
AWS Certified Security - Specialty - Part 7

Mary Smith

Sat, 24 May 2025


1. DDoS attacks that happen at the application layer commonly target web applications with lower volumes of traffic compared to infrastructure attacks. To mitigate these types of attacks, you will probably want to include a WAF (Web Application Firewall) as part of your infrastructure. To inspect all HTTP requests, WAFs sit in-line with your application traffic. Unfortunately, this creates a scenario where WAFs can become a point of failure or a bottleneck. To mitigate this problem, you need the ability to run multiple WAFs on demand during traffic spikes. This type of scaling for a WAF is done via a 'WAF sandwich'. Which of the following statements best describes what a 'WAF sandwich' is? Choose the correct answer from the options below.

A) The EC2 instance running your WAF software is placed between your private subnets and any NATed connections to the Internet.
B) The EC2 instance running your WAF software is placed between your public subnets and your Internet Gateway.
C) The EC2 instance running your WAF software is placed between your public subnets and your private subnets.
D) The EC2 instance running your WAF software is included in an Auto Scaling group and placed in between two Elastic load balancers.



2. An employee keeps terminating EC2 instances in the production environment. You've determined the best way to ensure this doesn't happen is to add an extra layer of defence against terminating the instances. What is the best method to ensure the employee does not terminate the production instances? Choose the 2 correct answers from the options below (Select 2 answers).

A) Modify the IAM policy on the user to require MFA before deleting EC2 instances
B) Modify the IAM policy on the user to require MFA before deleting EC2 instances and disable MFA access to the employee
C) Tag the instance with a production-identifying tag and add resource-level permissions to the employee user with an explicit deny on the terminate API call to instances with the production tag.
D) Tag the instance with a production-identifying tag and modify the employee's group to allow only the start, stop, and reboot API calls and not the terminate instance call.



3. Which of the following is the correct sequence of how KMS manages the keys when used along with the Redshift cluster service?

A) The master key encrypts the cluster key, database key and data encryption keys.
B) The master key encrypts the database key. The database key encrypts the data encryption keys.
C) The master key encrypts the data encryption keys. The data encryption keys encrypt the database key.
D) The master key encrypts the cluster key. The cluster key encrypts the database key. The database key encrypts the data encryption keys.



4. Your company has mandated that all data in AWS (Amazon Web Services) be encrypted at rest. How can you achieve this for EBS volumes? Choose 2 answers from the options given below (Select 2 answers).

A) Use Windows BitLocker for Windows-based instances
B) Use AWS (Amazon Web Services) KMS to encrypt the existing EBS volumes
C) Use TrueCrypt for Linux-based instances
D) Enable encryption on existing EBS volumes



5. Your application currently uses AWS (Amazon Web Services) Cognito for authenticating users. Your application consists of different types of users. Some users are only allowed read access to the application and others are given contributor access. How would you manage the access effectively?

A) Create different Cognito groups, one for the readers and the other for the contributors.
B) Create different Cognito endpoints, one for the readers and the other for the contributors.
C) This needs to be managed via Web security tokens
D) You need to manage this within the application itself



1. Right Answer: D
Explanation: The below diagram shows how a WAF sandwich is created. It is the concept of placing the EC2 instance which hosts the WAF software in between two Elastic Load Balancers. Options A, B and C are incorrect since the EC2 instance with the WAF software needs to be placed in an Auto Scaling group. For more information on a WAF sandwich please refer to the below link: https://www.cloudaxis.com/2016/11/21/waf-sandwich/

2. Right Answer: C, D
Explanation: Tags enable you to categorize your AWS (Amazon Web Services) resources in different ways, for example by purpose, owner, or environment. This is useful when you have many resources of the same type: you can quickly identify a specific resource based on the tags you've assigned to it. Each tag consists of a key and an optional value, both of which you define. Options C and D are incorrect since tagging the IAM policy will not resolve the issue. For more information on tagging AWS resources please refer to the below URL: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html
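As an added illustration of the tag-based, resource-level explicit deny described in this explanation (this is an example written for this page, not part of the original quiz or of AWS documentation), the following IAM policy allows the day-to-day start, stop, reboot and describe calls on any instance but explicitly denies `ec2:TerminateInstances` on instances that carry a production tag. The tag key `Environment` and value `production` are assumptions chosen for the example (JSON allows no comments, so the assumption is recorded in the statement `Sid` values); `aws:ResourceTag/<key>` is the standard condition key for matching a tag on the target resource.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowDayToDayInstanceControlExample",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyTerminateOnAssumedEnvironmentProductionTag",
      "Effect": "Deny",
      "Action": "ec2:TerminateInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Environment": "production"
        }
      }
    }
  ]
}
```

Because an explicit Deny always overrides an Allow in IAM policy evaluation, the terminate call on a production-tagged instance fails even if the user is later granted a broader allow elsewhere. The control is only as strong as the tag it keys on, so the same principal should not also hold `ec2:CreateTags` or `ec2:DeleteTags` on those instances; otherwise the tag could simply be removed before terminating.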

3. Right Answer: D
Explanation: This is mentioned in the AWS (Amazon Web Services) documentation. Amazon Redshift uses a four-tier, key-based architecture for encryption. The architecture consists of data encryption keys, a database key, a cluster key, and a master key. Data encryption keys encrypt data blocks in the cluster. Each data block is assigned a randomly generated AES-256 key. These keys are encrypted by using the database key for the cluster. The database key encrypts data encryption keys in the cluster. The database key is a randomly generated AES-256 key. It is stored on disk in a separate network from the Amazon Redshift cluster and passed to the cluster across a secure channel. The cluster key encrypts the database key for the Amazon Redshift cluster. Option B is incorrect because the master key encrypts the cluster key and not the database key. Option C is incorrect because the master key encrypts the cluster key and not the data encryption keys. Option D is incorrect because the master key encrypts the cluster key only. For more information on how keys are used in Redshift, please visit the following URL: https://docs.aws.amazon.com/kms/latest/developerguide/services-redshift.html

4. Right Answer: A, C
Explanation: EBS encryption can only be enabled when the volume is created and not for existing volumes. One can use existing tools for OS-level encryption. Options C and D are invalid because volumes cannot be encrypted from AWS (Amazon Web Services) after they have been created. For more information on the security best practices, please visit the following URL: https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf

5. Right Answer: A
Explanation: The AWS (Amazon Web Services) documentation mentions the following: You can use groups to create a collection of users in a user pool, which is often done to set the permissions for those users. For example, you can create separate groups for users who are readers, contributors, and editors of your website and app. Option A is incorrect since you need to create Cognito groups and not endpoints. Options C and D are incorrect since these would be overheads when you can use AWS (Amazon Web Services) Cognito. For more information on AWS (Amazon Web Services) Cognito user groups please refer to the below link: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-user-groups.html
