
Exam AWS DevOps Engineer Professional topic 1 question 83 discussion

Exam question from Amazon's AWS DevOps Engineer Professional
Question #: 83
Topic #: 1

A consulting company was hired to assess security vulnerabilities within a client company's application and propose a plan to remediate all identified issues. The architecture is identified as follows: Amazon S3 storage for content, an Auto Scaling group of Amazon EC2 instances behind an Elastic Load Balancer with attached Amazon EBS storage, and an Amazon RDS MySQL database. There are also several AWS Lambda functions that communicate directly with the RDS database using connection string statements in the code.

The consultants identified the top security threat as follows: the application is not meeting its requirement to have encryption at rest.

What solution will address this issue with the LEAST operational overhead and will provide monitoring for potential future violations?

  • A. Enable SSE encryption on the S3 buckets and RDS database. Enable OS-based encryption of data on EBS volumes. Configure Amazon Inspector agents on EC2 instances to report on insecure encryption ciphers. Set up AWS Config rules to periodically check for non-encrypted S3 objects.
  • B. Configure the application to encrypt each file prior to storing on Amazon S3. Enable OS-based encryption of data on EBS volumes. Encrypt data on write to RDS. Run cron jobs on each instance to check for unencrypted data and notify via Amazon SNS. Use S3 Events to call an AWS Lambda function and verify if the file is encrypted.
  • C. Enable Secure Sockets Layer (SSL) on the load balancer, ensure that AWS Lambda is using SSL to communicate to the RDS database, and enable S3 encryption. Configure the application to force SSL for incoming connections and configure RDS to only grant access if the session is encrypted. Configure Amazon Inspector agents on EC2 instances to report on insecure encryption ciphers.
  • D. Enable SSE encryption on the S3 buckets, EBS volumes, and the RDS database. Store RDS credentials in EC2 Parameter Store. Enable a policy on the S3 bucket to deny unencrypted puts. Set up AWS Config rules to periodically check for non-encrypted S3 objects and EBS volumes, and to ensure that RDS storage is encrypted.
Suggested Answer: D 🗳️
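The two mechanisms that make D the answer are a preventive control (a bucket policy that denies PutObject requests without server-side encryption) and a detective control (AWS Config managed rules that flag unencrypted S3 buckets, EBS volumes and RDS storage). The script below is an added example, not code from the exam, ExamTopics or AWS: it builds the bucket policy and evaluates it offline against constructed PutObject requests, then runs a local approximation of the three relevant managed rules over constructed configuration snapshots. The bucket name, the request headers and the resource snapshots are made up for illustration; the rule identifiers are the real AWS Config managed-rule names, but the check functions are a simplification of what the service evaluates. The Parameter Store part of answer D is not modelled here.

```python
"""Added example: model the preventive and detective controls from answer D.

Everything below runs offline. The bucket name, request headers and resource
snapshots are constructed for illustration and are not real resources.
"""
import json

BUCKET = "example-content-bucket"  # hypothetical name, not from the question

# Preventive control: deny s3:PutObject unless the request asks for SSE.
# Statement 1 matches requests whose x-amz-server-side-encryption header is
# absent (the "Null" condition); statement 2 matches requests that set it to
# anything other than the two SSE modes S3 accepts in that header.
DENY_UNENCRYPTED_PUTS = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyPutWithoutSSEHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
        {
            "Sid": "DenyPutWithUnknownSSEMode",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": ["AES256", "aws:kms"]
                }
            },
        },
    ],
}


def _condition_matches(operator, key, expected, headers):
    """Evaluate one condition-key/operator pair against the request headers.

    The S3 condition key "s3:x-amz-server-side-encryption" mirrors the request
    header of the same name without the "s3:" prefix. Only the two operators
    used in the policy above are modelled.
    """
    header = key.split(":", 1)[1]
    value = headers.get(header)
    if operator == "Null":
        # "Null": "true" matches when the key is absent from the request.
        return (value is None) == (expected == "true")
    if operator == "StringNotEquals":
        allowed = expected if isinstance(expected, list) else [expected]
        # As in IAM, a missing key also counts as "not equal".
        return value not in allowed
    raise ValueError(f"operator not modelled: {operator}")


def put_allowed_by_policy(policy, headers):
    """Return True if no Deny statement matches a PutObject with these headers.

    Only Deny statements are modelled; an explicit deny always wins, which is
    all this policy relies on.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        matched_all = all(
            _condition_matches(op, key, expected, headers)
            for op, pairs in stmt.get("Condition", {}).items()
            for key, expected in pairs.items()
        )
        if matched_all:
            return False
    return True


# Detective control: AWS Config managed rules covering the three data stores.
# The identifiers are the real managed-rule names; the lambdas are a local
# approximation of each rule's check, applied to constructed snapshots.
CONFIG_RULES = {
    "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED": lambda ci: bool(ci.get("defaultEncryption")),
    "ENCRYPTED_VOLUMES": lambda ci: ci.get("encrypted") is True,
    "RDS_STORAGE_ENCRYPTED": lambda ci: ci.get("storageEncrypted") is True,
}


def evaluate_config_rules(items):
    """Map each constructed configuration item to COMPLIANT or NON_COMPLIANT."""
    return {
        ci["resourceId"]: "COMPLIANT" if CONFIG_RULES[ci["rule"]](ci) else "NON_COMPLIANT"
        for ci in items
    }


SAMPLE_ITEMS = [  # constructed snapshots, not real resources
    {"rule": "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED", "resourceId": BUCKET,
     "defaultEncryption": "aws:kms"},
    {"rule": "ENCRYPTED_VOLUMES", "resourceId": "vol-example-1", "encrypted": False},
    {"rule": "RDS_STORAGE_ENCRYPTED", "resourceId": "db-example-1", "storageEncrypted": True},
]

if __name__ == "__main__":
    print(json.dumps(DENY_UNENCRYPTED_PUTS, indent=2))
    for hdrs in ({}, {"x-amz-server-side-encryption": "AES256"},
                 {"x-amz-server-side-encryption": "AES257"}):
        verdict = "allowed" if put_allowed_by_policy(DENY_UNENCRYPTED_PUTS, hdrs) else "denied"
        print(hdrs, "->", verdict)
    print(evaluate_config_rules(SAMPLE_ITEMS))
```

Two caveats a practitioner would add to answer D. First, since January 2023 S3 applies SSE-S3 to every new object by default, so the Null-condition statement now rejects clients that simply rely on that default; if the real goal is to mandate a specific mode such as SSE-KMS, keep only the StringNotEquals form with the required value. Second, "enable SSE on EBS volumes and the RDS database" is not an in-place switch for existing resources: an unencrypted EBS volume or RDS instance has to be snapshotted, the snapshot copied with encryption enabled, and the resource recreated from the encrypted copy, which is exactly the remediation the Config rules above will keep flagging until it is done.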

Comments

SmileyCloud
Highly Voted 2 years, 5 months ago
Selected Answer: D
A - there is no need to use OS-based encryption on the EBS volumes. You can just use AWS-provided EBS encryption. B - No need to configure apps to encrypt when writing to S3. You use encryption on S3. C - This is encryption in transit, not encryption at rest. D - Correct.
upvoted 5 times
qsergii
Most Recent 1 year, 11 months ago
D - what is "EC2 Parameter Store"? Does it exist?
upvoted 1 times
vikasnm123
1 year, 4 months ago
EC2 Parameter Store evolved into Systems Manager Parameter Store.
upvoted 1 times
skkakarla
2 years, 2 months ago
D - None of the other options mention removing the DB connection string from the code
upvoted 3 times
Piccaso
2 years, 2 months ago
Selected Answer: D
A and B are eliminated because of "OS-based encryption of data on EBS volumes". Between C and D, monitoring of D is better.
upvoted 1 times
Bulti
2 years, 3 months ago
Correct answer is D.
upvoted 1 times
Kapello10
2 years, 4 months ago
D is the correct answer.
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other