- (Exam Topic 3)
A company deployed Amazon GuardDuty In the us-east-1 Region. The company wants all DNS logs that relate to the company's Amazon EC2 instances to be inspected. What should a security engineer do to ensure that the EC2 instances are logged?

1. A. Use IPv6 addresses that are configured for hostnames.
2. B. Configure external DNS resolvers as internal resolvers that are visible only to AWS.
3. C. Use AWS DNS resolvers for all EC2 instances.
4. D. Configure a third-party DNS resolver with logging for all EC2 instances.

Correct Answer: C

- (Exam Topic 1)
A company uses SAML federation with AWS Identity and Access Management (IAM) to provide internal users with SSO for their AWS accounts. The company's identity provider certificate was rotated as part of its normal lifecycle. Shortly after, users started receiving the following error when attempting to log in:
"Error: Response Signature Invalid (Service: AWSSecuntyTokenService; Status Code: 400; Error Code: InvalidldentltyToken)"
A security engineer needs to address the immediate issue and ensure that it will not occur again. Which combination of steps should the security engineer take to accomplish this? (Select TWO.)

1. A. Download a new copy of the SAML metadata file from the identity provider Create a new IAM identity provider entit
2. B. Upload the new metadata file to the new IAM identity provider entity.
3. C. During the next certificate rotation period and before the current certificate expires, add a new certificate as the secondary to the identity provide
4. D. Generate a new metadata file and upload it to the IAM identity provider entit
5. E. Perform automated or manual rotation of the certificate when required.
6. F. Download a new copy of the SAML metadata file from the identity provider Upload the new metadata to the IAM identity provider entity configured for the SAML integration in question.
7. G. During the next certificate rotation period and before the current certificate expires, add a new certificate as the secondary to the identity provide
8. H. Generate a new copy of the metadata file and create a new IAM identity provider entit
9. I. Upload the metadata file to the new IAM identity provider entit
10. J. Performautomated or manual rotation of the certificate when required.
11. K. Download a new copy of the SAML metadata file from the identity provider Create a new IAM identity provider entit
12. L. Upload the new metadata file to the new IAM identity provider entit
13. M. Update the identity provider configurations to pass a new IAM identity provider entity name in the SAML assertion.

Correct Answer: AD

- (Exam Topic 3)
Your current setup in AWS consists of the following architecture. 2 public subnets, one subnet which has the web servers accessed by users across the internet and the other subnet for the database server. Which of the following changes to the architecture would add a better security boundary to the resources hosted in your setup
Please select:

1. A. Consider moving the web server to a private subnet
2. B. Consider moving the database server to a private subnet
3. C. Consider moving both the web and database server to a private subnet
4. D. Consider creating a private subnet and adding a NAT instance to that subnet

Correct Answer: B
The ideal setup is to ensure that the web server is hosted in the public subnet so that it can be accessed by users on the internet. The database server can be hosted in the private subnet.
The below diagram from the AWS Documentation shows how this can be setup C:\Users\wk\Desktop\mudassar\Untitled.jpg

Option A and C are invalid because if you move the web server to a private subnet, then it cannot be accessed by users Option D is invalid because NAT instances should be present in the public subnet
For more information on public and private subnets in AWS, please visit the following url com/AmazonVPC/latest/UserGuide/VPC Scenario2.
The correct answer is: Consider moving the database server to a private subnet Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
A company is using a Redshift cluster to store their data warehouse. There is a requirement from the Internal IT Security team to ensure that data gets encrypted for the Redshift database. How can this be achieved?
Please select:

1. A. Encrypt the EBS volumes of the underlying EC2 Instances
2. B. Use AWS KMS Customer Default master key
3. C. Use SSL/TLS for encrypting the data
4. D. Use S3 Encryption

Correct Answer: B
The AWS Documentation mentions the following
Amazon Redshift uses a hierarchy of encryption keys to encrypt the database. You can use either AWS Key Management Servic (AWS KMS) or a hardware security module (HSM) to manage the top-level encryption keys in this hierarchy. The process that Amazon Redshift uses for encryption differs depending on how you manage keys.
Option A is invalid because its the cluster that needs to be encrypted
Option C is invalid because this encrypts objects in transit and not objects at rest Option D is invalid because this is used only for objects in S3 buckets
For more information on Redshift encryption, please visit the following URL: https://docs.aws.amazon.com/redshift/latest/memt/workine-with-db-encryption.htmll
The correct answer is: Use AWS KMS Customer Default master key Submit your Feedback/Queries to our Experts

- (Exam Topic 1)
A city is implementing an election results reporting website that will use Amazon GoudFront The website runs on a fleet of Amazon EC2 instances behind an Application Load Balancer (ALB) in an Auto Scaling group. Election results are updated hourly and are stored as .pdf tiles in an Amazon S3 bucket. A Security Engineer needs to ensure that all external access to the website goes through CloudFront.
Which solution meets these requirements?

1. A. Create an IAM role that allows CloudFront to access the specific S3 bucke
2. B. Modify the S3 bucket policy to allow only the new IAM role to access its content
3. C. Create an interface VPC endpoint for CloudFront to securely communicate with the ALB.
4. D. Create an IAM role that allows CloudFront to access the specific S3 bucke
5. E. Modify the S3 bucket policy to allow only the new IAM role to access its content
6. F. Associate the ALB with a security group that allows only incoming traffic from the CloudFront service to communicate with the ALB.
7. G. Create an origin access identity (OAI) in CloudFron
8. H. Modify the S3 bucket policy to allow only the new OAI to access the bucket content
9. I. Create an interface VPC endpoint for CloudFront to securely communicate with the ALB.
10. J. Create an origin access identity (OAI) in CloudFron
11. K. Modify the S3 bucket policy to allow only the new OAI to access the bucket content
12. L. Associate the ALB with a security group that allows onlyincoming traffic from the CloudFront service to communicate with the ALB.

Correct Answer: C