Domain 1: Design Secure Architectures Flashcards

1
Q

You work for an insurance company that has recently fallen victim to a ransomware attack. They have decided to move their internal systems to AWS and want a service that would continuously monitor their AWS accounts and workloads for malicious activity. What AWS service should you recommend?

Amazon Inspector

AWS Trusted Advisor

Amazon Detective

Amazon GuardDuty

A

Amazon Detective

Amazon Detective simplifies the investigative process and helps security teams conduct faster and more effective investigations. With the Amazon Detective prebuilt data aggregations, summaries, and context, you can quickly analyze and determine the nature and extent of possible security issues. It is not suitable to continuously monitor your AWS accounts and workloads for malicious activity. Reference: Amazon Detective

Selected: Amazon GuardDuty

Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. Reference: Amazon GuardDuty

2
Q

You work for a consulting company that has taken on a new client who is keen to move to AWS. The client has a good understanding of AWS, and they want a highly bespoke custom VPC. They need their network traffic to be filtered before it reaches their internet gateway. What AWS service allows you to do this?

AWS Firewall Manager

AWS Network Firewall

Amazon Detective

AWS Artifact

A

AWS Firewall Manager

AWS Firewall Manager is a security management service that allows you to centrally configure and manage firewall rules across your accounts and applications in AWS Organizations. It cannot filter network traffic before it reaches your internet gateway. Reference: AWS Firewall Manager

Selected: AWS Network Firewall

With AWS Network Firewall, you can define firewall rules that provide fine-grained control over network traffic. Reference: AWS Network Firewall

3
Q

You work for a company that provides services for the intelligence community. You have strict legislative requirements to control all your encryption keys, including the generation, storage, and disposal of these keys. These keys must also be stored on dedicated hardware. What AWS service should you use?

AWS CloudTrail

AWS Shield

Amazon Macie

AWS CloudHSM

A

AWS CloudHSM

AWS CloudHSM helps you meet corporate, contractual, and regulatory compliance requirements for data security. Reference: AWS CloudHSM

4
Q

You are a solutions architect working for a pharmaceutical company that specializes in creating vaccines. They have multiple production AWS accounts with hundreds of VPCs and thousands of Web Application Firewalls. Recently, there was a security breach in one of their VPCs, and this was due to a firewall rule not being configured correctly. They have asked you if there is a service they can use to centrally manage their firewalls. What AWS service would you recommend?

AWS Inspector

AWS Trusted Advisor

AWS Firewall Manager

AWS WAF Central Control Manager

A

AWS Firewall Manager

AWS Firewall Manager is a security management service that allows you to centrally configure and manage firewall rules across your accounts and applications in AWS Organizations. Reference: AWS Firewall Manager

5
Q

You start work as a solutions architect at a small startup consisting of 10 people. They are new to AWS and have a fairly large estate of AWS assets and services that you need to become familiar with quickly. You also want to impress your new boss. What service should you use to get a broad overview of things like cost optimization, performance, security, fault tolerance, and service limits?

AWS Shield

AWS Trusted Advisor

Amazon GuardDuty

Amazon Inspector

A

AWS Trusted Advisor

AWS Trusted Advisor provides recommendations that help you follow AWS best practices. Trusted Advisor evaluates your account by using checks that identify ways to optimize your AWS infrastructure, improve security and performance, reduce costs, and monitor service quotas.

6
Q

A consultant is hired by a small company to configure an AWS environment. The consultant begins working with the VPC and launching EC2 instances within the VPC. The initial instances will be placed in a public subnet. The consultant begins to create security groups. What is true of security groups?

Security groups are stateless.

Security groups act at the instance level, not the subnet level.

Security groups act at the VPC level, not the instance level.

Security groups act at the subnet level, not the instance level.

A

Security groups act at the instance level, not the subnet level.

The following are the basic characteristics of security groups for your VPC:

There are quotas on the number of security groups that you can create per VPC, the number of rules that you can add to each security group, and the number of security groups that you can associate with a network interface. For more information, see Amazon VPC quotas.
You can specify allow rules, but not deny rules.
You can specify separate rules for inbound and outbound traffic.
When you create a security group, it has no inbound rules. Therefore, no inbound traffic originating from another host to your instance is allowed until you add inbound rules to the security group.
By default, a security group includes an outbound rule that allows all outbound traffic. You can remove the rule and add outbound rules that allow specific outbound traffic only. If your security group has no outbound rules, no outbound traffic originating from your instance is allowed.
Security groups are stateful. If you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. Responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules.
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html

7
Q

You have a large fleet of EC2 instances. After a recent security breach, your boss asks you to find a service that will install an agent on your EC2 instances, perform assessments against hardened EC2 templates, and report results and violations. Which service should you use?

Amazon Athena

Amazon Inspector

Amazon Macie

AWS Trusted Advisor

A

Amazon Inspector

Amazon Inspector is a vulnerability management service that continuously scans your AWS workloads for vulnerabilities.

8
Q

You work for a major film studio that is releasing a new motion picture. Last year, a rogue nation-state launched a large DDoS attack on the website hosting the preview of the movie, taking the site down for 48 hours. You need to prevent something like this from happening again. What AWS service should you use?

AWS Shield

AWS CloudTrail

Amazon GuardDuty

Amazon Detective

A

AWS Shield

AWS Shield is a managed DDoS protection service that safeguards applications running on AWS. Reference: AWS Shield

9
Q

A news media company is using an S3 bucket as a website to serve photos of television personalities within the company. The photos are intended to be served nationwide to local affiliates across the company, but you have found that these photos are being accessed and pirated for other websites not affiliated with the company. What can you do to stop this?

Set up an RDS database to store the photos. Make users register and log in to the site.

Use a Network Access Control List (NACL) to block the IP address of unauthorized users.

Use CloudFront on the front end to serve the photos.

Remove public read access from your bucket, then provide your users with presigned URLs to access the photos.

A

Remove public read access from your bucket, then provide your users with presigned URLs to access the photos.

All objects by default are private. Only the object owner has permission to access these objects. However, the object owner can optionally share objects with others by creating a presigned URL, using their own security credentials, to grant time-limited permission to download the objects.

When you create a presigned URL for your object, you must provide your security credentials, specify a bucket name and an object key, specify the HTTP method (GET to download the object), and specify an expiration date and time.

The presigned URLs are valid only for the specified duration. Anyone who receives the presigned URL can then access the object.

https://docs.aws.amazon.com/AmazonS3/latest/dev/ShareObjectPreSignedURL.html

10
Q

Your company has gone through an audit with a focus on data storage. You are currently storing historical data in Amazon S3 Glacier Flexible Retrieval (formerly S3 Glacier). One of the results of the audit is that a portion of the infrequently accessed historical data must be rapidly retrieved upon request. Where can you cost-effectively store this data to meet this requirement?

Amazon S3 Glacier Instant Retrieval

S3 Standard

S3 Standard-IA

Store the data in EBS

A

Amazon S3 Glacier Instant Retrieval

Amazon S3 Glacier Instant Retrieval delivers the lowest-cost storage for long-lived data that is rarely accessed and enables retrieval in milliseconds.

11
Q

You work for a real estate company that hosts some production services on AWS. Unfortunately, a junior system administrator leaves a CSV file containing Personally Identifiable Information (PII) about the business's customers in a public S3 bucket. You need to prevent this from happening in the future. What AWS service uses machine learning (ML) and pattern matching to discover and protect PII?

Amazon GuardDuty

Amazon Macie

AWS CloudTrail

AWS Shield

A

Amazon Macie

Amazon Macie is a data security and data privacy service that uses machine learning (ML) and pattern matching to discover and protect your sensitive data. Reference: Amazon Macie

12
Q

You have begun creating a hybrid cloud environment. Now you need to create a bastion host and a new custom VPC. The corporate data center personnel require internal access to the bastion host via SSH, and the bastion host also requires access to the public internet to be enabled. How can you configure the bastion host and set up access?

Create the bastion host (EC2 instance) in a private subnet. For the instance security group, add ingress on port 80 and specify the address range of the personnel in the data center. Use a private key to connect to the bastion host. Add an internet gateway, a route table, and a route to the internet gateway in the route table.

Create the bastion host (EC2 instance) in a public subnet. For the instance security group, add ingress on port 22, and specify the address range of the personnel in the data center. Use a private key to connect to the bastion host. Add an internet gateway, a route table, and a route to the internet gateway in the route table.

Create the bastion host (EC2 instance) in a private subnet. For the instance security group, add ingress on port 22, and specify the address range of the personnel in the data center. Use a private key to connect to the bastion host.

Create the bastion host (EC2 instance) in a public subnet. For the instance security group, add ingress on port 443, and specify the address range of the personnel in the data center. Use a private key to connect to the bastion host.

A

Create the bastion host (EC2 instance) in a public subnet. For the instance security group, add ingress on port 22, and specify the address range of the personnel in the data center. Use a private key to connect to the bastion host. Add an internet gateway, a route table, and a route to the internet gateway in the route table.

Including bastion hosts in your VPC environment enables you to securely connect to your Linux instances without exposing your environment to the internet. After you set up your bastion hosts, you can access the other instances in your VPC through Secure Shell (SSH) connections on Linux. Bastion hosts are also configured with security groups to provide fine-grained ingress control. An internet gateway enables resources in your public subnets to connect to the Internet. Reference: Linux Bastion Hosts on AWS

13
Q

You work for a UK company that facilitates loans to consumers. There is heavy regulation, and you need to ensure your AWS environment is continuously audited to be GDPR-compliant. What AWS service should you use?

AWS Trusted Advisor

AWS Detective

Amazon Inspector

AWS Audit Manager

A

AWS Audit Manager

Use AWS Audit Manager to map your compliance requirements to AWS usage data with pre-built and custom frameworks and automated evidence collection.

14
Q

You are about to configure two EC2 instances in your VPC. The instances will be in different subnets, but in the same Availability Zone. The first instance will house the main company website and will need to be able to communicate with the database that will be housed on the second instance. What steps can you take to make sure the instances will be able to communicate properly? CHOOSE 2

Make sure each instance has an elastic IP address.

Make sure all security groups allow communication between the app and database on the correct port using the proper protocol.

Configure a Virtual Private Gateway.

Put the instances in the same placement group.

Make sure the NACL allows communication between the two subnets.

A

Selected: Make sure all security groups allow communication between the app and database on the correct port using the proper protocol.

Selected: Make sure the NACL allows communication between the two subnets.

The proper ingress on both the security groups and the NACL needs to be configured to allow communication between these instances.

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html

15
Q

A consultant is hired by a small company to configure an AWS environment. The consultant begins working with the VPC and launching EC2 instances within the VPC. The initial instances will be placed in a public subnet. The consultant begins to create security groups. What is true of security groups?

You can specify deny rules, but not allow rules.

You can’t specify separate rules for inbound and outbound traffic.

You can specify allow rules but not deny rules.

By default, a security group includes an inbound rule that allows all inbound traffic.

A

You can specify allow rules but not deny rules.

The following are the basic characteristics of security groups for your VPC:

There are quotas on the number of security groups that you can create per VPC, the number of rules that you can add to each security group, and the number of security groups that you can associate with a network interface. For more information, see Amazon VPC quotas.
You can specify allow rules, but not deny rules.
You can specify separate rules for inbound and outbound traffic.
When you create a security group, it has no inbound rules. Therefore, no inbound traffic originating from another host to your instance is allowed until you add inbound rules to the security group.
By default, a security group includes an outbound rule that allows all outbound traffic. You can remove the rule and add outbound rules that allow specific outbound traffic only. If your security group has no outbound rules, no outbound traffic originating from your instance is allowed.
Security groups are stateful. If you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. Responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules.
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html

16
Q

A financial institution is preparing for an upcoming audit. You have been placed in charge of preparation for this audit. One of the requests made by the auditors is to see documentation on all activity made on your account. Which AWS service will you use to meet this audit request?

CloudTrail

CloudFormation

AWS Config

CloudWatch

A

CloudTrail

AWS CloudTrail is a web service that records activity made on your account and delivers log files to your Amazon S3 bucket.

CloudTrail provides visibility into user activity by recording actions taken on your account. CloudTrail records important information about each action, including who made the request, the services used, the actions performed, parameters for the actions, and the response elements returned by the AWS service. This information helps you track changes made to your AWS resources and to troubleshoot operational issues. CloudTrail makes it easier to ensure compliance with internal policies and regulatory standards.

https://aws.amazon.com/cloudtrail/faqs/
17
Q

You work for a security consultancy company and have taken on board a new client. The client has multiple production AWS accounts. Unfortunately, the client appears to have a rogue system administrator who keeps making unauthorized changes to the production environment. You need to review a log of the API calls made so you can identify who is making the changes. What AWS service should you use?

AWS CloudTrail

Amazon Inspector

AWS Artifact

AWS WAF

A

AWS CloudTrail

AWS CloudTrail monitors and records account activity across your AWS infrastructure, giving you control over storage, analysis, and remediation actions. Reference: AWS CloudTrail

18
Q

You work for an online betting company that recently had a major security breach. The CSO needs you to urgently review the root cause of this breach, using artificial intelligence and machine learning. What AWS service can you use that will fulfill this requirement?

Amazon Detective

Amazon Inspector

AWS Audit Manager

AWS Firewall Manager

A

Amazon Detective

Amazon Detective simplifies the investigative process and helps security teams conduct faster and more effective investigations. With the Amazon Detective prebuilt data aggregations, summaries, and context, you can quickly analyze and determine the nature and extent of possible security issues. Reference: Amazon Detective

19
Q

You work for an insurance company that is currently undergoing an annual audit. The auditors are requesting a lot of compliance-related information, such as AWS security and compliance reports or select online agreements. What AWS service can you use to quickly produce the information they require?

AWS Trusted Advisor

AWS Artifact

AWS Audit Manager

Amazon Detective

A

AWS Artifact

AWS Artifact is your go-to, central resource for compliance-related information that matters to you. It provides on-demand access to security and compliance reports from AWS and Independent Software Vendors (ISVs) who sell their products on AWS Marketplace. Reference: AWS Artifact

20
Q

Your architecture consists of an Application Load Balancer in front of an Auto Scaling group of EC2 instances, backed by an RDS database. Your security team has notified you of cross-site scripting and SQL injection attacks on the application. You have been asked to take steps to quickly mitigate these attacks. What steps should you take?

Immediately block the offending IP addresses on the NACL.

Configure Amazon GuardDuty to prevent these attacks.

Using the AWS WAF service, set up rules that block SQL injection and cross-site scripting attacks. Associate the rules with the ALB.

Use Amazon Inspector to detect these attacks and manually block the IP addresses from which these attacks come.

A

Using the AWS WAF service, set up rules that block SQL injection and cross-site scripting attacks. Associate the rules with the ALB.

AWS WAF is a web application firewall that helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources. AWS WAF gives you control over how traffic reaches your applications by enabling you to create security rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that filter out specific traffic patterns you define. You can get started quickly using Managed Rules for AWS WAF, a pre-configured set of rules managed by AWS or AWS Marketplace Sellers. The Managed Rules for WAF address issues like the OWASP Top 10 security risks. These rules are regularly updated as new issues emerge. AWS WAF includes a full-featured API that you can use to automate the creation, deployment, and maintenance of security rules.

https://aws.amazon.com/waf/