CA Foundation Business Economics Questions 2023 - Part 32
Fri, 03 Mar 2023
Inspirational journeys
Follow the stories of academics and their research expeditions
AWS Certified Security - Specialty - Part 36
1. You working in the media industry and you have created a web application where users will be able to upload photos they create to your website. This web application must be able to call the S3 API in order to be able to function. Where should you store your API credentials whilst maintaining the maximum level of security?
A) Save your API credentials in a public Github repository.
B) Save the API credentials to your PHP files.
C) Pass API credentials to the instance using instance userdata. (Incorrect)
D) Don't save your API credentials. Instead create a role in IAM and assign this role to an EC2 instance when you first create it.
2. You have a set of Keys defined using the AWS(Amazon Web Service) KMS service. You want to stop using a couple of keys , but are not sure of which services are currently using the keys. Which of the following would be a safe option to stop using the keys from further usage.
A) Change the key material for the key (Incorrect)
B) Set an alias for the key
C) Delete the keys since anyway there is a 7 day waiting period before deletion
D) Disable the keys
3. Your company has defined privileged users for their AWS(Amazon Web Service) Account. These users are administrators for key resources defined in tle company. There is now a mandate to enhance the security authentication for these users, How can this be accomplished? Please select:
A) Enable accidental deletion for these user accounts
B) Enable MEA for these user accounts
C) Disable root access for the users
D) Enable version Ing for these user accounts
4. A company hosts a critical web application on the AWS(Amazon Web Service) Cloud. This is a key revenue generating application for the company. The IT Security team is worried about potential DDos attacks against the web site. The senior management has also specified that immediate action needs to be taken in case of a potential DDos attack. What should be done in this regard?
A) Consider using Cloudwatch logs to monitor traffic for DDos attack and quickly take actions on a trigger of a potential attack. (Incorrect)
B) Consider using the AWS(Amazon Web Service) Shield Service
C) Consider using the AWS(Amazon Web Service) Shield Advanced Service
D) Consider using VPC Flow logs to monitor traffic for DDos attack and quickly take actions on a trigger of a potential attack.
5. Your company has an EC2 Instance that is hosted in an AWS(Amazon Web Service) VPC. There is a requirement to ensure that logs files from the EC2 Instance are stored accordingly. The access should also be limited for the destination of the log files. How can this be accomplished? Choose 2 answers from the options given below. Each answer forms part of the solution(Select 2answers)
A) Create an lAM policy that gives the desired level of access to the Cloud watch Log group
B) Create an lAM policy that gives the desired level of access to the Cloud trail.
C) Stream the log files to a separate Cloudwatch Log group
D) Stream the log files to a separate Cloudtrail trail
A) Save your API credentials in a public Github repository.
B) Save the API credentials to your PHP files.
C) Pass API credentials to the instance using instance userdata. (Incorrect)
D) Don't save your API credentials. Instead create a role in IAM and assign this role to an EC2 instance when you first create it.
2. You have a set of Keys defined using the AWS(Amazon Web Service) KMS service. You want to stop using a couple of keys , but are not sure of which services are currently using the keys. Which of the following would be a safe option to stop using the keys from further usage.
A) Change the key material for the key (Incorrect)
B) Set an alias for the key
C) Delete the keys since anyway there is a 7 day waiting period before deletion
D) Disable the keys
3. Your company has defined privileged users for their AWS(Amazon Web Service) Account. These users are administrators for key resources defined in tle company. There is now a mandate to enhance the security authentication for these users, How can this be accomplished? Please select:
A) Enable accidental deletion for these user accounts
B) Enable MEA for these user accounts
C) Disable root access for the users
D) Enable version Ing for these user accounts
4. A company hosts a critical web application on the AWS(Amazon Web Service) Cloud. This is a key revenue generating application for the company. The IT Security team is worried about potential DDos attacks against the web site. The senior management has also specified that immediate action needs to be taken in case of a potential DDos attack. What should be done in this regard?
A) Consider using Cloudwatch logs to monitor traffic for DDos attack and quickly take actions on a trigger of a potential attack. (Incorrect)
B) Consider using the AWS(Amazon Web Service) Shield Service
C) Consider using the AWS(Amazon Web Service) Shield Advanced Service
D) Consider using VPC Flow logs to monitor traffic for DDos attack and quickly take actions on a trigger of a potential attack.
5. Your company has an EC2 Instance that is hosted in an AWS(Amazon Web Service) VPC. There is a requirement to ensure that logs files from the EC2 Instance are stored accordingly. The access should also be limited for the destination of the log files. How can this be accomplished? Choose 2 answers from the options given below. Each answer forms part of the solution(Select 2answers)
A) Create an lAM policy that gives the desired level of access to the Cloud watch Log group
B) Create an lAM policy that gives the desired level of access to the Cloud trail.
C) Stream the log files to a separate Cloudwatch Log group
D) Stream the log files to a separate Cloudtrail trail
1. Right Answer: D
Explanation: Applications must sign their API requests with AWS(Amazon Web Service) credentials. Therefore, if you are an application developer, you need a strategy for managing credentials for your applications that run on EC2 instances. For example, you can securely distribute your AWS(Amazon Web Service) credentials to the instances, enabling the applications on those instances to use your credentials to sign requests, while protecting your credentials from other users. However, it's challenging to securely distribute credentials to each instance, especially those that AWS(Amazon Web Service) creates on your behalf, such as Spot Instances or instances in Auto Scaling groups. You must also be able to update the credentials on each instance when you rotate your AWS(Amazon Web Service) credentials. IAM roles are designed so that your applications can securely make API requests from your instances, without requiring you to manage the security credentials that the applications use. Option A,C and D are invalid because using AWS(Amazon Web Service) Credentials in an application in production is a direct no recommendation for secure access For more information on IAM Roles, please visit the below URL http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
2. Right Answer: D
Explanation: Option A is invalid because once you schedule the deletion , you cannot come back from the deletion process Option C and D are invalid because these will not check to see if the keys are being used or not The AWS(Amazon Web Service) Documentation mentions the following Deleting a customer master key (CMK) in AWS(Amazon Web Service) Key Management Service (AWS KMS) is destructive and potentially dangerous. It deletes the key material and all metadata associated with the CMK, and is irreversible. After a CMK is deleted you can no longer decrypt the data that was encrypted under that CMK, which means that data becomes unrecoverable. You should delete a CMK only when you are sure that you don't need to use it anymore. If you are not sure, consider disabling the CMK instead of deleting it. You can re-enable a disabled CMK if you need to use it again later, but you cannot recover a deleted CMK. For more information on deleting keys from KMS, please visit the below URL https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
3. Right Answer: B
Explanation:
4. Right Answer: C
Explanation: Option A is invalid because the normal AWS(Amazon Web Service) Shield Service will not help in immediate action against a DDos attack. This can be done via the AWS(Amazon Web Service) Shield Advanced Service Option B is invalid because this is a logging service for VPC's traffic flow but cannot specifically protect against DDos attacks. Option D is invalid because this is a logging service for AWS(Amazon Web Service) Services but cannot specifically protect against DDos attacks. The AWS(Amazon Web Service) Documentation mentions the following AWS Shield Advanced provides enhanced protections for your applications running on Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront and Route 53 against larger and more sophisticated attacks. AWS(Amazon Web Service) Shield Advanced is available to AWS(Amazon Web Service) Business Support and AWS(Amazon Web Service) Enterprise Support customers. AWS(Amazon Web Service) Shield Advanced protection provides always-on, flow-based monitoring of network traffic and active application monitoring to provide near real-time notifications of DDoS attacks. AWS(Amazon Web Service) Shield Advanced also gives customers highly flexible controls over attack mitigations to take actions instantly. Customers can also engage the DDoS Response Team (DRT) 24X7 to manage and mitigate their application layer DDoS attacks. For more information on AWS(Amazon Web Service) Shield, please visit the below URL https://aws.amazon.com/shield/faqs/
5. Right Answer: A,C
Explanation:
Explanation: Applications must sign their API requests with AWS(Amazon Web Service) credentials. Therefore, if you are an application developer, you need a strategy for managing credentials for your applications that run on EC2 instances. For example, you can securely distribute your AWS(Amazon Web Service) credentials to the instances, enabling the applications on those instances to use your credentials to sign requests, while protecting your credentials from other users. However, it's challenging to securely distribute credentials to each instance, especially those that AWS(Amazon Web Service) creates on your behalf, such as Spot Instances or instances in Auto Scaling groups. You must also be able to update the credentials on each instance when you rotate your AWS(Amazon Web Service) credentials. IAM roles are designed so that your applications can securely make API requests from your instances, without requiring you to manage the security credentials that the applications use. Option A,C and D are invalid because using AWS(Amazon Web Service) Credentials in an application in production is a direct no recommendation for secure access For more information on IAM Roles, please visit the below URL http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
2. Right Answer: D
Explanation: Option A is invalid because once you schedule the deletion , you cannot come back from the deletion process Option C and D are invalid because these will not check to see if the keys are being used or not The AWS(Amazon Web Service) Documentation mentions the following Deleting a customer master key (CMK) in AWS(Amazon Web Service) Key Management Service (AWS KMS) is destructive and potentially dangerous. It deletes the key material and all metadata associated with the CMK, and is irreversible. After a CMK is deleted you can no longer decrypt the data that was encrypted under that CMK, which means that data becomes unrecoverable. You should delete a CMK only when you are sure that you don't need to use it anymore. If you are not sure, consider disabling the CMK instead of deleting it. You can re-enable a disabled CMK if you need to use it again later, but you cannot recover a deleted CMK. For more information on deleting keys from KMS, please visit the below URL https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
3. Right Answer: B
Explanation:
4. Right Answer: C
Explanation: Option A is invalid because the normal AWS(Amazon Web Service) Shield Service will not help in immediate action against a DDos attack. This can be done via the AWS(Amazon Web Service) Shield Advanced Service Option B is invalid because this is a logging service for VPC's traffic flow but cannot specifically protect against DDos attacks. Option D is invalid because this is a logging service for AWS(Amazon Web Service) Services but cannot specifically protect against DDos attacks. The AWS(Amazon Web Service) Documentation mentions the following AWS Shield Advanced provides enhanced protections for your applications running on Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront and Route 53 against larger and more sophisticated attacks. AWS(Amazon Web Service) Shield Advanced is available to AWS(Amazon Web Service) Business Support and AWS(Amazon Web Service) Enterprise Support customers. AWS(Amazon Web Service) Shield Advanced protection provides always-on, flow-based monitoring of network traffic and active application monitoring to provide near real-time notifications of DDoS attacks. AWS(Amazon Web Service) Shield Advanced also gives customers highly flexible controls over attack mitigations to take actions instantly. Customers can also engage the DDoS Response Team (DRT) 24X7 to manage and mitigate their application layer DDoS attacks. For more information on AWS(Amazon Web Service) Shield, please visit the below URL https://aws.amazon.com/shield/faqs/
5. Right Answer: A,C
Explanation:
Tags:
aws cloud awc cloud cerification certified aws aws certifications aws cloud practitioner aws solution architect aws training aws certified cloud practitioner aws exam aws certification exam aws practice exams aws 2023 aws updated questions aws questions aws cert aws certified solutions architect aws solution architect associate aws training and certification aws certified developer associate certification for devops0 Comments
Categories
Recent posts
CA Foundation Business Economics Questions 2023 - Part 31
Fri, 03 Mar 2023
CA Foundation Business Economics Questions 2023 - Part 30
Fri, 03 Mar 2023
Leave a comment