ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Solutions Architect - Professional All Questions

View all questions & answers for the AWS Certified Solutions Architect - Professional exam
Go to Exam

Exam AWS Certified Solutions Architect - Professional topic 1 question 1013 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Professional
Question #: 1013
Topic #: 1
[All AWS Certified Solutions Architect - Professional Questions]

A company had a third-party audit of its AWS environment. The auditor identified secrets in developer documentation and found secrets that were hardcoded into AWS CloudFormation templates throughout the environment. The auditor also identified security groups that allowed inbound traffic from the internet and outbound traffic to all destinations on the internet.

A solutions architect must design a solution that will encrypt all secrets and rotate the secrets every 90 days. Additionally, the solutions architect must configure the security groups to prevent resources from being accessible from the internet.

Which solution will meet these requirements?

  • A. Use AWS Secrets Manager to create, store, and access secrets. Create new secrets in AWS CloudFormation by using the AWS::SecretsManager::Secret resource type. Reference the secrets in other templates by using Secrets Manager dynamic references. Configure automatic rotation in Secrets Manager to rotate the secrets every 90 days. Use AWS Firewall Manager to create a policy that identifies all security groups that allow inbound or outbound communications for any protocols to 0.0.0.0/0. Whenever the policy flags a security group in violation, remove the noncompliant rule from security groups.
  • B. Use AWS Systems Manager Parameter Store to create, store, and access secrets. Create new Parameter Store items in AWS CloudFormation by using the AWS::SSM::Parameter resource type. Access these items by using the AWS CLI or AWS APIs. Configure automatic rotation in Parameter Store to rotate the secrets every 90 days. Use AWS Firewall Manager to create a policy that identifies all security groups that allow inbound or outbound communications for any protocols to 0.0.0.0/0. Whenever the policy flags a security group in violation, remove the noncompliant rule from security groups.
  • C. Use AWS Secrets Manager to create, store, and access secrets. Create new secrets in AWS CloudFormation by using the AWS::SecretsManager::Secret resource type. Reference the secrets in other templates by using Secrets Manager dynamic references. Configure automatic rotation in Secrets Manager to rotate the secrets every 90 days. Use AWS Firewall Manager to create a policy that enforces a requirement for all security groups to explicitly deny inbound and outbound communications for all protocols to 0.0.0.0/0.
  • D. Use AWS Systems Manager Parameter Store to create, store, and access secrets. Create new Parameter Store items in AWS CloudFormation by using the AWS::SSM::Parameter resource type. Reference the items in other templates by using Systems Manager dynamic references. Configure automatic rotation in Parameter Store to rotate the secrets every 90 days. Use AWS Firewall Manager to create a policy that enforces a requirement for all security groups to explicitly deny inbound and outbound communications for all protocols to 0.0.0.0/0.
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️
by Heer at Nov. 21, 2022, 9:05 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Ebi
1 year, 4 months ago
Answer is A
upvoted 1 times
...
zozza2023
2 years, 5 months ago
Selected Answer: A
Parameter Store can not rotate secrets!
upvoted 2 times
...
VVish
2 years, 6 months ago
A . Explicit Deny not possible with SGs
upvoted 2 times
...
ggrodskiy
2 years, 6 months ago
Correct A.
upvoted 3 times
...
Spavanko
2 years, 7 months ago
Selected Answer: A
Answer is A D: Parameter Store can not rotate secrets!
upvoted 2 times
...
Spavanko
2 years, 7 months ago
Answer is A D: Parameter Store can not rotate secrets!
upvoted 1 times
...
Heer
2 years, 7 months ago
The right option is A 1)The requirement is to rotate the key and only Secret Manager can do that . So option B and D are out 2)Out of option A and C :THe catch is that we cannot apply deny any rule in security group as it only allows.Second catch is that Aws Firewall can only Audit the usage of SG and remove the unused ones Audit security group rules and can remediate those Apply common security group rules to accounts . So the option A talks about 'Audit security group rules and can remediate those'
upvoted 4 times
pixepe
2 years, 7 months ago
Good catch on Security Group, We can't add EXPLICIT DENY in security group.
upvoted 1 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel