- (Exam Topic 2)
Example.com hosts its internal document repository on Amazon EC2 instances. The application runs on EC2 instances and previously stored the documents on encrypted Amazon EBS volumes. To optimize the application for scale, example.com has moved the files to Amazon S3. The security team has mandated that all the files are securely deleted from the EBS volume, and it must certify that the data is unreadable before releasing the underlying disks.
Which of the following methods will ensure that the data is unreadable by anyone else?

1. A. Change the volume encryption on the EBS volume to use a different encryption mechanis
2. B. Then, release the EBS volumes back to AWS.
3. C. Release the volumes back to AW
4. D. AWS immediately wipes the disk after it is deprovisioned.
5. E. Delete the encryption key used to encrypt the EBS volum
6. F. Then, release the EBS volumes back to AWS.
7. G. Delete the data by using the operating system delete command
8. H. Run Quick Format on the drive and then release the EBS volumes back to AWS.

Correct Answer: D
Amazon EBS volumes are presented to you as raw unformatted block devices that have been wiped prior to being made available for use. Wiping occurs immediately before reuse so that you can be assured that the wipe process completed. If you have procedures requiring that all data be wiped via a specific method, such as those detailed in NIST 800-88 (“Guidelines for Media Sanitization”), you have the ability to do so on Amazon EBS. You should conduct a specialized wipe procedure prior to deleting the volume for compliance with your established requirements.
https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf

- (Exam Topic 2)
An organization receives an alert that indicates that an EC2 instance behind an ELB Classic Load Balancer has been compromised.
What techniques will limit lateral movement and allow evidence gathering?

1. A. Remove the instance from the load balancer and terminate it.
2. B. Remove the instance from the load balancer, and shut down access to the instance by tightening the security group.
3. C. Reboot the instance and check for any Amazon CloudWatch alarms.
4. D. Stop the instance and make a snapshot of the root EBS volume.

Correct Answer: B
https://d1.awsstatic.com/whitepapers/aws_security_incident_response.pdf

- (Exam Topic 3)
An application running on EC2 instances in a VPC must call an external web service via TLS (port 443). The instances run in public subnets.
Which configurations below allow the application to function and minimize the exposure of the instances? Select 2 answers from the options given below
Please select:

1. A. A network ACL with a rule that allows outgoing traffic on port 443.
2. B. A network ACL with rules that allow outgoing traffic on port 443 and incoming traffic on ephemeral ports
3. C. A network ACL with rules that allow outgoing traffic on port 443 and incoming traffic on port 443.
4. D. A security group with a rule that allows outgoing traffic on port 443
5. E. A security group with rules that allow outgoing traffic on port 443 and incoming traffic on ephemeral ports.
6. F. A security group with rules that allow outgoing traffic on port 443 and incoming traffic on port 443.

Correct Answer: BD
Since here the traffic needs to flow outbound from the Instance to a web service on Port 443, the outbound rules on both the Network and Security Groups need to allow outbound traffic. The Incoming traffic should be allowed on ephermal ports for the Operating System on the Instance to allow a connection to be established on any desired or available port.
Option A is invalid because this rule alone is not enough. You also need to ensure incoming traffic on ephemeral ports
Option C is invalid because need to ensure incoming traffic on ephemeral ports and not only port 443
Option E and F are invalid since here you are allowing additional ports on Security groups which are not required
For more information on VPC Security Groups, please visit the below URL: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuideA/PC_SecurityGroups.htmll
The correct answers are: A network ACL with rules that allow outgoing traffic on port 443 and incoming traffic on ephemeral ports, A security group with a rule that allows outgoing traffic on port 443
Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
Your IT Security team has identified a number of vulnerabilities across critical EC2 Instances in the company's AWS Account. Which would be the easiest way to ensure these vulnerabilities are remediated?
Please select:

1. A. Create AWS Lambda functions to download the updates and patch the servers.
2. B. Use AWS CLI commands to download the updates and patch the servers.
3. C. Use AWS inspector to patch the servers
4. D. Use AWS Systems Manager to patch the servers

Correct Answer: D
The AWS Documentation mentions the following
You can quickly remediate patch and association compliance issues by using Systems Manager Run Command. You can tat either instance IDs or Amazon EC2 tags and execute the AWS-RefreshAssociation document or the AWS-RunPatchBaseline document. If refreshing the association or re-running the patch baseline fails to resolve the compliance issue, then you need to investigate your associations, patch baselines, or instance configurations to understand why the Run Command executions did not resolve the problem
Options A and B are invalid because even though this is possible, still from a maintenance perspective it would be difficult to maintain the Lambda functions
Option C is invalid because this service cannot be used to patch servers
For more information on using Systems Manager for compliance remediation please visit the below Link: https://docs.aws.amazon.com/systems-manaeer/latest/usereuide/sysman-compliance-fixing.html
The correct answer is: Use AWS Systems Manager to patch the servers Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
A company is planning to run a number of Admin related scripts using the AWS Lambda service. There is a need to understand if there are any errors encountered when the script run. How can this be accomplished in the most effective manner.
Please select:

1. A. Use Cloudwatch metrics and logs to watch for errors
2. B. Use Cloudtrail to monitor for errors
3. C. Use the AWS Config service to monitor for errors
4. D. Use the AWS inspector service to monitor for errors

Correct Answer: A
The AWS Documentation mentions the following
AWS Lambda automatically monitors Lambda functions on your behalf, reporting metrics through Amazon CloudWatch. To help you troubleshoot failures in a function. Lambda logs all requests handled by your function and also automatically stores logs generated by your code through Amazon CloudWatch Logs.
Option B,C and D are all invalid because these services cannot be used to monitor for errors. I For more information on Monitoring Lambda functions, please visit the following URL: https://docs.aws.amazon.com/lambda/latest/dg/monitorine-functions-loes.htmll
The correct answer is: Use Cloudwatch metrics and logs to watch for errors Submit your Feedback/Queries to our Experts