AWS Cloud Practitioner CLF-C01 (security and compliance)

Which service allows you to create access keys for someone who needs to access AWS through the command line interface (CLI)?. IAM. Secrets Manager. Security Center. Amazon Cloud Directory.

Which service can integrate with a Lambda function to automatically take corrective action when it discovers suspicious network activity by monitoring logs in your AWS account?. amazon inspector. aws cloudtrail. amazon guardduty. aws systems manager.

What service allows you to locate credit card numbers stored in Amazon S3?. amazon inspector. amazon macie. amazon rekognition. amazon comprehend.

Which service allows you to record software configuration changes on your Amazon EC2 instances over time?. trusted advisor. inspector. systems manager. config.

How do I manage the permissions of multiple users at once using AWS Identity and Access Management (IAM)?. EC2 security groups. roles. groups. policies.

Which service protects your web application from cross-site scripting attacks?. inspector. WAF. Shield. Macie.

Which of the following services will help you optimize your entire AWS environment in real time by following AWS best practices?. WAF. Trusted advisor. Shield. Inspector.

True or false: It is more secure to use access keys than to use IAM roles. true. false.

AWS Web Application Firewall can work down to which layer of the OSI model?. 6. 7. 5. 4.

Which of the following conformance assurances attests to the fact that the aws platform has met the standard required for the secure storage of medical records in the US?. HIPPA. FERPA. PCI DSS. HITECH. GLBA.

You must use an AWS service to assess the security and compliance of your EC2 instances. Which of the following services should you use?. inspector. trusted advisor. shield. WAF.

True or false: The standard version of AWS Shield offers automated monitoring of application traffic (Layer 7). true. false.

Which of the following AWS services can help you assess/evaluate the fault tolerance of your AWS environment?. inspector. trusted advisor. shield. WAF.

Which of the following is the AWS Managed DDoS Protection Service?. WAF. Security groups. Shield. Control lists.

Which of the following compliance certifications attests to the security of the AWS platform with respect to credit card transactions?. PCI DSS. SOC 2. SOC 1. ISO 27001.

True or false: Security in the Cloud is the responsibility of AWS. TRUE. FALSE.

Which term refers to the Identity and Access Management (IAM) resource objects that AWS uses for authentication?. Entities. identities. resources. principal.

Under the shared responsibility model, which task is AWS' responsibility when managing AWS Lambda functions?. Ensuring the Lambda function has the proper IAM permissions to access other services and resources. Upgrading function code when new versions of programming languages are released. Managing the Lambda runtime environment. Managing the versions of Lambda function code.

Which of the following are focuses of the reliability pillar of the Well-Architected Framework?. Recover from failure automatically. Implement recovery procedures without testing. Reduce idle (inactive) resources. Scale vertically for resilience.

A new application needs temporary access to resources in AWS. How can this best be achieved?. Create an IAM policy and attach it to the application. Create an IAM role and have the application assume the role. Store an access key in an S3 bucket and give the application access to the bucket. Add the application to a group that has the appropriate permissions.

Where is the best place to store your root user access key so your application can use it to make requests to AWS?. Nowhere — you should not use the root user access keys for this. It should be configured as a parameter and held in the Key Management Store (KMS). In the .aws file in your application. It needs to be coded directly into your application.

Which AWS service provides central governance and management across multiple AWS accounts?. AWS Systems Manager. Identity and Access Management. AWS Organizations. CloudFormation.

Which of the following are components of the security pillar of the AWS Well-Architected Framework? (3 options). Ensure security at all application layers. Customer service. Technical account management. CloudTrail. Encrypt data at rest and in transit.

Which are focuses of the security pillar of the Well-Architected Framework? (2 options). Assign only the least privilege required. Perform tasks manually. Only encrypt data in transit. Track who did what and when.

How would a customer create a virtual firewall for an EC2 instance?. With an IAM group. With AWS Shield. With a web application firewall. With a security group.

Which of the below are TRUE statements when it comes to data security in AWS? (3 options). AWS is responsible for the security of the software that manages the data. The customer is responsible for the security of the hardware the data resides on. The customer is responsible for the security of the software that runs AWS Cloud services. The customer is responsible for managing who can access the data. AWS is responsible for managing who can access the data. AWS is responsible for the security of the hardware the data resides on.

You are concerned about access to your top-secret application by stolen passwords. What additional layer of security can you add for logging in to the AWS Management Console, in addition to user passwords?. Secret access keys. AWS Transcribe. AWS Voice Recognition. Multi-factor authentication.

A customer has noticed several of their AWS accounts were hacked and used to mine bitcoin. Who should the customer report the issue to?. AWS Inspector. AWS Support. AWS Trust & Safety OR (old)AWS Abuse team. Developer Forums.

A security administrator is setting up a new IAM user and has decided to grant the least privilege. What does the principle of least privilege mean?. Granting permissions at the group level only. Granting permission to only 1 user to perform a task. Granting the minimum requirement to perform a task. Granting permissions to only users that have MFA enabled on their account.

Which service might you use to provide Distributed Denial of Service (DDoS) protection to your applications running on AWS?. AWS Inspector. AWS Shield. AWS WAF. DynamoDB.

Where AWS use tape media to perform backups in their data centres, who would be responsible for their safe and secure disposal?. AWS. Third Parties. Shared Responsibility. Customer.

How does AWS Shield Standard help protect your environment?. By automatically protecting your web applications running on AWS against the most common, frequently occurring DDoS attacks. By scanning your instances for viruses. By scanning incoming application traffic for known attacks. By scanning outgoing application traffic for sensitive information.

A popular company that sells products online just experienced a distributed denial-of-service (DDoS) attack that consumed all available bandwidth on their network and didn't allow legitimate requests to be processed. Which AWS services can the company integrate and combine going forward to prevent future attacks? (4 options). shield. route53. guardduty. cloudfront. WAF.

Which following statement is true of newly created security groups with their default rules?. New security groups block both incoming and outbound traffic. New security groups block outbound traffic and allow all incoming traffic. New security groups allow only outbound traffic and block all incoming traffic. New security groups allow both incoming and outbound traffic.

You need to set up a virtual firewall for your EC2 instance. Which would you use?. Network ACL. Security group. IAM policy. Subnet.

According to the AWS Shared Responsibility Model, which of the following is the customer responsible for?(3 options). Amazon Virtual Private Cloud (VPC) service. Subnets. Network access control lists (Network ACLs). Security groups.

You would like to give an application running on one of your EC2 instances access to an S3 bucket. What is the best way to implement this?. Assign the instance an IAM role. Give the application a set of access keys. Use an IAM user for the application. Make the bucket public.

Instead of relying on a single data center to provide its services across the world, AWS relies on several separate geographic areas, each of which consists of one or more isolated locations. What are the official name for these separate geographic areas, and what is the name for the one or more multiple, isolated locations?. Regions; data centers. Locations; data centers. Sections; Availability Zones. Regions; Availability Zones.

How would you create and manage access keys for users that need to access AWS services from the AWS Command Line Interface (CLI)?. Control Tower. Software development kit (SDK). Identity and Access Management (IAM). Systems Manager.

A customer has multiple IAM users that need the same access permissions. How can the customer provide the same access permissions to all the users quickly and efficiently?. By assigning users to an EC2 security group. By assigning a preconfigured AWS managed policy to each user. By assigning users to an IAM group. By creating a policy and assigning it to each user.

Broadly speaking, AWS is responsible for: Security IN the Cloud. No security — security is up to the customer to manage. Security both IN and OF the Cloud. Security OF the Cloud.

Which factors are required to sign in to the AWS Management Console using multi-factor authentication (MFA)?. Username and password. Password and authentication code. Username and authentication code. Username and password + authentication code.

What is the most efficient way for a customer to continuously monitor CloudTrail event logs, Amazon VPC Flow Logs, and DNS logs looking for unauthorized behavior?. Inspector. Config. GuardDuty. CloudWatch.

A customer is managing multiple AWS accounts using AWS Organizations. What can the customer use to restrict the same permissions across all AWS accounts managed under AWS Organizations using minimal effort?. IAM user policy. Service control policies (SCPs). S3 bucket policy. IAM organization policy.

You need to use an AWS service to assess the security and compliance of your EC2 instances. Which of the following services should you use?. AWS Trusted Advisor. AWS Inspector. AWS WAF. AWS Shield.

You just had a Data Analyst join the company, and you have been tasked with creating a new IAM user accordingly. Although the user has received all the necessary credentials, she realized that she cannot perform any Amazon RDS actions on the Clients table. Which of the following are possible solutions to this issue? (2 options). Create an identity-based policy. Create a ticket for the Help Desk to resolve the issue. Add the user to the group that has the necessary permission policy. Supply the password necessary to log into the AWS Console. Double-check the credentials you sent to the user.

Which of the following statements are true about who can use IAM roles? (3). An IAM user in a different AWS account than the role. A web service offered by providers other than AWS. A web service offered by AWS. An IAM user in the same AWS account as the role.

You are working with IAM and need to attach policies to users, groups, and roles. Which of the following will you be attaching these policies to?. Principals. Identities. Entities. Resources.

Which of the following are focuses of the cost optimization pillar of the Well-Architected Framework? (3). Pay for extra resources to cover demand. Implement cloud financial management. Measure overall efficiency. Utilize consumption-based pricing.

What does a developer need in order to log in to an EC2 instance via SSH from their local machine? (3). Key Management System (KMS) generated key. SSH client. Public key. Private key. API key.

A developer doesn't want to hardcode the database password in their application code when developing a new application. Which service will help with accessing the password without having to hardcode it?. AWS Artifact. IAM credential report. Secrets Manager. Key Management Service (KMS).

You are using your corporate directory to grant your users access to AWS services. What is this called?. Federated access. Multi-Factor Authentication. Role-based access. User group access.

A customer set up an Amazon S3 bucket to accept downloads from their mobile application users. Due to data privacy requirements, the customer needs to automatically and continually scan S3 for the users' addresses. Which service can do this?. macie. guardduty. inspector. athena.

How can a customer meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated hardware in the cloud?. Secrets Manager. CloudHSM. Identity and Access Management. DynamoDB.

Which of the below is true about root accounts on AWS?(2). The root user should not be used for day-to-day activities. The root user has full access to everything in the AWS account. The root user is the recommended way to work in the AWS Console. The root user will be used by AWS should they need to help you with something in your account. The root user should be disabled after you create an admin user.

Which of the below are you responsible for managing when storing data in S3? (2). Who has access to data you stored on the S3 service. Who has access to the S3 infrastructure software. Who has access to the network hardware. Who has access to the storage hardware. Who has access to the S3 service.

Which credentials can you use to access the AWS Management Console?. Your security token. Your secret access key. Your access key. Your username and password.

A huge department store sells products online and in-person. Most of their customers use credit cards instead of cash when making purchases. For security purposes, the credit card data must be encrypted at rest. Which services allow the department store to generate and store the encryption key used to secure the credit card numbers? (2). Secrets Manager. Key Management Service (KMS). Identity and Access Management (IAM). CloudHSM. Macie.

Which of the following are pillars found in the AWS Well-Architected Framework? (2). Encrypting data at rest. Deploying to multiple Availability Zones. Performance Optimization. Operational Excellence. Cost Optimization.

Using CloudTrail to track user activity and API calls within your account is an example of which AWS Well-Architected Framework pillar?. Cost Optimization. Operational Excellence. Security. Reliability.

Configuring user permissions so that users can access only the resources they need to do their job follows what principle?. Principle of minimum permissions. Principle of least privilege. IAM principle. Principle of organizations.

Which of the below are you responsible for when running an RDS database on AWS?. Controlling access to the compute hardware. Controlling access to the database. Controlling access to the network hardware. Updating the host operating system. Updating the database software.

Which of the below statements are correct in relation to security responsibilities in AWS?(2). As an AWS customer, you are responsible for the security OF the Cloud. AWS is responsible for the security IN the Cloud. AWS is responsible for the security OF the Cloud. As an AWS customer, you are responsible for the security IN the Cloud.

A user uses CloudFormation to deploy infrastructure to multiple Regions. This multi-Region deployment strategy involves which pillar of the AWS Well-Architected Framework?. Performance Efficiency. Security. Operational Excellence. Reliability.

For which services is DDoS protection via AWS Shield Advanced supported?(3). Route 53. CloudFront. Elastic Load Balancing. GuardDuty.

A company is in the process of migrating its workloads to AWS, and they want to develop and implement security policies. What are some of the recommended best practices for Identity and Access Management (IAM) they can put in place to make sure their accounts are secure? (3). Allow users to pick their own passwords that are easy to remember. Do not share access keys. Grant users full access to just the services they need. Enable MFA for privileged users. Create individual users instead of using root.

After configuring your VPC and all of the resources within it, you want to add an extra layer of security at the subnet level. Which will you use to add this security?. Network ACL. Private IP address. Security group. IAM.

An oil and gas utility company which is highly regulated must create a Cloud governance scheme. The company is organized into multiple autonomous departments which will all be using AWS resources. These departments each sponsor independent projects that are reviewed by regulatory boards for the approval of customer price increases. The code and infrastructure for each project has production, development, and testing environments. Which of the following account strategies will maximize security and operational efficiency for the company?. Create an Organizational Unit structure in AWS Organizations with separate underlying accounts for production, development, and testing environments. Create a single AWS account for centralized security management. Create multiple AWS accounts, 1 for each autonomous department within the company. Create multiple AWS accounts: 1 for the production environment, 1 for the development environment, and 1 for the testing environment for all departments.

You are creating a few IAM policies. This is the first time you have worked with IAM policies. Which tool can you use to test IAM policies?. CloudWatch. Amazon GuardDuty. Amazon Inspector. IAM policy simulator.

A developer wants to be alerted when an EC2 running their application is approaching 100% CPU utilization. Which service helps the developer do this in an automated way?. Cost budgets in AWS Budgets. CloudTrail. CloudFormation. CloudWatch.

Which of the following are focuses of the operational excellence pillar of the Well-Architected Framework?(3). Ignore failure and don't introduce changes. Plan for and anticipate failure. Script operations as code. Deploy smaller reversible changes.

A company wants to block network traffic from accessing an EC2 instance. What's the best way to protect the EC2 instance from unwanted traffic?. Trusted Advisor. Security group. The security group acts as a virtual firewall to protect the EC2 instance. IAM group. Macie.