
AWS. DVA-C01 :: Security Exam3

Test title:
AWS. DVA-C01 :: Security Exam3

Description:
aws certifications

Creation date: 2022/11/17

Category: Other

Number of questions: 15

Contents:

You are a software developer for a multinational investment bank which has a hybrid cloud architecture with AWS. To improve the security of their applications, they decided to use AWS Key Management Service (KMS) to create and manage their encryption keys across a wide range of AWS services. You were given the responsibility to integrate AWS KMS with the financial applications of the company. Which of the following are the recommended steps to locally encrypt data using AWS KMS that you should follow? (Select TWO.)
- Use the GenerateDataKey operation to get a data encryption key then use the plaintext data key in the response to encrypt data locally.
- Erase the plaintext data key from memory and store the encrypted data key alongside the locally encrypted data.
- Erase the encrypted data key from memory and store the plaintext data key alongside the locally encrypted data.
- Encrypt data locally using the Encrypt operation.
- Use the GenerateDataKeyWithoutPlaintext operation to get a data encryption key then use the plaintext data key in the response to encrypt data locally.

A developer is using API Gateway Lambda Authorizer to securely authenticate the API requests to their web application. The authentication process should be implemented using a custom authorization scheme which accepts header and query string parameters from the API caller. Which of the following methods should the developer use to properly implement the above requirement?
- Request Parameter-based Authorization.
- Amazon Cognito User Pools Authorizer.
- Cross-Account Lambda Authorizer.
- Token-based Authorization.

A company is currently in the process of integrating their on-premises data center to their cloud infrastructure in AWS. One of the requirements is to integrate the on-premises Lightweight Directory Access Protocol (LDAP) directory service to their AWS VPC using IAM. Which of the following provides the MOST suitable solution to implement if the identity store that they are using is not compatible with SAML?
- Create a custom identity broker application in your on-premises data center and use STS to issue short-lived AWS credentials.
- Set up an IAM policy that references the LDAP identifiers and AWS credentials.
- Implement the AWS Single Sign-On (SSO) service to enable single sign-on between AWS and your LDAP.
- Create IAM roles to rotate the IAM credentials whenever LDAP credentials are updated.

To improve their information security management system (ISMS), a company recently released a new policy which requires all database credentials to be encrypted and be automatically rotated to avoid unauthorized access. Which of the following is the MOST appropriate solution to secure the credentials?
- Create a secret in AWS Secrets Manager and enable automatic rotation of the database credentials.
- Create an IAM Role which has full access to the database. Attach the role to the services which require access.
- Enable IAM DB authentication which rotates the credentials by default.
- Create a parameter to the Systems Manager Parameter Store using the PutParameter API with a type of SecureString.

A company has a suite of web applications that is heavily using RDS database in Multi-AZ Deployments configuration with several Read Replicas. For improved security, you were instructed to ensure that all of their database credentials, API keys, and other secrets are encrypted and rotated on a regular basis. You should also configure your applications to use the latest version of the encrypted credentials when connecting to the RDS database. Which of the following is the MOST appropriate solution to secure the credentials?
- Use AWS Secrets Manager to store and encrypt the credentials and enable automatic rotation.
- Store the credentials to AWS ACM.
- Store the credentials to Systems Manager Parameter Store with a SecureString data type.
- Store the credentials in AWS KMS.

A serverless application is composed of several Lambda functions which read data from RDS. These functions must share the same connection string that should be encrypted to improve data security. Which of the following is the MOST secure way to meet the above requirement?
- Create a Secure String Parameter using the AWS Systems Manager Parameter Store.
- Use AWS Lambda environment variables encrypted with CloudHSM.
- Create an IAM Execution Role that has access to RDS and attach it to the Lambda functions.
- Use AWS Lambda environment variables encrypted with KMS which will be shared by the Lambda functions.

A developer is building an application that will be hosted in ECS and must be configured to run tasks and services using the Fargate launch type. The application will have four different tasks, each of which will access different AWS resources than the others. Which of the following is the MOST efficient solution that can provide your application in ECS access to the required AWS resources?
- Create 4 different IAM Roles with the required permissions and attach them to each of the 4 ECS tasks.
- Create an IAM Group with all the required permissions and attach them to each of the 4 ECS tasks.
- Create 4 different Container Instance IAM Roles with the required permissions and attach them to each of the 4 ECS tasks.
- Create 4 different Service-Linked Roles with the required permissions and attach them to each of the 4 ECS tasks.

A developer runs a shell script that uses the AWS CLI to upload a large file to an S3 bucket, which includes an AWS KMS key. An Access Denied error always shows up whenever the developer uploads a file with a size of 100 GB or more. However, when he tried to upload a smaller file with the KMS key, the upload succeeds. Which of the following are possible reasons why this issue is happening? (Select TWO.)
- The developer does not have the kms:Decrypt permission.
- The AWS CLI S3 commands perform a multipart upload when the file is large.
- The developer's IAM permission has an attached inline policy that restricts him from uploading a file to S3 with a size of 100 GB or more.
- The developer does not have the kms:Encrypt permission.
- The maximum size that can be encrypted in KMS is only 100 GB.

A startup has recently launched a high-quality photo sharing portal using Amazon Lightsail and S3. They noticed that there are other external websites which are linking and using their photos without permission. This has caused an increase in their data transfer cost and potential revenue loss. Which of the following is the MOST effective method to solve this issue?
- Configure the S3 bucket to remove public read access and use pre-signed URLs with expiry dates.
- Block the IP addresses of the offending websites using Network Access Control List.
- Use a CloudFront web distribution to serve the photos.
- Enable cross-origin resource sharing (CORS) which allows cross-origin GET requests from all origins.

Your team is developing a serverless application, which is composed of multiple Lambda functions which process data from an SQS queue and store the results to an RDS database. To comply with the strict IT policy of the company, you were instructed to configure these functions to share the same connection string that should be properly secured and encrypted. What should you do to protect, encrypt, and share your database credentials in AWS?
- Use AWS Systems Manager Parameter Store as a Secure String Parameter.
- Use IAM DB Authentication in RDS to allow encrypted connections from each Lambda function.
- Store the database credentials as environment variables with KMS encryption which will be shared by the Lambda functions.
- Encrypt the database credentials and store them in an S3 bucket which the Lambda functions can fetch.

A developer is using API Gateway Lambda Authorizer to provide authentication for every API request and control access to your API. The requirement is to implement an authentication strategy which is similar to OAuth or SAML. Which of the following is the MOST suitable method that the developer should use in this scenario?
- Token-based Authorization.
- Request Parameter-based Authorization.
- AWS STS-based Authentication.
- Cross-Account Lambda Authorizer.

A developer needs to encrypt all objects being uploaded by their application to the S3 bucket to comply with the company’s security policy. The bucket will use server-side encryption with Amazon S3-Managed encryption keys (SSE-S3) to encrypt the data using 256-bit Advanced Encryption Standard (AES-256) block cipher. Which of the following request headers should the developer use?
- x-amz-server-side-encryption
- x-amz-server-side-encryption-customer-key-MD5
- x-amz-server-side-encryption-customer-key
- x-amz-server-side-encryption-customer-algorithm

A programmer is developing a Node.js application which will be run in a Linux server on their on-premises data center. The application will access various AWS services such as S3, DynamoDB, and ElastiCache using the AWS SDK. Which of the following is the MOST suitable way to provide access to the developer in order to accomplish the specified task?
- Go to the AWS Console and create a new IAM user with programmatic access. In the application server, create the credentials file at ~/.aws/credentials with the access keys of the IAM user.
- Create an IAM role with the appropriate permissions to access the required AWS services and assign the role to the on-premises Linux server. Whenever the application needs to access any AWS services, request for temporary security credentials from STS using the AssumeRole API.
- Go to the AWS Console and create a new IAM User with the appropriate permissions. In the application server, create the credentials file at ~/.aws/credentials with the username and the hashed password of the IAM User.
- Create an IAM role with the appropriate permissions to access the required AWS services. Assign the role to the on-premises Linux server.

Category: CDA – Deployment
A developer is preparing the application specification (AppSpec) file in CodeDeploy, which will be used to deploy her Lambda functions to AWS. In the deployment, she needs to configure CodeDeploy to run a task before the traffic is shifted to the deployed Lambda function version. Which deployment lifecycle event should she configure in this scenario?
- BeforeAllowTraffic
- Start
- BeforeInstall
- Install

Your manager assigned you a task of implementing server-side encryption with customer-provided encryption keys (SSE-C) to your S3 bucket, which will allow you to set your own encryption keys. Amazon S3 will manage both the encryption and decryption process using your key when you access your objects, which will remove the burden of maintaining any code to perform data encryption and decryption. To properly upload data to this bucket, which of the following headers must be included in your request?
- x-amz-server-side-encryption-customer-algorithm, x-amz-server-side-encryption-customer-key and x-amz-server-side-encryption-customer-key-MD5 headers.
- x-amz-server-side-encryption-customer-key header only.
- x-amz-server-side-encryption and x-amz-server-side-encryption-aws-kms-key-id headers.
- x-amz-server-side-encryption, x-amz-server-side-encryption-customer-key and x-amz-server-side-encryption-customer-key-MD5 headers.
