- (Exam Topic 1)
A company uses HTTP Live Streaming (HLS) to stream live video content to paying subscribers by using Amazon CloudFront. HLS splits the video content into chunks so that the user can request the right chunk based on different conditions Because the video events last for several hours, the total video is made up of thousands of chunks
The origin URL is not disclosed and every user is forced to access the CloudFront URL The company has a web application that authenticates the paying users against an internal repository and a CloudFront key pair that is already issued.
What is the simplest and MOST effective way to protect the content?

1. A. Develop the application to use the CloudFront key pair to create signed URLs that users will use to access the content.
2. B. Develop the application to use the CloudFront key pair to set the signed cookies that users will use to access the content.
3. C. Develop the application to issue a security token that Lambda@Edge will receive to authenticate and authorize access to the content
4. D. Keep the CloudFront URL encrypted inside the application, and use AWS KMS to resolve the URL on-the-fly after the user is authenticated.

Correct Answer: B

- (Exam Topic 3)
An application team wants to use AWS Certificate Manager (ACM) to request public certificates to ensure that data is secured in transit. The domains that are being used are not currently hosted on Amazon Route 53
The application team wants to use an AWS managed distribution and caching solution to optimize requests to its systems and provide better points of presence to customers The distribution solution will use a primary domain name that is customized The distribution solution also will use several alternative domain names The certificates must renew automatically over an indefinite period of time
Which combination of steps should the application team take to deploy this architecture? (Select THREE.)

1. A. Request a certificate (torn ACM in the us-west-2 Region Add the domain names that the certificate will secure
2. B. Send an email message to the domain administrators to request vacation of the domains for ACM
3. C. Request validation of the domains for ACM through DNS Insert CNAME records into each domain's DNS zone
4. D. Create an Application Load Balancer for me caching solution Select the newly requested certificate from ACM to be used for secure connections
5. E. Create an Amazon CloudFront distribution for the caching solution Enter the main CNAME record as the Origin Name Enter the subdomain names or alternate names in the Alternate Domain Names Distribution Settings Select the newly requested certificate from ACM to be used for secure connections
6. F. Request a certificate from ACM in the us-east-1 Region Add the domain names that the certificate wil secure

Correct Answer: CDF

- (Exam Topic 1)
A company's security information events management (SIEM) tool receives new AWS CloudTrail logs from an Amazon S3 bucket that is configured to send all object created event notification to an Amazon SNS topic An Amazon SQS queue is subscribed to this SNS topic. The company's SEM tool then ports this SQS queue for new messages using an IAM role and fetches new log events from the S3 bucket based on the SQS messages.
After a recent security review that resulted m restricted permissions, the SEM tool has stopped receiving new CloudTral logs
Which of the following are possible causes of this issue? (Select THREE)

1. A. The SOS queue does not allow the SQS SendMessage action from the SNS topic
2. B. The SNS topic does not allow the SNS Publish action from Amazon S3
3. C. The SNS topic is not delivering raw messages to the SQS queue
4. D. The S3 bucket policy does not allow CloudTrail to perform the PutObject action
5. E. The IAM role used by the 5EM tool does not have permission to subscribe to the SNS topic
6. F. The IAM role used by the SEM tool does not allow the SQS DeleteMessage actio

Correct Answer: ADF

- (Exam Topic 1)
A Developer signed in to a new account within an AWS Organizations organizations unit (OU) containing multiple accounts. Access to the Amazon S3 service is restricted with the following SCP:

How can the Security Engineer provide the Developer with Amazon S3 access without affecting other accounts?

1. A. Move the SCP to the root OU of Organizations to remove the restriction to access Amazon S3.
2. B. Add an IAM policy for the Developer, which grants S3 access.
3. C. Create a new OU without applying the SCP restricting S3 acces
4. D. Move the Developer account to this new OU.
5. E. Add an allow list for the Developer account for the S3 service.

Correct Answer: B

- (Exam Topic 2)
In response to the past DDoS attack experiences, a Security Engineer has set up an Amazon CloudFront distribution for an Amazon S3 bucket. There is concern that some users may bypass the CloudFront distribution and access the S3 bucket directly.
What must be done to prevent users from accessing the S3 objects directly by using URLs?

1. A. Change the S3 bucket/object permission so that only the bucket owner has access.
2. B. Set up a CloudFront origin access identity (OAI), and change the S3 bucket/object permission so that only the OAI has access.
3. C. Create IAM roles for CloudFront, and change the S3 bucket/object permission so that only the IAM role has access.
4. D. Redirect S3 bucket access to the corresponding CloudFront distribution.

Correct Answer: B
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3