- Email support@dumps4free.com
A company wants to deploy a distributed web application on a fleet of EC2 instances. The fleet will be fronted by a Classic Load Balancer that will be configured to terminate the TLS connection The company wants to make sure that all past and current TLS traffic to the Classic Load Balancer stays secure even if the certificate private key is leaked. To ensure the company meets these requirements, a Security Engineer can configure a Classic Load Balancer with:
A.
An HTTPS listener that uses a certificate that is managed by Amazon Certification Manager.
B.
An HTTPS listener that uses a custom security policy that allows only perfect forward secrecy cipher suites
C.
An HTTPS listener that uses the latest IAM predefined ELBSecuntyPolicy-TLS-1-2- 2017-01 security policy
D.
A TCP listener that uses a custom security policy that allows only perfect forward secrecy cipher suites.
An HTTPS listener that uses a custom security policy that allows only perfect forward secrecy cipher suites
this is a way to configure a Classic Load Balancer with perfect forward secrecy cipher suites. Perfect forward secrecy is a property of encryption protocols that ensures that past and current TLS traffic stays secure even if the certificate private key is leaked. Cipher suites are sets of algorithms that determine how encryption is performed. A custom security policy is a set of cipher suites and protocols that you can select for your load balancer to support. An HTTPS listener is a process that checks for connection requests using encrypted SSL/TLS protocol. By using an HTTPS listener that uses a custom security policy that allows only perfect forward secrecy cipher suites, you can ensure that your Classic Load Balancer meets the requirements. The other options are either invalid or insufficient for configuring a Classic Load Balancer with perfect forward secrecy cipher suites.
A corporation is preparing to acquire several companies. A Security Engineer must design a solution to ensure that newly acquired IAM accounts follow the corporation's security best practices. The solution should monitor each Amazon S3 bucket for unrestricted public write access and use IAM managed services. What should the Security Engineer do to meet these requirements?
A.
Configure Amazon Macie to continuously check the configuration of all S3 buckets.
B.
Enable IAM Config to check the configuration of each S3 bucket
C.
Set up IAM Systems Manager to monitor S3 bucket policies for public write access
D.
Configure an Amazon EC2 instance to have an IAM role and a cron job that checks the status of all S3 buckets.
Set up IAM Systems Manager to monitor S3 bucket policies for public write access
Explanation:
Because this is a solution that can monitor each S3 bucket for unrestricted public write access and use IAM managed services. S3 is a service that provides object storage in the cloud. Systems Manager is a service that helps you automate and manage your AWS resources. You can use Systems Manager to monitor S3 bucket policies for public write access by using a State Manager association that runs a predefined document called AWS-FindS3BucketWithPublicWriteAccess. This document checks each S3 bucket in an account and reports any bucket that has public write access enabled. The other options are either not suitable or not feasible for meeting the requirements.
A company is using Amazon Macie, AWS Firewall Manager, Amazon Inspector, and AWS Shield Advanced in its AWS account. The company wants to receive alerts if a DDoS attack occurs against the account. Which solution will meet this requirement?
A.
Use Macie to detect an active DDoS event. Create Amazon CloudWatch alarms that respond to Macie findings.
B.
Use Amazon Inspector to review resources and to invoke Amazon CloudWatch alarms for any resources that are vulnerable to DDoS attacks.
C.
Create an Amazon CloudWatch alarm that monitors Firewall Manager metrics for an active DDoS event.
D.
Create an Amazon CloudWatch alarm that monitors Shield Advanced metrics for an active DDoS event.
Create an Amazon CloudWatch alarm that monitors Shield Advanced metrics for an active DDoS event.
This answer is correct because AWS Shield Advanced is a service that provides comprehensive protection against DDoS attacks of any size or duration. It also provides metrics and reports on the DDoS attack vectors, duration, and size. You can create an Amazon CloudWatch alarm that monitors Shield Advanced metrics such as DDoSAttackBitsPerSecond, DDoSAttackPacketsPerSecond, and DDoSAttackRequestsPerSecond to receive alerts if a DDoS attack occurs against your account. For more information, see Monitoring AWS Shield Advanced with Amazon CloudWatch and AWS Shield Advanced metrics and alarms.
A security team is using Amazon EC2 Image Builder to build a hardened AMI with forensic capabilities. An AWS Key Management Service (AWS KMS) key will encrypt the forensic AMI EC2 Image Builder successfully installs the required patches and packages in the security team's AWS account. The security team uses a federated IAM role m the same AWS account to sign in to the AWS Management Console and attempts to launch the forensic AMI. The EC2 instance launches and immediately terminates.
What should the security learn do lo launch the EC2 instance successfully?
A.
Update the policy that is associated with the federated IAM role to allow the ec2. Describelmages action for the forensic AMI.
B.
Update the policy that is associated with the federated IAM role to allow the ec2 Start Instances action m the security team's AWS account.
C.
Update the policy that is associated with the KMS key that is used to encrypt the forensic AMI. Configure the policy to allow the kms. Encrypt and kms Decrypt actions for the federated IAM role.
D.
Update the policy that is associated with the federated IAM role to allow the kms. DescribeKey action for the KMS key that is used to encrypt the forensic AMI.
Update the policy that is associated with the KMS key that is used to encrypt the forensic AMI. Configure the policy to allow the kms. Encrypt and kms Decrypt actions for the federated IAM role.
Explanation: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/troubleshootinglaunch.
html#troubleshooting-launch-internal
A company has two teams, and each team needs to access its respective Amazon S3 buckets. The company anticipates adding more teams that also will have their own S3 buckets. When the company adds these teams, team members will need the ability to be assigned to multiple teams. Team members also will need the ability to change teams.
Additional S3 buckets can be created or deleted.
An IAM administrator must design a solution to accomplish these goals. The solution also must be scalable and must require the least possible operational overhead. Which solution meets these requirements?
A.
Add users to groups that represent the teams. Create a policy for each team that allows the team to access its respective S3 buckets only. Attach the policy to the corresponding group.
B.
Create an IAM role for each team. Create a policy for each team that allows the team to access its respective S3 buckets only. Attach the policy to the corresponding role.
C.
Create IAM roles that are labeled with an access tag value of a team. Create one policy that allows dynamic access to S3 buckets with the same tag. Attach the policy to the IAM roles. Tag the S3 buckets accordingly.
D.
Implement a role-based access control (RBAC) authorization model. Create the corresponding policies, and attach them to the IAM users.
Add users to groups that represent the teams. Create a policy for each team that allows the team to access its respective S3 buckets only. Attach the policy to the corresponding group.
| Page 1 out of 58 Pages |