- (Exam Topic 3)
A Network Load Balancer (NLB) target instance is not entering the InService state. A security engineer determines that health checks are failing.
Which factors could cause the health check failures? (Select THREE.)

1. A. The target instance's security group does not allow traffic from the NLB.
2. B. The target instance's security group is not attached to the NLB.
3. C. The NLB's security group is not attached to the target instance.
4. D. The target instance's subnet network ACL does not allow traffic from the NLB.
5. E. The target instance's security group is not using IP addresses to allow traffic from the NLB.
6. F. The target network ACL is not attached to the NLB.

Correct Answer: ACD

- (Exam Topic 2)
A company wants to have a secure way of generating, storing and managing cryptographic exclusive access for the keys. Which of the following can be used for this purpose?
Please select:

1. A. Use KMS and the normal KMS encryption keys
2. B. Use KMS and use an external key material
3. C. Use S3 Server Side encryption
4. D. Use Cloud HSM

Correct Answer: D
The AWS Documentation mentions the following
The AWS CloudHSM service helps you meet corporate, contractual and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) instances within the AWS cloud. AWS and AWS Marketplace partners offer a variety of solutions for protecting sensitive data within the AWS platform, but for some applications and data subject to contractual or regulatory mandates for managing cryptographic keys, additional protection may be necessary. CloudHSM complements existing data protection solutions and allows you to protect your encryption keys within HSMs that are desigr and validated to government standards for secure key management. CloudHSM allows you to securely generate, store and manage cryptographic keys used for data encryption in a way that keys are accessible only by you.
Option A.B and Care invalid because in all of these cases, the management of the key will be with AWS. Here the question specifically mentions that you want to have exclusive access over the keys. This can be achieved with Cloud HSM
For more information on CloudHSM, please visit the following URL: https://aws.amazon.com/cloudhsm/faq:
The correct answer is: Use Cloud HSM Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
You are planning on hosting a web application on AWS. You create an EC2 Instance in a public subnet. This instance needs to connect to an EC2 Instance that will host an Oracle database. Which of the following steps should be followed to ensure a secure setup is in place? Select 2 answers.
Please select:

1. A. Place the EC2 Instance with the Oracle database in the same public subnet as the Web server for faster communication
2. B. Place the EC2 Instance with the Oracle database in a separate private subnet
3. C. Create a database security group and ensure the web security group to allowed incoming access
4. D. Ensure the database security group allows incoming traffic from 0.0.0.0/0

Correct Answer: BC
The best secure option is to place the database in a private subnet. The below diagram from the AWS Documentation shows this setup. Also ensure that access is not allowed from all sources but just from the web servers.
C:\Users\wk\Desktop\mudassar\Untitled.jpg

Option A is invalid because databases should not be placed in the public subnet
Option D is invalid because the database security group should not allow traffic from the internet For more information on this type of setup, please refer to the below URL:
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuideA/PC Scenario2.
The correct answers are: Place the EC2 Instance with the Oracle database in a separate private subnet Create a database security group and ensure the web security group to allowed incoming access
Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
Your company has a set of EC2 Instances defined in AWS. They need to ensure that all traffic packets are monitored and inspected for any security threats. How can this be achieved? Choose 2 answers from the options given below
Please select:

1. A. Use a host based intrusion detection system
2. B. Use a third party firewall installed on a central EC2 instance
3. C. Use VPC Flow logs
4. D. Use Network Access control lists logging

Correct Answer: AB
If you want to inspect the packets themselves, then you need to use custom based software A diagram representation of this is given in the AWS Security best practices C:\Users\wk\Desktop\mudassar\Untitled.jpg

Option C is invalid because VPC Flow logs cannot conduct packet inspection.
For more information on AWS Security best practices, please refer to below URL:
The correct answers are: Use a host based intrusion detection system. Use a third party firewall installed on a central EC2
Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
Your company has a set of EC2 Instances defined in AWS. These Ec2 Instances have strict security groups attached to them. You need to ensure that changes to the Security groups are noted and acted on accordingly. How can you achieve this?
Please select:

1. A. Use Cloudwatch logs to monitor the activity on the Security Group
2. B. Use filters to search for the changes and use SNS for the notification.
3. C. Use Cloudwatch metrics to monitor the activity on the Security Group
4. D. Use filters to search for the changes and use SNS for the notification.
5. E. Use AWS inspector to monitor the activity on the Security Group
6. F. Use filters to search for the changes and use SNS f the notification.
7. G. Use Cloudwatch events to be triggered for any changes to the Security Group
8. H. Configure the Lambda function for email notification as well.

Correct Answer: D
The below diagram from an AWS blog shows how security groups can be monitored C:\Users\wk\Desktop\mudassar\Untitled.jpg

Option A is invalid because you need to use Cloudwatch Events to check for chan, Option B is invalid because you need to use Cloudwatch Events to check for chang
Option C is invalid because AWS inspector is not used to monitor the activity on Security Groups For more information on monitoring security groups, please visit the below URL:
Ihttpsy/aws.amazon.com/blogs/security/how-to-automatically-revert-and-receive-notifications-about-changes-to 'pc-security-groups/
The correct answer is: Use Cloudwatch events to be triggered for any changes to the Security Groups. Configure the Lambda function for email notification as well.
Submit your Feedback/Queries to our Experts