- (Exam Topic 1)
A large government organization is moving to the cloud and has specific encryption requirements. The first workload to move requires that a customer's data be immediately destroyed when the customer makes that request.
Management has asked the security team to provide a solution that will securely store the data, allow only authorized applications to perform encryption and decryption and allow for immediate destruction of the data
Which solution will meet these requirements?

1. A. Use AWS Secrets Manager and an AWS SDK to create a unique secret for the customer-specific data
2. B. Use AWS Key Management Service (AWS KMS) and the AWS Encryption SDK to generate and store a data encryption key for each customer.
3. C. Use AWS Key Management Service (AWS KMS) with service-managed keys to generate and store customer-specific data encryption keys
4. D. Use AWS Key Management Service (AWS KMS) and create an AWS CloudHSM custom key store Use CloudHSM to generate and store a new CMK for each customer.

Correct Answer: A

- (Exam Topic 3)
A company is deploying a new web application on AWS. Based on their other web applications, they anticipate being the target of frequent DDoS attacks. Which steps can the company use to protect their application? Select 2 answers from the options given below.
Please select:

1. A. Associate the EC2 instances with a security group that blocks traffic from blacklisted IP addresses.
2. B. Use an ELB Application Load Balancer and Auto Scaling group to scale to absorb application layer traffic.
3. C. Use Amazon Inspector on the EC2 instances to examine incoming traffic and discard malicious traffic.
4. D. Use CloudFront and AWS WAF to prevent malicious traffic from reaching the application
5. E. Enable GuardDuty to block malicious traffic from reaching the application

Correct Answer: BD
The below diagram from AWS shows the best case scenario for avoiding DDos attacks using services such as AWS Cloudfro WAF, ELB and Autoscaling
C:\Users\wk\Desktop\mudassar\Untitled.jpg

Option A is invalid because by default security groups don't allow access Option C is invalid because AWS Inspector cannot be used to examine traffic
Option E is invalid because this can be used for attacks on EC2 Instances but not against DDos attacks on the entire application For more information on DDos mitigation from AWS, please visit the below URL:
https://aws.amazon.com/answers/networking/aws-ddos-attack-mitieationi
The correct answers are: Use an ELB Application Load Balancer and Auto Scaling group to scale to absorb application layer traffic., Use CloudFront and AWS WAF to prevent malicious traffic from reaching the application
Submit your Feedback/Queries to our Experts

- (Exam Topic 1)
An application is currently secured using network access control lists and security groups. Web servers are located in public subnets behind an Application Load Balancer (ALB); application servers are located in private subnets.
How can edge security be enhanced to safeguard the Amazon EC2 instances against attack? (Choose two.)

1. A. Configure the application’s EC2 instances to use NAT gateways for all inbound traffic.
2. B. Move the web servers to private subnets without public IP addresses.
3. C. Configure AWS WAF to provide DDoS attack protection for the ALB.
4. D. Require all inbound network traffic to route through a bastion host in the private subnet.
5. E. Require all inbound and outbound network traffic to route through an AWS Direct Connect connection.

Correct Answer: BC

- (Exam Topic 3)
Your company is planning on using AWS EC2 and ELB for deployment for their web applications. The security policy mandates that all traffic should be encrypted. Which of the following options will ensure that this requirement is met. Choose 2 answers from the options below.
Please select:

1. A. Ensure the load balancer listens on port 80
2. B. Ensure the load balancer listens on port 443
3. C. Ensure the HTTPS listener sends requests to the instances on port 443
4. D. Ensure the HTTPS listener sends requests to the instances on port 80

Correct Answer: BC
The AWS Documentation mentions the following
You can create a load balancer that listens on both the HTTP (80) and HTTPS (443) ports. If you specify that the HTTPS listener sends requests to the instances on port 80, the load balancer terminates the requests and communication from the load balancer to the instances is not encrypted, if the HTTPS listener sends requests to the instances on port 443, communication from the load balancer to the instances is encrypted.
Option A is invalid because there is a need for secure traffic, so port 80 should not be used
Option D is invalid because for the HTTPS listener you need to use port 443 For more information on HTTPS with ELB, please refer to the below Link:
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.htmll
The correct answers are: Ensure the load balancer listens on port 443, Ensure the HTTPS listener sends requests to the instances on port 443
Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
For compliance reasons a Security Engineer must produce a weekly report that lists any instance that does not have the latest approved patches applied. The Engineer must also ensure that no system goes more than 30 days without the latest approved updates being applied
What would the MOST efficient way to achieve these goals?

1. A. Use Amazon inspector to determine which systems do not have the latest patches applied, and after 30 days, redeploy those instances with the latest AMI version
2. B. Configure Amazon EC2 Systems Manager to report on instance patch compliance and enforce updates during the defined maintenance windows
3. C. Examine AWS CloudTrail togs to determine whether any instances have not restarted in the last 30 days, and redeploy those instances
4. D. Update the AMls with the latest approved patches and redeploy each instance during the defined maintenance window

Correct Answer: B