SOA-C01 : AWS-SysOps : Part 24

  1. What is Amazon CloudFront?

    • A global Content Delivery Network
    • An encrypted endpoint to upload files to the Cloud
    • A web service to schedule regular data movement
    • A development front-end to Amazon Web Services

    Explanation:
    Amazon CloudFront is a global content delivery network (CDN) service that accelerates delivery of your websites, APIs, video content or other web assets through CDN caching. It integrates with other Amazon Web Services products to give developers and businesses an easy way to accelerate content to end users with no minimum usage commitments.
  2. You can create a CloudWatch alarm that watches a single metric. The alarm performs one or more actions based on the value of the metric relative to a threshold over a number of time periods. Which of the following states is possible for the CloudWatch alarm?

    • OK
    • ALERT
    • THRESHOLD
    • ERROR

    Explanation:
    You can create a CloudWatch alarm that watches a single metric. The alarm performs one or more actions based on the value of the metric relative to a threshold over a number of time periods. The action can be an Amazon EC2 action, an Auto Scaling action, or a notification sent to an Amazon SNS topic.
    An alarm has three possible states:
    OK–The metric is within the defined threshold
    ALARM–The metric is outside of the defined threshold
    INSUFFICIENT_DATA–The alarm has just started, the metric is not available, or not enough data is available for the metric to determine the alarm state

  3. A user has enabled instance protection for his Auto Scaling group that has spot instances. If Auto Scaling wants to terminate an instance in this Auto Scaling group due to a CloudWatch trigger unrelated to bid price, what will happen?

    • Auto Scaling will notify the user for the next action
    • Auto Scaling will remove the instance from the Auto Scaling Group
    • Auto Scaling overwrites the instance termination attribute and terminates the instances
    • The EC2 instance will not be terminated since instance protection from scale-in is enabled.
  4. In a hardware security module (HSM), what is the function of a Transparent Data Encryption (TDE)?

    • To reduce the risk of confidential data theft
    • To decrease latency
    • To store SSL certificates
    • To provide backup

    Explanation:
    In a hardware security module (HSM), Transparent Data Encryption (TDE) reduces the risk of confidential data theft by encrypting sensitive data.

  5. In IAM, a policy has to include the information about who (user) is allowed to access the resource, known as the _____.

    • permission
    • role
    • license
    • principal

    Explanation:
    To specify resource-based permissions, you can attach a policy to the resource, such as an Amazon SNS topic, an Amazon S3 bucket, or an Amazon Glacier vault. In that case, the policy has to include information about who is allowed to access the resource, known as the principal. (For user-based policies, the principal is the IAM user that the policy is attached to, or the user who gets the policy from a group.)

  6. Amazon S3 provides a number of security features for protection of data at rest, which you can use or not, depending on your threat profile. What feature of S3 allows you to create and manage your own encryption keys for sending data?

    • Client-side Encryption
    • Network traffic protection
    • Data integrity compromise
    • Server-side Encryption

    Explanation:
    With client-side encryption you create and manage your own encryption keys. Keys you create are not exported to AWS in clear text. Your applications encrypt data before submitting it to Amazon S3, and decrypt data after receiving it from Amazon S3. Data is stored in an encrypted form, with keys and algorithms only known to you. While you can use any encryption algorithm, and either symmetric or asymmetric keys to encrypt the data, the AWS-provided Java SDK offers Amazon S3 client-side encryption features.

  7. In AWS KMS, which of the following is NOT a mode of server-side encryption that you can use to protect data at rest in Amazon S3?

    • SSE-S3
    • SSE-K
    • SSE-C
    • SSE-KMS

    Explanation:
    You can protect data at rest in Amazon S3 by using three different modes of server-side encryption: SSE-S3, SSE-C, or SSE-KMS.

  8. AWS Cloud Hardware Security Modules (HSMs) are designed to _____.

    • store your AWS keys safely
    • provide another level of login security specifically for LDAP
    • allow AWS to audit your infrastructure
    • securely store cryptographic key material and use the key material without exposing it outside the cryptographic boundary of the appliance

    Explanation:
    A Hardware Security Module (HSM) is a hardware appliance that provides secure key storage and cryptographic operations within a tamper-resistant hardware device. They are designed to securely store cryptographic key material and also to be able to use this key material without exposing it outside the cryptographic boundary of the appliance.

  9. Which of the following statements is true of IAM?

    • If you are configuring MFA for a user who will use a smartphone to generate an OTP, you must have the smartphone available in order to finish the wizard.
    • If you are configuring MFA for a user who will use a smartphone to generate an OTP, the smartphone is not required in order to finish the wizard.
    • If you are configuring MFA for a user who will use a smartphone to generate an OTP, you can finish the wizard on any device and later use the smartphone for authentication.
    • None of these are correct.

    Explanation:
    MFA can be used either with a specific MFA-enabled device or by installing an application on a smartphone. If a user chooses to use her smartphone, physical access to the device is required in order to complete the configuration wizard.

  10. Could you use IAM to grant access to Amazon DynamoDB resources and API actions?

    • In DynamoDB there is no need to grant access
    • Depended to the type of access
    • No
    • Yes

    Explanation:
    Amazon DynamoDB integrates with AWS Identity and Access Management (IAM). You can use AWS IAM to grant access to Amazon DynamoDB resources and API actions. To do this, you first write an AWS IAM policy, which is a document that explicitly lists the permissions you want to grant. You then attach that policy to an AWS IAM user or role.

  11. A user is planning to schedule a backup for an existing EBS volume. The user wants the backup to be created through snapshot, and for it to be encrypted. How can the user achieve data encryption with a snapshot?

    • Encrypt the existing EBS volumes so that the snapshot will be encrypted by AWS when it is created
    • By default the snapshot is encrypted by AWS
    • While creating a snapshot select the snapshot with encryption
    • Enable server side encryption for the snapshot using S3

    Explanation:
    AWS EBS supports encryption of the volume. It also supports creating volumes from existing snapshots provided the snapshots are created from encrypted volumes. The data at rest, the I/O as well as all the snapshots of the encrypted EBS will also be encrypted. EBS encryption is based on the AES-256 cryptographic algorithm, which is the industry standard.

  12. What does the Server-side encryption provide in Amazon S3?

    • Server-side encryption doesn’t exist for Amazon S3, but only for Amazon EC2.
    • Server-side encryption protects data at rest using Amazon S3-managed encryption keys (SSE-S3).
    • Server-side encryption provides an encrypted virtual disk in the cloud.
    • Server-side encryption allows to upload files using an SSL endpoint for a secure transfer.

    Explanation:
    Server-side encryption is about protecting data at rest. Server-side encryption with Amazon S3-managed encryption keys (SSE-S3) employs strong multi-factor encryption. Amazon S3 encrypts each object with a unique key. As an additional safeguard, it encrypts the key itself with a master key that it regularly rotates.

  13. The Statement element, of an AWS IAM policy, contains an array of individual statements. Each individual statement is a(n) ______ block enclosed in braces { }.

    • JSON
    • AJAX
    • JavaScript
    • jQuery

    Explanation:
    The Statement element, of an IAM policy, contains an array of individual statements. Each individual statement is a JSON block enclosed in braces { }.

  14. You need to set up security for your VPC and you know that Amazon VPC provides two features that you can use to increase security for your VPC: Security groups and network access control lists (ACLs). You start to look into security groups first. Which statement below is incorrect in relation to security groups?

    • Are stateful: Return traffic is automatically allowed, regardless of any rules.
    • Support addition of individual allow and deny rules in both inbound and outbound.
    • Security Groups can be added or removed from EC2 instances in a VPC at any time.
    • Evaluate all rules before deciding whether to allow traffic.

    Explanation:
    Amazon VPC provides two features that you can use to increase security for your VPC:
    Security groups–Act as a firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level and supports allow rules only.
    Network access control lists (ACLs)–Act as a firewall for associated subnets, controlling both inbound and outbound traffic at the subnet level and supports allow rules and deny rules.

  15. What does Amazon IAM stand for?

    • Amazon Identity and Authentication Mechanism
    • Amazon Integrated Access Management
    • Amazon Identity and Access Management
    • None of these

    Explanation:
    Amazon IAM stands for Amazon Identity and Access Management. The “identity” aspect of AWS IAM helps you with the question “Who is that user?”, often referred to as authentication.

  16. Can you use the AWS Identity and Access Management (IAM) to assign permissions determining who can manage or modify RDS resources?

    • No, AWS IAM is used only to assign IDs to AWS users.
    • No, this permission cannot be assigned by AWS IAM.
    • Yes, you can.
    • No, AWS IAM is used only to assign activities.

    Explanation:
    Use AWS Identity and Access Management (IAM) policies to assign permissions that determine who is allowed to manage RDS resources. For example, you can use IAM to determine who is allowed to create, describe, modify, and delete DB instances, tag resources, or modify DB security groups.

  17. You have been asked to design a layered security solution for protecting your organization’s network infrastructure. You research several options and decide to deploy a network-level security control appliance, inline, where traffic is intercepted and analyzed prior to being forwarded to its final destination, such as an application server. Which of the following is NOT considered an inline threat protection technology?

    • Intrusion prevention systems
    • Third-party firewall devices installed on Amazon EC2 instances
    • Data loss management gateways
    • Augmented security groups with Network ACLs

    Explanation:
    Many organizations consider layered security to be a best practice for protecting network infrastructure. In the cloud, you can use a combination of Amazon VPC, implicit firewall rules at the hypervisor-layer, alongside network access control lists, security groups, host-based firewalls, and IDS/IPS systems to create a layered solution for network security. While security groups, NACLs and host-based firewalls meet the needs of many customers, if you’re looking for defense in-depth, you should deploy a network-level security control appliance, and you should do so inline, where traffic is intercepted and analyzed prior to being forwarded to its final destination, such as an application server.
    Examples of inline threat protection technologies include the following:
    Third-party firewall devices installed on Amazon EC2 instances (also known as soft blades)
    Unified threat management (UTM) gateways
    Intrusion prevention systems
    Data loss management gateways
    Anomaly detection gateways
    Advanced persistent threat detection gateways

  18. Is it possible to protect the connections between your application servers and your MySQL instances using SSL encryption?

    • Yes, it is possible but only in certain regions.
    • Yes
    • No
    • Yes, it is possible but only in VPC.

    Explanation:
    To further enhance the security of your infrastructure, AWS allows you to SSL encrypt the communications between your EC2 instances and your MySQL instances. Amazon RDS generates an SSL certificate for each DB Instance. Once an encrypted connection is established, data transferred between the DB Instance and your application will be encrypted during transfer.

  19. You need to determine what encryption operations were taken with which key in AWS KMS to either encrypt or decrypt data in the AWS CodeCommit repository. Which of the following actions will best help you accomplish this?

    • Searching for the AWS CodeCommit repository ID in AWS CloudTrail logs
    • Searching for the encryption key ID in AWS CloudTrail logs
    • Searching for the AWS CodeCommit repository ID in AWS CloudWatch
    • Searching for the encryption key ID in AWS CloudWatch

    Explanation:
    The encryption context is additional authenticated information AWS KMS uses to check for data integrity. When specified for the encryption operation, it must also be specified in the decryption operation or decryption will fail. AWS CodeCommit uses the AWS CodeCommit repository ID for the encryption context. You can find the repository ID by using the get-repository command or by viewing repository details in the AWS CodeCommit console. Search for the AWS CodeCommit repository ID in AWS CloudTrail logs to understand which encryption operations were taken on which key in AWS KMS to encrypt or decrypt data in the AWS CodeCommit repository.

  20. The AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data. AWS KMS is integrated with other AWS services including Amazon EBS, Amazon S3, Amazon Redshift, Elastic Transcoder, Amazon WorkMail, and Amazon RDS to make it simple to encrypt your data with encryption keys that you manage. AWS KMS is also integrated with AWS CloudTrail to provide you with key usage logs to help meet your regulatory and compliance needs. Which of the following types of cryptography keys is supported by AWS KMS currently?

    • Private ephemeral key agreement cryptography
    • Symmetric and asymmetric random number generation key cryptography
    • Asymmetric key cryptography and symmetric key cryptography
    • Only symmetric key cryptography

    Explanation:
    The AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data. AWS KMS is integrated with other AWS services including Amazon EBS, Amazon S3, Amazon Redshift, Elastic Transcoder, Amazon WorkMail, and Amazon RDS to make it simple to encrypt your data with encryption keys that you manage. AWS KMS is also integrated with AWS CloudTrail to provide you with key usage logs to help meet your regulatory and compliance needs. AWS KMS currently supports only symmetric (private) key cryptography.