SOA-C01 : AWS-SysOps : Part 25

SOA-C01 : AWS-SysOps : Part 25

1. Your customers are concerned about the security of their sensitive data and their inquiry asks about what happens to old storage devices on AWS. What would be the best answer to this question?

   • AWS uses a 3rd party security organization to destroy data as part of the decommissioning pro-cess.
   • AWS uses the techniques detailed in DoD 5220.22-M to destroy data as part of the decommis-sioning process.
   • AWS reformats the disks and uses them again.
   • AWS uses their own proprietary software to destroy data as part of the decommissioning pro-cess.

   Explanation:
   When a storage device has reached the end of its useful life, AWS procedures include a decommis-sioning process that is designed to prevent customer data from being exposed to unauthorized indi-viduals.
   AWS uses the techniques detailed in DoD 5220.22-M (“National Industrial Security Program Oper-ating Manual “) or NIST 800-88 (“Guidelines for Media Sanitization”) to destroy data as part of the decommissioning process.
   All decommissioned magnetic storage devices are degaussed and physically destroyed in accord-ance with industry-standard practices.

2. In AWS Identity and Access Management (IAM), you can make use of the ______ APIs to grant users temporary access to your resources.

   • AWS Security Transport Service (STS)
   • AWS Security Tree Service (STS)
   • AWS Security Task Service (STS)
   • AWS Security Token Service (STS)
   Explanation:
   AWS Security Token Service enables the creation of temporary credentials that can be used along with IAM in order to grant access to trusted entities and users to your AWS resources for a prede-fined amount of time.

3. An IAM user has two conflicting policies as part of two separate groups. One policy allows him to access an S3 bucket, while another policy denies him the access. Can the user access that bucket?

   • Yes, always
   • No
   • Yes, provided he accesses with the group which has S3 access
   • Yes, but just read only access of the bucket
   Explanation:
   When a request is made, the AWS IAM policy decides whether a given request should be allowed or denied. The evaluation logic follows these rules:
   By default, all requests are denied. (In general, requests made using the account credentials for re-sources in the account are always allowed.)
   An explicit allow policy overrides this default.
   An explicit deny policy overrides any allows.
   In this case since there is an explicit deny policy, it will over ride everything and the request will be denied.

4. An organization has launched 5 instances: 2 for production and 3 for testing. The organization wants a particular group of IAM users to access only the test instances and not the production ones. They want to deploy the instances in various locations based on the factors that will change from time to time, especially in the test group. They expect instances will often need to be churned, i.e. deleted and replaced, especially in the testing group. This means the five instances they have created now will soon be replaced by a different set of five instances. The members of each group, produc-tion and testing, will not change in the foreseeable future. Given the situation, what choice below is the most efficient and time-saving strategy to define the IAM policy?

   • By creating an IAM policy with a condition that allows access to only small instances
   • By defining the IAM policy that allows access based on the instance ID
   • By launching the test and production instances in separate regions and allowing region wise ac-cess to the group
   • By defining the tags on the test and production team members IAM user IDs, and adding a con-dition to the IAM policy that allows access to specific tags

   Explanation:
   AWS Identity and Access Management is a web service that allows organizations to manage users and user permissions for various AWS services. The user can add conditions as a part of the IAM policies. The condition can be set on AWS Tags, Time, and Client IP as well as on various parame-ters. If the organization wants the user to access only specific instances, he should define proper tags and add to the IAM policy condition. The sample policy is shown below.

   

5. For IAM user, a virtual Multi-Factor Authentication (MFA) device uses an application that gener-ates ______-digit authentication codes that are compatible with the time-based one-time password (TOTP) standard.

   • three
   • four
   • six
   • five
   Explanation:
   A virtual MFA device uses an application that generates six-digit authentication codes that are com-patible with the time-based one-time password (TOTP) standard. Therefore, any application that you wish to use in order to make your smart phone your virtual MFA device needs to conform with the standard.

6. The ______ IAM policy element describes the specific action or actions that will be allowed or de-nied.

   • Principal
   • Action
   • Vendor
   • Not Principal
   Explanation:
   The Action element describes the specific action or actions that will be allowed or denied.
   Statements must include either an Action or NotAction element. Each AWS service has its own set of actions that describe tasks that you can perform with that service.

7. A company wants to review the security requirements of Glacier. Which of the below mentioned statements is true with respect to the AWS Glacier data security?

   • The user can set the serverside encryption flag to encrypt the data stored on Glacier.
   • All data stored on Glacier is protected with AES-256 server-side encryption.
   • All data stored on Glacier is protected with AES-128 server-side encryption.
   • The data stored on Glacier is not encrypted by default.
   Explanation:
   For Amazon Web Services, all the data stored on Amazon Glacier is protected using serverside en-cryption. AWS generates separate unique encryption keys for each Amazon Glacier archive, and en-crypts it using AES-256. The encryption key then encrypts itself using AES-256 with a master key that is stored in a secure location.

8. A user has configured two security groups which allow traffic as given below:
   1: SecGrp1:
   Inbound on port 80 for 0.0.0.0/0
   Inbound on port 22 for 0.0.0.0/0

   2: SecGrp2:
   Inbound on port 22 for 10.10.10.1/32
   If both the security groups are associated with the same instance, which of the below mentioned statements is true?

   • It is not possible to have more than one security group assigned to a single instance
   • It allows inbound traffic for everyone on both ports 22 and 80
   • It is not possible to create the security group with conflicting rules. AWS will reject the request
   • It allows inbound traffic on port 22 for IP 10.10.10.1 and for everyone else on port 80
   Explanation:
   A user can attach more than one security group to a single EC2 instance. In this case, the rules from each security group are effectively aggregated to create one set of rules. AWS uses this set of rules to determine whether to allow access or not. Thus, here the rule for port 22 with IP 10.10.10.1/32 will merge with IP 0.0.0.0/0 and open ports 22 and 80 for all.

9. Is it possible to create an S3 bucket accessible only by a certain IAM user using policies in a Cloud-Formation template?

   • Yes, all these resources can be created using a CloudFormation template
   • S3 is not supported by CloudFormation.
   • No, you can only create the S3 bucket but not the IAM user.
   • No, in the same template you can only create the S3 bucket and the relative policy.
   Explanation:
   With AWS Identity and Access Management (IAM), you can create IAM users to control who has access to which resources in your AWS account. You can use IAM with AWS CloudFormation to control what AWS CloudFormation actions users can perform, such as view stack templates, create stacks, or delete stacks.
   In addition to AWS CloudFormation actions, you can manage what AWS services and resources are available to each user.

10. In Amazon CloudFront, if you have chosen On for Logging, the access logs are stored in _______________.

    • Amazon S3 bucket.
    • Amazon EBS.
    • Amazon Edge locations.
    • Amazon EC2 instance.
    Explanation:
    In Amazon CloudFront, if you chose On for Logging, the logs store in the Amazon S3 bucket that you want CloudFront to store access logs in. For example:
    myawslogbucket.s3.amazonaws.com
    If you enable logging, CloudFront records information about each end-user request for an object and stores the files in the specified Amazon S3 bucket.

11. Does Amazon RDS support SSL encryption for SQL Server DB Instances?

    • Yes, for all supported SQL Server editions
    • No
    • Yes, but only when the instances are in a single region
    • No, encryption using SSL is supported only in the GovCloud.
    Explanation:
    Amazon RDS supports SSL encryption for SQL Server DB Instances. Using SSL, you can encrypt connections between your applications and your SQL Server DB Instances. This is available for all the versions of Microsoft SQL Server.

12. Amazon Cognito supports web identity federation through _____.

    • custom sign-in code or own user identities
    • Facebook, Google, and Amazon
    • a configuration check for rules that deny access to specific ports
    • an AWS user group
    Explanation:
    Amazon Cognito supports developer authenticated identities, in addition to web identity federation through Facebook, Google, and Amazon.

13. A user has created an application which will be hosted on EC2. The application makes API calls to DynamoDB to fetch certain data. The application running on this instance is using the SDK for making these calls to DynamoDB. Which of the below mentioned statements is true with respect to the best practice for security in this scenario?

    • The user should create an IAM user with permissions to access DynamoDB and use its creden-tials within the application for connecting to DynamoDB
    • The user should create an IAM user with DynamoDB and EC2 permissions. Attach the user with the application so that it does not use the root account credentials
    • The user should attach an IAM role to the EC2 instance with necessary permissions for making API calls to DynamoDB.
    • The user should create an IAM role with EC2 permissions to deploy the application
    Explanation:
    With AWS IAM a user is creating an application which runs on an EC2 instance and makes requests to AWS, such as DynamoDB or S3 calls. Here it is recommended that the user should not create an IAM user and pass the user’s credentials to the application or embed those credentials inside the ap-plication. Instead, the user should use roles for EC2 and give that role access to DynamoDB /S3. When the roles are attached to EC2, it will give temporary security credentials to the application hosted on that EC2, to connect with DynamoDB / S3.

14. A user is trying to create a list of IAM users with the AWS console. When the IAM users are creat-ed which of the below mentioned credentials will be enabled by default for the user?

    • IAM X.509 certificates
    • Nothing. Everything is disabled by default
    • IAM passwords
    • IAM access key and secret access key
    Explanation:
    Newly created IAM users have no password and no access key (access key ID and secret access key). If the user needs to administer your AWS resources using the AWS Management Console, you can create a password for the user. If the user needs to interact with AWS programmatically (using the command line interface (CLI), the AWS SDK, or service-specific APIs), you can create an access key for that user. The credentials you create for users are what they use to uniquely identi-fy themselves to AWS.

15. You are setting up security groups for both incoming traffic and outgoing traffic in your VPC net-work on the AWS CLI. Which of the following AWS CLI commands would you use for adding one or more incoming traffic rules to a security group?

    • authorize-security-group-egress
    • authorize-security-group-ingress
    • Grant-EC2SecurityGroupOutgress
    • Get-EC2SecurityGroup
    Explanation:
    When setting up security groups for incoming traffic in your VPC network, to add one or more in-gress (incoming traffic) rules to a security group. authorize-security-group-ingress (AWS CLI). ec2-authorize (Amazon EC2 CLI). Grant-EC2SecurityGroupIngress (AWS Tools for Windows Pow-erShell) In computer networking, ingress filtering is a technique used to make sure that incoming packets are actually from the networks that they claim to be from. In computer networking, egress filtering is the practice of monitoring and potentially restricting the flow of information outbound from one network to another. Typically, it is information from a private TCP/IP computer network to the Internet that is controlled.

16. The IAM entity “AWS Account” is similar to:

    • The Unix concept of root or superuser
    • The Unix concept of a non privilege user
    • The Unix concept of guest user
    • The primary billing entity
    Explanation:
    In IAM the AWS Account is the role with most important permissions. It’s equivalent to the root account in a UNIX environment.

17. AWS KMS (Key Management Service) uses symmetric key cryptography to perform encryption and decryption. Symmetric key cryptography uses the same algorithm and key to both encrypt and de-crypt digital data. The unencrypted data is typically called plaintext whether it is text or not, and the encrypted data is typically called _____.

    • ciphertext
    • symtext
    • encryptext
    • cryptext
    Explanation:
    Encryption and Decryption
    AWS KMS uses symmetric key cryptography to perform encryption and decryption. Symmetric key cryptography uses the same algorithm and key to both encrypt and decrypt digital data. The Unen-crypted data is typically called plaintext whether it is text or not. The encrypted data is typically called ciphertext.

18. Bob is an IAM user who has access to the EC2 services. Admin is an IAM user who has access to all the AWS services including IAM. Can Bob change his own password?

    • No, the IAM user can never change the password
    • Yes, only from AWS CLI
    • Yes, only from the AWS console
    • Yes, provided Admin has given Bob access to change his own password

    Explanation:
    The IAM users by default cannot change their password. The root owner or IAM administrator needs to set the policy in the password policy page, which should allow the user to change their password. Once it is enabled, the IAM user can always change their own passwords from the AWS console or CLI.

19. ABC has three AWS accounts. They have created separate IAM users within each account.

    ABC wants a single IAM login URL such as https://abc.signin.aws.amazon.com/console/ for use by IAM users in all three accounts.

    How can this be achieved?

    • Merge all the accounts with consolidated billing
    • Create the S3 bucket with an alias name and use the redirect rule to forward requests to various accounts
    • Create the same account alias with each account ID
    • It is not possible to have the same IAM account login URL for separate AWS accounts
    Explanation:
    Users can create an alias for they accounts, but the alias should be unique to the account. For example, the alias “abc” can be assigned to only one account. If a user wants the URL of the AWS IAM sign-in page to have a company name instead of the AWS account ID, he can create an alias for his AWS account ID.

20. Which of the following Identity and Access Management (IAM) policy keys of AWS Direct Con-nect is used for date/time conditions?

    • aws:CurrentTime
    • aws:UserAgent
    • aws:SourceIp
    • aws:SecureTransport
    Explanation:
    AWS Direct Connect implements the following policy keys of Identity and Access Management:
    aws:CurrentTime (for date/time conditions)
    aws:EpochTime (the date in epoch or UNIX time, for use with date/time conditions)
    aws:SecureTransport (Boolean representing whether the request was sent using SSL)
    aws:SourceIp (the requester’s IP address, for use with IP address conditions) aws:UserAgent (in-formation about the requester’s client application, for use with string conditions)