[19 August 2024] AWS-Security-Specialty exam question collection PDF, accuracy guaranteed, with updated questions [Q250-Q275]



The real test engine PDF for passing the AWS-Security-Specialty exam contains 592 questions.

Question # 250
You have private video content in S3 that you want to serve to subscribed users on the Internet. User IDs, credentials, and subscriptions are stored in an Amazon RDS database. Which configuration will allow you to securely serve private content to your users?
Please select:

  • A. Create an IAM user for each subscribed user and assign the GetObject permission to each IAM user
  • B. Create a CloudFront Origin Access Identity user for your subscribed users and assign the GetObject permission to this user
  • C. Create an S3 bucket policy that limits access to your private content to only your subscribed users' credentials
  • D. Generate pre-signed URLs for each user as they request access to protected S3 content

Correct answer: D

Explanation:
All objects and buckets are private by default. Pre-signed URLs are useful if you want your user/customer to be able to upload a specific object to your bucket without requiring them to have AWS security credentials or permissions. When you create a pre-signed URL, you must provide your security credentials, specify a bucket name, an object key, an HTTP method (PUT for uploading objects), and an expiration date and time.
The pre-signed URLs are valid only for the specified duration.
Option B is invalid because this would be too difficult to implement at a user level.
Option C is invalid because this is not possible.
Option D is invalid because this is used to serve private content via CloudFront.
For more information on pre-signed URLs, please refer to the link:
http://docs.aws.amazon.com/AmazonS3/latest/dev/PresignedUrlUploadObject.html
The correct answer is: Generate pre-signed URLs for each user as they request access to protected S3 content
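The point of the explanation above is that a pre-signed URL carries its own expiry and a signature over the bucket, key and query, so the holder needs no AWS credentials and the URL stops working once the window closes. The following added example (not part of the original question bank, and not AWS SDK code) builds a SigV4 pre-signed GET URL for the private-video scenario with only the Python standard library, and then checks a presented URL the way the service would: time window first, then signature. The access key, secret and bucket name are constructed values for the example; the URL is never sent anywhere.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit

# Constructed, non-functional credentials so the example runs offline.
ACCESS_KEY = "AKIAEXAMPLEEXAMPLE00"
SECRET_KEY = "constructedSecretKeyForTheExampleOnly0123"
REGION = "us-east-1"
MAX_EXPIRES = 7 * 24 * 3600  # SigV4 pre-signed URLs may live at most 7 days


def _aws_quote(s, safe="", encoding=None, errors=None):
    # SigV4 canonical encoding: only unreserved characters stay unescaped
    return quote(s, safe="-_.~", encoding=encoding, errors=errors)


def _hmac(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret, date_stamp, region):
    # kSecret -> kDate -> kRegion -> kService -> kSigning (service is s3 here)
    k = _hmac(("AWS4" + secret).encode("utf-8"), date_stamp)
    k = _hmac(k, region)
    k = _hmac(k, "s3")
    return _hmac(k, "aws4_request")


def _signature(secret, bucket, key, query, region):
    """SigV4 signature for a pre-signed GET with only the host header signed."""
    host = f"{bucket}.s3.amazonaws.com"
    canonical_query = urlencode(sorted(query.items()), quote_via=_aws_quote)
    canonical_request = "\n".join([
        "GET",
        "/" + quote(key, safe="/"),
        canonical_query,
        f"host:{host}\n",    # canonical headers block ends with a newline
        "host",              # signed headers
        "UNSIGNED-PAYLOAD",  # pre-signed S3 URLs do not hash the body
    ])
    date_stamp = query["X-Amz-Date"][:8]
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        query["X-Amz-Date"],
        f"{date_stamp}/{region}/s3/aws4_request",
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    return hmac.new(_signing_key(secret, date_stamp, region),
                    string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def presign_get(bucket, key, expires_in, now, access_key=ACCESS_KEY,
                secret=SECRET_KEY, region=REGION):
    """Build a pre-signed GET URL valid for expires_in seconds from `now` (aware UTC)."""
    if not 1 <= expires_in <= MAX_EXPIRES:
        raise ValueError("X-Amz-Expires must be between 1 second and 7 days")
    date_stamp = now.strftime("%Y%m%d")
    query = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{date_stamp}/{region}/s3/aws4_request",
        "X-Amz-Date": now.strftime("%Y%m%dT%H%M%SZ"),
        "X-Amz-Expires": str(expires_in),
        "X-Amz-SignedHeaders": "host",
    }
    query["X-Amz-Signature"] = _signature(secret, bucket, key, query, region)
    return (f"https://{bucket}.s3.amazonaws.com/{quote(key, safe='/')}?"
            + urlencode(query, quote_via=_aws_quote))


def check_presigned_get(url, at, secret=SECRET_KEY):
    """Return (ok, reason) for a pre-signed GET URL presented at time `at`.

    Mirrors the service-side checks: the window X-Amz-Date + X-Amz-Expires,
    then the signature over bucket, key and query. Any edit to the key or
    the query invalidates the signature.
    """
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    try:
        issued = datetime.strptime(query["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
        issued = issued.replace(tzinfo=timezone.utc)
        expires = int(query["X-Amz-Expires"])
        _, date_stamp, region, service, terminator = query["X-Amz-Credential"].split("/")
    except (KeyError, ValueError):
        return False, "malformed presigned URL"
    if service != "s3" or terminator != "aws4_request" or date_stamp != query["X-Amz-Date"][:8]:
        return False, "malformed credential scope"
    if at >= issued + timedelta(seconds=expires):
        return False, "expired"
    bucket = parts.netloc.split(".s3.")[0]
    key = unquote(parts.path.lstrip("/"))
    presented = query.pop("X-Amz-Signature", "")
    expected = _signature(secret, bucket, key, query, region)
    if not hmac.compare_digest(presented, expected):
        return False, "signature mismatch"
    return True, "ok"
```

The short `expires_in` is the control that matters for the subscription case: a URL that leaks after the window has passed is useless, and a URL whose key was edited to point at another video fails the signature check, so per-user issuance plus a short lifetime is what keeps the content private.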


Question # 251
A company has a set of resources defined in AWS. It is mandated that all API calls to the resources be monitored. Also all API calls must be stored for lookup purposes. Any log data greater than 6 months must be archived. Which of the following meets these requirements? Choose 2 answers from the options given below. Each answer forms part of the solution.
Please select:

  • A. Enable CloudTrail logging in all accounts into S3 buckets
  • B. Enable CloudTrail logging in all accounts into Amazon Glacier
  • C. Ensure a lifecycle policy is defined on the S3 bucket to move the data to Amazon Glacier after 6 months.
  • D. Ensure a lifecycle policy is defined on the S3 bucket to move the data to EBS volumes after 6 months.

Correct answers: A, C

Explanation:
CloudTrail publishes the trail of API logs to an S3 bucket.
Option B is invalid because you cannot put the logs into Glacier from CloudTrail.
Option C is invalid because lifecycle policies cannot be used to move data to EBS volumes.
For more information on CloudTrail logging, please visit the below URL:
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-find-log-files.html
You can then use lifecycle policies to transfer data to Amazon Glacier after 6 months. For more information on S3 lifecycle policies, please visit the below URL:
https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html
The correct answers are: Enable CloudTrail logging in all accounts into S3 buckets. Ensure a lifecycle policy is defined on the bucket to move the data to Amazon Glacier after 6 months.


Question # 252
A company's application team needs to host a MySQL database on AWS. According to the company's security policy, all data that is stored on AWS must be encrypted at rest. In addition, all cryptographic material must be compliant with FIPS 140-2 Level 3 validation.
The application team needs a solution that satisfies the company's security requirements and minimizes operational overhead.
Which solution will meet these requirements?

  • A. Host the database on an Amazon EC2 instance. Use Transparent Data Encryption (TDE) for encryption and key management.
  • B. Host the database on Amazon RDS. Use Amazon Elastic Block Store (Amazon EBS) for encryption. Use an AWS managed CMK in AWS Key Management Service (AWS KMS) for key management.
  • C. Host the database on Amazon RDS. Use Amazon Elastic Block Store (Amazon EBS) for encryption. Use an AWS Key Management Service (AWS KMS) custom key store that is backed by AWS CloudHSM for key management.
  • D. Host the database on an Amazon EC2 instance. Use Amazon Elastic Block Store (Amazon EBS) for encryption. Use a customer managed CMK in AWS Key Management Service (AWS KMS) for key management.

Correct answer: B


Question # 253
A Developer's laptop was stolen. The laptop was not encrypted, and it contained the SSH key used to access multiple Amazon EC2 instances. A Security Engineer has verified that the key has not been used, and has blocked port 22 to all EC2 instances while developing a response plan.
How can the Security Engineer further protect currently running instances?

  • A. Use the modify-instance-attribute API to change the key on any EC2 instance that is using the key.
  • B. Delete the key-pair key from the EC2 console, then create a new key pair.
  • C. Update the key pair in any AMI used to launch the EC2 instances, then restart the EC2 instances.
  • D. Use the EC2 RunCommand to modify the authorized_keys file on any EC2 instance that is using the key.

Correct answer: D

Explanation/Reference: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html#delete-key-pair


Question # 254
A Developer signed in to a new account within an AWS Organizations organizational unit (OU) containing multiple accounts. Access to the Amazon S3 service is restricted with the following SCP:

How can the Security Engineer provide the Developer with Amazon S3 access without affecting other accounts?

  • A. Move the SCP to the root OU of Organizations to remove the restriction to access Amazon S3.
  • B. Create a new OU without applying the SCP restricting S3 access. Move the Developer account to this new OU.
  • C. Add an allow list for the Developer account for the S3 service.
  • D. Add an IAM policy for the Developer, which grants S3 access.

Correct answer: B


Question # 255
You are working in the media industry and you have created a web application where users will be able to upload photos they create to your website. This web application must be able to call the S3 API in order to be able to function. Where should you store your API credentials whilst maintaining the maximum level of security?
Please select:

  • A. Save the API credentials to your PHP files.
  • B. Pass API credentials to the instance using instance userdata.
  • C. Don't save your API credentials, instead create a role in IAM and assign this role to an EC2 instance when you first create it.
  • D. Save your API credentials in a public Github repository.

Correct answer: C

Explanation:
Applications must sign their API requests with AWS credentials. Therefore, if you are an application developer, you need a strategy for managing credentials for your applications that run on EC2 instances. For example, you can securely distribute your AWS credentials to the instances, enabling the applications on those instances to use your credentials to sign requests, while protecting your credentials from other users. However, it's challenging to securely distribute credentials to each instance, especially those that AWS creates on your behalf, such as Spot Instances or instances in Auto Scaling groups. You must also be able to update the credentials on each instance when you rotate your AWS credentials.
IAM roles are designed so that your applications can securely make API requests from your instances, without requiring you to manage the security credentials that the applications use.
Options A, C and D are invalid because using AWS credentials directly in an application in production is not a recommended way to secure access.
For more information on IAM roles, please visit the below URL:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
The correct answer is: Don't save your API credentials. Instead create a role in IAM and assign this role to an EC2 instance when you first create it


Question # 256

  • A. Use an on-premises scanning engine to scan the instances in all three VPCs. Complete the penetration test request form for all three VPCs.
  • B. Deploy a pre-authorized scanning engine from the Marketplace into each VPC, and scan instances in each VPC from the scanning engine in that VPC. Do not complete the penetration test request form.
  • C. Create a VPN connection from the data center to each of the three VPCs. Use an on-premises scanning engine to scan the instances in each VPC. Complete the penetration test request form for all three VPCs.
  • D. Deploy a pre-authorized scanning engine from the AWS Marketplace into VPC B, and use it to scan instances in all three VPCs. Do not complete the penetration test request form.
  • E. Create a VPN connection from the data center to each of the three VPCs. Use an on-premises scanning engine to scan the instances in each VPC. Do not complete the penetration test request form.
  • F. Create a VPN connection from the data center to VPC

Correct answers: B, E


Question # 257
Your company has been using AWS for hosting EC2 Instances for their web and database applications. They want to have a compliance check to see the following:
Whether any ports are left open other than admin ones like SSH and RDP
Whether any ports to the database server other than ones from the web server security group are open
Which of the following can help achieve this in the easiest way possible? You don't want to carry out any extra configuration changes.
Please select:

  • A. AWS Trusted Advisor
  • B. AWS Inspector
  • C. AWS Config
  • D. AWS GuardDuty

Correct answer: A

Explanation:
Trusted Advisor checks for compliance with the following security recommendations:
Limited access to common administrative ports to only a small subset of addresses. This includes ports 22 (SSH), 23 (Telnet), 3389 (RDP), and 5500 (VNC).
Limited access to common database ports. This includes ports 1433 (MSSQL Server), 1434 (MSSQL Monitor), 3306 (MySQL), 1521 (Oracle) and 5432 (PostgreSQL).
Option A is partially correct, but then you would need to write custom rules for this. AWS Trusted Advisor can give you all of these checks on its dashboard.
Option C is incorrect. Amazon Inspector needs a software agent to be installed on all EC2 instances that are included in the assessment target, the security of which you want to evaluate with Amazon Inspector. It monitors the behavior of the EC2 instance on which it is installed, including network, file system, and process activity, and collects a wide set of behavior and configuration data (telemetry), which it then passes to the Amazon Inspector service.
Our question's requirement is to choose an option that is easy to implement. Hence Trusted Advisor is more appropriate for this question.
Option D is invalid because this service does not provide these details.
For more information on Trusted Advisor, please visit the following URL:
https://aws.amazon.com/premiumsupport/trustedadvisor/
The correct answer is: AWS Trusted Advisor


Question # 258
You have several S3 buckets defined in your AWS account. You need to give access to external AWS accounts to these S3 buckets. Which of the following can allow you to define the permissions for the external accounts?
Choose 2 answers from the options given below
Please select:

  • A. IAM users
  • B. Bucket policies
  • C. Bucket ACLs
  • D. IAM policies

Correct answers: B, C

Explanation:
The AWS Security whitepaper gives the type of access control and to what level the control can be given.

Options A and C are incorrect since for external access to buckets, you need to use either bucket policies or bucket ACLs. For more information on security for storage services, please refer to the below URL:
https://d1.awsstatic.com/whitepapers/Security/Security_Storage_Services_Whitepaper.pdf
The correct answers are: Bucket ACLs, Bucket policies


Question # 259
The Security Engineer is given the following requirements for an application that is running on Amazon EC2 and managed by using AWS CloudFormation templates with EC2 Auto Scaling groups:
-Have the EC2 instances bootstrapped to connect to a backend database.
-Ensure that the database credentials are handled securely.
-Ensure that retrievals of database credentials are logged.
Which of the following is the MOST efficient way to meet these requirements?

  • A. Create an AWS Lambda that ingests the database password and persists it to Amazon S3 with server-side encryption. Have the EC2 instances retrieve the S3 object on startup, and log all script invocations to syslog.
  • B. Write a script that is passed in as UserData so that it is executed upon launch of the EC2 instance. Ensure that the instance is configured to log to Amazon CloudWatch Logs.
  • C. Store database passwords in AWS Systems Manager Parameter Store by using SecureString parameters.
    Set the IAM role for the EC2 instance profile to allow access to the parameters.
  • D. Pass databases credentials to EC2 by using CloudFormation stack parameters with the property set to true.
    Ensure that the instance is configured to log to Amazon CloudWatch Logs.

Correct answer: C


Question # 260
Which of the following is the responsibility of the customer? Choose 2 answers from the options given below.
Please select:

  • A. Protection of data in transit
  • B. Encryption of data at rest
  • C. Decommissioning of old storage devices
  • D. Management of the Edge locations

Correct answers: A, B

Explanation:
Below is the snapshot of the Shared Responsibility Model.

For more information on AWS security best practices, please refer to the below URL: awsstatic.com/whitepapers/Security/AWS Practices.
The correct answers are: Encryption of data at rest, Protection of data in transit


Question # 261
A company is using Amazon Elastic Container Service (Amazon ECS) to deploy an application that deals with sensitive data. During a recent security audit, the company identified a security issue in which Amazon RDS credentials were stored with the application code in the company's source code repository. A security engineer needs to develop a solution to ensure that database credentials are stored securely and rotated periodically. The credentials should be accessible to the application only. The engineer also needs to prevent database administrators from sharing database credentials as plaintext with other teammates. The solution must also minimize administrative overhead. Which solution meets these requirements?

  • A. Use AWS Secrets Manager to store database credentials. Use IAM roles for ECS tasks to restrict access to database credentials to specific containers only.
  • B. Use AWS Secrets Manager to store database credentials. Use an IAM inline policy for ECS tasks to restrict access to database credentials to specific containers only.
  • C. Use the AWS Systems Manager Parameter Store to store database credentials. Use IAM roles for ECS tasks to restrict access to database credentials to specific containers only.
  • D. Use the AWS Systems Manager Parameter Store to generate database credentials. Use an IAM profile for ECS tasks to restrict access to database credentials to specific containers only.

Correct answer: A


Question # 262
A user has created a VPC with public and private subnets using the VPC wizard. The VPC has CIDR 20.0.0.0/16. The public subnet uses CIDR 20.0.1.0/24. The user is planning to host a web server in the public subnet with port 80 and a database server in the private subnet with port 3306. The user is configuring a security group for the public subnet (WebSecGrp) and the private subnet (DBSecGrp). Which of the below mentioned entries is required in the private subnet database security group DBSecGrp?
Please select:

  • A. Allow Inbound on port 3306 from source 20.0.0.0/16
  • B. Allow Outbound on port 80 for Destination NAT Instance IP
  • C. Allow Outbound on port 3306 for Destination Web Server Security Group WebSecGrp.
  • D. Allow Inbound on port 3306 for Source Web Server Security Group WebSecGrp.

Correct answer: D

Explanation:
Since the web server needs to talk to the database server on port 3306, the database server should allow incoming traffic on port 3306. The below table from the AWS documentation shows how the security groups should be set up.

Option B is invalid because you need to allow incoming access for the database server from the WebSecGrp security group.
Options C and D are invalid because you need to allow outbound traffic and not inbound traffic.
For more information on security groups, please visit the below link:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html
The correct answer is: Allow Inbound on port 3306 for Source Web Server Security Group WebSecGrp.


Question # 263
A company is collecting AWS CloudTrail log data from multiple AWS accounts by managing individual trails in each account and forwarding log data to a centralized Amazon S3 bucket residing in a log archive account.
After CloudTrail introduced support for AWS Organizations trails, the company decided to further centralize management and automate deployment of the CloudTrail logging capability across all of its AWS accounts.
The company's security engineer created an AWS Organizations trail in the master account, enabled server-side encryption with AWS KMS managed keys (SSE-KMS) for the log files, and specified the same bucket as the storage location. However, the engineer noticed that logs recorded by the new trail were not delivered to the bucket.
Which factors could cause this issue? (Select TWO.)

  • A. The CMK key policy does not allow CloudTrail to make encrypt and decrypt API calls against the key.
  • B. The CMK key policy does not allow the IAM role used by the CloudTrail trail to use the key for cryptographic operations.
  • C. The IAM role used by the CloudTrail trail does not have permissions to make PutObject API calls against a folder created for the Organizations trail.
  • D. The CMK key policy does not allow CloudTrail to make GenerateDataKey API calls against the key.
  • E. The S3 bucket policy does not allow CloudTrail to make PutObject API calls against a folder created for the Organizations trail.

Correct answers: A, E


Question # 264
You have been given a new brief from your supervisor for a client who needs a web application set up on AWS. The most important requirement is that MySQL must be used as the database, and this database must not be hosted in the public cloud, but rather at the client's data center due to security risks. Which of the following solutions would be the best to assure that the client's requirements are met? Choose the correct answer from the options below.
Please select:

  • A. Use the public subnet for the application server and use RDS with a storage gateway to access and synchronize the data securely from the local data center.
  • B. Build the application server on a public subnet and the database at the client's data center. Connect them with a VPN connection which uses IPsec.
  • C. Build the application server on a public subnet and build the database in a private subnet with a secure ssh connection to the private subnet from the client's data center.
  • D. Build the application server on a public subnet and the database on a private subnet with a NAT instance between them.

Correct answer: B

Explanation:
Since the database should not be hosted on the cloud, all other options are invalid.
The best option is to create a VPN connection for securing traffic, as shown below.

Option B is invalid because this is the incorrect use of the Storage Gateway. Option C is invalid since this is the incorrect use of the NAT instance. Option D is invalid since this is an incorrect configuration.
For more information on VPN connections, please visit the below URL:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html
The correct answer is: Build the application server on a public subnet and the database at the client's data center. Connect them with a VPN connection which uses IPsec


Question # 265
An application has a requirement to be resilient across not only Availability Zones within the application's primary region but also be available within another region altogether.
Which of the following supports this requirement for AWS resources that are encrypted by AWS KMS?

  • A. Configure AWS KMS to automatically synchronize the CMK between regions so that it can be used to decrypt the resource in the target region.
  • B. Use AWS services that replicate data across regions, and re-wrap the data encryption key created in the source region by using the CMK in the target region so that the target region's CMK can decrypt the database encryption key.
  • C. Configure the target region's AWS service to communicate with the source region's AWS KMS so that it can decrypt the resource in the target region.
  • D. Copy the application's AWS KMS CMK from the source region to the target region so that it can be used to decrypt the resource after it is copied to the target region.

Correct answer: B


Question # 266
The Security Engineer created a new AWS Key Management Service (AWS KMS) key with the following key policy:

What are the effects of the key policy? (Choose two.)

  • A. The policy allows access for the AWS account 111122223333 to manage key access though IAM policies.
  • B. The policy allows all IAM users in account 111122223333 to have full access to the KMS key.
  • C. The policy allows all IAM roles in account 111122223333 to have full access to the KMS key.
  • D. The policy allows the root user in account 111122223333 to have full access to the KMS key.
  • E. The policy allows the KMS service-linked role in account 111122223333 to have full access to the KMS key.

Correct answers: A, B


Question # 267
There is a set of EC2 Instances in a private subnet. The application hosted on these EC2 Instances needs to access a DynamoDB table. It needs to be ensured that traffic does not flow out to the internet. How can this be achieved?
Please select:

  • A. Use a VPC gateway from the VPC
  • B. Use a VPC endpoint to the DynamoDB table
  • C. Use a VPN connection from the VPC
  • D. Use a VPC Peering connection to the DynamoDB table

Correct answer: B

Explanation:
The following diagram from the AWS documentation shows how you can access the DynamoDB service from within a VPC without going to the Internet. This can be done with the help of a VPC endpoint.

Option B is invalid because this is used for connection between an on-premise solution and AWS. Option C is invalid because there is no such option. Option D is invalid because this is used to connect 2 VPCs.
For more information on VPC endpoints for DynamoDB, please visit the URL:
The correct answer is: Use a VPC endpoint to the DynamoDB table


Question # 268
You have an Amazon VPC that has a private subnet and a public subnet in which you have a NAT instance server. You have created a group of EC2 instances that configure themselves at startup by downloading a bootstrapping script from S3 that deploys an application via Git.
Which one of the following setups would give us the highest level of security?
Choose the correct answer from the options given below.
Please select:

  • A. EC2 instance in our private subnet, assigned EIPs, and route our outgoing traffic via our IGW
  • B. EC2 instances in our public subnet, assigned EIPs, and route outgoing traffic via the NAT
  • C. EC2 instances in our public subnet, no EIPs, route outgoing traffic via the IGW
  • D. EC2 instances in our private subnet, no EIPs, route outgoing traffic via the NAT

Correct answer: D

Explanation:
The below diagram shows how the NAT instance works. To make EC2 instances very secure, they need to be in a private subnet, such as the database server shown below, with no EIP and all traffic routed via the NAT.

Options A and B are invalid because the instances need to be in the private subnet. Option C is invalid because, since the instance needs to be in the private subnet, you should not attach an EIP to the instance.
For more information on NAT instances, please refer to the below link:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html
The correct answer is: EC2 instances in our private subnet, no EIPs, route outgoing traffic via the NAT


Question # 269
A company has a legacy application that outputs all logs to a local text file. Logs from all applications running on AWS must be continually monitored for security related messages.
What can be done to allow the company to deploy the legacy application on Amazon EC2 and still meet the monitoring requirement?
Please select:

  • A. Send the local text log files to CloudWatch Logs and configure a CloudWatch metric filter. Trigger cloudwatch alarms based on the metrics.
  • B. Create a Lambda function that mounts the EBS volume with the logs and scans the logs for security incidents. Trigger the function every 5 minutes with a scheduled Cloudwatch event.
  • C. Install the Amazon Inspector agent on any EC2 instance running the legacy application. Generate CloudWatch alerts based on any Amazon Inspector findings.
  • D. Export the local text log files to CloudTrail. Create a Lambda function that queries the CloudTrail logs for security incidents using Athena.

Correct answer: A

Explanation:
One can send the log files to CloudWatch Logs. Log files can also be sent from on-premise servers. You can then specify metrics to search the logs for any specific values, and then create alarms based on these metrics.
Option A is invalid because this will be just a long, overdrawn process to achieve this requirement.
Option C is invalid because AWS Inspector cannot be used to monitor for security related messages.
Option D is invalid because files cannot be exported to AWS CloudTrail.
For more information on the CloudWatch Logs agent, please visit the below URL:
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/QuickStartEC2Instance.html
The correct answer is: Send the local text log files to CloudWatch Logs and configure a CloudWatch metric filter. Trigger CloudWatch alarms based on the metrics.


Question # 270
Your company has mandated that all data in AWS be encrypted at rest. How can you achieve this for EBS volumes? Choose 2 answers from the options given below
Please select:

  • A. Use Windows bit locker for EBS volumes on Windows instances
  • B. Use TrueEncrypt for EBS volumes on Linux instances
  • C. Boot EBS volume can be encrypted during launch without using custom AMI
  • D. Use AWS Systems Manager to encrypt the existing EBS volumes

Correct answers: A, B

Explanation:
EBS encryption can be enabled when the volume is created, and not for existing volumes. One can use existing tools for OS-level encryption.
Option C is incorrect.
AWS Systems Manager is a management service that helps you automatically collect software inventory, apply OS patches, create system images, and configure Windows and Linux operating systems.
Option D is incorrect.
You cannot choose to encrypt a non-encrypted boot volume on instance launch. To have encrypted boot volumes during launch, your custom AMI must have its boot volume encrypted before launch.
For more information on the Security Best Practices, please visit the following URL:
.com/whit Security Practices.
The correct answers are: Use Windows BitLocker for EBS volumes on Windows instances. Use TrueEncrypt for EBS volumes on Linux instances


Question # 271
You are devising a policy to allow users to have the ability to access objects in a bucket called appbucket. You define the below custom bucket policy:

But when you try to apply the policy you get the error "Action does not apply to any resource(s) in statement." What should be done to rectify the error?
Please select:

  • A. Create the bucket "appbucket" and then apply the policy.
  • B. Change the IAM permissions by applying PutBucketPolicy permissions.
  • C. Change the Resource section to "arn:aws:s3:::appbucket/*".
  • D. Verify that the policy has the same name as the bucket name. If not, make it the same.

Correct answer: C

Explanation:
When you define access to objects in a bucket, you need to ensure that you specify which objects in the bucket access needs to be given to. In this case, the * can be used to assign the permission to all objects in the bucket.
Option A is invalid because the right permissions are already provided as per the question requirement. Option B is invalid because it is not necessary that the policy has the same name as the bucket. Option D is invalid because this should be the default flow for applying the policy.
For more information on bucket policies, please visit the below URL:
https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
The correct answer is: Change the Resource section to "arn:aws:s3:::appbucket/*"
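The error in this question comes from a mismatch between the level of the action and the shape of the resource ARN: object actions such as s3:GetObject need an object ARN (bucket-arn/* or bucket-arn/key), while bucket actions such as s3:ListBucket need the bare bucket ARN. The following added example (not part of the original question bank, and not an AWS tool) is a small policy linter that catches both mismatches before the policy is submitted, plus a fixer that appends /* to bucket ARNs in object-only statements. The policy it runs on is constructed from the question text, since the page's own policy image is not available; the action sets it knows about are a representative subset, not the full S3 action list.

```python
import json

# S3 actions that operate on objects; they need an object ARN (arn:aws:s3:::bucket/key-or-*)
OBJECT_ACTIONS = {
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:GetObjectAcl",
    "s3:PutObjectAcl", "s3:GetObjectVersion", "s3:DeleteObjectVersion",
}
# S3 actions that operate on the bucket itself; they need the bare bucket ARN
BUCKET_ACTIONS = {
    "s3:ListBucket", "s3:GetBucketPolicy", "s3:PutBucketPolicy",
    "s3:GetBucketLocation", "s3:GetBucketAcl", "s3:DeleteBucket",
}
S3_PREFIX = "arn:aws:s3:::"

# Constructed policy modelled on the question: an object action on a bucket ARN.
BROKEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadObjects", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::appbucket"},
        {"Sid": "ListBucket", "Effect": "Allow", "Principal": "*",
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::appbucket"},
    ],
})


def _as_list(value):
    # IAM allows Action, Resource and Statement as a single value or a list
    return value if isinstance(value, list) else [value]


def _is_object_arn(arn):
    return arn.startswith(S3_PREFIX) and "/" in arn[len(S3_PREFIX):]


def _resource_covers(arn, wants_object):
    # "*" matches everything; otherwise the ARN shape must match the action level
    return arn == "*" or _is_object_arn(arn) == wants_object


def lint_bucket_policy(policy_json):
    """Return one finding per action whose resource level does not match.

    Wildcard actions such as s3:* or s3:Get* are not classified and pass through.
    """
    findings = []
    for idx, st in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        resources = _as_list(st.get("Resource", []))
        label = st.get("Sid", f"statement {idx}")
        for action in _as_list(st.get("Action", [])):
            if action in OBJECT_ACTIONS and not any(_resource_covers(r, True) for r in resources):
                findings.append(f"{label}: {action} is an object action but no object resource "
                                f"(bucket-arn/*) is listed; S3 rejects this with "
                                f"'Action does not apply to any resource(s) in statement'")
            elif action in BUCKET_ACTIONS and not any(_resource_covers(r, False) for r in resources):
                findings.append(f"{label}: {action} is a bucket action but only object "
                                f"resources are listed")
    return findings


def fix_object_resources(policy_json):
    """Append /* to bucket ARNs in statements whose actions are all object actions.

    Statements that mix bucket and object actions are left alone: they need both
    ARNs listed, which is a decision for the policy author, not an automatic fix.
    """
    policy = json.loads(policy_json)
    for st in _as_list(policy["Statement"]):
        actions = _as_list(st.get("Action", []))
        if not actions or not all(a in OBJECT_ACTIONS for a in actions):
            continue
        original = st.get("Resource", [])
        fixed = [r + "/*" if r.startswith(S3_PREFIX) and not _is_object_arn(r) else r
                 for r in _as_list(original)]
        st["Resource"] = fixed if isinstance(original, list) else fixed[0]
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for finding in lint_bucket_policy(BROKEN_POLICY):
        print(finding)
    print(fix_object_resources(BROKEN_POLICY))
```

Running the linter over the constructed policy reports only the ReadObjects statement; the ListBucket statement is correct as written, which is why the fix is to widen the Resource to arn:aws:s3:::appbucket/* rather than to change the action.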


Question # 272
A company plans to use custom AMIs to launch Amazon EC2 instances across multiple AWS accounts in a single Region to perform security monitoring and analytics tasks. The EC2 instances are launched in EC2 Auto Scaling groups. To increase the security of the solution, a Security Engineer will manage the lifecycle of the custom AMIs in a centralized account and will encrypt them with a centrally managed AWS KMS CMK. The Security Engineer configured the KMS key policy to allow cross-account access. However, the EC2 instances are still not being properly launched by the EC2 Auto Scaling groups.
Which combination of configuration steps should the Security Engineer take to ensure the EC2 Auto Scaling groups have been granted the proper permissions to execute tasks?

  • A. Create a customer-managed CMK or an AWS managed CMK in the centralized account. Allow other applicable accounts to use that key for cryptographical operations by applying proper cross-account permissions in the key policy. Use the CMK administrator to create a CMK grant that includes permissions to perform cryptographical operations that define EC2 Auto Scaling service-linked roles from all other accounts as the grantee principal.
  • B. Create a customer-managed CMK or an AWS managed CMK in the centralized account. Allow other applicable accounts to use that key for cryptographical operations by applying proper cross-account permissions in the key policy. Modify the access policy for the EC2 Auto Scaling roles to perform cryptographical operations against the centrally managed CMK.
  • C. Create a customer-managed CMK in the centralized account. Allow other applicable accounts to use that key for cryptographical operations by applying proper cross-account permissions in the key policy. Create an IAM role in all applicable accounts and configure its access policy to allow the use of the centrally managed CMK for cryptographical operations. Configure EC2 Auto Scaling groups within each applicable account to use the created IAM role to launch EC2 instances.
  • D. Create a customer-managed CMK in the centralized account. Allow other applicable accounts to use that key for cryptographical operations by applying proper cross-account permissions in the key policy. Create an IAM role in all applicable accounts and configure its access policy with permissions to create grants for the centrally managed CMK. Use this IAM role to create a grant for the centrally managed CMK with permissions to perform cryptographical operations and with the EC2 Auto Scaling service-linked role defined as the grantee principal.

Correct answer: D


Question # 273
You are hosting a website via static website hosting on an S3 bucket, http://demo.s3-website-us-east-1.amazonaws.com. Some of your web pages use JavaScript that accesses resources in another bucket which also has website hosting enabled. When users access these web pages, they get a blocked JavaScript error. How can you rectify this?
Please select:

  • A. Enable CRR for the bucket
  • B. Enable CORS for the bucket
  • C. Enable MFA for the bucket
  • D. Enable versioning for the bucket

Correct answer: B

Explanation:
Such a scenario is also given in the AWS documentation under Cross-Origin Resource Sharing: Use-case Scenarios. The following are example scenarios for using CORS:
* Scenario 1: Suppose that you are hosting a website in an Amazon S3 bucket named website as described in Hosting a Static Website on Amazon S3. Your users load the website endpoint http://website.s3-website-us-east-1.amazonaws.com. Now you want to use JavaScript on the webpages that are stored in this bucket to be able to make authenticated GET and PUT requests against the same bucket by using the Amazon S3 API endpoint for the bucket, website.s3.amazonaws.com. A browser would normally block JavaScript from allowing those requests, but with CORS you can configure your bucket to explicitly enable cross-origin requests from website.s3-website-us-east-1.amazonaws.com.
* Scenario 2: Suppose that you want to host a web font from your S3 bucket. Again, browsers require a CORS check (also called a preflight check) for loading web fonts. You would configure the bucket that is hosting the web font to allow any origin to make these requests.
Versioning is invalid because it only creates multiple versions of an object and can help with accidental deletion of objects. MFA is invalid because it is used as an extra measure of caution for deletion of objects. CRR is invalid because it is used for cross-region replication of objects. For more information on Cross-Origin Resource Sharing, please visit the following URL:
* https://docs.aws.amazon.com/AmazonS3/latest/dev/cors.html
The correct answer is: Enable CORS for the bucket
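The two scenarios above differ only in how tightly the CORS rule is scoped. The following added example (not code from the page or from AWS) evaluates a browser's cross-origin request against an S3-style CORS configuration using the documented S3 matching rules: the first CORSRule whose AllowedOrigins matches the Origin, whose AllowedMethods contains the method, and whose AllowedHeaders covers every requested header wins. The bucket configuration and the request values are constructed for illustration.

```python
"""Evaluate cross-origin requests against an S3-style CORS configuration.

Added illustration, not AWS code. The rule selection mirrors the S3 docs:
rules are checked in order and the first full match is used; no match
means the browser blocks the JavaScript request.
"""
import json

# Constructed configuration for the bucket "website": rule 1 covers the
# authenticated GET/PUT scenario from the website origin only, rule 2
# covers the web-font scenario (any origin, GET only).
WEBSITE_CORS = json.loads("""
{"CORSRules": [
  {"AllowedOrigins": ["http://website.s3-website-us-east-1.amazonaws.com"],
   "AllowedMethods": ["GET", "PUT"],
   "AllowedHeaders": ["Authorization", "x-amz-*"],
   "MaxAgeSeconds": 3000},
  {"AllowedOrigins": ["*"],
   "AllowedMethods": ["GET"],
   "AllowedHeaders": []}
]}""")


def _wildcard_match(pattern, value):
    """S3 permits at most one '*' in an AllowedOrigin/AllowedHeader element."""
    if pattern.count("*") > 1:
        raise ValueError("at most one '*' allowed in pattern: %r" % pattern)
    pattern, value = pattern.lower(), value.lower()
    if "*" not in pattern:
        return pattern == value
    head, tail = pattern.split("*")
    return (len(value) >= len(head) + len(tail)
            and value.startswith(head) and value.endswith(tail))


def evaluate_cors(config, origin, method, request_headers=()):
    """Return (allowed, index_of_matching_rule_or_None) for a request."""
    for index, rule in enumerate(config["CORSRules"]):
        if not any(_wildcard_match(o, origin) for o in rule["AllowedOrigins"]):
            continue  # origin not permitted by this rule
        if method.upper() not in rule["AllowedMethods"]:
            continue  # method not permitted by this rule
        allowed_headers = rule.get("AllowedHeaders", [])
        if not all(any(_wildcard_match(a, h) for a in allowed_headers)
                   for h in request_headers):
            continue  # a requested header is not covered by this rule
        return True, index
    return False, None


if __name__ == "__main__":
    site = "http://website.s3-website-us-east-1.amazonaws.com"
    print(evaluate_cors(WEBSITE_CORS, site, "PUT", ["Authorization"]))  # (True, 0)
    print(evaluate_cors(WEBSITE_CORS, "http://other.example", "PUT"))     # (False, None)
```

Note that the wildcard rule still refuses the PUT from a foreign origin: the font rule only ever grants GET, which is the point of keeping the authenticated methods on the narrowly scoped rule.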


Question # 274
A company is running an application on Amazon EC2 instances in an Auto Scaling group. The application stores logs locally. A security engineer noticed that logs were lost after a scale-in event. The security engineer needs to recommend a solution to ensure the durability and availability of log data. All logs must be kept for a minimum of 1 year for auditing purposes.
What should the security engineer recommend?

  • A. Build the Amazon CloudWatch agent into the AMI used in the Auto Scaling group. Configure the CloudWatch agent to send the logs to Amazon CloudWatch Logs for review.
  • B. Create an Amazon Elastic File System (Amazon EFS) file system and add a command in the user data section of the Auto Scaling launch template to mount the EFS file system during EC2 instance creation. Configure a process on the instance to copy the logs once a day from an instance Amazon Elastic Block Store (Amazon EBS) volume to a directory in the EFS file system.
  • C. Within the Auto Scaling lifecycle, add a hook to create and attach an Amazon Elastic Block Store (Amazon EBS) log volume each time an EC2 instance is created. When the instance is terminated, the EBS volume can be reattached to another instance for log review.
  • D. Within the Auto Scaling lifecycle, add a lifecycle hook at the terminating state transition and alert the engineering team by using a lifecycle notification to Amazon Simple Notification Service (Amazon SNS). Configure the hook to remain in the Terminating:Wait state for 1 hour to allow manual review of the security logs prior to instance termination.

Correct answer: B


Question # 275
......

Get the latest! AWS-Security-Specialty certification practice test questions: https://www.goshiken.com/Amazon/AWS-Security-Specialty-mondaishu.html

Real AWS-Security-Specialty exam questions and answers in a valid AWS-Security-Specialty question bank PDF: https://drive.google.com/open?id=1QV9VhTEzbdg2yIem1X0QAKVBHJEyC2PT