1. You have been given a new brief from your supervisor for a client who needs a web application set up on AWS. The most important requirement is that MySQL must be used as the database, and this database must not be hosted in the public cloud but at the client's data center, due to security risks. Which of the following solutions would be the best to assure that the client's requirements are met? Choose the correct answer from the options below.
A) Build the application server on a public subnet and the database at the client's data center. Connect them with a VPN connection which uses IPsec.
B) Use the public subnet for the application server and use RDS with a storage gateway to access and synchronize the data securely from the local data center.
C) Build the application server on a public subnet and build the database in a private subnet with a secure SSH connection to the private subnet from the client's data center.
D) Build the application server on a public subnet and the database on a private subnet with a NAT instance between them.
2. Your company has been using AWS (Amazon Web Services) for the past 2 years. They have separate S3 buckets for logging the various AWS services that have been used. They have hired an external vendor for analyzing their log files. The vendor has their own AWS account. What is the best way to ensure that the partner account can access the log files in the company account for analysis? Choose 2 answers from the options given below (Select 2 answers).
A) Ensure the IAM user has access for read-only to the S3 buckets
B) Create an IAM Role in the company account
C) Create an IAM user in the company account
D) Ensure the IAM Role has access for read-only to the S3 buckets
3. Your company has a set of EBS volumes defined in AWS. The security mandate is that all EBS volumes are encrypted. What can be done to notify the IT admin staff if there are any unencrypted volumes in the account?
A) Use AWS Lambda to check for the unencrypted EBS volumes
B) Use AWS Config to check for unencrypted EBS volumes
C) Use AWS Inspector to inspect all the EBS volumes
D) Use AWS GuardDuty to check for the unencrypted EBS volumes
4. Your company hosts a large fleet of EC2 instances in AWS. There are strict security rules governing the EC2 instances. During a potential security breach, you need to ensure quick investigation of the underlying EC2 instance. Which of the following services can help you quickly provision a test environment to look into the breached instance?
A) AWS CloudWatch
B) AWS CloudFormation
C) AWS Config
D) AWS CloudTrail
5. An EC2 instance hosts a Java-based application that accesses a DynamoDB table. This EC2 instance is currently serving production users. Which of the following is a secure way of ensuring that the EC2 instance can access the DynamoDB table?
A) Use KMS keys with the right permissions to interact with DynamoDB and assign it to the EC2 instance
B) Use IAM Access Groups with the right permissions to interact with DynamoDB and assign it to the EC2 instance
C) Use IAM Roles with permissions to interact with DynamoDB and assign it to the EC2 instance
D) Use IAM Access Keys with the right permissions to interact with DynamoDB and assign it to the EC2 instance
1. Right Answer: A
Explanation: Since the database should not be hosted on the cloud, all other options are invalid. The best option is to create a VPN connection for securing traffic.
Option B is invalid because this is the incorrect use of the Storage Gateway.
Option C is invalid since this is the incorrect use of the NAT instance.
Option D is invalid since this is an incorrect configuration.
For more information on VPN connections, please visit the below URL: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html
2. Right Answer: B, D
Explanation: The AWS documentation mentions the following: To share log files between multiple AWS accounts, you must perform the following general steps. These steps are explained in detail later in this section.
Create an IAM role for each account that you want to share log files with.
For each of these IAM roles, create an access policy that grants read-only access to the account you want to share the log files with.
Have an IAM user in each account programmatically assume the appropriate role and retrieve the log files.
Options A and C are invalid because creating an IAM user and then sharing the IAM user credentials with the vendor is a direct 'NO' practice from a security perspective.
For more information on sharing CloudTrail log files, please visit the following URL: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-sharing-logs.html
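The three steps above (a role in the company account, a read-only policy on it, and the vendor assuming it) can be expressed as a single CloudFormation template. The following is an added example written for this page, not code from the question set or from AWS documentation; the parameter names, the role name VendorLogReader, the logical resource names and the default values are assumptions, and the ExternalId condition is an added hardening step that is not mentioned in the question. The vendor's account ID and the log bucket name are placeholders that must be replaced.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >
  Cross-account read-only access to a log bucket for an external vendor.
  Deployed in the COMPANY account; the vendor assumes the role from their own account.

Parameters:
  VendorAccountId:
    Type: String
    Description: 12-digit AWS account ID of the vendor (placeholder value)
    Default: '111111111111'
  LogBucketName:
    Type: String
    Description: Name of the existing S3 bucket that holds the log files (placeholder)
    Default: example-company-log-bucket
  VendorExternalId:
    Type: String
    Description: Shared secret the vendor must present when assuming the role
    NoEcho: true

Resources:
  VendorLogReaderRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: VendorLogReader
      # Trust policy: only principals in the vendor account may assume this role,
      # and only when they present the agreed ExternalId (confused-deputy protection).
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${VendorAccountId}:root
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId: !Ref VendorExternalId
      # Permissions policy: read-only, limited to the single log bucket.
      Policies:
        - PolicyName: ReadOnlyLogBucket
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: s3:ListBucket
                Resource: !Sub arn:aws:s3:::${LogBucketName}
              - Effect: Allow
                Action: s3:GetObject
                Resource: !Sub arn:aws:s3:::${LogBucketName}/*

Outputs:
  VendorRoleArn:
    Description: ARN the vendor passes to sts:AssumeRole
    Value: !GetAtt VendorLogReaderRole.Arn
```

Once the stack is deployed, an IAM principal in the vendor account calls sts:AssumeRole with the role ARN from the output and the ExternalId, receives temporary credentials, and reads the bucket with those. No long-lived credentials from the company account ever leave it, which is exactly why options A and C (sharing an IAM user) are rejected. Each AssumeRole call is recorded in the company account's CloudTrail, so vendor access remains auditable.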
3. Right Answer: B
Explanation: The encrypted-volumes config rule for AWS Config can be used to check for unencrypted volumes.
Options A and C are incorrect since these services cannot be used to check for unencrypted EBS volumes.
Option D is incorrect because even though this is possible, trying to implement the solution alone with just the Lambda service would be too difficult.
For more information on AWS Config and encrypted volumes, please refer to the below URL: https://docs.aws.amazon.com/config/latest/developerguide/encrypted-volumes.html
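The question asks not only to detect unencrypted volumes but to notify the IT admin staff, so the managed rule needs a notification path. The following is an added CloudFormation example written for this page, not code from the question set or from AWS; the resource names, the rule name and the e-mail address are assumptions. It creates the AWS Config managed rule (source identifier ENCRYPTED_VOLUMES), an EventBridge rule that fires on NON_COMPLIANT evaluations of that rule, and an SNS topic with an e-mail subscription as the target.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Detect unencrypted EBS volumes with AWS Config and e-mail admins on non-compliance.

Parameters:
  AdminEmail:
    Type: String
    Description: Address that receives the alert (placeholder value)
    Default: it-admin@example.com

Resources:
  # Managed rule: evaluates every EBS volume and marks unencrypted ones NON_COMPLIANT.
  EncryptedVolumesRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: encrypted-volumes
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::Volume
      Source:
        Owner: AWS
        SourceIdentifier: ENCRYPTED_VOLUMES

  # Topic the admins subscribe to.
  AlertTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: unencrypted-ebs-alerts
      Subscription:
        - Protocol: email
          Endpoint: !Ref AdminEmail

  # EventBridge must be allowed to publish to the topic.
  AlertTopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - !Ref AlertTopic
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: sns:Publish
            Resource: !Ref AlertTopic

  # Fire only when this rule's evaluation changes to NON_COMPLIANT.
  NonCompliantVolumeEvent:
    Type: AWS::Events::Rule
    Properties:
      Description: Alert when the encrypted-volumes rule reports a non-compliant volume
      EventPattern:
        source:
          - aws.config
        detail-type:
          - Config Rules Compliance Change
        detail:
          configRuleName:
            - !Ref EncryptedVolumesRule
          newEvaluationResult:
            complianceType:
              - NON_COMPLIANT
      State: ENABLED
      Targets:
        - Arn: !Ref AlertTopic
          Id: email-admins
```

The template assumes the AWS Config recorder and delivery channel are already enabled in the region; without them the rule is created but never evaluates anything. The e-mail subscription must be confirmed by the recipient before messages are delivered. Using a managed rule keeps the detection logic out of custom code, which is the point the explanation makes against a Lambda-only solution.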
4. Right Answer: B
Explanation: The AWS Security best practices mention the following: Unique to AWS, security practitioners can use CloudFormation to quickly create a new, trusted environment in which to conduct deeper investigation. The CloudFormation template can pre-configure instances in an isolated environment that contains all the necessary tools forensic teams need to determine the cause of the incident. This cuts down on the time it takes to gather necessary tools, isolates systems under examination, and ensures that the team is operating in a clean room.
Option A is incorrect since this is a logging service and cannot be used to provision a test environment.
Option C is incorrect since this is an API logging service and cannot be used to provision a test environment.
Option D is incorrect since this is a configuration service and cannot be used to provision a test environment.
For more information on AWS Security best practices, please refer to the below URL: https://d1.awsstatic.com/whitepapers/architecture/AWS-Security-Pillar.pdf