What is Amazon CloudFront?
A
Amazon CloudFront is a global content delivery network (CDN) service that accelerates delivery of your websites, APIs, video content or other web assets through CDN caching. It integrates with other Amazon Web Services products to give developers and businesses an easy way to accelerate content to end users with no minimum usage commitments.
Reference:
https://aws.amazon.com/cloudfront/
You can create a CloudWatch alarm that watches a single metric. The alarm performs one or more actions based on the value of the metric relative to a threshold over a number of time periods. Which of the following states is possible for the CloudWatch alarm?
A
You can create a CloudWatch alarm that watches a single metric. The alarm performs one or more actions based on the value of the metric relative to a threshold over a number of time periods. The action can be an Amazon EC2 action, an Auto Scaling action, or a notification sent to an Amazon SNS topic.
An alarm has three possible states:
OK--The metric is within the defined threshold
ALARM--The metric is outside of the defined threshold
INSUFFICIENT_DATA--The alarm has just started, the metric is not available, or not enough data is available for the metric to determine the alarm state
Reference:
http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/AlarmThatSendsEmail.html
A user has enabled instance protection for his Auto Scaling group that has spot instances. If Auto Scaling wants to terminate an instance in this Auto Scaling group due to a CloudWatch trigger unrelated to bid price, what will happen?
D
Instance protection prevents Auto Scaling from terminating an instance during scale-in events. When the CloudWatch trigger causes a scale-in, Auto Scaling terminates only those instances in the group that do not have instance protection enabled. However, instance protection does not protect a Spot instance from termination triggered by the market price exceeding the bid price.
Reference:
http://docs.aws.amazon.com/autoscaling/latest/userguide/as-instance-termination.html#instance-protection
In a hardware security module (HSM), what is the function of a Transparent Data Encryption (TDE)?
A
In a hardware security module (HSM), Transparent Data Encryption (TDE) reduces the risk of confidential data theft by encrypting sensitive data.
Reference:
http://docs.aws.amazon.com/cloudhsm/latest/userguide/cloud-hsm-third-party-apps.html
In IAM, a policy has to include the information about who (user) is allowed to access the resource, known as the _____.
D
To specify resource-based permissions, you can attach a policy to the resource, such as an Amazon SNS topic, an Amazon S3 bucket, or an Amazon Glacier vault. In that case, the policy has to include information about who is allowed to access the resource, known as the principal. (For user-based policies, the principal is the IAM user that the policy is attached to, or the user who gets the policy from a group.)
Reference:
http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
Amazon S3 provides a number of security features for protection of data at rest, which you can use or not, depending on your threat profile. What feature of S3 allows you to create and manage your own encryption keys for sending data?
A
With client-side encryption you create and manage your own encryption keys. Keys you create are not exported to AWS in clear text. Your applications encrypt data before submitting it to Amazon S3, and decrypt data after receiving it from Amazon S3. Data is stored in an encrypted form, with keys and algorithms only known to you. While you can use any encryption algorithm, and either symmetric or asymmetric keys to encrypt the data, the AWS-provided Java SDK offers Amazon S3 client-side encryption features.
Reference:
https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf
In AWS KMS, which of the following is NOT a mode of server-side encryption that you can use to protect data at rest in Amazon S3?
B
You can protect data at rest in Amazon S3 by using three different modes of server-side encryption: SSE-S3, SSE-C, or SSE-KMS.
Reference:
http://docs.aws.amazon.com/kms/latest/developerguide/services-s3.html
AWS Cloud Hardware Security Modules (HSMs) are designed to _____.
D
A Hardware Security Module (HSM) is a hardware appliance that provides secure key storage and cryptographic operations within a tamper-resistant hardware device. They are designed to securely store cryptographic key material and also to be able to use this key material without exposing it outside the cryptographic boundary of the appliance.
Reference:
https://aws.amazon.com/cloudhsm/faqs/
Which of the following statements is true of IAM?
A
MFA can be used either with a specific MFA-enabled device or by installing an application on a smartphone. If a user chooses to use her smartphone, physical access to the device is required in order to complete the configuration wizard.
Reference:
http://docs.aws.amazon.com/IAM/latest/UserGuide/GenerateMFAConfig.html
Could you use IAM to grant access to Amazon DynamoDB resources and API actions?
D
Amazon DynamoDB integrates with AWS Identity and Access Management (IAM). You can use AWS IAM to grant access to Amazon DynamoDB resources and API actions. To do this, you first write an AWS IAM policy, which is a document that explicitly lists the permissions you want to grant. You then attach that policy to an AWS IAM user or role.
Reference:
http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/UsingIAMWithDDB.html