
AWS Certified Security - Specialty - Part 20

Mary Smith

Sat, 24 May 2025

1. You are responsible for deploying a critical application onto AWS. Part of the requirements for this application is to ensure that the controls set for it meet PCI compliance. There is also a need to monitor web application logs to identify any malicious activity. Which of the following services can be used to fulfil these requirements? (Select 2 answers)

A) Amazon CloudTrail
B) Amazon CloudWatch Logs
C) Amazon VPC Flow Logs
D) AWS Config



2. Your company currently has a set of EC2 instances hosted in a VPC. The IT security department suspects a possible DDoS attack on the instances. What can you do to zero in on the IP addresses that are receiving a flurry of requests?

A) Use AWS Trusted Advisor to get the IP addresses accessing the EC2 instances
B) Use AWS Config to get the IP addresses accessing the EC2 instances
C) Use AWS CloudTrail to get the IP addresses accessing the EC2 instances
D) Use VPC Flow Logs to get the IP addresses accessing the EC2 instances



3. A company stores critical data in an S3 bucket. There is a requirement to add an extra level of security to the S3 bucket. In addition, it should be ensured that objects are available in a secondary region if the primary one goes down. Which of the following can help fulfil these requirements? (Select 2 answers)

A) Enable the bucket ACL and add a condition for { "Null": { "aws:MultiFactorAuthAge": true } }
B) Enable bucket versioning and also enable CRR
C) Enable bucket versioning and enable Master Pays
D) For the bucket policy, add a condition for { "Null": { "aws:MultiFactorAuthAge": true } }



4. An EC2 instance hosts a Java-based application that accesses a DynamoDB table. This EC2 instance is currently serving production users. Which of the following is a secure way of ensuring that the EC2 instance can access the DynamoDB table?

A) Use an IAM role with permissions to interact with DynamoDB and assign it to the EC2 instance
B) Use IAM access keys with the right permissions to interact with DynamoDB and assign them to the EC2 instance
C) Use IAM access groups with the right permissions to interact with DynamoDB and assign them to the EC2 instance
D) Use KMS keys with the right permissions to interact with DynamoDB and assign them to the EC2 instance



5. You have a requirement to serve private content using the keys available with CloudFront. How can this be achieved?

A) Add the keys to the S3 bucket
B) Add the keys to the backend distribution
C) Create pre-signed URLs
D) Use AWS access keys



1. Right Answer: A,B
Explanation: The AWS documentation says the following about these services. AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides an event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting.
Option B is invalid because this is only used for VPCs.
Option C is invalid because this is a configuration service and cannot be used for logging purposes.
For more information on CloudTrail, please refer to the URL below: https://aws.amazon.com/cloudtrail/

2. Right Answer: D
Explanation: With VPC Flow Logs you can get the list of IP addresses that are hitting the instances in your VPC. You can then use the information in the logs to see which external IP addresses are sending a flurry of requests, which could be a potential DDoS attack.
Option B is invalid because this is an API monitoring service and will not be able to get the IP addresses.
Option C is invalid because this is a config service and will not be able to get the IP addresses.
Option D is invalid because this is a recommendation service and will not be able to get the IP addresses.
For more information on VPC Flow Logs, please visit the following URL: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html
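To show how the flow-log approach in the explanation works in practice, here is an added example (not part of the original question set) that parses a few constructed default-format VPC Flow Log records and totals inbound packets per source address so the busiest senders stand out; the addresses, interface ID, account ID and counts are made up.

```python
from collections import Counter

# Constructed VPC Flow Log records in the default format (version, account-id,
# interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes,
# start, end, action, log-status). All values are made up for the example.
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.10 51120 443 6 1200 96000 1716540000 1716540060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.10 51121 443 6 1300 104000 1716540000 1716540060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 40000 443 6 20 1600 1716540000 1716540060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.10 40001 22 6 3 180 1716540000 1716540060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.10 51122 443 6 1500 120000 1716540060 1716540120 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1716540120 1716540180 - NODATA
"""

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]


def parse_flow_logs(text):
    """Yield one dict per well-formed record with log-status OK.

    NODATA/SKIPDATA records carry no traffic fields, so they are dropped.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        rec["packets"] = int(rec["packets"])
        rec["bytes"] = int(rec["bytes"])
        yield rec


def packets_by_source(text, dst_filter=None):
    """Total packets per source address, optionally for one destination only."""
    totals = Counter()
    for rec in parse_flow_logs(text):
        if dst_filter and rec["dstaddr"] != dst_filter:
            continue
        totals[rec["srcaddr"]] += rec["packets"]
    return totals


def noisy_sources(text, threshold, dst_filter=None):
    """Sources whose packet total exceeds the threshold, busiest first."""
    totals = packets_by_source(text, dst_filter)
    return [(ip, n) for ip, n in totals.most_common() if n > threshold]
```

Both ACCEPT and REJECT records are counted, since a flood shows up in the request volume regardless of whether a security group let it through.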

3. Right Answer: B,D
Explanation: The AWS documentation mentions the following.
Option B is invalid because just enabling bucket versioning will not guarantee replication of objects.
Option D is invalid because the condition for the bucket policy needs to be set accordingly.
For more information on example bucket policies, please visit the following URL: https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
Also, versioning and Cross-Region Replication can ensure that objects will be available in the destination region in case the primary region fails. For more information on CRR, please visit the following URL: https://docs.aws.amazon.com/AmazonS3/latest/dev/crr.html

4. Right Answer: A
Explanation: To ensure secure access to AWS resources from EC2 instances, always assign a role to the EC2 instance.
Option B is invalid because KMS keys are not used as a mechanism for providing EC2 instances access to AWS services.
Option C is invalid because access keys are not a safe mechanism for providing EC2 instances access to AWS services.
Option D is invalid because there is no way access groups can be assigned to EC2 instances.
For more information on IAM roles, please refer to the URL below: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html

5. Right Answer: C
Explanation: