- (Topic 1)
A company is reviewing its operating policies.
Which policy complies with guidance in the security pillar of the AWS Well-Architected Framework?

1. A. Ensure that employees have access to all company data.
2. B. Expand employees' permissions as they gain more experience.
3. C. Grant all privileges and access to all users.
4. D. Apply security requirements at all layers of a process.

Correct Answer: D
Applying security requirements at all layers of a process is a policy that complies with guidance in the security pillar of the AWS Well-Architected Framework. The security pillar of the AWS Well-Architected Framework provides best practices for securing the user’s data and systems in the AWS Cloud. One of the design principles of the security pillar is to apply security at all layers, which means that the user should implement defense-in-depth strategies and avoid relying on a single security mechanism. For example, the user should use multiple security controls, such as encryption, firewalls, identity and access management, and logging and monitoring, to protect their data and resources at different layers.

- (Topic 3)
Which AWS service provides protection against DDoS attacks for applications that run in the AWS Cloud?

1. A. Amazon VPC
2. B. AWS Shield
3. C. AWS Audit Manager
4. D. AWS Config

Correct Answer: B
AWS Shield is an AWS service that provides protection against distributed denial of service (DDoS) attacks for applications that run in the AWS Cloud. DDoS attacks are attempts to make an online service unavailable by overwhelming it with traffic from multiple sources. AWS Shield provides two tiers of protection: AWS Shield Standard and AWS Shield Advanced. AWS Shield Standard is automatically enabled for all AWS customers at no additional charge. It provides protection against common and frequently occurring network and transport layer DDoS attacks. AWS Shield Advanced is an optional paid service that provides additional protection against larger and more sophisticated DDoS attacks. AWS Shield Advanced also provides access to 24/7 DDoS response team, cost protection, and enhanced detection and mitigation capabilities

- (Topic 1)
A company is designing an identity access management solution for an application. The company wants users to be able to use their social media, email, or online shopping accounts to access the application.
Which AWS service provides this functionality?

1. A. AWS IAM Identity Center (AWS Single Sign-On)
2. B. AWS Config
3. C. Amazon Cognito
4. D. AWS Identity and Access Management (IAM)

Correct Answer: C
The correct answer is C because Amazon Cognito provides identity federation and user authentication for web and mobile applications. Amazon Cognito allows users to sign in with their social media, email, or online shopping accounts. The other options are incorrect because they do not provide identity federation or user authentication. AWS IAM Identity Center (AWS Single Sign-On) is a service that enables users to access multiple AWS accounts and applications with a single sign-on experience. AWS Config is a service that enables users to assess, audit, and evaluate the configurations of their AWS resources. AWS Identity and Access Management (IAM) is a service that enables users to manage access to AWS resources using users, groups, roles, and policies.
Reference: Amazon Cognito FAQs

- (Topic 1)
Which AWS service aggregates, organizes, and prioritizes security alerts and findings from multiple AWS services?

1. A. Amazon Detective
2. B. Amazon Inspector
3. C. Amazon Macie
4. D. AWS Security Hub

Correct Answer: D
The correct answer is D because AWS Security Hub is a service that aggregates, organizes, and prioritizes security alerts and findings from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Firewall Manager, and AWS IAM Access Analyzer. The other options are incorrect because they are not services that aggregate security alerts and findings from multiple AWS services. Amazon Detective is a service that helps users analyze and visualize security data to investigate and remediate potential issues. Amazon Inspector is a service that helps users find security vulnerabilities and deviations from best practices in their Amazon EC2 instances. Amazon Macie is a service that helps users discover, classify, and protect sensitive data stored in Amazon S3. Reference: AWS Security Hub FAQs

- (Topic 1)
A company is running applications on Amazon EC2 instances in the same AWS account for several different projects. The company wants to track the infrastructure costs for each of the projects separately. The company must conduct this tracking with the least possible impact to the existing infrastructure and with no additional cost.
What should the company do to meet these requirements?

1. A. Use a different EC2 instance type for each project.
2. B. Publish project-specific custom Amazon CloudWatch metrics for each application.
3. C. Deploy EC2 instances for each project in a separate AWS account.
4. D. Use cost allocation tags with values that are specific to each project.

Correct Answer: D
The correct answer is D because cost allocation tags are a way to track the infrastructure costs for each of the projects separately. Cost allocation tags are key-value pairs that can be attached to AWS resources, such as EC2 instances, and used to categorize and group them for billing purposes. The other options are incorrect because they do not meet the requirements of the question. Use a different EC2 instance type for each project does not help to track the costs for each project, and may impact the performance and compatibility of the applications. Publish project-specific custom Amazon CloudWatch metrics for each application does not help to track the costs for each project, and may incur additional charges for using CloudWatch. Deploy EC2 instances for each project in a separate AWS account does help to track the costs for each project, but it impacts the existing infrastructure and incurs additional charges for using multiple accounts. Reference: Using Cost Allocation Tags