- (Exam Topic 3)
A new application will be deployed on EC2 instances in private subnets. The application will transfer sensitive data to and from an S3 bucket. Compliance requirements state that the data must not traverse the public internet. Which solution meets the compliance requirement?
Please select:
Correct Answer:
C
The AWS documentation mentions the following:
A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service does not leave the Amazon network.
Option A is invalid because a proxy server on its own is not sufficient.
Options B and D are invalid because the communication must be secured and must not traverse the internet. For more information on VPC endpoints, please see the link below: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html
The correct answer is: Access the S3 bucket through a VPC endpoint for S3.
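The gateway endpoint keeps the traffic off the public internet, but nothing stops a client outside the VPC from reaching the same bucket over the internet unless the bucket policy requires the endpoint. The following bucket policy is an added example, not part of the original question or of any AWS documentation; the bucket name and the endpoint ID (`vpce-PLACEHOLDER`) are placeholders to be replaced with your own values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnlessFromS3VpcEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::EXAMPLE-BUCKET",
        "arn:aws:s3:::EXAMPLE-BUCKET/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpce": "vpce-PLACEHOLDER"
        }
      }
    }
  ]
}
```

Because this is an explicit Deny for every principal, administrators working from outside the VPC (including through the console) will also be locked out, so validate it on a non-production bucket first.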
- (Exam Topic 2)
A distributed web application is installed across several EC2 instances in public subnets residing in two Availability Zones. Apache logs show several intermittent brute-force attacks from hundreds of IP addresses at the layer 7 level over the past six months.
What would be the BEST way to reduce the potential impact of these attacks in the future?
Correct Answer:
D
https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html A network ACL is limited to 20 rules (the limit can be raised to a maximum of 40 rules), and adding more rules adds latency.
- (Exam Topic 3)
Which technique can be used to integrate AWS IAM (Identity and Access Management) with an on-premise LDAP (Lightweight Directory Access Protocol) directory service?
Please select:
Correct Answer:
B
The AWS blog provides the following information to help in this context:
The newly released whitepaper, Single Sign-On: Integrating AWS, OpenLDAP, and Shibboleth, will help you integrate your existing LDAP-based user directory with AWS. When you integrate your existing directory with AWS, your users can access AWS by using their existing credentials. This means that your users don't need to maintain yet another user name and password just to access AWS resources.
Options A, C and D are all invalid because in this sort of configuration you have to use SAML to enable single sign-on.
For more information on integrating AWS with LDAP for single sign-on, please visit the following URL:
https://aws.amazon.com/blogs/security/new-whitepaper-single-sign-on-integrating-IAM-openldap-and-shibbol
The correct answer is: Use SAML (Security Assertion Markup Language) to enable single sign-on between AWS and LDAP.
- (Exam Topic 1)
An AWS account administrator created an IAM group and applied the following managed policy to require that each individual user authenticate using multi-factor authentication:
After implementing the policy, the administrator receives reports that users are unable to perform Amazon EC2 commands using the AWS CLI. What should the administrator do to resolve this problem while still enforcing multi-factor authentication?
Correct Answer:
B
- (Exam Topic 3)
You are planning on using the AWS KMS service for managing keys for your application. For which of the following can the KMS CMK keys be used for encrypting? Choose 2 answers from the options given below.
Please select:
Correct Answer:
CD
The CMK keys themselves can only be used to encrypt data that is at most 4KB in size. Hence they can be used to encrypt information such as passwords and RSA keys.
Options A and B are invalid because the actual CMK key can only be used to encrypt small amounts of data, not large amounts of data. You have to generate a data key from the CMK in order to encrypt large amounts of data.
For more information on the concepts for KMS, please visit the following URL: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html
The correct answers are: Password, RSA Keys