- (Topic 3)
Which VPC component provides a layer of security at the subnet level?

1. A. Security groups
2. B. Network ACLs
3. C. NAT gateways
4. D. Route tables

Correct Answer: B
Network ACLs are a feature that provide a layer of security at the subnet level by acting as a firewall to control traffic in and out of one or more subnets. Network ACLs can be configured with rules that allow or deny traffic based on the source and destination IP addresses, ports, and protocols5. Security groups are a feature that provide a layer of security at the instance level by acting as a firewall to control traffic to and from one or more instances. Security groups can be configured with rules that allow or deny traffic based on the source and destination IP addresses, ports, protocols, and security groups. NAT gateways are a feature that enable instances in a private subnet to connect to the internet or other AWS services, but prevent the internet from initiating a connection with those instances. Route tables are a feature that determine where network traffic from a subnet or gateway is directed.

- (Topic 2)
Which AWS service or tool provides on-demand access to AWS security and compliance reports and AWS online agreements?

1. A. AWS Artifact
2. B. AWS Trusted Advisor
3. C. Amazon Inspector
4. D. AWS Billing console

Correct Answer: A
AWS Artifact is the AWS service or tool that provides on-demand access to AWS security and compliance reports and AWS online agreements. AWS Trusted Advisor is a tool that provides real-time guidance to help users provision their resources following AWS best practices. Amazon Inspector is a service that helps users improve the security and compliance of their applications. AWS Billing console is a tool that helps users manage their AWS costs and usage. These concepts are explained in the AWS Cloud Practitioner Essentials course3.

- (Topic 1)
A user wants to identify any security group that is allowing unrestricted incoming SSH traffic.
Which AWS service can be used to accomplish this goal?

1. A. Amazon Cognito
2. B. AWS Shield
3. C. Amazon Macie
4. D. AWS Trusted Advisor

Correct Answer: D
The correct answer to the question is D because AWS Trusted Advisor is an AWS service that can be used to accomplish the goal of identifying any security group that is allowing unrestricted incoming SSH traffic. AWS Trusted Advisor is a service that provides customers with recommendations that help them follow AWS best practices. Trusted Advisor evaluates the customer’s AWS environment and identifies ways to optimize their AWS infrastructure, improve security and performance, reduce costs, and monitor service quotas. One of the checks that Trusted Advisor performs is the Security Groups - Specific Ports Unrestricted check, which flags security groups that allow unrestricted access to specific ports, such as port 22 for SSH. Customers can use this check to review and modify their security group rules to restrict SSH access to only authorized sources. Reference: Security Groups - Specific Ports Unrestricted

- (Topic 2)
A company must store call recordings for 6 years. The storage system should be highly durable and cost-effective.
Which AWS service meets these requirements?

1. A. AWS Snowball
2. B. Amazon S3
3. C. AWS Storage Gateway
4. D. Amazon Kinesis

Correct Answer: B
Amazon S3 is a service that provides highly durable and cost-effective object storage for a variety of use cases, including backup and archive, big data analytics, disaster recovery, and cloud applications. Amazon S3 offers 99.999999999% (11 9’s) of durability, meaning that data is designed to withstand the loss of two facilities concurrently. Amazon S3 also offers several storage classes with different price and performance characteristics, such as S3 Glacier and S3 Glacier Deep Archive, which are ideal for long- term archival of data that is rarely accessed. AWS Snowball, AWS Storage Gateway, and Amazon Kinesis are not designed to provide the same level of durability and cost- effectiveness as Amazon S3 for storing call recordings for 6 years. Source: Amazon S3

- (Topic 1)
According to the AWS shared responsibility model, which of the following are AWS responsibilities? (Select TWO.)

1. A. Network infrastructure and virtualization of infrastructure
2. B. Security of application data
3. C. Guest operating systems
4. D. Physical security of hardware
5. E. Credentials and policies

Correct Answer: AD
The correct answers are A and D because network infrastructure and virtualization of infrastructure and physical security of hardware are AWS responsibilities according to the AWS shared responsibility model. The AWS shared responsibility model is a framework that defines the division of responsibilities between AWS and the customer for security and compliance. AWS is responsible for the security of the cloud, which includes the global infrastructure, such as the regions, availability zones, and edge locations; the hardware, software, networking, and facilities that run the AWS services; and the virtualization layer that separates the customer instances and storage. The customer is responsible for the security in the cloud, which includes the customer data, the guest operating systems, the applications, the identity and access management, the firewall configuration, and the encryption. The other options are incorrect because they are not AWS responsibilities according to the AWS shared responsibility model. Security of application data, guest operating systems, and credentials and policies are customer responsibilities according to the AWS shared responsibility model. Reference: [AWS Shared Responsibility Model]