Security Flashcards

24% of Exam

1
Q

Which services are integrated with KMS encryption? (choose 2)

  1. Amazon RDS
  2. Amazon EC2
  3. Amazon EBS
  4. Amazon SWF
  5. AWS CloudFormation
A
  1. Amazon RDS
  2. Amazon EBS

• https://aws.amazon.com/kms/features/

2
Q

Under the AWS shared responsibility model what is the customer responsible for? (choose 2)

  1. Physical security of the data center
  2. Replacement and disposal of disk drives
  3. Configuration of security groups
  4. Patch management of infrastructure
  5. Encryption of customer data
A
  1. Configuration of security groups
  2. Encryption of customer data
  • AWS are responsible for “Security of the Cloud”
  • Customers are responsible for “Security in the Cloud”
3
Q

Which service records API activity on your account and delivers log files to an Amazon S3 bucket?

  1. Amazon CloudWatch
  2. Amazon S3 Event Notifications
  3. Amazon CloudTrail
  4. Amazon CloudWatch Logs
A
  1. Amazon CloudTrail
  • AWS CloudTrail is a web service that records activity made on your account and delivers log files to an Amazon S3 bucket
  • CloudTrail is for auditing (CloudWatch is for performance monitoring)
4
Q

The IAM service can be used to manage which objects? (choose 2)

  1. Security groups
  2. Access policies
  3. Roles
  4. Network ACLs
  5. Key pairs
A
  1. Access policies
  2. Roles
  • Access policies are objects that you attach to entities and resources to define their permissions
  • Roles are created and then “assumed” by trusted entities and define a set of permissions for making AWS service requests
  • Security groups and network ACLs are used as instance-level and subnet-level firewalls respectively
5
Q

Under the shared responsibility model, what are examples of shared controls? (choose 2)

  1. Patch management
  2. Storage system patching
  3. Physical and environmental
  4. Configuration management
  5. Service and Communications Protection
A
  1. Patch management
  2. Configuration management
  • Shared Controls – controls which apply to both the infrastructure layer and customer layers, but in completely separate contexts or perspectives
    • Patch Management – AWS is responsible for patching and fixing flaws within the infrastructure, but customers are responsible for patching their guest OS and applications
    • Configuration Management – AWS maintains the configuration of its infrastructure devices, but a customer is responsible for configuring their own guest operating systems, databases, and applications
6
Q

Which of the following are features of Amazon CloudWatch? (choose 2)

  1. Used to gain system-wide visibility into resource utilization
  2. Records account activity and service events from most AWS services
  3. Used for auditing of API calls
  4. Can be accessed via API, command-line interface, AWS SDKs, and the AWS Management Console
  5. Provides visibility into user activity by recording actions taken on your account
A
  1. Used to gain system-wide visibility into resource utilization
  2. Can be accessed via API, command-line interface, AWS SDKs, and the AWS Management Console
  • Amazon CloudWatch is a monitoring service for AWS cloud resources and the applications you run on AWS
  • CloudWatch is for performance monitoring (CloudTrail is for auditing)
  • CloudTrail records account activity and service events from most AWS services
7
Q

Which statement below is incorrect in relation to Security Groups?

  1. Operate at the instance level
  2. Support allow rules only
  3. Stateless
  4. Evaluate all rules
A
  1. Stateless

• Security groups are stateful meaning that if traffic is allowed in one direction, the return traffic is automatically allowed regardless of whether there is a matching rule for the traffic

8
Q

What constraints apply to customers when performing penetration testing? (choose 2)

  1. Permission is required for all penetration tests
  2. You can perform penetration testing on your own systems at any time without prior authorization
  3. You must complete and submit the AWS Vulnerability / Penetration Testing Request Form to request authorization
  4. Penetration testing can be performed against any AWS resources
  5. Penetration testing must be performed by a certified security consultant
A
  1. Permission is required for all penetration tests
  2. You must complete and submit the AWS Vulnerability / Penetration Testing Request Form to request authorization
  • There is a limited set of resources on which penetration testing can be performed
  • https://digitalcloud.training/certification-training/aws-certified-cloud-practitioner/cloud-security/
9
Q

Which statement below is incorrect in relation to Network ACLs?

  1. Operate at the Availability Zone level
  2. Support allow and deny rules
  3. Stateless
  4. Process rules in order
A
  1. Operate at the Availability Zone level
  • Network ACLs operate at the subnet level
  • https://digitalcloud.training/certification-training/aws-certified-cloud-practitioner/aws-networking/
10
Q

Which feature can you use to grant read/write access to an Amazon S3 bucket?

  1. IAM Role
  2. IAM Policy
  3. IAM Group
  4. IAM User
A
  1. IAM Policy
  • IAM Policies are documents that define permissions and can be applied to users, groups and roles
  • IAM policies can be written to grant access to Amazon S3 buckets
  • IAM Roles are created and then “assumed” by trusted entities and define a set of permissions for making AWS service requests
  • IAM Groups are collections of users and have policies attached to them
11
Q

Which AWS service is used to enable multi-factor authentication?

  1. Amazon STS
  2. AWS IAM
  3. Amazon EC2
  4. AWS KMS
A
  1. AWS IAM
  • IAM is used to securely control individual and group access to AWS resources
  • The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for IAM users or for users that you authenticate (federated users)
  • AWS Key Management Service (KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data
  • Amazon EC2 is used for running operating systems instances in the cloud
12
Q

Which AWS service gives you centralized control over the encryption keys used to protect your data?

  1. AWS STS
  2. AWS KMS
  3. AWS DMS
  4. Amazon EBS
A
  1. AWS KMS
  • AWS Key Management Service gives you centralized control over the encryption keys used to protect your data. You can create, import, rotate, disable, delete, define usage policies for, and audit the use of encryption keys used to encrypt your data
  • The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users
  • AWS Database Migration Service (DMS) helps you migrate databases to AWS quickly and securely
  • Amazon Elastic Block Store (Amazon EBS) provides persistent block storage volumes for use with Amazon EC2 instances in the AWS Cloud
13
Q

How can a security compliance officer retrieve AWS compliance documentation such as a SOC 2 report?

  1. Using AWS Artifact
  2. Using AWS Trusted Advisor
  3. Using AWS Inspector
  4. Using the AWS Personal Health Dashboard
A
  1. Using AWS Artifact
  • AWS Artifact, available in the console, is a self-service audit artifact retrieval portal that provides our customers with on-demand access to AWS’ compliance documentation and AWS agreements
  • You can use AWS Artifact Reports to download AWS security and compliance documents, such as AWS ISO certifications, Payment Card Industry (PCI), and System and Organization Control (SOC) reports
14
Q

Which service provides visibility into user activity by recording actions taken on your account?

  1. Amazon CloudWatch
  2. Amazon CloudFormation
  3. Amazon CloudTrail
  4. Amazon CloudHSM
A
  1. Amazon CloudTrail
  • CloudTrail is a web service that records activity made on your account and delivers log files to an Amazon S3 bucket
  • CloudTrail is for auditing (CloudWatch is for performance monitoring)
  • CloudFormation is used for deploying infrastructure through code
  • CloudHSM is a hardware security module for generating, managing and storing encryption keys
15
Q

A new user is unable to access any AWS services, what is the most likely explanation?

  1. The user needs to login with a key pair
  2. The services are currently unavailable
  3. By default new users are created without access to any AWS services
  4. The default limit for user logons has been reached
A
  1. By default new users are created without access to any AWS services
  • By default new users are created with NO access to any AWS services – they can only login to the AWS console
  • https://digitalcloud.training/certification-training/aws-certified-cloud-practitioner/identity-and-access-management/
16
Q

Which of the following compliance programs allows the AWS environment to process, maintain, and store protected health information?

  1. ISO 27001
  2. PCI DSS
  3. HIPAA
  4. SOC 1
A
  1. HIPAA

• AWS enables covered entities and their business associates subject to the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA) to use the secure AWS environment to process, maintain, and store protected health information

17
Q

Which file format is used to write AWS Identity and Access Management (IAM) policies?

  1. DOC
  2. XML
  3. JBOD
  4. JSON
A
  1. JSON

• You manage access in AWS by creating policies and attaching them to IAM identities or AWS resources. A policy is an object in AWS that, when associated with an entity or resource, defines their permissions. AWS evaluates these policies when a principal, such as a user, makes a request. Permissions in the policies determine whether the request is allowed or denied. Most policies are stored in AWS as JSON documents

18
Q

At what level is a Network ACL applied?

  1. Instance level
  2. Region level
  3. Availability Zone level
  4. Subnet level
A
  1. Subnet level
  • Network Access Control Lists (ACLs) provide a firewall/security layer at the subnet level
  • Security Groups provide a firewall/security layer at the instance level
19
Q

Which AWS service protects against common exploits that could compromise application availability, compromise security or consume excessive resources?

  1. AWS WAF
  2. AWS Shield
  3. Security Group
  4. Network ACL
A
  1. AWS WAF
  • AWS WAF is a web application firewall that protects against common exploits that could compromise application availability, compromise security or consume excessive resources
  • AWS Shield is a managed Distributed Denial of Service (DDoS) protection service
  • Security groups and Network ACLs are firewalls protecting at the instance and subnet level respectively
20
Q

How can an organization assess applications for vulnerabilities and deviations from best practice?

  1. Use AWS Artifact
  2. Use AWS Inspector
  3. Use AWS Shield
  4. Use AWS WAF
A
  1. Use AWS Inspector
  • Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Inspector automatically assesses applications for vulnerabilities or deviations from best practices
  • AWS Artifact is your go-to, central resource for compliance-related information that matters to you
  • AWS Shield is a managed Distributed Denial of Service (DDoS) protection service
  • AWS WAF is a web application firewall
21
Q

Which of the following is NOT one of the five AWS Trusted Advisor categories?

  1. Cost Optimization
  2. Performance
  3. Security
  4. Application transformation
A
  1. Application transformation

• The five categories are cost optimization, performance, security, fault tolerance and service limits

22
Q

Which of the following are AWS recommended best practices in relation to IAM? (choose 2)

  1. Assign permissions to users
  2. Create individual IAM users
  3. Embed access keys in application code
  4. Enable MFA for all users
  5. Grant least privilege
A
  1. Create individual IAM users
  2. Grant least privilege
  • AWS recommend creating individual IAM users and assigning the least privileges necessary for them to perform their role
  • You should use groups to assign permissions to IAM users, should avoid embedding access keys in application code, and should enable MFA for privileged users (not everyone)
23
Q

Which of the following security operations tasks must be performed by AWS customers? (choose 2)

  1. Collecting syslog messages from physical firewalls
  2. Issuing data center access keycards
  3. Installing security updates on EC2 instances
  4. Enabling multi-factor authentication (MFA) for privileged users
  5. Installing security updates for server firmware
A
  1. Installing security updates on EC2 instances
  2. Enabling multi-factor authentication (MFA) for privileged users

• The customer is responsible for installing security updates on EC2 instances and enabling MFA. AWS is responsible for security of the physical data center and the infrastructure upon which customer services run

24
Q

Which services are involved with security? (choose 2)

  1. AWS CloudHSM
  2. AWS DMS
  3. AWS KMS
  4. AWS SMS
  5. Amazon ELB
A
  1. AWS CloudHSM
  2. AWS KMS
  • AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud
  • AWS Key Management Service gives you centralized control over the encryption keys used to protect your data
25
Q

Which information security standard applies to entities that store, process or transmit credit cardholder data?

  1. ISO 27001
  2. HIPAA
  3. NIST
  4. PCI DSS
A
  1. PCI DSS
  • The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard administered by the PCI Security Standards Council
  • AWS enables covered entities and their business associates subject to the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA) to use the secure AWS environment to process, maintain, and store protected health information
  • The National Institute of Standards and Technology (NIST) 800-53 security controls are generally applicable to US Federal Information Systems
  • ISO/IEC 27001:2013 is a security management standard that specifies security management best practices and comprehensive security controls following the ISO/IEC 27002 best practice guidance
26
Q

Which services provide protection measures against distributed denial of service (DDoS) attacks? (choose 2)

  1. AWS CloudHSM
  2. Amazon CloudFront
  3. AWS WAF
  4. Internet Gateway
  5. Managed VPN
A
  1. Amazon CloudFront
  2. AWS WAF
  • AWS offers globally distributed, high network bandwidth and resilient services that, when used in conjunction with application-specific strategies, are key to mitigating DDoS attacks
  • AWS WAF is a web application firewall that helps protect web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources
  • Amazon CloudFront distributes traffic across multiple edge locations and filters requests to ensure that only valid HTTP(S) requests will be forwarded to backend hosts. CloudFront also supports geoblocking, which you can use to prevent requests from particular geographic locations from being served
  • Internet Gateways, Managed VPN and CloudHSM do not help to mitigate DDoS attacks
27
Q

When using Amazon IAM, what authentication methods are available to use? (choose 2)

  1. Client certificates
  2. Access keys
  3. Amazon KMS
  4. Server certificates
  5. AES 256
A
  1. Access keys
  2. Server certificates
  • Supported authentication methods include console passwords, access keys and server certificates
  • Access keys are a combination of an access key ID and a secret access key and can be used to make programmatic calls to AWS
  • Server certificates are SSL/TLS certificates that you can use to authenticate with some AWS services
  • Client certificates are not a valid IAM authentication method
  • Amazon Key Management Service (KMS) is used for managing encryption keys and is not used for authentication
  • AES 256 is an encryption algorithm, not an authentication method
28
Q

To ensure the security of your AWS account, what are two AWS best practices for managing access keys? (choose 2)

  1. Don’t create any access keys, use IAM roles instead
  2. Don’t generate an access key for the root account user
  3. Where possible, use IAM roles with temporary security credentials
  4. Rotate access keys daily
  5. Use MFA for access keys
A
  1. Don’t generate an access key for the root account user
  2. Where possible, use IAM roles with temporary security credentials

• Best practices include:
– Don’t generate an access key for the root account user
– Use Temporary Security Credentials (IAM Roles) Instead of Long-Term Access Keys
– Manage IAM User Access Keys Properly
• Rotating access keys is a recommended practice, but doing it daily would be excessive and hard to manage
• You can use MFA for securing privileged accounts, but it does not secure access keys
• You should use IAM roles where possible, but AWS does not recommend avoiding access keys entirely, as they also have a purpose

29
Q

Which feature of Amazon S3 adds a layer of additional security to prevent accidental deletion?

  1. Versioning
  2. Encryption
  3. MFA delete
  4. Lifecycle management
A
  1. MFA delete
  • MFA delete adds an additional layer of security as users must include the x-amz-mfa request header in requests to permanently delete an object version or change the versioning state of the bucket. This header must include the authentication code from a multi-factor authentication device
  • Versioning helps to mitigate the impact of deleting objects as older versions are retained however it does not prevent deletion
  • Encryption protects against unauthorized agents reading your data, it does not protect it from deletion
  • Lifecycle management can also reduce the impact of deleting objects as they may have been archived, but again it does not stop you from deleting them
30
Q

Which of the options below are recommendations in the security pillar of the well-architected framework? (choose 2)

  1. Enable traceability
  2. Apply security at the application layer
  3. Automate security best practices
  4. Protect data when it is at rest only
  5. Expect to be secure
A
  1. Enable traceability
  2. Automate security best practices

• The security pillar includes the ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies
• There are six design principles for security in the cloud:
– Implement a strong identity foundation
– Enable traceability
– Apply security at all layers
– Automate security best practices
– Protect data in transit and at rest
– Prepare for security events

31
Q

What does an organization need to do in Amazon IAM to enable user access to services being launched in a new region?

  1. Update the user accounts to allow access from another region
  2. Create new user accounts in the new region
  3. Enable global mode in IAM to provision the required access
  4. Nothing, IAM is global
A
  1. Nothing, IAM is global

• IAM is used to securely control individual and group access to AWS resources. IAM is universal (global) and does not apply to regions

32
Q

What can be assigned to an IAM user? (choose 2)

  1. An access key ID and secret access key
  2. A password for logging into Linux
  3. A password for access to the management console
  4. A key pair
  5. An SSL/TLS certificate
A
  1. An access key ID and secret access key
  2. A password for access to the management console
  • An IAM user is an entity that represents a person or service. Users can be assigned an access key ID and secret access key for programmatic access to the AWS API, CLI, SDK, and other development tools and a password for access to the management console
  • Key pairs are used with Amazon EC2 as a method of using public key encryption to securely access EC2 instances
  • You cannot assign an IAM user with a password for logging into a Linux instance
  • You cannot assign an SSL/TLS certificate to a user
33
Q

Which of the below are valid use cases for using AWS services to implement real-time auditing? (choose 2)

  1. Use Amazon Inspector to monitor for compliance
  2. Use Amazon CloudWatch for monitoring API calls
  3. Use Amazon CloudTrail to monitor application performance
  4. Use AWS IAM to store log files
  5. Use AWS Lambda to scan log files
A
  1. Use Amazon Inspector to monitor for compliance
  2. Use AWS Lambda to scan log files
  • Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices
  • You can use AWS Lambda, Amazon EMR, the Amazon Elasticsearch Service, or third-party tools from the AWS Marketplace to scan logs to detect things like unused permissions, overuse of privileged accounts, usage of keys, anomalous logins, policy violations, and system abuse
  • CloudWatch is used for performance monitoring whereas CloudTrail is used for logging API calls
  • AWS IAM is not used for storage of log files
34
Q

Which type of security control can be used to deny network access from a specific IP address?

  1. Security Group
  2. Network ACL
  3. AWS WAF
  4. AWS Shield
A
  1. Network ACL
  • A Network ACL supports allow and deny rules. You can create a deny rule specifying a specific IP address that you would like to block
  • A Security Group only supports allow rules
  • AWS WAF is a web application firewall
  • AWS Shield is a managed Distributed Denial of Service (DDoS) protection service
35
Q

Which of the following security related activities are AWS customers responsible for? (choose 2)

  1. Installing patches on network devices
  2. Implementing data center access controls
  3. Implementing IAM password policies
  4. Installing patches on Windows operating systems
  5. Secure disposal of faulty disk drives
A
  1. Implementing IAM password policies
  2. Installing patches on Windows operating systems
  • Customers are responsible for configuring their own IAM password policies and installing operating system patches on Amazon EC2 instances
  • AWS are responsible for installing patches on physical hardware devices, data center access controls and secure disposal of disk drives
36
Q

Which feature of AWS IAM enables you to identify unnecessary permissions that have been assigned to users?

  1. Role Advisor
  2. Access Advisor
  3. Permissions Advisor
  4. Group Advisor
A
  1. Access Advisor
  • The IAM console provides information about when IAM users and roles last attempted to access AWS services. This information is called service last accessed data. This data can help you identify unnecessary permissions so that you can refine your IAM policies to better adhere to the principle of “least privilege.” That means granting the minimum permissions required to perform a specific task. You can find the data on the Access Advisor tab in the IAM console by examining the detail view for any IAM user, group, role, or managed policy
  • https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html
37
Q

How can you enable access to AWS accounts using credentials from an on-premise corporate directory?

  1. SSO using Cognito
  2. Federation using IAM
  3. Replication using Simple AD
  4. AWS Organizations
A
  1. Federation using IAM
  • You can enable single sign-on (SSO) to your AWS accounts by using federation and AWS Identity and Access Management (IAM). By federating your AWS accounts, users can sign in to the AWS Management Console and AWS Command Line Interface (CLI) using credentials from your corporate directory
  • Amazon Cognito helps you add user sign-up and sign-in to your mobile and web apps easily, it is not used for connecting corporate directories
  • Simple AD is an inexpensive Active Directory-compatible service with common directory features. It is a standalone directory on AWS and cannot replicate with an on-premise directory
  • AWS Organizations offers policy-based management for multiple AWS accounts. With Organizations, you can create groups of accounts, automate account creation, and apply and manage policies for those groups. It is not used for SSO
38
Q

Which service can be used to assign a policy to a group?

  1. AWS IAM
  2. Amazon Cognito
  3. Amazon STS
  4. AWS Shield
A
  1. AWS IAM
  • IAM is used to securely control individual and group access to AWS resources. Groups are collections of users and have policies attached to them. You can use IAM to attach a policy to a group
  • Amazon Cognito is used for authentication using mobile apps
  • The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for IAM users or for users that you authenticate (federated users)
  • AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS
39
Q

Which AWS service uses a highly secure hardware storage device to store encryption keys?

  1. AWS WAF
  2. AWS IAM
  3. AWS CloudHSM
  4. Amazon Cloud Directory
A
  1. AWS CloudHSM
  • AWS CloudHSM is a cloud-based hardware security module (HSM) that allows you to easily add secure key storage and high-performance crypto operations to your AWS applications
  • Amazon Cloud Directory enables you to build flexible cloud-native directories for organizing hierarchies of data along multiple dimensions
  • AWS WAF is a web application firewall that helps protect your web applications from common web exploits
  • AWS Identity and Access Management (IAM) is used for managing users, groups, and roles in AWS
40
Q

Which security service only requires a rule to be created in one direction as it automatically allows return traffic?

  1. VPC Router
  2. Network ACL
  3. Security Group
  4. AWS Shield
A
  1. Security Group
  • Security groups are stateful so if you allow traffic to pass through, the return traffic is automatically allowed even if no rule matches the traffic
  • Network ACLs are stateless so you must create rules in both directions to allow traffic through
  • A VPC router is not a security service
  • AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS
41
Q

What is required to decrypt the Administrator password of a newly launched Amazon EC2 Windows instance?

  1. Key pair
  2. Access key and secret ID
  3. KMS key
  4. IAM role
A
  1. Key pair
  • You use a key pair to decrypt the Administrator password through the console or using the CLI
  • An access key and secret ID are associated with IAM accounts and are used for signing programmatic requests
  • KMS is used for managing encryption keys, a “KMS key” is incorrect
  • IAM roles cannot be used for decrypting the Administrator password

• https://aws.amazon.com/premiumsupport/knowledge-center/retrieve-windows-admin-password/

42
Q

What modifications can be made to an IAM access key once created? (choose 2)

  1. Change user
  2. Make active
  3. Add user
  4. Change scope
  5. Make inactive
A
  1. Make active
  2. Make inactive

• All you can do with an access key once it has been generated is to make active, make inactive, or delete the access key

43
Q

What is the name of the online, self-service portal that AWS provides to enable customers to view reports, such as PCI reports, and accept agreements?

  1. AWS Compliance Portal
  2. AWS Documentation Portal
  3. AWS Artifact
  4. AWS DocuFact
A
  1. AWS Artifact
  • AWS Artifact is your go-to, central resource for compliance-related information that matters to you. It provides on-demand access to AWS’ security and compliance reports and select online agreements. Reports available in AWS Artifact include our Service Organization Control (SOC) reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies across geographies and compliance verticals that validate the implementation and operating effectiveness of AWS security controls.
  • Agreements available in AWS Artifact include the Business Associate Addendum (BAA) and the Nondisclosure Agreement (NDA)
  • All other options are made up and do not exist
44
Q

Which AWS IAM best practice recommends applying the minimum permissions necessary to perform a task when creating IAM policies?

  1. Create individual IAM users
  2. Use roles to delegate permissions
  3. Grant least privilege
  4. Enable MFA for privileged users
A
  1. Grant least privilege

• When you create IAM policies, follow the standard security advice of granting least privilege—that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks

45
Q

What are the benefits of using IAM roles for applications that run on EC2 instances? (choose 2)

  1. Easier to configure than using storing access keys within the EC2 instance
  2. More secure than storing access keys within applications
  3. Can apply multiple roles to a single instance
  4. It is easier to manage IAM roles
  5. Role credentials are permanent
A
  1. More secure than storing access keys within applications
  2. It is easier to manage IAM roles
  • Using IAM roles instead of storing credentials within EC2 instances is more secure. It is also easier to manage roles
  • It is not easier to configure as there are extra steps that need to be completed
  • You cannot apply multiple roles to a single instance
  • Role credentials are temporary, not permanent, and are rotated automatically
46
Q

A web server is being maliciously targeted, how can a systems administrator deny access from a list of known attacker IP addresses? (choose 2)

  1. Using a local firewall such as iptables
  2. Using a rule on the Internet Gateway
  3. Using a Security Group deny rule
  4. Using a Network ACL deny rule
  5. Through VPC route table configuration
A
  1. Using a local firewall such as iptables
  2. Using a Network ACL deny rule
  • To block access to a known list of IP addresses you can configure a local firewall on the web server or use Network ACL deny rules
  • You cannot create deny rules with Security Groups (only allow rules)
  • Internet Gateways do not have allow/deny rules and route table configuration could not be used to break connections with specific addresses
47
Q

Which of the following is not a best practice for protecting the root user of an AWS account?

  1. Don’t share the root user credentials
  2. Enable MFA
  3. Remove administrative permissions
  4. Lock away the AWS root user access keys
A
  1. Remove administrative permissions

• You cannot remove administrative permissions from the root user of an AWS account. Therefore, you must protect the account by creating a complex password, enabling MFA, locking away access keys (assuming they’re even required), and not sharing the account details

48
Q

What types of rules can be defined in a security group? (choose 2)

  1. Inbound
  2. Deny
  3. Tags
  4. Outbound
  5. Stateful
A
  1. Inbound
  2. Outbound
  • You can create inbound and outbound rules in a security group
  • You can tag a security group but this is not a type of rule
  • You cannot create deny rules with a security group; all rule entries allow traffic
  • A security group is stateful but this is not a rule type
49
Q

Which AWS security tool uses an agent installed in EC2 instances and assesses applications for vulnerabilities and deviations from best practices?

  1. AWS Trusted Advisor
  2. AWS Personal Health Dashboard
  3. AWS TCO Calculator
  4. AWS Inspector
A
  1. AWS Inspector
  • Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Inspector automatically assesses applications for vulnerabilities or deviations from best practices. It uses an agent installed on EC2 instances
  • Trusted Advisor is an online resource that helps to reduce cost, increase performance and improve security by optimizing your AWS environment
  • AWS Personal Health Dashboard provides alerts and remediation guidance when AWS is experiencing events that may impact you
  • The AWS TCO calculator can be used to compare the cost of running your applications in an on-premises or colocation environment to AWS
50
Q

Up to what layer of the OSI model does AWS Web Application Firewall operate?

  1. Layer 3
  2. Layer 4
  3. Layer 5
  4. Layer 7
A
  1. Layer 7
  • The AWS Web Application Firewall operates up to the application layer (layer 7). You can use AWS WAF to create custom rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that are designed for your specific application
  • https://aws.amazon.com/waf/
51
Q

What do you need to log into the AWS console?

  1. User name and password
  2. Key pair
  3. Access key and secret ID
  4. Certificate
A
  1. User name and password
  • You can log into the AWS console using a user name and password
  • You cannot log in to the AWS console using a key pair, access key & secret ID or certificate
52
Q

Your manager has asked you to explain the benefits of using IAM groups. Which of the below statements are valid benefits? (choose 2)

  1. You can restrict access to the subnets in your VPC
  2. Groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users
  3. Provide the ability to create custom permission policies
  4. Enables you to attach IAM permission policies to more than one user at a time
  5. Provide the ability to nest groups to create an organizational hierarchy
A
  1. Groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users
  2. Enables you to attach IAM permission policies to more than one user at a time
  • Groups are collections of users and have policies attached to them
  • A group is not an identity and cannot be identified as a principal in an IAM policy
  • Use groups to assign permissions to users
  • Use the principle of least privilege when assigning permissions
  • You cannot nest groups (groups within groups)
53
Q

Which of the authentication options below can be used to authenticate using AWS APIs? (choose 2)

  1. Key pairs
  2. Access keys
  3. Server passwords
  4. Security groups
  5. Server certificates
A
  1. Access keys
  2. Security groups
  • Key pairs are used for encrypting logon information when accessing EC2 instances
  • Access keys are a combination of an access key ID and a secret access key
  • A server password cannot be used to authenticate with an API
  • Server certificates are SSL/TLS certificates that you can use to authenticate with some AWS services
  • Security groups are an instance-level firewall used for controlling access to AWS resources

• https://digitalcloud.training/certification-training/aws-certified-cloud-practitioner/identity-and-access-management/

54
Q

Which of the following are NOT features of AWS IAM? (choose 2)

  1. Shared access to your AWS account
  2. Logon using local user accounts
  3. Identity federation
  4. PCI DSS compliance
  5. Charged for what you use
A
  1. Logon using local user accounts
  2. Charged for what you use
  • You cannot use IAM to create local user accounts on any system. You are also not charged for what you use; IAM is free to use
  • The other options are all features of AWS IAM
55
Q

Which of the following records are captured by Amazon CloudTrail? (choose 2)

  1. The identity of the API caller
  2. The CPU usage of the instance
  3. Custom metrics generated by applications
  4. The request parameters
  5. Billing information
A
  1. The identity of the API caller
  2. The request parameters

• AWS CloudTrail is a web service that records activity made on your account and delivers log files to an Amazon S3 bucket. CloudTrail is about logging and saves a history of API calls for your AWS account
• CloudTrail records account activity and service events from most AWS services and logs the following records:
– The identity of the API caller
– The time of the API call
– The source IP address of the API caller
– The request parameters
– The response elements returned by the AWS service
• All other options are metrics that can be recorded using CloudWatch

• https://digitalcloud.training/certification-training/aws-certified-cloud-practitioner/monitoring-and-logging-services/

56
Q

Your manager has asked you to explain some of the security features available in the AWS cloud. How can you describe the function of Amazon CloudHSM?

  1. It is a Public Key Infrastructure (PKI)
  2. It provides server-side encryption for S3 objects
  3. It can be used to generate, use and manage encryption keys in the cloud
  4. It is a firewall for use with web applications
A
  1. It can be used to generate, use and manage encryption keys in the cloud
  • AWS CloudHSM is a cloud-based hardware security module (HSM) that allows you to easily add secure key storage and high-performance crypto operations to your AWS applications
  • CloudHSM has no upfront costs and provides the ability to start and stop HSMs on-demand, allowing you to provision capacity when and where it is needed quickly and cost-effectively
  • CloudHSM is a managed service that automates time-consuming administrative tasks, such as hardware provisioning, software patching, high availability, and backups

• https://aws.amazon.com/cloudhsm/details/

57
Q

When using Identity and Access Management (IAM) what is the process of gaining access to a resource?

  1. First you authenticate, then you are authorized, and then you gain access
  2. First you are authorized, then you authenticate, and then you gain access
  3. First you authenticate, then you gain access, and then you are authorized
  4. With IAM you do not need to authenticate or be authorized
A
  1. First you authenticate, then you are authorized, and then you gain access
  • The process is that you are first authenticated (the system checks you are who you say you are), then you are authorized (the system determines the resources you are allowed to access), and then you are able to access the resources
  • https://digitalcloud.training/certification-training/aws-certified-cloud-practitioner/identity-and-access-management/