AWS Certified Security - Specialty - Part 59

Mary Smith

Sat, 24 May 2025

1. Which of the following is the correct sequence of how KMS manages the keys when used along with the Redshift cluster service? Please select:

A) The master key encrypts the database key. The database key encrypts the data encryption keys.
B) The master key encrypts the cluster key, database key and data encryption keys.
C) The master key encrypts the cluster key. The cluster key encrypts the database key. The database key encrypts the data encryption keys.
D) The master key encrypts the data encryption keys. The data encryption keys encrypt the database key.



2. An organization has set up multiple IAM users. The organization wants each IAM user to access the IAM console only from within the organization and not from outside. How can it achieve this? Please select:

A) Create an IAM policy with VPC and allow a secure gateway between the organization and the AWS (Amazon Web Services) Console
B) Configure the EC2 instance security group which allows traffic only from the organization's IP range
C) Create an IAM policy with a condition which denies access when the IP address range is not from the organization
D) Create an IAM policy with the security group and use that security group for AWS (Amazon Web Services) console login



3. An enterprise wants to use a third-party SaaS application. The SaaS application needs to have access to issue several API commands to discover Amazon EC2 resources running within the enterprise's account. The enterprise has internal security policies that require any outside access to their environment to conform to the principles of least privilege, and there must be controls in place to ensure that the credentials used by the SaaS vendor cannot be used by any other third party. Which of the following would meet all of these conditions?

A) Create an IAM user within the enterprise account and assign a user policy to the IAM user that allows only the actions required by the SaaS application. Create a new access and secret key for the user and provide these credentials to the SaaS provider.
B) Create an IAM role for EC2 instances, assign it a policy that allows only the actions required for the SaaS application to work, and provide the role ARN to the SaaS provider to use when launching their application instances.
C) From the AWS (Amazon Web Services) Management Console, navigate to the Security Credentials page and retrieve the access and secret key for your account.
D) Create an IAM role for cross-account access that allows the SaaS provider's account to assume the role, and assign it a policy that allows only the actions required by the SaaS application.



4. There are currently multiple applications hosted in a VPC. During monitoring it has been noticed that multiple port scans are coming in from a specific IP address block. The internal security team has requested that all offending IP addresses be denied for the next 24 hours. Which of the following is the best method to quickly and temporarily deny access from the specified IP addresses?

A) Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP address block.
B) Add a rule to all of the VPC Security Groups to deny access from the IP address block.
C) Modify the Windows Firewall settings on all AMIs that your organization uses in that VPC to deny access from the IP address block.
D) Create an AD policy to modify the Windows Firewall settings on all hosts in the VPC to deny access from the IP address block.



5. A company is planning on using AWS (Amazon Web Services) EC2 and AWS (Amazon Web Services) CloudFront for their web application. For which one of the below attacks is usage of CloudFront most suited?

A) Cross-site scripting
B) SQL injection
C) DDoS attacks
D) Malware attacks



1. Right Answer: C
Explanation:

2. Right Answer: C
Explanation:

3. Right Answer: D
Explanation:

4. Right Answer: A
Explanation:

5. Right Answer: B
Explanation:
