
AWS Certified Security - Specialty - Part 29

Mary Smith

Mon, 24 Mar 2025


1. A company has several Customer Master Keys (CMKs), some of which have imported key material. Each CMK must be rotated annually. Which two methods can the security team use to rotate each key? Select 2 answers from the options given below.

A) Enable automatic key rotation for a CMK
B) Use the CLI or console to explicitly rotate an existing CMK
C) Import new key material to an existing CMK
D) Delete an existing CMK and a new default CMK will be created. (Incorrect)
E) Import new key material to a new CMK; Point the key alias to the new CMK.


2. Your company has created a set of keys using the AWS KMS service. They need to ensure that each key is only used for certain services. For example, they want one key to be used only for the S3 service. How can this be achieved?

A) Define an IAM user, allocate the key and then assign the permissions to the required service
B) Create a bucket policy that allows the key to be accessed by only the S3 service.
C) Use the kms:ViaService condition in the Key policy
D) Create an IAM policy that allows the key to be accessed by only the S3 service.



3. You are building a large-scale confidential documentation web server on AWS, and all of the documentation for it will be stored on S3. One of the requirements is that it cannot be publicly accessible from S3 directly, and you will need to use CloudFront to accomplish this. Which of the methods listed below would satisfy the requirements as outlined? Choose an answer from the options below.

A) Create individual policies for each bucket the documents are stored in and in that policy grant access to only CloudFront. (Incorrect)
B) Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI.
C) Create an Identity and Access Management (IAM) user for CloudFront and grant access to the objects in your S3 bucket to that IAM User.
D) Create an S3 bucket policy that lists the CloudFront distribution ID as the Principal and the target bucket as the Amazon Resource Name (ARN).



4. A company is hosting a website that must be accessible to users for HTTPS traffic. Also, port 22 should be open for administrative purposes. Which of the following security group configurations are the MOST secure but still functional to support these requirements? Choose 2 answers from the options given below.

A) Port 22 coming from 0.0.0.0/0
B) Port 443 coming from 10.0.0.0/16
C) Port 443 coming from 0.0.0.0/0
D) Port 22 coming from 10.0.0.0/16



5. You have a requirement to conduct penetration testing on the AWS Cloud for a couple of EC2 instances. How could you go about doing this? Choose 2 answers from the options given below.

A) Choose the right AMI for the underlying instance type (Incorrect)
B) Get prior approval from AWS for conducting the test
C) Use a pre-approved penetration testing tool.
D) Work with an AWS partner, with no need for a prior approval request from AWS



1. Right Answer: A,E
Explanation: The AWS documentation mentions the following. When you enable automatic key rotation for a customer managed CMK, AWS KMS generates new cryptographic material for the CMK every year. AWS KMS also saves the CMK's older cryptographic material so it can be used to decrypt data that it encrypted. Because the new CMK is a different resource from the current CMK, it has a different key ID and ARN. When you change CMKs, you need to update references to the CMK ID or ARN in your applications. Aliases, which associate a friendly name with a CMK, make this process easier. Use an alias to refer to a CMK in your applications. Then, when you want to change the CMK that the application uses, change the target CMK of the alias. Option B is invalid because you also need to point the key alias to the new key. Option C is invalid because existing CMK keys cannot be rotated as they are. Option E is invalid because deleting existing keys will not guarantee the creation of a new default CMK. For more information on key rotation, please see the link below: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html

2. Right Answer: C
Explanation: Options A and B are invalid because mapping keys to services cannot be done via either IAM or bucket policies. Option D is invalid because keys for IAM users cannot be assigned to services. This is mentioned in the AWS documentation: The kms:ViaService condition key limits use of a customer managed CMK to requests from particular AWS services. (AWS managed CMKs in your account, such as aws/s3, are always restricted to the AWS service that created them.) For example, you can use kms:ViaService to allow a user to use a customer managed CMK only for requests that Amazon S3 makes on their behalf. Or you can use it to deny the user permission to a CMK when a request on their behalf comes from AWS Lambda. For more information on key policies for KMS, please visit the following URL: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html

3. Right Answer: B
Explanation: If you want to use CloudFront signed URLs or signed cookies to provide access to objects in your Amazon S3 bucket, you probably also want to prevent users from accessing your Amazon S3 objects using Amazon S3 URLs. If users access your objects directly in Amazon S3, they bypass the controls provided by CloudFront signed URLs or signed cookies, for example, control over the date and time after which a user can no longer access your content and control over which IP addresses can be used to access content. In addition, if users access objects both through CloudFront and directly by using Amazon S3 URLs, CloudFront access logs are less useful because they're incomplete. Option A is invalid because you need to create an Origin Access Identity for CloudFront and not an IAM user. Options C and D are invalid because using policies will not help fulfil the requirement. For more information on Origin Access Identity, please see the link below: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html

4. Right Answer: C,D
Explanation: Since HTTPS traffic is required for all users on the Internet, port 443 should be open to all IP addresses. For port 22, the traffic should be restricted to an internal subnet. Option B is invalid because this only allows traffic from a particular CIDR block and not from the internet. Option C is invalid because allowing port 22 from the internet is a security risk. For more information on AWS security groups, please visit the following URL: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html

5. Right Answer: B,C
Explanation: You can use a pre-approved solution from the AWS Marketplace. But to date the AWS documentation still mentions that you have to get prior approval before conducting a test on the AWS Cloud for EC2 instances. Options C and D are invalid because you have to get prior approval first. For more information on penetration testing, please visit the following URL: https://aws.amazon.com/kms/faqs/
