(Test2)Quiz #3
AWS Security and Compliance Quiz
Test your knowledge on AWS security best practices with our engaging quiz! This quiz comprises various questions designed to assess your understanding of AWS services, security measures, and compliance standards.
Whether you are preparing for certification, brushing up your skills, or simply curious, this quiz offers:
- Challenging questions across multiple topics
- Insights into AWS services and governance
- Immediate feedback on your answers
A company wants to launch a multitier web application in which the application servers are hosted on Amazon EC2 instances behind an Application Load Balancer. These EC2 instances require access to credentials that they will use to authenticate their SQL connections to an Amazon RDS database. The application is also using several AWS Lambda functions to issue queries to the database using the same database credentials. The Security Engineer is instructed to store the credentials so that both EC2 instances and the Lambda functions can access them. For audit purposes, access logs must also be recorded to track when the credentials were accessed and by whom. What should the Engineer do to satisfy the above requirements?
- Use AWS KMS to store the database credentials. Set up an IAM role with access to KMS by using the EC2 and Lambda service principals in the role's trust policy. Add the IAM role to an EC2 instance profile then attach the profile to the EC2 instances and the Lambda functions.
- Use AWS Secrets Manager to store the database credentials. Set up an IAM role with access to Secrets Manager by using the EC2 and Lambda service principals in the role's trust policy. Add the IAM role to an EC2 instance profile and then attach the profile to the EC2 instances and the Lambda functions.
- Use AWS Secrets Manager to store the database credentials. Set up an IAM role with access to Secrets Manager by using the EC2 and Lambda service principals in the role's trust policy. Add the IAM role to an EC2 instance profile then attach the profile to the EC2 instances. Configure the Lambda functions to use the new IAM role for execution.
- Use AWS Key Management Service (AWS KMS) to store the database credentials. Set up an IAM role with access to AWS KMS by using the EC2 and Lambda service principals in the role's trust policy. Add the role to an instance profile then attach the profile to the EC2 instances. Configure the Lambda functions to use the new role for execution.
An organization has created multiple accounts in AWS to support the rapid growth of its cloud services. The multiple accounts are used to separate its various departments such as finance, human resources, engineering, and many others. Each account is managed by a Systems Administrator who has root access for that specific account only. There is a requirement to centrally manage policies across multiple AWS accounts by allowing or denying particular AWS services for individual accounts, or for groups of accounts. Which is the most suitable solution that the Security Engineer should implement with the LEAST amount of complexity?
- Set up cross-account access to each of the AWS accounts of the company to connect all departments. Set up and attach IAM policies to your resources based on their respective departments to control access.
- Control the list of AWS services that can be used by each member account using AWS Organizations and Service Control Policies.
- Set up Identity Federation to provide access to externally authenticated users. Configure an IAM role to specify permissions for users from each department whose identity is federated from your organization or a third-party identity provider.
- Connect all AWS accounts of each department by setting up AWS Organizations and Organizational Units (OU). Set up a custom IAM Policy to allow or deny the use of certain AWS services for each account.
A company is using Amazon Athena with Amazon QuickSight to visualize the AWS CloudTrail logs. The Security Administrator created a custom Athena query that reads the CloudTrail logs and checks if there are IAM user accounts or credentials created in the past 29, 30 or 31 days (depending on the current month). However, the Administrator always gets an Insufficient Permissions error whenever she tries to run the query from Amazon QuickSight. What is the MOST suitable solution that the Administrator should do to fix this issue?
- Disable the Log File Integrity feature in AWS CloudTrail.
- Enable Cross-Origin Resource Sharing (CORS) in the S3 bucket that is used by Athena.
- Use the AWS Account Root User to run the Athena query from Amazon QuickSight.
- Make sure that Amazon QuickSight can access the S3 buckets used by Athena.
The Security team has been tasked to simplify the management of AWS WAF, AWS Shield Advanced, and Amazon VPC security groups, as well as maintenance tasks, across multiple accounts and resources. Which of the following is the MOST suitable service that the team should use?
- AWS Systems Manager
- AWS Resource Access Manager (RAM)
- AWS Security Hub
- AWS Firewall Manager
A company wants to block all traffic to their Amazon S3 bucket except for the traffic coming from an EC2 instance in their VPC or from an authorized external IP address that its Security Administrator specifies. Which steps could be taken to accomplish this task without incurring any extra costs? (Select TWO.)
- Set up an S3 bucket policy with an aws:CalledVia condition that blocks traffic to the bucket unless the request is from an authorized external IP address.
- Create a VPC Gateway endpoint for the S3 bucket that is attached to the route table of the EC2 instance's subnet. Ensure that the VPC endpoint is in the same AWS Region as the bucket. Set up a bucket policy with an aws:sourceVpce condition that blocks traffic to the bucket unless the request is from a specified VPC endpoint.
- Create a VPC Interface endpoint for the S3 bucket that is attached to the route table of the EC2 instance's subnet. Ensure that the VPC endpoint is in the same AWS Region as the bucket. Set up a bucket policy with an aws:sourceVpc condition that blocks traffic to the bucket unless the request is from a specified VPC endpoint.
- Set up a bucket policy with an aws:SourceIp condition that blocks traffic to the bucket unless the request is from an authorized external IP address.
- Create a VPC Interface endpoint for the S3 bucket that is attached to the route table of the EC2 instance's subnet. Ensure that the VPC endpoint is in a different AWS Region from the bucket. Set up a bucket policy with an aws:sourceVpce condition that blocks traffic to the bucket unless the request is from a specified VPC endpoint.
An organization is planning to launch its web application with an Amazon RDS MariaDB database to serve its clients worldwide. The application will run on both on-premises servers as well as Reserved EC2 instances. The database credentials must be encrypted both at rest and in transit. Their Security Engineer is tasked to manage all of the security aspects of the application architecture. How should the Engineer automate the deployment process of the application in the MOST secure manner?
- Use AWS Secrets Manager and upload the database credentials with key rotation. Prepare a new IAM role that enables access and decryption of the database credentials then associate this role to all on-premises servers and EC2 instances. Use Elastic Beanstalk to host and manage the application on both on-premises servers and EC2 instances. Deploy the succeeding application revisions to AWS and on-premises servers using Elastic Beanstalk.
- Use AWS Systems Manager Parameter Store and upload the database credentials with a Secure String data type. Prepare a new IAM role with an attached policy that enables access and decryption of the database credentials then associate this role to all on-premises servers and EC2 instances. Deploy the application packages to the EC2 instances and on-premises servers using AWS CodeDeploy.
- Use AWS Systems Manager Parameter Store and upload the database credentials with a Secure String data type. Prepare a new IAM policy that enables access and decryption of the database credentials then attach this IAM policy to the instance profile for CodeDeploy-managed instances. Attach the same policy to the on-premises instances. Using AWS CodeDeploy, launch the application packages to the Amazon EC2 instances and on-premises servers.
- Use AWS Systems Manager Parameter Store and upload the database credentials with a Secure String data type. Prepare a new IAM role that enables access and decryption of the database credentials then associate this role to all on-premises servers and EC2 instances. Use Elastic Beanstalk to host and manage the application on both on-premises servers and EC2 instances. Deploy the succeeding application revisions to AWS and on-premises servers using Elastic Beanstalk.
A financial company is using hundreds of Amazon S3 buckets to store sensitive corporate files. There is a requirement to improve the security of the data stored in S3 buckets. The files must be encrypted in transit and also at rest. Any object retrievals must be logged using AWS CloudTrail for audit purposes. What should the Security Engineer implement to satisfy the above security requirements? (Select THREE.)
- Add the { "Bool": { "aws:SecureTransport": "false" } } condition inside a deny statement in the S3 bucket policy.
- Modify the security group of the Amazon S3 bucket to only allow access via port 443.
- Enable S3 Events Notification.
- Enable default encryption in the S3 bucket.
- Enable object-level logging in the S3 bucket to log data events.
- Enable S3 object versioning for the S3 bucket.
You have created a Lambda function that requires access to an RDS MySQL database. You did not store the database password inside your function code, but instead, you stored it as a "SecureString" type parameter on AWS Systems Manager Parameter Store. You have also added the ssm:GetParameter permission on the IAM execution role of your function to enable the retrieval of the database password. Upon testing, your API does not function properly, and you suspect that the database password is not retrieved when the function runs. Which of the following is the possible reason for this?
- The Lambda function execution role needs the ssm:DecryptParameter permission to retrieve and decrypt the password stored on Parameter Store.
- Your Lambda function is not associated with the VPC where the RDS instance is hosted. Instead, you should use a Lambda Environment Variable configured with the default settings for easier retrieval of credentials.
- The Lambda function execution role needs the secretsmanager:GetSecretValue permission in order to retrieve encrypted values of "SecureString" parameters stored on Parameter Store.
- The Lambda function execution role needs the kms:Decrypt permission to decrypt the password stored on Parameter Store.
A media company runs a Python script that uses the AWS CLI command aws s3 cp to upload a large file to an Amazon S3 bucket, with an AWS KMS key specified for encryption. An Access Denied error always shows up whenever their developers upload a file with a size of 10 GB or more. However, when they try to upload a smaller file with the KMS key, the upload succeeds. Which of the following are potential reasons why this issue is happening? (Select TWO.)
- There is an attached inline policy in the developers' IAM permissions that restricts them from uploading a file with a size of 10 GB or more.
- The kms:Encrypt permission is missing from the IAM policy of the developers.
- 10 GB is the maximum size that can be encrypted in KMS.
- The AWS CLI S3 commands perform a multipart upload when the file is large.
- The IAM policy of the developer does not include the kms:Decrypt permission.
A company has an application hosted in an Auto Scaling group of On-Demand EC2 instances behind a Classic Load Balancer (CLB). The Security Administrator is tasked to secure the application by allowing multiple domains to serve SSL traffic over the same IP address. Which of the following should the Administrator implement to satisfy this requirement?
- Integrate AWS WAF with the Classic Load Balancer to allow multiple domains to serve SSL traffic over the same IP address.
- Create an Elastic IP to allow multiple domains to serve SSL traffic. Upload multiple 3rd party certificates to AWS Certificate Manager and use them in the Classic Load Balancer.
- Create a CloudFront web distribution and generate an SSL certificate from AWS Certificate Manager. Associate the certificate with the CloudFront distribution then enable Server Name Indication (SNI).
- Configure the Classic Load Balancer to use Server Name Indication (SNI).
The IT Security team of an organization recently discovered that several employees placed restricted data in various S3 buckets without any authorization. The team needs to identify all possible S3 objects that contain personally identifiable information (PII) and then determine whether this information has been accessed or not. Any data that may have been exposed would have serious consequences for the organization. What should the Security team do in this situation?
- Enable Amazon Macie on specific Amazon S3 buckets and perform the required data classification. Use AWS CloudTrail to determine if the objects with personally identifiable information (PII) have been recently accessed by tracking the GET API calls that are used to fetch these objects.
- Set up Amazon GuardDuty to detect personally identifiable information (PII) on the specific S3 buckets and perform the required data classification. Use AWS CloudTrail to determine if the objects with PII have been recently accessed by tracking the GET API calls that are used to fetch these objects.
- Enable Amazon Inspector on specific Amazon S3 buckets and perform the required data classification. Use AWS CloudTrail to determine if the objects with personally identifiable information (PII) have been recently accessed by tracking the FETCH API calls that are used to fetch these objects.
- Set up Amazon Athena to detect personally identifiable information (PII) on the specific S3 buckets and to perform the required data classification. Use Amazon CloudWatch to determine if the objects with PII have been recently accessed by tracking the GET API calls that are used to fetch these objects.
You are storing sensitive information for each user in a DynamoDB table. The entries are encrypted using a customer managed CMK to ensure that they are not easily readable by other users. However, other privileged users may have permissions to both read and write to the DynamoDB table. These users could possibly swap encrypted entries inside the table and view them as their own. To prevent this, you want to enable authenticated encryption by including additional authenticated data (AAD) such as email address and username on the ciphertext. Which of the following options will help you achieve this?
- Use a Master Key for an additional layer of encryption for your encrypted data. This will require the email address and username to correctly decrypt your data.
- Use AuthenticationContext to require context information such as the email address and username when decrypting your data.
- Use EncryptionContext to require additional information such as the email address and username when decrypting your data.
- Use EnvelopeEncryption for an additional layer of protection to your encrypted data. This will require the email address and username entry to correctly decrypt your data.
The InfoSec team is responsible for reviewing AWS API call activities to detect security violations across all AWS Regions in which the company's cloud resources are used. The events must be recorded and stored in a centralized location for both current and future AWS Regions. Which of the following is the SIMPLEST solution to satisfy the above requirements?
- Create a new trail in AWS CloudTrail and apply the trail to all AWS Regions. Use a single S3 bucket as the centralized storage location of the CloudTrail logs.
- Use the security checks in AWS Trusted Advisor to review the AWS API call activities and detect security violations across all AWS Regions.
- Create a new trail in AWS CloudTrail for each AWS Region. Use a single S3 bucket as the centralized storage location of the CloudTrail logs.
- Use Amazon CloudWatch to track all API call activities across all AWS Regions. Aggregate the collected metrics into a single S3 bucket.
The Security team wants to delegate user creation duties to the SysOps Administrator. However, the team must ensure that the SysOps Administrator creates users that adhere to the following company rules:
- Users cannot use IAM to create or manage users, groups, roles, or policies.
- Users are denied access to the Amazon S3 logs bucket and cannot access production EC2 instances.
How can the team fulfill this task?
- Delegate the user creation duties using Permissions Boundaries.
- Delegate the user creation duties using Service Control Policies (SCPs).
- Delegate the user creation duties using Session Policies.
- Delegate the user creation duties using Resource-Based Policies.
An application is hosted in multiple EC2 instances behind an Application Load Balancer that allows a number of remote employees to send and process corporate data files. The Security Engineer noticed that data files are not encrypted while in transit over the public Internet. What is the EASIEST solution to resolve this security risk?
- Set up a Direct Connect Gateway in AWS and establish a Direct Connect connection for each employee's home network.
- Integrate AWS KMS with the application in AWS. Use the KMS Encrypt API to encrypt all the data going to AWS and then use the KMS Decrypt API on the servers to process the sent data.
- Provision an SSL certificate to the ALB using AWS Certificate Manager.
- Use AWS Shield Advanced to protect the data in transit.