Test 2 Quiz 1
AWS Security and Compliance Quiz
Test your knowledge on AWS security features, compliance strategies, and best practices in this comprehensive quiz designed for IT professionals and enthusiasts alike.
Explore key topics including:
- AWS IAM Roles and Policies
- Application Security
- Data Protection Strategies
- Infrastructure Monitoring
A company has several accounts integrated with AWS Organizations, with all features enabled and consolidated billing. The CTO is planning to restrict the capabilities of the root user accounts to further tighten the infrastructure security. The top-level account is primarily used for billing and administrative purposes, while the other accounts are for systems operations. Each department can have one or more AWS accounts. What is the MOST suitable solution to restrict usage of member root user accounts across the organization?
- Enable multi-factor authentication (MFA) of the root user account for each organizational member account.
- Set up IAM user policies to restrict root account capabilities for each member account in AWS Organizations.
- Set up an organizational unit (OU) in AWS Organizations with a Service Control Policy (SCP) that controls usage of the root user. Include all systems operation accounts in the new OU.
- Attach a unique External ID to each account. Use AWS Service Catalog to restrict the capabilities of the root user accounts.

An organization has several web applications hosted in On-Demand Amazon EC2 instances. The InfoSec team has been tasked to set up a monitoring solution that will centrally collect all of the application logs from the instances. What is the MOST efficient way to satisfy this requirement?
- Set up and install the CloudWatch Logs Agent on the EC2 instances. Configure the agent to send the application logs to Amazon CloudWatch Logs.
- Enable AWS CloudTrail logging for the account that will automatically track and collect the application logs from the EC2 instances. Configure Amazon CloudWatch to receive the application logs from CloudTrail.
- Set up Systems Manager Session Manager to automatically collect the application logs from the EC2 instances.
- Develop a function in AWS Lambda that connects into the EC2 instance via SSH. Configure the function to pull the application logs from the instance and store them into an Amazon S3 bucket.

A new security policy requires encrypting in transit all communications between the company’s on-premises servers and Amazon EC2 instances. The servers communicate using custom proprietary protocols. The EC2 instances must be placed behind a load balancer to improve availability and scalability.
- Pass the entire TLS traffic through a Network Load Balancer (NLB). Terminate the TLS connection on the Amazon EC2 instances.
- Set up an HTTPS listener in an Application Load Balancer (ALB). Route the entire traffic through the load balancer to terminate the connection on the Amazon EC2 instances.
- Import an SSL certificate to an Application Load Balancer (ALB) and create an HTTPS listener. Offload the SSL termination at the ALB.
- Import a TLS certificate to a Network Load Balancer (NLB) and create a TLS listener. Offload the TLS termination at the NLB.

A financial organization hired a 3rd party company to audit all of its AWS accounts in compliance with the country’s strict data security laws. The Security Engineer already created the cross-account IAM roles for each AWS account. The Engineer also applied a system to prevent the other customers of the 3rd party company from accessing the accounts. However, the IT auditor is still having an issue accessing accounts that hampers the audit procedure. Which of the following are the potential causes of this issue? (Select THREE.)
- The IT auditor is using a wrong access key and secret key combination.
- In the IAM Role of the IT auditor, the attached permission policy does not have the sts:GetAccessKeyInfo action.
- The attached permission policy in the IAM Role of the IT auditor doesn’t have the sts:AssumeRole action.
- The IAM Role ARN used by the IT auditor is incorrect.
- The IT auditor is using an incorrect password to access the AWS accounts.
- The IT auditor is using an incorrect External ID.

An organization is planning to launch an application that will store sensitive files in three Amazon S3 buckets based on a data classification scheme of Restricted, Private, and Public. The solution must encrypt each object using a unique key, and AWS KMS must be set to automatically rotate encryption keys annually. Moreover, access to files in the Restricted bucket must be protected by two-factor authentication. Which of the following solutions will satisfy the above requirement?
- Create a Customer Managed key for each data classification type. Enable the rotation of keys annually. Set up an MFA policy within the key policy for the Restricted CMK. Encrypt the files using Server-Side Encryption with CMKs Stored in AWS Key Management Service (SSE-KMS).
- Create a Customer Managed key for each data classification type and enable the rotation of keys annually. Encrypt the files using Server-Side Encryption with CMKs Stored in AWS Key Management Service (SSE-KMS). Configure MFA (multi-factor authentication) delete on the Restricted bucket.
- Create a Customer Managed key for each data classification type with aws:MultiFactorAuthPresent and kms:EnableKeyRotation elements set to true. Configure a policy that will allow Amazon S3 to use the grants to encrypt each file with a unique CMK.
- Create a Customer Managed Key with unique imported key material for each data classification type. Enable the rotation of keys annually. Define the MFA policy in the key policy for the Restricted key material. Encrypt the files using Server-Side Encryption with CMKs Stored in AWS Key Management Service (SSE-KMS).

A company is using hundreds of Linux EC2 instances to run its suite of web applications. The Security team needs to implement a system that verifies that all of the EC2 instances are using the approved Amazon Machine Image (AMI). The solution should notify the team if there are non-compliant EC2 instances in the corporate VPC. Which of the following actions should the team implement?
- On each EC2 instance, install the CloudWatch Logs agent that will determine if the EC2 instance is using an unapproved AMI. Configure the agent to automatically send email notifications to the Security team and push the data to Amazon CloudWatch for proper monitoring.
- Set up Amazon GuardDuty to continuously detect if there is an instance that is using an unapproved AMI. Use CloudWatch Alarms to notify you if there are any non-compliant instances running in your VPC.
- Configure AWS Shield Advanced to automatically detect non-compliant EC2 instances that do not use approved AMIs.
- Use the approved-amis-by-id managed rule in AWS Config to automatically check whether all running EC2 instances are using approved AMIs. Set up CloudWatch Alarms to notify the team if there are any non-compliant instances running in the VPC.

An organization has a web application hosted in a fleet of EC2 instances that publishes custom metrics to Amazon CloudWatch. After a few days, the IT Operations team noticed that the metrics are no longer sent to CloudWatch. The Security Administrator noticed that there has been a recent change in the IAM policy that is used by the application. The issue must be fixed immediately without compromising security. Which of the following is the LEAST permissive solution that the Administrator should grant in this scenario?
- Add cloudwatch:putMetricData permission in the IAM Policy.
- Add the CloudWatchActionsEC2Access managed policy.
- In the IAM role used by the application, add a trust relationship and specify cloudwatch.amazonaws.com as the principal.
- Add the CloudWatchFullAccess managed policy.

The InfoSec team is designing a solution that allows the Incident Response team to audit any IAM permission changes of any IAM User. In the event of a security incident, the team should be able to track the changes in each user’s IAM permissions. It should also show the permissions that belonged to a user at a specific time. How can this task be accomplished?
- Review the IAM policy assigned to the IAM users before and after the security incident using AWS Config.
- Develop a Lambda function that invokes the GenerateCredentialReport API action. Integrate Amazon EventBridge and AWS Lambda to run the process every day. Copy and store the results to an Amazon S3 bucket.
- Track and review the IAM policy changes using Amazon GuardDuty.
- Audit the IAM permission changes of each IAM User using Amazon CloudWatch Logs.

A Solutions Architect is designing an application to fetch the RDS database credentials that are stored as Secure String parameters in AWS Systems Manager Parameter Store. The Security Administrator has been tasked to handle the integration, but she receives an error message every time she tries to encrypt or decrypt a Secure String parameter from the AWS Systems Manager Parameter Store that uses an AWS KMS customer-managed key (CMK). Which of the following options could be responsible for this issue? (Select TWO.)
- The key alias was specified when creating the secure string parameter in the AWS Systems Manager Parameter Store instead of the KeyID parameter of the CMK.
- The credentials that the application is using do not have permission to perform the specified action on the CMK.
- The CMK is disabled.
- The CMK used is symmetric.
- In creating the secure string parameter, the KeyID parameter of the CMK was specified in the AWS Systems Manager Parameter Store instead of the CMK’s Amazon Resource Name (ARN).

An organization uses several EC2 instances to manage and push the regular updates to a fleet of 3,000 Internet of Things (IoT) field devices that monitor the city’s air quality. Each IoT device has unique access credentials used to communicate with the instances. The Security Engineer has been instructed to ensure that access to specific credentials is independently auditable. What is the MOST cost-effective way to manage the storage of credentials?
- Store the credentials in AWS Systems Manager Parameter Store as standard parameters.
- Create a new CMK in AWS KMS, then use this key to encrypt the IoT credentials. Store the encrypted credentials in a DynamoDB database using the Amazon DynamoDB Encryption client.
- Store the IoT credentials using AWS Secrets Manager.
- Store the credentials in an Amazon S3 bucket with Server-Side Encryption with CMKs Stored in AWS Key Management Service (SSE-KMS).

A Security Engineer refactored an application to remove the hardcoded Amazon RDS database credential from the application and store it in AWS Secrets Manager instead. The application works fine after the code change. For improved data security, the Engineer enabled rotation of the credential in Secrets Manager and set the rotation to change every 30 days. The change was done successfully without any issues, but after a short while, the application is getting an authentication error whenever it connects to the database. What is the MOST likely cause of this issue?
- Enabling rotation in AWS Secrets Manager causes the secret to rotate immediately.
- The Security Engineer doesn’t have the SecretsManagerReadWrite permission.
- The Security Engineer doesn't have the required AWS CloudHSM permissions. AWS Secrets Manager encrypts the protected text of a secret by using AWS CloudHSM.
- IAM DB Authentication was accidentally turned off.

A Systems Administrator is configuring the outbound mail of an application through Amazon Simple Email Service (SES). There is a requirement that all connections must be encrypted automatically using Transport Layer Security (TLS) to comply with the company’s IT policy. Which of the following is the correct endpoint and port that the Administrator should use?
- Connect to the email-smtp.us-east-1.amazonaws.com endpoint using port 587.
- Connect to the email-sns.us-east-1.amazonaws.com endpoint using port 25.
- Connect to the email-pop3.us-west-2.amazonaws.com endpoint using port 995.
- Connect to the email-smtp.us-west-2.amazonaws.com endpoint using port 465.

A Software Engineer has developed a web application to monitor the pending/processed orders on the corporate sales server. The application needs to be accessed by the Delivery, Finance, and Admin teams. The Security Administrator decided to integrate Amazon Cognito with the application to provide user sign-in functionality for the members of each team. The Delivery team should be able to update entries in the application, while the Finance team only needs read permissions to verify the flow of orders. Which of the following options will help the Administrator grant distinct permissions for each team member?
- Amazon Cognito Federated Identities
- Amazon Cognito User Pool Groups
- Amazon Cognito Identity Pool
- Amazon Cognito Sync

A company has a multitier online application hosted on several EC2 instances that is publicly accessible around the world. The Security Administrator has already placed the required network access control lists and security groups in the VPC of the application. The web servers are hosted in public subnets behind a public-facing Application Load Balancer, while the application servers are hosted in private subnets. The Administrator needs to enhance the edge security of the cloud architecture to safeguard the EC2 instances against attacks. Which combination of options should be implemented in this scenario? (Select TWO.)
- Migrate the web servers to private subnets without any public IP or Elastic IP addresses.
- Use a NAT Gateway for all the inbound traffic to the application.
- Attach an AWS Direct Connect Gateway to the VPC to establish a dedicated network connection that doesn't traverse the public Internet.
- Launch a new CloudFront distribution and configure geo restriction to prevent users in specific geographic locations from accessing content.
- Integrate AWS WAF with the Application Load Balancer to provide SQL injection and cross-site scripting attack protection for the online application. Launch a new CloudFront distribution and configure it to use AWS WAF.

A company is using Amazon CloudWatch to monitor the application logs from multiple Linux EC2 instances via CloudWatch Logs agents installed in each instance. The agent configuration files have been verified and the log files to be pushed are properly configured. However, the Security Administrator identified that a few EC2 instances were not sending any logs at all. Which actions should be taken to troubleshoot this problem? (Select TWO.)
- Use the AWS Systems Manager Run Command to confirm that the awslogs service is running on all Amazon EC2 instances.
- Ensure that the IAM permissions used by the CloudWatch Logs agent allow putting log events as well as creating log groups and log streams in CloudWatch.
- Use AWS X-Ray to trace and diagnose the CloudWatch Logs agents.
- Enable Detailed Monitoring in CloudWatch.
- Verify any rejected application log entries due to invalid time stamps or corrupted data by reviewing the /var/cloudwatch/rejects.log file.
