Security and Access Control

5 minutes 5 Questions

Security and access control in AWS Elastic Beanstalk is achieved through the integration of AWS Identity and Access Management (IAM), EC2 security groups, and environment-level configurations. IAM allows you to manage permissions for Elastic Beanstalk resources and actions, creating policies and ro…

AWS Elastic Beanstalk: Security and Access Control Guide

Importance:
Security and Access Control is critical in AWS Elastic Beanstalk as it allows only authorized users to access and manage AWS resources. Controlling who can do what with the resources is key to maintaining the confidentiality, integrity, and availability of data.

What It Is:
Security and Access Control in AWS involves identification, authentication, authorization, and accountability of all users. AWS provides tools like Identity Access Management (IAM) and security groups to achieve this.

How It Works:
Identity Access Management (IAM): This tool allows you to manage users and their access to AWS resources. You can create users, groups, and roles, and manage their permissions.
Security Groups: These act as a virtual firewall for your instance, controlling inbound and outbound traffic.

Answering Exam Questions:
When answering exam questions on Security and Access Control, keep these tips in mind:
- Understand the role and capabilities of IAM.
- Know the difference between IAM policies and Security Group rules.
- Understand how AWS manages and secures data.
- Remember that Security and Access Control extends to all aspects of AWS, not just data storage.

Test mode:

Exam (Timed)

Practice (With explanations)

Start practice test

AWS Certified Solutions Architect - Security and Access Control Example Questions

Test your knowledge of Security and Access Control

Question 1

A financial organization is using AWS to store sensitive financial data. They need to make sure their data is encrypted both in transit and at rest. What combination of AWS services would help achieve this?

AWS EFS and AWS Secrets Manager. AWS S3 bucket with Server-Side Encryption. Amazon S3 with AWS KMS. Amazon RDS with AWS KMS and SSL/TLS.

Correct Answer: Amazon RDS with AWS KMS and SSL/TLS.

Encrypting data at rest and in transit can be achieved with Amazon RDS (Relational Database Service) using AWS KMS (Key Management Service) for server-side encryption and SSL/TLS for secure connections. Using Amazon S3 with KMS or Server-Side Encryption does not provide encryption in transit. AWS EFS and AWS Secrets Manager, Amazon DynamoDB with Amazon Macie, or Amazon VPC with AWS PrivateLink do not provide both data transit and at-rest encryption.

Question 2

A company hosts a public web application on AWS. Static assets are stored in an Amazon S3 bucket and delivered to users through an Amazon CloudFront distribution over HTTPS. After detecting direct, unauthorized requests to the S3 bucket URL, the company wants to ensure that S3 objects cannot be accessed directly from the internet but remain available via CloudFront. What is the best solution to restrict access to the S3 bucket?

Enable a VPC endpoint for the S3 bucket. Change the S3 bucket static website hosting settings. Block all public access to the S3 bucket and restrict access to only the Amazon CloudFront distribution by using an Origin Access Control (or legacy Origin Access Identity) with a bucket policy that allows only that principal. Disable public access to the S3 bucket and create a new bucket.

Correct Answer: Block all public access to the S3 bucket and restrict access to only the Amazon CloudFront distribution by using an Origin Access Control (or legacy Origin Access Identity) with a bucket policy that allows only that principal.

The most effective way to prevent unauthorized direct access to S3 while still serving content to end users is to make the bucket private and allow reads only through CloudFront. Using an Origin Access Control (OAC) (or the older OAI) causes CloudFront to sign requests to S3, and the bucket policy permits only that CloudFront principal to access objects. S3 Block Public Access should be enabled to prevent any public ACLs or policies. This setup ensures objects are inaccessible from the internet via direct S3 URLs but remain available through the CloudFront distribution. IP-based policies or VPC endpoints are unsuitable for public web delivery because end users have arbitrary IPs and do not traverse your VPC; changing static website hosting settings does not address access control; creating a new bucket is unnecessary.

Question 3

A serverless application on AWS needs to store user-uploaded documents and images as objects. The data must be encrypted at rest using customer-managed keys, with access controlled via IAM and auditable key usage. Which AWS service should be used to store this data?

AWS Systems Manager Parameter Store. Amazon SimpleDB. Amazon DynamoDB with AWS Secrets Manager. Amazon S3 with server-side encryption using AWS KMS (SSE-KMS).

Correct Answer: Amazon S3 with server-side encryption using AWS KMS (SSE-KMS).

For storing user-uploaded documents and images as objects in a serverless application, Amazon S3 is the correct storage service. Enabling server-side encryption with AWS KMS (SSE-KMS) ensures data is encrypted at rest with customer-managed keys, provides fine-grained access control via IAM, and supports auditability of key usage through AWS CloudTrail. AWS Systems Manager Parameter Store is intended for configuration values and small secrets, not bulk user data. Amazon SimpleDB is legacy and not recommended for new workloads. Amazon DynamoDB with AWS Secrets Manager is not appropriate for storing binary objects; DynamoDB is a NoSQL database and Secrets Manager is for managing secrets, not general user data.

🎓 Unlock Premium Access

AWS Certified Solutions Architect - Associate + ALL Certifications

🎓 Access to ALL Certifications: Study for any certification on our platform with one subscription
5645 Superior-grade AWS Certified Solutions Architect - Associate practice questions
Unlimited practice tests across all certifications
Detailed explanations for every question
AWS Certified Solutions Architect: 5 full exams plus all other certification exams
100% Satisfaction Guaranteed: Full refund if unsatisfied
Risk-Free: 7-day free trial with all premium features!

Start Your Free 7-Day Trial

More Security and Access Control questions

15 questions (total)

Start 15 question test