没有合适的资源?快使用搜索试试~ 我知道了~
AWS Security.pdf
1.该资源内容由用户上传,如若侵权请联系客服进行举报
2.虚拟产品一经售出概不退款(资源遇到问题,请及时私信上传者)
2.虚拟产品一经售出概不退款(资源遇到问题,请及时私信上传者)
版权申诉
0 下载量 112 浏览量
2024-04-29
14:12:38
上传
评论
收藏 6.3MB PDF 举报
温馨提示
试读
269页
AWSks助力资源
资源推荐
资源详情
资源评论
-
Expert Veried, Online, Free.
Custom View Settings
Topic 1 - Single Topic
Topic 1
Question #1
The Security team believes that a former employee may have gained unauthorized access to AWS resources sometime in the past 3 months by
using an identied access key.
What approach would enable the Security team to nd out what the former employee may have done within AWS?
A. Use the AWS CloudTrail console to search for user activity.
B. Use the Amazon CloudWatch Logs console to lter CloudTrail data by user.
C. Use AWS Cong to see what actions were taken by the user.
D. Use Amazon Athena to query CloudTrail logs stored in Amazon S3.
Correct Answer:
A
Community vote distribution
A (100%)
Topic 1
Question #2
A company is storing data in Amazon S3 Glacier. The security engineer implemented a new vault lock policy for 10TB of data and called initiate-
vault-lock operation 12 hours ago. The audit team identied a typo in the policy that is allowing unintended access to the vault.
What is the MOST cost-effective way to correct this?
A. Call the abort-vault-lock operation. Update the policy. Call the initiate-vault-lock operation again.
B. Copy the vault data to a new S3 bucket. Delete the vault. Create a new vault with the data.
C. Update the policy to keep the vault lock in place.
D. Update the policy. Call initiate-vault-lock operation again to apply the new policy.
Correct Answer:
A
Initiate the lock by attaching a vault lock policy to your vault, which sets the lock to an in-progress state and returns a lock ID. While in the in-
progress state, you have 24 hours to validate your vault lock policy before the lock ID expires.
Use the lock ID to complete the lock process. If the vault lock policy doesn't work as expected, you can abort the lock and restart from the
beginning. For information on how to use the S3 Glacier API to lock a vault, see Locking a Vault by Using the Amazon S3 Glacier API.
Reference:
https://docs.aws.amazon.com/amazonglacier/latest/dev/vault-lock-policy.html
Community vote distribution
A (100%)
Topic 1
Question #3
A company wants to control access to its AWS resources by using identities and groups that are dened in its existing Microsoft Active Directory.
What must the company create in its AWS account to map permissions for AWS services to Active Directory user attributes?
A. AWS IAM groups
B. AWS IAM users
C. AWS IAM roles
D. AWS IAM access keys
Correct Answer:
C
Reference:
https://aws.amazon.com/blogs/security/how-to-connect-your-on-premises-active-directory-to-aws-using-ad-connector/
Community vote distribution
C (100%)
Topic 1
Question #4
A company has contracted with a third party to audit several AWS accounts. To enable the audit, cross-account IAM roles have been created in
each account targeted for audit. The Auditor is having trouble accessing some of the accounts.
Which of the following may be causing this problem? (Choose three.)
A. The external ID used by the Auditor is missing or incorrect.
B. The Auditor is using the incorrect password.
C. The Auditor has not been granted sts:AssumeRole for the role in the destination account.
D. The Amazon EC2 role used by the Auditor must be set to the destination account role.
E. The secret key used by the Auditor is missing or incorrect.
F. The role ARN used by the Auditor is missing or incorrect.
Correct Answer:
CEF
Community vote distribution
ACF (73%) CEF (18%) 9%
Topic 1
Question #5
Compliance requirements state that all communications between company on-premises hosts and EC2 instances be encrypted in transit. Hosts
use custom proprietary protocols for their communication, and EC2 instances need to be fronted by a load balancer for increased availability.
Which of the following solutions will meet these requirements?
A. Ooad SSL termination onto an SSL listener on a Classic Load Balancer, and use a TCP connection between the load balancer and the EC2
instances.
B. Route all trac through a TCP listener on a Classic Load Balancer, and terminate the TLS connection on the EC2 instances.
C. Create an HTTPS listener using an Application Load Balancer, and route all of the communication through that load balancer.
D. Ooad SSL termination onto an SSL listener using an Application Load Balancer, and re-spawn and SSL connection between the load
balancer and the EC2 instances.
Correct Answer:
B
Community vote distribution
B (100%)
Topic 1
Question #6
An application is currently secured using network access control lists and security groups. Web servers are located in public subnets behind an
Application Load
Balancer (ALB); application servers are located in private subnets.
How can edge security be enhanced to safeguard the Amazon EC2 instances against attack? (Choose two.)
A. Congure the application's EC2 instances to use NAT gateways for all inbound trac.
B. Move the web servers to private subnets without public IP addresses.
C. Congure AWS WAF to provide DDoS attack protection for the ALB.
D. Require all inbound network trac to route through a bastion host in the private subnet.
E. Require all inbound and outbound network trac to route through an AWS Direct Connect connection.
Correct Answer:
BC
Community vote distribution
BC (100%)
Topic 1
Question #7
A Security Administrator is restricting the capabilities of company root user accounts. The company uses AWS Organizations and has enabled it
for all feature sets, including consolidated billing. The top-level account is used for billing and administrative purposes, not for operational AWS
resource purposes.
How can the Administrator restrict usage of member root user accounts across the organization?
A. Disable the use of the root user account at the organizational root. Enable multi-factor authentication of the root user account for each
organizational member account.
B. Congure IAM user policies to restrict root account capabilities for each Organizations member account.
C. Create an organizational unit (OU) in Organizations with a service control policy that controls usage of the root user. Add all operational
accounts to the new OU.
D. Congure AWS CloudTrail to integrate with Amazon CloudWatch Logs and then create a metric lter for RootAccountUsage.
Correct Answer:
C
Reference:
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_about-scps.html
Community vote distribution
C (100%)
Topic 1
Question #8
A Systems Engineer has been tasked with conguring outbound mail through Simple Email Service (SES) and requires compliance with current
TLS standards.
The mail application should be congured to connect to which of the following endpoints and corresponding ports?
A. email.us-east-1.amazonaws.com over port 8080
B. email-pop3.us-east-1.amazonaws.com over port 995
C. email-smtp.us-east-1.amazonaws.com over port 587
D. email-imap.us-east-1.amazonaws.com over port 993
Correct Answer:
C
Reference:
https://docs.aws.amazon.com/ses/latest/DeveloperGuide/smtp-connect.html
Community vote distribution
C (100%)
Topic 1
Question #9
A threat assessment has identied a risk whereby an internal employee could exltrate sensitive data from production host running inside AWS
(Account 1). The threat was documented as follows:
Threat description: A malicious actor could upload sensitive data from Server X by conguring credentials for an AWS account (Account 2) they
control and uploading data to an Amazon S3 bucket within their control.
Server X has outbound internet access congured via a proxy server. Legitimate access to S3 is required so that the application can upload
encrypted les to an
S3 bucket. Server X is currently using an IAM instance role. The proxy server is not able to inspect any of the server communication due to TLS
encryption.
Which of the following options will mitigate the threat? (Choose two.)
A. Bypass the proxy and use an S3 VPC endpoint with a policy that whitelists only certain S3 buckets within Account 1.
B. Block outbound access to public S3 endpoints on the proxy server.
C. Congure Network ACLs on Server X to deny access to S3 endpoints.
D. Modify the S3 bucket policy for the legitimate bucket to allow access only from the public IP addresses associated with the application
server.
E. Remove the IAM instance role from the application server and save API access keys in a trusted and encrypted application cong le.
Correct Answer:
AC
Community vote distribution
AB (67%) AD (33%)
Topic 1
Question #10
A company will store sensitive documents in three Amazon S3 buckets based on a data classication scheme of `Sensitive,` `Condential,` and
`Restricted.` The security solution must meet all of the following requirements:
Each object must be encrypted using a unique key.
Items that are stored in the `Restricted` bucket require two-factor authentication for decryption.
AWS KMS must automatically rotate encryption keys annually.
Which of the following meets these requirements?
A. Create a Customer Master Key (CMK) for each data classication type, and enable the rotation of it annually. For the €Restricted € CMK,
dene the MFA policy within the key policy. Use S3 SSE-KMS to encrypt the objects.
B. Create a CMK grant for each data classication type with EnableKeyRotation and MultiFactorAuthPresent set to true. S3 can then use the
grants to encrypt each object with a unique CMK.
C. Create a CMK for each data classication type, and within the CMK policy, enable rotation of it annually, and dene the MFA policy. S3 can
then create DEK grants to uniquely encrypt each object within the S3 bucket.
D. Create a CMK with unique imported key material for each data classication type, and rotate them annually. For the €Restricted € key
material, dene the MFA policy in the key policy. Use S3 SSE-KMS to encrypt the objects.
Correct Answer:
A
Community vote distribution
A (100%)
剩余268页未读,继续阅读
资源评论
xueyunshengling
- 粉丝: 175
- 资源: 511
上传资源 快速赚钱
- 我的内容管理 展开
- 我的资源 快来上传第一个资源
- 我的收益 登录查看自己的收益
- 我的积分 登录查看自己的积分
- 我的C币 登录后查看C币余额
- 我的收藏
- 我的下载
- 下载帮助
安全验证
文档复制为VIP权益,开通VIP直接复制
信息提交成功