Amazon Web Services (AWS) - Set #12

Powered by Techhyme.com

You have a total of 130 minutes to finish the practice test of AWS Certified SysOps Administrator to test your knowledge.


1. You have an EC2 instance running a web service with an HTTPS endpoint. The instance has two network interfaces, and the web application listens only on the secondary interface. The primary interface is reserved for SSH management traffic. A public-facing network load balancer is configured to listen on TCP port 443 and forward traffic to the instance. Which of the following is the most secure way to ensure the instance receives HTTPS connections from clients on the Internet? (Choose three.)
  • A. Create a new security group with an inbound rule allowing HTTPS access.
  • B. Attach the security group to the instance’s primary interface.
  • C. Attach the security group to the instance’s secondary interface.
  • D. Create a new security group with an inbound rule allowing SSH access.
  • E. Attach the security group to the network load balancer.
  • F. Create a new security group with an outbound rule allowing HTTPS access.
Answer - A, C, E
Explanation - For this to be successful, HTTPS traffic needs to flow through the network load balancer to the instance’s secondary interface. Hence, you must create a security group allowing inbound HTTPS access and attach it to the network load balancer and the instance’s secondary interface, since that’s where the web service is listening for traffic. The instance’s primary interface is reserved for SSH management traffic and has nothing to do with the web service. There’s no need to create an outbound security group rule because security groups are stateful.
2. You’ve created a new network access control list (NACL) and added a rule to allow inbound SSH access to a public subnet hosting some EC2 instances, but you’re unable to SSH to these instances. You’ve verified that you have the correct SSH key pair, that the SSH service is running on each instance, and that each instance’s security group has an inbound rule permitting SSH from your public IP address. What should you do to resolve the issue?
  • A. Add an outbound security group rule allowing SSH traffic.
  • B. Add an outbound security group rule allowing all traffic.
  • C. Add an outbound network access control list rule allowing SSH traffic.
  • D. Add an outbound network access control list rule allowing all traffic.
Answer - D
Explanation - NACLs are stateless and require an outbound rule to explicitly allow return traffic on an ephemeral port. Because the ephemeral port range varies by operating system, creating an outbound NACL rule allowing all traffic is sufficient. Security groups are stateful and thus don’t require an explicit outbound rule to permit return traffic.
3. When you create an IAM principal, by default it has no permissions. Which of the following is this an example of?
  • A. Whitelisting
  • B. Blacklisting
  • C. Greylisting
  • D. Blackmailing
Answer - A
Explanation - Whitelisting is the practice of denying all permissions by default and granting only those specifically required. Blacklisting is the opposite. Greylisting is a technique to avoid spam emails. Blackmailing is a form of extortion.
4. In IAM, which of the following two compose an example of blacklisting? (Choose two.)
  • A. Applying an identity-based policy to deny all actions for all services and on all resources
  • B. Applying an identity-based policy to allow all actions for all services and on all resources
  • C. Applying an identity-based policy to explicitly deny the TerminateInstances action
  • D. Applying an identity-based policy to explicitly permit the TerminateInstances action
Answer - B, C
Explanation - Blacklisting is the practice of allowing all actions for all services and on all resources while denying access only to specific actions or resources.
5. A user on your organization’s AWS account created and subsequently deleted a Simple Notification Service (SNS) policy. Which of the following services may contain the contents of the deleted policy?
  • A. CloudWatch Events
  • B. CloudTrail
  • C. SNS
  • D. IAM
  • E. None of these
Answer - B
Explanation - CloudTrail may contain the contents of the policy if CloudTrail has been configured to log API events for SNS. CloudWatch Events doesn’t store any API events. IAM doesn’t store resource-based policies. SNS doesn’t keep backups of policies.
6. You have an EC2 instance running an application that needs to regularly connect to an IPv6 endpoint on the Internet. Which of the following is the simplest and most secure way to provide outbound-only Internet access to this instance?
  • A. NAT gateway
  • B. NAT instance
  • C. Egress-only Internet gateway
  • D. NATv6 gateway
Answer - C
Explanation - An egress-only Internet gateway allows outbound-only IPv6 access to the Internet. NAT gateways do not support IPv6. A NAT instance could be configured to support IPv6 but would not be as simple as using an egress-only Internet gateway. There’s no such thing as a NATv6 gateway in AWS.
7. You’ve created an unconditional IAM permissions policy allowing access to all EC2 actions and resources. You apply the policy to an IAM user in your account, but several hours later the user is unable to launch any Linux instances. Which of the following could be the cause?
  • A. The user is using the wrong SSH key pair.
  • B. An ACL is restricting the user’s EC2 permissions.
  • C. The user is using the wrong region.
  • D. A permissions boundary is restricting the user’s EC2 permissions.
  • E. The permissions policy restricts the use of Linux AMIs.
Answer - C
Explanation - A permissions boundary could be configured to limit the user’s EC2 access. The region isn’t relevant as the permissions policy doesn’t have any conditions, and IAM is a global service. ACLs aren’t relevant either, as the permissions policy and user are in the same AWS account. The user’s SSH key pair is only for logging into the instance once it’s launched and has no bearing on their permissions to launch it. The permissions policy allows access to all resources, so the specific AMI the user is attempting to launch is irrelevant.
8. Which of the following elements of an IAM policy statement is optional?
  • A. Sid
  • B. Version
  • C. Action
  • D. Resource
Answer - A
Explanation - The statement ID, or Sid, is the only optional element of those given. The action and resource elements can be given as wildcards to signify all, but they must be included in the policy.
9. Which of the following determines who is allowed to assume an IAM role?
  • A. Profile
  • B. Trust policy
  • C. Group
  • D. Permissions policy
Answer - B
Explanation - A trust policy defines who is allowed to assume a role. A permissions policy defines the permissions of the principal.
10. You need to store data in a relational database. You need to encrypt the data using an encryption key that’s rotated every 30 days. Which of the following database services should you use?
  • A. MongoDB
  • B. KMS
  • C. DynamoDB
  • D. RDS
Answer - D
Explanation - RDS allows you to use a customer managed customer master key that you can rotate every 30 days. DynamoDB also lets you use your own KMS keys, but it’s not a relational database system. MongoDB doesn’t let you use KMS keys. KMS is the service that manages the encryption keys, but it isn’t a database service.
11. You’re developing a web application that will allow users to upload pictures. The application will run on EC2 instances. Which of the following AWS services will most securely let users upload pictures to an S3 bucket in your account?
  • A. Directory Service
  • B. Instance profiles
  • C. Cognito
  • D. Security Ticket Service
Answer - C
Explanation - Cognito allows you to grant application users temporary access to services in your AWS account. Directory Service allows integration with Microsoft Active Directory. Instance profiles grant applications running on an instance—not users—access to AWS resources. There’s no such service as Security Ticket Service.
12. Which of the following does the Security Token Service provide? (Choose two.)
  • A. Secret access key
  • B. Short-term credentials
  • C. Long-term credentials
  • D. An encrypted access key ID
Answer - A, B
Explanation - STS provides short-term credentials consisting of an unencrypted access key ID, a secret access key, and a token.
13. While reviewing CloudTrail logs, you notice suspicious activity performed by a principal using an access key ID beginning with AROA. Which of the following principals performed the activity?
  • A. Another AWS service
  • B. An IAM role
  • C. An IAM user
  • D. An IAM group
Answer - B
Explanation - IAM roles make API calls using an access key that starts with AROA. If it were another AWS service, the access key would have begun with ASIA. If it was an IAM user, the key would have started with AKIA or ASIA. An IAM group is not a principal.
14. What’s the maximum number of IAM roles you can have in an AWS account?
  • A. 250
  • B. 500
  • C. 1000
  • D. 2000
Answer - C
Explanation - You can have up to 1000 IAM roles in an AWS account.
15. How many concurrent access keys can an IAM user have?
  • A. 1
  • B. 2
  • C. 3
  • D. 10
Answer - B
Explanation - An IAM user can have only two access keys assigned concurrently.
16. You assign an access key to a new IAM user. You then deactivate the key and assign the user a new one. How many more keys can you assign to the user?
  • A. None
  • B. One
  • C. Two
  • D. Three
Answer - A
Explanation - You can assign only two keys to a user concurrently regardless of whether the keys are active or inactive.
17. A large global enterprise with over 10,000 employees in Microsoft Active Directory wants to use a variety of AWS services in different regions. Which of the following approaches will enable them to use AWS in the most secure way and with the least amount of effort?
  • A. Use multiple AWS accounts.
  • B. Create an IAM user for each employee.
  • C. Create an IAM role for each employee.
  • D. Automatically assign temporary security credentials to each employee.
Answer - D
Explanation - An AWS account can have up to 5000 users, so creating an IAM user for each employee isn’t feasible. The limit on roles per account is 1000, so assigning a role to each user isn’t an option either. Using multiple AWS accounts is a possibility but requires more effort than the final option: automatically assigning temporary security credentials to each employee.
18. You run EC2 instances in only the us-east-1 AWS region. These instances use an instance profile role to connect to a DynamoDB database. Which of the following steps will prevent instances only in other regions from using the instance profile role to connect to DynamoDB?
  • A. Disable EC2 in all other regions.
  • B. Disable the Security Token Service in all other regions.
  • C. Delete the instance profile role in all other regions.
  • D. Delete the trust policy in all other regions.
Answer - B
Explanation - Disabling STS in all other regions except us-east-1 will prevent instances in those regions from obtaining temporary credentials, even if they have the instance profile role. Because IAM is global, deleting the instance profile role or attached trust policy will affect instances in the us-east-1 region as well. It’s not possible to disable the EC2 service.
19. How many managed policies can be attached to an IAM principal?
  • A. 3
  • B. 5
  • C. 10
  • D. 20
  • E. 50
Answer - C
Explanation - You can attach up to 10 managed policies to an IAM principal.
20. What is the maximum number of allowed characters in an IAM managed policy?
  • A. 2048
  • B. 5120
  • C. 6144
  • D. 10,240
Answer - C
Explanation - A managed policy can have up to 6144 characters.
21. What is the maximum aggregate inline policy size for an IAM user?
  • A. 2048 characters
  • B. 5120 characters
  • C. 6144 characters
  • D. 10,240 characters
Answer - A
Explanation - The sum of all inline policies embedded in an IAM user is 2048 characters.
22. What is the maximum aggregate inline policy size for an IAM group?
  • A. 2048 characters
  • B. 5120 characters
  • C. 6144 characters
  • D. 10,240 characters
Answer - B
Explanation - The sum of all inline policies embedded in an IAM group is 5120 characters.
23. What is the maximum aggregate inline policy size for an IAM role?
  • A. 2048 characters
  • B. 5120 characters
  • C. 6144 characters
  • D. 10,240 characters
Answer - D
Explanation - The sum of all inline policies embedded in an IAM role is 10,240 characters.
24. How many IAM roles can be associated with an instance profile?
  • A. One
  • B. Two
  • C. Three
  • D. Four
Answer - A
Explanation - An instance profile can have only one role associated with it.
25. What’s the maximum session duration for an IAM role?
  • A. 15 minutes
  • B. 1 hour
  • C. 12 hours
  • D. 24 hours
Answer - C
Explanation - The maximum session duration for a role is 12 hours. The minimum can be as little as 15 minutes.
26. What’s the default credential lifetime for an IAM role?
  • A. 15 minutes
  • B. 1 hour
  • C. 12 hours
  • D. 24 hours
Answer - B
Explanation - The default credential lifetime for an IAM role is 1 hour.
27. You create an IAM group and attach to it a policy that grants access to all read actions against all resources in S3. You then create an IAM user and add the user to the group. Which of the following is true of this user?
  • A. The user will be able to read EBS snapshots stored in S3.
  • B. The user won’t be able to read files encrypted with SSE-S3.
  • C. The user will be able to delete an S3 bucket.
  • D. The user won’t be able to terminate an EC2 instance.
Answer - D
Explanation - The policy grants access to read actions against all resources in S3. Because IAM uses an implicit deny framework, any actions not specifically allowed will be denied, so the user won’t be able to delete an S3 bucket or terminate an EC2 instance. The user also won’t be able to read EBS snapshots stored in S3 since those snapshots must be accessed via EC2 and not directly from S3. The user will, however, be able to read files even if they’re encrypted using SSE-S3.
28. A user attempting to log into the AWS Management Console accidentally types their password in the username field. Which of the following will be logged in CloudTrail Events? (Choose two.)
  • A. The account ID
  • B. The error message text
  • C. The password
  • D. The username
Answer - A, B
Explanation - In the case of a failed login, CloudTrail Events will hide the username and password fields to avoid accidentally exposing a password. The account ID and error message text will be logged.
29. Your organization runs a serverless Lambda application that encrypts data and writes it to a DynamoDB table. Which of the following is responsible for decrypting the data?
  • A. The application
  • B. KMS
  • C. DynamoDB
  • D. Lambda
Answer - A
Explanation - Because the application encrypts the data, it’s also responsible for decrypting it. DynamoDB and KMS play no role because they’re not involved in the encryption process. The Lambda service provides the compute power to run the application but doesn’t actually perform encryption or decryption.
30. Every IAM user in your AWS account has a “department” resource tag with a value that corresponds to their department. You need to grant users different levels of access according to their department. How can you do this with the least amount of effort? (Choose two.)
  • A. Create a group for each department.
  • B. Create an inline policy for each group.
  • C. Create a single managed policy.
  • D. Use the Condition policy element to grant access according to the department tag.
Answer - C, D
Explanation - Because users already have department tags, the easiest way to grant them access according to their tags is to create a single managed policy and use the Condition policy element. For example, including the following element under a policy statement would apply the permissions in the statement only to those with a department tag with a value of marketing: "Condition":{"StringEquals": {"aws:ResourceTag/department": "marketing"}}
31. You use Amazon Certificate Manager (ACM) to create a public TLS certificate. Which of the following can you attach this certificate to?
  • A. An RDS instance
  • B. An S3 bucket
  • C. An EC2 instance
  • D. An application load balancer
Answer - D
Explanation - You can attach an ACM-generated certificate to an application load balancer. You can’t attach it to an RDS instance, S3 bucket, or EC2 instance.
32. You have a public TLS certificate issued by a third party. You want to use this certificate with a fleet of 100 EC2 instances. How can you do this with the least effort? (Choose two.)
  • A. Create an application load balancer.
  • B. Create a network load balancer.
  • C. Import the certificate into Amazon Certificate Manager.
  • D. Import the certificate into each EC2 instance.
Answer - A, C
Explanation - The way to achieve this with the least effort is to import the certificate into ACM, create an application load balancer (ALB), and use the certificate with the ALB. Creating a network load balancer won’t work because it can’t terminate TLS connections. Importing the certificate into each EC2 instance is possible but would require greater effort.
33. You take scheduled EBS snapshots of an EC2 instance. Which of the following steps will ensure that the snapshots are always encrypted?
  • A. Encrypt the instance’s filesystem.
  • B. Enable snapshot encryption.
  • C. Encrypt the instance’s EBS volume.
  • D. Store the snapshot in an S3 bucket with encryption enabled.
Answer - C
Explanation - If the EBS volume is encrypted, the snapshot will always be encrypted. Encrypting the filesystem won’t encrypt the snapshot. There’s no option to enable snapshot encryption. You can’t select the S3 bucket to store the snapshot in.
34. During the process of launching an Amazon Linux 2 EC2 instance, you fail to download the SSH key pair. Which of the following could you do next? (Choose two.)
  • A. Terminate the instance and launch a new one.
  • B. Log in to the instance using SSM Session Manager.
  • C. RDP into the instance.
  • D. Import an existing SSH key pair into the instance.
Answer - A, B
Explanation - Terminating the instance and launching a new one is a valid next step. Logging into the instance using SSM Session Manager is also a possibility. Importing an existing SSH key pair into the instance is an option only after you’ve gained access to the instance. You can’t RDP into an Amazon Linux 2 instance.
35. Who is responsible for protecting the contents of a KMS master key?
  • A. Both the customer and AWS
  • B. AWS only
  • C. The customer only
  • D. Nobody; the master key is intended to be public.
Answer - B
Explanation - Because KMS generates and stores the contents of the master key and doesn’t allow customers to ever see it, AWS is solely responsible for protecting it from release.
36. Which of the following is true of a KMS data key? (Choose two.)
  • A. It’s stored unencrypted in KMS.
  • B. It’s encrypted using a master key.
  • C. It can be exported unencrypted.
  • D. It can be 256 bits in length.
Answer - B, D
Explanation - A data key is encrypted using a master key and can be up to 1024 bits in length. KMS stores the data key encrypted and can export it encrypted. KMS will not export the key in plaintext.
37. A developer accidentally emailed a copy of an encrypted KMS data key to an overseas vendor. This key is used to encrypt a sensitive organizational database. Which of the following is necessary to protect the database contents?
  • A. Rotate the customer master key.
  • B. Rotate the data key.
  • C. Revoke the developer’s decryption access in KMS.
  • D. No action is necessary.
Answer - D
Explanation - Because the data key is encrypted using the customer master key, there’s no need to take any action. Without the customer master key, no one can use the encrypted data key to decrypt the contents of the database. Rotating a customer master key doesn’t reencrypt any data encrypted by the data key.
38. You just created a customer master key in KMS. What’s the earliest you can delete it?
  • A. Immediately
  • B. 3 days
  • C. 7 days
  • D. 30 days
Answer - C
Explanation - You can’t delete a KMS key immediately, but you can schedule its deletion to occur within 7 to 30 days.
39. You’ve just scheduled a KMS customer master key for deletion in 30 days. Which of the following is true? (Choose two.)
  • A. Once the key is deleted, any data encrypted with it will be permanently lost.
  • B. You can’t use the key during the 30-day waiting period.
  • C. You can’t cancel the scheduled deletion.
  • D. KMS won’t delete the key if any AWS services are using it.
Answer - A, B
Explanation - Once you schedule a key deletion you can’t use the key during the waiting period. And once the key is deleted, any data encrypted using it will be permanently lost. KMS doesn’t prevent the deletion just because an AWS service is using the key. You can cancel a scheduled deletion.
40. You just imported a customer master key into KMS. What’s the earliest you can delete it?
  • A. Immediately
  • B. 3 days
  • C. 7 days
  • D. 30 days
Answer - A
Explanation - Keys that you import into KMS can be deleted immediately. There is no waiting period.
41. You have an application that references a KMS customer master key by its ARN. Which of the following steps do you need to take to immediately rotate the key? (Choose two.)
  • A. Update the key’s alias to reference the new key’s ID.
  • B. Update the application to reference the new key’s ARN.
  • C. Enable automatic key rotation in KMS.
  • D. Create a new key in KMS.
Answer - B, D
Explanation - To immediately rotate a key, you need to create a new key and then point the application to the new key. Optional automatic key rotation precludes the need to create a new key or update the application, but it occurs only once a year and can’t be triggered manually.
42. Your organization requires that all KMS customer master keys be rotated annually. Some of the keys are imported, while others are generated by KMS. Several custom applications use these keys to encrypt data. Which of the following can help ease the burden of meeting the requirement? (Choose two.)
  • A. Enable automatic key rotation.
  • B. Use key aliases for imported keys.
  • C. Perform manual key rotation for all keys.
  • D. Set an expiration period on imported keys.
Answer - A, B
Explanation - Enabling automatic key rotation will cause KMS to annually rotate the keys that it generated. You must manually rotate imported keys, which entails creating new ones and updating the applications to point to them. Aliases make this process easier. Instead of updating the application to reference the key by its ARN or key ID, you reference the key by its alias. You then update the key’s alias to point to the new key’s ID.
43. You’ve disabled a customer master key in KMS. Which of the following is true?
  • A. The data key is deleted when the customer master key is disabled.
  • B. The key can’t be rotated automatically.
  • C. The key can’t be rotated manually.
  • D. The key can’t be deleted.
Answer - B
Explanation - A disabled key can’t be rotated automatically. Manually rotating a key requires creating a new key and using it in place of the original one, and disabling the original key has no effect on this process. A disabled key can be deleted. Disabling a customer master key doesn’t delete any data keys.
44. Your organization runs a web application on EC2 instances. Your predecessor configured the application to store files in an S3 bucket. The bucket is configured to encrypt data using an imported key stored in KMS. Everything worked fine until today, when the application suddenly failed to read files from or write files to the bucket. Attempts to read or write files via the S3 API using your administrative user also failed. After investigating and finding that no changes have been made, you’ve narrowed the problem down to KMS. Which of the following is the most likely cause of the problem?
  • A. The bucket policy is misconfigured.
  • B. The key expired.
  • C. The key was rotated automatically.
  • D. The EC2 instance role doesn’t have the correct permissions to the table.
Answer - B
Explanation - The imported key could have been set with an expiration. Upon expiration, the key material is deleted, rendering the key unusable. Imported keys can’t be automatically rotated. The instance role permissions aren’t likely an issue because attempting to access the bucket directly via the S3 API also fails, even with the proper permissions.
45. Which of the following are true of keys stored in a KMS custom key store?
  • A. They can be automatically rotated.
  • B. They are stored in CloudHSM.
  • C. They can be imported.
  • D. They can be managed by AWS.
Answer - B
Explanation - Keys in a custom KMS key store are stored in a CloudHSM cluster. They can’t be automatically rotated or imported. AWS managed keys can’t be stored in a custom key store.
46. Which of the following do you need to do to export a private key from a CloudHSM cluster? (Choose two.)
  • A. Export the key using the exportPrivateKey command.
  • B. Export the key using the exportPubKey command.
  • C. Create a wrapping key.
  • D. Share the private key.
Answer - A, C
Explanation - To export a private key from CloudHSM, you must create a wrapping key, then export the private key using the exportPrivateKey command. The exportPubKey command is only for public keys. Sharing the private key isn’t necessary to export it.
47. What is the monthly service-level agreement for KMS?
  • A. 99.0 percent
  • B. 99.5 percent
  • C. 99.9 percent
  • D. 99.99 percent
Answer - C
Explanation - The monthly SLA for KMS is 99.9 percent.
48. What is the monthly service-level agreement for CloudHSM?
  • A. 99.0 percent
  • B. 99.5 percent
  • C. 99.95 percent
  • D. 99.99 percent
Answer - C
Explanation - The monthly SLA for CloudHSM is 99.95 percent. Note that this is higher than the KMS SLA of 99.9 percent, as KMS depends on CloudHSM for its custom key store.
49. Last year you generated a public, email-validated certificate using Amazon Certificate Manager. The certificate expires in 60 days. Which of the following will ensure the certificate is automatically renewed indefinitely? (Choose two.)
  • A. Associate the certificate with an application load balancer.
  • B. Revalidate domain ownership using email validation.
  • C. Revalidate domain ownership using DNS validation.
  • D. Manually renew the certificate.
Answer - A, C
Explanation - ACM will automatically renew a public certificate if two conditions are met: First, the certificate must be associated with an AWS service such as an application load balancer. Second, ACM must be able to validate domain ownership using email or DNS validation. Email validation is only good for 825 days, but DNS validation will remain valid as long as the appropriate records exist in the domain’s DNS. Manually renewing the certificate will renew it once but will not cause ACM to automatically renew the certificate indefinitely.
50. You’re using a TLS certificate generated by Amazon Certificate Manager to encrypt data in-transit between users and an elastic load balancer that terminates HTTPS connections. Which of the following is required to re-create this configuration in another AWS region?
  • A. Create a network load balancer in the other AWS region.
  • B. Configure cross-region load balancing in the elastic load balancer.
  • C. Use the existing certificate in the other region.
  • D. Create a new TLS certificate in the other region.
Answer - D
Explanation - Because ACM is a regional service, you’d have to create a new certificate in the other region. You can’t use the existing certificate. Elastic load balancers don’t offer cross-region load balancing. The question implies the use of an application load balancer, so creating a network load balancer in the other region wouldn’t fulfill the requirement.