An administrator is using Amazon CloudFormation to deploy a three tier web application that consists of a web
tier and application tier that will utilize Amazon DynamoDB for storage when creating the CloudFormation
template which of the following would allow the application instance access to the DynamoDB tables without
exposing API credentials?

An AWS customer is deploying an application mat is composed of an AutoScaling group of EC2 Instances.
The customers security policy requires that every outbound connection from these instances to any other
service within the customers
Virtual Private Cloud must be authenticated using a unique x 509 certificate that contains the specific instanceid.
In addition an x 509 certificates must Designed by the customer’s Key management service in order to be
trusted for authentication.
Which of the following configurations will support these requirements?

Your company has recently extended its datacenter into a VPC on AVVS to add burst computing capacity as
needed Members of your Network Operations Center need to be able to go to the AWS Management Console
and administer Amazon EC2 instances as necessary You don’t want to create new IAM users for each NOC
member and make those users sign in again to the AWS Management Console Which option below will meet
the needs for your NOC members?

You are designing an SSUTLS solution that requires HTTPS clients to be authenticated by the Web server using
client certificate authentication. The solution must be resilient.
Which of the following options would you consider for configuring the web server infrastructure? (Choose 2
answers)

You are designing a connectivity solution between on-premises infrastructure and Amazon VPC Your server’s
on-premises will De communicating with your VPC instances You will De establishing IPSec tunnels over the
internet You will be using VPN gateways and terminating the IPsec tunnels on AWS-supported customer
gateways.
Which of the following objectives would you achieve by implementing an IPSec tunnel as outlined above?
(Choose 4 answers)

You are designing an intrusion detection prevention (IDS/IPS) solution for a customer web application in a
single VPC. You are considering the options for implementing IOS IPS protection for traffic coming from the
Internet.
Which of the following options would you consider? (Choose 2 answers)

You are designing a photo sharing mobile app the application will store all pictures in a single Amazon S3
bucket.
Users will upload pictures from their mobile device directly to Amazon S3 and will be able to view and
download their own pictures directly from Amazon S3.
You want to configure security to handle potentially millions of users in the most secure manner possible.
What should your server-side application do when a new user registers on the photo-sharing mobile
application?

You have an application running on an EC2 Instance which will allow users to download flies from a private S3
bucket using a pre-assigned URL. Before generating the URL the application should verify the existence of the
file in S3.
How should the application use AWS credentials to access the S3 bucket securely?

You are designing a social media site and are considering how to mitigate distributed denial-of-service (DDoS)
attacks. Which of the below are viable mitigation techniques? (Choose 3 answers)

A benefits enrollment company is hosting a 3-tier web application running in a VPC on AWS which includes a
NAT (Network Address Translation) instance in the public Web tier. There is enough provisioned capacity for
the expected workload tor the new fiscal year benefit enrollment period plus some extra overhead Enrollment
proceeds nicely for two days and then the web tier becomes unresponsive, upon investigation using
CloudWatch and other monitoring tools it is discovered that there is an extremely large and unanticipated
amount of inbound traffic coming from a set of 15 specific IP addresses over port 80 from a country where the
benefits company has no customers. The web tier instances are so overloaded that benefit enrollment
administrators cannot even SSH into them. Which activity would be useful in defending against this attack?