Cloud Computing & Cybersecurity Final
What are best practices for handling an incident? (Select TWO)
1. Automate containment capabilities 2. Identify key personnel, external resources, and tooling
Which statements are true for a virtual private cloud (VPC)? (Select THREE)
1. Gives you control over your virtual networking resources including selecting the IP address range, creating subnets, and configuring route tables and network gateways 2. Is a logically isolated section of the AWS Cloud where you cna launch AWS resources in a virtual netwrok 3. Provides the ability to customize your network including creating a public subnet for your web servers that can access the public internet
What is the purpose of an internet gateway? (Select TWO.)
1. Perform network address translation (NAT) for instances that have been assigned public IPv4 addresses 2. Provide a target within a route table to enable internet-routable traffic
What can be used to control access to an Amazon S3 bucket? (Select THREE.)
1. S3 bucket policies 2. Virtual private Cloud (VPC) endpoint policies 3. AWS Identity and Access Management (IAM policies)
Which types of server-side encryption (SSE) are available for Amazon S3? (Select THREE)
1. SSE with Amazon S3 managed keys (SSE-S3) 2. SSE with AWS Key Management Service (AWS KMS) keys (SSE-KMS) SSE with customer managed keys (SSE-C)
What are best practices to protect your network? (Select TWO)
1. Use security groups to control access to resources 2. Place Amazon EC2 instances in private subnets when they will not regularly need direct access to the internet
Where can we find logs of failed logins?
AWS Cloud Trail
To monitor API calls against our AWS accounts, we can use ------------------ to create a history of calls in bulk for later review, and use ------------ for reacting to AWS API calls in real-time
AWS Cloud Trail; CloudWatch Events
An administrator would like to have additional insight into their applications, and collect operational data in the form of logs, metrics, and events. Which AWS service would meet their need?
AWS CloudWatch
What can be used to automatically monitor your EC2 instances and notify the operations team for any incidents?
AWS CloudWatch
Which AWS Service provides insights to enable organizations to optimize resource utilization and provide a unified view of operation health?
AWS CloudWatch
An administrator wants to run continuous assessment checks on their resources. The purpose is to verify that these resources comply with their own policies and industry best practices, and compliance standards. Which AWS service would meet their need?
AWS Config
Which AWS Service allows an organization to audit and assesses the overall compliance of all AWS resources?
AWS Config
Which AWS service is a continuous monitoring and assessment service that provides an inventory of AWS resources and records changes to their configuration?
AWS Config
Which AWS service can be used to generate encryption keys that are protected by FIPS 140-2 validated hardware security modules (HSMs)?
AWS Key Management Service (KMS)
Which AWS service can be used to store items, such as database credentials, securely without having to hard code them into the source code or a configuration file?
AWS Secrets Manager
An administrator wants to implement a level of protection against distributed denial of service (DDoS attacks. Which AWS service would meet their need?
AWS Shield
An administrator would like to help managing complex and time-consuming operations, such as patching software and routing support tickets. Which AWS serve would meet their need?
AWS Step Functions
An administrator wants to ensure that they optimize their AWS infrastructure and also improve security performance. Which option would meet their need?
AWS Trusted Advisor
Which AWS service evaluates your account by using checks that identify ways to optimize your AWS infrastructure, improve security and performance, reduce costs, and monitor service quotas?
AWS Trusted Advisor
Which AWS service helps to identify groups that are allowing unrestricted access to users' AWS Resources?
AWS Trusted Advisor
Which of the following services can help you collect important metrics from Amazon RDS and EC2 Instances?
Amazon CloudWatch
A Company wants to monitor the AWS MySQL instance and send real-time alerts to the Operations team. Which two services are required to meet the requirements?
Amazon CloudWatch; Amazon Simple Notification Service (SNS)
Which AWS logging and monitoring service is a serverless event bus service that can connect your applications with data from a variety of sources?
Amazon EventBridge
An administrator would like to increase their network protection, and eliminate any potentially unauthroized or malicious activity in their AWS environment. Which AWS service would meet their need?
Amazon GuardDuty
An administrator wats to improve their vulnerability management. They would like to use a service to continuously scans Amazon eC2 instances for software vulnerabilities and unintended network exposure. Which AWS service would meet their need?
Amazon Inspector
Which service provides an automated security assessment that helps users to improve the security and compliance of applications that they deploy on AWS?
Amazon Inspector
A machine learning engineer wants a solution that will discover sensitive information that is stored in AWS. The solution should also use natural language processing (NLP) to classify the data and provide business-related insights. Which AWS service would meet their need?
Amazon Macie
Which service would you use to send alerts based on Amazon cloudWatch Alarms?
Amazon Simple Notification Service (Amazon SNS)
Which service can help users to automate management tasks such as collecting system inventory, applying operating system patches, maintaining up-to-date antivirus definitions, and configuring operating systems and applications at scale?
Amazon System Managers
where should the cloud customer's encryption keys be stored?
Anywhere but with the cloud provider
Which of the below mentioned actions is not supported by the CloudWatch alarm?
Auto Scaling launch config to scale up
Data classification can be ______ or ______.
Automatic or manual
Which of the following is not used to determine data retention requirements?
Average media longevity
Which of the following would NOT be used to determine the classification of data?
Future use
What of the following is NOT the default metric for CloudWatch to monitor EC2 Instances?
Memory Usage
Which statement about AWS monitoring is true?
Monitoring is a continuous process
Which of the mandatory parameter for CloudWatch request list?
Namespace
What are the two metrics Amazon Cloud watch gathers from RDS Instances?
OS Processes; RDS processes
What is a form of cloud storage where data is stored as objects, arranged in a hierarchal structure, like a file tree?
Object storage
A company wants to create a multi-tier website. What is the best practice for creating a load balancer and subnet architecture?
Place the web server and database in a private subnet, and the load balancer in a public subnet.
a three-tier web application environment is a modular client-server architecture. What are the three tiers
Presentation, application, and data
As in a traditional IT environment, proper key management is crucial in the cloud. Which of the following principles is not true regarding key management?
Public keys should never be shared with anyone
Which control mechanism is recommended to protect data in transit to Amazon S3 to reduce the risk of unauthorized access or loss?
Use Amazon Virtual Private Cloud (Amazon VPC) endpoints to limit access to the bucket
Security groups are stateful, and network access control lists (ACLs) are stateless. What is the difference between stateful and stateless?
Stateful means that return traffic is automatically allowed. Stateless means that return traffic must be explicitly allowed by rules.
Deploying digital rights management (DRM) tools in a bring-your-own-device (BYOD) environment will require ___________________.
User consent and action
The application team is trying to connect to EC2 instance but they were not able to connect. Which AWS log needs to be looked at it?
VPC Flow Logs
Data transformation in a cloud environment should be of great concern to organizations considering cloud migration because __________ could affect data classification processes and implementations.
Virtualization
According to Cloud Secure Data Lifecycle, which phase comes soon after (or at the same time as) the Create phase?
Store
When implementing cryptography in a cloud environment, where is the worst place to store the keys?
With the cloud provider
AWS Cloud Trail and Amazon CloudWatch serve specific functions. Which function is indicative of CloudWatch?
to detect anomalous behavior, set alarms, and discover insights
Who is ultimately responsible for a data breach that includes personally identifiable information (PII), in the event of negligence on the part of the cloud provider?
The cloud customer
Who will determine data classifications for the cloud customer?
The cloud customer
Which statement is true about server-side encryption in Amazon S# with customer-provided keys (SSE-C)?
The customer retains control of the keys
Which statement regarding client-side encryption is true?
The keys and algorithms are known only to the customer
As with the traditional IT environment, cloud data encryption includes all the following elements except ___________________.
The user
Which information does AWS CloudTrail NOT capture?
Time of the origin of the request in your local time
DLP solutions typically involve all of the following aspects except ______.
Tokenization
What is the difference between a security group and network access control list (ACL)?
A security group acts as a firewall for EC2 instances. A network ACL acts as a firewall to control traffic in and out of one or more subnets
Where can a user find information about prohibited actions on the AWS infrastructure?
AWS Acceptable Use Policy
The goals of DLP solution implementation include all of the following, except
Elasticity
The company wants to analyze traffic patterns of all clients' connection information from their load balancer within an interval of minutes. Which of the following options meets the company requirements?
Enable Access logs on the load balancer
What is NOT a best practice to protect compute resources?
Enable VPC down to logging subnets
You are developing a new process for data discovery for your organization and are charged with ensuring that all applicable data is included. Which of the following is NOT one of the three methods of data discovery?
Classification
To see the performance of AWS services, which logs will be useful?
Cloud Trail Logs
Which statement about AWS CloudTrail is true?
CloudTrail can be integrated into applications by using the API
A Company wants to monitor the logs of an application and receive a notification whenever a specific number of occurrences of certain HTTP status code errors occur.
CloudWatch Logs
Which statement about Amazon CloudWatch is true?
CloudWatch can be used to detect anomalous behavior and invoke other services to take further action
What is a form of cloud storage often used for streaming multimedia data to users?
Content delivery network (CDN)
According to Cloud Secure Data Life Cycle, in which phase should the process of categorization/classification of data occur?
Create
A typical DLP tool can enhance the organization's efforts at accomplishing what legal task? Response:
Evidence collection
Which of the following sanitization methods is feasible for use in the cloud?
Crypto-shredding
Which of the following tools might be useful in data discovery efforts that are based on content analysis?
DLP
DLP can be combined with what other security technology to enhance data controls? Response:
DRM
Data destruction in the cloud is difficult because __________.
Data in the cloud is constantly being replicated and backed up
The cloud security professional should be aware that encryption would most likely be necessary in all the following aspects of a cloud deployment except ___________________.
Data of relief
What type of data storage is often used in platform as a service (PaaS) arrangements?
Databases
What is the first step to use the detection control that AWS provides?
Define your requirements for logs, alerts, and metrics.
A web application uses a fleet of Amazon EC2 instances for both dynamic and static assests. The EC2 instances are in a private subnet, behind a load balancer that is in a public subnet inside the VPC. Which sevice logs would provide the MOST insight into how users are using the web application?
Elastic Load Balancing (ELB) access logs
Digital rights management (DRM) solutions (sometimes referred to as information rights management, or IRM) can be used to protect all sorts of sensitive data but are usually particularly designed to secure ___________.
Intellectual property (IP)
What metric in cloud watch we can use to monitor Auto Scaling and Elastic Load balancer?
Latency to reach load balancer
Which statement about logging and log files is true?
Log files can be used to demonstrate compliance with regulations
Amazon S3 Object Lock is a feature that provides protection for scenarios where it is imperative that data is not changed or deleted. What are the two ways to mange object retention with Object Lock?
Retention periods and legal holds
Which Amazon S3 feature stores objects by using the write-once-read-many (WORM) model
S3 Object Lock
All of the following are database encryption options that could be used in a platform as a service (PaaS) implementation except ___________________.
Secure Socket Layer (SSL)
You are the security manager of a small firm that has just purchased a DLP solution to implement in your cloud-based production environment. What should you not expect the tool to address?
Sensitive data captured by screenshots
Which definition best describes an incident response?
Set of information security policies and procedures that con be used to identify, contain, and eliminate cyberattacks.