Secure Architecture I
Question 14
An AI-based startup is preparing to launch its three-tier web application using third-party Domain Name Services (DNS). The application takes an image and analyzes it to label its content. The application is deployed over multiple EC2 instances behind an Application Load Balancer (ALB). The application and database layers are deployed in the private subnet of the Virtual Private Cloud (VPC).
A solutions architect must recommend a solution that protects against large-scale DDoS attacks and SQL injections with the least operational overhead.
A. Use AWS Shield with the ALB to protect against DDoS attacks, attach AWS WAF in front of the ALB, and associate appropriate web ACLs with WAF.
B. Attach AWS Shield Advanced and WAF to Application Load Balancer (ALB) to block all the SQL injection and manage large-scale DDoS attacks automatically.
C. Use AWS Shield with ALB to protect against DDoS attacks and Amazon Inspector to block all SQL injection attempts automatically.
D. Use AWS WAF in front of the ALB and Amazon Inspector to block all SQL injection attempts automatically.
Question 15
A company is building a web application for an insurance company. The application will store data in S3 buckets in two different regions. The company must use a customer-managed key to encrypt/decrypt the data and buckets in both regions. The data and the keys must be securely available in both regions.
A solutions architect must provide a solution with the least operational overhead to meet the requirements.
A. Create an S3 bucket in each region. Configure the buckets to use S3 Server-side encryption with replication between the two buckets.
B. Configure a customer-managed KMS key and an S3 bucket in each region. Configure the buckets to use KMS Server-side encryption with replication between the two buckets.
C. Configure a customer-managed KMS key and an S3 bucket in each region. Configure the buckets to use S3 Server-side encryption with replication between the two buckets.
D. Configure a customer-managed Multi-Region KMS key. Create an S3 bucket in each Region. Configure the buckets to use KMS server-side encryption with replication between the two buckets.
Question 16
A software company has recently hired a cloud engineer to deploy different applications on AWS Cloud using AWS CloudFormation templates to create different resources.
As a solutions architect, ensure the cloud engineer can fulfill his duties while following the principle of least privilege.
Which actions should be taken to accomplish the goal? (Select two options.)
A. Provide the cloud engineer with the root account user credentials.
B. Create an IAM user for the cloud engineer and add it to the group with the PowerUser policy attached.
C. Create an IAM user for the cloud engineer and add it to the group that has the administrator policy attached.
D. Create an IAM user and add it to the group that allows CloudFormation actions only.
E. Create an IAM role to explicitly define the AWS CloudFormation stack and launch stack actions only.
Question 17
A company has a three-tier web architecture; the company's database is hosted on an Amazon RDS MySQL Multi-AZ DB instance. The company plans to secure the connection between the servers and the DB instance. The company's updated security requirements state that security credentials must be rotated frequently.
As a solutions architect, provide a solution that meets these requirements.
A. Configure AWS Secrets Manager and store the database credentials in it. Grant necessary IAM permissions to the servers to access the AWS Secrets Manager.
B. Configure AWS KMS and store the database credentials in KMS-encrypted files. Grant the necessary IAM permissions to the servers to encrypt/decrypt the files to access the database credentials.
C. Configure AWS KMS and store the database credentials in a KMS-encrypted S3 bucket. Grant the necessary IAM permissions to the servers to access the database credentials in the S3 bucket.
D. Configure AWS Systems Manager OpsCenter and store the database credentials in it. Grant the necessary IAM permissions to the servers to access the database credentials in OpsCenter.
Question 18
A social media company stores sensitive customer information in an S3 bucket. The bucket is accessed by an application in a VPC over the internet. The company plans to secure the connection between the application on the EC2 instance and the S3 bucket.
As a solutions architect, provide a solution to meet these requirements. (Select two options.)
A. Configure an AWS File Gateway to access S3 within the VPC.
B. Configure a VPC gateway endpoint to access S3 within the VPC.
C. Configure the S3 bucket to make the objects public.
D. Create an IAM policy that limits the access of objects to the application only and attach it to the bucket.
E. Configure NAT gateways so the EC2 instances can access the S3 bucket.