GoShiken AWS-Security-Specialty practice question PDF with 100% pass guarantee
AWS-Security-Specialty practice questions: 530 questions from the latest real exam as of 11 February 2022
Question 290
AWS CloudTrail is being used to monitor API calls in an organization. An audit revealed that CloudTrail is failing to deliver events to Amazon S3 as expected.
What initial actions should be taken to allow delivery of CloudTrail events to S3? (Select two.)
- A. Verify that the S3 bucket defined in CloudTrail exists.
- B. Verify that the log file prefix defined in CloudTrail exists in the S3 bucket.
- C. Remove any lifecycle policies on the S3 bucket that are archiving objects to Amazon Glacier.
- D. Verify that the IAM role used by CloudTrail has access to write to Amazon CloudWatch Logs.
- E. Verify that the S3 bucket policy allows CloudTrail to write objects.
Correct answer: A, E
Explanation:
CloudTrail can only deliver log files if the target bucket exists and its bucket policy grants the CloudTrail service principal s3:GetBucketAcl on the bucket and s3:PutObject on the log prefix (with the bucket-owner-full-control ACL condition). The prefix does not have to exist beforehand (CloudTrail creates the key path on delivery), lifecycle transitions of old objects do not block new writes, and the CloudWatch Logs role is only used for delivery to CloudWatch Logs, not to S3.
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html
Question 291
Which of the following bucket policies will ensure that objects being uploaded to a bucket called 'demo' are encrypted?
Correct answer:
Explanation:
The correct policy denies s3:PutObject unless the request carries the "s3:x-amz-server-side-encryption": "aws:kms" header, so every object uploaded must be encrypted with SSE-KMS.
Options B, C and D are invalid because they do not enforce the condition on "s3:x-amz-server-side-encryption": "aws:kms". For more information on AWS KMS best practices, browse to the below URL:
https://d1.awsstatic.com/whitepapers/aws-kms-best-practices.pdf
Question 292
Your company has created a set of keys using the AWS KMS service. They need to ensure that each key is only used for certain services. For example, they want one key to be used only for the S3 service. How can this be achieved?
- A. Create a bucket policy that allows the key to be accessed by only the S3 service.
- B. Create an IAM policy that allows the key to be accessed by only the S3 service.
- C. Use the kms:ViaService condition in the key policy.
- D. Define an IAM user, allocate the key and then assign the permissions to the required service.
Correct answer: C
Explanation:
Options A and B are invalid because mapping keys to services cannot be done via either an IAM policy or a bucket policy. Option D is invalid because keys for IAM users cannot be assigned to services. This is mentioned in the AWS documentation: the kms:ViaService condition key limits use of a customer managed CMK to requests from particular AWS services. (AWS managed CMKs in your account, such as aws/s3, are always restricted to the AWS service that created them.) For example, you can use kms:ViaService to allow a user to use a customer managed CMK only for requests that Amazon S3 makes on their behalf, or to deny the user permission to a CMK when a request on their behalf comes from AWS Lambda.
For more information on key policies for KMS please visit the following URL:
https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html
Question 293
In order to encrypt data in transit for a connection to an AWS RDS instance, which of the following would you implement?
- A. Data keys from AWS KMS
- B. Data keys from CloudHSM
- C. SSL from your application
- D. Transparent data encryption
Correct answer: C
Explanation:
This is mentioned in the AWS documentation:
You can use SSL from your application to encrypt a connection to a DB instance running MySQL, MariaDB, Amazon Aurora, SQL Server, Oracle, or PostgreSQL.
Option D is incorrect since Transparent Data Encryption protects data at rest, not in transit. Options A and B are incorrect since KMS and CloudHSM data keys are used for encryption of data at rest. For more information on working with RDS and SSL, please refer to the below URL:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html
Question 294
A company wants to establish separate AWS Key Management Service (AWS KMS) keys to use for different AWS services. The company's security engineer created the following key policy to allow the infrastructure deployment team to create encrypted Amazon Elastic Block Store (Amazon EBS) volumes by assuming the InfrastructureDeployment IAM role:
The security engineer recently discovered that IAM roles other than the InfrastructureDeployment role used this key for other services. Which change to the policy should the security engineer make to resolve these issues?
- A. In the policy document, remove the statement block that contains the Sid "Enable IAM User Permissions". Add key management policies to the KMS policy.
- B. In the statement block that contains the Sid "Allow use of the key", under the "Condition" block, change StringEquals to StringLike.
- C. In the statement block that contains the Sid "Allow use of the key", under the "Condition" block, change the kms:ViaService value to ec2.us-east-1.amazonaws.com.
- D. In the policy document, add a new statement block that grants the kms:Disable* permission to the security engineer's IAM role.
Correct answer: C
Explanation:
Restricting kms:ViaService to the EC2 endpoint for the Region means the key can only be used for requests that EC2 makes on the role's behalf, such as creating encrypted EBS volumes; requests routed through other services no longer match the condition. Loosening StringEquals to StringLike (B) widens rather than narrows access, and A and D do not restrict which service may use the key.
Question 295
You have been given a new brief from your supervisor for a client who needs a web application set up on AWS. The most important requirement is that MySQL must be used as the database, and this database must not be hosted in the public cloud, but rather at the client's data center due to security risks. Which of the following solutions would be the best to assure that the client's requirements are met? Choose the correct answer from the options below.
- A. Use the public subnet for the application server and use RDS with a storage gateway to access and synchronize the data securely from the local data center.
- B. Build the application server on a public subnet and the database at the client's data center. Connect them with a VPN connection which uses IPsec.
- C. Build the application server on a public subnet and build the database in a private subnet with a secure SSH connection to the private subnet from the client's data center.
- D. Build the application server on a public subnet and the database on a private subnet with a NAT instance between them.
Correct answer: B
Explanation:
Since the database must not be hosted in the cloud, all other options are invalid. The best option is to create an IPsec VPN connection between the VPC and the client's data center, so traffic between the application server and the on-premises database is encrypted in transit.
Option A is invalid because this is an incorrect use of Storage Gateway, and RDS would host the database in the cloud. Option C is invalid because the database would still be in the cloud, and SSH is not a way to connect a subnet to a data center. Option D is invalid because the database would again be in the cloud, and a NAT instance provides outbound internet access, not connectivity to the data center. For more information on VPN connections, please visit the below URL:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html
Question 296
An organization is using AWS CloudTrail, Amazon CloudWatch Logs, and Amazon CloudWatch to send alerts when new access keys are created. However, the alerts are no longer appearing in the Security Operations mailbox.
Which of the following actions would resolve this issue?
- A. In Amazon SNS, determine whether the "Account spend limit" has been reached for this alert.
- B. In CloudWatch, verify that the alarm threshold "consecutive periods" value is equal to, or greater than 1.
- C. In SNS, ensure that the subscription used by these alerts has not been deleted.
- D. In CloudTrail, verify that the trail logging bucket has a log prefix configured.
Correct answer: C
Explanation:
The pipeline is CloudTrail to CloudWatch Logs metric filter to CloudWatch alarm to SNS topic to e-mail subscription. When alerts that used to arrive have stopped, the most likely break is a deleted (or unconfirmed) SNS subscription. The SNS spend limit applies only to SMS delivery, a "consecutive periods" value is always at least 1, and the CloudTrail log prefix has nothing to do with alarm delivery.
Question 297
An employee keeps terminating EC2 instances in the production environment. You've determined that the best way to ensure this doesn't happen is to add an extra layer of defense against terminating the instances. What is the best method to ensure the employee does not terminate the production instances? Choose the 2 correct answers from the options below.
- A. Tag the instance with a production-identifying tag and modify the employee's group to allow only the start, stop, and reboot API calls and not the terminate instance call.
- B. Tag the instance with a production-identifying tag and add resource-level permissions to the employee user with an explicit deny on the terminate API call to instances with the production tag.
- C. Modify the IAM policy on the user to require MFA before deleting EC2 instances.
- D. Modify the IAM policy on the user to require MFA before deleting EC2 instances and disable MFA access for the employee.
Correct answer: A, B
Explanation:
Tags enable you to categorize your AWS resources in different ways, for example, by purpose, owner, or environment. This is useful when you have many resources of the same type: you can quickly identify a specific resource based on the tags you've assigned to it. Each tag consists of a key and an optional value, both of which you define. In an IAM policy the tag is matched with the ec2:ResourceTag/<key> condition key, so the explicit deny in option B applies only to production-tagged instances. Options C and D are incorrect because they will not ensure that the employee cannot terminate the instance.
For more information on tagging resources please refer to the below URL:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html
Question 298
A company will store sensitive documents in three Amazon S3 buckets based on a data classification scheme of "Sensitive," "Confidential," and "Restricted." The security solution must meet all of the following requirements:
Each object must be encrypted using a unique key.
Items that are stored in the "Restricted" bucket require two-factor authentication for decryption.
AWS KMS must automatically rotate encryption keys annually.
Which of the following meets these requirements?
- A. Create a CMK grant for each data classification type with EnableKeyRotation and MultiFactorAuthPresent set to true. S3 can then use the grants to encrypt each object with a unique CMK.
- B. Create a Customer Master Key (CMK) for each data classification type, and enable the rotation of it annually. For the "Restricted" CMK, define the MFA policy within the key policy. Use S3 SSE-KMS to encrypt the objects.
- C. Create a CMK for each data classification type, and within the CMK policy, enable rotation of it annually, and define the MFA policy. S3 can then create DEK grants to uniquely encrypt each object within the S3 bucket.
- D. Create a CMK with unique imported key material for each data classification type, and rotate them annually. For the "Restricted" key material, define the MFA policy in the key policy. Use S3 SSE-KMS to encrypt the objects.
Correct answer: B
Explanation:
SSE-KMS already generates a unique data key for every object under the bucket's CMK, automatic annual rotation is a property of a KMS-generated CMK (it is not available for imported key material, which rules out D), and MFA is enforced with an aws:MultiFactorAuthPresent condition in the key policy. Rotation is not something a grant or a key policy statement can enable, which rules out A and C.
Question 299
A company is migrating its legacy workloads to AWS. The current security information and event management (SIEM) system that analyzes logs is aging, and different SIEM systems are being evaluated to replace it. The company wants to change SIEMs without re-architecting the solution.
What should the Security Engineer do to accomplish this with minimal operational impact?
- A. Select a pay-per-use SIEM in the AWS Marketplace. Deploy the AMI in each workload to provide elasticity when required. Use Amazon Athena to send real-time alerts.
- B. Prepare an AMI with the SIEM log forwarder agent for each workload, and configure it to send logs to a centralized SIEM located in the Security team AWS account. Configure an Amazon EC2 instance base AMI to forward logs to its local log forwarder agent. Deploy an AMI in each workload.
- C. Configure an Amazon EC2 base AMI to send logs to a local AWS CloudTrail log file. Configure CloudTrail to send logs to Amazon CloudWatch. Set up a central SIEM in the Security team AWS account and configure a puller to get information on CloudWatch.
- D. Configure an Amazon EC2 base AMI with an Amazon Kinesis Agent, and configure it to send to Amazon Kinesis Data Streams in the Security team AWS account. Add an AWS Lambda function at Kinesis Data Streams to push streamed logs to the SIEM.
Correct answer: D
Explanation:
Shipping logs into Kinesis Data Streams decouples the producers from the SIEM: replacing the SIEM only means changing the Lambda consumer, while the agents on the workloads stay untouched. Options A and B tie every workload AMI to a specific SIEM's agent, and CloudTrail (C) records API calls, not application logs.
Question 300
A Security Engineer creates an Amazon S3 bucket policy that denies access to all users. A few days later, the Security Engineer adds an additional statement to the bucket policy to allow read-only access to one other employee. Even after updating the policy, the employee still receives an access denied message.
What is the likely cause of this access denial?
- A. The IAM policy does not allow the user to access the bucket
- B. It takes a few minutes for a bucket policy to take effect
- C. The allow permission is being overridden by the deny
- D. The ACL in the bucket needs to be updated
Correct answer: C
Explanation:
IAM evaluation logic never lets an Allow override an explicit Deny. The original statement denies all principals, so the later Allow for the employee is matched and then discarded; the fix is to narrow the Deny (for example with NotPrincipal or a condition) rather than to add an Allow. Bucket policies take effect immediately, and neither a bucket ACL nor the user's IAM policy can override an explicit deny in the bucket policy.
https://aws.amazon.com/premiumsupport/knowledge-center/s3-access-denied-bucket-policy/
Question 301
Which of the following is used as a secure way to log into an EC2 Linux instance?
- A. Key pairs
- B. AWS access keys
- C. IAM user name and password
- D. AWS SDK keys
Correct answer: A
Explanation:
The AWS documentation mentions the following:
Key pairs consist of a public key and a private key. You use the private key to create a digital signature, and then AWS uses the corresponding public key to validate the signature. Key pairs are used only for Amazon EC2 and Amazon CloudFront.
Options B, C and D are all wrong because these are API or console credentials, not SSH credentials, and are not used to log into EC2 Linux instances. For more information on AWS security credentials, please visit the below URL:
https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html
Question 302
Due to new compliance requirements, a Security Engineer must enable encryption with customer-provided keys on corporate data that is stored in DynamoDB. The company wants to retain full control of the encryption keys.
Which DynamoDB feature should the Engineer use to achieve compliance?
- A. Create a KMS master key. Generate per-record data keys and use them to encrypt data prior to uploading it to DynamoDB. Dispose of the cleartext and encrypted data keys after encryption without storing them.
- B. Enable S3 server-side encryption with the customer-provided keys. Upload the data to Amazon S3, and then use S3Copy to move all data to DynamoDB.
- C. Use the DynamoDB Java encryption client to encrypt data prior to uploading it to DynamoDB.
- D. Use AWS Certificate Manager to request a certificate. Use that certificate to encrypt data prior to uploading it to DynamoDB.
Correct answer: C
Explanation:
The DynamoDB Encryption Client encrypts attribute values on the client side before they are sent to DynamoDB, so the keys stay under the company's control. Option A discards the data keys, which makes the data unrecoverable; options B and D do not apply to DynamoDB.
https://docs.aws.amazon.com/dynamodb-encryption-client/latest/devguide/what-is-ddb-encrypt.html
Question 303
A company stores critical data in an S3 bucket. There is a requirement to ensure that an extra level of security is added to the S3 bucket. In addition, it should be ensured that objects are available in a secondary region if the primary one goes down. Which of the following can help fulfil these requirements? Choose 2 answers from the options given below.
- A. Enable bucket versioning and enable Master Pays
- B. For the bucket policy add a condition for {"Null": {"aws:MultiFactorAuthAge": true}}
- C. Enable bucket versioning and also enable CRR
- D. Enable the bucket ACL and add a condition for {"Null": {"aws:MultiFactorAuthAge": true}}
Correct answer: B, C
Explanation:
The AWS documentation mentions the following:
Adding a Bucket Policy to Require MFA
Amazon S3 supports MFA-protected API access, a feature that can enforce multi-factor authentication (MFA) for access to your Amazon S3 resources. Multi-factor authentication provides an extra level of security you can apply to your AWS environment. It is a security feature that requires users to prove physical possession of an MFA device by providing a valid MFA code. For more information, go to AWS Multi-Factor Authentication. You can require MFA authentication for any requests to access your Amazon S3 resources.
You can enforce the MFA authentication requirement using the aws:MultiFactorAuthAge key in a bucket policy. IAM users can access Amazon S3 resources by using temporary credentials issued by the AWS Security Token Service (STS). You provide the MFA code at the time of the STS request.
When Amazon S3 receives a request with MFA authentication, the aws:MultiFactorAuthAge key provides a numeric value indicating how long ago (in seconds) the temporary credential was created. If the temporary credential provided in the request was not created using an MFA device, this key value is null (absent). In a bucket policy, you can add a condition to check this value, as shown in the following example bucket policy.
The policy denies any Amazon S3 operation on the /taxdocuments folder in the examplebucket bucket if the request is not MFA authenticated. To learn more about MFA authentication, see Using Multi-Factor Authentication (MFA) in AWS in the IAM User Guide.
Option A is invalid because just enabling bucket versioning will not guarantee replication of objects. Option D is invalid because bucket ACLs do not support conditions; the condition needs to be set in the bucket policy. For more information on example bucket policies, please visit the following URL:
https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
Versioning together with Cross-Region Replication ensures that objects will be available in the destination region in case the primary region fails.
For more information on CRR, please visit the following URL:
https://docs.aws.amazon.com/AmazonS3/latest/dev/crr.html
Question 304
The Security Engineer is managing a web application that processes highly sensitive personal information. The application runs on Amazon EC2. The application has strict compliance requirements, which instruct that all incoming traffic to the application is protected from common web exploits and that all outgoing traffic from the EC2 instances is restricted to specific whitelisted URLs.
Which architecture should the Security Engineer use to meet these requirements?
- A. Use AWS Shield to scan inbound traffic for web exploits. Use a third-party AWS Marketplace solution to restrict egress traffic to specific whitelisted URLs.
- B. Use AWS WAF to scan inbound traffic for web exploits. Use VPC Flow Logs and AWS Lambda to restrict egress traffic to specific whitelisted URLs.
- C. Use AWS Shield to scan inbound traffic for web exploits. Use VPC Flow Logs and AWS Lambda to restrict egress traffic to specific whitelisted URLs.
- D. Use AWS WAF to scan inbound traffic for web exploits. Use a third-party AWS Marketplace solution to restrict egress traffic to specific whitelisted URLs.
Correct answer: D
Explanation:
AWS WAF inspects HTTP requests for common web exploits such as SQL injection and cross-site scripting; AWS Shield is DDoS protection and does not inspect requests for exploits. VPC Flow Logs only record traffic metadata after the fact and cannot block by URL, so restricting egress to whitelisted URLs needs a forward proxy, which is available as a third-party AWS Marketplace solution.
Question 305
Your company makes use of S3 buckets for storing data. There is a company policy that all services should have logging enabled. How can you ensure that logging is always enabled for S3 buckets created in the AWS account?
- A. Use AWS CloudWatch Logs to check whether logging is enabled for buckets
- B. Use AWS CloudWatch metrics to check whether logging is enabled for buckets
- C. Use AWS Inspector to inspect all S3 buckets and enable logging for those where it is not enabled
- D. Use AWS Config rules to check whether logging is enabled for buckets
Correct answer: D
Explanation:
This is given in the AWS documentation as an example rule with a configuration change trigger:
1. You add the AWS Config managed rule, S3_BUCKET_LOGGING_ENABLED, to your account to check whether your Amazon S3 buckets have logging enabled.
2. The trigger type for the rule is configuration changes. AWS Config runs the evaluations for the rule when an Amazon S3 bucket is created, changed, or deleted.
3. When a bucket is updated, the configuration change triggers the rule and AWS Config evaluates whether the bucket is compliant against the rule.
Option C is invalid because AWS Inspector cannot be used to scan buckets. Options A and B are invalid because CloudWatch cannot be used to check whether logging is enabled for buckets.
For more information on Config rules please see the below link:
https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config-rules.html
Question 306
One of your company's EC2 instances has been compromised. The company has strict policies requiring a thorough investigation to find the culprit for the security breach. What would you do in this situation? Choose 3 answers from the options given below.
- A. Isolate the machine from the network
- B. Ensure all passwords for all IAM users are changed
- C. Take a snapshot of the EBS volume
- D. Ensure that all access keys are rotated.
- E. Make sure that logs are stored securely for auditing and troubleshooting purposes
Correct answer: A, C, E
Explanation:
Some of the important aspects in such a situation are:
1) First isolate the instance so that no further harm can occur to other AWS resources.
2) Take a snapshot of the EBS volume for further investigation. This is in case you need to shut down the initial instance and do a separate investigation on the data.
3) Next is option E. This indicates that we already have logs, and we need to make sure they are stored securely so that no unauthorised person can access or manipulate them.
Options B and D are invalid because they could have adverse effects for the other IAM users.
For more information on adopting a security framework, please refer to the below URL:
https://d1.awsstatic.com/whitepapers/compliance/NIST Cybersecurity Framework
Note:
In the question we have been asked to take actions to find the culprit, to help the investigation and to further reduce the damage caused by the security breach. Keeping the logs secure is one way of helping the investigation.
Question 307
You are trying to use Systems Manager to patch a set of EC2 systems. Some of the systems are not getting covered in the patching process. Which of the following can be used to troubleshoot the issue? Choose 3 answers from the options given below.
- A. Ensure that the agent is running on the instances.
- B. Check to see if the IAM user has the right permissions for EC2
- C. Check to see if the right role has been assigned to the EC2 instances
- D. Check the instance status by using the Health API.
Correct answer: A, C, D
Explanation:
For ensuring that the instances are configured properly you need to ensure the following:
1) You installed the latest version of the SSM Agent on your instance.
2) Your instance is configured with an AWS Identity and Access Management (IAM) role that enables the instance to communicate with the Systems Manager API.
3) You can use the Amazon EC2 Health API to quickly determine the following information about Amazon EC2 instances: the status of one or more instances, the last time the instance sent a heartbeat value, the version of the SSM Agent, the operating system, the version of the EC2Config service (Windows), and the status of the EC2Config service (Windows).
Option B is invalid because patching runs under the instance profile role, not under an IAM user's permissions. For more information on troubleshooting AWS SSM, please visit the following URL:
https://docs.aws.amazon.com/systems-manager/latest/userguide/troubleshooting-remote-commands.html
Question 308
The Security Engineer is given the following requirements for an application that is running on Amazon EC2 and managed by using AWS CloudFormation templates with EC2 Auto Scaling groups:
-Have the EC2 instances bootstrapped to connect to a backend database.
-Ensure that the database credentials are handled securely.
-Ensure that retrievals of database credentials are logged.
Which of the following is the MOST efficient way to meet these requirements?
- A. Write a script that is passed in as UserData so that it is executed upon launch of the EC2 instance. Ensure that the instance is configured to log to Amazon CloudWatch Logs.
- B. Store database passwords in AWS Systems Manager Parameter Store by using SecureString parameters. Set the IAM role for the EC2 instance profile to allow access to the parameters.
- C. Create an AWS Lambda that ingests the database password and persists it to Amazon S3 with server-side encryption. Have the EC2 instances retrieve the S3 object on startup, and log all script invocations to syslog.
- D. Pass database credentials to EC2 by using CloudFormation stack parameters with the NoEcho property set to true. Ensure that the instance is configured to log to Amazon CloudWatch Logs.
Correct answer: B
Explanation:
SecureString parameters are encrypted with KMS, the instance profile role scopes who may read them, and every GetParameter call is recorded by CloudTrail, which satisfies the logging requirement without custom code. UserData and stack parameters (A, D) expose the credentials in the instance metadata or the template, and option C adds a bespoke distribution path whose retrievals are not centrally logged.
Question 309
What is the result of the following bucket policy?
Choose the correct answer:
- A. It will deny all access to the bucket mybucket
- B. None of these
- C. It will allow the user mark from AWS account number 111111111 all access to the bucket but deny everyone else all access to the bucket
- D. It will allow all access to the bucket mybucket
Correct answer: A
Explanation:
The policy consists of 2 statements: one is the Allow for the user mark on the bucket and the next is the Deny for all users. An explicit deny overrides any allow, so no user, including mark, will have access to the bucket.
Options B, C and D are all invalid because this policy denies all access to the bucket mybucket. For examples of S3 bucket policies, please refer to the below link:
http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
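The policy mechanics behind questions 291, 292, 294, 297, 300, 303 and 309 all reduce to two rules: conditions decide whether a statement applies, and a matching explicit Deny beats any Allow. The following added example (written for this page, not code from AWS or from the question bank) is a small evaluator that models only that subset of the policy language and then runs the policies the questions describe against sample requests. The account number and user mark come from question 309; the role name, instance ARN and object keys are assumptions made up for the demo.

```python
"""Toy evaluator for the policy semantics behind several questions on this page.
Added illustration, not AWS code: it models only the subset of the IAM policy
language these questions use (Allow/Deny, wildcards, a few condition operators)."""
from fnmatch import fnmatchcase


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _glob(patterns, value):
    # Action and Resource fields accept "*" / "?" wildcards; matching is case-insensitive here.
    return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _principal_matches(stmt, principal):
    if "Principal" not in stmt:       # identity-based policy: applies to the caller it is attached to
        return True
    p = stmt["Principal"]
    if p == "*":
        return True
    aws = _as_list(p.get("AWS", []))
    return "*" in aws or principal in aws


def _condition_holds(cond, ctx):
    """ctx maps condition keys to the request's values; a key absent from ctx is "missing"."""
    for operator, pairs in cond.items():
        for key, expected in pairs.items():
            actual, expected = ctx.get(key), _as_list(expected)
            if operator == "StringEquals":
                ok = actual is not None and actual in expected
            elif operator == "StringNotEquals":
                ok = actual is None or actual not in expected     # missing key counts as "not equal"
            elif operator == "Null":
                # "Null": {"key": true} is met only when the key is absent from the request
                ok = (actual is None) == (str(expected[0]).lower() == "true")
            else:
                raise ValueError(f"operator {operator} not modelled")
            if not ok:
                return False
    return True


def evaluate(policies, principal, action, resource, ctx=None):
    """Combine all applicable policies the way AWS does: a matching explicit Deny wins,
    otherwise a matching Allow wins, otherwise the request is implicitly denied."""
    ctx, decision = ctx or {}, "Deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_principal_matches(stmt, principal) and _glob(stmt["Action"], action)
                    and _glob(stmt["Resource"], resource)
                    and _condition_holds(stmt.get("Condition", {}), ctx)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


# Hypothetical identities and ARNs for the demo (only "mark" and the account come from question 309).
MARK = "arn:aws:iam::111111111:user/mark"
APP_ROLE = "arn:aws:iam::111111111:role/AppRole"
INSTANCE = "arn:aws:ec2:us-east-1:111111111:instance/i-0abc"
MYBUCKET = ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"]
IAM_S3_FULL = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
# Question 291: bucket policy that rejects uploads without the SSE-KMS header.
REQUIRE_SSE_KMS = {"Statement": [{"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::demo/*",
    "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}}]}
# Questions 292 and 294: key policy usable only through S3 in us-east-1 (use ec2.<region>... for EBS).
KEY_VIA_S3_ONLY = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": APP_ROLE},
    "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*",
    "Condition": {"StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com"}}}]}
# Question 297: allow lifecycle calls, but explicitly deny terminate on production-tagged instances.
PROD_GUARD = {"Statement": [
    {"Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances",
                                   "ec2:RebootInstances", "ec2:TerminateInstances"], "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*",
     "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "production"}}}]}
# Questions 300 and 309: an Allow for one user does not survive a Deny for everyone.
DENY_ALL_ALLOW_MARK = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": MARK}, "Action": "s3:*", "Resource": MYBUCKET},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": MYBUCKET}]}
# Question 303: deny everything under /taxdocuments unless the credentials were issued with MFA.
REQUIRE_MFA = {"Statement": [{"Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": "arn:aws:s3:::examplebucket/taxdocuments/*",
    "Condition": {"Null": {"aws:MultiFactorAuthAge": "true"}}}]}


def demo():
    """One request per scenario; returns the decisions so they can be checked."""
    sse, prod, tax = [IAM_S3_FULL, REQUIRE_SSE_KMS], [PROD_GUARD], [IAM_S3_FULL, REQUIRE_MFA]
    obj, taxdoc = "arn:aws:s3:::demo/a.txt", "arn:aws:s3:::examplebucket/taxdocuments/2021.pdf"
    prod_tag, stage_tag = {"ec2:ResourceTag/Environment": "production"}, {"ec2:ResourceTag/Environment": "staging"}
    return {
        "upload_without_sse": evaluate(sse, MARK, "s3:PutObject", obj),
        "upload_with_sse": evaluate(sse, MARK, "s3:PutObject", obj, {"s3:x-amz-server-side-encryption": "aws:kms"}),
        "kms_via_s3": evaluate([KEY_VIA_S3_ONLY], APP_ROLE, "kms:Decrypt", "*", {"kms:ViaService": "s3.us-east-1.amazonaws.com"}),
        "kms_via_lambda": evaluate([KEY_VIA_S3_ONLY], APP_ROLE, "kms:Decrypt", "*", {"kms:ViaService": "lambda.us-east-1.amazonaws.com"}),
        "terminate_prod": evaluate(prod, MARK, "ec2:TerminateInstances", INSTANCE, prod_tag),
        "stop_prod": evaluate(prod, MARK, "ec2:StopInstances", INSTANCE, prod_tag),
        "terminate_staging": evaluate(prod, MARK, "ec2:TerminateInstances", INSTANCE, stage_tag),
        "mark_after_deny_all": evaluate([IAM_S3_FULL, DENY_ALL_ALLOW_MARK], MARK, "s3:GetObject", "arn:aws:s3:::mybucket/x"),
        "taxdocs_no_mfa": evaluate(tax, MARK, "s3:GetObject", taxdoc),
        "taxdocs_with_mfa": evaluate(tax, MARK, "s3:GetObject", taxdoc, {"aws:MultiFactorAuthAge": 120}),
    }
```

Two behaviours are worth noticing in the output: `mark_after_deny_all` is "Deny" even though the first statement allows mark, which is the whole point of questions 300 and 309, and a direct `kms:Decrypt` call with no `kms:ViaService` key in the request is denied too, because StringEquals fails when the key is missing. The real service evaluates many more operators and the SCP/permission-boundary layers; those are deliberately not modelled here.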
Question 310
A company's security team has defined a set of AWS Config rules that must be enforced globally in all AWS accounts the company owns. What should be done to provide a consolidated compliance overview for the security team?
- A. Use Amazon GuardDuty to load data results from the AWS Config rules compliance status, aggregate GuardDuty findings of all AWS accounts into one AWS account, and provide role access to the security team.
- B. Consolidate AWS Config rule results with an AWS Lambda function and push data to Amazon SQS. Use Amazon SNS to consolidate and alert when some metrics are triggered.
- C. Use AWS Config aggregation to consolidate the views into one AWS account, and provide role access to the security team.
- D. Use AWS Organizations to limit AWS Config rules to the appropriate Regions, and then consolidate the Amazon CloudWatch dashboard into one AWS account.
Correct answer: C
Question 311
A company wants to deploy a distributed web application on a fleet of EC2 instances. The fleet will be fronted by a Classic Load Balancer that will be configured to terminate the TLS connection. The company wants to make sure that all past and current TLS traffic to the Classic Load Balancer stays secure, even if the certificate private key is leaked.
To ensure the company meets these requirements, a Security Engineer can configure a Classic Load Balancer with:
- A. An HTTPS listener that uses a custom security policy that allows only perfect forward secrecy cipher suites.
- B. An HTTPS listener that uses the latest AWS predefined ELBSecurityPolicy-TLS-1-2-2017-01 security policy.
- C. A TCP listener that uses a custom security policy that allows only perfect forward secrecy cipher suites.
- D. An HTTPS listener that uses a certificate that is managed by AWS Certificate Manager.
Correct answer: A
Explanation:
Perfect forward secrecy comes from ephemeral key exchange (the ECDHE and DHE cipher suites): every session derives its own keys, so a later leak of the certificate's private key cannot decrypt recorded traffic. Only a custom policy restricted to those suites guarantees this. The predefined ELBSecurityPolicy-TLS-1-2-2017-01 still includes RSA key exchange suites such as AES128-GCM-SHA256, a TCP listener does not terminate TLS at the load balancer at all, and ACM only changes who manages the certificate, not how the session keys are negotiated.
Question 312
A Software Engineer wrote a customized reporting service that will run on a fleet of Amazon EC2 instances.
The company security policy states that application logs for the reporting service must be centrally collected.
What is the MOST efficient way to meet these requirements?
- A. Install the Amazon CloudWatch Logs Agent on the EC2 instances, and configure it to send the application logs to CloudWatch Logs.
- B. Write an AWS Lambda function that logs into the EC2 instance to pull the application logs from the EC2 instance and persists them into an Amazon S3 bucket.
- C. Enable AWS CloudTrail logging for the AWS account, create a new Amazon S3 bucket, and then configure Amazon CloudWatch Logs to receive the application logs from CloudTrail.
- D. Create a simple cron job on the EC2 instances that synchronizes the application logs to an Amazon S3 bucket by using rsync.
Correct answer: A
Explanation:
The CloudWatch Logs agent ships application log files to CloudWatch Logs continuously with no custom code. CloudTrail records API calls, not application logs (C), and a Lambda function that logs into instances or an rsync cron job (B, D) are custom, fragile mechanisms that also require managing credentials on every host.
Question 313
Your company has a set of EBS volumes defined in AWS. The security mandate is that all EBS volumes are encrypted. What can be done to notify the IT admin staff if there are any unencrypted volumes in the account?
- A. Use AWS Config to check for unencrypted EBS volumes
- B. Use AWS Lambda to check for the unencrypted EBS volumes
- C. Use AWS GuardDuty to check for the unencrypted EBS volumes
- D. Use AWS Inspector to inspect all the EBS volumes
Correct answer: A
Explanation:
The encrypted-volumes managed rule for AWS Config can be used to check for unencrypted volumes.
encrypted-volumes: checks whether the EBS volumes that are in an attached state are encrypted. If you specify the ID of a KMS key for encryption using the kmsId parameter, the rule checks if the EBS volumes in an attached state are encrypted with that KMS key.
Options C and D are incorrect since GuardDuty and Inspector cannot be used to check for unencrypted EBS volumes. Option B is incorrect because, even though this is possible, implementing the check with Lambda alone would be more work than using the managed rule. For more information on AWS Config and encrypted volumes, please refer to the below URL:
https://docs.aws.amazon.com/config/latest/developerguide/encrypted-volumes.html
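Questions 305 and 313 both rely on AWS Config managed rules (s3-bucket-logging-enabled and encrypted-volumes). The added example below (written for this page, not the managed rules' own code) shows the compliance logic those rules apply, in the shape of a custom Config rule: one function that turns a configuration item into a compliance type, and a second that builds the evaluation records a rule would report. The configuration-item field names follow what Config passes to a Lambda-backed rule, but are an assumption here, and the sample items are constructed for the demo.

```python
"""Compliance logic of the two AWS Config checks on this page (s3-bucket-logging-enabled,
encrypted-volumes), written in the shape of a custom Config rule. Added illustration, not the
managed rules' code; the configuration-item field names are an assumption modelled on what
Config passes to a Lambda-backed rule."""


def evaluate_compliance(config_item, rule_parameters=None):
    """Return (compliance_type, annotation) for one configuration item."""
    params = rule_parameters or {}
    rtype = config_item["resourceType"]
    cfg = config_item.get("configuration") or {}
    if rtype == "AWS::S3::Bucket":
        # Server access logging lives in the supplementary configuration, not the main one.
        logging = (config_item.get("supplementaryConfiguration") or {}).get("BucketLoggingConfiguration") or {}
        target = logging.get("destinationBucketName")
        if not target:
            return "NON_COMPLIANT", "server access logging is not enabled"
        if params.get("targetBucket") and target != params["targetBucket"]:
            return "NON_COMPLIANT", f"logs are delivered to {target}, expected {params['targetBucket']}"
        return "COMPLIANT", f"logging to {target}"
    if rtype == "AWS::EC2::Volume":
        # encrypted-volumes only evaluates attached volumes; detached ones are NOT_APPLICABLE.
        if cfg.get("state") != "in-use":
            return "NOT_APPLICABLE", "volume is not attached"
        if not cfg.get("encrypted"):
            return "NON_COMPLIANT", "attached volume is not encrypted"
        key_arn = cfg.get("kmsKeyId") or ""
        want = params.get("kmsId")          # accepts either the key ID or the full key ARN
        if want and not (key_arn == want or key_arn.endswith("/" + want)):
            return "NON_COMPLIANT", f"encrypted with {key_arn}, not the required key"
        return "COMPLIANT", "attached volume is encrypted"
    return "NOT_APPLICABLE", f"{rtype} is not evaluated by this rule"


def build_evaluations(config_items, rule_parameters=None):
    """Produce the list a rule would hand to config.put_evaluations (the API call itself is
    left out so the example runs offline)."""
    out = []
    for item in config_items:
        ctype, note = evaluate_compliance(item, rule_parameters)
        out.append({"ComplianceResourceType": item["resourceType"],
                    "ComplianceResourceId": item["resourceId"],
                    "ComplianceType": ctype, "Annotation": note,
                    "OrderingTimestamp": item["configurationItemCaptureTime"]})
    return out


KEY = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
T = "2022-02-11T00:00:00Z"
# Constructed configuration items, trimmed to the fields the rule reads.
SAMPLE_ITEMS = [
    {"resourceType": "AWS::S3::Bucket", "resourceId": "finance-docs", "configurationItemCaptureTime": T,
     "supplementaryConfiguration": {"BucketLoggingConfiguration": {"destinationBucketName": "central-logs", "logFilePrefix": "finance/"}}},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "scratch", "configurationItemCaptureTime": T,
     "supplementaryConfiguration": {"BucketLoggingConfiguration": {"destinationBucketName": None, "logFilePrefix": None}}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0enc", "configurationItemCaptureTime": T,
     "configuration": {"state": "in-use", "encrypted": True, "kmsKeyId": KEY}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0plain", "configurationItemCaptureTime": T,
     "configuration": {"state": "in-use", "encrypted": False}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0detached", "configurationItemCaptureTime": T,
     "configuration": {"state": "available", "encrypted": False}},
]


def summarize(rule_parameters=None):
    """Map resourceId -> ComplianceType for the sample items."""
    return {e["ComplianceResourceId"]: e["ComplianceType"]
            for e in build_evaluations(SAMPLE_ITEMS, rule_parameters)}
```

Running `summarize()` with no parameters flags the bucket without a logging target and the attached unencrypted volume, and leaves the detached volume as NOT_APPLICABLE, which is the same scoping the managed encrypted-volumes rule applies. Passing `{"kmsId": ...}` or `{"targetBucket": ...}` tightens the check to a specific key or log bucket, mirroring the optional parameters of the two managed rules. Notification of the admin staff is then a matter of routing the rule's compliance-change events (for example through EventBridge to SNS), which is outside this snippet.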
Question 314
A company hosts critical data in an S3 bucket. Even though they have assigned the appropriate permissions to the bucket, they are still worried about data deletion. What measures can be taken to reduce the risk of data deletion on the bucket? Choose 2 answers from the options given below.
- A. Enable encryption in transit for the objects in the bucket
- B. Enable MFA Delete in the bucket policy
- C. Enable versioning on the S3 bucket
- D. Enable encryption at rest for the objects in the bucket
Correct answer: B, C
Explanation:
One of the AWS Security blogs mentions the following:
Versioning keeps multiple versions of an object in the same bucket. When you enable it on a bucket, Amazon S3 automatically adds a unique version ID to every object stored in the bucket. At that point, a simple DELETE action does not permanently delete an object version; it merely associates a delete marker with the object. If you want to permanently delete an object version, you must specify its version ID in your DELETE request.
You can add another layer of protection by enabling MFA Delete on a versioned bucket. Once you do so, you must provide your AWS account's access keys and a valid code from the account's MFA device in order to permanently delete an object version or suspend or reactivate versioning on the bucket.
Option A is invalid because encryption in transit does not reduce the risk of data deletion.
Option D is invalid because encryption at rest does not reduce the risk of data deletion either.
For more information on AWS S3 versioning and MFA please refer to the below URL:
https://aws.amazon.com/blogs/security/securing-access-to-aws-using-mfa-part-3/