AWS Practice Exam 3 & 4 (Security & Compliance)
AWS Trusted Advisor analyzes your AWS environment and provides best practice recommendations for which of the following categories? (Select two)? 1.) Elasticity 2.) Change Management 3.) Service Limits 4.) Cost Optimization 5.) Documentation
3.) Service Limits 4.) Cost Optimization
A multi-national company has its business-critical data stored on a fleet of Amazon EC2 instances, in various countries, configured in region-specific compliance rules. To demonstrate compliance, the company needs to submit historical configurations on a regular basis. Which AWS service is best suited for this requirement? 1.) AWS Config 2.) Amazon GuardDuty 3.) Amazon Macie 4.) AWS CloudTrail
1.) AWS Config
Which of the following are correct statements regarding the AWS Shared Responsibility Model? (Select two) 1.) AWS is responsible for Security "of" the Cloud 2.) For a service like Amazon EC2, that falls under Infrastructure as a Service, AWS is responsible for maintaining guest operating system 3.) Configuration Management is the responsibility of the customer 4.) AWS is responsible for training AWS and customer employees on AWS products and services 5.) For abstracted services like Amazon S3, AWS operates the infrastructure layer, the operating system, and platforms.
1.) AWS is responsible for Security "of" the Cloud 5.) For abstracted services like Amazon S3, AWS operates the infrastructure layer, the operating system, and platforms
According to the AWS Shared Responsibility Model, which of the following are responsibilities of the customer (select 2)? 1.) Enabling data encryption of data stored in S3 buckets 2.) Ensuring AWS employees cannot access customer data 3.) Operating system patches and updates of an EC2 instance 4.) AWS Global Network Security 5.) Compliance validation of Cloud infrastructure
1.) Enabling data encryption of data stored in S3 buckets 3.) Operating system patches and updates of an EC2 instance
Which of the following entities should be used for an Amazon EC2 Instance to access a DynamoDB table? 1.) IAM role 2.) AWS IAM user access keys 3.) AWS Key Management Service 4.) Amazon Cognito
1.) IAM role
Which of the following describes an Availability Zone in the AWS Cloud? 1.) One or more data centers in the same location 2.) One or more server racks in the same location 3.) One or more server racks in multiple locations 4.) One or more data centers in multiple locations
1.) One or more data centers in the same location
Which AWS services can be used together to send alerts whenever the AWS account root user signs in? (Select two) 1.) SNS 2.) SQS 3.) Step Function 4.) CloudWatch 5.) Lambda
1.) SNS 4.) CloudWatch
AWS Trusted Advisor can provide alerts on which of the following common security misconfigurations? (Select two)? 1.) When you don't turn on user activity logging (AWS CloudTrail) 2.) When you allow public access to Amazon S3 buckets 3.) When you don't tag objects in S3 buckets 4.) When you share IAM user credentials with others 5.) When you don't enable data encryption on S3 Glacier
1.) When you don't turn on user activity logging (AWS CloudTrail) 2.) When you allow public access to Amazon S3 buckets
Data encryption is automatically enabled for which of the following AWS services? (Select two)? 1.) Amazon EBS volumes 2.) AWS Storage Gateway 3.) Amazon Redshift 4.) Amazon S3 Glacier 5.) Amazon EFS drives
2.) AWS Storage Gateway 4.) Amazon S3 Glacier
AWS Shield Advanced provides expanded DDoS attack protection for web applications running on which of the following resources? (Select two) 1.) AWS Elastic Beanstalk 2.) Amazon CloudFront 3.) Amazon Elastic Compute Cloud 4.) Amazon Simple Storage Service (Amazon S3) 5.) AWS Identity and Access Management (IAM)
2.) Amazon CloudFront 3.) Amazon Elastic Compute Cloud
According to the AWS Shared Responsibility Model, which of the following are responsibilities of the customer for IAM? (Select two) 1.) Configuration and vulnerability analysis for the underlying software infrastructure 2.) Enable MFA on all accounts 3.) Analyze user access patterns and review IAM permissions 4.) Manage global network security infrastructure 5.) Compliance validation for the underlying software infrastructure
2.) Enable MFA on all accounts 3.) Analyze user access patterns and review IAM permissions
Which AWS service protects your AWS account by monitoring malicious activity and detecting threats? 1.) CloudWatch 2.) GuardDuty 3.) CloudTrail 4.) Trusted Advisor
2.) GuardDuty
Under the AWS Shared Responsibility Model, which of the following is the responsibility of a customer regarding lambda functions? 1.) Patch underlying OS for the lambda function infrastructure 2.) Maintain versions of a lambda function 3.) Maintain all runtime environments for lambda functions 4.) Configure networking infrastructure for the lambda functions
2.) Maintain versions of a lambda function
Which of the following are recommended best practices for AWS IAM service? (Select two) 1.) Share AWS account root user access keys with other administrators 2.) Rotate credentials regularly 3.) Grant maximum privileges to avoid assigning privileges again 4.) Create a minimum number of accounts and share these account credentials among employees 5.) Enable MFA for all users
2.) Rotate credentials regularly 5.) Enable MFA for all users
Which of the following are recommended security best practices for the AWS account root user? (Select two) 1.) Keep your AWS account root user access keys in an encrypted file on S3 2.) Set up an IAM user with administrator permissions and do not use AWS account root user for administrative tasks 3.) Share AWS account root user access keys with other administrators 4.) Enable MFA for the AWS account root user 5.) Disable MFA for the AWS account root user as it can lock the entire AWS account if the MFA device is lost
2.) Set up an IAM user with administrator permissions and do not use AWS account root user for administrative tasks 4.) Enable MFA for the AWS account root user
Which of the following AWS authentication mechanisms supports a Multi-Factor Authentication (MFA) device that you can plug into a USB port on your computer? 1.) Hardware MFA device 2.) U2F security key 3.) SMS text message-based MFA 4.) Virtual MFA device
2.) U2F security key
An e-commerce company wants to review the Payment Card Industry (PCI) reports on AWS Cloud. Which AWS resource can be used to address this use-case? 1.) AWS Trusted Advisor 2.) AWS Cost and Usage Reports 3.) AWS Artifact 4.) AWS Secrets Manager
3.) AWS Artifact
An AWS hardware failure has impacted one of your EBS volumes. Which AWS service will alert you of the affected resources and provide a remedial action? 1.) Amazon GuardDuty 2.) AWS Config 3.) AWS Personal Health Dashboard 4.) AWS Trusted Advisor
3.) AWS Personal Health Dashboard
As per the Shared Responsibility Model, Security and Compliance is a shared responsibility between AWS and the customer. Which of the following security services falls under the purview of AWS under the Shared Responsibility Model? 1.) AWS Web Application Firewall (WAF) 2.) AWS Shield Advanced 3.) AWS Shield Standard 4.) Security Groups for Amazon EC2
3.) AWS Shield Standard
Which of the following AWS entities lists all users in your account and the status of their various account aspects such as passwords, access keys, and MFA devices? 1.) AWS Trusted Advisor 2.) AWS Cost and Usage Reports 3.) Credential Reports 4.) Amazon Inspector
3.) Credential Reports
A cyber-security agency uses AWS Cloud and wants to carry out security assessments on their own AWS infrastructure without any prior approval from AWS. Which of the following describes/facilitates this practice? 1.) Amazon Inspector 2.) AWS Secrets Manager 3.) Penetration Testing 4.) Network Stress Testing
3.) Penetration Testing
An IT company has a hybrid cloud architecture and it wants to centralize the server logs for its EC2 instances and on-premises servers. Which of the following is the MOST effective for this use-case? 1.) Use CloudWatch Logs for the EC2 instance and CloudTrail for the on-premises servers 2.) Use AWS Lambda to send log data from EC2 instance as well as on-premises servers to CloudWatch Logs 3.) Use CloudWatch Logs for both the EC2 instance and the on-premises servers 4.) Use CloudTrail for the EC2 instance and CloudWatch Logs for the on-premises servers
3.) Use CloudWatch Logs for both the EC2 instance and the on-premises servers
Which AWS service will you use to privately connect your VPC to Amazon S3? 1.) Amazon API Gateway 2.) AWS Transit Gateway 3.) VPC Endpoint Gateway 5.) AWS Direct Connect
3.) VPC Endpoint Gateway
Which AWS entity enables you to privately connect your VPC to an Amazon SQS queue? 1.) Internet Gateway 2.) VPC Gateway Endpoint 3.) VPC Interface Endpoint 4.) AWS Direct Connect
3.) VPC Interface Endpoint
A financial services enterprise plans to enable Multi-Factor Authentication (MFA) for its employees. For ease of travel, they prefer not to use any physical devices to implement MFA. Which of the below options is best suited for this use case? 1.) U2F security key 2.) Hardware MFA device 3.) Virtual MFA device 4.) Soft Token MFA device
3.) Virtual MFA device
Which of the following are benefits of the AWS Web Application Firewall (WAF)? (Select two) 1.) WAF offers protection against all known infrastructure (Layer 3 and 4) attacks 2.) WAF offers dedicated support from the DDoS Response Team (DRT) and advanced reporting 3.) WAF can check for the presence of SQL code that is likely to be malicious (known as SQL injection) 4.) AWS WAF lets you monitor the HTTP and HTTPS requests that are forwarded to Amazon Route 53 5.) WAF can block all requests except the ones that you allow
3.) WAF can check for the presence of SQL code that is likely to be malicious (known as SQL injection) 5.) WAF can block all requests except the ones that you allow
As per the AWS Shared Responsibility Model, which of the following is a responsibility of AWS from a security and compliance point of view? 1.) Patching guest OS and applications 2.) Identity and Access Management 3.) Service and Communications Protection 4.) Patching networking infrastructure
4.) Patching networking infrastructure
Which of the following AWS services specialize in data migration from on-premises to AWS Cloud? (Select two) 1.) Transit Gateway 2.) Site-to-Site VPN 3.) Direct Connect 4.) Snowball 5.) Database Migration Service
4.) Snowball 5.) Database Migration Service
A financial services company wants to ensure that all customer data uploaded on its data lake on Amazon S3 always stays private. Which of the following is the MOST efficient solution to address this compliance requirement? 1.) Set up a high-level advisory committee to review the privacy settings of each object uploaded into S3 2.) Trigger a lambda function every time an object is uploaded on S3. The lambda function should change the object settings to make sure it stays private 3.) Use CloudWatch to ensure that all S3 resources stay private 4.) Use Amazon S3 Block Public Access to ensure that all S3 resources stay private
4.) Use Amazon S3 Block Public Access to ensure that all S3 resources stay private