AWS Certified Solutions Architect – Professional Set 3
Author: CloudVikas
Published Date: 4 March 2020

Welcome to AWS Certified Solutions Architect - Professional Set 3.

1. Which statements about Security Groups (SGs) and Network ACLs (NACLs) are true? (Choose 3)
- NACLs are stateful.
- NACLs are stateless.
- SGs are stateful.
- SGs are stateless.
- NACLs support DENY rules.
- SGs support DENY rules.

2. Your project client recently failed a security audit because they had usernames and passwords hard-coded in a script that runs on an EC2 instance. Which of the following is a way to remediate this?
- Store the credentials in an encrypted file on S3 and create an IAM role with access to it, assigning the role to the EC2 instance.
- Store the credentials in DynamoDB and create an IAM policy with access and assign it to the EC2 instance.
- Store the credentials in KMS and create an IAM role with access and assign it to the EC2 instance.
- Store the credentials on an encrypted EBS volume that gets dynamically attached and detached when the script is executed.

3. Encrypting data at rest is vital for regulatory compliance, to ensure that sensitive data saved on disk is not readable by any user or application without a valid key. Which of the following AWS services allow native encryption of data at rest?
- S3
- Elastic File System (EFS)
- Elastic Block Store (EBS)
- ElastiCache for Memcached

4. Which are characteristics of OAuth 2.0? (Choose 2)
- It issues tokens to clients.
- It is best suited for single-sign-on scenarios.
- It handles authorization.
- It handles authentication.
- It can contain group and membership information.

5. Your client is trying to set up SSO for on-prem employees into AWS via a trust relationship with Simple AD, but it's not working. What is the most likely cause?
- They need to extend the AD schema to accommodate the extra SSO attributes.
- Ports 53, 88 and 445 are not open on the NACLs between the VPC subnet and on-prem.
- The Trust Relationship has not been set up properly in the respective IAM role.
- They have chosen the Small size, but SSO is only supported in the Large size.
- Kerberos-based SSO is not configured properly.
- Simple AD does not support trust relationships with other domains.

6. One of the most important things you can do as a customer to ensure the security of your resources is to maintain careful control over who has access to them. You are creating a mobile app that needs secure access to AWS resources. What is the best way to do this?
- Create an anonymous token vending machine to issue temporary credentials.
- Use the Security Token Service (STS) and web identity federation using AssumeRoleWithIdentity.
- Use the Security Token Service (STS) and web identity federation using AssumeRoleWithWebIdentity.
- Use the Cognito SDK to provide temporary credentials.
- Create an identity token vending machine to issue temporary credentials.

7. _________ says to issue only enough access to do what is needed and nothing more.
- Security Practices Framework
- Well-Designed Framework
- Risk Management Rule
- Principle of Lowest Access
- Principle of Least Privilege

8. What is the main difference between an IDS and an IPS?
- IDS features typically include alerting administrators of possible incidents, logging information, and reporting attempts.
- An IPS usually handles proactive patching of system vulnerabilities.
- An IDS monitors networks and systems for malicious activity or policy violations and reports them to system administrators.
- An IPS will take automatic action on suspicious traffic within the network.

9. Because of regulatory requirements, certain areas of your organization can only use certain regions. Which is the BEST way to implement this control?
- Access Control List
- Identity-based Policy
- Resource-based Policy
- Service Control Policy

10. What is the most efficient way of logging all external interaction with AWS services for your accounts globally?
- Set up CloudTrail in each region where you have assets, storing logs in S3 buckets in that region.
- Set up Log Consolidation in AWS Organizations for all accounts globally.
- Set up CloudWatch in each region where you have assets, storing logs in S3 buckets in that region.
- Set up CloudTrail in your main region and configure it to log all regions, storing logs in a single S3 bucket in your main region.
- Set up CloudWatch in your main region and configure it to log all regions, storing logs in a single S3 bucket in your main region.
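Question 1 turns on the stateful/stateless distinction, and the practical consequence is the one people trip over: a NACL must explicitly allow the ephemeral-port return traffic that a Security Group passes automatically. The following is an added illustration, not code from the original quiz or from AWS. It is a simplified model (port and direction matching only, no CIDRs, list order standing in for NACL rule numbers; the names `Rule`, `nacl_evaluate`, `SecurityGroup` and `https_exchange` are this example's own) that simulates an inbound HTTPS connection through both controls.

```python
"""Stateless NACL vs stateful Security Group, simulated for one inbound HTTPS
connection. Added example; a simplification of real VPC evaluation (no CIDRs,
no rule numbers, TCP ports only). Names here are this example's own."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str   # "in" or "out"
    port_from: int   # inclusive destination-port range
    port_to: int
    action: str      # "allow" or "deny"

    def matches(self, direction, port):
        return self.direction == direction and self.port_from <= port <= self.port_to


def nacl_evaluate(rules, direction, port):
    """NACLs are stateless: every packet, including a reply, is checked against
    the rules for its own direction. First match wins (real NACLs order rules
    by number; list order stands in for that here). No match = implicit deny."""
    for r in rules:
        if r.matches(direction, port):
            return r.action == "allow"
    return False


class SecurityGroup:
    """SGs are stateful: once an inbound packet is allowed, its reply is let
    out through connection tracking regardless of outbound rules. SGs have no
    deny rules, so a deny rule is rejected rather than silently ignored."""

    def __init__(self, rules):
        for r in rules:
            if r.action != "allow":
                raise ValueError("Security Groups support allow rules only")
        self.rules = list(rules)
        self.tracked = set()

    def evaluate(self, direction, port, reply_to=None):
        if reply_to is not None and reply_to in self.tracked:
            return True  # reply of an already-allowed flow
        for r in self.rules:
            if r.matches(direction, port):
                self.tracked.add((direction, port))
                return True
        return False


def https_exchange(nacl_rules, sg_rules, client_port=50000):
    """Return (request_allowed, reply_allowed) for a client connecting to
    port 443 from the ephemeral source port `client_port`. The reply packet
    travels outbound with the client's ephemeral port as its destination."""
    sg = SecurityGroup(sg_rules)
    request_ok = nacl_evaluate(nacl_rules, "in", 443) and sg.evaluate("in", 443)
    if not request_ok:
        return (False, False)
    reply_ok = (nacl_evaluate(nacl_rules, "out", client_port)
                and sg.evaluate("out", client_port, reply_to=("in", 443)))
    return (True, reply_ok)


# Constructed sample rule sets.
SG_HTTPS = [Rule("in", 443, 443, "allow")]                       # no outbound rule needed
NACL_NO_EPHEMERAL = [Rule("in", 443, 443, "allow")]              # common misconfiguration
NACL_WITH_EPHEMERAL = [Rule("in", 443, 443, "allow"),
                       Rule("out", 1024, 65535, "allow")]         # return traffic allowed
NACL_DENY_FIRST = [Rule("in", 443, 443, "deny"),                  # deny rules exist on NACLs
                   Rule("in", 443, 443, "allow"),
                   Rule("out", 1024, 65535, "allow")]

if __name__ == "__main__":
    for name, nacl in [("no ephemeral rule", NACL_NO_EPHEMERAL),
                       ("with ephemeral rule", NACL_WITH_EPHEMERAL),
                       ("deny first", NACL_DENY_FIRST)]:
        print(f"{name:20s} request/reply allowed: {https_exchange(nacl, SG_HTTPS)}")
```

The first scenario is the one that passes the SG and fails the NACL: the request reaches the instance, but the reply to port 50000 has no matching outbound NACL entry, so the client's TLS handshake hangs.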
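For question 9 the control is a Service Control Policy, and the shape that works in practice is an explicit Deny keyed on `aws:RequestedRegion` with a `NotAction` exemption for global services, because IAM, STS, Route 53 and similar calls carry a region the SCP would otherwise block. Below is an added example, not part of the original quiz and not AWS's own reference policy: it builds that SCP and includes a deliberately minimal evaluator (`scp_allows`) that handles only this statement shape, so the Deny/NotAction/StringNotEquals interaction can be checked offline. The region and exempt-action lists are illustrative assumptions.

```python
"""Region-restriction SCP plus a minimal evaluator for this one statement
shape. Added example; not AWS's reference policy and not a full IAM
evaluator (no Allow handling, no resource or principal matching)."""
import json
from fnmatch import fnmatchcase

# Illustrative assumptions: approved regions and global-service exemptions.
ALLOWED_REGIONS = ["eu-west-1", "eu-central-1"]
GLOBAL_SERVICE_ACTIONS = ["iam:*", "sts:*", "organizations:*", "route53:*",
                          "cloudfront:*", "support:*", "budgets:*"]


def build_region_scp(allowed_regions, exempt_actions):
    """Deny every action not in exempt_actions when the request targets a
    region outside allowed_regions. StringNotEquals with a list is true when
    the key matches none of the listed values."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyAllOutsideApprovedRegions",
            "Effect": "Deny",
            "NotAction": list(exempt_actions),
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": list(allowed_regions)}
            },
        }],
    }


def _action_matches(pattern, action):
    # IAM action names are case-insensitive; "*" and "?" are the only wildcards.
    return fnmatchcase(action.lower(), pattern.lower())


def scp_allows(policy, action, requested_region):
    """True if no Deny statement in the SCP applies. An SCP only removes
    permissions; the identity's own IAM policies must still grant the call."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        if "NotAction" in st:
            # NotAction: the statement applies to every action NOT listed.
            applies = not any(_action_matches(p, action) for p in st["NotAction"])
        else:
            acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
            applies = any(_action_matches(p, action) for p in acts)
        if not applies:
            continue
        cond = st.get("Condition", {}).get("StringNotEquals", {})
        allowed = cond.get("aws:RequestedRegion")
        if allowed is None:
            return False          # unconditional deny
        if isinstance(allowed, str):
            allowed = [allowed]
        if requested_region not in allowed:
            return False
    return True


REGION_SCP = build_region_scp(ALLOWED_REGIONS, GLOBAL_SERVICE_ACTIONS)

if __name__ == "__main__":
    print(json.dumps(REGION_SCP, indent=2))
    for action, region in [("ec2:RunInstances", "eu-west-1"),
                           ("ec2:RunInstances", "us-east-1"),
                           ("iam:CreateUser", "us-east-1")]:
        verdict = "allowed" if scp_allows(REGION_SCP, action, region) else "DENIED"
        print(f"{action:20s} {region:14s} {verdict}")
```

To deploy the generated document, save it to a file and run `aws organizations create-policy --type SERVICE_CONTROL_POLICY --name DenyOutsideApprovedRegions --description "Region restriction" --content file://scp.json`, then `aws organizations attach-policy --policy-id <id> --target-id <ou-id>`. Two caveats a practitioner will want: SCPs never apply to the management account, so the restricted workloads must live in member accounts, and the exemption list should be reviewed against the global services the OU actually uses before the policy is attached.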