- (Exam Topic 3)
A company's application team needs to host a MySQL database on AWS. According to the company's security policy, all data that is stored on AWS must be encrypted at rest. In addition, all cryptographic material must be compliant with FIPS 140-2 Level 3 validation.
The application team needs a solution that satisfies the company's security requirements and minimizes operational overhead.
Which solution will meet these requirements?

1. A. Host the database on Amazon RD
2. B. Use Amazon Elastic Block Store (Amazon EBS) for encryption.Use an AWS Key Management Service (AWS KMS) custom key store that is backed by AWS CloudHSM for key management.
3. C. Host the database on Amazon RD
4. D. Use Amazon Elastic Block Store (Amazon EBS) for encryption.Use an AWS managed CMK in AWS Key Management Service (AWS KMS) for key management.
5. E. Host the database on an Amazon EC2 instanc
6. F. Use Amazon Elastic Block Store (Amazon EBS) for encryptio
7. G. Use a customer managed CMK in AWS Key Management Service (AWS KMS) for key management.
8. H. Host the database on an Amazon EC2 instanc
9. I. Use Transparent Data Encryption (TDE) for encryption and key management.

Correct Answer: B

- (Exam Topic 3)
An application is designed to run on an EC2 Instance. The applications needs to work with an S3 bucket. From a security perspective , what is the ideal way for the EC2 instance/ application to be configured?
Please select:

1. A. Use the AWS access keys ensuring that they are frequently rotated.
2. B. Assign an IAM user to the application that has specific access to only that S3 bucket
3. C. Assign an IAM Role and assign it to the EC2 Instance
4. D. Assign an IAM group and assign it to the EC2 Instance

Correct Answer: C
The below diagram from the AWS whitepaper shows the best security practicse of allocating a role that has access to the S3 bucket
C:\Users\wk\Desktop\mudassar\Untitled.jpg

Options A,B and D are invalid because using users, groups or access keys is an invalid security practise when giving access to resources from other AWS resources.
For more information on the Security Best practices, please visit the following URL: https://d1.awsstatic.com/whitepapers/Security/AWS Security Best Practices.pdl
The correct answer is: Assign an IAM Role and assign it to the EC2 Instance Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
You work as an administrator for a company. The company hosts a number of resources using AWS. There is an incident of a suspicious API activity which occurred 11 days ago. The Security Admin has asked to get the API activity from that point in time. How can this be achieved?
Please select:

1. A. Search the Cloud Watch logs to find for the suspicious activity which occurred 11 days ago
2. B. Search the Cloudtrail event history on the API events which occurred 11 days ago.
3. C. Search the Cloud Watch metrics to find for the suspicious activity which occurred 11 days ago
4. D. Use AWS Config to get the API calls which were made 11 days ago.

Correct Answer: B
The Cloud Trail event history allows to view events which are recorded for 90 days. So one can use a metric filter to gather the API calls from 11 days ago.
Option A and C is invalid because Cloudwatch is used for logging and not for monitoring API activity Option D is invalid because AWSConfig is a configuration service and not for monitoring API activity For more information on AWS Cloudtrail, please visit the following URL: https://docs.aws.amazon.com/awscloudtrail/latest/usereuide/how-cloudtrail-works.html
Note:
In this question we assume that the customer has enabled cloud trail service.
AWS CloudTrail is enabled by default for ALL CUSTOMERS and will provide visibility into the past seven days of account activity without the need for you to configure a trail in the service to get started. So for an activity that happened 11 days ago to be stored in the cloud trail we need to configure the trail manually to ensure that it is stored in the events history.
• https://aws.amazon.com/blogs/aws/new-amazon-web-services-extends-cloudtrail-to-all-aws-customers/ The correct answer is: Search the Cloudtrail event history on the API events which occurred 11 days ago.

- (Exam Topic 2)
What are the MOST secure ways to protect the AWS account root user of a recently opened AWS account? (Choose two.)

1. A. Use the AWS account root user access keys instead of the AWS Management Console
2. B. Enable multi-factor authentication for the AWS IAM users with the AdministratorAccess managed policy attached to them
3. C. Enable multi-factor authentication for the AWS account root user
4. D. Use AWS KMS to encrypt all AWS account root user and AWS IAM access keys and set automatic rotation to 30 days
5. E. Do not create access keys for the AWS account root user; instead, create AWS IAM users

Correct Answer: CE

- (Exam Topic 3)
Your company use AWS KMS for management of its customer keys. From time to time, there is a requirement to delete existing keys as part of housekeeping activities. What can be done during the deletion process to verify that the key is no longer being used.
Please select:

1. A. Use CloudTrail to see if any KMS API request has been issued against existing keys
2. B. Use Key policies to see the access level for the keys
3. C. Rotate the keys once before deletion to see if other services are using the keys
4. D. Change the IAM policy for the keys to see if other services are using the keys

Correct Answer: A
The AWS lentation mentions the following
You can use a combination of AWS CloudTrail, Amazon CloudWatch Logs, and Amazon Simple Notification Service (Amazon SNS) to create an alarm that notifies you of AWS KMS API requests that attempt to use a customer master key (CMK) that is pending deletion. If you receive a notification from such an alarm, you might want to cancel deletion of the CMK to give yourself more time to determine whether you want to delete it
Options B and D are incorrect because Key policies nor IAM policies can be used to check if the keys are being used.
Option C is incorrect since rotation will not help you check if the keys are being used. For more information on deleting keys, please refer to below URL:
https://docs.aws.amazon.com/kms/latest/developereuide/deletine-keys-creatine-cloudwatch-alarm.html
The correct answer is: Use CloudTrail to see if any KMS API request has been issued against existing keys Submit your Feedback/Queries to our Experts