Test 2 Part 1(revisit)

AWS Security and Compliance Quiz

Test your knowledge on AWS security best practices and compliance measures through this comprehensive quiz. Designed for IT professionals, this quiz challenges your understanding of Amazon Web Services security architecture, IAM permissions, and data protection mechanisms.

  • Explore various AWS security features.
  • Enhance your skills in managing cloud resources securely.
  • Prepare for certification or improve your knowledge for real-world application.
15 Questions · 4 Minutes · Created by SecuringCloud202

A company has a multitier online application hosted in several EC2 instances that is publicly accessible around the world. The Security Administrator has already placed the required network access control lists and security groups in the VPC of the application. The web servers are hosted in public subnets behind a public-facing Application Load Balancer, while the application servers are hosted in private subnets. The Administrator needs to enhance the edge security of the cloud architecture to safeguard the EC2 instances against attacks. Which combination of options should be implemented in this scenario? (Select TWO.)
  • Use a NAT Gateway for all the inbound traffic to the application.
  • Migrate the web servers to private subnets without any public IP or Elastic IP addresses.
  • Attach an AWS Direct Connect Gateway to the VPC to establish a dedicated network connection that doesn't traverse the public Internet.
  • Launch a new CloudFront distribution and configure geo restriction to prevent users in specific geographic locations from accessing content.
  • Integrate AWS WAF with the Application Load Balancer to provide SQL injection or cross-site scripting attack protection for the online application.
  • Launch a new CloudFront distribution and configure it to use AWS WAF.

The InfoSec team is designing a solution that allows the Incident Response team to audit any IAM permission changes of any IAM User. In the event of a security incident, the team should be able to track the changes in each user’s IAM permissions. It should also show the permissions that belonged to a user at a specific time. How can this task be accomplished?
  • Audit the IAM permission changes of each IAM User using Amazon CloudWatch Logs.
  • Track and review the IAM policy changes using Amazon GuardDuty.
  • Develop a Lambda function that invokes the GenerateCredentialReport API action. Integrate Amazon EventBridge and AWS Lambda to run the process every day. Copy and store the results to an Amazon S3 bucket.
  • Review the IAM policy assigned to the IAM users before and after the security incident using AWS Config.

An organization has a financial application that contains sensitive corporate data. The Security Administrator has been instructed to ensure that all IP packet data is inspected for malicious or suspicious content. Which of the following can satisfy the requirement? (Select TWO.)
  • Launch and set up proxy software on an EC2 instance and route all outbound VPC traffic through it. Execute the packet data inspection using the proxy software to detect any suspicious content.
  • Enable access logs in the Application Load Balancer. Perform packet data inspection from the log data of the ELB access logs.
  • Set up a host-based agent on each EC2 instance within the corporate VPC and perform the inspection using the agent.
  • Enable VPC Flow Logs in the VPC. Use CloudWatch Logs to perform a packet data inspection on the Flow Log data.
  • Install the CloudWatch Logs agent on each EC2 instance. Run the packet data inspection process on the log data collected by CloudWatch Logs.

A new security policy requires encrypting in transit all communications between the company’s on-premises servers and its Amazon EC2 instances. The servers communicate using custom proprietary protocols. The EC2 instances must be placed behind a load balancer to improve availability and scalability. Which of the following will satisfy the above requirements?
  • Import a TLS certificate to a Network Load Balancer (NLB) and create a TLS listener. Offload the TLS termination at the NLB.
  • Pass the entire TLS traffic through a Network Load Balancer (NLB). Terminate the TLS connection on the Amazon EC2 instances.
  • Set up an HTTPS listener in an Application Load Balancer (ALB). Route the entire traffic through the load balancer to terminate the connection on the Amazon EC2 instances.
  • Import an SSL certificate to an Application Load Balancer (ALB) and create an HTTPS listener. Offload the SSL termination at the ALB.

A government organization has a static website that consists of HTML 5 and Bootstrap CSS files hosted in a single EC2 instance. The site allows citizens to download PDF files and other public documents. A Security Administrator has been tasked to protect the site against DDoS attacks and minimize the ongoing operational overhead. Which of the following is the MOST suitable solution in this scenario?
  • Migrate and host the website to an Auto Scaling group of EC2 instances behind an Application Load Balancer (ALB). Integrate AWS WAF with the ALB to protect the application from common web exploits. Enable AWS Shield Advanced to provide enhanced protection to the static website running behind the ALB.
  • Migrate and host the website to an Auto Scaling group of EC2 instances behind an Application Load Balancer (ALB). Integrate AWS WAF with the ALB to provide enhanced protection to the static website, which is running behind the ALB, against all types of DDoS attacks.
  • Migrate and host the static website to Amazon S3. Set up a CloudFront web distribution with Origin Access Identity in front of the bucket and terminate the EC2 instance. Enable AWS Shield Advanced to provide enhanced protection to the static website running behind Amazon CloudFront.
  • Migrate and host the static website to Amazon S3. Use AWS WAF in front of the bucket to provide enhanced protection and terminate the EC2 instance.

A company has a static website hosted in an S3 bucket. The Security Engineer has been instructed to configure the system to allow the users to access the site via an Amazon CloudFront distribution. The users must also be prevented from directly accessing the website using an Amazon S3 URL to avoid any unauthorized access. Which combination of actions will satisfy these requirements? (Select TWO.)
  • Modify the associated security group of the S3 bucket to only allow inbound traffic from CloudFront.
  • Associate an Origin Access Identity (OAI) with the Amazon CloudFront distribution.
  • Create a new VPC Gateway Endpoint. Host the CloudFront web distribution into the specified VPC and modify the bucket policy to only allow incoming traffic through the VPC Endpoint.
  • Modify the S3 bucket policy and add this line: "Principal": "cloudfront.amazonaws.com".
  • Edit the S3 bucket permissions and add the Origin Access Identity (OAI) to ensure that it is the only one that can access the S3 bucket objects.

A developer is writing a shell script that calls the AWS CLI to control the resources in the development environment. The EC2 instance that is being used contains the access keys and the IAM role, which are used to run the AWS CLI. The Security Administrator gave the developer a new set of access key credentials with another IAM role that allows access to the production environment. The developer needs to refactor the script to easily switch from one IAM role to another. What is the EASIEST way to satisfy this requirement?
  • Store the access key and the secret access key of the production environment in the user data of the instance. Call the credentials whenever you need to access the production environment.
  • Set up a new instance profile in the AWS CLI configuration file. Refactor the shell script to append the --profile parameter in the AWS CLI command, including the new profile name.
  • Store the access keys of the production environment in the instance metadata. Directly use the keys whenever you need to access the production environment.
  • Set up a new profile for the role in the AWS CLI configuration file. Refactor the shell script to append the --profile parameter in the AWS CLI command, including the new profile name.

A company is using Amazon CloudWatch to monitor the application logs from multiple Linux EC2 instances via CloudWatch Logs agents installed in each instance. The agent configuration files have been verified and the log files to be pushed are properly configured. However, the Security Administrator identified that a few EC2 instances were not sending any logs at all. Which actions should be taken to troubleshoot this problem? (Select TWO.)
  • Ensure that the IAM permissions used by the CloudWatch Logs agent allow putting log events as well as creating log groups and log streams in CloudWatch.
  • Use the AWS Systems Manager Run Command to confirm that the awslogs service is running on all Amazon EC2 instances.
  • Use AWS X-Ray to trace and diagnose the CloudWatch Logs agents.
  • Verify any rejected application log entries due to invalid time stamps or corrupted data by reviewing the /var/cloudwatch/rejects.log file.
  • Enable Detailed Monitoring in CloudWatch.

A company has a financial application hosted in a fleet of EC2 instances that processes sensitive information and fetches market data from an external API over the public Internet. A Security Engineer has been instructed to ensure that all incoming traffic to the application is protected from common attack patterns such as SQL injection or cross-site scripting. There is also a requirement that all outgoing traffic from the EC2 instances is restricted to specific whitelisted URLs only. Which of the following solutions should the Engineer implement to satisfy these requirements?
  • Set up AWS Shield to scan inbound traffic for any common attack patterns such as SQL injection or cross-site scripting. Use VPC Flow Logs and AWS Lambda to restrict egress traffic to specific whitelisted URLs.
  • Set up AWS WAF to scan inbound traffic for common attack patterns such as SQL injection or cross-site scripting. Use a 3rd party solution from AWS Marketplace to restrict egress traffic to specific whitelisted URLs.
  • Set up AWS WAF to scan inbound traffic for common attack patterns such as SQL injection or cross-site scripting. Use VPC Flow Logs and AWS Lambda to restrict egress traffic to specific whitelisted URLs.
  • Set up AWS Shield to scan inbound traffic for common attack patterns such as SQL injection or cross-site scripting. Use a 3rd party solution from AWS Marketplace to restrict egress traffic to specific whitelisted URLs.

In order to lower your AWS costs, you have developed two Lambda functions using Python 3.8 to stop/start your EC2 instances. You scheduled the first Lambda function to stop the instances every Friday night and the second Lambda function to start the instances on Monday morning. You have added logging statements to your functions to ensure that they are working properly. Upon testing, the EC2 instances are being shut down/started as expected, but you don’t see any logs in CloudWatch Logs that show the execution of your functions. Which of the following is the possible reason for this?
  • The execution role for the Lambda function doesn’t have permission to write log data to CloudWatch Logs.
  • The Lambda function hasn't been granted permission to write to the Amazon S3 bucket where the logs should be stored.
  • The Lambda function is not executing properly because you are using an older version of Python which is not supported by AWS Lambda.
  • You haven't manually created a Log group in Amazon CloudWatch where the Lambda function will send the log data.

An organization is planning to launch an application that will store sensitive files in three Amazon S3 buckets based on a data classification scheme of Restricted, Private, and Public. The solution must encrypt each object using a unique key, and AWS KMS must be set to automatically rotate encryption keys annually. Moreover, access to files in the Restricted bucket must be protected by two-factor authentication. Which of the following solutions will satisfy the above requirement?
  • Create a Customer Managed key for each data classification type. Enable the rotation of keys annually. Set up an MFA policy within the key policy for the Restricted CMK. Encrypt the files using Server-Side Encryption with CMKs Stored in AWS Key Management Service (SSE-KMS).
  • Create a Customer Managed Key with unique imported key material for each data classification type. Enable the rotation of keys annually. Define the MFA policy in the key policy for the Restricted key material. Encrypt the files using Server-Side Encryption with CMKs Stored in AWS Key Management Service (SSE-KMS).
  • Create a Customer Managed key for each data classification type with aws:MultiFactorAuthPresent and kms:EnableKeyRotation elements set to true. Configure a policy that will allow Amazon S3 to use the grants to encrypt each file with a unique CMK.
  • Create a Customer Managed key for each data classification type and enable the rotation of keys annually. Encrypt the files using Server-Side Encryption with CMKs Stored in AWS Key Management Service (SSE-KMS). Configure MFA (multi-factor authentication) delete on the Restricted bucket.

A global organization has complex connectivity rules governing egress, ingress, and various other communications between the Linux EC2 instances. The connectivity rules are so intricate that the InfoSec team cannot implement them within the maximum number of network access control lists and security groups in AWS. There is a requirement to implement a solution that will allow the company to apply all the required network rules without incurring additional cost. Which of the following is the BEST solution for this scenario?
  • Use AWS WAF to implement all of the required egress, ingress, and other security rules.
  • Leverage the operating system’s built-in, host-based firewall, such as the iptables command-line firewall utility, to apply the required rules.
  • Attach a NAT Gateway in your VPC to prevent instances in a private subnet from connecting to the Internet. Configure the NAT Gateway to control egress and ingress traffic.
  • Use AWS Shield Advanced to implement all of the required security rules and to protect all the Amazon EC2 instances. Ensure that each instance doesn't have an associated Elastic IP address.

An organization has a web application hosted in a fleet of EC2 instances that publishes custom metrics to Amazon CloudWatch. After a few days, the IT Operations team noticed that the metrics are no longer sent to CloudWatch. The Security Administrator noticed that there has been a recent change in the IAM policy that is used by the application. The issue must be fixed immediately without compromising security. Which of the following is the LEAST permissive solution that the Administrator should grant in this scenario?
  • Add the CloudWatchActionsEC2Access managed policy.
  • Add the CloudWatchFullAccess managed policy.
  • Add cloudwatch:putMetricData permission in the IAM Policy.
  • In the IAM role used by the application, add a trust relationship and specify cloudwatch.amazonaws.com as the principal.

An organization needs to control access to its cloud resources in AWS by using identities and groups defined in its existing Microsoft Active Directory. The Security Engineer is tasked to map the permissions of the Active Directory user attributes to the AWS services. What should the Engineer do in this scenario?
  • Use IAM Groups to map the permissions of the Active Directory user attributes to the AWS services.
  • Use IAM Users to map the permissions of the Active Directory user attributes to the AWS services.
  • Use Security Control Policies (SCPs) to map the permissions of the Active Directory user attributes to the AWS services.
  • Use IAM Roles to map the permissions of the Active Directory user attributes to the AWS services.

A Security Administrator has been instructed to set up a solution to easily control access to the data being encrypted under a CMK. The solution must use additional authenticated data (AAD) to support authenticated encryption and prevent tampering with the ciphertext. What is the BEST solution in this scenario that the Administrator should implement?
  • Use Grant tokens to enable authenticated encryption.
  • Use CloudHSM instead since AWS KMS does not support authenticated encryption.
  • Create a key alias and use it when calling the Encrypt and Decrypt API actions.
  • Add a kms:EncryptionContext condition when defining the key policy for the CMK.