A financial application is composed of an Auto Scaling group of EC2 instances, an Application Load Balancer, and a MySQL RDS instance in a Multi-AZ Deployments configuration. To protect the confidential data of your customers, you have to ensure that your RDS database can only be accessed using the profile credentials specific to your EC2 instances via an authentication token.
As the Solutions Architect of the company, which of the following should you do to meet the above requirement?

• A.Configure SSL in your application to encrypt the database connection to RDS.
• B.Create an IAM Role and assign it to your EC2 instances which will grant exclusive access to your RDS instance.
• C.Use a combination of IAM and STS to restrict access to your RDS instance via a temporary token.
• D.Enable the IAM DB Authentication.

Correct Answer: D

You can authenticate to your DB instance using AWS Identity and Access Management (IAM) database authentication. IAM database authentication works with MySQL and PostgreSQL. With this authentication method, you don't need to use a password when you connect to a DB instance. Instead, you use an authentication token.
An authentication token is a unique string of characters that Amazon RDS generates on request.
Authentication tokens are generated using AWS Signature Version 4.
Each token has a lifetime of 15 minutes. You don't need to store user credentials in the database, because authentication is managed externally using IAM. You can also still use standard database authentication.


IAM database authentication provides the following benefits:
Network traffic to and from the database is encrypted using Secure Sockets Layer (SSL).
You can use IAM to centrally manage access to your database resources, instead of managing access individually on each DB instance.
For applications running on Amazon EC2, you can use profile credentials specific to your EC2 instance to access your database instead of a password, for greater security Hence, enabling IAM DB Authentication is the correct answer based on the above reference. Configuring SSL in your application to encrypt the database connection to RDS is incorrect because an SSL connection is not using an authentication token from IAM. Although configuring SSL to your application can improve the security of your data in flight, it is still not a suitable option to use in this scenario.
Creating an IAM Role and assigning it to your EC2 instances which will grant exclusive access to your RDS instance is incorrect because although you can create and assign an IAM Role to your EC2 instances, you still need to configure your RDS to use IAM DB Authentication.
Using a combination of IAM and STS to restrict access to your RDS instance via a temporary token is incorrect because you have to use IAM DB Authentication for this scenario, and not a combination of an IAM and STS. Although STS is used to send temporary tokens for authentication, this is not a compatible use case for RDS.
Explanation:
Reference:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html Check out this Amazon RDS cheat sheet:
https://tutorialsdojo.com/amazon-relational-database-service-amazon-rds/

Comment: *

Name: *

Email: *

Verification: *

A company has an On-Demand EC2 instance located in a subnet in AWS that hosts a web application.
The security group attached to this EC2 instance has the following Inbound Rules:

The Route table attached to the VPC is shown below. You can establish an SSH connection into the EC2 instance from the Internet. However, you are not able to connect to the web server using your Chrome browser.

Which of the below steps would resolve the issue?

• A.In the Route table, add this new route entry: 0.0.0.0 -> igw-b51618cc
• B.In the Route table, add this new route entry: 10.0.0.0/27 -> local
• C.In the Security Group, remove the SSH rule.
• D.In the Security Group, add an Inbound HTTP rule.

Correct Answer: D

In this particular scenario, you can already connect to the EC2 instance via SSH. This means that there is no problem in the Route Table of your VPC. To fix this issue, you simply need to update your Security Group and add an Inbound rule to allow HTTP traffic.

The option that says: In the Security Group, remove the SSH rule is incorrect as doing so will not solve the issue. It will just disable SSH traffic that is already available.
The options that say: In the Route table, add this new route entry: 0.0.0.0 -> igw-b51618cc and In the Route table, add this new route entry: 10.0.0.0/27 -> local are incorrect as there is no need to change the Route Tables.
Explanation:
Reference:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html Check out this Amazon VPC Cheat Sheet:
https://tutorialsdojo.com/amazon-vpc/

Comment: *

Name: *

Email: *

Verification: *

There is a technical requirement by a financial firm that does online credit card processing to have a secure application environment on AWS. They are trying to decide on whether to use KMS or CloudHSM.
Which of the following statements is right when it comes to CloudHSM and KMS?

• A.AWS CloudHSM should always be used for any payment transactions.
• B.You should consider using AWS CloudHSM over AWS KMS if you require your keys stored in dedicated, third-party validated hardware security modules under your exclusive control.
• C.If you want a managed service for creating and controlling your encryption keys but don't want or need to operate your own HSM, consider using AWS CloudHSM.
• D.No major difference. They both do the same thing.

Correct Answer: B

AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data. The master keys that you create in AWS KMS are protected by FIPS 140-2 validated cryptographic modules. AWS KMS is integrated with most other AWS services that encrypt your data with encryption keys that you manage. AWS KMS is also integrated with AWS CloudTrail to provide encryption key usage logs to help meet your auditing, regulatory and compliance needs.

By using AWS KMS, you gain more control over access to data you encrypt. You can use the key management and cryptographic features directly in your applications or through AWS services that are integrated with AWS KMS. Whether you are writing applications for AWS or using AWS services, AWS KMS enables you to maintain control over who can use your customer master keys and gain access to your encrypted data. AWS KMS is integrated with AWS CloudTrail, a service that delivers log files to an Amazon S3 bucket that you designate. By using CloudTrail you can monitor and investigate how and when your master keys have been used and by whom.
If you want a managed service for creating and controlling your encryption keys, but you don't want or need to operate your own HSM, consider using AWS Key Management Service.
Hence, the correct answer is: You should consider using AWS CloudHSM over AWS KMS if you require your keys stored in dedicated, third-party validated hardware security modules under your exclusive control.
The option that says: No major difference. They both do the same thing is incorrect because KMS and CloudHSM are two different services. If you want a managed service for creating and controlling your encryption keys, without operating your own HSM, you have to consider using AWS Key Management Service.
The option that says: If you want a managed service for creating and controlling your encryption keys, but you don't want or need to operate your own HSM, consider using AWS CloudHSM is incorrect because you have to consider using AWS KMS if you want a managed service for creating and controlling your encryption keys, without operating your own HSM.
The option that says: AWS CloudHSM should always be used for any payment transactions is incorrect because this is not always the case. AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud. References:
https://docs.aws.amazon.com/kms/latest/developerguide/overview.html
https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#data-keys
https://docs.aws.amazon.com/cloudhsm/latest/userguide/introduction.html Check out this AWS Key Management Service Cheat Sheet: https://tutorialsdojo.com/aws-key-management-service-aws-kms/

Comment: *

Name: *

Email: *

Verification: *

A startup launched a fleet of on-demand EC2 instances to host a massively multiplayer online role- playing game (MMORPG). The EC2 instances are configured with Auto Scaling and AWS Systems Manager.
What can be used to configure the EC2 instances without having to establish an RDP or SSH connection to each instance?

• A.AWS CodePipeline
• B.Run Command
• C.EC2Config
• D.AWS Config

Correct Answer: B

You can use Run Command from the console to configure instances without having to login to each instance.

AWS Systems Manager Run Command lets you remotely and securely manage the configuration of your managed instances. A managed instance is any Amazon EC2 instance or on-premises machine in your hybrid environment that has been configured for Systems Manager. Run Command enables you to automate common administrative tasks and perform ad hoc configuration changes at scale. You can use Run Command from the AWS console, the AWS Command Line Interface, AWS Tools for Windows PowerShell, or the AWS SDKs. Run Command is offered at no additional cost. Hence, the correct answer is: Run Command.
Explanation:
Reference:
https://docs.aws.amazon.com/systems-manager/latest/userguide/execute-remote-commands.html AWS Systems Manager Overview:
https://www.youtube.com/watch?v=KVFKyMAHxqY
Check out this AWS Systems Manager Cheat Sheet:
https://tutorialsdojo.com/aws-systems-manager/

Comment: *

Name: *

Email: *

Verification: *

A telecommunications company is planning to give AWS Console access to developers. Company policy mandates the use of identity federation and role-based access control. Currently, the roles are already assigned using groups in the corporate Active Directory.
In this scenario, what combination of the following services can provide developers access to the AWS console? (Select TWO.)

• A.AWS Directory Service AD Connector
• B.IAM Groups
• C.AWS Directory Service Simple AD
• D.IAM Roles
• E.Lambda

Correct Answer: A,D

Considering that the company is using a corporate Active Directory, it is best to use AWS Directory Service AD Connector for easier integration. In addition, since the roles are already assigned using groups in the corporate Active Directory, it would be better to also use IAM Roles. Take note that you can assign an IAM Role to the users or groups from your Active Directory once it is integrated with your VPC via the AWS Directory Service AD Connector.

AWS Directory Service provides multiple ways to use Amazon Cloud Directory and Microsoft Active Directory (AD) with other AWS services. Directories store information about users, groups, and devices, and administrators use them to manage access to information and resources. AWS Directory Service provides multiple directory choices for customers who want to use existing Microsoft AD or Lightweight Directory Access Protocol (LDAP)-aware applications in the cloud. It also offers those same choices to developers who need a directory to manage users, groups, devices, and access.

AWS Directory Service Simple AD is incorrect because this just provides a subset of the features offered by AWS Managed Microsoft AD, including the ability to manage user accounts and group memberships, create and apply group policies, securely connect to Amazon EC2 instances, and provide Kerberos- based single sign-on (SSO). In this scenario, the more suitable component to use is the AD Connector since it is a directory gateway with which you can redirect directory requests to your on-premises Microsoft Active Directory.
IAM Groups is incorrect because this is just a collection of IAM users. Groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users. In this scenario, the more suitable one to use is IAM Roles in order for permissions to create AWS Directory Service resources.
Lambda is incorrect because this is primarily used for serverless computing.
Explanation:
Reference:
https://aws.amazon.com/blogs/security/how-to-connect-your-on-premises-active-directory-to-aws-using- ad-connector/ Check out these AWS IAM and Directory Service Cheat Sheets: https://tutorialsdojo.com/aws-identity- and-access-management-iam/ https://tutorialsdojo.com/aws-directory-service/ Here is a video tutorial on AWS Directory Service:
https://youtu.be/4XeqotTYBtY

Comment: *

Name: *

Email: *

Verification: *