1. A DevOps team is currently looking at the security aspect of their CI/CD pipeline. They are making use of AWS (Amazon Web Services) resources for their infrastructure. They want to ensure that the EC2 instances don't have any high security vulnerabilities. They want to ensure a complete DevSecOps process. How can this be achieved?
A) Use AWS Config to check the state of the EC2 instance for any sort of security issues.
B) Use AWS Inspector APIs in the pipeline for the EC2 instances.
C) Use AWS Security Groups to ensure no vulnerabilities are present.
D) Use AWS Trusted Advisor APIs in the pipeline for the EC2 instances.
2. A company is deploying a new web application on AWS. Based on their other web applications, they anticipate being the target of frequent DDoS attacks. Which steps can the company use to protect their application? Select 2 answers from the options given below. (Select 2 answers)
A) Use CloudFront and AWS WAF to prevent malicious traffic from reaching the application.
B) Enable GuardDuty to block malicious traffic from reaching the application. (Incorrect)
C) Use Amazon Inspector on the EC2 instances to examine incoming traffic and discard malicious traffic.
D) Use an ELB Application Load Balancer and Auto Scaling group to scale to absorb application layer traffic.
E) Associate the EC2 instances with a security group that blocks traffic from blacklisted IP addresses.
3. You want to launch an EC2 instance with your own key pair in AWS. How can you achieve this? Choose 2 answers from the options given below. Each option forms part of the solution. (Select 2 answers)
A) Use a third-party tool to create the key pair.
B) Import the public key pair into EC2.
C) Create a new key pair using the AWS CLI.
D) Import the private key pair into EC2. (Incorrect)
4. A company wants to have an intrusion detection system available for their VPC in AWS. They want to have complete control over the system. Which of the following would be ideal to implement? (Select 2 answers)
A) Use AWS CloudWatch to monitor all traffic.
B) Use AWS WAF to catch all intrusions occurring on the systems in the VPC.
C) Use a custom solution available in the AWS Marketplace.
D) Use VPC Flow Logs to detect the issues and flag them accordingly.
5. Your current setup in AWS consists of the following architecture: 2 public subnets, one subnet which has the web servers accessed by users across the internet and the other subnet for the database server. Which of the following changes to the architecture would add a better security boundary to the resources hosted in your setup?
A) Consider moving the database server to a private subnet.
B) Consider creating a private subnet and adding a NAT instance to that subnet. (Incorrect)
C) Consider moving both the web and database server to a private subnet.
D) Consider moving the web server to a private subnet.
1. Right Answer: B Explanation:
2. Right Answer: A,D
Explanation: The below diagram from AWS shows the best case scenario for avoiding DDoS attacks using services such as AWS CloudFront, WAF, ELB and Auto Scaling.
Option A is invalid because by default security groups don't allow access.
Option C is invalid because AWS Inspector cannot be used to examine traffic.
Option E is invalid because this can be used for attacks on EC2 instances but not against DDoS attacks on the entire application.
For more information on DDoS mitigation from AWS, please visit the below URL: https://aws.amazon.com/answers/networking/aws-ddos-attack-mitigation/
3. Right Answer: A,B
Explanation: This is given in the AWS documentation.
Option B is invalid because you cannot use the AWS CLI to create a new key pair.
Option D is invalid because the public key needs to be stored in the EC2 instance.
For more information on EC2 key pairs, please visit the below URL: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html
4. Right Answer: A,D Explanation:
5. Right Answer: A
Explanation: The ideal setup is to ensure that the web server is hosted in the public subnet so that it can be accessed by users on the internet. The database server can be hosted in the private subnet. The below diagram from the AWS documentation shows how this can be set up.
Option A and C are invalid because if you move the web server to a private subnet, then it cannot be accessed by users.
Option D is invalid because NAT instances should be present in the public subnet.
For more information on public and private subnets in AWS, please visit the following URL: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html