Security

1. A company wants to restrict access to its Amazon VPC so that only specific IP ranges from corporate offices can connect. Which VPC feature should be used to enforce this network-level access control?

• A.Network Access Control Lists (NACLs) applied at the subnet level to allow or deny traffic based on IP address ranges✓ Correct
• B.IAM policies attached to EC2 instances that restrict which users can initiate connections to the VPC
• C.Amazon CloudFront geo-restriction settings configured to block traffic from non-corporate locations
• D.AWS Direct Connect virtual interfaces configured with BGP route filters to limit allowed prefixes

2. An organization uses Amazon CloudFront to serve content globally but needs to block users from certain countries due to licensing restrictions. Which CloudFront feature accomplishes this requirement?

• A.CloudFront geo-restriction (geographic blocking) configured with a blocklist of restricted country codes✓ Correct
• B.AWS WAF rules attached to the CloudFront distribution to inspect request headers for country information
• C.Route 53 latency-based routing policies that redirect restricted-country traffic to an error page
• D.VPC security groups on the origin server configured to deny traffic from restricted country IP ranges

3. A development team has 15 developers who all need the same set of AWS permissions to access S3 and DynamoDB resources. What is the most efficient and manageable IAM approach for this scenario?

• A.Create an IAM group with the required S3 and DynamoDB permissions, then add all 15 developer users to that group✓ Correct
• B.Create 15 individual IAM users and attach identical inline policies to each user with the required permissions
• C.Create a single shared IAM user account with the required permissions for all developers to use collectively
• D.Create an IAM role with the required permissions and have each developer assume the role via the console

4. An EC2 instance needs to read objects from an S3 bucket without storing AWS credentials on the instance. Which IAM construct is specifically designed to grant AWS service permissions without long-term credentials?

• A.An IAM role with an S3 read policy attached, assigned to the EC2 instance as an instance profile at launch✓ Correct
• B.An IAM user with S3 read permissions whose access key and secret key are stored in environment variables on the instance
• C.An IAM group containing the EC2 instance as a member with S3 read permissions attached to the group policy
• D.An S3 bucket policy granting public read access so the EC2 instance can retrieve objects without authentication

5. A junior developer requires read-only access to a single S3 bucket named 'project-assets'. Which IAM policy approach best demonstrates the principle of least privilege for this requirement?

• A.Create a policy granting s3:GetObject and s3:ListBucket only on the specific 'project-assets' bucket ARN and its objects✓ Correct
• B.Attach the AWS managed policy AmazonS3ReadOnlyAccess which grants read access to all S3 buckets in the account
• C.Grant the developer the AdministratorAccess policy and rely on organizational guidelines to limit actual usage
• D.Create a policy granting s3:* on all S3 resources so the developer has flexibility to perform any read operations needed