Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

AWS Study Deck - SAA > Chapter 8 - Security and Compliance > Flashcards

Chapter 8 - Security and Compliance Flashcards

1
Q

What protection Aws Shield provide?

  1. Block common attack patterns, such as SQL injection or cross-site scripting
  2. Protection against Distributed Denial of Service (DDoS) attacks
  3. Protection against In-Transit data spoofing Protection against EC2 hacking
  4. Protection against encryption key loss
A
  1. Block common attack patterns, such as SQL injection or cross-site scripting
  2. Protection against Distributed Denial of Service (DDoS) attacks
  3. Protection against In-Transit data spoofing Protection against EC2 hacking
  4. Protection against encryption key loss
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What is difference between AWS Shield Standard and AWS Shield Advanced? Choose 2.

  1. AWS Shield Standard provides protection for all AWS customers against common and most frequently occurring infrastructure (layer 3 and 4) attacks like SYN/UDP floods, reflection attacks.
  2. AWS Shield Advanced provides protection for all AWS customers against common and most frequently occurring infrastructure (layer 3 and 4) attacks like SYN/UDP floods, reflection attacks.
  3. AWS Shield Standard provides enhanced protections for your applications running on protected Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Route 53 resources against more sophisticated and larger attacks.
  4. AWS Shield Advanced provides enhanced protections for your applications running on protected Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Route 53 resources against more sophisticated and larger attacks.
A
  1. AWS Shield Standard provides protection for all AWS customers against common and most frequently occurring infrastructure (layer 3 and 4) attacks like SYN/UDP floods, reflection attacks.
  2. AWS Shield Advanced provides protection for all AWS customers against common and most frequently occurring infrastructure (layer 3 and 4) attacks like SYN/UDP floods, reflection attacks.
  3. AWS Shield Standard provides enhanced protections for your applications running on protected Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Route 53 resources against more sophisticated and larger attacks.
  4. AWS Shield Advanced provides enhanced protections for your applications running on protected Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Route 53 resources against more sophisticated and larger attacks.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Which AWS service lets you monitor the HTTP and HTTPS requests that are forwarded to an Amazon API Gateway, Amazon CloudFront or an Application Load Balancer and gives you control over which traffic to allow or block to your web applications by defining customizable web security rules?

  1. AWS Shield
  2. AWS Cloudtrail
  3. AWS Cloudwatch
  4. AWS WAF
A
  1. AWS Shield
  2. AWS Cloudtrail
  3. AWS Cloudwatch
  4. AWS WAF
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What are the different conditions you can define in AWS WAF to watch for in web requests? Choose 4.

  1. Cross-site scripting: Scripts that are likely to be malicious. Attackers embed scripts that can exploit vulnerabilities in web applications.
  2. IP addresses or address ranges, country or geographical location that requests originate from.
  3. Length of specified parts of the request, such as the query string. Strings that appear in the request.
  4. User credentials authentication.
  5. SQL injection: SQL code that is likely to be malicious. Attackers try to extract data from your database by embedding malicious SQL code in a web request.
A
  1. Cross-site scripting: Scripts that are likely to be malicious. Attackers embed scripts that can exploit vulnerabilities in web applications.
  2. IP addresses or address ranges, country or geographical location that requests originate from.
  3. Length of specified parts of the request, such as the query string. Strings that appear in the request.
  4. User credentials authentication.
  5. SQL injection: SQL code that is likely to be malicious. Attackers try to extract data from your database by embedding malicious SQL code in a web request.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Which Amazon service offers threat detection that enables you to continuously monitor and protect your AWS accounts and workloads by continuously analyzing streams of meta-data generated from your account and network activity found in AWS CloudTrail Events, Amazon VPC Flow Logs, and DNS Logs?

  1. AWS WAF
  2. AWS Shield
  3. Amazon GuardDuty
  4. Amazon Macie
A
  1. AWS WAF
  2. AWS Shield
  3. Amazon GuardDuty
  4. Amazon Macie
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

What is Rate-based Rule in AWS WAF? Choose 2.

  1. Allows you to specify the number of web requests that are allowed by a client IP in a trailing, continuously updated, 15 minute period.
  2. Allows you to specify the number of web requests that are allowed by a client IP in a trailing, continuously updated, 5 minute period.
  3. If an IP address breaches the configured limit, new requests will be blocked until the request rate falls below the configured threshold.
  4. If an IP address breaches the configured limit, new requests will be blocked for 5 minutes.
A
  1. Allows you to specify the number of web requests that are allowed by a client IP in a trailing, continuously updated, 15 minute period.
  2. Allows you to specify the number of web requests that are allowed by a client IP in a trailing, continuously updated, 5 minute period.
  3. If an IP address breaches the configured limit, new requests will be blocked until the request rate falls below the configured threshold.
  4. If an IP address breaches the configured limit, new requests will be blocked for 5 minutes.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What is AWS security shared responsibility model? Choose 3.

  1. Security of the cloud – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.
  2. AWS compliance programs doesn’t includes testing by third party auditors who verify the effectiveness of security.
  3. Security in the cloud – Your responsibility is determined by the AWS service that you use. This determines the amount of configuration work the customer must perform as part of their security responsibilities.
  4. Security in the cloud -You are also responsible for other factors including the sensitivity of your data, your organization’s requirements, and applicable laws and regulations.
A
  1. Security of the cloud – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.
  2. AWS compliance programs doesn’t includes testing by third party auditors who verify the effectiveness of security.
  3. Security in the cloud – Your responsibility is determined by the AWS service that you use. This determines the amount of configuration work the customer must perform as part of their security responsibilities.
  4. Security in the cloud -You are also responsible for other factors including the sensitivity of your data, your organization’s requirements, and applicable laws and regulations.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What are the different types of policy types available in AWS? Choose 6.

  1. Identity-based policies
  2. Certificate based policies
  3. Resource-based policies
  4. Permissions boundaries
  5. User Policies
  6. Organizations SCPs
  7. Access control lists (ACLs)
  8. Session policies
A
  1. Identity-based policies
  2. Certificate based policies
  3. Resource-based policies
  4. Permissions boundaries
  5. User Policies
  6. Organizations SCPs
  7. Access control lists (ACLs)
  8. Session policies
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Based on recent pattern of brute attack on your web site, you have analyzed that the requests come from 192.0.2.44 and they contain the value BadBot in the User-Agent header. You just don’t want to block the ip-address but want to block it only when there is more than 1000 requests from the ip in a duration of 5 minutes. How can you set up this rule?

  1. Create a rate based rule in AWS Shield
  2. Create a rate based rule in AWS Firewall Manager
  3. Create a rate based rule in AWS WAF
  4. Create a rate based rule in EC2
A
  1. Create a rate based rule in AWS Shield
  2. Create a rate based rule in AWS Firewall Manager
  3. Create a rate based rule in AWS WAF
  4. Create a rate based rule in EC2
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

How can you use WAF Rate-based rule to limit access to certain parts of your web login page? Choose from following rate-based rule configuration: String match Condition settings:

    1. The “Part of the request to filter” on is URI.
    1. The “Match Type” is Starts with.
    1. A “Value to match” is login
  • Rate limit setting:
    1. A Rate limit of 1000. IP match Condition settings:
    1. Specify the IPv4 address 192.0.2.44/32.
  1. 1,2,3,4
  2. 13,4,5
  3. 3,4,5
  4. 2,3,4,5
A
  1. 1,2,3,4
  2. 13,4,5
  3. 3,4,5
  4. 2,3,4,5
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Which AWS service simplifies your AWS WAF, AWS Shield Advanced, and Amazon VPC security group’s administration and maintenance tasks across multiple accounts and resources?

  1. AWS System Manager
  2. AWS Trusted Advisor
  3. AWS Firewall Manager
  4. AWS Security
A
  1. AWS System Manager
  2. AWS Trusted Advisor
  3. AWS Firewall Manager
  4. AWS Security
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Which AWS Directory Service is a Microsoft Active Directory compatible directory that is powered by Samba 4 and hosted on the AWS cloud?

  1. AWS Managed Microsoft AD
  2. AD Connector
  3. Amazon Cloud Directory
  4. Simple AD
A
  1. AWS Managed Microsoft AD
  2. AD Connector
  3. Amazon Cloud Directory
  4. Simple AD
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Which AWS Directory Service provides an easy way to connect compatible AWS applications to your existing on-premises Microsoft Active Directory?

  1. AWS Managed Microsoft AD
  2. AD Connector
  3. Amazon Cloud Directory
  4. Amazon Cognito
A
  1. AWS Managed Microsoft AD
  2. AD Connector
  3. Amazon Cloud Directory
  4. Amazon Cognito
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Which AWS Directory Service is best choice if you have more than 5,000 users and need a trust relationship set up between an AWS hosted directory and your on-premises directories?

  1. AWS Managed Microsoft AD
  2. AD Connector
  3. Amazon Cloud Directory
  4. Simple AD
A
  1. AWS Managed Microsoft AD
  2. AD Connector
  3. Amazon Cloud Directory
  4. Simple AD
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Your company has around 3000 users and want to use Microsoft Active Directory compatible features to manage their EC2 instances running Windows and other AWS applications such as Amazon workspaces, Amazon Workdocs or Amazon WorkMail. You don’t want to set a trust relationship with on-premise AD. Which AWS service will you use?

  1. AWS Managed Microsoft AD
  2. AD Connector
  3. Amazon Cloud Directory
  4. Simple AD
A
  1. AWS Managed Microsoft AD
  2. AD Connector
  3. Amazon Cloud Directory
  4. Simple AD
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

How is web identity federation i.e. providing access to externally authenticated users supported in AWS? Choose 3.

  1. Using Amazon Cognito as an identity broker which does much of the federation work.
  2. If you are creating a mobile app or web-based app it blocks users who have Login with Amazon, Facebook, Google, or any OpenID Connect (OIDC) compatible identity provider.
  3. You can create a mobile app or web-based app that can let users identify themselves through an Internet identity provider like Login with Amazon, Facebook, Google, or any OpenID Connect (OIDC) compatible identity provider, the app can use federation to access AWS.
  4. Using Web Identity Federation API Operations for Mobile Apps.
A
  1. Using Amazon Cognito as an identity broker which does much of the federation work.
  2. If you are creating a mobile app or web-based app it blocks users who have Login with Amazon, Facebook, Google, or any OpenID Connect (OIDC) compatible identity provider.
  3. You can create a mobile app or web-based app that can let users identify themselves through an Internet identity provider like Login with Amazon, Facebook, Google, or any OpenID Connect (OIDC) compatible identity provider, the app can use federation to access AWS.
  4. Using Web Identity Federation API Operations for Mobile Apps.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

What are IAM Identity-based and Resource-based Policies? Choose 2.

  1. Identity-based policies are permissions policies that you attach to an IAM identity, such as an IAM user, group, or role.
  2. Resource-based policies are permissions policies that you attach to a resource such as an Amazon S3 bucket or an IAM role trust policy.
  3. Identity-based policies are permissions policies that you attach to an IAM identity, such an Amazon S3 bucket or an IAM role trust policy.
  4. Resource-based policies are permissions policies that you attach to a resource such as an IAM user, group, or role.
A
  1. Identity-based policies are permissions policies that you attach to an IAM identity, such as an IAM user, group, or role.
  2. Resource-based policies are permissions policies that you attach to a resource such as an Amazon S3 bucket or an IAM role trust policy.
  3. Identity-based policies are permissions policies that you attach to an IAM identity, such an Amazon S3 bucket or an IAM role trust policy.
  4. Resource-based policies are permissions policies that you attach to a resource such as an IAM user, group, or role.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

How many types of IAM Identity Managed policies are there? Choose 2.

  1. Inline policies
  2. AWS managed policies
  3. Resource-based policies
  4. Customer managed policies
A
  1. Inline policies
  2. AWS managed policies
  3. Resource-based policies
  4. Customer managed policies
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

What is a principal in AWS IAM terms? Choose 2.

  1. A person that uses the AWS account root user, an IAM user, or an IAM role to sign in and make requests to AWS.
  2. An application that uses the AWS account root user, an IAM user, or an IAM role to sign in and make requests to AWS.
  3. An encryption API that uses the AWS account root user, an IAM user, or an IAM role to sign in and make requests to AWS.
  4. A replication service that uses the AWS account root user, an IAM user, or an IAM role to sign in and make requests to AWS.
A
  1. A person that uses the AWS account root user, an IAM user, or an IAM role to sign in and make requests to AWS.
  2. An application that uses the AWS account root user, an IAM user, or an IAM role to sign in and make requests to AWS.
  3. An encryption API that uses the AWS account root user, an IAM user, or an IAM role to sign in and make requests to AWS.
  4. A replication service that uses the AWS account root user, an IAM user, or an IAM role to sign in and make requests to AWS.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

Choose IAM best practices which should be followed? Choose 4.

  1. Use Roles for Applications That Run on Amazon EC2 Instances
  2. Share user credentials to delegate permissions
  3. Use Roles to Delegate Permissions
  4. Enable MFA for Privileged Users
  5. Do Not Share Access Keys
  6. Store access keys in your application configuration file
A
  1. Use Roles for Applications That Run on Amazon EC2 Instances
  2. Share user credentials to delegate permissions
  3. Use Roles to Delegate Permissions
  4. Enable MFA for Privileged Users
  5. Do Not Share Access Keys
  6. Store access keys in your application configuration file
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

What are the scenarios when you should create an IAM ‘user’ instead of a ‘role’? Choose 3.

  1. You’re creating an application that runs on an Amazon Elastic Compute Cloud (Amazon EC2) instance and that application makes requests to other AWS resources.
  2. You created an AWS account and you’re the only person who works in your account.
  3. Other people in your group need to work in your AWS account, and your group is using no other identity mechanism.
  4. You want to use the command-line interface (CLI) to work with AWS.
  5. Users in your company are authenticated in your corporate network and want to be able to use AWS without having to sign in again.
A
  1. You’re creating an application that runs on an Amazon Elastic Compute Cloud (Amazon EC2) instance and that application makes requests to other AWS resources.
  2. You created an AWS account and you’re the only person who works in your account.
  3. Other people in your group need to work in your AWS account, and your group is using no other identity mechanism.
  4. You want to use the command-line interface (CLI) to work with AWS.
  5. Users in your company are authenticated in your corporate network and want to be able to use AWS without having to sign in again.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

An IAM user with administrator permissions is not the same thing as the AWS account root user.

  1. True
  2. False
A
  1. True
  2. False
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

What are the different ways to access AWS depending on user credentials? Choose 4.

  1. Access Keys
  2. Console password
  3. SSH keys for use with CodeCommit
  4. Server Certificate
  5. Telnet Putty
A
  1. Access Keys
  2. Console password
  3. SSH keys for use with CodeCommit
  4. Server Certificate
  5. Telnet Putty
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

Which statements are true about IAM users? Choose 4.

  1. By default, a brand new IAM user has no permissions to do anything.
  2. You could use an ARN to specify the user as a Principal in an IAM policy. Arn: aws: iam: account-ID-without-hyphens: user/James.
  3. By default, a brand new IAM user has administrator permissions to do anything.
  4. Each IAM user can be associated with more than one AWS account.
  5. An IAM user can represent a person or an application that uses its credentials to make AWS requests.
  6. Each IAM user is associated with one and only one AWS account.
A
  1. By default, a brand new IAM user has no permissions to do anything.
  2. You could use an ARN to specify the user as a Principal in an IAM policy. Arn: aws: iam: account-ID-without-hyphens: user/James.
  3. By default, a brand new IAM user has administrator permissions to do anything.
  4. Each IAM user can be associated with more than one AWS account.
  5. An IAM user can represent a person or an application that uses its credentials to make AWS requests.
  6. Each IAM user is associated with one and only one AWS account.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
What signature versions are supported by AWS? Choose 2. 1. Signature Version 1 2. Signature Version 2 3. Signature Version 3 4. Signature Version 4 5. Signature Version 5
1. Signature Version 1 2. **Signature Version 2** 3. Signature Version 3 4. **Signature Version 4** 5. Signature Version 5
26
# Choose ways you can change the permissions for an IAM user in your AWS account? 1. By changing its group memberships 2. By copying permissions from an existing user 3. By attaching policies directly to a user 4. By setting a permissions boundary 5. All of the above
1. By changing its group memberships 2. By copying permissions from an existing user 3. By attaching policies directly to a user 4. **By setting a permissions boundary** 5. All of the above
27
Which statements are true for IAM groups? Choose 3. 1. A group can contain many users, and a user can belong to multiple groups. 2. Groups can't be nested; they can contain only users, not other groups. 3. Groups can be nested; they can contain only users, not other groups. 4. There's no default group that automatically includes all users in the AWS account. If you want to have a group like that, you need to create it and assign each new user to it. 5. Groups can't be nested; they can contain only roles, not other groups. 6. A group can contain many roles, and a role can belong to multiple groups.
1. **A group can contain many users, and a user can belong to multiple groups.** 2. **Groups can't be nested; they can contain only users, not other groups.** 3. Groups can be nested; they can contain only users, not other groups. 4. **There's no default group that automatically includes all users in the AWS account. If you want to have a group like that, you need to create it and assign each new user to it.** 5. Groups can't be nested; they can contain only roles, not other groups. 6. A group can contain many roles, and a role can belong to multiple groups.
28
A group is not truly an "identity" in IAM because it cannot be identified as a Principal in a permission policy. It is simply a way to attach policies to multiple users at one time. 1. True 2. False
1. **True** 2. False
29
An IAM role is not an IAM identity that you can create in your account that has specific permissions. 1. True 2. False
1. True 2. **False**
30
Roles can be used by the following. 1. An IAM user in the same AWS account as the role. 2. An IAM user in a different AWS account than the role. 3. A web service offered by AWS such as Amazon Elastic Compute Cloud (Amazon EC2). 4. An external user authenticated by an external identity provider (IdP) service that is compatible with SAML 2.0 or OpenID Connect, or a custom-built identity broker. 5. All of the above.
1. An IAM user in the same AWS account as the role. 2. An IAM user in a different AWS account than the role. 3. A web service offered by AWS such as Amazon Elastic Compute Cloud (Amazon EC2). 4. An external user authenticated by an external identity provider (IdP) service that is compatible with SAML 2.0 or OpenID Connect, or a custom-built identity broker. 5. **All of the above.**
31
Delegation of a role involves setting up a trust between the account that owns the resource (the trusting account), and the account that contains the users that need to access the resource (the trusted account). The trusted and trusting accounts can be any of the following. Choose 3: 1. The same account. 2. It can never be in two accounts owned by different organization. 3. Separate accounts that are both under your organization's control. 4. Two accounts owned by different organizations.
1. **The same account.** 2. It can never be in two accounts owned by different organization. 3. **Separate accounts that are both under your organization's control.** 4. **Two accounts owned by different organizations.**
32
Assuming that for a live web application you are maintaining two AWS accounts to isolate development and production environment. Development account users are assigned to two IAM groups of Testers and Developers. Some of the users in development account belonging to Developer user group will require access to production environment. What steps you will take to leverage IAM Roles so that some of the users in the Developer group in development account environment will have cross account access to production account environment? Choose 3. 1. In the production account use IAM to create a role in that account and defines a trust policy that specifies the development account as a Principal. Also defines a permissions policy for the role that specifies which role users have read and write permissions to AWS resources. 2. Share the account number and name of the role (for AWS console users) or the Amazon Resource Name (ARN) (for AWS CLI or AWS API access) to Development environment users for whom you want to give access. 3. Create separate identities and passwords in each environment for users who work in both accounts. 4. In the development account grant specific required members of the Developers group permission to switch to the role. This is done by granting the Developers group permission to call the AWS Security Token Service (AWS STS) AssumeRole API for the role created in production account.
1. **In the production account use IAM to create a role in that account and defines a trust policy that specifies the development account as a Principal. Also defines a permissions policy for the role that specifies which role users have read and write permissions to AWS resources.** 2. **Share the account number and name of the role (for AWS console users) or the Amazon Resource Name (ARN) (for AWS CLI or AWS API access) to Development environment users for whom you want to give access.** 3. Create separate identities and passwords in each environment for users who work in both accounts. 4. **In the development account grant specific required members of the Developers group permission to switch to the role. This is done by granting the Developers group permission to call the AWS Security Token Service (AWS STS) AssumeRole API for the role created in production account.**
33
You have VPC where you have web server instances in public subnet and database servers in the private subnet. There is an Application Load Balancer in the front listening at port 80 mapped to web server instances in public subnet. You are also leveraging Cloudfront for low latency and high transfer speeds for your end user. How can you minimize the impact of a DDoS attack or brute force attack from one ip address on your application? You want to ensure that attack requests should not reach your web server instances? Choose 2. 1. On discovering attack update the web server instance security group to block access to ip address/es. 2. Use AWS Shield together with AWS WAF rules to create a comprehensive DDoS attack mitigation strategy. 3. Have your web server instances in private subnet. 4. Add CloudFront IP addresses to your security groups to ensure ELB only responds to requests that are served by CloudFront (and therefore inspected by AWS WAF).
1. On discovering attack update the web server instance security group to block access to ip address/es. 2. **Use AWS Shield together with AWS WAF rules to create a comprehensive DDoS attack mitigation strategy.** 3. Have your web server instances in private subnet. 4. **Add CloudFront IP addresses to your security groups to ensure ELB only responds to requests that are served by CloudFront (and therefore inspected by AWS WAF).**
34
What are the features of IAM user access keys? Choose 3. 1. Access keys are long-term credentials for an IAM user or the AWS account root user. 2. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK). 3. You must use either the access key ID or secret access key to authenticate your requests. 4. Access keys consist of two parts: an access key ID and a secret access.
1. **Access keys are long-term credentials for an IAM user or the AWS account root user.** 2. **You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK).** 3. You must use either the access key ID or secret access key to authenticate your requests. 4. **Access keys consist of two parts: an access key ID and a secret access.**
35
Your company first project in AWS cloud is an internal web application to be used by employees only. You want to provide single sign on where employee can use their existing corporate sign on identities. You don’t want to a have separate user management module in the new application which will require your employees to have a separate authentication userid/password. Essentially this will enable your employees to have single sign on to new web application using existing corporate identities. You found that AWS supports this by way of user federation for authenticating using existing corporate identities. Which of the following consideration have to be kept in mind to use this user federation feature? Choose 3. 1. Existing corporate Identity Provider should be compatible with Security Assertion Markup Language 2.0 (SAML 2.0) to provide single-sign on (SSO) access. 2. If your corporate Identity Provider is Microsoft Active Directory Federation Service (AD FS), you cannot configure SSO. 3. If your corporate Identity Provider is Microsoft Active Directory Federation Service (AD FS), you can configure SSO. 4. If your corporate directory is not compatible with SAML 2.0, you can create an identity broker application to provide single-sign on (SSO) access to the AWS for your users. 5. If your corporate directory is not compatible with SAML 2.0, you cannot create an identity broker application to provide single-sign on (SSO) access to the AWS Management Console for your users.
1. **Existing corporate Identity Provider should be compatible with Security Assertion Markup Language 2.0 (SAML 2.0) to provide single-sign on (SSO) access.** 2. If your corporate Identity Provider is Microsoft Active Directory Federation Service (AD FS), you cannot configure SSO. 3. **If your corporate Identity Provider is Microsoft Active Directory Federation Service (AD FS), you can configure SSO.** 4. **If your corporate directory is not compatible with SAML 2.0, you can create an identity broker application to provide single-sign on (SSO) access to the AWS for your users.** 5. If your corporate directory is not compatible with SAML 2.0, you cannot create an identity broker application to provide single-sign on (SSO) access to the AWS Management Console for your users.
36
You are planning to use a third party product to monitor your AWS accounts and its resources for optimization. To enable this you are planning to use roles to delegate access to them. What information third party must provide to you to create a role that they can assume? Choose 3. 1. The third party's AWS account ID which you will specify as the principal when you define the trust policy for the role. 2. The third party’s AWS account root user id which you will specify as the principal when you define the trust policy for the role. 3. An external ID to uniquely associate with the role. You will specify this ID when you define the trust policy for the role. The third party then must provide this ID when they assume the role. 4. The access keys of third party account to uniquely associate with the role. You will specify these keys when you define the trust policy for the role. The third party then must provide these keys when they assume the role. 5. The permissions that the third party requires to work with your AWS resources. You must specify these permissions when defining the role's permission policy
1. **The third party's AWS account ID which you will specify as the principal when you define the trust policy for the role.** 2. The third party’s AWS account root user id which you will specify as the principal when you define the trust policy for the role. 3. **An external ID to uniquely associate with the role. You will specify this ID when you define the trust policy for the role. The third party then must provide this ID when they assume the role.** 4. The access keys of third party account to uniquely associate with the role. You will specify these keys when you define the trust policy for the role. The third party then must provide these keys when they assume the role. 5. **The permissions that the third party requires to work with your AWS resources. You must specify these permissions when defining the role's permission policy**
37
What are the scenarios when you should create an IAM ‘role’ instead of a ‘user’? Choose 3. 1. You're creating an application that runs on an Amazon Elastic Compute Cloud (Amazon EC2) instance and that application makes requests to other AWS resources. 2. You created an AWS account and you're the only person who works in your account. 3. Other people in your group need to work in your AWS account, and your group is using no other identity mechanism. 4. You want to use the command-line interface (CLI) to work with AWS. 5. Users in your company are authenticated in your corporate network and want to be able to use AWS without having to sign in again. 6. You're creating an app that runs on a mobile phone and that makes requests to AWS.
1. **You're creating an application that runs on an Amazon Elastic Compute Cloud (Amazon EC2) instance and that application makes requests to other AWS resources.** 2. You created an AWS account and you're the only person who works in your account. 3. Other people in your group need to work in your AWS account, and your group is using no other identity mechanism. 4. You want to use the command-line interface (CLI) to work with AWS. 5. **Users in your company are authenticated in your corporate network and want to be able to use AWS without having to sign in again.** 6. **You're creating an app that runs on a mobile phone and that makes requests to AWS.**
38
What are the best practices for managing IAM user access keys? Choose 4. 1. Remove (or Don't Generate) Account Access Key. 2. Use Temporary Security Credentials (IAM Roles) Instead of Long-Term Access Keys 3. Don't embed access keys directly into code. 4. Rotate access keys periodically. 5. Embed access keys directly into code for better security.
1. **Remove (or Don't Generate) Account Access Key.** 2. **Use Temporary Security Credentials (IAM Roles) Instead of Long-Term Access Keys** 3. **Don't embed access keys directly into code.** 4. **Rotate access keys periodically.** 5. Embed access keys directly into code for better security.
39
What are the steps you will follow to create an administrator user following IAM best practices? Choose 3. 1. Create an Administrators group and give the group permission to access all AWS account's resources. 2. Create an Administrators role and give the group permission to access all AWS account's resources. 3. Create a user and add that user to the Administrators group. 4. Create a role and add that role to the Administrators group. 5. Create a password for the user to sign in to the AWS Management Console.
1. **Create an Administrators group and give the group permission to access all AWS account's resources.** 2. Create an Administrators role and give the group permission to access all AWS account's resources. 3. **Create a user and add that user to the Administrators group.** 4. Create a role and add that role to the Administrators group. 5. **Create a password for the user to sign in to the AWS Management Console.**
40
Soma is founder of an Artificial Intelligence product start up. Upon starting the company, she created her own AWS account and used AWS services by herself. Then as company expanded she hired developers, admins, testers, managers, and system administrators. What steps would you advice for Soma based on IAM best practices to manage user access? Choose 3. 1. Using AWS account root user credentials she should create a user for herself called Soma, and a group called Admins. Add user Soma to group Admins. 2. She should share her root credentials with Sysadmin to make the job of user management easier. 3. She should create groups called Developers, Testers, Managers and SysAdmins. Employee’s userid should be created by admins, and put them in their respective groups. 4. She should continue using the root credentials to create users and groups.
1. **Using AWS account root user credentials she should create a user for herself called Soma, and a group called Admins. Add user Soma to group Admins.** 2. She should share her root credentials with Sysadmin to make the job of user management easier. 3. **She should create groups called Developers, Testers, Managers and SysAdmins. Employee’s userid should be created by admins, and put them in their respective groups.** 4. She should continue using the root credentials to create users and groups.
41
You have an application running on EC2 instance which has to access AWS resources. How can you grant permission to application so that it can access the AWS resources following the best practices? 1. Define an IAM role that has appropriate permissions for your application and launch the Amazon EC2 instance with roles for EC2. 2. Pass an access key to the application. 3. Embed the access key in the application 4. Have the application read a key from a source such as an Amazon S3 encrypted bucket
1. **Define an IAM role that has appropriate permissions for your application and launch the Amazon EC2 instance with roles for EC2.** 2. Pass an access key to the application. 3. Embed the access key in the application 4. Have the application read a key from a source such as an Amazon S3 encrypted bucket
42
Federated users don't have permanent identities in your AWS account the way that IAM users do. How do you assign permissions to federated users? Choose 2. 1. Create an entity referred to as a role and define permissions for the role 2. When a federated user signs in to AWS, the user is associated with the role and is granted the permissions that are defined in the role. 3. Create an entity referred to as a group and define permissions for the group 4. When a federated user signs in to AWS, the user is associated with the group and is granted the permissions that are defined in the group.
1. **Create an entity referred to as a role and define permissions for the role** 2. **When a federated user signs in to AWS, the user is associated with the role and is granted the permissions that are defined in the role.** 3. Create an entity referred to as a group and define permissions for the group 4. When a federated user signs in to AWS, the user is associated with the group and is granted the permissions that are defined in the group.
43
A principal can be an AWS account root user, an IAM user, or a role which can perform actions and access resources. How you can grant permissions to a principal to access a resource? Choose 2. 1. You can attach a trust policy to a user (directly, or indirectly through a group) or to a role. 2. You can attach a permissions policy to a user (directly, or indirectly through a group) or to a role. 3. For those services that support resource-based policies, you can identify the principal in the Principal element of a policy attached to the resource. 4. You can only attach a managed policy to a user (directly, or indirectly through a group) or to a role.
1. You can attach a trust policy to a user (directly, or indirectly through a group) or to a role. 2. You can attach a permissions policy to a user (directly, or indirectly through a group) or to a role. 3. **For those services that support resource-based policies, you can identify the principal in the Principal element of a policy attached to the resource.** 4. **You can only attach a managed policy to a user (directly, or indirectly through a group) or to a role.**
44
You are building a mobile app car racing game where user data such as scores and profiles is stored in Amazon S3 and Amazon DynamoDB. You know that for security and maintenance reasons, long-term AWS security credentials should not be distributed with the game. You do not want to create new user identities in IAM for each player because the game will have large number of users. You have designed the game in such a way so that users can sign in using an identity that they've already established with well-known external identity provider (IdP), such as Amazon, Facebook, Google, or any OpenID Connect (OIDC)-compatible IdP What is the process to configure your app to enable user login using their external identity provider user id and password? 1. Sign up as a developer with Login with Amazon, Facebook, Google, or any other OpenID Connect (OIDC) compatible IdP and configure one or more apps with the provider. 2. Create identity pool in Amazon Cognito to have IAM role for authenticated identities 3. Download and integrate the AWS SDK for iOS or the AWS SDK for Android with your app, and import the files required to use Amazon Cognito. 4. Create an instance of the Amazon Cognito credentials provider, passing the identity pool ID, your AWS account number, and the Amazon Resource Name (ARN) of the roles that you associated with the identity pool. 5. All of the above
1. Sign up as a developer with Login with Amazon, Facebook, Google, or any other OpenID Connect (OIDC) compatible IdP and configure one or more apps with the provider. 2. Create identity pool in Amazon Cognito to have IAM role for authenticated identities 3. Download and integrate the AWS SDK for iOS or the AWS SDK for Android with your app, and import the files required to use Amazon Cognito. 4. Create an instance of the Amazon Cognito credentials provider, passing the identity pool ID, your AWS account number, and the Amazon Resource Name (ARN) of the roles that you associated with the identity pool. 5. **All of the above**
45
You have a mobile app which access backend resources in AWS. You are using external identity provider (IdP), Amazon, for users to sign in and authenticate them. Arrange the following 5 steps in right sequence which mirrors the execution steps? * a) A customer starts your app on a mobile device. The app asks the user to sign in. * b) The app requests temporary security credentials from AWS STS, passing the Cognito token. * c) The app uses Login with Amazon resources to accept the user's credentials. * d)The temporary security credentials can be used by the app to access any AWS resources required by the app to operate. The role associated with the temporary security credentials and its assigned policies determines what can be accessed. * e) The app uses Cognito API operations to exchange the Login with Amazon ID token for a Cognito token. 1. a, b, c, d, e 2. a c, d, b, e 3. a, c, e, b, d 4. a, d, c, e, b 5. a, e, b, d, c
1. a, b, c, d, e 2. a c, d, b, e 3. **a, c, e, b, d** 4. a, d, c, e, b 5. a, e, b, d, c
46
Which of the following AWS services allow you to attach a policy directly to a resource (instead of using a role as a proxy)? Choose 4. 1. Amazon RDS 2. Amazon Simple Storage Service (S3) buckets 3. Glacier vaults 4. Amazon Simple Notification Service (SNS) topics 5. Simple Queue Service (SQS) queues 6. Amazon EC2
1. Amazon RDS 2. **Amazon Simple Storage Service (S3) buckets** 3. **Glacier vaults** 4. **Amazon Simple Notification Service (SNS) topics** 5. **Simple Queue Service (SQS) queues** 6. Amazon EC2
47
When you want to configure web identity federation with an external identity provider (IdP) service, what you should create in IAM to inform AWS about the IdP and its configuration and also establishes "trust" between your AWS account and the IdP ? 1. IAM Role 2. IAM User 3. IAM Service linked Role 4. IAM identity provider
1. IAM Role 2. IAM User 3. IAM Service linked Role 4. **IAM identity provider**
48
What are the features of AWS IAM Managed policies? Choose 4. 1. It is a standalone policy that is created and administered by AWS having its own Amazon Resource Name (ARN) that includes the policy name. 2. You cannot change the permissions defined in AWS managed policies. 3. One particularly useful category of AWS managed policies are those designed for job functions. 4. AWS managed policies are designed to provide permissions for many common use cases. 5. You can modify a managed policy and save it as your own account version.
1. **It is a standalone policy that is created and administered by AWS having its own Amazon Resource Name (ARN) that includes the policy name.** 2. **You cannot change the permissions defined in AWS managed policies.** 3. **One particularly useful category of AWS managed policies are those designed for job functions.** 4. **AWS managed policies are designed to provide permissions for many common use cases.** 5. You can modify a managed policy and save it as your own account version.
49
You have created an IAM user named Austin with a permission boundary as shown below so that he should be allowed to manage only Amazon S3, Amazon CloudWatch, and Amazon EC2. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:\*", "cloudwatch:\*", "ec2:\*" ], "Resource": "\*" } ] } After that you attached following policy to Austin user: { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "iam:CreateUser", "Resource": "\*" } } This policy allows creating a user in IAM. What will happen when Austin tries to create a user in IAM? 1. He will be able to create a user as per permission given in second policy. 2. It fails because the permissions boundary does not allow the iam:CreateUser operation. 3. You cannot attach two policies to an IAM user. 4. He will be able to create a user who has permission to resources in first policy only.
1. He will be able to create a user as per permission given in second policy. 2. **It fails because the permissions boundary does not allow the iam:CreateUser operation.** 3. You cannot attach two policies to an IAM user. 4. He will be able to create a user who has permission to resources in first policy only.
50
Which AWS service acts as an identity broker and does much of the federation work for you to enable your users to sign in directly with a user name and password, or through a third party such as Facebook, Amazon, or Google ? 1. AWS IAM 2. AWS Cognito 3. AWS WAF 4. AWS Inspector
1. AWS IAM 2. **AWS Cognito** 3. AWS WAF 4. AWS Inspector
51
What are the features of Amazon Cognito? Choose 3. 1. Encryption Key management 2. Social and enterprise identity federation 3. Access control for AWS resources 4. Standards-based authentication using common identity management standards including OpenID Connect, OAuth 2.0, and SAML 2.0
1. Encryption Key management 2. **Social and enterprise identity federation** 3. **Access control for AWS resources** 4. **Standards-based authentication using common identity management standards including OpenID Connect, OAuth 2.0, and SAML 2.0**
52
Which of the following statement is not correct about policies and IAM root user? 1. You cannot attach identity-based policies to the root user. 2. You cannot set the permissions boundary for the root user. 3. You can attach identity-based policies to the root user. 4. You can specify the root user as the principal in a resource-based policy or an ACL. 5. As a member of an account, the root user is affected by any SCPs for the account.
1. You cannot attach identity-based policies to the root user. 2. You cannot set the permissions boundary for the root user. 3. **You can attach identity-based policies to the root user.** 4. You can specify the root user as the principal in a resource-based policy or an ACL. 5. As a member of an account, the root user is affected by any SCPs for the account.
53
What are the two main components of Amazon Cognito? 1. Password Pools 2. User pools 3. IAM Pools 4. Identity Pools
1. Password Pools 2. User pools 3. **IAM Pools** 4. **Identity Pools**
54
What are the features of Amazon Cognito User Pools? Choose 3. 1. Sign-up and sign-in services. A built-in, customizable web UI to sign in users. 2. Social sign-in with Facebook, Google, and Login with Amazon, as well as sign-in with SAML identity providers from your user pool. 3. Obtain temporary, limited-privilege AWS credentials to access other AWS services. 4. User directory management and user profiles. Security features such as multi-factor authentication (MFA), checks for compromised credentials, account takeover protection, and phone and email verification.
1. **Sign-up and sign-in services. A built-in, customizable web UI to sign in users.** 2. **Social sign-in with Facebook, Google, and Login with Amazon, as well as sign-in with SAML identity providers from your user pool.** 3. Obtain temporary, limited-privilege AWS credentials to access other AWS services. 4. **User directory management and user profiles. Security features such as multi-factor authentication (MFA), checks for compromised credentials, account takeover protection, and phone and email verification.**
55
What are the features of Amazon Identity User Pools? Choose 2. 1. User Identity directory management and user profiles. 2. Enable you to create unique identities for your users and federate them with identity providers. 3. Sign-up and sign-in services. 4. You can obtain temporary, limited-privilege AWS credentials to access other AWS services.
1. User Identity directory management and user profiles. 2. **Enable you to create unique identities for your users and federate them with identity providers.** 3. Sign-up and sign-in services. 4. **You can obtain temporary, limited-privilege AWS credentials to access other AWS services.**
56
Which are the identity providers supported by Amazon Identity pool? 1. Login with Amazon (Identity Pools), Facebook (Identity Pools), Google (Identity Pools). 2. Amazon Cognito User Pools 3. Open ID Connect Providers (Identity Pools), SAML Identity Providers (Identity Pools) 4. All of the above
1. Login with Amazon (Identity Pools), Facebook (Identity Pools), Google (Identity Pools). 2. Amazon Cognito User Pools 3. Open ID Connect Providers (Identity Pools), SAML Identity Providers (Identity Pools) 4. **All of the above**
57
You are developing a mobile application that will enable user to login using their userids in Facebook, Amazon and Google. In the cloud backend you will have Serverless architecture. For backend application data storage you want to use a RDBMS database. What is the minimum set of AWS services you will need for your mobile application and backend cloud application? 1. Lambda, Cognito, API Gateway, DynamoDB 2. Lambda, Cognito, API Gateway, Aurora Serverless 3. Elastic Beanstalk, Cognito, API Gateway, Aurora 4. Lambda, Fargate, API Gateway, DynamoDB
1. Lambda, Cognito, API Gateway, DynamoDB 2. **Lambda, Cognito, API Gateway, Aurora Serverless** 3. Elastic Beanstalk, Cognito, API Gateway, Aurora 4. Lambda, Fargate, API Gateway, DynamoDB
58
Your company is adopting AWS cloud by migrating majority of existing on-premise application to cloud and retaining some of them on premise. Currently they use Microsoft Active Directory in the corporate network for centralized resource management and single sign on for users. As a solution architect you have recommended to use AWS Managed Microsoft AD. Which of the following is not a use cases possible by using AWS Managed Microsoft AD? Choose 2. 1. Sign In to AWS Applications and Services with AD Credentials. 2. Centrally manage your Amazon EC2 for Windows or Linux instances by joining your instances to your AWS Managed Microsoft AD domain. 3. Provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources. 4. Provide Directory Services to Your AD-Aware Workloads. 5. Provide SSO to Office 365 and Other Cloud Applications. 6. Extend Your On-Premises AD to the AWS Cloud. 7. Create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications.
1. Sign In to AWS Applications and Services with AD Credentials. 2. Centrally manage your Amazon EC2 for Windows or Linux instances by joining your instances to your AWS Managed Microsoft AD domain. 3. **Provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources.** 4. Provide Directory Services to Your AD-Aware Workloads. 5. Provide SSO to Office 365 and Other Cloud Applications. 6. Extend Your On-Premises AD to the AWS Cloud. 7. **Create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications.**
59
Which of the following is not a benefit provided by AD Connector? 1. Your end users and IT administrators can use their existing corporate credentials to log on to AWS applications such as Amazon WorkSpaces, Amazon WorkDocs, or Amazon WorkMail. 2. You can manage AWS resources like Amazon EC2 instances or Amazon S3 buckets through IAM role-based access to the AWS Management Console. 3. You can consistently enforce existing security policies (such as password expiration, password history, and account lockouts) whether users or IT administrators are accessing resources in your on-premises infrastructure or in the AWS Cloud. 4. You can use AD Connector to enable multi-factor authentication by integrating with your existing RADIUS-based MFA infrastructure to provide an additional layer of security when users access AWS applications. 5. None of the above
1. Your end users and IT administrators can use their existing corporate credentials to log on to AWS applications such as Amazon WorkSpaces, Amazon WorkDocs, or Amazon WorkMail. 2. You can manage AWS resources like Amazon EC2 instances or Amazon S3 buckets through IAM role-based access to the AWS Management Console. 3. You can consistently enforce existing security policies (such as password expiration, password history, and account lockouts) whether users or IT administrators are accessing resources in your on-premises infrastructure or in the AWS Cloud. 4. You can use AD Connector to enable multi-factor authentication by integrating with your existing RADIUS-based MFA infrastructure to provide an additional layer of security when users access AWS applications. 5. **None of the above**
60
Which of the following is not true regarding AWS shared responsibility model? 1. AWS responsibility “Security of the Cloud” - AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. 2. Shared responsibility model also extends to IT controls. 3. Shared responsibility model is limited to security only and doesn’t extends to IT controls. 4. Customer is responsible for “Security in the Cloud” – Customer responsibility will be determined by the AWS Cloud services that a customer selects.
1. AWS responsibility “Security of the Cloud” - AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. 2. Shared responsibility model also extends to IT controls. 3. **Shared responsibility model is limited to security only and doesn’t extends to IT controls.** 4. Customer is responsible for “Security in the Cloud” – Customer responsibility will be determined by the AWS Cloud services that a customer selects.
61
All AWS customers get access to the seven core Trusted Advisor checks to help increase the security and performance of the AWS environment. Choose 3 from below. 1. Security : S3 Bucket Permissions, Security Groups - Specific Ports Unrestricted, IAM Use 2. Security :MFA on Root Account, EBS Public Snapshots, RDS Public Snapshots 3. Service Limits 4. Amazon EC2 Reserved instance optimization
1. **Security : S3 Bucket Permissions, Security Groups - Specific Ports Unrestricted, IAM Use** 2. **Security :MFA on Root Account, EBS Public Snapshots, RDS Public Snapshots** 3. **Service Limits** 4. Amazon EC2 Reserved instance optimization
62
AWS Trusted Advisor offers a rich set of best practice checks and recommendations across five categories. Which of the following security checks are done? Choose 3. 1. Security Groups Unrestricted Access 2. Amazon Redshift Security Group 3. IAM Password policy, IAM Access key rotation 4. ELB Security groups and listener security
1. **Security Groups Unrestricted Access** 2. Amazon Redshift Security Group 3. **IAM Password policy, IAM Access key rotation** 4. **ELB Security groups and listener security**
63
Which AWS online tool provides you real time guidance to help you provision your resources following AWS best practices in five categories of Cost optimization, performance, security, fault tolerance and service limits? 1. AWS System Manager 2. AWS Well architected Tool 3. AWS Trusted Advisor 4. AWS Organizations
1. AWS System Manager 2. AWS Well architected Tool 3. **AWS Trusted Advisor** 4. AWS Organizations
64
Which of the following are cost optimization best practices checks performed by Trusted Advisor? Choose 3. 1. Lambda Optimization 2. Amazon EC2 Reserved Instances Optimization 3. Low utilization Amazon EC2 Instances 4. Underutilized Amazon EBS volumes and Amazon Redshift Clusters
1. Lambda Optimization 2. **Amazon EC2 Reserved Instances Optimization** 3. **Low utilization Amazon EC2 Instances** 4. **Underutilized Amazon EBS volumes and Amazon Redshift Clusters**
65
Which type of IAM Identity policy you can embed in a principal entity (a user, group, or role) and is an inherent part of the principal entity? 1. AWS Managed Policies 2. Inline Policies 3. Customer Managed Policies 4. Managed Policies
1. AWS Managed Policies 2. **Inline Policies** 3. Customer Managed Policies 4. Managed Policies
66
Which of the following statement is not correct about IAM Access Control Policies (ACLs)? 1. ACLs are service policies that allow you to control which principals in another account can access a resource. 2. ACLs cannot be used to control access for a principal within the same account. 3. ACLs can be used to control access for a principal within the same account. 4. ACLs are similar to resource-based policies, although they are the only policy type that does not use the JSON policy document format. 5. Amazon S3, AWS WAF, and Amazon VPC are examples of services that support ACLs.
1. ACLs are service policies that allow you to control which principals in another account can access a resource. 2. ACLs cannot be used to control access for a principal within the same account. 3. **ACLs can be used to control access for a principal within the same account.** 4. ACLs are similar to resource-based policies, although they are the only policy type that does not use the JSON policy document format. 5. Amazon S3, AWS WAF, and Amazon VPC are examples of services that support ACLs.
67
Soma is founder of an Artificial Intelligence product start up. Upon starting the company, she created her own AWS account and used AWS products by herself. Then as company expanded she hired developers, admins, testers, managers, and system administrators. Using AWS account root user credentials she created a user for herself called Soma, and a group called Admins. She added user Soma to group Admins. She also created groups called Developers, Testers, Managers and SysAdmins. She created users for each of her employees, and puts the users in their respective groups. What IAM best practice she should follow so that she can easily apply any account-wide permissions to all users in the AWS account? 1. Create a customer managed policy and attach to each user. 2. Any account wide permission can be updated in each of the group’s permission (Developers, Testers, Managers and SysAdmins) are attached to. 3. She should create a group called AllUsers and add all users to that group so that she can easily apply any account-wide permissions to all users in the AWS account.. 4. Create a customer managed policy and attach to each group.
1. Create a customer managed policy and attach to each user. 2. Any account wide permission can be updated in each of the group’s permission (Developers, Testers, Managers and SysAdmins) are attached to. 3. **She should create a group called AllUsers and add all users to that group so that she can easily apply any account-wide permissions to all users in the AWS account..** 4. Create a customer managed policy and attach to each group
68
Assume that a principal sends a request to AWS to access a resource in the same account as the principal's entity. Choose the correct statements which aligns with how IAM policy evaluation logic works? Choose 4. 1. By default, all requests are implicitly allowed. 2. By default, all requests are implicitly denied. 3. An explicit allow in an identity-based or resource-based policy overrides implicit deny. 4. An explicit allow in an identity-based or resource-based policy overrides implicit allow. 5. If a permissions boundary, Organizations SCP, or session policy is present, it might override the allow with an implicit deny. 6. An explicit deny in any policy overrides any allows.
1. By default, all requests are implicitly allowed. 2. **By default, all requests are implicitly denied.** 3. **An explicit allow in an identity-based or resource-based policy overrides implicit deny.** 4. An explicit allow in an identity-based or resource-based policy overrides implicit allow. 5. **If a permissions boundary, Organizations SCP, or session policy is present, it might override the allow with an implicit deny.** 6. **An explicit deny in any policy overrides any allows.**
69
The administrator of the 123456789012 account attached identity-based policies to the users JohnSmith, CarlosSalazar, and MaryMajor. The administrator also added resource-based policies to Resource X, Resource Y, and Resource Z. Which of the following statements are correct about actions that can be performed by Mary Major and John Smith as per above identity and resource policies? Choose 2. 1. John can perform list and read actions on Resource X. 2. Mary can list, Read only on Resource X. 3. Mary can perform list, read, and write operations on Resource X, Resource Y, and Resource Z. 4. John can perform list and read actions on Resource Z.
1. **John can perform list and read actions on Resource X**. 2. Mary can list, Read only on Resource X. 3. **Mary can perform list, read, and write operations on Resource X, Resource Y, and Resource Z.** 4. John can perform list and read actions on Resource Z.
70
Which of the following statements are correct about actions that can be performed by Carlos Salazar and Zhang Wei as per above identity and resource policies? Choose 2. 1. Zhang has no access to Resource Z. 2. Carlos can perform list, read, and write actions on Resource Y, Z. 3. Carlos can perform list, read, and write actions on Resource Y, but is denied access to Resource Z. 4. Zhang has full access to Resource Z.
1. Zhang has no access to Resource Z. 2. Carlos can perform list, read, and write actions on Resource Y, Z. 3. **Carlos can perform list, read, and write actions on Resource Y, but is denied access to Resource Z.** 4. **Zhang has full access to Resource Z.**
71
What is the format of an IAM Policy? 1. XML 2. CSV 3. JSON 4. All of the above
1. XML 2. CSV 3. **JSON** 4. All of the above
72
You have created an IAM user for a new employee but she is not able to do actions. Which of the following is correct reason? 1. A newly created user becomes active after 24 hours. 2. By default, a brand new IAM user has no permissions to do anything. 3. Your account IAM service may be disabled. 4. AWS IAM service may be down.
1. A newly created user becomes active after 24 hours. 2. **By default, a brand new IAM user has no permissions to do anything.** 3. Your account IAM service may be disabled. 4. AWS IAM service may be down.
73
Your company is adopting AWS cloud by migrating majority of existing on-premise application to cloud and retaining some of them on premise. Currently they use on-premises AD to administer user accounts, manage group memberships, and control access to on-premises resources. You want to enable your users to sign in to the AWS Management Console using on-premises AD credentials to manage AWS resources such as Amazon EC2, Amazon RDS, and Amazon S3. How can you achieve this? Choose 2. 1. Connect Your On-Premises Active Directory to AWS Simple AD for federated AWS Management Console access. 2. Connect Your On-Premises Active Directory to AWS Using AD Connector for federated AWS Management Console access. 3. By using an AD trust between AWS Microsoft AD and your on-premises AD, you can assign your on-premises AD users and groups to IAM roles for AWS Management Console access. 4. By using an AD trust between AWS Simple AD and your on-premises AD, you can assign your on-premises AD users and groups to IAM roles for AWS Management Console access.
1. Connect Your On-Premises Active Directory to AWS Simple AD for federated AWS Management Console access. 2. **Connect Your On-Premises Active Directory to AWS Using AD Connector for federated AWS Management Console access.** 3. **By using an AD trust between AWS Microsoft AD and your on-premises AD, you can assign your on-premises AD users and groups to IAM roles for AWS Management Console access.** 4. By using an AD trust between AWS Simple AD and your on-premises AD, you can assign your on-premises AD users and groups to IAM roles for AWS Management Console access.
74
Your company has headquarter in Los Angeles CA and have deployed their internal applications in US-West region. They are going to open a new office in Frankfurt Germany and are planning to transfer few employees as well. To comply with European regulations some of the applications will be replicated in a new AWS account created in EU-Central region. How will you manage the IAM users and roles being used by employees who will be transferred to Frankfurt? 1. IAM is a global service, users and roles are not region specific. You don’t need to create new one for EU-Central region. 2. You will need to create new IAM users and roles for EU-Central region. 3. IAM users is a global service, roles are region specific. You don’t need to create new users but will need to create new roles for EU-Central region. 4. IAM roles is a global service, users are region specific. You don’t need to create new roles but will need to create new users for EU-Central region.
1. **IAM is a global service, users and roles are not region specific. You don’t need to create new one for EU-Central region.** 2. You will need to create new IAM users and roles for EU-Central region. 3. IAM users is a global service, roles are region specific. You don’t need to create new users but will need to create new roles for EU-Central region. 4. IAM roles is a global service, users are region specific. You don’t need to create new roles but will need to create new users for EU-Central region.
75
Which of the following is not an element in an IAM JSON Policy? Choose 2. 1. Statement 2. Effect 3. Ip address 4. Principal 5. Encryption 6. Action 7. Resource
1. Statement 2. Effect 3. **Ip address** 4. Principal 5. **Encryption** 6. Action 7. Resource
76
What Is IAM Access Analyzer? Choose 3. 1. Informs you which resources in your account that you are sharing with external principals. 2. Analyzes the policies applied to all of the supported resources in your account. 3. Identifies policies that grants access to an external principal that isn't within your zone of trust, it generates a finding. 4. Identify resources that are not encrypted at transit.
1. **Informs you which resources in your account that you are sharing with external principals.** 2. **Analyzes the policies applied to all of the supported resources in your account.** 3. **Identifies policies that grants access to an external principal that isn't within your zone of trust, it generates a finding.** 4. Identify resources that are not encrypted at transit.
77
What are the features of IAM roles for EC2 instances? Choose 4 1. AWS temporary security credentials to use when making requests from running EC2 instances to AWS services. 2. Define cross account permission of EC2 instances. 3. Automatic rotation of the AWS temporary security credentials. 4. Granular AWS service permissions for applications running on EC2 instances. 5. Simplifies management and deployment of AWS access keys to EC2 instances.
1. **AWS temporary security credentials to use when making requests from running EC2 instances to AWS services.** 2. Define cross account permission of EC2 instances. 3. **Automatic rotation of the AWS temporary security credentials.** 4. **Granular AWS service permissions for applications running on EC2 instances.** 5. **Simplifies management and deployment of AWS access keys to EC2 instances.**
78
What are the benefits of temporary security credentials? Choose 3. 1. Encrypt in transit data. 2. Extend your internal user directories to enable federation to AWS, enabling your employees and applications to securely access AWS service APIs without needing to create an AWS identity for them. 3. Request temporary security credentials for an unlimited number of federated users. 4. Configure the time period after which temporary security credentials expire, offering improved security when accessing AWS service APIs through mobile devices where there is a risk of losing the device.
1. Encrypt in transit data. 2. **Extend your internal user directories to enable federation to AWS, enabling your employees and applications to securely access AWS service APIs without needing to create an AWS identity for them.** 3. **Request temporary security credentials for an unlimited number of federated users.** 4. **Configure the time period after which temporary security credentials expire, offering improved security when accessing AWS service APIs through mobile devices where there is a risk of losing the device.**
79
Your company is adopting AWS cloud by migrating majority of existing on-premise application to cloud and retaining some of them on premise. Currently they use on-premises AD to administer user accounts, manage group memberships, and control access to on-premises resources. You want to enable your users to sign in to the AWS Management Console using on-premises AD credentials to manage AWS resources such as Amazon EC2, Amazon RDS, and Amazon S3. How can you achieve this without using AWS Directory services? 1. SAML Federation 2. Trust relationship between AD and IAM 3. Web Identity Federation 4. All of the above
1. **SAML Federation** 2. Trust relationship between AD and IAM 3. Web Identity Federation 4. All of the above
80
What are the benefits of using AWS Key Management Service (AWS KMS)? Choose 3. 1. Centrally manage the encryption keys that control access to your data. 2. Manage encryption for AWS services, digitally sign data and encrypt data in your applications 3. Provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources. 4. Highly secure and built-in auditing to record all API requests, including key management actions and usage of your keys.
1. **Centrally manage the encryption keys that control access to your data.** 2. **Manage encryption for AWS services, digitally sign data and encrypt data in your applications** 3. **Provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources.** 4. Highly secure and built-in auditing to record all API requests, including key management actions and usage of your keys.
81
Which of the following keys never leave AWS KMS unencrypted? Choose 2. 1. Data Keys 2. Symmetric CMKs 3. Private keys of asymmetric CMKs 4. Public keys of asymmetric CMKs
1. Data Keys 2. **Symmetric CMKs** 3. **Private keys of asymmetric CMKs** 4. Public keys of asymmetric CMKs
82
Which strategy KMS uses to encrypt data and also protect your encryption key? 1. Encryption Context 2. Symmetric keys 3. Asymmetric keys 4. Envelope Encryption
1. Encryption Context 2. Symmetric keys 3. Asymmetric keys 4. **Envelope Encryption**
83
Which of the following statements are correct when using Data key to encrypt large data within your application? Choose 3. 1. Data key creation: call the GenerateDataKey operation, AWS KMS uses the CMK that you specify to return a plaintext copy of the data key. 2. Data key creation: call the GenerateDataKey operation, AWS KMS uses the CMK that you specify to return a plaintext copy of the data key and a copy of the data key encrypted under the CMK 3. Data encryption: use the plaintext data key to encrypt data, remove it from memory as soon as possible. Safely store the encrypted data key with the encrypted data so it is available to decrypt the data. 4. Data encryption: use the plaintext data key to encrypt data, remove it from memory as soon as possible. Safely store the data key with the encrypted data so it is available to decrypt the data. 5. Decrypting Data: pass the encrypted data key to the Decrypt operation, AWS KMS uses your CMK to decrypt the data key and then it returns the plaintext data key. Use the plaintext data key to decrypt your data and then remove the plaintext data key from memory as soon as possible. 6. Decrypting Data: Use the plaintext data key to decrypt your data and then remove the plaintext data key from memory as soon as possible.
1. Data key creation: call the GenerateDataKey operation, AWS KMS uses the CMK that you specify to return a plaintext copy of the data key. 2. **Data key creation: call the GenerateDataKey operation, AWS KMS uses the CMK that you specify to return a plaintext copy of the data key and a copy of the data key encrypted under the CMK** 3. **Data encryption: use the plaintext data key to encrypt data, remove it from memory as soon as possible. Safely store the encrypted data key with the encrypted data so it is available to decrypt the data.** 4. Data encryption: use the plaintext data key to encrypt data, remove it from memory as soon as possible. Safely store the data key with the encrypted data so it is available to decrypt the data. 5. **Decrypting Data: pass the encrypted data key to the Decrypt operation, AWS KMS uses your CMK to decrypt the data key and then it returns the plaintext data key. Use the plaintext data key to decrypt your data and then remove the plaintext data key from memory as soon as possible.** 6. Decrypting Data: Use the plaintext data key to decrypt your data and then remove the plaintext data key from memory as soon as possible.
84
Which of the following statements are not correct about AWS KMS cryptographic operations encryption context? Choose 2. 1. You cannot specify an encryption context in a cryptographic operation with an asymmetric CMK. 2. All AWS KMS cryptographic operations that use symmetric CMKs accept an encryption context. 3. All AWS KMS cryptographic operations that use symmetric or asymmetric CMKs accept an encryption context. 4. When you include an encryption context in an encryption request, it is cryptographically bound to the ciphertext such that the same encryption context is required to decrypt (or decrypt and re-encrypt) the data 5. An encryption context can consist of any keys and values in simple literal string. 6. The key and value in an encryption context pair can be strings, integers or objects.
1. You cannot specify an encryption context in a cryptographic operation with an asymmetric CMK. 2. All AWS KMS cryptographic operations that use symmetric CMKs accept an encryption context. 3. **All AWS KMS cryptographic operations that use symmetric or asymmetric CMKs accept an encryption context.** 4. When you include an encryption context in an encryption request, it is cryptographically bound to the ciphertext such that the same encryption context is required to decrypt (or decrypt and re-encrypt) the data 5. An encryption context can consist of any keys and values in simple literal string. 6. **The key and value in an encryption context pair can be strings, integers or objects.**
85
Your company follows very strict access policy with regard to access to production environment deployed on AWS. There has been an outage in the production environment. To debug the issues you want to give ready only access to a software engineer so that she can view all resources in the Amazon EC2 console. She does have access to development and QA environment. Currently she doesn’t have any access to production environment VPC deployed in the same AWS account. Which of the following is the best way to provide this short term access? 1. Create a new IAM user with necessary access, provide the credentials to her and delete the user after the issue is fixed. 2. Create a new IAM role with access policies which can be attached to her IAM user. Detach the role after the issue is fixed. 3. Give the AWS account root user access to her temporarily. 4. Share the IAM user credentials of an existing production support engineer, change the password after the issue is fixed.
1. Create a new IAM user with necessary access, provide the credentials to her and delete the user after the issue is fixed. 2. **Create a new IAM role with access policies which can be attached to her IAM user. Detach the role after the issue is fixed.** 3. Give the AWS account root user access to her temporarily. 4. Share the IAM user credentials of an existing production support engineer, change the password after the issue is fixed.
86
As per AWS shared responsibility model which of the following are responsibility of the customer? Choose 2. 1. For Amazon EC2 instance deployment, customer are responsible for management of the guest operating system (including updates and security patches), any application software or utilities installed by the customer on the instances, and the configuration of the AWS-provided firewall (called a security group) on each instance. 2. For services such as Amazon S3 and Amazon DynamoDB, customer should operate the infrastructure layer, the operating system, and platforms. 3. Customer is responsible for configuring or programming encryption of data in transit or rest. 4. Protecting the infrastructure that runs all of the services offered in the AWS Cloud.
1. **For Amazon EC2 instance deployment, customer are responsible for management of the guest operating system (including updates and security patches), any application software or utilities installed by the customer on the instances, and the configuration of the AWS-provided firewall (called a security group) on each instance.** 2. For services such as Amazon S3 and Amazon DynamoDB, customer should operate the infrastructure layer, the operating system, and platforms. 3. **Customer is responsible for configuring or programming encryption of data in transit or rest.** 4. Protecting the infrastructure that runs all of the services offered in the AWS Cloud.
87
Where can you upload and import an SSL certificate in AWS? 1. AWS Key Management Service (KMS) 2. AWS IAM 3. AWS Certificate Manager (ACM) 4. AWS CloudHSM
1. AWS Key Management Service (KMS) 2. **AWS IAM** 3. **AWS Certificate Manager (ACM)** 4. AWS CloudHSM
88
You are using Amazon Cognito authentication, authorization, and user management for your web and mobile apps. How can you increases security for your app by adding another authentication method, and not relying solely on user name and password? 1. Adding Multi-Factor Authentication (MFA) to Cognito User Pool 2. Allow sign in through a third party such as Facebook, Amazon, Google or Apple. 3. Add biometric authentication to Cognito user pool. 4. Add Captcha image capture to authentication.
1. **Adding Multi-Factor Authentication (MFA) to Cognito User Pool** 2. Allow sign in through a third party such as Facebook, Amazon, Google or Apple. 3. Add biometric authentication to Cognito user pool. 4. Add Captcha image capture to authentication.
89
Which AWS managed service is a cloud-based hardware security module (HSM) that allows you to easily add secure key storage and high-performance crypto operations to your AWS applications? 1. AWS Key Management Service (KMS) 2. AWS IAM 3. AWS Certificate Manager (ACM) 4. AWS CloudHSM
1. AWS Key Management Service (KMS) 2. AWS IAM 3. AWS Certificate Manager (ACM) 4. **AWS CloudHSM**
90
Which of the following is not a reason to use AWS CloudHSM instead of AWS KMS? 1. Store keys in dedicated, third-party validated hardware security modules under your exclusive control. 2. FIPS 140-2 compliance. 3. Use and manage encryption keys in multi-tenant managed service. 4. Integration with applications using PKCS#11, Java JCE, or Microsoft CNG interfaces. 5. High-performance in-VPC cryptographic acceleration (bulk crypto).
1. Store keys in dedicated, third-party validated hardware security modules under your exclusive control. 2. FIPS 140-2 compliance. 3. **Use and manage encryption keys in multi-tenant managed service.** 4. Integration with applications using PKCS#11, Java JCE, or Microsoft CNG interfaces. 5. High-performance in-VPC cryptographic acceleration (bulk crypto).
91
When you use an HSM from AWS CloudHSM, which of the following cryptographic tasks you cannot perform? Choose 2 1. Generate, store, import, export, and manage cryptographic keys, including symmetric keys and asymmetric key pairs. 2. Provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services. 3. Use symmetric and asymmetric algorithms to encrypt and decrypt data. 4. Use cryptographic hash functions to compute message digests and hash-based message authentication codes (HMACs). 5. Use it as managed service for creating and controlling your encryption keys, but you don't want or need to operate your own HSM. 6. Cryptographically sign data (including code signing) and verify signatures. Generate cryptographically secure random data.
1. Generate, store, import, export, and manage cryptographic keys, including symmetric keys and asymmetric key pairs. 2. **Provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services.** 3. Use symmetric and asymmetric algorithms to encrypt and decrypt data. 4. Use cryptographic hash functions to compute message digests and hash-based message authentication codes (HMACs). 5. **Use it as managed service for creating and controlling your encryption keys, but you don't want or need to operate your own HSM.** 6. Cryptographically sign data (including code signing) and verify signatures. Generate cryptographically secure random data.
92
How can you set up a highly available and load balanced AWS HSM? Choose 2. 1. Have at least two HSMs in your CloudHSM Cluster. 2. Use Application Load Balancer or Network Load Balancer 3. Create the HSMs in same AWS Availability Zones. 4. Create the HSMs in different AWS Availability Zones.
1. **Have at least two HSMs in your CloudHSM Cluster.** 2. Use Application Load Balancer or Network Load Balancer 3. Create the HSMs in same AWS Availability Zones. 4. **Create the HSMs in different AWS Availability Zones.**
93
Which AWS security service uses machine learning to automatically discover, classify, and protect sensitive data such as personally identifiable information (PII) or intellectual property. 1. AWS WAF 2. AWS Shield 3. Amazon GuardDuty 4. Amazon Macie
1. AWS WAF 2. AWS Shield 3. Amazon GuardDuty 4. **Amazon Macie**
94
What data sources Amazon Macie supports? 1. AWS CloudTrail event logs, including Amazon S3 object-level API activity 2. Amazon S3 3. VPC Flow Logs 4. Cloudwatch
1. **AWS CloudTrail event logs, including Amazon S3 object-level API activity** 2. **Amazon S3** 3. VPC Flow Logs 4. Cloudwatch
95
Which of the following is not an examples of suspicious activity that Amazon Macie can detect? 1. Compromised user accounts enumerating and downloading large amounts of sensitive content from unusual IP addresses 2. Download of large quantities of source code by a user account that typically does not access this type of sensitive content. 3. Detection of large quantities of high-risk documents shared publically or to the entire company, such as files containing personally identifiable information (PII), protected health information (PHI), intellectual properties (IP), legal or financial data. 4. None of the above
1. Compromised user accounts enumerating and downloading large amounts of sensitive content from unusual IP addresses 2. Download of large quantities of source code by a user account that typically does not access this type of sensitive content. 3. Detection of large quantities of high-risk documents shared publically or to the entire company, such as files containing personally identifiable information (PII), protected health information (PHI), intellectual properties (IP), legal or financial data. 4. **None of the above**

AWS Study Deck - SAA (18 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions