1. You have set up a set of applications across 2 VPCs. You have also set up VPC Peering. The applications are still not able to communicate across the Peering connection. Which network troubleshooting steps should be taken to resolve the issue? Please select:
A) Ensure the applications are hosted in a public subnet
B) Check to see if the VPC has an Internet gateway attached.
C) Check to see if the VPC has a NAT gateway attached
D) Check the Route tables for the VPCs
2. You are devising a policy to allow users to access objects in a bucket called appbucket. You define the custom bucket policy below:
{
  'ID': 'Policy1502987489630',
  'Version': '2012-10-17',
  'Statement': [
    {
      'Sid': 'Stmt1502987487640',
      'Action': ['s3:GetObject', 's3:GetObjectVersion'],
      'Effect': 'Allow',
      'Resource': 'arn:aws:s3:::appbucket',
      'Principal': '*'
    }
  ]
}
But when you try to apply the policy, you get the error 'Action does not apply to any resource(s) in statement'. What should be done to rectify the error?
A) Verify that the policy has the same name as the bucket name. If not, make it the same.
B) Change the IAM permissions by applying PutBucketPolicy permissions.
C) Create the bucket 'appbucket' and then apply the policy. (Incorrect)
D) Change the Resource section to 'arn:aws:s3:::appbucket/*'.
3. Your company has mandated that all calls to the AWS (Amazon Web Services) KMS service be recorded. How can this be achieved?
A) Use CloudWatch metrics (Incorrect)
B) Enable a trail in CloudTrail
C) Enable logging on the KMS service
D) Enable CloudWatch logs
4. A security team is creating a response plan in the event an employee executes unauthorized actions on AWS (Amazon Web Services) infrastructure. They want to include steps to determine if the employee's IAM permissions changed as part of the incident. What steps should the team document in the plan?
A) Use Trusted Advisor to examine the employee's IAM permissions prior to the incident and compare them to the employee's current IAM permissions.
B) Use Macie to examine the employee's IAM permissions prior to the incident and compare them to the employee's current IAM permissions.
C) Use CloudTrail to examine the employee's IAM permissions prior to the incident and compare them to the employee's current IAM permissions.
D) Use AWS (Amazon Web Services) Config to examine the employee's IAM permissions prior to the incident and compare them to the employee's current IAM permissions.
5. You have an instance set up in a test environment in AWS. You installed the required application and then promoted the server to a production environment. Your IT Security team has advised that there may be traffic flowing in from an unknown IP address to port 22. How can this be mitigated immediately?
A) Remove the rule for incoming traffic on port 22 for the Security Group
B) Shut down the instance
C) Change the AMI for the instance
D) Change the Instance type for the Instance