Question.6 A company must encrypt all AMIs that the company shares across accounts. A DevOps engineer has access to a source account where an unencrypted custom AMI has been built. The DevOps engineer also has access to a target account where an Amazon EC2 Auto Scaling group will launch EC2 instances from the AMI. The DevOps engineer must share the AMI with the target account. The company has created an AWS Key Management Service (AWS KMS) key in the source account. Which additional steps should the DevOps engineer perform to meet the requirements? (Choose three.)
(A) In the source account, copy the unencrypted AMI to an encrypted AMI. Specify the KMS key in the copy action.
(B) In the source account, copy the unencrypted AMI to an encrypted AMI. Specify the default Amazon Elastic Block Store (Amazon EBS) encryption key in the copy action.
(C) In the source account, create a KMS grant that delegates permissions to the Auto Scaling group service-linked role in the target account.
(D) In the source account, modify the key policy to give the target account permissions to create a grant. In the target account, create a KMS grant that delegates permissions to the Auto Scaling group service-linked role.
(E) In the source account, share the unencrypted AMI with the target account.
(F) In the source account, share the encrypted AMI with the target account.
Answer: ADF
Explanation:
Here’s a detailed justification for the correct answer (ADF) to the AMI encryption and sharing scenario:
- A. In the source account, copy the unencrypted AMI to an encrypted AMI. Specify the KMS key in the copy action. This step is fundamental. You cannot directly encrypt an existing unencrypted AMI. You must create a copy and encrypt it during the copy process. Specifying the KMS key ensures that the AMI is encrypted using the company’s designated key, fulfilling the requirement of encrypting all shared AMIs. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIEncryption.html
- D. In the source account, modify the key policy to give the target account permissions to create a grant. In the target account, create a KMS grant that delegates permissions to the Auto Scaling group service-linked role. When sharing encrypted AMIs across accounts, the target account needs permission to use the KMS key to decrypt the AMI and its associated EBS volumes. The source account’s KMS key policy must grant the target account permission to perform actions such as kms:CreateGrant. The grant created in the target account then allows the Auto Scaling service-linked role in that account to use the KMS key. https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
- F. In the source account, share the encrypted AMI with the target account. Only the encrypted AMI should be shared. Sharing the unencrypted AMI (as suggested in option E) would violate the security requirement of encrypting all shared AMIs. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-encrypt.html
Why other options are incorrect:
E: As mentioned earlier, this directly contradicts the requirement to share only encrypted AMIs.
B: Using the default EBS encryption key would not fulfill the requirement to use the company’s KMS key. The company wants control and manageability of encryption via their specific KMS key.
C: While grants are important, the target account needs permission to create the grant first. Option C skips the crucial step of modifying the KMS key policy in the source account to allow the target account to create a grant.
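Added example (not code from the original Q&A): helpers that emit the source-account key policy statement and the target-account grant request that answer ADF relies on, plus an offline check of an existing key policy against the actions the EC2 user guide requires for a target account. Account ids, region and key id are constructed placeholders, and nothing here calls AWS.

```python
"""Key policy and grant shapes for sharing an encrypted AMI across accounts.

Added example, not from the original Q&A. Account ids, region and key id are
constructed placeholders and no AWS API is called. The functions return the
statement to add to the source key's policy, the kms:CreateGrant parameters
the target account issues for its Auto Scaling service-linked role, and an
offline check of which required actions an existing key policy lacks.
"""
import fnmatch

SOURCE_ACCOUNT = "111111111111"  # constructed placeholder
TARGET_ACCOUNT = "222222222222"  # constructed placeholder
KEY_ARN = (f"arn:aws:kms:us-east-1:{SOURCE_ACCOUNT}:key/"
           "00000000-0000-0000-0000-000000000000")  # constructed placeholder

# Actions the EC2 user guide lists for a target account that copies or launches
# an AMI whose snapshots are encrypted with a source-account key.
REQUIRED_TARGET_ACTIONS = ["kms:DescribeKey", "kms:ReEncryptFrom", "kms:ReEncryptTo",
                           "kms:CreateGrant", "kms:Decrypt"]

def target_account_statement(target_account):
    """Key policy statement added in the SOURCE account (first half of option D)."""
    return {"Sid": "AllowTargetAccountUseAndCreateGrant",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{target_account}:root"},
            "Action": ["kms:DescribeKey", "kms:ReEncrypt*", "kms:CreateGrant", "kms:Decrypt"],
            "Resource": "*"}

def asg_grant_request(key_arn, target_account):
    """kms:CreateGrant parameters issued from the TARGET account so its Auto
    Scaling service-linked role can use the source key at launch (second half
    of option D): data-key generation, encrypt/decrypt, re-encrypt, describe
    and the ability to create further grants for EC2."""
    slr_arn = (f"arn:aws:iam::{target_account}:role/aws-service-role/"
               "autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling")
    return {"KeyId": key_arn, "GranteePrincipal": slr_arn,
            "Operations": ["Encrypt", "Decrypt", "ReEncryptFrom", "ReEncryptTo",
                           "GenerateDataKey", "GenerateDataKeyWithoutPlaintext",
                           "DescribeKey", "CreateGrant"]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def missing_actions(key_policy, target_account):
    """Required actions the key policy does NOT allow the target account.
    Only Allow statements naming the account root, the account id or "*" are
    considered; Deny statements and Conditions are outside this check."""
    root_arn = f"arn:aws:iam::{target_account}:root"
    allowed = []
    for stmt in key_policy.get("Statement", []):
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principal = principal.get("AWS", [])
        if stmt.get("Effect") != "Allow":
            continue
        if not {root_arn, target_account, "*"} & set(_as_list(principal)):
            continue
        allowed.extend(a.lower() for a in _as_list(stmt.get("Action", [])))
    return [a for a in REQUIRED_TARGET_ACTIONS
            if not any(fnmatch.fnmatchcase(a.lower(), pat) for pat in allowed)]

if __name__ == "__main__":
    policy = {"Version": "2012-10-17", "Statement": [target_account_statement(TARGET_ACCOUNT)]}
    print("missing:", missing_actions(policy, TARGET_ACCOUNT))  # []
    print(asg_grant_request(KEY_ARN, TARGET_ACCOUNT)["GranteePrincipal"])
```

Run `missing_actions` against the real key policy (`aws kms get-key-policy`) before sharing the AMI; an empty list means the target account can copy, decrypt and create the grant option D describes.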
Question.7 A company uses AWS CodePipeline pipelines to automate releases of its application. A typical pipeline consists of three stages: build, test, and deployment. The company has been using a separate AWS CodeBuild project to run scripts for each stage. However, the company now wants to use AWS CodeDeploy to handle the deployment stage of the pipelines. The company has packaged the application as an RPM package and must deploy the application to a fleet of Amazon EC2 instances. The EC2 instances are in an EC2 Auto Scaling group and are launched from a common AMI. Which combination of steps should a DevOps engineer perform to meet these requirements? (Choose two.)
(A) Create a new version of the common AMI with the CodeDeploy agent installed. Update the IAM role of the EC2 instances to allow access to CodeDeploy.
(B) Create a new version of the common AMI with the CodeDeploy agent installed. Create an AppSpec file that contains application deployment scripts and grants access to CodeDeploy.
(C) Create an application in CodeDeploy. Configure an in-place deployment type. Specify the Auto Scaling group as the deployment target. Add a step to the CodePipeline pipeline to use EC2 Image Builder to create a new AMI. Configure CodeDeploy to deploy the newly created AMI.
(D) Create an application in CodeDeploy. Configure an in-place deployment type. Specify the Auto Scaling group as the deployment target. Update the CodePipeline pipeline to use the CodeDeploy action to deploy the application.
(E) Create an application in CodeDeploy. Configure an in-place deployment type. Specify the EC2 instances that are launched from the common AMI as the deployment target. Update the CodePipeline pipeline to use the CodeDeploy action to deploy the application.
Answer: AD
Explanation:
Here’s a detailed justification for why options A and D are the correct choices, and why the others are incorrect, for integrating AWS CodeDeploy into an existing CodePipeline to deploy an RPM package to an EC2 Auto Scaling group.
Justification for Option A: Create a new version of the common AMI with the CodeDeploy agent installed. Update the IAM role of the EC2 instances to allow access to CodeDeploy.
- The CodeDeploy agent is a prerequisite for CodeDeploy to manage deployments on an EC2 instance. The agent must be installed and running on each instance targeted for deployment. Baking the agent into the common AMI ensures that every EC2 instance launched from that AMI has the necessary software.
- CodeDeploy needs permissions to perform actions on the EC2 instances, such as stopping, starting, and copying files. The IAM role attached to the EC2 instances must grant these permissions. Without the correct IAM role, CodeDeploy will fail to deploy the application. https://docs.aws.amazon.com/codedeploy/latest/userguide/getting-started-create-iam-instance-profile.html
Justification for Option D: Create an application in CodeDeploy. Configure an in-place deployment type. Specify the Auto Scaling group as the deployment target. Update the CodePipeline pipeline to use the CodeDeploy action to deploy the application.
- Before using CodeDeploy, an application must be created. This application is a container for deployments.
- For deploying to a fleet of EC2 instances managed by an Auto Scaling group, the “in-place” deployment type is appropriate. This deployment type updates the application directly on the existing instances.
- Specifying the Auto Scaling group as the deployment target ensures that CodeDeploy deploys to all instances within the group. This is crucial for maintaining consistency across the fleet.
- To integrate CodeDeploy into the existing CodePipeline, the CodePipeline must be updated to use the CodeDeploy action in the deployment stage. This step will initiate the deployment process through CodeDeploy. https://docs.aws.amazon.com/codedeploy/latest/userguide/deployments-create-pipeline.html
Why other options are incorrect:
- Option B: While creating a new AMI with the CodeDeploy agent is correct, creating an AppSpec file doesn’t inherently grant access to CodeDeploy. The IAM role handles access. The AppSpec file defines how the application is deployed, not who can deploy it.
- Option C: While EC2 Image Builder can be used to create AMIs, it is not necessary to use it as a step in every pipeline execution. The company already uses a common AMI. Using EC2 Image Builder in this way would cause AMI proliferation.
- Option E: Specifying individual EC2 instances instead of the Auto Scaling group as a deployment target defeats the purpose of using an Auto Scaling group. If new instances are launched as part of scaling, they will not be included in the deployment. Targeting the Auto Scaling group ensures that all instances within the group are deployed.
In summary, the combination of creating an AMI with the CodeDeploy agent, updating the IAM role of EC2 instances, creating a CodeDeploy application, specifying an in-place deployment type with the Auto Scaling group as the target, and integrating CodeDeploy into the CodePipeline will meet the requirements of automating the deployment of an RPM package to an EC2 Auto Scaling group.
Question.8 A company’s security team requires that all external Application Load Balancers (ALBs) and Amazon API Gateway APIs are associated with AWS WAF web ACLs. The company has hundreds of AWS accounts, all of which are included in a single organization in AWS Organizations. The company has configured AWS Config for the organization. During an audit, the company finds some externally facing ALBs that are not associated with AWS WAF web ACLs. Which combination of steps should a DevOps engineer take to prevent future violations? (Choose two.)
(A) Delegate AWS Firewall Manager to a security account.
(B) Delegate Amazon GuardDuty to a security account.
(C) Create an AWS Firewall Manager policy to attach AWS WAF web ACLs to any newly created ALBs and API Gateway APIs.
(D) Create an Amazon GuardDuty policy to attach AWS WAF web ACLs to any newly created ALBs and API Gateway APIs.
(E) Configure an AWS Config managed rule to attach AWS WAF web ACLs to any newly created ALBs and API Gateway APIs.
Answer: AC
Explanation:
The correct answer is AC. Here’s why:
A. Delegate AWS Firewall Manager to a security account: AWS Firewall Manager is designed to centrally manage and enforce security rules across multiple AWS accounts within an organization. Delegating Firewall Manager to a dedicated security account centralizes the configuration and management of WAF rules, making it easier to enforce the company’s security policy consistently. This delegation is a prerequisite for creating organization-wide firewall policies.
C. Create an AWS Firewall Manager policy to attach AWS WAF web ACLs to any newly created ALBs and API Gateway APIs: This is the core step for preventing future violations. Firewall Manager allows you to create policies that automatically associate WAF web ACLs with newly created resources (ALBs and API Gateway APIs, in this case). This policy enforcement ensures that all externally facing ALBs and API Gateways are protected by WAF, meeting the company’s security requirements. Firewall Manager policies can be configured to apply across the entire organization or specific organizational units (OUs).
Why the other options are incorrect:
- B. Delegate Amazon GuardDuty to a security account: GuardDuty is a threat detection service; it does not enforce WAF policies. It detects malicious activity but does not prevent the creation of unprotected resources.
- D. Create an Amazon GuardDuty policy to attach AWS WAF web ACLs to any newly created ALBs and API Gateway APIs: GuardDuty doesn’t have the capability to automatically attach WAF web ACLs. It only reports security threats.
- E. Configure an AWS Config managed rule to attach AWS WAF web ACLs to any newly created ALBs and API Gateway APIs: AWS Config’s primary function is to assess and audit the configuration of your AWS resources. While Config can detect resources that are non-compliant (i.e., not associated with WAF), it cannot automatically attach WAF web ACLs to newly created resources in the same way as Firewall Manager. Config can trigger remediation actions via Systems Manager Automation documents, Lambda functions, or CloudWatch Events/EventBridge, but that would require additional scripting and automation for the WAF attachment, which Firewall Manager handles natively.
In summary: Firewall Manager provides the centralized policy enforcement capabilities required to automatically associate WAF web ACLs with new ALBs and API Gateway APIs across an organization, which addresses the company’s need to prevent future violations. Delegating Firewall Manager to a security account provides a central place for management.
Supporting Documentation:
Amazon GuardDuty: https://aws.amazon.com/guardduty/
AWS Firewall Manager: https://aws.amazon.com/firewall-manager/
AWS WAF: https://aws.amazon.com/waf/
AWS Organizations: https://aws.amazon.com/organizations/
AWS Config: https://aws.amazon.com/config/
Question.9 A company uses AWS Key Management Service (AWS KMS) keys and manual key rotation to meet regulatory compliance requirements. The security team wants to be notified when any keys have not been rotated after 90 days. Which solution will accomplish this?
(A) Configure AWS KMS to publish to an Amazon Simple Notification Service (Amazon SNS) topic when keys are more than 90 days old.
(B) Configure an Amazon EventBridge event to launch an AWS Lambda function to call the AWS Trusted Advisor API and publish to an Amazon Simple Notification Service (Amazon SNS) topic.
(C) Develop an AWS Config custom rule that publishes to an Amazon Simple Notification Service (Amazon SNS) topic when keys are more than 90 days old.
(D) Configure AWS Security Hub to publish to an Amazon Simple Notification Service (Amazon SNS) topic when keys are more than 90 days old.
Answer: C
Explanation:
Here’s a detailed justification for why option C is the correct solution, along with explanations of why the other options are less suitable:
Why Option C is Correct: Develop an AWS Config custom rule that publishes to an Amazon Simple Notification Service (Amazon SNS) topic when keys are more than 90 days old.
AWS Config is the ideal service for tracking configuration changes and compliance status across your AWS resources. It allows you to define custom rules to evaluate whether your resources comply with your internal policies. Specifically for this scenario:
- Continuous Monitoring: AWS Config continuously monitors the configuration of your AWS resources, including KMS keys.
- Custom Rule Creation: You can create a custom AWS Config rule using Lambda to evaluate the rotation status of KMS keys. The Lambda function can check the KeyRotationStatus and CreationDate attributes of the KMS key.
- Age Evaluation: The custom rule can be configured to check if the key’s age (calculated from the creation date or last rotation date) exceeds 90 days.
- Non-Compliance Reporting: If a KMS key is found to be older than 90 days, the Config rule will mark it as non-compliant.
- SNS Notification: AWS Config can be configured to publish an Amazon SNS notification when a resource’s compliance status changes. In this case, when a KMS key becomes non-compliant due to being older than 90 days, a notification will be sent to the specified SNS topic.
- Automation and Auditability: This approach automates the compliance checking process and provides an auditable record of compliance status over time.
Why Other Options are Incorrect:
- Option A: Configure AWS KMS to publish to an Amazon Simple Notification Service (Amazon SNS) topic when keys are more than 90 days old. AWS KMS does not natively offer a mechanism to publish to SNS based on key age. KMS publishes events for key usage and management operations (like key rotation actions, not lack thereof), but not based on a period since the last rotation.
- Option B: Configure an Amazon EventBridge event to launch an AWS Lambda function to call the AWS Trusted Advisor API and publish to an Amazon Simple Notification Service (Amazon SNS) topic. While EventBridge and Lambda can be used, using Trusted Advisor for this specific KMS key rotation check isn’t ideal. Trusted Advisor provides high-level best practices, cost optimization, security improvements, performance enhancements, and service limits. Tracking key rotation through AWS Config provides a more focused and auditable solution. The Trusted Advisor API doesn’t specifically target KMS key rotation in a way that easily facilitates the 90-day check.
- Option D: Configure AWS Security Hub to publish to an Amazon Simple Notification Service (Amazon SNS) topic when keys are more than 90 days old. AWS Security Hub aggregates findings from various AWS security services. While Security Hub might surface findings related to KMS keys through integrations with other services, it doesn’t directly monitor key age and trigger SNS notifications based on a 90-day threshold for rotation. It relies on other services or integrated third-party tools to provide such detailed configuration analysis. Security Hub findings are often more general security alerts, rather than specific configuration violations like the age of a KMS key.
Supporting Documentation:
Amazon SNS: https://aws.amazon.com/sns/
AWS Config: https://aws.amazon.com/config/
AWS Config Custom Rules: https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config.html
AWS KMS Key Rotation: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
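Added example, not code from the original page: the evaluation logic for the Config custom rule that option C describes, written to run offline on constructed key metadata. The Lambda/boto3 plumbing (kms:ListKeys, kms:DescribeKey, config:PutEvaluations) is replaced by an injected fetch function, and the optional LastRotationDate field is an assumption the caller would populate from kms:ListKeyRotations.

```python
"""AWS Config custom-rule logic: flag KMS keys whose material is older than 90 days.

Added example, not from the original Q&A. It follows the Config custom-rule
contract (invokingEvent/ruleParameters in, PutEvaluations entries out); the
kms:ListKeys + kms:DescribeKey calls are replaced by an injected fetch_keys
callable so it runs offline. Key ids, dates and the event are constructed.
"""
import json
from datetime import datetime, timedelta, timezone

DEFAULT_MAX_AGE_DAYS = 90

def evaluate_key(meta, now, max_age_days=DEFAULT_MAX_AGE_DAYS):
    """Return (ComplianceType, Annotation) for one DescribeKey metadata record.
    Manual rotation creates a NEW key, so CreationDate is the last rotation date;
    if the caller populates LastRotationDate (e.g. from kms:ListKeyRotations) the
    later date wins. AWS-managed keys and keys that are not Enabled (retired
    predecessors kept only for decryption) are NOT_APPLICABLE, not failed."""
    if meta.get("KeyManager") != "CUSTOMER" or meta.get("KeyState") != "Enabled":
        return "NOT_APPLICABLE", "AWS-managed or non-enabled key"
    rotated = max(meta["CreationDate"], meta.get("LastRotationDate") or meta["CreationDate"])
    age = (now - rotated).days
    if age > max_age_days:
        return "NON_COMPLIANT", f"key material is {age} days old (limit {max_age_days})"
    return "COMPLIANT", f"key material is {age} days old"

def build_evaluations(keys, now, ordering_ts, max_age_days=DEFAULT_MAX_AGE_DAYS):
    """One PutEvaluations entry per key; Config notifies SNS when a key's
    ComplianceType changes, which is the alert the security team asked for."""
    evaluations = []
    for meta in keys:
        ctype, note = evaluate_key(meta, now, max_age_days)
        evaluations.append({"ComplianceResourceType": "AWS::KMS::Key",
                            "ComplianceResourceId": meta["KeyId"],
                            "ComplianceType": ctype, "Annotation": note,
                            "OrderingTimestamp": ordering_ts})
    return evaluations

def handler(event, fetch_keys, now=None):
    """Periodic-rule entry point. In Lambda the result is sent with
    config.put_evaluations(Evaluations=..., ResultToken=event["resultToken"])."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    max_age = int(params.get("MaxAgeDays", DEFAULT_MAX_AGE_DAYS))
    now = now or datetime.now(timezone.utc)
    return build_evaluations(fetch_keys(), now, invoking["notificationCreationTime"], max_age)

# Constructed sample data: stale, fresh, retired and AWS-managed keys.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"KeyId": "k-stale", "KeyManager": "CUSTOMER", "KeyState": "Enabled",
     "CreationDate": NOW - timedelta(days=120)},
    {"KeyId": "k-fresh", "KeyManager": "CUSTOMER", "KeyState": "Enabled",
     "CreationDate": NOW - timedelta(days=30)},
    {"KeyId": "k-retired", "KeyManager": "CUSTOMER", "KeyState": "Disabled",
     "CreationDate": NOW - timedelta(days=400)},
    {"KeyId": "k-aws-managed", "KeyManager": "AWS", "KeyState": "Enabled",
     "CreationDate": NOW - timedelta(days=700)},
]
SAMPLE_EVENT = {"resultToken": "constructed-token",
                "ruleParameters": json.dumps({"MaxAgeDays": "90"}),
                "invokingEvent": json.dumps({"messageType": "ScheduledNotification",
                                             "notificationCreationTime": "2024-06-01T00:00:00.000Z"})}
```

Calling `handler(SAMPLE_EVENT, lambda: SAMPLE_KEYS, NOW)` marks only k-stale NON_COMPLIANT; the disabled predecessor and the AWS-managed key are reported NOT_APPLICABLE so they do not raise false alarms.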
Question.10 A security review has identified that an AWS CodeBuild project is downloading a database population script from an Amazon S3 bucket using an unauthenticated request. The security team does not allow unauthenticated requests to S3 buckets for this project. How can this issue be corrected in the MOST secure manner?
(A) Add the bucket name to the AllowedBuckets section of the CodeBuild project settings. Update the build spec to use the AWS CLI to download the database population script.
(B) Modify the S3 bucket settings to enable HTTPS basic authentication and specify a token. Update the build spec to use cURL to pass the token and download the database population script.
(C) Remove unauthenticated access from the S3 bucket with a bucket policy. Modify the service role for the CodeBuild project to include Amazon S3 access. Use the AWS CLI to download the database population script.
(D) Remove unauthenticated access from the S3 bucket with a bucket policy. Use the AWS CLI to download the database population script using an IAM access key and a secret access key.
Answer: C
Explanation:
The correct answer is C. Here’s a detailed justification:
Why Option C is the MOST Secure:
Option C enforces the principle of least privilege and uses AWS best practices for secure access management.
- Restricting Unauthenticated Access: Removing unauthenticated access from the S3 bucket is a crucial first step. This prevents anyone without proper credentials from accessing the database population script. A bucket policy is the standard method for controlling access to an S3 bucket.
- Leveraging IAM Roles: IAM roles are the preferred method for granting permissions to AWS services. CodeBuild, like other AWS services, can assume an IAM role that defines what resources it can access. Instead of using potentially exposed access keys, a service role automatically provides temporary credentials for access.
- Granting S3 Access via Service Role: Modifying the CodeBuild’s service role to include Amazon S3 access means CodeBuild will be able to access S3 buckets securely, eliminating the need for unauthenticated requests or storing sensitive keys within the CodeBuild project.
- Using AWS CLI for Authentication: The AWS CLI automatically uses the credentials provided by the service role to authenticate and authorize requests. Thus, the aws s3 cp or aws s3 sync commands will download the database population script using the role’s permissions.
Why Other Options are Less Secure or Incorrect:
- Option A: Adding the bucket to the AllowedBuckets section is a deprecated feature and doesn’t inherently provide authentication or authorization. It just tells CodeBuild what buckets it can attempt to access, not how to access them securely. It doesn’t address the core issue of unauthenticated access.
- Option B: Enabling HTTP basic authentication on an S3 bucket is highly discouraged. It is less secure than using IAM roles because it involves managing and storing secrets (tokens), which are susceptible to leakage. Furthermore, HTTP basic authentication is generally used with HTTPS.
- Option D: Storing IAM access keys and secret access keys directly in the CodeBuild environment (or worse, in the build script) is a major security risk. If these keys are compromised, an attacker can use them to access any AWS resources that the keys have permissions to access. This defeats the purpose of using roles.
Supporting Cloud Computing Concepts:
- Principle of Least Privilege: Only grant the minimum necessary permissions to a user or service. Option C adheres to this by granting CodeBuild only the S3 access required to download the script.
- IAM Roles: IAM roles are a secure way to grant permissions to AWS services without needing to manage long-term credentials.
- Authentication vs. Authorization: Authentication verifies the identity of the user or service. Authorization determines what resources the authenticated identity is allowed to access.
Authoritative Links:
CodeBuild IAM Service Role: https://docs.aws.amazon.com/codebuild/latest/userguide/security-iam.html
IAM Roles: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html
S3 Bucket Policies: https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html
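Added example, not code from the original page: an offline audit of a bucket policy for the unauthenticated Allow statement the review found, a remediated copy of that policy, and the single-object IAM statement for the CodeBuild service role that option C calls for. Bucket name, object key and the sample policy are constructed, and nothing here calls AWS.

```python
"""Find unauthenticated-access statements in an S3 bucket policy and build the
least-privilege grant for the CodeBuild service role.
Added example, not from the original Q&A. Bucket name, object key and the
sample policy are constructed; nothing here calls AWS.
"""
import copy

BUCKET = "example-build-assets"  # constructed placeholder
SCRIPT_KEY = "db/populate.sql"   # constructed placeholder

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_wildcard_principal(principal):
    """Principal "*" or {"AWS": "*"} admits any caller, signed or anonymous."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def audit_bucket_policy(policy):
    """Classify Allow statements that use a wildcard principal.
    public: no Condition, so anonymous requests succeed outright.
    needs_review: a Condition narrows the grant (e.g. aws:PrincipalOrgID); check
    that it really excludes unsigned requests. Deny statements with Principal
    "*" (such as a TLS-only guard) are not reported."""
    report = {"public": [], "needs_review": []}
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", f"Statement[{i}]")
        report["needs_review" if stmt.get("Condition") else "public"].append(sid)
    return report

def remediated_policy(policy):
    """Copy of the policy with the unconditional public Allow statements removed;
    deny guards and scoped grants are kept for the operator to review."""
    public = set(audit_bucket_policy(policy)["public"])
    fixed = copy.deepcopy(policy)
    fixed["Statement"] = [s for i, s in enumerate(fixed["Statement"])
                          if s.get("Sid", f"Statement[{i}]") not in public]
    return fixed

def service_role_statement(bucket=BUCKET, key=SCRIPT_KEY):
    """IAM statement for the CodeBuild service role: read this one object only.
    The build spec then runs `aws s3 cp s3://<bucket>/<key> .` with no stored
    credentials; the CLI picks up the role's temporary ones automatically."""
    return {"Sid": "ReadDbPopulationScript", "Effect": "Allow",
            "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/{key}"}

# Constructed sample: the kind of bucket policy the security review might find.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicReadScript", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "OrgReadOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-constructed"}}},
]}

if __name__ == "__main__":
    print(audit_bucket_policy(SAMPLE_POLICY))
    print([s["Sid"] for s in remediated_policy(SAMPLE_POLICY)["Statement"]])
```

Feed the output of `aws s3api get-bucket-policy` into `audit_bucket_policy` to confirm the unauthenticated Allow is gone after remediation, and attach `service_role_statement()` to the project's service role rather than any access key.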