I passed the exam but haven’t got the score yet. Thanks a lot, to Ryan and team and everyone who took time to share their exam experience.
Questions were very tough, but I believe with enough preparation and a bit of luck you can pass the exam. There were around 10 – 12 question from acloud.guru practice test, practice test on AWS website, sample questions on AWS website and where Ryan says ‘This question is going to be in the exam’.
Some of the questions/ topics that I could remember:
Lot of users are trying to access the application hosted on EC2 but guard duty is flagging those requests as brute force attack. How to decrease the noise-signal ratio?
You have on prem active directory and want to have cloud users in a separate directory and don’t want cloud users to access the on prem resources. How would you setup trust relationship – one way from old directory to new, new to old or both ways?
One question on STS:AssumeRoleWithWebIdentity
Two questions on Cross Account Access to S3 (this is the one from practice test on aws website)
You wanna build a security solution where you get notified if a user’s iam permissions were changed. How would you do that? – aws config or credentials report.
Access Keys got compromised – 2 questions. One was on ec2 authorized_keys.
Private Key that is being used on a lot of EC2s got compromised, how would you find out which EC2 instances were launched with that key while maintaining a minimum operational overhead. I selected the option with aws ec2 describe-instances –filters key-name.
Quite a few on Lambda.
One question KMS Grant
Build a solution for S3 where – Encryption in transit, at rest, if bucket becomes public then also data is not compromised.
Data is on EC2 EBS(encrypted using KMS CMK) and then backed up to S3 (encrypted using KMS CMK). Former employee deletes the kms key and you came to know after it got deleted. How would you recover the data?
One on Macie.
One on Athena.
One where a malicious actor found a security gap and is sending requests from multiple IPs all over the world but using same query string parameters. How would WAF help?
Few on DDOS.
One on IPS where the options were 3rd party, marketplace, IP tables and SG + NACL
Secure ses on port 587.
VPC endpoints for S3
IAM policies for Cross Account Access were listed and you have to find the one that was correct.
One question on Secrets Manager where because you enabled rotation some application can’t connect.
One was where you had to store login credentials for tens of thousands of devices but it had to be COST effective – Flat file on S3 encrypted with KMS, SSM Parameter Store with secure string, Secrets Manager
One on Certificate manager
Security team wants you to setup a policy so that users are only able to access the files in folder only.
Security team wants to backup everything on S3 but want to use a unique key for each file. Setup with minimum operation overhead.
One on instance got compromised.