Tutorials Dojo (Security) Flashcards
Which of the following is solely the responsibility of the customer in accordance with the AWS shared responsibility model?
Configuration Management
Service and Communications Protection or Security Zone
Awareness & Training
Patching of the host operating system
Service and Communications Protection or Security Zone
How can you apply and easily manage the common access permissions to a large number of IAM users in AWS?
Attach the necessary policies or permissions required to a new IAM Group then afterwards, add the IAM Users to the IAM group.
Attach the exact same IAM Policy to all of the IAM Users.
Attach the IAM Policy to an IAM Role then afterwards, associate that role to all of the IAM Users.
Apply permissions to multiple IAM Users by using a cross-account role.
Attach the necessary policies or permissions required to a new IAM Group then afterwards, add the IAM Users to the IAM group.
Which of the following are the best practices that can help secure your AWS resources using the AWS Identity and Access Management (IAM) service? (Select TWO.)
Grant most privilege.
Lock away your AWS account root user access keys.
Grant least privilege.
Use Inline Policies instead of Customer Managed Policies.
Use Bastion Hosts.
Lock away your AWS account root user access keys.
Grant least privilege.
You are permitted to conduct security assessments and penetration testing without prior approval against which AWS resources? (Select TWO.)
Amazon S3
Amazon RDS
AWS Identity and Access Management (IAM)
Amazon Aurora
AWS Security Token Service (STS)
Amazon RDS
Amazon Aurora
Permitted Services:
- Amazon EC2 instances, NAT Gateways, and Elastic Load Balancers
- Amazon RDS
- Amazon CloudFront
- Amazon Aurora
- Amazon API Gateways
- AWS Lambda and Lambda Edge functions
- Amazon Lightsail resources
- Amazon Elastic Beanstalk environments
Which of the following should you use if you need to provide temporary AWS credentials for users who have been authenticated via their social media logins as well as for guest users who do not require any authentication?
Amazon Cognito User Pool
Amazon Cognito Sync
Amazon Cognito Identity Pool
AWS Single Sign-On
Amazon Cognito Identity Pool
Which is a machine learning-powered security service that discovers, classifies, and protects sensitive data such as personally identifiable information (PII) or intellectual property?
Amazon Rekognition
Amazon GuardDuty
Amazon Macie
Amazon Cognito
Amazon Macie
There is an incident in your team where an S3 object was deleted by an account without the owner's knowledge. What can be done to prevent unauthorized deletion of your S3 objects?
Set up stricter IAM policies that will prevent users from deleting S3 objects
Create access control policies so that only you can perform S3-related actions
Configure MFA (Multi-Factor Authentication) delete on the S3 bucket
Set your S3 buckets to private so that objects are not publicly readable/writable
Configure MFA (Multi-Factor Authentication) delete on the S3 bucket
Which of the following is typically used to secure your VPC subnets?
Security Group
AWS IAM
AWS Config
Network ACL
Network ACL
What is the most secure way to provide applications temporary access to your AWS resources?
Create an IAM user with access keys and assign it to the application
Create an IAM group that has access to the resources, and add the application there
Create an IAM role and have the application assume the role
Create an IAM policy that allows the application to access the resources, and attach the policy to the application
Create an IAM role and have the application assume the role
A role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session.
Which of the following policies grant the necessary permissions required to access your Amazon S3 resources? (Select TWO.)
Routing policies
Network access control policies
Bucket policies
User policies
Object policies
Bucket policies
User policies
Which of the following security group rules are valid? (Select TWO.)
Inbound TCP rule with instance ID as source
Inbound HTTP rule with security group ID as source
Outbound HTTPS rule with hostname as destination
Outbound MYSQL rule with IP address as source
Inbound RDP rule with an address range as source
Inbound HTTP rule with security group ID as source
Inbound RDP rule with an address range as source
A customer has recently experienced an SQL injection attack on their web application’s database hosted in EC2. They submitted a complaint ticket to AWS. What should be the response from AWS?
AWS should secure their infrastructure better to reduce these kinds of incidents.
AWS and the customer should contact a third party auditor to verify the incident.
AWS should not be liable for the damages since the customer should have properly patched the EC2 instance.
AWS should reiterate that the customer is responsible for the security of their applications in the Cloud.
AWS should reiterate that the customer is responsible for the security of their applications in the Cloud.
In the AWS Shared Responsibility Model, whose responsibility is it to patch the host operating system of an Amazon EC2 instance?
Neither AWS nor the customer
AWS
Customer
Both AWS and the customer
AWS
As an AWS customer, what offering do you naturally inherit from AWS after you sign up?
All the hardware and software that you provision in the AWS cloud
All the best practices of AWS policies, architecture, and operational processes built to satisfy your requirements
All the data you store in and retrieve from AWS
All the responsibilities in enforcing security and compliance policies of your organization
All the best practices of AWS policies, architecture, and operational processes built to satisfy your requirements
In which of the following cases is it better to use IAM roles rather than IAM users? (Select TWO.)
When you have outside entities that need to perform specific actions in your AWS account
If you have employees who will constantly need access to your AWS resources
When you want to provide AWS services permissions to do certain actions
When you need an administrator to handle the AWS account for you
When you need a GUI to interact with your AWS environment
When you have outside entities that need to perform specific actions in your AWS account
When you want to provide AWS services permissions to do certain actions