The Information Technology department has stopped using Classic Load Balancers and switched to Application Load Balancers to save costs. After the switch, some users on older devices are no longer able to connect to the website.
What is causing this situation?

• A.Application Load Balancers do not support older web browsers.
• B.The Perfect Forward Secrecy settings are not configured correctly.
• C.The intermediate certificate is installed within the Application Load Balancer.
• D.The cipher suites on the Application Load Balancers are blocking connections.

Comment: *

Name: *

Email: *

Verification: *

Amazon GuardDuty has detected communications to a known command and control endpoint from a company's Amazon EC2 instance. The instance was found to be running a vulnerable version of a common web framework. The company's security operations team wants to quickly identity other compute resources with the specific version of that framework installed.
Which approach should the team take to accomplish this task?

• A.Scan all the EC2 instances for noncompliance with IAM Config. Use Amazon Athena to query IAM CloudTrail logs for the framework installation
• B.Scan all the EC2 instances with IAM Systems Manager to identify the vulnerable version of the web framework
• C.Scan an the EC2 instances with IAM Resource Access Manager to identify the vulnerable version of the web framework
• D.Scan all the EC2 instances with the Amazon Inspector Network Reachability rules package to identity instances running a web server with RecognizedPortWithListener findings

Comment: *

Name: *

Email: *

Verification: *

A company wishes to enable Single Sign On (SSO) so its employees can login to the management console using their corporate directory identity. Which steps below are required as part of the process? Select 2 answers from the options given below.
Please select:

• A.Create a Direct Connect connection between on-premise network and AWS. Use an AD connector for connecting AWS with on-premise active directory.
• B.Create IAM policies that can be mapped to group memberships in the corporate directory.
• C.Create a Lambda function to assign IAM roles to the temporary security tokens provided to the users.
• D.Create IAM users that can be mapped to the employees' corporate identities
• E.Create an IAM role that establishes a trust relationship between IAM and the corporate directory identity provider (IdP)

Correct Answer: A,E

Create a Direct Connect connection so that corporate users can access the AWS account Option B is incorrect because IAM policies are not directly mapped to group memberships in the corporate directory. It is IAM roles which are mapped.
Option C is incorrect because Lambda functions is an incorrect option to assign roles.
Option D is incorrect because IAM users are not directly mapped to employees' corporate identities.
For more information on Direct Connect, please refer to below URL:
' https://aws.amazon.com/directconnect/
From the AWS Documentation, for federated access, you also need to ensure the right policy permissions are in place Configure permissions in AWS for your federated users The next step is to create an IAM role that establishes a trust relationship between IAM and your organization's IdP that identifies your IdP as a principal (trusted entity) for purposes of federation. The role also defines what users authenticated your organization's IdP are allowed to do in AWS. You can use the IAM console to create this role. When you create the trust policy that indicates who can assume the role, you specify the SAML provider that you created earlier in IAM along with one or more SAML attributes that a user must match to be allowed to assume the role. For example, you can specify that only users whose SAML eduPersonOrgDN value is ExampleOrg are allowed to sign in. The role wizard automatically adds a condition to test the saml:aud attribute to make sure that the role is assumed only for sign-in to the AWS Management Console. The trust policy for the role might look like this:

For more information on SAML federation, please refer to below URL:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enabli Note:
What directories can I use with AWS SSO?
You can connect AWS SSO to Microsoft Active Directory, running either on-premises or in the AWS Cloud. AWS SSO supports AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD, and AD Connector. AWS SSO does not support Simple AD. See AWS Directory Service Getting Started to learn more.
To connect to your on-premises directory with AD Connector, you need the following:
VPC
Set up a VPC with the following:
* At least two subnets. Each of the subnets must be in a different Availability Zone.
* The VPC must be connected to your on-premises network through a virtual private network (VPN) connection or AWS Direct Connect.
* The VPC must have default hardware tenancy.
* https://aws.amazon.com/single-sign-on/
* https://aws.amazon.com/single-sign-on/faqs/
* https://aws.amazon.com/bloj using-corporate-credentials/
* https://docs.aws.amazon.com/directoryservice/latest/admin-
The correct answers are: Create a Direct Connect connection between on-premise network and AWS. Use an AD connector connecting AWS with on-premise active directory.. Create an IAM role that establishes a trust relationship between IAM and corporate directory identity provider (IdP) Submit your Feedback/Queries to our Experts

Comment: *

Name: *

Email: *

Verification: *

Your company has an EC2 Instance hosted in AWS. This EC2 Instance hosts an application. Currently this application is experiencing a number of issues. You need to inspect the network packets to see what the type of error that is occurring? Which one of the below steps can help address this issue?
Please select:

• A.Use the VPC Flow Logs.
• B.Use a network monitoring tool provided by an AWS partner.
• C.Use Cloudwatch metric
• D.Use another instance. Setup a port to "promiscuous mode" and sniff the traffic to analyze the packets. -

Comment: *

Name: *

Email: *

Verification: *

A threat assessment has identified a risk whereby an internal employee could exfiltrate sensitive data from
production host running inside AWS (Account 1). The threat was documented as follows:
Threat description: A malicious actor could upload sensitive data from Server X by configuring credentials
for an AWS account (Account 2) they control and uploading data to an Amazon S3 bucket within their
control.
Server X has outbound internet access configured via a proxy server. Legitimate access to S3 is required
so that the application can upload encrypted files to an S3 bucket. Server X is currently using an IAM
instance role. The proxy server is not able to inspect any of the server communication due to TLS
encryption.
Which of the following options will mitigate the threat? (Choose two.)

• A.Block outbound access to public S3 endpoints on the proxy server.
• B.Bypass the proxy and use an S3 VPC endpoint with a policy that whitelists only certain S3 buckets
  within Account 1.
• C.Modify the S3 bucket policy for the legitimate bucket to allow access only from the public IP addresses
  associated with the application server.
• D.Configure Network ACLs on Server X to deny access to S3 endpoints.
• E.Remove the IAM instance role from the application server and save API access keys in a trusted and
  encrypted application config file.

Comment: *

Name: *

Email: *

Verification: *