Friday , October 23 2020

AWS Certified Security Specialty Practice Test 1

1) Your company has the following setup in AWS:

a. A set of EC2 Instances hosting a web application

b. An application load balancer placed in front of the EC2 instances

There seems to be a set of malicious requests coming from a set of IP addresses. Which of the following can be used to protect against these requests?

(A)  Use VPC Flow Logs to block the IP addresses

(B)  Use AWS WAF to block the IP addresses

(C)  Use Security Groups to block the IP addresses

(D) Use AWS Inspector to block the IP addresses

Answer

Option B

2) A company wants to use CloudTrail for logging all API activity. They want to segregate the logging of data events and management events. How can this be achieved? Choose 2 answers from the options given below:

Please select:

A. Create one CloudTrail log group for data events

B. Create one trail that logs data events to an S3 bucket

C. Create another trail that logs management events to another S3 bucket

D. Create another CloudTrail log group for management events

(A)  A,B

(B)  A,D

(C)  A,C

(D) B,C

Answer & Explanation

Option D

Explanation

The AWS Documentation mentions the following: "You can configure multiple trails differently so that the trails process and log only the events that you specify. For example, one trail can log read-only data and management events, so that all read-only events are delivered to one S3 bucket. Another trail can log only write-only data and management events, so that all write-only events are delivered to a separate S3 bucket." Options A and D are invalid because you have to create a trail and not a log group.

3) Company policy requires that all insecure server protocols, such as FTP, Telnet, HTTP, etc., be disabled on all servers. The security team would like to regularly check all servers to ensure compliance with this requirement by using a scheduled CloudWatch event to trigger a review of the current infrastructure. What process will check compliance of the company's EC2 instances?

(A) Query the Trusted Advisor API for all best practice security checks and check for "action recommended" status.

(B) Trigger an AWS Config Rules evaluation of the restricted-common-ports rule against every EC2 instance

(C)  Enable a GuardDuty threat detection analysis targeting the port configuration on every EC2 instance

(D) Run an Amazon Inspector assessment using the Runtime Behavior Analysis rules package against every EC2 instance

Answer & Explanation

Option B

Explanation

Option B is incorrect because querying the Trusted Advisor API is not possible. Option C is incorrect because GuardDuty should be used to detect threats and not to check compliance with security protocols. Option D states that running Amazon Inspector with the Runtime Behavior Analysis rules package will analyze the behavior of your instances during an assessment run and provide guidance about how to make your EC2 instances more secure.

4) Your company is planning on hosting its resources on AWS. There is a company policy which mandates that all security keys are completely managed within the company itself. Which of the following is the correct measure for following this policy?

(A)  Use the EC2 Key pairs that come with AWS

(B)  Use S3 server-side encryption

(C)  Generating the key pairs for the EC2 instances using PuTTYgen

(D) Using the AWS KMS service for creation of the keys and the company managing the key life cycle thereafter

Answer & Explanation

Option C

Explanation

By generating the key pairs for the EC2 instances yourself, you will have complete control of the access keys. Options A, C and D are invalid because all of these processes mean that AWS has ownership of the keys, and the question specifically mentions that you need ownership of the keys.

5)  Your company has many AWS accounts defined and all are managed via AWS Organizations. One AWS account has an S3 bucket that has critical data. How can we ensure that all the users in the AWS organization have access to this bucket?

(A)  Ensure the bucket policy has a condition which involves aws:AccountNumber

(B)  Ensure the bucket policy has a condition which involves aws:PrincipalOrgID

(C)  Ensure the bucket policy has a condition which involves aws:PrincipalID

(D) Ensure the bucket policy has a condition which involves aws:OrgID

Answer & Explanation

6) The CFO of a company wants to allow one of his employees to view only the AWS usage report page. Which of the below mentioned IAM policy statements allows the user to have access to the AWS usage report page?

(A)  "Effect": "Allow", "Action": ["aws-portal:ViewBilling"], "Resource"

(B)  "Effect": "Allow", "Action": ["Describe"], "Resource": "Billing"

(C)  "Effect": "Allow", "Action": ["AccountUsage"], "Resource"

(D) "Effect": "Allow", "Action": ["aws-portal:ViewUsage", "aws-portal:ViewBilling"], "Resource":

Answer

Option D

7) Your company has been using AWS for the past 2 years. They have separate S3 buckets for logging the various AWS services that have been used. They have hired an external vendor for analyzing their log files. The vendor has their own AWS account. What is the best way to ensure that the partner account can access the log files in the company account for analysis? Choose 2 answers from the options given below. Please select:

A. Create an IAM user in the company account

B. Create an IAM Role in the company account

C. Ensure the IAM user has read-only access to the S3 buckets

D. Ensure the IAM Role has read-only access to the S3 buckets

(A)  B,C

(B)  A,B

(C)  B,D

(D) A,C

Answer & Explanation

Option C

Explanation

The AWS Documentation mentions the following: "To share log files between multiple AWS accounts, you must perform the following general steps. These steps are explained in detail later in this section. Create an IAM role for each account that you want to share log files with. For each of these IAM roles, create an access policy that grants read-only access to the account you want to share the log files with."

8) A company continually generates sensitive records that it stores in an S3 bucket. All objects in the bucket are encrypted using SSE-KMS with one of the company's CMKs. Company compliance policies require that no more than one month of data be encrypted using the same encryption key.

What solution below will meet the company's requirements?

(A) Trigger a Lambda function with a monthly CloudWatch event that creates a new CMK and updates the S3 bucket to use the new CMK

(B)  Configure the CMK to rotate the key material every month.

(C)  Trigger a Lambda function with a monthly CloudWatch event that rotates the key material in the CMK.

(D) Trigger a Lambda function with a monthly CloudWatch event that creates a new CMK, updates the S3 bucket to use the new CMK, and deletes the old CMK

Answer

Option A

Explanation

You can use a Lambda function to create a new key and then update the S3 bucket to use the new key. Remember not to delete the old key; otherwise you will not be able to decrypt the documents stored in the S3 bucket that were encrypted using the older key. Option B is incorrect because AWS KMS cannot rotate keys on a monthly basis. Option C is incorrect because deleting the old key means that you cannot access the older objects. Option D is incorrect because rotating key material is not possible.

9)  Your company has an external web site. This web site needs to access the objects in an S3 bucket. Which of the following would allow the web site to access the objects in the most secure manner?

(A)  Use the aws:Referer key in the condition clause for the bucket policy

(B)  Grant public access for the bucket via the bucket policy

(C)  Use the aws:sites key in the condition clause for the bucket policy

(D) Grant a role that can be assumed by the web site

Answer

Option A

10)  Which of the below services can be integrated with the AWS Web Application Firewall service?

Choose 2 answers from the options given below

Please select:

A. AWS CloudFront

B. AWS Lambda

C. AWS Application Load Balancer

D. AWS Classic Load Balancer

(A)  A,D

(B)  A,C

(C)  B,C

(D) A,B

Answer

Option B

Explanation

The AWS documentation mentions the following on the Application Load Balancer: "AWS WAF can be deployed on Amazon CloudFront and the Application Load Balancer (ALB). As part of Amazon CloudFront it can be part of your Content Distribution Network (CDN), protecting your resources and content at the edge locations, and as part of the Application Load Balancer it can protect your origin web servers running behind the ALBs." Options B and D are invalid because only CloudFront and the Application Load Balancer services are supported by AWS WAF.

11)  Your company is planning on using AWS EC2 and ELB for deployment of their web applications. The security policy mandates that all traffic should be encrypted. Which of the following options will ensure that this requirement is met? Choose 2 answers from the options below.

A. Ensure the load balancer listens on port 80

B. Ensure the load balancer listens on port 443

C. Ensure the HTTPS listener sends requests to the instances on port 443

D. Ensure the HTTPS listener sends requests to the instances on port 80

(A)  B,C

(B)  B,D

(C) A,D

(D)  A,B

Answer & Explanation

Option A

Explanation

The AWS Documentation mentions the following: "You can create a load balancer that listens on both the HTTP (80) and HTTPS (443) ports. If you specify that the HTTPS listener sends requests to the instances on port 80, the load balancer terminates the requests and communication from the load balancer to the instances is not encrypted. If the HTTPS listener sends requests to the instances on port 443, communication from the load balancer to the instances is encrypted." Option A is invalid because there is a need for secure traffic, so port 80 should not be used. Option D is invalid because for the HTTPS listener you need to use port 443.

12)  You have an Amazon VPC that has a private subnet and a public subnet in which you have a NAT instance server. You have created a group of EC2 instances that configure themselves at startup by downloading a bootstrapping script from S3 that deploys an application via Git. Which one of the following setups would give us the highest level of security?

Choose the correct answer from the options given below.

A. EC2 instances in our public subnet, no EIPs, route outgoing traffic via the IGW

B. EC2 instances in our public subnet, assigned EIPs, and route outgoing traffic via the NAT

C. EC2 instances in our private subnet, assigned EIPs, and route our outgoing traffic via our IGW

D. EC2 instances in our private subnet, no EIPs, route outgoing traffic via the NAT

(A)  A,C

(B)  B,C

(C) A,B

(D)  A,D

Answer

Option D

13) Your organization is preparing for a security assessment of your use of AWS. In preparation for this assessment, which three IAM best practices should you consider implementing?

(A)  Configure MFA on the root account and for privileged IAM users

(B)  Create individual IAM users for everyone in your organization

(C) Ensure all users have been assigned and are frequently rotating a password, access ID/secret key, and X.5

(D)  Assign IAM users and groups configured with policies granting least privilege access

Answer

Option B

14) An organization has set up multiple IAM users. The organization wants each IAM user to access the IAM console only from within the organization and not from outside. How can it achieve this?

(A)  Create an IAM policy with the security group and use that security group for AWS console login

(B)  Configure the EC2 instance security group which allows traffic only from the organization's IP range

(C)  Create an IAM policy with VPC and allow a secure gateway between the organization and the AWS Console

(D) Create an IAM policy with a condition which denies access when the IP address range is not from the organization

Answer & Explanation

Option D

Explanation

You can actually use a Deny condition which will not allow the person to log in from outside. The below example shows the Deny condition to ensure that any address specified in the source address is not allowed to access the resources in AWS. Option A is invalid because you don't mention the security group in the IAM policy. Option C is invalid because security groups by default don't allow traffic. Option D is invalid because the IAM policy does not have such an option.

15)  Your developer is using the KMS service and an assigned key in their Java program. They get the below error when running the code: arn:aws:iam::113745388712:user/UserB is not authorized to perform: kms:DescribeKey. Which of the following could help resolve the issue?

(A)  Ensure that User B is given the right IAM role to access the key

(B)  Ensure that User B is given the right permissions in the IAM policy

(C)  Ensure that User B is given the right permissions in the Key policy

(D)  Ensure that User B is given the right permissions in the Bucket policy

Answer

Option C

16)  A company hosts critical data in an S3 bucket. Even though they have assigned the appropriate permissions to the bucket, they are still worried about data deletion. What measures can be taken to restrict the risk of data deletion on the bucket? Choose 2 answers from the options given below.

A. Enable versioning on the S3 bucket

B. Enable data at rest for the objects in the bucket

C. Enable MFA Delete in the bucket policy

D. Enable data in transit for the objects in the bucket

(A)  A,C

(B)  A,B

(C)  B,C

(D)  A,D

Answer

Option A

17)  In your LAMP application, you have some developers that say they would like access to your logs. However, since you are using an AWS Auto Scaling group, your instances are constantly being recreated. What would you do to make sure that these developers can access these log files? Choose the correct answer from the options below. Please select:

(A)  Give only the necessary access to the Apache servers so that the developers can gain access to the log files

(B) Give read-only access to your developers to the Apache servers.

(C)  Set up a central logging server that you can use to archive your logs; archive these logs to an S3 bucket for developer-access

(D)  Give root access to your Apache servers to the developers

Answer & Explanation

Option C

Explanation

One important security aspect is to never give access to actual servers, hence Options A, B and C are just totally wrong from a security perspective. The best option is to have a central logging server that can be used to archive logs. These logs can then be stored in S3. Options A, B and C are all invalid because you should not give the developers access to the Apache servers. For more information on S3, please refer to the below link.

18)  You are creating a Lambda function which will be triggered by a CloudWatch Event. The data from these events needs to be stored in a DynamoDB table. How should the Lambda function be given access to the DynamoDB table?

(A)  Use an IAM role which has permissions to the DynamoDB table and attach it to the Lambda function.

(B)  Create a VPC endpoint for the DynamoDB table. Access the VPC endpoint from the Lambda function

(C)  Put the AWS Access keys in the Lambda function since the Lambda function by default is secure

(D)  Use the AWS Access keys which have access to DynamoDB and then place them in an S3 bucket

Answer & Explanation

Option A

Explanation

AWS Lambda functions use roles to interact with other AWS services, so use an IAM role which has permissions to the DynamoDB table and attach it to the Lambda function. Options A and C are all invalid because you should never use AWS keys for access. Option D is invalid because the VPC endpoint is used for VPCs.

19)  Your company has an EC2 instance hosted in AWS. This EC2 instance hosts an application. Currently this application is experiencing a number of issues. You need to inspect the network packets to see what type of error is occurring. Which one of the below steps can help address this issue?

(A)  Use another instance. Set up a port in promiscuous mode and sniff the traffic to analyze the packets

(B)  Use a network monitoring tool provided by an AWS partner.

(C)  Use the VPC Flow Logs

(D) Use CloudWatch metrics

Answer & Explanation

Option A

Explanation

Since here you need to sniff the actual network packets, the ideal approach would be to use a network monitoring tool provided by an AWS partner.

20)  A company has been using the AWS KMS service for managing its keys. They are planning on carrying out housekeeping activities and deleting keys which are no longer in use. What are the ways that can be used to see which keys are in use? Choose 2 answers from the options given below. Please select:

A. Determine the age of the master key

B. See who is assigned permissions to the master key

C. See CloudTrail for usage of the key

D. Use AWS CloudWatch Events for events generated for the key

(A)  B,D

(B)  A,B

(C) A,C

(D)  B,C

Answer & Explanation

Option D

Explanation

The direct ways that can be used to see how the key is being used are to see the current access permissions and the CloudTrail logs. Option A is invalid because seeing how long ago the key was created would not determine the usage of the key. Option D is invalid because a CloudTrail event is better for seeing events generated by the key. This is also mentioned in the AWS Documentation.
