- (Exam Topic 4)
A company is hosting a static website on Amazon S3 The company has configured an Amazon CloudFront distribution to serve the website contents The company has associated an IAM WAF web ACL with the CloudFront distribution. The web ACL ensures that requests originate from the United States to address compliance restrictions.
THE company is worried that the S3 URL might still be accessible directly and that requests can bypass the CloudFront distribution
Which combination of steps should the company take to remove direct access to the S3 URL? (Select TWO. )

1. A. Select "Restrict Bucket Access" in the origin settings of the CloudFront distribution
2. B. Create an origin access identity (OAI) for the S3 origin
3. C. Update the S3 bucket policy to allow s3 GetObject with a condition that the IAM Referer key matches the secret value Deny all other requests
4. D. Configure the S3 bucket poky so that only the origin access identity (OAI) has read permission for objects in the bucket
5. E. Add an origin custom header that has the name Referer to the CloudFront distribution Give the header a secret value.

Correct Answer: AD

- (Exam Topic 3)
You need to have a requirement to store objects in an S3 bucket with a key that is automatically managed and rotated. Which of the following can be used for this purpose?
Please select:

1. A. IAM KMS
2. B. IAM S3 Server side encryption
3. C. IAM Customer Keys
4. D. IAM Cloud HSM

Correct Answer: B
The IAM Documentation mentions the following
Server-side encryption protects data at rest. Server-side encryption with Amazon S3-managed encryption keys (SSE-S3) uses strong multi-factor encryption. Amazon S3 encrypts each object with a unique key. As an additional safeguard, it encrypts the key itself with a master key that it rotates regularly. Amazon S3
server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption
Standard (AES-256), to encrypt your data.
All other options are invalid since here you need to ensure the keys are manually rotated since you manage the entire key set Using IAM S3 Server side encryption, IAM will manage the rotation of keys automatically.
For more information on Server side encryption, please visit the following URL: https://docs.IAM.amazon.com/AmazonS3/latest/dev/UsineServerSideEncryption.htmll
The correct answer is: IAM S3 Server side encryption Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
You need to ensure that objects in an S3 bucket are available in another region. This is because of the criticality of the data that is hosted in the S3 bucket. How can you achieve this in the easiest way possible?
Please select:

1. A. Enable cross region replication for the bucket
2. B. Write a script to copy the objects to another bucket in the destination region
3. C. Create an S3 snapshot in the destination region
4. D. Enable versioning which will copy the objects to the destination region

Correct Answer: A
Option B is partially correct but a big maintenance over head to create and maintain a script when the functionality is already available in S3
Option C is invalid because snapshots are not available in S3 Option D is invalid because versioning will not replicate objects The IAM Documentation mentions the following
Cross-region replication is a bucket-level configuration that enables automatic, asynchronous copying of objects across buck in different IAM Regions.
For more information on Cross region replication in the Simple Storage Service, please visit the below URL: https://docs.IAM.amazon.com/AmazonS3/latest/dev/crr.html
The correct answer is: Enable cross region replication for the bucket Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
You have an EBS volume attached to an EC2 Instance which uses KMS for Encryption. Someone has now gone ahead and deleted the Customer Key which was used for the EBS encryption. What should be done to ensure the data can be decrypted.
Please select:

1. A. Create a new Customer Key using KMS and attach it to the existing volume
2. B. You cannot decrypt the data that was encrypted under the CMK, and the data is not recoverable.
3. C. Request IAM Support to recover the key
4. D. Use IAM Config to recover the key

Correct Answer: B
Deleting a customer master key (CMK) in IAM Key Management Service (IAM KMS) is destructive and potentially dangerous. It deletes the key material and all metadata associated with the CMK, and is irreversible. After a CMK is deleted you can no longer decrypt the data that was encrypted under that CMK, which means that data becomes unrecoverable. You should delete a CMK only when you are sure that you don't need to use it anymore. If you are not sure, consider disabling the CMK instead of deleting it. You can re-enable a disabled CMK if you need to use it again later, but you cannot recover a deleted CMK.
https://docs.IAM.amazon.com/kms/latest/developerguide/deleting-keys.html
A is incorrect because Creating a new CMK and attaching it to the exiting volume will not allow the data to be decrypted, you cannot attach customer master keys after the volume is encrypted
Option C and D are invalid because once the key has been deleted, you cannot recover it For more information on EBS Encryption with KMS, please visit the following URL:
https://docs.IAM.amazon.com/kms/latest/developerguide/services-ebs.html
The correct answer is: You cannot decrypt the data that was encrypted under the CMK, and the data is not recoverable. Submit your Feedback/Queries to our Experts

- (Exam Topic 4)
A company wants to deploy a distributed web application on a fleet of EC2 instances. The fleet will be fronted by a Classic Load Balancer that will be configured to terminate the TLS connection The company wants to make sure that all past and current TLS traffic to the Classic Load Balancer stays secure even if the certificate private key is leaked.
To ensure the company meets these requirements, a Security Engineer can configure a Classic Load Balancer with:

1. A. An HTTPS listener that uses a certificate that is managed by Amazon Certification Manager.
2. B. An HTTPS listener that uses a custom security policy that allows only perfect forward secrecy cipher suites
3. C. An HTTPS listener that uses the latest IAM predefined ELBSecuntyPolicy-TLS-1 -2-2017-01 security policy
4. D. A TCP listener that uses a custom security policy that allows only perfect forward secrecy cipher suites.

Correct Answer: B