1. A new application will be deployed on EC2 instances in private subnets. The application will transfer sensitive data to and from an S3 bucket. Compliance requirements state that the data must not traverse the public internet. Which solution meets the compliance requirement?
A) Access the S3 bucket through the SSL-protected S3 endpoint
B) Access the S3 bucket through a VPC endpoint for S3
C) Access the S3 bucket through a proxy server
D) Access the S3 bucket through a NAT gateway
2. You need to ensure that objects in an S3 bucket are available in another region, because of the criticality of the data hosted in the bucket. How can you achieve this in the easiest way possible?
A) Enable cross-region replication for the bucket
B) Write a script to copy the objects to another bucket in the destination region
C) Create an S3 snapshot in the destination region
D) Enable versioning, which will copy the objects to the destination region
3. A company has external vendors that must deliver files to the company. These vendors have cross-account permissions that allow them to upload objects to one of the company's S3 buckets. What combination of steps must the vendor follow to successfully deliver a file to the company? (Select 2 answers)
A) Add a bucket policy to the bucket that grants the bucket owner full permissions to the object
B) Add a grant to the object's ACL giving full permissions to the bucket owner
C) Attach an IAM role to the bucket that grants the bucket owner full permissions to the object
D) Upload the file to the company's S3 bucket as an object
E) Encrypt the object with a KMS key controlled by the company
4. A company developed an incident response plan 18 months ago. The plan is exercised regularly, but no changes have been made to it since its creation. Which of the following statements about the plan is correct?
A) The response plan is complete in its entirety
B) The response plan does not cater to new services
C) It places too much emphasis on already implemented security controls
D) The response plan is not implemented on a regular basis
5. An application running on EC2 instances must use a username and password to access a database. The developer has stored those secrets in the SSM Parameter Store with type SecureString using the default KMS CMK. Which combination of configuration steps will allow the application to access the secrets via the API? (Select 2 answers)
A) Add the SSM service role as a trusted service to the EC2 instance role
B) Add the EC2 instance role as a trusted service to the SSM service role
C) Add permission to use the KMS key to decrypt to the EC2 instance role
D) Add permission to use the KMS key to decrypt to the SSM service role
E) Add permission to read the SSM parameter to the EC2 instance role
1. Right Answer: B
Explanation: The AWS documentation mentions the following: a VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service does not leave the Amazon network. Option C is invalid because a proxy server on its own is not sufficient: the traffic still has to reach S3 over the internet. Options A and D are invalid because the requirement is that the communication must not traverse the public internet at all; TLS protects the data in transit but does not change the path, and a NAT gateway sends traffic out to the internet. For more information on VPC endpoints, see https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html
2. Right Answer: A
Explanation: The AWS documentation mentions the following: cross-region replication is a bucket-level configuration that enables automatic, asynchronous copying of objects across buckets in different AWS Regions. Option B is partially correct, but creating and maintaining a script is a large maintenance overhead when the functionality is already available in S3. Option C is invalid because snapshots are not a feature of S3. Option D is invalid because versioning does not replicate objects to another region. For more information on cross-region replication in S3, see https://docs.aws.amazon.com/AmazonS3/latest/dev/crr.html
3. Right Answer: B, D
Explanation: This scenario is given in the AWS documentation. The vendor uploads the file as an object (D) and adds a grant to the object's ACL giving the bucket owner full permissions (B); without that grant the object remains owned by the vendor's account and the bucket owner cannot access it. Options A and C are invalid because the grant is made on the object's ACL, not through a bucket policy, and IAM roles cannot be attached to a bucket. Option E is not required since encryption is not part of the requirement. For more information on this scenario, see https://docs.aws.amazon.com/AmazonS3/latest/dev/example-walkthroughs-managing-access-example3.html
4. Right Answer: B
Explanation: The case here is that the incident response plan does not cater to newly created services. AWS keeps changing and adding new services, so a plan that has not been updated in 18 months cannot cover them. Option A is invalid because we know the plan is not complete: it does not cater to new AWS features. Options C and D are invalid because nothing in the scenario establishes them; in fact the scenario states that the plan is exercised regularly. For more information on incident response plans, see https://aws.amazon.com/blogs/publicsector/building-a-cloud-specific-incident-response-plan/