1. Every application in a company's portfolio has a separate AWS account for development and production. The security team wants to prevent the root user and all IAM users in the production accounts from accessing a specific set of unneeded services. How can they control this functionality?
A) Create an IAM policy that denies access to the services. Associate the policy with an IAM group and enlist all users and the root users in this group. (Incorrect)
B) Create an IAM policy that denies access to the services. Create a Config Rule that checks that all users have the policy assigned. Trigger a Lambda function that adds the policy when found missing.
C) Create a Service Control Policy that denies access to the services. Assemble all production accounts in an organizational unit. Apply the policy to that organizational unit.
D) Create a Service Control Policy that denies access to the services. Apply the policy to the root account.
2. You want to track access requests for a particular S3 bucket. How can you achieve this in the easiest possible way?
A) Enable server access logging for the bucket
B) Enable CloudWatch Logs for the bucket
C) Enable AWS Config for the S3 bucket
D) Enable CloudWatch metrics for the bucket
3. Your company makes use of S3 buckets for storing data. There is a company policy that all services should have logging enabled. How can you ensure that logging is always enabled for created S3 buckets in the AWS account?
A) Use AWS Config Rules to check whether logging is enabled for buckets
B) Use AWS Inspector to inspect all S3 buckets and enable logging for those where it is not enabled
C) Use AWS CloudWatch metrics to check whether logging is enabled for buckets
D) Use AWS CloudWatch Logs to check whether logging is enabled for buckets (Incorrect)
4. Your company has confidential documents stored in the Simple Storage Service. Due to compliance requirements, you have to ensure that the data in the S3 bucket is available in a different geographical location. As an architect, what change would you make to comply with this requirement?
A) Enable Cross-Region Replication for the S3 bucket
B) Create a snapshot of the S3 bucket and copy it to another region
C) Copy the data to an EBS volume in another Region
D) Apply Multi-AZ for the underlying S3 bucket
5. A company hosts a popular web application that connects to an Amazon RDS MySQL DB instance running in a private VPC subnet that was created with default ACL settings. The IT Security department suspects that a DDoS attack is coming from a suspected IP. How can you protect the subnets from this attack? Please select:
A) Change the inbound Security Groups to deny access from the suspected IP
B) Change the outbound Security Groups to deny access from the suspected IP
C) Change the inbound NACL to deny access from the suspected IP
D) Change the outbound NACL to deny access from the suspected IP
1. Right Answer: C
Explanation: As an administrator of the master account of an organization, you can restrict which AWS services and individual API actions the users and roles in each member account can access. This restriction even overrides the administrators of member accounts in the organization. When AWS Organizations blocks access to a service or API action for a member account, a user or role in that account can't access any prohibited service or API action, even if an administrator of a member account explicitly grants such permissions in an IAM policy. Organization permissions overrule account permissions. Option D is invalid because service control policies cannot be assigned to the root account at the account level. Options A and B are invalid because IAM policies alone at the account level would not satisfy the requirement (the root user is not subject to IAM policies). For more information on attaching an IAM policy to a group, please visit the URL below: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage_attach-policy.html
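The SCP evaluation logic the explanation describes, as an added example that is not from the page or from AWS: a constructed SCP denying a set of unneeded services (the service names, the `FullAWSAccess` default and the simplified evaluator are assumptions for illustration) shows that an explicit IAM allow in a member account, and even the member account's root user, cannot get past an SCP deny attached to the production OU.

```python
import fnmatch
import json

# Constructed SCP (not from the page): denies a set of unneeded services.
# Attached to the "Production" OU, it bounds every account in that OU.
PRODUCTION_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyUnneededServices",
    "Effect": "Deny",
    "Action": ["sagemaker:*", "lightsail:*", "gamelift:*"],
    "Resource": "*"
  }]
}
""")

# Default SCP every OU carries unless removed: allows everything.
FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# A member-account administrator's IAM policy: allows everything (assumed).
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def _matches(action, statement):
    """Case-insensitive wildcard match of an action against a statement's Action."""
    patterns = statement["Action"]
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def scp_permits(action, scps):
    """SCP layer: an action passes only if some SCP allows it and no SCP denies it."""
    allowed = False
    for scp in scps:
        for st in scp["Statement"]:
            if _matches(action, st):
                if st["Effect"] == "Deny":
                    return False  # explicit Deny always wins
                allowed = True
    return allowed


def effective_decision(action, iam_policies, scps, is_root=False):
    """Simplified evaluation (IAM Deny statements omitted): the SCP boundary is
    checked first and cannot be overridden by IAM policies or by the root user."""
    if not scp_permits(action, scps):
        return "Deny (blocked by SCP)"
    if is_root or any(st["Effect"] == "Allow" and _matches(action, st)
                      for p in iam_policies for st in p["Statement"]):
        return "Allow"
    return "Deny (implicit)"
```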
2. Right Answer: A
Explanation:
3. Right Answer: A
Explanation: This is given in the AWS documentation as an example rule in AWS Config. Option B is invalid because AWS Inspector cannot be used to scan S3 buckets. Options C and D are invalid because CloudWatch cannot be used to check whether logging is enabled for buckets. For more information on Config Rules, please see the link below: https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config-rules.html
4. Right Answer: A
Explanation: This is mentioned clearly as a use case for S3 cross-region replication. You might configure cross-region replication on a bucket for various reasons, including the following: Compliance requirements: although, by default, Amazon S3 stores your data across multiple geographically distant Availability Zones, compliance requirements might dictate that you store data at even further distances. Cross-region replication allows you to replicate data between distant AWS Regions to satisfy these compliance requirements. Option D is invalid because Multi-AZ cannot be applied to S3 buckets. Option C is invalid because copying the data to an EBS volume is not a recommended practice. Option B is invalid because creating snapshots is not possible in S3. For more information on S3 cross-region replication, please visit the following URL: https://docs.aws.amazon.com/AmazonS3/latest/dev/crr.html