Your company policies require encryption of sensitive data at rest. You are considering the
possible options for protecting data while storing it at rest on an EBS data volume, attached to
an EC2 instance.
Which of these options would allow you to encrypt your data at rest? (Choose 3)
A. Implement third party volume encryption tools
B. Implement SSL/TLS for all services running on the server
C. Encrypt data inside your applications before storing it on EBS
D. Encrypt data using native data encryption drivers at the file system level
E. Do nothing as EBS volumes are encrypted by default
Answer(s): A, C, D
QUESTION: 2
A customer is deploying an SSL-enabled web application to AWS and would like to implement a
separation of roles between the EC2 service administrators that are entitled to log in to instances
as well as making API calls and the security officers who will maintain and have exclusive
access to the application's X.509 certificate that contains the private key.
A. Upload the certificate on an S3 bucket owned by the security officers and accessible only by
EC2 Role of the web servers.
B. Configure the web servers to retrieve the certificate upon boot from a CloudHSM that is
managed by the security officers.
C. Configure system permissions on the web servers to restrict access to the certificate only to
the authorized security officers.
D. Configure IAM policies authorizing access to the certificate store only to the security officers
and terminate SSL on an ELB.
Answer(s): D
Explanation:
You'll terminate the SSL at the ELB, and the web request will reach the EC2 instance unencrypted.
Even if the certs are stored in S3, they have to be configured on the web servers or load balancers
somehow, which becomes difficult if the keys are stored in S3. However, keeping the keys in the
cert store and using IAM to restrict access gives a clear separation of concerns between security
officers and developers. Developers can still configure SSL on the ELB without actually
handling the keys.
You have recently joined a startup company building sensors to measure street noise and air
quality in urban areas. The company has been running a pilot deployment of around 100
sensors for 3 months. Each sensor uploads 1KB of sensor data every minute to a backend
hosted on AWS.
During the pilot, you measured a peak of 10 IOPS on the database, and you stored an average
of 3GB of sensor data per month in the database. The current deployment consists of a
load-balanced, auto-scaled ingestion layer using EC2 instances and a PostgreSQL RDS database
with 500GB standard storage.
The pilot is considered a success and your CEO has managed to get the attention of some
potential investors. The business plan requires a deployment of at least 100K sensors which