
AWS Certified Security - Specialty - Part 21

Mary Smith

Mon, 19 Jan 2026


1. Your company hosts critical data in an S3 bucket. There is a requirement to ensure that all data is encrypted. There is also metadata about the information stored in the bucket that needs to be encrypted as well. Which of the below measures would you take to ensure this requirement is fulfilled?

A) Put the metadata as metadata for each object in the S3 bucket and then enable S3 Server side encryption.
B) Put the metadata in a DynamoDB table and ensure the table is encrypted during creation time.
C) Put the metadata in the S3 bucket itself.
D) Put the metadata as metadata for each object in the S3 bucket and then enable S3 Server KMS encryption.



2. A company has a large set of keys defined in AWS KMS. Their developers frequently use the keys for the applications being developed. What is one way to reduce the cost of accessing the keys in the AWS KMS service?

A) Use the right key policy
B) Use Data key caching
C) Create an alias of the key
D) Enable rotation of the keys



3. A Lambda function reads metadata from an S3 object and stores the metadata in a DynamoDB table. The function is triggered whenever an object is stored in the S3 bucket. How should the Lambda function be given access to the DynamoDB table? Please select:

A) Create a VPC endpoint for DynamoDB within a VPC. Configure the Lambda function to access resources in the VPC.
B) Create a resource policy that grants the Lambda function permissions to write to the DynamoDB table. Attach the policy to the DynamoDB table.
C) Create an IAM user with permissions to write to the DynamoDB table. Store an access key for that user in the Lambda environment variables.
D) Create an IAM service role with permissions to write to the DynamoDB table. Associate that role with the Lambda function.



4. You are trying to use Systems Manager to patch a set of EC2 instances. Some of the instances are not getting covered in the patching process. Which of the following can be used to troubleshoot the issue? Choose 3 answers from the options given below. (Select 3 answers)

A) Check the instance status by using the Health API.
B) Ensure that the SSM Agent is running on the instances.
C) Check to see if the right role has been assigned to the EC2 Instances
D) Check to see if the IAM user has the right permissions for EC2



5. Your company has a set of EC2 instances defined in AWS. They need to ensure that all traffic packets are monitored and inspected for any security threats. How can this be achieved? Choose 2 answers from the options given below. (Select 2 answers)

A) Use a third party firewall installed on a central EC2 Instance
B) Use Network Access control lists logging
C) Use VPC Flow logs
D) Use a host based intrusion detection system



1. Right Answer: B
Explanation: S3 server-side encryption (whether SSE-S3 or SSE-KMS) encrypts only the object data, not the object metadata, so options A, C and D leave the metadata in plaintext and fail a key requirement of the question. The best option is therefore to store the metadata in a DynamoDB table that is encrypted at rest (option B). For more information on using KMS encryption for S3, please refer to the URL below: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html

2. Right Answer: B
Explanation: The AWS documentation describes data key caching as follows: data key caching stores data keys and related cryptographic material in a cache. When you encrypt or decrypt data, the AWS Encryption SDK looks for a matching data key in the cache. If it finds a match, it uses the cached data key rather than generating a new one. Data key caching can improve performance, reduce cost, and help you stay within service limits as your application scales. Every cache hit is one fewer GenerateDataKey or Decrypt request billed by KMS, which is where the saving comes from; because one data key is then reused across messages, the cache should be configured with limits on age, number of messages and number of bytes per key. Options A, C and D are incorrect because a key policy, an alias or key rotation does not change how often KMS is called. For more information on data key caching, please refer to the URL below: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/data-key-caching.html
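The following is an added example, not code from the page or from the AWS Encryption SDK: a one-entry data-key cache that mirrors the three usage limits the SDK's caching materials manager exposes (max age, max messages encrypted, max bytes encrypted), with a stub standing in for KMS GenerateDataKey so the number of KMS calls saved is visible. The stub, the class names and the limit values are assumptions chosen for illustration; the stub does no real wrapping.

```python
import os
import time
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class KmsStub:
    """Stand-in for kms:GenerateDataKey (an assumption, not the real API).
    It counts calls; in the real service each call is a billable request."""
    calls: int = 0

    def generate_data_key(self, key_id: str) -> Tuple[bytes, bytes]:
        self.calls += 1
        plaintext = os.urandom(32)
        # Real KMS returns the key wrapped under the KMS key; the tag here
        # only records which key id the stub "used".
        encrypted = key_id.encode() + b":" + os.urandom(32)
        return plaintext, encrypted


@dataclass
class CachedKey:
    plaintext: bytes
    encrypted: bytes
    created: float
    messages: int = 0
    bytes_used: int = 0


@dataclass
class DataKeyCache:
    """One-entry cache with the usage limits the Encryption SDK exposes.
    The limits are the security control: they bound how many messages and
    bytes share one data key and how long it stays in memory."""
    kms: KmsStub
    key_id: str
    max_age_s: float = 300.0   # SDK: max_age
    max_messages: int = 100    # SDK: max_messages_encrypted
    max_bytes: int = 1 << 20   # SDK: max_bytes_encrypted
    _entry: Optional[CachedKey] = None

    def _usable(self, size: int) -> bool:
        e = self._entry
        if e is None:
            return False
        if time.monotonic() - e.created > self.max_age_s:
            return False
        if e.messages + 1 > self.max_messages:
            return False
        if e.bytes_used + size > self.max_bytes:
            return False
        return True

    def get_key(self, message_size: int) -> CachedKey:
        """Return a data key for a message of message_size bytes, calling the
        stub KMS only when the cached entry is missing or past a limit."""
        if not self._usable(message_size):
            pt, ct = self.kms.generate_data_key(self.key_id)
            self._entry = CachedKey(pt, ct, time.monotonic())
        self._entry.messages += 1
        self._entry.bytes_used += message_size
        return self._entry


def encrypt_messages(cache: DataKeyCache, messages) -> Tuple[int, int]:
    """Walk a batch of messages through the cache and report
    (distinct data keys used, KMS calls made)."""
    used = set()
    for m in messages:
        used.add(cache.get_key(len(m)).encrypted)
    return len(used), cache.kms.calls


if __name__ == "__main__":
    batch = [b"x" * 100] * 200
    uncached = DataKeyCache(KmsStub(), "alias/app", max_messages=1)
    cached = DataKeyCache(KmsStub(), "alias/app", max_messages=50)
    print("no caching:  ", encrypt_messages(uncached, batch))  # (200, 200)
    print("with caching:", encrypt_messages(cached, batch))    # (4, 4)
```

In the real SDK the equivalent objects are LocalCryptoMaterialsCache and CachingCryptoMaterialsManager, and the same three limits are its constructor arguments; set them deliberately, because a cache with no limits turns the cost saving into unbounded reuse of a single data key.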

3. Right Answer: D
Explanation: A Lambda function obtains its AWS credentials from its execution role: the Lambda service assumes the role and passes short-lived credentials to the function's environment, so granting that role write permission on the table is the correct approach. Option C is wrong because it embeds a long-lived IAM user access key in the function configuration, which must be rotated and can leak. Option A only provides a private network path to DynamoDB and grants no permissions at all. Option B is not the expected approach: the function needs an execution role in any case, and that role is where its permissions belong.
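As an added example (not from the page or from AWS), here are the two policy documents such an execution role consists of, scoped to a single table, together with a small checker for the mistakes that usually creep in: wildcard actions or resources, grants on other tables, or a trust policy that lets IAM users assume the role. The account ID, region, table name and log group are placeholders.

```python
from typing import List

# Placeholder ARN: account ID, region and table name are assumptions.
TABLE_ARN = "arn:aws:dynamodb:us-east-1:111122223333:table/ObjectMetadata"

# Trust policy: only the Lambda service may assume the role.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Permissions policy: write to exactly one table, plus the function's own log group.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "WriteMetadataTable",
            "Effect": "Allow",
            "Action": ["dynamodb:PutItem", "dynamodb:UpdateItem"],
            "Resource": TABLE_ARN,
        },
        {
            "Sid": "WriteLogs",
            "Effect": "Allow",
            "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:/aws/lambda/s3-metadata:*",
        },
    ],
}


def _as_list(value) -> list:
    # IAM allows a single string or a list in Action, Resource and Principal fields.
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy: dict) -> List[str]:
    """Flag anything other than the Lambda service being allowed to assume the role."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        if principal == "*":
            findings.append("trust policy allows any principal")
            continue
        if principal.get("AWS"):
            findings.append("trust policy allows IAM users/roles, not just the Lambda service")
        for svc in _as_list(principal.get("Service", [])):
            if svc != "lambda.amazonaws.com":
                findings.append(f"unexpected service principal {svc}")
    return findings


def check_permissions_policy(policy: dict, table_arn: str) -> List[str]:
    """Flag wildcard actions, a bare '*' resource, and DynamoDB grants
    that reach beyond the one table the function needs."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"wildcard action {action}")
        for res in _as_list(st.get("Resource", [])):
            if res == "*":
                findings.append("resource wildcard *")
            elif res.startswith("arn:aws:dynamodb:") and res != table_arn:
                findings.append(f"DynamoDB grant outside the target table: {res}")
    return findings


if __name__ == "__main__":
    print("trust findings:", check_trust_policy(TRUST_POLICY))
    print("permission findings:", check_permissions_policy(PERMISSIONS_POLICY, TABLE_ARN))
```

Run the checks against the role's documents as exported from IAM (aws iam get-role and get-role-policy) before deploying; both lists should come back empty.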

4. Right Answer: A,B,C
Explanation: To make sure an instance is covered by Systems Manager, check the following:
1) The latest version of the SSM Agent is installed and running on the instance.
2) The instance is configured with an AWS Identity and Access Management (IAM) role that enables it to communicate with the Systems Manager API.
3) Use the Amazon EC2 Health API to quickly determine the following about your instances: the status of one or more instances, the last time the instance sent a heartbeat value, the version of the SSM Agent, the operating system, and the version and status of the EC2Config service (Windows).
Option D is invalid because IAM users are not granted permissions to EC2 instances; the agent authenticates with the instance's role, not with a user's permissions. For more information on troubleshooting AWS SSM, please visit the following URL: https://docs.aws.amazon.com/systems-manager/latest/userguide/troubleshooting-remote-commands.html
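An added example of the three checks above turned into a triage script (this is not code from the page or from AWS). The status, heartbeat time, agent version and role fields are the ones returned by `aws ssm describe-instance-information`; because that call only lists instances that have ever registered, the script compares it against the running instances from `aws ec2 describe-instances` to find the ones that never checked in. Both JSON documents below are constructed samples, and the instance IDs, role name and timestamps are placeholders.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed sample of `aws ssm describe-instance-information` output (trimmed).
SSM_INVENTORY = {
    "InstanceInformationList": [
        {"InstanceId": "i-0aaaaaaaaaaaaaaa1", "PingStatus": "Online",
         "LastPingDateTime": "2026-01-19T09:58:00+00:00",
         "AgentVersion": "3.3.0.0", "IsLatestVersion": True,
         "PlatformType": "Linux", "IAMRole": "SSMInstanceRole"},
        {"InstanceId": "i-0bbbbbbbbbbbbbbb2", "PingStatus": "ConnectionLost",
         "LastPingDateTime": "2026-01-18T21:00:00+00:00",
         "AgentVersion": "3.1.0.0", "IsLatestVersion": False,
         "PlatformType": "Windows", "IAMRole": "SSMInstanceRole"},
    ]
}

# Constructed list of running instance IDs from `aws ec2 describe-instances`;
# the third one has never registered with Systems Manager.
EC2_RUNNING = ["i-0aaaaaaaaaaaaaaa1", "i-0bbbbbbbbbbbbbbb2", "i-0ccccccccccccccc3"]

NOW = datetime(2026, 1, 19, 10, 0, tzinfo=timezone.utc)  # fixed so the sample is reproducible


def triage_ssm_coverage(ec2_ids, ssm_info, now, stale_after=timedelta(minutes=30)) -> Dict[str, List[str]]:
    """Map each running EC2 instance to the reasons patching may be skipping it."""
    known = {i["InstanceId"]: i for i in ssm_info["InstanceInformationList"]}
    findings: Dict[str, List[str]] = {}
    for iid in ec2_ids:
        info = known.get(iid)
        if info is None:
            # Never registered: agent not installed/running, no instance profile,
            # or no route to the ssm, ssmmessages and ec2messages endpoints.
            findings[iid] = ["not registered with Systems Manager: check the SSM Agent is "
                             "installed and running, an instance profile with "
                             "AmazonSSMManagedInstanceCore is attached, and the instance can "
                             "reach the ssm, ssmmessages and ec2messages endpoints"]
            continue
        f = []
        if not info.get("IAMRole"):
            f.append("no IAM role reported; attach an instance profile")
        last = datetime.fromisoformat(info["LastPingDateTime"])
        age_min = int((now - last).total_seconds() // 60)
        if info.get("PingStatus") != "Online":
            f.append(f"PingStatus {info['PingStatus']}, last heartbeat {age_min} min ago; "
                     "agent stopped or lost connectivity")
        elif now - last > stale_after:
            f.append(f"heartbeat stale ({age_min} min)")
        if not info.get("IsLatestVersion", True):
            f.append(f"SSM Agent {info.get('AgentVersion')} is not the latest version")
        findings[iid] = f
    return findings


if __name__ == "__main__":
    for iid, reasons in triage_ssm_coverage(EC2_RUNNING, SSM_INVENTORY, NOW).items():
        print(iid, "OK" if not reasons else "; ".join(reasons))
```

Feed it the real CLI output (both calls support --output json) and use datetime.now(timezone.utc) in place of NOW; instances with an empty finding list are the ones Patch Manager can actually reach.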

5. Right Answer: A,D
Explanation: Inspecting the packets themselves requires inspection software in the traffic path, such as a third-party firewall on a central EC2 instance or a host-based intrusion detection system on each instance; the AWS Security Best Practices whitepaper shows this layout in a diagram. Option C is invalid because VPC Flow Logs record only connection metadata (addresses, ports, protocol, packet and byte counts, accept or reject), not packet contents, so they cannot conduct packet inspection. Option B is invalid because logging is not available for network access control lists. For more information on AWS security best practices, please refer to the URL below: https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf
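To make the flow-log limitation concrete, here is an added example (not from the page or from AWS) that parses default-format VPC Flow Log records and runs a detection over them. The sample records are constructed, with documentation addresses and a placeholder account and interface ID. The parser's field list is the real default record format; everything it can extract is header-level, which is why a port probe shows up but the contents of the accepted HTTPS session do not.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Field order of the default VPC Flow Logs record format.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# Constructed sample (not real traffic): 198.51.100.7 probes six ports on
# 10.0.1.20 and is rejected; 203.0.113.9 has one accepted HTTPS session;
# the last record is a NODATA entry for an idle interval.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.20 51000 21 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.20 51001 22 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.20 51002 23 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.20 51003 25 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.20 51004 80 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.20 51005 443 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.9 10.0.1.20 40222 443 6 12 3400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000060 - NODATA
"""


@dataclass(frozen=True)
class FlowRecord:
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    packets: int
    bytes: int
    action: str


def parse_flow_log(text: str) -> List[FlowRecord]:
    """Parse default-format records. Note what is absent: no payload, no TLS
    SNI, no HTTP request line; only the header-level fields in FIELDS."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed line or a custom record format
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # NODATA / SKIPDATA records carry '-' in the traffic fields
        records.append(FlowRecord(
            rec["srcaddr"], rec["dstaddr"], int(rec["srcport"]), int(rec["dstport"]),
            int(rec["protocol"]), int(rec["packets"]), int(rec["bytes"]), rec["action"],
        ))
    return records


def find_port_scanners(records: List[FlowRecord], min_ports: int = 5) -> Dict[Tuple[str, str], List[int]]:
    """Sources rejected on at least min_ports distinct ports of one destination.
    This is the kind of question flow logs can answer; what went over the
    accepted 443 session is simply not in the data."""
    rejected = defaultdict(set)
    for r in records:
        if r.action == "REJECT":
            rejected[(r.srcaddr, r.dstaddr)].add(r.dstport)
    return {pair: sorted(ports) for pair, ports in rejected.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print(len(recs), "records;", "scanners:", find_port_scanners(recs))
```

Use this kind of analysis for reconnaissance and policy-violation detection on flow logs; for the question's requirement of inspecting packet contents, the traffic has to pass through an inspection host or a host-based IDS as the correct options state.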
