Title of test:
Practice Test-1

Description:
Non-MCQ Practice Test

Author:
Nicks

Creation Date:
01/11/2021

Category:
Others

Number of questions: 35
Content:
1. A Security Engineer must implement mutually authenticated TLS connections between containers that communicate inside a VPC. Which solution would be MOST secure and easy to maintain?
A. Create a self-signed certificate in one container and use AWS Secrets Manager to distribute the certificate to the other containers to establish trust.
B. Use AWS Certificate Manager Private Certificate Authority (ACM PCA) to create a subordinate certificate authority, then create the private keys in the containers and sign them using the ACM PCA API.
C. Use AWS Certificate Manager Private Certificate Authority (ACM PCA) to create a subordinate certificate authority, then use AWS Certificate Manager to generate the private certificates and deploy them to all the containers.
D. Use AWS Certificate Manager to generate certificates from a public certificate authority and deploy them to all the containers.

2. A company wants to deploy a distributed web application on a fleet of EC2 instances. The fleet will be fronted by a Classic Load Balancer that will be configured to terminate the TLS connection. The company wants to make sure that all past and current TLS traffic to the Classic Load Balancer stays secure even if the certificate private key is leaked. To ensure the company meets these requirements, a Security Engineer can configure a Classic Load Balancer with:
A. An HTTPS listener that uses a certificate that is managed by AWS Certificate Manager.
B. A TCP listener that uses a custom security policy that allows only perfect forward secrecy cipher suites.
C. An HTTPS listener that uses the latest AWS predefined ELBSecurityPolicy-TLS-1-2-2017-01 security policy.
D. An HTTPS listener that uses a custom security policy that allows only perfect forward secrecy cipher suites.
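The question above hinges on what "perfect forward secrecy cipher suites" means for a TLS-terminating load balancer: suites whose key exchange is ephemeral (ECDHE or DHE) derive a fresh session key per connection, so a leaked server private key cannot decrypt recorded traffic; suites with static RSA key exchange (no ECDHE-/DHE- prefix) can. The following is an added example, not part of the practice test, that classifies cipher suites on that basis and builds the attribute list for a Classic Load Balancer custom SSL negotiation policy (the shape `PolicyAttributes` takes in boto3's `elb.create_load_balancer_policy` with `PolicyTypeName='SSLNegotiationPolicyType'`). The candidate cipher list is constructed for the example and is not an AWS predefined policy.

```python
"""Added example (not from the practice test): classify TLS cipher suites by
whether their key exchange gives perfect forward secrecy (PFS), and build the
attribute list for a Classic Load Balancer custom SSL negotiation policy that
enables only those suites. Cipher names use the OpenSSL naming ELB uses."""
import re

# ECDHE-/DHE- suites sign an ephemeral key exchange with the server's long-term
# key; static RSA suites encrypt the pre-master secret under that key, so a
# leaked key decrypts every recorded session. Static ECDH (ECDH-) is also not PFS.
_PFS_KEX = re.compile(r"^(ECDHE|DHE)-")


def provides_forward_secrecy(cipher: str) -> bool:
    return bool(_PFS_KEX.match(cipher))


def pfs_only(ciphers):
    """Return the subset of ciphers whose key exchange is ephemeral."""
    return [c for c in ciphers if provides_forward_secrecy(c)]


def build_policy_attributes(ciphers, protocols=("Protocol-TLSv1.2",)):
    """Attribute list in the shape elb.create_load_balancer_policy() expects in
    PolicyAttributes. Only PFS suites are set to 'true'; anything not listed
    stays disabled. Server-Defined-Cipher-Order makes the server's order win."""
    attrs = [{"AttributeName": p, "AttributeValue": "true"} for p in protocols]
    attrs.append({"AttributeName": "Server-Defined-Cipher-Order", "AttributeValue": "true"})
    attrs += [{"AttributeName": c, "AttributeValue": "true"} for c in pfs_only(ciphers)]
    return attrs


# Constructed candidate list: a mix of ephemeral and static-RSA suites.
CANDIDATE_CIPHERS = [
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-GCM-SHA256",
    "AES128-GCM-SHA256",  # static RSA key exchange: no PFS
    "AES256-SHA256",      # static RSA key exchange: no PFS
    "DES-CBC3-SHA",       # static RSA and 3DES: no PFS, weak cipher
]

if __name__ == "__main__":
    for c in CANDIDATE_CIPHERS:
        print(f"{c:32} PFS={provides_forward_secrecy(c)}")
    # In a real account this list would be passed as
    # PolicyAttributes=build_policy_attributes(CANDIDATE_CIPHERS) to
    # boto3.client('elb').create_load_balancer_policy(...), then the policy
    # attached to the HTTPS listener with set_load_balancer_policies_of_listener.
    for a in build_policy_attributes(CANDIDATE_CIPHERS):
        print(a)
```

Note that the ECDHE-ECDSA suites are only negotiable if the listener's certificate has an ECDSA key; with an RSA certificate the ECDHE-RSA and DHE-RSA entries are the ones that take effect.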
3. Which of the following are valid configurations for using SSL certificates with Amazon CloudFront? (Select THREE.)
A. Default SSL certificate stored in AWS Secrets Manager
B. Default AWS Certificate Manager certificate
C. Default CloudFront certificate
D. Custom SSL certificate stored in AWS Certificate Manager
E. Custom SSL certificate stored in AWS KMS
F. Custom SSL certificate stored in AWS IAM

4. Your company has a set of 1000 EC2 instances defined in an AWS account. They want to effectively automate several administrative tasks on these instances. Which of the following would be an effective way to achieve this?
A. Use AWS Systems Manager Parameter Store
B. Use AWS Systems Manager Run Command
C. Use Amazon Inspector
D. Use AWS Config

5. An IT department currently has a Java web application deployed on Apache Tomcat running on Amazon EC2 instances. All traffic to the EC2 instances is sent through an internet-facing Application Load Balancer (ALB). The Security team has noticed during the past two days thousands of unusual read requests coming from hundreds of IP addresses. This is causing the Tomcat server to run out of threads and reject new connections. Which is the SIMPLEST change that would address this server issue?
A. Create an AWS WAF web ACL and attach it to the ALB.
B. Create an Amazon CloudFront distribution and configure the ALB as the origin.
C. Map the application domain name to use Route 53.
D. Block the malicious IPs with a network access control list (NACL).

6. An external auditor finds that a company's user passwords have no minimum length. The company is currently using two identity providers:
* AWS IAM federated with on-premises Active Directory
* Amazon Cognito user pools for access to an AWS Cloud application developed by the company
Which combination of actions should the Security Engineer take to solve this issue? (Select TWO.)
A. Update the password length policy in the on-premises Active Directory configuration.
B. Create an SCP with AWS Organizations that enforces a minimum password length for AWS IAM and Amazon Cognito.
C. Update the password length policy in the IAM configuration.
D. Update the password length policy in the Amazon Cognito configuration.
E. Enforce an IAM policy in Amazon Cognito and AWS IAM with a minimum password length condition.

7. A company's security engineer is configuring Amazon S3 permissions to ban all current and future public buckets. However, the company hosts several websites directly off S3 buckets with public access enabled. The engineer needs to block direct access to public S3 buckets without causing any outages on the websites. The engineer has set up an Amazon CloudFront distribution for each website. Which set of steps should the security engineer implement next?
A. Configure an S3 bucket as the origin with an origin access identity (OAI) for the CloudFront distribution. Enable block public access settings at the account level.
B. Configure an S3 bucket as the origin with an origin access identity (OAI) for the CloudFront distribution. Switch the DNS records for the websites to point to the CloudFront distribution. Enable block public access settings at the account level.
C. Configure an S3 bucket as the origin for the CloudFront distribution. Configure the S3 bucket policy to accept connections from the CloudFront points of presence only. Switch the DNS records for the websites to point to the CloudFront distribution. Enable block public access settings at the account level.
D. Configure an S3 bucket as the origin with an origin access identity (OAI) for the CloudFront distribution. Switch the DNS records for the websites to point to the CloudFront distribution. Then, for each S3 bucket, enable block public access settings.

8. A security team is responsible for reviewing AWS API call activity in the cloud environment for security violations. These events must be recorded and retained in a centralized location for both current and future AWS Regions. What is the SIMPLEST way to meet these requirements?
A. Enable Amazon CloudWatch logging for all AWS services across all Regions, and aggregate them to a single Amazon S3 bucket for later analysis.
B. Enable AWS CloudTrail by creating individual trails for each Region, and specify a single Amazon S3 bucket to receive log files for later analysis.
C. Enable AWS Trusted Advisor security checks in the AWS Console, and report all security incidents for all Regions.
D. Enable AWS CloudTrail by creating a new trail and applying the trail to all Regions. Specify a single Amazon S3 bucket as the storage location.

9. The Security Engineer implemented a new Amazon S3 Glacier Vault Lock policy for 10 TB of data and called initiate-vault-lock 12 hours ago. The Audit team identified a typo that is allowing incorrect access to the vault. What is the MOST cost-effective way to correct this?
A. Call the abort-vault-lock operation, fix the typo, and call initiate-vault-lock again.
B. Copy the vault data to Amazon S3, delete the vault, and create a new vault with the data.
C. Update the policy, keeping the vault lock in place.
D. Update the policy and call initiate-vault-lock again to apply the new policy.

10. The Security Engineer has discovered that a new application that deals with highly sensitive data is storing Amazon S3 objects with the following key pattern, which itself contains highly sensitive data.
Pattern: "randomID_datestamp_PII.csv"
Example: "1234567_12302017_000-00-0000.csv"
The bucket where these objects are being stored is using server-side encryption (SSE). Which solution is the most secure and cost-effective option to protect the sensitive data?
A. Remove the sensitive data from the object name, and store the sensitive data using S3 user-defined metadata.
B. Add an S3 bucket policy that denies the action s3:GetObject.
C. Use a random and unique S3 object key, and create an S3 metadata index in Amazon DynamoDB using client-side encrypted attributes.
D. Store all sensitive objects in Binary Large Objects (BLOBs) in an encrypted Amazon RDS instance.

11. Amazon GuardDuty has detected communications to a known command and control endpoint from a company's Amazon EC2 instance. The instance was found to be running a vulnerable version of a common web framework. The company's security operations team wants to quickly identify other compute resources with the specific version of that framework installed. Which approach should the team take to accomplish this task?
A. Scan all the EC2 instances with the Amazon Inspector Network Reachability rules package to identify instances running a web server with RecognizedPortWithListener findings.
B. Scan all the EC2 instances for noncompliance with AWS Config. Use Amazon Athena to query AWS CloudTrail logs for the framework installation.
C. Scan all the EC2 instances with AWS Resource Access Manager to identify the vulnerable version of the web framework.
D. Scan all the EC2 instances with AWS Systems Manager to identify the vulnerable version of the web framework.

12. A Security Engineer has launched multiple Amazon EC2 instances from a private AMI using an AWS CloudFormation template. The Engineer notices instances terminating right after they are launched. What could be causing these terminations?
A. The IAM user launching those instances is missing the ec2:RunInstances permission.
B. AWS currently does not have sufficient capacity in the Region.
C. The AMI used is encrypted and the IAM principal does not have the required AWS KMS permissions.
D. The instance profile used with the EC2 instances is unable to query instance metadata.

13. A company's Developers plan to migrate their on-premises applications to Amazon EC2 instances running Amazon Linux AMIs. The applications are accessed by a group of partner companies. The Security Engineer needs to implement the following host-based security measures for these instances:
* Block traffic from documented known bad IP addresses
* Detect known software vulnerabilities and CIS Benchmarks compliance
Which solution addresses these requirements?
A. Launch the EC2 instances with an IAM role attached. Include a user data script that uses the AWS CLI to retrieve the list of bad IP addresses from AWS Secrets Manager and uploads it as a threat list in Amazon GuardDuty. Use Amazon Inspector to scan the instances for known software vulnerabilities and CIS Benchmarks compliance.
B. Launch the EC2 instances with an IAM role attached. Include a user data script that creates a cron job to periodically retrieve the list of bad IP addresses from Amazon S3, and configures iptables on the instances blocking the list of bad IP addresses. Use Amazon Inspector to scan the instances for known software vulnerabilities and CIS Benchmarks compliance.
C. Launch the EC2 instances with an IAM role attached. Include a user data script that uses the AWS CLI to create NACLs blocking ingress traffic from the known bad IP addresses in the EC2 instances' subnets. Use AWS Systems Manager to scan the instances for known software vulnerabilities, and AWS Trusted Advisor to check instances for CIS Benchmarks compliance.
D. Launch the EC2 instances with an IAM role attached. Include a user data script that uses the AWS CLI to create and attach security groups that only allow an allow-listed source IP address range inbound. Use Amazon Inspector to scan the instances for known software vulnerabilities, and AWS Trusted Advisor to check instances for CIS Benchmarks compliance.

14. You need to establish a secure backup and archiving solution for your company, using AWS. Documents should be immediately accessible for three months and available for five years for compliance reasons. Which AWS service fulfills these requirements in the most cost-effective way?
A. Upload data to S3 and use lifecycle policies to move the data into Glacier for long-term archiving.
B. Upload the data on EBS, use lifecycle policies to move EBS snapshots into S3 and later into Glacier for long-term archiving.
C. Use Direct Connect to upload data to S3 and use IAM policies to move the data into Glacier for long-term archiving.
D. Use Storage Gateway to store data to S3 and use lifecycle policies to move the data into Redshift for long-term archiving.

15. An application has been written that publishes custom metrics to Amazon CloudWatch. Recently, IAM changes have been made on the account and the metrics are no longer being reported. Which of the following is the LEAST permissive solution that will allow the metrics to be delivered?
A. Add a statement to the IAM policy used by the application to allow logs:PutLogEvents and logs:CreateLogStream.
B. Modify the IAM role used by the application by adding the CloudWatchFullAccess managed policy.
C. Add a statement to the IAM policy used by the application to allow cloudwatch:PutMetricData.
D. Add a trust relationship to the IAM role used by the application for cloudwatch.amazonaws.com.
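The question above is a least-privilege comparison: the `logs:` actions belong to CloudWatch Logs, not to the `cloudwatch:PutMetricData` API that custom metrics use, and a broad managed policy grants far more than the one action needed. The following is an added example, not part of the practice test, of a small IAM policy evaluator that makes that comparison concrete. It models Allow/Deny statements, `Action` as a string or list, and IAM's `*` and `?` wildcards matched case-insensitively; `NotAction`, `Resource` and `Condition` are deliberately not modelled (PutMetricData takes `Resource: "*"` in real policies because it has no resource-level permissions). The three policy documents and the probe action list are constructed for the example; the broad policy stands in for a full-access managed policy and is not the actual CloudWatchFullAccess document.

```python
"""Added example (not from the practice test): a minimal IAM action evaluator
used to compare candidate policies for an application that only needs
cloudwatch:PutMetricData. Explicit Deny wins; no matching Allow means denied."""
import re


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action patterns support '*' (any run) and '?' (one character) and are
    # matched case-insensitively; everything else is literal.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def is_allowed(policy: dict, action: str) -> bool:
    """True if some Allow statement covers the action and no Deny does."""
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        if any(_action_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            if stmt.get("Effect") == "Deny":
                return False
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed


def allowed_subset(policy: dict, actions):
    return [a for a in actions if is_allowed(policy, a)]


# Constructed policies mirroring the answer choices.
LOGS_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["logs:PutLogEvents", "logs:CreateLogStream"], "Resource": "*"}]}
METRICS_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "cloudwatch:PutMetricData", "Resource": "*"}]}
# Stand-in for a broad managed policy (constructed, not the real document).
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "cloudwatch:*", "Resource": "*"}]}

# Constructed probe set: the one action the app needs plus actions it should not have.
PROBE_ACTIONS = ["cloudwatch:PutMetricData", "cloudwatch:DeleteAlarms",
                 "cloudwatch:GetMetricData", "logs:PutLogEvents"]


def blast_radius(policy: dict, actions=PROBE_ACTIONS) -> int:
    """Number of probe actions the policy grants: a crude least-privilege gauge."""
    return len(allowed_subset(policy, actions))


if __name__ == "__main__":
    for name, pol in [("LOGS_ONLY", LOGS_ONLY), ("METRICS_ONLY", METRICS_ONLY), ("BROAD", BROAD)]:
        print(f"{name:13} PutMetricData={is_allowed(pol, 'cloudwatch:PutMetricData')!s:5} "
              f"grants {blast_radius(pol)} of {len(PROBE_ACTIONS)} probe actions")
```

The evaluator is intentionally tiny; for real policies use IAM Access Analyzer or the `SimulatePrincipalPolicy` API, which also account for resource ARNs, conditions, SCPs and permission boundaries.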
16. Your company is planning on using bastion hosts for administering the servers in AWS. Which of the following is the best description of a bastion host from a security perspective?
A. A bastion host should be on a private subnet and never a public subnet due to security concerns.
B. A bastion host sits on the outside of an internal network and is used as a gateway into the private network and is considered the critical strong point of the network.
C. Bastion hosts allow users to log in using RDP or SSH and use that session to SSH into the internal network to access private subnet resources.
D. A bastion host should maintain extremely tight security and monitoring as it is available to the public.
E. A bastion host is a special-purpose computer on a network specifically designed and configured to withstand attacks. The computer generally hosts a single application, for example a proxy server, and all other services are removed or limited to reduce the threat to the computer.

17. A company has a serverless application for internal users deployed on AWS. The application uses AWS Lambda for the front end and for business logic. The Lambda function accesses an Amazon RDS database inside a VPC. The company uses AWS Systems Manager Parameter Store for storing database credentials. A recent security review highlighted the following issues:
* The Lambda function has internet access.
* The relational database is publicly accessible.
* The database credentials are not stored in an encrypted state.
Which combination of steps should the company take to resolve these security issues? (Select THREE.)
A. Move all the Lambda functions inside the VPC.
B. Create a VPC endpoint for Systems Manager. Store the credentials as a SecureString parameter.
C. Edit the IAM role used by Lambda to restrict internet access.
D. Create a VPC endpoint for Systems Manager. Store the credentials as a String parameter. Change the parameter type to an advanced parameter.
E. Disable public access to the RDS database inside the VPC.
F. Edit the IAM role used by RDS to restrict internet access.

18. Your CTO is very worried about the security of your AWS account. How best can you prevent hackers from completely hijacking your account?
A. Use a short but complex password on the root account and any administrators.
B. Use AWS IAM Geo-Lock and disallow anyone from logging in except from your city.
C. Use MFA on all users and accounts, especially on the root account.
D. Don't write down or remember the root account password after creating the AWS account.

19. There is a set of EC2 instances in a private subnet. The application hosted on these EC2 instances needs to access a DynamoDB table. It needs to be ensured that traffic does not flow out to the internet. How can this be achieved?
A. Use a VPC endpoint to the DynamoDB table
B. Use a VPN connection from the VPC
C. Use a VPC gateway from the VPC
D. Use a VPC peering connection to the DynamoDB table

20. A Security Administrator is restricting the capabilities of company root user accounts. The company uses AWS Organizations and has enabled it for all feature sets, including consolidated billing. The top-level account is used for billing and administrative purposes, not for operational AWS resource purposes. How can the Administrator restrict usage of member root user accounts across the organization?
A. Disable the use of the root user account at the organizational root.
B. Enable multi-factor authentication of the root user account for each organizational member account.
C. Configure IAM user policies to restrict root account capabilities for each Organizations member account.
D. Create an organizational unit (OU) in Organizations with a service control policy that controls usage of the root user. Add all operational accounts to the new OU.
E. Configure AWS CloudTrail to integrate with Amazon CloudWatch Logs and then create a metric filter for RootAccountUsage.

21. You have enabled CloudTrail logs for your company's AWS account. In addition, the IT Security department has mentioned that the logs need to be encrypted. How can this be achieved?
A. Enable SSL certificates for the CloudTrail logs
B. There is no need to do anything since the logs will already be encrypted
C. Enable server-side encryption for the trail
D. Enable server-side encryption for the destination S3 bucket

22. A company is using AWS Secrets Manager to store secrets for its production Amazon RDS database. The Security Officer has asked that secrets be rotated every 3 months. Which solution would allow the company to securely rotate the secrets? (Select TWO.)
A. Place the RDS instance in a private subnet and an AWS Lambda function inside the VPC in the private subnet. Configure a Secrets Manager interface endpoint. Schedule the Lambda function to run every 3 months to rotate the secrets.
B. Place the RDS instance in a private subnet and an AWS Lambda function inside the VPC in the private subnet. Configure the private subnet to use a NAT gateway. Schedule the Lambda function to run every 3 months to rotate the secrets.
C. Place the RDS instance in a private subnet and an AWS Lambda function inside the VPC in the private subnet. Schedule the Lambda function to run quarterly to rotate the secrets.
D. Place the RDS instance in a public subnet and an AWS Lambda function outside the VPC. Schedule the Lambda function to run every 3 months to rotate the secrets.
E. Place the RDS instance in a private subnet and an AWS Lambda function outside the VPC. Configure the private subnet to use an internet gateway. Schedule the Lambda function to run every 3 months to rotate the secrets.

23. A company has several critical applications running on a large fleet of Amazon EC2 instances. As part of a security operations review, the company needs to apply a critical operating system patch to EC2 instances within 24 hours of the patch becoming available from the operating system vendor. The company does not have a patching solution deployed on AWS, but does have AWS Systems Manager configured. The solution must also minimize administrative overhead. What should a security engineer recommend to meet these requirements?
A. Use an AWS Systems Manager Patch Manager predefined baseline to patch affected instances.
B. Create an AWS Config rule defining the patch as a required configuration for EC2 instances.
C. Use AWS Systems Manager Run Command to patch affected instances.
D. Use AWS Systems Manager Session Manager to log in to each affected instance and apply the patch.

24. A Development team has built an experimental environment to test a simple static web application. It has built an isolated VPC with a private and a public subnet. The public subnet holds only an Application Load Balancer, a NAT gateway, and an internet gateway. The private subnet holds all of the Amazon EC2 instances. There are 3 different types of servers. Each server type has its own Security Group that limits access to only required connectivity. The Security Groups have both inbound and outbound rules applied. Each subnet has both inbound and outbound network ACLs applied to limit access to only required connectivity. Which of the following should the team check if a server cannot establish an outbound connection to the internet? (Select THREE.)
A. The outbound network ACL rules on the private subnet and both the inbound and outbound rules on the public subnet
B. The Security Group applied to the Application Load Balancer and NAT gateway
C. The outbound network ACL rules on the private subnet and the inbound network ACL rules on the public subnet
D. The rules on any host-based firewall that may be applied on the Amazon EC2 instances
E. The route tables and the outbound rules on the appropriate private subnet security group
F. That the 0.0.0.0/0 route in the private subnet route table points to the internet gateway in the public subnet

25. A Security Engineer discovered that some sudo commands were never properly notified or reported on by the Amazon CloudWatch Logs agent after a manual check of system logs from an Amazon Linux EC2 instance. Why were there no sudo command-line alerts?
A. There is a security group blocking outbound port 80 traffic that is preventing the agent from sending the logs.
B. The IAM instance profile on the EC2 instance was not properly configured to allow the CloudWatch Logs agent to push the logs to CloudWatch.
C. CloudWatch Logs status is set to ON versus SECURE, which prevents it from pulling in OS security event logs.
D. The VPC requires that all traffic go through a proxy, and the CloudWatch Logs agent does not support a proxy configuration.

26. To prevent an AWS KMS Customer Master Key (CMK) from being used for encryption or decryption activities, an organization must have the capability to remove it within a 24-hour period. Which of the following activities satisfies this criterion?
A. Manually rotate a key within KMS to create a new CMK immediately.
B. Use the KMS import key functionality to execute a delete key operation.
C. Use the schedule key deletion function within KMS to specify the minimum wait period for deletion.
D. Change the KMS CMK alias to immediately prevent any services from using the CMK.

27. VPC Flow Logs must be enabled on all VPCs as part of a company's security strategy. A security engineer wishes to automate compliance audits of VPC resources. Which activities should the Engineer execute in combination? (Select TWO.)
A. Create an AWS Lambda function that determines whether Flow Logs are enabled for a given VPC.
B. Create an AWS Config configuration item for each VPC in the company AWS account.
C. Create an AWS Config managed rule with a resource type of AWS::Lambda::Function.
D. Create an Amazon CloudWatch Events rule that triggers on events emitted by AWS Config.
E. Create an AWS Config custom rule, and associate it with an AWS Lambda function that contains the evaluating logic.
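The question above describes the AWS Config custom rule pattern: a Lambda function holds the evaluation logic and reports each resource's compliance back to Config. The following is an added example, not part of the practice test, of what that function looks like for the "every VPC has an active Flow Log" check. The pure function `evaluate_vpcs` is kept separate from the AWS calls so it can be tested offline; the handler uses the real boto3 method names (`describe_vpcs`, `describe_flow_logs` with the `resource-id` filter, `put_evaluations`) but takes injected clients, and the `FakeEC2`/`FakeConfig` classes, VPC IDs and `SAMPLE_EVENT` are constructed for the example. The compliance test is an assumption the question does not spell out: a VPC is compliant when at least one Flow Log with `FlowLogStatus` of `ACTIVE` targets it, regardless of traffic type.

```python
"""Added example (not from the practice test): evaluation logic for an AWS Config
custom rule that marks each VPC COMPLIANT when it has an ACTIVE VPC Flow Log and
NON_COMPLIANT otherwise. Written for a periodic (ScheduledNotification) rule."""
import json
from datetime import datetime, timezone


def evaluate_vpcs(vpc_ids, flow_logs, timestamp):
    """flow_logs is the 'FlowLogs' list from ec2.describe_flow_logs().
    Returns evaluation dicts in the shape config.put_evaluations() expects."""
    # Assumed compliance test: any ACTIVE flow log on the VPC, whatever its TrafficType.
    covered = {fl["ResourceId"] for fl in flow_logs if fl.get("FlowLogStatus") == "ACTIVE"}
    return [{
        "ComplianceResourceType": "AWS::EC2::VPC",
        "ComplianceResourceId": vpc_id,
        "ComplianceType": "COMPLIANT" if vpc_id in covered else "NON_COMPLIANT",
        "Annotation": "VPC Flow Logs active" if vpc_id in covered else "No active VPC Flow Log",
        "OrderingTimestamp": timestamp,
    } for vpc_id in vpc_ids]


def handler(event, context, ec2=None, config=None):
    """Lambda entry point. ec2/config default to boto3 clients when not injected."""
    if ec2 is None or config is None:
        import boto3  # only needed when running inside Lambda
        ec2 = ec2 or boto3.client("ec2")
        config = config or boto3.client("config")
    invoking = json.loads(event["invokingEvent"])
    ts = invoking.get("notificationCreationTime", datetime.now(timezone.utc).isoformat())
    vpc_ids = [v["VpcId"] for v in ec2.describe_vpcs()["Vpcs"]]
    flow_logs = ec2.describe_flow_logs(
        Filters=[{"Name": "resource-id", "Values": vpc_ids}])["FlowLogs"] if vpc_ids else []
    evaluations = evaluate_vpcs(vpc_ids, flow_logs, ts)
    # put_evaluations accepts at most 100 evaluations per call, so batch them.
    for i in range(0, len(evaluations), 100):
        config.put_evaluations(Evaluations=evaluations[i:i + 100],
                               ResultToken=event["resultToken"])
    return evaluations


# --- constructed fakes so the handler runs offline ---
class FakeEC2:
    def describe_vpcs(self):
        return {"Vpcs": [{"VpcId": "vpc-0a"}, {"VpcId": "vpc-0b"}, {"VpcId": "vpc-0c"}]}

    def describe_flow_logs(self, Filters):
        # vpc-0a is covered, vpc-0b has only an inactive log, vpc-0c has none.
        return {"FlowLogs": [
            {"FlowLogId": "fl-1", "ResourceId": "vpc-0a", "FlowLogStatus": "ACTIVE", "TrafficType": "ALL"},
            {"FlowLogId": "fl-2", "ResourceId": "vpc-0b", "FlowLogStatus": "INACTIVE", "TrafficType": "ALL"},
        ]}


class FakeConfig:
    def __init__(self):
        self.calls = []

    def put_evaluations(self, Evaluations, ResultToken):
        self.calls.append((ResultToken, Evaluations))
        return {"FailedEvaluations": []}


SAMPLE_EVENT = {  # constructed Config invocation for a scheduled rule
    "invokingEvent": json.dumps({"messageType": "ScheduledNotification",
                                 "notificationCreationTime": "2021-11-01T10:00:00.000Z"}),
    "resultToken": "token-123",
}


def run_offline():
    cfg = FakeConfig()
    return handler(SAMPLE_EVENT, None, ec2=FakeEC2(), config=cfg), cfg


if __name__ == "__main__":
    for e in run_offline()[0]:
        print(e["ComplianceResourceId"], e["ComplianceType"], "-", e["Annotation"])
```

The Lambda's execution role needs `ec2:DescribeVpcs`, `ec2:DescribeFlowLogs` and `config:PutEvaluations`, and the function's resource policy must let `config.amazonaws.com` invoke it; a managed rule such as `VPC_FLOW_LOGS_ENABLED` covers this exact check without custom code, but the custom-rule shape above is what applies when the check is one AWS does not ship.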
28. In the event of a security incident, a security engineer must create a system that allows the Incident Response team to audit for modifications to a user's IAM permissions. How can this be achieved?
A. Use AWS Config to review the IAM policy assigned to users before and after the incident.
B. Run GenerateCredentialReport via the AWS CLI, and copy the output to Amazon S3 daily for auditing purposes.
C. Copy AWS CloudFormation templates to S3, and audit for changes from the template.
D. Use Amazon EC2 Systems Manager to deploy images, and review AWS CloudTrail logs for changes.

29. An application writes logs to a text file. Security issues must be regularly tracked in the logs. Which design will satisfy the requirements with the LEAST amount of effort?
A. Create a scheduled process to copy the component's logs into Amazon S3. Use S3 events to trigger a Lambda function that updates Amazon CloudWatch metrics with the log data. Set up CloudWatch alerts based on the metrics.
B. Install and configure the Amazon CloudWatch Logs agent on the application's EC2 instance. Create a CloudWatch metric filter to monitor the application logs. Set up CloudWatch alerts based on the metrics.
C. Create a scheduled process to copy the application log files to AWS CloudTrail. Use S3 events to trigger Lambda functions that update CloudWatch metrics with the log data. Set up CloudWatch alerts based on the metrics.
D. Create a file watcher that copies data to Amazon Kinesis when the application writes to the log file. Have Kinesis trigger a Lambda function to update Amazon CloudWatch metrics with the log data. Set up CloudWatch alerts based on the metrics.

30. A Systems Engineer has been assigned the responsibility of establishing outgoing mail using Amazon Simple Email Service (SES) while adhering to current TLS requirements. Which of the following endpoints and matching ports should the mail application be configured to connect to?
A. email.us-east-1.amazonaws.com over port 8080
B. email-pop3.us-east-1.amazonaws.com over port 995
C. email-smtp.us-east-1.amazonaws.com over port 587
D. email-imap.us-east-1.amazonaws.com over port 993

31. A business uses imported key material to create a customer master key (CMK). All encryption keys must be rotated annually per company policy. What steps may be taken to execute the aforementioned policy?
A. Enable automatic key rotation annually for the CMK.
B. Use the AWS Command Line Interface to create an AWS Lambda function to rotate the existing CMK annually.
C. Import new key material to the existing CMK and manually rotate the CMK.
D. Create a new CMK, import new key material to it, and point the key alias to the new CMK.

32. Which technique will trigger automatic security alerts in the event that an unusually large number of unauthorized AWS API calls is discovered?
A. Create an Amazon CloudWatch metric filter that looks for API call error codes and then implement an alarm based on that metric's rate.
B. Configure AWS CloudTrail to stream event data to Amazon Kinesis. Configure an AWS Lambda function on the stream to alarm when the threshold has been exceeded.
C. Run an Amazon Athena SQL query against CloudTrail log files. Use Amazon QuickSight to create an operational dashboard.
D. Use the AWS Personal Health Dashboard to monitor the account's use of AWS services, and raise an alert if service error rates increase.
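The question above and the earlier one about a RootAccountUsage metric filter both rely on the same building block: CloudTrail records delivered to CloudWatch Logs, a metric filter that matches a field in each record, and an alarm on the resulting metric. The following is an added example, not part of the practice test, that runs the equivalent detection logic offline over constructed CloudTrail records: one detector counts rejected calls (`errorCode` of `AccessDenied` or `UnauthorizedOperation`) per fixed window and fires when the count reaches a threshold, the other flags direct root-user activity. The record field names (`eventTime`, `eventName`, `errorCode`, `userIdentity.type`, `userIdentity.invokedBy`) are the real CloudTrail fields; the records, the five-minute window and the threshold of three are made up for the example.

```python
"""Added example (not from the practice test): the detection logic behind two
CloudTrail metric filters, UnauthorizedBurst and RootAccountUsage, run offline
over constructed CloudTrail records."""
from collections import Counter
from datetime import datetime, timezone

# errorCode values CloudTrail records when IAM or a service rejects a call.
UNAUTHORIZED_CODES = {"AccessDenied", "Client.UnauthorizedOperation", "UnauthorizedOperation"}


def _epoch(event_time: str) -> int:
    return int(datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ")
               .replace(tzinfo=timezone.utc).timestamp())


def _iso(epoch: int) -> str:
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def is_unauthorized(record: dict) -> bool:
    return record.get("errorCode") in UNAUTHORIZED_CODES


def is_root_usage(record: dict) -> bool:
    """Direct root activity. Calls an AWS service makes on the root account's
    behalf carry userIdentity.invokedBy and are excluded, as the usual
    RootAccountUsage filter pattern does."""
    ident = record.get("userIdentity", {})
    return ident.get("type") == "Root" and "invokedBy" not in ident


def unauthorized_per_window(records, window_seconds=300) -> Counter:
    """Count rejected calls per aligned window, like a metric filter summed per period."""
    counts = Counter()
    for r in records:
        if is_unauthorized(r):
            t = _epoch(r["eventTime"])
            counts[t - t % window_seconds] += 1
    return counts


def alarms(records, threshold=3, window_seconds=300):
    """Return (name, time, detail) tuples: bursts first, then root usage."""
    found = []
    for start, n in sorted(unauthorized_per_window(records, window_seconds).items()):
        if n >= threshold:
            found.append(("UnauthorizedBurst", _iso(start), n))
    for r in records:
        if is_root_usage(r):
            found.append(("RootAccountUsage", r["eventTime"], r["eventName"]))
    return found


def _rec(time, name, ident_type, error=None, **ident_extra):
    r = {"eventTime": time, "eventName": name, "userIdentity": {"type": ident_type, **ident_extra}}
    if error:
        r["errorCode"] = error
    return r


# Constructed records: four denials inside one five-minute window, one root
# console login, one ordinary successful call.
SAMPLE_RECORDS = [
    _rec("2021-11-01T10:00:05Z", "DescribeInstances", "IAMUser", "Client.UnauthorizedOperation"),
    _rec("2021-11-01T10:01:10Z", "ListBuckets", "IAMUser", "AccessDenied"),
    _rec("2021-11-01T10:02:30Z", "GetSecretValue", "AssumedRole", "AccessDenied"),
    _rec("2021-11-01T10:03:40Z", "RunInstances", "IAMUser", "Client.UnauthorizedOperation"),
    _rec("2021-11-01T10:30:00Z", "ConsoleLogin", "Root"),
    _rec("2021-11-01T10:31:00Z", "DescribeInstances", "IAMUser"),
]

if __name__ == "__main__":
    for finding in alarms(SAMPLE_RECORDS):
        print(*finding)
```

In CloudWatch Logs the same two detectors are expressed as filter patterns on the trail's log group, for example `{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }` and `{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }`, each feeding a metric with an alarm on its sum per period. Note that a multi-region trail is what makes the root-usage filter meaningful, since a root login in a region without a trail would never reach the log group.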
33. A DDoS attack took an ecommerce website offline for one hour. During the attack, users were unable to access the website. The security staff at the ecommerce firm are concerned about future possible attacks and want to prepare for them. The company's response to future such attacks must be as quick as possible. Which measures would help achieve this? (Select TWO.)
A. Enable Amazon GuardDuty to automatically monitor for malicious activity and block unauthorized access.
B. Subscribe to AWS Shield Advanced and reach out to AWS Support in the event of an attack.
C. Use VPC Flow Logs to monitor network traffic and an AWS Lambda function to automatically block an attacker's IP using security groups.
D. Set up an Amazon CloudWatch Events rule to monitor the AWS CloudTrail events in real time, use AWS Config rules to audit the configuration, and use AWS Systems Manager for remediation.
E. Use AWS WAF to create rules to respond to such attacks.

34. A development team is attempting to encrypt and decrypt a SecureString parameter from AWS Systems Manager Parameter Store using an AWS Key Management Service (AWS KMS) CMK. However, each attempt results in an error message being sent to the development team. Which CMK-related problems could account for the error? (Select TWO.)
A. The CMK used in the attempt does not exist.
B. The CMK used in the attempt needs to be rotated.
C. The attempt is using the CMK's key ID instead of the CMK ARN.
D. The CMK used in the attempt is not enabled.
E. The attempt is using an alias.

35. A developer is writing an AWS Lambda function that will use environment variables to store connection and logging information. To conform to business rules for safeguarding Lambda environment variables, the Developer must use an AWS KMS Customer Master Key (CMK) issued by the Information Security department. Which of the following are necessary for this arrangement to function properly? (Select TWO.)
A. The Developer must configure Lambda access to the VPC using the --vpc-config parameter.
B. The Lambda function execution role must have the kms:Decrypt permission added in the AWS IAM policy.
C. The KMS key policy must allow permissions for the Developer to use the KMS key.
D. The AWS IAM policy assigned to the Developer must have the kms:GenerateDataKey permission added.
E. The Lambda execution role must have the kms:Encrypt permission added in the AWS IAM policy.