You are designing a social media site and are considering how to mitigate distributed denial-ofservice (DDoS) attacks.
Which of the below are viable mitigation techniques? Choose 3 answers

You are designing a photo-sharing mobile app. The application will store all pictures in a single
Amazon S3 bucket.
Users will upload pictures from their mobile device directly to Amazon S3 and will be able to view
and download their own pictures directly from Amazon S3.
You want to configure security to handle potentially millions of users in the most secure manner
possible. What should your server-side application do when a new user registers on the photosharing mobile application?

Your company policies require encryption of sensitive data at rest.
You are considering the possible options for protecting data while storing it at rest on an EBS
data volume, attached to an EC2 instance.
Which of these options would allow you to encrypt your data at rest? Choose 3 answers

An enterprise wants to use a third-party SaaS application. The SaaS application needs to have
access to issue several API commands to discover Amazon EC2 resources running within the
enterprise’s account. The enterprise has internal security policies that require any outside access
to their environment must conform to the principles of least privilege, and there must be controls
in place to ensure that the credentials used by the SaaS vendor cannot be used by any other

third party.
Which of the following would meet all of these conditions:

You are designing an intrusion detection/prevention (IDS/IPS) solution for a customer web
application in a single VPC.
You are considering the options for Implementing IDS/IPS protection for traffic coming from the
Internet.
Which of the following options would you consider? Choose 2 answers

You are designing a connectivity solution between on-premises infrastructure and Amazon VPC.
Your servers on-premises will be communicating with your VPC instances.
You will be establishing IPsec tunnels over the Internet.
You will be using VPN gateways, and terminating the IPsec tunnels on AWS supported customer
gateways.
Which of the following objectives would you achieve by implementing an IPsec tunnel as outlined
above? Choose 4 answers

You are tasked with moving a legacy application from a virtual machine running inside your
datacenter to an Amazon VPC. Unfortunately, this app requires access to a number of onpremises services and no one who configured the app still works for your company. Even worse,
there’s no documentation for it. What will allow the application running inside the VPC to reach
back and access its internal dependencies without being reconfigured? Choose 3 answers

You are designing a multi-platform web application for AWS. The application will run on EC2
instances and will be accessed from PCs, tablets and smart phones, supported accessing
platforms are Windows, MacOS, IOS and Android. Separate sticky session and SSL certificate
setups are required for different platform types. Which of the following describes the most cost
effective and performance efficient architecture setup?

A corporate web application is deployed within an Amazon Virtual Private Cloud (VPC), and is
connected to the corporate data center via an IPsec VPN. The application must authenticate
against the on- premises LDAP server. After authentication, each logged-in user can only access
an Amazon Simple Storage Space (S3) keyspace specific to that user.
Which two approaches can satisfy these objectives? Choose 2 answers

You’re running an application on-premises due to its dependency on non-x86 hardware and want
to use AWS for data backup. Your backup application is only able to write to POSIX-compatible,
block-based storage. You have 140TB of data and would like to mount it as a single folder on
your file server. Users must be able to access portions of this data while the backups are taking
place. What backup solution would be most appropriate for this use case?