Which of the following configurations will support thes…
An AWS customer is deploying an application that is composed of an AutoScaling group of EC2
instances.
The customer’s security policy requires that every outbound connection from these instances to
any other service within the customer’s Virtual Private Cloud must be authenticated using a
unique X.509 certificate that contains the specific Instance-id.
In addition, all X.509 certificates must be signed by the customer’s key management service in
order to be trusted for authentication.
Which of the following configurations will support these requirements:
What is the maximum write throughput I can provision fo…
What is the maximum write throughput I can provision for a single DynamoDB table?
which of the following would allow the application Inst…
An administrator is using Amazon CloudFormation to deploy a three-tier web application that
consists of a web tier and application tier that will utilize Amazon DynamoDB for storage.
When creating the CloudFormation template, which of the following would allow the application
instance access to the DynamoDB tables without exposing API credentials?
you need to consider so you can set up a solution that …
Your Fortune 500 company has undertaken a TCO analysis evaluating the use of Amazon S3
versus acquiring more hardware. The outcome was that all employees would be granted access
to use Amazon S3 for storage of their personal documents.
Which of the following will you need to consider so you can set up a solution that incorporates
single sign-on from your corporate AD or LDAP directory and restricts access for each user to a
designated user folder in a bucket? Choose 3 answers
Which option below will meet the needs for your NOC members?
Your company has recently extended its datacenter into a VPC on AWS to add burst computing
capacity as needed. Members of your Network Operations Center need to be able to go to the
AWS Management Console and administer Amazon EC2 instances as necessary.
You don’t want to create new IAM users for each NOC member and make those users sign in
again to the AWS Management Console.
Which option below will meet the needs for your NOC members?
Which approach provides a cost-effective, scalable miti…
You’ve been hired to enhance the overall security posture for a very large e-commerce site. They
have a well-architected, multi-tier application running in a VPC that uses ELBs in front of both the
web and the app tier with static assets served directly from S3. They are using a combination of
RDS and DynamoDB for their dynamic data and then archiving nightly into S3 for further
processing with EMR. They are concerned because they found questionable log entries and
suspect someone is attempting to gain unauthorized access.
Which approach provides a cost-effective, scalable mitigation to this kind of attack?
Which of the following options would you consider for c…
You are designing an SSL/TLS solution that requires HTTPS clients to be authenticated by the
Web server using client certificate authentication. The solution must be resilient.
Which of the following options would you consider for configuring the Web server infrastructure?
Choose 2 answers
Which activity would be useful in defending against thi…
A benefits enrollment company is hosting a 3-tier web application running in a VPC on AWS
which includes a NAT (Network Address Translation) instance in the public Web tier. There is
enough provisioned capacity for the expected workload for the new fiscal year benefit enrollment
period plus some extra overhead. Enrollment proceeds nicely for a few days and then the web
tier becomes unresponsive. Upon investigation using CloudWatch and other monitoring tools, it is
discovered that there is an extremely large and unanticipated amount of inbound traffic coming
from a set of 15 specific IP addresses over port 80 from a country where the benefits company
has no customers. The web tier instances are so overloaded that benefit enrollment
administrators cannot even SSH into them.
Which activity would be useful in defending against this attack?
How should the application use AWS credentials to acces…
You have an application running on an EC2 instance which will allow users to download files from
a private S3 bucket using a pre-signed URL. Before generating the URL, the application should
verify the existence of the file in S3.
How should the application use AWS credentials to access the S3 bucket securely?
Which of these solutions would you recommend?
You currently operate a web application in the AWS US-East region. The application runs on an
auto-scaled layer of EC2 instances and an RDS Multi-AZ database. Your IT security compliance
officer has tasked you to develop a reliable and durable logging solution to track changes made
to your EC2, IAM, and RDS resources.
The solution must ensure the integrity and confidentiality of your log data.
Which of these solutions would you recommend?