1. Your company has a set of EBS volumes defined in AWS. The security mandate is that all EBS volumes are encrypted. What can be done to notify the IT admin staff if there are any unencrypted volumes in the account?
A) Use AWS (Amazon Web Services) Lambda to check for the unencrypted EBS volumes B) Use AWS (Amazon Web Services) GuardDuty to check for the unencrypted EBS volumes C) Use AWS (Amazon Web Services) Config to check for unencrypted EBS volumes D) Use AWS (Amazon Web Services) Inspector to inspect all the EBS volumes
2. An application running on EC2 instances in a VPC must call an external web service via TLS (port 443). The instances run in public subnets. Which configurations below allow the application to function and minimize the exposure of the instances? (Select 2 answers from the options given below)
A) A security group with a rule that allows outgoing traffic on port 443 B) A network ACL with rules that allow outgoing traffic on port 443 and incoming traffic on ephemeral ports C) A network ACL with a rule that allows outgoing traffic on port 443 D) A security group with rules that allow outgoing traffic on port 443 and incoming traffic on port 443 E) A network ACL with rules that allow outgoing traffic on port 443 and incoming traffic on port 443 F) A security group with rules that allow outgoing traffic on port 443 and incoming traffic on ephemeral ports
3. You are hosting a website via static website hosting on an S3 bucket - http://demo.s3-website-us-east-1.amazonaws.com. Some of your web pages use JavaScript that accesses resources in another bucket which also has website hosting enabled. But when users access the web pages, they get a blocked JavaScript error. How can you rectify this?
A) Enable MFA for the bucket B) Enable CRR for the bucket C) Enable versioning for the bucket D) Enable CORS for the bucket
4. Your company hosts a large set of EC2 instances in AWS. There are strict security rules governing the EC2 instances. During a potential security breach, you need to ensure quick investigation of the underlying EC2 instance. Which of the following services can help you quickly provision a test environment to look into the breached instance?
A) AWS CloudTrail B) AWS Config C) AWS CloudFormation D) AWS CloudWatch
5. A company is hosting a website that must be accessible to users for HTTPS traffic. Port 22 should also be open for administrative purposes. Which of the following security group configurations are the MOST secure but still functional to support these requirements? (Choose 2 answers from the options given below)
A) Port 443 coming from 10.0.0.0/16 B) Port 22 coming from 0.0.0.0/0 C) Port 22 coming from 10.0.0.0/16 D) Port 443 coming from 0.0.0.0/0
1. Right Answer: C Explanation:
2. Right Answer: A,B Explanation: Since here the traffic needs to flow outbound from the instance to a web service on port 443, the outbound rules on both the network ACL and the security group need to allow outbound traffic. The incoming traffic should be allowed on ephemeral ports for the operating system on the instance to allow a connection to be established on any desired or available port.
Option A is invalid because this rule alone is not enough. You also need to ensure incoming traffic on ephemeral ports.
Option C is invalid because you need to ensure incoming traffic on ephemeral ports and not only port 443.
Options E and F are invalid since here you are allowing additional ports on security groups which are not required.
For more information on VPC security groups, please visit the below URL: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html