Determining Appropriate Data Security Controls

By

Date: Jul 3, 2023

Return to the article

In this sample chapter from AWS Certified Solutions Architect - Associate (SAA-C03) Cert Guide, 2nd Edition, you will learn how your organization can define the security and accessibility of data records stored at AWS, with coverage on key concepts such as data access and governance, Amazon EBS encryption, Amazon S3 bucket security, and AWS Certificate Manager.

This chapter covers the following topics:

This chapter covers content that’s important to the following exam domain and task statement:

Domain 1: Design Secure Architectures

Task Statement 3: Determine appropriate data security controls

Organizations have workloads and associated cloud services fail while operating at AWS. Amazon Elastic Compute Cloud (EC2) instances fail, Amazon Elastic Block Store (EBS) volumes crash, and cloud services can stop working. However, you shouldn’t have go to your boss and announce, “We’ve lost some data.” Fortunately, all data can be securely and redundantly stored at AWS.

All data stored at AWS using any storage service can be encrypted; organizations make the decision about whether encryption is required. However, Amazon S3 objects and S3 Glacier archive storage is automatically encrypted at rest. All other storage services at AWS store data records in an unencrypted state to start. For example, Amazon S3 buckets are encrypted using server-side encryption using Amazon S3, the AWS Key Management Service (KMS) with customer master keys (CMK) and data keys, or encryption keys supplied by each organization. Amazon EBS volumes—both boot and data volumes—can be encrypted at rest and in transit using CMKs provided by AWS KMS. Shared storage services such as Amazon EFS and Amazon FSx for Windows File Server can also be encrypted at rest, as can Amazon DynamoDB tables, Amazon Relational Database Service (RDS) deployments, and Amazon Simple Queue Service (SQS) queues.

AWS does not have single-tenant persistent data storage for individual organizations; all storage services offered at AWS are multi-tenant by design. AWS has the responsibility to ensure that each organization’s stored data records are isolated to the AWS account in which they are first created. Organizations can secure data at rest by choosing to encrypt all data records; protecting data in transit can be achieved using Transport Layer Security (TLS).

Each organization is in control of the storage and retrieval of its data records that are stored at AWS. It’s the organization’s responsibility to define the security and accessibility of all data records stored at AWS. All data storage at AWS starts as private storage only accessible across the AWS private network. Organizations can choose to make select Amazon S3 buckets public, but all other storage services offered by AWS remain private and are not publicly accessible across the Internet. AWS VPN and AWS Direct Connect connections from on-premises locations can directly access AWS storage services; however, EBS volumes can only be accessed through the attached EC2 instance. Figure 5-1 illustrates the options for data encryption at AWS that are discussed in this chapter.

Figure 5-1 Encryption Choices at AWS

“Do I Know This Already?”

The “Do I Know This Already?” quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 5-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes and Q&A Sections.”

Table 5-1 “Do I Know This Already?” Section-to-Question Mapping

Foundation Topics Section

Questions

Data Access and Governance

1, 2

Amazon EBS Encryption

3, 4

Amazon S3 Bucket Security

5, 6

AWS Key Management Service

7, 8

AWS Certificate Manager

9, 10

1. What AWS service assists in protecting access to AWS?

  1. AWS Shield

  2. Amazon Macie

  3. Amazon EBS volumes

  4. Amazon DynamoDB databases

2. What is the purpose of using detective controls?

  1. To enable and enforce multifactor access

  2. To detect and alert when security controls change

  3. To manage AWS Organizations backups

  4. To analyze compliance levels

3. Which of the following determines whether an attached Amazon EBS volume can be encrypted?

  1. The type of Amazon EC2 instance

  2. The size of the Amazon EBS volume

  3. The type of the Amazon EBS volume

  4. The IOPS assigned to the Amazon EBS volume

4. Where are data keys stored when they are delivered to an Amazon EC2 instance for safekeeping?

  1. The associated Amazon EBS volume

  2. Unsecured RAM

  3. Secured RAM

  4. AWS Key Management Service

5. What security policy allows multiple AWS accounts to access the same Amazon S3 bucket?

  1. Amazon IAM policy

  2. AWS IAM server control policy

  3. Amazon S3 Bucket policy

  4. Amazon IAM policy

6. What type of encryption can be carried out before uploading objects to Amazon S3 to ensure absolute encryption outside AWS control?

  1. RSA encryption

  2. AES 128-bit encryption

  3. Client-side encryption

  4. Server-side encryption

7. What is the advantage of importing your organization’s symmetric keys into AWS KMS?

  1. High level of compliance

  2. Faster encryption and decryption

  3. Absolute control of encryption keys

  4. None

8. What additional AWS service can work with AWS KMS as a custom key store?

  1. Encrypted EBS volume

  2. Encrypted Amazon S3 bucket

  3. AWS CloudHSM

  4. Encrypted AWS SQS queue

9. How does AWS charge for provisioning SSL/TLS certificates for AWS services using AWS Certificate Manager?

  1. It charges per certificate per year.

  2. It charges for private TLS certificates only.

  3. It does not charge for AWS services.

  4. It charges per certificate check.

10. Where are the security certificates for the AWS Application Load Balancer stored?

  1. Amazon S3 bucket

  2. Amazon EBS volume

  3. AWS Certificate Manager

  4. AWS KMS service

Foundation Topics

Data Access and Governance

Many on-premises and AWS-hosted workloads store their associated data records in the AWS cloud. Personal data stored in the public cloud is sometimes defined as personally identifiable information (PII). Sensitive data types, such as PII, must be protected to comply with privacy regulations such as the General Data Protection Regulation (GDPR), laws such as the Health Insurance Portability and Accountability Act (HIPAA), and industry standards such as the Payment Card Industry Data Security Standard (PCI DSS). More than 13 billion data records have been stolen since 2013, according to the 2022 Thales Data Threat Report (https://cpl.thalesgroup.com/data-threat-report). AWS Artifact, located in the AWS Management console, provides on-demand access to all current AWS compliance and security reports, including Service Organization Control (SOC) and Payment Card Industry (PCI) reports and certifications from accreditation bodies validating the implementation and operating effectiveness of AWS security controls (see Figure 5-2).

Figure 5-2 AWS Artifact PCI Report

Data Retention and Classification

When classifying data, it’s important for each organization to implement data retention policies for each class of stored data. Organizations should design security policies using security zones for all data records, and data classification requirements based on how data is stored and who has access to it (see Figure 5-3). Defined security zones for data records range from highly protected to publicly accessible.

Figure 5-3 Classification of Data Records

Security zones are typically used to segregate different types of organizational data assets based on their sensitivity or importance, with the most sensitive or valuable data being placed in the highest security zone. This segregation enables organizations to implement different levels of security controls and access restrictions based on the sensitivity of the data, ensuring that only authorized users with the appropriate level of clearance can access and view sensitive data records.

Additionally, the creation of relevant security zones can help organizations prevent the spread of security breaches by limiting the potential impact to a specific area of the organization. Organizations also should create a network perimeter with defined network flow and access policies for data records defining where and how data can be accessed. Defense-in-depth security at AWS is applied using infrastructure security controls, AWS IAM security policies, and AWS detective controls (see Figure 5-4).

Figure 5-4 Preventative Controls

Infrastructure Security

Infrastructure security requires deploying the following protections:

IAM Controls

AWS Identity and Access Management (IAM) policies are useful for controlling access to the data layer (database, queue, AWS EBS volumes, shared data [AWS EFS and AWS FSx for Windows File Server], and Amazon S3 storage) and managing IAM user and federated user activity and infrastructure security. Separate administrative tasks should be created for Amazon RDS with IAM policies (see Example 5-1) that control access to database data records. For authentication and authorization to any workload or organizational data records, enable multifactor authentication (MFA) for all administrators and end users.

Example 5-1 Administrative Access to Amazon RDS

Detective Controls

Detective controls are a type of security control designed to detect and alert when potential security incidents or breaches occcur. Detective controls typically are used with preventive and corrective controls forming a comprehensive security strategy. Examples of detective controls at AWS include intrusion detection systems, and auditing or logging systems that monitor user activity and alert on suspicious behavior. The goal of detective controls is to identify potential security threats or vulnerabilities before they can cause harm, allowing organizations to take appropriate action to prevent or mitigate the impact of a security incident.

Detective controls are an important part of a defense-in-depth security strategy as they provide an additional layer of protection by detecting and responding to potential security threats. Detective controls at AWS include the following security services:

Amazon EBS Encryption

Amazon Elastic Block Storage (EBS) volumes provide persistent block-level storage volumes for EC2 instances. They can be used to store a wide variety of data, including operating system files, application data, and database records. EBS volumes are automatically replicated within their availability zone to protect against data loss due to failure, and support a range of performance levels and storage options to meet the needs of different workloads.

Amazon Elastic Block Store (EBS) provides the option to encrypt EBS volumes to protect the data records. Encrypting EBS volumes ensures that the data cannot be read or accessed by unauthorized parties, even if the underlying storage volume is compromised. Encryption is performed using a customer master key and data key managed by the AWS Key Management Service (KMS), which provides a secure and auditable encryption service for managing data encryption at AWS using encryption keys. EBS volumes can be encrypted when first created, or volumes can be encrypted after they have been created. EBS also provides the option to encrypt snapshots of EBS volumes, enabling you to create encrypted backups of your EBS volumes.

Both EBS boot and data volumes can be encrypted. Most EC2 instances support EBS volumes’ encryption, including the C4, I2, I3, M3, M4, R3, and R4 families. AWS has made the encryption process incredibly easy to deploy; when creating an EBS volume, merely checking off the option to enable encryption starts the encryption process (see Figure 5-5), which is managed by AWS Key Management Service (KMS). More details on AWS KMS are provided throughout this chapter.

Figure 5-5 Enabling EBS Encryption

The CMK protects all the other keys issued for data encryption and decryption of your EBS volumes within your AWS account. All AWS KMS-issued CMKs are protected using envelope encryption, which means AWS is responsible for creating and wrapping the “envelope” that contains the CMKs of the respective AWS account. Envelope encryption encrypts the plaintext data with a data key, and then encrypts the data key using a key that is managed by the AWS Key Management Service (KMS). KMS keys are created inside AWS KMS and never leave AWS KMS unencrypted. AWS cryptographic tools and services support the Advanced Encryption Standard (AES) with 128-, 192-, or 256-bit keys. AES is combined with Galois/Counter Mode (GCM), which provides high-performance symmetric key operation using a block size of 128 bits and is used by AWS KMS. AES and GCM are documented as AES-GCM.

After enabling your customer key using KMS for your AWS account, for additional security, it’s a good idea to add another key administrator and to allow key rotation of your Customer Master Keys. Administrators can use the KMS master key provided to create additional AWS KMS administrators, and to optionally enable key rotation of the CMK (see Figure 5-6).

Figure 5-6 Enabling Key Rotation

To encrypt an EBS volume using the AWS Key Management Service, a CMK can be created by AWS and stored in AWS KMS. Optionally, organizations can choose to specify the key material for the CMK, which can be generated by KMS or imported from your own key management infrastructure. After a CMK has been created, you can create an encrypted EBS volume using the EC2 dashboard and specifying the ID of the CMK when creating the volume (see Figure 5-7). The EBS volume will be encrypted using the specified CMK, and the data on the EBS volume will be encrypted at rest on the underlying storage.

Figure 5-7 Select KMS Key

When you attach the encrypted EBS volume to an EC2 instance, the instance will automatically download and install the necessary encryption and decryption components, including the appropriate version of the AWS Encryption SDK and the public key portion of the CMK. The instance will then use the CMK to encrypt and decrypt data as it is written to and read from the EBS volume. The private key portion of the CMK remains securely stored in AWS KMS, and is never made available to the EC2 instance.

When an EBS volume has been encrypted and attached to an EC2 instance, the following data types are encrypted:

AWS KMS performs the following steps, as illustrated in Figure 5-8, to encrypt and decrypt the EBS volume:

Step 1. AWS EBS sends a request to KMS, specifying the CMK to use for the AWS EBS volume encryption.

Step 2. AWS KMS generates a new data key, encrypts it using the specified CMK, and sends the encrypted key to AWS EBS to be stored with the volume metadata.

Step 3. The Amazon EC2 service sends a decrypt request to KMS.

Step 4. EBS sends a request to KMS to decrypt the data key.

Step 5. KMS uses the CMK to decrypt the encrypted data key and sends the decrypted key to the EC2 service.

Step 6. EC2 stores the plaintext decrypted key in protected hypervisor memory on the bare-metal server where the EC2 instance is hosted and uses the key when required to perform decryption for the EBS volume.

Figure 5-8 EBS Encryption Steps

Amazon S3 Bucket Security

By default, only the owner who created an S3 bucket has access to the objects stored in the bucket. There are several methods for controlling security for an S3 bucket (see Figure 5-9):

Example 5-2 S3 Bucket Policy

Figure 5-11 Blocking Public Access on an S3 Bucket by Default

S3 Storage at Rest

For the AWS Certified Solutions Architect – Associate (SAA-C03) exam, the key topics to know about S3 storage at rest are as follows:

Figure 5-13 SSE-C Encryption Process

Amazon S3 Object Lock Policies

Amazon S3 buckets and Amazon S3 Glacier have data policies that can lock objects so they cannot be deleted or changed. Amazon S3 objects can be locked using a write-once/read-many (WORM) policy. Object lock policies enable you to set rules that restrict certain actions on objects, such as deleting or overwriting them, in order to protect objects and ensure they remain available and unaltered. Object lock policies are set at the S3 bucket level and apply to all objects in the bucket, or set on individual objects. This can be useful for complying with legal or regulatory requirements or protecting important or sensitive data. Apply a WORM policy, as shown in Figure 5-14, to stop an Amazon S3 object from being overwritten, or deleted for a fixed time period, or indefinitely. There are several options to WORM policies to understand. First is the retention period, which refers to a set number of days or years during which an object will remain locked, protected, and unable to be overwritten or deleted. There are two retention modes:

Figure 5-14 WORM Policy Settings

Legal Hold

An object lock allows you to place a legal hold on an S3 object. Legal hold provides the same protection as a previously discussed retention period but does not have an expiration date. expiration date. Once in force, a legal hold remains in place until it is removed. An object lock works on S3 buckets that have versioning already enabled. Legal hold can be applied to a single S3 object. A legal hold can be placed and removed by any user with the s3:PutObjectLegalHold permission applied to their IAM user or group account they are a member of.

Amazon S3 Glacier Storage at Rest

Objects stored in Amazon S3 Glacier are automatically encrypted using SSE and AES-256 encryption. Amazon S3 Glacier Vault Lock enables you to deploy and enforce regulatory and required compliance controls by applying a Vault Lock policy on an Amazon S3 Glacier vault. Once a WORM policy has been applied to an S3 Glacier vault, the policy cannot be changed.

Data Backup and Replication

Amazon S3 object backups can be carried out with the services and utilities listed in Table 5-2. AWS Backup and AWS DataSync can back up additional AWS storage service data records.

Table 5-2 Data Backup and Replication Options

AWS Service

Use

Data Types

AWS Backup

Back up all AWS storage services

EBS volumes and snapshots, S3 buckets, EFS, FSx for Windows File Server, RDS, DynamoDB

Amazon S3 Same-Region Replication (SRR)

Replicate objects to an S3 bucket in the same AWS region

Objects and versioned objects

Amazon S3 Cross-Region Replication (CRR)

Replicate objects to an S3 bucket in a different AWS region

Objects and versioned objects

Amazon S3 Multi-Region Access Points

Replicate data sets across multiple AWS regions

Objects and versioned objects

AWS DataSync

Copy data to and from AWS storage services

Network File System (NFS) or Server Message Block (SMB) shares, Hadoop Distributed File Systems (HDFS), AWS Snowcone, S3 buckets, EFS, FSx for Windows File Server

AWS Key Management Service

AWS Key Management Service (KMS) lets organizations create, manage, and control cryptographic keys used to protect data records. AWS KMS integrates with AWS services that can encrypt data records (see Figure 5-15).

Figure 5-15 KMS Console

Organizations do not have to directly interface with AWS KMS to enable data encryption; instead, they can use AWS KMS services through more than 100 integrated AWS services, such as Amazon EBS storage, Amazon RDS, Amazon S3, Amazon EFS, Amazon FSx for Windows File Server, Amazon Aurora, and Amazon DynamoDB. When you enable encryption services using AWS KMS, a CMK is automatically generated in your AWS account for data encryption and decryption services. Organizations can choose to create one or more CMKs and use them to match their security requirements. A custom CMK allows you to control each key’s access control and usage policy; you can also grant permissions to other AWS accounts and services to use a specific custom CMK.

You can also choose to create symmetric CMKs, which use the same key to encrypt and decrypt data, or asymmetric CMKs, which use a public/private key pair (one for encrypting and one for decrypting).

The most common way to use KMS is to choose which AWS service will encrypt your data and select the CMK from within the AWS service itself; for example, you can encrypt an RDS database volume, as shown in Figure 5-16.

Figure 5-16 Generating CMKs with KMS for an RDS Instance

Envelope Encryption

KMS uses a process called envelope encryption to encrypt data at rest. It involves two layers of encryption: the first layer encrypts the data using a key generated by the organization, and the second layer encrypts the customer-generated key using a key that is managed by the AWS Key Management Service (KMS). This process enables each organization to retain control over their encryption keys and also enables them to rotate and manage the keys as needed, while still benefitting from the security and reliability of using the KMS for encryption key management. When you need to encrypt data, KMS generates a data key that is used to encrypt the data locally within the AWS service or application. The data keys are also encrypted under the organization’s CMK. When it’s time to decrypt your data, a request is sent to KMS to decrypt the data key (that is, the data key copy that was stored with the encrypted data) using your CMK. The entire encryption or decryption process is logged in AWS CloudTrail for auditing purposes.

Organizations that choose to import 256-bit symmetric keys into AWS KMS for compliance requirements are responsible for managing the imported keys’ expiration dates.

In addition to encrypting your data, AWS KMS provides other security features to help protect your encryption keys:

AWS KMS Cheat Sheet

For the AWS Certified Solutions Architect – Associate (SAA-C03) exam, you need to understand the following critical aspects of AWS KMS:

AWS CloudHSM

Instead of using the default AWS KMS store, you can create a custom key store using a VPC-hosted AWS CloudHSM cluster and authorize KMS to use it as its dedicated key store. AWS CloudHSM clusters are created using multiple single-tenant hardware devices (see Figure 5-17). Amazon maintains the AWS CloudHSM hardware and backs up its contents but never enters an AWS CloudHSM device. Organizations might use an AWS CloudHSM deployment if compliance rules explicitly require that encryption keys are protected in a single-tenant hardware device. AWS CloudHSM can operate as a complete stand-alone hardware device for your synchronous and asynchronous keys and provide you with Federal Information Processing Standard (FIPS) 140-2 Level 3 compliance.

Figure 5-17 CloudHSM Design

AWS Certificate Manager

AWS Certificate Manager (ACM) is a managed service that allows you to provision, manage, and deploy public and private SSL/TLS certificates that can be used with your AWS services and AWS-hosted websites and applications. Certificates can also be deployed on ELB load balancers, CloudFront distributions, Elastic Beanstalk, and APIs hosted on Amazon API Gateway. There is no additional charge for provisioning public or private SSL/TLS certificates for use with AWS services. However, organizations will pay a fee for creating and operating a private certificate authority (CA) and for the private certificates that are issued by the private CA that is used by your internally hosted resources, such as application servers or appliances.

ACM can generate the following certificate types (see Figure 5-18):

Figure 5-18 Certificate Choices in AWS Certificate Manager

Encryption in Transit

AWS uses HTTPS endpoints communication, providing encryption in transit for communicating with AWS APIs. AWS service endpoints can also be accessed using TLS version 1.2. Some AWS services offer endpoints that support the Federal Processing Standard (FIPS) 140-2 in some regions. Each endpoint is the URL of the entry point for each AWS service. AWS SDKs and the AWS Command Line Interface (AWS CLI) automatically use the default endpoint for each service per AWS Region, but an alternative endpoint can be specified for API requests. Most AWS services have regional endpoints that can be used to make requests. The format for a regional endpoint is protocol://service-code.region-code.amazonaws.com. AWS endpoints can be referenced here: https://docs.aws.amazon.com/general/latest/gr/aws-service-information.html.

Global endpoints are used for global services and services located in edge locations. The global AWS services are

HTTP endpoints for domains and hosted workloads hosted at AWS can be be blocked with Security Groups and Network ACLs and can automatically be redirected to HTTPS endpoints when using Amazon CloudFront or an Amazon ELB.

Exam Preparation Tasks

As mentioned in the section “How to Use This Book” in the Introduction, you have a couple of choices for exam preparation: the exercises here, Chapter 16, “Final Preparation,” and the exam simulation questions in the Pearson Test Prep software online.

Review All Key Topics

Review the most important topics in the chapter, noted with the Key Topic icon in the margin of the page. Table 5-3 lists these key topics and the page number on which each is found.

Table 5-3 Chapter 5 Key Topics

Key Topic Element

Description

Page Number

Figure 5-1

Encryption Choices at AWS

204

Section

Data Retention and Classification

207

Section

Infrastructure Security

209

Section

Detective Controls

210

Section

Amazon EBS Encryption

212

Figure 5-6

Enabling Key Rotation

213

Section

S3 Storage at Rest

220

Section

Amazon S3 Object Lock Policies

221

Section

Amazon S3 Glacier Storage at Rest

222

Section

AWS Key Management Service

224

Section

AWS KMS Cheat Sheet

226

Section

AWS CloudHSM

227

List

AWS Certificate Manager certificate types

227

Define Key Terms

Define the following key terms from this chapter and check your answers in the glossary:

Amazon Elastic Block Storage (EBS)

symmetric key

access control list (ACL)

bucket policy

write-once/read-many (WORM)

AWS Key Management Service (KMS)

certificate authority (CA)

Q & A

The answers to these questions appear in Appendix A. Use the Pearson Test Prep Software Online for more practice with exam format questions.

1. Which AWS storage service is available with AWS as a single-tenant storage design?

2. What is the default state of an S3 bucket regarding public access when the bucket is first created?

3. What is the security advantage of using SSE-C encryption with Amazon S3 buckets?

4. Describe the concept of envelope encryption that KMS uses.

5. What type of data stored at AWS is always automatically encrypted by default?

6. Why is AWS CloudHSM chosen by companies that must adhere to a high compliance standard?

7. How does AWS KMS carry out automatic key rotation for imported keys?

8. Where can private CAs created by AWS Certificate Manager be deployed?

800 East 96th Street, Indianapolis, Indiana 46240

sale-70-410-exam    | Exam-200-125-pdf    | we-sale-70-410-exam    | hot-sale-70-410-exam    | Latest-exam-700-603-Dumps    | Dumps-98-363-exams-date    | Certs-200-125-date    | Dumps-300-075-exams-date    | hot-sale-book-C8010-726-book    | Hot-Sale-200-310-Exam    | Exam-Description-200-310-dumps?    | hot-sale-book-200-125-book    | Latest-Updated-300-209-Exam    | Dumps-210-260-exams-date    | Download-200-125-Exam-PDF    | Exam-Description-300-101-dumps    | Certs-300-101-date    | Hot-Sale-300-075-Exam    | Latest-exam-200-125-Dumps    | Exam-Description-200-125-dumps    | Latest-Updated-300-075-Exam    | hot-sale-book-210-260-book    | Dumps-200-901-exams-date    | Certs-200-901-date    | Latest-exam-1Z0-062-Dumps    | Hot-Sale-1Z0-062-Exam    | Certs-CSSLP-date    | 100%-Pass-70-383-Exams    | Latest-JN0-360-real-exam-questions    | 100%-Pass-4A0-100-Real-Exam-Questions    | Dumps-300-135-exams-date    | Passed-200-105-Tech-Exams    | Latest-Updated-200-310-Exam    | Download-300-070-Exam-PDF    | Hot-Sale-JN0-360-Exam    | 100%-Pass-JN0-360-Exams    | 100%-Pass-JN0-360-Real-Exam-Questions    | Dumps-JN0-360-exams-date    | Exam-Description-1Z0-876-dumps    | Latest-exam-1Z0-876-Dumps    | Dumps-HPE0-Y53-exams-date    | 2017-Latest-HPE0-Y53-Exam    | 100%-Pass-HPE0-Y53-Real-Exam-Questions    | Pass-4A0-100-Exam    | Latest-4A0-100-Questions    | Dumps-98-365-exams-date    | 2017-Latest-98-365-Exam    | 100%-Pass-VCS-254-Exams    | 2017-Latest-VCS-273-Exam    | Dumps-200-355-exams-date    | 2017-Latest-300-320-Exam    | Pass-300-101-Exam    | 100%-Pass-300-115-Exams    |
http://www.portvapes.co.uk/    | http://www.portvapes.co.uk/    |