- (Exam Topic 2)
The Security Engineer is managing a web application that processes highly sensitive personal information. The application runs on Amazon EC2. The application has strict compliance requirements, which instruct that all incoming traffic to the application is protected from common web exploits and that all outgoing traffic from the EC2 instances is restricted to specific whitelisted URLs.
Which architecture should the Security Engineer use to meet these requirements?

1. A. Use AWS Shield to scan inbound traffic for web exploit
2. B. Use VPC Flow Logs and AWS Lambda to restrict egress traffic to specific whitelisted URLs.
3. C. Use AWS Shield to scan inbound traffic for web exploit
4. D. Use a third-party AWS Marketplace solution to restrict egress traffic to specific whitelisted URLs.
5. E. Use AWS WAF to scan inbound traffic for web exploit
6. F. Use VPC Flow Logs and AWS Lambda torestrict egress traffic to specific whitelisted URLs.
7. G. Use AWS WAF to scan inbound traffic for web exploit
8. H. Use a third-party AWS Marketplace solution to restrict egress traffic to specific whitelisted URLs.

Correct Answer: D
AWS Shield is mainly for DDos Attacks.AWS WAF is mainly for some other types of attacks like Injection and XSS etcIn this scenario, It seems it is WAF functionality that is needed.VPC logs do show the source and destination IP and Port , they never show any URL .. because URL are level 7 while VPC are concerned about lover network levels.
https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html

- (Exam Topic 3)
An employee keeps terminating EC2 instances on the production environment. You've determined the best way to ensure this doesn't happen is to add an extra layer of defense against terminating the instances. What is the best method to ensure the employee does not terminate the production instances? Choose the 2 correct answers from the options below
Please select:

1. A. Tag the instance with a production-identifying tag and add resource-level permissions to the employee user with an explicit deny on the terminate API call to instances with the production ta
2. B. <
3. C. Tag the instance with a production-identifying tag and modify the employees group to allow only start stop, and reboot API calls and not the terminate instance call.
4. D. Modify the IAM policy on the user to require MFA before deleting EC2 instances and disable MFA access to the employee
5. E. Modify the IAM policy on the user to require MFA before deleting EC2 instances

Correct Answer: AB
Tags enable you to categorize your AWS resources in different ways, for example, by purpose, owner, or environment. This is useful when you have many resources of the same type — you can quickly identify a specific resource based on the tags you've assigned to it. Each tag consists of a key and an optional value, both of which you define
Options C&D are incorrect because it will not ensure that the employee cannot terminate the instance. For more information on tagging answer resources please refer to the below URL: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Usins_Tags.htmll
The correct answers are: Tag the instance with a production-identifying tag and add resource-level permissions to the employe user with an explicit deny on the terminate API call to instances with the production tag.. Tag the instance with a production-identifying tag and modify the employees group to allow only start stop, and reboot API calls and not the terminate instance
Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
Your organization is preparing for a security assessment of your use of AWS. In preparation for this assessment, which three IAM best practices should you consider implementing?
Please select:

1. A. Create individual IAM users
2. B. Configure MFA on the root account and for privileged IAM users
3. C. Assign IAM users and groups configured with policies granting least privilege access
4. D. Ensure all users have been assigned and dre frequently rotating a password, access ID/secret key, andX.509 certificate

Correct Answer: ABC
When you go to the security dashboard, the security status will show the best practices for initiating the first level of security.
C:\Users\wk\Desktop\mudassar\Untitled.jpg

Option D is invalid because as per the dashboard, this is not part of the security recommendation For more information on best security practices please visit the URL:
https://aws.amazon.com/whitepapers/aws-security-best-practices;
The correct answers are: Create individual IAM users, Configure MFA on the root account and for privileged IAM users. Assign IAM users and groups configured with policies granting least privilege access
Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
You have a requirement to serve up private content using the keys available with Cloudfront. How can this be achieved?
Please select:

1. A. Add the keys to the backend distribution.
2. B. Add the keys to the S3 bucket
3. C. Create pre-signed URL's
4. D. Use AWS Access keys

Correct Answer: C
Option A and B are invalid because you will not add keys to either the backend distribution or the S3 bucket. Option D is invalid because this is used for programmatic access to AWS resources
You can use Cloudfront key pairs to create a trusted pre-signed URL which can be distributed to users Specifying the AWS Accounts That Can Create Signed URLs and Signed Cookies (Trusted Signers) Topics
• Creating CloudFront Key Pairs for Your Trusted Signers
• Reformatting the CloudFront Private Key (.NET and Java Only)
• Adding Trusted Signers to Your Distribution
• Verifying that Trusted Signers Are Active (Optional) 1 Rotating CloudFront Key Pairs
To create signed URLs or signed cookies, you need at least one AWS account that has an active CloudFront key pair. This accou is known as a trusted signer. The trusted signer has two purposes:
• As soon as you add the AWS account ID for your trusted signer to your distribution, CloudFront starts to require that users us signed URLs or signed cookies to access your objects.
' When you create signed URLs or signed cookies, you use the private key from the trusted signer's key pair to sign a portion of the URL or the cookie. When someone requests a restricted object CloudFront compares the signed portion of the URL or cookie with the unsigned portion to verify that the URL or cookie hasn't been tampered with. CloudFront also verifies that the URL or cookie is valid, meaning, for example, that the expiration date and time hasn't passed.
For more information on Cloudfront private trusted content please visit the following URL:
• https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-s The correct answer is: Create pre-signed URL's Submit your Feedback/Queries to our Experts

- (Exam Topic 1)
A company's security team has defined a set of AWS Config rules that must be enforced globally in all AWS accounts the company owns. What should be done to provide a consolidated compliance overview for the security team?

1. A. Use AWS Organizations to limit AWS Config rules to the appropriate Regions, and then consolidate the Amazon CloudWatch dashboard into one AWS account.
2. B. Use AWS Config aggregation to consolidate the views into one AWS account, and provide role access to the security team.
3. C. Consolidate AWS Config rule results with an AWS Lambda function and push data to Amazon SQ
4. D. Use Amazon SNS to consolidate and alert when some metrics are triggered.
5. E. Use Amazon GuardDuty to load data results from the AWS Config rules compliance status, aggregate GuardDuty findings of all AWS accounts into one AWS account, and provide role access to the security team.

Correct Answer: B