Amazon CLF-C02 Exam

IAM roles are a secure way to grant permissions to applications running on an Amazon EC2 instance to make calls to other AWS services. IAM roles are entities that have specific permissions policies attached to them. You can create an IAM role and associate it with an EC2 instance when you launch it or later. The applications on the instance can then use the temporary credentials provided by the role to access AWS resources that the role allows.This way, you do not have to store any long-term credentials or access keys on the instance, which reduces the risk of compromise or misuse12.

The other options are not correct, because:

Security groups are virtual firewalls that control the inbound and outbound traffic for your EC2 instances.Security groups do not grant permissions to access other AWS services, but rather filter the network traffic based on rules that you define3.

AWS Firewall Manager is a service that helps you centrally configure and manage firewall rules across your accounts and resources. AWS Firewall Manager works with AWS WAF, AWS Shield Advanced, and Amazon VPC security groups.AWS Firewall Manager does not grant permissions to access other AWS services, but rather helps you enforce consistent security policies across your AWS infrastructure4.

IAM user SSH keys are credentials that allow you to connect to your EC2 instance using SSH.SSH keys do not grant permissions to access other AWS services, but rather authenticate your identity when you log in to your instance5.

Using an IAM role to grant permissions to applications running on Amazon EC2 instances - AWS Identity and Access Management

IAM roles for Amazon EC2 - Amazon Elastic Compute Cloud

Security groups for your VPC - Amazon Virtual Private Cloud

What is AWS Firewall Manager? - AWS Firewall Manager

Connecting to your Linux instance using SSH - Amazon Elastic Compute Cloud

A network ACL (NACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You can create a network ACL and associate it with a subnet to apply rules that allow or deny traffic to or from the subnet. Network ACLs are stateless, meaning that they evaluate the source and destination IP addresses for both inbound and outbound traffic.You can also use network ACLs to block IP address ranges that are known to be malicious12.

The other options are not AWS services or tools that can be used to set up a firewall to control traffic going into and coming out of an Amazon VPC subnet. Security groups are another layer of security for your VPC that act as a firewall for your EC2 instances. Security groups are stateful, meaning that they automatically allow return traffic for allowed inbound traffic.Security groups can only filter traffic based on protocols, ports, and source or destination IP addresses, not on IP ranges3. AWS WAF is a web application firewall that helps protect your web applications from common web exploits. AWS WAF can filter web requests based on rules that you define, such as IP addresses, HTTP headers, HTTP body, or URI strings.AWS WAF does not apply to non-web traffic or to traffic within a VPC4. AWS Firewall Manager is a service that helps you centrally configure and manage firewall rules across your accounts and resources in AWS Organizations. You can use Firewall Manager to apply AWS WAF rules, AWS Network Firewall policies, and Amazon VPC security groups across your AWS accounts. AWS Firewall Manager does not provide a firewall service itself, but rather helps you manage other firewall services

AWS WAF is a web application firewall service that helps protect web applications from common web exploits that could affect availability, compromise security, or consume excessive resources. AWS WAF gives you control over which traffic to allow or block to your web applications by defining customizable web security rules.You can use AWS WAF to create rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that filter out specific traffic patterns you define1.AWS WAF also integrates with other AWS services, such as Amazon CloudFront, Amazon API Gateway, AWS AppSync, and AWS Load Balancer, to provide a comprehensive defense against web attacks2. Therefore, AWS WAF meets the requirements of the social media company, compared to the other options.

The other options are not suitable for the social media company's requirements, because:

Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices.However, Amazon Inspector does not provide a web application firewall service that can block malicious web requests3.

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3. Amazon GuardDuty analyzes and processes the following data sources: VPC Flow Logs, AWS CloudTrail event logs, and DNS logs.However, Amazon GuardDuty does not provide a web application firewall service that can block malicious web requests4.

Amazon CloudWatch is a monitoring and observability service that provides data and actionable insights to monitor your applications, respond to system-wide performance changes, optimize resource utilization, and get a unified view of operational health. Amazon CloudWatch collects monitoring and operational data in the form of logs, metrics, and events, and visualizes it using automated dashboards, alarms, and notifications. However, Amazon CloudWatch does not provide a web application firewall service that can block malicious web requests.

What Is AWS WAF? - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced

AWS WAF Features - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced

What Is Amazon Inspector? - Amazon Inspector

What Is Amazon GuardDuty? - Amazon GuardDuty

[What Is Amazon CloudWatch? - Amazon CloudWatch]

The correct answer isBandC. EC2 Amazon Machine Images (AMIs) and Amazon Elastic Block Store (Amazon EBS) snapshots are two AWS services that provide disaster recovery solutions for Amazon EC2 instances.

EC2 AMIsare preconfigured templates that contain the software configuration and data required to launch an EC2 instance. You can create AMIs from your running EC2 instances and use them to launch new instances in the same or different AWS Regions.This way, you can quickly recover your EC2 instances in case of a disaster that affects your primary Region or Availability Zone1.

Amazon EBS snapshotsare incremental backups of your Amazon EBS volumes. You can create snapshots of your volumes and store them in Amazon S3, which is a highly durable and scalable storage service. You can use snapshots to restore your volumes to a previous point in time or to create new volumes from snapshots.Snapshots can also be copied across AWS Regions, enabling you to recover your data in another Region in case of a disaster2.

The other options are not directly related to disaster recovery for EC2 instances:

EC2 Reserved Instancesare a pricing model that allows you to reserve EC2 capacity for a specific period of time and receive a discount on the hourly charge.Reserved Instances do not provide any disaster recovery benefits, as they are only a billing option3.

AWS Shieldis a managed service that protects your AWS resources from distributed denial-of-service (DDoS) attacks. AWS Shield provides basic protection for all AWS customers at no additional charge, and advanced protection for customers who need higher levels of detection and mitigation.AWS Shield does not provide any disaster recovery benefits, as it is only a security service4.

Amazon GuardDutyis a threat detection service that monitors your AWS account and workloads for malicious or unauthorized activity. Amazon GuardDuty analyzes various data sources, such as AWS CloudTrail, Amazon VPC Flow Logs, and DNS logs, to identify potential threats and alert you via Amazon CloudWatch Events or AWS Lambda.Amazon GuardDuty does not provide any disaster recovery benefits, as it is only a monitoring service5.

AWS Trusted Advisor is the service that can meet these requirements. AWS Trusted Advisor is a service that helps you optimize your AWS environment by providing recommendations based on AWS best practices. Trusted Advisor continuously evaluates your AWS resources and services across five categories: cost optimization, performance, service limits, fault tolerance, and security. You can view the recommendations on the Trusted Advisor console or access them programmatically using the Trusted Advisor API. You can also set up notifications and alerts for any changes in the status of your checks.Trusted Advisor can help you improve your AWS environment by reducing costs, enhancing performance, increasing security, and ensuring reliability12. The other services are not designed to provide best practice recommendations in five categories. AWS Shield is a service that protects your AWS resources from distributed denial-of-service (DDoS) attacks. AWS WAF is a service that helps you protect your web applications from common web exploits.AWS Service Catalog is a service that enables you to create and manage catalogs of IT services that are approved for use on AWS34.Reference:AWS Trusted Advisor,Achieve operational excellence with AWS Trusted Advisor,AWS Shield,AWS WAF, [AWS Service Catalog]