- (Exam Topic 4)
Within a VPC, a corporation runs an Amazon RDS Multi-AZ DB instance. The database instance is connected to the internet through a NAT gateway via two subnets.
Additionally, the organization has application servers that are hosted on Amazon EC2 instances and use the RDS database. These EC2 instances have been deployed onto two more private subnets inside the same VPC. These EC2 instances connect to the internet through a default route via the same NAT gateway. Each VPC subnet has its own route table.
The organization implemented a new security requirement after a recent security examination. Never allow the database instance to connect to the internet. A security engineer must perform this update promptly without interfering with the network traffic of the application servers.
How will the security engineer be able to comply with these requirements?

1. A. Remove the existing NAT gatewa
2. B. Create a new NAT gateway that only the application server subnets can use.
3. C. Configure the DB instance€™s inbound network ACL to deny traffic from the security group ID of the NAT gateway.
4. D. Modify the route tables of the DB instance subnets to remove the default route to the NAT gateway.
5. E. Configure the route table of the NAT gateway to deny connections to the DB instance subnets.

Correct Answer: C
Each subnet has a route table, so modify the routing associated with DB instance subnets to prevent internet access.

- (Exam Topic 3)
Your company hosts a large section of EC2 instances in IAM. There are strict security rules governing the EC2 Instances. During a potential security breach , you need to ensure quick investigation of the underlying EC2 Instance. Which of the following service can help you quickly provision a test environment to look into the breached instance.
Please select:

1. A. IAM Cloudwatch
2. B. IAM Cloudformation
3. C. IAM Cloudtrail
4. D. IAM Config

Correct Answer: B
The IAM Security best practises mentions the following
Unique to IAM, security practitioners can use CloudFormation to quickly create a new, trusted environment in which to conduct deeper investigation. The CloudFormation template can pre-configure instances in an isolated environment that contains all the necessary tools forensic teams need to determine the cause of the incident This cuts down on the time it takes to gather necessary tools, isolates systems under examination, and ensures that the team is operating in a clean room.
Option A is incorrect since this is a logging service and cannot be used to provision a test environment Option C is incorrect since this is an API logging service and cannot be used to provision a test environment Option D is incorrect since this is a configuration service and cannot be used to provision a test environment For more information on IAM Security best practises, please refer to below URL: https://d1.IAMstatic.com/whitepapers/architecture/IAM-Security-Pillar.pd1
The correct answer is: IAM Cloudformation Submit your Feedback/Queries to our Experts

- (Exam Topic 4)
A developer has created an AWS Lambda function in a company's development account. The Lambda function requires the use of an AWS Key Management Service (AWS KMS) customer managed key that exists in a security account that the company's security team controls. The developer obtains the ARN of the KMS key from a previous Lambda function in the development account. The previous Lambda function had been working properly with the KMS key.
When the developer uses the ARN and tests the new Lambda function an error message states that access is denied to the KMS key in the security account. The developer tests the previous Lambda function that uses the same KMS key and discovers that the previous Lambda function still can encrypt data as expected.
A security engineer must resolve the problem so that the new Lambda function in the development account
can use the KMS key from the security account.
Which combination of steps should the security engineer take to meet these requirements? (Select TWO.)

1. A. In the security account configure an IAM role for the new Lambda functio
2. B. Attach an IAM policy that allows access to the KMS key in the security account.
3. C. In the development account configure an IAM role for the new Lambda functio
4. D. Attach a key policy that allows access to the KMS key in the security account.
5. E. In the development account configure an IAM role for the new Lambda functio
6. F. Attach an IAM policy that allows access to the KMS key in the security account.
7. G. Configure a key policy for the KMS key m the security account to allow access to the IAM role of the new Lambda function in the security account.
8. H. Configure a key policy for the KMS key in the security account to allow access to the IAM role of the new Lambda function in the development account.

Correct Answer: CE
To allow cross-account access to a KMS key, the key policy of the KMS key must grant permission to the external account or principal, and the IAM policy of the external account or principal must delegate the key policy permission. In this case, the new Lambda function in the development account needs to use the KMS key in the security account, so the key policy of the KMS key must allow access to the IAM role of the new Lambda function in the development account (option E), and the IAM role of the new Lambda function in the development account must have an IAM policy that allows access to the KMS key in the security account (option C). Option A is incorrect because it creates an IAM role for the new Lambda function in the security account, not in the development account. Option B is incorrect because it attaches a key policy to an IAM role, which is not valid. Option D is incorrect because it allows access to the IAM role of the new Lambda function in the security account, not in the development account. Verified References:
https://docs.aws.amazon.com/autoscaling/ec2/userguide/key-policy-requirements-EBS-encryption.html

- (Exam Topic 3)
Your current setup in IAM consists of the following architecture. 2 public subnets, one subnet which has the web servers accessed by users across the internet and the other subnet for the database server. Which of the following changes to the architecture would add a better security boundary to the resources hosted in your setup
Please select:

1. A. Consider moving the web server to a private subnet
2. B. Consider moving the database server to a private subnet
3. C. Consider moving both the web and database server to a private subnet
4. D. Consider creating a private subnet and adding a NAT instance to that subnet

Correct Answer: B
The ideal setup is to ensure that the web server is hosted in the public subnet so that it can be accessed by users on the internet. The database server can be hosted in the private subnet.
The below diagram from the IAM Documentation shows how this can be setup
Option A and C are invalid because if you move the web server to a private subnet, then it cannot be accessed by users Option D is invalid because NAT instances should be present in the public subnet
For more information on public and private subnets in IAM, please visit the following url com/AmazonVPC/latest/UserGuide/VPC Scenario2.
The correct answer is: Consider moving the database server to a private subnet Submit your Feedback/Queries to our Experts

- (Exam Topic 4)
A company is running an application in The eu-west-1 Region. The application uses an IAM Key Management Service (IAM KMS) CMK to encrypt sensitive data. The company plans to deploy the application in the eu-north-1 Region.
A security engineer needs to implement a key management solution for the application deployment in the new Region. The security engineer must minimize changes to the application code.
Which change should the security engineer make to the IAM KMS configuration to meet these requirements?

1. A. Update the key policies in eu-west-1. Point the application in eu-north-1 to use the same CMK as theapplication in eu-west-1.
2. B. Allocate a new CMK to eu-north-1 to be used by the application that is deployed in that Region.
3. C. Allocate a new CMK to eu-north-1. Create the same alias name for both key
4. D. Configure the application deployment to use the key alias.
5. E. Allocate a new CMK to eu-north-1. Create an alias for eu-'-1. Change the application code to point to the alias for eu-'-1.

Correct Answer: B