- (Exam Topic 2)
A company has a few dozen application servers in private subnets behind an Elastic Load Balancer (ELB) in an AWS Auto Scaling group. The application is accessed from the web over HTTPS. The data must always be encrypted in transit. The Security Engineer is worried about potential key exposure due to vulnerabilities in the application software.
Which approach will meet these requirements while protecting the external certificate during a breach?

1. A. Use a Network Load Balancer (NLB) to pass through traffic on port 443 from the internet to port 443 on the instances.
2. B. Purchase an external certificate, and upload it to the AWS Certificate Manager (for use with the ELB) and to the instance
3. C. Have the ELB decrypt traffic, and route and re-encrypt with the same certificate.
4. D. Generate an internal self-signed certificate and apply it to the instance
5. E. Use AWS Certificate Manager to generate a new external certificate for the EL
6. F. Have the ELB decrypt traffic, and route andre-encrypt with the internal certificate.
7. G. Upload a new external certificate to the load balance
8. H. Have the ELB decrypt the traffic and forward it on port 80 to the instances.

Correct Answer: C

- (Exam Topic 2)
The Security Engineer created a new AWS Key Management Service (AWS KMS) key with the following key policy:

What are the effects of the key policy? (Choose two.)

1. A. The policy allows access for the AWS account 111122223333 to manage key access though IAM policies.
2. B. The policy allows all IAM users in account 111122223333 to have full access to the KMS key.
3. C. The policy allows the root user in account 111122223333 to have full access to the KMS key.
4. D. The policy allows the KMS service-linked role in account 111122223333 to have full access to the KMS key.
5. E. The policy allows all IAM roles in account 111122223333 to have full access to the KMS key.

Correct Answer: AC
Giving the AWS account full access to the CMK does this; it enables you to use IAM policies to give IAM users and roles in the account access to the CMK. It does not by itself give any IAM users or roles access to the CMK, but it enables you to use IAM policies to do so.
https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable

- (Exam Topic 1)
A large government organization is moving to the cloud and has specific encryption requirements. The first workload to move requires that a customer's data be immediately destroyed when the customer makes that request.
Management has asked the security team to provide a solution that will securely store the data, allow only authorized applications to perform encryption and decryption and allow for immediate destruction of the data
Which solution will meet these requirements?

1. A. Use AWS Secrets Manager and an AWS SDK to create a unique secret for the customer-specific data
2. B. Use AWS Key Management Service (AWS KMS) and the AWS Encryption SDK to generate and store a data encryption key for each customer.
3. C. Use AWS Key Management Service (AWS KMS) with service-managed keys to generate and store customer-specific data encryption keys
4. D. Use AWS Key Management Service (AWS KMS) and create an AWS CloudHSM custom key store Use CloudHSM to generate and store a new CMK for each customer.

Correct Answer: A

- (Exam Topic 2)
Your company has defined a number of EC2 Instances over a period of 6 months. They want to know if any of the security groups allow unrestricted access to a resource. What is the best option to accomplish this requirement?
Please select:

1. A. Use AWS Inspector to inspect all the security Groups
2. B. Use the AWS Trusted Advisor to see which security groups have compromised access.
3. C. Use AWS Config to see which security groups have compromised access.
4. D. Use the AWS CLI to query the security groups and then filter for the rules which have unrestricted accessd

Correct Answer: B
The AWS Trusted Advisor can check security groups for rules that allow unrestricted access to a resource. Unrestricted access increases opportunities for malicious activity (hacking, denial-of-service attacks, loss of data).
If you go to AWS Trusted Advisor, you can see the details C:\Users\wk\Desktop\mudassar\Untitled.jpg

Option A is invalid because AWS Inspector is used to detect security vulnerabilities in instances and not for security groups.
Option C is invalid because this can be used to detect changes in security groups but not show you security groups that have compromised access.
Option Dis partially valid but would just be a maintenance overhead
For more information on the AWS Trusted Advisor, please visit the below URL: https://aws.amazon.com/premiumsupport/trustedadvisor/best-practices;
The correct answer is: Use the AWS Trusted Advisor to see which security groups have compromised access. Submit your Feedback/Queries to our Experts

- (Exam Topic 1)
A company has recently recovered from a security incident that required the restoration of Amazon EC2 instances from snapshots.
After performing a gap analysis of its disaster recovery procedures and backup strategies, the company is concerned that, next time, it will not be able to recover the EC2 instances if the AWS account was compromised and Amazon EBS snapshots were deleted.
All EBS snapshots are encrypted using an AWS KMS CMK. Which solution would solve this problem?

1. A. Create a new Amazon S3 bucket Use EBS lifecycle policies to move EBS snapshots to the new S3 bucke
2. B. Move snapshots to Amazon S3 Glacier using lifecycle policies, and apply Glacier Vault Lock policies to prevent deletion
3. C. Use AWS Systems Manager to distribute a configuration that performs local backups of all attached disks to Amazon S3.
4. D. Create a new AWS account with limited privilege
5. E. Allow the new account to access the AWS KMS key used to encrypt the EBS snapshots, and copy the encrypted snapshots to the new account on a recuning basis
6. F. Use AWS Backup to copy EBS snapshots to Amazon S3.

Correct Answer: A