Infrastructure Security

Your team needs to provide access to a Linux instance shell using AWS Systems Manager Session Manager. The instance does not have Internet access. What is the minimum configuration required for Session Manager to work? (Choose all that apply.)

A. The instance’s security group has an inbound rule allowing SSH.

B. VPC endpoints are created for Systems Manager.

C. The IAM role attached to the EC2 instance has permission to Systems Manager.

D. The EC2 instance has the AWS Systems Manager agent installed.

B is correct. If the subnet where the instance is running does not have Internet access, you need to create the VPC endpoints for Systems Manager so that the Systems Manager agent installed on the EC2 instance can establish a connection to the service. C is correct. The EC2 instance must have an IAM role with an IAM policy allowing access to the Systems Manager service, so that the Systems Manager agent has the permissions it needs to communicate with the service control plane. D is correct. The instance must have the Systems Manager agent installed.
A is incorrect. No inbound rule is needed: the Systems Manager agent establishes an egress HTTPS connection from the instance to the Systems Manager endpoints.

You’ve launched a bastion host in a public subnet and cannot establish an SSH connection to the instance. During the troubleshooting, you confirmed that the instance has a public IP associated with it and the security group is allowing ingress access from 0.0.0.0/0 to port TCP 22. What else can you check that can be a source of the issue? (Choose all that apply.)

A. Verify if the NACL associated with the public subnet has an inbound rule that allows connections to port TCP 22 and an outbound rule that allows traffic from ephemeral ports to any destination or your client’s IP address.

B. Verify if the route table associated with the public subnet has a default route to the Internet Gateway.

C. Check if the security group associated with the EC2 instance has an outbound rule with destination port TCP 22.

D. Check if the EC2 instance has the SSH server running and allows connections to port TCP 22.

E. Verify if the NACL associated with the public subnet has an inbound rule that allows connections from port TCP 22.

A is correct. The NACL associated with the public subnet should have an inbound rule allowing traffic from any Internet IP address (or from the SSH client’s public IP address) to destination port TCP 22. Because NACLs are stateless, you also need an outbound rule allowing traffic to any destination (or to the SSH client’s public IP address) on the ephemeral port range. The client’s source port is chosen at random from a range defined by the client’s operating system.
B is correct. The route table associated with the public subnet should have a default route to the Internet Gateway so that instances in the subnet can route traffic to the Internet.
D is correct. The EC2 instance should be running an SSH server and have no host firewall rule blocking connections to port TCP 22.

A security incident happened with a web server hosted behind a Classic Load Balancer. The incident response team detected an attacker exploiting an SQL injection vulnerability in the web application that resulted in data leakage. Which combination of solutions can you implement to protect against attacks like that in the future? (Choose two.)

A. Enable AWS Shield Advanced and associate the Classic Load Balancer with the service.

B. Create an AWS WAF web ACL with a ruleset to block requests containing SQL injection content.

C. Add Amazon API Gateway in front of the Classic Load Balancer to authorize requests.

D. Replace the Classic Load Balancer with an Application Load Balancer.

B is correct. AWS WAF comes with SQL injection match conditions. An SQL injection match condition identifies the part of a web request, such as the URI or the query string, that you want AWS WAF to inspect for malicious SQL code. D is correct. AWS WAF does not support the Classic Load Balancer, so you need to replace it with an Application Load Balancer to enable the service.
A is incorrect. AWS Shield Advanced is a service oriented toward protection against DDoS attacks. C is incorrect. Amazon API Gateway does not have any default protection against SQL injection attacks; you could use API Gateway’s request validation feature only as an additional layer of protection.

The application team is implementing an e-learning platform to train the global workforce on its products and services. The e-learning platform will provide media content that contains confidential information, and access must be restricted to employees. How can you distribute the content globally to authorized users only?

A. Store the media content in a public S3 bucket. Use the Amazon API Gateway with a Lambda authorizer to authorize the REST API requests.

B. Store the media content in a private S3 bucket. Dynamically produce S3 signed URLs for the media content stored in the S3 bucket and hand them to users.

C. Configure the Amazon CloudFront distribution to restrict viewer access. Modify the e-learning application to issue signed requests for the media content served by CloudFront to authorized users.

D. Store the media content in a public S3 bucket. Configure an Application Load Balancer in front of your application to authorize requests.

C is correct. You can use Amazon CloudFront to validate signed cookies or signed URLs after the e-learning application has authorized the user’s request to the media content and created the signed cookie or signed URL.
A is incorrect. Although you are using Amazon API Gateway with a Lambda authorizer to authorize requests, the S3 bucket is publicly available, so anyone who knows the URL can access the media content directly. B is incorrect. Although this solution can restrict access to the media content, it does not distribute the content globally: serving depends on the AWS region where the S3 bucket is created. D is incorrect. Although you are using the Application Load Balancer to authorize requests, the S3 bucket is public, and anyone who has the URL can access the media content from the Internet.

You’ve identified a malicious source IP address from the Internet trying to exploit a vulnerability in a TCP application that you have behind a Network Load Balancer. You want to immediately block the connections from this source IP address, including the established connections. What’s the best option to block the request immediately?

A. Modify the security group associated with the EC2 instance hosting the application and add a new inbound rule denying the malicious source IP address.

B. Add a new denying rule to the NACL associated with the Network Load Balancer’s subnets. The new rule should deny access to the malicious source IP address.

C. Modify the security group associated with the Network Load Balancer and add a new inbound rule denying the malicious source IP address.

D. Create a rule using AWS WAF to block the malicious source IP address, associate the rule with a web ACL, and associate the web ACL with the Network Load Balancer.

B is correct. NACLs are stateless, and as soon as you add a deny rule for the malicious source IP address, the connection will be blocked.
A is incorrect. You can only add “allow” rules to a security group. Security groups are stateful, and updated rules won’t influence established connections. C is incorrect. The Network Load Balancer does not support security groups. Besides that, you can only add “allow” rules to a security group. Security groups are stateful, and updated rules won’t influence established connections. D is incorrect. You cannot associate an AWS WAF’s web ACL with a Network Load Balancer.
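The two explanations above (the bastion host’s NACL and security group options, and blocking an established session from a malicious source) both come down to the difference between a stateless NACL and a stateful security group. The following Python simulation is an added example, not code from the original page; the IP addresses, ports and rule numbers are constructed, and the classes simplify the real AWS evaluation to IPv4 TCP with first-match numbered NACL rules and allow-only, connection-tracked security group rules.

```python
# Added example, not from the original page: a small simulator of how a stateless
# network ACL and a stateful security group treat one SSH session. The IP addresses,
# ports and rule numbers are constructed sample values, and the classes are a
# simplification of the real AWS evaluation logic (only TCP, only IPv4).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class NaclRule:
    number: int     # rules are evaluated lowest number first; the first match wins
    action: str     # "allow" or "deny"; NACLs support both
    cidr: str       # source CIDR for an inbound rule, destination CIDR for an outbound rule
    port_from: int  # destination port range the rule covers
    port_to: int


class NetworkAcl:
    """Stateless: every packet, including return traffic, is matched against the rules."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = list(inbound), list(outbound)

    def add_rule(self, direction, rule):
        (self.inbound if direction == "in" else self.outbound).append(rule)

    def permits(self, pkt, direction):
        rules = self.inbound if direction == "in" else self.outbound
        peer = pkt.src_ip if direction == "in" else pkt.dst_ip
        for rule in sorted(rules, key=lambda r: r.number):
            if ip_address(peer) in ip_network(rule.cidr) and rule.port_from <= pkt.dst_port <= rule.port_to:
                return rule.action == "allow"
        return False  # the implicit "*" rule denies everything not matched above


class SecurityGroup:
    """Stateful: rules are allow-only, and a flow admitted once keeps flowing in both directions."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = set(inbound), set(outbound)  # (cidr, port) allow rules
        self.tracked = set()  # 4-tuples of flows already admitted

    def remove_rule(self, direction, rule):
        (self.inbound if direction == "in" else self.outbound).discard(rule)

    def permits(self, pkt, direction):
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if flow in self.tracked or reverse in self.tracked:
            return True  # established flow: rule changes no longer affect it
        rules = self.inbound if direction == "in" else self.outbound
        peer = pkt.src_ip if direction == "in" else pkt.dst_ip
        if any(ip_address(peer) in ip_network(c) and pkt.dst_port == p for c, p in rules):
            self.tracked.add(flow)
            return True
        return False


CLIENT_IP, CLIENT_PORT = "203.0.113.10", 51234  # constructed: the SSH client's ephemeral source port
BASTION_IP = "10.0.1.25"                         # constructed bastion private address
SYN = Packet(CLIENT_IP, CLIENT_PORT, BASTION_IP, 22)      # client -> bastion, first packet
SYN_ACK = Packet(BASTION_IP, 22, CLIENT_IP, CLIENT_PORT)  # bastion -> client, return traffic


def nacl_ssh_reachable(outbound_ephemeral_rule: bool) -> bool:
    """Bastion question, option A: the NACL needs an inbound rule for port 22 AND an
    outbound rule to the ephemeral port range, or the SYN-ACK never leaves the subnet."""
    outbound = [NaclRule(100, "allow", "0.0.0.0/0", 1024, 65535)] if outbound_ephemeral_rule else []
    nacl = NetworkAcl(inbound=[NaclRule(100, "allow", "0.0.0.0/0", 22, 22)], outbound=outbound)
    return nacl.permits(SYN, "in") and nacl.permits(SYN_ACK, "out")


def sg_ssh_reachable() -> bool:
    """Bastion question, option C: no outbound port-22 rule is needed on a security
    group; the SYN-ACK is return traffic of a tracked flow (egress here allows only 443)."""
    sg = SecurityGroup(inbound={("0.0.0.0/0", 22)}, outbound={("0.0.0.0/0", 443)})
    return sg.permits(SYN, "in") and sg.permits(SYN_ACK, "out")


def block_established_session() -> dict:
    """Malicious-source question: a lower-numbered NACL deny rule stops the next packet of
    an established session, while removing the security group's allow rule does not."""
    attacker = Packet("198.51.100.7", 40000, BASTION_IP, 22)  # constructed malicious source
    nacl = NetworkAcl(inbound=[NaclRule(100, "allow", "0.0.0.0/0", 22, 22)],
                      outbound=[NaclRule(100, "allow", "0.0.0.0/0", 1024, 65535)])
    sg = SecurityGroup(inbound={("0.0.0.0/0", 22)}, outbound=set())
    established = nacl.permits(attacker, "in") and sg.permits(attacker, "in")
    nacl.add_rule("in", NaclRule(50, "deny", "198.51.100.7/32", 0, 65535))  # evaluated before rule 100
    sg.remove_rule("in", ("0.0.0.0/0", 22))  # the only change possible: there are no deny rules
    return {"established": established,
            "nacl_still_passes": nacl.permits(attacker, "in"),
            "sg_still_passes": sg.permits(attacker, "in")}


if __name__ == "__main__":
    print(nacl_ssh_reachable(True), nacl_ssh_reachable(False), sg_ssh_reachable())
    print(block_established_session())
```

Running the module prints the outcomes the two explanations describe: the NACL passes the SSH reply only when the outbound ephemeral-port rule exists, the security group passes it without any outbound port-22 rule, and once the attacker’s session is established the numbered deny rule cuts the next packet while removing the security group rule changes nothing.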

Your company is developing a new application that will serve thousands of clients hosted on AWS, some of whose VPCs have overlapping IP addresses. You were tasked with finding a solution that can easily and quickly enable a private connection to the new application. Which option provides the best solution for this problem?

A. Add an Internet-facing Network Load Balancer in front of the new application and control it using the security group associated with the application’s instance to only allow the trusted source IP addresses.

B. Create a VPC endpoint service for the new application and request clients to create a VPC endpoint interface to your service.

C. Establish a site-to-site VPN between the client’s VPCs and the new application’s VPC.

D. Establish VPC peering between the new application’s VPC and each client’s VPC.

B is correct. The PrivateLink technology that powers the VPC endpoint allows you to connect clients and services that have overlapping IP addresses quickly and easily.
A is incorrect. This alternative does not meet the criteria of providing private access to the new application. C is incorrect. A site-to-site VPN does not meet the criteria of an easy and quick solution and does not work out of the box when you have overlapping IP addresses between the VPCs. D is incorrect. You cannot establish VPC peering with VPCs that have overlapping IP addresses.

Your company is currently using Direct Connect to connect your on-premises data center with AWS. The traffic between the customer router and the Direct Connect endpoint is not encrypted and was reported as a noncompliant item by a security auditor. What design change can you propose to encrypt the traffic while providing a low-latency and high-bandwidth connection to AWS?

A. All traffic between the customer gateway and AWS using a Direct Connect connection is automatically encrypted.

B. Replace the Direct Connect connection with a site-to-site VPN over the Internet.

C. Establish a site-to-site VPN connection between the customer gateway and AWS through a Direct Connect public VIF.

D. Attach a Direct Connect gateway to the Direct Connect connection to encrypt the traffic.

C is correct. Using a site-to-site VPN over the Direct Connect connection, you can encrypt all traffic between the customer gateway and the AWS region.
A is incorrect. The traffic between the customer gateway and the Direct Connect endpoint is not encrypted. B is incorrect. Using an Internet link does not guarantee low latency as required by the question statement. D is incorrect. The Direct Connect gateway is used to connect a Direct Connect connection to multiple AWS regions.

There are many Windows Server instances deployed in the AWS cloud, each with a security group associated with it. Each Windows Server instance comes with a set of preinstalled management tools that receive incoming connections from the management servers running on-premises. When a management tool is installed or replaced, or the IP address of a management server changes, your team needs to add or modify those rules in all the security groups used by the EC2 instances. Which alternatives can help you accomplish this goal? (Choose all that apply.)

A. Create a CloudWatch Event that triggers a Lambda function once a security group is created or updated. Implement a code in the Lambda function to update the security group with the management server rules.

B. Create a single security group for each AWS account containing all the management ports that should be open and the management servers’ source IP. Enforce the adoption of the management security group for new instances launched by using Service Control Policies. Associate this new security group with all Windows Server instances.

C. Create an AWS Config custom rule that periodically evaluates if the security groups contain all the inbound rules for the management servers. Create an auto-remediation using AWS Systems Manager to add the rules for the security groups that are not compliant.

D. Use AWS Firewall Manager to apply the inbound rules to security groups across AWS accounts.

B is correct. By having a single security group containing all the inbound rules for the management servers and associated with the Windows Server instances, you only need to update the rules in one place. C is correct. However, the AWS Config custom rule needs to be updated every time the inbound rules change. D is correct. AWS Firewall Manager simplifies administration and maintenance of security groups, allowing you to apply security group rules to all member accounts or specific subsets of accounts in an AWS Organizations organization, and it automatically applies the rules to new in-scope accounts that join the organization.
A is incorrect. This solution only partially accomplishes the goal because it does not update the existing security groups.

Your company is developing a modern application and will use the Amazon API Gateway to control REST API requests from a single VPC. How can you securely provide access between the clients and the API?

A. Add an inbound rule to the security group associated with the microservice’s instances allowing HTTPS only from the Amazon API Gateway IP addresses.

B. Add a custom header for each request leaving the API Gateway in the method’s integration request and validate the custom header value in the microservice to make sure they match.

C. Create a VPC link on API Gateway to establish a connection between the service and the VPC where the microservices are hosted. Configure the API’s integration request to use the VPC link as the integration type and set the endpoint URL to point to the microservice’s URL.

D. Create the API as private and modify the resource policy to allow access only from the VPC ID where the API clients are hosted.

D is correct. Creating an API as private and configuring the resource policy correctly can restrict connections only coming from a VPC.
A is incorrect. The Amazon API Gateway service is not attached to a VPC, so it cannot connect to resources in a private subnet without a VPC link. B is incorrect for the same reason: the Amazon API Gateway service is not attached to a VPC, so it cannot connect to resources in a private subnet without a VPC link. C is incorrect. Although the VPC link allows the Amazon API Gateway service to communicate with a VPC, it does not prevent users in other locations from reaching the API.
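The private API in option D is enforced by a resource policy whose Deny statement keys on the aws:SourceVpc condition. The Python below is an added example, not code from the original page or from the API Gateway documentation: it builds that policy for a placeholder VPC id and runs a deliberately small evaluator that applies the IAM order of evaluation (an explicit Deny wins, then any Allow, otherwise deny), including the detail that a negated operator such as StringNotEquals is satisfied when the key is absent from the request context. Resource matching is not modelled, since both statements cover execute-api:/*.

```python
# Added example, not from the original page: the resource policy pattern for a
# private API restricted to one VPC, with a deliberately small evaluator that
# applies the IAM rule "explicit Deny wins, then Allow, otherwise deny". The VPC id
# is a constructed placeholder; only the two string operators used here are implemented.
import json

VPC_ID = "vpc-0123456789abcdef0"  # constructed placeholder, not a real VPC


def private_api_policy(vpc_id: str) -> dict:
    """Deny every invoke whose source VPC is not ours, then allow the rest."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": "execute-api:/*",
                "Condition": {"StringNotEquals": {"aws:SourceVpc": vpc_id}},
            },
            {
                "Effect": "Allow",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": "execute-api:/*",
            },
        ],
    }


def policy_json(vpc_id: str) -> str:
    """Serialized form you would paste into the API's resource policy."""
    return json.dumps(private_api_policy(vpc_id), indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition: dict, context: dict) -> bool:
    """Evaluate a Condition block against the request context.

    A negated operator (StringNotEquals) is satisfied when the key is absent from the
    request, which is how a request carrying no aws:SourceVpc at all hits the Deny."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"operator not modelled here: {operator}")
        for key, expected in pairs.items():
            if key not in context:
                if operator == "StringEquals":
                    return False
                continue
            present = context[key] in _as_list(expected)
            if operator == "StringEquals" and not present:
                return False
            if operator == "StringNotEquals" and present:
                return False
    return True


def evaluate(policy: dict, action: str, context: dict) -> bool:
    """Return True if the request is allowed. A matching Deny short-circuits."""
    allowed = False
    for stmt in policy["Statement"]:
        if action not in _as_list(stmt["Action"]):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    policy = private_api_policy(VPC_ID)
    print(policy_json(VPC_ID))
    for ctx in ({"aws:SourceVpc": VPC_ID}, {"aws:SourceVpc": "vpc-0fedcba9876543210"}, {}):
        print(ctx, "->", "ALLOW" if evaluate(policy, "execute-api:Invoke", ctx) else "DENY")
```

The Deny statement is what makes the policy a positive restriction rather than a list of exceptions: a request from the right VPC passes both statements and is allowed, a request from any other VPC (or with no source VPC in its context) matches the Deny, and an action the policy never mentions falls through to the implicit deny.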

A new security policy was released by the company requiring that all web servers must have the ingress and egress traffic inspected at layer 7. Which combination of solutions should be implemented to meet this new policy? (Choose all that apply.)

A. Deploy an Application Load Balancer in front of the web servers.

B. Create an AWS WAF web ACL and associate it with the Application Load Balancer.

C. Set the AWS WAF’s web ACL to inspect egress traffic from the web servers.

D. Deploy an AWS Marketplace full inspection firewall to your VPC and modify the route table associated with the web server’s subnets to route the traffic through the firewall for egress inspection.

A is correct. By using an Application Load Balancer in front of the web servers, you can use AWS WAF to inspect the incoming traffic. B is correct. You need to create a web ACL in AWS WAF, or associate an existing one, with the Application Load Balancer before the traffic is inspected. D is correct. You can use a third-party firewall from AWS Marketplace to perform inspection of the egress traffic.
C is incorrect. AWS WAF only supports inspection of the incoming requests.
