CLF-C01 Dumps

CLF-C01 Free Practice Test

Amazon-Web-Services CLF-C01: AWS Certified Cloud Practitioner

QUESTION 16

- (Topic 3)
A company has designed its AWS Cloud infrastructure to run its workloads effectively. The company also has protocols in place to continuously improve supporting processes.
Which pillar of the AWS Well-Architected Framework does this scenario represent?

Correct Answer: D
The scenario represents the operational excellence pillar of the AWS Well-Architected Framework, which focuses on running and monitoring systems to deliver business value and continually improve supporting processes and procedures. Security, performance efficiency, cost optimization, and reliability are the other four pillars of the framework.

QUESTION 17

- (Topic 3)
Which AWS service provides threat detection by monitoring for malicious activities and unauthorized actions to protect AWS accounts, workloads, and data that is stored in Amazon S3?

Correct Answer: C
Amazon GuardDuty is a service that provides intelligent threat detection and continuous monitoring for your AWS accounts, workloads, and data. Amazon GuardDuty analyzes and processes data sources, such as VPC Flow Logs, AWS CloudTrail event logs, and DNS logs, to identify malicious activities and unauthorized actions, such as reconnaissance, instance compromise, account compromise, and data exfiltration. Amazon GuardDuty can also detect threats to your data stored in Amazon S3, such as API calls from unusual locations or disabling of preventative controls. Amazon GuardDuty generates findings that summarize the details of the detected threats and provides recommendations for remediation. AWS Shield, AWS Firewall Manager, and Amazon Inspector are not the best services to meet this requirement. AWS Shield is a service that provides protection against distributed denial of service (DDoS) attacks. AWS Firewall Manager is a service that allows you to centrally configure and manage firewall rules across your accounts and resources. Amazon Inspector is a service that assesses the security and compliance of your applications running on EC2 instances.

QUESTION 18

- (Topic 2)
A company has an AWS-hosted website located behind an Application Load Balancer. The company wants to safeguard the website from SQL injection or cross-site scripting.
Which AWS service should the company use?

Correct Answer: B
The company should use AWS WAF to safeguard the website from SQL injection or cross-site scripting. AWS WAF is a web application firewall that helps protect web applications from common web exploits that could affect availability, compromise security, or consume excessive resources. The company can use AWS WAF to create custom rules that block malicious requests that match certain patterns, such as SQL injection or cross-site scripting. AWS WAF can be applied to web applications that are behind an Application Load Balancer, Amazon CloudFront, or Amazon API Gateway. Amazon GuardDuty, AWS Trusted Advisor, and Amazon Inspector are not the best services to use for this purpose. Amazon GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior across the AWS accounts and resources. AWS Trusted Advisor is a service that provides best practice recommendations for cost optimization, performance, security, and fault tolerance. Amazon Inspector is a service that assesses the security and compliance of applications running on Amazon EC2 instances.

QUESTION 19

- (Topic 1)
Which of the following is a cost efficiency principle related to the AWS Cloud?

Correct Answer: A
One of the cost efficiency principles related to the AWS Cloud is to right-size services based on capacity requirements. This means choosing the most appropriate type and size of AWS resources to meet the performance and scalability needs of the applications, while avoiding over-provisioning or under-provisioning. By right-sizing services, users can optimize the costs and benefits of using the AWS Cloud.

QUESTION 20

- (Topic 3)
Which AWS service or feature enables users to encrypt data at rest in Amazon S3?

Correct Answer: B
Server-side encryption is an encryption option that Amazon S3 provides to encrypt data at rest in Amazon S3. With server-side encryption, Amazon S3 encrypts an object before saving it to disk in its data centers and decrypts it when you download the object. You have three server-side encryption options to choose from: SSE-S3, SSE-C, and SSE-KMS. SSE-S3 uses keys that are managed by Amazon S3. SSE-C allows you to manage your own encryption keys. SSE-KMS uses keys that are managed by AWS Key Management Service (AWS KMS).