Test 3

A detailed illustration of cloud security concepts with elements like AWS symbols, lock icons, EC2 instances, and CloudFront distributions in a vibrant color scheme.

AWS Security Specialty Quiz

Test your knowledge of AWS security practices with this comprehensive quiz designed for professionals looking to deepen their understanding of cloud security. It covers a range of topics, including compliance, access management, log monitoring, and incident response.

Upon completion, you will:

  • Enhance your AWS security skills
  • Prepare for certification examinations
  • Identify gaps in your knowledge
15 Questions · 4 Minutes · Created by GuardingFalcon457

The IT Security team recently discovered a vulnerability in the old operating systems of several EC2 instances. The team needs to immediately mitigate the security risk to safeguard the company’s applications from various cyber security attacks. For audit purposes, there is also a need to record all of the changes to patch and association compliance statuses. Which of the following is the MOST suitable solution in this scenario?

  • Use AWS Systems Manager Patch Manager to easily deploy the OS patches for the outdated EC2 instances. Set up AWS Config to record and track any configuration changes.
  • Configure the Amazon EC2 instances to automatically install the OS patches on a weekly basis.
  • Deploy the OS patches for the outdated EC2 instances using AWS Systems Manager Sessions Manager. Integrate Amazon QuickSight with Kibana to record and track any configuration changes.
  • Set up AWS Systems Manager Patch Manager to deploy the patches for the EC2 instances with old operating systems. Use Amazon ES to record and track any configuration changes.

An enterprise monitoring application collects data and generates audit logs of all operational activities of the company’s AWS Cloud infrastructure. The IT Security team requires that the application retain the logs for 5 years before the data can be deleted. How can the Security Engineer meet the above requirement?

  • Use Amazon S3 to store the audit logs and enable Multi-Factor Authentication Delete (MFA Delete) for additional protection.
  • Use Amazon S3 Glacier to store the audit logs and apply a Vault Lock policy.
  • Use Amazon EBS Volumes to store the audit logs and take automated EBS snapshots every month using Amazon Data Lifecycle Manager.
  • Use Amazon EFS to store the audit logs and enable the Network File System version 4 (NFSv4) file-locking mechanism.

A startup has a single AWS account that hosts its applications. Its Security Engineer has been instructed to provision S3 access to all authorized employees. This will enable them to access both the S3 bucket and the objects in it. What type of policies should the Engineer use to grant the necessary permission? (Select TWO.)

  • Bucket policy
  • Multi-factor Authentication (MFA) policy
  • IAM User policy
  • Routing policy
  • Service Control Policy (SCP)

The application logs of an online customer portal hosted in Elastic Beanstalk are delivered to CloudWatch by a running CloudWatch Logs agent. After a few hours, the delivery of the logs to the associated log stream abruptly stopped. Which of the following options must be done to properly investigate this issue? (Select TWO.)

  • Check for duplicates in the [logstream] section of the agent configuration file.
  • Verify that there are no recent changes in the settings of the Amazon DynamoDB stream that handles the log delivery from the CloudWatch Logs Agent in the server to CloudWatch Logs.
  • Check if the log file integrity validation feature of CloudWatch Logs Agent was accidentally enabled.
  • Check the configured log rotation rules of the application and ensure that they are compatible with the CloudWatch Logs Agent streaming configuration.
  • Verify that there are no recent changes in the settings of the Amazon Kinesis data stream that handles the log delivery from the CloudWatch Logs Agent in the server to CloudWatch Logs.

After migrating the DNS records of a domain to Route 53, a company configured logging of public DNS queries. After a week, the company realized that log data were accumulating quickly. The company is worried that this might incur high storage fees in the long run, so they want logs older than 1 month to be deleted. Which action will resolve the problem most cost-effectively?

  • Create a scheduled job using a Lambda function to export logs from CloudWatch Logs to an S3 bucket. Set an S3 lifecycle policy that deletes objects older than 1 month.
  • Configure CloudWatch Logs to export log data to an S3 bucket. Set an S3 lifecycle policy that deletes objects older than 1 month.
  • Change the destination of the DNS query logs to S3 Glacier Deep Archive.
  • Configure a retention policy in CloudWatch Logs to delete logs older than 1 month.

An organization is implementing a security policy in which their cloud-based users must be contained in a separate authentication domain and prevented from accessing on-premises systems. Their IT Operations team is launching and maintaining a number of Amazon RDS for SQL Server databases and EC2 instances. The organization also has an on-premises Active Directory service that contains the administrator accounts that must have access to the databases and EC2 instances. How would the Security Engineer manage the AWS resources of the organization in the MOST secure manner? (Select TWO.)

  • Using AWS Directory Service, set up an AWS Managed Microsoft AD to manage the RDS databases and EC2 instances.
  • Set up and configure AWS Service Catalog to manage the RDS databases and EC2 instances.
  • Set up a one-way incoming trust in the existing on-premises Active Directory and a one-way outgoing trust in the new Active Directory in AWS.
  • Set up a two-way trust relationship between the new Active Directory in AWS and the existing Active Directory service in the on-premises data center.
  • Set up a one-way incoming trust relationship in the new Active Directory in AWS and a one-way outgoing trust in the existing on-premises Active Directory.

An organization has a serverless application in AWS that is comprised of Amazon API Gateway and several Lambda functions, and sits behind a CloudFront distribution. A Security Engineer has been instructed to apply additional protection to the application by including the X-Content-Type-Options, X-Frame-Options, and X-XSS-Protection HTTP security headers, without changing the application source code. Which of the following approaches would meet this requirement?

  • Enable DNSSEC in the Amazon Route 53 record of the serverless application.
  • Launch an AWS WAF custom rule to add the required security headers by using a regular expression (RegEx) match condition.
  • Configure the CloudFront distribution to use signed cookies.
  • Add the required HTTP security headers using Lambda@Edge and CloudFront.

An online system is hosted in EC2 instances with multiple ENIs behind an Application Load Balancer that has a virtual security appliance that prevents network attacks and data breaches. There is one specific instance that is not properly receiving inbound connections originating from the public Internet. All other servers are working perfectly. The Administrator already verified that the rule sets configured in the Security Groups, Network ACL, and the virtual appliance are all correct. Which of the following are valid actions to take to further troubleshoot this issue? (Select TWO.)

  • Ensure that the 0.0.0.0/0 route in the public subnet goes to a NAT gateway.
  • Check if the instance is registered as a target in the Application Load Balancer.
  • Ensure that the IP address of the instance is not explicitly blocked in the AWS Security Hub.
  • Check if the correct ENI of the defective instance is properly mapped to the proper security group and not to another ENI.
  • Ensure that the IP address of the instance is not explicitly blocked in Amazon GuardDuty.

A company has a monitoring solution in AWS that tracks all configuration changes to the security groups of their VPCs. An Amazon CloudWatch alarm is already in place to monitor the AWS CloudTrail log events and send out email notifications immediately to the Security team. The Operations team added a new inbound rule to a security group but there was no notification sent at all. Which of the following steps should be done to properly troubleshoot the issue? (Select TWO.)

  • Ensure that the Filter Pattern includes the AuthorizeSecurityGroupIngress event in CloudWatch Alarm.
  • Ensure that a metric filter was created in CloudWatch Alarm with a correct Filter Pattern and a Metric Value of 1.
  • Verify that a metric filter was created in CloudWatch Alarm with a Metric Value of 10 with a correct Filter Pattern.
  • Use Amazon Inspector to periodically scan all security groups and monitor if there are any modifications.
  • Verify that the Filter Pattern includes the CreateNetworkAclEntry event in CloudWatch Alarm.

A company has a suite of web applications hosted in several EC2 instances. Recently, the IT Operations team identified that one of the instances has been compromised. The team needs to improve the network security of their cloud resources in AWS. Which of the following should the team do in this scenario? (Select TWO.)

  • Use VPC Flow Logs to monitor the traffic that reaches your instances.
  • Use AWS Security Hub to check for unintended network accessibility from your instances.
  • Use AWS Audit Manager to enable automatic key rotation on all AWS-managed CMKs, which rotates the keys every year.
  • Use AWS Systems Manager State Manager to access your instances remotely instead of opening inbound RDP ports.
  • Attach an AWS Network Firewall to the VPC to enable instances in a private subnet to connect to the internet but prevent the internet from initiating a connection with those instances.

An e-commerce website is hosted in an Auto Scaling group of EC2 instances behind an Application Load Balancer (ALB) in us-west-1. The static assets are being cached using Amazon CloudFront. A Security Administrator has been instructed to modify the architecture to require HTTPS between the clients and CloudFront. The traffic between CloudFront and the ALB should be encrypted using HTTPS as well. A custom domain name was already registered for the CloudFront distribution. Which combination of steps should the Administrator do next? (Select TWO.)

  • In the us-west-1 region, request a public AWS Certificate Manager (ACM) certificate for the custom domain name. Use this certificate to enable HTTPS between CloudFront and the clients.
  • Use Lambda@Edge to allow HTTPS connections between the client and CloudFront.
  • Request a public AWS Certificate Manager (ACM) certificate in the us-west-1 region and associate it with the ALB to enable an HTTPS connection between CloudFront and the ALB.
  • Request a public AWS Certificate Manager (ACM) certificate in the us-east-1 region and associate it with the ALB to enable an HTTPS connection between CloudFront and the ALB.
  • In the us-east-1 region, request a public AWS Certificate Manager (ACM) certificate for the custom domain name. Use this certificate to enable HTTPS between CloudFront and the clients.

A company is developing an online customer portal in AWS. There is a requirement to create and control the encryption keys used to encrypt your data using the envelope encryption strategy to comply with the strict IT security policy of the company. Which of the following statements correctly describes the envelope encryption process?

  • It is a process where you encrypt plaintext data with a data key and then encrypt the data key with a top-level plaintext master key.
  • It is a process where you encrypt plaintext data with a master key and then encrypt the master key with a top-level plaintext data key.
  • It is a process where you encrypt plaintext data with a data key and then encrypt the data key with a top-level encrypted master key.
  • It is a process where you encrypt plaintext data with a master key and then encrypt the master key with a top-level encrypted data key.

A company has a hybrid cloud architecture that integrates its on-premises network and cloud resources in AWS. A custom BIND DNS server is launched in AWS to enable the Domain Name System Security Extensions (DNSSEC) protocol for securing DNS traffic from spoofing or man-in-the-middle attacks. There is a requirement to prevent the EC2 instances from using the Amazon-provided DNS in the VPC. What is the BEST way to accomplish this requirement?

  • Set all traffic going to the Amazon DNS server IP address 169.254.169.253 into a blackhole state by routing it to a specific gateway that isn’t attached to the VPC.
  • Set the enableDnsHostnames and enableDnsSupport attributes in the VPC to false to disable DNS resolution in the VPC.
  • Configure all the security groups to deny access to the Amazon DNS server IP address 169.254.169.253.
  • Configure all the Network ACLs to deny access to the Amazon DNS server IP address 169.254.169.253.

A website is hosted in an Auto Scaling group of EC2 instances behind an Application Load Balancer in the US West (N. California) region. There is a new requirement to place a CloudFront distribution in front of the load balancer to improve the site’s latency and lower the load on the origin servers. The Security Engineer must implement HTTPS communication from the client to CloudFront and then from CloudFront to the load balancer. A custom domain name must be used for your distribution and the SSL/TLS certificate should be generated from AWS Certificate Manager (ACM). How many certificates should be generated by the Engineer in this scenario?

  • Generate one certificate in the US West (N. California) region.
  • Generate one certificate in the US West (N. California) region and one in the US East (Virginia) region.
  • Generate two certificates in the US West (N. California) region.
  • Generate one certificate in the US West (N. California) region and use the CloudFront default certificate in the US East (Virginia) region.

A company has an application that runs on several EC2 instances behind an Application Load Balancer (ALB). A CloudFront web distribution is placed in front of the ALB to support the global users of the application. Recently, the Security Engineer noticed a sudden spike in traffic that might indicate a potential DDoS event. The login page of the application is being flooded with HTTP requests from multiple geographic locations with the User-Agent set to: Mozilla/5.0 (compatible; DojoHack; Macintosh; Intel Mac OS X 10.13; rv:74.0). What mitigation can the Engineer apply to block attacks while continuing to service legitimate requests?

  • Integrate AWS WAF on each EC2 instance. Set up a cross-site scripting (XSS) attack rule in AWS WAF to limit the incoming requests to the login page that have a User-Agent header set to: Mozilla/5.0 (compatible; DojoHack; Macintosh; Intel Mac OS X 10.13; rv:74.0).
  • Integrate AWS WAF on each EC2 instance. Set up an SQL injection attack rule in AWS WAF to limit the total number of incoming requests to the login page.
  • Integrate AWS WAF with the ALB. Set up an IP set match rule in AWS WAF to block the suspicious requests to the login page.
  • Integrate AWS WAF with the ALB. Set up a rate-based rule in AWS WAF to limit the incoming requests to the login page that have a User-Agent header set to: Mozilla/5.0 (compatible; DojoHack; Macintosh; Intel Mac OS X 10.13; rv:74.0).