Test 2 Quiz#2
AWS Security Best Practices Quiz
Test your knowledge on AWS security practices with our engaging quiz! Designed for security professionals and AWS users, this quiz covers various aspects including IAM policies, data protection, logging, and compliance.
Prepare yourself with real-world scenarios and multiple-choice questions to enhance your understanding of AWS security measures.
- Multiple-choice questions
- Real-world scenarios
- Enhance your AWS security knowledge
An organization is building a distributed system using KMS where they need to encrypt data at a later time. An API must be called that returns only the encrypted copy of the data key which will be used for encryption. After an hour, the data key will be decrypted by calling the Decrypt API then using the returned plaintext data key to finally encrypt the data. Which is the MOST suitable KMS API that the system should use to securely implement the above requirement?
- GenerateRandom
- GenerateDataKey
- Encrypt
- GenerateDataKeyWithoutPlaintext
A digital payments company is using AWS to host its suite of financial web applications that uses external APIs for credit and debit transactions. The current architecture is using CloudTrail with several trails to log all API actions. Each trail is protected with an IAM policy to restrict access from unauthorized users. The Security Engineer must implement a solution that allows the company to trace the integrity of each file and prevent the files from being tampered with. Which of the following is the MOST suitable solution with the LEAST amount of effort to implement?
- Enable the log file integrity feature in CloudTrail using the AWS Systems Manager State Manager to automatically generate a digest file for every log file that CloudTrail delivers. Verify the integrity of the delivered CloudTrail files using the generated digest files.
- Enable the log file integrity feature in the Amazon S3 bucket of the trail that will automatically generate a digest file for every log file that CloudTrail delivers. Grant the IT Security team full access to download the file integrity logs stored in the S3 bucket via an IAM policy.
- Enable the log file integrity feature in AWS CloudTrail to secure the trail and to automatically generate a digest file for every log file that CloudTrail delivers. Verify the integrity of the delivered CloudTrail files using the generated digest files.
- Enable the log file integrity feature in CloudTrail using AWS Config to automatically generate a digest file for every log file that CloudTrail delivers. Verify the integrity of the delivered CloudTrail files using the generated digest files.
A Security Administrator is tasked to set up an automated system to manage the access keys in the company’s AWS account. A solution must be implemented to automatically disable all IAM user access keys that are more than 90 days old. Which of the following should the Administrator implement?
- Go to the IAM dashboard of the AWS Management Console. View the IAM Users table and check the Access Key Age column. Disable the IAM user access keys that are more than 90 days old.
- Develop a Lambda function that calls the GenerateCredentialReport API to generate the credential report. Configure the function to use the GetCredentialReport API to download the report, parse the CSV file and check the keys with an access_key_1_last_rotated of more than 90 days. Disable the old access keys using the UpdateAccessKey API.
- Use the access-keys-rotated managed rule in AWS Config and set the maxAccessKeyAge to 90 days. AWS Config will automatically disable the obsolete access keys using its built-in AWS Lambda function.
- Set up an Amazon CloudWatch Alarm to detect access keys that are more than 90 days old. Create a Lambda function that will be invoked by CloudWatch Alarm to disable the old keys.
A Security Administrator is setting up a logging system that will track all of the changes made to their cloud resources in all AWS Regions. Any configuration made in CloudFront, Route 53 and other global AWS services should also be tracked. The solution must provide an event history of all API calls made in AWS CLI or in the AWS Management Console. Which of the following actions should the Administrator do in this scenario?
- Create a new trail in Amazon CloudWatch Logs using the AWS CLI and pass the --is-multi-region-trail parameter. Encrypt the log files using AWS Secrets Manager.
- Create a new trail in AWS CloudTrail using the AWS CLI and pass both the --is-multi-region-trail and --no-include-global-service-events parameters. Encrypt the log files using AWS CloudHSM.
- Create a new trail in Amazon CloudWatch Events using the AWS CLI and pass both the --is-multi-region-trail and --include-global-service-events parameters. Encrypt the log files using KMS encryption.
- Create a new trail in AWS CloudTrail using the AWS CLI and pass both the --is-multi-region-trail and --include-global-service-events parameters. Encrypt the log files using KMS encryption.
A food delivery mobile app is currently being developed by a startup and it needs to have an authentication service. The Security Engineer needs to use an AWS service that provides temporary AWS credentials for users who have been authenticated via their social media logins as well as for guest users who do not require any authentication. What is the MOST suitable way that the Engineer can satisfy the above requirement?
- Use Amazon Cognito Sync for social authentication.
- Set up a combination of AWS Identity and Access Management (IAM) policies and AWS Security Token Service (STS) to enable access to both authenticated and unauthenticated identities.
- Set up AWS Single Sign-On (SSO) for social logins as well as for unauthenticated identities.
- Set up an Amazon Cognito Identity Pool with a configuration to enable access to unauthenticated identities.
A company has a suite of web applications deployed on hundreds of Amazon EC2 instances in AWS. The Security Team has been tasked to verify that the security groups and network access control lists (network ACLs) are properly configured and work as expected. What step should the team take to fulfill this task?
- Set up and install the Amazon Inspector agent on all EC2 instances using the Systems Manager Run Command to capture the IP traffic. Store the network logs in Amazon S3 and use Amazon Athena to query and analyze the logs.
- Set up an AWS Config rule for each security group and network ACL configuration. Send and store the logs to an S3 bucket then use Amazon Inspector to query the network logs.
- Enable VPC Flow Logs to capture information about the IP traffic going to and from network interfaces in your VPC. Store the logs in Amazon S3 and use Amazon Athena to query and analyze the logs.
- Enable AWS CloudTrail in the AWS Account. View and analyze the network traffic going in and out of the VPC using the Event History of the CloudTrail console.
A company is in the process of developing an application that allows the users to easily make cartoon animations and store the generated media files to AWS. The required IAM role has also been created with the appropriate permissions to upload the files to an S3 bucket and to other AWS resources. Which API call should you use to allow the application to upload the files to Amazon S3?
- AssumeRole
- AssumeRoleWithSAML
- GetSessionToken
- AssumeRoleWithWebIdentity
A Security Engineer is setting up a cloud-based solution that enables two-way (mutual) authenticated TLS connections between the servers hosted in the corporate VPC. A Certificate Authority (CA) hierarchy must be established to provide strong security and restrictive access controls for the most-trusted root CA at the top of the trust chain while allowing more permissive access and bulk certificate issuance lower down the chain. Which of the following should the Engineer use to satisfy the requirement?
- Use the IAM certificate store and create subordinate CAs to issue end-entity certificates.
- Use the AWS Secrets Manager and create end-entity certificates to issue subordinate CAs.
- Use the AWS Certificate Manager (ACM) and create end-entity certificates to issue subordinate CAs.
- Use the AWS Certificate Manager Private Certificate Authority (ACM PCA) and create subordinate CAs to issue end-entity certificates.
A financial firm has recently adopted a hybrid cloud architecture to augment their on-premises data center with virtual private clouds (VPCs) in AWS. A Security Administrator was assigned to manage all of the company’s cloud infrastructure including the security of their AWS resources using IAM policies and roles. Which of the following are best practices in managing security in AWS? (Select TWO.)
- Always delete the root user access keys.
- Always grant full permissions to the resources in order to perform the task without any limitations and potential issues.
- Always provide AWS Management console and programmatic access to developers.
- Grant only the necessary permissions by the resource to perform a certain task.
- Implement IAM inline policies to delegate permissions.
A company is planning to host a containerized e-commerce portal on multiple Amazon ECS clusters which are launched in multiple AWS accounts. The database credentials should be provided to the e-commerce AMI by using environment variables. A Security Engineer was instructed to ensure that the credentials are secure when passed to the image and that they cannot be viewed on the cluster itself. The credentials must be kept in a dedicated storage with lifecycle management and key rotation. An automated system must also be implemented that evaluates the security compliance of the credentials across all the accounts of its AWS Organization. Which of the following is the most suitable solution in this scenario that the Engineer can implement with the least effort?
- Use AWS Secrets Manager to store the database credentials and then encrypt them using AWS KMS. Set up an IAM Role for your Amazon ECS task execution role and reference it with your task definition which allows access to both KMS and AWS Secrets Manager. Within your container definition, specify secrets with the name of the environment variable to set in the container and the full ARN of the Secrets Manager secret which contains the sensitive data, to present to the container. Configure AWS Config Multi-Account Multi-Region Data Aggregator to review the configurations of the credentials across all accounts.
- Store the database credentials and encrypt them with KMS then reference them in the ECS task definition file of the ECS Cluster. Store the task definition JSON file in AWS Control Tower. Set up an IAM role to the ECS task definition script that allows access to AWS Control Tower for the ECS register-task-definition action. Reference the task definition JSON file in the Control Tower which contains the database credentials. Configure AWS Config in any member AWS account of the AWS Organization to check the security compliance of the credentials on all AWS accounts.
- Use AWS Systems Manager Parameter Store to store and manage the database credentials and then encrypt them using AWS KMS. Set up an IAM Role for your Amazon ECS task execution role and reference it with your task definition, which allows access to both KMS and the Parameter Store. Within your container definition, specify secrets with the name of the environment variable to set in the container and the full ARN of the Systems Manager Parameter Store parameter containing the sensitive data to present to the container. Set up AWS Config in any member AWS account of the AWS Organization to check the security compliance of the credentials on all accounts.
- Store the database credentials using AWS Security Hub to centrally manage the sensitive data and securely transmit it to only those containers that need access to it. Reference the credentials in the ECS task definition file of the ECS Cluster. Secrets are automatically encrypted during transit and at rest. Set up AWS Config Multi-Account Multi-Region Data Aggregator to review the configurations of the credentials across all accounts.
A social media website is implementing an authentication system that allows its users to be authenticated using their social identity providers such as Twitter, Facebook, and Google. Users can log in to the site, which will allow them to upload their selfies, memes, and other media files to an S3 bucket. There is also a requirement to support guest user access to certain sections of the website as an additional feature. Which of the following should the Security Engineer do to accomplish this task?
- Integrate the social media website with AWS Single Sign-On (SSO).
- Set up an Identity Pool in Amazon Cognito. Configure the Identity Pool to allow access to unauthenticated identities.
- Set up a custom identity broker that integrates with the AWS Security Token Service and supports unauthenticated access.
- Set up a User Pool in Amazon Cognito. Configure the User Pool to allow access to unauthenticated identities.
A developer is writing a shell script that calls the AWS CLI to control the resources in the development environment. The EC2 instance that is being used contains the access keys and the IAM role, which are used to run the AWS CLI. The Security Administrator gave the developer a new set of access key credentials with another IAM role that allows access to the production environment. The developer needs to refactor the script to easily switch from one IAM role to another. What is the EASIEST way to satisfy this requirement?
- Set up a new instance profile in the AWS CLI configuration file. Refactor the shell script to append the --profile parameter in the AWS CLI command, including the new profile name.
- Store the access key and the secret access key of the production environment in the user data of the instance. Call the credentials whenever you need to access the production environment.
- Store the access keys of the production environment in the instance metadata. Directly use the keys whenever you need to access the production environment.
- Set up a new profile for the role in the AWS CLI configuration file. Refactor the shell script to append the --profile parameter in the AWS CLI command, including the new profile name.
A government entity developed an online portal for gathering population and migration data in your city. The household information uploaded to the portal is stored in encrypted files in an Amazon S3 bucket, and the indexes are saved in a DynamoDB table. The government wants to verify that the data access configuration meets the strict compliance standards. They should also be alerted if there is any risk of unauthorized access or suspicious access patterns. Which of the following solutions is a necessary step to meet the above requirements?
- Set up Amazon Macie to monitor and detect usage patterns on your S3 data.
- Set up Amazon Rekognition to monitor and recognize patterns on your S3 data.
- Set up Amazon GuardDuty to monitor malicious activity on your S3 data.
- Set up Amazon Inspector to alert you whenever a security violation is detected on your S3 data.
An organization needs to control access to its cloud resources in AWS by using identities and groups defined in its existing Microsoft Active Directory. The Security Engineer is tasked to map the permissions of the Active Directory user attributes to the AWS services. What should the Engineer do in this scenario?
- Use IAM Groups to map the permissions of the Active Directory user attributes to the AWS services.
- Use IAM Users to map the permissions of the Active Directory user attributes to the AWS services.
- Use IAM Roles to map the permissions of the Active Directory user attributes to the AWS services.
- Use Service Control Policies (SCPs) to map the permissions of the Active Directory user attributes to the AWS services.
A company is planning to migrate its on-premises application to AWS. The application will be hosted in Elastic Beanstalk, which uses an external RDS database and an S3 bucket configured to use Server-Side Encryption with Customer-Provided Encryption Keys (SSE-C). In this configuration, Amazon S3 does not store the encryption key you provide but instead, stores a randomly salted hash-based message authentication code (HMAC) value of the encryption key in order to validate future requests. The Security Engineer was assigned to implement the required security measures for the application. Which of the following is a valid consideration that the Engineer should keep in mind when implementing this architecture?
- The salted HMAC value can be used to decrypt the S3 object in the event that you lose the encryption key.
- The salted HMAC value can be used to decrypt the contents of the encrypted object.
- You will lose access to the S3 object if you lose the encryption key.
- The salted HMAC value can be used to derive the value of the encryption key.