BrowseAWS
Security Specialty

Practice Set 1

Which service would you select if you need extreme performance and a static IP address?
Network Load Balancer operates at the connection level (Layer 4), routing connections to targets (Amazon EC2 instances, microservices, and containers) within Amazon VPC, based on IP protocol data. Ideal for load balancing of both TCP and UDP traffic, Network Load Balancer is capable of handling millions of requests per second while maintaining ultra-low latencies. Network Load Balancer is optimized to handle sudden and volatile traffic patterns while using a single static IP address per Availability Zone. It is integrated with other popular AWS services such as Auto Scaling, Amazon EC2 Container Service (ECS), Amazon CloudFormation, and AWS Certificate Manager (ACM).
Your website is under attack, and you have discovered 5 IP addresses originating the attack. How could you quickly mitigate the attack?
A Security Group cannot block specific ports or IP addresses (it only has allow rules); a Network ACL supports explicit Deny rules and can.
Where can KMS Store Encryption Keys? (Choose all that apply)
KMS can keep key material in KMS itself, in CloudHSM (a custom key store), or in an External Key Store (e.g. your own on-premises HSM).
What are correct AWS Certificate Manager (ACM) service offerings? (Choose all that apply)
What are features of Amazon Macie? (Choose all that apply)
Which statement about S3 encryption is true?
Which of the following cases gives public access to an S3 object? (Choose 1 or more)
Correct answer is: a and d, because all policies are evaluated together (including bucket policies and ACLs). Note that ACLs do not have Deny statements, which makes c impossible. Source
How does cross-region data encryption work for S3 bucket replication?
Correct answer is B. C is also possible, but the data must be re-encrypted. Source1 and Source2
When you discover role session credentials were leaked, what’s the best solution to ensure the temporary credentials cannot be used? (Choose 2)
What is true about Instance Metadata Service v1 and v2? (Choose 2)
Which are AWS Control Tower behaviour options? (Choose 3)
Werner created an S3 bucket with a bucket policy that allows s3:GetObject for the same account. A user in the same account tries to access the resource but gets "Access Denied". How do you fix this?