Amazon (SCS-C01) Exam Questions And Answers page 31
A Systems Engineer is troubleshooting the connectivity of a test environment that includes a virtual security appliance deployed inline. In addition to using the virtual security appliance, the Development team wants to use security groups and network ACLs to accomplish various security requirements in the environment.
What configuration is necessary to allow the virtual security appliance to route the traffic?
Configure the security appliance's elastic network interface for promiscuous mode.
Disable the Network Source/Destination check on the security appliance's elastic network interface.
Place the security appliance in the public subnet with the internet gateway.
Infrastructure Security
How Can We Prevent Unauthorized Data Exfiltration in AWS?
A threat assessment has identified a risk whereby an internal employee could exfiltrate sensitive data from a production host running inside AWS (Account 1). The threat was documented as follows:
Threat description: A malicious actor could upload sensitive data from Server X by configuring credentials for an AWS account (Account 2) they control and uploading data to an Amazon S3 bucket within their control.
Server X has outbound internet access configured via a proxy server. Legitimate access to S3 is required so that the application can upload encrypted files to an S3 bucket. Server X is currently using an IAM instance role. The proxy server is not able to inspect any of the server communication due to TLS encryption.
Which of the following options will mitigate the threat? (Choose two.)
Bypass the proxy and use an S3 VPC endpoint with a policy that whitelists only certain S3 buckets within Account 1.
Block outbound access to public S3 endpoints on the proxy server.
Configure Network ACLs on Server X to deny access to S3 endpoints.
Modify the S3 bucket policy for the legitimate bucket to allow access only from the public IP addresses associated with the application server.
Remove the IAM instance role from the application server and save API access keys in a trusted and encrypted application config file.
Infrastructure Security
Identity and Access Management
Auditors for a health care company have mandated that all data volumes be encrypted at rest. Infrastructure is deployed mainly via AWS CloudFormation; however, third-party frameworks and manual deployment are required on some legacy systems.
What is the BEST way to monitor, on a recurring basis, whether all EBS volumes are encrypted?
On a recurring basis, update all IAM user policies to require that EC2 instances are created with an encrypted volume.
Configure an AWS Config rule to run on a recurring basis for volume encryption.
Set up Amazon Inspector rules for volume encryption to run on a recurring schedule.
Use CloudWatch Logs to determine whether instances were created with an encrypted volume.
Logging and Monitoring
A user in account 111122223333 is receiving an access denied error message while calling the AWS Key Management Service (AWS KMS) GenerateDataKey API operation. The key policy contains the following statement:
Account 111122223333 is not using AWS Organizations SCPs.
Which combination of steps should a security engineer take to ensure that KMSUser can perform the action on the key? (Choose two.)
Modify the key policy to include the key's key ID in the Resource field.
Verify that KMSUser has no explicit denies for the GenerateDataKey action in its attached IAM policies.
Verify that KMSUser is allowed to perform the GenerateDataKey action in its attached IAM policies for the encryption context.
Ensure that KMSUser is including the encryption context key-value pair in its GenerateDataKey.
Revoke any KMS grants on the key that are denying the GenerateDataKey action for KMSUser.
Incident Response
Infrastructure Security
A user is implementing a third-party web application on an Amazon EC2 instance. All client communications must be over HTTPS, and traffic must be terminated before it reaches the instance. Communication to the instance must be over port 80. Company policy requires that workloads reside in private subnets.
Which solution meets these requirements?
Create an Application Load Balancer. Add an HTTP listener for port 80 to redirect traffic to HTTPS on port 443. Add another listener with an AWS Certificate Manager (ACM) certificate for termination and a rule that forwards to the target instance through port 80.
Allocate an Elastic IP address that has SSL termination activated. Associate the Elastic IP address with the instance on port 80.
Create a Gateway Load Balancer. Add an HTTP listener for port 80 to redirect traffic to HTTPS on port 443. Add another listener with an AWS Certificate Manager (ACM) certificate for termination and a rule that forwards to the target instance through port 80.
Implement a Network Load Balancer. Add an HTTP listener for port 80 to redirect traffic to HTTPS on port 443. Add another listener with an AWS Certificate Manager (ACM) certificate for termination and a rule that forwards to the target instance through port 80.
Logging and Monitoring
Infrastructure Security
Authorized Administrators are unable to connect to an Amazon EC2 Linux bastion host using SSH over the Internet. The connection either fails to respond or generates the following error message:
Network error: Connection timed out.
What could be responsible for the connection failure? (Choose three.)
The NAT gateway in the subnet where the EC2 instance is deployed has been misconfigured.
The internet gateway of the VPC has been misconfigured.
The security group denies outbound traffic on ephemeral ports.
The route table is missing a route to the internet gateway.
The NACL denies outbound traffic on ephemeral ports.
The host-based firewall is denying SSH traffic.
Infrastructure Security
Identity and Access Management
A VPC endpoint for Amazon CloudWatch Logs was recently added to a company's VPC. The company's system administrator has verified that private DNS is enabled and that the appropriate route tables and security groups have been updated. The role attached to the Amazon EC2 instance is:
The CloudWatch Logs agent is running and attempting to write to a CloudWatch Logs stream in the same AWS account. However, no logs are being updated in CloudWatch Logs.
What is the likely cause of this issue?
The EC2 instance role is not allowing the appropriate Put actions.
The EC2 instance role policy is incorrect and should be changed to:
The CloudWatch Logs endpoint policy is not allowing the appropriate Put actions.
The CloudWatch Logs resource policy is not allowing the appropriate List actions.
Incident Response
Logging and Monitoring
A water utility company uses a number of Amazon EC2 instances to manage updates to a fleet of 2,000 Internet of Things (IoT) field devices that monitor water quality. These devices each have unique access credentials.
An operational safety policy requires that access to specific credentials is independently auditable.
What is the MOST cost-effective way to manage the storage of credentials?
Use AWS Systems Manager to store the credentials as SecureString parameters. Secure them by using an AWS KMS key.
Use AWS Key Management Service to store a master key, which is used to encrypt the credentials. The encrypted credentials are stored in an Amazon RDS instance.
Use AWS Secrets Manager to store the credentials.
Store the credentials in a JSON file on Amazon S3 with server-side encryption.
Identity and Access Management
A Web Administrator for the website example.com has created an Amazon CloudFront distribution for dev.example.com, with a requirement to configure HTTPS using a custom TLS certificate imported to AWS Certificate Manager.
Which combination of steps is required to ensure availability of the certificate in the CloudFront console? (Choose two.)
Call UploadServerCertificate with /cloudfront/dev/ in the path parameter.
Import the certificate with a 4,096-bit RSA public key.
Ensure that the certificate, private key, and certificate chain are PKCS #12-encoded.
Import the certificate in the us-east-1 (N. Virginia) Region.
Ensure that the certificate, private key, and certificate chain are PEM-encoded.
Logging and Monitoring
Infrastructure Security
A Website currently runs on Amazon EC2, with mostly static content on the site. Recently, the site was subjected to a DDoS attack, and a Security Engineer was tasked with redesigning the edge security to help mitigate this risk in the future.
What are some ways the Engineer could achieve this? (Choose three.)
Use AWS X-Ray to inspect the traffic going to the EC2 instances.
Move the static content to Amazon S3, and front this with an Amazon CloudFront distribution.
Change the security group configuration to block the source of the attack traffic.
Use AWS WAF security rules to inspect the inbound traffic.
Use Amazon Inspector assessment templates to inspect the inbound traffic.
Use Amazon Route 53 to distribute traffic.
Logging and Monitoring
Infrastructure Security