CA Foundation Business Economics Questions 2023 - Part 32
Fri, 03 Mar 2023
Inspirational journeys
Follow the stories of academics and their research expeditions
AWS Certified Security - Specialty - Part 25
1. You are trying to use the AWS(Amazon Web Service) Systems Manager run command on a set of Instances. The run command is not working on a set of Instances. What can you do to diagnose the issue? Choose 2 answers from the options given below(Select 2answers)
A) Ensure the right AMI is used for the Instance
B) Check the Ivar/log/amazon/ssm/errors.log file
C) Ensure that the SSM agent is running on the target machine
D) Ensure the security groups allow outbound communication for the Instance
2. You have an EBS volume attached to an EC2 Instance which uses KMS for Encryption. Someone has now gone ahead and deleted the Customer Key which was used for the EBS encryption. What should be done to ensure the data can be decrypted.
A) Use AWS(Amazon Web Service) Config to recover the key
B) Request AWS(Amazon Web Service) Support to recover the key
C) Create a new Customer Key using KMS and attach it to the existing volume
D) Copy the data from the EBS volume before detaching it from the Instance
3. You are building a system to distribute confidential training videos to employees. Using CloudFront, what method could be used to serve content that is stored in S3, but not publicly accessible from S3 directly?
A) Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI.
B) Create an Identity and Access Management (IAM) User for CloudFront and grant access to the objects in your S3 bucket to that IAM User.
C) Create a S3 bucket policy that lists the CloudFront distribution ID as the Principal and the target bucket as the Amazon Resource Name (ARN).
D) Add the CloudFront account security group 'amazon-cf/amazon-cf-sg to the appropriate S3 bucket policy.
4. Your company has a set of EC2 Instances that are placed behind an ELB. Some of the applications hosted on these Instances communicate via a legacy protocol. There Is a security mandate that all traffic between the client and the EC2 Instances need to be secure. How would you accomplish this?
A) Use a Classic Load balancer and terminate the SSL connection at the EC2 Instances
B) Use an Application Load balancer and terminate the SSL connection at the EC2 Instances
C) Use an Application Load balancer and terminate the SSL connection at the ELB
D) Use a Classic Load balancer and terminate the SSL connection at the ELB
5. You have a vendor that needs access to an AWS(Amazon Web Service) resource. You create an AWS(Amazon Web Service) user account. You want to restrict access to the resource using a policy for just that user over a brief period. Which of the following would be an ideal policy to use?
A) An Inline Policy
B) A bucket ACL (Incorrect)
C) An AWS(Amazon Web Service) Managed Policy
D) A Bucket Policy
A) Ensure the right AMI is used for the Instance
B) Check the Ivar/log/amazon/ssm/errors.log file
C) Ensure that the SSM agent is running on the target machine
D) Ensure the security groups allow outbound communication for the Instance
2. You have an EBS volume attached to an EC2 Instance which uses KMS for Encryption. Someone has now gone ahead and deleted the Customer Key which was used for the EBS encryption. What should be done to ensure the data can be decrypted.
A) Use AWS(Amazon Web Service) Config to recover the key
B) Request AWS(Amazon Web Service) Support to recover the key
C) Create a new Customer Key using KMS and attach it to the existing volume
D) Copy the data from the EBS volume before detaching it from the Instance
3. You are building a system to distribute confidential training videos to employees. Using CloudFront, what method could be used to serve content that is stored in S3, but not publicly accessible from S3 directly?
A) Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI.
B) Create an Identity and Access Management (IAM) User for CloudFront and grant access to the objects in your S3 bucket to that IAM User.
C) Create a S3 bucket policy that lists the CloudFront distribution ID as the Principal and the target bucket as the Amazon Resource Name (ARN).
D) Add the CloudFront account security group 'amazon-cf/amazon-cf-sg to the appropriate S3 bucket policy.
4. Your company has a set of EC2 Instances that are placed behind an ELB. Some of the applications hosted on these Instances communicate via a legacy protocol. There Is a security mandate that all traffic between the client and the EC2 Instances need to be secure. How would you accomplish this?
A) Use a Classic Load balancer and terminate the SSL connection at the EC2 Instances
B) Use an Application Load balancer and terminate the SSL connection at the EC2 Instances
C) Use an Application Load balancer and terminate the SSL connection at the ELB
D) Use a Classic Load balancer and terminate the SSL connection at the ELB
5. You have a vendor that needs access to an AWS(Amazon Web Service) resource. You create an AWS(Amazon Web Service) user account. You want to restrict access to the resource using a policy for just that user over a brief period. Which of the following would be an ideal policy to use?
A) An Inline Policy
B) A bucket ACL (Incorrect)
C) An AWS(Amazon Web Service) Managed Policy
D) A Bucket Policy
1. Right Answer: B,C
Explanation:
2. Right Answer: D
Explanation: The AWS(Amazon Web Service) Documentation mentions the series of steps that are followed when EBS uses KMS for Encryption The following explains how Amazon EBS uses your CMK: 1. When you create an encrypted EBS volume, Amazon EBS sends a GenerateDataKeyWithoutPlaintext request to AWS(Amazon Web Service) KMS, specifying the CMK that you chose for EBS volume encryption. 2. AWS(Amazon Web Service) KMS generates a new data key, encrypts it under the specified CMK, and then sends the encrypted data key to Amazon EBS to store with the volume metadata. 3. When you attach the encrypted volume to an EC2 instance, Amazon EC2 sends the encrypted data key to AWS(Amazon Web Service) KMS with a Decryptrequest. 4. AWS(Amazon Web Service) KMS decrypts the encrypted data key and then sends the decrypted (plaintext) data key to Amazon EC2. 5. Amazon EC2 uses the plaintext data key in hypervisor memory to encrypt disk I/O to the EBS volume. The data key persists in memory as long as the EBS volume is attached to the EC2 instance. Option A is invalid because you cannot attach customer master keys after the volume is encrypted https://docs.aws.amazon.com/kms/latest/developerguide/services-ebs.html
3. Right Answer: A
Explanation: The AWS(Amazon Web Service) Documentation mentions the following You can optionally secure the content in your Amazon S3 bucket so users can access it through CloudFront but cannot access it directly by using Amazon S3 URLs. This prevents anyone from bypassing CloudFront and using the Amazon S3 URL to get content that you want to restrict access to. This step isn't required to use signed URLs, but we recommend it. To require that users access your content through CloudFront URLs, you perform the following tasks: Create a special CloudFront user called an origin access identity. Give the origin access identity permission to read the objects in your bucket. Remove permission for anyone else to use Amazon S3 URLs to read the objects. Option B,C and D are all automatically invalid , because the right way is to ensure to create Origin Access Identity (OAI) for CloudFront and grant access accordingly. For more information on serving private content via Cloudfront, please visit the following url https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html
4. Right Answer: A
Explanation:
5. Right Answer: A
Explanation: The AWS(Amazon Web Service) Documentation gives an example on such a case Inline policies are useful if you want to maintain a strict one-to-one relationship between a policy and the principal entity that it's applied to. For example, you want to be sure that the permissions in a policy are not inadvertently assigned to a principal entity other than the one they're intended for. When you use an inline policy, the permissions in the policy cannot be inadvertently attached to the wrong principal entity. In addition, when you use the AWS(Amazon Web Service) Management Console to delete that principal entity, the policies embedded in the principal entity are deleted as well. That's because they are part of the principal entity. Option A is invalid because AWS(Amazon Web Service) Managed Polices are ok for a group of users , but for individual users , inline policies are better. Option C and D are invalid because they are specifically meant for access to S3 buckets For more information on policies, please visit the following url https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html
Explanation:
2. Right Answer: D
Explanation: The AWS(Amazon Web Service) Documentation mentions the series of steps that are followed when EBS uses KMS for Encryption The following explains how Amazon EBS uses your CMK: 1. When you create an encrypted EBS volume, Amazon EBS sends a GenerateDataKeyWithoutPlaintext request to AWS(Amazon Web Service) KMS, specifying the CMK that you chose for EBS volume encryption. 2. AWS(Amazon Web Service) KMS generates a new data key, encrypts it under the specified CMK, and then sends the encrypted data key to Amazon EBS to store with the volume metadata. 3. When you attach the encrypted volume to an EC2 instance, Amazon EC2 sends the encrypted data key to AWS(Amazon Web Service) KMS with a Decryptrequest. 4. AWS(Amazon Web Service) KMS decrypts the encrypted data key and then sends the decrypted (plaintext) data key to Amazon EC2. 5. Amazon EC2 uses the plaintext data key in hypervisor memory to encrypt disk I/O to the EBS volume. The data key persists in memory as long as the EBS volume is attached to the EC2 instance. Option A is invalid because you cannot attach customer master keys after the volume is encrypted https://docs.aws.amazon.com/kms/latest/developerguide/services-ebs.html
3. Right Answer: A
Explanation: The AWS(Amazon Web Service) Documentation mentions the following You can optionally secure the content in your Amazon S3 bucket so users can access it through CloudFront but cannot access it directly by using Amazon S3 URLs. This prevents anyone from bypassing CloudFront and using the Amazon S3 URL to get content that you want to restrict access to. This step isn't required to use signed URLs, but we recommend it. To require that users access your content through CloudFront URLs, you perform the following tasks: Create a special CloudFront user called an origin access identity. Give the origin access identity permission to read the objects in your bucket. Remove permission for anyone else to use Amazon S3 URLs to read the objects. Option B,C and D are all automatically invalid , because the right way is to ensure to create Origin Access Identity (OAI) for CloudFront and grant access accordingly. For more information on serving private content via Cloudfront, please visit the following url https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html
4. Right Answer: A
Explanation:
5. Right Answer: A
Explanation: The AWS(Amazon Web Service) Documentation gives an example on such a case Inline policies are useful if you want to maintain a strict one-to-one relationship between a policy and the principal entity that it's applied to. For example, you want to be sure that the permissions in a policy are not inadvertently assigned to a principal entity other than the one they're intended for. When you use an inline policy, the permissions in the policy cannot be inadvertently attached to the wrong principal entity. In addition, when you use the AWS(Amazon Web Service) Management Console to delete that principal entity, the policies embedded in the principal entity are deleted as well. That's because they are part of the principal entity. Option A is invalid because AWS(Amazon Web Service) Managed Polices are ok for a group of users , but for individual users , inline policies are better. Option C and D are invalid because they are specifically meant for access to S3 buckets For more information on policies, please visit the following url https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html
Tags:
aws cloud awc cloud cerification certified aws aws certifications aws cloud practitioner aws solution architect aws training aws certified cloud practitioner aws exam aws certification exam aws practice exams aws 2023 aws updated questions aws questions aws cert aws certified solutions architect aws solution architect associate aws training and certification aws certified developer associate certification for devops0 Comments
Categories
Recent posts
CA Foundation Business Economics Questions 2023 - Part 31
Fri, 03 Mar 2023
CA Foundation Business Economics Questions 2023 - Part 30
Fri, 03 Mar 2023
Leave a comment