AWSSecurity.pdf资源-CSDN文库

版权申诉

AWS认证

112 浏览量 2024-04-29 14:12:38 上传评论收藏 6.3MB PDF 举报

资源推荐

资源详情

资源评论

Expert Veried, Online, Free.

 Custom View Settings

Topic 1 - Single Topic

Topic 1

Question #1

The Security team believes that a former employee may have gained unauthorized access to AWS resources sometime in the past 3 months by

using an identied access key.

What approach would enable the Security team to nd out what the former employee may have done within AWS?

A. Use the AWS CloudTrail console to search for user activity.

B. Use the Amazon CloudWatch Logs console to lter CloudTrail data by user.

C. Use AWS Cong to see what actions were taken by the user.

D. Use Amazon Athena to query CloudTrail logs stored in Amazon S3.

Correct Answer:

Community vote distribution

A (100%)

Topic 1

Question #2

A company is storing data in Amazon S3 Glacier. The security engineer implemented a new vault lock policy for 10TB of data and called initiate-

vault-lock operation 12 hours ago. The audit team identied a typo in the policy that is allowing unintended access to the vault.

What is the MOST cost-effective way to correct this?

A. Call the abort-vault-lock operation. Update the policy. Call the initiate-vault-lock operation again.

B. Copy the vault data to a new S3 bucket. Delete the vault. Create a new vault with the data.

C. Update the policy to keep the vault lock in place.

D. Update the policy. Call initiate-vault-lock operation again to apply the new policy.

Correct Answer:

Initiate the lock by attaching a vault lock policy to your vault, which sets the lock to an in-progress state and returns a lock ID. While in the in-

progress state, you have 24 hours to validate your vault lock policy before the lock ID expires.

Use the lock ID to complete the lock process. If the vault lock policy doesn't work as expected, you can abort the lock and restart from the

beginning. For information on how to use the S3 Glacier API to lock a vault, see Locking a Vault by Using the Amazon S3 Glacier API.

Reference:

https://docs.aws.amazon.com/amazonglacier/latest/dev/vault-lock-policy.html

Community vote distribution

A (100%)

Topic 1

Question #9

A threat assessment has identied a risk whereby an internal employee could exltrate sensitive data from production host running inside AWS

(Account 1). The threat was documented as follows:

Threat description: A malicious actor could upload sensitive data from Server X by conguring credentials for an AWS account (Account 2) they

control and uploading data to an Amazon S3 bucket within their control.

Server X has outbound internet access congured via a proxy server. Legitimate access to S3 is required so that the application can upload

encrypted les to an

S3 bucket. Server X is currently using an IAM instance role. The proxy server is not able to inspect any of the server communication due to TLS

encryption.

Which of the following options will mitigate the threat? (Choose two.)

A. Bypass the proxy and use an S3 VPC endpoint with a policy that whitelists only certain S3 buckets within Account 1.

B. Block outbound access to public S3 endpoints on the proxy server.

C. Congure Network ACLs on Server X to deny access to S3 endpoints.

D. Modify the S3 bucket policy for the legitimate bucket to allow access only from the public IP addresses associated with the application

server.

E. Remove the IAM instance role from the application server and save API access keys in a trusted and encrypted application cong le.

Correct Answer:

Community vote distribution

AB (67%) AD (33%)

Topic 1

Question #10

A company will store sensitive documents in three Amazon S3 buckets based on a data classication scheme of `Sensitive,` `Condential,` and

`Restricted.` The security solution must meet all of the following requirements:

Each object must be encrypted using a unique key.

Items that are stored in the `Restricted` bucket require two-factor authentication for decryption.

AWS KMS must automatically rotate encryption keys annually.

Which of the following meets these requirements?

A. Create a Customer Master Key (CMK) for each data classication type, and enable the rotation of it annually. For the €Restricted € CMK,

dene the MFA policy within the key policy. Use S3 SSE-KMS to encrypt the objects.

B. Create a CMK grant for each data classication type with EnableKeyRotation and MultiFactorAuthPresent set to true. S3 can then use the

grants to encrypt each object with a unique CMK.

C. Create a CMK for each data classication type, and within the CMK policy, enable rotation of it annually, and dene the MFA policy. S3 can

then create DEK grants to uniquely encrypt each object within the S3 bucket.

D. Create a CMK with unique imported key material for each data classication type, and rotate them annually. For the €Restricted € key

material, dene the MFA policy in the key policy. Use S3 SSE-KMS to encrypt the objects.

Correct Answer:

Community vote distribution

A (100%)

剩余268页未读，继续阅读

评论收藏

内容反馈

版权申诉

xueyunshengling

粉丝: 175
资源: 511

AWS Security.pdf

最新资源

AWS Security.pdf

信息安全_数据安全_Getting started with AWS security.pdf

AWS_Security_Best_Practices_CN（AWS安全最佳实践）.pdf

AWS_Security_Whitepaper(AWS云安全白皮书2020版).pdf

AWS Administration Cookbook.pdf

AWS Security Incident Response Guide文档.pdf

AWs Security Guide文档操作手册.pdf

zero-trust-security-AWS-zscaler.pdf

AWS_Lambda_Security.pdf

AWS学习视频&PDF.zip

Mastering.AWS.Security.Create.and.maintain.a.secure.cloud.ecosystem

aws security best practices.pdf

AWS-Security-Specialty.pdf

Splunk 2020PPT汇总（36份）.zip

AWS_Security_Whitepaper_2008_09.pdf

aws_security_incident_response.pdf

AWS Certified Developer_Associate Guide-Packt Publishing(2017).pdf

AWS Security Best Practices on AWS Learn to secure your data, servers, and epub

AWS_Security_Best_Practices

Sans Summit 2019PPT汇总（101份）.zip

计算机组成原理课后习题答案

《科研伦理与学术规范》期末考试及答案2023

Latex中文论文模板A4双栏，适用课程论文

哈尔滨工业大学ppt模板

2024年科目一考试题库(小客车C1C2C3)

爱心代码c语言.rar

2024北森题库（含答案）

北京科技大学研究生英语科技论文写作MOOC参考答案

大唐杯A组文字题库资料

最新资源