Domain 1: Design Secure Architectures Flashcards
You work for a security company with a custom VPC and S3 buckets. You plan on allowing access to your trusted S3 buckets using a gateway endpoint. Which of the following would assist with this?
Create a bucket policy for trusted S3 buckets.
Create an object policy for trusted S3 objects.
Create an endpoint policy for your trusted VPCs.
Create an endpoint policy for your trusted S3 buckets.
Create a bucket policy for trusted S3 buckets.
This would not create a private connection to your VPC.
Create an endpoint policy for your trusted S3 buckets.
This is the best answer in the scenario. It allows you to create a trusted connection from your VPC to your trusted S3 buckets.
Your company has an internal web application that uses RDS in the backend with Multi-AZ deployment for redundancy. You have been asked to improve security and make sure the database credentials and API keys are encrypted and rotated on a regular basis. The internal web application should also use the latest version of the encrypted credentials when connecting to the RDS database. What is the easiest way to achieve this?
Store the API keys and database credentials in AWS Secrets Manager.
Store the API keys and database credentials in a public S3 bucket for access.
Store the API keys and database credentials in CloudWatch.
Store the API keys and database credentials in KMS.
Store the API keys and database credentials in AWS Secrets Manager.
AWS Secrets Manager is designed to store and rotate confidential data such as API keys and database credentials.
Store the API keys and database credentials in KMS.
You cannot store credentials in KMS.
You have an S3 bucket that contains some vital files for your company. You need to be alerted if these files are deleted or have write operations performed on them. What AWS services are event notification destinations for S3 buckets?
SQS
SNS
Lambda
SES
SQS
You can use SQS as an event notification service for S3. Reference: Event notification types and destinations
SNS
You can use SNS as an event notification service for S3. Reference: Event notification types and destinations
Lambda
You can use Lambda as an event notification service for S3. Reference: Event notification types and destinations
SES
You cannot use SES as an event notification service for S3. Reference: Event notification types and destinations
You work for a security company that hosts a secure file storage service on S3. All files uploaded to the S3 buckets must have AES-256 encryption using Server Side Encryption (SSE-S3). Which of the following request headers must be used?
x-enable-server-side-encryption-s3
x-amz-server-side-encryption
x-enable-server-side-encryption
x-amz-server-side-encryption-enable-s3
x-amz-server-side-encryption
x-amz-server-side-encryption is the correct header to use. Reference: Using Server-Side Encryption
You work for an online store that has a large number of EC2 instances. The company had a list of public keys and public IP addresses of the individual EC2 instances stored in an S3 bucket. However, this was accidentally deleted by an intern. You need to rebuild this list using an automated script. You create a script running a curl command to get the data on each EC2 instance and to write this to an S3 bucket. Which of the following should you query?
Instance Metadata
Amazon EBS
Amazon Machine Image
Instance Userdata
Instance Metadata
Instance metadata is data about the EC2 instance itself, such as its public IP address and public key, and can be queried from within the instance.
You work for a doctor’s surgery in New York City that has thousands of patients. The patients’ data is stored on-premises, but the backups need to be stored on S3 in the most secure way possible. Which of the following is the most secure way of achieving this?
Encrypt the data locally using your own encryption keys. Upload the data to AWS S3 using HTTPS. Use AES 256 server-side encryption on the S3 bucket to encrypt the bucket.
Store the data on AWS Fargate and use server-side encryption to encrypt the backups.
Encrypt the data locally using your own encryption keys. Upload the data to AWS S3 using HTTP. Use AES 256 server-side encryption on the S3 bucket to encrypt the bucket.
Upload the backups directly to a public S3 bucket.
Encrypt the data locally using your own encryption keys. Upload the data to AWS S3 using HTTPS. Use AES 256 server-side encryption on the S3 bucket to encrypt the bucket.
This is the best solution in this scenario.
You have recently terminated an employee from the company due to gross misconduct. Unfortunately, you discover they have been using a backdoor account to access your internal web application. They have been doing this from their home, which has a static IP address. You need to block access from this IP address immediately and then fix the backdoor. What is the fastest approach to achieve this?
Block the IP address on the public NACL.
Block the IP address using a security group.
Use Amazon Shield to block the IP address.
Block the IP address using an Internet Gateway.
Block the IP address on the public NACL.
This is the best solution, as NACLs support explicit deny rules and the attacker is coming from a static IP address.
You have a new intern starting at a security company who works on the developer team. She has access to the developer account but needs temporary write access to S3 in your production account. What is the most secure way to provide the intern with access?
Create an IAM username and password with S3 write access to the production account and share this user name and password with your intern.
Create an IAM username and password with Admin Access to the production account and share this user name and password with your intern.
Use AWS KMS to provide access.
Use AWS STS.
Use AWS STS.
This gives you temporary credentials to access an account.
You have started as the chief security officer at a major internet security company. They are migrating to AWS and you are tasked with creating the required IAM users, IAM roles, IAM groups, and IAM policies for the entire company. What is the best practice when creating IAM policies?
Grant all users power user access.
Use the concept of maximum privilege where you grant every permission possible.
Conduct extensive background research on your staff and if they pass grant them full admin access.
Use the concept of least privilege where you grant the permissions only required to complete a task.
Use the concept of least privilege where you grant the permissions only required to complete a task.
You should always use the concept of least privilege when granting permissions.
You have started at a new company that has recently had a major security breach in their AWS account. Somehow, someone was able to gain access to the entire account, and they were able to create EC2 instances to mine Bitcoin and share pirated material using S3. Your boss instructs you to find an automated threat detection service that can protect your entire AWS account. What AWS service should you recommend?
AWS Shield Advanced
Amazon Inspector
Amazon Trusted Advisor
Amazon GuardDuty
Amazon GuardDuty
Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. Reference: Amazon GuardDuty
You work for a government agency that needs to host a sensitive internal application on AWS. They have very strict encryption requirements, so they must control all keys and have root access to the HSM that generates the keys. What AWS service should they use?
AWS CloudHSM
KMS
KMS with HSM enabled
AWS Inspector
AWS CloudHSM
This is the best answer, as you have root-level access to the HSM. Reference: Comparison of HSM to KMS
You are building an application on EC2 that will require access to S3 and DynamoDB. You need to provide access to these services in the most secure way possible to your developers. What should you use to achieve this?
Assign a role to the EC2 instance allowing access to S3 and DynamoDB.
Create a master IAM username and password with Admin Access and share this user name and password with your developers.
Create a master IAM username and password with power user access and share this user name and password with your developers.
Use AWS KMS to provide access to these resources.
Assign a role to the EC2 instance allowing access to S3 and DynamoDB.
This would be the most efficient solution.
Your web application is designed to encourage people to vote for your chosen celebrity at a major national talent contest. Unfortunately, some hackers have managed to deploy a SQL injection against your application, and they have managed to drop your MySQL database. You have a backup, so you haven’t lost any data, but you need to prevent this from happening again. How should you achieve this?
Refactor the application to use NeptuneDB as the backend database.
Use GuardDuty to set up SQL firewalls so that they cannot launch another SQL injection.
Discover the IP address from which the SQL injection was delivered and use NACLs to block the offending IP address.
Set up an AWS WAF and create rules that prevent SQL injections. Associate the WAF to your application load balancer.
Set up an AWS WAF and create rules that prevent SQL injections. Associate the WAF to your application load balancer.
This is the best answer, as AWS WAF is capable of this.
You have been evaluating the NACLs in your company. Most of the NACLs are configured the same:
100 All Traffic Allow
200 All Traffic Deny
* All Traffic Deny
What function does the * All Traffic Deny rule perform?
It is there in case no other rules are defined.
Traffic will be denied from specified IP addresses.
This rule ensures that if a packet doesn’t match any of the other numbered rules, it’s denied.
The * specifies that it is an example rule.
This rule ensures that if a packet doesn’t match any of the other numbered rules, it’s denied.
The default network ACL is configured to allow all traffic to flow in and out of the subnets with which it is associated. Each network ACL also includes a rule whose rule number is an asterisk. This rule ensures that if a packet doesn’t match any of the other numbered rules, it’s denied. You can’t modify or remove this rule. Reference: Network ACLs.
Your company’s website, hosted on an on-premises solution, suffered a major DDoS attack that resulted in several days of downtime. Your boss has decided to migrate the website to AWS and has tasked you with selecting the most robust DDoS protection available from AWS. What should you recommend?
AWS Defender
AWS Defender - Advanced
AWS Shield Advanced
AWS Shield Standard
AWS Shield Advanced
AWS Shield Advanced is the most powerful DDoS protection service available from AWS. It provides extra DDoS mitigation features, round-the-clock access to a DDoS response team, and protection against bigger and more complex attacks, making it the ideal choice for situations requiring more complete protection.