
AWS Certified Security - Specialty - Part 53

Mary Smith

Wed, 26 Mar 2025


1. A Lambda function reads metadata from an S3 object and stores the metadata in a DynamoDB table. The function is triggered whenever an object is stored within the S3 bucket. How should the Lambda function be given access to the DynamoDB table?

A) Create a resource policy that grants the Lambda function permissions to write to the DynamoDB table. Attach the policy to the DynamoDB table.
B) Create a VPC endpoint for DynamoDB within a VPC. Configure the Lambda function to access resources in the VPC.
C) Create an IAM user with permissions to write to the DynamoDB table. Store an access key for that user in the Lambda environment variables.
D) Create an IAM service role with permissions to write to the DynamoDB table. Associate that role with the Lambda function.



2. Your company is planning on hosting an internal network in AWS. They want machines in the VPC to authenticate using private certificates, and they want to minimize the work and maintenance involved in working with certificates. What is the ideal way to fulfil this requirement?

A) Consider using AWS access keys to generate the certificates
B) Consider using AWS Certificate Manager
C) Consider using Windows Server 2016 Certificate Manager
D) Consider using AWS Trusted Advisor for managing the certificates



3. When you enable automatic key rotation for an existing CMK whose backing key is managed by AWS, after how long is the key rotated?

A) After 128 days
B) After 3 years
C) After 365 days
D) After 30 days



4. You are hosting a web site via static website hosting on an S3 bucket, http://demo.s3-website-us-east-1.amazonaws.com. Some of your web pages use JavaScript that accesses resources in another bucket which also has website hosting enabled. But when users access the web pages, they get a blocked JavaScript error. How can you rectify this?

A) Enable MFA for the bucket
B) Enable versioning for the bucket
C) Enable CORS for the bucket
D) Enable CRR for the bucket



5. A company wants to use CloudTrail to log all API activity. They want to segregate the logging of data events and management events. How can this be achieved? (Choose two answers.)

A) Create another CloudTrail log group for management events
B) Create one CloudTrail log group for data events
C) Create another trail that logs management events to another S3 bucket
D) Create one trail that logs data events to an S3 bucket



1. Right Answer: D
Explanation: The ideal way is to create an IAM role that has the required permissions and then associate it with the Lambda function. The AWS documentation additionally mentions the following: each Lambda function has an IAM role (execution role) associated with it. You specify the IAM role when you create your Lambda function. Permissions you grant to this role determine what AWS Lambda can do when it assumes the role. There are two types of permissions that you grant to the IAM role:

- If your Lambda function code accesses other AWS resources, such as to read an object from an S3 bucket or write logs to CloudWatch Logs, you need to grant permissions for the relevant Amazon S3 and CloudWatch actions to the role.
- If the event source is stream-based (Amazon Kinesis Data Streams and DynamoDB Streams), AWS Lambda polls these streams on your behalf. AWS Lambda needs permissions to poll the stream and read new records on the stream, so you need to grant the relevant permissions to this role.

Option A is invalid because resource policies exist for resources such as S3 and KMS, but not for AWS Lambda. Option B is invalid because a VPC endpoint only allows instances in a private subnet to reach DynamoDB over the network; it does not grant the function any permissions. Option C is invalid because IAM roles should be used, not IAM users with long-lived access keys.

For more information on the Lambda permission model, please visit https://docs.aws.amazon.com/lambda/latest/dg/intro-permission-model.html
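The execution-role pattern from option D, written out as an added CloudFormation example (not from the page or from AWS documentation). The bucket, table, deployment bucket, region and account id are assumed placeholder values; the S3 event notification and the AWS::Lambda::Permission that lets S3 invoke the function are not shown.

```yaml
# Added example: least-privilege execution role for the Lambda function in
# question 1. Assumed names: source bucket "example-source-bucket", table
# "ObjectMetadata", region us-east-1, account id 111122223333 (placeholder).
Resources:
  MetadataFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: only the Lambda service may assume this role.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: ObjectMetadataToDynamoDB
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Read the triggering object's metadata (HeadObject is authorised by s3:GetObject).
              - Sid: ReadSourceObject
                Effect: Allow
                Action: s3:GetObject
                Resource: arn:aws:s3:::example-source-bucket/*
              # Write only, scoped to the one table: no Scan, Query or DeleteItem.
              - Sid: WriteMetadataTable
                Effect: Allow
                Action: dynamodb:PutItem
                Resource: arn:aws:dynamodb:us-east-1:111122223333:table/ObjectMetadata
              # Standard function logging to CloudWatch Logs.
              - Sid: FunctionLogs
                Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: arn:aws:logs:us-east-1:111122223333:log-group:/aws/lambda/*
  MetadataFunction:
    Type: AWS::Lambda::Function
    Properties:
      # The function receives short-lived credentials for this role at runtime;
      # nothing like option C's static access key ever lands in an environment variable.
      Role: !GetAtt MetadataFunctionRole.Arn
      Runtime: python3.12
      Handler: index.handler
      Code:
        S3Bucket: example-deploy-bucket   # assumed deployment artifact location
        S3Key: metadata-function.zip
```

A useful check after deployment is to confirm in CloudTrail that the DynamoDB PutItem calls are made by the assumed-role session of MetadataFunctionRole and by no IAM user.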

2. Right Answer: B
Explanation: The AWS documentation mentions the following: ACM is tightly linked with AWS Certificate Manager Private Certificate Authority. You can use ACM PCA to create a private certificate authority (CA) and then use ACM to issue private certificates. These are SSL/TLS X.509 certificates that identify users, computers, applications, services, servers, and other devices internally. Private certificates cannot be publicly trusted.

Option C is partially invalid: Windows Server 2016 Certificate Manager can be used, but since there is a requirement to minimize the work and maintenance, AWS Certificate Manager should be used. Options A and D are invalid because these cannot be used for managing certificates.

For more information on ACM, please visit https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html

3. Right Answer: C
Explanation: The AWS documentation states the following: automatic key rotation is disabled by default on customer managed CMKs. When you enable (or re-enable) key rotation, AWS KMS automatically rotates the CMK 365 days after the enable date and every 365 days thereafter. Options A, B and D are invalid because the rotation period is 365 days.

For more information on key rotation, please visit https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html

4. Right Answer: C
Explanation: Such a scenario is also given in the AWS documentation. Option A is invalid because MFA is used as an extra measure of caution for the deletion of objects. Option B is invalid because versioning only creates multiple versions of an object and can help recover from accidental deletion. Option D is invalid because CRR is used for cross-region replication of objects.

For more information on Cross-Origin Resource Sharing, please visit https://docs.aws.amazon.com/AmazonS3/latest/dev/cors.html
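Option C in practice, as an added CloudFormation example (not from the page): the CORS configuration goes on the bucket that holds the shared resources, and the allowed origin is the site that needs them, which here is the website endpoint named in the question. The bucket name "shared-assets" is assumed.

```yaml
# Added example: CORS rule on the second bucket from question 4 so that pages
# served from http://demo.s3-website-us-east-1.amazonaws.com can fetch its
# objects with JavaScript. Bucket name is an assumed placeholder.
Resources:
  SharedAssetsBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: shared-assets
      WebsiteConfiguration:
        IndexDocument: index.html
      CorsConfiguration:
        CorsRules:
          # The browser sends an Origin header; S3 only answers with
          # Access-Control-Allow-Origin when that header matches an entry here
          # exactly (scheme and host). Listing "*" instead would also clear the
          # blocked-script error, but then any site could read these resources
          # cross-origin, so name only the origin that needs them.
          - AllowedOrigins:
              - http://demo.s3-website-us-east-1.amazonaws.com
            AllowedMethods:
              - GET
              - HEAD
            AllowedHeaders:
              - "*"
            ExposeHeaders:
              - ETag
            MaxAge: 3000   # seconds the browser may cache the preflight response
```

CORS only tells the browser which cross-origin reads to permit; the objects must still be readable through the website endpoint (bucket policy), and a request that fails authorization fails regardless of this rule.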

5. Right Answer: C,D
Explanation:
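The two-trail layout from options C and D, as an added CloudFormation example (not from the page): one trail records only management events, the other only S3 data events, and each delivers to its own bucket. Log bucket names and the monitored bucket are assumed placeholders; the bucket policies that allow cloudtrail.amazonaws.com to write to the log buckets are not shown.

```yaml
# Added example: separate CloudTrail trails for management and data events
# (question 5). Assumed names: "mgmt-trail-logs", "data-trail-logs" and the
# monitored bucket "example-source-bucket".
Resources:
  ManagementTrail:
    Type: AWS::CloudTrail::Trail
    Properties:
      IsLogging: true
      IsMultiRegionTrail: true
      EnableLogFileValidation: true   # digest files let you detect altered or deleted log files
      S3BucketName: mgmt-trail-logs
      EventSelectors:
        # Control-plane API calls only (CreateBucket, PutBucketPolicy, IAM changes ...).
        # No DataResources, so object-level calls never land in this bucket.
        - ReadWriteType: All
          IncludeManagementEvents: true
  DataEventTrail:
    Type: AWS::CloudTrail::Trail
    Properties:
      IsLogging: true
      IsMultiRegionTrail: true
      EnableLogFileValidation: true
      S3BucketName: data-trail-logs
      EventSelectors:
        # Data-plane only: GetObject/PutObject/DeleteObject on the named bucket.
        # Management events are switched off here so the two trails do not overlap.
        - ReadWriteType: All
          IncludeManagementEvents: false
          DataResources:
            - Type: AWS::S3::Object
              Values:
                - arn:aws:s3:::example-source-bucket/
```

Keeping the high-volume data-event trail separate also means the management-event bucket stays small enough to alert on directly, for example on ConsoleLogin or PutBucketPolicy events.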
