Your company has recently extended its datacenter into a VPC on AWS to add burst computing
capacity as needed. Members of your Network Operations Center need to be able to go to the
AWS Management Console and administer Amazon EC2 instances as necessary.
You don’t want to create new IAM users for each NOC member and make those users sign in
again to the AWS Management Console.
Which option below will meet the needs for your NOC members?

You’ve been hired to enhance the overall security posture for a very large e-commerce site. They
have a well architected, multi-tier application running in a VPC that uses ELBs in front of both the
web and the app tier with static assets served directly from S3. They are using a combination of
RDS and DynamoDB for their dynamic data and then archiving nightly into S3 for further
processing with EMR. They are concerned because they found questionable log entries and
suspect someone is attempting to gain unauthorized access.
Which approach provides a cost effective, scalable mitigation to this kind of attack?

You are designing an SSL/TLS solution that requires HTTPS clients to be authenticated by the
Web server using client certificate authentication. The solution must be resilient.
Which of the following options would you consider for configuring the Web server infrastructure?
Choose 2 answers

A benefits enrollment company is hosting a 3-tier web application running in a VPC on AWS
which includes a NAT (Network Address Translation) instance in the public Web tier. There is
enough provisioned capacity for the expected workload for the new fiscal year benefit enrollment
period plus some extra overhead. Enrollment proceeds nicely for a few days and then the web
tier becomes unresponsive. Upon investigation using CloudWatch and other monitoring tools it is
discovered that there is an extremely large and unanticipated amount of inbound traffic coming
from a set of 15 specific IP addresses over port 80 from a country where the benefits company
has no customers. The web tier instances are so overloaded that benefit enrollment
administrators cannot even SSH into them.
Which activity would be useful in defending against this attack?

You have an application running on an EC2 instance which will allow users to download files from
a private S3 bucket using a pre-signed URL. Before generating the URL, the application should
verify the existence of the file in S3.
How should the application use AWS credentials to access the S3 bucket securely?