A company has multiple applications and is now building a new multi-tier application. The company will host the new application on Amazon EC2 instances. The company wants the network routing and traffic between the various applications to follow the security principle of least privilege.
Which AWS service or feature should the company use to enforce this principle?
Security groups
AWS Shield
AWS Global Accelerator
AWS Direct Connect gateway
Answer is Security groups
A security group acts as a virtual firewall for your EC2 instances to control incoming and outgoing traffic. Inbound rules control the traffic that may reach your instance, and outbound rules control the traffic your instance may send. When you launch an instance, you can specify one or more security groups; if you don't specify one, Amazon EC2 uses the default security group for the VPC. You can add rules to each security group that allow traffic to or from its associated instances, and you can modify those rules at any time; new and modified rules are applied automatically to every instance associated with the group. When Amazon EC2 decides whether to allow traffic to reach an instance, it evaluates all of the rules from all of the security groups associated with that instance. Two properties matter for least privilege: security groups contain only allow rules (anything not explicitly allowed is denied), and they are stateful (return traffic for an allowed connection is permitted without a matching rule in the other direction). For a multi-tier application, the usual pattern is for each tier's group to allow inbound traffic only on the port the tier actually serves and only from the security group of the tier in front of it, rather than from a CIDR range. AWS Shield is DDoS protection, AWS Global Accelerator is a network performance service, and a Direct Connect gateway connects on-premises networks to VPCs; none of them enforces per-instance traffic rules.
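As an added example (not code from the page), the following Python audits security group rules for the least-privilege pattern described above. The input has the shape returned by aws ec2 describe-security-groups; the three groups, their IDs and the list of Internet-facing groups are constructed for a hypothetical ALB -> web -> database application.

```python
"""Least-privilege audit of EC2 security groups (added example, not from the page).

Input is the shape returned by `aws ec2 describe-security-groups` /
boto3 describe_security_groups()["SecurityGroups"]. The groups below are
constructed for a three-tier app: ALB -> web -> db (all IDs hypothetical).
"""

SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0alb00000000000001",
        "GroupName": "alb-sg",
        "IpPermissions": [
            # Edge tier: HTTPS from anywhere is expected here.
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0web0000000000002",
        "GroupName": "web-sg",
        "IpPermissions": [
            # Correct: app port only, and only from the ALB's security group.
            {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
             "IpRanges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0alb00000000000001"}]},
            # Misconfiguration: SSH open to the world on an internal tier.
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0db00000000000003",
        "GroupName": "db-sg",
        "IpPermissions": [
            # Misconfiguration: every protocol and port from the whole VPC CIDR.
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []},
        ],
    },
]

# Groups that are allowed to accept traffic from the Internet (edge tier only).
INTERNET_FACING = {"alb-sg"}


def audit_security_groups(groups, internet_facing=INTERNET_FACING):
    """Return (group_name, reason) pairs for rules that violate least privilege."""
    findings = []
    for sg in groups:
        name = sg["GroupName"]
        for rule in sg.get("IpPermissions", []):
            proto = rule["IpProtocol"]
            from_port = rule.get("FromPort")
            to_port = rule.get("ToPort")
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            peers = [p["GroupId"] for p in rule.get("UserIdGroupPairs", [])]

            # "-1" means all protocols, which implies every port.
            if proto == "-1":
                findings.append((name, "rule allows all protocols and ports"))
            elif from_port is not None and to_port is not None and to_port > from_port:
                findings.append((name, f"rule allows a port range {from_port}-{to_port}"))

            for cidr in cidrs:
                if cidr in ("0.0.0.0/0", "::/0") and name not in internet_facing:
                    findings.append((name, f"port {from_port} open to the Internet ({cidr})"))

            # Internal tiers should be reached via a source security group, not a CIDR.
            if name not in internet_facing and cidrs and not peers:
                findings.append((name, "internal tier accepts traffic by CIDR instead of source security group"))
    return findings


if __name__ == "__main__":
    for group, reason in audit_security_groups(SAMPLE_GROUPS):
        print(f"{group}: {reason}")
```

Only the ALB group passes: the web tier is flagged for the world-open SSH rule and the database tier for accepting every protocol from a CIDR rather than from the web tier's security group. In a real account the same function can be pointed at the output of describe_security_groups.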
A company's web application requires AWS credentials and authorizations to use an AWS service.
Which IAM entity should the company use as best practice?
IAM role
IAM user
IAM group
IAM multi-factor authentication (MFA)
Answer is IAM role
The company should use IAM roles to grant AWS credentials and authorizations to its web application.
IAM roles are a secure way to grant permissions to an entity that needs to access AWS resources. In this case, the web application needs AWS credentials and authorizations to call an AWS service. With a role attached to the EC2 instance through an instance profile, the application obtains temporary security credentials from the instance metadata service; the credentials are rotated automatically and never have to be written into configuration files, environment variables or application code. This removes the long-term access keys that an IAM user would require and with them the risk of accidental exposure (for example, a key committed to a repository) or misuse.
IAM roles are assigned policies that define the specific permissions the web application needs. The role should allow only the actions and resources the application actually uses, which is how the company grants the least privilege required for the application to function. An IAM group only organizes users, and MFA is an authentication control, not a way to give an application credentials.
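As an added example (not from the page), the following Python builds the two policy documents such a role needs, the trust policy that lets EC2 assume it and a scoped permission policy, and lints them for the wildcards that defeat least privilege. The bucket, table, account ID and region are hypothetical.

```python
"""IAM role for an EC2-hosted web app (added example, not from the page).

Builds the trust policy and permission policy for the role and lints both
for over-broad grants. Bucket/table names and the account ID are hypothetical.
"""
import json

# Trust policy: who may assume the role. For EC2 that is the EC2 service,
# which hands the instance temporary credentials via the instance profile.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Permission policy: only the calls the app makes, on only its own resources.
APP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-app-uploads/*"},
        {"Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/example-sessions"},
    ],
}

# What a copy-pasted "make it work" policy tends to look like.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# A trust policy that lets any AWS principal assume the role.
OPEN_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": "sts:AssumeRole"}],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]


def lint_permission_policy(policy):
    """Return problems: wildcard actions, service-wide actions, wildcard resources."""
    problems = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                problems.append(f"statement {i}: Action '*' grants every API")
            elif action.endswith(":*"):
                problems.append(f"statement {i}: {action} grants a whole service")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                problems.append(f"statement {i}: Resource '*' applies to every resource")
    return problems


def lint_trust_policy(policy, expected_service="ec2.amazonaws.com"):
    """Flag trust policies that let anyone, or an unexpected principal, assume the role."""
    problems = []
    for i, stmt in enumerate(policy["Statement"]):
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            problems.append(f"statement {i}: any AWS principal can assume this role")
        elif isinstance(principal, dict) and principal.get("Service") != expected_service:
            problems.append(f"statement {i}: unexpected principal {principal}")
    return problems


if __name__ == "__main__":
    print(json.dumps(TRUST_POLICY, indent=2))
    print("app policy:", lint_permission_policy(APP_POLICY) or "ok")
    print("broad policy:", lint_permission_policy(OVERLY_BROAD_POLICY))
    print("open trust policy:", lint_trust_policy(OPEN_TRUST_POLICY))
    # On the instance, an SDK client picks up the role's credentials from the
    # instance metadata service; no access keys appear anywhere in the code:
    #   import boto3; s3 = boto3.client("s3")
```

The linter is deliberately simple (it does not expand action wildcards or evaluate conditions), but it catches the two patterns that most often turn a role into a full-account key: Action "*" / Resource "*" and a trust policy open to every AWS principal.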
Which of the following actions are controlled with AWS Identity and Access Management (IAM)? (Choose two.)
A. Control access to AWS service APIs and to other specific resources.
B. Provide intelligent threat detection and continuous monitoring.
C. Protect the AWS environment using multi-factor authentication (MFA).
D. Grant users access to AWS data centers.
E. Provide firewall protection for applications from common web attacks.
Answers are:
A. Control access to AWS service APIs and to other specific resources.
C. Protect the AWS environment using multi-factor authentication (MFA).
A. IAM allows you to manage permissions and access to AWS service APIs and to specific resources such as Amazon S3 buckets, EC2 instances, and more. IAM provides fine-grained control over which actions users and roles can perform within the AWS environment.
C. IAM supports multi-factor authentication (MFA), which adds an extra layer of security to AWS accounts. MFA requires users to provide two or more forms of identification (for example, a password and a temporary authentication code from a virtual MFA device, a hardware MFA token, or a FIDO security key) before they can sign in.
B and E are incorrect: intelligent threat detection and continuous monitoring is Amazon GuardDuty, and firewall protection from common web attacks is AWS WAF. D is incorrect: IAM does not control physical access to AWS data centers; physical security is handled by AWS under the shared responsibility model.
Question 144
What information is found on an AWS Identity and Access Management (IAM) credential report? (Choose two.)
A. The date and time when an IAM user's password was last used to sign in to the AWS Management Console.
B. The type of multi-factor authentication (MFA) device assigned to an IAM user.
C. The User-Agent browser identifier for each IAM user currently logged in.
D. Whether multi-factor authentication (MFA) has been enabled for an IAM user.
E. The number of incorrect login attempts by each IAM user in the previous 30 days.
Answers are:
A. The date and time when an IAM user's password was last used to sign in to the AWS Management Console.
D. Whether multi-factor authentication (MFA) has been enabled for an IAM user.
The IAM credential report is a CSV file listing every IAM user in the account (plus the root user) with the status and age of their password and access keys, whether MFA is active, and when each credential was last used and last rotated. It records only whether MFA is enabled (the mfa_active column is true or false), not the type of MFA device; it does not include the User-Agent of signed-in users or a count of failed sign-in attempts. Console sign-in events, including failures, are recorded in AWS CloudTrail instead.
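As an added example (not from the page), the following Python decodes a credential report the way aws iam get-credential-report delivers it (a base64-encoded CSV) and flags the findings a reviewer would act on: console users without MFA, stale passwords, old or never-used access keys, and access keys on the root user. The column headers are the real ones; the four rows of account data are constructed.

```python
"""Parse an IAM credential report and flag risky users (added example, not from the page).

`aws iam get-credential-report` returns a base64-encoded CSV with the columns
used below. The report contents here are constructed, not real account data.
"""
import base64
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed report with the real column headers. The root user shows
# "not_supported" for password fields; unused fields show "N/A".
REPORT_CSV = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-02-01T09:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-05-10T12:00:00+00:00,true,2024-05-20T08:15:00+00:00,2024-01-15T10:00:00+00:00,N/A,true,true,2024-03-01T00:00:00+00:00,2024-05-19T00:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2021-03-03T12:00:00+00:00,true,2023-11-02T17:45:00+00:00,2021-03-03T12:00:00+00:00,N/A,false,true,2021-03-03T12:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deployer,arn:aws:iam::123456789012:user/ci-deployer,2023-08-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2024-04-01T00:00:00+00:00,2024-05-21T00:00:00+00:00,us-east-1,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# get-credential-report returns {"Content": <base64 bytes>, ...}; emulate that.
REPORT_B64 = base64.b64encode(REPORT_CSV.encode())

# Fixed "now" so the age checks below are reproducible.
REFERENCE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_report(content_b64):
    """Decode the base64 CSV into a list of dicts keyed by column name."""
    text = base64.b64decode(content_b64).decode()
    return list(csv.DictReader(io.StringIO(text)))


def _parse_ts(value):
    """Timestamps are ISO 8601; placeholders mean 'no value'."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def find_risky_users(rows, now=REFERENCE_NOW, key_max_age_days=90, unused_days=90):
    """Return (user, reason) pairs for credentials that need attention."""
    findings = []
    for r in rows:
        user = r["user"]
        console = r["password_enabled"] == "true"
        mfa = r["mfa_active"] == "true"
        if console and not mfa:
            findings.append((user, "console password without MFA"))
        last_used = _parse_ts(r["password_last_used"])
        if console and last_used and now - last_used > timedelta(days=unused_days):
            findings.append((user, f"console password unused for >{unused_days} days"))
        for n in ("1", "2"):
            if r[f"access_key_{n}_active"] != "true":
                continue
            if user == "<root_account>":
                findings.append((user, f"root account has an active access key {n}"))
            rotated = _parse_ts(r[f"access_key_{n}_last_rotated"])
            if rotated and now - rotated > timedelta(days=key_max_age_days):
                findings.append((user, f"access key {n} older than {key_max_age_days} days"))
            if _parse_ts(r[f"access_key_{n}_last_used_date"]) is None:
                findings.append((user, f"access key {n} has never been used"))
    return findings


if __name__ == "__main__":
    for user, reason in find_risky_users(parse_report(REPORT_B64)):
        print(f"{user}: {reason}")
```

Against the constructed data, alice is flagged only for a key older than 90 days, bob for a console password without MFA that has not been used in months plus a three-year-old key that was never used, and the root user and the CI user come back clean.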
A company wants to migrate to AWS and use the same security software it uses on premises. The security software vendor offers its security software as a service on AWS.
Where can the company purchase the security solution?
AWS Partner Solutions Finder
AWS Support Center
AWS Management Console
AWS Marketplace
Answer is AWS Marketplace
The AWS Marketplace is an online store that offers a wide selection of third-party software, including security solutions, that can be used on AWS. It provides a platform for customers to find, compare, and purchase software solutions that meet their specific needs. Vendors can list their software offerings on the AWS Marketplace, making it a convenient and centralized location for customers to discover and acquire the software they require.
What is the primary use case for Amazon GuardDuty?
Prevention of DDoS attacks
Protection against SQL injection attacks
Automatic monitoring for threats to AWS workloads
Automatic provisioning of AWS resources
Answer is Automatic monitoring for threats to AWS workloads
Amazon GuardDuty is a threat detection service. It continuously analyzes AWS CloudTrail management events, VPC Flow Logs and DNS query logs (and, optionally, additional sources such as S3 data events and EKS audit logs) for signs of malicious or unauthorized activity in your AWS accounts and workloads, without any agents to install.
GuardDuty combines threat intelligence feeds of known malicious IP addresses and domains with machine learning and anomaly detection to identify behaviour such as compromised credentials, instances talking to command-and-control servers, cryptocurrency mining, reconnaissance and data exfiltration. Each finding carries a type, a severity and the affected resource so that responders can prioritize.
GuardDuty only detects; it is not a vulnerability scanner (that is Amazon Inspector) and it does not block or remediate anything on its own. Response is automated by routing findings to Amazon EventBridge and triggering a Lambda function, an SNS notification or AWS Security Hub. DDoS prevention is AWS Shield and protection against SQL injection is AWS WAF, which is why those options are wrong.
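As an added example (not from the page), here is Python that triages a GuardDuty finding delivered through EventBridge, the hand-off point where detection becomes response. The event follows GuardDuty's finding format, but the IDs, account number, IP address and the playbook actions are constructed for illustration and are not an AWS-provided mapping.

```python
"""Triage GuardDuty findings delivered through EventBridge (added example, not from the page).

An EventBridge rule matching source "aws.guardduty" and detail-type
"GuardDuty Finding" would invoke something like triage(). The event below
uses GuardDuty's field layout with constructed IDs and addresses.
"""
import json

SAMPLE_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "account": "123456789012",
    "region": "us-east-1",
    "detail": {
        "schemaVersion": "2.0",
        "accountId": "123456789012",
        "region": "us-east-1",
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 2.0,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
        },
        "service": {
            "action": {
                "actionType": "NETWORK_CONNECTION",
                "networkConnectionAction": {
                    "connectionDirection": "INBOUND",
                    "remoteIpDetails": {"ipAddressV4": "198.51.100.23"},
                },
            },
            "count": 42,
        },
    },
}

# GuardDuty severity bands (score ranges published by AWS).
SEVERITY_LABELS = [(9.0, "CRITICAL"), (7.0, "HIGH"), (4.0, "MEDIUM"), (1.0, "LOW")]


def severity_label(score):
    for threshold, label in SEVERITY_LABELS:
        if score >= threshold:
            return label
    return "INFORMATIONAL"


def triage(event):
    """Map a finding event to a playbook action (hypothetical playbook)."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty finding event")
    d = event["detail"]
    label = severity_label(d["severity"])
    finding_type = d["type"]
    resource = d["resource"]

    # Identify what was hit so the responder (or automation) knows where to act.
    target = None
    if resource["resourceType"] == "Instance":
        target = resource["instanceDetails"]["instanceId"]
    elif resource["resourceType"] == "AccessKey":
        target = resource.get("accessKeyDetails", {}).get("userName")

    remote_ip = (d.get("service", {}).get("action", {})
                 .get("networkConnectionAction", {})
                 .get("remoteIpDetails", {}).get("ipAddressV4"))

    # Finding types look like "Category:Resource/Detail"; the category drives the playbook.
    category = finding_type.split(":")[0]
    if label in ("HIGH", "CRITICAL") and resource["resourceType"] == "Instance":
        action = "isolate-instance"   # e.g. swap to a quarantine security group
    elif category in ("UnauthorizedAccess", "Recon") and remote_ip:
        action = "block-remote-ip"    # e.g. add a network ACL deny, then investigate
    elif category in ("CryptoCurrency", "Backdoor", "Trojan"):
        action = "page-oncall"
    else:
        action = "ticket"
    return {"severity": label, "type": finding_type, "target": target,
            "remote_ip": remote_ip, "action": action}


def with_severity(event, score):
    """Copy of `event` with a different severity score (for exercising the playbook)."""
    clone = json.loads(json.dumps(event))
    clone["detail"]["severity"] = score
    return clone


if __name__ == "__main__":
    print(triage(SAMPLE_EVENT))
    print(triage(with_severity(SAMPLE_EVENT, 8.0)))
```

The point of the structure is that GuardDuty supplies the facts (type, severity, resource, remote address) and the account owner supplies the decision; the same finding escalates from blocking a source address to isolating the instance as the severity rises.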
A company has deployed applications on Amazon EC2 instances. The company needs to assess application vulnerabilities and must identify infrastructure deployments that do not meet best practices.
Which AWS service can the company use to meet these requirements?
AWS Trusted Advisor
Amazon Inspector
AWS Config
Amazon GuardDuty
Answer is Amazon Inspector
Amazon Inspector is an automated vulnerability management service that helps improve the security and compliance of applications deployed on AWS. It assesses EC2 instances (and container images and Lambda functions) for software vulnerabilities, unintended network exposure and deviations from security best practices, and produces a list of findings prioritized by severity. The other options address different needs: AWS Trusted Advisor checks an account against general best-practice rules (cost, performance, some security settings) but does not scan applications for vulnerabilities; AWS Config records and evaluates resource configurations against rules you define; Amazon GuardDuty detects active threats rather than assessing vulnerabilities.