
AWS Certified Security - Specialty - Part 49

Mary Smith

Wed, 26 Mar 2025


1. Your IT Security department has mandated that all data on EBS volumes created for underlying EC2 instances needs to be encrypted. Which of the following can help achieve this?

A) AWS KMS API
B) API Gateway with STS
C) IAM Access Key
D) AWS Certificate Manager



2. A company is hosting a website that must be accessible to users for HTTPS traffic. Port 22 should also be open for administrative purposes. Which of the following security group configurations are the MOST secure but still functional to support these requirements? Choose 2 answers from the options given below. (Select 2 answers)

A) Port 22 coming from 10.0.0.0/16
B) Port 22 coming from 0.0.0.0/0
C) Port 443 coming from 10.0.0.0/16
D) Port 443 coming from 0.0.0.0/0



3. Your company has a set of resources defined in the AWS (Amazon Web Services) Cloud. Their IT audit department has requested a list of the resources that have been defined across the account. How can this be achieved in the easiest manner?

A) Create a bash shell script with the AWS CLI. Query for all resources in all regions. Store the results in an S3 bucket.
B) Use AWS Config to get the list of all resources
C) Create a PowerShell script using the AWS CLI. Query for all resources with the tag of production.
D) Use CloudTrail to get the list of all resources



4. You need to ensure that objects in an S3 bucket are available in another region, because of the criticality of the data hosted in the S3 bucket. How can you achieve this in the easiest way possible?

A) Enable versioning which will copy the objects to the destination region
B) Write a script to copy the objects to another bucket in the destination region
C) Enable cross region replication for the bucket
D) Create an S3 snapshot in the destination region



5. Your company has a requirement to monitor all root user activity. How can this best be achieved? Choose 2 answers from the options given below. Each answer forms part of the solution. (Select 2 answers)

A) Create a CloudWatch Logs rule
B) Use a CloudTrail API call
C) Create a CloudWatch Events rule
D) Use a Lambda function



1. Right Answer: A
Explanation: The AWS documentation says the following about AWS KMS: "AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data. AWS KMS is integrated with other AWS services including Amazon Elastic Block Store (Amazon EBS), Amazon Simple Storage Service (Amazon S3), Amazon Redshift, Amazon Elastic Transcoder, Amazon WorkMail, Amazon Relational Database Service (Amazon RDS), and others to make it simple to encrypt your data with encryption keys that you manage."
Option B is incorrect: AWS Certificate Manager can be used to generate SSL certificates that encrypt traffic in transit, but not data at rest.
Option C is incorrect: this is again used for issuing tokens when using API Gateway, for traffic in transit.
Option D is used for secure access to EC2 instances.
For more information on AWS KMS, please visit the following URL: https://docs.aws.amazon.com/kms/latest/developerguide/overview.html

2. Right Answer: A,D
Explanation: Since HTTPS traffic is required for all users on the Internet, port 443 should be open to all IP addresses. For port 22, the traffic should be restricted to an internal subnet.
Option B is invalid because it only allows traffic from a particular CIDR block and not from the Internet.
Option C is invalid because allowing port 22 from the Internet is a security risk.
For more information on AWS Security Groups, please visit the following URL: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html

3. Right Answer: B
Explanation: The most feasible option is to use AWS Config. When you turn on AWS Config, you get a list of the resources defined in your AWS account. A sample snapshot of the resources dashboard in AWS Config is shown below.
Option A is incorrect because this would give the list of production-based resources and not all resources.
Option B is partially correct, but it would just add more maintenance overhead.
Option C is incorrect because it can be used to log API activities but not to give an account of all resources.
For more information on AWS Config, please visit the URL below: https://docs.aws.amazon.com/config/latest/developerguide/how-does-config-work.html

4. Right Answer: C
Explanation:

5. Right Answer: C,D
Explanation: Below is a snippet from the AWS blogs on a solution.
Option B is invalid because you need to create a CloudWatch Events rule, and there is no such thing as a CloudWatch Logs rule.
Option D is invalid because CloudTrail API calls can be recorded but cannot be used to send notifications.
For more information on this blog article, please visit the following URL: https://aws.amazon.com/blogs/mt/monitor-and-notify-on-aws-account-root-user-activity/
