AWS Security, Identity & Compliance

AWS Certified Solutions Architect Associate Training Notes [Cheat Sheets]

Use the buttons below to browse detailed training notes for AWS Security, Identity and Compliance.

AWS Identity and Access Management (IAM)

AWS Accounts and Organizations

AWS Directory Services

AWS Key Management Service (KMS)

AWS CloudHSM

Amazon Cognito

AWS WAF and Shield

Fast-track your Exam Success with these popular Training Resources

Video Course

Enroll in our popular video course with over 28 hours of video lessons, quiz questions, exam crams and more.

FREE Practice Exams

At the bottom of this page, you'll find FREE sample exam questions to test your knowledge.

Exam Simulator

Assess your exam readiness with over 500 unique practice questions using our online exam simulator.

Take your studies offline with these downloadable eBooks

For those who want to take their studies offline, we’ve combined all of our Cheat Sheets into a downloadable eBook. You also get to download 390 practice questions with detailed answers in PDF format.

Amazon AWS Solutions Architect Training Notes

AWS Certified Solutions Architect Associate - Training Notes (eBook)

Download this eBook (in PDF format) for the SAA-C02 with 300 pages of detailed facts, tables and diagrams. These cheat sheets contain everything you need to know to fast-track your exam success.

Learn More

AWS Certified Solutions Architect Associate Practice Questions

AWS Certified Solutions Architect Associate - Practice Tests (eBook)

Assess your exam readiness with these Practice Tests to maximize your chance of passing the AWS certification exam first time. We recommend reviewing these practice questions until you’re confident in all areas!

Learn More

Click "Start Practice Exam" below

Free AWS Security, Identity and Compliance Practice Questions

Test your knowledge with this FREE AWS Practice Test for the AWS Certified Solutions Architect

Total number of practice questions: 10
Pass mark: 72%
Completion time: No time limit

Want 500 more AWS practice questions?

Learn more about our popular practice exams that will help you fast-track your exam success.

Time limit: 0

Practice Exam Summary

0 of 10 questions completed

Questions:

Information

You have already completed the practice exam before. Hence you can not start it again.

Practice Exam is loading…

You must sign in or sign up to start the practice exam.

Results

Practice Exam complete. Results are being recorded.

Results

0 of 10 questions answered correctly

Your time:

Time has elapsed

You have reached 0 of 0 point(s), (0)

Earned Point(s): 0 of 0, (0)
0 Essay(s) Pending (Possible Point(s): 0)

Categories

AWS Security, Identity, & Compliance 0%

Better luck next time!
Unfortunately on this occasion, you did not pass the exam. The passing mark is a minimum score of 72%. Please use the “View Questions” button below to review answers, explanations, and reference links for each question before taking the practice exam again.

Need to improve your score? Get access to over 500+ high-quality questions here.
Congratulations!
You have passed the exam. The passing mark is a minimum score of 72%. Please use the “View Questions” button below to review answers, explanations, and reference links for each question.

Want more questions like these? Get access to over 500+ high-quality questions here.

Current
Review
Answered
Incorrect

Question 1 of 10

1. Question
A solutions Architect is designing a new workload where an AWS Lambda function will access an Amazon DynamoDB table.

What is the MOST secure means of granting the Lambda function access to the DynamoDB table?
- Create an identity and access management (IAM) role with the necessary permissions to access the DynamoDB table, and assign the role to the Lambda function
- Create a DynamoDB username and password and give them to the Developer to use in the Lambda function
- Create an identity and access management (IAM) user and create access and secret keys for the user. Give the user the necessary permissions to access the DynamoDB table. Have the Developer use these keys to access the resources
- Create an identity and access management (IAM) role allowing access from AWS Lambda and assign the role to the DynamoDB table
Correct

Incorrect
Question 2 of 10

2. Question
A Solutions Architect is developing an encryption solution. The solution requires that data keys are encrypted using envelope protection before they are written to disk.

Which solution option can assist with this requirement?
- AWS KMS API
- AWS Certificate Manager
- API Gateway with STS
- IAM Access Key
Correct

Incorrect
Question 3 of 10

3. Question
An EC2 instance that you manage has an IAM role attached to it that provides it with access to Amazon S3 for saving log data to a bucket. A change in the application architecture means that you now need to provide the additional ability for the application to securely make API requests to Amazon API Gateway.

Which two methods could you use to resolve this challenge? (Select TWO.)
- Delegate access to the EC2 instance from the API Gateway management console
- Create an IAM role with a policy granting permissions to Amazon API Gateway and add it to the EC2 instance as an additional IAM role
- You cannot modify the IAM role assigned to an EC2 instance after it has been launched. You’ll need to recreate the EC2 instance and assign a new IAM role
- Create a new IAM role with multiple IAM policies attached that grants access to Amazon S3 and Amazon API Gateway, and replace the existing IAM role that is attached to the EC2 instance
- Add an IAM policy to the existing IAM role that the EC2 instance is using granting permissions to access Amazon API Gateway
Correct

Incorrect
Question 4 of 10

4. Question
The security team in your company is defining new policies for enabling security analysis, resource change tracking, and compliance auditing. They would like to gain visibility into user activity by recording API calls made within the company’s AWS account. The information that is logged must be encrypted. This requirement applies to all AWS regions in which your company has services running.

How will you implement this request? (Select TWO.)
- Create a CloudTrail trail and apply it to all regions
- Create a CloudTrail trail in each region in which you have services
- Enable encryption with a single KMS key
- Enable encryption with multiple KMS keys
- Use CloudWatch to monitor API calls
Correct

Incorrect
Question 5 of 10

5. Question
You work for Digital Cloud Training and have just created a number of IAM users in your AWS account. You need to ensure that the users are able to make API calls to AWS services. What else needs to be done?
- Set a password for each user
- Create a set of Access Keys for the users
- Enable Multi-Factor Authentication for the users
- Create a group and add the users to it
Correct

Incorrect
Question 6 of 10

6. Question
The development team at your company have created a new mobile application that will be used by users to access confidential data. The developers have used Amazon Cognito for authentication, authorization, and user management. Due to the sensitivity of the data, there is a requirement to add another method of authentication in addition to a username and password.

You have been asked to recommend the best solution. What is your recommendation?
- Integrate IAM with a user pool in Cognito
- Enable multi-factor authentication (MFA) in IAM
- Integrate a third-party identity provider (IdP)
- Use multi-factor authentication (MFA) with a Cognito user pool
Correct

Incorrect
Question 7 of 10

7. Question
A Solutions Architect is creating a URL that lets users who sign in to the organization’s network securely access the AWS Management Console. The URL will include a sign-in token that authenticates the user to AWS. Microsoft Active Directory Federation Services is being used as the identity provider (IdP).

Which of the steps below will the Solutions Architect need to include when developing the custom identity broker? (Select TWO.)
- Call the AWS Security Token Service (AWS STS) AssumeRole or GetFederationToken API operations to obtain temporary security credentials for the user
- Generate a pre-signed URL programmatically using the AWS SDK for Java or the AWS SDK for .NET
- Call the AWS federation endpoint and supply the temporary security credentials to request a sign-in token
- Delegate access to the IdP through the "Configure Provider" wizard in the IAM console
- Assume an IAM Role through the console or programmatically with the AWS CLI, Tools for Windows PowerShell or API
Correct

Incorrect
Question 8 of 10

8. Question
A Solutions Architect must design a solution for providing single sign-on to existing staff in a company. The staff manage on-premise web applications and also need access to the AWS management console to manage resources in the AWS cloud.

Which combination of services are BEST suited to delivering these requirements?
- Use your on-premise LDAP directory with IAM
- Use IAM and MFA
- Use the AWS Secure Token Service (STS) and SAML
- Use IAM and Amazon Cognito
Correct

Incorrect
Question 9 of 10

9. Question
A solutions architect is designing a microservices architecture. AWS Lambda will store data in an Amazon DynamoDB table named Orders. The solutions architect needs to apply an IAM policy to the Lambda function’s execution role to allow it to put, update, and delete items in the Orders table. No other actions should be allowed.

Which of the following code snippets should be included in the IAM policy to fulfill this requirement whilst providing the LEAST privileged access?
- "Sid": "PutUpdateDeleteOnOrders", "Effect": "Allow", "Action": [ "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem" ], "Resource": "arn:aws:dynamodb:us-east-1:227392126428:table/Orders"
- "Sid": "PutUpdateDeleteOnOrders", "Effect": "Allow", "Action": [ "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem" ], "Resource": "arn:aws:dynamodb:us-east-1:227392126428:table/*"
- "Sid": "PutUpdateDeleteOnOrders", "Effect": "Allow", "Action": "dynamodb:* ", "Resource": "arn:aws:dynamodb:us-east-1:227392126428:table/Orders"
- "Sid": "PutUpdateDeleteOnOrders", "Effect": "Deny", "Action": "dynamodb:* ", "Resource": "arn:aws:dynamodb:us-east-1:227392126428:table/Orders"
Correct

Incorrect
Question 10 of 10

10. Question
A website runs on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB) which serves as an origin for an Amazon CloudFront distribution. An AWS WAF is being used to protect against SQL injection attacks. A review of security logs revealed an external malicious IP that needs to be blocked from accessing the website.

What should a solutions architect do to protect the application?
- Modify the network ACL on the CloudFront distribution to add a deny rule for the malicious IP address
- Modify the configuration of AWS WAF to add an IP match condition to block the malicious IP address
- Modify the network ACL for the EC2 instances in the target groups behind the ALB to deny the malicious IP address
- Modify the security groups for the EC2 instances in the target groups behind the ALB to deny the malicious IP address.
Correct

Incorrect

AWS Certified Solutions Architect Associate Training Notes [Cheat Sheets]