
AWS Certified Security - Specialty - Part 47

Mary Smith

Mon, 15 Sep 2025


1. You have a two-tier application hosted in AWS. It consists of a web server and a database server (SQL Server) hosted on separate EC2 instances. You are devising the security groups for these EC2 instances. The web tier needs to be accessed by users across the Internet. You have created a web security group (wg-123) and a database security group (db-345). Which combination of the following security group rules will allow the application to be secure and functional? Choose 2 answers from the options given below. (Select 2 answers)

A) db-345 - Allow port 1433 from wg-123
B) wg-123 - Allow ports 80 and 443 from 0.0.0.0/0
C) db-345 - Allow ports 1433 from 0.0.0.0/0 (Incorrect)
D) wg-123 - Allow port 1433 from wg-123



2. You have a two-tier application hosted in AWS. It consists of a web server and a database server (SQL Server) hosted on separate EC2 instances. You are devising the security groups for these EC2 instances. The web tier needs to be accessed by users across the Internet. You have created a web security group (wg-123) and a database security group (db-345). Which combination of the following security group rules will allow the application to be secure and functional? Choose 2 answers from the options given below. (Select 2 answers)

A) wg-123 - Allow ports 80 and 443 from 0.0.0.0/0
B) wg-123 - Allow port 1433 from wg-123
C) db-345 - Allow ports 1433 from 0.0.0.0/0 (Incorrect)
D) db-345 - Allow port 1433 from wg-123



3. Your IT Security team has advised carrying out a penetration test on the resources in their company's AWS (Amazon Web Services) account, as part of their capability to analyze the security of the infrastructure. What should be done first in this regard?

A) Submit a request to AWS (Amazon Web Services) Support
B) Turn on VPC Flow Logs and carry out the penetration test
C) Use a custom AWS (Amazon Web Services) Marketplace solution for conducting the penetration test (Incorrect)
D) Turn on CloudTrail and carry out the penetration test



4. You have just received an email from AWS (Amazon Web Services) Support stating that your AWS (Amazon Web Services) account might have been compromised. Which of the following steps would you look to carry out immediately? Choose 3 answers from the options below. (Select 3 answers)

A) Rotate all IAM access keys
B) Change the root account password.
C) Keep all resources running to avoid disruption
D) Change the password for all IAM users.



5. A company is using CloudTrail to log all AWS (Amazon Web Services) API activity for all regions in all of its accounts. The CISO has asked that additional steps be taken to protect the integrity of the log files. What combination of steps will protect the log files from intentional or unintentional alteration? Choose 2 answers from the options given below. (Select 2 answers)

A) Create a security group that blocks all traffic except calls from the CloudTrail service. Associate the security group with all the CloudTrail destination S3 buckets.
B) Write a Lambda function that queries the Trusted Advisor CloudTrail checks. Run the function every 10 minutes.
C) Create an S3 bucket in a dedicated log account and grant the other accounts write-only access. Deliver all log files from every account to this S3 bucket.
D) Enable CloudTrail log file integrity validation.
E) Use Systems Manager Configuration Compliance to continually monitor the access policies of S3 buckets containing CloudTrail logs.


1. Right Answer: A,B
Explanation: The web security group should allow access on ports 80 and 443 for HTTP and HTTPS traffic from all users on the Internet. The database security group should only allow access on port 1433 from the web security group. Option C is invalid because this is not a valid configuration. Option D is invalid because database access should not be allowed from the Internet. For more information on security groups, please visit the URL below: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html

2. Right Answer: A,D
Explanation: The web security group should allow access on ports 80 and 443 for HTTP and HTTPS traffic from all users on the Internet. The database security group should only allow access on port 1433 from the web security group. Option C is invalid because this is not a valid configuration. Option D is invalid because database access should not be allowed from the Internet. For more information on security groups, please visit the URL below: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html

3. Right Answer: A
Explanation: This concept is given in the AWS (Amazon Web Services) documentation. Options A, B and D are all invalid because the first step is to get prior authorization from AWS (Amazon Web Services) for penetration tests. For more information on penetration testing, please visit the URL below: https://aws.amazon.com/security/penetration-testing/

4. Right Answer: A,B,D
Explanation: One of the articles from AWS (Amazon Web Services) describes what should be done in such a scenario. If you suspect that your account has been compromised, or if you have received a notification from AWS (Amazon Web Services) that the account has been compromised, perform the following tasks: change your AWS (Amazon Web Services) root account password and the passwords of any IAM users; delete or rotate all root and AWS (Amazon Web Services) Identity and Access Management (IAM) access keys; delete any resources on your account you didn't create, especially running EC2 instances, EC2 spot bids, or IAM users; and respond to any notifications you received from AWS (Amazon Web Services) Support through the AWS (Amazon Web Services) Support Center. Option C is invalid because there could be compromised instances or resources running in your environment; they should be shut down or stopped immediately. For more information on the article, please visit the URL below: https://aws.amazon.com/premiumsupport/knowledge-center/potential-account-compromise/

5. Right Answer: C,D
Explanation:
