AWS Certified Security - Specialty - Part 47

1. You have a 2 tier application hosted in AWS. It consists of a web server and database server (SQL Server) hosted on separate EC2 Instances. You are devising the security groups for these EC2 Instances. The Web tier needs to be accessed by users across the Internet. You have created a web security group(wg-123) and database security group(db-345). Which combination of the following security group rules will allow the application to be secure and functional. Choose 2 answers from the options given below.(Select 2answers)

A) db-345 - Allow port 1433 from wg-123
B) wg-123 - Allow ports 80 and 443 from 0.0.0.0/0
C) db-345 - Allow ports 1433 from 0.0.0.0/0 (Incorrect)
D) wg-123 - Allow port 1433 from wg-123



2. You have a 2 tier application hosted in AWS. It consists of a web server and database server (SQL Server) hosted on separate EC2 Instances. You are devising the security groups for these EC2 Instances. The Web tier needs to be accessed by users across the Internet. You have created a web security group(wg-123) and database security group(db-345). Which combination of the following security group rules will allow the application to be secure and functional. Choose 2 answers from the options given below.(Select 2answers)

A) wg-123 - Allow ports 80 and 443 from 0.0.0.0/0
B) wg-123 - Allow port 1433 from wg-123
C) db-345 - Allow ports 1433 from 0.0.0.0/0 (Incorrect)
D) db-345 - Allow port 1433 from wg-123



3. Your IT Security team has advised to carry out a penetration test on the resources in their company's AWS(Amazon Web Service) Account. This is as part of their capability to analyze the security of the Infrastructure. What should be done first in this regard?

A) Submit a request to AWS(Amazon Web Service) Support
B) Turn on VPC Flow Logs and carry out the penetration test
C) Use a custom AWS(Amazon Web Service) Marketplace solution for conducting the penetration test (Incorrect)
D) Turn on Cloud trail and carry out the penetration test



4. You have just received an email from AWS(Amazon Web Service) Support stating that your AWS(Amazon Web Service) account might have been compromised. Which of the following steps would you look to carry out immediately. Choose 3 answers from the options below.(Select 3answers)

A) Rotate all IAM access keys
B) Change the root account password.
C) Keep all resources running to avoid disruption
D) Change the password for all IAM users.



5. A company is using Cloud Trail to log all AWS(Amazon Web Service) API activity for all regions in all of its accounts. The CISO has asked that additional steps be taken to protect the Integrity of the log files. What combination of steps will protect the log files from intentional or unintentional alteration? Choose 2 answers from the options given below Please select?(Select 2answers)

A) Create a Security Group that blocks all traffic except calls from the Cloud Trail service. Associate the security group with all the Cloud Trail destination S3 buckets.
B) Write a Lambda function that queries the Trusted Advisor Cloud Trail checks. Run the function every 10 minutes.
C) Create an S3 bucket In a dedicated log account and grant the other accounts write only access. Deliver all log files from every account t this S3 bucket.
D) Enable Cloud Trail log file integrity validation ,
E) Use Systems Manager Configuration Compliance to continually monitor the access policies of S3 buckets containing Cloud Trail logs.