Your current setup in IAM consists of the following architecture. 2 public subnets, one subnet which has the web servers accessed by users across the internet and the other subnet for the database server. Which of the following changes to the architecture would add a better security boundary to the resources hosted in your setup Please select:

• A.Consider moving the web server to a private subnet
• B.Consider moving the database server to a private subnet
• C.Consider moving both the web and database server to a private subnet
• D.Consider creating a private subnet and adding a NAT instance to that subnet

Correct Answer: B

Explanation
The ideal setup is to ensure that the web server is hosted in the public subnet so that it can be accessed by users on the internet. The database server can be hosted in the private subnet.
The below diagram from the IAM Documentation shows how this can be setup .

Option A and C are invalid because if you move the web server to a private subnet, then it cannot be accessed by users Option D is invalid because NAT instances should be present in the public subnet For more information on public and private subnets in IAM, please visit the following url com/AmazonVPC/latest/UserGuide/VPC Scenario2.
The correct answer is: Consider moving the database server to a private subnet Submit your Feedback/Queries to our Experts

Comment: *

Name: *

Email: *

Verification: *

You have a set of Customer keys created using the IAM KMS service. These keys have been used for around
6 months. You are now trying to use the new KMS features for the existing set of key's but are not able to do so. What could be the reason for this.
Please select:

• A.You have not explicitly given access via the key policy
• B.You have not explicitly given access via the IAM policy
• C.You have not given access via the IAM roles
• D.You have not explicitly given access via IAM users

Comment: *

Name: *

Email: *

Verification: *

A company's Security Team received an email notification from the Amazon EC2 Abuse team that one or more of the company's Amazon EC2 instances may have been compromised Which combination of actions should the Security team take to respond to (be current modem? (Select TWO.)

• A.Detach the internet gateway from the VPC remove aft rules that contain 0.0.0.0V0 from the security groups, and create a NACL rule to deny all traffic Inbound from the internet
• B.Respond to the notification and list the actions that have been taken to address the incident
• C.Delete the identified compromised instances and delete any associated resources that the Security team did not create.
• D.Open a support case with the IAM Security team and ask them to remove the malicious code from the affected instance
• E.Delete all IAM users and resources in the account

Comment: *

Name: *

Email: *

Verification: *

You have a set of application , database and web servers hosted in AWS. The web servers are placed behind an ELB. There are separate security groups for the application, database and web servers. The network security groups have been defined accordingly. There is an issue with the communication between the application and database servers. In order to troubleshoot the issue between just the application and database server, what is the ideal set of MINIMAL steps you would take?
Please select:

• A.Check the Inbound security rules for the database security group Check the Outbound security rules for the application security group
• B.Check the Outbound security rules for the database security group I Check the inbound security rules for the application security group
• C.Check the both the Inbound and Outbound security rules for the database security group Check the inbound security rules for the application security group
• D.Check the Outbound security rules for the database security group
  Check the both the Inbound and Outbound security rules for the application security group

Comment: *

Name: *

Email: *

Verification: *

A company hosts a critical web application on the AWS Cloud. This is a key revenue generating application for the company. The IT Security team is worried about potential DDos attacks against the web site. The senior management has also specified that immediate action needs to be taken in case of a potential DDos attack. What should be done in this regard?
Please select:

• A.Consider using the AWS Shield Service
• B.Consider using VPC Flow logs to monitor traffic for DDos attack and quickly take actions on a trigger of a potential attack.
• C.Consider using the AWS Shield Advanced Service
• D.Consider using Cloudwatch logs to monitor traffic for DDos attack and quickly take actions on a trigger of a potential attack.

Comment: *

Name: *

Email: *

Verification: *