- (Exam Topic 3)
A company is operating a website using Amazon CloudFornt. CloudFront servers some content from Amazon S3 and other from web servers running EC2 instances behind an Application. Load Balancer (ALB). Amazon DynamoDB is used as the data store. The company already uses AWS Certificate Manager (ACM) to store a public TLS certificate that can optionally secure connections between the website users and CloudFront. The company has a new requirement to enforce end-to-end encryption in transit.
Which combination of steps should the company take to meet this requirement? (Select THREE.)

1. A. Update the CloudFront distributio
2. B. configuring it to optionally use HTTPS when connecting to origins on Amazon S3
3. C. Update the web application configuration on the web servers to use HTTPS instead of HTTP when connecting to DynamoDB
4. D. Update the CloudFront distribution to redirect HTTP corrections to HTTPS
5. E. Configure the web servers on the EC2 instances to listen using HTTPS using the public ACM TLS certificate Update the ALB to connect to the target group using HTTPS
6. F. Update the ALB listen to listen using HTTPS using the public ACM TLS certificat
7. G. Update the CloudFront distribution to connect to the HTTPS listener.
8. H. Create a TLS certificate Configure the web servers on the EC2 instances to use HTTPS only with that certificat
9. I. Update the ALB to connect to the target group using HTTPS.

Correct Answer: BCE

- (Exam Topic 3)
You have a set of 100 EC2 Instances in an AWS account. You need to ensure that all of these instances are patched and kept to date. All of the instances are in a private subnet. How can you achieve this. Choose 2 answers from the options given below
Please select:

1. A. Ensure a NAT gateway is present to download the updates
2. B. Use the Systems Manager to patch the instances
3. C. Ensure an internet gateway is present to download the updates
4. D. Use the AWS inspector to patch the updates

Correct Answer: AB
Option C is invalid because the instances need to remain in the private: Option D is invalid because AWS inspector can only detect the patches
One of the AWS Blogs mentions how patching of Linux servers can be accomplished. Below is the diagram representation of the architecture setup
C:\Users\wk\Desktop\mudassar\Untitled.jpg

For more information on patching Linux workloads in AWS, please refer to the Lin. https://aws.amazon.com/blogs/security/how-to-patch-linux-workloads-on-awsj
The correct answers are: Ensure a NAT gateway is present to download the updates. Use the Systems Manager to patch the instances
Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
A developer 15 building a serverless application hosted on AWS that uses Amazon Redshift in a data store. The application has separate modules for read/write and read-only functionality. The modules need their own database users tor compliance reasons.
Which combination of steps should a security engineer implement to grant appropriate access' (Select TWO )

1. A. Configure cluster security groups for each application module to control access to database users that are required for read-only and read/write.
2. B. Configure a VPC endpoint for Amazon Redshift Configure an endpoint policy that maps database users to each application module, and allow access to the tables that are required for read-only and read/write
3. C. Configure an 1AM poky for each module Specify the ARN of an Amazon Redshift database user that allows the GetClusterCredentials API call
4. D. Create focal database users for each module
5. E. Configure an 1AM policy for each module Specify the ARN of an 1AM user that allows the GetClusterCredentials API call

Correct Answer: AE

- (Exam Topic 1)
After multiple compromises of its Amazon EC2 instances, a company's Security Officer is mandating that memory dumps of compromised instances be captured for further analysis. A Security Engineer just received an EC2 abuse notification report from AWS stating that an EC2 instance running the most recent Windows Server 2019 Base AMI is compromised.
How should the Security Engineer collect a memory dump of the EC2 instance for forensic analysis?

1. A. Give consent to the AWS Security team to dump the memory core on the compromised instance and provide it to AWS Support for analysis.
2. B. Review memory dump data that the AWS Systems Manager Agent sent to Amazon CloudWatch Logs.
3. C. Download and run the EC2Rescue for Windows Server utility from AWS.
4. D. Reboot the EC2 Windows Server, enter safe mode, and select memory dump.

Correct Answer: B

- (Exam Topic 1)
A Security Engineer has launched multiple Amazon EC2 instances from a private AMI using an AWS CloudFormation template. The Engineer notices instances terminating right after they are launched.
What could be causing these terminations?

1. A. The IAM user launching those instances is missing ec2:Runinstances permission.
2. B. The AMI used as encrypted and the IAM does not have the required AWS KMS permissions.
3. C. The instance profile used with the EC2 instances in unable to query instance metadata.
4. D. AWS currently does not have sufficient capacity in the Region.

Correct Answer: C