Ch3

Question 1

1. When creating a new security group, which of the following are true? (Choose two.)

All inbound traffic is allowed by default.
All outbound traffic is allowed by default.
Connections that are allowed in must also explicitly be allowed back out.
Connections that are allowed in are automatically allowed back out.

Answer 1

B, D. Default security groups prevent all traffic in and allow all traffic out.

Question 2

2. You have a government-regulated system that will store a large amount of data on S3 standard. You must encrypt all data and preserve a clear audit trail for traceability and third-party auditing. Security policies dictate that encryption must be consistent across the entire data store. Which of the following encryption approaches would be best?

SSE-C
SSE-KMS
SSE-C
Encrypt the data prior to upload to S3 and decrypt the data when returning it to the client.

Answer 2

B. D is not a good answer because relying on encryption outside of S3 does not best address the concerns around consistency. It is generally better to allow AWS to handle encryption in cases where you want to ensure all encryption is the same across a data store. SSE-C, SSE-KMS, and SSE-C all provide this. However, among those three, KMS is the best option for providing clear audit trails.

Question 3

3. You are creating a bastion host to allow SSH access to a set of EC2 instances in a private subnet within your organization’s VPC. Which of the following should be done as part of configuring the bastion host? (Choose two.)

Ensure that the bastion host is exposed directly to the Internet.
Place the bastion host within the private subnet.
Add a route from the bastion host IP into the private subnet into the subnet’s NACLs.
Ensure that the bastion host is within the same security group as the hosts within the private subnet.

Answer 3

A, C. A bastion host is a publicly accessible host that allows traffic to connect to it. Then, an additional connection is made from the bastion host into a private subnet and the hosts within that subnet. Because the bastion must be accessed by public clients, it must be exposed to the Internet (A). If it is within a private subnet (B), it will not be accessible, making that answer incorrect. There also must be an explicit route from the bastion host into the private subnet (C); this is usually within a NACL. Finally, the security of the bastion must be different from the hosts in the private subnet. The bastion host should be hardened significantly as it is public, but also accessible; this is in many ways the opposite of the security requirements of hosts within a private subnet.

Question 4

4. Which of the following are invalid IAM actions? (Choose two.)

Limiting the root account SSH access to all EC2 instances
Allowing a user account SSH access to all EC2 instances
Removing console access for the root account
Removing console access for all non-root user accounts

Answer 4

A, C. AWS sometimes asks questions like this to ensure that you understand that the root account is truly a root account and you cannot restrict that account’s access. Anything that involves removing access for the root account is always invalid.

Question 5

7. You have a private subnet in a VPC within AWS. The instances within the subnet are unable to access the Internet. You have created a NAT gateway to solve this problem. What additional steps do you need to perform to allow the instances Internet access? (Choose two.)

Ensure that the NAT gateway is in the same subnet as the instances that cannot access the Internet.
Add a route in the private subnet to route traffic aimed at 0.0.0.0/0 at the NAT gateway.
Add a route in the public subnet to route traffic aimed at 0.0.0.0/0 at the NAT gateway.
Ensure that the NAT gateway is in a public subnet.

Answer 5

B, D. There are two pairs of answers here, and you need to choose the correct pair in each case. For private subnet instances, you need a route out to a NAT gateway, and that NAT gateway must be in a public subnet—otherwise, it would not itself be able to provide outbound traffic access to the Internet. That means option D is correct, as is answer B: 0.0.0.0/0 means “traffic with a destination in the Internet at large,” more or less.

Question 6

8. Which of the following statements regarding NAT instances and NAT gateways are false? (Choose two.)

Both NAT instances and NAT gateways are highly available.
You must choose the instance type and size when creating a NAT gateway but not when creating a NAT instance.
It is your responsibility to patch a NAT instance and AWS’s responsibility to patch a NAT gateway.
You assign a security group to a NAT instance but not to a NAT gateway.

Answer 6

A, B. The easiest way to handle this question is by thinking of a NAT gateway as essentially a managed service and a NAT instance as an instance (which you manage) for networking. That helps identify B as false (you never choose instance types and sizes for managed services) and C as true (AWS patches managed services). Further, since AWS manages NAT gateways, they are automatically highly available and do not need you to associate security groups. This means that A is false—NAT instances can be made highly available, but not without your manual intervention—and D is true.

Question 7

14. What types of rules does a security group allow? (Choose two.)

Allow rules
Prevent rules
Deny rules
Inbound rules

Answer 7

A, D. Security groups only contain allow rules, not deny rules (and prevent rules are not an actual rule type). Then, you can create both inbound and outbound rules.

Question 8

15. Which of the following are true about security groups? (Choose two.)

You can specify deny rules, but not allow rules.
By default, a security group includes an outbound rule that allows all outbound traffic.
You can specify specific separate rules for inbound and outbound traffic.
Security groups are stateless.

Answer 8

B, C. You specify allow rules for security groups, so A is false. B and C are true: Default security groups allow all outbound traffic, and you specify separate inbound and outbound rules. Finally, security groups are stateful, not stateless, so D is false.

Question 9

16. Which of the following are not true about security groups? (Choose two.)

Allow rules take priority over deny rules.
Responses to allowed inbound traffic are allowed to flow back out.
You can specify specific separate rules for inbound and outbound traffic.
If there are no outbound rules, then all outbound traffic is allowed to flow out.

Answer 9

A, D. A is false, as security groups don’t provide for deny rules. B and C are both true (and therefore are not correct answers). D is false, because without specific outbound rules, nothing is allowed to flow out. (Note that by default, there is an allowance for all outgoing traffic in security groups, although that can be removed.)

Question 10

17. Which of the following must a security group have when you create it? (Choose two.)

At least one inbound rule
A name
A description
At least one outbound rule

Answer 10

B, C. A security group can actually have no inbound or outbound rules, so A and D are not required. A security group does require a name and description, though.

Question 11

18. Which of the following is a security group associated with?

An ELB
A network interface
An ALB
A network access list

Answer 11

B. A security group can be attached to multiple constructs, like an EC2 instance, but is ultimately associated with a network interface, which in turn is attached to individual instances. This is a tough question and probably at the very edge of what the exam might ask.

Question 12

19. Which of the following are default rules on a default security group, such as the one that comes with the default VPC? (Choose two.)

Outbound: 0.0.0.0/0 for all protocols allowed
Inbound: 0.0.0.0/0 for all protocols allowed
Outbound: ::/0 for all protocols allowed
Inbound: ::/0 for all protocols allowed

Answer 12

A, C. The easiest way to work this is to recognize that default security groups never allow broad inbound traffic. That eliminates B and D and leaves rules that allow all outbound traffic for both IPv4 (A) and IPv6 (C).

Question 13

20. Which of the following are parts of a security group rule? (Choose two.)

A protocol
A subnet
An instance ID
A description

Answer 13

A, D. Security group rules have a protocol and a description. They do not have a subnet, although they can have CIDR blocks or single IP addresses. Instances can associate with a security group, but a security group does not itself refer to a specific instance.

Question 14

23. Which of the following describes server-side encryption for S3 bucket data?

You encrypt and upload data to S3, managing the encryption process yourself.
You encrypt and upload data to S3, allowing AWS to manage the encryption process.
You request AWS to encrypt an object before saving it to S3.
You encrypt an object, but AWS uploads and decrypts the object.

Answer 14

C

Question 15

24. Which of the following are valid steps in enabling client-side encryption for S3? (Choose two.)

Download the AWS CLI and SSH to your S3 key store.
Use a KMS-managed customer master key.
Download an AWS SDK for encrypting data on the client side.
Turn on bucket encryption for the target S3 buckets.

Answer 15

B, C. For client-side encryption, you’ll need a master key, which can either be a KMS-managed key (option B) or a client-side master key. You’ll also need an SDK for encrypting the client-side data (C).

Question 16

25. Which of the following is not a way to manage server-side encryption keys for S3?

SSE-S3
SSE-KMS
SSE-E
SSE-C

Answer 16

C. You’ll probably simply need to memorize this one. SSE-S3, SSE-KMS, and SSE-C are all valid approaches to S3 encryption; SSE-E is made up.

Question 17

27. Which of the following encryption key management options is best for managing keys but allowing S3 to handle the actual encryption of data?

SSE-S3
SSE-KMS
Client-side encryption keys
SSE-C

Answer 17

D. SSE-C allows the customer (the C in SSE-C) to manage keys, but S3 then handles the actual encryption of data.

Question 18

28. You have a customer that has a legacy security group that is very suspicious of all things security in the cloud. The customer wants to use S3, but doesn’t trust AWS encryption, and you need to enable its migration to the cloud. What option would you recommend to address the company’s concerns?

SSE-S3
SSE-KMS
Client-side encryption keys
SSE-C

Answer 18

C. Client-side encryption allows the customer to manage keys and encrypt data themselves, then store the data on S3 already encrypted. There’s a lot of overhead with this approach, but it’s ideal for the use case described.

Question 19

29. You want to begin encrypting your S3 data, but your organization is new to encryption. Which option is a low-cost approach that still offloads most of the work to AWS rather than the organization new to encryption?

SSE-S3
SSE-KMS
Client-side encryption keys
SSE-C

Answer 19

A. In general, SSE-S3 is the “starter” option for encryption. It’s by no means a simple or amateur approach to security, but it is low cost compared to KMS and has much less overhead than client-side or SSE-C encryption keys.

Question 20

31. Which of the following options could be used to provide availability-zone-resilient fault-tolerant storage that complies with EU privacy laws? (Choose two.)

S3 buckets in US West 1
S3 buckets in EU West 2
S3-IA buckets in EU Central 1
S3 One Zone-IA buckets in EU-West-1

Answer 20

B, C. Option A isn’t valid because US-West isn’t an EU region. Options B and C are valid as they both provide EU regions, and S3 and S3-IA both can survive the loss of an availability zone; option D would not survive the loss of an AZ.

Question 21

36. What is AWS Trusted Advisor?

An online resource to help you improve performance
An online resource to help you reduce cost
An online resource to help you improve security
All of the above

Answer 21

D. AWS Trusted Advisor does all three of the above: improve performance, reduce cost, and improve security.

Question 22

37. On which of the following does AWS Trusted Advisor not provide recommendations?

Reducing cost
Improving fault tolerance
Improving security
Organizing accounts

Answer 22

D. AWS Trusted Advisor provides advice on cost, fault tolerance, performance, and security but does not address account organization.

Question 23

38. Which of the following are included in the core AWS Trusted Advisor checks? (Choose two.)

S3 bucket permissions
MFA on root account
Quantity of CloudWatch alarms
Use of VPC endpoints

Answer 23

A, B. Here, it’s not reasonable to memorize the seven core AWS Trusted Advisor checks. Instead, consider which of these are valid improvements that Trusted Advisor might make. A and B relate to security and permissions, while both C and D are pretty far afield of cost, security, or performance suggestions.

Question 24

40. Which of the following is not possible using IAM policies?

Requiring MFA for the root account
Denying the root account access to EC2 instances
Disabling S3 access for users in a group
Restricting SSH access to EC2 instances to a specific user

Answer 24

B. The only one of these that’s not possible with IAM is denying the root account access to EC2 instances. That’s not possible—with IAM or any other mechanism.

Question 25

41. Which of the following are not true about S3 encryption? (Choose two.) S3 applies AWS-256 encryption to data when server-side encryption is enabled. S3 encryption will use a client key if it is supplied with data. Encrypted EBS volumes can only be stored if server-side encryption is enabled. S3 will accept locally encrypted data if client-side encryption is enabled.

Answer 25

B, C. A is true, and D is true; if you know this, choosing B and C is simple. Otherwise, you need to recognize that just supplying a client key to S3 is not enough; some form of client-side encryption or server-side encryption using client keys must be enabled. EBS volumes can be encrypted outside of S3 and stored regardless of how S3 is encrypting data.

Question 26

42. What types of data are encrypted when you create an encrypted EBS volume? (Choose two.) Data at rest inside the volume Data moving between the volume and the attached instance Data inside S3 buckets that store the encrypted instance Data in an EFS on instances attached to the volume

Answer 26

A, B. There are four types of data encrypted when an EBS volume is encrypted: data at rest on the volume, data moving between the volume and the instance, any snapshots created from the volume, and any volumes created from those snapshots.

Question 27

43. What types of data are not automatically encrypted when you create an encrypted EBS volume? (Choose two.) A snapshot created from the EBS volume Any data on additional volumes attached to the same instance as the encrypted volume Data created on an instance that has the encrypted volume attached Data moving between the volume and the attached instance

Answer 27

B, C. This is tricky, as both answers that involve unencrypted data have some tricky wording. First, B is not a case of encryption; if data never touches the encrypted volume, it is not automatically encrypted. Second, for C, data that is on the instance but never moves to the encrypted volume is also not automatically encrypted.

Question 28

44. What of the following types of data is not encrypted automatically when an encrypted EBS volume is attached to an EC2 instance? Data in transit to the volume Data at rest on the volume Data in transit from the volume All of these are encrypted.

Answer 28

D. All of these are encrypted. Data moving to and from the volume as well as data at rest on the volume are all encrypted.

Question 29

45. What encryption service is used by encrypted EBS volumes? S3-KMS S3-C KMS Customer-managed keys

Answer 29

C. KMS is used as the encryption service, but this is not the S3-KMS that is specific to S3 encryption. You will also sometimes see this KMS referenced as AWS-KMS.

Question 30

48. If you take a snapshot of an encrypted EBS volume, which of the following must you do to use that snapshot as a volume in a separate region? (Choose two.) Copy the snapshot to the new region. Delete the snapshot from the old region. Unencrypt the snapshot once it is in the new region. Create a new volume from the snapshot in the new region.

Answer 30

A, D. The only steps required here are to copy the snapshot to the new region (usually via the console), and then create a new volume from it.

Question 31

51. Which of the following will allow you to bring a non-encrypted RDS instance into compliance with an “all data must be encrypted at rest” policy? Snapshot the RDS instance and restore it, encrypting the new copy upon restoration. Use the AWS Database Migration Service to migrate the data from the instance to an encrypted instance. Create a new encrypted instance and manually move data into it. None of these will encrypt all data on the instance.

Answer 31

C. The only option here is the manual one. You must set up encryption when creating a new instance from scratch (snapshots won’t work) and then move data into it so that this data is encrypted as it moves into the new instance.

Question 32

52. Which of the following will allow you to bring a non-encrypted EBS volume into compliance with an “all data must be encrypted at rest” policy? Stop the volume, snapshot it, and encrypt a copy of the snapshot. Then restore from the encrypted snapshot. Stop the volume, select “Turn on encryption,” and restart the volume. Encrypt the volume via the AWS API and turn on the “encrypt existing data” flag. None of these will encrypt all data on the volume.

Answer 32

A. You cannot encrypt an existing volume “on the fly.” You must create a snapshot and then encrypt that snapshot as you copy it to another, encrypted snapshot. You can then restore from that new snapshot.

Question 33

53. Which of the following will allow you to bring a non-encrypted EBS volume into compliance with an “all data must be encrypted at rest” policy? Stop the volume, create a snapshot, and restart from the snapshot, selecting “Encrypt this volume.” Stop the volume, select “Turn on encryption,” and restart the volume. Encrypt the volume via the AWS API and turn on the “encrypt existing data” flag. None of these will encrypt all data on the volume.

Answer 33

D. None of these will work. The important thing to remember for a question like this is that you must make a copy of an unencrypted snapshot to apply encryption. There is no in-place encryption mechanism for volumes or snapshots.

Question 34

54. Which of the following will allow you to bring a non-encrypted EBS volume into compliance with an “all data must be encrypted at rest” policy? Create a new volume, attach the new volume to an EC2 instance, copy the data from the non-encrypted volume to the new volume, and then encrypt the new volume. Create a new volume with encryption turned on, attach the new volume to an EC2 instance, and copy the data from the non-encrypted volume to the new volume. Create a new volume, attach the new volume to an EC2 instance, and use the encrypted-copy command to copy the data from the non-encrypted volume to the new volume. None of these will encrypt all data on the volume.

Answer 34

B. The only way to encrypt an EBS volume is to encrypt it at creation time. Remembering this one detail will help on lots of questions in this vein.

Question 35

55. Which of the following are valid options on an EBS volume? (Choose two.) Encrypt the volume. Encrypt a snapshot of the volume. Encrypt a copy of a snapshot of the volume. Restore an encrypted snapshot to an encrypted volume.

Answer 35

C, D. You cannot encrypt an existing EBS volume, so A is incorrect. And you cannot encrypt a snapshot that is unencrypted, so B is incorrect. You can encrypt a copy of a snapshot and restore an encrypted snapshot to a volume that is encrypted (C and D).

Question 36

57. Can you copy a snapshot across AWS accounts? Yes Yes, but you first have to modify the snapshot’s access permissions. Yes, but you have to be the owner of both AWS accounts. No

Answer 36

B. You can copy snapshots across accounts, but the default permissions do not allow this. So you have to modify those permissions, and then the snapshot can be copied to any other AWS account, regardless of account owner.

Question 37

59. Can you copy an EBS snapshot across regions? Yes, as long as the snapshot is not encrypted. Yes, as long as the snapshot is marked for multi-region use. Yes No

Answer 37

C. You can copy a snapshot to a different region without any special considerations.

Question 38

61. How many security groups can you attach to a single instance in a VPC? None, security groups aren’t attached to instances. 1 1 or more 2 or more

Answer 38

C. An instance must have a security group but can have more than that.

Question 39

64. What do you use to permit and restrict control of a NACL? VPC WAF AWS Organizations IAM

Answer 39

D. IAM roles and permissions control access to NACLs.

Question 40

69. In which order are NACLs and security groups evaluated? NACLs and security groups are evaluated in parallel. A NACL is evaluated first, and then the security group. A security group is evaluated first, and then the NACL. It depends on the VPC setup.

Answer 40

B. NACLs are always evaluated first because they exist at the border of a subnet. As security groups are attached to instances, they are not processed until traffic passes through the NACL and into the instance’s subnet.

Question 41

70. Which of these statements are true? (Choose two.) A security group can apply to two instances at the same time. A NACL applies to all instances within a subnet at the same time. A security group can apply to only one instance at the same time. A NACL can apply to only one instance at the same time.

Answer 41

A, B. Both security groups and NACLs can—and usually do—apply to multiple instances in a subnet. The NACL applies to all instances within the associate subnet, and a security group can be associated with multiple instances.

Question 42

72. Which of the following are true about the default NACL that comes with the default VPC? (Choose two.) It allows all inbound traffic. It allows all outbound traffic. It disallows all inbound traffic. It disallows all outbound traffic.

Answer 42

A, B. The default NACL allows in and out all traffic, which is somewhat unintuitive. Keep in mind that the default security group disallows inbound traffic, but the default NACL allows that traffic in.

Question 43

73. Which of the following are true about a user-created NACL? (Choose two.) It allows all inbound traffic. It allows all outbound traffic. It disallows all inbound traffic. It disallows all outbound traffic.

Answer 43

C, D. Unlike the default NACL that comes with the default VPC, custom NACLs disallow all inbound and outbound traffic by default.

Question 44

75. Which of the following statements is not true? (Choose two.) A network ACL has separate inbound and outbound rules. Network ACLs are stateful. Each subnet in your VPC must be associated with a NACL. A network ACL can only be associated with a single subnet.

Answer 44

B, D. A and C are true. B is false; NACLs are stateless. D is false, because a NACL can be associated with multiple subnets.

Question 45

78. What happens when you associate a NACL with a subnet that already is associated with a different NACL? Nothing, both NACLs are associated with the subnet. You receive an error. You must remove the first NACL to associate the new one. You receive an error. You must first merge the two NACLs to apply them to a subnet. The new NACL replaces the previous NACL, and the subnet still only has one NACL association.

Answer 45

D. A subnet is associated with a NACL but can only be associated to a single NACL at a time.

Question 46

79. Which of the following are part of a network ACL rule? (Choose two.) An ASCII code A rule number An IAM group A protocol

Answer 46

B, D. NACL rules have a rule number, a protocol, a choice of ALLOW or DENY, and a CIDR range and port or port range for inbound and outbound traffic.

Question 47

80. Which of the following are part of a network ACL rule? (Choose two.) An ALLOW or DENY specification A CIDR range An IP address A VPC identifier

Answer 47

A, B. NACL rules have a rule number, a protocol, a choice of ALLOW or DENY, and a CIDR range and port or port range for inbound and outbound traffic.

Question 48

81. Which of the following inbound rules of a custom NACL would be evaluated first? Rule #800 // HTTP // TCP // 80 // 0.0.0.0/0 -> ALLOW. Rule #100 // HTTPS // TCP // 443 // 0.0.0.0/0 -> ALLOW. Rule * // All // All // All // 0.0.0.0/0 -> DENY. Rule #130 // RDP // TCP // 3389 // 192.0.2.0/24 -> ALLOW.

Answer 48

B. Almost none of this detail actually matters. The only key parameter is the rule number. NACLs evaluate lowest-numbered rules first, so Rule #100 would go first, option B.

Question 49

83. If all of the following inbound rules existed on the default VPC’s default NACL, would SSH traffic be allowed? Rule #800 // HTTP // TCP // 80 // 0.0.0.0/0 -> ALLOW Rule #100 // HTTPS // TCP // 443 // 0.0.0.0/0 -> ALLOW Yes, the default VPC’s default NACL allows all inbound traffic by default. Yes, SSH is included in the HTTPS protocol. Only if the SSH access permission in IAM is granted. No

Answer 49

A. SSH is not explicitly mentioned, but because the question asks about the default NACL on the default VPC, all traffic is allowed in unless explicitly denied.

Question 50

86. Which of the following is the most accurate statement about what the following inbound rule on a NACL will do? Rule #120 // SSH // TCP // 22 // 192.0.2.0/24 -> ALLOW Allows inbound SSH traffic to the associated subnets Allows inbound TCP traffic to the associated subnets Allows inbound TCP traffic to the associated subnets from the CIDR block 192.0.2.0/24 Allows inbound SSH traffic to the associated subnets from the CIDR block 192.0.2.0/24

Answer 50

D. Technically, B and C are correct; SSH is a type of TCP traffic. However, that is not the most specific answer, which is what the question asks. A is partially correct but does not call out the CIDR block limitation that D does. Therefore, D is the most accurate answer.

Question 51

87. Which of the following is the most accurate statement about what the following inbound rule on a NACL will do? Rule #120 // HTTP // TCP // 80 // 0.0.0.0/0 -> ALLOW Allows inbound HTTP traffic to the associated subnets Allows inbound IPv4 HTTP traffic to the associated subnets as long as it is not prevented by lower-numbered rules Allows inbound IPv4 HTTP traffic to the associated subnets Allows inbound IPv4 TCP traffic to the associated subnets

Answer 51

B. The most accurate answer here includes several components: the type of TCP traffic (HTTP), the allowed source CIDR block (the entire Internet), and IPv4. This rule does not explicitly allow IPv6 traffic. Further, this rule is only effective if there are no lower-numbered rules that short-circuit this rule.

Question 52

90. Which of the following rules allows IPv6 outbound traffic to flow to the entire Internet through a NAT gateway with the ID nat-123456789? 0.0.0.0/0 -> NAT -> nat-123456789 ::/0 -> nat-123456789 0.0.0.0/0 -> nat-123456789 ::/0 -> NAT -> nat-123456789

Answer 52

B. ::/0 represents IPv6 addresses, so the answer must be either B or D. The route should go from all IPv6 addresses to the ID of the NAT gateway, which is nat-123456789. There is no intermediate -> NAT that should be inserted into the routes.

Question 53

91. How many availability zones in a single region does a single VPC span? None, VPCs do not span availability zones. One At least two All of them

Answer 53

D. A VPC spans all the availability zones in a region.

Question 54

92. Which of these must be specified when creating a new VPC? (Choose two.) An availability zone A region A CIDR block A security group

Answer 54

B, C. You must always select a region to create a VPC, and you must always provide a CIDR block. VPCs span all the AZs in a region, so that is not required, and security groups are associated at the instance level rather than at the VPC level.

Question 55

93. How many subnets can be added to an availability zone within a VPC? None One One or more At least two

Answer 55

C. For a single VPC, you can add one or more subnets to each availability zone within that VPC.

Question 56

94. To how many availability zones within a region can a single subnet in a VPC be added? None One One or more At least two

Answer 56

B. A subnet cannot span availability zones. It can be added to a single AZ.

Question 57

95. How many availability zones can a subnet span? None One One or more At least two

Answer 57

B. A subnet cannot span availability zones. It can be added to a single AZ and can only exist within that single AZ.

Question 58

96. How many IPv6 CIDR blocks can be assigned to a single VPC? None One One or more At least two

Answer 58

B. A VPC can have a single primary CIDR block assigned to it for IPv4 addresses and an optional IPv6 CIDR block. While you can add secondary IPv4 CIDR blocks, you cannot add additional CIDR blocks for IPv6 at this time.

Question 59

97. How many IPv4 CIDR blocks can be assigned to a single VPC? None One One or more At least two

Answer 59

C. A VPC can have a single primary CIDR block assigned to it for IPv4 addresses and an optional IPv6 CIDR block. However, you can add additional secondary CIDR blocks to a VPC (up to four).

Question 60

98. You have a VPC in US East 1 with three subnets. One of those subnets’ traffic is routed to an internet gateway. What does this make the subnet? A private subnet A restricted subnet The master subnet of that VPC A public subnet

Answer 60

D. Any subnet that routes traffic through an internet gateway is a public subnet by definition.

Question 61

99. You have a public subnet in a VPC and an EC2 instance serving web traffic within that public subnet. Can that EC2 instance be reached via the Internet? Yes Yes, as long as it has a public IPv4 address. Yes, as long as the VPC is marked as public. No

Answer 61

B. Instances in a public subnet are not automatically reachable. They must have either a public IPv4 or IPv6 address (B) or an elastic IP address.

Question 62

100. You have a public subnet within your VPC. Within that subnet are three instances, each running a web-accessible API. Two of the instances are responding to requests from Internet clients, but one is not. What could be the problem? The VPC needs to be marked as public-facing. The three instances should be moved into an Auto Scaling group. There is no internet gateway available for the VPC. The unavailable instance needs an elastic IP.

Answer 62

D. A public subnet, as well as existing Internet-accessible instances, indicates a working internet gateway, so C is not correct. A is not an actual AWS option, and B—Auto Scaling—would not address public accessibility. This leaves D, which is correct: Instances in a public subnet that are intended to be Internet accessible need either a public IP address or an elastic IP address assigned to the instance.

Question 63

101. Which of the following are allowed when creating a new VPC? (Choose two.) An IPv4 CIDR block VPC description An IPv6 CIDR block A security group

Answer 63

A, C. When creating a VPC, you can specify an option name, a required IPv4 CIDR block, and an optional IPv6 CIDR block.

Question 64

102. Which of the following is not a required part of creating a custom VPC? (Choose two.) An IPv6 CIDR block A VPC name A set of VPC tags An IPv4 CIDR block

Answer 64

A, C. When creating a VPC, you can specify an option name, a required IPv4 CIDR block, and an optional IPv6 CIDR block. You cannot assign tags to a VPC at creation time.

Question 65

103. Which of the following defines a subnet as a public subnet? (Choose two.) A security group that allows inbound public traffic A routing table that routes traffic through the internet gateway Instances with public IP addresses An internet gateway

Answer 65

B, D. A public subnet is one in which traffic is routed (via a routing table, B) to an internet gateway (D).

Question 66

105. Which of the following are required components in a VPN-only subnet? (Choose two.) A routing table A virtual private gateway An elastic IP address An internet gateway

Answer 66

A, B. At a minimum, a VPC-only subnet must have a routing table routing traffic and a virtual private gateway to which traffic is routed. Neither elastic IP addresses nor internet gateways are required.

Question 67

106. By default, how many VPCs can you create per region? 1 5 20 200

Answer 67

B. You can only create 5 VPCs per region by default. Creating more requires a request to AWS.

Question 68

107. By default, how many subnets can you create per VPC? 1 5 20 200

Answer 68

D. This is a high number, but accurate: You can create 200 subnets per VPC.

Question 69

108. By default, how many IPv4 CIDR blocks can you create per VPC? 1 5 20 200

Answer 69

B. This is a very hard question, but it can come up, albeit rarely. This limit is your primary CIDR block and then, in addition, 4 secondary CIDR blocks.

Question 70

109. By default, how many elastic IPs can you create per region? 1 5 20 200

Answer 70

B. You’re allowed 5 elastic IP addresses per region, unless you have the default limits raised by AWS.

Question 71

112. An Amazon VPC VPN connection links your on-site network to which of the following? A customer gateway An internet gateway An Amazon VPC A virtual private gateway

Answer 71

C. A VPC VPN connection links your on-site network to a VPC within the AWS cloud.

Question 72

116. You want to ensure that no incoming traffic reaches just the database instances in a particular subnet within your VPC. Which of the following is your best option to prevent this type of traffic? A blacklist A NACL A virtual private gateway A security group

Answer 72

D. Anytime you are protecting or limiting traffic to or from specific instances, a security group is your best choice. Security groups are associated with specific instances, so they can effectively limit traffic to some instances while allowing other instances—using different security groups—to still be accessible.

Question 73

119. If you have a NACL and a security group, at what two levels is security functioning? (Choose two.) The VPN level The service level The subnet level The instance level

Answer 73

C, D. A security group operates at the instance level, and a NACL operates at the subnet level.

Question 74

120. What type of filtering does a security group perform? Stateful Synchronous Whitelist Stateless

Answer 74

A. A security group performs stateful filtering, meaning that traffic allowed in is automatically allowed back out, without the need for an explicit outbound rule.

Question 75

124. You have an instance within a custom VPC, and that instance needs to communicate with an API published by an instance in another VPC. How can you make this possible? (Choose two.) Enable cross-VPC communication via the AWS console. Configure routing from the source instance to the API-serving instance. Add a security group to the source instance. Add an internet gateway or virtual private gateway to the source VPC.

Answer 75

B, D. As long as there is a gateway (internet or virtual private) on the source VPC, and routing through that gateway, an instance in a VPC can communicate with other instances. So in this case, you’d want B and D. There is no “cross-VPC communication” option, and security groups won’t actually help this scenario.

Question 76

125. Which of the following could be used to allow instances within one VPC to communicate with instances in another region? (Choose two.) VPN connections NACLs Internet gateways Public IP addresses

Answer 76

A, D. This is a little difficult, but it comes down to accessibility: How can the target instance be reached? Of the answers available, a public IP would make the target available, as would a VPN connection.

Question 77

132. To which of the following can a VPC endpoint not attach? S3 SNS Internet gateway DynamoDB

Answer 77

C. A VPC endpoint is for attaching to AWS services and explicitly does not require an internet gateway (C).

Question 78

139. For a bastion host intended to provide shell access to your private instances, what protocols should you allow via a security group? SSH and RDP Just SSH Just RDP Just HTTPS

Answer 78

B. Shell access only requires SSH, and you should therefore only allow that protocol. Always allow only what is absolutely required for bastion hosts.

Question 79

140. Which of the following statements about internet gateways is false? They scale horizontally. They are automatically redundant. They are automatically highly available. They scale vertically.

Answer 79

D. Internet gateways scale horizontally, not vertically. They are also redundant and highly available automatically.

Question 80

144. Which of the following is not necessary for an instance to have IPv6 communication over the Internet? A VPC with an associated IPv6 CIDR block A public IPv6 assigned to the instance A subnet with an associated IPv6 CIDR block A virtual private gateway with IPv6 enabled

Answer 80

D. An instance must have IPv6 communication from itself (with a public IP address) through a subnet with IPv6 addresses, in a VPC with IPv6 addresses, to reach the Internet via IPv6. A virtual private gateway is not connected with any of these.

Question 81

149. At what OSI layer does a network load balancer operate? 4 7 4 and 7 6

Answer 81

A. Application load balancers operate at the Application layer, which is layer 7 of the OSI model. ELBs (classic load balancers) operate at the Transport layer, layer 4, as well as layer 7, and network load balancers operate at layer 4 as well.

Question 82

150. At what OSI layer does a classic load balancer operate? 4 7 4 and 7 6

Answer 82

C. Application load balancers operate at the Application layer, which is layer 7 of the OSI model. ELBs (classic load balancers) operate at the Transport layer, layer 4, as well as layer 7, and network load balancers operate at Level 4 as well.

Question 83

153. What type of subnets are the default subnets in the default VPC? Private Hybrid Public Transport

Answer 83

C. By default, subnets in the default VPC are public. The default VPC has an internet gateway attached and the default subnets are public as a result.

Question 84

154. What type of subnets are the default subnets in a custom VPC? Private Hybrid Public Transport

Answer 84

A. By default, subnets in custom VPCs are private. Other than the default VPC, custom VPCs don’t have internet gateways attached by default, and created subnets don’t have public access.

Question 85

155. Which of the following is not automatically created for an instance launched into a non-default subnet? A private IPv4 address A security group A public IPv4 address A route to other instances in the subnet

Answer 85

C. Instances launched into non-default subnets have a private IPv4 address, but not a public one, so C is correct. All instances have a security group created or associated, and instances can always talk to other instances in the subnet by default.

Question 86

158. Which of the following would you use to allow outbound Internet traffic while preventing unsolicited inbound connections? A NAT device A bastion host A VPC endpoint A VPN

Answer 86

A. A NAT device—network address translation—provides routing for instances to an internet gateway but can prevent undesired inbound traffic.

Question 87

157. Which of the following would you need to add or create to allow an instance launched into a default subnet in the default VPC Internet access? A public IPv4 address An internet gateway An elastic IP address None of these

Answer 87

D. Instances launched into default subnets in the default VPC can automatically reach out to the public Internet, as that VPC has an internet gateway and instances get a public IPv4 address.

Question 88

161. Which of the following requires selecting an AMI? (Choose two.) Launching an EC2 instance Backing up an EBS volume Creating an EBS volume Launching a NAT instance

Answer 88

A, D. Instances always require an AMI. In this question, the two instances are EC2 instances (A) and NAT instances (D).

Question 89

164. Which of the following, without proper security, could be most dangerous to your private instances? Bastion host VPC endpoint Internet gateway NAT instance

Answer 89

A. Of these options, only bastion hosts and NAT instances are unmanaged services, making them the only two possible answers. A bastion host typically has SSH routing and permissions to private instances, making it the most important to properly secure. While a NAT instance is usually available to private instances, traffic flows out from the NAT instance and not into the private instances.

Question 90

165. Which of the following could be used as a bastion host? NAT gateway VPC endpoint Internet gateway NAT instance

Answer 90

D. A NAT instance is a candidate for a bastion server. The other options are all managed services.

Question 91

167. You are building out a site-to-site VPN connection from an on-site network to a custom VPC. Which of the following might you need for this connection to function properly? (Choose two.) A NAT instance A DynamoDB instance A private subnet An internet gateway

Answer 91

A, C. A site-to-site connection is going to require a private subnet on the AWS side (C), with private instances within it. Further, you’ll need a NAT instance (A) or similar device to route traffic and receive traffic as a static IP holder.

Question 92

168. With which of the following is an egress-only internet gateway most closely associated? IPv4 IPv6 A NAT instance A NAT gateway

Answer 92

B. An egress-only gateway is for use with IPv6 traffic only.

Question 93

169. You are responsible for securing an EC2 instance with an IPv6 address that resides in a public subnet. You want to allow traffic from the instance to the Internet but restrict access to the instance. Which of the following would you suggest? VPC endpoint Internet gateway Egress-only internet gateway A NAT gateway

Answer 93

C. An egress-only gateway is for use with IPv6 traffic and only allows outbound traffic. A VPC endpoint connects to managed AWS services, and an internet gateway (that isn’t egress only) allows both inbound and outbound traffic. A NAT gateway is for allowing outbound traffic from a private subnet rather than a public subnet.

Question 94

170. You have just created a NAT instance and want to launch the instance into a subnet. Which of these need to be true of the subnet into which you want to deploy? (Choose two.) The subnet is public. The subnet is private. The subnet has routing into the private subnets in your VPC. The subnet has routing to the public subnets in your VPC.

Answer 94

A, C. A NAT instance must be in a public subnet so that it is accessible from the Internet. It also must have access to private instances in private subnets in your VPC.

Question 95

171. Which of the following are true about an egress-only internet gateway? (Choose two.) It only supports IPv4 traffic. It is stateful. It only supports IPv6 traffic. It is stateless.

Answer 95

B, C. Egress-only internet gateways are stateful and support IPv6 traffic. This is a matter of memorization, although you can somewhat reason that the gateway—absent a NACL—allows responses to come back to instances that use it to communicate with the public Internet.

Question 96

172. Which of these would be used as the destination address in a routing table for a VPC that uses an egress-only internet gateway? 0.0.0.0/0 0.0.0.0/16 ::/0 ::/24

Answer 96

C. The most important thing here is to remember that egress-only internet gateways only work with IPv6 addresses. This eliminates A and B. Then, only C addresses the entire public Internet in an IPv6 format.

Question 97

173. Which of the following are true about IPv6 addresses? (Choose two.) They are globally unique. They are in the format x.y.z.w. They require underlying IPv4 addresses. They are public by default.

Answer 97

A, D. IPv6 addresses are public by default (D) because they are globally unique. There is no need to have private IPv6 addresses because the range is so large.

Question 98

174. What is an elastic network interface? (Choose two.) A hardware network interface on an EC2 instance A virtual network interface An interface that can have one or more IPv6 addresses An interface that does not have a MAC address

Answer 98

B, C. An elastic network interface is virtual and can have multiple IPv4 and IPv6 addresses as well as security groups, a MAC address, and a source/destination check flag.

Question 99

175. Which of the following is not part of an elastic network interface? A primary IPv4 address A MAC address A source/destination check flag A NACL

Answer 99

D. An elastic network interface is virtual and can have multiple IPv4 and IPv6 addresses as well as security groups, a MAC address, and a source/destination check flag. NACLs apply to subnets, though, not network interfaces on instances.

Question 100

176. How many network interfaces can a single instance have? None One and only one One or more At least two, up to five

Answer 100

C. An instance has a primary network interface in all cases but can have additional network interfaces attached, so the answer is C, one or more.

Question 101

177. If an elastic network interface is moved from one instance to another, what happens to network traffic directed at the interface? It is redirected to the elastic network interface that has moved to the new instance. It is redirected to the primary network interface on the original instance. It is redirected to the primary network interface on the new instance. It is lost and must be re-sent to the elastic network interface on the new instance.

Answer 101

A. Traffic follows the network interface rather than sticking to any particular instance. So in this case, traffic is redirected to the new instance but stays targeted at the elastic network interface (A).

Question 102

178. To how many instances can an elastic network interface be attached? One and only one One or more One at a time, but it can be moved from one instance to another. Up to five

Answer 102

C. An elastic network interface can only be attached to a single instance at one time but can be moved from one instance to another.

Question 103

179. Which of these is not a reason to attach multiple network interfaces to an instance? You are creating a management network. You are attempting to increase network throughput to the instance. You need a high-availability solution and have a low budget. You need dual-homed instances.

Answer 103

B. You actually can’t increase network throughput with multiple interfaces, making B false. All three other options are legitimate reasons to attach multiple interfaces to an instance.

Question 104

180. Which of the following can you not do with regard to network interfaces? Detach a secondary interface from an instance. Attach an elastic network interface to an instance with an existing interface. Detach a primary interface from an instance. Attach an elastic network interface to a different instance than originally

Answer 104

C. An instance’s primary network interface cannot be detached (C), making that the correct answer. You can detach secondary interfaces (A), attach multiple interfaces (B), and move network interfaces (D).

Question 105

181. Which of the following is not a valid attribute for an elastic network interface? An IPv6 address An IPv4 address A source/destination check flag A routing table

Answer 105

D. Elastic network interfaces do not have routing tables, but they do have (or can have) IPv4 and IPv6 addresses and a source/destination check flag.

Question 106

182. Why might you use an elastic IP address? You need an IPv4 address for a specific instance. You need an IPv6 address for a specific instance. You want to mask the failure of an instance to network clients. You want to avoid making changes to your security groups.

Answer 106

C. Elastic IP addresses are specifically for avoiding being tied to a specific instance, so A and B are not correct. Security groups are typically not associated with a specific IP address (D). This leaves C, a valid reason for an elastic IP address: It can move from one instance (if the instance fails) to another.

Question 107

184. Which of the following are advantages of an elastic IP? (Choose two.) Reduces the number of IP addresses your VPC uses Provides protection in case of an instance failure Allows all attributes of a network interface to be moved at one time Provides multiple IP addresses for a single instance

Answer 107

B, C. An elastic IP can mask the failure of an instance (B) by moving traffic to another running instance transparently. It also allows all the network interface attributes to be moved at one time (C).

Question 108

186. Which of these is not a valid means of working with an Amazon EBS snapshot? The AWS API The AWS CLI The AWS console The AWS EBS management tool

Answer 108

D. There is not such thing as an “EBS management tool” separate from the AWS API, CLI, and console.

Question 109

187. Where are individual instances provisioned? In a VPC In a region In an availability zone In an Auto Scaling group

Answer 109

C. Although instances exist in a region and VPC, and can be part of an Auto Scaling group, they are provisioned into specific availability zones (C).

Question 110

188. How are EBS snapshots backed up to S3? Incrementally In full, every time they are changed EBS snapshots are backed up to RDS. Sequentially

Answer 110

A. EBS snapshots are backed up to S3 incrementally.

Question 111

191. How can you attach multiple IAM roles to a single instance? (Choose two.) You can attach as many roles as you want to an instance. You cannot, but you can combine the policies each role uses into a single new role and assign that. You can assign two IAM roles to an instance, but no more than that. You cannot; only one role can be assigned to an instance.

Answer 111

B, D. You can only assign a single role to an instance (D), but you can also create a new role that combines the desired policies (B).

Question 112

194. How can you delete a snapshot of an EBS volume when it’s used as the root device of a registered AMI? You can’t. You can, but only using the AWS API or CLI. Delete the snapshot using the AWS console. Ensure that you have correct IAM privileges and delete the AMI.

Answer 112

A. If a snapshot is the root device of a registered AMI, it cannot be deleted.

Question 113

192. You need to make a change to a role attached to a running instance. What do you need to do to ensure the least amount of downtime? (Choose two.) Update the IAM role via the console or AWS API or CLI. Re-attach the updated role to the instance. Restart the instance. Other than updating the role, no additional changes are needed.

Answer 113

A, D. You always need to make the actual role changes (A). There are then no more actions required for these changes to take effect on the instances.

Question 114

194. How can you delete a snapshot of an EBS volume when it’s used as the root device of a registered AMI? You can’t. You can, but only using the AWS API or CLI. Delete the snapshot using the AWS console. Ensure that you have correct IAM privileges and delete the AMI.

Answer 114

A. If a snapshot is the root device of a registered AMI, it cannot be deleted.

Question 115

195. Which of these is the best option for encrypting data at rest on an EBS volume? Configure the volume’s encryption at creation time. Configure AES 256 encryption on the volume once it’s been started. Configure encryption using the OS tools on the attached EC2 instance. Back up the data in the volume to an encrypted S3 bucket.

Answer 115

A. Encryption can only be applied to EBS volumes at creation time, so A is correct.

Question 116

196. How can you ensure that an EBS root volume persists beyond the life of an EC2 instance, in the event that the instance is terminated? The volume will persist automatically. Configure the EC2 instance to not terminate its root volume and the EBS volume to persist. You cannot; root volumes always are deleted when the attached EC2 instance is terminated. Ensure that encryption is enabled on the volume and it will automatically persist.

Answer 116

B. By default, root volumes do get deleted when the associated instance terminates. However, you can configure this to not be the case using the AWS console or CLI (B).

Question 117

198. Which of the following should you attempt to automate, according to the AWS well- architected framework? (Choose two.) Security best practices Scaling instances Responses to security events IAM policy creation

Answer 117

A, C. The well-architected framework recommends automating security best practices and responses to security events.

Question 118

201. For which of the following is AWS not responsible for security? Networking infrastructure RDS database installations S3 buckets Networking traffic

Answer 118

D. AWS is responsible for networks, but not the actual traffic across those networks (D).

Question 119

202. For which of the following are you not responsible for security? DynamoDB Operating system configuration Server-side encryption Application keys

Answer 119

A. AWS manages DynamoDB as a managed service. All the other options are your responsibility as a customer of AWS.

Question 120

203. Which of the following is not included in the well-architected framework’s definition of security? Data protection Infrastructure protection Reduction of privileges Defective controls

Answer 120

C. The well-architected framework includes four areas for security in the cloud: data protection, infrastructure protection, privilege management, and defective controls.

Question 121

204. Which of the following is a principle of the well-architected framework’s security section? Encrypt the least amount of data possible. Always encrypt the most important data. Encrypt everything where possible. Encrypt data at rest.

Answer 121

C. The well-architected framework suggests encrypting everything where possible, whether it is at rest or in transit.

Question 122

206. Who is responsible for encrypting data in the cloud? You AWS AWS provides mechanisms such as key rotation for which they are responsible, but you are responsible for appropriate usage of those mechanisms. AWS provides an API, but you are responsible for security when using that API.

Answer 122

C. While you are ultimately responsible for the security of your data, AWS provides and accepts responsibility for tools to enable security.

Question 123

209. Which of the following can be part of a strategy to avoid accidental data overwriting of S3 data? IAM roles MFA Delete Versioning All of these

Answer 123

D. S3 data can be protected via MFA Delete and versioning, both of which provide a layer of protection against accidental deletes. Additionally, IAM roles can ensure that only those who should be able to delete data can delete data.

Question 124

210. Which of the following should always be done to protect your AWS environment? (Choose two.) Enable MFA on the root account. Enable MFA Delete on your S3 buckets. Set a password rotation policy for users. Create custom IAM roles for all users.

Answer 124

A, C. All of these options are valid, but only two should be done for all environments: enabling MFA on the root account and setting a password rotation policy. Enabling MFA Delete on S3 is a good idea but may not apply to all situations. Further, not all users may need an IAM role; some, for example, are fine with the default roles.

Question 125

211. At what level does infrastructure protection exist in AWS? The physical hardware layer OSI layer 4 The VPC layer OSI layer 7

Answer 125

C. AWS infrastructure operates at the VPC layer and is almost entirely virtual.

Question 126

212. Which of the following might be used to detect or identify a security breach in AWS? (Choose two.) CloudWatch CloudFormation CloudTrail Trusted Advisor

Answer 126

A, C. CloudWatch and CloudTrail both provide monitoring and logging, both of which can identify security breaches. CloudFormation is a deployment mechanism, and Trusted Advisor can identify potential holes, but not actual breaches.

Question 127

214. Which of the following AWS services is associated with privilege management? Internet gateway S3-IA CloudTrail MFA

Answer 127

D. MFA is Multi-Factor Authentication, which adds a layer of protection related to privilege management.

Question 128

215. Which of the following AWS services is associated with identifying potential security holes? Trusted Advisor CloudFormation Security Detector Security Advisor

Answer 128

A. Trusted Advisor is AWS’s service for looking at your system and finding standard “holes” in your infrastructure that might allow for security breaches and then to suggest remediation.

Question 129

218. Which of the following is not one of the security principles recommended by AWS’s well-architected framework? Automate security best practices. Enable traceability. Apply security at the highest layers. Protect data in transit and at rest.

Answer 129

C. C is a misstatement of the correct principle; apply security at all layers. Security should be present at all layers, not just at the highest layers.

Question 130

219. Which of the following is one of the security principles recommended by AWS’s well-architected framework? Make sure all users have passwords. Only protect data at rest. Turn on MFA Delete for S3 buckets. Keep people away from data.

Answer 130

D. While A and C are both good ideas, they are more specific than the well-architected framework’s principles. B is a part of a principle, but data should be protected at rest and in transit. This leaves D, and people should be kept away from direct access to data. Instead, tools and APIs should provide a layer between users and data.

Question 131

220. The AWS’s well-architected framework defines five areas to consider with respect to security. Choose the two that are part of this set. (Choose two.) Identity and Access Management User management Virtual private networks Incident response

Answer 131

A, D. The five areas are Identity and Access Management (A), detective controls, infrastructure protection, data protection, and incident response (D).

Question 132

222. Which of the following statements about the root account in an AWS account are true? (Choose two.) It is the first account created. It is ideal for everyday tasks. It is intended primarily for creating other users and groups. It has access keys that are important to keep.

Answer 132

A, C. The root account is the first account in every account (A), but it should only be used for creating other users and groups (C). It is not intended for everyday tasks (B), and once account setup is complete, you are encouraged by AWS to delete any access keys (D).

Question 133

223. Which of the following are appropriate password policy requirements? (Choose two.) Maximum length Recovery Minimum length Complexity

Answer 133

C, D. A good password policy has minimum length and complexity requirements.

Question 134

225. Which of the following provide a means of federating users from an existing organization? (Choose two.) SAML 2.0 Web identities LDAP UML 2.0

Answer 134

A, B. SAML 2.0 and web identities both provide a means of working with an existing organizational identity provider.

Question 135

228. What is an AWS Organizations SCP? Service control policy Service control permissions Standard controlling permissions Service conversion policy

Answer 135

A. An SCP in AWS Organizations is a service control policy and can be applied to an organizational unit (OU) to affect all users within that OU. It effectively applies permissions at an organizational level, much the way that a group applies them at a user level.

Question 136

229. To which of the following constructs is an AWS Organizations SCP applied? To a service control policy To an IAM role To an organizational unit To a SAML user store

Answer 136

C. Service control policies (SCPs) are applied to OUs (organizational units) in AWS Organizations.

Question 137

230. Which of the following can be used to centrally control AWS services across multiple AWS accounts? A service control policy An organizational unit An LDAP user store IAM roles

Answer 137

A. Service control policies (SCPs) provide for working across AWS accounts (A). Organizational units (OUs) are groupings of accounts, and IAM roles are applied to users and groups, not cross-account structures.

Question 138

231. What AWS service would you use for managing and enforcing policies for multiple AWS accounts? AWS Config AWS Trusted Advisor AWS Organizations IAM

Answer 138

C. AWS Organizations offers a means of organizing and managing policies that span AWS accounts.

Question 139

232. Which of the following does AWS provide to increase privacy and control network access? Network firewalls built into Amazon VPC Encryption in transit with TLS across all services Connections that enable private and dedicated connections from an on-premises environment All of these You

Answer 139

D. AWS provides all of the above options as a means of providing security of the AWS environment.

Question 140

233. You have an application that uses S3 standard for storing large data. Your company wants to ensure that all data is encrypted at rest while avoiding adding work to your current development sprints. Which S3 encryption solution should you use? SSE-C SSE-S3 SSE-KMS Amazon S3 Encryption Client

Answer 140

B. SSE-S3 offers encryption at rest while deferring key management to AWS. SSE-KMS does the same but has a higher cost and is more suitable for stringent auditing. The other two options involve work on the client side, which the question states is undesirable.

Question 141

234. You are the architect of an application that allows users to send private messages back and forth. You want to ensure encryption of the messages when stored in S3 and a strong auditing trail in case of a breach. You also want to capture any failed attempts to access data. What Amazon encryption solution would you use? SSE-C SSE-S3 SSE-KMS Amazon S3 Encryption Client

Answer 141

C. SSE-KMS is the best solution for any encryption problem that requires a strong audit trail.

Question 142

235. Your company has just hired three new developers. They need immediate access to a suite of AWS services. What is the best approach to giving these developers access? Give the developers the admin credentials and change the admin password when they are finished for the day. Create a new IAM user for each developer and assign the required permissions to each user. Create a new IAM user for each developer, create a single group with the required permissions, and assign each user to that group. Create a new SCP and assign the SCP to an OU with each user’s credentials within that OU.

Answer 142

C. New users should be given a new IAM user, and when permissions are the same across users, a group should be used instead of individually assigning permissions.

Question 143

237. Which of the following provides SSL for data in transit? S3 standard S3 One Zone-IA Glacier All of these

Answer 143

D. All S3 storage classes provide SSL for data at transit as well as encryption of data at rest.

Question 144

240. Which of the following is not one of the types of services that AWS offers, according to the shared responsibility model? Infrastructure services Managed services Containers services Abstracted services

Answer 144

B. This is pretty tough unless you’ve read the AWS shared responsibility white papers and FAQs. It’s really a matter of memorization and knowing that while AWS uses the term managed services in lots of areas, that term is not used in the shared responsibility model as one of the core types of services.

Question 145

241. For which of the following are you not responsible for security? Operating systems Credentials Virtualization infrastructure AMIs

Answer 145

C. AWS is responsible for the security of virtualization infrastructure. All other items in this list are your responsibility. As a hint on questions like this and related to the AWS shared responsibility model, AWS is typically responsible for anything with the word infrastructure, although there are some exclusions (for example, application infrastructure).

Question 146

242. Which of the following is used to allow EC2 instances to access S3 buckets? IAM role IAM policy IAM user AWS organizational unit

Answer 146

A. An IAM role is assumed by an EC2 instance when it needs to access other AWS services, and that role has permissions associated with it. While these permissions are formally defined in a policy (B), it is the role that is used by the instance for actual service access.

Question 147

243. You have a task within a Docker container deployed via AWS ECS. The application cannot access data stored in an S3 bucket. What might be the problem? (Choose two.) The IAM role associated with the task doesn’t have permissions to access S3. The task is not in a security group with inbound access allowed from S3. The task does not have access to an S3 VPC endpoint. There is no policy defined to allow ECS tasks to access S3.

Answer 147

A, D. Just as is the case with a compute instance (EC2), a task in a container needs an IAM role with permissions to access S3 (A), which in turn requires a policy specifying a permission that lets ECS tasks access S3 (D). Both of these are required to ensure access. Security groups apply to network traffic and would not affect S3 access, and while a VPC endpoint could be used (C), it is not required.

Question 148

244. What is the default security on a newly created S3 bucket? Read-only Read and write is permitted from EC2 instances in the same region. Completely private, reads and writes are disallowed. There is no policy defined to allow ECS tasks to access S3.

Answer 148

C. By default, newly created S3 buckets are private. They can only be accessed by a user that has been granted explicit access.