- (Exam Topic 2)
You have a 2 tier application hosted in AWS. It consists of a web server and database server (SQL Server) hosted on separate EC2 Instances. You are devising the security groups for these EC2 Instances. The Web tier needs to be accessed by users across the Internet. You have created a web security group(wg-123) and database security group(db-345). Which combination of the following security group rules will allow the application to be secure and functional. Choose 2 answers from the options given below.
Please select:

1. A. wg-123 -Allow ports 80 and 443 from 0.0.0.0/0
2. B. db-345 - Allow port 1433 from wg-123
3. C. wg-123 - Allow port 1433 from wg-123
4. D. db-345 -Allow ports 1433 from 0.0.0.0/0

Correct Answer: AB
The Web security groups should allow access for ports 80 and 443 for HTTP and HTTPS traffic to all users from the internet.
The database security group should just allow access from the web security group from port 1433. Option C is invalid because this is not a valid configuration
Option D is invalid because database security should not be allowed on the internet For more information on Security Groups please visit the below URL: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/usins-network-security.htmll
The correct answers are: wg-123 - Allow ports 80 and 443 from 0.0.0.0/0, db-345 - Allow port 1433 from wg-123
Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
A company has a large set of keys defined in AWS KMS. Their developers frequently use the keys for the applications being developed. What is one of the ways that can be used to reduce the cost of accessing the keys in the AWS KMS service.
Please select:

1. A. Enable rotation of the keys
2. B. Use Data key caching
3. C. Create an alias of the key
4. D. Use the right key policy

Correct Answer: B
The AWS Documentation mentions the following
Data key caching stores data keys and related cryptographic material in a cache. When you encrypt or decrypt data, the AWS Encryption SDK looks for a matching data key in the cache. If it finds a match, it uses the cached data key rather than generatir a new one. Data key caching can improve performance, reduce cost, and help you stay within service limits as your application scales.
Option A.C and D are all incorrect since these options will not impact how the key is used. For more information on data key caching, please refer to below URL: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/data-key-cachine.htmll The correct answer is: Use Data key caching Submit your Feedback/Queries to our Experts

- (Exam Topic 1)
The Security Engineer is managing a traditional three-tier web application that is running on Amazon EC2 instances. The application has become the target of increasing numbers of malicious attacks from the Internet.
What steps should the Security Engineer take to check for known vulnerabilities and limit the attack surface? (Choose two.)

1. A. Use AWS Certificate Manager to encrypt all traffic between the client and application servers.
2. B. Review the application security groups to ensure that only the necessary ports are open.
3. C. Use Elastic Load Balancing to offload Secure Sockets Layer encryption.
4. D. Use Amazon Inspector to periodically scan the backend instances.
5. E. Use AWS Key Management Services to encrypt all the traffic between the client and application servers.

Correct Answer: BD

- (Exam Topic 2)
A company has deployed a custom DNS server in AWS. The Security Engineer wants to ensure that Amazon EC2 instances cannot use the Amazon-provided DNS.
How can the Security Engineer block access to the Amazon-provided DNS in the VPC?

1. A. Deny access to the Amazon DNS IP within all security groups.
2. B. Add a rule to all network access control lists that deny access to the Amazon DNS IP.
3. C. Add a route to all route tables that black holes traffic to the Amazon DNS IP.
4. D. Disable DNS resolution within the VPC configuration.

Correct Answer: D
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html

- (Exam Topic 2)
What are the MOST secure ways to protect the AWS account root user of a recently opened AWS account? (Choose two.)

1. A. Use the AWS account root user access keys instead of the AWS Management Console
2. B. Enable multi-factor authentication for the AWS IAM users with the AdministratorAccess managed policy attached to them
3. C. Enable multi-factor authentication for the AWS account root user
4. D. Use AWS KMS to encrypt all AWS account root user and AWS IAM access keys and set automatic rotation to 30 days
5. E. Do not create access keys for the AWS account root user; instead, create AWS IAM users

Correct Answer: CE