
Extinction Agenda Book 1 Chapter 3
65 questions • 1 year ago
  • critical flaw

    Question list

  • 1

    A company has moved its business critical data to Amazon Elastic File System (Amazon EFS) which will be accessed by multiple Amazon EC2 instances. As an AWS Certified Solutions Architect - Associate, which of the following would you recommend to exercise access control such that only the permitted Amazon EC2 instances can read from the Amazon EFS file system? (Select two)

    Use an IAM policy to control access for clients who can mount your file system with the required permissions, Use VPC security groups to control the network traffic to and from your file system

  • 2

    A team has around 200 users, each with an IAM user account in AWS. Currently, they all have read access to an Amazon S3 bucket. The team wants 50 of them to have read and write access to the bucket. How can you provide these users access in the least possible time, with minimal changes?

    Create a group, attach the policy to the group and place the users in the group

  • 3

    The engineering team at a multi-national company uses AWS Firewall Manager to centrally configure and manage firewall rules across its accounts and applications using AWS Organizations. Which of the following AWS resources can the AWS Firewall Manager configure rules on? (Select three)

    AWS Shield Advanced, VPC Security Groups, AWS Web Application Firewall (AWS WAF)

  • 4

    During a review, a security team has flagged concerns over an Amazon EC2 instance querying IP addresses used for cryptocurrency mining. The Amazon EC2 instance does not host any authorized application related to cryptocurrency mining. Which AWS service can be used to protect the Amazon EC2 instances from such unauthorized behavior in the future?

    Amazon GuardDuty

  • 5

    A healthcare company wants to run its applications on single-tenant hardware to meet compliance guidelines. Which of the following is the MOST cost-effective way of isolating the Amazon EC2 instances to a single tenant?

    Dedicated Instances

  • 6

    A development team wants to ensure that all objects uploaded to an Amazon S3 bucket are encrypted. Which of the following options represents the correct solution?

    Configure the bucket policy to deny if the PutObject does not have an x-amz-server-side-encryption header set
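    As an added example (not part of the quiz), here is the bucket-policy pattern that answer refers to, written as a Python dict, together with a toy evaluator for the condition operators it uses so the deny behaviour can be checked offline. The bucket name is hypothetical. The evaluator models only Null, StringEquals and StringNotEquals, and treats a key missing from the request context as a non-match for the string operators; that is the reason the documented pattern carries a separate Null statement for the "header absent" case.

```python
"""Bucket-policy pattern that denies PutObject without server-side encryption,
plus a toy evaluator for the condition operators it uses.

Added example, not part of the quiz. The bucket name is hypothetical.
"""
import json
from typing import Dict, Optional

BUCKET = "example-contracts-bucket"  # hypothetical
SSE_KEY = "s3:x-amz-server-side-encryption"  # condition key S3 derives from the header

DENY_UNENCRYPTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # 1) header absent -> deny
            "Sid": "DenyPutWithoutSSEHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"Null": {SSE_KEY: "true"}},
        },
        {   # 2) header present but not an accepted value -> deny
            "Sid": "DenyPutWithWrongSSEValue",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"StringNotEquals": {SSE_KEY: ["AES256", "aws:kms"]}},
        },
    ],
}


def policy_document() -> str:
    """The policy as the JSON string you would pass to put-bucket-policy."""
    return json.dumps(DENY_UNENCRYPTED_POLICY, indent=2)


def _condition_matches(condition: dict, context: Dict[str, str]) -> bool:
    """Evaluate the three operators used above. Operator blocks are ANDed,
    keys within a block are ANDed, listed values are ORed.
    Toy assumption: a key missing from the request context never matches
    StringEquals/StringNotEquals; only Null inspects presence. That is
    exactly why the pattern carries a separate Null statement."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            values = expected if isinstance(expected, list) else [expected]
            present = key in context
            if operator == "Null":
                want_absent = str(values[0]).lower() == "true"
                if present == want_absent:
                    return False
            elif operator == "StringEquals":
                if not present or context[key] not in values:
                    return False
            elif operator == "StringNotEquals":
                if not present or context[key] in values:
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def put_object_denied(policy: dict, headers: Dict[str, str]) -> Optional[str]:
    """Sid of the first Deny statement matching a PutObject whose request
    headers are given, or None when no Deny applies. Only Deny statements
    for s3:PutObject are considered; in real IAM an explicit Deny always
    wins over any Allow, so a returned Sid means the upload is rejected."""
    context: Dict[str, str] = {}
    if "x-amz-server-side-encryption" in headers:
        context[SSE_KEY] = headers["x-amz-server-side-encryption"]
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Deny" or "s3:PutObject" not in actions:
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return stmt["Sid"]
    return None


if __name__ == "__main__":
    print(policy_document())
    for hdrs in ({}, {"x-amz-server-side-encryption": "AES256"},
                 {"x-amz-server-side-encryption": "bogus"}):
        print(hdrs, "->", put_object_denied(DENY_UNENCRYPTED_POLICY, hdrs) or "allowed by this policy")
```

    Since January 2023 S3 applies SSE-S3 default encryption to every new object, so the main remaining job of a policy like this is pinning the key type (for example allowing only aws:kms). The client still has to send the header, or the upload is rejected by the first statement.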

  • 7

    A company needs an Active Directory service to run directory-aware workloads in the AWS Cloud and it should also support configuring a trust relationship with any existing on-premises Microsoft Active Directory. Which AWS Directory Service is the best fit for this requirement?

    AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD)

  • 8

    A company helps its customers legally sign highly confidential contracts. To meet the strong industry requirements, the company must ensure that the signed contracts are encrypted using the company's proprietary algorithm. The company is now migrating to AWS Cloud using Amazon Simple Storage Service (Amazon S3) and would like you, the solution architect, to advise them on the encryption scheme to adopt. What do you recommend?

    Client Side Encryption

  • 9

    When it comes to security groups within a custom VPC, which of the following statements are correct? (Choose two.)

    Updates to security groups are applied immediately., Security groups are stateful.

  • 10

    You are defining appropriate security options for S3 buckets in AWS. As part of the process, you must identify the default access restrictions on S3 buckets. Which one of the following best describes the default access restrictions in place on S3 buckets?

    Only bucket and object owners have access to the resources they create

  • 11

    You are concerned about maintaining security patches on the 103 AWS EC2 instances that you run. All instances run Windows, Ubuntu Server, or Red Hat Enterprise Linux. What AWS service can assist you in properly and automatically patching these instances?

    AWS Systems Manager Patch Manager

  • 12

    You are working with roles. When changes are made to roles, when do they take effect?

    Immediately

  • 13

    You are planning VPC deployments. What is the maximum number of subnets that can be created in a VPC?

    200 (the default per-VPC quota; it can be raised through Service Quotas)

  • 14

    You are designing a password policy for IAM users. Which one of the following cannot be configured for password policies in the AWS Console?

    Prevent passwords including the user’s last name

  • 15

    What should the last rule be in a NACL that allows three protocols and disallows everything else?

    All traffic/Deny

  • 16

    You have three Elastic Network Interfaces (ENIs). They are attached to three instances. You need an ENI for another instance and one of the instances currently using an ENI no longer needs it. What is the best action to take?

    Move the ENI from the instance no longer needing it to the instance requiring it

  • 17

    You successfully configure VPC peering between VPC-A and VPC-B. You then establish an IGW and a Direct Connect connection in VPC-B. Can instances in VPC-A connect to your corporate office via the Direct Connect service as well as connect to the Internet via the IGW?

    No, VPC peering does not support edge-to-edge routing.

  • 18

    You are running and hosting a web application in AWS. The web server is hosted in an EC2 server in the public subnet, and it is using the Oracle database in RDS in a private subnet. All the users must use SSL to connect to the web server, and only the web server should be able to connect to the database server. Which of the following actions satisfy this condition? (Choose two.)

    Create a security group for the database server. The security group should allow traffic on TCP port 1521 from the web server security group., Create a security group for the web server. The security group should allow inbound HTTPS traffic on port 443 from 0.0.0.0/0 (anywhere).

  • 19

    You are a solutions architect working for an oil and gas company that’s moving its production environment to AWS and needs a custom VPC in which to put it. You have been asked to create a public subnet. You create the VPC with a subnet bearing the CIDR address range 10.0.1.0/24. Which of the following steps should you take to make this subnet public? (Choose two.)

    Attach an Internet Gateway (IGW) to the VPC., Create a route in the route table of the subnet allowing a route out of the Internet Gateway (IGW).

  • 20

    In which of the following services can you have root-level access to the operating system? (Choose two.)

    Amazon EMR, Amazon EC2

  • 21

    When considering NACLs and security groups, what is evaluated first when a packet is inbound to an EC2 instance?

    NACL then security group

  • 22

    You are considering the use of encryption for an EBS volume. When should the encryption be applied?

    At the time the EBS volume is created

  • 23

    You want to limit who can modify a NACL that is associated with a subnet. What can you use?

    IAM

  • 24

    You are implementing a web hosting architecture in AWS. Three EC2 instances are in use. The first is a web server, the second an application server, and the third is a database server. The web server communicates with the application server, but not with the database server. The application server communicates with the database server and the web server. Outside users may access the web server directly, but they cannot access the other servers. What kind of secure architecture are you implementing?

    A multi-tier secure architecture

  • 25

    You are planning VPCs and want to document their functionality. How many Availability Zones within a region does a single VPC span?

    All of them

  • 26

    You are in the process of deploying an application in an EC2 instance. The application must call AWS APIs. What is the most secure way of passing credentials to the application?

    Assign IAM roles to the EC2 instance.

  • 27

    You are working with roles. How many roles can be assigned to an instance?

    1

  • 28

    To establish a successful site-to-site VPN connection from your on-premises network to an AWS virtual private cloud, which of the following must be configured? (Choose three.)

    An on-premises customer gateway, A virtual private gateway, A VPC with hardware VPN access

  • 29

    What login has the ability to cancel an AWS subscription?

    Root login

  • 30

    What is a security best practice that should be implemented for the root login immediately after creating an AWS account?

    Enable MFA

  • 31

    Within AWS, to what are security groups applied?

    Network interfaces

  • 32

    Which of the following statements are true regarding SAML-enabled single sign-on? (Choose two.)

    The portal first verifies the user's identity in the organization and then generates a SAML authentication response., After the client browser posts the SAML assertion, AWS sends the sign-in URL as a redirect and then the client browser is redirected to the Console.

  • 33

    Your server logs are full of what appear to be application-layer attacks, so you deploy AWS Web Application Firewall. Which of the following conditions can you set when configuring AWS WAF? (Choose three.)

    String match conditions, Size constraint conditions, IP match conditions

  • 34

    What is the default rule that exists in security groups?

    Allow all outbound traffic

  • 35

    What IAM account is accessed using an e-mail address and has unlimited permissions within AWS?

    Root user

  • 36

    You are a solutions architect working for a large antivirus company and your job is to secure your company’s production AWS environment. A new policy dictates that a particular public-facing subnet needs to allow RDP on port 3389 at the network ACL layer. You create an inbound rule allowing traffic to port 3389 on the ACL level. However, users complain that they still cannot connect. Which of the following answers may represent the root cause of the connectivity issues? (Choose two.)

    You need to create an outbound rule allowing RDP response traffic to go back out again., Network access control lists are stateless.

  • 37

    To audit the API calls made to your account, which AWS service would you use?

    AWS CloudTrail

  • 38

    What should be implemented to ensure security when using AWS Access Keys?

    Key Rotation

  • 39

    A client is concerned that someone other than approved administrators is trying to gain access to the Linux web app instances in their VPC. The client asks what sort of network access logging can be added. Which of the following might you recommend? (Choose two.)

    Make use of an OS-level logging tool such as iptables and log events to CloudWatch or S3., Set up a Flow Log for the group of instances and forward them to CloudWatch.
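    As an added example (not from the quiz), here is a check of the kind the second answer enables: VPC Flow Log records in the default format, as delivered to CloudWatch Logs, scanned for repeated REJECTed connections to SSH or RDP on the instances. The records below are constructed sample data; the account id, ENI id and addresses are hypothetical. Flow logs are created per VPC, subnet or network interface rather than per "group of instances", so in practice you would enable them on the subnet holding the web-app instances.

```python
"""Scan VPC Flow Log records (default format) for repeated rejected
connection attempts to admin ports on the web-app instances.

Added example, not from the quiz. The log lines below are constructed
sample data; the ENI id, account id and addresses are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Default flow log record layout (version 2), space separated.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

ADMIN_PORTS = {22, 3389}   # SSH and RDP
TCP = 6


@dataclass
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    action: str
    start: int


def parse_record(line: str) -> Optional[FlowRecord]:
    """Parse one default-format record. Returns None for NODATA/SKIPDATA
    records, whose traffic fields are '-' rather than values."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    return FlowRecord(
        interface_id=rec["interface_id"],
        srcaddr=rec["srcaddr"],
        dstaddr=rec["dstaddr"],
        srcport=int(rec["srcport"]),
        dstport=int(rec["dstport"]),
        protocol=int(rec["protocol"]),
        action=rec["action"],
        start=int(rec["start"]),
    )


def rejected_admin_attempts(lines: List[str]) -> Dict[str, int]:
    """Count REJECTed TCP flows to SSH/RDP per source address.
    Only inbound flows are counted: dstport is an admin port and the
    source port is an ephemeral port (>= 1024), so the instance's own
    replies from port 22 are not mistaken for attempts."""
    counts: Dict[str, int] = defaultdict(int)
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec.action != "REJECT" or rec.protocol != TCP:
            continue
        if rec.dstport in ADMIN_PORTS and rec.srcport >= 1024:
            counts[rec.srcaddr] += 1
    return dict(counts)


def suspicious_sources(lines: List[str], threshold: int = 3) -> List[str]:
    """Sources with at least `threshold` rejected admin-port attempts,
    most active first."""
    counts = rejected_admin_attempts(lines)
    return [src for src, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
            if n >= threshold]


# Constructed sample records for one ENI on a web-app instance (hypothetical ids).
SAMPLE_LOG = [
    "2 123456789012 eni-0a1b2c3d4e5f60718 203.0.113.9 10.0.1.25 51042 22 6 1 60 1700000000 1700000059 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60718 203.0.113.9 10.0.1.25 51043 22 6 1 60 1700000001 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60718 203.0.113.9 10.0.1.25 51044 22 6 1 60 1700000002 1700000061 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60718 203.0.113.9 10.0.1.25 51045 3389 6 1 60 1700000003 1700000062 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.25 40010 22 6 12 2300 1700000010 1700000070 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.25 40011 22 6 1 60 1700000020 1700000079 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.25 198.51.100.7 22 40010 6 10 1800 1700000010 1700000070 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60718 192.0.2.44 10.0.1.25 33333 443 6 5 400 1700000030 1700000090 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60718 - - - - - - - 1700000100 1700000160 - NODATA",
]

if __name__ == "__main__":
    counts = rejected_admin_attempts(SAMPLE_LOG)
    for src in suspicious_sources(SAMPLE_LOG):
        print(f"{src}: {counts[src]} rejected admin-port attempts")
```

    A REJECT in a flow log means the security group or NACL dropped the packet, so this only sees attempts that were already blocked; the OS-level logs in the first answer (sshd auth logs, iptables LOG targets) are what show attempts that reached the daemon.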

  • 40

    When creating NACLs within AWS, why is the rule order so important?

    Because the first matching rule applies

  • 41

    How should you enforce the use of an 8-character password for all AWS logins?

    Through a password policy

  • 42

    What authentication method can be used for programmatic or CLI-based access that avoids the use of usernames and passwords?

    Access Key ID/Secret Access Key

  • 43

    You are a solutions architect with a manufacturing company running several legacy applications. One of these applications needs to communicate with services that are currently hosted on premises. The people who wrote this application have left the company, and there is no documentation describing how the application works. You need to ensure that this application can be hosted in a non-default VPC but remains able to communicate with the back-end services hosted on premises. Which of the following options will allow the application to communicate back to the on-premises equipment without the need to reprogram the application? (Choose two.)

    You should configure the VPC subnet in which the application sits so that it does not have an IP address range that conflicts with that of the on-premises VLAN in which the back-end services sit., You should configure an AWS Direct Connect link between the VPC and the site with the on-premises solution.

  • 44

    Even if all best practices are being followed in IAM administration, what can present vulnerabilities related to your EC2 instances?

    OS security issues within the instances

  • 45

    What is the default rule in a NACL created within AWS?

    Allow all traffic in and out (this is the default NACL that comes with a VPC; a custom NACL you create yourself starts with only the implicit deny-all rule)

  • 46

    What common security standard is IAM in compliance with that allows for credit card data to be processed?

    PCI-DSS

  • 47

    What is the model used within AWS wherein AWS guarantees the secure operation of the cloud and the customer ensures the security of that which is placed in the cloud?

    Shared Responsibility

  • 48

    You have implemented a NACL and notice that return traffic from an internal request is not allowed. Why is this happening?

    NACLs are stateless
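    The rule-ordering and statelessness points in questions 15, 21, 36, 40, 45 and 48 can be seen in one place with this added toy model (not part of the quiz) of how a packet passes the subnet NACL and then the instance security group. Rule numbers, CIDRs and ports are hypothetical, and the model covers only what those questions discuss: an ordered first-match NACL with an implicit trailing deny, and an allow-only stateful security group.

```python
"""Toy model of AWS packet filtering: subnet NACL first, then the
instance's security group. Added example, not part of the quiz;
rule numbers, CIDRs and ports below are hypothetical."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple

TCP = "tcp"
EPHEMERAL = (1024, 65535)  # range a client picks its source port from


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    number: int                     # NACL rules are evaluated in ascending order
    action: str                     # "allow" or "deny" (security groups: allow only)
    proto: str                      # "tcp", "udp", "icmp" or "all"
    cidr: str                       # source for inbound rules, destination for outbound
    ports: Tuple[int, int] = (0, 65535)

    def matches(self, addr: str, proto: str, port: int) -> bool:
        return (self.proto in ("all", proto)
                and ip_address(addr) in ip_network(self.cidr)
                and self.ports[0] <= port <= self.ports[1])


@dataclass
class NetworkAcl:
    """Stateless: inbound and outbound are evaluated independently."""
    inbound: List[Rule]
    outbound: List[Rule]

    @staticmethod
    def evaluate(rules: List[Rule], addr: str, proto: str, port: int) -> str:
        for rule in sorted(rules, key=lambda r: r.number):  # lowest number first
            if rule.matches(addr, proto, port):
                return rule.action                          # first match wins
        return "deny"                                       # the implicit '*' rule

    def allows_inbound(self, p: Packet) -> bool:
        return self.evaluate(self.inbound, p.src, p.proto, p.dport) == "allow"

    def allows_outbound(self, p: Packet) -> bool:
        return self.evaluate(self.outbound, p.dst, p.proto, p.dport) == "allow"


@dataclass
class SecurityGroup:
    """Stateful, allow rules only; the default outbound rule allows everything."""
    inbound: List[Rule]
    outbound: List[Rule] = field(default_factory=lambda: [Rule(0, "allow", "all", "0.0.0.0/0")])
    tracked: Set[Tuple[str, str, str, int, int]] = field(default_factory=set)

    def allows(self, p: Packet, direction: str) -> bool:
        if (p.dst, p.src, p.proto, p.dport, p.sport) in self.tracked:
            return True                                     # reply to an allowed flow
        rules, addr = (self.inbound, p.src) if direction == "in" else (self.outbound, p.dst)
        if any(r.matches(addr, p.proto, p.dport) for r in rules):
            self.tracked.add((p.src, p.dst, p.proto, p.sport, p.dport))
            return True
        return False


def deliver(nacl: NetworkAcl, sg: SecurityGroup, p: Packet) -> bool:
    """Inbound: NACL at the subnet edge, then the security group at the ENI."""
    return nacl.allows_inbound(p) and sg.allows(p, "in")


def reply(nacl: NetworkAcl, sg: SecurityGroup, p: Packet) -> bool:
    """Outbound reply: security group (stateful, passes) then NACL outbound
    rules (stateless, so the ephemeral range must be allowed explicitly)."""
    return sg.allows(p, "out") and nacl.allows_outbound(p)


def rdp_scenario(ephemeral_outbound_rule: bool) -> Tuple[bool, bool]:
    """(request delivered, reply delivered) for RDP from 203.0.113.10 to
    10.0.1.20 through a NACL that allows 3389 inbound and optionally the
    ephemeral port range outbound. Hypothetical addresses."""
    outbound = [Rule(100, "allow", TCP, "0.0.0.0/0", EPHEMERAL)] if ephemeral_outbound_rule else []
    nacl = NetworkAcl(inbound=[Rule(100, "allow", TCP, "0.0.0.0/0", (3389, 3389))],
                      outbound=outbound)
    sg = SecurityGroup(inbound=[Rule(0, "allow", TCP, "203.0.113.0/24", (3389, 3389))])
    syn = Packet("203.0.113.10", "10.0.1.20", TCP, 50123, 3389)
    syn_ack = Packet("10.0.1.20", "203.0.113.10", TCP, 3389, 50123)
    return deliver(nacl, sg, syn), reply(nacl, sg, syn_ack)


if __name__ == "__main__":
    print("without ephemeral outbound rule:", rdp_scenario(False))  # (True, False)
    print("with ephemeral outbound rule:   ", rdp_scenario(True))   # (True, True)
```

    The RDP scenario reproduces question 36: the SYN gets through, the security group remembers the flow and lets the SYN-ACK out, but the NACL has no memory, so the reply on the client's ephemeral port is dropped until an outbound rule for 1024-65535 is added.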

  • 49

    When you’re editing permissions (policies and ACLs), to whom does the concept of the “owner” refer?

    “Owner” refers to the identity and e-mail address used to create the AWS account.

  • 50

    Which one of the following is controlled by a security group attached to an instance?

    Inbound traffic

  • 51

    What AWS tool can be used to provide automatic recommendations for improvements in your AWS account security configuration?

    Trusted Advisor

  • 52

    Which instance type runs on hardware allocated to a single customer?

    Dedicated instance

  • 53

    Your company has a policy of encrypting all data at rest. You host your production environment on EC2 in a non-default VPC. Attached to your EC2 instances are multiple EBS volumes, and you must ensure this data is encrypted. Which of the following options will allow you to do this? (Choose three.)

    Use third-party volume encryption tools., Encrypt the data using native encryption tools available in the operating system., Encrypt the data inside your application, before storing it on EBS. (EBS also offers native volume encryption with AWS KMS keys, which is the usual choice today; the three options above are the ones this question expects.)

  • 54

    When copying an AMI, you must manually copy which of the following types of information to the new instance? (Choose three.)

    Launch permissions, S3 bucket permissions, User-defined tags

  • 55

    What is the default maximum number of VPCs that can be created in a region?

    5 (the default per-Region quota; it can be raised through Service Quotas)

  • 56

    In addition to inbound and outbound rules, what type of rule does a security group allow?

    Allow rules only (security groups have no deny rules; traffic not explicitly allowed is dropped)

  • 57

    What can be used to assign permissions to more than one user login without having to modify each login individually?

    Groups

  • 58

    You are a solutions architect working for a construction company. Your company is migrating its production estate to AWS, and you are in the process of setting up access to the AWS console using Identity Access Management (IAM). You have created 15 users for your system administrators. What further steps do you need to take to enable your system administrators to get access to the AWS console in a secure fashion? (Choose two.)

    Have each user set up multifactor authentication once they have logged in to the console., Generate a password for each user and give these passwords to your system administrators.

  • 59

    You have several Windows and Linux instances within a single subnet in a VPC. You want to ensure that no inbound traffic can reach the Windows instances. What is the best option?

    Security Groups

  • 60

    Your security manager has hired a security contractor to audit your firewall implementation. When the consultant asks for the login details for the firewall appliance, which of the following might you do? (Choose two.)

    Explain that AWS implements network security differently and that there is no such thing as a firewall appliance. Create an IAM user with a policy that can read Security Group and Route settings., Tell him the details of the web application firewall.

  • 61

    What is used to control network traffic at the subnet level in AWS?

    Network ACLs (NACLs)

  • 62

    How is the public IP address managed in an instance session via the instance GUI/RDP or Terminal/SSH session?

    The public IP address is not managed on the instance; instead, it is an alias applied as a network address translation of the private IP address.

  • 63

    What can be used to provide temporary access to perform a specific function within AWS and that will automatically expire without further action?

    Role

  • 64

    What is the maximum number of security groups that can be assigned to an instance?

    5 per network interface by default (an adjustable quota; up to 16)

  • 65

    When using an encrypted EBS volume, what type of data is encrypted automatically? (Choose the single best answer.)

    All data stored on the volume


    問題一覧

  • 1

    A company has moved its business critical data to Amazon Elastic File System (Amazon EFS) which will be accessed by multiple Amazon EC2 instances. As an AWS Certified Solutions Architect - Associate, which of the following would you recommend to exercise access control such that only the permitted Amazon EC2 instances can read from the Amazon EFS file system? (Select two)

    Use an IAM policy to control access for clients who can mount your file system with the required permissions, Use VPC security groups to control the network traffic to and from your file system

  • 2

    A team has around 200 users, each of these having an IAM user account in AWS. Currently, they all have read access to an Amazon S3 bucket. The team wants 50 among them to have write and read access to the buckets. How can you provide these users access in the least possible time, with minimal changes?

    Create a group, attach the policy to the group and place the users in the group

  • 3

    The engineering team at a multi-national company uses AWS Firewall Manager to centrally configure and manage firewall rules across its accounts and applications using AWS Organizations. Which of the following AWS resources can the AWS Firewall Manager configure rules on? (Select three)

    AWS Shield Advanced, VPC Security Groups, AWS Web Application Firewall (AWS WAF)

  • 4

    During a review, a security team has flagged concerns over an Amazon EC2 instance querying IP addresses used for cryptocurrency mining. The Amazon EC2 instance does not host any authorized application related to cryptocurrency mining. Which AWS service can be used to protect the Amazon EC2 instances from such unauthorized behavior in the future?

    Amazon GuardDuty

  • 5

    A healthcare company wants to run its applications on single-tenant hardware to meet compliance guidelines. Which of the following is the MOST cost-effective way of isolating the Amazon EC2 instances to a single tenant?

    Dedicated Instances

  • 6

    A development team wants to ensure that all objects uploaded to an Amazon S3 bucket are encrypted? Which of the following options represents the correct solution?

    Configure the bucket policy to deny if the PutObject does not have an x-amz-server-side-encryption header set

  • 7

    A company needs an Active Directory service to run directory-aware workloads in the AWS Cloud and it should also support configuring a trust relationship with any existing on-premises Microsoft Active Directory. Which AWS Directory Service is the best fit for this requirement?

    AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD)

  • 8

    A company helps its customers legally sign highly confidential contracts. To meet the strong industry requirements, the company must ensure that the signed contracts are encrypted using the company's proprietary algorithm. The company is now migrating to AWS Cloud using Amazon Simple Storage Service (Amazon S3) and would like you, the solution architect, to advise them on the encryption scheme to adopt. What do you recommend?

    Client Side Encryption

  • 9

    When it comes to security groups within a custom VPC, which of the following statements are correct? (Choose two.)

    Updates to security groups are applied immediately., Security groups are stateful.

  • 10

    You are defining appropriate security options for S3 buckets in AWS. As part of the process, you must identify the default access restrictions on S3 buckets. Which one of the following best describes the default access restrictions in place on S3 buckets?

    Only bucket and object owners have access to the resources they create

  • 11

    You are concerned about maintaining security patches on the 103 AWS EC2 instances that you run. All instances run Windows, Ubuntu Server, or Red Hat Enterprise Linux. What AWS service can assist you on properly and automatically patching these instances?

    AWS Systems Manager Patch Manager

  • 12

    You are working with roles. When changes are made to roles, when do they take effect?

    Immediately

  • 13

    You are planning VPC deployments. What is the maximum number of subnets that can be created in a VPC?

    200

  • 14

    You are designing a password policy for IAM users. Which one of the following cannot be configured for password policies in the AWS Console?

    Prevent passwords including the user’s last name

  • 15

    What should the last rule be in a NACL that allows three protocols and disallows everything else?

    All traffic/Deny

  • 16

    You have three Elastic Network Interfaces (ENIs). They are attached to three instances. You need an ENI for another instance and one of the instances currently using an ENI no longer needs it. What is the best action to take?

    Move the ENI from the instance no longer needing it to the instance requiring it

  • 17

    You successfully configure VPC peering between VPC-A and VPC-B. You then establish an IGW and a Direct-Connect connection in VPC-B. Can instances in VPC-A connect to your corporate office via the Direct-Connect service as well as connect to the Internet via the IGW?

    No, VPC peering does not support edge-to-edge routing.

  • 18

    You are running and hosting a web application in AWS. The web server is hosted in an EC2 server in the public subnet, and it is using the Oracle database in RDS in a private subnet. All the users must use SSL to connect to the web server, and only the web server should be able to connect to the database server. Which of the following actions satisfy this condition? (Choose two.)

    Create a security group for the database server. The security group should allow traffic on TCP port 1521 from the web server security group., Create a security group for the web server. The security group should allow inbound HTTPS traffic on port 443 from 0.0.0.0/0 (anywhere).

  • 19

    You are a solutions architect working for an oil and gas company that’s moving its production environment to AWS and needs a custom VPC in which to put it. You have been asked to create a public subnet. You create the VPC with a subnet bearing the CIDR address range 10.0.1.0/24. Which of the following steps should you take to make this subnet public? (Choose two.)

    Attach an Internet Gateway (IGW) to the VPC., Create a route in the route table of the subnet allowing a route out of the Internet Gateway (IGW).

  • 20

    In which of the following services can you have root-level access to the operating system? (Choose two.)

    Amazon EMR, Amazon EC2

  • 21

    When considering NACLs and security groups, what is evaluated first when a packet is inbound to an EC2 instance?

    NACL then security group

  • 22

    You are considering the use of encryption for an EBS volume. When should the encryption be applied?

    At the time the EBS volume is created

  • 23

    You want to limit who can modify a NACL that is associated with a subnet. What can you use?

    IAM

  • 24

    You are implementing a web hosting architecture in AWS. Three EC2 instances are in use. The first is a web server, the second an application server, and the third is a database server. The web server communicates with the application server, but not with the database server. The application server communicates with the database server and the web server. Outside uses may access the web server directly, but they cannot access other servers. What kind of secure architecture are you implementing?

    A multi-tier secure architecture

  • 25

    You are planning VPCs and want to document their functionality. How many Availability Zones within a region does a single VPC span?

    All of them

  • 26

    You are in the process of deploying an application in an EC2 instance. The application must call AWS APIs. What is the secured way of passing credentials to the application?

    Assign IAM roles to the EC2 instance.

  • 27

    You are working with roles. How many roles can be assigned to an instance?

    1

  • 28

    To establish a successful site-to-site VPN connection from your on-premises network to an AWS virtual private cloud, which of the following must be configured? (Choose three.)

    An on-premises customer gateway, A virtual private gateway, A VPC with hardware VPN access

  • 29

    What login has the ability to cancel an AWS subscription?

    Root login

  • 30

    What is a security best practice that should be implemented for the root login immediately after creating an AWS account?

    Enable MFA

  • 31

    To what are security groups applied within an AWS IAM managed solution?

    Network interfaces

  • 32

    Which of the following statements are true regarding SAML-enabled single sign-on? (Choose two.)

    The portal first verifies the user's identity in the organization and then generates a SAML authentication response., After the client browser posts the SAML assertion, AWS sends the sign-in URL as a redirect and then the client browser is redirected to the Console.

  • 33

    Your server logs are full of what appear to be application-layer attacks, so you deploy AWS Web Application Firewall. Which of the following conditions can you set when configuring AWS WAF? (Choose three.)

    String match conditions, Size constraint conditions, IP match conditions

  • 34

    What is the default rule that exists in security groups?

    Allow all outbound traffic

  • 35

    What IAM account is accessed using an e-mail address and has unlimited permissions within AWS?

    Root user

  • 36

    You are a solutions architect working for a large antivirus company and your job is to secure your company’s production AWS environment. A new policy dictates that a particular public-facing subnet needs to allow RDP on port 3389 at the network ACL layer. You create an inbound rule allowing traffic to port 3389 on the ACL level. However, users complain that they still cannot connect. Which of the following answers may represent the root cause of the connectivity issues? (Choose two.)

    You need to create an outbound rule allowing RDP response traffic to go back out again., Network access control lists are stateless.

  • 37

    To audit the API calls made to your account, which AWS service would you use?

    AWS CloudTrail

  • 38

    What should be implemented to ensure security when using AWS Access Keys?

    Key Rotation

  • 39

    A client is concerned that someone other than approved administrators is trying to gain access to the Linux web app instances in their VPC. The client asks what sort of network access logging can be added. Which of the following might you recommend? (Choose two.)

    Make use of an OS-level logging tool such as iptables and log events to CloudWatch or S3., Set up a Flow Log for the group of instances and forward them to CloudWatch.

  • 40

    When creating NACLs within AWS, why is the rule order so important?

    Because the first matching rule applies

  • 41

    How should you enforce the use of an 8-character password for all AWS logins?

    Through a password policy

  • 42

    What authentication method can be used for programmatic or CLI-based access that avoids the use of usernames and passwords?

    Access Key ID/Secret Access Key

  • 43

    You are a solutions architect with a manufacturing company running several legacy applications. One of these applications needs to communicate with services that are currently hosted on premises. The people who wrote this application have left the company, and there is no documentation describing how the application works. You need to ensure that this application can be hosted in a non-default VPC but remains able to communicate with the back-end services hosted on premises. Which of the following options will allow the application to communicate back to the on-premises equipment without the need to reprogram the application? (Choose two.)

    You should configure the VPC subnet in which the application sits so that it does not have an IP address range that conflicts with that of the on-premises VLAN in which the back-end services sit., You should configure an AWS Direct Connect link between the VPC and the site with the on-premises solution.

  • 44

    Even if all best practices are being followed in IAM administration, what can present vulnerabilities related to your EC2 instances?

    OS security issues within the instances

  • 45

    What is the default rule in the default NACL that AWS creates with a VPC?

    Allow all traffic in and out (a custom NACL that you create yourself starts with no rules and therefore denies all traffic in both directions until you add allow rules)

  • 46

    What common security standard is IAM in compliance with that allows for credit card data to be processed?

    PCI-DSS

  • 47

    What is the model used within AWS wherein AWS guarantees the secure operation of the cloud and the customer ensures the security of that which is placed in the cloud?

    Shared Responsibility

  • 48

    You have implemented a NACL and notice that return traffic from an internal request is not allowed. Why is this happening?

    NACLs are stateless
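Questions 36, 40, 45 and 48 all rest on two properties of network ACLs: rules are evaluated in ascending rule-number order and the first match wins, and the ACL keeps no connection state, so a reply leaving the subnet is judged purely against the outbound rules. The simulator below is an added example written for this page, not AWS code. Its rule sets, addresses and ports are constructed to reproduce the RDP scenario from question 36; the 32767 rule number for the implicit "*" deny matches the AWS console.

```python
"""Simulate VPC network ACL evaluation: ordered first-match, stateless (added example)."""
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Rule:
    number: int       # evaluated lowest first; 32767 is the implicit "*" rule
    protocol: str     # "tcp", "udp", "icmp" or "-1" for all
    port_from: int
    port_to: int
    cidr: str
    action: str       # "allow" or "deny"

@dataclass(frozen=True)
class Packet:
    protocol: str
    remote_ip: str    # source for inbound packets, destination for outbound packets
    port: int         # destination port of the packet

STAR = Rule(32767, "-1", 0, 65535, "0.0.0.0/0", "deny")   # catch-all deny at the end of every NACL

def matches(rule, pkt):
    if rule.protocol not in ("-1", pkt.protocol):
        return False
    if not (rule.port_from <= pkt.port <= rule.port_to):
        return False
    return ipaddress.ip_address(pkt.remote_ip) in ipaddress.ip_network(rule.cidr)

def evaluate(rules, pkt):
    """Return (action, rule_number) of the first matching rule in ascending order."""
    for rule in sorted(rules + [STAR], key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.action, rule.number
    return "deny", STAR.number   # not reachable: STAR matches everything

# Constructed rule sets for the question-36 scenario.
INBOUND_Q36 = [Rule(100, "tcp", 3389, 3389, "0.0.0.0/0", "allow")]
OUTBOUND_BROKEN = [Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]      # no ephemeral-port rule
OUTBOUND_FIXED = OUTBOUND_BROKEN + [Rule(110, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]

def rdp_session(outbound_rules, client_ip="203.0.113.10", client_port=49152):
    """Return (inbound decision, outbound decision) for one RDP handshake."""
    syn = Packet("tcp", client_ip, 3389)              # client -> instance, dst port 3389
    syn_ack = Packet("tcp", client_ip, client_port)   # instance -> client's ephemeral port
    return evaluate(INBOUND_Q36, syn)[0], evaluate(outbound_rules, syn_ack)[0]

def rule_order_demo(client_ip):
    """Same two rules, two numberings: the deny only bites when it is numbered first."""
    ordered = [Rule(100, "tcp", 3389, 3389, "203.0.113.0/24", "deny"),
               Rule(200, "tcp", 3389, 3389, "0.0.0.0/0", "allow")]
    swapped = [Rule(100, "tcp", 3389, 3389, "0.0.0.0/0", "allow"),
               Rule(200, "tcp", 3389, 3389, "203.0.113.0/24", "deny")]
    pkt = Packet("tcp", client_ip, 3389)
    return evaluate(ordered, pkt), evaluate(swapped, pkt)

if __name__ == "__main__":
    print("ephemeral rule missing:", rdp_session(OUTBOUND_BROKEN))   # ('allow', 'deny')
    print("ephemeral rule added:  ", rdp_session(OUTBOUND_FIXED))    # ('allow', 'allow')
    print("rule order, blocked client:", rule_order_demo("203.0.113.10"))
    print("empty custom NACL:", evaluate([], Packet("tcp", "198.51.100.5", 80)))
```

The empty-rule-set case is the custom NACL from question 45: with no rules of your own, only the "*" entry exists and everything is denied, which is the opposite of the VPC's default NACL.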

  • 49

    When you’re editing permissions (policies and ACLs), to whom does the concept of the “owner” refer?

    “Owner” refers to the identity and e-mail address used to create the AWS account.

  • 50

    Which one of the following is controlled by a security group attached to an instance?

    Inbound traffic

  • 51

    What AWS tool can be used to provide automatic recommendations for improvements in your AWS account security configuration?

    Trusted Advisor

  • 52

    Which instance type runs on hardware allocated to a single customer?

    Dedicated instance

  • 53

    Your company has a policy of encrypting all data at rest. You host your production environment on EC2 in a non-default VPC. Attached to your EC2 instances are multiple EBS volumes, and you must ensure this data is encrypted. Which of the following options will allow you to do this? (Choose three.)

    Use third-party volume encryption tools., Encrypt the data using native encryption tools available in the operating system., Encrypt the data inside your application, before storing it on EBS.

  • 54

    When copying an AMI, you must manually copy which of the following types of information to the new instance? (Choose three.)

    Launch permissions, S3 bucket permissions, User-defined tags

  • 55

    What is the default maximum number of VPCs that can be created in a region?

    5 (the default per-Region quota; it can be raised on request)

  • 56

    In addition to inbound and outbound rules, what type of rule does a security group allow?

    Allow rules

  • 57

    What can be used to assign permissions to more than one user login without having to modify each login individually?

    Groups

  • 58

    You are a solutions architect working for a construction company. Your company is migrating its production estate to AWS, and you are in the process of setting up access to the AWS console using Identity and Access Management (IAM). You have created 15 users for your system administrators. What further steps do you need to take to enable your system administrators to get access to the AWS console in a secure fashion? (Choose two.)

    Have each user set up multifactor authentication once they have logged in to the console., Generate a password for each user and give these passwords to your system administrators.

  • 59

    You have several Windows and Linux instances within a single subnet in a VPC. You want to ensure that no inbound traffic can reach the Windows instances. What is the best option?

    Security Groups
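Questions 50, 56 and 59 hinge on how a security group differs from a NACL: it holds allow rules only, every rule in every attached group is checked and any match permits the traffic, and it is stateful, so the reply to a tracked connection passes without an outbound rule. That last property is also why a security group, not the subnet-wide NACL, is the right tool for question 59, where Windows and Linux instances share one subnet. The model below is an added example written for this page, not AWS code; the groups, addresses and ports are constructed, security-group-to-security-group references are left out, and the default quota of five groups per network interface is modelled as a hard cap.

```python
"""Simulate security-group evaluation on an EC2 network interface (added example)."""
from dataclasses import dataclass
import ipaddress

MAX_GROUPS_PER_INTERFACE = 5   # AWS default quota per network interface (adjustable); hard cap here
ANY = "0.0.0.0/0"

@dataclass(frozen=True)
class SgRule:
    protocol: str   # "tcp", "udp", "icmp" or "-1" for all
    port_from: int
    port_to: int
    cidr: str       # source (inbound) or destination (outbound) range

@dataclass(frozen=True)
class SecurityGroup:
    group_id: str
    inbound: tuple   # SgRule entries; only allow rules exist, there is no deny
    outbound: tuple

@dataclass(frozen=True)
class Flow:
    """One packet seen from the interface's side."""
    protocol: str
    remote_ip: str
    remote_port: int
    local_port: int

def _any_allows(rules, protocol, ip, port):
    """All rules from all attached groups are checked; any match allows."""
    return any(r.protocol in ("-1", protocol)
               and r.port_from <= port <= r.port_to
               and ipaddress.ip_address(ip) in ipaddress.ip_network(r.cidr)
               for r in rules)

class Interface:
    def __init__(self, groups):
        if len(groups) > MAX_GROUPS_PER_INTERFACE:
            raise ValueError(f"at most {MAX_GROUPS_PER_INTERFACE} security groups per interface")
        self.groups = list(groups)
        self.tracked = set()   # connection table: (protocol, remote_ip, remote_port, local_port)

    def inbound(self, f):
        key = (f.protocol, f.remote_ip, f.remote_port, f.local_port)
        if key in self.tracked:                       # reply to a connection this side opened
            return True
        rules = [r for g in self.groups for r in g.inbound]
        if _any_allows(rules, f.protocol, f.remote_ip, f.local_port):
            self.tracked.add(key)
            return True
        return False

    def outbound(self, f):
        key = (f.protocol, f.remote_ip, f.remote_port, f.local_port)
        if key in self.tracked:                       # reply to a tracked inbound connection
            return True
        rules = [r for g in self.groups for r in g.outbound]
        if _any_allows(rules, f.protocol, f.remote_ip, f.remote_port):
            self.tracked.add(key)
            return True
        return False

# Constructed groups: a web group whose outbound side deliberately lacks an ephemeral-port
# rule, and a locked group with no inbound rules at all for the Windows instances.
SG_WEB = SecurityGroup("sg-web",
                       inbound=(SgRule("tcp", 22, 22, "10.0.0.0/8"), SgRule("tcp", 80, 80, ANY)),
                       outbound=(SgRule("tcp", 443, 443, ANY),))
SG_LOCKED = SecurityGroup("sg-locked", inbound=(), outbound=(SgRule("-1", 0, 65535, ANY),))

def demo():
    linux, windows, client = Interface([SG_WEB]), Interface([SG_LOCKED]), "198.51.100.7"
    req = Flow("tcp", client, 51000, 80)
    return {
        "linux_http_in": linux.inbound(req),
        "linux_http_reply_out": linux.outbound(req),              # allowed by state, not by a rule
        "reply_without_state": Interface([SG_WEB]).outbound(req), # same packet, no tracked connection
        "windows_http_in": windows.inbound(req),
        "windows_rdp_in": windows.inbound(Flow("tcp", client, 51001, 3389)),
        "windows_update_out": windows.outbound(Flow("tcp", "203.0.113.50", 443, 49200)),
        "linux_ssh_from_internet": linux.inbound(Flow("tcp", client, 51002, 22)),
        "linux_ssh_from_vpc": linux.inbound(Flow("tcp", "10.0.2.5", 51003, 22)),
    }

def too_many_groups():
    try:
        Interface([SG_LOCKED] * (MAX_GROUPS_PER_INTERFACE + 1))
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allow' if allowed else 'drop'}")
```

The `reply_without_state` entry is the contrast with the NACL case: the same reply packet is dropped when no tracked connection exists, because `sg-web` has no outbound rule for port 51000, and allowed when the inbound request was tracked first.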

  • 60

    Your security manager has hired a security contractor to audit your firewall implementation. When the consultant asks for the login details for the firewall appliance, which of the following might you do? (Choose two.)

    Explain that AWS implements network security differently and that there is no such thing as a firewall appliance. Create an IAM user with a policy that can read Security Group and Route settings., Tell him the details of the web application firewall.

  • 61

    What is used to control network traffic at the subnet level in AWS?

    Network ACLs (NACLs)

  • 62

    How is the public IP address managed in an instance session via the instance GUI/RDP or Terminal/SSH session?

    The public IP address is not managed on the instance; instead, it is an alias applied as a network address translation of the private IP address.

  • 63

    What can be used to provide temporary access to perform a specific function within AWS and that will automatically expire without further action?

    Role

  • 64

    What is the maximum number of security groups that can be assigned to an instance?

    5 per network interface by default (this quota can be raised on request)

  • 65

    When using an encrypted EBS volume, what type of data is encrypted automatically? (Choose the single best answer.)

    All data stored on the volume