Exam Simulator: Design Secure Architectures - Part A - CompTIA PBQs & Labs, Linux Commands and Coding

Question 1 of 15

1. Question

Your web application is on a fleet of EC2 instances located in three Availability Zones which are behind an Application Load Balancer. Which health check configuration will you implement to ensure that your web app is highly-available?

HTTP/HTTPS Health Check
UDP Health Check
TCP health Check
Passive health Check

Question 2 of 15

2. Question

Your new online event management application is hosted in AWS. The application uses Multi-AZ RDS for its database tier, which has a standby replica. What are the events that will make Amazon RDS to automatically perform a failover to the standby replica? (Select all that apply.)

Loss of availability in primary Availability Zone
Loss of network connectivity to primary
Compute unit failure on primary
In the case of Replica failure
Compute unit failer on secondary
Loss of network connectivity to secondary

Question 3 of 15

3. Question

You have just hosted a website in an Amazon S3 bucket named examsdigest. The URL that loads the website is http://examsdigest.s3-website-eu-west-1.amazonaws.com. Now you want to use JavaScript on the webpages that are stored in this bucket to be able to make authenticated GET and PUT requests against the same bucket by using the Amazon S3 API endpoint for the bucket. The web browser blocks Javascript to make the requests.

What solution will you implement to allow the requests?

Configure Amazon S3 bucket to use CORS
Configure an Amazon EC2 Lambda to use CORS
Configure an Amazon EBS to use CORS
Configure an Amazon EFS to use CORS

Question 4 of 15

4. Question

You are deploying an application on Amazon EC2 that call AWS APIs. Which method of securely passing credentials to the application should you use?

Assign IAM roles to the EC2 instances
Store API credentials in Amazon S3
Store the API credentials on the instance using instance metadata
Store API credentials in DynamoDB

Question 5 of 15

5. Question

You are developing an application that uses Python Lambda functions. You need to store some sensitive data such as credentials for accessing the database. How will you store this data securely and adjust your function’s behavior without updating code?

Use AWS Lambda environment variables
Use AWS Identity and Access Management
Use AWS CloudTrail
Use AWS CodeDeploy

Question 6 of 15

6. Question

You have just launched an SFTP Secure Server Windows using an On-Demand EC2 instance in a newly created VPC named vpc-0e359265 with default settings. The server should not be accessible publicly but only through your IP address 155.144.123.12.

Which of the following is the most suitable way to implement this requirement?

Create a new inbound rule in the security group of the EC2 instance with the following details:

Rule: 100
Type: SSH
Protocol: TCP
Port Range: 22
Source: 155.144.123.12/32
Allow / Deny: ALLOW

Rule: *
Type: All Traffic
Protocol: ALL
Port Range: ALL
Source: 0.0.0.0/0
Allow / Deny: DENY
Create a new inbound rule in the security group of the EC2 instance with the following details:

Rule: 100
Type: SSH
Protocol: TCP
Port Range: 22
Source: 155.144.123.13/32
Allow / Deny: ALLOW

Rule: *
Type: All Traffic
Protocol: ALL
Port Range: ALL
Source: 0.0.0.0/0
Allow / Deny: DENY
Create a new inbound rule in the security group of the EC2 instance with the following details:

Rule: 100
Type: SSH
Protocol: TCP
Port Range: 53
Source: 155.144.123.12/32
Allow / Deny: ALLOW

Rule: *
Type: All Traffic
Protocol: ALL
Port Range: ALL
Source: 0.0.0.0/0
Allow / Deny: DENY
Create a new outbound rule in the security group of the EC2 instance with the following details:

Rule: 100
Type: SSH
Protocol: TCP
Port Range: 22
Source: 155.144.123.12/32
Allow / Deny: ALLOW

Rule: *
Type: All Traffic
Protocol: ALL
Port Range: ALL
Source: 0.0.0.0/0
Allow / Deny: DENY

Question 7 of 15

7. Question

Your new machine learning application is hosted on an EC2 instance with multiple Elastic Block Storage Volumes attached and uses Redshift as it is simple and cost-effective to efficiently analyze all your data. Due to a security policy, you encrypted all of the EBS volumes attached to the instance to protect the confidential data stored in the volumes.

Which of the following statements are true about encrypted Amazon Elastic Block Store volumes? (Select all that apply.)

EBS encrypts your volume with a data key using AES-256 algorithm
All data moving between the volume and the instance aren't encrypted
All snapshots created from the volume are encrypted
All volumes created from those snapshots are encrypted
Encryption is supported by all EBS volume types
The volume is automatically encrypted

Question 8 of 15

8. Question

You have just created a new On-Demand EC2 instance located in a subnet with ID subnet-aa181cd0 and IPv4 CIRD 172.31.16.0/20 in AWS which hosts your WordPress blog site. The security group attached to this EC2 instance has the following Inbound Rules:

You can establish an FTP connection into the EC2 instance from the internet. However, you are not able to establish an SSH connection from the internet. How to resolve the issue?

In the Security Group, add an Inbound SSH rule
In the Security Group, change FTP's Source IP to 172.31.16.20
In the Security Group, remove the HTTPS rule
In the Security Group, add an Outbound SSH rule

Question 9 of 15

9. Question

You have been tasked to set up a Linux bastion host that will allow access to the Amazon EC2 instances running in the VPC with ID vpc-0e359265. For security reasons, only the clients connecting from a specific external IP address should have SSH access to the host. The external public IP address is 23.24.25.26.

Which is the best option to complete the task?

Create a Security Group Inbound Rule:
Protocol – TCP,
Port Range – 22,
Source – 23.24.25.26/32
Create a Security Group Inbound Rule:
Protocol – TCP,
Port Range – 22,
Source – 23.24.25.26/0
Create a Security Group Inbound Rule:
Protocol – TCP,
Port Range – 80,
Source – 23.24.25.26/32
Create a Security Group Inbound Rule:
Protocol – TCP,
Port Range – 443,
Source – 23.24.25.26/32

Question 10 of 15

10. Question

What are some of the major advantages of having a Virtual Private Network (VPN) in AWS? (Choose all that apply)

It establishes secure and private sessions with IP Security (IPSec) and Transport Layer Security (TLS) tunnels
It provides a cost-effective, hybrid connection from your VPC to your on-premises network
It connects two VPCs and enables route traffic between them
It delivers high availability by using two tunnels across multiple Availability Zones within the AWS global network
It takes advantage of ACLs for an extra security layer

Question 11 of 15

11. Question

The mobile application you have just launched stores player and score information using Amazon S3 and DynamoDB. The users of your app can sign in using an external identity provider (IdP), such as Login with Amazon, Facebook, or Google. Amazon recommends that you do not embed or distribute long-term AWS credentials with apps that a user downloads to a device, even in an encrypted store.

Which AWS Security Token Service will you use to requests temporary AWS security credentials when needed?

Web identity federation
AWS Identity and Access Management (IAM)
Amazon S3 Access Control List (ACL)
Security Assertion Markup Language 2.0 (SAML)

Question 12 of 15

12. Question

Which of the following AWS Key Management Service (AWS KMS) practice encrypts plaintext data with a data key, and then encrypts the data key under another key?

Key usage
Envelope encryption
Key spec
Cryptographic operations

Question 13 of 15

13. Question

You have just created a number of IAM users in your AWS account. What else needs to be done in order to ensure that the users are able to make API calls to AWS services and use AWS PowerShell tools?

Configure Amazon API Gateway
Create an access key pair
Use AWS Certificate Manager
Create a User Pool in Amazon Cognito

Question 14 of 15

14. Question

You are developing a fitness application that provides users with a rich array of guided workouts for a variety of fitness levels. Your application resides on an EC2 instance which requires access to various AWS services for its operations.

Which of the following is the best way to allow your EC2 instance to access your S3 bucket and other AWS services?

Store the API credentials in the EC2 instance
Create an IAM role and attach it to the EC2 instance
There is no best way
Create a Network Access Control List

Question 15 of 15

15. Question

You are developing a service marketplace platform in which people buy and sell online services. The project manager instructed you that the API calls on the AWS resources should be monitored and recorded. You used CloudTrail to help you in compliance, operational, and risk auditing of your AWS account. The project manager asked you where does CloudTrail store all of the logs?

The logs are stored in Amazon DynamoDB
The logs are stored in Amazon S3
The logs are stored in Amazon DocumentDB
The logs are stored in Amazon Redshift

Exam Simulator: Design Secure Architectures – Part A

Anastasia-Instructor September 1, 2022

Quiz Summary

Information

Results