You have a set of application , database and web servers hosted in AWS. The web servers are placed behind an ELB. There are separate security groups for the application, database and web servers. The network security groups have been defined accordingly. There is an issue with the communication between the application and database servers. In order to troubleshoot the issue between just the application and database server, what is the ideal set of MINIMAL steps you would take?
Please select:

• A.Check the Inbound security rules for the database security group Check the Outbound security rules for the application security group
• B.Check the Outbound security rules for the database security group I Check the inbound security rules for the application security group
• C.Check the both the Inbound and Outbound security rules for the database security group Check the inbound security rules for the application security group
• D.Check the Outbound security rules for the database security group
  Check the both the Inbound and Outbound security rules for the application security group

Comment: *

Name: *

Email: *

Verification: *

A company's security engineer is configuring Amazon S3 permissions to ban all current and future public buckets However, the company hosts several websites directly off S3 buckets with public access enabled The engineer needs to bock me pubic S3 buckets without causing any outages on me easting websites The engineer has set up an Amazon CloudFrom distribution (or each website Which set or steps should the security engineer implement next?

• A.Configure an S3 bucket as the origin with an origin access identity (OAI) for the CloudFront distribution Enable block public access settings at the account level
• B.Configure an S3 bucket as the origin an origin access identity (OAI) for the CloudFront distribution Switch the DNS records from websites to point to the CloudFront distribution Enable Nock public access settings at the account level
• C.Configure an S3 bucket as the origin with an origin access identity (OAI) for the CloudFront distribution Switch the ONS records tor the websites to point to the CloudFront disinfection Then, tor each S3 bucket enable block public access settings
• D.Configure an S3 bucket as the origin for me CloudFront distribution Configure the S3 bucket policy to accept connections from the CloudFront points of presence only Switch the DNS records for the websites to point to the CloudFront distribution Enable block public access settings at me account level

Comment: *

Name: *

Email: *

Verification: *

Your CTO is very worried about the security of your AWS account. How best can you prevent hackers from completely hijacking your account?
Please select:

• A.Use short but complex password on the root account and any administrators.
• B.Use AWS 1AM Geo-Lock and disallow anyone from logging in except for in your city.
• C.Use MFA on all users and accounts, especially on the root account.
• D.Don't write down or remember the root account password after creating the AWS account.

Correct Answer: C

Explanation
Multi-factor authentication can add one more layer of security to your AWS account Even when you go to your Security Credentials dashboard one of the items is to enable MFA on your root account

Option A is invalid because you need to have a good password policy Option B is invalid because there is no
1AM Geo-Lock Option D is invalid because this is not a recommended practices For more information on MFA, please visit the below URL
http://docs.aws.amazon.com/IAM/latest/UserGuide/id
credentials mfa.htmll
The correct answer is: Use MFA on all users and accounts, especially on the root account.
Submit your Feedback/Queries to our Experts

Comment: *

Name: *

Email: *

Verification: *

Due to new compliance requirements, a Security Engineer must enable encryption with customer-provided keys on corporate data that is stored in DynamoDB. The company wants to retain full control of the encryption keys.
Which DynamoDB feature should the Engineer use to achieve compliance'?

• A.Enable S3 server-side encryption with the customer-provided keys. Upload the data to Amazon S3, and then use S3Copy to move all data to DynamoDB
• B.Use the DynamoDB Java encryption client to encrypt data prior to uploading it to DynamoDB.
• C.Create a KMS master key. Generate per-record data keys and use them to encrypt data prior to uploading it to DynamoDS. Dispose of the cleartext and encrypted data keys after encryption without storing.
• D.Use AWS Certificate Manager to request a certificate. Use that certificate to encrypt data prior to uploading it to DynamoDB.

Comment: *

Name: *

Email: *

Verification: *

Your application currently uses customer keys which are generated via AWS KMS in the US east region. You now want to use the same set of keys from the EU-Central region. How can this be accomplished?
Please select:

• A.Export the key from the US east region and import them into the EU-Central region
• B.Use key rotation and rotate the existing keys to the EU-Central region
• C.Use the backing key from the US east region and use it in the EU-Central region
• D.This is not possible since keys from KMS are region specific

Comment: *

Name: *

Email: *

Verification: *