INCIDENT RESPONSE: QUESTION 1
A company hosts a popular web application that connects to an Amazon RDS MySQL DB instance running in a private VPC subnet that was created with default ACL settings. The IT Security department suspects that a DDoS attack is coming from a particular IP address. How can you protect the subnets from this attack?
A. Change the Inbound Security Groups to deny access from the suspect IP
B. Change the Outbound Security Groups to deny access from the suspect IP
C. Change the Inbound NACL to deny access from the suspect IP
D. Change the Outbound NACL to deny access from the suspect IP
Explanation:
Answer – C
Options A and B are invalid because security groups already block all inbound traffic by default and only hold allow rules; they cannot express an explicit deny for a single address. NACLs are the additional security layer for the subnet that can deny traffic from a specific source.
Option D is invalid because changing the inbound rules alone is sufficient: the attack traffic arrives at the subnet, so it is the inbound rule set that must block it.
The AWS Documentation mentions the following:
A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC.
For more information on Network Access Control Lists, please visit the following URL:
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html
IDENTITY AND ACCESS MANAGEMENT: QUESTION 2
You are designing a custom IAM policy that would allow users to list buckets in S3 only if they are MFA authenticated. Which of the following would best match this requirement?
A.
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "s3:ListAllMyBuckets",
      "s3:GetBucketLocation"
    ],
    "Resource": "arn:aws:s3:::*",
    "Condition": {
      "Bool": {"aws:MultiFactorAuthPresent": true}
    }
  }
}
B.
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "s3:ListAllMyBuckets",
      "s3:GetBucketLocation"
    ],
    "Resource": "arn:aws:s3:::*",
    "Condition": {
      "Bool": {"aws:MultiFactorAuthPresent": false}
    }
  }
}
C.
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "s3:ListAllMyBuckets",
      "s3:GetBucketLocation"
    ],
    "Resource": "arn:aws:s3:::*",
    "Condition": {
      "aws:MultiFactorAuthPresent": false
    }
  }
}
D.
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "s3:ListAllMyBuckets",
      "s3:GetBucketLocation"
    ],
    "Resource": "arn:aws:s3:::*",
    "Condition": {
      "aws:MultiFactorAuthPresent": true
    }
  }
}
Explanation:
Answer - A
The Condition element can be used to ensure users can only work with resources if they are MFA authenticated.
Options B and C are wrong because the aws:MultiFactorAuthPresent key should be tested for true: the statement should grant access only when the user has authenticated with MFA, which is when the key is true.
Option D is invalid because the "Bool" condition operator is missing from the Condition element.
Boolean conditions let you construct Condition elements that restrict access based on comparing a key to "true" or "false."
Here the Bool operator in the Condition element evaluates to true for option A whenever MFA is present, which ensures that access is allowed on the S3 resources.
For more information on an example of such a policy, please visit the following URL:
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_mfa-dates.html
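To make the difference between the four options concrete, here is an added example (not part of the original question set, and not AWS's policy engine) that evaluates each option's Condition block against a request context. It models only the Bool operator and a single Allow statement; the helper names candidate_policy, condition_matches, statement_allows and evaluate_option, the bucket ARN arn:aws:s3:::demo-bucket and the sample contexts are all assumptions made for the example.

```python
import fnmatch


def candidate_policy(condition):
    """Build a policy shaped like the four exam options; only the Condition block differs."""
    return {
        "Version": "2012-10-17",
        "Statement": {
            "Effect": "Allow",
            "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
            "Resource": "arn:aws:s3:::*",
            "Condition": condition,
        },
    }


# Options C and D put the condition key directly under "Condition" with no operator,
# which is the defect the explanation points out for option D.
OPTIONS = {
    "A": candidate_policy({"Bool": {"aws:MultiFactorAuthPresent": True}}),
    "B": candidate_policy({"Bool": {"aws:MultiFactorAuthPresent": False}}),
    "C": candidate_policy({"aws:MultiFactorAuthPresent": False}),
    "D": candidate_policy({"aws:MultiFactorAuthPresent": True}),
}

# Only the Bool operator is modelled here (assumption); real IAM supports many more.
SUPPORTED_OPERATORS = {"Bool"}


def condition_matches(condition, context):
    """Evaluate a Condition block against the request context (a dict of condition keys).

    An absent context key never matches, which mirrors how IAM treats
    aws:MultiFactorAuthPresent for callers using long-term access keys: the key
    is simply not present, it is not "false". A Condition whose top-level keys
    are not operators is malformed; IAM refuses to create such a policy, so this
    evaluator raises instead of guessing what was meant.
    """
    for operator, tests in condition.items():
        if operator not in SUPPORTED_OPERATORS:
            raise ValueError(f"malformed Condition: {operator!r} is not a condition operator")
        for key, expected in tests.items():
            if key not in context:
                return False
            # Bool compares the textual forms "true"/"false", case-insensitively.
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def statement_allows(policy, action, resource, context):
    """Return True when the policy's single Allow statement grants action on resource."""
    stmt = policy["Statement"]
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
        return False
    if not fnmatch.fnmatchcase(resource, stmt["Resource"]):
        return False
    if not condition_matches(stmt.get("Condition", {}), context):
        return False
    return stmt["Effect"] == "Allow"


def evaluate_option(letter, context):
    """Outcome of one exam option for s3:ListAllMyBuckets: 'allow', 'deny' or 'malformed'."""
    try:
        allowed = statement_allows(OPTIONS[letter], "s3:ListAllMyBuckets",
                                   "arn:aws:s3:::demo-bucket", context)
    except ValueError:
        return "malformed"
    return "allow" if allowed else "deny"


if __name__ == "__main__":
    # Constructed request contexts for the three credential situations.
    MFA = {"aws:MultiFactorAuthPresent": True}           # MFA-authenticated session
    TEMP_NO_MFA = {"aws:MultiFactorAuthPresent": False}  # temporary credentials, no MFA
    LONG_TERM = {}                                       # access keys: key absent
    for letter in "ABCD":
        print(letter, "mfa:", evaluate_option(letter, MFA),
              "temp-no-mfa:", evaluate_option(letter, TEMP_NO_MFA),
              "long-term:", evaluate_option(letter, LONG_TERM))
```

Running it shows option A allowing only the MFA context, option B granting the opposite of the requirement (it allows the no-MFA temporary-credential context and denies the MFA one), and options C and D rejected as malformed before any evaluation takes place. The absent-key case is worth remembering: a user calling with plain access keys does not carry aws:MultiFactorAuthPresent at all, so option A denies them as intended.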
IDENTITY AND ACCESS MANAGEMENT: QUESTION 3
You are hosting a web site via website hosting on an S3 bucket - http://demo.s3-website-us-east-1.amazonaws.com. You have some web pages that use JavaScript to access resources in another bucket which also has website hosting enabled. But when users access the web pages, they get a blocked JavaScript error. How can you rectify this?
A. Enable CORS for the bucket
B. Enable versioning for the bucket
C. Enable MFA for the bucket
D. Enable CRR for the bucket
Explanation:
Answer – A
Such a scenario is also given in the AWS Documentation:
Cross-Origin Resource Sharing: Use-case Scenarios
The following are example scenarios for using CORS:
Scenario 1: Suppose that you are hosting a website in an Amazon S3 bucket named website as described in Hosting a Static Website on Amazon S3. Your users load the website endpoint http://website.s3-website-us-east-1.amazonaws.com. Now you want to use JavaScript on the webpages that are stored in this bucket to be able to make authenticated GET and PUT requests against the same bucket by using the Amazon S3 API endpoint for the bucket, website.s3.amazonaws.com. A browser would normally block JavaScript from allowing those requests, but with CORS you can configure your bucket to explicitly enable cross-origin requests from website.s3-website-us-east-1.amazonaws.com.
Scenario 2: Suppose that you want to host a web font from your S3 bucket. Again, browsers require a CORS check (also called a preflight check) for loading web fonts. You would configure the bucket that is hosting the web font to allow any origin to make these requests.
Option B is invalid because versioning only creates multiple versions of an object and helps recover from accidental deletion of objects.
Option C is invalid because MFA on a bucket (MFA Delete) is an extra measure of caution for deletion of objects.
Option D is invalid because CRR is used for cross-region replication of objects.
For more information on Cross Origin Resource Sharing, please visit the following URL:
https://docs.aws.amazon.com/AmazonS3/latest/dev/cors.html
IDENTITY AND ACCESS MANAGEMENT: QUESTION 4
You have a vendor that needs access to an AWS resource. You create an AWS user account. You want to restrict access to the resource using a policy for just that user over a brief period. Which of the following would be an ideal policy to use?
A. An AWS Managed Policy
B. An Inline Policy
C. A Bucket Policy
D. A bucket ACL
Explanation:
Answer – B
The AWS Documentation gives an example of such a case:
Inline policies are useful if you want to maintain a strict one-to-one relationship between a policy and the principal entity that it's applied to. For example, you want to be sure that the permissions in a policy are not inadvertently assigned to a principal entity other than the one they're intended for. When you use an inline policy, the permissions in the policy cannot be inadvertently attached to the wrong principal entity. In addition, when you use the AWS Management Console to delete that principal entity, the policies embedded in the principal entity are deleted as well. That's because they are part of the principal entity.
Option A is invalid because AWS managed policies are fine for a group of users, but for an individual user an inline policy is better.
Options C and D are invalid because they are specifically meant for access to S3 buckets.
For more information on policies, please visit the following URL:
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html
LOGGING AND MONITORING: QUESTION 5
Your company has a requirement to monitor all root user activity by notification. How can this best be achieved? Choose 2 answers from the options given below. Each answer forms part of the solution.
A. Create a CloudWatch Events Rule
B. Create a CloudWatch Logs Rule
C. Use a Lambda function
D. Use CloudTrail API call
Explanation:
Answer – A and C
Below is a snippet from the AWS blogs on a solution
Option B is invalid because you need to create a CloudWatch Events Rule, and there is no such thing as a CloudWatch Logs Rule.
Option D is invalid because CloudTrail API calls can be recorded but cannot by themselves be used to send notifications.
For more information on this blog article, please visit the following URL:
https://aws.amazon.com/blogs/mt/monitor-and-notify-on-aws-account-root-user-activity/
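The two pieces of the answer, a CloudWatch Events rule that matches root-user CloudTrail events and a Lambda function that turns a match into a notification, can be exercised offline with the added example below. It is not code from the question set or from the linked AWS blog: the event pattern ROOT_ACTIVITY_PATTERN is assumed (shaped the way a root-activity rule is normally written), event_matches re-implements only the subset of pattern matching this rule needs, the two CloudTrail-style events are constructed samples with documentation IP addresses and a placeholder account id, and lambda_handler returns the alert text instead of publishing it to an SNS topic.

```python
import json

# Assumed event pattern for the CloudWatch Events rule: match CloudTrail-delivered
# API calls and console sign-ins whose calling identity is the account root user.
ROOT_ACTIVITY_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail", "AWS Console Sign In via CloudTrail"],
    "detail": {"userIdentity": {"type": ["Root"]}},
}


def event_matches(pattern, event):
    """Subset of CloudWatch Events pattern matching sufficient for this rule.

    Every key in the pattern must exist in the event; a list in the pattern means
    "the event value must be one of these"; a nested dict is matched recursively.
    Keys present in the event but absent from the pattern are ignored.
    """
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not event_matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def build_notification(event):
    """Return the alert text for a root-user event, or None when the rule does not match.

    In a real deployment this text would be published to an SNS topic; returning it
    keeps the logic testable without AWS credentials.
    """
    if not event_matches(ROOT_ACTIVITY_PATTERN, event):
        return None
    detail = event["detail"]
    return (
        f"Root user activity in account {event['account']}: {detail['eventName']} "
        f"from {detail.get('sourceIPAddress', 'unknown')} at {detail['eventTime']}"
    )


def lambda_handler(event, context=None):
    """Entry point with the signature Lambda invokes; returns what would be sent."""
    return build_notification(event)


# Constructed sample events in the shape CloudWatch Events delivers CloudTrail records
# (placeholder account id, RFC 5737 documentation addresses).
ROOT_SIGNIN = {
    "detail-type": "AWS Console Sign In via CloudTrail",
    "account": "111122223333",
    "detail": {
        "eventName": "ConsoleLogin",
        "eventTime": "2024-01-01T10:00:00Z",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "Root", "accountId": "111122223333"},
    },
}
IAM_USER_CALL = {
    "detail-type": "AWS API Call via CloudTrail",
    "account": "111122223333",
    "detail": {
        "eventName": "ListBuckets",
        "eventTime": "2024-01-01T10:05:00Z",
        "sourceIPAddress": "203.0.113.20",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
    },
}

if __name__ == "__main__":
    for sample in (ROOT_SIGNIN, IAM_USER_CALL):
        print(json.dumps(sample["detail"]["userIdentity"]), "->", lambda_handler(sample))
```

The root console sign-in produces an alert line while the IAM user's API call produces None, which is the behaviour the rule-plus-function pair is meant to give: CloudTrail records both events, but only the rule and the function turn the root one into a notification.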
DATA PROTECTION: QUESTION 6
A company wants to have a secure way of generating, storing and managing cryptographic keys. But they want to have exclusive access to the keys. Which of the following can be used for this purpose?
A. Use KMS and the normal KMS encryption keys
B. Use KMS and use external key material
C. Use S3 Server Side encryption
D. Use CloudHSM
Explanation:
Answer – D
The AWS Documentation mentions the following:
The AWS CloudHSM service helps you meet corporate, contractual and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) instances within the AWS cloud. AWS and AWS Marketplace partners offer a variety of solutions for protecting sensitive data within the AWS platform, but for some applications and data subject to contractual or regulatory mandates for managing cryptographic keys, additional protection may be necessary. CloudHSM complements existing data protection solutions and allows you to protect your encryption keys within HSMs that are designed and validated to government standards for secure key management. CloudHSM allows you