
AWS Certified Security - Specialty - Part 44

Mary Smith

Wed, 09 Jul 2025


1. You are designing a custom IAM policy that would allow users to list buckets in S3 only if they are MFA authenticated. Which of the following would best match this requirement?

A) { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:GetBucketLocation" ], "Resource": "arn:aws:s3:::*", "Condition": { "Bool": { "aws:MultiFactorAuthPresent": false } } } }
B) { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:GetBucketLocation" ], "Resource": "arn:aws:s3:::*", "Condition": { "aws:MultiFactorAuthPresent": false } } }
C) { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:GetBucketLocation" ], "Resource": "arn:aws:s3:::*", "Condition": { "aws:MultiFactorAuthPresent": true } } }
D) { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:GetBucketLocation" ], "Resource": "arn:aws:s3:::*", "Condition": { "Bool": { "aws:MultiFactorAuthPresent": true } } } }



2. An application running on EC2 instances must use a username and password to access a database. The developer has stored those secrets in the SSM Parameter Store with type SecureString using the default KMS CMK. Which combination of configuration steps will allow the application to access the secrets via the API? (Select 2 answers)

A) Add permission to use the KMS key to decrypt to the EC2 instance role
B) Add permission to read the SSM parameter to the EC2 instance role.
C) Add the SSM service role as a trusted service to the EC2 instance role.
D) Add permission to use the KMS key to decrypt to the SSM service role.
E) Add the EC2 instance role as a trusted service to the SSM service role.


3. Your company has defined privileged users for its AWS (Amazon Web Services) account. These users are administrators for key resources in the company. There is now a mandate to strengthen authentication for these users. How can this be accomplished?

A) Enable accidental deletion for these user accounts
B) Enable MFA for these user accounts
C) Disable root access for the users
D) Enable versioning for these user accounts



4. A new application will be deployed on EC2 instances in private subnets. The application will transfer sensitive data to and from an S3 bucket. Compliance requirements state that the data must not traverse the public Internet. Which solution meets the compliance requirement?

A) Access the S3 bucket through a NAT gateway.
B) Access the S3 bucket through a VPC endpoint for S3.
C) Access the S3 bucket through a proxy server.
D) Access the S3 bucket through the SSL-protected S3 endpoint.



5. You have a set of keys defined using the AWS (Amazon Web Services) KMS service. You want to stop using a couple of the keys, but you are not sure which services are currently using them. Which of the following is a safe option to prevent further use of the keys?

A) Set an alias for the key
B) Change the key material for the key
C) Disable the keys
D) Delete the keys, since there is a 7-day waiting period before deletion anyway



1. Right Answer: D
Explanation: The Condition clause can be used to ensure users can only work with resources if they are MFA authenticated. Option A is wrong because the aws:MultiFactorAuthPresent key is set to false; it must be true, meaning access is allowed only if the user has authenticated with MFA. Options B and C are invalid because the Bool operator is missing from the Condition clause: the condition key must sit under an operator such as Bool for the condition to be evaluated. For an example of such a policy, please visit the following URL: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_mfa-dates.html
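The structural difference between the four options (a condition key placed directly under Condition versus under the Bool operator, and a value of false versus true) can be checked mechanically. The script below is an added illustration written for this page, not AWS tooling or code from the original; it rebuilds the four answer-option policies as constructed samples, flags Condition blocks whose outer keys are not a recognised operator, and reports whether each Allow statement is restricted to MFA-authenticated requests. The operator list is a constructed subset of the operators IAM documents, kept short for the example.

```python
"""Structural checks on IAM policy documents (added illustration, not AWS tooling)."""
import json

# Constructed subset of IAM condition operators; the outer keys of a Condition
# block must be operator names, never condition keys like aws:MultiFactorAuthPresent.
KNOWN_OPERATORS = {
    "StringEquals", "StringNotEquals", "StringLike", "StringNotLike",
    "NumericEquals", "NumericLessThan", "DateGreaterThan", "DateLessThan",
    "Bool", "BoolIfExists", "IpAddress", "NotIpAddress", "ArnEquals", "ArnLike", "Null",
}


def statements(policy):
    """IAM accepts "Statement" as a single object or a list; normalise to a list."""
    stmt = policy.get("Statement", [])
    return stmt if isinstance(stmt, list) else [stmt]


def condition_problems(statement):
    """Return structural problems found in the statement's Condition block."""
    problems = []
    cond = statement.get("Condition", {})
    for operator, pairs in cond.items():
        if operator not in KNOWN_OPERATORS:
            problems.append(f"unknown condition operator {operator!r}")
            continue
        if not isinstance(pairs, dict):
            problems.append(f"operator {operator!r} must map condition keys to values")
            continue
        if operator in ("Bool", "BoolIfExists"):
            for key, value in pairs.items():
                if str(value).lower() not in ("true", "false"):
                    problems.append(f"{operator}/{key}: value {value!r} is not boolean")
    return problems


def requires_mfa(statement):
    """True when an Allow statement only matches MFA-authenticated requests."""
    if statement.get("Effect") != "Allow":
        return False
    cond = statement.get("Condition", {})
    for operator in ("Bool", "BoolIfExists"):
        value = cond.get(operator, {}).get("aws:MultiFactorAuthPresent")
        if value is not None and str(value).lower() == "true":
            return True
    return False


def classify(policy_json):
    """Return (status, every_allow_is_mfa_gated, problems) for one policy document."""
    policy = json.loads(policy_json)
    problems, mfa_gated = [], True
    for stmt in statements(policy):
        problems.extend(condition_problems(stmt))
        if stmt.get("Effect") == "Allow" and not requires_mfa(stmt):
            mfa_gated = False
    return ("malformed" if problems else "ok", mfa_gated, problems)


def option(condition):
    """Build one answer-option policy (constructed sample) around a Condition block."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": {
            "Effect": "Allow",
            "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
            "Resource": "arn:aws:s3:::*",
            "Condition": condition,
        },
    })


# Constructed samples mirroring the four options of question 1.
OPTIONS = {
    "A": option({"Bool": {"aws:MultiFactorAuthPresent": "false"}}),
    "B": option({"aws:MultiFactorAuthPresent": "false"}),
    "C": option({"aws:MultiFactorAuthPresent": "true"}),
    "D": option({"Bool": {"aws:MultiFactorAuthPresent": "true"}}),
}


def acceptable_options():
    """Letters whose policy is well-formed and grants access only with MFA."""
    return [k for k, v in OPTIONS.items() if classify(v)[0] == "ok" and classify(v)[1]]


if __name__ == "__main__":
    for letter, doc in OPTIONS.items():
        print(letter, classify(doc))
    print("acceptable:", acceptable_options())  # prints ['D']
```

Running the script shows options B and C rejected as malformed (no operator under Condition), option A well-formed but not MFA-gated, and only option D both well-formed and restricted to MFA-authenticated requests. Note that the check only inspects structure; it does not evaluate a request against the policy the way IAM does.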

2. Right Answer: A,B
Explanation: The example policy below, from the AWS documentation, must be attached to the EC2 instance role in order to read a SecureString parameter: the role needs permission for the SSM GetParameter API and for the KMS Decrypt API call that decrypts the secret.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "ssm:GetParameter*" ],
      "Resource": "arn:aws:ssm:us-west-2:111122223333:/parameter/ReadableParameters/*"
    },
    {
      "Effect": "Allow",
      "Action": [ "kms:Decrypt" ],
      "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    }
  ]
}

Option E is invalid because roles are attached to EC2 instances; an EC2 instance role is not added as a trusted service to the SSM service role. Option D is invalid because the SSM service role does not need permission to decrypt with the KMS key. Option C is invalid because this configuration is not required. For more information on the Parameter Store, please visit the following URL: https://docs.aws.amazon.com/kms/latest/developerguide/services-parameter-store.html

3. Right Answer: B
Explanation: The AWS documentation lists the following as a best practice for IAM users: for extra security, enable multi-factor authentication (MFA) for privileged IAM users (users who are allowed access to sensitive resources or APIs). With MFA, users have a device that generates a unique authentication code (a one-time password, or OTP). Users must provide both their normal credentials (like their user name and password) and the OTP. The MFA device can either be a special piece of hardware, or it can be a virtual device (for example, it can run in an app on a smartphone). Options A, C and D are invalid because no such security options are available in AWS. For more information on IAM best practices, please visit the following URL: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html

4. Right Answer: B
Explanation:

5. Right Answer: C
Explanation:
