QCrusher.com
Security Specialty
Practice Set 1
Which service would you select if you need extreme performance and a static IP address?
3rd party Load Balancer from the Marketplace
Gateway Load Balancer
Application Load Balancer
Classic ELB
Network Load Balancer
Network Load Balancer operates at the connection level (Layer 4), routing connections to targets (Amazon EC2 instances, microservices, and containers) within Amazon VPC, based on IP protocol data. Ideal for load balancing of both TCP and UDP traffic, Network Load Balancer is capable of handling millions of requests per second while maintaining ultra-low latencies. Network Load Balancer is optimized to handle sudden and volatile traffic patterns while using a single static IP address per Availability Zone. It is integrated with other popular AWS services such as Auto Scaling, Amazon EC2 Container Service (ECS), Amazon CloudFormation, and AWS Certificate Manager (ACM).
Your website is under attack, and you have discovered 5 IP addresses originating the attack. How could you quickly mitigate the attack?
Block all ports from the 5 IP addresses on the EC2 Web Server
Block all ports from the 5 IP addresses on the Application Load Balancer
Block all ports from the 5 IP addresses on the Network ACL
Block all ports from the 5 IP addresses on the Security Group
A Security Group does not support blocking ports or IP addresses; a Network ACL does.
Where can KMS Store Encryption Keys? (Choose all that apply)
External Key Store
KMS itself
Secrets Manager
CloudHSM
KMS can store keys in KMS itself, in CloudHSM, or in an External Key Store (e.g. your own on-premises HSM).
What are correct AWS Certificate Manager (ACM) service offerings? (Choose all that apply)
Free Public Certificate from Amazon
Generate Self-Signed Certificates
AWS Private Certificate Authority
Import Self-Signed Certificates
AWS Private CA Short-Lived Certificates
What are features of Amazon Macie? (Choose all that apply)
Automatically build an interactive data map of your sensitive data in S3.
Automatic key rotation for objects stored in S3 buckets.
Generate findings and send to EventBridge and Security Hub for automated remediation and workflow integration.
Analyzes objects in S3 buckets, inspecting them for sensitive data such as personally identifiable information (PII).
Which statement about S3 encryption is true?
S3 buckets have a default encryption key, and all objects in the bucket are encrypted with the default key or another specified key.
S3 buckets have a default encryption configuration, but objects in buckets can be encrypted or not.
S3 buckets have an encryption configuration which all objects inherit.
S3 buckets have an encryption configuration which is applied to all objects in the bucket.
Which of the following cases gives public access to an S3 object? (Choose 1 or more)
a) The Object ACL is not configured, the Bucket Policy has an Allow
b) Both the Object ACL and Bucket Policy have an Allow
c) The Object ACL has an Allow, the Bucket Policy a Deny
d) The Object ACL has a Deny, the Bucket Policy an Allow
Correct answer is: a and d, because all policies are collected (including policies and ACLs). Note that ACLs do not have Deny statements, which makes c impossible.
How does cross-region data encryption work for S3 bucket replication?
A) They point to the KMS key in a central region
B) Both regions have their own KMS keys and data is always encrypted/decrypted with the key in the same region as the bucket
C) They point to a KMS multi-region key and data can be replicated to any region and decrypted in any region
D) It requires customer provided keys (SSE-C) and not KMS keys
Correct answer is B. C is also possible, but data must be re-encrypted.
When you discover role session credentials were leaked, what’s the best solution to ensure the temporary credentials cannot be used? (Choose 2)
Delete the role
Click revoke active sessions in the management console
Detach the policies
Manually add an inline policy which applies a Deny when aws:TokenIssueTime is earlier than the current time.
What is true about Instance Metadata Service v1 and v2? (Choose 2)
It’s possible to implement an SCP that enforces v2 only
IMDSv1 is accessible from other hosts
IMDSv2 uses session-oriented requests
IMDSv1 is not available for new EC2 instances
Which are AWS Control Tower behaviour options? (Choose 3)
Reactive
Proactive
Detective
Preventive
Block
Werner created an S3 bucket with a bucket policy that allows s3:GetObject for the same account. A user in the same account tries to access the resource but gets "Access Denied". How can this be fixed?
Correct the bucket name in the ARN of the bucket policy.
Remove the explicit Deny statement in any of the identity based policies.
Change s3:GetObject to all accounts and use a condition to limit access only from the same account.
Add an Allow to any of the identity based policies.