Amazon AWS Certified Security - Specialty SCS-C01
#131 (Accuracy: 100% / 2 votes)
The security engineer implemented a new vault lock policy for 10 TB of data and called initiate-vault-lock 12 hours ago. The audit team identified a typo that is allowing incorrect access to the vault.
What is the MOST cost-effective way to correct this?
  • A. Call the abort-vault-lock operation, fix the typo, and call the initiate-vault-lock again.
  • B. Copy the vault data to Amazon S3, delete the vault, and create a new vault with the data.
  • C. Update the policy, keeping the vault lock in place.
  • D. Update the policy, and call initiate-vault-lock again to apply the new policy.
#132 (Accuracy: 100% / 6 votes)
A company's on-premises networks are connected to VPCs using an AWS Direct Connect gateway. The company's on-premises application needs to stream data using an existing Amazon Kinesis Data Firehose delivery stream. The company's security policy requires that data be encrypted in transit using a private network.
How should the company meet these requirements?
  • A. Create a VPC endpoint for Kinesis Data Firehose. Configure the application to connect to the VPC endpoint.
  • B. Configure an IAM policy to restrict access to Kinesis Data Firehose using a source IP condition. Configure the application to connect to the existing Firehose delivery stream.
  • C. Create a new TLS certificate in AWS Certificate Manager (ACM). Create a public-facing Network Load Balancer (NLB) and select the newly created TLS certificate. Configure the NLB to forward all traffic to Kinesis Data Firehose. Configure the application to connect to the NLB.
  • D. Peer the on-premises network with the Kinesis Data Firehose VPC using Direct Connect. Configure the application to connect to the existing Firehose delivery stream.
#133 (Accuracy: 100% / 3 votes)
A security engineer has been tasked with implementing a solution that allows the company's development team to have interactive command line access to Amazon EC2 Linux instances using the AWS Management Console.

Which steps should the security engineer take to satisfy this requirement while maintaining least privilege?
  • A. Enable AWS Systems Manager in the AWS Management Console and configure for access to EC2 instances using the default AmazonEC2RoleforSSM role. Install the Systems Manager Agent on all EC2 Linux instances that need interactive access. Configure IAM user policies to allow development team access to the Systems Manager Session Manager and attach to the team's IAM users.
  • B. Enable console SSH access in the EC2 console. Configure IAM user policies to allow development team access to the AWS Systems Manager Session Manager and attach to the development team's IAM users.
  • C. Enable AWS Systems Manager in the AWS Management Console and configure to access EC2 instances using the default AmazonEC2RoleforSSM role. Install the Systems Manager Agent on all EC2 Linux instances that need interactive access. Configure a security group that allows SSH port 22 from all published IP addresses. Configure IAM user policies to allow development team access to the AWS Systems Manager Session Manager and attach to the team's IAM users.
  • D. Enable AWS Systems Manager in the AWS Management Console and configure to access EC2 instances using the default AmazonEC2RoleforSSM role. Install the Systems Manager Agent on all EC2 Linux instances that need interactive access. Configure IAM user policies to allow development team access to the EC2 console and attach to the team's IAM users.
#134 (Accuracy: 100% / 7 votes)
A company needs its Amazon Elastic Block Store (Amazon EBS) volumes to be encrypted at all times. During a security incident, EBS snapshots of suspicious instances are shared to a forensics account for analysis. A security engineer attempting to share a suspicious EBS snapshot to the forensics account receives the following error:
`Unable to share snapshot. An error occurred (OperationNotPermitted) when calling the ModifySnapshotAttribute operation: Encrypted snapshots with EBS default key cannot be shared`
Which combination of steps should the security engineer take in the incident account to complete the sharing operation? (Choose three.)
  • A. Create a customer managed CMK. Copy the EBS snapshot encrypting the destination snapshot using the new CMK.
  • B. Allow forensics account principals to use the CMK by modifying its policy.
  • C. Create an Amazon EC2 instance. Attach the encrypted and suspicious EBS volume. Copy data from the suspicious volume to an unencrypted volume. Snapshot the unencrypted volume.
  • D. Copy the EBS snapshot to the new decrypted snapshot.
  • E. Restore a volume from the suspicious EBS snapshot. Create an unencrypted EBS volume of the same size.
  • F. Share the target EBS snapshot with the forensics account.
#135 (Accuracy: 100% / 3 votes)
A company needs its Amazon Elastic Block Store (Amazon EBS) volumes to be encrypted at all times. During a security incident, a security engineer attempts to share a snapshot of a suspicious EBS volume to the company's forensics account for analysis. The security engineer receives the following error:

"Unable to share snapshot: An error occurred (OperationNotPermitted) when calling the ModifySnapshotAttribute operation: Encrypted snapshots with EBS default key cannot be shared."

Which combination of steps should the security engineer take in the incident account to complete the sharing operation? (Choose three.)
  • A. Create an AWS Key Management Service (AWS KMS) customer managed key. Copy the snapshot of the suspicious EBS volume. Encrypt the copy of the snapshot by using the new KMS key.
  • B. Allow principals in the forensics account to use the AWS Key Management Service (AWS KMS) customer managed key by modifying the key policy.
  • C. Launch an Amazon EC2 instance. Attach the encrypted and suspicious EBS volume. Copy the data from the suspicious EBS volume to an unencrypted EBS volume. Create a snapshot of the unencrypted EBS volume.
  • D. Copy the snapshot to the new decrypted snapshot.
  • E. Restore an EBS volume from the snapshot of the suspicious EBS volume. Create an unencrypted EBS volume of the same size.
  • F. Share the encrypted snapshot with the forensics account.
#136 (Accuracy: 100% / 2 votes)
A company has a large number of Amazon S3 buckets and a large number of objects in each S3 bucket. The company's security team wants to analyze the access patterns for the objects and buckets. These patterns include the most frequently accessed buckets and objects, the largest 100 objects downloaded, and the objects with the longest download time from public IP addresses.

The security team wants to view this information in a dashboard that is based on predetermined simple SQL queries.

Which combination of AWS services and features should a security engineer use to provide and display the information to the security team? (Choose three.)
  • A. Amazon CloudWatch Logs Insights
  • B. Amazon S3 server access logs
  • C. Amazon CloudWatch Logs
  • D. Amazon GuardDuty
  • E. Amazon QuickSight
  • F. Amazon Athena
#137 (Accuracy: 100% / 2 votes)
A Security Engineer is defining the logging solution for a newly developed product. Systems Administrators and Developers need to have appropriate access to event log files in AWS CloudTrail to support and troubleshoot the product.
Which combination of controls should be used to protect against tampering with and unauthorized access to log files? (Choose two.)
  • A. Ensure that the log file integrity validation mechanism is enabled.
  • B. Ensure that all log files are written to at least two separate Amazon S3 buckets in the same account.
  • C. Ensure that Systems Administrators and Developers can edit log files, but prevent any other access.
  • D. Ensure that only Systems Administrators and Developers with job-related need-to-know requirements are capable of viewing, but not modifying, the log files.
  • E. Ensure that all log files are stored on Amazon EC2 instances that allow SSH access from the internal corporate network only.
#138 (Accuracy: 100% / 1 vote)
A Security Architect is evaluating managed solutions for storage of encryption keys. The requirements are:
- Storage is accessible by using only VPCs.
- Service has tamper-evident controls.
- Access logging is enabled.
- Storage has high availability.

Which of the following services meets these requirements?
  • A. Amazon S3 with default encryption
  • B. AWS CloudHSM
  • C. Amazon DynamoDB with server-side encryption
  • D. AWS Systems Manager Parameter Store
#139 (Accuracy: 100% / 3 votes)
In response to past DDoS attacks, a Security Engineer has set up an Amazon CloudFront distribution in front of an Amazon S3 bucket. There is concern that some users may bypass the CloudFront distribution and access the S3 bucket directly.
What must be done to prevent users from accessing the S3 objects directly by using URLs?
  • A. Change the S3 bucket/object permission so that only the bucket owner has access.
  • B. Set up a CloudFront origin access identity (OAI), and change the S3 bucket/object permission so that only the OAI has access.
  • C. Create IAM roles for CloudFront, and change the S3 bucket/object permission so that only the IAM role has access.
  • D. Redirect S3 bucket access to the corresponding CloudFront distribution.
#140 (Accuracy: 100% / 3 votes)
A security engineer is attempting to push a Linux-based container image to an Amazon Elastic Container Registry (Amazon ECR) repository that is in the us-east-1 Region. The security engineer has retrieved an authentication token by using the aws ecr get-login-password AWS CLI command within the last 4 hours. The security engineer has confirmed that the correct permissions are in place to push the container image to the repository.

When the security engineer tries to push the container image, the security engineer receives the following error: "no basic auth credentials".

What should the security engineer do to resolve this error?
  • A. Obtain a new authorization token.
  • B. Configure the AWS CLI to use us-east-1.
  • C. Modify the aws-auth-cm.yaml file to include the IAM role for the security engineer.
  • D. Activate AWS Security Token Service (AWS STS) in us-east-1.