A large company wants to track the combined AWS usage costs of all of its linked accounts. How can this be accomplished?
Correct Answer: B
The company can use AWS Organizations to track the combined AWS usage costs of all of its linked accounts. AWS Organizations is a service that enables you to consolidate multiple AWS accounts into an organization that you can manage centrally. You can use AWS Organizations to create a consolidated billing report that shows the charges incurred by each account in your organization as well as the total charges across all accounts. You can also use AWS Organizations to apply policies and controls to your accounts to help you manage costs and security.
Question 47
A company needs to block SQL injection attacks. Which AWS service or feature can meet this requirement?
Correct Answer: A
AWS WAF is a web application firewall that helps protect web applications from common web exploits, such as SQL injection attacks. It allows customers to create custom rules that block malicious requests. AWS Shield is a managed service that protects against distributed denial of service (DDoS) attacks, not SQL injection attacks. Network ACLs and security groups are network-level security features that filter traffic based on IP addresses and ports, not web requests or SQL queries. Reference: AWS WAF, AWS Shield, Network ACLs, Security groups
Question 48
Using AWS Identity and Access Management (IAM) to grant access only to the resources needed to perform a task is a concept known as:
Correct Answer: C
The concept of granting access only to the resources needed to perform a task is known as least privilege access. This is a security best practice in IAM that helps to reduce the risk of unauthorized or malicious actions. By applying least privilege access, you can limit the permissions of your IAM users, groups, and roles to the minimum required for their specific tasks. You can also use conditions, permissions boundaries, and IAM Access Analyzer to further restrict and verify access. Reference: Security best practices in IAM, Policies and permissions in IAM, Use IAM policies to grant the least privileges required to access Amazon RDS resources, How to Design a Least Privilege Architecture in AWS, 12 Azure & AWS IAM Security Best Practices
Question 49
Which AWS solution gives companies the ability to use protocols such as NFS to store and retrieve objects in Amazon S3?
Correct Answer: C
AWS Storage Gateway file gateway allows companies to use protocols such as NFS and SMB to store and retrieve objects in Amazon S3. File gateway provides a seamless integration between on-premises applications and Amazon S3, and enables low-latency access to data through local caching. File gateway also supports encryption, compression, and lifecycle management of the objects in Amazon S3. For more information, see What is AWS Storage Gateway? and File Gateway.
Question 50
Which AWS features will meet these requirements? (Select TWO.)
Correct Answer: C,D
The correct answers are C and D because S3 bucket policies and IAM user policies are AWS features that will meet the requirements. S3 bucket policies are access policies that can be attached to Amazon S3 buckets to grant or deny permissions to the bucket and the objects it contains. S3 bucket policies can be used to control who has permission to read, write, or delete objects that the company stores in the S3 bucket. IAM user policies are access policies that can be attached to IAM users to grant or deny permissions to AWS resources and actions. IAM user policies can be used to control who has permission to read, write, or delete objects that the company stores in the S3 bucket. The other options are incorrect because they are not AWS features that will meet the requirements. Security groups and network ACLs are AWS features that act as firewalls to control inbound and outbound traffic to and from Amazon EC2 instances and subnets. Security groups and network ACLs do not control who has permission to read, write, or delete objects that the company stores in the S3 bucket. S3 bucket versioning is an AWS feature that enables users to keep multiple versions of the same object in the same bucket. S3 bucket versioning can be used to recover from accidental overwrites or deletions of objects, but it does not control who has permission to read, write, or delete objects that the company stores in the S3 bucket. Reference: Using Bucket Policies and User Policies, Security Groups for Your VPC, Network ACLs, Using Versioning