AWS Certified Solutions Architect - Professional

Here you have the best Amazon SAP-C01 practice exam questions

  • You have 1019 total questions to study from
  • Each page has 5 questions, making a total of 204 pages
  • These questions were last updated on December 15, 2024
Question 1 of 1019

Your company policies require encryption of sensitive data at rest. You are considering the possible options for protecting data while storing it at rest on an EBS data volume, attached to an EC2 instance.

Which of these options would allow you to encrypt your data at rest? (Choose three.)

    Correct Answer: A, C, D

    To encrypt data at rest on an EBS data volume, attached to an EC2 instance, you have several options. First, you can implement third-party volume encryption tools to encrypt your data. Second, you can encrypt data inside your applications before storing it on the EBS volume, ensuring that the data is encrypted before it even reaches the storage medium. Lastly, you can use native data encryption drivers at the file system level to encrypt the data as it is written to and read from the EBS volume. Implementing SSL/TLS is not suitable for data at rest as it is meant for encrypting data in transit, and EBS volumes are not encrypted by default.

Question 2 of 1019

A customer is deploying an SSL-enabled web application to AWS and would like to implement a separation of roles between the EC2 service administrators, who are entitled to log in to instances and make API calls, and the security officers, who will maintain and have exclusive access to the application's X.509 certificate that contains the private key.

    Correct Answer: D

    To maintain a separation of roles between EC2 service administrators and security officers, it is necessary to ensure that security officers have exclusive access to the X.509 certificate containing the private key. Configuring IAM policies to authorize access to the certificate store to only the security officers and terminating SSL on an ELB (Elastic Load Balancer) achieves this separation. By terminating SSL on the ELB, the SSL/TLS session is terminated before reaching the EC2 instance, and the web request can then be forwarded unencrypted to the instance. This setup prevents the EC2 service administrators from accessing the certificate, as it is handled at the ELB level, and IAM policies enforce restricted access.

Question 3 of 1019

You have recently joined a startup company building sensors to measure street noise and air quality in urban areas. The company has been running a pilot deployment of around 100 sensors for 3 months. Each sensor uploads 1KB of sensor data every minute to a backend hosted on AWS.

During the pilot, you measured a peak of 10 IOPS on the database, and you stored an average of 3GB of sensor data per month in the database.

The current deployment consists of a load-balanced, auto-scaled ingestion layer using EC2 instances and a PostgreSQL RDS database with 500GB standard storage.

The pilot is considered a success and your CEO has managed to get the attention of some potential investors. The business plan requires a deployment of at least 100K sensors, which needs to be supported by the backend. You also need to store sensor data for at least two years to be able to compare year-over-year improvements.

To secure funding, you have to make sure that the platform meets these requirements and leaves room for further scaling.

Which setup will meet the requirements?

    Correct Answer: B

    Given the requirements for scalability, long-term data storage, and efficient data ingestion, the best setup is to use DynamoDB for ingesting data and then move old data to Redshift. DynamoDB is well-suited for write-heavy scenarios and provides the scalability needed to handle the data ingestion from 100K sensors. By moving old data to Redshift, you can manage large volumes of data effectively, taking advantage of Redshift's capabilities for storage and analytics. This setup ensures that the platform can meet the current requirements and allows room for further scaling.

Question 4 of 1019

A web company is looking to implement an intrusion detection and prevention system into their deployed VPC. This platform should have the ability to scale to thousands of instances running inside of the VPC.

How should they architect their solution to achieve these goals?

    Correct Answer: B

    To implement an intrusion detection and prevention system that can scale to thousands of instances running inside a VPC, the best approach is to create a second VPC and route all traffic from the primary application VPC through this second VPC where the scalable virtualized IDS/IPS platform resides. This solution allows for centralized monitoring and control of incoming and outgoing traffic, ensuring that all traffic is inspected before reaching the servers. Additionally, this architecture supports scalability by utilizing a separate, dedicated VPC for the IDS/IPS platform, making it more manageable and efficient for large-scale deployments.

Question 5 of 1019

A company is storing data on Amazon Simple Storage Service (S3). The company's security policy mandates that data is encrypted at rest.

Which of the following methods can achieve this? (Choose three.)

    Correct Answer: A, B, E

    To achieve encryption at rest for data stored in Amazon S3, three methods can be utilized. First, using Amazon S3 server-side encryption with AWS Key Management Service (KMS) managed keys ensures that AWS manages the keys, providing a secure and automated encryption process. Second, Amazon S3 server-side encryption with customer-provided keys allows users to bring their own encryption keys, providing full control over the encryption procedure. Third, clients can encrypt the data on the client-side using their own master key before uploading it to S3, ensuring data is already encrypted before it reaches the storage service.