AWS-Security-Specialty Exam [2022] Question Bank for Beginners: Amazon PDF Questions [Q201-Q226]




Question 201
A company is configuring three Amazon EC2 instances with each instance in a separate Availability Zone. The EC2 instances will be used as transparent proxies for outbound internet traffic for ports 80 and 443 so the proxies can block traffic to certain internet destinations as required by the company's security policies. A Security Engineer completed the following:
* Set up the proxy software on the EC2 instances.
* Modified the route tables on the private subnets to use the proxy EC2 instances as the default route.
* Created a security group rule allowing inbound TCP ports 80 and 443 in the proxy EC2 instances' security group.
However, the proxy EC2 instances are not successfully forwarding traffic to the internet.
What should the Security Engineer do to make the proxy EC2 instances route traffic to the internet?

  • A. Disable source and destination checks on the proxy EC2 instances.
  • B. Open all inbound ports on the proxy EC2 instance security group.
  • C. Change the VPC's DHCP domain-name-servers options set to the IP addresses of proxy EC2 instances.
  • D. Put all the proxy EC2 instances in a cluster placement group.

Correct answer: A

Explanation:
Every EC2 network interface performs source/destination checks by default and drops packets that are not addressed to or sent from the instance itself. A transparent proxy (like a NAT instance) forwards packets on behalf of other hosts, so the check must be disabled on each proxy instance, for example with aws ec2 modify-instance-attribute --instance-id <id> --no-source-dest-check. Opening more ports (B), changing DNS (C) or using a placement group (D) does not change how the ENI handles forwarded packets.
Reference: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html

 

Question 202
Your company has just set up a new central server in a VPC. Other teams whose servers are located in different VPCs in the same region need to connect to the central server. Which of the options below is best suited to meet this requirement?
Please select:

  • A. None of the above options will work.
  • B. Set up AWS DirectConnect between the central server VPC and each of the teams VPCs.
  • C. Set up VPC peering between the central server VPC and each of the teams VPCs.
  • D. Set up an IPSec Tunnel between the central server VPC and each of the teams VPCs.

Correct answer: C

Explanation:
A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account within a single region (inter-region peering has since been added as well).
Options B and D are invalid because VPC peering, not Direct Connect or an IPsec tunnel, is the mechanism for private connectivity between VPCs in the same region.
Option A is invalid because VPC peering is available.
For more information on VPC peering, see:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-peering.html
The correct answer is: Set up VPC peering between the central server VPC and each of the teams' VPCs.

 

Question 203
A company has several workloads running on AWS. Employees are required to authenticate using on-premises ADFS and SSO to access the AWS Management Console. Developers migrated an existing legacy web application to an Amazon EC2 instance. Employees need to access this application from anywhere on the internet, but currently there is no authentication system built into the application.
How should the Security Engineer implement employee-only access to this system without changing the application?

  • A. Place the application behind an Application Load Balancer (ALB). Use Amazon Cognito as authentication for the ALB. Define a SAML-based Amazon Cognito user pool and connect it to ADFS.
  • B. Implement AWS SSO in the master account and link it to ADFS as an identity provider. Define the EC2 instance as a managed resource, then apply an IAM policy on the resource.
  • C. Create an AWS Lambda custom authorizer as the authenticator for a reverse proxy on Amazon EC2. Ensure the security group on Amazon EC2 only allows access from the Lambda function.
  • D. Define an Amazon Cognito identity pool, then install the connector on the Active Directory server. Use the Amazon Cognito SDK on the application instance to authenticate the employees using their Active Directory user names and passwords.

Correct answer: A

Explanation:
ALB built-in authentication (the authenticate-cognito listener rule action) fronts the unchanged application with a Cognito user pool that federates to ADFS over SAML; the ALB only forwards requests that carry a valid session, so no application code changes are needed.

 

Question 204
A company's on-premises networks are connected to VPCs using an AWS Direct Connect gateway. The company's on-premises application needs to stream data using an existing Amazon Kinesis Data Firehose delivery stream. The company's security policy requires that data be encrypted in transit using a private network.
How should the company meet these requirements?

  • A. Configure an IAM policy to restrict access to Kinesis Data Firehose using a source IP condition. Configure the application to connect to the existing Firehose delivery stream.
  • B. Create a VPC endpoint for Kinesis Data Firehose. Configure the application to connect to the VPC endpoint.
  • C. Create a new TLS certificate in AWS Certificate Manager (ACM). Create a public-facing Network Load Balancer (NLB) and select the newly created TLS certificate. Configure the NLB to forward all traffic to Kinesis Data Firehose. Configure the application to connect to the NLB.
  • D. Peer the on-premises network with the Kinesis Data Firehose VPC using Direct Connect. Configure the application to connect to the existing Firehose delivery stream.

Correct answer: B

Explanation:
An interface VPC endpoint for Kinesis Data Firehose gives the service private IP addresses inside the VPC, so traffic from on-premises reaches it over Direct Connect without touching the public internet, and the Firehose API is TLS-only, so the data is also encrypted in transit. Option A controls who may call the API but does not keep traffic off the public internet; option C exposes a public NLB, and an NLB cannot target Firehose; option D is not possible because Firehose does not run inside a customer VPC.

 

Question 205
You need to ensure that the CloudTrail logs delivered to your AWS account are encrypted. How can this be achieved in the easiest way possible?
Please select:

  • A. Enable KMS encryption for the logs which are sent to Cloudwatch
  • B. Enable S3-SSE for the underlying bucket which receives the log files
  • C. Don't do anything since CloudTrail logs are automatically encrypted.
  • D. Enable S3-KMS for the underlying bucket which receives the log files

Correct answer: C

Explanation:
The AWS documentation states the following: by default, the log files delivered by CloudTrail to your bucket are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3). Options A, B and D are all invalid because all logs are already encrypted when CloudTrail delivers them to S3; SSE-KMS is an optional step if you need a customer-managed key, not a requirement for encryption at rest. For more information on CloudTrail log encryption, see:
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html
The correct answer is: Don't do anything since CloudTrail logs are automatically encrypted.

 

Question 206
A company's Security Engineer is copying all application logs to centralized Amazon S3 buckets. Currently, each of the company's applications is in its own AWS account, and logs are pushed into S3 buckets associated with each account. The Engineer will deploy an AWS Lambda function into each account that copies the relevant log files to the centralized S3 bucket.
The Security Engineer is unable to access the log files in the centralized S3 bucket. The Engineer's IAM user policy from the centralized account looks like this:

The centralized S3 bucket policy looks like this:

Why is the Security Engineer unable to access the log files?

  • A. The object ACLs are not being updated to allow the users within the centralized account to access the objects
  • B. The s3:PutObject and s3:PutObjectAcl permissions should be applied at the S3 bucket level
  • C. The Security Engineers IAM policy does not grant permissions to read objects in the S3 bucket
  • D. The S3 bucket policy does not explicitly allow the Security Engineer access to the objects in the bucket.

Correct answer: C

 

Question 207
Your company has a set of resources defined in the AWS Cloud. Its IT audit department has requested a list of the resources defined across the account. How can this be achieved in the easiest manner?
Please select:

  • A. Create a bash shell script with the AWS CLI. Query for all resources in all regions. Store the results in an S3 bucket.
  • B. Use Cloud Trail to get the list of all resources
  • C. Create a powershell script using the AWS CLI. Query for all resources with the tag of production.
  • D. Use AWS Config to get the list of all resources

Correct answer: D

Explanation:
The most feasible option is to use AWS Config. When you turn on AWS Config, it records the supported resources in your AWS account and gives you an inventory of them.
A sample snapshot of the resources dashboard in AWS Config is shown below.

Option C is incorrect because a query on the production tag would list only production resources, not all resources. Option A is partially correct, but scripting the CLI across every service and region adds maintenance overhead. Option B is incorrect because CloudTrail logs API activity; it does not give an inventory of all resources. For more information on AWS Config, see:
https://docs.aws.amazon.com/config/latest/developerguide/how-does-config-work.html
The correct answer is: Use AWS Config to get the list of all resources.

 

Question 208
A company is running an application on Amazon EC2 instances in an Auto Scaling group. The application stores logs locally. A security engineer noticed that logs were lost after a scale-in event. The security engineer needs to recommend a solution to ensure the durability and availability of log data. All logs must be kept for a minimum of 1 year for auditing purposes. What should the security engineer recommend?

  • A. Within the Auto Scaling lifecycle, add a hook to create and attach an Amazon Elastic Block Store (Amazon EBS) log volume each time an EC2 instance is created. When the instance is terminated, the EBS volume can be reattached to another instance for log review.
  • B. Within the Auto Scaling lifecycle, add a lifecycle hook at the terminating state transition and alert the engineering team by using a lifecycle notification to Amazon Simple Notification Service (Amazon SNS). Configure the hook to remain in the Terminating:Wait state for 1 hour to allow manual review of the security logs prior to instance termination.
  • C. Build the Amazon CloudWatch agent into the AMI used in the Auto Scaling group. Configure the CloudWatch agent to send the logs to Amazon CloudWatch Logs for review.
  • D. Create an Amazon Elastic File System (Amazon EFS) file system and add a command in the user data section of the Auto Scaling launch template to mount the EFS file system during EC2 instance creation Configure a process on the instance to copy the logs once a day from an instance Amazon Elastic Block Store (Amazon EBS) volume to a directory in the EFS file system.

Correct answer: C

Explanation:
The CloudWatch agent ships log lines to CloudWatch Logs as they are written, so nothing is left behind on the instance when a scale-in terminates it, and the log group's retention setting (365 days or longer, or never expire) covers the 1-year requirement. Option D still copies only once a day, so up to a day of logs is lost on scale-in; options A and B depend on manual intervention and do not make the data durable.

 

Question 209
Development teams in your organization use S3 buckets to store the log files for various applications hosted in development environments in AWS. The developers want to keep the logs for one month for troubleshooting purposes, and then purge the logs. What feature will enable this requirement?
Please select:

  • A. Enabling CORS on the S3 bucket.
  • B. Adding a bucket policy on the S3 bucket.
  • C. Configuring lifecycle configuration rules on the S3 bucket.
  • D. Creating an 1AM policy for the S3 bucket.

Correct answer: C

Explanation:
The AWS documentation says the following on lifecycle policies:
Lifecycle configuration enables you to specify the lifecycle management of objects in a bucket. The configuration is a set of one or more rules, where each rule defines an action for Amazon S3 to apply to a group of objects. These actions can be classified as follows:
Transition actions, in which you define when objects transition to another storage class. For example, you may choose to transition objects to the STANDARD_IA (IA, for infrequent access) storage class 30 days after creation, or archive objects to the GLACIER storage class one year after creation.
Expiration actions, in which you specify when the objects expire. Then Amazon S3 deletes the expired objects on your behalf.
Options B and D are invalid because neither bucket policies nor IAM policies can control the purging of logs. Option A is invalid because CORS is used for accessing objects across domains, not for purging logs. For more information on S3 lifecycle policies, see:
.com/AmazonS3/latest/d<
The correct answer is: Configuring lifecycle configuration rules on the S3 bucket.

 

Question 210
Your company has an EC2 instance that is hosted in an AWS VPC. There is a requirement to ensure that log files from the EC2 instance are stored appropriately. Access to the destination of the log files should also be limited. How can this be accomplished? Choose 2 answers from the options given below. Each answer forms part of the solution. Please select:

  • A. Create an IAM policy that gives the desired level of access to the CloudTrail trail
  • B. Stream the log files to a separate CloudTrail trail
  • C. Stream the log files to a separate CloudWatch Logs log group
  • D. Create an IAM policy that gives the desired level of access to the CloudWatch Logs log group

Correct answers: C, D

Explanation:
You can create a log group and send all logs from the EC2 instance to that group (the CloudWatch agent on the instance does the streaming). You can then limit access to the log group with an IAM policy scoped to that log group's ARN.
Option B is invalid because CloudTrail records API activity; it is not a destination for application log files. Option A is invalid because CloudTrail is the wrong service for this requirement. For more information on log groups and log streams, see:
* https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Workinj
For more information on access control for CloudWatch Logs, see:
* https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/auth-and-access-control-cwl.html
The correct answers are: Stream the log files to a separate CloudWatch Logs log group. Create an IAM policy that gives the desired level of access to the CloudWatch Logs log group.

 

Question 211
A Security Engineer receives alerts that an Amazon EC2 instance on a public subnet is under an SFTP brute force attack from a specific IP address, which is a known malicious bot. What should the Security Engineer do to block the malicious bot?

  • A. Configure Linux iptables or Windows Firewall to block any traffic from the malicious IP
  • B. Add a deny rule to the public VPC security group to block the malicious IP
  • C. Add the malicious IP to AWS WAF blacklisted IPs
  • D. Modify the hosted zone in Amazon Route 53 and create a DNS sinkhole for the malicious IP

Correct answer: A

Explanation:
Security groups are allow-only and have no deny rules, so option B cannot be configured; AWS WAF filters HTTP(S) requests for CloudFront, Application Load Balancers and API Gateway, not SFTP sessions to an EC2 instance; and a Route 53 DNS sinkhole changes name resolution, which does nothing to stop inbound packets from an IP address. Of the options given, only a host firewall rule (iptables or Windows Firewall) blocks the source IP. A deny rule in the subnet's network ACL would be the VPC-level equivalent, but it is not among the options.

 

Question 212
A company has a few dozen application servers in private subnets behind an Elastic Load Balancer (ELB) in an AWS Auto Scaling group. The application is accessed from the web over HTTPS. The data must always be encrypted in transit. The Security Engineer is worried about potential key exposure due to vulnerabilities in the application software.
Which approach will meet these requirements while protecting the external certificate during a breach?

  • A. Use a Network Load Balancer (NLB) to pass through traffic on port 443 from the internet to port 443 on the instances.
  • B. Upload a new external certificate to the load balancer. Have the ELB decrypt the traffic and forward it on port 80 to the instances.
  • C. Generate an internal self-signed certificate and apply it to the instances. Use AWS Certificate Manager to generate a new external certificate for the ELB. Have the ELB decrypt traffic, and route and re-encrypt with the internal certificate.
  • D. Purchase an external certificate, and upload it to the AWS Certificate Manager (for use with the ELB) and to the instances. Have the ELB decrypt traffic, and route and re-encrypt with the same certificate.

Correct answer: C

Explanation:
The external certificate is issued and held by ACM and used only by the load balancer, so its private key is never present on the instances; the instances hold only an internal certificate for the re-encrypted load balancer-to-instance leg. Option A would put the external private key on the instances, option B sends plaintext to the instances, and option D copies the external certificate and key onto every instance.

 

Question 213
A company has an AWS account and allows a third-party contractor, who uses another AWS account, to assume certain IAM roles. The company wants to ensure that the IAM roles can be assumed by the contractor only if the contractor has multi-factor authentication enabled on their IAM user accounts. What should the company do to accomplish this?
A)

B)

C)

D)

  • A. Option D
  • B. Option C
  • C. Option B
  • D. Option A

Correct answer: D

 

Question 214
Your CTO thinks your AWS account was hacked. What is the only way to know for certain whether there was unauthorized access and what was done, assuming the attackers are very sophisticated AWS engineers doing everything they can to cover their tracks?
Please select:

  • A. Use CloudTrail backed up to AWS S3 and Glacier.
  • B. Use CloudTrail Log File Integrity Validation.
  • C. Use AWS Config SNS Subscriptions and process events in real time.
  • D. Use AWS Config Timeline forensics.

Correct answer: B

Explanation:
The AWS documentation states the following:
To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, you can use CloudTrail log file integrity validation. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection. You can use the AWS CLI to validate the files in the location where CloudTrail delivered them. Validated log files are invaluable in security and forensic investigations. For example, a validated log file enables you to assert positively that the log file itself has not changed, or that particular user credentials performed specific API activity. The CloudTrail log file integrity validation process also lets you know if a log file has been deleted or changed, or assert positively that no log files were delivered to your account during a given period of time.
Options A, C and D are invalid because only CloudTrail log file integrity validation lets you prove that the delivered logs were neither altered nor deleted; an S3/Glacier backup preserves whatever was delivered but cannot show that the delivered files are authentic, and AWS Config records resource configuration changes, not API calls. For more information on CloudTrail log file validation, see:
http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html
The correct answer is: Use CloudTrail Log File Integrity Validation.
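The chaining that makes the validation in this answer work is easier to see in code than in the documentation paragraph. The block below is an added example, not part of the question bank and not AWS's validator: it models a digest chain the way CloudTrail builds one (each digest lists the SHA-256 of the log files it covers plus the hash and signature of the previous digest) and checks it for edited logs, deleted logs and a deleted or forged digest. The RSA-SHA256 signature AWS applies is replaced by HMAC-SHA256 under a constructed key so the code runs offline, and the three log files are constructed, not real trail output.

```python
"""Simplified model of CloudTrail log file integrity validation (added example).
Real CloudTrail: each hourly digest file lists the SHA-256 of every log file
it covers plus the hash and signature of the previous digest, and AWS signs
each digest with RSA-SHA256 (the signature travels in the S3 object metadata).
Here the RSA signature is replaced by HMAC-SHA256 under a constructed key so
that the example runs offline; the hash chaining and the checks are the same."""
import hashlib
import hmac
import json

SIGNING_KEY = b"stand-in for the CloudTrail RSA private key"   # constructed, not real


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def canonical(body):
    return json.dumps(body, sort_keys=True).encode()


def sign(body):
    # Real scheme: RSA-SHA256 over the digest end time, its S3 location, its own hash and the previous signature.
    return hmac.new(SIGNING_KEY, canonical(body), hashlib.sha256).hexdigest()


def build_digest(log_files, previous):
    """log_files: {s3 key: bytes} covered by this digest; previous: prior digest or None."""
    body = {
        "logFiles": [{"s3Object": key, "hashValue": sha256_hex(data), "hashAlgorithm": "SHA-256"}
                     for key, data in sorted(log_files.items())],
        "previousDigestHashValue": None if previous is None else sha256_hex(canonical(previous["body"])),
        "previousDigestSignature": None if previous is None else previous["signature"],
    }
    return {"body": body, "signature": sign(body)}


def validate_chain(digests, log_files):
    """Return a list of findings; an empty list means every digest is signed,
    every digest chains to its predecessor, and every log file is intact."""
    findings = []
    prev = None
    for i, digest in enumerate(digests):
        body = digest["body"]
        if not hmac.compare_digest(sign(body), digest["signature"]):
            findings.append(f"digest {i}: signature invalid")
        if prev is not None and (body["previousDigestHashValue"] != sha256_hex(canonical(prev["body"]))
                                 or body["previousDigestSignature"] != prev["signature"]):
            findings.append(f"digest {i}: does not chain to digest {i - 1}")
        for entry in body["logFiles"]:
            data = log_files.get(entry["s3Object"])
            if data is None:
                findings.append(f"digest {i}: log file {entry['s3Object']} missing")
            elif sha256_hex(data) != entry["hashValue"]:
                findings.append(f"digest {i}: log file {entry['s3Object']} modified")
        prev = digest
    return findings


def make_sample():
    """Three hours of constructed trail output, one digest per hour (not real data)."""
    logs = {
        "trail/2022/01/01/hour00.json": b'{"Records":[{"eventName":"ConsoleLogin"}]}',
        "trail/2022/01/01/hour01.json": b'{"Records":[{"eventName":"CreateUser"}]}',
        "trail/2022/01/01/hour02.json": b'{"Records":[{"eventName":"DeleteTrail"}]}',
    }
    digests, prev = [], None
    for key in sorted(logs):
        prev = build_digest({key: logs[key]}, prev)
        digests.append(prev)
    return digests, logs


if __name__ == "__main__":
    digests, logs = make_sample()
    print("clean:", validate_chain(digests, logs))
    edited = {**logs, "trail/2022/01/01/hour02.json": b'{"Records":[]}'}
    print("edited log:", validate_chain(digests, edited))
    print("deleted digest:", validate_chain([digests[0], digests[2]], logs))
```

The point of the previousDigestHashValue/previousDigestSignature pair is the last case: an attacker who deletes an hour's logs must also delete that hour's digest, and the next digest then no longer chains, so the gap is visible even though every remaining file is individually valid.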

 

Question 215
Your company has a set of EBS volumes defined in AWS. The security mandate is that all EBS volumes are encrypted. What can be done to notify the IT admin staff if there are any unencrypted volumes in the account?
Please select:

  • A. Use AWS Config to check for unencrypted EBS volumes
  • B. Use AWS Lambda to check for the unencrypted EBS volumes
  • C. Use AWS Guard duty to check for the unencrypted EBS volumes
  • D. Use AWS Inspector to inspect all the EBS volumes

Correct answer: A

Explanation:
The encrypted-volumes managed rule for AWS Config can be used to check for unencrypted volumes. The documentation describes it as follows:
encrypted-volumes: Checks whether EBS volumes that are in an attached state are encrypted. If you specify the ID of a KMS key for encryption using the kmsId parameter, the rule checks if the EBS volumes in an attached state are encrypted with that KMS key.
A NON_COMPLIANT evaluation is emitted as a Config compliance-change event, which an EventBridge (CloudWatch Events) rule can forward to an SNS topic to notify the IT admin staff.
Options C and D are incorrect since GuardDuty and Inspector cannot be used to check for unencrypted EBS volumes. Option B is incorrect because, even though it is possible, implementing the solution with just a Lambda function would be more work than using the managed rule. For more information on AWS Config and encrypted volumes, see:
https://docs.aws.amazon.com/config/latest/developerguide/encrypted-volumes.html
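What the managed rule actually decides is short enough to write down, which also shows what the Lambda route in option B would have to produce. The block below is an added example, not AWS's rule implementation and not from the question bank: it evaluates a list of volumes shaped like an ec2 describe-volumes response, with and without the optional kmsId parameter, and builds the Evaluations list a custom Config rule would hand to put_evaluations. The volume records, key ARNs and timestamp are constructed.

```python
"""Added example: the compliance logic of the AWS Config managed rule
encrypted-volumes as plain functions over describe-volumes-shaped records, plus
the put_evaluations payload a Lambda-backed custom rule would return."""

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"


def is_attached(volume):
    return any(a.get("State") == "attached" for a in volume.get("Attachments", []))


def evaluate_volume(volume, kms_key_id=None):
    """Mirror the managed rule: unattached volumes are out of scope; attached
    volumes must be encrypted, and with the optional kmsId parameter they must
    be encrypted with that specific key."""
    if not is_attached(volume):
        return NOT_APPLICABLE
    if not volume.get("Encrypted", False):
        return NON_COMPLIANT
    if kms_key_id is not None and volume.get("KmsKeyId") != kms_key_id:
        return NON_COMPLIANT
    return COMPLIANT


def evaluate_volumes(volumes, kms_key_id=None):
    return {v["VolumeId"]: evaluate_volume(v, kms_key_id) for v in volumes}


def noncompliant_ids(volumes, kms_key_id=None):
    """The list an SNS notification to the IT admin staff would carry."""
    return sorted(vid for vid, status in evaluate_volumes(volumes, kms_key_id).items()
                  if status == NON_COMPLIANT)


def build_evaluations(volumes, ordering_timestamp, kms_key_id=None):
    """Shape of the Evaluations list a custom Config rule's Lambda passes to
    config.put_evaluations (the route the explanation calls harder)."""
    evaluations = []
    for v in volumes:
        status = evaluate_volume(v, kms_key_id)
        entry = {"ComplianceResourceType": "AWS::EC2::Volume",
                 "ComplianceResourceId": v["VolumeId"],
                 "ComplianceType": status,
                 "OrderingTimestamp": ordering_timestamp}
        if status == NON_COMPLIANT:
            entry["Annotation"] = "attached EBS volume is not encrypted with the required key"
        evaluations.append(entry)
    return evaluations


KEY_A = "arn:aws:kms:us-east-1:111122223333:key/aaaaaaaa-0000-0000-0000-000000000000"  # constructed
KEY_B = "arn:aws:kms:us-east-1:111122223333:key/bbbbbbbb-0000-0000-0000-000000000000"  # constructed
SAMPLE_VOLUMES = [  # constructed describe-volumes-style records
    {"VolumeId": "vol-0a11", "Encrypted": True, "KmsKeyId": KEY_A,
     "Attachments": [{"InstanceId": "i-0001", "State": "attached"}]},
    {"VolumeId": "vol-0b22", "Encrypted": False,
     "Attachments": [{"InstanceId": "i-0002", "State": "attached"}]},
    {"VolumeId": "vol-0c33", "Encrypted": False, "Attachments": []},   # available: not evaluated
    {"VolumeId": "vol-0d44", "Encrypted": True, "KmsKeyId": KEY_B,
     "Attachments": [{"InstanceId": "i-0003", "State": "attached"}]},
]

if __name__ == "__main__":
    print(evaluate_volumes(SAMPLE_VOLUMES))
    print("non-compliant, any key:", noncompliant_ids(SAMPLE_VOLUMES))
    print("non-compliant, KEY_A required:", noncompliant_ids(SAMPLE_VOLUMES, KEY_A))
```

Note the scope detail a practitioner trips over: a detached unencrypted volume is NOT_APPLICABLE, not NON_COMPLIANT, so a volume that is only attached later will be caught by the next evaluation, not by the one that runs while it sits unattached.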

 

Question 216
You are working in the media industry and you have created a web application where users will be able to upload photos they create to your website. This web application must be able to call the S3 API in order to be able to function. Where should you store your API credentials whilst maintaining the maximum level of security?
Please select:

  • A. Save your API credentials in a public Github repository.
  • B. Don't save your API credentials; instead create a role in IAM and assign this role to an EC2 instance when you first create it.
  • C. Save the API credentials to your PHP files.
  • D. Pass API credentials to the instance using instance userdata.

Correct answer: B

Explanation:
Applications must sign their API requests with AWS credentials. Therefore, if you are an application developer, you need a strategy for managing credentials for your applications that run on EC2 instances. For example, you can securely distribute your AWS credentials to the instances, enabling the applications on those instances to use your credentials to sign requests, while protecting your credentials from other users. However, it's challenging to securely distribute credentials to each instance, especially those that AWS creates on your behalf, such as Spot Instances or instances in Auto Scaling groups. You must also be able to update the credentials on each instance when you rotate your AWS credentials.
IAM roles are designed so that your applications can securely make API requests from your instances without requiring you to manage the security credentials that the applications use.
Options A, C and D are invalid because embedding long-term AWS credentials in source control, in application files or in user data goes directly against the recommendations for secure access (user data is readable by any process on the instance through the instance metadata service). For more information on IAM roles, see:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
The correct answer is: Don't save your API credentials; instead create a role in IAM and assign this role to an EC2 instance when you first create it.

 

Question 217
An organization is using Amazon CloudWatch Logs with agents deployed on its Linux Amazon EC2 instances. The agent configuration files have been checked and the application log files to be pushed are configured correctly. A review has identified that logging from specific instances is missing.
Which steps should be taken to troubleshoot the issue? (Choose two.)

  • A. Use an EC2 run command to confirm that the "awslogs" service is running on all instances.
  • B. Verify that the time zone on the application servers is in UTC.
  • C. Verify that the permissions used by the agent allow creation of log groups/streams and to put log events.
  • D. Check that the trust relationship grants the service "cwlogs.amazonaws.com" permission to write objects to the Amazon S3 staging bucket.
  • E. Check whether any application log entries were rejected because of invalid time stamps by reviewing /var/cwlogs/rejects.log.

Correct answers: A, C

Explanation:
With a correct agent configuration file, the two remaining causes are that the agent is not running on the affected instances, or that the instance profile lacks the permissions the agent needs (logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents and logs:DescribeLogStreams). EC2 Run Command (Systems Manager) can run scripts, install software, collect metrics and log files, and manage patches, so it is a convenient way to check the service status on every instance at once; CloudWatch Events rules can also invoke Run Command to act on EC2 instances or on-premises servers. Option B is unnecessary because the agent converts timestamps using the configured time zone; option D describes a staging bucket that CloudWatch Logs does not use; option E points to a path the awslogs agent does not write (its own log is /var/log/awslogs.log).

 

Question 218
A Security Engineer must design a system that can detect whether a file on an Amazon EC2 host has been modified. The system must then alert the Security Engineer of the modification.
What is the MOST efficient way to meet these requirements?

  • A. Install antivirus software and ensure that signatures are up-to-date. Configure Amazon CloudWatch alarms to send alerts for security events.
  • B. Use Amazon CloudWatch Logs to detect file system changes. If a change is detected, automatically terminate and recreate the instance from the most recent AMI. Use Amazon SNS to send notification of the event.
  • C. Install host-based IDS software to check for file integrity. Export the logs to Amazon CloudWatch Logs for monitoring and alerting.
  • D. Export system log files to Amazon S3. Parse the log files using an AWS Lambda function that will send alerts of any unauthorized system login attempts through Amazon SNS.

Correct answer: C

Explanation:
File integrity monitoring is a host-based IDS function: the agent keeps a baseline of file hashes and permissions and reports deviations. Forwarding its output to CloudWatch Logs gives a metric filter and alarm to raise the alert. Antivirus (A) looks for known malware, not arbitrary modifications; CloudWatch Logs (B) does not watch a file system by itself; and parsing login attempts (D) detects logins, not file changes.
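The core of the HIDS check in the correct answer, as an added example rather than any product's code: build a baseline of SHA-256 digests and permission bits for every file under a root, rescan, and report what was added, removed or modified. The demo runs in a temporary directory with constructed files (a fake /etc and /usr/bin) so it works anywhere; a real deployment would persist the baseline off-host, and the report is what you would forward to CloudWatch Logs for alerting.

```python
"""Added example: the core of a host-based file integrity check. Content
changes and permission changes (a new setuid bit, for instance) both count as
modifications; the sample files are constructed in a temporary directory."""
import hashlib
import os
import stat
import tempfile


def file_digest(path, chunk_size=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> (sha256, permission bits) for every regular file under root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            baseline[rel] = (file_digest(full), mode)
    return baseline


def compare(baseline, current):
    """Report paths sorted so the output is stable from run to run."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
    }


def _write(root, rel, data, mode=0o644):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)
    os.chmod(full, mode)


def demo():
    """Constructed scenario: baseline a fake root, then tamper with it four ways."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/bash\n")
        _write(root, "etc/ssh/sshd_config", b"PasswordAuthentication no\n")
        _write(root, "usr/bin/tool", b"#!/bin/sh\necho ok\n", 0o755)
        baseline = build_baseline(root)

        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/bash\nbackdoor:x:0:0::/:/bin/sh\n")  # content edit
        os.chmod(os.path.join(root, "usr/bin/tool"), 0o4755)       # setuid added, content unchanged
        os.remove(os.path.join(root, "etc/ssh/sshd_config"))        # file removed
        _write(root, "etc/cron.d/persist", b"* * * * * root /tmp/x\n")   # file added
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

Hashing content alone would miss the setuid change on usr/bin/tool, which is why the baseline records permission bits as well; production tools also record owner, mtime and inode, and the baseline itself must be stored where the attacker who modified the file cannot also modify the baseline.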

 

Question 219
A company had one of its Amazon EC2 key pairs compromised. A Security Engineer must identify which current Linux EC2 instances were deployed and used the compromised key pair.
How can this task be accomplished?

  • A. Obtain the fingerprint for the key pair from the AWS Management Console, then search for the fingerprint in Amazon CloudWatch Logs using: aws logs filter-log-events.
  • B. Obtain the list of instances by directly querying Amazon EC2 using: aws ec2 describe-instances --filters "Name=key-name,Values=KEYNAMEHERE".
  • C. Obtain the fingerprint for the key pair from the AWS Management Console, then search for the fingerprint in the Amazon Inspector logs.
  • D. Obtain the output from the EC2 instance metadata using: curl http://169.254.169.254/latest/meta-data/public-keys/0/.

Correct answer: B

Explanation:
The key pair name is an instance attribute, so describe-instances with the key-name filter lists every instance launched with that key pair. It reflects only the key pair specified at launch: keys added to ~/.ssh/authorized_keys afterwards are not visible through the EC2 API, so a thorough investigation also checks authorized_keys on the instances themselves.

 

Question 220
You need to establish a secure backup and archiving solution for your company using AWS. Documents should be immediately accessible for three months and available for five years for compliance reasons. Which AWS service fulfills these requirements in the most cost-effective way? Choose the correct answer:
Please select:

  • A. Upload the data on EBS, use lifecycle policies to move EBS snapshots into S3 and later into Glacier for long-term archiving.
  • B. Upload data to S3 and use lifecycle policies to move the data into Glacier for long-term archiving.
  • C. Use Storage Gateway to store data to S3 and use lifecycle policies to move the data into Redshift for long-term archiving.
  • D. Use Direct Connect to upload data to S3 and use IAM policies to move the data into Glacier for long-term archiving.

Correct answer: B

Explanation:
Amazon Glacier is a secure, durable, and extremely low-cost cloud storage service for data archiving and long-term backup. Customers can reliably store large or small amounts of data for as little as $0.004 per gigabyte per month, a significant saving compared to on-premises solutions.
With Amazon S3 lifecycle policies you can create transition actions in which you define when objects transition to another Amazon S3 storage class. For example, you may choose to transition objects to the STANDARD_IA (IA, for infrequent access) storage class 30 days after creation, or archive objects to the GLACIER storage class one year after creation.
Option A is invalid because S3 lifecycle policies do not apply to EBS volumes, and EBS snapshots cannot be moved into an S3 bucket. Option D is invalid because IAM policies cannot be used to move data to Glacier. Option C is invalid because lifecycle policies do not move data to Redshift, which is a data warehouse, not an archive tier. For more information on S3 lifecycle policies, see:
http://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html
The correct answer is: Upload data to S3 and use lifecycle policies to move the data into Glacier for long-term archiving.
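Both this question and question 209 come down to writing a lifecycle rule, so here is one added example covering both. It is not from the question bank: it builds the two rules in the exact dict shape that boto3's s3.put_bucket_lifecycle_configuration(Bucket=..., LifecycleConfiguration=...) accepts (a 30-day expiration for development logs; a 90-day transition to GLACIER and a 5-year expiration for documents) and adds a small evaluator that reports where an object of a given age ends up under those rules. The prefixes, rule IDs and day counts are assumptions chosen to match the two questions.

```python
"""Added example (questions 209 and 220): S3 lifecycle rules in boto3's
put_bucket_lifecycle_configuration shape, plus an evaluator for object age."""

STANDARD, EXPIRED = "STANDARD", "EXPIRED"


def dev_log_purge_rule(prefix="logs/", days=30):
    """Question 209: keep development logs one month, then delete them."""
    return {
        "ID": "purge-dev-logs",
        "Filter": {"Prefix": prefix},
        "Status": "Enabled",
        "Expiration": {"Days": days},
    }


def archive_rule(prefix="documents/", glacier_after_days=90, expire_after_days=5 * 365):
    """Question 220: immediately accessible for three months, retained five years."""
    return {
        "ID": "archive-documents",
        "Filter": {"Prefix": prefix},
        "Status": "Enabled",
        "Transitions": [{"Days": glacier_after_days, "StorageClass": "GLACIER"}],
        "Expiration": {"Days": expire_after_days},
    }


def lifecycle_configuration(*rules):
    """The LifecycleConfiguration argument: one bucket, any number of rules."""
    return {"Rules": list(rules)}


def object_state(config, key, age_days):
    """Storage class (or EXPIRED) for an object `age_days` after creation.
    Only enabled rules whose prefix matches the key apply; expiration wins over
    transitions, and the latest transition already reached sets the class."""
    state = STANDARD
    for rule in config["Rules"]:
        if rule.get("Status") != "Enabled" or not key.startswith(rule["Filter"].get("Prefix", "")):
            continue
        expiry = rule.get("Expiration", {}).get("Days")
        if expiry is not None and age_days >= expiry:
            return EXPIRED
        reached = [t for t in rule.get("Transitions", []) if age_days >= t["Days"]]
        if reached:
            state = max(reached, key=lambda t: t["Days"])["StorageClass"]
    return state


CONFIG = lifecycle_configuration(dev_log_purge_rule(), archive_rule())

if __name__ == "__main__":
    import json
    print(json.dumps(CONFIG, indent=2))
    for key, age in [("logs/app.log", 29), ("logs/app.log", 30),
                     ("documents/contract.pdf", 90), ("documents/contract.pdf", 1825)]:
        print(key, age, object_state(CONFIG, key, age))
```

Two things the evaluator makes visible: an object outside both prefixes is never touched, and an archived document stays in GLACIER right up to the day the five-year expiration deletes it, which is exactly the "accessible, then archived, then gone" profile the compliance requirement describes.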

 

Question 221
A Security Engineer who was reviewing AWS Key Management Service (AWS KMS) key policies found this statement in each key policy in the company AWS account.

What does the statement allow?

  • A. All principals from all AWS accounts to use the key.
  • B. All principals from account 111122223333 to use the key but only on Amazon S3.
  • C. Only principals from account 111122223333 that have an IAM policy applied that grants access to this key to use the key.
  • D. Only the root user from account 111122223333 to use the key.

Correct answer: C

Explanation:
A key policy statement whose principal is the account's root ARN does not grant access to anyone by itself; it delegates the decision to IAM, so that identity policies in that account can grant kms:* actions on the key. A principal in the account with no such identity policy is still denied, and principals in other accounts are not covered at all.
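The interplay between a resource-based policy and the caller's identity policy is what this question and question 213 both test, so one added example serves both. It is a deliberately small model written for this page, not the AWS evaluation engine: no explicit-deny precedence, NotAction, resource matching or SCPs, only the pieces these two questions turn on. The key policy statement on the page was an image that did not survive extraction; the default "Enable IAM User Permissions" statement from the KMS documentation is used as a stand-in for it (an assumption), and the account IDs, ARNs and the other policy documents are constructed. For question 213 the trust policy carries the standard MFA condition on aws:MultiFactorAuthPresent, which is the mechanism the correct option relies on.

```python
"""Added example (questions 213 and 221): a small model of how AWS combines a
resource-based policy (KMS key policy or role trust policy) with the caller's
identity policy and request context."""
import fnmatch


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _matches(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_ok(condition, context):
    """Only the Bool operator is modelled, enough for aws:MultiFactorAuthPresent.
    A key missing from the context makes a Bool condition false."""
    for operator, pairs in (condition or {}).items():
        if operator != "Bool":
            raise NotImplementedError(operator)
        for key, wanted in pairs.items():
            if str(context.get(key, "")).lower() != str(wanted).lower():
                return False
    return True


def _statement_allows(stmt, action, context):
    return (stmt.get("Effect") == "Allow"
            and _matches(stmt["Action"], action)
            and _condition_ok(stmt.get("Condition"), context))


def identity_policy_allows(policy, action, context=None):
    return any(_statement_allows(s, action, context or {}) for s in _as_list(policy["Statement"]))


def resource_policy_decision(policy, principal_arn, action, context=None):
    """'ALLOW' if a statement names the caller (or '*') directly; 'DELEGATE' if it
    names the caller's account root, so access then depends on the caller's
    identity policy; otherwise 'NONE'."""
    account = principal_arn.split(":")[4]
    decision = "NONE"
    for stmt in _as_list(policy["Statement"]):
        if not _statement_allows(stmt, action, context or {}):
            continue
        p = stmt["Principal"]
        who = ["*"] if p == "*" else _as_list(p.get("AWS", []))
        if "*" in who or principal_arn in who:
            return "ALLOW"
        if f"arn:aws:iam::{account}:root" in who or account in who:
            decision = "DELEGATE"
    return decision


def kms_access_allowed(key_policy, identity_policy, principal_arn, action):
    """Question 221: the root-principal statement lets IAM policies in that
    account grant use of the key; it grants nothing by itself."""
    decision = resource_policy_decision(key_policy, principal_arn, action)
    if decision == "ALLOW":
        return True
    if decision == "DELEGATE":
        return identity_policy is not None and identity_policy_allows(identity_policy, action)
    return False


def assume_role_allowed(trust_policy, identity_policy, principal_arn, context):
    """Question 213: a cross-account AssumeRole needs the trust policy, with its
    MFA condition checked against the request context, and the caller's own
    identity policy permitting sts:AssumeRole."""
    if resource_policy_decision(trust_policy, principal_arn, "sts:AssumeRole", context) == "NONE":
        return False
    return identity_policy_allows(identity_policy, "sts:AssumeRole", context)


KEY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Enable IAM User Permissions", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "kms:*", "Resource": "*"}]}
DECRYPT_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"}]}
TRUST_POLICY_MFA = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999988887777:root"},   # contractor account, constructed
    "Action": "sts:AssumeRole",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}
ASSUME_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"}]}

if __name__ == "__main__":
    alice = "arn:aws:iam::111122223333:user/alice"
    bob = "arn:aws:iam::999988887777:user/contractor-bob"
    print(kms_access_allowed(KEY_POLICY, DECRYPT_POLICY, alice, "kms:Decrypt"))   # True
    print(kms_access_allowed(KEY_POLICY, None, alice, "kms:Decrypt"))             # False
    print(assume_role_allowed(TRUST_POLICY_MFA, ASSUME_POLICY, bob, {"aws:MultiFactorAuthPresent": "true"}))   # True
    print(assume_role_allowed(TRUST_POLICY_MFA, ASSUME_POLICY, bob, {"aws:MultiFactorAuthPresent": "false"}))  # False
```

The contractor case also shows where the condition has to live: putting it in the contractor's own identity policy would leave the trust policy open to any caller in that account, so the MFA requirement belongs in the trusting account's role trust policy, which the contractor cannot edit.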

 

Question 222
Your organization is preparing for a security assessment of your use of AWS. In preparation for this assessment, which three IAM best practices should you consider implementing?
Please select:

  • A. Ensure all users have been assigned and are frequently rotating a password, access ID/secret key, and X.509 certificate.
  • B. Assign IAM users and groups configured with policies granting least privilege access
  • C. Configure MFA on the root account and for privileged IAM users
  • D. Create individual IAM users

Correct answers: B, C, D

Explanation:
When you go to the IAM security dashboard, the security status shows the best practices for establishing the first level of security.
Option A is invalid because, as per the dashboard, giving every user a password, access keys and an X.509 certificate is not part of the security recommendation; credentials should exist only where they are needed. For more information on security best practices, see:
https://aws.amazon.com/whitepapers/aws-security-best-practices/
The correct answers are: Create individual IAM users; Configure MFA on the root account and for privileged IAM users; Assign IAM users and groups configured with policies granting least privilege access.

 

Question 223
A company has a customer master key (CMK) with imported key material. Company policy requires that all encryption keys must be rotated every year.
What can be done to implement the above policy?

  • A. Enable automatic key rotation annually for the CMK.
  • B. Import new key material to the existing CMK and manually rotate the CMK.
  • C. Use AWS Command Line Interface to create an AWS Lambda function to rotate the existing CMK annually.
  • D. Create a new CMK, import new key material to it, and point the key alias to the new CMK.

Correct answer: D

Explanation:
https://docs.aws.amazon.com/en_pv/kms/latest/developerguide/rotate-keys.html#rotate-keys-manually
"You might prefer to rotate keys manually so you can control the rotation frequency. It's also a good solution for CMKs that are not eligible for automatic key rotation, such as asymmetric CMKs, CMKs in custom key stores and CMKs with imported key material. Because the new CMK is a different resource from the current CMK, it has a different key ID and ARN. When you change CMKs, you need to update references to the CMK ID or ARN in your applications. Aliases, which associate a friendly name with a CMK, make this process easier. Use an alias to refer to a CMK in your applications. Then, when you want to change the CMK that the application uses, change the target CMK of the alias. To update the target CMK of an alias, use the UpdateAlias operation in the AWS KMS API."
Option A is not available for keys with imported key material, and option B does not rotate anything: KMS only accepts a re-import of the same key material into an existing CMK, so new material requires a new CMK. Keep the old CMK enabled until every ciphertext produced under it has been re-encrypted or is no longer needed, because data encrypted under the old key can only be decrypted by the old key.

 

Question 224
A Software Engineer is trying to figure out why network connectivity to an Amazon EC2 instance does not appear to be working correctly. Its security group allows inbound HTTP traffic from 0.0.0.0/0, and the outbound rules have not been modified from the default. A custom network ACL associated with its subnet allows inbound HTTP traffic from 0.0.0.0/0 and has no outbound rules.
What would resolve the connectivity issue?

  • A. An outbound rule must be added to the network ACL to allow the response to be sent to the client on the HTTP port.
  • B. The outbound rules on the security group do not allow the response to be sent to the client on the HTTP port.
  • C. An outbound rule must be added to the network ACL to allow the response to be sent to the client on the ephemeral port range.
  • D. The outbound rules on the security group do not allow the response to be sent to the client on the ephemeral port range.

Correct answer: C

Explanation:
Security groups are stateful, so the unmodified default outbound rules are not the problem. Network ACLs are stateless: the HTTP response leaves the subnet as a separate packet destined for the client's ephemeral source port (1024-65535), so the ACL needs an outbound allow for that range. An outbound rule for port 80 (option A) would only match replies destined for port 80, which is not where clients listen.
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html
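The stateful/stateless distinction behind this question, and the allow-only nature of security groups behind question 211, are easiest to see by simulating both filters on one connection. The block below is an added example, not from the question bank and not AWS's implementation: it models security group rules (allow-only, stateful) and network ACL rules (numbered, first match wins, deny allowed, stateless) and traces one TCP request and its reply through both. The rule sets, addresses (documentation ranges) and ports are constructed.

```python
"""Added example (questions 211 and 224): a small simulator of VPC security
groups and network ACLs, tracing one TCP connection and its reply."""
import ipaddress

EPHEMERAL = (1024, 65535)   # the reply-port range the VPC docs recommend allowing on NACLs


def _in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def _rule_hits(rule, proto, port, ip):
    return (rule["proto"] in (proto, "all")
            and rule["from"] <= port <= rule["to"]
            and _in_cidr(ip, rule["cidr"]))


def nacl_decision(rules, proto, port, ip):
    """Lowest-numbered matching rule wins; the implicit '*' rule denies."""
    for rule in sorted(rules, key=lambda r: r["number"]):
        if _rule_hits(rule, proto, port, ip):
            return rule["action"]
    return "deny"


def sg_allows(rules, proto, port, ip):
    """Security group rules carry no action: any match is an allow, and there
    is no way to express 'deny this IP' (why option B of question 211 fails)."""
    return any(_rule_hits(r, proto, port, ip) for r in rules)


def tcp_request_and_reply(sg, nacl, client_ip, client_port, server_port):
    """Trace one TCP connection from an internet client to the instance and
    return every check, so the failing hop is visible."""
    trace = {
        "nacl_in": nacl_decision(nacl["inbound"], "tcp", server_port, client_ip) == "allow",
        "sg_in": sg_allows(sg["inbound"], "tcp", server_port, client_ip),
    }
    trace["sg_out"] = trace["sg_in"]   # stateful: the reply rides on the accepted request
    # stateless: the reply is a fresh outbound packet to the client's ephemeral port
    trace["nacl_out"] = nacl_decision(nacl["outbound"], "tcp", client_port, client_ip) == "allow"
    trace["connection_works"] = all(trace.values())
    return trace


def _nacl(number, port_from, port_to, cidr, action):
    return {"number": number, "proto": "tcp", "from": port_from, "to": port_to, "cidr": cidr, "action": action}


# Question 224: SG allows inbound HTTP with default outbound; custom NACL allows inbound HTTP only.
SG_HTTP = {"inbound": [{"proto": "tcp", "from": 80, "to": 80, "cidr": "0.0.0.0/0"}],
           "outbound": [{"proto": "all", "from": 0, "to": 65535, "cidr": "0.0.0.0/0"}]}
NACL_NO_OUTBOUND = {"inbound": [_nacl(100, 80, 80, "0.0.0.0/0", "allow")], "outbound": []}
NACL_OPTION_A = {"inbound": NACL_NO_OUTBOUND["inbound"], "outbound": [_nacl(100, 80, 80, "0.0.0.0/0", "allow")]}
NACL_OPTION_C = {"inbound": NACL_NO_OUTBOUND["inbound"], "outbound": [_nacl(100, *EPHEMERAL, "0.0.0.0/0", "allow")]}

# Question 211: a deny for one source IP on port 22, numbered below the broad allow.
MALICIOUS_IP = "203.0.113.7"   # documentation range, constructed
SG_SFTP = {"inbound": [{"proto": "tcp", "from": 22, "to": 22, "cidr": "0.0.0.0/0"}], "outbound": SG_HTTP["outbound"]}
NACL_SFTP = {"inbound": [_nacl(90, 22, 22, MALICIOUS_IP + "/32", "deny"), _nacl(100, 22, 22, "0.0.0.0/0", "allow")],
             "outbound": [_nacl(100, *EPHEMERAL, "0.0.0.0/0", "allow")]}

if __name__ == "__main__":
    for name, nacl in [("no outbound", NACL_NO_OUTBOUND), ("option A", NACL_OPTION_A), ("option C", NACL_OPTION_C)]:
        print(name, tcp_request_and_reply(SG_HTTP, nacl, "198.51.100.10", 49152, 80))
    print("bot:", tcp_request_and_reply(SG_SFTP, NACL_SFTP, MALICIOUS_IP, 51000, 22))
```

In the traces for question 224 every check passes except nacl_out until the ephemeral range is opened; for question 211 the NACL deny stops the bot at nacl_in while sg_allows still returns True for the same packet, which is the whole reason a security group cannot be the answer and a host firewall (or a NACL, which the question does not offer) has to be.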

 

Question 225
Which technique can be used to integrate AWS IAM (Identity and Access Management) with an on-premises LDAP (Lightweight Directory Access Protocol) directory service?
Please select:

  • A. Use IAM roles to automatically rotate the IAM credentials when LDAP credentials are updated.
  • B. Use AWS Security Token Service from an identity broker to issue short-lived AWS credentials.
  • C. Use an IAM policy that references the LDAP account identifiers and the AWS credentials.
  • D. Use SAML (Security Assertion Markup Language) to enable single sign-on between AWS and LDAP.

Correct answer: D

Explanation:
The AWS Security Blog gives the following context: the newly released whitepaper, Single Sign-On: Integrating AWS, OpenLDAP, and Shibboleth, will help you integrate your existing LDAP-based user directory with AWS. When you integrate your existing directory with AWS, your users can access AWS by using their existing credentials. This means that your users don't need to maintain yet another user name and password just to access AWS resources.
Options A and C are invalid because IAM neither references LDAP identifiers nor rotates credentials from LDAP. Option B describes the older custom identity-broker pattern, which works but is not the integration technique recommended now that SAML federation is supported.
For more information on integrating AWS with LDAP for single sign-on, see:
https://aws.amazon.com/blogs/security/new-whitepaper-single-sign-on-integrating-aws-openldap-and-shibboleth
The correct answer is: Use SAML (Security Assertion Markup Language) to enable single sign-on between AWS and LDAP.

 

Question 226
......

AWS-Security-Specialty exam questions to help you pass the Amazon exam: https://www.goshiken.com/Amazon/AWS-Security-Specialty-mondaishu.html

Verified AWS-Security-Specialty deluxe trial set, real exam questions in PDF: https://drive.google.com/open?id=1DCwXKBpTM0bK7mWyhZGpFMxLwPOn9KBQ