A company has a set of resources defined in AWS. It is mandated that all API calls to the resources be monitored. Also all API calls must be stored for lookup purposes. Any log data greater than 6 months must be archived. Which of the following meets these requirements? Choose 2 answers from the options given below. Each answer forms part of the solution.
Please select:

• A.Enable CloudTrail logging in all accounts into S3 buckets
• B.Enable CloudTrail logging in all accounts into Amazon Glacier
• C.Ensure a lifecycle policy is defined on the S3 bucket to move the data to EBS volumes after 6 months.
• D.Ensure a lifecycle policy is defined on the S3 bucket to move the data to Amazon Glacier after 6 months.

Comment: *

Name: *

Email: *

Verification: *

You have a set of application , database and web servers hosted in AWS. The web servers are placed behind an ELB. There are separate security groups for the application, database and web servers. The network security groups have been defined accordingly. There is an issue with the communication between the application and database servers. In order to troubleshoot the issue between just the application and database server, what is the ideal set of MINIMAL steps you would take?
Please select:

• A.Check the Inbound security rules for the database security group Check the Outbound security rules for the application security group
• B.Check the Outbound security rules for the database security group I Check the inbound security rules for the application security group
• C.Check the both the Inbound and Outbound security rules for the database security group Check the inbound security rules for the application security group
• D.Check the Outbound security rules for the database security group

Comment: *

Name: *

Email: *

Verification: *

An application running on Amazon EC2 instances generates log files in a folder on a Linux file system. The instances block access to the console and file transfer utilities, such as Secure Copy Protocol (SCP) and Secure File Transfer Protocol (SFTP). The Application Support team wants to automatically monitor the application log files so the team can set up notifications in the future.
A Security Engineer must design a solution that meets the following requirements:
* Make the log files available through an AWS managed service.
* Allow for automatic monitoring of the logs.
* Provide an interface for analyzing logs.
* Minimize effort.
Which approach meets these requirements?

• A.Modify the application to use the AWS SDK. Write the application logs to an Amazon S3 bucket.
• B.Install the unified Amazon CloudWatch agent on the instances. Configure the agent to collect the application log files on the EC2 file system and send them to Amazon CloudWatch Logs.
• C.Install AWS Systems Manager Agent on the instances. Configure an automation document to copy the application log files to AWS DeepLens.
• D.Install Amazon Kinesis Agent on the instances. Stream the application log files to Amazon Kinesis Data Firehose and set the destination to Amazon Elasticsearch Service.

Comment: *

Name: *

Email: *

Verification: *

Your current setup in AWS consists of the following architecture. 2 public subnets, one subnet which has the web servers accessed by users across the internet and the other subnet for the database server. Which of the following changes to the architecture would add a better security boundary to the resources hosted in your setup Please select:

• A.Consider moving the web server to a private subnet
• B.Consider moving the database server to a private subnet
• C.Consider moving both the web and database server to a private subnet
• D.Consider creating a private subnet and adding a NAT instance to that subnet The ideal setup is to ensure that the web server is hosted in the public subnet so that it can be accessed by users on the internet. The database server can be hosted in the private subnet.

Correct Answer: B

The below diagram from the AWS Documentation shows how this can be setup

Option A and C are invalid because if you move the web server to a private subnet, then it cannot be accessed by users Option D is invalid because NAT instances should be present in the public subnet For more information on public and private subnets in AWS, please visit the following url
.com/AmazonVPC/latest/UserGuide/VPC Scenario2.
The correct answer is: Consider moving the database server to a private subnet Submit your Feedback/Queries to our Experts

Comment: *

Name: *

Email: *

Verification: *

Your CTO is very worried about the security of your AWS account. How best can you prevent hackers from completely hijacking your account?
Please select:

• A.Use short but complex password on the root account and any administrators.
• B.Use AWS IAM Geo-Lock and disallow anyone from logging in except for in your city.
• C.Use MFA on all users and accounts, especially on the root account.
• D.Don't write down or remember the root account password after creating the AWS account.

Correct Answer: C

Multi-factor authentication can add one more layer of security to your AWS account Even when you go to your Security Credentials dashboard one of the items is to enable MFA on your root account

Option A is invalid because you need to have a good password policy Option B is invalid because there is no IAM Geo-Lock Option D is invalid because this is not a recommended practices For more information on MFA, please visit the below URL
http://docs.aws.amazon.com/IAM/latest/UserGuide/id credentials mfa.htmll
The correct answer is: Use MFA on all users and accounts, especially on the root account.
Submit your Feedback/Queries to our Experts

Comment: *

Name: *

Email: *

Verification: *