
AWS Certified Security - Specialty - Part 46

Mary Smith

Wed, 26 Mar 2025


1. You have enabled CloudTrail logs for your company's AWS (Amazon Web Services) account. In addition, the IT Security department has mentioned that the logs need to be encrypted. How can this be achieved? Please select one answer.

A) Enable server-side encryption for the trail
B) There is no need to do anything, since the logs will already be encrypted
C) Enable server-side encryption for the destination S3 bucket
D) Enable SSL certificates for the CloudTrail logs



2. You have a website that is sitting behind AWS CloudFront. You need to protect the website against threats such as SQL injection and cross-site scripting attacks. Which of the following services can help in such a scenario?

A) AWS Config
B) AWS WAF
C) AWS Inspector
D) AWS Trusted Advisor



3. Your company has an EC2 instance that is hosted in an AWS VPC. There is a requirement to ensure that log files from the EC2 instance are stored accordingly. Access to the destination of the log files should also be limited. How can this be accomplished? Choose 2 answers from the options given below. Each answer forms part of the solution. (Select 2 answers)

A) Stream the log files to a separate CloudTrail trail
B) Create an IAM policy that gives the desired level of access to the CloudTrail trail
C) Create an IAM policy that gives the desired level of access to the CloudWatch Logs log group
D) Stream the log files to a separate CloudWatch Logs log group



4. A security team is creating a response plan in the event an employee executes unauthorized actions on AWS infrastructure. They want to include steps to determine whether the employee's IAM permissions changed as part of the incident. What steps should the team document in the plan?

A) Use Trusted Advisor to examine the employee's IAM permissions prior to the incident and compare them to the employee's current IAM permissions.
B) Use AWS Config to examine the employee's IAM permissions prior to the incident and compare them to the employee's current IAM permissions.
C) Use CloudTrail to examine the employee's IAM permissions prior to the incident and compare them to the employee's current IAM permissions.
D) Use Macie to examine the employee's IAM permissions prior to the incident and compare them to the employee's current IAM permissions.



5. A company hosts a popular web application that connects to an Amazon RDS MySQL DB instance running in a private VPC subnet that was created with default ACL settings. The IT Security department suspects that a DDoS attack is coming from a particular IP address. How can you protect the subnets from this attack?

A) Change the inbound Security Group rules to deny access from the suspected IP
B) Change the inbound NACL to deny access from the suspected IP
C) Change the outbound Security Group rules to deny access from the suspected IP
D) Change the outbound NACL to deny access from the suspected IP



1. Right Answer: B
Explanation:

2. Right Answer: B
Explanation: The AWS documentation mentions the following: AWS WAF is a web application firewall that helps detect and block malicious web requests targeted at your web applications. AWS WAF allows you to create rules that can help protect against common web exploits like SQL injection and cross-site scripting. With AWS WAF you first identify the resource (either an Amazon CloudFront distribution or an Application Load Balancer) that you need to protect. The Trusted Advisor option is invalid because it only gives advice on how to improve the security of your AWS account; it does not protect against the threats mentioned in the question. The Inspector option is invalid because Inspector can be used to scan EC2 instances for vulnerabilities, not to protect against the threats mentioned in the question. The AWS Config option is invalid because Config can be used to check configuration changes, not to protect against the threats mentioned in the question. For more information on AWS WAF, please visit the following URL: https://aws.amazon.com/waf/details/

3. Right Answer: C,D
Explanation: You can create a log group and send all logs from the EC2 instance to that group. You can then limit access to the log group via an IAM policy. The CloudTrail options are invalid because CloudTrail is used to record API activity, not to store log files, so it is the wrong service for this requirement. For more information on access control for CloudWatch Logs, please visit the following URL: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/auth-and-access-control-cwl.html

4. Right Answer: B
Explanation: You can use the AWS Config configuration history to see the history of a particular configuration item. The snapshot below shows an example configuration for a user in AWS Config. The Trusted Advisor, CloudTrail and Macie options are all invalid because these services cannot be used to see the history of a particular configuration item. This can only be accomplished with AWS Config. For more information on tracking changes in AWS Config, please visit the following URL: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/TrackingChanges.html

5. Right Answer: B
Explanation: The Security Group options are invalid because, by default, Security Groups already block traffic that is not explicitly allowed. You can use NACLs as an additional security layer for the subnet to deny traffic. Option D is invalid since changing the inbound rules alone is sufficient. The AWS documentation mentions the following: a network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC. For more information on network access control lists, please visit the following URL: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html
