1. A company continually generates sensitive records that it stores in an S3 bucket. All objects in the bucket are encrypted using SSE-KMS using one of the company's CMKs. Company compliance policies require that no more than one month of data be encrypted using the same encryption key. Which solution below will meet the company's requirements?
A) Trigger a Lambda function with a monthly CloudWatch event that creates a new CMK, updates the S3 bucket to use the new CMK, and deletes the old CMK.
B) Trigger a Lambda function with a monthly CloudWatch event that creates a new CMK and updates the S3 bucket to use the new CMK.
C) Trigger a Lambda function with a monthly CloudWatch event that rotates the key material in the CMK.
D) Configure the CMK to rotate the key material every month.
2. You want to get a list of vulnerabilities for an EC2 instance as per the guidelines set by the Center for Internet Security. How can you go about doing this?
A) Use AWS Trusted Advisor
B) Enable AWS GuardDuty for the instance
C) Use AWS Macie
D) Use AWS Inspector
3. Which of the below services can be integrated with the AWS Web Application Firewall service? Choose 2 answers from the options given below.
A) AWS Classic Load Balancer
B) AWS CloudFront
C) AWS Application Load Balancer
D) AWS Lambda
4. You are building a large-scale confidential documentation web server on AWS and all of the documentation for it will be stored on S3. One of the requirements is that it cannot be publicly accessible from S3 directly, and you will need to use CloudFront to accomplish this. Which of the methods listed below would satisfy the requirements as outlined? Choose an answer from the options below.
A) Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI.
B) Create an S3 bucket policy that lists the CloudFront distribution ID as the Principal and the target bucket as the Amazon Resource Name (ARN).
C) Create individual policies for each bucket the documents are stored in and in that policy grant access to only CloudFront.
D) Create an Identity and Access Management (IAM) user for CloudFront and grant access to the objects in your S3 bucket to that IAM user.
5. A user has created a VPC with public and private subnets using the VPC wizard. The VPC has CIDR 20.0.0.0/16. The public subnet uses CIDR 20.0.1.0/24. The user is planning to host a web server in the public subnet with port 80 and a database server in the private subnet with port 3306. The user is configuring a security group for the public subnet (WebSecGrp) and the private subnet (DBSecGrp). Which of the below-mentioned entries is required in the private subnet database security group DBSecGrp?
A) Allow Inbound on port 3306 for Source Web Server Security Group WebSecGrp
B) Allow Outbound on port 80 for Destination NAT Instance IP
C) Allow Outbound on port 3306 for Destination Web Server Security Group WebSecGrp
D) Allow Inbound on port 3306 from source 20.0.0.0/16