- (Exam Topic 2)
An organization is using AWS CloudTrail, Amazon CloudWatch Logs, and Amazon CloudWatch to send alerts when new access keys are created. However, the alerts are no longer appearing in the Security Operations mailbox.
Which of the following actions would resolve this issue?
Correct Answer:
C
- (Exam Topic 3)
Which of the following is the correct sequence of how KMS manages the keys when used along with the Redshift cluster service?
Please select:
Correct Answer:
A
This is mentioned in the AWS Documentation:
Amazon Redshift uses a four-tier, key-based architecture for encryption. The architecture consists of data encryption keys, a database key, a cluster key, and a master key.
Data encryption keys encrypt data blocks in the cluster. Each data block is assigned a randomly-generated AES-256 key. These keys are encrypted by using the database key for the cluster.
The database key encrypts data encryption keys in the cluster. The database key is a randomly-generated AES-256 key. It is stored on disk in a separate network from the Amazon Redshift cluster and passed to the cluster across a secure channel.
The cluster key encrypts the database key for the Amazon Redshift cluster.
Option B is incorrect because the master key encrypts the cluster key and not the database key.
Option C is incorrect because the master key encrypts the cluster key and not the data encryption keys.
Option D is incorrect because the master key encrypts the cluster key only.
For more information on how keys are used in Redshift, please visit the following URL: https://docs.aws.amazon.com/kms/latest/developerguide/services-redshift.html
The correct answer is: The master key encrypts the cluster key. The cluster key encrypts the database key. The database key encrypts the data encryption keys.
- (Exam Topic 3)
A company wishes to enable Single Sign On (SSO) so its employees can log in to the management console using their corporate directory identity. Which steps below are required as part of the process? Select 2 answers from the options given below.
Please select:
Correct Answer:
AE
Create a Direct Connect connection so that corporate users can access the AWS account.
Option B is incorrect because IAM policies are not directly mapped to group memberships in the corporate directory. It is IAM roles which are mapped.
Option C is incorrect because Lambda functions are an incorrect option for assigning roles.
Option D is incorrect because IAM users are not directly mapped to employees' corporate identities.
For more information on Direct Connect, please refer to the below URL:
https://aws.amazon.com/directconnect/
From the AWS Documentation, for federated access, you also need to ensure the right policy permissions are in place:
Configure permissions in IAM for your federated users
The next step is to create an IAM role that establishes a trust relationship between AWS and your organization's IdP, identifying your IdP as a principal (trusted entity) for purposes of federation. The role also defines what users authenticated by your organization's IdP are allowed to do in AWS. You can use the IAM console to create this role. When you create the trust policy that indicates who can assume the role, you specify the SAML provider that you created earlier in IAM along with one or more SAML attributes that a user must match to be allowed to assume the role. For example, you can specify that only users whose SAML eduPersonOrgDN value is ExampleOrg are allowed to sign in. The role wizard automatically adds a condition to test the saml:aud attribute to make sure that the role is assumed only for sign-in to the AWS Management Console. The trust policy for the role might look like this:
[Image of the example SAML trust policy not reproduced]
For more information on SAML federation, please refer to the below URL: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enabli
Note:
What directories can I use with AWS SSO?
You can connect AWS SSO to Microsoft Active Directory, running either on-premises or in the AWS Cloud. AWS SSO supports AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD, and AD Connector. AWS SSO does not support Simple AD. See AWS Directory Service Getting Started to learn more.
To connect to your on-premises directory with AD Connector, you need the following:
VPC
Set up a VPC with the following:
• At least two subnets. Each of the subnets must be in a different Availability Zone.
• The VPC must be connected to your on-premises network through a virtual private network (VPN) connection or AWS Direct Connect.
• The VPC must have default hardware tenancy.
• https://aws.amazon.com/single-sign-on/
• https://aws.amazon.com/single-sign-on/faqs/
• https://aws.amazon.com/bloj using-corporate-credentials/
• https://docs.aws.amazon.com/directoryservice/latest/admin
The correct answers are: Create a Direct Connect connection between the on-premises network and AWS. Use an AD Connector connecting AWS with the on-premises Active Directory. Create an IAM role that establishes a trust relationship between AWS and the corporate directory identity provider (IdP).
- (Exam Topic 1)
A company's application runs on Amazon EC2 and stores data in an Amazon S3 bucket. The company wants additional security controls in place to limit the likelihood of accidental exposure of data to external parties.
Which combination of actions will meet this requirement? (Select THREE.)
Correct Answer:
BCE
- (Exam Topic 4)
An Incident Response team is investigating an IAM access key leak that resulted in Amazon EC2 instances being launched. The company did not discover the incident until many months later. The Director of Information Security wants to implement new controls that will alert when similar incidents happen in the future.
Which controls should the company implement to achieve this? (Select TWO.)
Correct Answer:
AE