AWS-Certified-Solutions-Architect-Professional Amazon Exam Questions and Free Practice Test

Question 61

In the context of AWS Cloud Hardware Security ModuIe(HSM), does your application need to reside in the same VPC as the CIoudHSM instance?

A. No, but the sewer or instance on which your application and the HSNI client is running must have network (IP) reachability to the HSNI.

B. Yes, always

C. No, but they must reside in the same Availability Zone.

D. No, but it should reside in same Availability Zone as the DB instanc

Correct Answer:A
Your application does not need to reside in the same VPC as the CIoudHSM instance.
However, the server or instance on which your application and the HSM client is running must have network (IP) reachability to the HSM. You can establish network connectMty in a variety of ways, including operating your application in the same VPC, with VPC peering, with a VPN connection, or with Direct Connect.
Reference: https://aws.amazon.com/cIoudhsm/faqs/

Question 62

The two policies that you attach to an IAM role are the access policy and the trust policy. The trust policy identifies who can assume the role and grants the permission in the AWS Lambda account principal by adding the action.

A. aws:AssumeAdmin

B. Iambda:InvokeAsync

C. sts:|nvokeAsync

D. sts:AssumeRoIe

Correct Answer:D
The two policies that you attach to an IAM role are the access policy and the trust policy.
Remember that adding an account to the trust policy of a role is only half of establishing the trust relationship. By default, no users in the trusted accounts can assume the role until the administrator for that account grants the users the permission to assume the role by adding the Amazon Resource Name (ARN) of the role to an Allow element for the sts:AssumeRoIe action.
Reference: http://docs.aws.amazon.com/|AM/Iatest/UserGuide/id_ro|es_manage_modify.html

Question 63

A benefits enrollment company is hosting a 3-tier web application running in a VPC on AWS which includes a NAT (Network Address Translation) instance in the public Web tier. There is enough provisioned capacity for the expected workload tor the new fiscal year benefit enrollment period plus some extra overhead Enrollment proceeds nicely for two days and then the web tier becomes unresponsive, upon investigation using CIoudWatch and other monitoring tools it is discovered that there is an extremely large and unanticipated amount of inbound traffic coming from a set of 15 specific IP addresses over port 80 from a country where the benefits company has no customers. The web tier instances are so overloaded that benefit enrollment administrators cannot even SSH into them. Which actMty would be useful in defending against this attack?

A. Create a custom route table associated with the web tier and block the attacking IP addresses from the IGW (Internet Gateway)

B. Change the EIP (Elastic IP Address) of the NAT instance in the web tier subnet and update the Nlain Route Table with the new EIP

C. Create 15 Security Group rules to block the attacking IP addresses over port 80

D. Create an inbound NACL (Network Access control list) associated with the web tier subnet with deny rules to block the attacking IP addresses

Correct Answer:D

Question 64

Regarding Identity and Access Management (IAM), Which type of special account belonging to your application allows your code to access Google services programmatically?

A. Service account

B. Simple Key

C. OAuth

D. Code account

Correct Answer:A
A service account is a special Google account that can be used by applications to access Google
services programmatically. This account belongs to your application or a virtual machine (VM), instead of to an indMdual end user. Your application uses the service account to call the Google API of a service, so that the users aren't directly involved.
A service account can have zero or more pairs of service account keys, which are used to authenticate to Google. A service account key is a public/private keypair generated by Google. Google retains the public
key, while the user is given the private key.
Reference: https://cloud.googIe.com/iam/docs/service-accounts

Question 65

A bucket owner has allowed another account’s IAM users to upload or access objects in his bucket. The IAM user of Account A is trying to access an object created by the IAM user of account B. What will happen in this scenario?

A. It is not possible to give permission to multiple IAM users

B. AWS S3 will verify proper rights given by the owner of Account A, the bucket owner as well as by the IAM user B to the object

C. The bucket policy may not be created as S3 will give error due to conflict of Access Rights

D. It is not possible that the IAM user of one account accesses objects of the other IAM user

Correct Answer:B
If a IAM user is trying to perform some action on an object belonging to another AWS user’s bucket, S3 will verify whether the owner of the IAM user has given sufficient permission to him. It also verifies the policy for the bucket as well as the policy defined by the object owner.
Reference:
http://docs.aws.amazon.com/AmazonS3/Iatest/dev/access-control-auth-workflow-object-operation.htmI

Question 66

In IAM, which of the following is true of temporary security credentials?

A. Once you issue temporary security credentials, they cannot be revoked.

B. None of these are correct.

C. Once you issue temporary security credentials, they can be revoked only when the virtual MFA device is used.

D. Once you issue temporary security credentials, they can be revoke

Correct Answer:A
Temporary credentials in IAM are valid throughout their defined duration of time and hence can't be revoked. However, because permissions are evaluated each time an AWS request is made using the credentials, you can achieve the effect of revoking the credentials by changing the permissions for the
credentials even after they have been issued. Reference:
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentiaIs_temp_controI-access_disable-perms.h tml

START AWS-Certified-Solutions-Architect-Professional EXAM