
AWS Certified Security - Specialty - Part 32

Mary Smith

Sat, 12 Jul 2025


1. You have an EC2 instance in a private subnet which needs to access the KMS service. Which of the below methods can help fulfil this requirement, keeping security in perspective?

A) Attach a VPN connection to the VPC
B) Use VPC Peering
C) Use a VPC endpoint
D) Attach an Internet gateway to the subnet



2. You want to ensure that you keep a check on the active EBS volumes, active snapshots and Elastic IP addresses you use so that you don't go beyond the service limit. Which of the below services can help in this regard?

A) AWS CloudWatch
B) AWS SNS
C) AWS Trusted Advisor
D) AWS EC2



3. You have a set of customer keys created using the AWS KMS service. These keys have been used for around 6 months. You are now trying to use the new KMS features for the existing set of keys but are not able to do so. What could be the reason for this?

A) You have not explicitly given access via IAM users
B) You have not explicitly given access via the IAM policy
C) You have not explicitly given access via the key policy
D) You have not given access via the IAM roles



4. You have just developed a new mobile application that handles analytics workloads on large-scale datasets stored in Amazon Redshift. Consequently, the application needs to access Amazon Redshift tables. Which of the below methods would be the best, both practically and security-wise, to access the tables? Choose the correct answer from the options below.

A) Create a Redshift read-only access policy in IAM and embed those credentials in the application.
B) Create an HSM client certificate in Redshift and authenticate using this certificate.
C) Create an IAM user and generate encryption keys for that user. Create a policy for Redshift read-only access. Embed the keys in the application.
D) Use roles that allow a web identity federated user to assume a role that allows access to the Redshift table by providing temporary credentials.



5. A company continually generates sensitive records that it stores in an S3 bucket. All objects in the bucket are encrypted using SSE-KMS with one of the company's CMKs. Company compliance policies require that no more than one month of data be encrypted using the same encryption key. What solution below will meet the company's requirements?

A) Trigger a Lambda function with a monthly CloudWatch event that creates a new CMK and updates the S3 bucket to use the new CMK.
B) Configure the CMK to rotate the key material every month.
C) Trigger a Lambda function with a monthly CloudWatch event that creates a new CMK, updates the S3 bucket to use the new CMK, and deletes the old CMK.
D) Trigger a Lambda function with a monthly CloudWatch event that rotates the key material in the CMK.



1. Right Answer: C
Explanation: The AWS documentation states: "You can connect directly to AWS KMS through a private endpoint in your VPC instead of connecting over the internet. When you use a VPC endpoint, communication between your VPC and AWS KMS is conducted entirely within the AWS network." Option D (Internet gateway) is invalid because it exposes the subnet to threats from the internet. Option A (VPN connection) is invalid because a VPN is normally used for communication between on-premises environments and AWS. Option B (VPC peering) is invalid because peering is normally used for communication between VPCs. For more information on accessing KMS via an endpoint, see https://docs.aws.amazon.com/kms/latest/developerguide/kms-vpc-endpoint.html

2. Right Answer: C
Explanation: Option A (CloudWatch) is invalid because, although it can monitor resources, it is a monitoring service and cannot check usage against service limits at the level of detail the question requires. Option B (SNS) is invalid because it is a notification service; it can send notifications but does not check service limits. Option D (EC2) is invalid because it is the Elastic Compute Cloud service. [A screenshot of the service limits that Trusted Advisor can monitor appeared here.] For more information on Trusted Advisor monitoring, see https://aws.amazon.com/premiumsupport/ta-faqs/

3. Right Answer: C
Explanation: By default, keys created in KMS are created with the default key policy. When features are added to KMS, you need to explicitly update the default key policy for these keys. Options A, B and D are invalid because the key policy is the main entity used to provide access to the keys. For more information on upgrading key policies, see https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-upgrading.html

4. Right Answer: D
Explanation:

5. Right Answer: A
Explanation: You can use a Lambda function to create a new key and then update the S3 bucket to use the new key. Remember not to delete the old key, or you will no longer be able to decrypt the objects stored in the S3 bucket under the older key. Option B is incorrect because AWS KMS cannot rotate keys on a monthly basis. Option C is incorrect because deleting the old key means that you cannot access the older objects. Option D is incorrect because rotating key material is not possible. For more information on AWS KMS keys, see https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html
