Security and Compliance

Question 1

Company wishes to force users to change their passwords regularly

Answer 1

Create an IAM password policy and enabled password expiration

Question 2

Need to restrict access to a bucket based on source IP range

Answer 2

Use bucket policy with “Condition”: “NotIpAddress”: statement

Question 3

Need to control access to group of EC2 instances with specific tags

Answer 3

Use an IAM policy with a condition element granting access based on the tag and attach an IAM policy to the user or groups that require access

Question 4

IAM policy for SQS queue allows too much access. Who is responsible for correcting the issue?

Answer 4

According the AWS shared responsibility mode, this is a customer responsibility

Question 5

Data is encrypted with AWS KMS customer-managed CMKs. Need to enable rotation ensuring the data remains readable

Answer 5

Just enable key rotation in AWS KMS for the CMK (backing key is rotated, data key is not changed)

Question 6

Company must rotate encryption keys once a year with least effort

Answer 6

Use customer-managed CMK and enabled automatic key rotation

Question 7

App uses KMS CMK with imported key material and references the CMK by alias in the application. Must be rotated every 6 months

Answer 7

To rotate, create a new CMK with new imported material and update the key alias to point to new CMK

Question 8

Certificate request rejected by ACM

Answer 8

Submit a request for a certificate using the correct domain name NOT the ALB FQDN

Question 9

Security findings are missing in Amazon Inspector

Answer 9

Verify agent installed on affected instances and restart agent

Question 10

Security team need to verify vulnerabilities and exposures are addressed for EC2 instances regularly

Answer 10

Use Amazon Inspector and perform regular assessments

Question 11

There may be a vulnerable version of software installed on EC2 instances and need to check

Answer 11

Create and run an Amazon Inspector assessment template

Question 12

Need to use information in request header to count requests from each front-end server

Answer 12

Use a string match statement

Question 13

Large amount of suspicious HTTP requests hitting an ALB from various source IPs

Answer 13

Block the traffic using AWS WAF with a rate-based rule and a defined threshold

Question 14

Many 404 errors being sent to one IP address every minute. Bot may be collecting info

Answer 14

Use AWS WAF to block the activity

Question 15

Website has been deployed and penetration testing shows its vulnerable to cross-site scripting

Answer 15

Use AWS WAF to mitigate cross-site scripting attacks

Question 16

Application is under repeated DDoS attacks. Need to minimize downtime and require 24/7 support

Answer 16

Setup AWS Shield Advanced

Question 17

Company needs to understand the PCI status of the AWS infrastructure

Answer 17

Use AWS Artifact to locate this information

Question 18

Company uses LDAP and needs to implement access control in AWS as part of an integration between internal and cloud

Answer 18

Need to configure SAM federation of IAM users and groups with the LDAP DB and map LDAP user and groups to IAM roles

Question 19

Permissions policy for cross-account access must be created and attached. Who is responsible for doing this?

Answer 19

According to the AWS shared responsibility model, this is a customer responsibility

Question 20

Company wishes to move from IAM user accounts to using on-premises Active Directory accounts for AWS management console access

Answer 20

Configure a VPN tunnel and use Active Directory Connector