©2019 by Raghavendra Kambhampati

AWS SA Associate Practice Questions – 17

Question 1:

What statements correctly describe security groups within a VPC? (Select three)

A. default security group only permits inbound traffic

B. security groups are stateful firewalls

C. only allow rules are supported

D. allow and deny rules are supported

E. security groups are associated to network interfaces

Answer (B,C,E)

Question 2:

What three items are required to configure a security group rule?

A. protocol type

B. VPC name

C. port number

D. source IP

E. destination IP

F. description

Answer (A,C,D)

Question 3:

What two source IP address types are permitted in a security group rule?

A. only CIDR blocks with /16 subnet mask

B. source IP address 0.0.0.0/0

C. single source IP address with /24 subnet mask

D. security group id

E. IPv6 address with /64 prefix length

Answer (B,D)

Question 4:

What protocols must be enabled for remote access to Linux-based and Windows-based EC2 instances?

A. SSH, ICMP, Telnet

B. SSH, HTTP, RDP

C. SSH, HTTP, SSL

D. SSH, RDP, ICMP

Answer (D)

Question 5:

What distinguishes network ACLs from security groups within a VPC? (Select three)

A. ACL filters at the subnet level

B. ACL is based on deny rules only

C. ACL is applied to instances and subnets

D. ACL is stateless

E. ACL supports a numbered list for filtering

Answer (A,D,E)

Question 6:

What happens to the security permissions of a tenant when an IAM role is granted? (Select two)

A. tenant inherits only permissions assigned to the IAM role temporarily

B. add security permissions of the IAM role to existing permissions

C. previous security permissions are no longer in effect

D. previous security permissions are deleted unless reconfigured

E. tenant inherits only read permissions assigned to the IAM role

Answer (A,C)

Question 7:

Where are IAM permissions granted to invoke and execute a Lambda function for S3 access? (Select two)

A. S3 bucket

B. EC2 instance

C. Lambda function

D. IAM role

E. event mapping

Answer (A,D)

Question 8:

You have some developers working on code for an application, and they require temporary access to the AWS cloud for up to an hour. What is the easiest web-based solution from AWS to provide access and minimize security exposure?

A. ACL

B. security group

C. IAM group

D. STS

E. EFS

Answer (D)

Question 9:

What two methods are used to request temporary credentials based on AWS Security Token Service (STS)?

A. Web Identity Federation

B. LDAP

C. IAM identity

D. dynamic ACL

E. private key rotation

Answer (A,C)

Question 10:

What two components are required for enabling SAML authentication requests to AWS Identity and Access Management (IAM)?

A. access keys

B. session token

C. SSO

D. identity provider (IdP)

E. SAML provider entity

Answer (D,E)

Question 11:

What are two reasons for deploying Origin Access Identity (OAI) when enabling CloudFront?

A. prevent users from deleting objects in S3 buckets

B. mitigate distributed denial of service attacks (DDoS)

C. prevent users from accessing objects with Amazon S3 URL

D. prevent users from accessing objects with CloudFront URL

E. replace IAM for internet-based customer authentication

Answer (B,C)

Question 12:

What solutions are recommended to mitigate DDoS attacks? (Select three)

A. host-based firewall

B. elastic load balancer

C. WAF

D. SSL/TLS

E. Bastion host

F. NAT gateway

Answer (B,C,E)

Question 13:

What features are required to prevent users from bypassing AWS CloudFront security? (Select three)

A. Bastion host

B. signed URL

C. IP whitelist

D. signed cookies

E. origin access identity (OAI)

Answer (B,D,E)

Question 14:

What is the advantage of resource-based policies for cross-account access?

A. trusted account permissions are not replaced

B. trusted account permissions are replaced

C. resource-based policies are easier to deploy

D. trusting account manages all permissions

Answer (A)

Question 15:

What are three requirements for configuring a Bastion host?

A. EIP

B. SSH inbound permission

C. default route

D. CloudWatch logs group

E. VPN

F. Auto-Scaling

Answer (A,B,D)

Question 16:

What rule must be added to the security group assigned to a mount target instance that enables EFS access from an EC2 instance?

A. Type = EC2, protocol = IP, port = 2049, source = remote security group id

B. Type = EC2, protocol = EFS, port = 2049, source = 0.0.0.0/0

C. Type = NFS, protocol = TCP, port = 2049, source = remote security group id

D. Type = NFSv4, protocol = UDP, port = 2049, source = remote security group id

Answer (C)

Question 17:

What statement correctly describes IAM architecture?

A. IAM security is unified per region and replicated based on requirements for an AWS tenant account

B. IAM security is defined per region for roles only on an AWS tenant account

C. IAM security is globally unified across the AWS cloud for an AWS tenant account

D. IAM security is defined separately per region and cross-region security enabled for an AWS tenant account

Answer (C)

Question 18:

What are two advantages of customer-managed encryption keys (CMK)?

A. create and rotate encryption keys

B. AES-128 cipher for data at rest

C. audit encryption keys

D. encrypts data in-transit for server-side encryption only

Answer (A,C)

Question 19:

What feature is not available with AWS Trusted Advisor?

A. cost optimization

B. infrastructure best practices

C. vulnerability assessment

D. monitor application metrics

Answer (C)

Question 20:

What is required to ping from a source instance to a destination instance?

A. Network ACL: not required
   Security Group: allow ICMP outbound on source/destination EC2 instances

B. Network ACL: allow ICMP inbound/outbound on source/destination subnets
   Security Group: not required

C. Network ACL: allow ICMP inbound/outbound on source/destination subnets
   Security Group: allow ICMP outbound on source EC2 instance
   Security Group: allow ICMP inbound on destination EC2 instance

D. Network ACL: allow TCP inbound/outbound on source/destination subnets
   Security Group: allow TCP and ICMP inbound on source EC2 instance

Answer (C)

Question 21:

What two steps are required to grant cross-account permissions between AWS accounts?

A. create an IAM user

B. attach a trust policy to S3

C. create a transitive policy

D. attach a trust policy to the role

E. create an IAM role

Answer (D,E)

Question 22:

You have configured a security group to allow ICMP, SSH and RDP inbound and assigned the security group to all instances in a subnet. There is no access to any Linux-based or Windows-based instances, and you cannot ping any instances. The network ACL for the subnet is configured to allow all inbound traffic to the subnet. What is the most probable cause?

A. on-premises firewall rules

B. security group and network ACL outbound rules

C. network ACL outbound rules

D. security group outbound rules

E. Bastion host required

Answer (C)

Question 23:

What three techniques provide authentication security on S3 volumes?

A. bucket policies

B. network ACL

C. Identity and Access Management (IAM)

D. encryption

E. AES256

Answer (A,B,C)

Question 24:

What statement correctly describes support for AWS encryption of S3 objects?

A. tenants manage encryption for server-side encryption of S3 objects

B. Amazon manages encryption for server-side encryption of S3 objects

C. client-side encryption of S3 objects is not supported

D. S3 buckets are encrypted only

E. SSL is only supported with Glacier storage

Answer (B)

Question 25:

What authentication method provides Federated Single Sign-On (SSO) for cloud applications?

A. ADS

B. ISE

C. RADIUS

D. TACACS

E. SAML

Answer (E)

Question 26:

Based on the Amazon security model, what infrastructure configuration and associated security is the responsibility of tenants and not Amazon AWS? (Select two)

A. dedicated cloud server

B. hypervisor

C. operating system level

D. application level

E. upstream physical switch

Answer (C,D)

Question 27:

What security authentication is required before configuring or modifying EC2 instances? (Select three)

A. authentication at the operating system level

B. EC2 instance authentication with asymmetric keys

C. authentication at the application level

D. Telnet username and password

E. SSH/RDP session connection

Answer (A,B,E)

Question 28:

What feature is part of Amazon Trusted Advisor?

A. security compliance

B. troubleshooting tool

C. EC2 configuration tool

D. security certificates

Answer (A)

Question 29:

What are two best practices for account management within Amazon AWS?

A. do not use root account for common administrative tasks

B. create a single AWS account with multiple IAM users that have root privilege

C. create multiple AWS accounts with multiple IAM users per AWS account

D. use root account for all administrative tasks

E. create multiple root user accounts for redundancy

Answer (A,C)

Question 30:

What AWS feature is recommended for optimizing data security?

A. Multi-factor authentication

B. username and encrypted password

C. Two-factor authentication

D. SAML

E. Federated LDAP

Answer (A)

Question 31:

What IAM class enables an EC2 instance to access a file object in an S3 bucket?

A. user

B. root

C. role

D. group

Answer (C)

Question 32:

What are three recommended solutions that provide protection and mitigation from distributed denial of service (DDoS) attacks?

A. security groups

B. CloudWatch

C. encryption

D. WAF

E. data replication

F. Auto-Scaling

Answer (A,B,D)

Question 33:

What are three recommended best practices when configuring Identity and Access Management (IAM) security services?

A. Lock or delete your root access keys when not required

B. IAM groups are not recommended for storage security

C. create an IAM user with administrator privileges

D. share your password and/or access keys with members of your group only

E. delete any AWS account where the access keys are unknown

Answer (A,C,E)

Question 34:

What two features create security zones between EC2 instances within a VPC?

A. security groups

B. Virtual Security Gateway

C. network ACL

D. WAF

Answer (A,B)

Question 35:

What AWS service provides vulnerability assessment services to tenants within the cloud?

A. Amazon WAF

B. Amazon Inspector

C. Amazon Cloud Logic

D. Amazon Trusted Advisor

Answer (B)

Question 36:

What are two primary differences between AD Connector and Simple AD for cloud directory services?

A. Simple AD requires an on-premises ADS directory

B. Simple AD is fully managed and setup in minutes

C. AD Connector requires an on-premises ADS directory

D. Simple AD is more scalable than AD Connector

E. Simple AD provides enhanced integration with IAM

Answer (B,C)