Security and compliance Flashcards

1
Q

Which of the following is an AWS Well-Architected Framework design principle related to operational excellence?

  1. Use serverless architectures first.
  2. Scale horizontally for resilience.
  3. Deploy smaller, reversible changes.
  4. Assign only the least privileges required.
A

Deploy smaller, reversible changes.

This is a design principle related to operational excellence. Smaller changes can easily be reverted, if necessary.

2
Q

A developer doesn’t want to hardcode the database password in their application code when developing a new application. Which service will help with accessing the password without having to hardcode it?

  1. IAM credential report
  2. Secrets Manager
  3. Key Management Service (KMS)
  4. AWS Artifact
A

Secrets Manager

Secrets Manager allows you to manage and retrieve secrets (passwords or keys).

3
Q

Which is the most efficient AWS feature that allows a company to restrict IAM users from making changes to a common administrator IAM role created in all accounts in their organization?

IAM user policy
GuardDuty IAM findings
Service control policies (SCPs)
Shield

A

Service control policies (SCPs)

AWS Organizations provides central governance and management for multiple accounts. Organization SCPs allow you to create permissions guardrails that apply to all accounts within a given organization.

4
Q

A customer has created an Administrators group in IAM containing 5 users. What does the customer attach to the group to ensure all the users have the needed administrative access?

-Service control policies (SCPs)
-IAM service role
-IAM policy
-IAM role

A

IAM policy

Policies can be attached to a group to ensure all users in the group have the same access. AWS even has a managed policy, AdministratorAccess, that you can use.

5
Q

What pillar of the Well-Architected Framework would include the use of information gathered through a workload process evaluation to drive adoption of new services or resources when they become available?

  1. Performance Efficiency
  2. Security
  3. Operational Excellence
  4. Reliability
A

Performance Efficiency

The Performance Efficiency pillar focuses on the effective use of resources to meet demand. In this pillar, you use the information gathered through the evaluation process to actively drive adoption of new services or resources. You would also define a process to improve workload performance, and you need to stay up to date on new resources and services.

6
Q

A customer has noticed several of their AWS accounts were hacked and used to mine bitcoin. Who should the customer report the issue to?

  1. AWS Inspector
  2. AWS Support
  3. Developer Forums
  4. AWS Trust & Safety team
A

AWS Trust & Safety team

The customer should contact the AWS Trust & Safety team using the form or email.

7
Q

In order to support their auditing and compliance efforts, a company needs to produce a report to audit the effects of password lifecycle requirements. How can they access a report that lists all users in their account along with the status of the various credentials?

AWS Artifact
IAM credential report
Redshift
QuickSight

A

IAM credential report

The IAM credential report lists all the users and the status of their various credentials, including passwords, access keys, server certificates, and MFA devices.

8
Q

Under the shared responsibility model for EC2, who is responsible for patching the guest operating system?

choose 1

  • The customer is responsible for patching the guest operating system.
  • AWS is responsible for patching the guest operating system.
  • The responsibility for patching the guest operating system is shared between the customer and AWS.
  • The responsibility to patch the guest operating system is not part of the AWS shared responsibility model.

A

The customer is responsible for patching the guest operating system.

You are responsible for patching the guest operating system.

9
Q

Which of the following acts like built-in firewalls per instance for your virtual servers?
choose 1
a. Security groups
b. Route tables
c. Availability Zones
d. Network access control lists

A

Security groups

Security groups act like built-in firewalls for your virtual servers — the rules you create define what is allowed to talk to your instances and how. Although network access control lists can be used to block or deny traffic, these operate at the subnet level (covering all instances in the subnet with the same ruleset), not per instance as the question specifies. Route tables tell traffic where it should go next to reach its destination, and an Availability Zone is a collection of data centers — which isn’t relevant in this question.

10
Q

A huge department store sells products online and in-person. Most of their customers use credit cards instead of cash when making purchases. For security purposes, the credit card data must be encrypted at rest. Which services allow the department store to generate and store the encryption key used to secure the credit card numbers?
choose 2
a. Secrets Manager
b. CloudHSM
c. Macie
d. Key Management Service (KMS)

A

CloudHSM

CloudHSM is a hardware security module (HSM) used to generate and store encryption keys.

Key Management Service (KMS)

KMS allows you to generate and store encryption keys.

IS NOT
a. Secrets Manager

Secrets Manager allows you to manage and retrieve secrets (passwords or keys).

11
Q

A popular company that sells products online just experienced a distributed denial-of-service (DDoS) attack that consumed all available bandwidth on their network and didn’t allow legitimate requests to be processed. Which AWS services can the company integrate and combine going forward to prevent future attacks?
choose 4
1. Route 53
2. GuardDuty
3. Web Application Firewall (WAF)
4. CloudFront
5. AWS Shield

A
1. Route 53

DDoS protection via Shield Advanced is supported on several services, including Route 53.

3. Web Application Firewall (WAF)

There is a rule type in WAF called a “rate-based” rule that protects you from web-layer DDoS attacks, brute-force login attempts, and bots. (Note: This requires very detailed knowledge of WAF and will probably not be on the exam, but it’s good to know just in case.)

4. CloudFront

DDoS protection via Shield Advanced is supported on several services, including CloudFront.

5. AWS Shield

Shield is a managed Distributed Denial of Service (DDoS) protection service. Shield Standard provides free protection against common and frequently occurring attacks. Shield Advanced provides enhanced protections and 24/7 access to AWS experts for a fee.

12
Q

Which of the following are pillars found in the AWS Well-Architected Framework?
choose 2
a. Operational Excellence
b. Cost Optimization
c. Performance Optimization
d. Deploying to multiple Availability Zones
e. Encrypting data at rest

A

a. Operational Excellence

The Operational Excellence pillar focuses on building applications that effectively support your workloads.

b. Cost Optimization

The Cost Optimization pillar focuses on building resilient systems at the least cost.

13
Q

Microsoft has announced a new patch for its operating system. For a platform-as-a-service solution, who would be responsible for applying the patch?
choose 1

a. Customer
b. Either can apply this patch.
c. AWS
d. The customer for Spot instances only.

A

AWS

The platform-as-a-service model removes the need for organizations to manage the underlying infrastructure (usually hardware and operating systems) and allows you to focus on the deployment and management of your applications.

14
Q

A customer needs to identify vulnerabilities on their EC2 instances, such as unintended network access. Which services will provide a report of findings?

choose 1

a. Trusted Advisor
b. AWS Artifact
c. IAM credential report
d. Inspector
e. Macie

A

a. Trusted Advisor

Trusted Advisor is a tool that provides real-time guidance to help you provision resources following AWS best practices. It will check security groups for rules that allow unrestricted access (0.0.0.0/0) to specific ports.

IS NOT
e. Macie

Macie uses machine learning to discover sensitive data stored on Amazon S3.

15
Q

A customer is managing multiple AWS accounts using AWS Organizations. What can the customer use to restrict the same permissions across all AWS accounts managed under AWS Organizations using minimal effort?

a. S3 bucket policy

b. IAM organization policy

c. IAM user policy

d. Service control policies

A

d. Service control policies

AWS Organizations provides central governance and management for multiple accounts. Organization service control policies (SCPs) allow you to create permissions guardrails that apply to all accounts within a given organization.

IS NOT
b. IAM organization policy

There is no such thing as an IAM organization policy.

16
Q

Which service powers the creation of encrypted EBS volumes for Amazon EC2?

choose 1

a. CloudHSM
b. Identity and Access Management (IAM)
c. Secrets Manager
d. Key Management Service (KMS)

A

d. Key Management Service (KMS)

When you create an encrypted Amazon EBS volume, you’re able to specify a KMS customer master key.

IS NOT
a. CloudHSM

CloudHSM is a hardware security module (HSM) used to generate encryption keys. It is used for handling encryption keys in AWS, but it does not work with EBS volume encryption.

17
Q

A company is configuring IAM for its new AWS account. There are 5 departments with between 5 to 10 users in each department. How can they efficiently apply access permissions for each of these departments and simplify management of these users?

a. Create an IAM group for each department. Add the department’s members to the group.
b. Create an IAM role defining the permissions needed. Create an IAM group and attach the policy to the group. Add the department’s members to the group.
c. Create policies for each department that define the permissions needed. Create an IAM group for each department and attach the policy to each group. Add each department’s members to their respective IAM group.
d. Create policies defining the permissions needed. Attach the policies to all users in each department.

A

c. Create policies for each department that define the permissions needed. Create an IAM group for each department and attach the policy to each group. Add each department’s members to their respective IAM group.

By creating an IAM group, all similar users can be managed at one time. Once the permissions are defined within the policy, it can be attached to the IAM group, allowing its members access to the resources/services stated within the policy.

IS NOT
b. Create an IAM role defining the permissions needed. Create an IAM group and attach the policy to the group. Add the department’s members to the group.

Policies assign permissions, not IAM roles. You can use IAM roles to delegate access to your AWS resources, but underneath an IAM role is a policy. The IAM role is not appropriate in this case, just a policy.

18
Q

Which of the following AWS services can help you assess the fault tolerance of your AWS environment?

choose 1

a. AWS WAF

b. AWS Trusted Advisor

c. AWS Shield

d. AWS Inspector

A

b. AWS Trusted Advisor

AWS Trusted Advisor can help you assess the fault tolerance of your AWS environment. AWS Inspector can help you assess your security.

IS NOT
d. AWS Inspector

Inspector works with EC2 instances to uncover and report vulnerabilities.

19
Q

Which service might you use to provide Distributed Denial of Service (DDoS) protection to your applications running on AWS?

choose 1

a. DynamoDB
b. AWS Shield
c. AWS WAF
d. AWS Inspector

A

b. AWS Shield

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS.

20
Q

Which policy will provide information on performing penetration testing on your EC2 instances?

choose 1
a. Customer Service Policy for Penetration Testing
b. AWS Customer Agreement
c. JSON policy
d. IAM policy

A

a. Customer Service Policy for Penetration Testing

AWS customers are welcome to carry out security assessments or penetration tests against their AWS infrastructure without prior approval for Amazon EC2 instances, NAT gateways, elastic load balancers, and 7 other services. Reference:

21
Q

Which of the following is a design principle of the Well-Architected Framework’s reliability pillar?

choose 1

a. Scale vertically for resilience

b. Maximize utilization

c. Implement recovery procedures without testing

d. Recover from failure automatically

A

d. Recover from failure automatically

This is a focus of the reliability pillar. This pillar focuses on designing systems that work consistently and recover quickly.

22
Q

A customer has set up an Amazon S3 bucket and wants to limit access to specific users. What is the most efficient way to do so?

a. AmazonS3FullAccess managed policy

b. IAM user policy

c. IAM role assumed by the user

d. Bucket access policy

A

d. Bucket access policy

You can add a bucket access policy directly to an Amazon S3 bucket to grant IAM users access permissions for the bucket and the objects in it.

23
Q

A purchasing department staff member is set up as an AWS user in the company’s Procurement AWS account. At each month-end, the staff member needs access to an application running on EC2 in the company’s Accounts Payable AWS account to reconcile reports. Which of the following provides the most secure and operationally efficient way to give the staff member access to the Accounts Payable application?

choose 1

a. Configure Active Directory integration so you can federate the staff member’s access to the Accounts Payable AWS account.

b. Have the user request temporary security credentials for the application by assuming a role.

c. Create a user for the staff member in the Accounts Payable AWS account.

d. Invoke an AWS Lambda function to run the application in the Accounts Payable AWS account.

A

b. Have the user request temporary security credentials for the application by assuming a role.

The staff member should be given the ability to assume a role programmatically with the permissions necessary to run the Accounts Payable application.

24
Q

Which policy will provide information on performing penetration testing on your EC2 instances?

choose 1

a. AWS Customer Agreement

b. JSON policy

c. Customer Service Policy for Penetration Testing

d. IAM policy

A

c. Customer Service Policy for Penetration Testing

AWS customers are welcome to carry out security assessments or penetration tests against their AWS infrastructure without prior approval for Amazon EC2 instances, NAT gateways, elastic load balancers, and 7 other services.

25
Q

A customer needs to identify vulnerabilities on their EC2 instances, such as unintended network access. Which services will provide a report of findings?

choose 2

a. Inspector

b. Trusted Advisor

c. IAM credential report

d. AWS Artifact

e. Macie

A

a. Inspector

Inspector works with EC2 instances to uncover and report vulnerabilities.

b. Trusted Advisor

Trusted Advisor is a tool that provides real-time guidance to help you provision resources following AWS best practices. It will check security groups for rules that allow unrestricted access (0.0.0.0/0) to specific ports.

26
Q

An IAM user with administrative access is attempting to close the AWS account. After troubleshooting, the admin user uncovers they need to sign in with root user credentials in order to perform this task. What other tasks require root user credentials?

choose 4

a. Activate IAM access to the Billing and Cost Management console

b. Changing the email address associated with the account

c. Configuring an Amazon S3 bucket to enable MFA (multi-factor authentication)

d. Modifying the support plan

e. Create a user with administrative access

A

A, B, C, D

27
Q

What is the recommended way to give your applications running in EC2 permission to other AWS resources?

choose 1

a. Create an IAM group with appropriate permissions and assign it to the instance.

b. Create an IAM user with appropriate permissions and assign it to the instance.

c. Create an IAM role with appropriate permissions and assign it to the instance.

d. Create a root access key and use it in the application.

A

c. Create an IAM role with appropriate permissions and assign it to the instance.

You should use IAM roles wherever possible to enable applications running on EC2 instances to access other AWS resources. This is the most secure method to do so.

IS NOT
a. Create an IAM group with appropriate permissions and assign it to the instance.

It is not possible to assign an IAM group or user to an instance.

28
Q

Which of the below are you responsible for managing when storing data in S3?

choose 2

a. Who has access to the network hardware

b. Who has access to the S3 infrastructure software

c. Who has access to the S3 service

d. Who has access to the storage hardware

e. Who has access to data you stored on the S3 service

A

c. Who has access to the S3 service

Under the Shared Responsibility Model for managed services, AWS takes responsibility for managing all the hardware (including access, patching, and other maintenance). When it comes to S3, the customer is responsible for all aspects of the data being stored on S3, and who has access to manage the S3 service for that account.

e. Who has access to data you stored on the S3 service

29
Q

You are currently running an application in a production environment, but you want to ensure that it is free of vulnerabilities. Which of the following AWS services would you need to use?

choose 1

a. AWS Shield

b. Amazon Inspector

c. AWS Web Application Firewall (WAF)

d. AWS Trusted Inspector

A

b. Amazon Inspector

You will need to turn to Amazon Inspector for security assessment. Not only does it identify vulnerabilities in your application, it will also spot deviations from security best practices. AWS Shield and WAF protect the application from attacks that exploit vulnerabilities, rather than identify them. Trusted Advisor only provides recommendations on how to improve security.

30
Q

Which of the following are focuses of the cost optimization pillar of the Well-Architected Framework?

choose 3

a. Implement cloud financial management.

b. Measure overall efficiency.

c. Pay for extra resources to cover demand.

d. Utilize consumption-based pricing.

A

a. Implement cloud financial management.

This is a focus of the cost optimization pillar. This pillar focuses on delivering optimum and resilient solutions at the least cost to the user.

b. Measure overall efficiency.

This is a focus of the cost optimization pillar. This pillar focuses on delivering optimum and resilient solutions at the least cost to the user.

d. Utilize consumption-based pricing.

This is a focus of the cost optimization pillar. This pillar focuses on delivering optimum and resilient solutions at the least cost to the user.

31
Q

You would like to give an application running on one of your EC2 instances access to an S3 bucket. What is the best way to implement this?

choose 1

a. Give the application a set of access keys

b. Use an IAM user for the application

c. Make the bucket public

d. Assign the instance an IAM role

A

d. Assign the instance an IAM role

The recommended method to assign permissions to apps running in EC2 is to use IAM roles.

32
Q

After configuring your VPC and all of the resources within it, you want to add an extra layer of security at the subnet level. Which will you use to add this security?

choose 1

a. IAM

b. Security group

c. Private IP address

d. Network ACL

A

d. Network ACL

A network access control list (NACL) is an optional layer of security for your VPC that ensures the proper traffic is allowed into the subnet.

IS NOT
b. Security group

A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign up to 5 security groups to the instance. Security groups act at the instance level, not the subnet level.

33
Q

Which security service provides enhanced protections and 24/7 access to AWS experts for a fee when issues arise?

choose 1

a. Macie

b. Enterprise Support

c. AWS Shield Standard

d. AWS Shield Advanced

A

d. AWS Shield Advanced

AWS Shield Advanced provides enhanced protections and 24/7 access to AWS experts for a fee.

IS NOT
b. Enterprise Support

An AWS Support plan is not considered a security service.

34
Q

A new application needs temporary access to resources in AWS. How can this best be achieved?

choose 1

a. Create an IAM policy and attach it to the application.

b. Create an IAM role and have the application assume the role.

c. Store an access key in an S3 bucket and give the application access to the bucket.

d. Add the application to a group that has the appropriate permissions.

A

b. Create an IAM role and have the application assume the role.

Roles define access permissions and are temporarily assumed by an IAM user or service.

IS NOT
d. Add the application to a group that has the appropriate permissions.

Applications cannot be added to IAM groups.

35
Q

What is the most efficient way for a customer to continuously monitor CloudTrail event logs, Amazon VPC Flow Logs, and DNS logs looking for unauthorized behavior?

choose 1

a. GuardDuty

b. CloudWatch

c. Inspector

d. Config

A

a. GuardDuty

GuardDuty is an intelligent threat detection system that uncovers unauthorized behavior.

IS NOT
c. Inspector

Inspector works with EC2 instances to uncover and report vulnerabilities.

36
Q

Which of the following services will help you optimize your entire AWS environment in real-time following AWS best practices?

choose 1

a. AWS Trusted Advisor

b. AWS Inspector

c. AWS WAF

d. AWS Shield

A

a. AWS Trusted Advisor

Trusted Advisor helps you optimize your entire AWS environment in real-time following AWS best practices. It helps you optimize cost, fault tolerance, and more.

37
Q

In Identity and Access Management (IAM), which term applies to a person or application that uses the AWS account root user, an IAM user, or an IAM role to sign in and make requests to AWS?

choose 1

a. Entity

b. Principal

c. Identity

d. Resource

A

b. Principal

A principal is a person or application that uses the AWS account root user, an IAM user, or an IAM role to sign in and make requests to AWS.

38
Q

Which of the below are TRUE statements when it comes to network security for an EC2 instance in AWS?

choose 3

a. AWS is responsible for ensuring unwanted traffic does not reach the EC2 instance.

b. AWS is responsible for ensuring malicious traffic does not impair the network hardware.

c. The customer is responsible for ensuring malicious traffic does not impair the network hardware.

d. The customer is responsible for ensuring malicious traffic does not reach the EC2 instance.

e. The customer is responsible for ensuring unwanted traffic does not reach the EC2 instance.

f. AWS is responsible for ensuring malicious traffic does not reach the EC2 instance.

A

b. AWS is responsible for ensuring malicious traffic does not impair the network hardware.

d. The customer is responsible for ensuring malicious traffic does not reach the EC2 instance.

e. The customer is responsible for ensuring unwanted traffic does not reach the EC2 instance.

39
Q

You are creating a few IAM policies. This is the first time you have worked with IAM policies. Which tool can you use to test IAM policies?

choose 1

a. Amazon GuardDuty

b. IAM policy simulator

c. CloudWatch

d. Amazon Inspector

A

b. IAM policy simulator

The IAM policy simulator allows you to test and troubleshoot identity-based policies, IAM permissions boundaries, service control policies (SCPs), and resource-based policies.

40
Q

Your company has recently migrated large amounts of data to the AWS Cloud in S3 buckets. It is necessary to discover and protect the sensitive data in these buckets. Which AWS service can do that?

choose 1

a. CloudTrail

b. GuardDuty

c. AWS Inspector

d. Amazon Macie

A

d. Amazon Macie

Macie helps you discover and protect sensitive data.

IS NOT
c. AWS Inspector

Inspector works with EC2 instances to uncover and report vulnerabilities.

41
Q

Which term refers to the Identity and Access Management (IAM) resource objects that AWS uses for authentication?

choose 2

a. Principal

b. Resources

c. Identities

d. Entities

A

d. Entities

IAM entities are the users (IAM users and federated users) and roles that are created and used for authentication.

c. Identities

An identity is an IAM resource object that is used to identify and group. You can attach a policy to an IAM identity. These include users, groups, and roles.

42
Q

A company has a large number of S3 buckets and needs to manage and automate tasks on these buckets at one time. Which AWS feature can do this?

choose 1

a. IAM groups

b. Tagging

c. Resource groups

d. IAM

A

c. Resource groups

You can use resource groups to organize your AWS resources. Resource groups make it easier to manage and automate tasks on large numbers of resources at one time.

IS NOT
a. IAM groups

IAM groups are used to group users, not AWS resources.

43
Q

Enabling Amazon GuardDuty automatically grants the service permission to analyze continuous metadata streams from which of the following data sources?

choose 3

a. DNS query logs

b. VPC Flow Logs

c. AWS CloudTrail logs

d. Sensitive data in Amazon S3 buckets

A

a. DNS query logs

This option only works if you use AWS DNS resolvers for your EC2 instances. GuardDuty will be able to access and process your request and response DNS logs through the internal DNS resolvers. When you enable GuardDuty, it will immediately start analyzing DNS logs through an independent data stream.

b. VPC Flow Logs

VPC Flow Logs captures information about the IP traffic going to and from Amazon EC2 network interfaces in your VPC. When you enable GuardDuty, it immediately starts analyzing your VPC Flow Logs data. It consumes VPC Flow Logs events directly from the VPC Flow Logs feature through an independent and duplicative stream of flow logs.

c. AWS CloudTrail logs

AWS CloudTrail provides you with a history of AWS API calls for your account, including API calls made using the AWS Management Console, AWS SDKs, command-line tools, and higher-level AWS services. CloudTrail also allows you to identify which users and accounts called AWS APIs for services that support CloudTrail, the source IP address that the calls were made from, and when the calls occurred. When you enable GuardDuty, it immediately starts analyzing your CloudTrail event logs. It consumes CloudTrail management and S3 data events directly from CloudTrail.

44
Q

Which service allows a user to rotate, manage, and retrieve secrets?

choose 1

a. Secrets Manager

b. Identity and Access Management (IAM)

c. CloudHSM

d. Key Management Service (KMS)

A

a. Secrets Manager

Secrets Manager allows you to manage and retrieve secrets (passwords or keys).

45
Q

Users need to access AWS resources from the Command Line Interface. Which IAM option can be used for authentication?

a. IAM group

b. IAM role

c. IAM policy

d. Access keys

A

d. Access keys

You must provide your AWS access keys to make programmatic calls to AWS or to use the AWS Command Line Interface or AWS Tools for PowerShell.

46
Q

You are using your corporate directory to grant your users access to AWS services. What is this called?

a. Federated access

b. Role-based access

c. User group access

d. Multi-Factor Authentication

A

a. Federated access

Federated access is when you use an external directory, such as your corporate one, to grant users in that directory access to AWS resources.

47
Q

Which of the following statements is true of newly created security groups with their default rules?

choose 1

a. New security groups allow both incoming and outbound traffic.

b. New security groups allow only outbound traffic and block all incoming traffic.

c. New security groups block both incoming and outbound traffic.

d. New security groups block outbound traffic and allow all incoming traffic.

A

b. New security groups allow only outbound traffic and block all incoming traffic.

By default, new security groups start with only an outbound rule to allow all traffic to leave the instances. You must add rules to enable any inbound traffic.

48
Q

You are working with IAM and need to attach policies to users, groups, and roles. Which of the following will you be attaching these policies to?

choose 1

a. Principals

b. Identities

c. Entities

d. Resources

A

b. Identities

Identities are the IAM resource objects that are used to identify and group. You can attach a policy to an IAM identity. These include users, groups, and roles.

49
Q

An auditor is conducting an audit of your IT operations for compliance. The auditor requests visibility to logs of event history across your AWS-based employee expense system infrastructure. Which AWS service will record and provide you the information you need?

choose 1

a. AWS Compliance Manager

b. AWS CloudWatch Logs

c. AWS Systems Manager

d. AWS CloudTrail

A

d. AWS CloudTrail

AWS CloudTrail provides visibility into API call activity for AWS infrastructure and other services. Amazon CloudWatch Logs might be part of a centralized logging solution, but all API event information will come from CloudTrail. AWS Systems Manager can process EC2 logs only, and AWS Compliance Manager is not a service offered by AWS.

50
Q

A company is in the process of migrating its workloads to AWS, and they want to develop and implement security policies. What are some of the recommended best practices for Identity and Access Management (IAM) they can put in place to make sure their accounts are secure?

choose 3

a. Create individual users instead of using root.
b. Enable MFA for privileged users
c. Grant users full access to just the services they need.
d. Do not share access keys.

A

a. Create individual users instead of using root.

You should not use the root user for daily tasks.

b. Enable MFA for privileged users

You should enable multi-factor authentication (MFA) for the root user and other administrative users.

d. Do not share access keys.

This case comes from the additional reading provided as a part of the lesson: “Security best practices in IAM.” Access keys provide programmatic access to AWS and should not be embedded in code or shared with other users.

IS NOT C—
Grant users full access to just the services they need.

You should only grant the least privilege needed to perform a task.

51
Q

A company is using Trusted Advisor to ensure they are following AWS best practices. What real-time guidance does Trusted Advisor provide?

choose 3

a. Amazon services down

b. S3 bucket permissions for public access

c. Exposed access keys

d. Upcoming user interface changes to the console

e. Low utilization on EC2 instances

A

b. S3 bucket permissions for public access

Trusted Advisor checks this for all customers.

c. Exposed access keys

Trusted Advisor checks this for Enterprise and Business Support customers.

e. Low utilization on EC2 instances

Trusted Advisor checks this for all customers. FYI: This was found in the “AWS Trusted Advisor best practice checklist” documentation linked from within the lesson.

52
Q

Which of the below are TRUE when running a database in an EC2 instance?

choose 3

a. AWS is responsible for updating the guest operating system.

b. The customer is responsible for managing access to the database.

c. The customer is responsible for updating the guest operating system.

d. The customer is responsible for updating the database software.

e. AWS is responsible for managing access to the database.

f. AWS is responsible for updating the database software.

A

b. The customer is responsible for managing access to the database.

In this case, as the database is being run in an EC2 instance, all aspects of database updates and access are the responsibility of the customer.

c. The customer is responsible for updating the guest operating system.

As it is an EC2 instance, the customer is responsible for guest OS patching.

d. The customer is responsible for updating the database software.

Under the Shared Responsibility Model, AWS takes responsibility for managing all the hardware (including access, patching, and other maintenance) and software required to deliver the service — which in this case is the EC2 instance. Anything to do with the instance itself is the responsibility of the customer.

53
Q

Which of the following are best practices when it comes to securing your AWS account?

choose 5

a. Create individual IAM users

b. Store your root account keys on your application for easy access.

c. Delete your root access keys.

d. Apply an IAM password policy

e. Activate MFA on the root account

f. Use groups to assign permissions

g. Delete your root account password.

A

a. Create individual IAM users

c. Delete your root access keys.

d. Apply an IAM password policy

e. Activate MFA on the root account

f. Use groups to assign permissions

54
Q

When AWS uses tape media to perform backups in their data centers, who would be responsible for their safe and secure disposal?

choose 1

a. Shared Responsibility

b. Third Parties

c. AWS

d. Customer

A

c. AWS

Since this relates to physical media located within an AWS data center, it is the responsibility of AWS.

55
Q

A highly regulated oil and gas utility company must create a cloud governance scheme. The company is organized into multiple autonomous departments which will all be using AWS resources. These departments each sponsor independent projects that are reviewed by regulatory boards for the approval of customer price increases. The code and infrastructure for each project have production, development, and testing environments. Which of the following account strategies will maximize security and operational efficiency for the company?

choose 1

a. Create multiple AWS accounts, 1 for each autonomous department within the company.

b. Create an Organizational Unit structure in AWS Organizations with separate underlying accounts for production, development, and testing environments.

c. Create a single AWS account for centralized security management.

d. Create multiple AWS accounts: 1 for the production environment, 1 for the development environment, and 1 for the testing environment for all departments.

A

b. Create an Organizational Unit structure in AWS Organizations with separate underlying accounts for production, development, and testing environments.

A multi-layered account structure will work best for this company, leveraging AWS Organizations to establish Organizational Units for each department, with separate production, development, and testing environments. While there is no physical AWS account at the department level, service control policies can be applied at the Organizational Unit level, and billing can be reported separately for each department. An account for each department — in which the department combines dev/test/prod — or a single account for the company hosting all workloads together will NOT provide segregation of production, development, and testing environments at the account level. Multiple standalone accounts for each department and environment would compromise operational efficiency in managing environments across departments, as there is no overarching AWS Organization to manage all the accounts centrally.

56
Q

A small startup is configuring its AWS Cloud environment. Which AWS service will allow grouping its users together and applying permissions to them as a group?

choose 1

a. AWS IAM

b. Tagging

c. AWS Organizations

d. Resource groups

A

a. AWS IAM

IAM allows you to control access to your AWS services and resources.

57
Q

As an AWS account administrator, you are in charge of creating AWS accounts and securing those accounts. What steps can you take?

choose 2

a. Grant admin access to all users.

b. Store the root account credentials in SharePoint.

c. Create multi-factor authentication for the root account.

d. Add IP restrictions for all accounts.

e. Create functional groups for each department and use a common password for each group.

A

c. Create multi-factor authentication for the root account.

This will add an additional layer of security to the root account.

d. Add IP restrictions for all accounts.

This would greatly limit who can access your environment and from where.

58
Q

Which of the following statements are true about who can use IAM roles?

choose 3

a. A web service offered by AWS.

b. An IAM user in the same AWS account as the role.

c. An IAM user in a different AWS account than the role.

d. A web service offered by providers other than AWS.

A

a. A web service offered by AWS.

A role can be used by either an IAM user in the same AWS account as the role or a user in a different AWS account. A role can also be used by a web service that AWS offers; a prime example is Amazon EC2.

b. An IAM user in the same AWS account as the role.

A role can be used by either an IAM user in the same AWS account as the role or a user in a different AWS account. A role can also be used by a web service that AWS offers; a prime example is Amazon EC2.

c. An IAM user in a different AWS account than the role.

A role can be used by either an IAM user in the same AWS account as the role or a user in a different AWS account. A role can also be used by a web service that AWS offers; a prime example is Amazon EC2.

IS NOT D—
A web service offered by providers other than AWS.

A role can be used by either an IAM user in the same AWS account as the role or a user in a different AWS account.

59
Q

In Identity and Access Management (IAM), which term applies to a person or application that uses the AWS account root user, an IAM user, or an IAM role to sign in and make requests to AWS?

choose 1

a. Identity

b. Principal

c. Resource

d. Entity

A

b. Principal

A principal is a person or application that uses the AWS account root user, an IAM user, or an IAM role to sign in and make requests to AWS.

60
Q

What is the most efficient way for a customer to continuously monitor CloudTrail event logs, Amazon VPC Flow Logs, and DNS logs looking for unauthorized behavior?

choose 1

a. Config

b. Inspector

c. CloudWatch

d. GuardDuty

A

d. GuardDuty

GuardDuty is an intelligent threat detection system that uncovers unauthorized behavior.

61
Q

You need to use an AWS service to assess software vulnerabilities and unintended network exposure of your Amazon EC2 instances. Which of the following services should you use?

choose 1

a. AWS Trusted Advisor

b. AWS WAF

c. Amazon Inspector

d. AWS Shield

A

c. Amazon Inspector

Amazon Inspector is an automated vulnerability management service that continually scans Amazon Elastic Compute Cloud (EC2) and container workloads for software vulnerabilities and unintended network exposure.

62
Q

You are working with IAM and need to attach policies to users, groups, and roles. Which of the following will you be attaching these policies to?

choose 1

a. Principals

b. Resources

c. Identities

d. Entities

A

c. Identities

Identities are the IAM resource objects that are used to identify and group. You can attach a policy to an IAM identity. These include users, groups, and roles.

IS NOT D—
Entities

Entities are the IAM resource objects that AWS uses for authentication. These include IAM users, federated users, and assumed IAM roles.

63
Q

Which term refers to the Identity and Access Management (IAM) resource objects that AWS uses for authentication?

choose 1

a. Identities

b. Resources

c. Entities

d. Principal

A

c. Entities

IAM entities are the users (IAM users and federated users) and roles that are created and used for authentication.

IS NOT A—
Identities

An identity is an IAM resource object that is used to identify and group. You can attach a policy to an IAM identity. These include users, groups, and roles.

64
Q

An auditor is conducting an audit of your IT operations for compliance. The auditor requests visibility to logs of event history across your AWS-based employee expense system infrastructure. Which AWS service will record and provide you the information you need?

choose 1

a. AWS Compliance Manager

b. AWS CloudTrail

c. AWS Systems Manager

d. AWS CloudWatch Logs

A

b. AWS CloudTrail

AWS CloudTrail provides visibility to API call activity for AWS infrastructure and other services. AWS CloudWatch Logs might be part of a centralized logging solution, but all API event information will come from CloudTrail. AWS Systems Manager can process EC2 logs only, and AWS Compliance Manager is not a service offered by AWS.

IS NOT C—
AWS Systems Manager

Systems Manager gives you visibility into and control over your AWS resources.

65
Q

How are permissions assigned to an IAM group?

choose 2

a. Roles

b. Collection

c. Security group

d. Policies

A

a. Roles

Access is assigned using policies and roles.

d. Policies

Access is assigned using policies and roles.

66
Q

You need to set up a virtual firewall for your EC2 instance. Which would you use?

choose 1

a. IAM policy

b. Security group

c. Network ACL

d. Subnet

A

b. Security group

A security group acts as a virtual firewall for your instance to protect your EC2 instance by controlling inbound and outbound traffic.

67
Q

How would a customer create a virtual firewall for an EC2 instance?

choose 1

a. With a web application firewall

b. With AWS Shield

c. With a security group

d. With an IAM group

A

c. With a security group

Security groups act as virtual firewalls for EC2 instances.

68
Q

Enabling Amazon GuardDuty automatically grants the service permission to analyze continuous metadata streams from which of the following data sources?

choose 3

a. AWS CloudTrail logs

b. DNS query logs

c. VPC Flow Logs

d. Sensitive data in Amazon S3 buckets

A

a. AWS CloudTrail logs

b. DNS query logs

c. VPC Flow Logs