- (Exam Topic 2)
A Software Engineer is trying to figure out why network connectivity to an Amazon EC2 instance does not appear to be working correctly. Its security group allows inbound HTTP traffic from 0.0.0.0/0, and the outbound rules have not been modified from the default. A custom network ACL associated with its subnet allows inbound HTTP traffic from 0.0.0.0/0 and has no outbound rules.
What would resolve the connectivity issue?

1. A. The outbound rules on the security group do not allow the response to be sent to the client on the ephemeral port range.
2. B. The outbound rules on the security group do not allow the response to be sent to the client on the HTTP port.
3. C. An outbound rule must be added to the network ACL to allow the response to be sent to the client on the ephemeral port range.
4. D. An outbound rule must be added to the network ACL to allow the response to be sent to the client on the HTTP port.

Correct Answer: C
https://docs.IAM.amazon.com/vpc/latest/userguide/vpc-network-acls.html

- (Exam Topic 3)
A Devops team is currently looking at the security aspect of their CI/CD pipeline. They are making use of IAM resource? for their infrastructure. They want to ensure that the EC2 Instances don't have any high security vulnerabilities. They want to ensure a complete DevSecOps process. How can this be achieved?
Please select:

1. A. Use IAM Config to check the state of the EC2 instance for any sort of security issues.
2. B. Use IAM Inspector API's in the pipeline for the EC2 Instances
3. C. Use IAM Trusted Advisor API's in the pipeline for the EC2 Instances
4. D. Use IAM Security Groups to ensure no vulnerabilities are present

Correct Answer: B
Amazon Inspector offers a programmatic way to find security defects or misconfigurations in your operating systems and applications. Because you can use API calls to access both the processing of assessments and the results of your assessments, integration of the findings into workflow and notification systems is simple.
DevOps teams can integrate Amazon Inspector into their CI/CD pipelines and use it to identify any pre-existing issues or when new issues are introduced.
Option A.C and D are all incorrect since these services cannot check for Security Vulnerabilities. These can only be checked by the IAM Inspector service.
For more information on IAM Security best practices, please refer to below URL: https://d1.IAMstatic.com/whitepapers/Security/IAM Security Best Practices.pdl
The correct answer is: Use IAM Inspector API's in the pipeline for the EC2 Instances Submit your Feedback/Queries to our Experts

- (Exam Topic 2)
A Security Analyst attempted to troubleshoot the monitoring of suspicious security group changes. The Analyst was told that there is an Amazon CloudWatch alarm in place for these IAM CloudTrail log events.
The Analyst tested the monitoring setup by making a configuration change to the security group but did not receive any alerts.
Which of the following troubleshooting steps should the Analyst perform?

1. A. Ensure that CloudTrail and S3 bucket access logging is enabled for the Analyst's IAM account.
2. B. Verify that a metric filter was created and then mapped to an alar
3. C. Check the alarm notification action.
4. D. Check the CloudWatch dashboards to ensure that there is a metric configured with an appropriate dimension for security group changes.
5. E. Verify that the Analyst's account is mapped to an IAM policy that includes permissions for cloudwatch: GetMetricStatistics and Cloudwatch: ListMetrics.

Correct Answer: B
MetricFilter:
Type: 'IAM::Logs::MetricFilter' Properties:
LogGroupName: '' FilterPattern: >{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress)
|| ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }
MetricTransformations:
- MetricValue: '1'
MetricNamespace: CloudTrailMetrics MetricName: SecurityGroupEventCount

- (Exam Topic 4)
A company deploys a set of standard IAM roles in IAM accounts. The IAM roles are based on job functions within the company. To balance operational efficiency and security, a security engineer implemented IAM Organizations SCPs to restrict access to critical security services in all company accounts.
All of the company's accounts and OUs within IAM Organizations have a default FullIAMAccess SCP that is attached. The security engineer needs to ensure that no one can disable Amazon GuardDuty and IAM Security Hub. The security engineer also must not override other permissions that are granted by IAM policies that are defined in the accounts.
Which SCP should the security engineer attach to the root of the organization to meet these requirements?

A)

B)

C)

1. A. Option A
2. B. Option B
3. C. Option C

Correct Answer: C

- (Exam Topic 3)
You have setup a set of applications across 2 VPC's. You have also setup VPC Peering. The applications are still not able to communicate across the Peering connection. Which network troubleshooting steps should be taken to resolve the issue?
Please select:

1. A. Ensure the applications are hosted in a public subnet
2. B. Check to see if the VPC has an Internet gateway attached.
3. C. Check to see if the VPC has a NAT gateway attached.
4. D. Check the Route tables for the VPC's

Correct Answer: D
After the VPC peering connection is established, you need to ensure that the route tables are modified to ensure traffic can between the VPCs
Option A ,B and C are invalid because allowing access the Internet gateway and usage of public subnets can help for Inter, access, but not for VPC Peering.
For more information on VPC peering routing, please visit the below URL: com/AmazonVPC/latest/Peeri
The correct answer is: Check the Route tables for the VPCs Submit your Feedback/Queries to our Experts