1. Your company has been using AWS (Amazon Web Services) to host EC2 instances for its web and database applications. It wants a compliance check covering the following:
Whether any ports are left open other than admin ones like SSH and RDP
Whether any ports on the database server are open to anything other than the web server security group
Which of the following can help achieve this in the easiest way possible? You do not want to carry out any extra configuration changes.
A) AWS Inspector B) AWS Config C) AWS GuardDuty D) AWS Trusted Advisor
2. You are planning to use the AWS (Amazon Web Services) KMS service to manage keys for your application. Which of the following can KMS CMK keys be used to encrypt? Choose 2 answers from the options given below (Select 2 answers).
A) Password B) RSA Keys C) Large files D) Image Objects
3. You have a set of application, database and web servers hosted in AWS. The web servers are placed behind an ELB. There are separate security groups for the application, database and web servers, and the network security groups have been defined accordingly. There is an issue with the communication between the application and database servers. In order to troubleshoot the issue between just the application and database servers, what is the ideal set of MINIMAL steps you would take?
A) Check the inbound security rules for the database security group; check the outbound security rules for the application security group
B) Check the outbound security rules for the database security group; check the inbound security rules for the application security group
C) Check both the inbound and outbound security rules for the database security group; check the inbound security rules for the application security group
D) Check the outbound security rules for the database security group; check both the inbound and outbound security rules for the application security group
4. You are building a system to distribute confidential training videos to employees. Using CloudFront, what method could be used to serve content that is stored in S3 but not publicly accessible from S3 directly? Please select:
A) Create an S3 bucket policy that lists the CloudFront distribution ID as the Principal and the target bucket as the Amazon Resource Name (ARN).
B) Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI.
C) Create an Identity and Access Management (IAM) user for CloudFront and grant access to the objects in your S3 bucket to that IAM user.
D) Add the CloudFront account security group to the appropriate S3 bucket policy.
5. One of the EC2 instances in your company has been compromised. What steps would you take to ensure that you could apply digital forensics to the instance? Select 2 answers from the options given below (Select 2 answers).
A) Remove the role applied to the EC2 instance B) Ensure that the security groups only allow communication to this forensic instance C) Terminate the instance D) Create a separate forensic instance
1. Right Answer: D Explanation: Trusted Advisor checks for compliance with the following security recommendations: limited access to common administrative ports to only a small subset of addresses, which covers ports 22 (SSH), 23 (Telnet), 3389 (RDP) and 5500 (VNC); and limited access to common database ports, which covers ports 1433 (MSSQL Server), 1434 (MSSQL Monitor), 3306 (MySQL), 1521 (Oracle) and 5432 (PostgreSQL). Option A is partially correct, but you would then need to write custom rules for this. AWS (Amazon Web Services) Trusted Advisor gives you all of these checks on its dashboard. Options C and D are invalid because these services don't provide these details. For more information on Trusted Advisor, please visit the following URL: https://aws.amazon.com/premiumsupport/trustedadvisor/
2. Right Answer: A,B Explanation: The CMK keys themselves can only be used to encrypt data that is at most 4 KB in size. Hence they can be used to encrypt information such as passwords and RSA keys. Options A and B are invalid because the actual CMK key can only be used to encrypt small amounts of data, not large amounts. You have to generate a data key from the CMK in order to encrypt large amounts of data. For more information on the concepts for KMS, please visit the following URL: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html