- (Exam Topic 3)
Your company has a requirement to work with a DynamoDB table. There is a security mandate that all data should be encrypted at rest. What is the easiest way to accomplish this for DynamoDB.
Please select:

1. A. Use the AWS SDK to encrypt the data before sending it to the DynamoDB table
2. B. Encrypt the DynamoDB table using KMS during its creation
3. C. Encrypt the table using AWS KMS after it is created
4. D. Use S3 buckets to encrypt the data before sending it to DynamoDB

Correct Answer: B
The most easiest option is to enable encryption when the DynamoDB table is created. The AWS Documentation mentions the following
Amazon DynamoDB offers fully managed encryption at rest. DynamoDB encryption at rest provides enhanced security by encrypting your data at rest using an AWS Key Management Service (AWS KMS) managed encryption key for DynamoDB. This functionality eliminates the operational burden and complexity involved in protecting sensitive data.
Option A is partially correct, you can use the AWS SDK to encrypt the data, but the easier option would be to encrypt the table before hand.
Option C is invalid because you cannot encrypt the table after it is created
Option D is invalid because encryption for S3 buckets is for the objects in S3 only.
For more information on securing data at rest for DynamoDB please refer to below URL: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.htmll The correct answer is: Encrypt the DynamoDB table using KMS during its creation Submit your
Feedback/Queries to our Experts

- (Exam Topic 3)
Your company looks at the gaming domain and hosts several Ec2 Instances as game servers. The servers each experience user loads in the thousands. There is a concern of DDos attacks on the EC2 Instances which could cause a huge revenue loss to the company. Which of the following can help mitigate this security concern and also ensure minimum downtime for the servers.
Please select:

1. A. Use VPC Flow logs to monitor the VPC and then implement NACL's to mitigate attacks
2. B. Use AWS Shield Advanced to protect the EC2 Instances
3. C. Use AWS Inspector to protect the EC2 Instances
4. D. Use AWS Trusted Advisor to protect the EC2 Instances

Correct Answer: B
Below is an excerpt from the AWS Documentation on some of the use cases for AWS Shield C:\Users\wk\Desktop\mudassar\Untitled.jpg

- (Exam Topic 3)
Your company hosts critical data in an S3 bucket. There is a requirement to ensure that all data is encrypted. There is also metadata about the information stored in the bucket that needs to be encrypted as well. Which of the below measures would you take to ensure that the metadata is encrypted?
Please select:

1. A. Put the metadata as metadata for each object in the S3 bucket and then enable S3 Server side encryption.
2. B. Put the metadata as metadata for each object in the S3 bucket and then enable S3 Server KMSencryption.
3. C. Put the metadata in a DynamoDB table and ensure the table is encrypted during creation time.
4. D. Put thp metadata in thp S3 hurkpf itself.

Correct Answer: C
Option A ,B and D are all invalid because the metadata will not be encrypted in any case and this is a key requirement from the question.
One key thing to note is that when the S3 bucket objects are encrypted, the meta data is not encrypted. So the best option is to use an encrypted DynamoDB table
Important
All GET and PUT requests for an object protected by AWS KMS will fail if they are not made via SSL or by using SigV4. SSE-KMS encrypts only the object data. Any object metadata is not encrypted. For more information on using KMS encryption for S3, please refer to below URL: 1 https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html
The correct answer is: Put the metadata in a DynamoDB table and ensure the table is encrypted during creation time. Submit your Feedback/Queries to our Experts

- (Exam Topic 2)
A Security Engineer is defining the logging solution for a newly developed product. Systems Administrators and Developers need to have appropriate access to event log files in AWS CloudTrail to support and troubleshoot the product.
Which combination of controls should be used to protect against tampering with and unauthorized access to log files? (Choose two.)

1. A. Ensure that the log file integrity validation mechanism is enabled.
2. B. Ensure that all log files are written to at least two separate Amazon S3 buckets in the same account.
3. C. Ensure that Systems Administrators and Developers can edit log files, but prevent any other access.
4. D. Ensure that Systems Administrators and Developers with job-related need-to-know requirements only are capable of viewing—but not modifying—the log files.
5. E. Ensure that all log files are stored on Amazon EC2 instances that allow SSH access from the internalcorporate network only.

Correct Answer: AD

- (Exam Topic 3)
A company had developed an incident response plan 18 months ago. Regular implementations of the response plan are carried out. No changes have been made to the response plan have been made since its creation. Which of the following is a right statement with regards to the plan?
Please select:

1. A. It places too much emphasis on already implemented security controls.
2. B. The response plan is not implemented on a regular basis
3. C. The response plan does not cater to new services
4. D. The response plan is complete in its entirety

Correct Answer: C
So definitely the case here is that the incident response plan is not catering to newly created services. AWS keeps on changing and adding new services and hence the response plan must cater to these new services.
Option A and B are invalid because we don't know this for a fact.
Option D is invalid because we know that the response plan is not complete, because it does not cater to new features of AWS
For more information on incident response plan please visit the following URL:
https://aws.amazon.com/blogs/publicsector/buildins-a-cloud-specific-incident-response-plan;
The correct answer is: The response plan does not cater to new services Submit your Feedback/Queries to our Experts