You are designing an intrusion detection/prevention (IDS/IPS) solution for a customer web application in a
single VPC. You are considering the options for implementing IDS/IPS protection for traffic coming from the
Internet.
Which of the following options would you consider? (Choose 2 answers)
Answer
Implement IDS/IPS agents on each instance running in the VPC
Configure an instance in each subnet to switch its network interface card to promiscuous mode and analyze network traffic.
Implement Elastic Load Balancing with SSL listeners in front of the web applications
Implement a reverse proxy layer in front of web servers and configure IDS/IPS agents on each reverse proxy server.
Question 2
Question
Your customer is willing to consolidate their log streams (access logs, application logs, security logs, etc.) in one
single system. Once consolidated, the customer wants to analyze these logs in real time based on heuristics.
From time to time, the customer needs to validate heuristics, which requires going back to data samples
extracted from the last 12 hours.
What is the best approach to meet your customer’s requirements?
Answer
Send all the log events to Amazon SQS. Set up an Auto Scaling group of EC2 servers to consume the logs and apply the heuristics.
Send all the log events to Amazon Kinesis, then develop a client process to apply heuristics on the logs
Configure Amazon CloudTrail to receive custom logs, then use EMR to apply heuristics on the logs
Set up an Auto Scaling group of EC2 syslogd servers, store the logs on S3, then use EMR to apply heuristics on the logs
Question 3
Question
You require the ability to analyze a customer's clickstream data on a website so they can do behavioral
analysis. Your customer needs to know what sequence of pages and ads their customer clicked on. This data
will be used in real time to modify the page layouts as customers click through the site to increase stickiness
and advertising click-through. Which option meets the requirements for capturing and analyzing this data?
Answer
Log clicks in weblogs by URL, store to Amazon S3, and then analyze with Elastic MapReduce
Push web clicks by session to Amazon Kinesis and analyze behavior using Kinesis workers
Write click events directly to Amazon Redshift and then analyze with SQL
Publish web clicks by session to an Amazon SQS queue, then periodically drain these events to Amazon RDS and analyze
Question 4
Question
You are designing a connectivity solution between on-premises infrastructure and Amazon VPC. Your servers
on-premises will be communicating with your VPC instances. You will be establishing IPSec tunnels over the
Internet. You will be using VPN gateways and terminating the IPsec tunnels on AWS-supported customer
gateways.
Which of the following objectives would you achieve by implementing an IPSec tunnel as outlined above?
(Choose 4 answers)
Answer
End-to-end protection of data in transit
End-to-end identity authentication
Data encryption across the Internet
Protection of data in transit over the Internet
Peer identity authentication between VPN gateway and customer gateway