Security

5 minutes 5 Questions

Amazon ElastiCache ensures the security of your cache infrastructures through various mechanisms. Cache clusters and nodes are deployed within an Amazon Virtual Private Cloud (VPC), restricting access to only authorized users and resources. Network security can be further configured using security …

Test mode:

Exam (Timed)

Practice (With explanations)

Start practice test

Question 1

Which AWS service can be used to monitor and record API calls made to various AWS services for security and compliance purposes?

AWS CloudTrail Amazon Inspector for automated security assessments Amazon GuardDuty, which analyzes VPC Flow Logs, DNS logs, and AWS CloudTrail event logs AWS Config for tracking resource configuration changes

Correct Answer: AWS CloudTrail

AWS CloudTrail is the correct answer because it is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. CloudTrail records API calls made to various AWS services, including details about the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. This information can be used for security analysis, resource change tracking, and compliance auditing. Amazon GuardDuty analyzes logs but does not record API calls. AWS Config tracks resource configuration changes but not API calls specifically. Amazon Inspector is used for automated security assessments of applications, not for recording API calls.

Question 2

You are configuring a new Amazon EC2 instance to host a web application. Which of the following security best practices should you implement to protect the instance from unauthorized access?

Configure a security group to allow inbound traffic only on necessary ports and restrict access to specific IP ranges. Assign an Elastic IP address to the instance and configure it to accept all inbound traffic on all ports. Configure an IAM role with full administrative access and attach it to the EC2 instance for enhanced security measures. Enable public access to the instance and rely on the built-in firewall rules to filter traffic.

Correct Answer: Configure a security group to allow inbound traffic only on necessary ports and restrict access to specific IP ranges.

The best security practice for protecting an Amazon EC2 instance from unauthorized access is to configure a security group that allows inbound traffic only on necessary ports and restricts access to specific IP ranges. This ensures that only authorized traffic can reach the instance, minimizing the attack surface. Enabling public access and relying on built-in firewall rules is not recommended, as it exposes the instance to potential threats. Assigning an Elastic IP address and accepting all inbound traffic on all ports is a highly insecure practice that should be avoided. Attaching an IAM role with full administrative access to the EC2 instance is not a security best practice, as it violates the principle of least privilege and can lead to potential security risks if the instance is compromised.

Question 3

Your architecture has an EC2 instance in a VPC that needs to publish messages to an SNS topic. For enhanced security, what method should you use to grant the necessary permissions?

Access key and secret key Hardcoded AWS credentials IAM role assigned to the EC2 instance VPC endpoint for SNS

Correct Answer: IAM role assigned to the EC2 instance

To provide secure access to the SNS topic, you should assign an IAM role to the EC2 instance, which grants the necessary permissions. This method does not require storing sensitive credentials and adheres to the best practices for providing access to AWS resources.

🎓 Unlock Premium Access

AWS Certified Solutions Architect - Associate + ALL Certifications

Security

Guide for Security in Amazon Elasticache for AWS Solution Architect Exams

AWS Certified Solutions Architect - Security Example Questions

Question 1

Question 2

Question 3

🎓 Unlock Premium Access