A company wishes to enable Single Sign On (SSO) so its employees can login to the management console using their corporate directory identity. Which steps below are required as part of the process? Select 2 answers from the options given below.
Please select:

• A.Create a Direct Connect connection between on-premise network and AWS. Use an AD connector for connecting AWS with on-premise active directory.
• B.Create IAM policies that can be mapped to group memberships in the corporate directory.
• C.Create a Lambda function to assign IAM roles to the temporary security tokens provided to the users.
• D.Create IAM users that can be mapped to the employees' corporate identities
• E.Create an IAM role that establishes a trust relationship between IAM and the corporate directory identity provider (IdP)

Correct Answer: A,E

Explanation
Create a Direct Connect connection so that corporate users can access the AWS account Option B is incorrect because IAM policies are not directly mapped to group memberships in the corporate directory. It is IAM roles which are mapped.
Option C is incorrect because Lambda functions is an incorrect option to assign roles.
Option D is incorrect because IAM users are not directly mapped to employees' corporate identities.
For more information on Direct Connect, please refer to below URL:
' https://aws.amazon.com/directconnect/
From the AWS Documentation, for federated access, you also need to ensure the right policy permissions are in place Configure permissions in AWS for your federated users The next step is to create an IAM role that establishes a trust relationship between IAM and your organization's IdP that identifies your IdP as a principal (trusted entity) for purposes of federation. The role also defines what users authenticated your organization's IdP are allowed to do in AWS. You can use the IAM console to create this role. When you create the trust policy that indicates who can assume the role, you specify the SAML provider that you created earlier in IAM along with one or more SAML attributes that a user must match to be allowed to assume the role. For example, you can specify that only users whose SAML eduPersonOrgDN value is ExampleOrg are allowed to sign in. The role wizard automatically adds a condition to test the saml:aud attribute to make sure that the role is assumed only for sign-in to the AWS Management Console. The trust policy for the role might look like this:

For more information on SAML federation, please refer to below URL:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enabli Note:
What directories can I use with AWS SSO?
You can connect AWS SSO to Microsoft Active Directory, running either on-premises or in the AWS Cloud.
AWS SSO supports AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD, and AD Connector. AWS SSO does not support Simple AD. See AWS Directory Service Getting Started to learn more.
To connect to your on-premises directory with AD Connector, you need the following:
VPC
Set up a VPC with the following:
* At least two subnets. Each of the subnets must be in a different Availability Zone.
* The VPC must be connected to your on-premises network through a virtual private network (VPN) connection or AWS Direct Connect.
* The VPC must have default hardware tenancy.
* https://aws.amazon.com/single-sign-on/
* https://aws.amazon.com/single-sign-on/faqs/
* https://aws.amazon.com/bloj using-corporate-credentials/
* https://docs.aws.amazon.com/directoryservice/latest/admin-
The correct answers are: Create a Direct Connect connection between on-premise network and AWS. Use an AD connector connecting AWS with on-premise active directory.. Create an IAM role that establishes a trust relationship between IAM and corporate directory identity provider (IdP) Submit your Feedback/Queries to our Experts

Comment: *

Name: *

Email: *

Verification: *

An EC2 Instance hosts a Java based application that access a DynamoDB table. This EC2 Instance is currently serving production based users. Which of the following is a secure way of ensuring that the EC2 Instance access the Dynamo table
Please select:

• A.Use IAM Roles with permissions to interact with DynamoDB and assign it to the EC2 Instance
• B.Use KMS keys with the right permissions to interact with DynamoDB and assign it to the EC2 Instance
• C.Use IAM Access Keys with the right permissions to interact with DynamoDB and assign it to the EC2 Instance
• D.Use IAM Access Groups with the right permissions to interact with DynamoDB and assign it to the EC2 Instance

Comment: *

Name: *

Email: *

Verification: *

A company is deploying a new web application on AWS. Based on their other web applications, they anticipate being the target of frequent DDoS attacks. Which steps can the company use to protect their application? Select 2 answers from the options given below.
Please select:

• A.Associate the EC2 instances with a security group that blocks traffic from blacklisted IP addresses.
• B.Use an ELB Application Load Balancer and Auto Scaling group to scale to absorb application layer traffic.
• C.Use Amazon Inspector on the EC2 instances to examine incoming traffic and discard malicious traffic.
• D.Use CloudFront and AWS WAF to prevent malicious traffic from reaching the application
• E.Enable GuardDuty to block malicious traffic from reaching the application The below diagram from AWS shows the best case scenario for avoiding DDos attacks using services such as AWS Cloudfro WAF, ELB and Autoscaling

Correct Answer: B,D

Option A is invalid because by default security groups don't allow access Option C is invalid because AWS Inspector cannot be used to examine traffic Option E is invalid because this can be used for attacks on EC2 Instances but not against DDos attacks on the entire application For more information on DDos mitigation from AWS, please visit the below URL:
https://aws.amazon.com/answers/networking/aws-ddos-attack-mitieationi
The correct answers are: Use an ELB Application Load Balancer and Auto Scaling group to scale to absorb application layer traffic., Use CloudFront and AWS WAF to prevent malicious traffic from reaching the application Submit your Feedback/Queries to our Experts

Comment: *

Name: *

Email: *

Verification: *

A company is designing the securely architecture (or a global latency-sensitive web application it plans to deploy to AWS. A Security Engineer needs to configure a highly available and secure two-tier architecture. The security design must include controls to prevent common attacks such as DDoS, cross-site scripting, and SQL injection.
Which solution meets these requirements?

• A.Create an Application Load Balancer (ALB) that uses public subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create an Amazon CloudFront distribution that uses the ALB as its origin. Create appropriate AWS WAF ACLs and enable them on the CloudFront distribution.
• B.Create an Application Load Balancer (ALB) that uses private subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create appropriate AWS WAF ACLs and enable them on the ALB.
• C.Create an Application Load Balancer (ALB) that uses public subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create appropriate AWS WAF ACLs and enable them on the ALB.
• D.Create an Application Load Balancer (ALB) that uses private subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create an Amazon CloudFront distribution that uses the ALB as its origin. Create appropriate AWS WAF ACLs and enable them on the CloudFront distribution.

Comment: *

Name: *

Email: *

Verification: *

A company's Developers plan to migrate their on-premises applications to Amazon EC2 instances running Amazon Linux AMIs. The applications are accessed by a group of partner companies The Security Engineer needs to implement the following host-based security measures for these instances:
* Block traffic from documented known bad IP addresses
* Detect known software vulnerabilities and CIS Benchmarks compliance.
Which solution addresses these requirements?

• A.Launch the EC2 instances with an IAM role attached Include a user data script that uses the IAM CLl to create NACLs blocking ingress traffic from the known bad IP addresses in the EC2 instance's subnets Use IAM Systems Manager to scan the instances for known software vulnerabilities, and IAM Trusted Advisor to check instances for CIS Benchmarks compliance
• B.Launch the EC2 instances with an IAM role attached Include a user data script that creates a cron job to periodically retrieve the list of bad IP addresses from Amazon S3, and configures iptabies on the instances blocking the list of bad IP addresses Use Amazon inspector to scan the instances for known software vulnerabilities and CIS Benchmarks compliance.
• C.Launch the EC2 instances with an IAM role attached Include a user data script that uses the IAM CLl to create and attach security groups that only allow an allow listed source IP address range inbound. Use Amazon Inspector to scan the instances for known software vulnerabilities, and IAM Trusted Advisor to check instances for CIS Benchmarks compliance
• D.Launch the EC2 instances with an IAM role attached. Include a user data script that uses the IAM CLI to retrieve the list of bad IP addresses from IAM Secrets Manager and uploads it as a threat list in Amazon GuardDuty Use Amazon Inspector to scan the instances for known software vulnerabilities and CIS Benchmarks compliance

Comment: *

Name: *

Email: *

Verification: *