A company wants to deploy a distributed web application on a fleet of EC2 instances. The fleet will be fronted by a Classic Load Balancer that will be configured to terminate the TLS connection The company wants to make sure that all past and current TLS traffic to the Classic Load Balancer stays secure even if the certificate private key is leaked. To ensure the company meets these requirements, a Security Engineer can configure a Classic Load Balancer with:
A.
An HTTPS listener that uses a certificate that is managed by Amazon Certification Manager.
B.
An HTTPS listener that uses a custom security policy that allows only perfect forward secrecy cipher suites
C.
An HTTPS listener that uses the latest IAM predefined ELBSecuntyPolicy-TLS-1-2- 2017-01 security policy
D.
A TCP listener that uses a custom security policy that allows only perfect forward secrecy cipher suites.
An HTTPS listener that uses a custom security policy that allows only perfect forward secrecy cipher suites
this is a way to configure a Classic Load Balancer with perfect forward secrecy cipher suites. Perfect forward secrecy is a property of encryption protocols that ensures that past and current TLS traffic stays secure even if the certificate private key is leaked. Cipher suites are sets of algorithms that determine how encryption is performed. A custom security policy is a set of cipher suites and protocols that you can select for your load balancer to support. An HTTPS listener is a process that checks for connection requests using encrypted SSL/TLS protocol. By using an HTTPS listener that uses a custom security policy that allows only perfect forward secrecy cipher suites, you can ensure that your Classic Load Balancer meets the requirements. The other options are either invalid or insufficient for configuring a Classic Load Balancer with perfect forward secrecy cipher suites.
A corporation is preparing to acquire several companies. A Security Engineer must design a solution to ensure that newly acquired IAM accounts follow the corporation's security best practices. The solution should monitor each Amazon S3 bucket for unrestricted public write access and use IAM managed services. What should the Security Engineer do to meet these requirements?
A.
Configure Amazon Macie to continuously check the configuration of all S3 buckets.
B.
Enable IAM Config to check the configuration of each S3 bucket
C.
Set up IAM Systems Manager to monitor S3 bucket policies for public write access
D.
Configure an Amazon EC2 instance to have an IAM role and a cron job that checks the status of all S3 buckets.
Set up IAM Systems Manager to monitor S3 bucket policies for public write access
Explanation:
Because this is a solution that can monitor each S3 bucket for unrestricted public write access and use IAM managed services. S3 is a service that provides object storage in the cloud. Systems Manager is a service that helps you automate and manage your AWS resources. You can use Systems Manager to monitor S3 bucket policies for public write access by using a State Manager association that runs a predefined document called AWS-FindS3BucketWithPublicWriteAccess. This document checks each S3 bucket in an account and reports any bucket that has public write access enabled. The other options are either not suitable or not feasible for meeting the requirements.
A company is using Amazon Macie, AWS Firewall Manager, Amazon Inspector, and AWS Shield Advanced in its AWS account. The company wants to receive alerts if a DDoS attack occurs against the account. Which solution will meet this requirement?
A.
Use Macie to detect an active DDoS event. Create Amazon CloudWatch alarms that respond to Macie findings.
B.
Use Amazon Inspector to review resources and to invoke Amazon CloudWatch alarms for any resources that are vulnerable to DDoS attacks.
C.
Create an Amazon CloudWatch alarm that monitors Firewall Manager metrics for an active DDoS event.
D.
Create an Amazon CloudWatch alarm that monitors Shield Advanced metrics for an active DDoS event.
Create an Amazon CloudWatch alarm that monitors Shield Advanced metrics for an active DDoS event.
This answer is correct because AWS Shield Advanced is a service that provides comprehensive protection against DDoS attacks of any size or duration. It also provides metrics and reports on the DDoS attack vectors, duration, and size. You can create an Amazon CloudWatch alarm that monitors Shield Advanced metrics such as DDoSAttackBitsPerSecond, DDoSAttackPacketsPerSecond, and DDoSAttackRequestsPerSecond to receive alerts if a DDoS attack occurs against your account. For more information, see Monitoring AWS Shield Advanced with Amazon CloudWatch and AWS Shield Advanced metrics and alarms.
A security team is using Amazon EC2 Image Builder to build a hardened AMI with forensic capabilities. An AWS Key Management Service (AWS KMS) key will encrypt the forensic AMI EC2 Image Builder successfully installs the required patches and packages in the security team's AWS account. The security team uses a federated IAM role m the same AWS account to sign in to the AWS Management Console and attempts to launch the forensic AMI. The EC2 instance launches and immediately terminates.
What should the security learn do lo launch the EC2 instance successfully?
A.
Update the policy that is associated with the federated IAM role to allow the ec2. Describelmages action for the forensic AMI.
B.
Update the policy that is associated with the federated IAM role to allow the ec2 Start Instances action m the security team's AWS account.
C.
Update the policy that is associated with the KMS key that is used to encrypt the forensic AMI. Configure the policy to allow the kms. Encrypt and kms Decrypt actions for the federated IAM role.
D.
Update the policy that is associated with the federated IAM role to allow the kms. DescribeKey action for the KMS key that is used to encrypt the forensic AMI.
Update the policy that is associated with the KMS key that is used to encrypt the forensic AMI. Configure the policy to allow the kms. Encrypt and kms Decrypt actions for the federated IAM role.
Explanation: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/troubleshootinglaunch.
html#troubleshooting-launch-internal
A company has two teams, and each team needs to access its respective Amazon S3 buckets. The company anticipates adding more teams that also will have their own S3 buckets. When the company adds these teams, team members will need the ability to be assigned to multiple teams. Team members also will need the ability to change teams.
Additional S3 buckets can be created or deleted.
An IAM administrator must design a solution to accomplish these goals. The solution also must be scalable and must require the least possible operational overhead. Which solution meets these requirements?
A.
Add users to groups that represent the teams. Create a policy for each team that allows the team to access its respective S3 buckets only. Attach the policy to the corresponding group.
B.
Create an IAM role for each team. Create a policy for each team that allows the team to access its respective S3 buckets only. Attach the policy to the corresponding role.
C.
Create IAM roles that are labeled with an access tag value of a team. Create one policy that allows dynamic access to S3 buckets with the same tag. Attach the policy to the IAM roles. Tag the S3 buckets accordingly.
D.
Implement a role-based access control (RBAC) authorization model. Create the corresponding policies, and attach them to the IAM users.
Add users to groups that represent the teams. Create a policy for each team that allows the team to access its respective S3 buckets only. Attach the policy to the corresponding group.
Amazon GuardDuty has detected communications to a known command and control endpoint from a company's Amazon EC2 instance. The instance was found to be running a vulnerable version of a common web framework. The company's security operations team wants to quickly identity other compute resources with the specific version of that framework installed. Which approach should the team take to accomplish this task?
A.
Scan all the EC2 instances for noncompliance with IAM Config. Use Amazon Athena to query IAM CloudTrail logs for the framework installation
B.
Scan all the EC2 instances with the Amazon Inspector Network Reachability rules package to identity instances running a web server with RecognizedPortWithListener findings.
C.
Scan all the EC2 instances with IAM Systems Manager to identify the vulnerable version of the web framework
D.
Scan an the EC2 instances with IAM Resource Access Manager to identify the vulnerable version of the web framework
Scan all the EC2 instances with IAM Systems Manager to identify the vulnerable version of the web framework
Explanation: To quickly identify other compute resources with the specific version of the web framework installed, the team should do the following:
Scan all the EC2 instances with AWS Systems Manager to identify the vulnerable version of the web framework. This allows the team to use AWS Systems Manager Inventory to collect and query information about the software installed on their EC2 instances, and to filter the results by software name and version.
Developers in an organization have moved from a standard application deployment to containers. The Security Engineer is tasked with ensuring that the containers are secure. Which strategies will reduce the attack surface and enhance the security of the containers? (Select TWO.)
A.
Use the containers to automate security deployments.
B.
Limit resource consumption (CPU, memory), networking connections, ports, and unnecessary container libraries.
C.
Segregate containers by host, function, and data classification
D.
Use Docker Notary framework to sign task definitions.
E.
Enable container breakout at the host kernel
Use the containers to automate security deployments.
Segregate containers by host, function, and data classification
Explanation:
These are the strategies that can reduce the attack surface and enhance the security of the containers. Containers are a method of packaging and running applications in isolated environments. Using containers to automate security deployments can help ensure that security patches and updates are applied consistently and quickly across the container fleet. Segregating containers by host, function, and data classification can help limit the impact of a compromise and enforce the principle of least privilege. The other options are either irrelevant or risky for securing containers.
A security engineer needs to develop a process to investigate and respond to po-tential security events on a company's Amazon EC2 instances. All the EC2 in-stances are backed by Amazon Elastic Block Store (Amazon EBS). The company uses AWS Systems Manager to manage all the EC2 instances and has installed Systems Manager Agent (SSM Agent) on all the EC2 instances.
The process that the security engineer is developing must comply with AWS secu-rity best practices and must meet the following requirements:
• A compromised EC2 instance's volatile memory and non-volatile memory must be preserved for forensic purposes.
• A compromised EC2 instance's metadata must be updated with corresponding inci-dent ticket information.
• A compromised EC2 instance must remain online during the investigation but must be isolated to prevent the spread of malware.
• Any investigative activity during the collection of volatile data must be cap-tured as part of the process.
Which combination of steps should the security engineer take to meet these re-quirements with the LEAST operational overhead? (Select THREE.)
A.
Gather any relevant metadata for the compromised EC2 instance. Enable ter-mination protection. Isolate the instance by updating the instance's secu-rity groups to restrict access. Detach the instance from any Auto Scaling groups that the instance is a member of. Deregister the instance from any Elastic Load Balancing (ELB) resources.
B.
Gather any relevant metadata for the compromised EC2 instance. Enable ter-mination protection. Move the instance to an isolation subnet that denies all source and destination traffic. Associate the instance with the subnet to restrict access. Detach the instance from any Auto Scaling groups that the instance is a member of. Deregister the instance from any Elastic Load Balancing (ELB) resources.
C.
Use Systems Manager Run Command to invoke scripts that collect volatile data.
D.
Establish a Linux SSH or Windows Remote Desktop Protocol (RDP) session to the compromised EC2 instance to invoke scripts that collect volatile data.
E.
Create a snapshot of the compromised EC2 instance's EBS volume for follow-up investigations. Tag the instance with any relevant metadata and inci-dent ticket information.
F.
Create a Systems Manager State Manager association to generate an EBS vol-ume snapshot of the compromised EC2 instance. Tag the instance with any relevant metadata and incident ticket information.
Gather any relevant metadata for the compromised EC2 instance. Enable ter-mination protection. Isolate the instance by updating the instance's secu-rity groups to restrict access. Detach the instance from any Auto Scaling groups that the instance is a member of. Deregister the instance from any Elastic Load Balancing (ELB) resources.
Use Systems Manager Run Command to invoke scripts that collect volatile data.
Create a snapshot of the compromised EC2 instance's EBS volume for follow-up investigations. Tag the instance with any relevant metadata and inci-dent ticket information.
A company needs to use HTTPS when connecting to its web applications to meet compliance requirements. These web applications run in Amazon VPC on Amazon EC2 instances behind an Application Load Balancer (ALB). A security engineer wants to ensure that the load balancer win only accept connections over port 443. even if the ALB is mistakenly configured with an HTTP listener. Which configuration steps should the security engineer take to accomplish this task?
A.
Create a security group with a rule that denies Inbound connections from 0.0.0 0/0 on port 00. Attach this security group to the ALB to overwrite more permissive rules from the ALB's default security group.
B.
Create a network ACL that denies inbound connections from 0 0.0.0/0 on port 80 Associate the network ACL with the VPC s internet gateway.
C.
Create a network ACL that allows outbound connections to the VPC IP range on port 443 only. Associate the network ACL with the VPC's internet gateway.
D.
Create a security group with a single inbound rule that allows connections from 0.0.0 0/0 on port 443. Ensure this security group is the only one associated with the ALB.
Create a security group with a single inbound rule that allows connections from 0.0.0 0/0 on port 443. Ensure this security group is the only one associated with the ALB.
Explanation: To ensure that the load balancer only accepts connections over port 443, the security engineer should do the following:
Create a security group with a single inbound rule that allows connections from 0.0.0.0/0 on port 443. This means that the security group allows HTTPS traffic
from any source IP address.
Ensure this security group is the only one associated with the ALB. This means that the security group overrides any other rules that might allow HTTP traffic on port 80.
A company has a web server in the AWS Cloud. The company will store the content for the web server in an Amazon S3 bucket. A security engineer must use an Amazon CloudFront distribution to speed up delivery of the content. None of the files can be publicly accessible from the S3 bucket direct.
Which solution will meet these requirements?
A.
Configure the permissions on the individual files in the S3 bucket so that only the CloudFront distribution has access to them.
B.
Create an origin access identity (OAI). Associate the OAI with the CloudFront distribution. Configure the S3 bucket permissions so that only the OAI can access the files in the S3 bucket.
C.
Create an S3 role in AWS Identity and Access Management (IAM). Allow only the CloudFront distribution to assume the role to access the files in the S3 bucket.
D.
Create an S3 bucket policy that uses only the CloudFront distribution ID as the principal and the Amazon Resource Name (ARN) as the target.
Create an origin access identity (OAI). Associate the OAI with the CloudFront distribution. Configure the S3 bucket permissions so that only the OAI can access the files in the S3 bucket.