AWS Certified Security - Specialty - Part 41

Mary Smith

Thu, 19 Jun 2025

1. You have just set up a web and database tier in a VPC and hosted the application. When testing the application, you are not able to reach the home page for the app. You have verified the security groups. What can help you diagnose the issue?

A) Use VPC Flow Logs to diagnose the traffic
B) Use AWS Trusted Advisor to see what can be done.
C) Use AWS WAF to analyze the traffic
D) Use AWS GuardDuty to analyze the traffic

2. An application running on EC2 instances in a VPC must call an external web service via TLS (port 443). The instances run in public subnets. Which configuration below allows the application to function and minimizes the exposure of the instances? Select one answer from the options given below.

A) A security group with a rule that allows outgoing traffic on port 443
B) A security group with rules that allow outgoing traffic on port 443 and incoming traffic on ephemeral ports.
C) A security group with rules that allow outgoing traffic on port 443 and incoming traffic on port 443.
D) A network ACL with rules that allow outgoing traffic on port 443 and incoming traffic on port 443
E) A network ACL with a rule that allows outgoing traffic on port 443.
F) A network ACL with rules that allow outgoing traffic on port 443 and incoming traffic on ephemeral ports

3. A company is using CloudTrail to log all AWS API activity for all regions in all of its accounts. The CISO has asked that additional steps be taken to protect the integrity of the log files. What combination of steps will protect the log files from intentional or unintentional alteration? Choose 2 answers from the options given below.

A) Create an S3 bucket in a dedicated log account and grant the other accounts write-only access. Deliver all log files from every account to this S3 bucket.
B) Use Systems Manager Configuration Compliance to continually monitor the access policies of S3 buckets containing CloudTrail logs.
C) Create a security group that blocks all traffic except calls from the CloudTrail service. Associate the security group with all the CloudTrail destination S3 buckets.
D) Write a Lambda function that queries the Trusted Advisor CloudTrail checks. Run the function every 10 minutes.
E) Enable CloudTrail log file integrity validation.

4. Your development team has started using AWS resources for development purposes. The AWS account has just been created. Your IT security team is worried about possible leakage of AWS keys. What is the first measure that should be taken to protect the AWS account?

A) Create IAM groups
B) Restrict access using IAM policies
C) Create IAM roles
D) Delete the AWS keys for the root account

5. A Lambda function reads metadata from an S3 object and stores the metadata in a DynamoDB table. The function is triggered whenever an object is stored within the S3 bucket. How should the Lambda function be given access to the DynamoDB table?

A) Create an IAM user with permissions to write to the DynamoDB table. Store an access key for that user in the Lambda environment variables.
B) Create an IAM service role with permissions to write to the DynamoDB table. Associate that role with the Lambda function.
C) Create a resource policy that grants the Lambda function permissions to write to the DynamoDB table. Attach the policy to the DynamoDB table.
D) Create a VPC endpoint for DynamoDB within a VPC. Configure the Lambda function to access resources in the VPC.

1. Right Answer: A
Explanation: Option A is invalid because this can be used to check for security issues in your account, but not to verify why you cannot reach the home page for your application. Option C is invalid because this is used to protect your app against application-layer attacks, not to verify why you cannot reach the home page for your application. Option D is invalid because this is used to protect your instance against attacks, not to verify why you cannot reach the home page for your application.

The AWS documentation mentions the following: VPC Flow Logs capture network flow information for a VPC, subnet, or network interface and store it in Amazon CloudWatch Logs. Flow log data can help customers troubleshoot network issues; for example, to diagnose why specific traffic is not reaching an instance, which might be a result of overly restrictive security group rules. Customers can also use flow logs as a security tool to monitor the traffic that reaches their instances, to profile network traffic, and to look for abnormal traffic behaviours.

For more information on AWS security, please visit the following URL: https://aws.amazon.com/answers/networking/vpc-security-capabilities/
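The diagnosis the explanation describes, as an added example that is not part of the original page or of any AWS tooling: a small parser for the default VPC Flow Logs record format that counts REJECT records per destination port on the web tier's network interface. The account id, ENI id, addresses and log lines are constructed for illustration; a practitioner would feed it records exported from CloudWatch Logs for the instance's ENI instead.

```python
"""Summarize REJECT records in VPC Flow Logs to see where traffic is dropped.

Added example, not code from the page or from AWS. It parses the default
(version 2) flow log record format, whose fields are, in order:
version account-id interface-id srcaddr dstaddr srcport dstport protocol
packets bytes start end action log-status
The log lines, account id and ENI id below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# Constructed sample: the web tier ENI belongs to 10.0.1.25. A client on
# 203.0.113.10 is trying to reach port 80 and being rejected, while the
# instance's own connection to the database tier on 3306 is accepted.
SAMPLE_LOG = [
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.10 10.0.1.25 51522 80 6 4 240 1718800000 1718800060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.10 10.0.1.25 51523 80 6 4 240 1718800000 1718800060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.25 10.0.2.40 43210 3306 6 12 1800 1718800000 1718800060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.25 40001 22 6 1 60 1718800000 1718800060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1718800000 1718800060 - NODATA",
]


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int   # IANA protocol number: 6 = TCP, 17 = UDP
    action: str     # ACCEPT or REJECT


def parse_record(line):
    """Parse one default-format record. Returns None for NODATA/SKIPDATA
    records, which carry '-' in the traffic fields and describe no flow."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    return FlowRecord(
        interface_id=rec["interface_id"],
        srcaddr=rec["srcaddr"],
        dstaddr=rec["dstaddr"],
        srcport=int(rec["srcport"]),
        dstport=int(rec["dstport"]),
        protocol=int(rec["protocol"]),
        action=rec["action"],
    )


def rejected_by_port(lines, interface_id=None):
    """Count REJECT records per (destination port, protocol), optionally for one ENI."""
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec.action != "REJECT":
            continue
        if interface_id is not None and rec.interface_id != interface_id:
            continue
        counts[(rec.dstport, rec.protocol)] += 1
    return counts


def diagnose(lines, interface_id, expected_port, protocol=6):
    """Report whether flows to the port the application listens on are being
    rejected at the given ENI. Flow logs record a REJECT whether the security
    group or the subnet network ACL dropped the packet, so a non-zero count
    with the security group already verified points at the network ACL."""
    rejects = rejected_by_port(lines, interface_id)
    return {
        "interface_id": interface_id,
        "port": expected_port,
        "rejected_flows": rejects.get((expected_port, protocol), 0),
        "other_rejected_ports": sorted(p for (p, _proto) in rejects if p != expected_port),
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, "eni-0a1b2c3d4e5f6a7b8", 80))
```

On the constructed sample the report shows two rejected TCP flows to port 80 on the web tier's ENI, which is the symptom the question describes, plus an unrelated rejected SSH probe on port 22 that a reviewer would expect to see blocked.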

2. Right Answer: F
Explanation:

3. Right Answer: A,E
Explanation: The AWS documentation mentions the following: To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, you can use CloudTrail log file integrity validation. This feature is built using industry-standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection.

Option B is invalid because there is no such thing as Trusted Advisor CloudTrail checks. Option D is invalid because Systems Manager cannot be used for this purpose. Option E is invalid because security groups cannot be used to block calls from other services.

For more information on CloudTrail log file validation, please visit the below URL: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html
For more information on delivering CloudTrail logs from multiple accounts, please visit the below URL: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html
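The hashing half of the integrity validation mechanism, as an added example that is not part of the original page or of AWS's own tooling. The supported check is `aws cloudtrail validate-logs`, which additionally verifies each digest's RSA signature with the CloudTrail public key; that step is assumed to have been done already and is omitted here, because the Python standard library has no RSA. The example shows what remains: every delivered log object's SHA-256 must match the hashValue the digest recorded for it, and each digest records the SHA-256 of the previous digest, so tampering with, deleting or reordering files is detectable. The log contents, object keys, bucket name, account id and digest are all constructed.

```python
"""Check CloudTrail log objects against a CloudTrail digest file.

Added example, not code from the page or from AWS. The digest's RSA
signature is assumed to have been verified separately (for example by
`aws cloudtrail validate-logs`); this covers the SHA-256 checks only.
All log content, keys and the digest below are constructed.
"""
import gzip
import hashlib
import json

PREFIX = "AWSLogs/123456789012/CloudTrail/us-east-1/2025/06/19/"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_digest(digest, objects, previous_digest_bytes=None):
    """Compare the objects a digest covers with the bytes actually stored.

    digest: parsed digest JSON; objects: dict of S3 key -> object bytes as
    stored (gzipped); previous_digest_bytes: the prior digest file, if any.
    Returns a list of (key, status) with status one of valid, modified,
    missing or unsupported-hash, then one ("previous-digest", chain-status)
    entry when the digest references a predecessor.
    """
    results = []
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        if entry["hashAlgorithm"] != "SHA-256":
            results.append((key, "unsupported-hash"))
            continue
        data = objects.get(key)
        if data is None:
            results.append((key, "missing"))        # deleted after delivery
        elif sha256_hex(data) == entry["hashValue"]:
            results.append((key, "valid"))
        else:
            results.append((key, "modified"))       # bytes changed after delivery
    if digest.get("previousDigestHashValue"):
        if previous_digest_bytes is None:
            chain = "previous-digest-missing"
        elif sha256_hex(previous_digest_bytes) == digest["previousDigestHashValue"]:
            chain = "chain-ok"
        else:
            chain = "chain-broken"
        results.append(("previous-digest", chain))
    return results


def sample_case():
    """Build a constructed digest covering two gzipped log objects, chained
    to a constructed (empty) previous digest."""
    logs = {
        PREFIX + "123456789012_CloudTrail_us-east-1_20250619T1200Z_aaaa.json.gz":
            gzip.compress(b'{"Records":[{"eventName":"ConsoleLogin"}]}', mtime=0),
        PREFIX + "123456789012_CloudTrail_us-east-1_20250619T1205Z_bbbb.json.gz":
            gzip.compress(b'{"Records":[{"eventName":"StopLogging"}]}', mtime=0),
    }
    previous_digest = json.dumps({"logFiles": []}).encode()
    digest = {
        "awsAccountId": "123456789012",
        "digestS3Bucket": "example-cloudtrail-logs",
        "previousDigestHashAlgorithm": "SHA-256",
        "previousDigestHashValue": sha256_hex(previous_digest),
        "logFiles": [
            {"s3Bucket": "example-cloudtrail-logs", "s3Object": key,
             "hashAlgorithm": "SHA-256", "hashValue": sha256_hex(data)}
            for key, data in logs.items()
        ],
    }
    return digest, logs, previous_digest


def tampered_copy(objects):
    """Simulate alteration after delivery: rewrite the second log object to
    hide an event and delete the first one outright."""
    keys = sorted(objects)
    altered = dict(objects)
    altered[keys[1]] = gzip.compress(b'{"Records":[]}', mtime=0)
    del altered[keys[0]]
    return altered


if __name__ == "__main__":
    digest, objects, prev = sample_case()
    print(verify_digest(digest, objects, prev))
    print(verify_digest(digest, tampered_copy(objects), prev))
```

The two runs at the bottom show the untouched set reporting valid, valid, chain-ok, and the tampered set reporting one missing and one modified object. An attacker who also rewrites the digest to match would still be caught by the signature check this example leaves to the CLI, which is why the digest signature, not the hash list alone, carries the integrity guarantee.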

4. Right Answer: A
Explanation:

5. Right Answer: B
Explanation: The ideal way is to create an IAM role which has the required permissions and then associate it with the Lambda function.

The AWS documentation additionally mentions the following: Each Lambda function has an IAM role (execution role) associated with it. You specify the IAM role when you create your Lambda function. Permissions you grant to this role determine what AWS Lambda can do when it assumes the role. There are two types of permissions that you grant to the IAM role:
- If your Lambda function code accesses other AWS resources, such as to read an object from an S3 bucket or write logs to CloudWatch Logs, you need to grant permissions for the relevant Amazon S3 and CloudWatch actions to the role.
- If the event source is stream-based (Amazon Kinesis Data Streams and DynamoDB Streams), AWS Lambda polls these streams on your behalf. AWS Lambda needs permissions to poll the stream and read new records on the stream, so you need to grant the relevant permissions to this role.

Option A is invalid because the VPC endpoint allows instances in a private subnet to access DynamoDB. Option B is invalid because resource policies are present for resources such as S3 and KMS, but not AWS Lambda. Option C is invalid because AWS roles should be used and not IAM users.

For more information on the Lambda permission model, please visit the below URL: https://docs.aws.amazon.com/lambda/latest/dg/intro-permission-model.html
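What the execution role from the explanation looks like in practice, as an added example that is not part of the original page or of AWS's documentation: the trust policy that lets only the Lambda service assume the role, a broad permissions policy that would make the function work but over-grants, the scoped policy that should replace it, and a small checker that flags wildcard and unneeded grants. Account id, region, table, bucket and function names are placeholders.

```python
"""Least-privilege execution role for an S3-triggered Lambda that writes to
DynamoDB, beside the broad policy it replaces, with a checker for the
grants a reviewer would reject.

Added example, not code from the page or from AWS. Account id, region,
table, bucket and function names are placeholders.
"""
import json

ACCOUNT = "123456789012"
REGION = "us-east-1"
FUNCTION = "s3-metadata-indexer"
TABLE_ARN = f"arn:aws:dynamodb:{REGION}:{ACCOUNT}:table/ObjectMetadata"
BUCKET_ARN = "arn:aws:s3:::example-upload-bucket"

# Trust policy: only the Lambda service may assume the execution role, so the
# function needs no long-lived access keys (why option B beats option A).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Broad permissions policy: the function works, but a bug or compromise in it
# can read or delete every table and bucket in the account.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["dynamodb:*", "s3:*"], "Resource": "*"},
    ],
}

# Scoped permissions policy: exactly the actions the function performs, on
# exactly the resources it touches. Permission for S3 to invoke the function
# lives in the function's resource-based policy, not in this role.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["dynamodb:PutItem"], "Resource": TABLE_ARN},
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": f"{BUCKET_ARN}/*"},
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:/aws/lambda/{FUNCTION}:*"},
    ],
}

# The allowlist the checker uses: everything the function actually calls.
NEEDED_ACTIONS = {
    "dynamodb:PutItem", "s3:GetObject",
    "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def find_broad_grants(policy, needed_actions):
    """Return (statement index, finding) pairs for Allow statements that use
    wildcard actions, wildcard resources, NotAction, or actions the function
    does not need. An empty list means the policy passes."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append((i, "NotAction allows everything except the listed actions"))
        actions = _as_list(stmt.get("Action", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append((i, f"wildcard action {action}"))
            elif action not in needed_actions:
                findings.append((i, f"action {action} is not needed by the function"))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append((i, f"wildcard resource for {actions}"))
    return findings


def policy_json(policy):
    """Serialize a policy document the way it is passed to IAM."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(policy_json(TRUST_POLICY))
    print(policy_json(SCOPED_POLICY))
    for index, finding in find_broad_grants(BROAD_POLICY, NEEDED_ACTIONS):
        print(f"statement {index}: {finding}")
```

Run against BROAD_POLICY the checker reports two wildcard actions and one wildcard resource; SCOPED_POLICY produces no findings. The same checker is useful as a pre-deployment gate in a pipeline, where the allowlist is maintained alongside the function code so a new permission has to be justified in review.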
