Published - Fri, 03 Mar 2023

AWS Certified Security - Specialty - Part 43


1. An application running on EC2 instances must use a username and password to access a database. The developer has stored those secrets in the SSM Parameter Store with type SecureString using the default KMS CMK. Which combination of configuration steps will allow the application to access the secrets via the API? (Select 2 answers.)

A) Add the SSM service role as a trusted service to the EC2 instance role.
B) Add permission to use the KMS key to decrypt to the EC2 instance role.
C) Add permission to use the KMS key to decrypt to the SSM service role.
D) Add permission to read the SSM parameter to the EC2 instance role.
E) Add the EC2 instance role as a trusted service to the SSM service role.


2. A security team must present a daily briefing to the CISO that includes a report of which of the company's thousands of EC2 instances and on-premises servers are missing the latest security patches. All instances/servers must be brought into compliance within 24 hours so they do not show up on the next day's report. How can the security team fulfill these requirements?

A) Use Systems Manager Patch Manager to generate the report of out-of-compliance instances/servers. Use Systems Manager Patch Manager to install the missing patches.
B) Use Systems Manager Patch Manager to generate the report of out-of-compliance instances/servers. Redeploy all out-of-compliance instances/servers using an AMI with the latest patches. (Incorrect)
C) Use Trusted Advisor to generate the report of out-of-compliance instances/servers. Use Systems Manager Patch Manager to install the missing patches.
D) Use Amazon QuickSight and CloudTrail to generate the report of out-of-compliance instances/servers. Redeploy all out-of-compliance instances/servers using an AMI with the latest patches.



3. You are devising a policy to allow users to access objects in a bucket called appbucket. You define the custom bucket policy below:

{
  "ID": "Policy1502987489630",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1502987487640",
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::appbucket",
      "Principal": "*"
    }
  ]
}

But when you try to apply the policy you get the error 'Action does not apply to any resource(s) in statement'. What should be done to rectify the error?

A) Change the Resource section to 'arn:aws:s3:::appbucket/*'.
B) Change the IAM permissions by applying PutBucketPolicy permissions.
C) Create the bucket 'appbucket' and then apply the policy. (Incorrect)
D) Verify that the policy has the same name as the bucket name. If not, make it the same.



4. A company wants to have an intrusion detection system available for their VPC in AWS. They want to have complete control over the system. Which of the following would be ideal to implement?

A) Use AWS CloudWatch to monitor all traffic (Incorrect)
B) Use a custom solution available in the AWS Marketplace
C) Use VPC Flow Logs to detect the issues and flag them accordingly.
D) Use AWS WAF to catch all intrusions occurring on the systems in the VPC



5. You have an instance set up in a test environment in AWS. You installed the required application and then promoted the server to a production environment. Your IT Security team has advised that there may be traffic flowing in from an unknown IP address to port 22. How can this be mitigated immediately?

A) Change the Instance type for the Instance (Incorrect)
B) Change the AMI for the instance
C) Shut down the instance
D) Remove the rule for incoming traffic on port 22 for the Security Group



1. Right Answer: B,D
Explanation: The example policy below, from the AWS documentation, must be given to the EC2 instance in order to read a secure string from AWS KMS. Permissions need to be given for the GetParameter API call and for the KMS API call that decrypts the secret.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ssm:GetParameter*"],
      "Resource": "arn:aws:ssm:us-west-2:111122223333:parameter/ReadableParameters/*"
    },
    {
      "Effect": "Allow",
      "Action": ["kms:Decrypt"],
      "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    }
  ]
}

Option A is invalid because roles can be attached to EC2 and not EC2 roles to SSM. Option B is invalid because the KMS key does not need to decrypt the SSM service role. Option E is invalid because this configuration is valid. For more information on the Parameter Store, please visit the URL below: https://docs.aws.amazon.com/kms/latest/developerguide/services-parameter-store.html

2. Right Answer: A
Explanation: Use Systems Manager Patch Manager to generate the report and also to install the missing patches. The AWS documentation mentions the following: AWS Systems Manager Patch Manager automates the process of patching managed instances with security-related updates. For Linux-based instances, you can also install patches for non-security updates. You can patch fleets of Amazon EC2 instances or your on-premises servers and virtual machines (VMs) by operating system type. This includes supported versions of Windows, Ubuntu Server, Red Hat Enterprise Linux (RHEL), SUSE Linux Enterprise Server (SLES), and Amazon Linux. You can scan instances to see only a report of missing patches, or you can scan and automatically install all missing patches. Option A is invalid because Amazon QuickSight and CloudTrail cannot be used to generate the list of servers that don't meet compliance needs. Option C is wrong because deploying instances via new AMIs would impact the applications hosted on these servers. Option D is invalid because Amazon Trusted Advisor cannot be used to generate the list of servers that don't meet compliance needs. For more information on AWS Patch Manager, please visit the URL below: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-patch.html

3. Right Answer: A
Explanation: When you define access to objects in a bucket, you need to specify which objects in the bucket the access applies to. In this case, the * can be used to assign the permission to all objects in the bucket. Option A is invalid because the right permissions are already provided as per the question requirement. Option B is invalid because it is not necessary that the policy has the same name as the bucket. Option D is invalid because this should be the default flow for applying the policy. For more information on bucket policies, please visit the URL below: https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
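
The check behind the error in question 3 can be approximated offline before a policy is applied. The following is an added example, not part of the original quiz and not AWS's own validation code; the action lists are a constructed subset, action wildcards are not handled, and the function names are hypothetical.

```python
import json

# Constructed subset of S3 actions, grouped by the resource type each applies to.
OBJECT_ACTIONS = {"s3:GetObject", "s3:GetObjectVersion", "s3:PutObject"}
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation"}

def as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def resource_kind(arn):
    """'object' for arn:aws:s3:::bucket/key patterns, 'bucket' for a bare bucket ARN."""
    prefix = "arn:aws:s3:::"
    if not arn.startswith(prefix):
        return "other"
    return "object" if "/" in arn[len(prefix):] else "bucket"

def unmatched_actions(statement):
    """Actions in the statement that apply to none of its Resource entries."""
    kinds = {resource_kind(r) for r in as_list(statement["Resource"])}
    bad = []
    for action in as_list(statement["Action"]):
        needed = ("object" if action in OBJECT_ACTIONS
                  else "bucket" if action in BUCKET_ACTIONS else None)
        if needed and needed not in kinds:
            bad.append(action)
    return bad

def check_policy(policy_json):
    """Map each failing statement's Sid to the actions that match no resource."""
    findings = {}
    for i, stmt in enumerate(as_list(json.loads(policy_json)["Statement"])):
        bad = unmatched_actions(stmt)
        if bad:
            findings[stmt.get("Sid", f"statement[{i}]")] = bad
    return findings

def make_policy(resource):
    """The question's statement (trimmed to the fields checked) with a given Resource."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "Stmt1502987487640", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:GetObjectVersion"], "Resource": resource}]})

if __name__ == "__main__":
    print(check_policy(make_policy("arn:aws:s3:::appbucket")))    # as in the question
    print(check_policy(make_policy("arn:aws:s3:::appbucket/*")))  # corrected Resource
```

A statement that mixes bucket-level and object-level actions needs both ARN forms in Resource, which the same check reports when one is missing.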

4. Right Answer: B
Explanation: Sometimes companies want to have custom solutions in place for monitoring intrusions to their systems. In such a case, you can use the AWS Marketplace to look for custom solutions. Options A, C and D are all invalid because they cannot be used to conduct intrusion detection or prevention. For more information on using custom security solutions, please visit the URL below: https://d1.awsstatic.com/Marketplace/security/AWSMP_Security_Solution%20Overview.pdf

5. Right Answer: D
Explanation: In the test environment, the security groups might have been opened to all IP addresses for testing purposes. Always make sure to remove this rule once all testing is completed. Options A, C and D are all invalid because they would affect the application running on the server. The easiest way is just to remove the rule for access on port 22. For more information on authorizing access to an instance, please visit the URL below: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
