Table of Contents
AWS Fundamentals Addressing Security Risk Quiz Answers
Q1. What security mechanism can add an extra layer of protection to your AWS account in addition to a username-password combination?
- Transport Layer Protocol or TCP
- Mult-factor Authentication or MFA
- Iris Scan Service or ISS
- Scure Bee Service or SBS
Q2. If a user wanted to read from a DynamoDB table what policy would you attach to their user profile?
Q3. What are valid MFA or Multi-factor Authentication options available to use on AWS? Select all that apply.
- Gemalto token
- Blizzard Authenticator
- Google Authenticator
- AWS IoT button
Q4. What format is an Identity and Access Management policy document in?
Q5. Which are valid options for interacting with your AWS account? Select all that apply.
- Command Line Interface
- Software Development Kit
- Application Programming Interface
- AWS Console
Q1. Which solution below grants AWS Management Console access to a DevOps engineer?
- Enable Single sign-on on AWS accounts by using federation and AWS IAM
- Create a user for the security engineer in AWS Cognito User Pool
- Create IAM user for the engineer and associate relevant IAM managed policies to this IAM user
- Use AWS Organization to scope down IAM roles and grant the security engineer access to this IAM roles
Q2. Which of these IAM policies cannot be updated by you?
- managed policy
- customer managed policy
- inline policy
- group policy
Q3. Which of these services can establish a trusted relationship between your corporate Active Directory and AWS?
- Amazon Cognito
- AWS SSO
- AD Connector
Q4. What is the main difference between Cognito User Pool and Cognito Identity Pool?
- User Pool cannot use public identity providers (e.g Facebook, Amazon, …) while Identity Pool can
- Identity Pools provide temporary AWS credentials
- Only User Pools has feature to enable MFA
- User Pools support both authenticated and unauthenticated identities
Q5. How do you audit IAM user’s access to your AWS accounts and resources?
- Using CloudTrail to look at the API call and timestamp
- Using CloudWatch event to notify you when an IAM user sign in
- Using AWS Config to notify you when IAM resources are changed
- Use Trusted Advisor to show a list of sign in events from all users
Week 2 Quiz Answers
Q1. Which statement is true?
- You can only attach 1 elastic network interface (ENI) to each EC2 instance launched in VPC
- By default, each instance that you launch into a nondefault subnet has a public IPv4 address
- To use AWS Private Link, the VPC is required to have a NAT device
- Traffics within an Availability Zone, or between Availability Zones in all Regions, are routed over the AWS private global network
Q2. What is a Security Group?
- Act as a firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level
- Act as a firewall for associated subnets, controlling both inbound and outbound traffic at the subnet level
- Control who in your organization has permission to create and manage VPC flow logs
- Capture information about the IP traffic going to and from network interfaces in your VPC
Q3. How many types of VPC Endpoints are available?
- Many. Each AWS Service will be supported by 1 type of VPC Endpoints
- Two: Amazon S3 and DynamoDB
- Two: Gateway Endpoint and Interface Endpoint
- One: VPC
Q4. Which of these AWS resources cannot be monitored using VPC Flow logs?
- A subnet in a VPC
- A network interface attached to EC2
- An Internet Gateway attached to VPC
Q5. You can route traffic to a NAT Gateway through:
- Site-to-Site VPN connection
- AWS Direct Connect
- VPC Peering
- None of the above
Q1. What AWS Services keeps a record of who is interacting with your AWS Account?1 point
- Amazon ServiceLog
- Amazon Auditor
- AWS AccountMonitor
- AWS CloudTrail
Q2. Which of the following are monitoring and logging services available on AWS? Select all that apply.
- AWS CloudWatch
- AWS CloudLogger
- Amazon Beehive
- Amazon Config
Q3. Which of the following sections from Trusted Advisor exists under the Well-Architected Framework as a pillar as well?
- Cost Transparency
- Operational Excellence
- Fault Tolerance
Q4. If you wanted to accomplish threat detection in your AWS Infrastructure, which of the following services would you use?
- AWS GuardDuty
- Amazon ThreatDetector
- Amazon S3
- AWS DynamoDB
Q5. Which AWS Service has an optional agent that can be deployed to EC2 instances to perform a security assessment?
- AWS Assessor
- Amazon Inspector
- AWS EC2Deploy
- Amazon Agent
Week 3 Quiz Answers
Q1. What requirement must you adhere to in order to deploy an AWS CloudHSM?
- Run the HSM in two regions
- Provision the HSM in a VPC
- Deploy an EBS volume for the HSM
- Call AWS Support first to enable it
Q2. What AWS KMS keys are used to encrypt and decrypt data in AWS?
- Customer master keys
- AWS master keys
- Seller recrypt keys
- User recrypt keys
Q3. How much data can you encrypt/decrypt using a Customer Master Key?
- Up to 4MB
- Up to 4TB
- Up to 1MB
- Up to 4KB
Q1. The purpose of encrypting data when it is in transit between systems and services is to prevent (choose 3 correct answers):
- unauthenticated server and client communication
- unauthorized alterations
- unauthorized copying
Q2. Which protocol below is an industry-standard cryptographic protocol used for encrypting data at the transport layer?
Q3. How do you encrypt an existing unencrypted EBS volume?
- EBS volumes are encrypted at rest by default
- Enable Encryption by Default feature
- Take a snapshot for EBS volume, and create new encrypted volume for this snapshot
- Enable encryption for EC2 instance, which will encrypt the attached EBS volumes
Q4. Can you encrypt just a subset of items in a DynamoDB table?
Q5. When you enable encryption for the RDS DB instance, what would not be encrypted?
- JBDC connection
- Transaction logs
- Automated backups
- Read Replicas
Week 4 Quiz Answers
Q1. Which of the following are valid Pillars of the Well-Architected Framework? Choose two.
- Cost Optimization
Q2. What language does Amazon Athena support?
Q3. What is the name of the model that shows how security is handled by AWS and its customers in the AWS Cloud?
- Cloud Security Model
- Role Based Model
- Shared Responsibility Model
- AWS Authentication Model
Q4. What AWS service is best suited for storing objects?
- Amazon Simple Storage Service
- Amazon Elastic Beanstalk
- Amazon DynamoDB
- Amazon Object Store
Q5. What AWS service can be used to manage multiple AWS accounts for consolidated billing?
- AWS Multiple-man
- AWS Account Manager
- AWS Billing
- AWS Organizations
Q6. What type of database is Amazon DynamoDB?
Q7. What is a customer access endpoint?
- A customer token
- A signed code segment
- A URL entry point for a web service
- A websocket for customer connections
Refer Above Quizzes for End of Course Assessment Quiz Answers