Cloud Security Solutions Architect Quiz
40 Questions

Created by
@CatchySatellite

Questions and Answers

What is the most effective action to block a malicious IP address for an application running behind an ALB?

  • Modify the network ACL on the EC2 instances to deny the IP address
  • Modify the security groups for the ALB to deny the IP address
  • Modify the network ACL on the CloudFront distribution to allow the IP address
  • Modify the configuration of AWS WAF to add an IP match condition to block the IP address (correct)

What is the best cost-saving strategy for an ecommerce application that requires at least 40 EC2 instances most of the time?

  • Purchase On-Demand Instances for all 40 instances
  • Purchase Reserved Instances for 40 instances and use Spot Instances for the remainder (correct)
  • Purchase Reserved Instances to cover 80 instances and use On-Demand for additional needs
  • Purchase Reserved Instances for 200 instances to ensure availability

Which type of Amazon EC2 instances should be chosen for uninterrupted analytics running 4 hours a night, 5 days a week for a minimum of 1 year?

  • Scheduled Reserved Instances covering only the specific run times
  • Spot Instances that can terminate at any time
  • On-Demand Instances billed hourly
  • Standard Reserved Instances for continual access and savings (correct)

If the access pattern of log files is unknown for an ecommerce store, what should be considered for backup to Amazon S3?

    Use S3 Intelligent-Tiering for storing the logs

    What is the primary benefit of modifying the security groups for the EC2 instances behind the ALB in response to a malicious IP?

    It applies changes immediately without needing to modify the network configuration

    For a stateless application scaling up to 200 instances, what is the disadvantage of purchasing Reserved Instances for the maximum capacity?

    It locks in pricing which may not be optimal during fluctuating demand

    In managing application logs, which solution would ensure both cost-effectiveness and accessibility given unpredictability in access frequency?

    Combining S3 Standard and S3 Lifecycle Policies to transition logs

    What is the most crucial aspect when deciding on the type of instances for running long-duration workloads?

    The ability to achieve significant cost savings over the required duration

    What is the MOST cost-effective storage solution for log files that persist for only 24 hours?

    Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA)

    Which TWO actions can make a web application more resilient to sporadic increases in request rates?

    Add a WAF in front of the ALB

    What method can ensure that Amazon EC2 instances can make API calls to DynamoDB without traversing the internet?

    Create a gateway endpoint for DynamoDB

    Which architectural component can improve the application's response time by caching content closer to users?

    Add an Amazon CloudFront distribution in front of the ALB

    To ensure a web application is resistant to a single point of failure, which strategy would be BEST to implement?

    Deploy multiple EC2 instances across Availability Zones

    When designing a solution for high availability, which practice should NOT be followed?

    Rely solely on manual intervention for scaling

    Which method ensures secure and private communication between EC2 instances and DynamoDB?

    Create a VPC endpoint for DynamoDB

    To effectively manage erratic traffic loads, which solution would be an appropriate choice?

    Use an Auto Scaling group

    Which of the following would improve performance when dealing with high read traffic for a database?

    Add Amazon Aurora Replicas

    What is the purpose of adding an Amazon CloudFront distribution in front of an ALB?

    To cache content and offload traffic from the backend

    Which of the following statements about AWS Global Accelerator is correct?

    It directs users to application instances in different regions based on latency.

    Why would an AWS WAF not improve performance in the described scenario?

    It is designed to protect applications from attacks rather than improve performance.

    What role does an AWS Transit Gateway play in network architecture?

    It facilitates connections between on-premises networks and AWS VPCs.

    When would the use of Amazon Aurora Read Replicas be most beneficial?

    In scenarios with sudden increases in read traffic.

    Which service would NOT help in improving application performance when used in front of an ALB?

    AWS WAF

    Which S3 storage class is most suitable for minimizing costs while accommodating infrequently accessed data?

    S3 Standard-Infrequent Access (S3 Standard-IA)

    What is a primary function of AWS Global Accelerator that differentiates it from Amazon CloudFront?

    It routes user traffic based on latency across multiple geographical regions.

    What combination of AWS services should be used for a service needing to handle key-value requests and scale with an unknown future growth?

    AWS Lambda and Amazon DynamoDB

    To ensure application resources can be deployed in a second Region during a disaster, which actions should be taken?

    Copy an Amazon Machine Image (AMI) of an EC2 instance and specify the second Region for the destination

    Which combination of actions would you use to implement a document submission application that utilizes Amazon S3 for storage?

    Trigger a Lambda function to process submitted documents from S3

    Which of the following S3 storage classes would be least cost-effective for frequently accessed data?

    S3 Glacier

    What services combination would best facilitate a backend that can rapidly adjust to over 800 requests per second?

    AWS Fargate and Amazon DynamoDB

    How would you ensure data redundancy for an application in the event of a disaster?

    Prepare an AMI and an EBS snapshot in a different Region

    Which S3 storage class is ideal for data that is rarely accessed but must be quickly retrieved when needed?

    S3 Standard-IA

    Which AWS service is best suited to replace a Microsoft filesystem?

    Amazon FSx

    What is the primary function of AWS Storage Gateway?

    To connect on-premises storage to cloud storage

    Which method should be employed to block a malicious IP address in an AWS WAF?

    Create an IP match condition in AWS WAF

    What is NOT a function of AWS WAF?

    Manage Auto Scaling groups

    When should network ACLs be modified to protect against a detected threat?

    When blocking IP addresses at the subnet level

    What kind of attack is AWS WAF protecting against in the given scenario?

    SQL injection

    Which of the following is NOT a usage for AWS WAF?

    Routing traffic through an Elastic Load Balancer

    In the context of AWS, what is a recommended action for regulating access to CloudFront distributions?

    Use WAF IP match conditions for external IPs

    Study Notes

    Protecting Applications

    • Modify AWS WAF configuration to block malicious IP addresses with IP match conditions.
    • Utilize network ACLs on CloudFront distributions and EC2 instances for additional security measures.
    • Implement security groups to filter access at the instance level as a protective strategy.

    Cost-Efficient Scaling for E-commerce

    • Reserve 40 instances to meet minimum operational needs; use On-Demand and Spot Instances for fluctuating demands.
    • Analyses may utilize Reserved Instances for predictable workloads, lending stability and reduced costs over time.

    Cost Control for Analytics Jobs

    • Schedule Reserved Instances for nightly analytics on financial data to minimize costs.
    • Avoid Spot Instances for critical, uninterrupted tasks during designated hours.

    S3 Storage Class Selection

    • Choose S3 Intelligent-Tiering for unpredictable log access patterns, balancing immediate uptime with cost savings.
    • Other S3 classes like Glacier and One Zone-IA may incur higher costs or restrictions for frequently accessed data.

    Service Architecture for Backend Data Persistence

    • Pair Amazon API Gateway with Amazon DynamoDB for a key-value backend storage solution.
    • Consider AWS Fargate and AWS Lambda for scalable, serverless functionality across varying request rates.

    Disaster Recovery Across Regions

    • Detach EC2 instance volumes for backup to S3 and copy Amazon Machine Images (AMIs) to establish redundancy in second regions.
    • Create AMIs of EC2 instances specifically targeting disaster recovery processes.

    Cost-Effective Solutions for Short-Term Log Storage

    • Opt for Amazon S3 Standard for log files persisting for 24 hours, providing balance between access speed and cost.

    Enhancing Application Resilience

    • Utilize Amazon Aurora Read Replicas to manage read traffic efficiently during high demand.
    • Implement Amazon CloudFront distributions to enhance application performance and responsiveness.

    Private API Calls to DynamoDB

    • Create a gateway endpoint for DynamoDB to allow EC2 instances private API calls without traversing the internet.
    • Update VPC route tables to direct traffic efficiently to the DynamoDB endpoint, ensuring security and performance.

    Description

    Test your knowledge on key strategies that a solutions architect should implement to protect applications in the cloud. This quiz focuses on network access control, IP blocking, and security group configurations specific to AWS environments.
