While securing the connection between a company's VPC and its on-premises data center, a Security Engineer sent a ping command from an on-premises host (IP address 203.0.113.12) to an Amazon EC2 instance (IP address 172.31.16.139). The ping command did not return a response. The flow log in the VPC showed the following:
2 123456789010 eni-1235b8ca 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK
2 123456789010 eni-1235b8ca 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK What action should be performed to allow the ping to work?

• A.In the security group of the EC2 instance, allow outbound ICMP traffic.
• B.In the VPC's NACL, allow inbound ICMP traffic.
• C.In the security group of the EC2 instance, allow inbound ICMP traffic.
• D.In the VPC's NACL, allow outbound ICMP traffic.

Comment: *

Name: *

Email: *

Verification: *

Your company is planning on developing an application in AWS. This is a web based application. The application users will use their facebook or google identities for authentication. You want to have the ability to manage user profiles without having to add extra coding to manage this. Which of the below would assist in this.
Please select:

• A.Create an OlDC identity provider in AWS
• B.Create a SAML provider in AWS
• C.Use AWS Cognito to manage the user profiles
• D.Use IAM users to manage the user profiles

Comment: *

Name: *

Email: *

Verification: *

You are designing a connectivity solution between on-premises infrastructure and Amazon VPC. Your server's on-premises will be communicating with your VPC instances. You will be establishing IPSec tunnels over the internet. Yo will be using VPN gateways and terminating the IPsec tunnels on AWS-supported customer gateways. Which of the following objectives would you achieve by implementing an IPSec tunnel as outlined above? Choose 4 answers form the options below Please select:

• A.End-to-end protection of data in transit
• B.End-to-end Identity authentication
• C.Data encryption across the internet
• D.Protection of data in transit over the Internet
• E.Peer identity authentication between VPN gateway and customer gateway
• F.Data integrity protection across the Internet

Comment: *

Name: *

Email: *

Verification: *

A company needs to use HTTPS when connecting to its web applications to meet compliance requirements. These web applications run in Amazon VPC on Amazon EC2 instances behind an Application Load Balancer (ALB). A security engineer wants to ensure that the load balancer win only accept connections over port 443. even if the ALB is mistakenly configured with an HTTP listener
Which configuration steps should the security engineer take to accomplish this task?

• A.Create a security group with a single inbound rule that allows connections from 0.0.0 0/0 on port 443. Ensure this security group is the only one associated with the ALB
• B.Create a security group with a rule that denies Inbound connections from 0.0.0 0/0 on port 00. Attach this security group to the ALB to overwrite more permissive rules from the ALB's default security
  group.
• C.Create a network ACL that denies inbound connections from 0 0.0.0/0 on port 80 Associate the network ACL with the VPC s internet gateway
• D.Create a network ACL that allows outbound connections to the VPC IP range on port 443 only. Associate the network ACL with the VPC's internet gateway.

Comment: *

Name: *

Email: *

Verification: *

A company runs an application on AWS that needs to be accessed only by employees. Most employees work from the office, but others work remotely or travel.
How can the Security Engineer protect this workload so that only employees can access it?

• A.Use a VPN appliance from the AWS Marketplace for users to connect to, and restrict workload access to traffic from that appliance.
• B.Add each employee's home IP address to the security group for the application so that only those users can access the workload.
• C.Create a virtual gateway for VPN connectivity for each employee, and restrict access to the workload from within the VPC.
• D.Route all traffic to the workload through AWS WAF. Add each employee's home IP address into an AWS WAF rule, and block all other traffic.

Comment: *

Name: *

Email: *

Verification: *