CloudAcademy: Knowledge Check: Security (SAA-C03) 2 of 2 Flashcards

1
Q

When you are creating a rule in AWS Web Application Firewall, the _____ rule option asks you to enter the maximum number of requests from a single IP within a five-minute timeframe.

A. regular
B. count-based
C. IP
D. rate-based

A

D. rate-based

Explanation:
When you select the rate-based rule option, you are asked to enter the maximum number of requests from a single IP within a five-minute timeframe. When the count limit is reached, the action of the rule is triggered until the request rate falls back below the rate limit specified.

2
Q

Fill in the blanks: During the identity federation process, one party acts as the _____ provider and the other acts as the _____ provider.

A. OAuth, SAML
B. access, manager
C. sign-on, authentication
D. identity, service

A

D. identity, service

Explanation:
During the federation process, one party would act as an identity provider, known as an IdP, and the other would be the service provider, an SP.

3
Q

The Amazon Inspector service provides which of the following benefits? (Choose 2 answers)

A. It assesses the exposure of attack points.
B. It simplifies compliance.
C. It scales and centralizes security management.
D. It automates responses to security attacks.

A

A. It assesses the exposure of attack points.
B. It simplifies compliance.

Explanation:
The benefits of Amazon Inspector are simplifying security compliance and enforcing security standards.

4
Q

AWS Security Hub runs continuous, account-level configuration and security checks based on AWS best practices and industry standards, and provides the result of these checks as a(n) _____.

A. security graph
B. readiness score
C. alert table
D. violation score

A

B. readiness score

Explanation:
Security Hub runs continuous, account-level configuration and security checks based on AWS best practices and industry standards. It provides the result of these checks as a readiness score, and identifies specific accounts and resources that require attention.

5
Q

AWS _____ allows you to protect your VPCs from common network threats by implementing fine-grained firewall rules, enabling you to control which traffic is permitted and which should be blocked.

A. Resolver DNS Firewall
B. WAF
C. Network Firewall
D. Shield

A

C. Network Firewall

Explanation:
AWS Network Firewall allows you to protect your VPCs from common network threats by implementing fine-grained firewall rules, enabling you to control which traffic is permitted and which should be blocked.

6
Q

What service does AWS IAM Identity Center (formerly AWS SSO) provide?

A. It is used to manage access to AWS services and resources securely, by creating and managing AWS users and groups and by using permissions to allow and deny their access to AWS resources.
B. It is used to centrally manage and categorize multiple AWS accounts that you own, bringing them together into a single organization, helping to maintain your AWS environment from a security, compliance, and account management perspective.
C. It gives you a comprehensive view of your security alerts and security posture across your AWS accounts.
D. It helps you implement a federated access control system, providing a portal to your users that allows them to access multiple accounts within your AWS organization without having to supply IAM credentials for each one.

A

D. It helps you implement a federated access control system, providing a portal to your users that allows them to access multiple accounts within your AWS organization without having to supply IAM credentials for each one.

Explanation:
IAM Identity Center is used to help you implement a federated access control system, providing a portal to your users that allows them to access multiple accounts within your AWS organization without having to supply IAM credentials for each one.

7
Q

Amazon Cognito _____ help to provide temporary-access AWS credentials for your users or guests that need access to AWS services.

A. identity pools
B. assertions
C. user pools
D. attributes

A

A. identity pools

Explanation:
The Amazon Cognito identity pools, also known as federated identities, help to provide temporary-access AWS credentials for your users or guests that need access to AWS services.

8
Q

Which AWS service can assess the security state of your applications running on EC2 instances?

A. Amazon Inspector
B. Amazon GuardDuty
C. Amazon EventBridge
D. Amazon CloudTrail

A

A. Amazon Inspector

Explanation:
Amazon Inspector is an automated security service that can assess your network and the accessibility of your Amazon EC2 instances. Additionally, Amazon Inspector can also assess the security state of your applications running on those instances.

9
Q

AWS _____ is designed to help protect your infrastructure against distributed denial of service attacks, commonly known as DDoS.

A. Network Firewall
B. WAF
C. Resolver DNS Firewall
D. Shield

A

D. Shield

Explanation:
Shield Advanced Policy: The AWS Shield service is designed to help protect your infrastructure against distributed denial of service attacks, commonly known as DDoS.

10
Q

Which is the typical order for rule priorities in AWS Web Application Firewall, from first to last?

A. bad signatures
denylisted IPs
allowlisted IPs

B. denylisted IPs
bad signatures
allowlisted IPs

C. denylisted IPs
allowlisted IPs
bad signatures

D. allowlisted IPs
denylisted IPs
bad signatures

A

D. allowlisted IPs
denylisted IPs
bad signatures

Explanation:
When configuring either a web ACL or a rule group, you'll be asked to verify the priorities of the rules that have been added. This is an important point, as rules are executed in the order in which they are listed. Typically, they are ordered as shown: first, your allowlisted IPs are allowed; then your denylisted IPs are blocked; and then any bad signatures are also blocked.

11
Q

AWS Shield Standard offers DDoS protection against which layer(s) of attacks?

A. three only
B. three, four, and seven
C. seven only
D. three and four

A

D. three and four

Explanation:
AWS Shield Standard is free to everyone (well, at least anyone who has an AWS account), and it offers DDoS protection against some of the more common layer three (the network layer) and layer four (the transport layer) DDoS attacks.

12
Q

Amazon Cognito _____ allow(s) users to pick up where they left off in your application when switching devices.

A. identity pools
B. user pools
C. Sync
D. OAuth

A

C. Sync

Explanation:
Amazon Cognito answers another question that many web and mobile application developers will need help with on some level: how to sync your application's user data across various platforms. This allows users to pick up where they left off when switching devices. Amazon Cognito Sync can take care of these data points for you, instead of you having to create your own backend that you would need to maintain and manage yourself.

13
Q

Amazon GuardDuty uses data from which of the following AWS services to detect unusual and unexpected behavior? (Choose 3 answers)

A. VPC flow logs
B. CloudWatch Logs
C. AWS CloudTrail event logs
D. DNS logs

A

A. VPC flow logs
C. AWS CloudTrail event logs
D. DNS logs

Explanation:
Amazon GuardDuty is a region-based intelligent threat detection service, the first of its kind offered by AWS, which allows users to monitor their AWS account for unusual and unexpected behavior by analyzing AWS CloudTrail event logs, VPC flow logs, and DNS logs. It then takes the data from these logs and assesses it against multiple security and threat detection feeds, looking for anomalies and known malicious sources, such as IP addresses and URLs.

14
Q

In AWS Web Application Firewall, _____ are used as the component that is associated with one of the supported resources to determine which web requests are considered safe and which ones are not.

A. rule routers
B. web access control lists
C. whitelisted IPs
D. IP lists

A

B. web access control lists

Explanation:
Web access control lists, or web ACLs, are the main building block of the WAF service. A web ACL is the component that is associated with one of the supported resources to determine which web requests are considered safe and which ones are not.

15
Q

AWS _____ provide(s) a means of centrally managing and categorizing multiple AWS accounts that you own, bringing them together into a single organization, helping to maintain your AWS environment from a security, compliance, and account management perspective.

A. categories
B. accounts
C. organizations
D. Central

A

C. organizations

Explanation:
For those unfamiliar with AWS Organizations, it provides a means of centrally managing and categorizing multiple AWS accounts that you own, bringing them together into a single organization, helping to maintain your AWS environment from a security, compliance, and account management perspective.

16
Q

The Amazon _____ integration with AWS Security Hub allows you to switch back and forth between them to investigate a security finding.

A. Macie
B. Inspector
C. Detective
D. GuardDuty

A

C. Detective

Explanation:
The Amazon Detective integration allows you to switch back and forth from Security Hub to Detective and investigate a security finding.

17
Q

Which of the following statements about authentication and authorization in AWS is true?

A. AWS recommends users within the same account share passwords and other secrets to simplify security management
B. Authentication only takes place once an identity has been authorized.
C. Authentication is used for human access and services access to systems.
D. AWS allows two identical usernames to be created within the same single AWS account.

A

C. Authentication is used for human access and services access to systems.

Explanation:
The authentication process consists of two parts of information. The first part of this process is to define who you are, effectively presenting your identity. An example of this would be your login username for your AWS account. This identification is a unique value within the AWS account you are trying to authenticate to, and because it is unique, AWS would not allow two identical usernames to be created within the same single AWS account. The second part of the authentication process is to verify that you are who you say you are in the first step. This is achieved by providing additional information, which should be kept private and secret for security purposes. However, unlike the username, this private information does not have to be a unique value within your AWS account. Authentication is not just for verifying human access to systems or areas. Authorization only takes place once an identity has been authenticated, so there is a clear order in which these two operate.

18
Q

Which of the following lists correctly presents the steps to create an AWS Firewall Manager policy?

A. Choose the policy and region.
Describe the policy.
Configure policy tags.
Define the policy scope.
Review and create the policy.

B. Configure policy tags.
Choose the policy and region.
Describe the policy.
Define the policy scope.
Review and create the policy.

C. Choose the policy and region.
Define the policy scope.
Describe the policy.
Configure policy tags.
Review and create the policy.

D. Choose the policy and region.
Describe the policy.
Define the policy scope.
Configure policy tags.
Review and create the policy.

A

D. Choose the policy and region.
Describe the policy.
Define the policy scope.
Configure policy tags.
Review and create the policy.

Explanation:
The creation of each policy type is generally a five-step process, apart from the Network Firewall policy, which contains an extra step. Step one: choose your policy and region. In this step, you select which policy you'd like in addition to the region. Step two: describe the policy. Here you define the details of the policy, which depend on which policy type you selected. Step three: define the policy scope. This step defines which resources and accounts are covered by the policy that you're creating. Step four: configure policy tags. This is an optional step allowing you to associate a resource tag with the policy. Step five: review and create the policy.

19
Q

Amazon Cognito is a(n) _____ service.

A. authentication and user management
B. secrets management
C. key management
D. threat detection

A

A. authentication and user management

Explanation:
At its core, Amazon Cognito is an authentication and user management service.

20
Q

What is Amazon Macie?

A. a managed relational database service for MySQL, PostgreSQL, Oracle, SQL Server, and MariaDB
B. a fully managed service for searching, visualizing, and analyzing up to petabytes of text and unstructured data
C. a fully managed machine learning and pattern matching service that helps with data security and data privacy
D. a highly available, secure, and managed workflow orchestration platform

A

C. a fully managed machine learning and pattern matching service that helps with data security and data privacy

Explanation:
Amazon Macie is a fully managed machine learning and pattern matching service that helps with data security and data privacy.

21
Q

Which DDoS protection requirements can be satisfied using AWS Shield Standard? (Choose 2 answers)

A. A web application wants to be protected from DDoS attacks transmitted through Route 53 on the application layer.
B. A web application hosted on a CloudFront custom origin outside of AWS needs protection on the network layer.
C. An EC2 web application utilizing Application Load Balancers needs protection from common DDoS attacks on the transport layer.
D. A web application hosted on Amazon EC2 instances needs to protect its IP addresses from common DDoS attacks over the network and application layers.

A

B. A web application hosted on a CloudFront custom origin outside of AWS needs protection on the network layer.
C. An EC2 web application utilizing Application Load Balancers needs protection from common DDoS attacks on the transport layer.

Explanation:
To answer this question, you should know which network layers AWS Shield Standard can protect and what services it is integrated with.

Scenario 1: A web application wants to be protected from DDoS attacks transmitted through Route 53 on the application layer. AWS Shield is integrated with Route 53, but you need Shield Advanced to protect at the application level.

No, AWS Shield Standard cannot protect resources from traffic over the application layer.

Scenario 2: A web application hosted on a CloudFront custom origin outside of AWS needs protection on the network layer.

Yes, AWS Shield can protect resources from traffic over the transport layer, and because it is integrated with Amazon CloudFront, it can protect CloudFront resources, such as custom origins, that are outside of AWS.

Scenario 3: An EC2 web application utilizing Application Load Balancers needs protection from common DDoS attacks on the transport layer.

Yes, AWS Shield can protect EC2 instances and application load balancers on the transport layer.

Scenario 4: A web application hosted on Amazon EC2 instances needs to protect its IP addresses from common DDoS attacks over the network and application layers.

No, AWS Shield cannot meet these requirements. It does protect EC2 instances, but it does not protect over the application layer.

22
Q

What does AWS Security Hub do?

A. It consolidates security findings and alerts across accounts and provider products and displays the results in a single dashboard.
B. It lets you analyze your deployed EC2 instances to identify potential security issues.
C. It provides an intelligent threat detection service that allows you to consistently monitor and protect your AWS accounts and workloads for suspicious activity.
D. It uses machine learning to help you discover and analyze sensitive data stored in Amazon S3 buckets.

A

A. It consolidates security findings and alerts across accounts and provider products and displays the results in a single dashboard.

Explanation:
AWS Security Hub allows you to start consolidating security findings and alerts across accounts and provider products and display results in a single dashboard.

23
Q

What does Amazon GuardDuty look for?

A. specific violations of GDPR
B. specific violations of HIPAA
C. anomalies and known malicious sources
D. personally identifiable information (PII)

A

C. anomalies and known malicious sources

Explanation:
Amazon GuardDuty is a region-based intelligent threat detection service, the first of its kind offered by AWS, which allows users to monitor their AWS account for unusual and unexpected behavior by analyzing CloudTrail event logs, VPC flow logs, and DNS logs. It then takes the data from these logs and assesses it against multiple security and threat detection feeds, looking for anomalies and known malicious sources, such as IP addresses and URLs.

24
Q

_____ is an open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites but without giving them the passwords.

A. Security Assertion Markup Language 2.0 (SAML 2.0)
B. Amazon Cognito
C. OAuth
D. OpenID Connect

A

25
Q

What is the core function of AWS Firewall Manager?

A. to help you simplify the management of security protection to a range of different resources, between multiple AWS accounts
B. to rotate, manage, and retrieve secrets
C. to provision, manage, and deploy SSL/TLS certificates
D. to provide identity management for your apps

A

A. to help you simplify the management of security protection to a range of different resources, between multiple AWS accounts

Explanation:
The core function of AWS Firewall Manager is to help you simplify the management of being able to provide security protection to a range of different resources, between multiple AWS accounts.