Test 3 Quiz 1

AWS Security Best Practices Quiz

Test your knowledge of AWS security practices with our comprehensive quiz designed for security professionals and enthusiasts. This quiz evaluates your understanding of key concepts such as compliance, encryption, IAM policies, and monitoring.

Join us to explore the following topics:

  • Resource Security
  • Key Management
  • Compliance Regulations
  • Incident Response Strategies
15 Questions · 4 Minutes · Created by SecuringCloud101

1. A company is planning to shift its operations to AWS. The security lead is in charge of running continuous security checks on resource configurations against company-defined policies as well as the Center for Internet Security's (CIS) AWS Foundations Benchmarks. How can the security lead fulfill these requirements?

  • Allow Amazon Inspector to scan all Regions for potential vulnerabilities. Use AWS Security Hub to assess whether the findings violate the CIS AWS Foundations Benchmark.
  • Enable AWS Config across all Regions and set it to track all resource configuration changes. Turn on Amazon Inspector and ensure that the CIS AWS Foundations Benchmark is enabled.
  • Allow Amazon Inspector to scan all Regions for potential vulnerabilities. Use Amazon Macie to assess whether the findings violate the CIS AWS Foundations Benchmark.
  • Enable AWS Config across all Regions and set it to track all resource configuration changes. Turn on AWS Security Hub and ensure that the CIS AWS Foundations Benchmark is enabled.

2. A security administrator is developing a solution to encrypt business data stored on a fleet of Elastic Block Store (EBS)-backed EC2 instances. As per the requirement, the key material must expire automatically after 30 days. Which solution meets these requirements?

  • Use an AWS managed KMS key.
  • Use a customer-managed KMS key created with imported key material.
  • Use a customer-managed KMS key created with KMS-generated key material.
  • Use the AWS Encryption SDK.

3. Due to a recent security incident, one of the company's EC2 key pairs in the Ohio Region was compromised. A security admin has been tasked with figuring out which EC2 instances were launched using the compromised key pair. What should the security admin do?

  • Use the aws ec2 describe-instances --filters "Name=key-name,Values=NameOfKeyPair" command to retrieve the list of affected instances.
  • Use the aws ec2 describe-key-pairs --filters "Name=key-name,Values=NameOfKeyPair" command to retrieve the key pair's fingerprint. Contact AWS Support and send them the fingerprint.
  • Log in to the Amazon EC2 console and get the fingerprint of the key pair. Contact AWS Support and send them the fingerprint.
  • SSH to one of the EC2 instances and send a GET request to http://169.254.169.254/latest/meta-data/public-keys/.

4. A company's developer has recently finalized an update to a Lambda function on his local machine. A security engineer must ensure that any updates to the Lambda function are verified for authenticity before deployment to prevent tampering. The engineer has enabled code signing for the Lambda function. Which combination of steps should be taken next to meet the requirement? (Select TWO.)

  • Package the source code in a zip file and upload it to an S3 bucket.
  • Bundle the source code in a folder named lambda_handler and upload it to an S3 bucket.
  • Digitally sign the code using an AWS KMS asymmetric key. Restrict access to the KMS key to the security engineer.
  • Sign the code using an AWS Signer profile.
  • Use Amazon CodeGuru to detect security vulnerabilities in the code.

5. A financial company is using hundreds of Amazon S3 buckets to store sensitive corporate files. There is a requirement to improve the security of the data stored in the S3 buckets. The files must be encrypted in transit and also at rest. Any object retrievals must be logged using AWS CloudTrail for audit purposes. What should the Security Engineer implement to satisfy the above security requirements? (Select THREE.)

  • Add the { "Bool": { "aws:SecureTransport": "false" } } condition inside a deny statement in the S3 bucket policy.
  • Modify the security group of the Amazon S3 bucket to only allow access via port 443.
  • Enable default encryption in the S3 bucket.
  • Enable S3 Event Notifications.
  • Enable object-level logging in the S3 bucket to log data events.
  • Enable S3 object versioning for the S3 bucket.

6. During a security risk assessment, database credentials and API keys were found exposed in the environment variables of an AWS Fargate application. A security engineer is tasked with ensuring that all sensitive data is encrypted both at rest and in transit. Which combination of steps should the security engineer take to complete the task? (Select THREE.)

  • Store the credentials as secrets in AWS Secrets Manager.
  • Designate a task execution role with the correct IAM policies that can read and retrieve secrets from Secrets Manager.
  • Call the GetSecretValue API within the application to pull the credentials from AWS Secrets Manager.
  • Designate a container instance IAM role with the correct IAM policies that can read and retrieve secrets from Secrets Manager.
  • SSH into the AWS Fargate instance, read the credentials from Secrets Manager using the GetSecretValue API, and store them in the environment variables.
  • Store the credentials as a JSON object in Amazon S3 and limit application access through the S3 bucket policy.

7. A Software Engineer has developed a web application to monitor the pending/processed orders on the corporate sales server. The application needs to be accessed by the Delivery, Finance, and Admin teams. The Security Administrator decided to integrate Amazon Cognito into the application to provide user sign-in functionality for the members of each team. The Delivery team should be able to update entries in the application, while the Finance team only needs read permissions to verify the flow of orders. Which of the following options will help the Administrator grant distinct permissions to each team's members?

  • Amazon Cognito User Pool Groups
  • Amazon Cognito Identity Pool
  • Amazon Cognito Sync
  • Amazon Cognito Federated Identities

8. A company has a number of EC2 instances running in its AWS account. After receiving an alert from Amazon GuardDuty about an UnauthorizedAccess:EC2/TorClient finding, a security team wants to determine whether the flagged instance is compromised or not. The company's AWS account has VPC Flow Logs, AWS Config, Amazon Detective, and Amazon Inspector enabled. What steps should the security team take to gather this information?

  • Investigate the VPC Flow Logs using Amazon Detective. Use the From Findings annotations to see the log entries involved in the finding.
  • Review the configuration of the flagged EC2 instance using AWS Config and compare it to a known secure baseline to determine whether it is compromised.
  • Generate findings based on the VPC Flow Logs using AWS Security Hub, then leverage the security score provided by the service to determine whether the flagged instance is compromised.
  • Use Amazon Inspector to assess the finding generated by Amazon GuardDuty. Determine whether the flagged instance is compromised based on Amazon Inspector's risk score.

9. A Security Engineer found out that API logging was disabled in the corporate AWS production account. The Engineer also noticed that the root IAM user was used to create new API keys without approval. What should the Engineer do to detect and automatically remediate these types of security incidents?

  • Review all of the API calls using Amazon Inspector. Configure the Inspector agent to use Amazon SNS topics to notify the Security Engineer of the change to AWS CloudTrail. Revoke the new API keys created by the root user using the Inspector agent.
  • Create a config rule in AWS Config that detects when AWS CloudTrail is disabled. Set another rule to monitor any calls to create-api-key by the root IAM user. Set up an AWS Lambda function to re-enable CloudTrail logs and deactivate the root API keys.
  • Create a CloudWatch event that detects AWS CloudTrail deactivation. Use Amazon Trusted Advisor checks to automatically detect the creation of root API keys. Set up an AWS Lambda function to re-enable CloudTrail logs and deactivate the root API keys.
  • Set up a new CloudTrail event that detects the deactivation of CloudTrail logs. Create another CloudTrail event that detects the creation of root API keys. Set up an AWS Lambda function to re-enable CloudTrail logs and deactivate the root API keys.

10. A security administrator must see to it that products deployed in AWS Service Catalog can be safely launched by end users without them having to use their own IAM credentials, to enforce least-privilege access. Which solution should the security administrator employ?

  • Apply launch constraints to individual products in a portfolio.
  • Apply template constraints to individual products in a portfolio.
  • Set a stack set constraint on individual products in a portfolio.
  • Set a notification constraint to alert the administrator about product-related stack events.

11. A company is running a host intrusion detection system (HIDS) on its EC2 instances to identify malicious activities. These EC2 instances receive traffic from an Application Load Balancer (ALB). The company's security engineer must employ additional security features to improve user privacy without interfering with the HIDS. Which is the MOST secure approach to accomplish the task?

  • Add an HTTPS listener on the ALB that uses Elliptic Curve Diffie-Hellman (ECDHE) cipher suites, send encrypted traffic to the EC2 instances, and enable Perfect Forward Secrecy (PFS).
  • Add a TLS listener on the ALB that uses Elliptic Curve Diffie-Hellman (ECDHE) cipher suites. Terminate and decrypt the connection at the EC2 instances.
  • Add an HTTPS listener on the ALB that uses Elliptic Curve Diffie-Hellman (ECDHE) cipher suites. Decrypt the traffic at the ALB and enable Perfect Forward Secrecy (PFS) on the EC2 instances.
  • Add an HTTPS listener on the ALB that uses non-Elliptic Curve Diffie-Hellman (ECDHE) cipher suites. Terminate and decrypt the connection at the EC2 instances.

12. A company is hosting an application on an EC2 instance that runs within a Virtual Private Cloud (VPC). The application is connected to a proxy server, granting it internet access while blocking requests to known malicious sites. The application and the proxy are located in the same Availability Zone but reside in separate subnets. During a threat assessment, a security analyst discovered that a rogue employee with access to the application's server could exfiltrate sensitive data from an S3 bucket and forward it to their own AWS account. How can the security analyst mitigate the threat without affecting other workloads that might be running in the VPC? (Select TWO.)

  • Modify the S3 bucket policy to only allow requests coming from the private IP address of the EC2 instance.
  • Configure a Network Access Control List (ACL) on the proxy's subnet to block outgoing traffic to S3 endpoints.
  • Use a VPC gateway endpoint to bypass the proxy for traffic to S3 endpoints.
  • Configure a Network Access Control List (ACL) on the application's subnet to block outgoing traffic to S3 endpoints.
  • Update the proxy server's configuration to block outgoing traffic to S3 endpoints.

13. An Amazon CloudFront distribution is serving a single-page application (SPA) for a fitness tracking app. The distribution has a default cache behavior that routes all requests to an S3 bucket origin containing the SPA. The company uses Amazon Cognito APIs to authenticate users. During a security audit, it was discovered that unauthenticated users could download the source code of the SPA. Which combination of actions can prevent unauthenticated users from seeing the SPA code? (Select TWO.)

  • Create an Origin Access Control (OAC) for the CloudFront distribution. Configure the bucket's policy to grant the OAC access.
  • Set up an Amazon Cognito hosted UI page for the login. Modify the default behavior to route unauthenticated users to a function.
  • Isolate the login page from the index page in a separate S3 bucket. Create a new cache behavior that routes the /login path to the new S3 bucket.
  • Create a Lambda@Edge function for the viewer request CloudFront event to handle the logic of serving content to signed-in users and redirecting unauthenticated users to the login page.
  • Create a CloudFront Function for the viewer response CloudFront event to handle the logic of serving content to signed-in users and redirecting unauthenticated users to the login page.

14. A security engineer is designing a monitoring solution for expiring public certificates managed by AWS Certificate Manager (ACM). The certificates are a mixture of imported and managed certificates that were validated through either the DNS or the email method. The security engineer must receive alerts by email when a certificate is nearing its expiration date. What is the MOST operationally efficient way to meet this requirement?

  • Write a Lambda function that lists all certificates and filters on the NotAfter attribute to determine the expiration date. Use the AWS SDK for SNS to send email notifications. Use an Amazon EventBridge cron expression to run the function daily.
  • Build an Amazon CloudWatch alarm based on the DaysToExpiry metric for each certificate ARN in the AWS/CertificateManager namespace. Configure the alarm to publish a notification to an Amazon SNS topic when the value of the DaysToExpiry metric is less than 30 days.
  • Create an Amazon EventBridge rule with ACM Certificate Approaching Expiration as the event pattern and configure an Amazon SNS topic as the target.
  • In AWS Security Hub, enable the AWS Foundational Security Best Practices standard with integrated ACM. Create a custom action rule that matches the NotBefore attribute pattern in the ACM findings, and use an Amazon SNS topic as the target.

15. A security engineer plans to set up AWS CloudTrail in order to record and monitor all AWS API operations across multiple AWS accounts. The log files must be stored in a central repository and secured against unauthorized modifications. Which of the following options will satisfy this requirement? (Select TWO.)

  • Enable AWS Organizations for all AWS accounts and create a Service Control Policy to enable AWS CloudTrail in each member account. Configure the organization trail to write logs directly to the Amazon S3 bucket.
  • Set up an Amazon S3 bucket in the logging account and authorize AWS CloudTrail in the member accounts to write logs to this bucket.
  • Enable server access logging on the Amazon S3 bucket.
  • Enable AWS Organizations across all AWS accounts and log file validation for AWS CloudTrail. Configure the organization trail to write logs directly to the Amazon S3 bucket.
  • Use Amazon Inspector to monitor the Amazon S3 bucket policy.