AWS-Certified-Developer-Associate Free Practice Test

A company notices that credentials that the company uses to connect to an external software as a service (SaaS) vendor are stored in a configuration file as plaintext.
The developer needs to secure the API credentials and enforce automatic credentials rotation on a quarterly basis.
Which solution will meet these requirements MOST securely?

1. A. Use AWS Key Management Service (AWS KMS) to encrypt the configuration fil
2. B. Decrypt the configuration file when users make API calls to the SaaS vendo
3. C. Enable rotation.
4. D. Retrieve temporary credentials from AWS Security Token Service (AWS STS) every 15 minute
5. E. Use the temporary credentials when users make API calls to the SaaS vendor.
6. F. Store the credentials in AWS Secrets Manager and enable rotatio
7. G. Configure the API to have Secrets Manager access.
8. H. Store the credentials in AWS Systems Manager Parameter Store and enable rotatio
9. I. Retrieve the credentials when users make API calls to the SaaS vendor.

Correct Answer: C
Store the credentials in AWS Secrets Manager and enable rotation. Configure the API to have Secrets Manager access. This is correct. This solution will meet the requirements most securely, because it uses a service that is designed to store and manage secrets such as API credentials. AWS Secrets Manager helps you protect access to your applications, services, and IT resources by enabling you to rotate, manage, and retrieve secrets throughout their lifecycle1. You can store secrets such as passwords, database strings, API keys, and license codes as encrypted values2. You can also configure automatic rotation of your secrets on a schedule that you specify3. You can use the AWS SDK or CLI to retrieve secrets from Secrets Manager when you need them4. This way, you can avoid storing credentials in plaintext files or hardcoding them in your code.

An application that is hosted on an Amazon EC2 instance needs access to files that are stored in an Amazon S3 bucket. The application lists the objects that are stored in the S3 bucket and displays a table to the user. During testing, a developer discovers that the application does not show any objects in the list.
What is the MOST secure way to resolve this issue?

1. A. Update the IAM instance profile that is attached to the EC2 instance to include the S3:* permission for the S3 bucket.
2. B. Update the IAM instance profile that is attached to the EC2 instance to include the S3:ListBucket permission for the S3 bucket.
3. C. Update the developer's user permissions to include the S3:ListBucket permission for the S3 bucket.
4. D. Update the S3 bucket policy by including the S3:ListBucket permission and by setting the Principal element to specify the account number of the EC2 instance.

Correct Answer: B
IAM instance profiles are containers for IAM roles that can be associated with EC2 instances. An IAM role is a set of permissions that grant access to AWS resources. An IAM role can be used to allow an EC2 instance to access an S3 bucket by including the appropriate permissions in the role’s policy. The S3:ListBucket permission allows listing the objects in an S3 bucket. By updating the IAM instance profile with this permission, the application on the EC2 instance can retrieve the objects from the S3 bucket and display them to the user. Reference: Using an IAM role to grant permissions to applications running on Amazon EC2 instances

A company is migrating legacy internal applications to AWS. Leadership wants to rewrite the internal employee directory to use native AWS services. A developer needs to create a solution for storing employee contact details and high-resolution photos for use with the new application.
Which solution will enable the search and retrieval of each employee's individual details and high-resolution photos using AWS APIs?

1. A. Encode each employee's contact information and photos using Base64. Store the information in an Amazon DynamoDB table using a sort key.
2. B. Store each employee's contact information in an Amazon DynamoDB table along with the object keys for the photos stored in Amazon S3.
3. C. Use Amazon Cognito user pools to implement the employee directory in a fully managedsoftware-as-a-service (SaaS) method.
4. D. Store employee contact information in an Amazon RDS DB instance with the photos stored in Amazon Elastic File System (Amazon EFS).

Correct Answer: B
Amazon DynamoDB is a fully managed NoSQL database service that provides fast and consistent performance with seamless scalability. The developer can store each employee’s contact information in a DynamoDB table along with the object keys for the photos stored in Amazon S3. Amazon S3 is an object storage service that offers industry-leading scalability, data availability, security, and performance. The developer can use AWS APIs to search and retrieve the employee details and photos from DynamoDB and S3.
References:
✑ [Amazon DynamoDB]
✑ [Amazon Simple Storage Service (S3)]

A developer is creating an AWS CloudFormation template to deploy Amazon EC2 instances across multiple AWS accounts. The developer must choose the EC2 instances from a list of approved instance types.
How can the developer incorporate the list of approved instance types in the CloudFormation template?

1. A. Create a separate CloudFormation template for each EC2 instance type in the list.
2. B. In the Resources section of the CloudFormation template, create resources for each EC2 instance type in the list.
3. C. In the CloudFormation template, create a separate parameter for each EC2 instance type in the list.
4. D. In the CloudFormation template, create a parameter with the list of EC2 instance types as AllowedValues.

Correct Answer: D
In the CloudFormation template, the developer should create a parameter with the list of approved EC2 instance types as AllowedValues. This way, users can select the instance type they want to use when launching the CloudFormation stack, but only from the approved list.

A company needs to harden its container images before the images are in a running state. The company's application uses Amazon Elastic Container Registry (Amazon ECR) as an image registry. Amazon Elastic Kubernetes Service (Amazon EKS) for compute, and an AWS CodePipeline pipeline that orchestrates a continuous integration and continuous delivery (CI/CD) workflow.
Dynamic application security testing occurs in the final stage of the pipeline after a new image is deployed to a development namespace in the EKS cluster. A developer needs to
place an analysis stage before this deployment to analyze the container image earlier in the CI/CD pipeline.
Which solution will meet these requirements with the MOST operational efficiency?

1. A. Build the container image and run the docker scan command locall
2. B. Mitigate any findings before pushing changes to the source code repositor
3. C. Write a pre-commit hook that enforces the use of this workflow before commit.
4. D. Create a new CodePipeline stage that occurs after the container image is buil
5. E. Configure ECR basic image scanning to scan on image pus
6. F. Use an AWS Lambda function as the action provide
7. G. Configure the Lambda function to check the scan results and to fail the pipeline if there are findings.
8. H. Create a new CodePipeline stage that occurs after source code has been retrieved from its repositor
9. I. Run a security scanner on the latest revision of the source cod
10. J. Fail the pipeline if there are findings.
11. K. Add an action to the deployment stage of the pipeline so that the action occurs before the deployment to the EKS cluste
12. L. Configure ECR basic image scanning to scan on image pus
13. M. Use an AWS Lambda function as the action provide
14. N. Configure the Lambda function to check the scan results and to fail the pipeline if there are findings.

Correct Answer: B
The solution that will meet the requirements with the most operational efficiency is to create a new CodePipeline stage that occurs after the container image is built. Configure ECR basic image scanning to scan on image push. Use an AWS Lambda function as the action provider. Configure the Lambda function to check the scan results and to fail the pipeline if there are findings. This way, the container image is analyzed earlier in the CI/CD pipeline and any vulnerabilities are detected and reported before deploying to the EKS cluster. The other options either delay the analysis until after deployment, which increases the risk of exposing insecure images, or perform analysis on the source code instead of the container image, which may not capture all the dependencies and configurations that affect the security posture of the image.
Reference: Amazon ECR image scanning