- (Exam Topic 2)
Your development team has started using IAM resources for development purposes. The IAM account has just been created. Your IT Security team is worried about possible leakage of IAM keys. What is the first level of measure that should be taken to protect the IAM account.
Please select:

1. A. Delete the IAM keys for the root account
2. B. Create IAM Groups
3. C. Create IAM Roles
4. D. Restrict access using IAM policies

Correct Answer: A
The first level or measure that should be taken is to delete the keys for the IAM root user
When you log into your account and go to your Security Access dashboard, this is the first step that can be seen C:\Users\wk\Desktop\mudassar\Untitled.jpg

Option B and C are wrong because creation of IAM groups and roles will not change the impact of leakage of IAM root access keys
Option D is wrong because the first key aspect is to protect the access keys for the root account For more information on best practises for Security Access keys, please visit the below URL:
https://docs.IAM.amazon.com/eeneral/latest/gr/IAM-access-keys-best-practices.html
The correct answer is: Delete the IAM keys for the root account Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
An organization has setup multiple IAM users. The organization wants that each IAM user accesses the IAM console only within the organization and not from outside. How can it achieve this?
Please select:

1. A. Create an IAM policy with the security group and use that security group for IAM console login
2. B. Create an IAM policy with a condition which denies access when the IP address range is not from the organization
3. C. Configure the EC2 instance security group which allows traffic only from the organization's IP range
4. D. Create an IAM policy with VPC and allow a secure gateway between the organization and IAM Console

Correct Answer: B
You can actually use a Deny condition which will not allow the person to log in from outside. The below example shows the Deny condition to ensure that any address specified in the source address is not allowed to access the resources in IAM.
Option A is invalid because you don't mention the security group in the IAM policy Option C is invalid because security groups by default don't allow traffic
Option D is invalid because the IAM policy does not have such an option For more information on IAM policy conditions, please visit the URL: http://docs.IAM.amazon.com/IAM/latest/UserGuide/access
pol examples.htm l#iam-policy-example-ec2-two-condition!
The correct answer is: Create an IAM policy with a condition which denies access when the IP address range is not from the organization
Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
You need to ensure that the cloudtrail logs which are being delivered in your IAM account is encrypted. How can this be achieved in the easiest way possible?
Please select:

1. A. Don't do anything since CloudTrail logs are automatically encrypted.
2. B. Enable S3-SSE for the underlying bucket which receives the log files
3. C. Enable S3-KMS for the underlying bucket which receives the log files
4. D. Enable KMS encryption for the logs which are sent to Cloudwatch

Correct Answer: A
The IAM Documentation mentions the following
By default the log files delivered by CloudTrail to your bucket are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3)
Option B,C and D are all invalid because by default all logs are encrypted when they sent by Cloudtrail to S3 buckets
For more information on IAM Cloudtrail log encryption, please visit the following URL: https://docs.IAM.amazon.com/IAMcloudtrail/latest/usereuide/encryptine-cloudtrail-loe-files-with-IAM-kms.htm The correct answer is: Don't do anything since CloudTrail logs are automatically encrypted. Submit your
Feedback/Queries to our Experts

- (Exam Topic 3)
A company wants to use Cloudtrail for logging all API activity. They want to segregate the logging of data events and management events. How can this be achieved? Choose 2 answers from the options given below
Please select:

1. A. Create one Cloudtrail log group for data events
2. B. Create one trail that logs data events to an S3 bucket
3. C. Create another trail that logs management events to another S3 bucket
4. D. Create another Cloudtrail log group for management events

Correct Answer: BC
The IAM Documentation mentions the following
You can configure multiple trails differently so that the trails process and log only the events that you specify. For example, one trail can log read-only data and management events, so that all read-only events are delivered to one S3 bucket. Another trail can log only write-only data and management events, so that all write-only events are delivered to a separate S3 bucket
Options A and D are invalid because you have to create a trail and not a log group
For more information on managing events with cloudtrail, please visit the following URL: https://docs.IAM.amazon.com/IAMcloudtrail/latest/userguide/loHEing-manasement-and-data-events-with-cloud The correct answers are: Create one trail that logs data events to an S3 bucket. Create another trail that logs management events to another S3 bucket
Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
A company has a set of EC2 instances hosted in IAM. These instances have EBS volumes for storing critical information. There is a business continuity requirement and in order to boost the agility of the business and to ensure data durability which of the following options are not required.
Please select:

1. A. Use lifecycle policies for the EBS volumes
2. B. Use EBS Snapshots
3. C. Use EBS volume replication
4. D. Use EBS volume encryption

Correct Answer: CD
Data stored in Amazon EBS volumes is redundantly stored in multiple physical locations as part of normal operation of those services and at no additional charge. However, Amazon EBS replication is stored within the same availability zone, not across multiple zones; therefore, it is highly recommended that you conduct regular snapshots to Amazon S3 for long-term data durability.
You can use Amazon Data Lifecycle Manager (Amazon DLM) to automate the creation, retention, and deletion of snapshots
taken to back up your Amazon EBS volumes.
With lifecycle management, you can be sure that snapshots are cleaned up regularly and keep costs under control.
EBS Lifecycle Policies
A lifecycle policy consists of these core settings:
• Resource type—The IAM resource managed by the policy, in this case, EBS volumes.
• Target tag—The tag that must be associated with an EBS volume for it to be managed by the policy.
• Schedule—Defines how often to create snapshots and the maximum number of snapshots to keep. Snapshot creation starts within an hour of the specified start time. If creating a new snapshot exceeds the maximum number of snapshots to keep for the volume, the oldest snapshot is deleted.
Option C is correct. Each Amazon EBS volume is automatically replicated within its Availability Zone to protect you from component failure, offering high availability and durability. But it does not have an explicit feature like that.
Option D is correct Encryption does not ensure data durability
For information on security for Compute Resources, please visit the below URL https://d1.IAMstatic.com/whitepapers/Security/Security Compute Services Whitepaper.pdl
The correct answers are: Use EBS volume replication. Use EBS volume encryption Submit your Feedback/Queries to our Experts