- (Exam Topic 1)
A Security Engineer for a large company is managing a data processing application used by 1,500 subsidiary companies. The parent and subsidiary companies all use AWS. The application uses TCP port 443 and runs on Amazon EC2 behind a Network Load Balancer (NLB). For compliance reasons, the application should only be accessible to the subsidiaries and should not be available on the public internet. To meet the compliance requirements for restricted access, the Engineer has received the public and private CIDR block ranges for each subsidiary
What solution should the Engineer use to implement the appropriate access restrictions for the application?

1. A. Create a NACL to allow access on TCP port 443 from the 1;500 subsidiary CIDR block ranges.Associate the NACL to both the NLB and EC2 instances
2. B. Create an AWS security group to allow access on TCP port 443 from the 1,500 subsidiary CIDR block range
3. C. Associate the security group to the NL
4. D. Create a second security group for EC2 instances with access on TCP port 443 from the NLB security group.
5. E. Create an AWS PrivateLink endpoint service in the parent company account attached to the NL
6. F. Create an AWS security group for the instances to allow access on TCP port 443 from the AWS PrivateLink endpoin
7. G. Use AWS PrivateLink interface endpoints in the 1,500 subsidiary AWS accounts to connect to the data processing application.
8. H. Create an AWS security group to allow access on TCP port 443 from the 1,500 subsidiary CIDR block range
9. I. Associate the security group with EC2 instances.

Correct Answer: D

- (Exam Topic 2)
An application uses Amazon Cognito to manage end users’ permissions when directly accessing AWS resources, including Amazon DynamoDB. A new feature request reads as follows:
Provide a mechanism to mark customers as suspended pending investigation or suspended permanently. Customers should still be able to log in when suspended, but should not be able to make changes.
The priorities are to reduce complexity and avoid potential for future security issues. Which approach will meet these requirements and priorities?

1. A. Create a new database field “suspended_status” and modify the application logic to validate that field when processing requests.
2. B. Add suspended customers to second Cognito user pool and update the application login flow to check both user pools.
3. C. Use Amazon Cognito Sync to push out a “suspension_status” parameter and split the lAM policy into normal users and suspended users.
4. D. Move suspended customers to a second Cognito group and define an appropriate IAM access policy for the group.

Correct Answer: D
https://aws.amazon.com/blogs/aws/new-amazon-cognito-groups-and-fine-grained-role-based-access-control-2/

- (Exam Topic 3)
You have a set of Keys defined using the AWS KMS service. You want to stop using a couple of keys , but are not sure of which services are currently using the keys. Which of the following would be a safe option to stop using the keys from further usage.
Please select:

1. A. Delete the keys since anyway there is a 7 day waiting period before deletion
2. B. Disable the keys
3. C. Set an alias for the key
4. D. Change the key material for the key

Correct Answer: B
Option A is invalid because once you schedule the deletion and waiting period ends, you cannot come back
from the deletion process.
Option C and D are invalid because these will not check to see if the keys are being used or not The AWS Documentation mentions the following
Deleting a customer master key (CMK) in AWS Key Management Service (AWS KMS) is destructive and potentially dangerous. It deletes the key material and all metadata associated with the CMK, and is irreversible. After a CMK is deleted you can no longer decrypt the data that was encrypted under that CMK, which means that data becomes unrecoverable. You should delete a CMK only when you are sure that you don't need to use it anymore. If you are not sure, consider disabling the CMK instead of deleting it. You can re-enable a disabled CMK if you need to use it again later, but you cannot recover a deleted CMK.
For more information on deleting keys from KMS, please visit the below URL: https://docs.aws.amazon.com/kms/latest/developereuide/deleting-keys.html
The correct answer is: Disable the keys Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
Auditors tor a health care company have mandated mat all data volumes be encrypted at rest Infrastructure is deployed mainly via AWS CloudFormation however third-party frameworks and manual deployment are required on some legacy systems
What is the BEST way to monitor, on a recurring basis, whether all EBS volumes are encrypted?

1. A. On a recurring basis, update an IAM user policies to require that EC2 instances are created with an encrypted volume
2. B. Configure an AWS Config rule lo run on a recurring basis 'or volume encryption
3. C. Set up Amazon Inspector rules tor volume encryption to run on a recurring schedule
4. D. Use CloudWatch Logs to determine whether instances were created with an encrypted volume

Correct Answer: A

- (Exam Topic 3)
A company has a legacy application that outputs all logs to a local text file. Logs from all applications running on AWS must be continually monitored for security related messages.
What can be done to allow the company to deploy the legacy application on Amazon EC2 and still meet the monitoring requirement? Please select:

1. A. Create a Lambda function that mounts the EBS volume with the logs and scans the logs for security incident
2. B. Trigger the function every 5 minutes with a scheduled Cloudwatch event.
3. C. Send the local text log files to CloudWatch Logs and configure a CloudWatch metric filte
4. D. Trigger cloudwatch alarms based on the metrics.
5. E. Install the Amazon inspector agent on any EC2 instance running the legacy applicatio
6. F. Generate CloudWatch alerts a based on any Amazon inspector findings.
7. G. Export the local text log files to CloudTrai
8. H. Create a Lambda function that queries the CloudTrail logs for security ' incidents using Athena.

Correct Answer: B
One can send the log files to Cloudwatch Logs. Log files can also be sent from On-premise servers. You can then specify metrii to search the logs for any specific values. And then create alarms based on these metrics.
Option A is invalid because this will be just a long over drawn process to achieve this requirement Option C is invalid because AWS Inspector cannot be used to monitor for security related messages.
Option D is invalid because files cannot be exported to AWS Cloudtrail
For more information on Cloudwatch logs agent please visit the below URL: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/QuickStartEC2lnstance.hti
The correct answer is: Send the local text log files to Cloudwatch Logs and configure a Cloudwatch metric filter. Trigger cloudwatch alarms based on the metrics.
Submit your Feedback/Queries to our Experts