Published - Fri, 03 Mar 2023
AWS Certified Security - Specialty - Part 33
1. A web application runs in a VPC on EC2 instances behind an ELB Application Load Balancer. The application stores data in an RDS MySQL DB instance. A Linux bastion host is used to apply schema updates to the database ' administrators connect to the host via SSH from a corporate workstation. The following security groups are applied to the infrastructure-sgLB ' associated with the ELBsgWeb ' associated with the EC2 instances.sgDB ' associated with the databasesgBastion ' associated with the bastion host Which security group configuration will allow the application to be secure and functional?
A) sgLB :allow port 80 and 443 traffic from 0.0.0.0/0 sgWeb :allow port 80 and 443 traffic from 0.0.0.0/0 sgDB :allow port 3306 traffic from sgWeb and sgBastion sgBastion: allow port 22 traffic from the corporate IP address range (Incorrect)
B) sgLB :allow port 80 and 443 traffic from 0.0.0.0/0 sgWeb :allow port 80 and 443 traffic from sgLB sgDB :allow port 3306 traffic from sgWeb and sgBastion sgBastion: allow port 22 traffic from the corporate IP address range
C) sgLB :allow port 80 and 443 traffic from 0.0.0.0/0 sgWeb :allow port 80 and 443 traffic from sgLB sgDB :allow port 3306 traffic from sgWeb and sgBastion sgBastion: allow port 22 traffic from the VPC IP address range
D) sgLB :allow port 80 and 443 traffic from 0.0.0.0/0 sgWeb :allow port 80 and 443 traffic from sgLB sgDB :allow port 3306 traffic from sgWeb and sgLB sgBastion: allow port 22 traffic from the VPC IP address range
2. A company wishes to enable Single Sign On (SSO) so its employees can login to the management console using their corporate directory identity. Which steps below are required as part of the process? Select 2 answers from the options given below.(Select 2answers)
A) Create a Lambda function to assign IAM roles to the temporary security tokens provided to the users.
B) Create a Direct Connect connection between the corporate network and the AWS(Amazon Web Service) region with the company's infrastructure.
C) Create IAM policies that can be mapped to group memberships in the corporate directory.
D) Create an IAM role that establishes a trust relationship between IAM and the corporate directory identity provider (IdP)
E) Create IAM users that can be mapped to the employees' corporate identities (Incorrect)
3. A large organization is planning on AWS(Amazon Web Service) to host their resources. They have a number of autonomous departments that wish to use AWS. What could be the strategy to adopt for managing the accounts. Please select:
A) Use multiple VPC?s in the account each VPC for each department
B) Use multiple AWS(Amazon Web Service) accounts, each account for each department
C) Use multiple lAM groups. each group for each department
D) Use multiple lAM roles, each group for each department
4. You have an S3 bucket hosted in AWS. This is used to host promotional videos uploaded by yourself. You need to provide access to users for a limited duration of time. How can this be achieved?
A) Use IAM Roles with a timestamp to limit the access
B) Use IAM policies with a timestamp to limit the access
C) Use Pre signed URL?s
D) Use versioning and enable a time starnp for each version
5. An application running on EC2 instances in a VPC must access sensitive data in the data center. The access must be encrypted in transit and have consistent low latency. Which hybrid architecture will meet these requirements?
A) A VPN between the VPC and the data center.
B) Expose the data with a public HTTPS endpoint.
C) A Direct Connect connection between the VPC and data center. (Incorrect)
D) A VPN between the VPC and the data center over a Direct Connect connection
A) sgLB :allow port 80 and 443 traffic from 0.0.0.0/0 sgWeb :allow port 80 and 443 traffic from 0.0.0.0/0 sgDB :allow port 3306 traffic from sgWeb and sgBastion sgBastion: allow port 22 traffic from the corporate IP address range (Incorrect)
B) sgLB :allow port 80 and 443 traffic from 0.0.0.0/0 sgWeb :allow port 80 and 443 traffic from sgLB sgDB :allow port 3306 traffic from sgWeb and sgBastion sgBastion: allow port 22 traffic from the corporate IP address range
C) sgLB :allow port 80 and 443 traffic from 0.0.0.0/0 sgWeb :allow port 80 and 443 traffic from sgLB sgDB :allow port 3306 traffic from sgWeb and sgBastion sgBastion: allow port 22 traffic from the VPC IP address range
D) sgLB :allow port 80 and 443 traffic from 0.0.0.0/0 sgWeb :allow port 80 and 443 traffic from sgLB sgDB :allow port 3306 traffic from sgWeb and sgLB sgBastion: allow port 22 traffic from the VPC IP address range
2. A company wishes to enable Single Sign On (SSO) so its employees can login to the management console using their corporate directory identity. Which steps below are required as part of the process? Select 2 answers from the options given below.(Select 2answers)
A) Create a Lambda function to assign IAM roles to the temporary security tokens provided to the users.
B) Create a Direct Connect connection between the corporate network and the AWS(Amazon Web Service) region with the company's infrastructure.
C) Create IAM policies that can be mapped to group memberships in the corporate directory.
D) Create an IAM role that establishes a trust relationship between IAM and the corporate directory identity provider (IdP)
E) Create IAM users that can be mapped to the employees' corporate identities (Incorrect)
3. A large organization is planning on AWS(Amazon Web Service) to host their resources. They have a number of autonomous departments that wish to use AWS. What could be the strategy to adopt for managing the accounts. Please select:
A) Use multiple VPC?s in the account each VPC for each department
B) Use multiple AWS(Amazon Web Service) accounts, each account for each department
C) Use multiple lAM groups. each group for each department
D) Use multiple lAM roles, each group for each department
4. You have an S3 bucket hosted in AWS. This is used to host promotional videos uploaded by yourself. You need to provide access to users for a limited duration of time. How can this be achieved?
A) Use IAM Roles with a timestamp to limit the access
B) Use IAM policies with a timestamp to limit the access
C) Use Pre signed URL?s
D) Use versioning and enable a time starnp for each version
5. An application running on EC2 instances in a VPC must access sensitive data in the data center. The access must be encrypted in transit and have consistent low latency. Which hybrid architecture will meet these requirements?
A) A VPN between the VPC and the data center.
B) Expose the data with a public HTTPS endpoint.
C) A Direct Connect connection between the VPC and data center. (Incorrect)
D) A VPN between the VPC and the data center over a Direct Connect connection
1. Right Answer: B
Explanation: The Load Balancer should accept traffic on ow port 80 and 443 traffic from 0.0.0.0/0 The backend EC2 Instances should accept traffic from the Load Balancer The database should allow traffic from the Web server And the Bastion host should only allow traffic from a specific corporate IP address range Option A is incorrect because the Web group should only allow traffic from the Load balancer Option B and C are incorrect because the bastion host should only traffic from a corporate IP address For more information on AWS(Amazon Web Service) Security Groups , please refer to below URL https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html
2. Right Answer: B,D
Explanation: Create a Direct Connect connection so that corporate users can access the AWS(Amazon Web Service) account. Option B is incorrect because IAM policies are not directly mapped to group memberships in the corporate directory. It is IAM roles which are mapped. Option C is incorrect because Lambda functions is an incorrect option to assign roles. Option D is incorrect because IAM users are not directly mapped to employees' corporate identities. For more information on Direct Connect , please refer to below URL https://aws.amazon.com/directconnect/ From the AWS(Amazon Web Service) Documentation , for federated access, you also need to ensure the right policy permissions are in place < href='https://s3.amazonaws.com/whizlabs-pub/AWS+Security+Specialty+Practice+Test+Images/Practice+Test+I/62.png' target='_blank'> For more information on SAML federation , please refer to below URL https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html
3. Right Answer: A
Explanation:
4. Right Answer: C
Explanation:
5. Right Answer: D
Explanation: Since this is required over a consistency low latency connection , you should use Direct Connect. For encryption , you can make use of a VPN Option A is invalid because exposing an HTTPS endpoint will not help all traffic to flow between a VPC and the data center. Option C is invalid because low latency is a key requirement Option D is invalid because only Direct Connect will not suffice For more information on the connection options please see the below link https://aws.amazon.com/answers/networking/aws-multiple-vpc-vpn-connection-sharing/
Explanation: The Load Balancer should accept traffic on ow port 80 and 443 traffic from 0.0.0.0/0 The backend EC2 Instances should accept traffic from the Load Balancer The database should allow traffic from the Web server And the Bastion host should only allow traffic from a specific corporate IP address range Option A is incorrect because the Web group should only allow traffic from the Load balancer Option B and C are incorrect because the bastion host should only traffic from a corporate IP address For more information on AWS(Amazon Web Service) Security Groups , please refer to below URL https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html
2. Right Answer: B,D
Explanation: Create a Direct Connect connection so that corporate users can access the AWS(Amazon Web Service) account. Option B is incorrect because IAM policies are not directly mapped to group memberships in the corporate directory. It is IAM roles which are mapped. Option C is incorrect because Lambda functions is an incorrect option to assign roles. Option D is incorrect because IAM users are not directly mapped to employees' corporate identities. For more information on Direct Connect , please refer to below URL https://aws.amazon.com/directconnect/ From the AWS(Amazon Web Service) Documentation , for federated access, you also need to ensure the right policy permissions are in place < href='https://s3.amazonaws.com/whizlabs-pub/AWS+Security+Specialty+Practice+Test+Images/Practice+Test+I/62.png' target='_blank'> For more information on SAML federation , please refer to below URL https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html
3. Right Answer: A
Explanation:
4. Right Answer: C
Explanation:
5. Right Answer: D
Explanation: Since this is required over a consistency low latency connection , you should use Direct Connect. For encryption , you can make use of a VPN Option A is invalid because exposing an HTTPS endpoint will not help all traffic to flow between a VPC and the data center. Option C is invalid because low latency is a key requirement Option D is invalid because only Direct Connect will not suffice For more information on the connection options please see the below link https://aws.amazon.com/answers/networking/aws-multiple-vpc-vpn-connection-sharing/
Created by
Comments (0)
Search
Popular categories
Latest blogs
CA Foundation Business Economics Questions 2023 - Part 32
Fri, 03 Mar 2023
CA Foundation Business Economics Questions 2023 - Part 31
Fri, 03 Mar 2023
CA Foundation Business Economics Questions 2023 - Part 30
Fri, 03 Mar 2023
Write a public review