Domain 1: Design Secure Architectures Flashcards
A consultant is hired by a small company to configure an AWS environment. The consultant begins working with the VPC and launching EC2 instances within the VPC. The initial instances will be placed in a public subnet. The consultant begins to create security groups. The consultant has launched several instances, created security groups, and associated security groups with instances. The consultant wants to change the security groups that are associated with the instance. Which statement is true?
1) You can’t change security groups. Create a new instance and attach the desired security groups.
2) You can change the security groups for an instance when the instance is in the pending or stopped state.
3) You can’t change the security groups for an instance when the instance is in the running or stopped state.
4) You can change the security groups for an instance when the instance is in the running or stopped state.
4) You can change the security groups for an instance when the instance is in the running or stopped state.
After you launch an instance into a VPC, you can change the security groups that are associated with the instance. You can change the security groups for an instance when the instance is in the running or stopped state. https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html
Several S3 Buckets have been deleted and a few EC2 instances have been terminated. Which AWS service can you use to determine who took these actions?
1) Trusted Advisor
2) AWS CloudTrail
3) AWS CloudWatch
4) AWS Inspector
2) AWS CloudTrail
AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command-line tools, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting. In addition, you can use CloudTrail to detect unusual activity in your AWS accounts. These capabilities help simplify operational analysis and troubleshooting.
You have been given an assignment to configure Network ACLs in your VPC. Before configuring the NACLs, you need to understand how the NACLs are evaluated. How are NACL rules evaluated?
1) NACL rules are evaluated by rule number from highest to lowest, and all are evaluated before traffic is passed through.
2) NACL rules are evaluated by rule number from lowest to highest and executed immediately when a matching rule is found.
3) All NACL rules that you configure are evaluated before traffic is passed through.
4) NACL rules are evaluated by rule number from highest to lowest, and executed immediately when a matching rule is found.
2) NACL rules are evaluated by rule number from lowest to highest and executed immediately when a matching rule is found.
Correct. You can add or remove rules from the default network ACL, or create additional network ACLs for your VPC. When you add or remove rules from a network ACL, the changes are automatically applied to the subnets that it’s associated with. A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC. The following are the parts of a network ACL rule:
- Rule number. Rules are evaluated starting with the lowest-numbered rule. As soon as a rule matches traffic, it’s applied regardless of any higher-numbered rule that might contradict it.
- Type. The type of traffic, for example, SSH. You can also specify all traffic or a custom range.
- Protocol. You can specify any protocol that has a standard protocol number. For more information, see Protocol Numbers. If you specify ICMP as the protocol, you can specify any or all of the ICMP types and codes.
- Port range. The listening port or port range for the traffic. For example, 80 for HTTP traffic.
- Source. [Inbound rules only] The source of the traffic (CIDR range).
- Destination. [Outbound rules only] The destination for the traffic (CIDR range).
- Allow/Deny. Whether to allow or deny the specified traffic.
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl-rules
An organization of about 100 employees has performed the initial setup of users in IAM. All users except administrators have the same basic privileges. But now it has been determined that 50 employees will have extra restrictions on EC2. They will be unable to launch new instances or alter the state of existing instances. What will be the quickest way to implement these restrictions?
1) Create the appropriate policy. Create a new group for the restricted users. Place the restricted users in the new group and attach the policy to the group.
2) Create the appropriate policy. Place the restricted users in the new policy.
3) Create an IAM Role for the restrictions. Attach it to the EC2 instances.
4) Create the appropriate policy. With only 20 users, attach the policy to each user.
1) Create the appropriate policy. Create a new group for the restricted users. Place the restricted users in the new group and attach the policy to the group.
You manage access in AWS by creating policies and attaching them to IAM identities (users, groups of users, or roles) or AWS resources. A policy is an object in AWS that, when associated with an identity or resource, defines their permissions. AWS evaluates these policies when an IAM principal (user or role) makes a request. Permissions in the policies determine whether the request is allowed or denied. Most policies are stored in AWS as JSON documents. AWS supports six types of policies: identity-based policies, resource-based policies, permissions boundaries, Organizations SCPs, ACLs, and session policies. IAM policies define permissions for an action regardless of the method that you use to perform the operation. For example, if a policy allows the GetUser action, then a user with that policy can get user information from the AWS Management Console, the AWS CLI, or the AWS API. When you create an IAM user, you can choose to allow console or programmatic access. If console access is allowed, the IAM user can sign in to the console using a user name and password. Or if programmatic access is allowed, the user can use access keys to work with the CLI or API. https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
You have been evaluating the NACLs in your company. Most of the NACLs are configured the same:
100 All Traffic Allow
200 All Traffic Deny
* All Traffic Deny
If a request comes in, how will it be evaluated?
1) The default will deny traffic.
2) The highest numbered rule will be used, a deny.
3) The request will be allowed.
4) All rules will be evaluated and the end result will be Deny.
3) The request will be allowed.
Correct. Rules are evaluated starting with the lowest numbered rule. As soon as a rule matches traffic, it’s applied immediately regardless of any higher-numbered rule that may contradict it. The following are the basic things that you need to know about network ACLs:
- Your VPC automatically comes with a modifiable default network ACL. By default, it allows all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic.
- You can create a custom network ACL and associate it with a subnet. By default, each custom network ACL denies all inbound and outbound traffic until you add rules.
- Each subnet in your VPC must be associated with a network ACL. If you don’t explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL.
- You can associate a network ACL with multiple subnets. However, a subnet can be associated with only one network ACL at a time. When you associate a network ACL with a subnet, the previous association is removed.
- A network ACL contains a numbered list of rules. We evaluate the rules in order, starting with the lowest-numbered rule, to determine whether traffic is allowed in or out of any subnet associated with the network ACL. The highest number that you can use for a rule is 32766. We recommend that you start by creating rules in increments (for example, increments of 10 or 100) so that you can insert new rules where you need to later on.
- A network ACL has separate inbound and outbound rules, and each rule can either allow or deny traffic.
- Network ACLs are stateless, which means that responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa).
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html
You have been put in charge of S3 buckets for your company. The buckets are separated based on the type of data they are holding and the level of security required for that data. You have several buckets that have data you want to safeguard from accidental deletion. Which configuration will meet this requirement?
1) Signed URLs to all users to access the bucket.
2) Configure cross-account access with an IAM Role prohibiting object deletion in the bucket.
3) Archive sensitive data to Amazon Glacier.
4) Enable versioning on the bucket and multi-factor authentication delete as well.
4) Enable versioning on the bucket and multi-factor authentication delete as well.
Correct. Versioning is a means of keeping multiple variants of an object in the same bucket. You can use versioning to preserve, retrieve, and restore every version of every object stored in your Amazon S3 bucket. With versioning, you can easily recover from both unintended user actions and application failures. When you enable versioning for a bucket, if Amazon S3 receives multiple write requests for the same object simultaneously, it stores all of the objects. Key point: versioning is turned off by default. If a bucket’s versioning configuration is MFA Delete–enabled, the bucket owner must include the x-amz-mfa request header in requests to permanently delete an object version or change the versioning state of the bucket.
References:
https://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html
https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMFADelete.html
You have been evaluating the NACLs in your company. Currently, you are looking at the default network ACL. Which statement is true about NACLs?
1) The default configuration of the default NACL is Allow, and the default configuration of a custom NACL is Allow.
2) The default configuration of the default NACL is Deny, and the default configuration of a custom NACL is Allow.
3) The default configuration of the default NACL is Allow, and the default configuration of a custom NACL is Deny.
4) The default configuration of the default NACL is Deny, and the default configuration of a custom NACL is Deny.
3) The default configuration of the default NACL is Allow, and the default configuration of a custom NACL is Deny.
Your VPC automatically comes with a modifiable default network ACL. By default, it allows all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic. You can create a custom network ACL and associate it with a subnet. By default, each custom network ACL denies all inbound and outbound traffic until you add rules. https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#default-network-acl
An insurance company is creating an application that will perform analytics in near real-time on huge datasets in the terabyte range, and potentially even petabyte. The company is evaluating an AWS data storage option. Which AWS service will allow storage of petabyte-scale data and also allow fast complex queries over a large number of rows?
1) ElastiCache
2) Redshift
3) RDS
4) DynamoDB
2) Redshift
Amazon Redshift is a fully-managed, petabyte-scale data warehouse service in the Cloud. An Amazon Redshift data warehouse is a collection of computing resources called nodes, which are organized into a group called a cluster. Each cluster runs an Amazon Redshift engine and contains one or more databases.
Reference: Amazon Redshift
https://docs.aws.amazon.com/redshift/latest/gsg/getting-started.html
You are a solutions architect working for an online gaming company. The company wants to integrate Amazon, Facebook, and Google authentication into the application so people can use their existing social media accounts to sign up to the application. Which AWS service facilitates this?
1) AWS Trusted Advisor
2) AWS Artifact
3) Amazon Detective
4) Amazon Cognito
4) Amazon Cognito
Amazon Cognito provides authentication, authorization, and user management for your web and mobile apps in a single service without the need for custom code.
A company has created a mobile application that is hugely popular. The initial plan was to give each user login credentials to the application. But due to the volume of users, this idea has become impractical. What service can you use to allow outside users to log in through a third party such as Facebook, Amazon, Google, or Apple?
AWS cross account access
Google Authenticator
Amazon Cognito
AWS IAM
Amazon Cognito
Correct - Amazon Cognito provides authentication, authorization, and user management for your web and mobile apps. Your users can sign in directly with a user name and password or through a third party such as Facebook, Amazon, Google, or Apple. The two main components of Amazon Cognito are user pools and identity pools. User pools are user directories that provide sign-up and sign-in options for your app users. Identity pools enable you to grant your users access to other AWS services. You can use identity pools and user pools separately or together. https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html
You work for a consulting company, which is currently undergoing both a financial and technical audit. You have been asked by the auditors to produce regular reports in regards to your PCI compliance. You need to produce this as fast and as efficiently as possible. Which AWS service should you consider using?
Amazon Audit Automation
Amazon Detective
AWS Audit Manager
AWS Security Hub
AWS Audit Manager
AWS Audit Manager is an automated service that produces reports specific to auditors for PCI compliance, GDPR, and more.
A small startup company has multiple departments with small teams representing each department. They have hired you to configure Identity and Access Management in their AWS account. The team expects to grow rapidly, and promote from within which could mean promoted team members switching over to a new team fairly often. How can you configure IAM to prepare for this type of growth?
- Create the user accounts, create a group for each department, create and attach an appropriate policy to each group, and place each user account into their department’s group. When new team members are onboarded, create their account and put them in the appropriate group. If an existing team member changes departments, move their account to their new IAM group.
- Create the user accounts, create a group for each department, create and attach an appropriate policy to each group, and place each user account into their department’s group. When new team members are onboarded, create their account and put them in the appropriate group. If an existing team member changes departments, delete their account, create a new account and put the account in the appropriate group.
- Create the user accounts, create a group for each department, create and attach an appropriate role to each group, and place each user account into their department’s group. When new team members are onboarded, create their account and put them in the appropriate group. If an existing team member changes departments, move their account to their new IAM group.
- Create the user accounts, create a role for each department, create and attach an appropriate policy to each role, and place each user account into their department’s role. When new team members are onboarded, create their account and put them in the appropriate role. If an existing team member changes departments, move their account to their new IAM group.
Create the user accounts, create a group for each department, create and attach an appropriate policy to each group, and place each user account into their department’s group. When new team members are onboarded, create their account and put them in the appropriate group. If an existing team member changes departments, move their account to their new IAM group.
An IAM group is a collection of IAM users. Groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users. For example, you could have a group called Admins and give that group the types of permissions that administrators typically need. Any user in that group automatically has the permissions that are assigned to the group. If a new user joins your organization and needs administrator privileges, you can assign the appropriate permissions by adding the user to that group. Similarly, if a person changes jobs in your organization, instead of editing that user’s permissions, you can remove the user from the old groups and add the user to the appropriate new groups.
You are managing S3 buckets in your organization. This management of S3 extends to Amazon Glacier. For auditing purposes you would like to be informed if an object is restored to S3 from Glacier. What is the most efficient way you can do this?
Create an SNS notification for any upload to S3
Create a CloudWatch Event for uploads to S3
Configure S3 notifications for restore operations from Glacier
Create a Lambda function which is triggered by restoration of object from Glacier to S3
Configure S3 notifications for restore operations from Glacier
The Amazon S3 notification feature enables you to receive notifications when certain events happen in your bucket. To enable notifications, you must first add a notification configuration that identifies the events you want Amazon S3 to publish and the destinations where you want Amazon S3 to send the notifications. An S3 notification can be set up to notify you when objects are restored from Glacier to S3.
Your company needs to deploy an application in the company AWS account. The application will reside on EC2 instances in an Auto Scaling Group fronted by an Application Load Balancer. The company has been using Elastic Beanstalk to deploy the application due to limited AWS experience within the organization. The application now needs upgrades and a small team of subcontractors have been hired to perform these upgrades. Which web service can be used to provide users that you authenticate with short-term security credentials that can control access to your AWS resources?
IAM user accounts
IAM Group
AWS STS
AWS SSO
AWS STS
AWS Security Token Service (AWS STS) is the service that you can use to create and provide trusted users with temporary security credentials that can control access to your AWS resources. Temporary security credentials work almost identically to the long-term access key credentials that your IAM users can use, with the following differences:
- Temporary security credentials are short-term, as the name implies. They can be configured to last for anywhere from a few minutes to several hours. After the credentials expire, AWS no longer recognizes them or allows any kind of access from API requests made with them.
- Temporary security credentials are not stored with the user but are generated dynamically and provided to the user when requested. When (or even before) the temporary security credentials expire, the user can request new credentials, as long as the user requesting them still has permissions to do so.
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html
You are working for a startup company with a small number of employees. The company expects rapid growth and you have been assigned to configure existing users and onboard new users with IAM privileges and logins. You intend to create IAM groups for the company departments and add new users to the appropriate group when you onboard them. You begin creating policies to assign permissions and attach them to the appropriate group. What is the best practice when giving users permissions in IAM policies?
Use the principle of top-down privilege.
Use the principle of least privilege.
Grant all permissions to each AWS service the user will work with.
Create a policy for each department head granting root access.
Use the principle of least privilege.
When you create IAM policies, follow the standard security advice of granting least privilege, or granting only the permissions required to perform a task. Determine what users (and roles) need to do and then craft policies that allow them to perform only those tasks. Start with a minimum set of permissions and grant additional permissions as necessary. Doing so is more secure than starting with permissions that are too lenient and then trying to tighten them later. https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#use-groups-for-permissions