What is the most secure way to provide applications temporary access to your AWS resources? Create an IAM group that has access to the resources, and add the application there Create an IAM user with access keys and assign it to the application Create an IAM role and have the application assume the role Create an IAM policy that allows the application to access the resources, and attach the policy to the application .
Which of the following is part of the best practices in securing your AWS account? Enable MFA only on the root account Always manually define permissions to each and every individual IAM user Create an IAM user with admin privileges instead of using root Grant Most Privilege .
In compliance with the Sarbanes-Oxley Act (SOX) federal law, a US-based company is required to provide SOC 1 and SOC 2 reports of their cloud resources.
Where are these AWS compliance documents located? AWS Artifact AWS Organizations AWS GovCloud AWS Certificate Manager .
Which service in AWS protects your resources from common DDoS attacks in a proactive manner? Amazon Inspector AWS WAF Security groups AWS Shield .
A customer has recently experienced an SQL injection attack on their web application’s database hosted in EC2.
They submitted a complaint ticket to AWS.
What should be the response from AWS? AWS should not be liable for the damages since the customer should have properly patched the EC2 instance. AWS should secure their infrastructure better to reduce these kinds of incidents. AWS should reiterate that the customer is responsible for the security of their applications in the Cloud. AWS and the customer should contact a third party auditor to verify the incident. .
There is an incident with your team where an S3 object was deleted using an account without the owner’s knowledge.
What can be done to prevent unauthorized deletion of your S3 objects? Configure MFA delete on the S3 bucket. Set up stricter IAM policies that will prevent users from deleting S3 objects Create access control policies so that only you can perform S3-related actions Set your S3 buckets to private so that objects are not publicly readable/writable .
Which of the following is typically used to secure your VPC subnets? AWS Config Security Group AWS IAM Network ACL .
Which of the following IAM identities is associated with the access keys that are used in managing your cloud resources via the AWS Command Line Interface (AWS CLI)? IAM Group IAM Role IAM User IAM Policy .
Which of the following security group rules are valid? (Select TWO.) Outbound HTTPS rule with hostname as destination Outbound MYSQL rule with IP address as source Inbound HTTP rule with security group ID as source Inbound RDP rule with an address range as source Inbound TCP rule with instance ID as source .
You are permitted to conduct security assessments and penetration testing without prior approval against which AWS resources? (Select TWO.) Amazon RDS Amazon S3 AWS Security Token Service (STS) AWS Identity and Access Management (IAM) Amazon Aurora .
Which of the following instances is it better to use IAM roles rather than IAM users? (Select TWO.) If you have employees who will constantly need access to your AWS resources When you need a GUI to interact with your AWS environment When you want to provide AWS services permissions to do certain actions When you need an administrator to handle the AWS account for you When you have outside entities that need to perform specific actions in your AWS account.
Which of the following should you use if you need to provide temporary AWS credentials for users who have been authenticated via their social media logins as well as for guest users who do not require any authentication? AWS AppSync AWS IAM Identity Center Amazon Cognito User Pool Amazon Cognito Identity Pool .
A customer needs to identify the IAM user who terminated their production EC2 instance in AWS.
Which service should they use in this situation? Amazon CloudWatch AWS Systems Manager Amazon AppStream 2.0 AWS CloudTrail .
In the Shared Responsibility Model, which of the following options below is a shared control between AWS and the customer? Client-side data encryption Server-side data encryption Physical and environmental controls of the AWS data centers Awareness and training .
Which among the services below can you use to test and troubleshoot IAM and resource-based policies? IAM Policy Simulator AWS Config Systems Manager Amazon Inspector .
Which service lets you create rules to filter web traffic based on conditions that include IP addresses, HTTP headers, or custom URIs? Security Group AWS Trusted Advisor Network ACLs AWS WAF .
What service should you use in order to add user sign-up, sign-in, and access control to your mobile app with a feature that supports sign-in with social identity providers such as Facebook, Google, and Amazon, and enterprise identity providers via SAML 2.0? AWS Single Sign-On (SSO) AWS Directory Service AWS Identity and Access Management (IAM) Amazon Cognito .
As an AWS customer, what offering do you naturally inherit from AWS after you sign up? All the responsibilities in enforcing security and compliance policies of your organization All the hardware and software that you provision in the AWS cloud All the best practices of AWS policies, architecture, and operational processes built to satisfy your requirements All the data you store in and retrieve from AWS .
Which of the following is a benefit of using AWS Config? Facilitates the automation of AWS resource deployment. Facilitates the management of user access to AWS resources. Facilitates adherence to regulatory requirements and best practices. Facilitates the real-time monitoring of AWS resources for security threats.
Which of the following is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads? AWS Shield Amazon GuardDuty AWS WAF Amazon Macie .
Which of the following is needed to retrieve a list of your EC2 instances using the AWS CLI? Username and password SSH keys MFA Access Keys .
In the AWS Shared Responsibility Model, whose responsibility is it to patch the host operating system of an Amazon EC2 instance? AWS Customer Both AWS and the customer Neither AWS nor the customer .
An employee is asking for access to your S3 buckets. What should be the level of access that you should provide to him? Ask what type of access he requires and only provide him those permissions Give him read-only access Give him administrator access levels Give him S3 full access .
What is the best way to keep track of all activities made in your AWS account? Use Amazon CloudWatch Logs to log all activities Create a multi-region trail in AWS CloudTrail Set up MFA logging to know who is currently in your environment Use LDAP authentication on your AWS account .
Which of the following policies grant the necessary permissions required to access your Amazon S3 resources? (Select TWO.) User policies Network access control policies Bucket policies Routing policies Object policies .
An e-commerce company launches several EC2 instances to run their web application.
Which of the following services can be used to help ensure security compliance? (Select TWO.) Amazon MQ Amazon Inspector AWS Trusted Advisor AWS Systems Manager AWS CloudFormation .
A company is using Amazon S3 to store their static media contents such as photos and videos.
Which of the following should you use to provide specific users access to the bucket? Security Group Network Access Control List SSH key Bucket Policy .
Which of the following tasks fall under the sole responsibility of AWS based on the shared responsibility model? Applying Amazon S3 bucket policies Patch Management Implementing IAM policies Physical and environmental controls .
WS Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely.
Which of the following best describes what an account alias is in IAM? A substitute for an account ID in the web address for your account The numerical value of your account ID The name AWS assigns to your account Your IAM root username .
Which of the following statements is true for AWS CloudTrail? When you create a trail in the AWS Management Console, the trail applies to all AWS Regions by default CloudTrail is disabled by default for newly created AWS accounts CloudTrail is able to capture application error logs from your EC2 instances CloudTrail charges you for every management event trail created .
|
