SEC540: Quiz Questions
Which of these principles is the most important in ensuring consistency, repeatability and traceability in DevOps? a) Security b) Automation c) Sharing d) Culture
Automation
Within Git and Workflow, what can be used to automatically run scripts to check for embedded secrets, code correctness, and problems at different stages in the workflow? a) Add hooks b) Commit hooks c) Stash hooks d) Push hooks
Book 1 page 91
Which of the following is a common lean engineering workflow management technique that improves efficiency, reduces friction, and eliminates hand-offs and delays? a) Automation b) Waterfall c) Value stream mapping d) Kanban
Kanban Book 1 page 17
Which of the following is an example of a branch protection? a) Requiring a pull / merge request for merging changes b) Installing and executing built in per-commit hooks c) Implementing policies to do peer code review d) Identifying and tagging high-risk code
See Book 1 page 95
What are the available actions for HTTP/S requests in AWS WAF?
a) Allow, block, and count Book 5 page 40
How does Blue/Green deployment differ from A/B testing in continuous deployment? a) Blue/Green Deployment switches between production environments, while A/B testing measures the effect/acceptance of a change in production b) Blue/Green Deployment is better suited for legacy applications, while A/B testing is better suited for stateless web applications and microservices. c) Blue/Green Deployment relies on hiding new features behind switches (blue=hidden, green=visible), while A/B testing has developers directly pushing changes to production d) Blue/Green Deployment works in small increments, while A/B testing deploys changes to the entire environment at once.
a) Blue/Green Deployment switches between production environments, while A/B testing measures the effect/acceptance of a change in production.
Which action automatically triggers a pipeline in a Continuous Integration practice? a) Completing a commit on the main branch b) Unit tests failing c) Deployment request d) Random time intervals
a) Completing a commit on the main branch Book 1 page 41
Which of the following is a feature of Storage Service Encryption in Azure? a) Data written to Azure Storage will be automatically encrypted b) Data written to Azure Storage will automatically be decrypted c) Data written to Azure Storage cannot be encrypted. Another storage option will need to be used. d) Data written to Azure Storage can be encrypted, but this is not automatic
a) Data written to Azure Storage will automatically be encrypted; an "always-on" feature for any data written to Azure storage Book 3 page 137
Which of the following features can be specified in canned policy of signed URLs or cookies? a) Date and time access expires b) IP addresses that can be used to access content c) Date and time from which access is valid d) Inclusion of Base64-encoded policy in URL
a) Date and time access expires Book 4 page 38
When switching to the green environment in an EC2 instance-based blue/green deployment, why is it a bad idea to cut all traffic over to the new environment immediately? a) Elastic Load Balancer needs time to scale. b) Green environments cannot handle a huge amount of traffic. c) Immediate cutover causes a higher EC2 bill. d) Immediate cutover requires duplicating the database.
a) Elastic Load Balancer (ELB) needs time to scale Book 4 page 13
What tool parses Dockerfiles into Abstract Syntax Trees to run a suite of security tools? a) Conftest b) Hadolint c) BuildKit d) Anchore
a) Hadolint Book 2 Page 107
When an organization attempts to set up systems as Infrastructure as Code, the system administrator needs to: a) Learn to be a developer b) Complete ad hoc changes and fixes c) Set up systems through scripts and checklists d) Implement hardening steps at runtime
a) Learn to be a developer Book 2 Page 65
The code below can be used to create a CloudWatch Metric filter. Which line number provides a way to store metric names in a common group? a) Line 9: MetricNamespace: "dm/fargate/web" b) Line 2: Type: AWS::LOGS::METRICFILTER c) Line: 4: LogGroupName: */dm/web/docker" d) Line 7: MetricName: AuthenticationFailure
a) Line 9: MetricNamespace: "dm/fargate/web" Book 3 page 113
In what mode is a WAF deployed to avoid the risk of blocking legitimate traffic? a) Monitor b) Bypass c) Inspection d) Fail-open
a) Monitor Book 5 page 35
What tool can be used to verify there are no vulnerabilities in the software supply chain after each build cycle? a) OWASP Dependency Check b) OWASP Module Assessor c) OWASP Library Check d) OWASP Supply Chain Assessor
a) OWASP Dependency Check Book 3 page 72
Which Container Security Life Cycle phase includes installing approved binaries inside a base image? a) Pre-Commit b) Static Analysis c) Commit d) Hardening
a) Pre-Commit Book 2 Page 105
Which of the following are the two main considerations when evaluating a Blue/Green deployment model? a) Cloud service cost and downtime b) Rollback capability and application debugging c) Deployment complexity and rollback capability d) Hardware cost and downtime
a) Rollback capability and application debugging Book 4 page 19
What can be used to define the maximum permissions granted by an identity-based or resource-based policy within an AWS organization? a) Service control policy b) Permission granting policy c) Resource allocation policy d) Cloud permission policy
a) Service control policy (SCP) Book 5 page 18
What is a benefit of launching a SAST tool via a Lambda function? a) Simple parallelization b) No need for customization c) Limited set of languages for Lambda d) No need to build and maintain a library of integration code
a) Simple parallelization Book 3 page 76
Why is it important for security teams to understand the GitFlow option utilized by their organization? a) To identify and understand potential weaknesses and secure them b) To satisfy the culture in CAMS/CALMS DevOps principles c) To increase transparency in DevOps d) To minimize the need for security gates and rely on security guardrails only
a) To identify and understand potential weaknesses and secure them
What can be done to ensure S3 buckets are only accessible via CloudFront to prevent bypassing access controls? a) Use an Origin Access Identity b) Use same-origin policy c) Use signed URLs d) Use signed cookies
a) Use an Origin Access Identity Book 4 page 32
Which of the following tools can be used to provision a set of VMs to test different hardened configurations? a) Vagrant b) Ansible c) Salt d) Chef
a) Vagrant; open-source tool for rapidly configuring and spinning up VMs. Book 2 Page 74
Which of the following is a key decision point of PayPal's Risk Questionnaire? a) Whether the team plans on following a recognized approach b) Whether the team can review and make incremental updates to the risk assessment c) Whether the team plans on conducting vulnerability assessments on their new products d) Whether the team can conduct threat modeling on new services
a) Whether the team plans on following a recognized approach Book 1 page 83
What needs to be present on a system that does not allow agents to be installed in order for it to be managed by the Ansible configuration management tool?
a) python
In continuous delivery, what artifact is used to prepare for release? a) The latest good build from CI b) The latest good build from last major change c) The latest build from stable tree d) An artificially chosen build
a) the latest good build from CI Book 1 page 42
What is the issue with the AWS S3 code shown below? a) Type b) AccessControl c) BucketId d) BucketName
b) AccessControl Book 3 Page 49
What is an important limitation to be aware of in the context of CI testing? a) CI is well suited for in-depth static application security testing (SAST). b) All tests executed in CI must provide unambiguous pass/fail results. c) CI can tolerate false positive test results. d) CI is well suited for in-depth dynamic application security testing (DAST).
b) All tests executed in CI must provide unambiguous pass/fail results. Book 1 page 78
Which Security Token Service (STS) API command returns temporary credentials for federated users authenticated through an OIDC-compatible identity provider? a) AssumeRoleWithSAML b) AssumeRoleWithWebIdentity c) AssumeRole d) GetSessionToken
b) AssumeRoleWithWebIdentity Book 4 page 71
Which Azure WAF rule set includes signatures to protect against SQL Injection, XSS, session fixation, and remote code execution? a) Attack detection rule set b) Azure-managed core rule set c) Prevention rule set d) Malicious activity rule set
b) Azure-managed Core Rule Set Book 5 page 38
A security team is working on hardening a company's Azure infrastructure. Which of the following can be used as a reference for this task? a) OWASP Top 10 b) CIS Azure Foundation Benchmark c) PCI DSS d) CIS Azure Assessment Workbook
b) CIS Azure Foundation Benchmark Book 5 page 15
In regard to the limits of automated security tests, which of the following tradeoffs highlights why this testing cannot be exhaustive? a) Completeness vs. usability b) Completeness vs. speed c) Repeatability vs. usability d) Repeatability vs. periodic checking
b) Completeness vs. speed and repeatability Book 2 page 172
When using EC2 instances to perform blue/green deployments, what service could be used to redirect traffic between two deployments? a) ELB b) DNS c) Lambda d) ECS
b) DNS Book 4 page 12
What is a key difference between the baseline and the full ZAP command line DAST scans? a) Full scan spiders site for 1 minute before conducting passive scan. b) Full Scan conducts an active scan. c) Baseline Scan uses SOAP or GraphQL. d) Baseline Scan has no time limit by default
b) Full Scan conducts an Active scan Book 2 Page 166 (Three ZAP scans)
Which AWS service is a cost-effective solution for a long-term archival storage that integrates with KMS for data encryption? a) DynamoDB b) Glacier c) Montblanc d) S3
b) Glacier Book 3 Page 158
AWS Security Hub can be used to aggregate information from which one of the following services? a) Policy b) GuardDuty c) Defender for Cloud d) KeyVault
b) GuardDuty Book 5 page 26
Which of the following is responsible for provisioning an ingress controller and DNS endpoint in Azure Kubernetes Service (AKS)? a) Azure Application Gateway b) HTTP application routing c) Virtual networking d) Azure DNS and traffic manager
b) HTTP application routing Book 3 page 25
What are the default ingress/egress rules in security groups for EC2? a) Ingress rule allows all traffic; egress rule allows no traffic. b) Ingress rule allows no traffic; egress rule allows all traffic. c) Both ingress and egress rules allow no traffic. d) Both ingress and egress rules allow all traffic.
b) Ingress rule allows no traffic; egress rule allows all traffic Book 2 Page 50
Which of the following is Amazon's key management system? a) Key Vault b) Key Management Service c) Safe Net d) Safe Vault
b) Key Management Service Book 3 Page 127
Continuous monitoring and integrated observability platforms rely on which core data types? a) Metric, log, and metadata b) Metric, log, and trace c) Metric, log, and alarm d) Register, log, and trace
b) Metric, log and trace Book 3 page 93
Which Azure solution provides workflow capabilities for alerting and security automation? a) Microsoft Secure Manager b) Microsoft Defender for Cloud c) Microsoft Azure Protect d) Microsoft Cloud SIEM
b) Microsoft Defender for Cloud Book 5 page 60
When moving from traditional infrastructure to Infrastructure as Code, why are legacy systems a concern? a) Hardware limitations causing many tools to fail b) No or outdated documentation and limited platform support c) The legacy systems may not support Infrastructure as Code d) An Infrastructure as Code approach on a legacy platform exposes more security vulnerabilities.
b) No or outdated documentation and limited platform support Book 2 Page 66
What open source CSPM tool for AWS comes with numerous built-in policies covering CIS Benchmarks, as well as GDPR, HIPAA, ISO 27001, and PCI? a) Policysoft b) Prowler c) Auditor d) Benchmarker
b) Prowler Book 5 page 30
What is a benefit of an organization adopting a security champions or security mavens program? a) Security champions help shield developers from taking responsibility for their own application's security. b) Security champions help bridge the gap between central security and the product development team c) Security champions do not require funding and support from upper management d) Security champions operate inside of the development teams ensuring they do not try to hide stuff from the central security team.
b) Security champions help bridge the gap between central security and the product development team.
How does the AWS Application Load Balancer (ALB) verify the health of targets, such as an EC2 instance? a) The ALB and the targets utilize CloudWatch to monitor for failed targets. b) The ALB sends requests to each target based on specified protocol, port, path, frequency, status code, and other parameters c) The ALB leverages osquery to continuously check target health based on specified protocol, port, path, frequency, status code, and other parameters d) The ALB uses AWS Inspector API calls based on specified protocol, port, path, frequency, status code, and other parameters
b) The ALB sends requests to each target based on specified protocol, port, path, frequency, status code, and other parameters Book 3 Page 31
Which AWS solution can be used to protect web applications against XSS attacks? a) CloudWatch b) WAF Security Automation c) Inspector d) Athena
b) WAF Security Automation Book 5 page 43
What steps must be taken to attempt to elevate privileges by modifying the JWT token payload claims in a vulnerable implementation of JWT? a) Leave the header and signature fields intact b) Set alg field in header to none, and set empty signature. c) Set alg field in header to none, and regenerate the signature d) Remove all fields in the header and leave the signature intact.
b) set alg field in header to none, and set empty signature Book 4 page 79
Where does Terraform store the acquired information about the state of the resources defined in configuration files? a) In *.tfbak files b) In *.tfrsc files c) In *.tfstate files d) In *.statebak files
c) *.tfstate Book 2 page 21
What provides a single point of entry for all clients in a microservices architecture? a) Web portal b) SAML c) API gateway d) SSO
c) API gateway Book 4 page 65
Which tool can be used to perform an audit assessment of AWS account management practices? a) CSA Cloud Audit Tool b) AWS Cloud Audit Tool c) AWS Foundation Benchmark d) CSA Security Benchmark
c) AWS Foundation Benchmark Book 5 page 15
Which Azure service will allow you to assess adherence to compliance and configuration standards by looking at the resource properties across Azure subscriptions and comparing them against policy definitions? a) Microsoft Trust Center b) Azure Compliance Manager c) Azure Policy d) Azure Monitor
c) Azure Policy Book 5 page 22
Which free, open-source tool supported by Capital One helps with running well-managed cloud infrastructure securely, cost effectively, and with support for AWS, Azure, and GCP? a) AuditCloud b) MasterCloud Admin c) Cloud Custodian d) Cloud Detective
c) Cloud Custodian Book 5 page 66
In which DevOps workflow phase are container security controls implemented? a) Container security controls are out of the scope of DevOps workflow b) Pre-commit phase c) Commit phase d) Acceptance phase
c) Commit Phase Book 1 page 77
What does the C stand for in the DevOps CAMS model? a) Cloud b) Continuous c) Culture d) Collaboration
c) Culture Book 1 page 11
Which type of Azure WAF rules can be written to match the geographic location of an HTTP/S request? a) Geographic rules b) Managed rules c) Custom rules d) Source address rules
c) Custom rules Book 5 page 36
What is the potential issue with providing content delivery links directly to users? a) Content distribution service impact b) Password cracking c) Data leakage d) Privilege reduction
c) Data leakage Book 4 page 24
Which of the following features in Elastic Load Balancing allows multiple tasks to run from the same service per container instance? a) Path-based routing b) Classic load balancing c) Dynamic port mapping d) Fixed port mapping
c) Dynamic port mapping Book 3 page 30
What feature is used by the AWS KMS to provide integrity checks and log encryption key usage data? a) Customer master key b) Data keys c) Encryption contexts d) Envelope encryption
c) Encryption contexts Book 3 page 143
How do Azure Network Security Groups handle traffic based on the defined firewall rules? a) Last matching rule determines access (allow or deny) b) Default implicit allow/deny determines access. c) First matching rule determines access (allow or deny). d) The most permissive rule is used before making a decision.
c) First matching rule determines access (allow or deny) Book 2 Page 48
Which of the following is a disadvantage of using an API gateway in microservices? a) Increases the number of round trips b) Insulates the client c) Higher complexity d) Higher hardware cost
c) Higher complexity Book 4 page 66
Which of the following is a good fit for using blue/green deployments? a) Heavy use of feature flags to change behavior b) Custom third-party vendor update process c) Immutable infrastructure d) Complex database schema changes
c) Immutable infrastructure Book 4 page 7
Which section of a CloudFormation template provides flexible dictionary storage based on name-value pairs? a) Parameters b) Outputs c) Mappings d) Resources
c) Mappings Book 2 Page 10
What architectural approach allows applications to be broken down into smaller functions that interface with other functions via APIs? a) Use of CDNs b) API gateways c) Microservices d) Containers
c) Microservices Book 4 page 56
What provides the backbone for authentication services in AWS by issuing temporary security credentials? a) SAML b) Web Identity Federation c) Security Token Service d) Identity Federation Services
c) Security Token Service (STS) Book 4 page 69
Which statement accurately compares server-side and client-side encryption in the context of cloud data protection? a) Server-side encryption keys can be cloud-managed or customer-managed, while client-side encryption keys can only be customer-managed. b) Both server-side and client-side encryption provide encryption in transit and at rest. c) Server-side encryption provides only encryption at rest, while client-side provides encryption both in transit and at rest. d) Server-side encryption provides encryption both in transit and at rest, while client-side provides encryption only in transit.
c) Server-side encryption provides only encryption at rest, while client-side provides encryption both in transit and at rest. Book 3 page 128
What is the purpose of the following AWS CLI Command? $ aws cloudformation describe-stacks --stack-name VPC-Delivered a) To deploy a stack to a specific environment b) To instantiate a new Virtual Private Cloud named VPC-Delivered c) To view status details of a stack after deploying an AWS CloudFormation template d) To rename the currently selected stack description to VPC-Delivered
c) To view status details of a stack after deploying an AWS CloudFormation template Book 2 Page 17
How does one prevent replay attacks for JSON Web Tokens? a) Use JSON Web Encryption b) Use an HMAC private key c) Use a nonce in the JWT ID d) Use JSON Web Signature
c) Use a nonce in the JWT ID Book 4 page 80
How can AWS KMS be accessed for client-side encryption? a) The KMS can only be used for server-side encryption. b) Using an API c) Using the KMS SDK d) Using a Lambda function
c) Using the KMS SDK Book 3 page 157
What type of resource would you create when protecting a newly supported service using Microsoft Defender for Cloud? a) azure_cloud_activation b) azureng_defender_start c) azurerm_security_center_subscription_pricing d) azure_service_enable
c) azurerm_security_center_subscription_pricing Book 5 page 28
Which Git action updates the repository with the changes in the staging area? a) push b) add c) commit d) clone
c) commit Book 1 page 33
Which of the following Terraform commands will update the local state file with the real resource state? a) taint/untaint b) apply c) refresh d) resolve
c) refresh Book 2 page 36
What would happen if the admin SecurityGroup is modified to allow ingress from anywhere when using the following AWS Cloud Custodian policy?

    policies:
      - name: admin
        resource: security-group
        mode:
          type: cloudtrail
          events:
            - source: ec2.amazonaws.com
              event: AuthorizeSecurityGroupIngress
              ids: "requestParameters.groupId"
        filters:
          - or:
              - type: ingress
                Cidr:
                  value: "0.0.0.0/0"
        actions:
          - type: remove-permissions
            ingress: matched

a) The new configuration would be restricted to administrators only. b) The new configuration would be removed. c) The filter Cidr value would be updated to the new configuration. d) Cloud Custodian would generate an alert.
c) the filter Cidr value would be updated to the new configuration. Book 5 page 69
Which of the following is a possible benefit of integrating SAST scanning via CodeBuild? a) No need to maintain SAST tool environment b) Wide set of reporting tools available in CodePipeline c) Wide set of pre-built environments d) AWS-supported tool chain
d) AWS-Supported tool chain Book 3 Page 77
What type of dynamic scanning sends malicious payloads and data directly to the target? a) Passive b) Idle c) Header Analysis d) Active
d) Active Book 2 Page 161
To what type of attack are microservice APIs particularly susceptible? a) Application OS command execution b) Cross-site scripting c) SQL Injection d) Application DDoS
d) Application DDoS Book 4 Page 61
Which of the following is a key advantage of IaC? a) Better security b) Enhanced reliability c) Enhanced user access d) Cheaper to setup and change
d) Cheaper to setup and change Book 2 page 3
When using virtual machines in Azure to set up blue/green deployment, which of the following is a best practice for environment setup? a) Create blue/green environments in one single resource group. b) Deploy virtual machines using Chef. c) Deploy virtual machines using Jenkins d) Create blue/green environments in separate Azure resource groups.
d) Create blue/green environments in separate Azure resource groups. Book 4 page 9
What core DevOps principle is evident in an organization where failures are accepted as a learning opportunity, rather than a reason to blame the people responsible? a) Lessons Learned b) Measurement c) Collaboration d) Culture
d) Culture
What is a security consideration when deciding between cloud-managed and customer-managed keys in AWS Key Management Service? a) Customer-managed keys are automatically rotated every three years. b) Customer-managed keys require re-encryption when keys are rotated. c) Customer-managed symmetric and asymmetric keys can be automatically rotated. d) Customer-managed keys are not rotated by default.
d) Customer-managed keys are not rotated by default Book 3 page 141
What is an advantage of a distributed version control system (DVCS) over other control systems? a) DVCS introduced the notion of a repository-wide version identifier b) DVCS eliminated merging conflicts c) DVCS replaced reliance on .bak file d) DVCS allows developers to share patches without a central intermediary
d) DVCS allows developers to share patches without a central intermediary Book 1 page 31
What free, community-built process framework demonstrates compliance controls and checks that can be automated and built into DevOps workflows? a) DevOps Controls Toolkit b) DevOps Compliance Check Toolkit c) DevOps Automation Framework Toolkit d) DevOps Audit Defense Toolkit
d) DevOps Audit Defense Toolkit Book 5 Page 8
What is an important security consideration when implementing encryption of a MySQL database in AWS RDS? a) The encryption uses the RSA algorithm b) Keys can be managed either by AWS KMS or by the development team. c) Both server-side and client-side encryption options are available d) Encryption is transparent to the application.
d) Encryption is transparent to the application Book 3 page 163
Which one of the following drawbacks is applicable to automated testing in CD? a) It generates too many false negative results. b) Some cloud models do not enable the integration of automatic testing. c) It generates too many false positive results. d) Exhaustive testing is not feasible
d) Exhaustive testing is not feasible; there is not enough time to run all the required tests Book 2 Page 172
Which of the following security testing techniques does not easily fit into automated testing and CI/CD? a) Linting b) Dynamic Scanning c) Static Analysis d) Fuzzing
d) Fuzzing Book 2 Page 170
With regard to secrets management, what is a security consideration when comparing GitLab CI/CD with GitHub Actions? a) Both GitLab CI/CD and GitHub Actions include a built-in AWS Secrets Manager to manage secrets b) GitLab CI/CD uses libsodium sealed boxes called environment secrets, while GitHub Actions has a built-in Azure Key Vault secrets manager. c) GitHub Actions has no native secrets management and relies on third-party secrets management, such as HashiCorp Vault. d) GitLab CI/CD has no native secrets management and relies on third-party secrets management, such as HashiCorp Vault
d) GitLab CI/CD has no native secrets management and relies on third-party secrets management, such as HashiCorp Vault. Book 1 page 56
Which of the following is an example of a security code smell? a) Security libraries b) Error handling c) Embedded product update URL d) Hand-rolled crypto
d) Hand-rolled crypto Book 1 page 94
Based on the AWS configuration below, which of the following could be a concern regarding the patching status of the instances?

    LaunchConfiguration:
      Type: AWS::AutoScaling::LaunchConfiguration
      ...
      Properties:
        ImageId: !FindInMap [AWSRegionToAMI, !Ref "AWS::Region", AMI]
        InstanceType: !Ref InstanceType
        IamInstanceProfile: !Ref InstanceProfile
        KeyName: "SEC540"
        SecurityGroups: !Ref SecurityGroup
        UserData:
          "Fn::Base64": !Sub |
            #!/bin/bash
            yum install -y aws-cfn-bootstrap

a) SecurityGroups b) KeyName c) InstanceProfile d) ImageId
d) ImageId Book 3 Page 61
What are the four code phases in AWS's CodeBuild service? a) Install, build, test, post_build b) Configure, install, pre-build, build c) Configure, install, build, post_build d) Install, pre-build, build, post_build
d) Install, pre-build, build, post_build Book 3 page 16
A contractor has successfully secured DevOps and CD using a specific set of tools at three organizations. What is the danger if they insist on implementing the same tools at a new organization? a) Executive leadership may not approve these specific tools. b) The DevOps team might incorrectly assume that security is not their responsibility. c) There is no danger; these tools worked for others and will work well here too. d) Mandating tools before understanding the workflows can derail the program
d) Mandating tools before understanding the workflows can derail the program
Which of the following GitLab branch protection options creates granular approval rules for individual files or directories in the repository? a) Allowed to receive b) Require approval from all users c) Allowed to merge d) Require approval from code owners
d) Require approval from code owners Book 1 page 98
What language is used by Chef to define configurations programmatically? a) YAML b) Python c) JSON d) Ruby
d) Ruby Book 2 Page 67
What protocol does AWS use to support identity federation and offer a single sign-on capability? a) OpenID b) OAuth c) WS-Fed d) SAML 2.0
d) SAML 2.0 Book 4 page 72
What is the outcome when attempting to enable AWS Security Hub using the command "aws securityhub enable-security-hub" without the --region parameter? a) Security Hub would not be enabled b) Security Hub would be enabled for all regions. c) Security Hub would prompt for a region d) Security Hub would be enabled for the current region
d) Security Hub would be enabled for the current region Book 5 page 29
What web application security control might prevent malicious code from reading, stealing, or modifying data on another site? a) Use of signed URLs b) Disabling active content c) Use of signed cookies d) The same-origin policy
d) The same-origin policy Book 4 page 44
What is a DevOps recommended practice on how to treat vulnerabilities identified by a penetration test in an application that is deployed in production? a) Blame the developers for the application weaknesses. b) Ignore the penetration test results. c) Address all problems in version 2.0 of the application. d) Treat major findings like a production incident.
d) Treat major findings like a production incident. Book 2 Page 173
Which of the following mitigations is a recommended way to minimize session hijacking attacks by stealing the session cookie? a) Setting CloudFront-Expire attributes to the longest value possible b) Restricting access by specifying source IP addresses in a canned policy c) Setting session cookies without any flags d) Using the most specific Domain cookie attribute possible
d) Using the most specific Domain cookie attribute possible Book 4 page 43
In which of the following situations is it better to use signed URLs instead of signed cookies to restrict access to content served by CloudFront? a) When providing access to multiple files b) When keeping the existing URL structure c) When the content and web app are on the same domain d) When restricting access to a specific file
d) When restricting access to a specific file Book 4 page
When can an AWS Relational Database Service instance be encrypted? a) Any time the developer chooses b) After the instance is created c) Whenever the database is upgraded d) When the instance is created
d) When the instance is created; it is NOT possible at a later time Book 3 page 164
Which AWS WAF matching condition should be used to inspect for XSS attacks? a) ThreatMatchStatement b) OwaspMatchStatement c) AttackMatchStatement d) XssMatchStatement
d) XssMatchStatement
Which Cloud Custodian mode can create an Event Grid-triggered Azure Function that will allow you to apply response actions whenever certain events occur? a) azure-pull b) azure-periodic c) azure-responder d) azure-event-grid
d) azure-event-grid Book 5 page
Which combination of Security Hub parameters can be used to import findings from third-party tools? a) enable-external-access and --module b) enable-import-third-party and --productname c) enable-data-retrieve and --start d) enable-import-findings-for-product and --product-arn
d) enable-import-findings-for-product and --product-arn Book 5 page 29