- (Exam Topic 3)
A company deploys a distributed web application on a fleet of Amazon EC2 instances. The fleet is behind an Application Load Balancer (ALB) that will be configured to terminate the TLS connection. All TLS traffic to the ALB must stay secure, even if the certificate private key is compromised.
How can a security engineer meet this requirement?

1. A. Create an HTTPS listener that uses a certificate that is managed by AWS Certificate Manager (ACM).
2. B. Create an HTTPS listener that uses a security policy that uses a cipher suite with perfect toward secrecy (PFS).
3. C. Create an HTTPS listener that uses the Server Order Preference security feature.
4. D. Create a TCP listener that uses a custom security policy that allows only cipher suites with perfect forward secrecy (PFS).

Correct Answer: A

- (Exam Topic 1)
A company's architecture requires that its three Amazon EC2 instances run behind an Application Load Balancer (ALB). The EC2 instances transmit sensitive data between each other Developers use SSL certificates to encrypt the traffic between the public users and the ALB However the Developers are unsure of how to encrypt the data in transit between the ALB and the EC2 instances and the traffic between the EC2 instances
Which combination of activities must the company implement to meet its encryption requirements'? (Select TWO )

1. A. Configure SSLTLS on the EC2 instances and configure the ALB target group to use HTTPS
2. B. Ensure that all resources are in the same VPC so the default encryption provided by the VPC is used to encrypt the traffic between the EC2 instances.
3. C. In the AL
4. D. select the default encryption to encrypt the traffic between the ALB and the EC2 instances
5. E. In the code for the application, include a cryptography library and encrypt the data before sending it between the EC2 instances
6. F. Configure AWS Direct Connect to provide an encrypted tunnel between the EC2 instances

Correct Answer: BC

- (Exam Topic 3)
Which of the below services can be integrated with the AWS Web application firewall service. Choose 2 answers from the options given below
Please select:

1. A. AWS Cloudfront
2. B. AWS Lambda
3. C. AWS Application Load Balancer
4. D. AWS Classic Load Balancer

Correct Answer: AC
The AWS documentation mentions the following on the Application Load Balancer
AWS WAF can be deployed on Amazon CloudFront and the Application Load Balancer (ALB). As part of Amazon CloudFront it car be part of your Content Distribution Network (CDN) protecting your resources and content at the Edge locations and as part of the Application Load Balancer it can protect your origin web servers running behind the ALBs.
Options B and D are invalid because only Cloudfront and the Application Load Balancer services are supported by AWS WAF.
For more information on the web application firewall please refer to the below URL: https://aws.amazon.com/waf/faq;
The correct answers are: AWS Cloudfront AWS Application Load Balancer Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
Your company has created a set of keys using the AWS KMS service. They need to ensure that each key is only used for certain services. For example , they want one key to be used only for the S3 service. How can this be achieved?
Please select:

1. A. Create an IAM policy that allows the key to be accessed by only the S3 service.
2. B. Create a bucket policy that allows the key to be accessed by only the S3 service.
3. C. Use the kms:ViaService condition in the Key policy
4. D. Define an IAM user, allocate the key and then assign the permissions to the required service

Correct Answer: C
Option A and B are invalid because mapping keys to services cannot be done via either the IAM or bucket policy
Option D is invalid because keys for IAM users cannot be assigned to services This is mentioned in the AWS Documentation
The kms:ViaService condition key limits use of a customer-managed CMK to requests from particular AWS services. (AWS managed CMKs in your account, such as aws/s3, are always restricted to the AWS service that created them.)
For example, you can use kms:V1aService to allow a user to use a customer managed CMK only for requests that Amazon S3 makes on their behalf. Or you can use it to deny the user permission to a CMK when a request on their behalf comes from AWS Lambda.
For more information on key policy's for KMS please visit the following URL: https://docs.aws.amazon.com/kms/latest/developereuide/policy-conditions.html
The correct answer is: Use the kms:ViaServtce condition in the Key policy Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
A developer 15 building a serverless application hosted on AWS that uses Amazon Redshift in a data store. The application has separate modules for read/write and read-only functionality. The modules need their own database users tor compliance reasons.
Which combination of steps should a security engineer implement to grant appropriate access' (Select TWO )

1. A. Configure cluster security groups for each application module to control access to database users that are required for read-only and read/write.
2. B. Configure a VPC endpoint for Amazon Redshift Configure an endpoint policy that maps database users to each application module, and allow access to the tables that are required for read-only and read/write
3. C. Configure an 1AM poky for each module Specify the ARN of an Amazon Redshift database user that allows the GetClusterCredentials API call
4. D. Create focal database users for each module
5. E. Configure an 1AM policy for each module Specify the ARN of an 1AM user that allows the GetClusterCredentials API call

Correct Answer: AE