AWS Certified Solutions Architect – Professional Set 3

Welcome to AWS Certified Solutions Architect - Professional Set 3.

1. Which of the following AWS services allow native encryption of data while at rest? (Choose 3)
  - S3
  - Elastic File System (EFS)
  - Elastic Block Store (EBS)
  - ElastiCache for Memcached

2. _________ says to issue only enough access to do that which is needed and nothing more.
  - Security Practices Framework
  - Well-Designed Framework
  - Risk Management Rule
  - Principle of Lowest Access
  - Principle of Least Privilege

3. Which statements about SGs and NACLs are true? (Choose 3)
  - NACLs are stateful.
  - NACLs are stateless.
  - SGs are stateful.
  - SGs are stateless.
  - NACLs support DENY rules.
  - SGs support DENY rules.

4. Because of regulatory requirements, certain areas of your organization can only use certain regions. Which is the BEST way to implement this control?
  - Access Control List
  - Identity-based Policy
  - Resource-based Policy
  - Service Control Policy

5. Your client recently failed a security audit because they had usernames and passwords hard-coded in a script which runs on an EC2 instance. Which of the following is a way to remediate this?
  - Store the credentials in an encrypted file on S3, create an IAM role with access to it, and assign the role to the EC2 instance.
  - Store the credentials in DynamoDB, create an IAM policy with access to it, and assign the policy to the EC2 instance.
  - Store the credentials in KMS, create an IAM role with access to them, and assign the role to the EC2 instance.
  - Store the credentials on an encrypted EBS volume that gets dynamically attached and detached when the script is executed.

6. Which are characteristics of OAuth 2.0? (Choose 2)
  - It issues tokens to clients.
  - It is best suited for single-sign-on scenarios.
  - It handles authorization.
  - It handles authentication.
  - It can contain group and membership information.

7. Your client is trying to set up SSO for on-prem employees into AWS via a trust relationship with Simple AD, but it's not working. What is the most likely cause?
  - They need to extend the AD schema to accommodate the extra SSO attributes.
  - Ports 53, 88 and 445 are not open on the NACLs between the VPC subnet and on-prem.
  - The trust relationship has not been set up properly in the respective IAM role.
  - They have chosen the Small size, but SSO is only supported in the Large size.
  - Kerberos-based SSO is not configured properly.
  - Simple AD does not support trust relationships with other domains.

8. What is the main difference between an IDS and an IPS?
  - IDS features typically include alerting administrators of possible incidents, logging information, and reporting attempts.
  - An IPS usually handles proactive patching of system vulnerabilities.
  - An IDS monitors networks and systems for malicious activity or policy violations and reports them to system administrators.
  - An IPS will take automatic action on suspicious traffic within the network.

9. You are creating a mobile app that needs secure access to AWS resources. What is the best way to do this?
  - Create an anonymous token vending machine to issue temporary credentials.
  - Use the Security Token Service and web identity federation using AssumeRoleWithIdentity.
  - Use the Security Token Service and web identity federation using AssumeRoleWithWebIdentity.
  - Use the Cognito SDK to provide temporary credentials.
  - Create an identity token vending machine to issue temporary credentials.

10. What is the most efficient way of logging all external interaction with AWS services for your accounts globally?
  - Set up CloudTrail in each region where you have assets, storing logs in S3 buckets in that region.
  - Set up Log Consolidation in AWS Organizations for all accounts globally.
  - Set up CloudWatch in each region where you have assets, storing logs in S3 buckets in that region.
  - Set up CloudTrail in your main region, configure it to log all regions, and store the logs in a single S3 bucket in your main region.
  - Set up CloudWatch in your main region, configure it to log all regions, and store the logs in a single S3 bucket in your main region.
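Question 3 turns on the difference between stateful and stateless filtering: a security group tracks flows, so the reply to an allowed request is let through without an outbound rule, while a network ACL evaluates every packet, including replies, against the numbered rules for that direction, and only a NACL can carry an explicit DENY. The simulation below is an added example written for this page, not AWS code and not part of the original quiz; the IP addresses, ports and rule sets are constructed, and the classes are a deliberately simplified model of the VPC data plane.

```python
"""Constructed simulation of stateful (security group) versus stateless (network ACL)
packet filtering. Illustrative model only; not a reimplementation of the VPC data plane."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str = "tcp"


def _in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def _rule_matches(rule, pkt, direction):
    # rule = (proto, port_from, port_to, cidr); the "remote" address is the source for
    # inbound packets and the destination for outbound ones.
    proto, lo, hi, cidr = rule
    remote_ip = pkt.src_ip if direction == "in" else pkt.dst_ip
    return proto == pkt.proto and lo <= pkt.dst_port <= hi and _in_cidr(remote_ip, cidr)


class SecurityGroup:
    """Stateful, allow-only. An allowed packet records its flow; the reverse flow is
    then allowed without consulting the rules of the opposite direction."""

    def __init__(self, inbound, outbound):
        self.rules = {"in": inbound, "out": outbound}
        self.flows = set()

    def evaluate(self, pkt, direction):
        reply_of = (pkt.dst_ip, pkt.src_ip, pkt.dst_port, pkt.src_port, pkt.proto)
        if reply_of in self.flows:
            return "ALLOW"  # return traffic for a tracked flow
        if any(_rule_matches(r, pkt, direction) for r in self.rules[direction]):
            self.flows.add((pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port, pkt.proto))
            return "ALLOW"
        return "DENY"


class NetworkAcl:
    """Stateless. Rules are (number, action, proto, port_from, port_to, cidr), checked in
    ascending number order; the first match wins and the implicit '*' rule denies."""

    def __init__(self, inbound, outbound):
        self.rules = {"in": sorted(inbound), "out": sorted(outbound)}

    def evaluate(self, pkt, direction):
        for _number, action, *rule in self.rules[direction]:
            if _rule_matches(tuple(rule), pkt, direction):
                return action
        return "DENY"


ANY = "0.0.0.0/0"

# Constructed scenario: a web server at 10.0.1.5 serving a client at 203.0.113.10.
def web_request_trace(filter_obj):
    """Return (verdict on the client's request, verdict on the server's reply)."""
    request = Packet("203.0.113.10", "10.0.1.5", 51234, 80)
    reply = Packet("10.0.1.5", "203.0.113.10", 80, 51234)
    return filter_obj.evaluate(request, "in"), filter_obj.evaluate(reply, "out")


def blocked_client_trace(filter_obj):
    """Verdict on a request from a constructed 'bad' client in 192.0.2.0/24."""
    return filter_obj.evaluate(Packet("192.0.2.7", "10.0.1.5", 40000, 80), "in")


# Outbound is left empty on purpose to show that the reply passes purely because of
# flow tracking (a real default SG also allows all outbound traffic).
sg = SecurityGroup(inbound=[("tcp", 80, 80, ANY)], outbound=[])

# The classic NACL mistake: inbound 80 allowed, but no outbound ephemeral-port rule,
# so the server's reply is dropped.
nacl_missing_ephemeral = NetworkAcl(inbound=[(100, "ALLOW", "tcp", 80, 80, ANY)], outbound=[])
nacl_fixed = NetworkAcl(inbound=[(100, "ALLOW", "tcp", 80, 80, ANY)],
                        outbound=[(100, "ALLOW", "tcp", 1024, 65535, ANY)])

# Only a NACL can express an explicit DENY; the lower-numbered rule wins over the allow.
nacl_blocklist = NetworkAcl(inbound=[(50, "DENY", "tcp", 0, 65535, "192.0.2.0/24"),
                                     (100, "ALLOW", "tcp", 80, 80, ANY)],
                            outbound=[(100, "ALLOW", "tcp", 1024, 65535, ANY)])

if __name__ == "__main__":
    print("security group      :", web_request_trace(sg))
    print("NACL, no ephemeral  :", web_request_trace(nacl_missing_ephemeral))
    print("NACL, fixed         :", web_request_trace(nacl_fixed))
    print("NACL blocklist, bad :", blocked_client_trace(nacl_blocklist))
```

The point a practitioner should take from the traces: a security group never needs an ephemeral-port rule for replies, whereas a NACL that allows port 80 inbound silently breaks the service until an outbound rule for the ephemeral range (1024-65535 here) is added, and a NACL is the only place in the VPC filtering model where a source range can be explicitly denied ahead of a broader allow.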
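Question 4 describes a control that is applied account-wide from AWS Organizations rather than per identity or per resource: a service control policy that denies any request whose `aws:RequestedRegion` is outside the approved list. The code below is an added example for this page, not AWS code and not part of the original quiz. The SCP document is constructed (the approved regions and the list of exempted global services are assumptions), and `scp_allows` is a deliberately simplified evaluator that handles only `Action`/`NotAction` wildcards and a `StringNotEquals` condition on `aws:RequestedRegion`; it is not the real IAM policy engine.

```python
"""Simplified evaluation of a region-restricting SCP. Illustrative only; the real IAM
engine supports far more condition operators and also intersects the SCP with the
principal's identity and resource policies."""
import fnmatch
import json

# Constructed SCP: deny everything outside eu-west-1 / eu-central-1, except the global
# services that are always signed for us-east-1 and would otherwise be cut off.
REGION_RESTRICTION_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyOutsideApprovedRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "sts:*",
        "cloudfront:*",
        "route53:*",
        "support:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["eu-west-1", "eu-central-1"]
        }
      }
    }
  ]
}
""")


def _action_matches(patterns, action):
    """IAM-style wildcard match, e.g. 'iam:*' matches 'iam:CreateUser' (case-insensitive)."""
    pats = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in pats)


def _statement_applies(stmt, action, region):
    """True if the statement's action block and region condition both match the request."""
    if "Action" in stmt and not _action_matches(stmt["Action"], action):
        return False
    if "NotAction" in stmt and _action_matches(stmt["NotAction"], action):
        return False
    # Only the StringNotEquals / aws:RequestedRegion condition is modelled here.
    for key, allowed in stmt.get("Condition", {}).get("StringNotEquals", {}).items():
        if key == "aws:RequestedRegion":
            allowed_regions = [allowed] if isinstance(allowed, str) else allowed
            if region in allowed_regions:
                return False
    return True


def scp_allows(scp, action, region):
    """Return True if the SCP leaves the action reachable in the given region.

    Assumes the default FullAWSAccess SCP is also attached, so a request is blocked
    only when some Deny statement applies to it. A True result does not mean the call
    succeeds: the principal still needs an identity policy that grants the action.
    """
    for stmt in scp["Statement"]:
        if stmt["Effect"] == "Deny" and _statement_applies(stmt, action, region):
            return False
    return True


def audit(scp, requests):
    """Evaluate a batch of (action, region) pairs; returns [(action, region, allowed)]."""
    return [(a, r, scp_allows(scp, a, r)) for a, r in requests]


if __name__ == "__main__":
    # Constructed sample of API calls an auditor might replay against the policy.
    for action, region, ok in audit(REGION_RESTRICTION_SCP, [
        ("ec2:RunInstances", "eu-west-1"),
        ("ec2:RunInstances", "us-east-1"),
        ("iam:CreateUser", "us-east-1"),
        ("s3:CreateBucket", "ap-southeast-1"),
    ]):
        print(f"{action:20s} {region:16s} {'allowed' if ok else 'DENIED'}")
```

Two caveats a reviewer of such a policy should check: the `NotAction` exemption list must cover every global service the accounts actually use, or routine IAM and STS calls start failing, and SCPs never apply to the management account and never grant anything, so the control only bounds what identity policies in the member accounts can do.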