Which of the following tasks is the customer's duty under the shared responsibility model? (Select two.)
Maintaining the underlying Amazon EC2 hardware.
Managing the VPC network access control lists.
Encrypting data in transit and at rest.
Replacing failed hard disk drives.
Deploying hardware in different Availability Zones.
Answers are; Managing the VPC network access control lists.
C. Encrypting data in transit and at rest.
The hardware related jobs is the prime responsibility of AWS. VPC network access control lists is something a customer has to do himself to secure the applications. Encrypting data in transit and at rest is a shared responsibility in which AWS plays a part. All hardware related jobs have nothing to do with the customer.
Which of the following are AWS obligations, according to the AWS shared responsibility model? (Select two.)
Network infrastructure and virtualization of infrastructure
Security of application data
Guest operating systems
Physical security of hardware
Credentials and policies
Answer are; Network infrastructure and virtualization of infrastructure
D. Physical security of hardware
Question 113
Which of the following are features of network ACLs as they are used in the AWS Cloud? (Choose two.)
They are stateless.
They are stateful.
They evaluate all rules before allowing traffic.
They process rules in order, starting with the lowest numbered rule, when deciding whether to allow traffic.
They operate at the instance level.
Answers are;
A. They are stateless.
D. They process rules in order, starting with the lowest numbered rule, when deciding whether to allow traffic.
Network ACLs are stateless, which means that responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa).
Rules are evaluated starting with the lowest numbered rule. As soon as a rule matches traffic, it's applied regardless of any higher-numbered rule that might contradict it.
A company wants to run production workloads on AWS. The company needs concierge service, a designated AWS technical account manager (TAM), and technical support that is available 24 hours a day, 7 days a week.
Which AWS Support plan will meet these requirements?
Which architecture design principle describes the need to isolate failures between dependent components in the AWS Cloud?
Use a monolithic design.
Design for automation.
Design for single points of failure.
Loosely couple components.
Answer is Loosely couple components.
In the cloud practitioner course states that in a microservices approach, application components are loosely coupled. In this case, if a single component fails, the other components continue to work because they are communicating with each other. The loose coupling prevents the entire application from failing.
Question 116
A company recently deployed an Amazon RDS instance in its VPC. The company needs to implement a stateful firewall to limit traffic to the private corporate network.
Which AWS service or feature should the company use to limit network traffic directly to its RDS instance?
Network ACLs
Security groups
AWS WAF
Amazon GuardDuty
Answer is Security groups
Amazon RDS security groups enable you to manage network access to your Amazon RDS instances. With security groups, you specify sets of IP addresses using CIDR notation, and only network traffic originating from these addresses is recognized by your Amazon RDS instance.
Although they function in a similar way, Amazon RDS security groups are different from Amazon EC2 security groups. It is possible to add an EC2 security group to your RDS security group. Any EC2 instances that are members of the EC2 security group are then able to access the RDS instances that are members of the RDS security group.
What is the scope of a VPC within the AWS network?
A VPC can span all Availability Zones globally.
A VPC must span at least two subnets in each AWS Region.
A VPC must span at least two edge locations in each AWS Region.
A VPC can span all Availability Zones within an AWS Region.
Answer is A VPC can span all Availability Zones within an AWS Region.
* A VPC is a logically isolated piece of AWS cloud dedicated to your company. This means, you can run applications on overly provisioned, highly available, and redundant infrastructure setup and it is managed by AWS. All the complexity of setting up a data center with cables, server racks, hardware, power supply, etc. all are managed by AWS.
* A VPC belongs to a region.
* A VPC spans all availability zones.
* You can have multiple VPCs per region.
* VPC contains one or more subnets.
* A Subnet is tied to a single availability zone.
* EC2 instances launch into subnets.
Question 118
Which of the following are components of an AWS Site-to-Site VPN connection? (Choose two.)
AWS Storage Gateway
Virtual private gateway
NAT gateway
Customer gateway
Internet gateway
Answers are;
B. Virtual private gateway
D. Customer gateway
The VPC has an attached virtual private gateway, and your on-premises (remote) network includes a customer gateway device, which you must configure to enable the Site-to-Site VPN connection. You set up the routing so that any traffic from the VPC bound for your network is routed to the virtual private gateway.
Which IT controls do AWS and the customer share, according to the AWS shared responsibility model? (Choose two.)
Physical and environmental controls
Patch management
Cloud awareness and training
Zone security
Application data encryption
Answers are;
B. Patch management
C. Cloud awareness and training
Shared Controls – Controls which apply to both the infrastructure layer and customer layers, but in completely separate contexts or perspectives. In a shared control, AWS provides the requirements for the infrastructure and the customer must provide their own control implementation within their use of AWS services.
Patch Management – AWS is responsible for patching and fixing flaws within the infrastructure, but customers are responsible for patching their guest OS and applications.
Configuration Management – AWS maintains the configuration of its infrastructure devices, but a customer is responsible for configuring their own guest operating systems, databases, and applications.
Awareness & Training - AWS trains AWS employees, but a customer must train their own employees.