Security Flashcards
You are working on a Lambda function which needs to access data in RDS. Which is the best approach for securely storing the encrypted database connection strings and other secrets which your function needs to use?
• Store the encrypted connection string and other secrets in S3
• Use Lambda Environment Variables
• Use Systems Manager Parameter Store
• Use DynamoDB to store the encrypted connection string and secrets
Use Systems Manager Parameter Store
One of your junior developers has never had AWS access before and needs access to an Elastic Load Balancer in your custom VPC. This is the first and only time she will need access. Which of the following choices is the most secure way to grant this access?
- None of these.
- Add that developer to a Group with the requisite access (although that group may have more permissions than are needed for the Dev to do her job).
- Create a new IAM user with only the required credentials and delete that IAM user after the developer has finished her work.
- Let her log in with Admin credentials and change the Admin password when she is finished.
Create a new IAM user with only the required credentials and delete that IAM user after the developer has finished her work.
What is the recommended approach to configuring a mobile application to allow users to sign in and sign up to your application via Facebook?
• Use encrypted AWS credentials within your application code and store them locally on the device
• Use a custom Lambda function to act as an Identity Broker between your application and the Web Identity Provider
• Use IAM as an Identity Broker between your application and the Web Identity Provider
• Use Cognito as an Identity Broker between your application and the Web Identity Provider
• Use Cognito as an Identity Broker between your application and the Web Identity Provider
You are working on a mobile phone app for an online retailer which stores customer data in DynamoDB. You would like to allow new users to sign up using their Facebook credentials. What is the recommended approach?
- After the user has successfully logged in to Facebook and received an authentication token, Cognito should be used to exchange the token for temporary access to DynamoDB
- Write your own custom code which allows the user to log in via Facebook and receive an authentication token, then calls the AssumeRoleWithWebIdentity API and exchanges the authentication tokens for temporary access to DynamoDB
- Embed encrypted AWS credentials into the application code, so that the application can access DynamoDB on the user’s behalf.
- After the user has authenticated with Facebook, allow them to download encrypted AWS credentials to their device so that the mobile app can access DynamoDB
After the user has successfully logged in to Facebook and received an authentication token, Cognito should be used to exchange the token for temporary access to DynamoDB
When using Web Identity Federation and Cognito to allow a user to access an AWS service (such as an S3 bucket), which of the following is the correct order of steps?
- Users cannot use Facebook credentials to access the AWS platform.
- A user logs in to the AWS platform using their Facebook credentials. AWS authenticates with Facebook to check the credentials. Temporary Security Access is granted to AWS.
- A user makes the AssumeRoleWithWebIdentity API Call. The user is then redirected to Facebook to authenticate. Once authenticated, the user is given an ID token. The user is then granted temporary access to the AWS platform.
- A user authenticates with Facebook first. They are then given an ID token by Facebook. An API call, AssumeRoleWithWebIdentity, is then used in conjunction with the ID token. A user is then granted temporary security credentials.
A user authenticates with Facebook first. They are then given an ID token by Facebook. An API call, AssumeRoleWithWebIdentity, is then used in conjunction with the ID token. A user is then granted temporary security credentials.
Which of the following does Cognito use to manage sign-up and sign-in functionality for mobile and web applications?
• IAM Users
• IAM Groups
• User Pools
• Identity Pools
• User Pools
You are working on a mobile phone app for an online retailer which stores its customer data in DynamoDB. You would like to enable new users to sign up using Facebook or Google credentials. What is the recommended approach?
- Write your own custom code which allows the user to log in via a Web Identity Provider and receive an authentication token, then calls the AssumeRoleWithWebIdentity API and exchanges the authentication tokens for temporary access to DynamoDB
- Embed encrypted AWS credentials into the application code, so that the application can access DynamoDB on the user’s behalf
- After the user has authenticated with Facebook, allow them to download encrypted AWS credentials to their device so that the mobile app can access DynamoDB
- Once the user has logged in to the Web Identity Provider, use Cognito to exchange the authentication tokens for temporary access to DynamoDB
Once the user has logged in to the Web Identity Provider, use Cognito to exchange the authentication tokens for temporary access to DynamoDB
You are working as a developer for an online retailer. Your Security Architect has requested that any files stored in S3 must be encrypted. However, some teams are continuing to upload their files without encrypting them. Which of the following will ensure that only encrypted data is uploaded?
- Tell all team members to include the x-amz-encryption parameter in the request header
- Use a bucket policy that only allows PUT operations which include the x-amz-server-side-encryption parameter in the request header
- Select the Encrypted Files Only checkbox in the S3 Permissions tab in the AWS console
- Create a bucket ACL that only allows PUT operations which include the x-amz-encryption parameter in the request header
• Use a bucket policy that only allows PUT operations which include the x-amz-server-side-encryption parameter in the request header
An IT auditor has joined your security team and will need access to read files in S3 and DynamoDB, as well as the ability to describe EC2 instances. You want to ensure that only the auditor is granted this access and that the IAM policy you create cannot mistakenly be attached to any other user. Which IAM policy type should you use?
• Inline Policy
• Custom Policy
• AWS Managed Policy
• Customer Managed Policy
Inline Policy
In order to enable encryption at rest using EC2 and Elastic Block Store, you must ________.
• Mount the EBS volume into S3 and then encrypt the bucket using a bucket policy
• Configure encryption using the appropriate operating system's file system
• Configure encryption when creating the EBS volume
• Configure encryption using X.509 certificates
• Configure encryption when creating the EBS volume
You are developing an online banking website which will be accessed by a global customer base. You are planning to use CloudFront to ensure users experience good performance regardless of their location. The Security Architect working on the project asks you to ensure that all requests to CloudFront are encrypted using HTTPS. How can you configure this?
• Set the Viewer Protocol Policy to redirect HTTP to HTTPS
• Set the Request Protocol Policy to redirect HTTP to HTTPS
• Set the User Protocol Policy to redirect HTTP to HTTPS
• Set the Session Protocol Policy to redirect HTTP to HTTPS
• Set the Viewer Protocol Policy to redirect HTTP to HTTPS
You are building an S3-hosted website, and your website is accessing JavaScript and image files located in another S3 bucket. How can you enable this?
• Cross Origin Resource Sharing (CORS)
• IAM roles
• S3 bucket policies
• S3 ACLs
Cross Origin Resource Sharing (CORS)
You have provisioned an RDS database and then deployed your application servers using Elastic Beanstalk. You now need to connect your application servers to the database. What should you do?
- Configure a security group allowing access to the database and add it to your environment's auto-scaling group
- Provide the database connection information to your application
- Provide the IP address of the RDS instance to Elastic Beanstalk
- Configure Elastic Beanstalk to install a database client on your application servers
- Configure a security group allowing access to the database and add it to your environment's auto-scaling group
- Provide the database connection information to your application
Your mobile application needs to read data from DynamoDB. What is the best way to give mobile devices permissions to read from DynamoDB?
• Connect your application to an EC2 instance with permission to read from DynamoDB.
• Create an IAM role that can be assumed by an app that allows federated users.
• Create an IAM role for your users.
• Issue an access key and secret access key to each user.
• Create an IAM role that can be assumed by an app that allows federated users.
Which of the following methods will allow you to *securely* upload/download your data to the S3 service? Pick all that apply.
• SSL endpoints using the HTTPS protocol
• HTTP endpoints using the HTTPS protocol
• HTTP endpoints using the HTTP protocol
• SSL endpoints using the HTTP protocol
SSL endpoints using the HTTPS protocol
HTTP endpoints using the HTTPS protocol