AWS Certified Security - Specialty - Part 4

Mary Smith

Wed, 21 Jan 2026

1. Which of the following is the responsibility of the customer? Choose 2 answers from the options given below. (Select 2 answers)

A) Decommissioning of old storage devices
B) Management of the Edge locations
C) Encryption of data at rest
D) Protection of data in transit



2. Your company uses AWS (Amazon Web Services) KMS to manage its customer keys. From time to time there is a requirement to delete existing keys as part of housekeeping activities. What can be done during the deletion process to verify that the key is no longer being used?

A) Use Key policies to see the access level for the keys
B) Use CloudTrail to see if any KMS API request has been issued against existing keys
C) Change the IAM policy for the keys to see if other services are using the keys
D) Rotate the keys once before deletion to see if other services are using the keys



3. A user has created a VPC with public and private subnets using the VPC wizard. The VPC has CIDR 20.0.0.0/16. The public subnet uses CIDR 20.0.1.0/24. The user is planning to host a web server in the public subnet on port 80 and a database server in the private subnet on port 3306. The user is configuring a security group for the public subnet (WebSecGrp) and the private subnet (DBSecGrp). Which of the entries below is required in the private subnet database security group DBSecGrp?

A) Allow Outbound on port 3306 for Destination Web Server Security Group WebSecGrp.
B) Allow Inbound on port 3306 from source 20.0.0.0/16
C) Allow Inbound on port 3306 for Source Web Server Security Group WebSecGrp.
D) Allow Outbound on port 80 for Destination NAT Instance IP



4. You need to create a Linux EC2 instance in AWS. Which of the following steps are used to ensure secure authentication to the EC2 instance? Choose 2 answers from the options given below. (Select 2 answers)

A) Ensure to create a strong password for logging into the EC2 Instance
B) Create a key pair using PuTTY
C) Ensure the password is passed securely using SSL
D) Use the private key to log into the instance



5. In order to encrypt data in transit for a connection to an AWS (Amazon Web Services) RDS instance, which of the following would you implement?

A) Data Keys from CloudHSM
B) Transparent data encryption
C) Data keys from AWS KMS
D) SSL from your application



1. Right Answer: C,D
Explanation: Below is a snapshot of the Shared Responsibility Model. Options A and D are incorrect since these are managed by AWS. For more information on AWS (Amazon Web Services) security best practices, please refer to the URL below: https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf

2. Right Answer: B
Explanation: The AWS (Amazon Web Services) documentation mentions the following: You can use a combination of AWS CloudTrail, Amazon CloudWatch Logs, and Amazon Simple Notification Service (Amazon SNS) to create an alarm that notifies you of AWS KMS API requests that attempt to use a customer master key (CMK) that is pending deletion. If you receive a notification from such an alarm, you might want to cancel deletion of the CMK to give yourself more time to determine whether you want to delete it. Options B and D are incorrect because neither key policies nor IAM policies can be used to check if the keys are being used. Option C is incorrect since rotation will not help you check if the keys are being used. For more information on deleting keys, please refer to the URL below: https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys-creating-cloudwatch-alarm.html

3. Right Answer: C
Explanation: Since the web server needs to talk to the database server on port 3306, the database server should allow incoming traffic on port 3306. The table below from the AWS documentation shows how the security groups should be set up. Option B is invalid because you need to allow incoming access to the database server from the WebSecGrp security group. Options C and D are invalid because you need to allow outbound traffic and not inbound traffic. For more information on security groups, please visit the link below: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html

4. Right Answer: B,D
Explanation: The AWS (Amazon Web Services) documentation mentions the following: You can use Amazon EC2 to create your key pair. Alternatively, you could use a third-party tool and then import the public key to Amazon EC2. Each key pair requires a name. Be sure to choose a name that is easy to remember. Amazon EC2 associates the public key with the name that you specify as the key name. Amazon EC2 stores the public key only, and you store the private key. Anyone who possesses your private key can decrypt your login information, so it's important that you store your private keys in a secure place. Options A and D are incorrect since you should use key pairs for secure access to EC2 instances. For more information on EC2 key pairs, please refer to the URL below: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html

5. Right Answer: D
Explanation: This is mentioned in the AWS (Amazon Web Services) documentation: You can use SSL from your application to encrypt a connection to a DB instance running MySQL, MariaDB, Amazon Aurora, SQL Server, Oracle, or PostgreSQL. Option A is incorrect since Transparent Data Encryption is used for data at rest and not in transit. Options C and D are incorrect since keys are used for encryption of data at rest. For more information on working with RDS and SSL, please refer to the URL below: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html