Phase 1 Exam: Cloud Foundations

This exam covers all modules in Phase 1: Cloud Foundations. Read each question carefully before selecting your answer.

25 questions · 60 minutes · 70% to pass

  1. Which of the following best describes the difference between authentication and authorization in AWS Identity and Access Management (IAM)?

  2. A company is evaluating whether to migrate from on-premises infrastructure to AWS. The Chief Financial Officer wants to understand the financial impact. Which statement accurately describes the spending model shift when moving to the cloud?

  3. A solutions architect needs to ensure that an Amazon EC2 instance in a private subnet can download software updates from the internet, but the instance must not be directly reachable from the internet. Which combination of components enables this? (Select TWO.)

  4. Which of the following are essential characteristics of cloud computing as defined by the National Institute of Standards and Technology (NIST)? (Select THREE.)

  5. An organization uses AWS Organizations to manage multiple AWS accounts. The security team attaches a Service Control Policy (SCP) to the Production organizational unit (OU) that denies the `s3:DeleteBucket` action. A user in a Production account has an IAM policy that grants `s3:*` (full S3 access). What happens when the user attempts to delete an S3 bucket?

  6. A startup is designing a web application on AWS. The application has a public-facing web tier and a backend database. The team wants to follow security best practices by limiting network exposure. Which VPC design pattern is most appropriate for this workload?

  7. What is the primary purpose of an AWS Availability Zone (AZ)?

  8. A developer needs to grant an Amazon EC2 instance permission to read objects from an Amazon S3 bucket. Which approach follows IAM security best practices?

  9. A cloud engineer is reviewing the following IAM policy. What does this policy allow?

     ```json
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Action": [
             "s3:GetObject",
             "s3:ListBucket"
           ],
           "Resource": [
             "arn:aws:s3:::reports-bucket",
             "arn:aws:s3:::reports-bucket/*"
           ],
           "Condition": {
             "IpAddress": {
               "aws:SourceIp": "10.0.0.0/16"
             }
           }
         }
       ]
     }
     ```

  10. Which of the following statements correctly describes the AWS Shared Responsibility Model? (Select TWO.)

  11. A network engineer is troubleshooting connectivity for an EC2 instance in a public subnet. The instance has a public IP address and the VPC has an internet gateway attached. The instance can send traffic to the internet, but external clients cannot reach the instance on port 443 (HTTPS). Which is the most likely cause?

  12. Which of the following correctly describes the relationship between AWS Regions, Availability Zones, and subnets in a VPC?

  13. A security auditor is reviewing an AWS account and finds that the root user has active access keys and no Multi-Factor Authentication (MFA) enabled. Which actions should the auditor recommend? (Select TWO.)

  14. A company is deploying a three-tier web application on AWS. The architecture includes a load balancer, application servers, and a database. The security team requires that each tier can only communicate with the tier directly above or below it. How should the security groups be configured?

  15. What is the key difference between security groups and network access control lists (NACLs) in a VPC?

  16. A junior developer asks why they should use customer managed policies instead of inline policies for granting permissions to multiple IAM users. Which explanation is correct?

  17. A company wants to deploy a production application that remains available even if a single data center experiences a failure. Which AWS infrastructure design best supports this requirement?

  18. An organization is planning its VPC network design. The VPC will use the CIDR block `10.0.0.0/16`. The team needs to create subnets for two Availability Zones, each with a public and a private subnet. Which of the following subnet CIDR allocations is valid for this VPC?

  19. In the IAM policy evaluation logic, what is the result when an IAM policy explicitly allows an action but a separate policy attached to the same user explicitly denies the same action?

  20. A systems administrator needs to allow instances in a private subnet to access the internet for downloading patches, while preventing any inbound connections from the internet. The administrator also needs to ensure high availability. What is the recommended approach?

  21. Which of the following is an example of a Platform as a Service (PaaS) offering on AWS?

  22. A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to communicate with an EC2 instance in the public subnet within the same VPC. Which statement is correct about this communication?

  23. Place the following steps in the correct order for how IAM evaluates a request when multiple policies apply to a principal.

      1. An explicit allow in an identity-based policy overrides the implicit deny.
      2. All requests start with an implicit deny.
      3. An explicit deny in any policy overrides any allow.

  24. A company is migrating to AWS and wants to understand the Shared Responsibility Model as it applies to IAM and VPC security. The security team asks: "Who is responsible for configuring IAM policies, and who is responsible for ensuring the physical network infrastructure is secure?" Which answer correctly assigns these responsibilities?

  25. A cloud architect is designing a secure architecture for a web application. The architect wants to implement layered security using both IAM and VPC controls. Which combination correctly describes how IAM policies and security groups work together to protect an EC2 instance running a web application? (Select TWO.)