
Security and Identity (completed on 17-February-2021)

Attempt: 1
Marks Obtained: 9 / 10
Your score: 90%
Time Taken: N/A
Result: Passed. Congratulations, you passed. Keep it up!


Domain-wise Quiz Performance Report

No | Domain                                        | Total Question | Correct | Incorrect | Unattempted | Marked as Review
1  | Design for New Solutions                      | 6              | 5       | 1         | 0           | 2
2  | Continuous Improvement for Existing Solutions | 3              | 3       | 0         | 0           | 0
3  | Migration Planning                            | 1              | 1       | 0         | 0           | 0
   | Total All Domain                              | 10             | 9       | 1         | 0           | 2

Review the Answers

Question 1 Correct

Domain: Design for New Solutions

You are in charge of maintaining an Oracle database in RDS. The development team tells you that the database instance needs to communicate with a new S3 bucket. For example, it should be able to save the backup files to S3, and at the same time, it can fetch Oracle Data Pump files from the same bucket when required. In order to connect the database instance with the particular S3 bucket successfully, which options are the prerequisites? (Select TWO.)

A. Configure an IAM role with a policy that allows reading and writing the S3 bucket objects. Associate the role with the RDS instance.

B. Create a parameter group that includes the parameter for the IAM S3 service role name. Attach the parameter group to the DB instance.

C. Configure a new DB subnet group. Link the DB instance with the subnet group.

D. For the new S3 bucket, ensure the Block Public Access settings are turned off. Enable public access for the S3 bucket or add the S3 endpoint for the bucket.

E. Create an option group that includes the S3_INTEGRATION option. Associate the DB instance with the option group.

Explanation:

Correct Answer – A, E

For how to transfer files between RDS Oracle and S3, please refer to https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/oracle-s3-integration.html.

Option A is CORRECT: Because an IAM role is required to allow the DB instance to interact with the S3 bucket.

Option B is incorrect: Because a parameter group is not a necessary condition for this scenario.

Option C is incorrect: Because a new subnet group is not required. The default subnet group also works.

Option D is incorrect: Because the S3 bucket does not need public access. RDS and S3 can communicate with each other within the same VPC.

Option E is CORRECT: Because an option group that includes the S3_INTEGRATION option should be attached to the DB instance. Check the below screenshot on how to add the S3_INTEGRATION option to the option group:


Question 2 Correct

Domain: Continuous Improvement for Existing Solutions

In your organization, your DevOps team is in charge of provisioning resources in an AWS account. Tim was a team member and created a Customer Managed Key in KMS several months ago. The default key policy was removed, and the key policy is as below:

{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-1",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:user/Tim"},
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}

When Tim leaves the company, his accounts are deleted, including the above IAM user. As a result, the CMK becomes unmanageable: other users can neither view nor use it. How should you deal with this problem?

A. Contact AWS Support to regain access to the CMK.

B. Log in as the root user of the AWS account and add another user as the key administrator.

C. Use the IAM admin user to edit the key policy to allow all actions for the principal arn:aws:iam::111122223333:root. Add other IAM users as key administrators or users if required.

D. Create an IAM policy that allows the action kms:PutKeyPolicy and attach the policy to an IAM user. Log in to the AWS console with that user and modify the key policy to the default one.

Explanation:

Correct Answer – A

For the default and recommended key policies in KMS, check the AWS documentation at https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default. The default key policy statement is as below:

{
  "Sid": "Enable IAM User Permissions",
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
  "Action": "kms:*",
  "Resource": "*"
}

This allows the permissions of the key to be managed by IAM policies.

Option A is CORRECT: Because even the root user cannot manage it. You have to contact AWS Support to restore access.

Option B is incorrect: Because the root user cannot manage the key policy either, as the policy does not allow the root user to do that.

Option C is incorrect: Because the key policy cannot be modified by any IAM user anymore.

Option D is incorrect: Because the key policy still denies the action even if the IAM user has an IAM policy that allows it.
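As an added example (not part of the quiz report or any AWS tooling), the check below parses a KMS key policy and flags the lockout pattern this question describes: every principal allowed to call kms:PutKeyPolicy is an individual IAM user or role, with no grant to the account root principal that the default policy uses. Both sample policies are reconstructed from the question and the default statement quoted above.

```python
import fnmatch
import re

# Constructed from the quiz scenario: the only grant goes to one IAM user (Tim).
TIM_POLICY = {"Version": "2012-10-17", "Id": "key-consolepolicy-1", "Statement": [{
    "Sid": "Enable IAM User Permissions", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:user/Tim"},
    "Action": "kms:*", "Resource": "*"}]}

# The default key policy statement: the account root principal delegates to IAM.
DEFAULT_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Enable IAM User Permissions", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "kms:*", "Resource": "*"}]}

ROOT_ARN = re.compile(r"^arn:aws:iam::\d{12}:root$")


def _as_list(value):
    """Normalise a policy element that may be a string, a list, or absent."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _aws_principals(statement):
    """AWS principals of a statement; the wildcard '*' is returned literally."""
    principal = statement.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS"))
    return []


def _allows(statement, action):
    """True if an Allow statement covers `action`, honouring wildcards such as kms:*."""
    if statement.get("Effect") != "Allow":
        return False
    return any(fnmatch.fnmatchcase(action, pattern)
               for pattern in _as_list(statement.get("Action")))


def key_policy_administrators(policy):
    """Principals that may call kms:PutKeyPolicy, i.e. rewrite the policy itself."""
    admins = []
    for statement in policy.get("Statement", []):
        if _allows(statement, "kms:PutKeyPolicy"):
            admins.extend(_aws_principals(statement))
    return admins


def lockout_risk(policy):
    """Return a finding string, or None when the key stays manageable.

    The key is safe only when some kms:PutKeyPolicy grant goes to the account
    root principal (or '*'). Grants to named users/roles alone mean that
    deleting those principals orphans the key, which only AWS Support can fix.
    """
    admins = key_policy_administrators(policy)
    if not admins:
        return "no principal may call kms:PutKeyPolicy"
    if any(p == "*" or ROOT_ARN.match(p) for p in admins):
        return None
    return ("key policy administrators are individual principals only: "
            + ", ".join(sorted(admins)))
```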


Question 3 Correct

Domain: Continuous Improvement for Existing Solutions

A company has a new S3 bucket which stores very sensitive files. These objects are supposed to be used only by a limited set of IAM admin users. Other IAM users or roles should not have access. Users in other AWS accounts cannot assume any role to read the S3 objects either. You plan to use the S3 bucket policy to apply the security rules. Which option is the most secure one?

A.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": [
      "arn:aws:iam::444455556666:user/Admin",
      "arn:aws:iam::444455556666:root"
    ]},
    "Action": "s3:*",
    "Resource": [
      "arn:aws:s3:::BUCKETNAME",
      "arn:aws:s3:::BUCKETNAME/*"
    ]
  }]
}

B.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "NotPrincipal": {"AWS": [
      "arn:aws:iam::444455556666:user/Admin",
      "arn:aws:iam::444455556666:root"
    ]},
    "Action": "s3:*",
    "Resource": [
      "arn:aws:s3:::BUCKETNAME",
      "arn:aws:s3:::BUCKETNAME/*"
    ]
  }]
}

C.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "NotPrincipal": {"AWS": [
      "arn:aws:iam::444455556666:user/User1",
      "arn:aws:iam::444455556666:user/User2",
      "arn:aws:iam::444455556666:user/UserX"
    ]},
    "Action": "s3:*",
    "Resource": [
      "arn:aws:s3:::BUCKETNAME",
      "arn:aws:s3:::BUCKETNAME/*"
    ]
  }]
}

D.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Principal": {"AWS": [
      "arn:aws:iam::444455556666:user/User1",
      "arn:aws:iam::444455556666:user/User2",
      "arn:aws:iam::444455556666:user/UserX"
    ]},
    "Action": "s3:*",
    "Resource": [
      "arn:aws:s3:::BUCKETNAME",
      "arn:aws:s3:::BUCKETNAME/*"
    ]
  }]
}

Explanation:

Correct Answer – B

An explicit deny should be considered, as it takes the highest priority even if the action is explicitly allowed somewhere else. Options A and C are eliminated. For option D, it is not realistic to list all users and roles to deny the action. The only option left is option B. For how to use NotPrincipal, refer to https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notprincipal.html.

Option A is incorrect: Because other users can access the bucket as well if they have an Allow in their IAM policies. An explicit deny should be used.

Option B is CORRECT: With this policy, only the user Admin and root can access the bucket objects. Other IAM entities are denied.

Option C is incorrect: Because it is unsuitable to use Allow with NotPrincipal. Any IAM users or roles which are not in the NotPrincipal list can access the objects.

Option D is incorrect: Because you would have to list all IAM users and roles in the Principal list, which is not appropriate.
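The four options evaluated in code, as an added example that is not part of the quiz report: a minimal model of Principal/NotPrincipal matching in which an explicit Deny wins, run against the listed Admin and root principals plus a constructed, unlisted role. Action, Resource and Condition matching are left out because all four options use s3:* on the same bucket.

```python
ACCOUNT = "444455556666"
ADMIN = f"arn:aws:iam::{ACCOUNT}:user/Admin"
ROOT = f"arn:aws:iam::{ACCOUNT}:root"
USER1 = f"arn:aws:iam::{ACCOUNT}:user/User1"
# Constructed for the example: a role that none of the four options lists anywhere.
STRANGER = f"arn:aws:iam::{ACCOUNT}:role/Stranger"
ALL_CALLERS = [ADMIN, ROOT, USER1, STRANGER]


def bucket_policy(effect, element, arns):
    """Build a one-statement bucket policy shaped like the quiz options."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": effect, element: {"AWS": arns}, "Action": "s3:*",
        "Resource": ["arn:aws:s3:::BUCKETNAME", "arn:aws:s3:::BUCKETNAME/*"]}]}


OPTION_A = bucket_policy("Allow", "Principal", [ADMIN, ROOT])
OPTION_B = bucket_policy("Deny", "NotPrincipal", [ADMIN, ROOT])
OPTION_C = bucket_policy("Allow", "NotPrincipal", [USER1])
OPTION_D = bucket_policy("Deny", "Principal", [USER1])


def _arns(element):
    """Principal/NotPrincipal value -> set of ARNs; '*' is kept as a wildcard."""
    if element == "*":
        return {"*"}
    aws = element.get("AWS", []) if isinstance(element, dict) else []
    return set(aws) if isinstance(aws, list) else {aws}


def statement_applies(statement, caller):
    """Principal matches the listed callers; NotPrincipal matches everyone NOT listed."""
    if "Principal" in statement:
        listed = _arns(statement["Principal"])
        return "*" in listed or caller in listed
    if "NotPrincipal" in statement:
        return caller not in _arns(statement["NotPrincipal"])
    return False


def evaluate(policy, caller):
    """Return 'deny' (explicit, wins over everything), 'allow', or 'implicit-deny'.

    'implicit-deny' means the bucket policy itself says nothing about the
    caller; a same-account IAM policy can still grant access in that case,
    which is exactly why options A and D do not lock the bucket down.
    """
    effects = {s["Effect"] for s in policy["Statement"] if statement_applies(s, caller)}
    if "Deny" in effects:
        return "deny"
    return "allow" if "Allow" in effects else "implicit-deny"


def blocked_callers(policy, callers):
    """Callers the bucket policy explicitly denies, whatever their IAM policies say."""
    return [c for c in callers if evaluate(policy, c) == "deny"]
```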


Question 4 Correct

Domain: Migration Planning

As an AWS Solutions Architect, you need to configure an identity service in AWS based on SAML. Since you already have a SAML identity provider outside of AWS, you plan to use the same IdP to manage user identities. In order to create the SAML identity provider in IAM, the below steps may be required:
1. Configure the SAML IdP with a relying party trust.
2. Use the AWS CLI assume-role-with-web-identity to return a set of temporary security credentials for authentication.
3. Get the SAML metadata document from the IdP.
4. Create a SAML IAM identity provider from the AWS console or CLI.
5. In the IdP, configure SAML assertions for the authentication response.
Which one describes the correct sequence?

A. 4 -> 1 -> 5 -> 2

B. 3 -> 1 -> 4 -> 2

C. 1 -> 4 -> 3 -> 5

D. 3 -> 4 -> 1 -> 5

Explanation:

Correct Answer – D

Please check https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html on how to create IAM SAML identity providers.

Option A is incorrect: Because assume-role-with-web-identity is not used for a SAML identity provider. Step 2 should not be included.

Option B is incorrect: Same reason as Option A.

Option C is incorrect: Before creating the identity provider, you need to get the metadata document from the IdP.

Option D is CORRECT: After creating the identity provider in step 4, you need to configure the IdP side as in steps 1 and 5, which add the relying party trust between the IdP and AWS.


Question 5 Correct

Domain: Design for New Solutions

Your team is developing an Android app. You need to use an Amazon Cognito Identity Pool to create unique identities for the app users and federate them
with the identity provider from Google. You also want to allow unauthenticated guest access for the application. Guests can get temporary tokens for limited
access. How would you implement the guest access using Amazon Cognito?

A. Enable unauthenticated access in the Cognito Identity Pool. Guest users can request an identity ID via the GetId API.

B. Activate the unauthenticated access feature in the Cognito User Pool. Link the User Pool in the Cognito Identity Pool.

C. Users can get guest credentials via the GetCredentialsForIdentity API with a request type of Guest.

D. Guest users can request temporary tokens by using the GetOpenIdToken API.

Explanation:

Correct Answer – A

For how to use an Identity Pool for federated identities in AWS Cognito, please refer to https://docs.aws.amazon.com/cognito/latest/developerguide/identity-pools.html. The authentication flow can be found in https://docs.aws.amazon.com/en_pv/cognito/latest/developerguide/authentication-flow.html.

Option A is CORRECT: Because the unauthenticated access feature can be enabled in Cognito Identity Pool as below:

Option B is incorrect: Because the feature of unauthenticated identities is managed in Cognito Identity Pool instead of User Pool.

Option C is incorrect: Because the GetCredentialsForIdentity API does not have a request type of Guest.

Option D is incorrect: Because the GetOpenIdToken API does not provide the temporary tokens. Users can request a new temporary identity ID via the
GetId API.


Question 6 Marked as review Incorrect

Domain: Design for New Solutions

You create an EBS snapshot for an application in non-production AWS account A. The snapshot is encrypted by a customer-managed key (CMK-A). In order
to deploy the same application in the production AWS account B, you need to create an AMI using the snapshot and launch an EC2 instance. The IAM admin
user in account B is allowed to use CMK-A. However, the production EC2 instance has to use its own customer-managed key (CMK-B) to encrypt the EBS
volume. Which solution is the best?

A. Copy the snapshot to another one and do not encrypt it. Share the new snapshot with account B.

B. Create an encrypted version of the snapshot (w/ CMK-A) and then create an AMI using the encrypted snapshot. Launch an EC2 instance using the AMI and encrypt the EBS volume with CMK-B.

C. Share the snapshot with account B and encrypt it with CMK-B. Create an AMI using the new snapshot and launch an EC2 instance.

D. Create an image in account B and change the encryption key to CMK-B. Launch an EC2 instance using the image.

Explanation:

Correct Answer – B

When sharing an Amazon EBS snapshot between accounts, there are cases in which a new CMK has to be used. References can be found in https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html and https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-copy-snapshot.html.

Option A is incorrect: Because encrypted snapshots cannot be copied to unencrypted ones.

Option B is CORRECT: Because when copying snapshots, the new snapshot can be encrypted with a new CMK. The AWS CLI command copy-snapshot uses the option --kms-key-id to specify the CMK.

The steps to create a properly encrypted EC2 AMI in account B are:

1. Share the EBS snapshot with account B.

2. As the IAM admin user in account B, copy the EBS snapshot from A to B using CMK-B (since it is shared and we have access to CMK-A, that works just fine).

3. As the IAM admin user in account B, create an EC2 AMI from the copied EBS snapshot.

Option C is incorrect: Because you need to create a copy of the snapshot; you cannot just share the snapshot between Account "A" and Account "B".

Option D is incorrect: Because you need to share the snapshot between Account "A" and Account "B". Without sharing you cannot create the image in Account "B".


Question 7 Correct

Domain: Design for New Solutions

You use AWS Cognito User Pool to configure a user directory for an application. You want to separate different users as readers, contributors, and editors of
the app. For example, the readers can only read contents from AWS S3 buckets, contributors are able to put contents into Amazon S3 buckets and editors
have the permissions to publish contents through an API in Amazon API Gateway. Which method is the best to achieve this requirement in AWS Cognito?

A. In IAM, add different groups and assign suitable IAM policies. In Amazon Cognito User Pool, assign users to the IAM groups.

B. Configure different IAM roles in IAM for readers, contributors and editors. In Amazon Cognito User Pool, configure each user with an IAM role.

C. In Amazon Cognito User Pool, create groups and assign IAM roles to them. Add users to the groups to assign the required permissions.

D. Directly attach an IAM policy to each user in Amazon Cognito User Pool. Make sure each user has an appropriate IAM policy according to the user role.

Explanation:

Correct Answer – C

In Amazon Cognito User Pool, you can organize users in groups, which enables you to better manage the permissions. Each group can be linked with an IAM role ARN. The reference can be found in https://docs.aws.amazon.com/en_pv/cognito/latest/developerguide/cognito-user-pools-user-groups.html.

Option A is incorrect: Because users should be added to groups in the Cognito User Pool instead of IAM.

Option B is incorrect: Because users in a Cognito User Pool cannot be configured directly with an IAM role.

Option C is CORRECT: Check the below example:

Group1 is linked with an IAM role and User1 is added to the group.

Option D is incorrect: Similar to Option B, it is inappropriate to directly attach an IAM policy to each user.


Question 8 Correct

Domain: Design for New Solutions

Your team creates a Customer Managed Key (CMK) in KMS in an AWS account (111122223333). The key is supposed to be used by another account (444455556666) for encryption and decryption operations. At the moment, it is known that only IAM user Bob and IAM role Admin in the account (444455556666) need access. Which configurations are required together to achieve this requirement? (Select TWO.)

A. Edit the Principal of the key policy as below:
  "Principal": {
    "AWS": [
      "arn:aws:iam::444455556666:root"
    ]
  }

B. Edit the Principal of the key policy as below:
  "Principal": {
    "AWS": [
      "arn:aws:iam::444455556666:role/Admin",
      "arn:aws:iam::444455556666:user/Bob"
    ]
  }

C. Edit the Principal of the key policy as below:
  "Principal": {
    "AWS": [
      "arn:aws:iam::444455556666:root",
      "arn:aws:iam::444455556666:role/Admin",
      "arn:aws:iam::444455556666:user/Bob"
    ]
  }

D. In account 444455556666, allow the KMS encryption and decryption actions as below:
  "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

E. In account 444455556666, allow the KMS encryption and decryption actions as below:
  "Principal": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

Explanation:

Correct Answer – B, D

Check https://docs.aws.amazon.com/en_pv/kms/latest/developerguide/key-policy-modifying-external-accounts.html on how to allow users or roles in other accounts to use a CMK.

Option A is incorrect: Because this key policy gives the whole external account (i.e. all users and roles in the external account) permission and violates the principle of least privilege.

Option B is CORRECT: Because this follows the principle of least privilege by giving permission only to "Admin" and "Bob", as per the stated requirements.

Option C is incorrect: Because "arn:aws:iam::444455556666:root" is not required.

Option D is CORRECT: In account 444455556666, IAM policies can be used to configure the permissions to use the key in another account. This option will work together with Option A to assign permissions.

Option E is incorrect: Because the field should be "Resource" instead of "Principal" in IAM policies, as it controls which resources the IAM entities are allowed to use.


Question 9 Correct

Domain: Continuous Improvement for Existing Solutions

You work in a DevOps team and your team maintains several applications deployed in AWS. At the moment, there are dozens of server certificates stored in IAM. These certificates are used for different purposes and have different expiry dates. You have to renew the certificates before they expire, otherwise the services will be impacted. You want to use another approach to renew and manage these certificates. Which method is the best?

A. In the IAM console, add a new strategy for server certificates to automatically renew one month before the expiry date.

B. Provision and manage the server certificates in AWS Certificate Manager (ACM). The certificates requested from ACM are automatically renewed.

C. In the IAM console, migrate the certificates from IAM to ACM; ACM can then automatically renew the certificates one month before the expiry date.

D. Import all third-party certificates into ACM. ACM is responsible for the automatic renewal of both third-party certificates and ACM-provided certificates.

Explanation:

Correct Answer – B

Check https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html on how to manage server certificates in IAM and ACM.

Option A is incorrect: Because for the imported server certificates in IAM, there is no IAM console to manage them. This is one major disadvantage of managing certificates in IAM.

Option B is CORRECT: Because ACM is the preferred solution. Certificates requested from ACM are free and automatically renewed.

Option C is incorrect: Because you cannot migrate the certificates from IAM to ACM directly. There is no such console to do that. For ACM, you can import third-party certificates into the service.

Option D is incorrect: Because ACM cannot automatically renew imported third-party certificates. You are responsible for monitoring the expiration date. Please check the reference at https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html.

Question 10 Marked as review Correct

Domain: Design for New Solutions

You start to use AWS Certificate Manager to manage certificates, and some existing certificates in IAM will not be used or will be replaced by the new ones in ACM. You have just created a new public server certificate for a domain name called www.example.com. However, the status of the certificate is "Pending validation". Which option can be used by ACM as a validation approach? (Select TWO.)

A. ACM sends an SMS to the registered phone number of the domain name. A user can validate it by clicking the validation URL.

B. Use DNS to validate the domain ownership. You can insert ACM-generated CNAME records into your DNS database.

C. If the domain name is registered by Route53, no validation action is required. Just wait for a while and it will be automatically validated.

D. ACM sends emails to the contact addresses of the domain name. You can validate the domain ownership in the email.

E. If the domain name is registered by Route53, there is a Pending Validation icon generated in the Registered Domains. Just click the Pending Validation icon and ACM will modify the certificate status to Issued.

Explanation:

Correct Answer – B, D

Refer to the below approaches on how to validate pending certificates in ACM:

https://docs.aws.amazon.com/en_pv/acm/latest/userguide/gs-acm-validate-dns.html

https://docs.aws.amazon.com/en_pv/acm/latest/userguide/gs-acm-validate-email.html

Option A is incorrect: Because ACM does not send an SMS to validate whether a user owns the domain name or not.

Option B is CORRECT: The user can choose either DNS validation or email validation, as below:

Option C is incorrect: Because domain names registered through Route53 still need to be validated.

Option D is CORRECT: The below email will be received as an email validation:

Option E is incorrect: Because there is no Pending Validation icon. You have to use either DNS validation or email validation.
