AWS Certified Security - Specialty - Part 22

Mary Smith

Sat, 12 Jul 2025

1. An application running on EC2 instances processes sensitive information stored on Amazon S3. The information is accessed over the Internet. The security team is concerned that the Internet connectivity to Amazon S3 is a security risk. Which solution will resolve the security concern?

A) Access the data through a NAT Gateway.
B) Access the data through an Internet Gateway.
C) Access the data through a VPC endpoint for Amazon S3.
D) Access the data through a VPN connection.



2. You have a set of application, database and web servers hosted in AWS. The web servers are placed behind an ELB. There are separate security groups for the application, database and web servers, and the network security group rules have been defined accordingly. There is an issue with the communication between the application and database servers. In order to troubleshoot the issue between just the application and database servers, what is the ideal set of MINIMAL steps you would take?

A) Check the Inbound security rules for the database security group; check the Outbound security rules for the application security group.
B) Check both the Inbound and Outbound security rules for the database security group; check the Inbound security rules for the application security group.
C) Check the Outbound security rules for the database security group; check the Inbound security rules for the application security group.
D) Check the Outbound security rules for the database security group; check both the Inbound and Outbound security rules for the application security group.



3. You are devising a policy to allow users to access objects in a bucket called appbucket. You define the custom bucket policy below:

    {
      "Id": "Policy1502987489630",
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Stmt1502987487640",
          "Action": ["s3:GetObject", "s3:GetObjectVersion"],
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::appbucket",
          "Principal": ...

But when you try to apply the policy you get the error "Action does not apply to any resource(s) in statement." What should be done to rectify the error?

A) Create the bucket 'appbucket' and then apply the policy.
B) Change the Resource section to arn:aws:s3:::appbucket/*
C) Change the IAM permissions by applying PutBucketPolicy permissions.
D) Verify that the policy has the same name as the bucket name. If not, make it the same.



4. Development teams in your organization use S3 buckets to store the log files for various applications hosted in development environments in AWS. The developers want to keep the logs for one month for troubleshooting purposes, and then purge the logs. What feature will enable this requirement?

A) Enabling CORS on the S3 bucket.
B) Creating an IAM policy for the S3 bucket.
C) Adding a bucket policy on the S3 bucket.
D) Configuring lifecycle configuration rules on the S3 bucket.



5. Which technique can be used to integrate AWS (Amazon Web Services) IAM (Identity and Access Management) with an on-premises LDAP (Lightweight Directory Access Protocol) directory service?

A) Use AWS Security Token Service from an identity broker to issue short-lived AWS credentials.
B) Use an IAM policy that references the LDAP account identifiers and the AWS credentials.
C) Use IAM roles to automatically rotate the IAM credentials when LDAP credentials are updated.
D) Use SAML (Security Assertion Markup Language) to enable single sign-on between AWS and LDAP.



1. Right Answer: C
Explanation: The AWS documentation mentions the following: A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service does not leave the Amazon network. Options A, B and D are invalid because the question specifically mentions that access should not be provided via the Internet. For more information on VPC endpoints, please refer to the URL below: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html

2. Right Answer: A
Explanation: The connection is established outbound from the application server and inbound to the database server, and security groups are stateful, so return traffic is allowed automatically. You therefore only need to check the Outbound rules of the application security group and the Inbound rules of the database security group. Option B is invalid because only the Inbound rules of the database security group and the Outbound rules of the application security group need to be checked. Option C is invalid because you don't need to check the Outbound security rules for the database security group. Option D is invalid because you don't need to check the Inbound security rules for the application security group. For more information on security groups, please refer to the URL below: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html

3. Right Answer: B
Explanation:
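As an added example (not part of the original question set), a small Python linter for the resource-scoping mistake behind the error in question 3: object-level actions such as s3:GetObject only apply to object ARNs (the bucket ARN followed by /key or /*), so a statement whose only resource is the bare bucket ARN has nothing to act on, and the fix in answer B widens the resource to arn:aws:s3:::appbucket/*. The action tables, the account id and the sample statement are constructed for this example.

```python
# Lint S3 bucket-policy statements for the mismatch behind the console error
# "Action does not apply to any resource(s) in statement": object-level actions
# need an object ARN (<bucket ARN>/key or /*), bucket-level actions need the
# bare bucket ARN. The two action tables are a small constructed subset.
S3_ARN = "arn:aws:s3:::"
OBJECT_ACTIONS = {"s3:getobject", "s3:getobjectversion", "s3:putobject", "s3:deleteobject"}
BUCKET_ACTIONS = {"s3:listbucket", "s3:getbucketpolicy", "s3:putbucketpolicy"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_object_arn(arn):
    # "arn:aws:s3:::appbucket/*" -> True, bare "arn:aws:s3:::appbucket" -> False
    return arn.startswith(S3_ARN) and "/" in arn[len(S3_ARN):]

def statement_problems(stmt):
    """Return problems as strings; [] means every action has a usable resource. Actions outside the tables (e.g. s3:*) are not checked."""
    resources = _as_list(stmt.get("Resource", []))
    has_object = any(_is_object_arn(r) for r in resources)
    has_bucket = any(r.startswith(S3_ARN) and not _is_object_arn(r) for r in resources)
    problems = []
    for action in _as_list(stmt.get("Action", [])):
        name = action.lower()
        if name in OBJECT_ACTIONS and not has_object:
            problems.append(f"{action}: needs an object ARN such as {S3_ARN}<bucket>/*")
        elif name in BUCKET_ACTIONS and not has_bucket:
            problems.append(f"{action}: needs the bare bucket ARN {S3_ARN}<bucket>")
    return problems

def fix_object_resources(stmt):
    """Copy of stmt with bare bucket ARNs widened to <bucket>/* when it grants object
    actions (the fix in answer B); the bare ARN is kept only if a bucket-level action needs it."""
    actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
    resources = _as_list(stmt.get("Resource", []))
    if not actions & OBJECT_ACTIONS:
        return {**stmt, "Resource": resources}
    fixed = list(resources)
    fixed += [r + "/*" for r in resources if r.startswith(S3_ARN) and not _is_object_arn(r)]
    if not actions & BUCKET_ACTIONS:
        fixed = [r for r in fixed if _is_object_arn(r)]
    return {**stmt, "Resource": fixed}

# Constructed statement mirroring the question: object actions, bucket-only ARN.
BROKEN_STATEMENT = {
    "Sid": "AllowAppRead",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},  # placeholder account id
    "Action": ["s3:GetObject", "s3:GetObjectVersion"],
    "Resource": "arn:aws:s3:::appbucket",
}
```

Running `statement_problems(BROKEN_STATEMENT)` reports both GetObject actions as having no applicable resource; `fix_object_resources` returns the statement with Resource set to `["arn:aws:s3:::appbucket/*"]`, which lints clean.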

4. Right Answer: D
Explanation: The AWS documentation mentions the following on lifecycle policies: Lifecycle configuration enables you to specify the lifecycle management of objects in a bucket. The configuration is a set of one or more rules, where each rule defines an action for Amazon S3 to apply to a group of objects. These actions can be classified as follows: Transition actions, in which you define when objects transition to another storage class. For example, you may choose to transition objects to the STANDARD_IA (IA, for infrequent access) storage class 30 days after creation, or archive objects to the GLACIER storage class one year after creation. Expiration actions, in which you specify when the objects expire. Then Amazon S3 deletes the expired objects on your behalf. Options B and C are invalid because neither IAM policies nor bucket policies can control the purging of logs. Option A is invalid because CORS is used for accessing objects across domains, not for purging logs. For more information on AWS S3 lifecycle policies, please visit the following URL: https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html

5. Right Answer: D
Explanation: On the AWS Security Blog the following information is present to help in this context: The newly released whitepaper, Single Sign-On: Integrating AWS, OpenLDAP, and Shibboleth, will help you integrate your existing LDAP-based user directory with AWS. When you integrate your existing directory with AWS, your users can access AWS by using their existing credentials. This means that your users don't need to maintain yet another user name and password just to access AWS resources. Options A, B and C are invalid because in this sort of configuration you have to use SAML to enable single sign-on. For more information on integrating AWS with LDAP for single sign-on, please visit the following URL: https://aws.amazon.com/blogs/security/new-whitepaper-single-sign-on-integrating-aws-openldap-and-shibboleth/
