Minoltan Issack

Originally published at Medium

AWS Cloud Practitioner Questions | Security & Encryption

Question 1:

To enable In-flight Encryption (In-Transit Encryption), we need to have ........................

Answer (2): An HTTPS endpoint with an SSL/TLS certificate. In-flight encryption means the data is encrypted while it travels between client and server, and on AWS that is done with HTTPS, which is HTTP over TLS. The endpoint needs a certificate so the client can verify it is talking to the real server before any data is sent; without a valid certificate the connection is either refused or open to interception. A plain HTTP or raw TCP endpoint sends data in clear text, so those options do not give in-flight encryption. TLS provides confidentiality and integrity of the data in transit; it says nothing about how the data is stored once it arrives.


Question 2:

Server-Side Encryption means that the data is sent encrypted to the server.

Answer (2): False. With server-side encryption the data is encrypted by the server after it is received and decrypted when it is read back, so it protects data at rest, not data on the wire. Encryption during transmission is a separate concern handled by TLS (in-flight encryption). If the data were encrypted before it left the client, that would be client-side encryption. In practice you combine both: HTTPS to the S3 endpoint, then SSE-S3 or SSE-KMS on the stored object.


Question 3:

In Server-Side Encryption, where do the encryption and decryption happen?

Answer (1): Both encryption and decryption happen on the server. With server-side encryption the service (S3, EBS, RDS and so on) encrypts the object or volume as it is written and decrypts it as it is read, using data keys it obtains from KMS; the caller only sends and receives plaintext over TLS. The other options are wrong because they have the client performing part of the work, which is client-side encryption. The user never handles the key material directly: even with a customer managed KMS key, the user controls the key policy, but the key itself never leaves KMS.


Question 4:

In Client-Side Encryption, the server must know our encryption scheme before we can upload the data.

Answer (1): False. With client-side encryption the data is encrypted before it leaves your device and is uploaded as an opaque blob; the server stores and returns bytes without knowing the cipher, the key, or even that the content is encrypted. Only the client (or whoever holds the key) can decrypt it, which is the whole point: the storage provider cannot read the data.


Question 5:

You need to create KMS Keys in AWS KMS before you are able to use the encryption features for EBS, S3, RDS …

Answer (2): False. Each integrated service has an AWS managed key (aws/ebs, aws/s3, aws/rds) that KMS creates automatically in your account the first time you enable encryption for that service, so you can turn encryption on without creating anything yourself. You create a customer managed key only when you need control over the key policy, rotation settings, cross-account sharing or deletion. Creating KMS keys in advance is therefore optional, not required.


Question 6:

AWS KMS supports both symmetric and asymmetric KMS keys.

Answer (1): True. KMS symmetric keys are 256-bit AES keys used for both encryption and decryption; they never leave KMS, which generates data keys from them for envelope encryption. Asymmetric keys are RSA or elliptic-curve key pairs whose public key can be downloaded; each is created either for encrypt/decrypt or for sign/verify. KMS also offers HMAC keys. Note that the AWS services integrated with KMS (EBS, S3, RDS, ...) only work with symmetric keys.


Question 7:

When you enable Automatic Rotation on your KMS Key, the backing key is rotated every ……………

Answer (2): 1 year. When automatic rotation is enabled on a customer managed KMS key, KMS generates new backing key material every 12 months by default; the key ID, ARN, alias and policy do not change, and the older material is kept so that data encrypted under it still decrypts. "90 days" is not the default interval, and "2 years" and "3 years" exceed it. Two practitioner caveats: AWS managed keys (aws/s3 and the like) are rotated by AWS every year and cannot be configured, and KMS now lets you set a custom rotation period on customer managed keys anywhere between 90 and 2560 days (and rotate on demand), so a 90-day schedule is possible even though it is not the default.


Question 8:

You have an AMI that has an encrypted EBS snapshot using KMS CMK. You want to share this AMI with another AWS account. You have shared the AMI with the desired AWS account, but the other AWS account still can't use it. How would you solve this problem?

Answer (2): Share the KMS key with the other account. Sharing an AMI does not share the key that encrypts its snapshot, so the key policy of the customer managed key must grant the other account (or a role in it) permission to use the key: kms:DescribeKey, kms:Decrypt, kms:ReEncrypt*, kms:GenerateDataKey* and kms:CreateGrant; the other account must in turn grant those permissions to its own IAM principals. "Logout and login" is wrong because refreshing credentials does not change key permissions. "You can't share an encrypted AMI" is wrong: an AMI whose snapshots are encrypted with a customer managed key can be shared. What cannot be shared is an AMI encrypted with the AWS managed key aws/ebs, because that key's policy cannot be edited to allow another account.


Question 9:

You have created a Customer-managed CMK in KMS that you use to encrypt both S3 buckets and EBS snapshots. Your company policy mandates that your encryption keys be rotated every 6 months. What should you do?

Answer (1): Rotate the key manually every 6 months. The built-in automatic rotation of a customer managed key is once a year by default, which does not satisfy a 6-month policy, so the quiz answer is to do it yourself: create a new customer managed key, point the alias that S3 and EBS use at the new key, and keep the old key enabled (not deleted) so that existing objects and snapshots can still be decrypted. AWS managed keys are not suitable because their rotation is fixed by AWS at once per year and cannot be changed to a custom schedule. Note that current KMS also accepts a custom rotation period for customer managed keys (aws kms enable-key-rotation with --rotation-period-in-days 180), which meets the 6-month requirement without manual work, but the question assumes the annual-only behaviour.


Question 10:

What should you use to control access to your KMS CMKs?

Answer (1): KMS Key Policies. Every KMS key has a resource-based key policy that is the primary control on who can use or administer it; no principal, not even the account root, can use the key unless the key policy allows it. "KMS IAM Policy" is incorrect as the primary control: identity-based IAM policies only take effect for a key when its key policy delegates to IAM, typically by allowing the account root principal. "AWS GuardDuty" is a threat detection service, not an access control mechanism. "KMS Access Control List (KMS ACL)" does not exist; KMS has no ACLs. Grants are the other KMS-native mechanism, used for temporary, programmatic permissions, but they too are only possible because the key policy allows kms:CreateGrant.


Question 11:

You have a Lambda function used to process some data in the database. You would like to give your Lambda function access to the database password. Which of the following options is the most secure?

Answer (3): Encrypt the password with KMS, store the ciphertext in the function's environment variable and decrypt it at runtime. Embedding the password in the code is insecure because anyone who can read the deployment package or the repository gets the credential. A plaintext environment variable is almost as bad: it is visible to anyone allowed to call lambda:GetFunctionConfiguration and shows up in the console. Storing only the KMS ciphertext means the password is protected at rest and exists in plaintext only in the function's memory; the function's execution role needs kms:Decrypt on the key, which is itself an auditable permission. Fetching the secret from Secrets Manager or SSM Parameter Store (SecureString) at runtime is the usual production alternative.
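The pattern from Question 11 in code, as an added example that is not part of the original post: at deploy time the operator encrypts the password once (aws kms encrypt with an encryption context) and puts the base64 ciphertext into the DB_PASSWORD environment variable; the function decrypts it once per execution environment, binding the call to the same encryption context so that a ciphertext copied from another function is rejected by KMS. The alias, variable and context names are assumptions.

```python
# Added example, not code from the original post. Deploy-time step (assumed):
#   aws kms encrypt --key-id alias/lambda-secrets --plaintext fileb://pw.txt \
#       --encryption-context LambdaFunctionName=orders-fn
# The base64 CiphertextBlob from that call becomes the DB_PASSWORD variable.
import base64
import os

_CACHE = {}  # plaintext lives only in memory, reused across warm invocations


def decrypt_secret(kms, ciphertext_b64, context):
    """Decrypt a KMS-wrapped secret.

    `kms` is a boto3 KMS client, or any object exposing the same
    decrypt(CiphertextBlob=..., EncryptionContext=...) call. KMS refuses the
    request unless `context` matches the context used when encrypting, which
    stops a ciphertext produced for another function from being reused here.
    """
    blob = base64.b64decode(ciphertext_b64)
    response = kms.decrypt(CiphertextBlob=blob, EncryptionContext=context)
    return response["Plaintext"].decode("utf-8")


def get_db_password(kms, env=None):
    """Return the database password, decrypting DB_PASSWORD at most once."""
    env = os.environ if env is None else env
    ciphertext = env["DB_PASSWORD"]
    if ciphertext not in _CACHE:
        # Context key/value are an assumption; they must equal the encrypt-time context.
        context = {"LambdaFunctionName": env.get("AWS_LAMBDA_FUNCTION_NAME", "")}
        _CACHE[ciphertext] = decrypt_secret(kms, ciphertext, context)
    return _CACHE[ciphertext]


def lambda_handler(event, context):
    """Entry point as it would run inside Lambda. boto3 is imported lazily so
    the module also loads where boto3 is not installed."""
    import boto3  # present in the Lambda runtime

    password = get_db_password(boto3.client("kms"))
    # Open the database connection with `password` here; never log it.
    return {"statusCode": 200, "connected": bool(password)}
```

The execution role needs only kms:Decrypt on that one key, and the key policy can restrict that permission further with a kms:EncryptionContext condition so the key cannot be used to unwrap secrets belonging to other functions.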


Question 12:

You have a secret value that you use for encryption purposes, and you want to store and track the values of this secret over time. Which AWS service should you use?

Answer (2): AWS SSM Parameter Store. A SecureString parameter is encrypted with KMS and every update creates a new version, so you can list the history of values and roll back to an earlier one. "AWS KMS" manages and rotates encryption keys but is not a store for arbitrary secret values and keeps no value history. "Amazon S3" has object versioning and encryption but is general-purpose object storage, not a secret store with per-parameter IAM permissions and audit trail. If the secret also needs automatic rotation, AWS Secrets Manager is the service to use (see Question 18).


Question 13:

Your user-facing website is a high-risk target for DDoS attacks and you would like to get 24/7 support in case they happen and AWS bill reimbursement for the incurred costs during the attack. What AWS service should you use?

Answer (2): AWS Shield Advanced. It adds 24/7 access to the AWS Shield Response Team (SRT, formerly the DDoS Response Team), DDoS cost protection that credits the EC2, ELB, CloudFront, Global Accelerator and Route 53 scaling charges caused by an attack, and detailed attack visibility. "AWS WAF" filters application-layer requests but offers no DDoS support team or cost protection. "AWS Shield" (Standard) is free and always on, protecting against common network and transport-layer attacks, but without the SRT or cost protection. "AWS DDoS OpsTeam" is not an AWS service.


Question 14:

You would like to externally maintain the configuration values of your main database, to be picked up at runtime by your application. What's the best place to store them to maintain control and version history?

Answer (4): AWS SSM Parameter Store. It stores configuration values (plain String or KMS-encrypted SecureString) in a hierarchy, keeps a version history of every change, and is read by the application at runtime with a single API call. "Amazon DynamoDB" can hold configuration but has no versioning or access model designed for it. "Amazon S3" has versioning, but a bucket is a poor fit for small secret-bearing values and lacks parameter-level permissions. "Amazon EBS" is block storage attached to one EC2 instance, not an externally managed configuration store.


Question 15:

AWS GuardDuty scans the following data sources, EXCEPT …………….

Answer (4): CloudWatch Logs. GuardDuty consumes AWS-side data sources directly: CloudTrail management events, CloudTrail S3 data events, VPC Flow Logs and Route 53 DNS query logs (plus further sources such as EKS audit logs when the corresponding protection plans are enabled). It does not read CloudWatch Logs, which is where your own application and agent logs go. You also do not have to enable VPC Flow Logs or DNS query logging yourself; GuardDuty reads an independent copy of those streams.


Question 16:

You have a website hosted on a fleet of EC2 instances fronted by an Application Load Balancer. What should you use to protect your website from common web application attacks (e.g., SQL Injection)?

Answer (2): AWS WAF. A web ACL attached to the Application Load Balancer inspects each HTTP(S) request and can block SQL injection, cross-site scripting and other layer-7 attacks using your own rules or the AWS managed rule groups (for example the SQL database and core rule sets). "AWS Shield" protects against DDoS, not against malicious request content. "AWS Security Hub" aggregates findings; it does not sit in front of traffic. "AWS GuardDuty" detects threats from logs after the fact and does not block requests.


Question 17:

You would like to analyze OS vulnerabilities from within EC2 instances. You need these analyses to occur weekly and provide you with concrete recommendations in case vulnerabilities are found. Which AWS service should you use?

Answer (3): Amazon Inspector. It assesses EC2 instances, through an agent on the instance, for known OS package vulnerabilities and unintended network exposure, and reports findings with remediation recommendations; in the classic version you scheduled assessment runs (weekly, for example), while the current version scans continuously. "AWS Shield" focuses on DDoS protection and does not look at the OS. "Amazon GuardDuty" detects malicious activity from logs but does not check packages for CVEs. "AWS Config" tracks resource configuration and compliance, not software vulnerabilities.


Question 18:

What is the most suitable AWS service for storing RDS DB passwords which also provides you automatic rotation?

Answer (1): AWS Secrets Manager. It stores the password encrypted with KMS and has native rotation for RDS, Redshift and DocumentDB credentials: on a schedule it runs a Lambda rotation function that changes the database password and updates the stored secret together. "AWS KMS" manages encryption keys, not passwords. "AWS SSM Parameter Store" can hold a SecureString password and version it, but has no built-in rotation; you would have to build it yourself.


Question 19:

Which AWS service allows you to centrally manage EC2 Security Groups and AWS Shield Advanced across all AWS accounts in your AWS Organization?

Answer (4): AWS Firewall Manager. It lets you define security policies (AWS WAF rules, Shield Advanced protections, VPC security groups, Network Firewall and Route 53 Resolver DNS Firewall rules) once in the management account and have them applied, and kept applied, across all accounts in the AWS Organization. "AWS GuardDuty" detects threats; it does not manage rules. "AWS Config" records and evaluates resource configuration across accounts but does not create or enforce security groups or Shield protections.


Question 20:

Which AWS service helps you protect your sensitive data stored in S3 buckets?

Answer (3): Amazon Macie. It uses machine learning and pattern matching to discover sensitive data (PII, credentials, financial data) in S3 buckets and raises findings for buckets that are public, unencrypted or shared outside the account. "AWS KMS" encrypts data but cannot tell what is in it. "Amazon GuardDuty" detects suspicious activity, including against S3, but does not classify the data. "AWS Shield" is DDoS protection and has nothing to do with data stored in S3.


Question 21:

An online-payment company is using AWS to host its infrastructure. The frontend is created using VueJS and is hosted on an S3 bucket and the backend is developed using PHP and is hosted on EC2 instances in an Auto Scaling Group. As their customers are worldwide, they use both CloudFront and Aurora Global database to implement multi-region deployments to provide the lowest latency and provide availability, and resiliency. A new feature required which gives customers the ability to store data encrypted on the database and this data must not be disclosed even by the company admins. The data should be encrypted on the client side and stored in an encrypted format. What do you recommend to implement this?

Answer (1): Use Aurora client-side encryption with AWS KMS: the application encrypts the sensitive fields before they are written to the database, using data keys obtained from a KMS key (for example through the AWS Encryption SDK), and stores only ciphertext. Aurora's own storage encryption is not enough here because a database administrator can still read the decrypted rows; with client-side encryption the admins see only ciphertext, and the KMS key policy decides who can decrypt. The Lambda options are wrong because Lambda is a compute service, not an encryption mechanism for database data. The CloudHSM options are wrong because a dedicated HSM cluster is not needed to meet the requirement; KMS already provides the key management, and CloudHSM would add operational burden without changing where the encryption happens.


Question 22:

You have an S3 bucket that is encrypted with SSE-KMS. You have been tasked to replicate the objects to a target bucket in the same AWS region but with a different KMS Key. You have configured the S3 replication, the target bucket, and the target KMS key and it is still not working. What is missing to make the S3 replication work?

Answer (3): Give the IAM role used by S3 replication kms:Decrypt on the source KMS key and kms:Encrypt on the target KMS key. Replication reads each object (decrypting it with the source key) and writes it to the destination bucket (encrypting it with the target key), so the role needs both permissions in its IAM policy, and the two key policies must allow that role to use them. The other options are wrong because replicating SSE-KMS objects within a region is supported, no support ticket is needed, and the source and target keys do not have to be the same; you name the target key in the replication rule and grant the role access to both keys.
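The permission problems in Questions 8 and 22 both come down to the rule stated in Question 10: the key policy is the gate, and IAM policies only count where the key policy lets them. The following is an added example, not code from the original post: a small evaluator of that rule, a key policy builder for the cross-account AMI case, and a check for the replication role's missing permissions. It handles only the policy features these cases need (AWS principals, Effect, Action and Resource wildcards); conditions, grants and NotAction are out of scope, and every account ID, key ARN and role ARN is a made-up placeholder.

```python
# Added example, not code from the original post. Account IDs and ARNs are placeholders.
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(action, patterns):
    """IAM action names are case-insensitive and may carry '*' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(arn, patterns):
    return any(fnmatch.fnmatchcase(arn, p) for p in _as_list(patterns))


def key_policy_decision(key_policy, principal_arn, action):
    """Evaluate the key policy for one principal and action.

    Returns 'deny' (explicit Deny wins), 'direct' (the principal itself is
    named), 'account' (only its account root is named, so the principal's own
    IAM policy must also allow the action) or None (nothing matched)."""
    account = principal_arn.split(":")[4]
    decision = None
    for stmt in key_policy["Statement"]:
        principal = stmt["Principal"]
        names = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        direct = "*" in names or principal_arn in names
        via_root = account in names or f"arn:aws:iam::{account}:root" in names
        if not (direct or via_root) or not _action_matches(action, stmt["Action"]):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"
        if direct:
            decision = "direct"
        elif decision is None:
            decision = "account"
    return decision


def identity_policy_allows(policy, resource_arn, action):
    """Evaluate an IAM identity policy for one action on one resource ARN."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _action_matches(action, stmt["Action"]):
            continue
        if not _resource_matches(resource_arn, stmt["Resource"]):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def kms_allows(key_policy, key_arn, principal_arn, action, identity_policy=None):
    """Combined decision for one KMS API call by one principal."""
    decision = key_policy_decision(key_policy, principal_arn, action)
    if decision in (None, "deny"):
        return False  # the key policy is the gate: no grant here, no access at all
    same_account = key_arn.split(":")[4] == principal_arn.split(":")[4]
    if decision == "direct" and same_account:
        return True  # named in the key policy: sufficient within the key's account
    # Granted via the account root, or cross-account: IAM must allow it as well.
    return identity_policy is not None and identity_policy_allows(identity_policy, key_arn, action)


def owner_key_policy(owner_account):
    """The default key policy: the owner's root has full control, which
    delegates day-to-day permissions to IAM policies in that account."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "EnableIAMUserPermissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{owner_account}:root"},
         "Action": "kms:*", "Resource": "*"}]}


def share_key_policy(owner_account, other_account):
    """Question 8: let another account use the key behind a shared encrypted AMI."""
    policy = owner_key_policy(owner_account)
    policy["Statement"].append(
        {"Sid": "AllowUseOfKeyByOtherAccount", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{other_account}:root"},
         "Action": ["kms:DescribeKey", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:CreateGrant"],
         "Resource": "*"})
    return policy


def replication_gaps(source, target, role_arn, role_policy):
    """Question 22: replication decrypts with the source key and encrypts with
    the target key. `source`/`target` are (key_arn, key_policy) pairs; returns
    the permissions the replication role still lacks."""
    needed = [("source", source, "kms:Decrypt"), ("target", target, "kms:Encrypt")]
    return [f"{name} key: {action}" for name, (arn, policy), action in needed
            if not kms_allows(policy, arn, role_arn, action, role_policy)]
```

Two things the evaluator makes visible: sharing the key policy with account B is necessary but not sufficient, because a role in B still needs an IAM policy in B naming the key; and a replication role whose policy only covers kms:Decrypt on the source key fails exactly as Question 22 describes, with the target key's kms:Encrypt missing.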


Question 23:

You have generated a public certificate using LetsEncrypt and uploaded it to the ACM so you can use and attach to an Application Load Balancer that forwards traffic to EC2 instances. As this certificate is generated outside of AWS, it does not support the automatic renewal feature. How would you be notified 30 days before this certificate expires so you can manually generate a new one?

Answer (2): Configure EventBridge to receive the daily certificate expiration events from ACM and forward them to an SNS topic. ACM publishes an "ACM Certificate Approaching Expiration" event to EventBridge once a day for every certificate, imported ones included, starting 45 days before expiry, so a rule on that event (optionally filtered on the DaysToExpiry field) gives you the notification at the 30-day mark. Monthly expiration events do not exist and would not be timely anyway. A CloudWatch alarm on its own has nothing to measure; the DaysToExpiry metric that ACM publishes and the AWS Config managed rule acm-certificate-expiration-check are workable alternatives, but the EventBridge rule is the intended answer. Linking ACM to Let's Encrypt is not possible; ACM cannot renew imported certificates.
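The check behind Question 23, as an added example that is not part of the original post. It works on the fields that aws acm describe-certificate returns (CertificateArn, DomainName, Type, NotAfter, RenewalEligibility) and flags certificates that ACM will not renew itself and that expire within 30 days; it also shows the EventBridge pattern and the per-event decision for the daily ACM expiration events, whose detail fields DaysToExpiry and CertificateType are the ones from the ACM event shape. The certificates below are constructed sample data, not real ones, and the SNS publishing that a Lambda would do with the result is assumed and not shown.

```python
# Added example, not code from the original post. Sample certificates are constructed.
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)  # fixed "today" for the sample

SAMPLE_CERTS = [  # shape of aws acm describe-certificate output, constructed data
    {"CertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/0001",
     "DomainName": "shop.example.com", "Type": "IMPORTED",
     "RenewalEligibility": "INELIGIBLE",
     "NotAfter": datetime(2025, 2, 10, tzinfo=timezone.utc)},
    {"CertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/0002",
     "DomainName": "api.example.com", "Type": "AMAZON_ISSUED",
     "RenewalEligibility": "ELIGIBLE",
     "NotAfter": datetime(2025, 2, 1, tzinfo=timezone.utc)},
    {"CertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/0003",
     "DomainName": "www.example.com", "Type": "IMPORTED",
     "RenewalEligibility": "INELIGIBLE",
     "NotAfter": datetime(2025, 6, 30, tzinfo=timezone.utc)},
    {"CertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/0004",
     "DomainName": "legacy.example.com", "Type": "IMPORTED",
     "RenewalEligibility": "INELIGIBLE",
     "NotAfter": datetime(2025, 1, 10, tzinfo=timezone.utc)},
]


def expiring_certificates(certs, now=NOW, days=30):
    """Return (domain, days_left) for certificates needing manual renewal within
    `days`. ACM-issued certificates that are still renewal-eligible are skipped
    because ACM renews them itself. Already expired ones come back with a
    negative days_left so they are not silently dropped from the report."""
    cutoff = now + timedelta(days=days)
    flagged = []
    for cert in certs:
        if cert["Type"] == "AMAZON_ISSUED" and cert.get("RenewalEligibility") == "ELIGIBLE":
            continue
        if cert["NotAfter"] <= cutoff:
            flagged.append((cert["DomainName"], (cert["NotAfter"] - now).days))
    return flagged


def expiration_event_pattern(days=30):
    """EventBridge rule pattern for the daily event ACM emits per certificate
    from 45 days before expiry, narrowed to the final `days` with numeric matching."""
    return {
        "source": ["aws.acm"],
        "detail-type": ["ACM Certificate Approaching Expiration"],
        "detail": {"DaysToExpiry": [{"numeric": ["<=", days]}]},
    }


def needs_manual_renewal(event, days=30):
    """Per-event decision for a Lambda target: page only for imported
    certificates (ACM cannot renew them) that are within `days` of expiry."""
    detail = event["detail"]
    return detail.get("CertificateType") == "IMPORTED" and detail["DaysToExpiry"] <= days
```

The scheduled-scan function and the event-driven function are two ways to reach the same alert; the event route needs no polling, while the scan also catches certificates in accounts or regions where the rule was never created.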


Question 24:

You have created the main Edge-Optimized API Gateway in us-west-2 AWS region. This main Edge-Optimized API Gateway forwards traffic to the second level API Gateway in ap-southeast-1. You want to secure the main API Gateway by attaching an ACM certificate to it. Which AWS region are you going to create the ACM certificate in?

Answer (1): us-east-1. An edge-optimized API Gateway endpoint is served through a CloudFront distribution, and ACM certificates used by CloudFront must be requested or imported in us-east-1 (N. Virginia), regardless of where the API itself lives. "us-west-2" and "ap-southeast-1" are the regions of the two APIs, but certificates there can only be attached to regional API endpoints in those regions. "Both us-east-1 and us-west-2" is wrong because only the us-east-1 certificate is used for the edge-optimized endpoint.


Question 25:

You are managing an AWS Organization with multiple AWS accounts. Each account has a separate application with different resources. You want an easy way to manage Security Groups and WAF Rules across those accounts as there was a security incident the last week and you want to tighten up your resources. Which AWS service can help you to do so?

Answer (4): AWS Firewall Manager. It lets you define security policies, such as which Security Groups and AWS WAF rules must be in place, once in the Organization's management account and applies them to every account and resource in scope, including resources created later. That makes it the right tool for tightening things up after an incident, because the fix is enforced everywhere instead of being applied account by account.
Others are incorrect because:

  • AWS GuardDuty is primarily for threat detection, not policy management.
  • Amazon Shield provides DDoS protection but doesn't manage Security Groups or WAF rules.
  • Amazon Inspector assesses security vulnerabilities but doesn't handle centralized rule management.

To stay informed on the latest technical insights and tutorials, connect with me on Medium, LinkedIn, and Dev.to. For professional inquiries or technical discussions, please contact me via email. I welcome the opportunity to engage with fellow professionals and address any questions you may have. All blogs in this series will be optimized, fine-tuned, developed, and updated in a timely manner to reflect the latest AWS changes, exam updates, and real-world best practices.
