Test title:
AWS. DVA-C01 :: Security Exam4

Description:
aws certifications

Author:
AVATAR

Creation date:
17/11/2022

Category:
Computing

Number of questions: 9
Contents:
You have a private S3 bucket that stores application logs and the bucket contents are accessible to all members of the Developer IAM group. However, you want to make an object inside the bucket which should only be accessible to the members of Admin IAM group. How can you apply an S3 bucket policy to this object using AWS CLI?
- None of the options.
- Use the put-bucket-policy --permission command.
- Use the put-bucket-policy --policy command.
- Use the put-bucket-policy --grants command.

A software engineer is building a serverless application in AWS consisting of Lambda, API Gateway, and DynamoDB. She needs to implement a custom authorization scheme that uses a bearer token authentication strategy such as OAuth or SAML to determine the caller’s identity. Which of the features of API Gateway is the MOST suitable one that she should use to build this feature?
- Lambda Authorizers
- Resource Policy
- Cross-Account Lambda Authorizer
- Cross-Origin Resource Sharing (CORS)

An application hosted in an Auto Scaling group of On-Demand EC2 instances is used to process data polled from an SQS queue and the generated output is stored in an S3 bucket. To improve security, you were tasked to ensure that all objects in the S3 bucket are encrypted at rest using server-side encryption with AWS KMS-Managed Keys (SSE-KMS). Which of the following is required to properly implement this requirement?
- Add a bucket policy which denies any s3:PutObject action unless the request includes the x-amz-server-side-encryption header.
- Add a bucket policy which denies any s3:PutObject action unless the request includes the x-amz-server-side-encryption-aws-kms-key-id header.
- Add a bucket policy which denies any s3:PostObject action unless the request includes the x-amz-server-side-encryption-aws-kms-key-id header.
- Add a bucket policy which denies any s3:PostObject action unless the request includes the x-amz-server-side-encryption header.

Your development team is currently developing a financial application in AWS. One of the requirements is to create and control the encryption keys used to encrypt your data using the envelope encryption strategy to comply with the strict IT security policy of the company. Which of the following correctly describes the process of envelope encryption?
- Encrypt plaintext data with a data key and then encrypt the data key with a top-level plaintext master key.
- Encrypt plaintext data with a master key and then encrypt the master key with a top-level encrypted data key.
- Encrypt plaintext data with a master key and then encrypt the master key with a top-level plaintext data key.
- Encrypt plaintext data with a data key and then encrypt the data key with a top-level encrypted master key.

You are developing a new batch job for the enterprise application suite in your company, which is hosted in an Auto Scaling group of EC2 instances behind an ELB. The application is using an S3 bucket configured with Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS). The batch job must upload files to the bucket using the default AWS KMS key to protect the data at rest. What should you do to satisfy this requirement with the LEAST amount of configuration?
- Include the x-amz-server-side-encryption header with a value of aws:kms in your upload request.
- Include the x-amz-server-side-encryption-customer-algorithm, x-amz-server-side-encryption-customer-key, and x-amz-server-side-encryption-customer-key-MD5 headers with appropriate values in the upload request.
- Include the x-amz-server-side-encryption header with a value of aws:kms as well as the x-amz-server-side-encryption-aws-kms-key-id header containing the ID of the default AWS KMS key in your upload request.
- Include the x-amz-server-side-encryption header with a value of AES256 in your upload request.

A web application is currently using an on-premises Microsoft SQL Server 2019 Enterprise Edition database. Your manager instructed you to migrate the application to Elastic Beanstalk and the database to RDS. For additional security, you must configure your database to automatically encrypt data before it is written to storage, and automatically decrypt data when the data is read from storage. Which of the following services will you use to achieve this?
- Enable Transparent Data Encryption (TDE).
- Use IAM DB Authentication.
- Enable RDS Encryption.
- Use Microsoft SQL Server Windows Authentication.

A developer is designing a multi-tiered system which utilizes various AWS resources. The application will be hosted in Elastic Beanstalk, which uses an RDS database and an S3 bucket that is configured to use Server-Side Encryption with Customer-Provided Encryption Keys (SSE-C). In this configuration, Amazon S3 does not store the encryption key you provide but instead, stores a randomly salted hash-based message authentication code (HMAC) value of the encryption key in order to validate future requests. Which of the following is a valid consideration that the developer should keep in mind when implementing this architecture?
- If you lose the encryption key, you lose the object.
- The salted HMAC value can be used to decrypt the contents of the encrypted object.
- If you lose the encryption key, the salted HMAC value can be used to decrypt the object.
- The salted HMAC value can be used to derive the value of the encryption key.

You work for a software development company where the teams are divided into distinct projects. The management wants to have separation on their AWS resources, which will have a detailed report on the costs of each project. Which of the following options is the recommended way to implement this?
- Create separate AWS accounts for each project and use consolidated billing.
- Create separate AWS accounts for each project and generate Detailed Billing for each account.
- Tag resources by IAM group assigned for each project and use Detailed Billing reports to show costing.
- Tag resources by projects and use Detailed Billing Reports to show costing per tag.

A developer is working on an application that will process files encrypted with a data key generated from a KMS key. The application needs to decrypt the files locally before it can proceed with the processing of the files. Which of the following are valid and secure steps in decrypting data? (Select TWO.)
- Use the Decrypt operation to decrypt the encrypted data key.
- Use the plaintext data key to decrypt data locally, then erase the plaintext data key from memory.
- Use the Decrypt operation to decrypt the plaintext data key.
- Use the plaintext data key to decrypt data locally, then erase the encrypted data key from memory.
- Use the encrypted data key to decrypt data locally, then erase the encrypted data key from memory.