A company has recently recovered from a security incident that required the restoration of Amazon EC2 instances from snapshots.
After performing a gap analysis of its disaster recovery procedures and backup strategies, the company is concerned that, next time, it will not be able to recover the EC2 instances if the AWS account was compromised and Amazon EBS snapshots were deleted.
All EBS snapshots are encrypted using an AWS KMS CMK.
Which solution would solve this problem?

• A.Use AWS Backup to copy EBS snapshots to Amazon S3.
• B.Create a new AWS account with limited privileges. Allow the new account to access the AWS KMS key used to encrypt the EBS snapshots, and copy the encrypted snapshots to the new account on a recuning basis
• C.Create a new Amazon S3 bucket Use EBS lifecycle policies to move EBS snapshots to the new S3 bucket. Move snapshots to Amazon S3 Glacier using lifecycle policies, and apply Glacier Vault Lock policies to prevent deletion
• D.Use AWS Systems Manager to distribute a configuration that performs local backups of all attached disks to Amazon S3.

Comment: *

Name: *

Email: *

Verification: *

A user has created a VPC with the public and private subnets using the VPC wizard. The VPC has CIDR 20.0.0.0/16. The public subnet uses CIDR 20.0.1.0/24. The user is planning to host a web server in the public subnet with port 80 and a Database server in the private subnet with port 3306. The user is configuring a security group for the public subnet (WebSecGrp) and the private subnet (DBSecGrp). which of the below mentioned entries is required in the private subnet database security group DBSecGrp?
Please select:

• A.Allow Inbound on port 3306 for Source Web Server Security Group WebSecGrp.
• B.Allow Inbound on port 3306 from source 20.0.0.0/16
• C.Allow Outbound on port 3306 for Destination Web Server Security Group WebSecGrp.
• D.Allow Outbound on port 80 for Destination NAT Instance IP

Correct Answer: A

Since the Web server needs to talk to the database server on port 3306 that means that the database server should allow incoming traffic on port 3306. The below table from the aws documentation shows how the security groups should be set up.

Option B is invalid because you need to allow incoming access for the database server from the WebSecGrp security group.
Options C and D are invalid because you need to allow Outbound traffic and not inbound traffic For more information on security groups please visit the below Link:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC Scenario2.html The correct answer is: Allow Inbound on port 3306 for Source Web Server Security Group WebSecGrp. Submit your Feedback/Queries to our Experts

Comment: *

Name: *

Email: *

Verification: *

A company's security engineer is configuring Amazon S3 permissions to ban all current and future public buckets However, the company hosts several websites directly off S3 buckets with public access enabled The engineer needs to bock me pubic S3 buckets without causing any outages on me easting websites The engineer has set up an Amazon CloudFrom distribution (or each website Which set or steps should the security engineer implement next?

• A.Configure an S3 bucket as the origin with an origin access identity (OAI) for the CloudFront distribution Switch the ONS records tor the websites to point to the CloudFront disinfection Then, tor each S3 bucket enable block public access settings
• B.Configure an S3 bucket as the origin for me CloudFront distribution Configure the S3 bucket policy to accept connections from the CloudFront points of presence only Switch the DNS records for the websites to point to the CloudFront distribution Enable block public access settings at me account level
• C.Configure an S3 bucket as the origin with an origin access identity (OAI) for the CloudFront distribution Enable block public access settings at the account level
• D.Configure an S3 bucket as the origin an origin access identity (OAI) for the CloudFront distribution Switch the DNS records from websites to point to the CloudFront distribution Enable Nock public access settings at the account level

Comment: *

Name: *

Email: *

Verification: *

A user has created a VPC with the public and private subnets using the VPC wizard. The VPC has CIDR
20.0.0.0/16. The public subnet uses CIDR 20.0.1.0/24. The user is planning to host a web server in the public subnet with port 80 and a Database server in the private subnet with port 3306. The user is configuring a security group for the public subnet (WebSecGrp) and the private subnet (DBSecGrp). which of the below mentioned entries is required in the private subnet database security group DBSecGrp?
Please select:

• A.Allow Inbound on port 3306 for Source Web Server Security Group WebSecGrp.
• B.Allow Inbound on port 3306 from source 20.0.0.0/16
• C.Allow Outbound on port 3306 for Destination Web Server Security Group WebSecGrp.
• D.Allow Outbound on port 80 for Destination NAT Instance IP

Correct Answer: A

Explanation
Since the Web server needs to talk to the database server on port 3306 that means that the database server should allow incoming traffic on port 3306. The below table from the aws documentation shows how the security groups should be set up.

Option B is invalid because you need to allow incoming access for the database server from the WebSecGrp security group.
Options C and D are invalid because you need to allow Outbound traffic and not inbound traffic For more information on security groups please visit the below Link:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC
Scenario2.html
The correct answer is: Allow Inbound on port 3306 for Source Web Server Security Group WebSecGrp.
Submit your Feedback/Queries to our Experts

Comment: *

Name: *

Email: *

Verification: *

There are currently multiple applications hosted in a VPC.
During monitoring it has been noticed that multiple port scans are coming in from a specific IP Address block.
The internal security team has requested that all offending IP Addresses be denied for the next 24 hours.
Which of the following is the best method to quickly and temporarily deny access from the specified IP Address's.
Please select:

• A.Modify the Windows Firewall settings on all AMI'S that your organization uses in that VPC to deny access from the IP address block.
• B.Create an AD policy to modify the Windows Firewall settings on all hosts in the VPC to deny access from the IP Address block.
• C.Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP Address block.
• D.Add a rule to all of the VPC Security Groups to deny access from the IP Address block.

Comment: *

Name: *

Email: *

Verification: *