
AWS SA Associate Practice Questions – 17
Updated: Jul 17, 2020
Question 1:
What statements correctly describe security groups within a VPC? (Select three)
A. the default security group only permits inbound traffic
B. security groups are stateful firewalls
C. only allow rules are supported
D. allow and deny rules are supported
E. security groups are associated to network interfaces
Answer (B,C,E)
Question 2:
What three items are required to configure a security group rule?
A. protocol type
B. VPC name
C. port number
D. source IP
E. destination IP
F. description
Answer (A,C,D)
Question 3:
What two source IP address types are permitted in a security group rule?
A. only CIDR blocks with /16 subnet mask
B. source IP address 0.0.0.0/0
C. single source IP address with /24 subnet mask
D. security group id
E. IPv6 address with /64 prefix length
Answer (B,D)
Question 4:
What protocols must be enabled for remote access to Linux-based and Windows-based EC2 instances?
A. SSH, ICMP, Telnet
B. SSH, HTTP, RDP
C. SSH, HTTP, SSL
D. SSH, RDP, ICMP
Answer (D)
Question 5:
What distinguishes network ACLs from security groups within a VPC? (Select three)
A. ACL filters at the subnet level
B. ACL is based on deny rules only
C. ACL is applied to instances and subnets
D. ACL is stateless
E. ACL supports a numbered list for filtering
Answer (A,D,E)
Question 6:
What happens to the security permissions of a tenant when an IAM role is granted? (Select two)
A. tenant inherits only permissions assigned to the IAM role temporarily
B. add security permissions of the IAM role to existing permissions
C. previous security permissions are no longer in effect
D. previous security permissions are deleted unless reconfigured
E. tenant inherits only read permissions assigned to the IAM role
Answer (A,C)
Question 7:
Where are IAM permissions granted to invoke and execute a Lambda function for S3 access? (Select two)
A. S3 bucket
B. EC2 instance
C. Lambda function
D. IAM role
E. event mapping
Answer (A,D)
Question 8:
You have some developers working on code for an application, and they require temporary access to the AWS cloud for up to an hour. What is the easiest web-based solution from AWS to provide access and minimize security exposure?
A. ACL
B. security group
C. IAM group
D. STS
E. EFS
Answer (D)
Question 9:
What two methods are used to request temporary credentials based on AWS Security Token Service (STS)?
A. Web Identity Federation
B. LDAP
C. IAM identity
D. dynamic ACL
E. private key rotation
Answer (A,C)
Question 10:
What two components are required for enabling SAML authentication requests to AWS Identity and Access Management (IAM)?
A. access keys
B. session token
C. SSO
D. identity provider (IdP)
E. SAML provider entity
Answer (D,E)
Question 11:
What are two reasons for deploying Origin Access Identity (OAI) when enabling CloudFront?
A. prevent users from deleting objects in S3 buckets
B. mitigate distributed denial of service attacks (DDoS)
C. prevent users from accessing objects with Amazon S3 URL
D. prevent users from accessing objects with CloudFront URL
E. replace IAM for internet-based customer authentication
Answer (B,C)
Question 12:
What solutions are recommended to mitigate DDoS attacks? (Select three)
A. host-based firewall
B. elastic load balancer
C. WAF
D. SSL/TLS
E. Bastion host
F. NAT gateway
Answer (B,C,E)
Question 13:
What features are required to prevent users from bypassing AWS CloudFront security? (Select three)
A. Bastion host
B. signed URL
C. IP whitelist
D. signed cookies
E. origin access identity (OAI)
Answer (B,D,E)
Question 14:
What is the advantage of resource-based policies for cross-account access?
A. trusted account permissions are not replaced
B. trusted account permissions are replaced
C. resource-based policies are easier to deploy
D. trusting account manages all permissions
Answer (A)
Question 15:
What are three requirements for configuring a Bastion host?
A. EIP
B. SSH inbound permission
C. default route
D. CloudWatch logs group
E. VPN
F. Auto-Scaling
Answer (A,B,D)
Question 16:
What rule must be added to the security group assigned to a mount target instance that enables EFS access from an EC2 instance?
A. Type = EC2, protocol = IP, port = 2049, source = remote security group id
B. Type = EC2, protocol = EFS, port = 2049, source = 0.0.0.0/0
C. Type = NFS, protocol = TCP, port = 2049, source = remote security group id
D. Type = NFSv4, protocol = UDP, port = 2049, source = remote security group id
Answer (C)
Question 17:
What statement correctly describes IAM architecture?
A. IAM security is unified per region and replicated based on requirements for an AWS tenant account
B. IAM security is defined per region for roles only on an AWS tenant account
C. IAM security is globally unified across the AWS cloud for an AWS tenant account
D. IAM security is defined separately per region and cross-region security enabled for an AWS tenant account
Answer (C)
Question 18:
What are two advantages of customer-managed encryption keys (CMK)?
A. create and rotate encryption keys
B. AES-128 cipher for data at rest
C. audit encryption keys
D. encrypts data in-transit for server-side encryption only
Answer (A,C)
Question 19:
What feature is not available with AWS Trusted Advisor?
A. cost optimization
B. infrastructure best practices
C. vulnerability assessment
D. monitor application metrics
Answer (C)
Question 20:
What is required to ping from a source instance to a destination instance?
A. Network ACL: not required
   Security Group: allow ICMP outbound on source/destination EC2 instances
B. Network ACL: allow ICMP inbound/outbound on source/destination subnets
   Security Group: not required
C. Network ACL: allow ICMP inbound/outbound on source/destination subnets
   Security Group: allow ICMP outbound on source EC2 instance
   Security Group: allow ICMP inbound on destination EC2 instance
D. Network ACL: allow TCP inbound/outbound on source/destination subnets
   Security Group: allow TCP and ICMP inbound on source EC2 instance
Answer (C)
Question 21:
What two steps are required to grant cross-account permissions between AWS accounts?
A. create an IAM user
B. attach a trust policy to S3
C. create a transitive policy
D. attach a trust policy to the role
E. create an IAM role
Answer (D,E)
Question 22:
You have configured a security group to allow ICMP, SSH and RDP inbound and assigned the security group to all instances in a subnet. There is no access to any Linux-based or Windows-based instances, and you cannot ping any instances. The network ACL for the subnet is configured to allow all inbound traffic to the subnet. What is the most probable cause?
A. on-premises firewall rules
B. security group and network ACL outbound rules
C. network ACL outbound rules
D. security group outbound rules
E. Bastion host required
Answer (C)
Question 23:
What three techniques provide authentication security on S3 volumes?
A. bucket policies
B. network ACL
C. Identity and Access Management (IAM)
D. encryption
E. AES256
Answer (A,B,C)
Question 24:
What statement correctly describes support for AWS encryption of S3 objects?
A. tenants manage encryption for server-side encryption of S3 objects
B. Amazon manages encryption for server-side encryption of S3 objects
C. client-side encryption of S3 objects is not supported
D. S3 buckets are encrypted only
E. SSL is only supported with Glacier storage
Answer (B)
Question 25:
What authentication method provides Federated Single Sign-On (SSO) for cloud applications?
A. ADS
B. ISE
C. RADIUS
D. TACACS
E. SAML
Answer (E)
Question 26:
Based on the Amazon security model, what infrastructure configuration and associated security is the responsibility of tenants and not Amazon AWS? (Select two)
A. dedicated cloud server
B. hypervisor
C. operating system level
D. application level
E. upstream physical switch
Answer (C,D)
Question 27:
What security authentication is required before configuring or modifying EC2 instances? (Select three)
A. authentication at the operating system level
B. EC2 instance authentication with asymmetric keys
C. authentication at the application level
D. Telnet username and password
E. SSH/RDP session connection
Answer (A,B,E)
Question 28:
What feature is part of Amazon Trusted Advisor?
A. security compliance
B. troubleshooting tool
C. EC2 configuration tool
D. security certificates
Answer (A)
Question 29:
What are two best practices for account management within Amazon AWS?
A. do not use root account for common administrative tasks
B. create a single AWS account with multiple IAM users that have root privilege
C. create multiple AWS accounts with multiple IAM users per AWS account
D. use root account for all administrative tasks
E. create multiple root user accounts for redundancy
Answer (A,C)
Question 30:
What AWS feature is recommended for optimizing data security?
A. Multi-factor authentication
B. username and encrypted password
C. Two-factor authentication
D. SAML
E. Federated LDAP
Answer (A)
Question 31:
What IAM class enables an EC2 instance to access a file object in an S3 bucket?
A. user
B. root
C. role
D. group
Answer (C)
Question 32:
What are three recommended solutions that provide protection and mitigation from distributed denial of service (DDoS) attacks?
A. security groups
B. CloudWatch
C. encryption
D. WAF
E. data replication
F. Auto-Scaling
Answer (A,B,D)
Question 33:
What are three recommended best practices when configuring Identity and Access Management (IAM) security services?
A. Lock or delete your root access keys when not required
B. IAM groups are not recommended for storage security
C. create an IAM user with administrator privileges
D. share your password and/or access keys with members of your group only
E. delete any AWS account where the access keys are unknown
Answer (A,C,E)
Question 34:
What two features create security zones between EC2 instances within a VPC?
A. security groups
B. Virtual Security Gateway
C. network ACL
D. WAF
Answer (A,B)
Question 35:
What AWS service provides vulnerability assessment services to tenants within the cloud?
A. Amazon WAF
B. Amazon Inspector
C. Amazon Cloud Logic
D. Amazon Trusted Advisor
Answer (B)
Question 36:
What are two primary differences between AD Connector and Simple AD for cloud directory services?
A. Simple AD requires an on-premises ADS directory
B. Simple AD is fully managed and setup in minutes
C. AD Connector requires an on-premises ADS directory
D. Simple AD is more scalable than AD Connector
E. Simple AD provides enhanced integration with IAM
Answer (B,C)