IAM So Secure
An organization has a large number of technical employees who operate their AWS Cloud infrastructure. What does AWS provide to help organize them into teams and then assign the appropriate permissions for each team?
A. IAM users
B. AWS Organizations
C. IAM roles
D. IAM user groups
Correct Answer: D
Overall explanation: An IAM user group is a collection of IAM users that are managed as a unit. User groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users. For example, you could have a user group called Admins and give that user group the types of permissions that administrators typically need. Any user in that user group automatically has the permissions that are assigned to the user group. If a new user joins your organization and needs administrator privileges, you can assign the appropriate permissions by adding the user to that user group. Similarly, if a person changes jobs in your organization, instead of editing that user's permissions, you can remove him or her from the old user groups and add him or her to the appropriate new user groups.
A healthcare company is considering migrating its on-premises infrastructure to AWS Cloud to enhance data management, improve scalability, and reduce operational costs. The leadership team is new to cloud technologies and wants a clear understanding of what cloud computing entails, specifically how AWS defines and implements it. This understanding is essential for the company to make informed decisions about the benefits and use cases of cloud computing in their operations. Given this context, what is cloud computing, as defined by AWS?
A. Cloud computing is the process of using a single local server to store and process data
B. Cloud computing refers to the on-demand delivery of IT resources and applications via the internet with pay-as-you-go pricing
C. Cloud computing is the practice of using only open-source software for all computing needs
D. Cloud computing involves manually managing physical data centers and networking hardware for data storage and processing
Correct Answer: B
Overall explanation: Cloud computing refers to the on-demand delivery of IT resources and applications via the internet with pay-as-you-go pricing. Cloud computing, as defined by AWS, is the on-demand delivery of IT resources and applications over the internet with pay-as-you-go pricing. This allows businesses to access computing power, storage, and applications as needed without investing in physical infrastructure.
A technology company is deploying AI systems on AWS to automate its business processes and improve decision-making. The IT team wants to ensure that their AWS environment is optimized for governance, cost savings, performance, security, and fault tolerance. To achieve this, they are looking for a tool that provides recommendations and best practices to enhance the overall efficiency and security of their AI systems. Which AWS tool do you recommend for the given use case?
A. AWS Trusted Advisor
B. AWS Config
C. AWS CloudTrail
D. AWS Audit Manager
Correct Answer: A
Overall Explanation: AWS Trusted Advisor is a service that provides guidance to help you provision your resources following AWS best practices. It helps optimize your AWS environment in areas such as cost savings, performance, security, and fault tolerance, making it an essential tool for governance in AI systems.
A financial institution must ensure that data transferred from Amazon S3 to an Amazon SageMaker instance for training machine learning models does not leave the AWS network, adhering to strict compliance requirements. Which AWS Service will meet this requirement most effectively?
A. Amazon VPC Gateway Endpoint
B. Amazon S3 Transfer Acceleration
C. Amazon S3 Access Point
D. Amazon CloudFront Distribution
Correct Answer: A
Overall Explanation: A VPC Gateway Endpoint is a highly available and scalable AWS service that allows you to privately connect your Amazon Virtual Private Cloud (VPC) to supported AWS services, including Amazon S3 and Amazon SageMaker, without the need for an internet gateway, NAT device, or VPN connection.
A media company is developing generative AI applications on AWS to automate content creation and enhance customer engagement. Given the sensitivity of customer data and the complexity of AI models, the company’s security team wants to implement a defense-in-depth security approach to protect both the data and the AI infrastructure. Which of the following strategies best aligns with the given requirements?
A. Using a single authentication mechanism for all users and services accessing the AI models
B. Implementing a single-layer firewall to block unauthorized access to the AI models
C. Relying solely on data encryption to protect the AI training data
D. Applying multiple layers of security measures including input validation, access controls, and continuous monitoring to address vulnerabilities
Correct Answer: D
Overall explanation: Applying multiple layers of security measures including input validation, access controls, and continuous monitoring to address vulnerabilities. Architecting a defense-in-depth security approach involves implementing multiple layers of security to protect generative AI applications. This includes input validation to prevent malicious data inputs, strict access controls to limit who can interact with the AI models, and continuous monitoring to detect and respond to security incidents. These measures can help address common vulnerabilities and meet the best practices for securing generative AI applications on AWS.
A data scientist uses Amazon SageMaker for a machine learning project to classify images of plant species. The datasets need to be securely stored, easily accessible for training, and efficiently managed throughout the project. Which of the following would you use to store and manage your dataset for this machine learning project?
A. Amazon Fsx
B. Amazon EFS
C. Amazon S3
D. AWS Snowcone
Correct Answer: C
Overall Explanation: Amazon S3 (Simple Storage Service) is designed for scalable object storage. It is highly integrated with Amazon SageMaker, making storing large datasets and retrieving them for training machine learning models easy. S3 provides secure, durable, and highly available storage, which is essential for managing datasets in machine learning projects.
You have noticed that several critical Amazon EC2 instances have been terminated. Which of the following AWS services would help you determine who took this action?
A. EC2 Instance Usage Report
B. AWS Trusted Advisor
C. Amazon Inspector
D. AWS CloudTrail
Correct Answer: D
Overall explanation: AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting.
A company relies heavily on machine learning models for personalized recommendations and fraud detection. The company stores sensitive data in Amazon S3 buckets and needs a solution that automatically discovers, classifies, and protects this sensitive data. Which of the following is the MOST suitable for this use case?
A. Amazon Inspector
B. Amazon GuardDuty
C. Amazon Macie
D. Amazon Kinesis
Correct Answer: C
Overall Explanation: Amazon Macie uses machine learning to automatically discover sensitive data within your S3 buckets. It scans objects and identifies patterns that match common types of sensitive information, such as personally identifiable information (PII), credit card numbers, and intellectual property. Macie classifies the discovered data based on predefined categories (e.g., PII, financial data, health records). It assigns labels to objects, making it easier to manage and apply access controls.
A cloud security engineer is tasked with securing machine learning (ML) workloads in an AWS environment. The engineer needs to ensure that only specific applications and services can access Amazon SageMaker and Amazon RDS resources. These applications require controlled and limited access to these services to maintain security and minimize the risk of unauthorized access. Which AWS service or feature can the engineer use to grant and manage these permissions effectively?
A. AWS Identity and Access Management (IAM)
B. VPC Endpoint Policy
C. AWS Security Token Service (STS)
D. AWS Secrets Manager
Correct Answer: A
Overall Explanation: AWS Identity and Access Management (IAM) is a service that allows you to control the use of AWS services and resources. IAM lets you set up and handle AWS users and groups, as well as define permissions to allow or prohibit access to AWS resources. IAM allows you to build fine-grained access control by defining roles and policies that determine who may access specific services and what activities they can do.
To protect against data loss, you need to backup your database regularly. What is the most cost-effective storage option that provides immediate retrieval of your backups?
A. Amazon S3 Glacier Deep Archive
B. Amazon EBS
C. Amazon S3 Standard-Infrequent Access
D. Instance Store
Correct Answer: C
Overall explanation: Amazon S3 has a wide variety of storage classes to cover different workloads and use cases. The S3 storage class you choose primarily depends upon two factors: accessibility and cost. If you need immediate access to your data, then you want to use either S3 Standard, S3 Intelligent-Tiering, S3 Standard-Infrequent Access, S3 One Zone-IA, or Amazon S3 Glacier Instant Retrieval. S3 Standard-Infrequent Access (S3 Standard-IA) is for data that is accessed less frequently, but requires rapid access when needed. S3 Standard-IA offers the high durability, high throughput, and low latency of S3 Standard, with a low per GB storage price and per GB retrieval charge. This combination of low cost and high performance make S3 Standard-IA ideal for long-term storage, backups, and as a data store for disaster recovery files.
Database backup is an important operation to consider for any database system. Taking backups not only enables data restore on database failure but also enables recovery from data corruption. Amazon S3 Standard-Infrequent Access is the best choice because it provides immediate access to your database backups while reducing costs. S3 Standard-IA is ideal for data that is accessed less frequently (like database backups), but requires immediate access when needed.
Which of the following services allows customers to manage their agreements with AWS?
A. AWS Systems Manager
B. AWS Artifact
C. AWS Organizations
D. AWS Certificate Manager
Correct Answer: B
Overall explanation: AWS Artifact is a self-service audit artifact retrieval portal that provides customers with on-demand access to AWS’ compliance documentation and AWS agreements. You can use AWS Artifact Agreements to review, accept, and track the status of AWS agreements such as the Business Associate Addendum (BAA). You can also use AWS Artifact Reports to download AWS security and compliance documents, such as AWS ISO certifications, Payment Card Industry (PCI), and System and Organization Control (SOC) reports.
A financial analytics company has deployed a machine learning model using Amazon SageMaker within a Virtual Private Cloud (VPC) to analyze sensitive customer data. To meet security guidelines, the VPC is configured with no internet access. However, the model needs to regularly access and read data stored in Amazon S3. The company is looking for a solution that allows secure data transfer between the SageMaker model in the VPC and Amazon S3 without exposing data traffic to the public internet. What do you recommend?
A. The company should use a SageMaker Inference endpoint that allows secure connectivity between the VPC and Amazon S3
B. The company should use a VPC endpoint for Amazon S3 that allows secure, private connectivity between the VPC and Amazon S3, without the need for an internet connection, ensuring data is transferred securely within the AWS network
C. The company should use a NAT Gateway which enables outbound internet access for resources within the VPC to securely access Amazon S3
D. The company should use an Internet Gateway, which provides a direct connection between the VPC and the internet, allowing data to be accessed from Amazon S3
Correct Answer: B
Overall explanation: The company should use a VPC endpoint for Amazon S3 that allows secure, private connectivity between the VPC and Amazon S3, without the need for an internet connection, ensuring data is transferred securely within the AWS network
A VPC endpoint for Amazon S3 is the most appropriate choice because it creates a private connection between the VPC and Amazon S3 over the AWS network, without requiring internet access. This VPC endpoint allows the SageMaker model deployed within the VPC to securely access data from Amazon S3 directly, using the internal AWS network paths. It provides enhanced security by keeping data traffic within the AWS infrastructure and not exposing it to the public internet.
You can use two types of VPC endpoints to access Amazon S3: gateway endpoints and interface endpoints (by using AWS PrivateLink). A gateway endpoint is a gateway that you specify in your route table to access Amazon S3 from your VPC over the AWS network. Interface endpoints extend the functionality of gateway endpoints by using private IP addresses to route requests to Amazon S3 from within your VPC, on premises, or from a VPC in another AWS Region by using VPC peering or AWS Transit Gateway.
Which of the following AWS services are regional in scope? (Select two)
A. Amazon CloudFront
B. Amazon Rekognition
C. AWS Identity and Access Management (AWS IAM)
D. AWS Web Application Firewall (AWS WAF)
E. AWS Lambda
Correct Answer: B, E
Overall explanation: Most of the services that AWS offers are Region-specific. But few services, by definition, need to be in a global scope because of the underlying service they offer. AWS Identity and Access Management (AWS IAM), Amazon CloudFront, Amazon Route 53, and AWS Web Application Firewall (AWS WAF) are some of the global services.
AWS Lambda is a compute service that lets you run code without provisioning or managing servers. AWS Lambda executes your code only when needed and scales automatically, from a few requests per day to thousands per second. AWS Lambda is a regional service.
With Amazon Rekognition, you can identify objects, people, text, scenes, and activities in images and videos, as well as detect any inappropriate content. Amazon Rekognition also provides highly accurate facial analysis and facial search capabilities that you can use to detect, analyze, and compare faces for a wide variety of user verification, people counting, and public safety use cases. Amazon Rekognition is a regional service.
Which of the following S3 storage classes is most appropriate to host static assets for a popular e-commerce website with stable access patterns?
A. S3 Glacier Deep Archive
B. S3 Standard-IA
C. S3 Standard
D. S3 Intelligent-Tiering
Correct Answer: C
Overall explanation: S3 Standard offers high durability, availability, and performance object storage for frequently accessed data. Because it delivers low latency and high throughput, S3 Standard is appropriate for a wide variety of use cases, including cloud applications, dynamic websites, content distribution, mobile and gaming applications, and big data analytics.
A financial services company is deploying AI systems on AWS to analyze customer transactions and detect fraud. To meet stringent regulatory requirements, the company's compliance team needs a tool that can continuously audit AWS usage, automate evidence collection, and streamline risk assessments. This tool should help ensure that the AI systems comply with industry standards and reduce the manual effort involved in compliance reporting. Which AWS tool meets these requirements?
A. AWS Audit Manager
B. AWS Trusted Advisor
C. AWS Artifact
D. AWS CloudTrail
Correct Answer: A
Overall explanation: AWS Audit Manager helps automate the collection of evidence to continuously audit your AWS usage. It simplifies the process of assessing risk and compliance with regulations and industry standards, making it an essential tool for governance in AI systems.
A healthcare organization is developing an AI-driven diagnostic application leveraging Amazon Bedrock. The application is deployed within a VPC that must comply with strict data privacy regulations. These regulations prohibit any internet connectivity to or from the VPC. What AWS service or feature will satisfy these objectives?
A. AWS PrivateLink
B. AWS Direct Connect
C. Amazon S3 VPC Endpoint
D. Internet gateway
Correct Answer: A
Overall Explanation: AWS PrivateLink allows you to connect your VPC directly to AWS services without exposing your data to the public internet. This is important for businesses that must meet strict compliance standards, as it keeps your network traffic completely private and within the AWS network without relying on public-facing gateways or external connections.
The option that says: AWS Direct Connect is incorrect because this service only provides a dedicated network connection from on-premises to AWS but does not inherently prevent internet connectivity within the VPC.
The option that says: Amazon S3 VPC Endpoint is incorrect because it simply allows private connectivity to Amazon S3 and would not cover the need to connect to other AWS services like Amazon Bedrock.
The option that says: Internet gateway is incorrect because it primarily enables internet connectivity, which directly violates the organization’s requirement to prohibit internet access to or from the VPC.
A financial services firm is adopting Amazon Q Business to streamline its data-driven decision-making processes. As part of the implementation, the company needs a robust solution for managing user access, ensuring that employees across various departments have appropriate permissions to interact with dashboards and reports. The team is evaluating options for user management that offer secure, scalable, and easy-to-administer controls within Amazon Q Business. Which of the following would you recommend for user management in Amazon Q Business?
A. AWS Account
B. AWS IAM service
C. IAM Identity Center
D. IAM user
Correct Answer: C
Overall explanation: With IAM Identity Center, you can create or connect workforce users and centrally manage their access across all their AWS accounts and applications. You need to configure an IAM Identity Center instance for your Amazon Q Business application environment with users and groups added. Amazon Q Business supports both organization and account-level IAM Identity Center instances.
Incorrect options:
AWS Account - An AWS account is a container for your AWS resources. You create and manage your AWS resources in an AWS account, and the AWS account provides administrative capabilities for access and billing.
AWS IAM service - AWS IAM service is a powerful tool for securely managing access to your AWS resources. One of the primary benefits of using IAM is the ability to grant shared access to your AWS account. Additionally, IAM allows you to assign granular permissions, enabling you to control exactly what actions different users can perform on specific resources.
IAM user - An IAM user is an entity that you create in AWS. The IAM user represents the human user or workload who uses the IAM user to interact with AWS. A user in AWS consists of a name and credentials.
Which of the following compute resources are serverless? (Choose TWO)
A. Amazon Lightsail
B. AWS Lambda
C. Amazon EC2
D. Amazon ECS
E. AWS Fargate
Overall explanation:
AWS Lambda lets you run code without provisioning or managing servers. You pay only for the compute time you consume, and there is no charge when your code is not running. With Lambda, you can run code for virtually any type of application or backend service - all with zero administration. Just upload your code and Lambda takes care of everything required to run and scale your code with high availability.
AWS Fargate is a compute engine for deploying and managing containers, which frees you from having to manage any of the underlying infrastructure. With AWS Fargate, you no longer have to provision, configure, and scale clusters of virtual machines to run containers. AWS Fargate seamlessly integrates with Amazon ECS and Amazon EKS, so you can deploy and manage containers without having to provision or manage servers.
A healthcare organization is deploying AI systems on AWS to manage sensitive patient data and support clinical decision-making. To meet strict regulatory requirements, the IT and compliance teams are seeking a service that offers continuous monitoring, tracks changes in resource configurations, and ensures compliance with healthcare standards. The company is evaluating which AWS service can help maintain governance and security throughout the AI system lifecycle. What do you recommend?
A. AWS Config
B. Amazon Inspector
C. AWS Artifact
D. AWS Audit Manager
Correct Answer: A
Overall explanation: AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. It continuously monitors and records AWS resource configurations and allows automated compliance checking against desired configurations. This is crucial for governance in AI systems, ensuring that resources remain in compliance with organizational policies and regulatory requirements.
A healthcare company is deploying AI systems on AWS to manage patient data and improve diagnostic accuracy. To ensure compliance with strict healthcare regulations and to enhance the security of their applications, the company's security team is looking for an AWS service that can automate security assessments. What do you recommend?
A. AWS Artifact
B. Amazon Inspector
C. AWS Audit Manager
D. AWS Config
Correct Answer: B
Overall Explanation: Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. It automatically assesses applications for exposure, vulnerabilities, and deviations from best practices, making it an essential tool for ensuring the security of AI systems.
Incorrect options:
AWS Config - AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. While it is important for governance and compliance monitoring, it does not perform automated security assessments of applications.
AWS Audit Manager - AWS Audit Manager helps you continuously audit your AWS usage to simplify how you assess risk and compliance with regulations and industry standards. It focuses on audit and compliance reporting rather than automated security assessments.
AWS Artifact - AWS Artifact provides on-demand access to AWS’ compliance reports and online agreements. It helps with compliance reporting but does not offer automated security assessments of applications.
Reference: