AWS Certified Security – Specialty Set5 Welcome to AWS Certified Security - Specialty Set5. 1. You are configuring an Elastic Load Balancer for a highly secure environment, which has a strict requirement to secure all network connections end-to-end. How can you avoid exposing your data in plain text at any time? Use a Classic Load Balancer and terminate SSL on the ELB Use a Network Load Balancer and terminate SSL on the ELB, then use HTTPS to connect from the ELB to the instances Use a Network Load Balancer with TCP pass through and configure SSL termination on your EC2 instances2. You have an EC2 host in a private subnet which needs to access S3. Which of the following is the most secure way to enable access to the S3 bucket? Use an VPC Gateway Endpoint Use Direct Connect Use a NAT Gateway3. Which of the following statements is correct in relation to NACLs? (Choose 2) Network ACLs deny by default and you can only configure them to allow access Network ACLs are stateless Network ACLs are stateful A network ACL has separate inbound and outbound rules, and each rule can either allow or deny traffic4. Which of the following would you use to block inbound network traffic from a known IP address range from reaching your VPC subnet? VPC Flow Log Network ACL Security Group5. You have 3 VPCs (A, B and C). You have configured VPC peering between VPC A and VPC B, and between VPC A and VPC C. You now have a requirement for instances in VPC B to communicate with VPC C. What should you do? Do nothing because instances in VPC B will automatically be able to communicate with VPC C because they can both communicate with VPC A. Configure the default routing table in VPC C to route all traffic destined for VPC B across VPC A You will need to configure peering between VPC B and VPC C6. You have a number of instances in a private subnet in your VPC, which need to access the internet. You have added a NAT Gateway to the VPC and added a Security Group rule allowing outbound internet traffic, however internet access is still not working. What could the problem be? You forgot to add an elastic IP address to the instances which need to access the internet You forgot to update the private subnet’s route table to route internet-bound traffic via the NAT gateway You forgot to disable source/destination checks on the NAT Gateway7. How can you securely enable an EC2 instance in a private subnet to access the internet to download security patches for software running on your instance? Use an Internet Gateway Use a NAT Gateway or NAT Instance Use a VPN Gateway8. Which of the following statements is correct in relation to Security Groups? (Choose 2) If you have already configured an outbound rule allowing traffic to be sent from your EC2 instance, you do not need to configure a corresponding inbound rule to allow the incoming response to the request Security Groups are stateless Security Groups are stateful If you have configured an outbound rule allowing traffic to be sent from your EC2 instance, you will also need to configure a corresponding inbound rule to allow the incoming response to the request9. How can you enable instances in one VPC to communicate with instances in another VPC without sending traffic across the public internet? Use a VPC Gateway Endpoint Use AWS PrivateLink Use VPC peering10. Your web application is running a CPU heavy workload and you want to add a Load Balancer to distribute HTTPS requests across a number of EC2 instances based on headers in the HTTP Request. Which of the following options should you select to give the best performance for your application? Use a Network Load Balancer and terminate SSL on the EC2 instance Use a Classic Load Balancer and terminate HTTPS on the EC2 instance Use an Application Load Balancer and terminate SSL on the ELB11. You have configured a Network ACL to allow outbound access allowing all the EC2 instances in your subnet to download application updates accessed over the internet from a trusted third party using port 443. However your instances are still not able to download any updates. What could the problem be? You need to add a rule to the Network ACL allowing inbound traffic on ephemeral ports 1024-65535 You need to add a rule to the Network ACL allowing inbound traffic on port 8080 You need to add a rule to the Network ACL allowing inbound traffic on port 8012. Which of the following can be accomplished using VPC Flow Logs? Analysis of the IP traffic flow into and out of your VPC, ENIs and subnets Routing of IP traffic into and out of your VPC, ENIs and subnets Analysis of network packet headers for traffic flowing into and out of your VPC13. You need to access the EC2 instances in your private subnet using SSH, which of the following is the most secure approach? Add a Virtual private gateway and access the private subnet over a site-to-site VPN Access hosts in the private subnet using a bastion host Add a public IP address to one of the hosts in your private subnet and us that host to access all the others14 out of 2Please fill in the comment box below. Email
