Quiz: AWS Certified Security Specialty Part 3

How can you make your data encrypted in transit for connection with RDS instance?

An organization uses EBS volumes in AWS, and for security purpose, they want all volumes to be encrypted and they want to get notified about any unencrypted volume in the How can this be done?

You have a setup in which you use logging enabled S3 buckets. If changes to the S3 bucket are made, a config rule will be checked. If logging is deactivated, a function of Lambda is invoked. The Lambda function again allows the S3 bucket to log in. The whole flow is now a problem. You have checked the invoking of the Lambda function. However, the Lambda function does not re-open when logging for the bucket is disabled. Which one of the following might be a problem?

An organization uses EC2 instances, and they have compromised instances. They have strict policies and want to find out the culprit of the security How would they do this? (choose any 3)

How does the data forwarded to S3 can be encrypted at rest?

An enterprise has its AWS account in which it hosts the resources. All API activities in all regions must be monitored. The audit must also be carried out in future regions. To meet this requirement, which of the following could be used?

A company is planning to use AWS for hosting the resources. They have multiple independent departments that also want to use AWS. Which of the following methods could be used to manage the accounts?

From the following options, which is best to view event logs of all API on AWS which is read-only access to the auditor?

An organization has an application in which it has multiple types of users like some have read-only access, or others have contributor access. The application is using AWS Cognito for authenticating. How would they manage the users?

An enterprise uses Linux EC2 instance in AWS, and they want secure authentication to the instance from Windows. How can this requirement be met?

An organization is using AWS resource for its infrastructure, and now they are searching for the security aspect of their CI / CD pipeline. They want to ensure that there should not be any high-security vulnerabilities in the EC2 instances. They also want to make sure that the DevSecOps process is complete. How can they meet this requirement?

How will you make sure that your S3 bucket on AWS is only accessible via VPC endpoint?

An enterprise uses AWS to host its infrastructure on AWS EC2 instances. The EC2 instances are subjected to strict security regulations. You need a quick investigation of the underlying EC2 instance during a possible security violation. Which service can help you provide a test environment for the violated case quickly?

You have a huge number of keys specified in AWS KMS. You have an application which uses the keys very frequently. How can the cost of access keys in AWS KMS service be reduced?

An organization has one compromised EC2 instance. Which of the following steps are needed for applying digital forensics on the instance? (choose any 2)

There is a set of AWS-hosted applications, database, and web servers. Behind an ELB, the web servers are located. The application, database and web servers have separate security groups. The security groups of the network were defined with some configuration. Contact between the application and database servers is problematic. What ideal set of MINIMAL steps would you take to resolve the problems between only the application and the database server?

Your development team needs to use AWS Lambda service for running multiple scripts, and now they need to understand the errors encountered during the running of the script. How can they do this?

In AWS Public Cloud the client has an RHEL Linux instance. The VPC and subnet used to host the instance that were created with the Network Access Control Lists default settings. You must provide secure access to the underlying instance for the IT Administrator. How can this be done?

An organization uses the AWS cloud for creating a private connection from on-premises IT infrastructure to AWS. Now, they want a solution of getting core benefits of traffic encryption, while ensuring that the latency is kept to minimum. How would they achieve their requirement? (choose any 2)

From the following options, which is best to generate encryption keys based on FIPS 140-2 level 3? (choose any 2)

A huge multinational enterprise has thousands of EC2 instances on AWS, and now they want to make sure that all servers are not occupying any critical security flaws. How can this requirement be fulfilled? (choose any 2)

In Amazon Linux AMI instances, a company is trying to use AWS Systems Manager. The command run does not work on a number of instances. How would they diagnose the problem? (choose any 2)

A company has an EC2 instance with EBS volume, and encryption of this is done via KMS. Now, some hacker deletes the customer key that is used for encryption. Then how can they decrypt the data?

You must use the keys available in the CloudFront to serve private content. How is this possible?

For a number of EC2 instances, you must perform penetration tests on the AWS Cloud. How can you do this? (choose any 2)

The AWS KMS service provides you with a set of customer keys. These keys were used for approximately six months. Now, you are attempting to use new KMS functions for the existing key set, but you are unable to do so. What could be the issue behind this?

If you want to use your own DNS managed instance rather than using AWS DNS service for routing DNS request from the instance in VPC then how would you do this?

How do you make sure to inspect the running process on EC2 instance without interrupting its continuous running for security issues?

A company hired you and assigned you a task to make sure that AWS and its on-site Active Directory are federated authentication mechanisms. What are the important steps that must be taken in this process? (choose any 2)

If you want to get the point in time API activity of any suspicious API activity that occurred 15 days ago. How would you get that?

A set of EC2 instances is currently held by your company in the VPC. The IT Security department suspects that the instances will be attacked by DDos. What can you do to minify the chances of attack on the IP addresses that receive a large number of applications?

An incident reaction plan was drafted a few months ago by an IT team of the enterprise. The response plan is regularly implemented. Since its inception, no changes has been made to the response plan. Which of the following is the correct plan statement?

There is an S3 bucket currently hosted in an AWS account. It contains information that a partner account needs to access. What is the safest way to access S3 buckets in your account with your partner account? (choose any 3)

An organization uses AWS to host its web application for which they create EC2 instance in public subnet. Now, they need to connect an EC2 instance which will host Oracle DB. How would they do all this in a secure way? (choose an 2)

A company uses S3 bucket to store log files. These log files are used for analysis after that, they purge these files. How would they do this configuration in S3 bucket?

A windows machine in one VPC needs to join the AD domain in another VPC. VPC Peering has been established. But the domain join is not working. What is the other step that needs to be followed in order to ensure that the AD domain join can work as intended?

How do you ensure that the object in the primary region is available in the secondary region on the failure of the primary region? (choose any 2)

You try to patch a set of EC2 systems with the Systems Manager. Some of the systems are not covered by the patch. Which of these can be used to resolve the problem? (choose any 3)

How can I integrate the AWS IAM with a local LDAP (Lightweight Directory Access Protocol) directory service? What technique can be used?

How do you make CloudTrail logs encrypted when they are being delivered in AWS account?

A company has an application which currently uses customer keys which are generated via AWS KMS in the US East Now, they want to use the same set of keys from the EU-Central region. How can this be accomplished?

A set of keys was developed for your company with AWS KMS. You must ensure that only certain services are used for each key. For instance, they want to use only one key for the S3 service. How can you do that?

An enterprise is using AWS to host its java-based application on EC2 instance. That application can access the DynamoDB table and currently instance serving production based user. How securely an instance can access the DynamoDB table?

A company uses a cluster Redshift to store its data storage facility. The Internal IT Security team is required to ensure that Redshift database data should be encrypted. How can we accomplish that?

An enterprise uses S3 to put its critical data and metadata. They want all of their data and metadata to be encrypted. What steps are needed to ensure that metadata is encrypted?

A security team must submit daily briefings to the CISO containing a report that misses out on the latest security patches on thousands of EC2 instances and on-site servers. All servers must comply within 24 hours to ensure that they do not appear in the report on the next day. How does the security team meet these requirements?

An organization uses a number of EC2 instances and wants to identify the SG that allows unrestricted access to the resource. How would they fulfill their requirement?

A company uses AWS KMS service to create customer keys. These keys are used for 6 months and now they are trying to use new KMS features for an existing set of keys but are unable to do that. Why is that?

For your AWS account, an enterprise has specified privileged users. They are the administrator for key corporate resources. The security authentication for these users is now mandated to improve. How can this be done?

From the following options, which is not the best practice of security audit?