
AWS Certified Security - Specialty - Part 10

Mary Smith

Wed, 21 Jan 2026

1. An application is designed to run on an EC2 Instance. The application needs to work with an S3 bucket. From a security perspective, what is the ideal way for the EC2 instance/application to be configured?

A) Assign an IAM Role and assign it to the EC2 Instance
B) Use AWS access keys, ensuring that they are frequently rotated.
C) Assign an IAM group and assign it to the EC2 Instance
D) Assign an IAM user to the application that has specific access to only that S3 bucket



2. Your company has created a set of keys using the AWS KMS service. They need to ensure that each key is only used for certain services. For example, they want one key to be used only for the S3 service. How can this be achieved?

A) Create a bucket policy that allows the key to be accessed by only the S3 service.
B) Create an IAM policy that allows the key to be accessed by only the S3 service.
C) Use the kms:ViaService condition in the Key policy
D) Define an IAM user, allocate the key and then assign the permissions to the required service



3. An organization has launched 5 instances: 2 for production and 3 for testing. The organization wants one particular group of IAM users to access only the test instances and not the production ones. How can the organization set that as a part of the policy?

A) Create an IAM policy with a condition which allows access to only small instances
B) Define the IAM policy which allows access based on the instance ID
C) Launch the test and production instances in separate regions and allow region-wise access to the group
D) Define the tags on the test and production servers and add a condition to the IAM policy which allows access to specific tags



4. Your company has an EC2 Instance hosted in AWS. This EC2 Instance hosts an application. Currently this application is experiencing a number of issues. You need to inspect the network packets to see what type of error is occurring. Which one of the below steps can help address this issue?

A) Use the VPC Flow Logs.
B) Use Cloudwatch metric
C) Use another instance. Set up a port in promiscuous mode and sniff the traffic to analyze the packets.
D) Use a network monitoring tool provided by an AWS partner.



5. You currently have an S3 bucket hosted in an AWS Account. It holds information that needs to be accessed by a partner account. Which is the MOST secure way to allow the partner account to access the S3 bucket in your account? (Select 3 answers)

A) Ensure an IAM user is created which can be assumed by the partner account.
B) Ensure an IAM role is created which can be assumed by the partner account.
C) Provide the Account ID to the partner account
D) Provide the ARN for the role to the partner account
E) Ensure the partner uses an external ID when making the request
F) Provide access keys for your account to the partner account

1. Right Answer: A
Explanation: The diagram in the AWS whitepaper shows the security best practice of allocating a role that has access to the S3 bucket. Options B, C and D are invalid because using access keys, groups or users is an invalid security practice when giving one AWS resource access to another. For more information on security best practices, please visit the following URL: https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf

2. Right Answer: C
Explanation:

3. Right Answer: D
Explanation: Tags enable you to categorize your AWS resources in different ways, for example, by purpose, owner, or environment. This is useful when you have many resources of the same type; you can quickly identify a specific resource based on the tags you've assigned to it. Option A is invalid because the instance type will not resolve the requirement. Option B is invalid because maintaining instance IDs in policies is an overhead. Option C is invalid because this is not a recommended practice. For information on resource tagging, please visit the below URL: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html

4. Right Answer: D
Explanation: Since you need to sniff the actual network packets, the ideal approach would be to use a network monitoring tool provided by an AWS partner. The AWS documentation mentions the following: Multiple AWS Partner Network members offer virtual firewall appliances that can be deployed as an in-line gateway for inbound or outbound network traffic. Firewall appliances provide additional application-level filtering, deep packet inspection, IPS/IDS, and network threat protection features. Options A and B are invalid because these services cannot be used for packet inspection. Option C is invalid because promiscuous mode is not supported in AWS. For more information on the security capabilities, please visit the below URL: https://aws.amazon.com/answers/networking/vpc-security-capabilities/

5. Right Answer: B,D,E
Explanation:
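Questions 2, 3 and 5 all turn on a StringEquals condition key (kms:ViaService, ec2:ResourceTag/Environment, sts:ExternalId). The Python below is an added illustration, not part of the original quiz and not AWS's policy engine: a deliberately simplified evaluator run against constructed policies and request contexts; the region, account ID 111122223333 and external ID are placeholder values.

```python
from fnmatch import fnmatch

def _statement_applies(stmt, action, resource, context):
    """True when a statement's Action, Resource and StringEquals conditions all match."""
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if not any(fnmatch(action, pattern) for pattern in actions):
        return False
    if not fnmatch(resource, stmt.get("Resource", "*")):
        return False
    # A StringEquals condition on a key that is absent from the request context
    # evaluates false, so a direct KMS call (no kms:ViaService) never matches.
    for key, wanted in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if context.get(key) != wanted:
            return False
    return True

def is_allowed(policy, action, resource, context):
    """Explicit Deny wins, otherwise any matching Allow grants, otherwise implicit deny."""
    effects = {s["Effect"] for s in policy["Statement"]
               if _statement_applies(s, action, resource, context)}
    return "Deny" not in effects and "Allow" in effects

# Q2: key policy statement that lets the key be used only through S3 in one region
# (constructed example; the region is an assumption).
KMS_KEY_POLICY = {"Statement": [{
    "Effect": "Allow",
    "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
    "Resource": "*",
    "Condition": {"StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com"}}}]}

# Q3: IAM policy for the test group, scoped to instances tagged Environment=test
# (constructed example; the account ID 111122223333 is a placeholder).
EC2_TAG_POLICY = {"Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"],
    "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
    "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "test"}}}]}

# Q5: trust policy of the role the partner assumes, gated on the agreed external ID
# (constructed example; the external ID is a placeholder). A real trust policy names
# the partner account in a Principal element, which this simplified model ignores.
TRUST_POLICY = {"Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]}
```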
