- (Exam Topic 2)
A company hosts a critical web application on the IAM Cloud. This is a key revenue generating application for the company. The IT Security team is worried about potential DDos attacks against the web site. The senior management has also specified that immediate action needs to be taken in case of a potential DDos attack. What should be done in this regard?
Please select:

1. A. Consider using the IAM Shield Service
2. B. Consider using VPC Flow logs to monitor traffic for DDos attack and quickly take actions on a trigger of a potential attack.
3. C. Consider using the IAM Shield Advanced Service
4. D. Consider using Cloudwatch logs to monitor traffic for DDos attack and quickly take actions on a trigger of a potential attack.

Correct Answer: C
Option A is invalid because the normal IAM Shield Service will not help in immediate action against a DDos attack. This can be done via the IAM Shield Advanced Service
Option B is invalid because this is a logging service for VPCs traffic flow but cannot specifically protect against DDos attacks.
Option D is invalid because this is a logging service for IAM Services but cannot specifically protect against DDos attacks.
The IAM Documentation mentions the following
IAM Shield Advanced provides enhanced protections for your applications running on Amazon EC2. Elastic Load Balancing (ELB), Amazon CloudFront and Route 53 against larger and more sophisticated attacks. IAM Shield Advanced is available to IAM Business Support and IAM Enterprise Support customers. IAM Shield Advanced protection provides always-on, flow-based monitoring of network traffic and active application monitoring to provide near real-time notifications of DDoS attacks. IAM Shield Advanced also gives customers highly flexible controls over attack mitigations to take actions instantly. Customers can also engage the DDoS Response Team (DRT) 24X7 to manage and mitigate their application layer DDoS attacks.
For more information on IAM Shield, please visit the below URL: https://IAM.amazon.com/shield/faqs;
The correct answer is: Consider using the IAM Shield Advanced Service Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
Your team is experimenting with the API gateway service for an application. There is a need to implement a custom module which can be used for authentication/authorization for calls made to the API gateway. How can this be achieved?
Please select:

1. A. Use the request parameters for authorization
2. B. Use a Lambda authorizer
3. C. Use the gateway authorizer
4. D. Use CORS on the API gateway

Correct Answer: B
The IAM Documentation mentions the following
An Amazon API Gateway Lambda authorizer (formerly known as a custom authorize?) is a Lambda function that you provide to control access to your API methods. A Lambda authorizer uses bearer token authentication strategies, such as OAuth or SAML. It can also use information described by headers, paths, query strings, stage variables, or context variables request parameters.
Options A,C and D are invalid because these cannot be used if you need a custom authentication/authorization for calls made to the API gateway
For more information on using the API gateway Lambda authorizer please visit the URL:
https://docs.IAM.amazon.com/apisateway/latest/developerguide/apieateway-use-lambda-authorizer.htmll The correct answer is: Use a Lambda authorizer
Submit your Feedback/Queries to our Experts

- (Exam Topic 1)
A company Is building a data lake on Amazon S3. The data consists of millions of small files containing sensitive information. The security team has the following requirements for the architecture:
• Data must be encrypted in transit.
• Data must be encrypted at rest.
• The bucket must be private, but if the bucket is accidentally made public, the data must remain confidential. Which combination of steps would meet the requirements? (Select THREE.)

1. A. Enable AES-256 encryption using server-side encryption with Amazon S3-managed encryption keys (SSE-S3) on the S3 bucket
2. B. Enable default encryption with server-side encryption with IAM KMS-managed keys (SSE-KMS) on the S3 bucket.
3. C. Add a bucket policy that includes a deny if a PutObject request does not include IAMiSecureTcanspoct.
4. D. Add a bucket policy with ws: Sourcelpto Allow uploads and downloads from the corporate intranet only.
5. E. Add a bucket policy that includes a deny if a PutObject request does not include s3:x-amz-sairv9r-side-enctyption: "IAM: kms".
6. F. Enable Amazon Macie to monitor and act on changes to the data lake's S3 bucket.

Correct Answer: BDF

- (Exam Topic 3)
Your company has defined a set of S3 buckets in IAM. They need to monitor the S3 buckets and know the source IP address and the person who make requests to the S3 bucket. How can this be achieved?
Please select:

1. A. Enable VPC flow logs to know the source IP addresses
2. B. Monitor the S3 API calls by using Cloudtrail logging
3. C. Monitor the S3 API calls by using Cloudwatch logging
4. D. Enable IAM Inspector for the S3 bucket

Correct Answer: B
The IAM Documentation mentions the following
Amazon S3 is integrated with IAM CloudTrail. CloudTrail is a service that captures specific API calls made to Amazon S3 from your IAM account and delivers the log files to an Amazon S3 bucket that you specify. It captures API calls made from the Amazon S3 console or from the Amazon S3 API.
Using the information collected by CloudTrail, you can determine what request was made to Amazon S3, the source IP address from which the request was made, who made the request when it was made, and so on Options A,C and D are invalid because these services cannot be used to get the source IP address of the calls to S3 buckets
For more information on Cloudtrail logging, please refer to the below Link: https://docs.IAM.amazon.com/AmazonS3/latest/dev/cloudtrail-logeins.htmll
The correct answer is: Monitor the S3 API calls by using Cloudtrail logging Submit your Feedback/Queries to our Experts

- (Exam Topic 4)
A company is using IAM Organizations to develop a multi-account secure networking strategy. The company plans to use separate centrally managed accounts for shared services, auditing, and security inspection. The company plans to provide dozens of additional accounts to application owners for production and development environments.
Company security policy requires that all internet traffic be routed through a centrally managed security inspection layer in the security inspection account. A security engineer must recommend a solution that
minimizes administrative overhead and complexity. Which solution meets these requirements?

1. A. Use IAM Control Towe
2. B. Modify the default Account Factory networking template to automatically associate new accounts with a centrally managed VPC through a VPC peering connection and to create a default route to the VPC peer in the default route tabl
3. C. Create an SCP that denies the CreatelnternetGateway actio
4. D. Attach the SCP to all accounts except the security inspection account.
5. E. Create a centrally managed VPC in the security inspection accoun
6. F. Establish VPC peering connections between the security inspection account and other account
7. G. Instruct account owners to create default routes in their account route tables that point to the VPC pee
8. H. Create an SCP that denies theAttach InternetGateway actio
9. I. Attach the SCP to all accounts except the security inspection account.
10. J. Use IAM Control Towe
11. K. Modify the default Account Factory networking template to automatically associate new accounts with a centrally managed transitgateway and to create a default route to the transit gateway in the default route tabl
12. L. Create an SCP that denies the AttachlnternetGateway actio
13. M. Attach the SCP to all accounts except the security inspection account.
14. N. Enable IAM Resource Access Manager (IAM RAM) for IAM Organization
15. O. Create a shared transit gateway, and make it available by using an IAM RAM resource shar
16. P. Create an SCP that denies the CreatelnternetGateway actio
17. Q. Attach the SCP to all accounts except the security inspection accoun
18. R. Create routes in the route tables of all accounts that point to the shared transit gateway.

Correct Answer: C