
AWS Certified Security - Specialty - Part 35

Mary Smith

Wed, 09 Jul 2025

1. You have an EC2 instance in a private subnet which needs to access the KMS service. Which of the below methods can help fulfill this requirement while keeping security in perspective? Please select:

A) Use a VPC endpoint
B) Use VPC Peering
C) Attach a VPN connection to the VPC
D) Attach an Internet gateway to the subnet



2. Your company has a set of 1000 EC2 Instances defined in an AWS(Amazon Web Service) Account. They want to effectively automate several administrative tasks on these instances. Which of the following would be an effective way to achieve this?

A) Use the AWS(Amazon Web Service) Inspector
B) Use the AWS(Amazon Web Service) Systems Manager Run Command
C) Use the AWS(Amazon Web Service) Systems Manager Parameter Store
D) Use AWS(Amazon Web Service) Config



3. A company has a legacy application that outputs all logs to a local text file. Logs from all applications running on AWS(Amazon Web Service) must be continually monitored for security related messages. What can be done to allow the company to deploy the legacy application on Amazon EC2 and still meet the monitoring requirement?

A) Install the Amazon Inspector agent on any EC2 instance running the legacy application. Generate CloudWatch alerts based on any Amazon Inspector findings.
B) Create a Lambda function that mounts the EBS volume with the logs and scans the logs for security incidents. Trigger the function every 5 minutes with a scheduled Cloudwatch event.
C) Send the local text log files to CloudWatch Logs and configure a CloudWatch metric filter. Trigger cloudWatch alarms based on the metrics.
D) Export the local text log files to CloudTrail. Create a Lambda function that queries the CloudTrail logs for security incidents using Athena.



4. You have a web site that is sitting behind AWS(Amazon Web Service) CloudFront. You need to protect the web site against threats such as SQL injection and cross-site scripting attacks. Which of the following services can help in such a scenario? Please select:

A) AWS WAF
B) AWS Inspector
C) AWS Configuration
D) AWS Trusted Advisor



5. You are responsible for deploying a critical application onto AWS. Part of the requirements for this application is to ensure that the controls set for this application meet PCI compliance. There is also a need to monitor web application logs to identify any malicious activity. Which of the following services can be used to fulfil this requirement? Choose 2 answers from the options given below (Select 2 answers).

A) Amazon Cloudwatch Logs
B) Amazon AWS(Amazon Web Service) Config
C) Amazon VPC Flow Logs
D) Amazon Cloudtrail



1. Right Answer: A
Explanation:

2. Right Answer: B
Explanation: The AWS documentation mentions the following. AWS Systems Manager Run Command lets you remotely and securely manage the configuration of your managed instances. A managed instance is any Amazon EC2 instance or on-premises machine in your hybrid environment that has been configured for Systems Manager. Run Command enables you to automate common administrative tasks and perform ad hoc configuration changes at scale. You can use Run Command from the AWS console, the AWS Command Line Interface, AWS Tools for Windows PowerShell, or the AWS SDKs. Run Command is offered at no additional cost. Option C is invalid because Parameter Store is used to store parameters. Option A is invalid because Inspector is used to scan for vulnerabilities in an EC2 instance. Option D is invalid because Config is used to check for configuration changes. For more information on executing remote commands, please visit the below URL: https://docs.aws.amazon.com/systems-manager/latest/userguide/execute-remote-commands.html

3. Right Answer: C
Explanation: One can send the log files to CloudWatch Logs. Log files can also be sent from on-premises servers. You can then specify metric filters to search the logs for specific values, and create alarms based on those metrics. Option B is invalid because mounting the volume from a scheduled Lambda function would be a long, overdrawn process to achieve this requirement. Option A is invalid because AWS Inspector cannot be used to monitor for security-related messages. Option D is invalid because files cannot be exported to AWS CloudTrail. For more information on the CloudWatch Logs agent, please visit the below URL: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/QuickStartEC2Instance.html
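As an added illustration of the mechanism the explanation above describes (ship log lines to CloudWatch Logs, define a metric filter, and alarm on the resulting metric), the Python below emulates a subset of the CloudWatch Logs metric-filter term syntax for unstructured logs (plain terms that must all appear, `?term` alternatives, quoted phrases, and `-term` exclusions) over constructed sample lines, buckets matches into one-minute periods, and evaluates an alarm threshold. This is example code written for this page, not code from AWS or from the original post: the log lines are constructed, the substring matching of terms and the bucketing by the timestamp prefix are simplifying assumptions, and the function names are the example's own.

```python
import shlex
from collections import Counter

# Constructed sample application log lines (not taken from the page or any real system).
SAMPLE_LOG = [
    "2025-07-09T10:00:01Z INFO user=alice action=login result=success",
    "2025-07-09T10:00:05Z ERROR user=bob action=login result=failed reason=bad_password",
    "2025-07-09T10:00:09Z WARN user=carol action=sudo result=denied",
    "2025-07-09T10:00:12Z DEBUG ERROR simulated for testing",
    "2025-07-09T10:00:20Z ERROR user=bob action=login result=failed reason=bad_password",
    "2025-07-09T10:01:03Z ERROR user=bob action=login result=failed reason=bad_password",
]


def parse_pattern(pattern):
    """Split a metric-filter style pattern into (required, any_of, excluded) term lists.

    shlex.split keeps quoted phrases together, so '?"Access Denied"' becomes
    one token '?Access Denied'. Assumption: terms are matched as case-sensitive
    substrings of the line (a simplification of the real filter semantics).
    """
    required, any_of, excluded = [], [], []
    for token in shlex.split(pattern):
        if token.startswith("-") and len(token) > 1:
            excluded.append(token[1:])
        elif token.startswith("?") and len(token) > 1:
            any_of.append(token[1:])
        else:
            required.append(token)
    return required, any_of, excluded


def line_matches(line, pattern):
    """True when the line satisfies every required term, at least one ?term
    (if any were given) and none of the excluded terms."""
    required, any_of, excluded = parse_pattern(pattern)
    if any(term in line for term in excluded):
        return False
    if not all(term in line for term in required):
        return False
    if any_of and not any(term in line for term in any_of):
        return False
    return True


def count_matches(lines, pattern):
    """Total number of log lines the filter would count toward the metric."""
    return sum(1 for line in lines if line_matches(line, pattern))


def metric_datapoints(lines, pattern):
    """Emulate a metric with a one-minute period: matches per 'YYYY-MM-DDTHH:MM'.

    Assumption: each line begins with an ISO-8601 timestamp, so its first 16
    characters identify the minute it belongs to.
    """
    counts = Counter()
    for line in lines:
        if line_matches(line, pattern):
            counts[line[:16]] += 1
    return dict(counts)


def alarm_state(lines, pattern, threshold):
    """ALARM if any period's datapoint reaches the threshold, otherwise OK.
    Mirrors a 'GreaterThanOrEqualToThreshold' alarm on a single datapoint."""
    datapoints = metric_datapoints(lines, pattern)
    return "ALARM" if any(v >= threshold for v in datapoints.values()) else "OK"


if __name__ == "__main__":
    pattern = '?ERROR ?denied -DEBUG'
    print("matches:", count_matches(SAMPLE_LOG, pattern))
    print("per-minute:", metric_datapoints(SAMPLE_LOG, pattern))
    print("alarm (threshold 3):", alarm_state(SAMPLE_LOG, pattern, threshold=3))
```

The `-DEBUG` exclusion is the part worth noting: without it, a test line that merely contains the word ERROR would count toward the same metric as a real failure, which is the usual source of noisy alarms when a filter is written against raw text rather than a structured field.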

4. Right Answer: A
Explanation:

5. Right Answer: A,D
Explanation: The AWS documentation mentions the following about these services. AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting. Option C is incorrect because VPC Flow Logs can only record network flows to and from instances in a VPC. Option B is incorrect because AWS Config can check for configuration changes only. For more information on CloudTrail, please refer to the below URL: https://aws.amazon.com/cloudtrail/ You can use Amazon CloudWatch Logs to monitor, store, and access your log files from Amazon Elastic Compute Cloud (Amazon EC2) instances, AWS CloudTrail, Amazon Route 53, and other sources. You can then retrieve the associated log data from CloudWatch Logs. For more information on CloudWatch Logs, please refer to the below URL: http://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html
