12.7 Whizlabs - Practice Test V
The IAM best practice is to create roles that have specific access to an AWS service and then grant the user permission to that service via the role, regardless of whether the access is one-time only. (Temporary credentials are for users who do not have an AWS account and have to access AWS through corporate AD, LDAP, OpenID, etc.)
To protect objects in S3 from both accidental deletion and accidental overwriting, the methodology AWS recommends is to enable Versioning on the bucket (first choice). Versioning stores every version of an object, so if a version is deleted by mistake you can recover the other versions, because the entire object is not deleted.
Enabling multi-factor authentication (MFA) protects access to S3 by adding an additional security layer: users must be properly authenticated before they can access the bucket. However, authenticated users could still delete or overwrite an object accidentally. Select both Versioning and MFA only when the question asks you to protect objects from both accidental deletion and unauthenticated access.
By default, S3 objects are not encrypted. You need to enable SSE using AES-256.
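The three S3 protections in these notes (Versioning, MFA Delete, default SSE with AES-256) can be checked as a compliance rule over a bucket inventory. This is an added example, not from the original notes; the input dicts follow the shape of boto3's get_bucket_versioning() and get_bucket_encryption() responses, and the bucket data below is constructed.

```python
"""Compliance check for S3 bucket protections: Versioning, MFA Delete and
default server-side encryption. Added example (not from the original notes).
Input dicts mirror boto3 get_bucket_versioning()/get_bucket_encryption()
responses; a missing encryption configuration is represented as None."""

# Constructed sample inventory: bucket name -> (versioning response, encryption response)
SAMPLE_BUCKETS = {
    "finance-reports": (
        {"Status": "Enabled", "MFADelete": "Enabled"},
        {"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    ),
    "web-assets": (
        {"Status": "Suspended"},  # versioning was switched off again
        None,                     # no default encryption configured
    ),
    "scratch": (
        {},                       # never versioned: response carries no Status key
        {"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/example-key"}}]}},
    ),
}


def assess_bucket(versioning, encryption):
    """Return the list of findings for one bucket; an empty list means compliant."""
    findings = []
    # Versioning keeps prior versions, so an accidental delete/overwrite is recoverable.
    if versioning.get("Status") != "Enabled":
        findings.append("versioning not enabled: accidental delete/overwrite is unrecoverable")
    # MFA Delete requires a second factor to delete a version or suspend versioning.
    if versioning.get("MFADelete") != "Enabled":
        findings.append("MFA Delete not enabled: one authenticated principal can purge versions")
    # Default encryption: AES256 is SSE-S3 (the note's minimum); SSE-KMS is accepted as stronger.
    rules = (encryption or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algorithms = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules}
    if not algorithms & {"AES256", "aws:kms"}:
        findings.append("no default server-side encryption: new objects are stored unencrypted")
    return findings


def assess_inventory(buckets):
    """Map every bucket name in the inventory to its findings."""
    return {name: assess_bucket(v, e) for name, (v, e) in buckets.items()}


if __name__ == "__main__":
    for name, findings in assess_inventory(SAMPLE_BUCKETS).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```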
Your AWS environment contains several Reserved EC2 instances dedicated to a project. To stop incurring charges for the reserved instances immediately:
If the project is suspended and may restart later, you just need to stop these EC2 instances as soon as possible (make sure they are not backed by an instance-store volume).
If the project is cancelled, terminate the instances as soon as possible and sell the reserved instances on the AWS Reserved Instance Marketplace. Note: in the Marketplace, all reserved instances are grouped according to the duration of the term remaining and the hourly price. Hence, terminating the instances immediately helps preserve the remaining term.
To SSH into an instance hosted in a VPC from the Internet, the private IP address is not required. (You might argue that an Elastic IP is also not required, but you need to choose the private IP in this question.)
Two permission types used by AWS are: User-based and Resource-based.
A company has resources hosted both on its on-premises network and in AWS. It wants its administrators to access resources in both environments using their on-premises credentials, which are stored in Active Directory. You need to use SAML Federation to fulfil this.
Active Directory/Single Sign-On => SAML 2.0-based Identity Federation
Mobile Apps/OpenID => Web Identity Federation
Working with a DB instance in a VPC: your VPC must have at least one subnet in at least two of the Availability Zones in the Region where you want to deploy your DB instance. If you want your DB instance in the VPC to be publicly accessible, you must enable the VPC attributes DNS hostnames and DNS resolution.
A few important points about VPCs:
When you create a VPC, it spans all the AZs in the Region.
After creating a VPC, you can add one or more subnets in each AZ, but a subnet cannot span AZs.
Under the AWS Shared Responsibility Model, protecting against IP spoofing or packet sniffing is the responsibility of AWS (network-layer security; just remember that the IP layer is embedded in the hardware).
What happens during Multi-AZ failover, and how long does it take?
When failing over, Amazon RDS simply flips the canonical name record (CNAME) for your DB instance to point at the standby, which is in turn promoted to become the new primary.
Failovers typically complete within one to two minutes.
An organization is planning to use AWS for its production roll-out. It wants to automate deployment so that it automatically creates a LAMP stack, downloads the latest PHP installable from S3 and sets up the ELB. To meet the requirement for an orderly deployment of the software, AWS Elastic Beanstalk is the best choice. CloudFormation can also do this, but in a harder and less native way.
If your Amazon EBS volume is attached to an EC2 instance, you can increase its size, change its volume type, or adjust its IOPS performance, all without detaching it from the instance.
EBS Upgrading & Create AMI
In the basic monitoring package for RDS, CloudWatch provides:
Database-visible metrics, such as the number of connections
Disk IOPS metrics
Database memory usage