- (Exam Topic 3)
You have an Amazon VPC that has a private subnet and a public subnet in which you have a NAT instance server. You have created a group of EC2 instances that configure themselves at startup by downloading a bootstrapping script from S3 that deploys an application via GIT.
Which one of the following setups would give us the highest level of security? Choose the correct answer from the options given below.
Please select:

1. A. EC2 instances in our public subnet, no EIPs, route outgoing traffic via the IGW
2. B. EC2 instances in our public subnet, assigned EIPs, and route outgoing traffic via the NAT
3. C. EC2 instance in our private subnet, assigned EIPs, and route our outgoing traffic via our IGW
4. D. EC2 instances in our private subnet, no EIPs, route outgoing traffic via the NAT

Correct Answer: D
The below diagram shows how the NAT instance works. To make EC2 instances very secure, they need to be in a private sub such as the database server shown below with no EIP and all traffic routed via the NAT.
C:\Users\wk\Desktop\mudassar\Untitled.jpg

Options A and B are invalid because the instances need to be in the private subnet
Option C is invalid because since the instance needs to be in the private subnet, you should not attach an EIP to the instance
For more information on NAT instance, please refer to the below Link: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuideA/PC lnstance.html!
The correct answer is: EC2 instances in our private subnet no EIPs, route outgoing traffic via the NAT Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
A developer at a company uses an SSH key to access multiple Amazon EC2 instances. The company discovers that the SSH key has been posted on a public GitHub repository. A security engineer verifies that the key has not been used recently.
How should the security engineer prevent unauthorized access to the EC2 instances?

1. A. Delete the key pair from the EC2 consol
2. B. Create a new key pair.
3. C. Use the ModifylnstanceAttribute API operation to change the key on any EC2 instance that is using the key.
4. D. Restrict SSH access in the security group to only known corporate IP addresses.
5. E. Update the key pair in any AMI that is used to launch the EC2 instance
6. F. Restart the EC2 instances.

Correct Answer: C

- (Exam Topic 2)
During a recent internal investigation, it was discovered that all API logging was disabled in a production account, and the root user had created new API keys that appear to have been used several times.
What could have been done to detect and automatically remediate the incident?

1. A. Using Amazon Inspector, review all of the API calls and configure the inspector agent to leverage SNS topics to notify security of the change to AWS CloudTrail, and revoke the new API keys for the root user.
2. B. Using AWS Config, create a config rule that detects when AWS CloudTrail is disabled, as well as any calls to the root user create-api-ke
3. C. Then use a Lambda function to re-enable CloudTrail logs and deactivate the root API keys.
4. D. Using Amazon CloudWatch, create a CloudWatch event that detects AWS CloudTrail deactivation and a separate Amazon Trusted Advisor check to automatically detect the creation of root API key
5. E. Then use a Lambda function to enable AWS CloudTrail and deactivate the root API keys.
6. F. Using Amazon CloudTrail, create a new CloudTrail event that detects the deactivation of CloudTrail logs, and a separate CloudTrail event that detects the creation of root API key
7. G. Then use a Lambda function to enable CloudTrail and deactivate the root API keys.

Correct Answer: B
https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-enabled.html https://docs.aws.amazon.com/config/latest/developerguide/iam-root-access-key-check.html

- (Exam Topic 3)
Which technique can be used to integrate AWS IAM (Identity and Access Management) with an on-premise LDAP (Lightweight Directory Access Protocol) directory service?
Please select:

1. A. Use an IAM policy that references the LDAP account identifiers and the AWS credentials.
2. B. Use SAML (Security Assertion Markup Language) to enable single sign-on between AWS and LDAP.
3. C. Use AWS Security Token Service from an identity broker to issue short-lived AWS credentials.
4. D. Use IAM roles to automatically rotate the IAM credentials when LDAP credentials are updated.

Correct Answer: B
On the AWS Blog site the following information is present to help on this context
The newly released whitepaper. Single Sign-On: Integrating AWS, OpenLDAP, and Shibboleth, will help you integrate your existing LDAP-based user directory with AWS. When you integrate your existing directory with AWS, your users can access AWS by using their existing credentials. This means that your users don't need to maintain yet another user name and password just to access AWS resources.
Option A.C and D are all invalid because in this sort of configuration, you have to use SAML to enable single sign on.
For more information on integrating AWS with LDAP for Single Sign-On, please visit the following URL: https://aws.amazon.eom/blogs/security/new-whitepaper-sinEle-sign-on-inteErating-aws-openldap-and-shibbolet The correct answer is: Use SAML (Security Assertion Markup Language) to enable single sign-on between
AWS and LDAP. Submit your Feedback/Queries to our Experts

- (Exam Topic 2)
An organization operates a web application that serves users globally. The application runs on Amazon EC2 instances behind an Application Load Balancer. There is an Amazon CloudFront distribution in front of the load balancer, and the organization uses AWS WAF. The application is currently experiencing a volumetric attack whereby the attacker is exploiting a bug in a popular mobile game.
The application is being flooded with HTTP requests from all over the world with the User-Agent set to the following string: Mozilla/5.0 (compatible; ExampleCorp; ExampleGame/1.22; Mobile/1.0)
What mitigation can be applied to block attacks resulting from this bug while continuing to service legitimate requests?

1. A. Create a rule in AWS WAF rules with conditions that block requests based on the presence of ExampleGame/1.22 in the User-Agent header
2. B. Create a geographic restriction on the CloudFront distribution to prevent access to the application from most geographic regions
3. C. Create a rate-based rule in AWS WAF to limit the total number of requests that the web application services.
4. D. Create an IP-based blacklist in AWS WAF to block the IP addresses that are originating from requests that contain ExampleGame/1.22 in the User-Agent header.

Correct Answer: A
Since all the attack has http header- User-Agent set to string: Mozilla/5.0 (compatible; ExampleCorp;) it would be much more easier to block these attack by simply denying traffic with the header match . HTH ExampleGame/1.22; Mobile/1.0)