
AWS Certified Security - Specialty - Part 16

Mary Smith

Mon, 24 Mar 2025


1. How can you ensure that instances in a VPC do not use the AWS (Amazon Web Services) DNS for resolving DNS requests? You want to use your own managed DNS instance. How can this be achieved?

A) Change the existing DHCP options set
B) Change the subnet configuration to allow DNS requests from the new DNS server
C) Create a new DHCP options set and replace the existing one
D) Change the route table for the VPC



2. A company wants to have a secure way of generating, storing and managing cryptographic keys, but they want to have exclusive access to the keys. Which of the following can be used for this purpose?

A) Use KMS and use an external key material
B) Use Cloud HSM
C) Use KMS and the normal KMS encryption keys
D) Use S3 Server Side encryption



3. Your company has a requirement to work with a DynamoDB table. There is a security mandate that all data should be encrypted at rest. What is the easiest way to accomplish this for DynamoDB?

A) Use the AWS SDK to encrypt the data before sending it to the DynamoDB table
B) Use S3 buckets to encrypt the data before sending it to DynamoDB
C) Encrypt the table using AWS KMS after it is created
D) Encrypt the table using AWS KMS before it is created



4. A company has hired a third-party security auditor, and the auditor needs read-only access to all AWS resources and logs of all VPC records and events that have occurred on AWS. How can the company meet the auditor's requirements without compromising security in the AWS environment? Choose the correct answer from the options below.

A) Create an SNS notification that sends the CloudTrail log files to the auditor's email when CloudTrail delivers the logs to S3, but do not allow the auditor access to the AWS environment.
B) Create a role that has the required permissions for the auditor.
C) The company should contact AWS as part of the shared responsibility model, and AWS will grant the required access to the third-party auditor.
D) Enable CloudTrail logging and create an IAM user who has read-only permissions to the required AWS resources, including the bucket containing the CloudTrail logs.



5. You are trying to use the AWS Systems Manager Run Command on a set of instances. The Run Command is not working on a set of instances. What can you do to diagnose the issue? (Select 2 answers)

A) Check the /var/log/amazon/ssm/errors.log file
B) Ensure the security groups allow outbound communication for the instance
C) Ensure that the SSM agent is running on the target machine
D) Ensure the right AMI is used for the instance



1. Right Answer: C
Explanation:

2. Right Answer: B
Explanation: The AWS Documentation mentions the following: The AWS CloudHSM service helps you meet corporate, contractual and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) instances within the AWS cloud. AWS and AWS Marketplace partners offer a variety of solutions for protecting sensitive data within the AWS platform, but for some applications and data subject to contractual or regulatory mandates for managing cryptographic keys, additional protection may be necessary. CloudHSM complements existing data protection solutions and allows you to protect your encryption keys within HSMs that are designed and validated to government standards for secure key management. CloudHSM allows you to securely generate, store and manage cryptographic keys used for data encryption in a way that keys are accessible only by you.

Options A, C and D are invalid because in all of those cases the management of the key will be with AWS. Here the question specifically mentions that you want to have exclusive access to the keys. This can be achieved with CloudHSM. For more information on CloudHSM, please visit the following URL: https://aws.amazon.com/cloudhsm/faqs/

3. Right Answer: D
Explanation: The easiest option is to enable encryption when the DynamoDB table is created. The AWS Documentation mentions the following: Amazon DynamoDB offers fully managed encryption at rest. DynamoDB encryption at rest provides enhanced security by encrypting your data at rest using an AWS Key Management Service (AWS KMS) managed encryption key for DynamoDB. This functionality eliminates the operational burden and complexity involved in protecting sensitive data.

Option A is partially correct: you can use the AWS SDK to encrypt the data, but the easier option is to encrypt the table beforehand. Option C is invalid because you cannot encrypt the table after it is created. The S3 option (B) is invalid because encryption for S3 buckets applies to the objects in S3 only. For more information on securing data at rest for DynamoDB, please refer to the URL below: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html

4. Right Answer: D
Explanation: AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain events related to API calls across your AWS infrastructure. CloudTrail provides a history of AWS API calls for your account, including API calls made through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This history simplifies security analysis, resource change tracking, and troubleshooting.

Options A and C are incorrect since CloudTrail needs to be used as part of the solution. Option B is incorrect since the auditor needs to have access to CloudTrail. For more information on CloudTrail, please visit the URL below: https://aws.amazon.com/cloudtrail/
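The read-only auditor identity from option D is only as safe as the policy attached to it. The following Python, added here as an illustration and not taken from the exam page or from AWS, builds such a policy (CloudTrail event history, VPC/EC2 metadata, and the CloudTrail log bucket) and then checks it for anything that is not read-only. The bucket name is a constructed placeholder, and the list of "read" verb prefixes is an assumption used by the checker, not an AWS-defined list.

```python
"""Build a least-privilege, read-only IAM policy for a third-party auditor and
verify that it grants no write actions and no unscoped S3 access.
Added example: the bucket name is a constructed placeholder."""
import json

CLOUDTRAIL_BUCKET = "example-cloudtrail-logs"        # constructed placeholder
# Assumed read-only verb prefixes; anything else is treated as a potential write.
READ_VERBS = ("Describe", "Get", "List", "Lookup")


def build_auditor_policy(bucket: str = CLOUDTRAIL_BUCKET) -> dict:
    """Read-only access to VPC/EC2 metadata, CloudTrail event history and the
    CloudTrail log bucket. S3 access is scoped to the single bucket; the
    Describe*/Lookup APIs do not support resource-level scoping, so they use '*'."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadVpcAndFlowLogs",
                "Effect": "Allow",
                "Action": ["ec2:Describe*", "logs:DescribeLogGroups", "logs:GetLogEvents"],
                "Resource": "*",
            },
            {
                "Sid": "ReadCloudTrail",
                "Effect": "Allow",
                "Action": ["cloudtrail:DescribeTrails",
                           "cloudtrail:GetTrailStatus",
                           "cloudtrail:LookupEvents"],
                "Resource": "*",
            },
            {
                "Sid": "ReadCloudTrailBucket",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            },
        ],
    }


def find_violations(policy: dict) -> list:
    """Describe every Allow statement that grants more than read-only access:
    a non-read verb, a wildcard action, or S3 access not scoped to a bucket."""
    violations = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "?")
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for action in actions:
            service, _, verb = action.partition(":")
            if verb == "*" or not verb.startswith(READ_VERBS):
                violations.append(f"{sid}: {action} is not read-only")
            if service == "s3" and "*" in resources:
                violations.append(f"{sid}: {action} is not scoped to a bucket")
    return violations


def is_read_only(policy: dict) -> bool:
    """True when the checker finds nothing beyond read-only access."""
    return not find_violations(policy)


if __name__ == "__main__":
    policy = build_auditor_policy()
    print(json.dumps(policy, indent=2))
    print("read-only:", is_read_only(policy))
```

Run the checker against any policy document before attaching it to the auditor's user; a single s3:PutObject or a wildcard S3 resource is enough to fail it, which is the kind of drift a review would otherwise miss.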

5. Right Answer: A,C
Explanation: The AWS Documentation mentions the following: If you experience problems executing commands using Run Command, there might be a problem with the SSM Agent. Use the following information to help you troubleshoot the agent.

View Agent Logs: The SSM Agent logs information in the following files. The information in these files can help you troubleshoot problems.

On Windows:
%PROGRAMDATA%\Amazon\SSM\Logs\amazon-ssm-agent.log
%PROGRAMDATA%\Amazon\SSM\Logs\error.log
Note: The default filename of the seelog is seelog.xml.template. If you modify a seelog, you must rename the file to seelog.xml.

On Linux:
/var/log/amazon/ssm/amazon-ssm-agent.log
/var/log/amazon/ssm/errors.log

The AMI option (D) is invalid because the AMI has nothing to do with the issue; the agent which is used to execute Run Commands can run on a variety of AMIs. The security group option (B) is invalid because security groups do not come into the picture in the communication between the agent and the SSM service. For more information on troubleshooting AWS SSM, please visit the following URL: https://docs.aws.amazon.com/systems-manager/latest/userguide/troubleshooting-remote-commands.html
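When the answer is "check the agent log", the practical step is to pull the ERROR entries out of errors.log and see which message repeats. The Python below is an added example, not code from the exam page or from the SSM Agent project. The log excerpt is constructed for the example, and the assumed line layout (timestamp, level, message) is a simplification of the agent's actual format.

```python
"""Triage SSM Agent log lines: parse them, then summarise the distinct ERROR
messages by frequency so the recurring failure stands out.
Added example; SAMPLE_LOG is constructed and the line format is an assumption."""
import re
from collections import Counter

# Constructed stand-in for /var/log/amazon/ssm/errors.log (not real agent output).
SAMPLE_LOG = """\
2025-03-24 09:00:01 INFO  Starting Agent: amazon-ssm-agent (constructed sample)
2025-03-24 09:00:02 INFO  Using instance credentials
2025-03-24 09:00:05 ERROR Failed to fetch registration: dial tcp 198.51.100.10:443: i/o timeout
2025-03-24 09:00:35 ERROR Failed to fetch registration: dial tcp 198.51.100.10:443: i/o timeout
2025-03-24 09:01:05 WARN  Retrying registration in 30s
this line is not in the expected format and is skipped
"""

# Assumed layout: "<YYYY-MM-DD HH:MM:SS> <LEVEL> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<level>[A-Z]+)\s+(?P<msg>.*)$"
)


def parse_log(text: str) -> list:
    """Return (timestamp, level, message) tuples for well-formed lines; skip the rest."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((m["ts"], m["level"], m["msg"].rstrip()))
    return entries


def summarize_errors(text: str) -> list:
    """Distinct ERROR messages with their counts, most frequent first."""
    counts = Counter(msg for _, level, msg in parse_log(text) if level == "ERROR")
    return counts.most_common()


def last_error_time(text: str):
    """Timestamp of the most recent ERROR entry, or None if there were none."""
    errors = [ts for ts, level, _ in parse_log(text) if level == "ERROR"]
    return errors[-1] if errors else None


if __name__ == "__main__":
    for msg, n in summarize_errors(SAMPLE_LOG):
        print(f"{n:>3}  {msg}")
    print("last error at:", last_error_time(SAMPLE_LOG))
```

Feed it the real file (open("/var/log/amazon/ssm/errors.log").read()) on a failing instance; if summarize_errors returns nothing at all, the agent is probably not running or not writing logs, which points back to option C rather than option A.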
