- (Exam Topic 3)
A company has an application that uses an Amazon RDS PostgreSQL database. The company is developing an application feature that will store sensitive information for an individual in the database.
During a security review of the environment, the company discovers that the RDS DB instance is not encrypting data at rest. The company needs a solution that will provide encryption at rest for all the existing data and for any new data that is entered for an individual.
Which combination of options can the company use to meet these requirements? (Select TWO.)

1. A. Create a snapshot of the DB instanc
2. B. Copy the snapshot to a new snapshot, and enable encryption for the copy proces
3. C. Use the new snapshot to restore the DB instance.
4. D. Modify the configuration of the DB instance by enabling encryptio
5. E. Create a snapshot of the DB instanc
6. F. Use the snapshot to restore the DB instance.
7. G. Use AWS Key Management Service (AWS KMS) to create a new default AWS managed awa/rds key.Select this key as the encryption key for operations with Amazon RDS.
8. H. Use AWS Key Management Service (AWS KMS] to create a new CM
9. I. Select this key as the encryption key for operations with Amazon RDS.
10. J. Create a snapshot of the DB instanc
11. K. Enable encryption on the snapshoVUse the snapshot to restore the DB instance.

Correct Answer: CE

- (Exam Topic 2)
You have a web site that is sitting behind AWS Cloudfront. You need to protect the web site against threats such as SQL injection and Cross site scripting attacks. Which of the following service can help in such a scenario
Please select:

1. A. AWS Trusted Advisor
2. B. AWS WAF
3. C. AWS Inspector
4. D. AWS Config

Correct Answer: B
The AWS Documentation mentions the following
AWS WAF is a web application firewall that helps detect and block malicious web requests targeted at your web applications. AWS WAF allows you to create rules that can help protect against common web exploits like SQL injection and cross-site scripting. With AWS WAF you first identify the resource (either an Amazon CloudFront distribution or an Application Load Balancer) that you need to protect.
Option A is invalid because this will only give advise on how you can better the security in your AWS account but not protect against threats mentioned in the question.
Option C is invalid because this can be used to scan EC2 Instances for vulnerabilities but not protect against threats mentioned in the question.
Option D is invalid because this can be used to check config changes but not protect against threats mentioned in the quest
For more information on AWS WAF, please visit the following URL: https://aws.amazon.com/waf/details;
The correct answer is: AWS WAF
Submit your Feedback/Queries to our Experts

- (Exam Topic 1)
A company has decided to migrate sensitive documents from on-premises data centers to Amazon S3. Currently, the hard drives are encrypted to meet a compliance requirement regarding data encryption. The CISO wants to improve security by encrypting each file using a different key instead of a single key. Using a different key would limit the security impact of a single exposed key.
Which of the following requires the LEAST amount of configuration when implementing this approach?

1. A. Place each file into a different S3 bucke
2. B. Set the default encryption of each bucket to use a different AWS KMS customer managed key.
3. C. Put all the files in the same S3 bucke
4. D. Using S3 events as a trigger, write an AWS Lambda function to encrypt each file as it is added using different AWS KMS data keys.
5. E. Use the S3 encryption client to encrypt each file individually using S3-generated data keys
6. F. Place all the files in the same S3 bucke
7. G. Use server-side encryption with AWS KMS-managed keys (SSE-KMS) to encrypt the data

Correct Answer: C

- (Exam Topic 3)
A company's policy requires that all API keys be encrypted and stored separately from source code in a centralized security account. This security account is managed by the company's security team However, an audit revealed that an API key is steed with the source code of an AWS Lambda function m an AWS CodeCommit repository in the DevOps account
How should the security learn securely store the API key?

1. A. Create a CodeCommit repository in the security account using AWS Key Management Service (AWS KMS) tor encryption Require the development team to migrate the Lambda source code to this repository
2. B. Store the API key in an Amazon S3 bucket in the security account using server-side encryption with Amazon S3 managed encryption keys (SSE-S3) to encrypt the key Create a resigned URL tor the S3 ke
3. C. and specify the URL m a Lambda environmental variable in the AWS CloudFormation template Update the Lambda function code to retrieve the key using the URL and call the API
4. D. Create a secret in AWS Secrets Manager in the security account to store the API key using AWS Key Management Service (AWS KMS) tor encryption Grant access to the 1AM role used by the Lambda function so that the function can retrieve the key from Secrets Manager and call the API
5. E. Create an encrypted environment variable for the Lambda function to store the API key using AWS Key Management Service (AWS KMS) tor encryption Grant access to the 1AM role used by the Lambda function so that the function can decrypt the key at runtime

Correct Answer: C

- (Exam Topic 2)
Your company has a set of resources defined in the AWS Cloud. Their IT audit department has requested to get a list of resources that have been defined across the account. How can this be achieved in the easiest manner?
Please select:

1. A. Create a powershell script using the AWS CL
2. B. Query for all resources with the tag of production.
3. C. Create a bash shell script with the AWS CL
4. D. Query for all resources in all region
5. E. Store the results in an S3 bucket.
6. F. Use Cloud Trail to get the list of all resources
7. G. Use AWS Config to get the list of all resources

Correct Answer: D
The most feasible option is to use AWS Config. When you turn on AWS Config, you will get a list of resources defined in your AWS Account.
A sample snapshot of the resources dashboard in AWS Config is shown below C:\Users\wk\Desktop\mudassar\Untitled.jpg

Option A is incorrect because this would give the list of production based resources and now all resources Option B is partially correct But this will just add more maintenance overhead.
Option C is incorrect because this can be used to log API activities but not give an account of all resou For more information on AWS Config, please visit the below URL: https://docs.aws.amazon.com/config/latest/developereuide/how-does-confie-work.html
The correct answer is: Use AWS Config to get the list of all resources Submit your Feedback/Queries to our Experts