWS that, when associated with an entity or resource, defines their permissions. AWS evaluates these policies when a principal, such as a user, makes a request. Permissions in the policies determine whether the request is allowed or denied. Most policies are stored in AWS as JSON documents

At what level is a Network ACL applied?
1. Instance level
2. Region level
3. Availability Zone level
4. Subnet level

Answer: 4. Subnet level

• Network Access Control Lists (ACLs) provide a firewall/security layer at the subnet level
• Security Groups provide a firewall/security layer at the instance level

Which AWS service protects against common exploits that could compromise application availability, compromise security or consume excessive resources?
1. AWS WAF
2. AWS Shield
3. Security Group
4. Network ACL

Answer: 1. AWS WAF

• AWS WAF is a web application firewall that protects against common exploits that could compromise application availability, compromise security or consume excessive resources
• AWS Shield is a managed Distributed Denial of Service (DDoS) protection service
• Security groups and Network ACLs are firewalls protecting at the instance and subnet level respectively

How can an organization assess applications for vulnerabilities and deviations from best practice?
1. Use AWS Artifact
2. Use AWS Inspector
3. Use AWS Shield
4. Use AWS WAF

Answer: 2. Use AWS Inspector

• Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Inspector automatically assesses applications for vulnerabilities or deviations from best practices
• AWS Artifact is your go-to, central resource for compliance-related information that matters to you
• AWS Shield is a managed Distributed Denial of Service (DDoS) protection service
• AWS WAF is a web application firewall

Which of the following is NOT one of the five AWS Trusted Advisor categories?
1. Cost Optimization
2. Performance
3. Security
4. Application transformation

Answer: 4. Application transformation

• The five categories are cost optimization, performance, security, fault tolerance and service limits

Which of the following are AWS recommended best practices in relation to IAM? (choose 2)
1. Assign permissions to users
2. Create individual IAM users
3. Embed access keys in application code
4. Enable MFA for all users
5. Grant least privilege

Answer: 2. Create individual IAM users, 5. Grant least privilege

• AWS recommend creating individual IAM users and assigning the least privileges necessary for them to perform their role
• You should use groups to assign permissions to IAM users, should avoid embedding access keys in application code, and should enable MFA for privileged users (not everyone)

Which of the following security operations tasks must be performed by AWS customers? (choose 2)
1. Collecting syslog messages from physical firewalls
2. Issuing data center access keycards
3. Installing security updates on EC2 instances
4. Enabling multi-factor authentication (MFA) for privileged users
5. Installing security updates for server firmware

Answer: 3. Installing security updates on EC2 instances, 4. Enabling multi-factor authentication (MFA) for privileged users

• The customer is responsible for installing security updates on EC2 instances and enabling MFA. AWS is responsible for security of the physical data center and the infrastructure upon which customer services run

Which services are involved with security? (choose 2)
1. AWS CloudHSM
2. AWS DMS
3. AWS KMS
4. AWS SMS
5. Amazon ELB

Answer: 1. AWS CloudHSM, 3. AWS KMS

• AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud
• AWS Key Management Service gives you centralized control over the encryption keys used to protect your data

Which information security standard applies to entities that store, process or transmit credit cardholder data?
1. ISO 27001
2. HIPAA
3. NIST
4. PCI DSS

Answer: 4. PCI DSS

• The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard administered by the PCI Security Standards Council
• AWS enables covered entities and their business associates subject to the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA) to use the secure AWS environment to process, maintain, and store protected health information
• The National Institute of Standards and Technology (NIST) 800-53 security controls are generally applicable to US Federal Information Systems
• ISO/IEC 27001:2013 is a security management standard that specifies security management best practices and comprehensive security controls following the ISO/IEC 27002 best practice guidance

Which services provide protection measures against distributed denial of service (DDoS) attacks? (choose 2)
1. AWS CloudHSM
2. Amazon CloudFront
3. AWS WAF
4. Internet Gateway
5. Managed VPN

Answer: 2. Amazon CloudFront, 3. AWS WAF

• AWS offers globally distributed, high network bandwidth and resilient services that, when used in conjunction with application-specific strategies, are key to mitigating DDoS attacks
• AWS WAF is a web application firewall that helps protect web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources
• Amazon CloudFront distributes traffic across multiple edge locations and filters requests to ensure that only valid HTTP(S) requests will be forwarded to backend hosts. CloudFront also supports geoblocking, which you can use to prevent requests from particular geographic locations from being served
• Internet Gateways, Managed VPN and CloudHSM do not help to mitigate DDoS attacks

When using Amazon IAM, what authentication methods are available to use? (choose 2)
1. Client certificates
2. Access keys
3. Amazon KMS
4. Server certificates
5. AES 256

Answer: 2. Access keys, 4. Server certificates

• Supported authentication methods include console passwords, access keys and server certificates
• Access keys are a combination of an access key ID and a secret access key and can be used to make programmatic calls to AWS
• Server certificates are SSL/TLS certificates that you can use to authenticate with some AWS services
• Client certificates are not a valid IAM authentication method
• Amazon Key Management Service (KMS) is used for managing encryption keys and is not used for authentication
• AES 256 is an encryption algorithm, not an authentication method

To ensure the security of your AWS account, what are two AWS best practices for managing access keys? (choose 2)
1. Don’t create any access keys, use IAM roles instead
2. Don’t generate an access key for the root account user
3. Where possible, use IAM roles with temporary security credentials
4. Rotate access keys daily
5. Use MFA for access keys

Answer: 2. Don’t generate an access key for the root account user, 3. Where possible, use IAM roles with temporary security credentials

• Best practices include:
– Don’t generate an access key for the root account user
– Use temporary security credentials (IAM roles) instead of long-term access keys
– Manage IAM user access keys properly
• Rotating access keys is a recommended practice, but doing it daily would be excessive and hard to manage
• You can use MFA for securing privileged accounts, but it does not secure access keys
• You should use IAM roles where possible, but AWS do not recommend that you don’t create any access keys, as they also have a purpose

Which feature of Amazon S3 adds a layer of additional security to prevent accidental deletion?
1. Versioning
2. Encryption
3. MFA delete
4. Lifecycle management

Answer: 3. MFA delete

• MFA delete adds an additional layer of security as users must include the x-amz-mfa request header in requests to permanently delete an object version or change the versioning state of the bucket. This header must include the authentication code from a multi-factor authentication device
• Versioning helps to mitigate the impact of deleting objects as older versions are retained; however, it does not prevent deletion
• Encryption protects against unauthorized agents reading your data; it does not protect it from deletion
• Lifecycle management can also reduce the impact of deleting objects as they may have been archived, but again it does not stop you from deleting them

Which of the options below are recommendations in the security pillar of the well-architected framework? (choose 2)
1. Enable traceability
2. Apply security at the application layer
3. Automate security best practices
4. Protect data when it is at rest only
5. Expect to be secure

Answer: 1. Enable traceability, 3. Automate security best practices

• The security pillar includes the ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies
• There are six design principles for security in the cloud:
– Implement a strong identity foundation
– Enable traceability
– Apply security at all layers
– Automate security best practices
– Protect data in transit and at rest
– Prepare for security events

What does an organization need to do in Amazon IAM to enable user access to services being launched in a new region?
1. Update the user accounts to allow access from another region
2. Create new user accounts in the new region
3. Enable global mode in IAM to provision the required access
4. Nothing, IAM is global

Answer: 4. Nothing, IAM is global

• IAM is used to securely control individual and group access to AWS resources. IAM is universal (global) and does not apply to regions

What can be assigned to an IAM user? (choose 2)
1. An access key ID and secret access key
2. A password for logging into Linux
3. A password for access to the management console
4. A key pair
5. An SSL/TLS certificate

Answer: 1. An access key ID and secret access key, 3. A password for access to the management console

• An IAM user is an entity that represents a person or service. Users can be assigned an access key ID and secret access key for programmatic access to the AWS API, CLI, SDK, and other development tools, and a password for access to the management console
• Key pairs are used with Amazon EC2 as a method of using public key encryption to securely access EC2 instances
• You cannot assign an IAM user a password for logging into a Linux instance
• You cannot assign an SSL/TLS certificate to a user

Which of the below are valid use cases for using AWS services to implement real-time auditing? (choose 2)
1. Use Amazon Inspector to monitor for compliance
2. Use Amazon CloudWatch for monitoring API calls
3. Use Amazon CloudTrail to monitor application performance
4. Use AWS IAM to store log files
5. Use AWS Lambda to scan log files

Answer: 1. Use Amazon Inspector to monitor for compliance, 5. Use AWS Lambda to scan log files

• Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices
• You can use AWS Lambda, Amazon EMR, the Amazon Elasticsearch Service, or third-party tools from the AWS Marketplace to scan logs to detect things like unused permissions, overuse of privileged accounts, usage of keys, anomalous logins, policy violations, and system abuse
• CloudWatch is used for performance monitoring whereas CloudTrail is used for logging API calls
• AWS IAM is not used for storage of log files

Which type of security control can be used to deny network access from a specific IP address?
1. Security Group
2. Network ACL
3. AWS WAF
4. AWS Shield

Answer: 2. Network ACL

• A Network ACL supports allow and deny rules. You can create a deny rule specifying a specific IP address that you would like to block
• A Security Group only supports allow rules
• AWS WAF is a web application firewall
• AWS Shield is a managed Distributed Denial of Service (DDoS) protection service

Which of the following security related activities are AWS customers responsible for? (choose 2)
1. Installing patches on network devices
2. Implementing data center access controls
3. Implementing IAM password policies
4. Installing patches on Windows operating systems
5. Secure disposal of faulty disk drives

Answer: 3. Implementing IAM password policies, 4. Installing patches on Windows operating systems

• Customers are responsible for configuring their own IAM password policies and installing operating system patches on Amazon EC2 instances
• AWS are responsible for installing patches on physical hardware devices, data center access controls and secure disposal of disk drives

Which feature of AWS IAM enables you to identify unnecessary permissions that have been assigned to users?
1. Role Advisor
2. Access Advisor
3. Permissions Advisor
4. Group Advisor

Answer: 2. Access Advisor

• The IAM console provides information about when IAM users and roles last attempted to access AWS services. This information is called service last accessed data. This data can help you identify unnecessary permissions so that you can refine your IAM policies to better adhere to the principle of “least privilege.” That means granting the minimum permissions required to perform a specific task. You can find the data on the Access Advisor tab in the IAM console by examining the detail view for any IAM user, group, role, or managed policy
• https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html

How can you enable access to AWS accounts using credentials from an on-premise corporate directory?
1. SSO using Cognito
2. Federation using IAM
3. Replication using Simple AD
4. AWS Organizations

Answer: 2. Federation using IAM

• You can enable single sign-on (SSO) to your AWS accounts by using federation and AWS Identity and Access Management (IAM). By federating your AWS accounts, users can sign in to the AWS Management Console and AWS Command Line Interface (CLI) using credentials from your corporate directory
• Amazon Cognito helps you add user sign-up and sign-in to your mobile and web apps easily; it is not used for connecting corporate directories
• Simple AD is an inexpensive Active Directory-compatible service with common directory features. It is a standalone directory on AWS and cannot replicate with an on-premise directory
• AWS Organizations offers policy-based management for multiple AWS accounts. With Organizations, you can create groups of accounts, automate account creation, and apply and manage policies for those groups. It is not used for SSO

Which service can be used to assign a policy to a group?
1. AWS IAM
2. Amazon Cognito
3. Amazon STS
4. AWS Shield

Answer: 1. AWS IAM

• IAM is used to securely control individual and group access to AWS resources. Groups are collections of users and have policies attached to them. You can use IAM to attach a policy to a group
• Amazon Cognito is used for authentication using mobile apps
• The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for IAM users or for users that you authenticate (federated users)
• AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS

Which AWS service uses a highly secure hardware storage device to store encryption keys?
1. AWS WAF
2. AWS IAM
3. AWS CloudHSM
4. Amazon Cloud Directory

Answer: 3. AWS CloudHSM

• AWS CloudHSM is a cloud-based hardware security module (HSM) that allows you to easily add secure key storage and high-performance crypto operations to your AWS applications
• Amazon Cloud Directory enables you to build flexible cloud-native directories for organizing hierarchies of data along multiple dimensions
• AWS WAF is a web application firewall that helps protect your web applications from common web exploits
• AWS Identity and Access Management (IAM) is used for managing users, groups, and roles in AWS

Which security service only requires a rule to be created in one direction as it automatically allows return traffic?
1. VPC Router
2. Network ACL
3. Security Group
4. AWS Shield

Answer: 3. Security Group

• Security groups are stateful, so if you allow traffic to pass through, the return traffic is automatically allowed even if no rule matches the traffic
• Network ACLs are stateless, so you must create rules in both directions to allow traffic through
• A VPC router is not a security service
• AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS

What is required to decrypt the Administrator password of a newly launched Amazon EC2 Windows instance?
1. Key pair
2. Access key and secret ID
3. KMS key
4. IAM role

Answer: 1. Key pair

• You use a key pair to decrypt the Administrator password through the console or using the CLI
• An access key and secret ID are associated with IAM accounts and are used for signing programmatic requests
• KMS is used for managing encryption keys; a “KMS key” is incorrect
• IAM roles cannot be used for decrypting the Administrator password
• https://aws.amazon.com/premiumsupport/knowledge-center/retrieve-windows-admin-password/

What modifications can be made to an IAM access key once created? (choose 2)
1. Change user
2. Make active
3. Add user
4. Change scope
5. Make inactive

Answer: 2. Make active, 5. Make inactive

• All you can do with an access key once it has been generated is to make it active, make it inactive, or delete the access key

What is the name of the online, self-service portal that AWS provides to enable customers to view reports, such as PCI reports, and accept agreements?
1. AWS Compliance Portal
2. AWS Documentation Portal
3. AWS Artifact
4. AWS DocuFact

Answer: 3. AWS Artifact

• AWS Artifact is your go-to, central resource for compliance-related information that matters to you. It provides on-demand access to AWS’ security and compliance reports and select online agreements. Reports available in AWS Artifact include our Service Organization Control (SOC) reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies across geographies and compliance verticals that validate the implementation and operating effectiveness of AWS security controls
• Agreements available in AWS Artifact include the Business Associate Addendum (BAA) and the Nondisclosure Agreement (NDA)
• All other options are made up and do not exist

Which AWS IAM best practice recommends applying the minimum permissions necessary to perform a task when creating IAM policies?
1. Create individual IAM users
2. Use roles to delegate permissions
3. Grant least privilege
4. Enable MFA for privileged users

Answer: 3. Grant least privilege

• When you create IAM policies, follow the standard security advice of granting least privilege, that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks

What are the benefits of using IAM roles for applications that run on EC2 instances? (choose 2)
1. Easier to configure than storing access keys within the EC2 instance
2. More secure than storing access keys within applications
3. Can apply multiple roles to a single instance
4. It is easier to manage IAM roles
5. Role credentials are permanent

Answer: 2. More secure than storing access keys within applications, 4. It is easier to manage IAM roles

• Using IAM roles instead of storing credentials within EC2 instances is more secure. It is also easier to manage roles
• It is not easier to configure, as there are extra steps that need to be completed
• You cannot apply multiple roles to a single instance
• Role credentials are temporary, not permanent, and are rotated automatically

A web server is being maliciously targeted. How can a systems administrator deny access from a list of known attacker IP addresses? (choose 2)
1. Using a local firewall such as iptables
2. Using a rule on the Internet Gateway
3. Using a Security Group deny rule
4. Using a Network ACL deny rule
5. Through VPC route table configuration

Answer: 1. Using a local firewall such as iptables, 4. Using a Network ACL deny rule

• To block access to a known list of IP addresses you can configure a local firewall on the web server or use Network ACL deny rules
• You cannot create deny rules with Security Groups (only allow rules)
• Internet Gateways do not have allow/deny rules, and route table configuration could not be used to break connections with specific addresses

Which of the following is not a best practice for protecting the root user of an AWS account?
1. Don’t share the root user credentials
2. Enable MFA
3. Remove administrative permissions
4. Lock away the AWS root user access keys

Answer: 3. Remove administrative permissions

• You cannot remove administrative permissions from the root user of an AWS account. Therefore, you must protect the account by creating a complex password, enabling MFA, locking away access keys (assuming they’re even required), and not sharing the account details

What types of rules can be defined in a security group? (choose 2)
1. Inbound
2. Deny
3. Tags
4. Outbound
5. Stateful

Answer: 1. Inbound, 4. Outbound

• You can create inbound and outbound rules in a security group
• You can tag a security group, but this is not a type of rule
• You cannot create deny rules with a security group; all rule entries allow traffic
• A security group is stateful, but this is not a rule type

Which AWS security tool uses an agent installed in EC2 instances and assesses applications for vulnerabilities and deviations from best practices?
1. AWS Trusted Advisor
2. AWS Personal Health Dashboard
3. AWS TCO Calculator
4. AWS Inspector

Answer: 4. AWS Inspector

• Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Inspector automatically assesses applications for vulnerabilities or deviations from best practices. It uses an agent installed on EC2 instances
• Trusted Advisor is an online resource that helps to reduce cost, increase performance and improve security by optimizing your AWS environment
• AWS Personal Health Dashboard provides alerts and remediation guidance when AWS is experiencing events that may impact you
• The AWS TCO calculator can be used to compare the cost of running your applications in an on-premises or colocation environment to AWS

Up to what layer of the OSI model does AWS Web Application Firewall operate?
1. Layer 3
2. Layer 4
3. Layer 5
4. Layer 7

Answer: 4. Layer 7

• The AWS Web Application Firewall operates up to the application layer (layer 7). You can use AWS WAF to create custom rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that are designed for your specific application
• https://aws.amazon.com/waf/

What do you need to log into the AWS console?
1. User name and password
2. Key pair
3. Access key and secret ID
4. Certificate

1. User name and password
• You can log into the AWS console using a user name and password
• You cannot log in to the AWS console using a key pair, access key & secret ID or certificate

Your manager has asked you to explain the benefits of using IAM groups. Which of the below statements are valid benefits? (choose 2)
1. You can restrict access to the subnets in your VPC
2. Groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users
3. Provide the ability to create custom permission policies
4. Enables you to attach IAM permission policies to more than one user at a time
5. Provide the ability to nest groups to create an organizational hierarchy

2. Groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users
4. Enables you to attach IAM permission policies to more than one user at a time
• Groups are collections of users and have policies attached to them
• A group is not an identity and cannot be identified as a principal in an IAM policy
• Use groups to assign permissions to users
• Use the principle of least privilege when assigning permissions
• You cannot nest groups (groups within groups)

Which of the authentication options below can be used to authenticate using AWS APIs? (choose 2)
1. Key pairs
2. Access keys
3. Server passwords
4. Security groups
5. Server certificates

2. Access keys
4. Security groups
• Key pairs are used for encrypting logon information when accessing EC2 instances
• Access keys are a combination of an access key ID and a secret access key
• A server password cannot be used to authenticate with an API
• Server certificates are SSL/TLS certificates that you can use to authenticate with some AWS services
• Security groups are an instance-level firewall used for controlling access to AWS resources
• https://digitalcloud.training/certification-training/aws-certified-cloud-practitioner/identity-and-access-management/

Which of the following are NOT features of AWS IAM? (choose 2)
1. Shared access to your AWS account
2. Logon using local user accounts
3. Identity federation
4. PCI DSS compliance
5. Charged for what you use

2. Logon using local user accounts
5. Charged for what you use
• You cannot use IAM to create local user accounts on any system. You are also not charged for what you use; IAM is free to use
• The other options are all features of AWS IAM

Which of the following records are captured by Amazon CloudTrail? (choose 2)
1. The identity of the API caller
2. The CPU usage of the instance
3. Custom metrics generated by applications
4. The request parameters
5. Billing information

1. The identity of the API caller
4. The request parameters
• AWS CloudTrail is a web service that records activity made on your account and delivers log files to an Amazon S3 bucket. CloudTrail is about logging and saves a history of API calls for your AWS account
• CloudTrail records account activity and service events from most AWS services and logs the following records:
  – The identity of the API caller
  – The time of the API call
  – The source IP address of the API caller
  – The request parameters
  – The response elements returned by the AWS service
• All other options are metrics that can be recorded using CloudWatch
• https://digitalcloud.training/certification-training/aws-certified-cloud-practitioner/monitoring-and-logging-services/

Your manager has asked you to explain some of the security features available in the AWS cloud. How can you describe the function of Amazon CloudHSM?
1. It is a Public Key Infrastructure (PKI)
2. It provides server-side encryption for S3 objects
3. It can be used to generate, use and manage encryption keys in the cloud
4. It is a firewall for use with web applications

3. It can be used to generate, use and manage encryption keys in the cloud
• AWS CloudHSM is a cloud-based hardware security module (HSM) that allows you to easily add secure key storage and high-performance crypto operations to your AWS applications
• CloudHSM has no upfront costs and provides the ability to start and stop HSMs on-demand, allowing you to provision capacity when and where it is needed quickly and cost-effectively
• CloudHSM is a managed service that automates time-consuming administrative tasks, such as hardware provisioning, software patching, high availability, and backups
• https://aws.amazon.com/cloudhsm/details/

When using Identity and Access Management (IAM) what is the process of gaining access to a resource?
1. First you authenticate, then you are authorized, and then you gain access
2. First you are authorized, then you authenticate, and then you gain access
3. First you authenticate, then you gain access, and then you are authorized
4. With IAM you do not need to authenticate or be authorized

1. First you authenticate, then you are authorized, and then you gain access
• The process is that you are first authenticated (the system checks you are who you say you are), then you are authorized (the system determines the resources you are allowed to access), and then you are able to access the resources
• https://digitalcloud.training/certification-training/aws-certified-cloud-practitioner/identity-and-access-management/