A security engineer has enabled AWS Security Hub in their AWS account and has enabled the Center for Internet Security (CIS) AWS Foundations compliance standard. No compliance evaluation results are returned in the Security Hub console after several hours. The engineer wants to ensure that Security Hub can evaluate their resources for CIS AWS Foundations compliance. Which steps should the security engineer take to meet these requirements?
A.
Add full Amazon Inspector IAM permissions to the Security Hub service role to allow it to perform the CIS compliance evaluation
B.
Ensure that AWS Trusted Advisor is enabled in the account and that the Security Hub service role has permissions to retrieve the Trusted Advisor security-related recommended actions
C.
Ensure that AWS Config is enabled in the account, and that the required AWS Config rules have been created for the CIS compliance evaluation
D.
Ensure that the correct trail in AWS CloudTrail has been configured for monitoring by Security Hub and that the Security Hub service role has permissions to perform the GetObject operation on CloudTrail's Amazon S3 bucket
Ensure that AWS Config is enabled in the account, and that the required AWS Config rules have been created for the CIS compliance evaluation
Explanation:
To ensure that Security Hub can evaluate their resources for CIS AWS Foundations compliance, the security engineer should do the following:
Ensure that AWS Config is enabled in the account, with the configuration recorder started and recording the resource types the standard checks. Security Hub's security standards are implemented as AWS Config rules, so if Config is not recording, the controls have nothing to evaluate and the console stays empty no matter how long you wait.
Ensure that the required AWS Config rules exist for the CIS compliance evaluation. Security Hub creates these service-linked Config rules when the standard is enabled; each rule represents a desired configuration setting for specific AWS resources or for the account as a whole.
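A readiness check for this answer, added here and not part of the original page: it takes the responses of the three AWS Config describe calls a practitioner would make (describe_configuration_recorders, describe_configuration_recorder_status, describe_delivery_channels) and lists what would stop Security Hub's Config-backed controls from producing results. The responses embedded below are constructed samples in the real API response shape; readiness_from_client shows the same check against a boto3 client and is not executed here.

```python
"""Check whether an account's AWS Config setup can feed Security Hub standards.
Added example, not from the page. The sample responses are constructed but use
the field names the real AWS Config API returns."""


def config_readiness(recorders, statuses, channels):
    """Return a list of problems that would stop Security Hub controls from
    producing evaluations. An empty list means AWS Config looks ready."""
    problems = []
    if not recorders:
        problems.append("no configuration recorder exists")
        return problems  # nothing else to inspect
    rec = recorders[0]
    group = rec.get("recordingGroup", {})
    # Security Hub needs the resource types its controls evaluate; recording
    # everything (allSupported) is the simplest way to guarantee that.
    if not group.get("allSupported", False):
        problems.append("recorder is not recording all supported resource types: "
                        f"{group.get('resourceTypes', [])}")
    # Global resources (IAM users, policies) back the CIS IAM controls; they are
    # recorded in one Region only, so this Region must include them.
    if not group.get("includeGlobalResourceTypes", False):
        problems.append("recorder does not include global resource types (IAM)")
    status = next((s for s in statuses if s["name"] == rec["name"]), None)
    if status is None or not status.get("recording", False):
        problems.append("configuration recorder is not started")
    elif status.get("lastStatus") == "FAILURE":
        problems.append(f"last recording run failed: {status.get('lastErrorMessage')}")
    if not channels:
        problems.append("no delivery channel (S3 bucket) configured")
    return problems


def readiness_from_client(config_client):
    """Same check driven by a boto3 AWS Config client (not executed here)."""
    return config_readiness(
        config_client.describe_configuration_recorders()["ConfigurationRecorders"],
        config_client.describe_configuration_recorder_status()["ConfigurationRecordersStatus"],
        config_client.describe_delivery_channels()["DeliveryChannels"],
    )


# Constructed sample: a recorder exists but was never started, records only
# EC2 instances, and has no delivery channel. The role ARN is a placeholder.
SAMPLE_RECORDERS = [{
    "name": "default",
    "roleARN": "arn:aws:iam::111122223333:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
    "recordingGroup": {"allSupported": False, "includeGlobalResourceTypes": False,
                       "resourceTypes": ["AWS::EC2::Instance"]},
}]
SAMPLE_STATUSES = [{"name": "default", "recording": False, "lastStatus": "PENDING"}]
SAMPLE_CHANNELS = []

if __name__ == "__main__":
    for p in config_readiness(SAMPLE_RECORDERS, SAMPLE_STATUSES, SAMPLE_CHANNELS):
        print("-", p)
```

Run against the constructed sample it reports four problems; a started recorder with allSupported and includeGlobalResourceTypes set, a SUCCESS status and a delivery channel reports none, which is the state the CIS standard needs.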
You work at a company that makes use of AWS resources. One of the key security policies is to ensure that all data is encrypted both at rest and in transit. Which of the following is one of the right ways to implement this?
Please select:
A.
Use S3 SSE and use SSL for data in transit
B.
SSL termination on the ELB
C.
Enabling Proxy Protocol
D.
Enabling sticky sessions on your load balancer
Use S3 SSE and use SSL for data in transit
Explanation: S3 server-side encryption (SSE) covers the data at rest, and using SSL/TLS on every connection covers the data in transit.
Option B is incorrect because terminating SSL on the ELB leaves the connection from the ELB to the back-end instances unencrypted, so part of the transit path is not protected; to keep the whole path encrypted the HTTPS listener must also use an HTTPS/SSL connection to the back end.
Options C and D are incorrect because Proxy Protocol and sticky sessions do not provide encryption.
For more information on SSL listeners for your load balancer, see:
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-https-load-balancers.html
The correct answer is: Use S3 SSE and use SSL for data in transit
A company has hundreds of AWS accounts in an organization in AWS Organizations. The company operates out of a single AWS Region. The company has a dedicated security tooling AWS account in the organization. The security tooling account is configured as the organization's delegated administrator for Amazon GuardDuty and AWS Security Hub. The company has configured the environment to automatically enable GuardDuty and Security Hub for existing AWS accounts and new AWS accounts.
The company is performing control tests on specific GuardDuty findings to make sure that the company's security team can detect and respond to security events. The security team launched an Amazon EC2 instance and attempted to run DNS requests against a test domain, example.com, to generate a DNS finding. However, the GuardDuty finding was never created in the Security Hub delegated administrator account. Why was the finding not created in the Security Hub delegated administrator account?
A.
VPC flow logs were not turned on for the VPC where the EC2 instance was launched.
B.
The VPC where the EC2 instance was launched had the DHCP option configured for a custom OpenDNS resolver.
C.
The GuardDuty integration with Security Hub was never activated in the AWS account where the finding was generated.
D.
Cross-Region aggregation in Security Hub was not configured.
The VPC where the EC2 instance was launched had the DHCP option configured for a custom OpenDNS resolver.
Explanation:
The correct answer is B. GuardDuty's DNS findings come from the DNS logs of the Amazon-provided VPC resolver (Route 53 Resolver). If the VPC's DHCP options set points instances at another resolver, such as OpenDNS or Google DNS, or at a resolver you run yourself, GuardDuty cannot access or process that DNS traffic, so no DNS finding is generated in the member account and there is nothing for Security Hub to receive.
The other options are incorrect because:
VPC flow logs are not required for GuardDuty to generate DNS findings. GuardDuty consumes the VPC DNS logs directly; nothing has to be enabled for that data source, but it only sees queries that go to the default resolver.
The GuardDuty integration with Security Hub is enabled automatically when both services are enabled in the same account and Region, which is the case here because the organization auto-enables both for every account. Findings from member accounts then flow to the delegated administrator's Security Hub without any per-account activation.
Cross-Region aggregation in Security Hub is not relevant, because the company operates out of a single AWS Region. Cross-Region aggregation only consolidates findings from multiple Regions into one aggregation Region.
A further caveat for a control test: a lookup of example.com is ordinary traffic that does not match GuardDuty's threat intelligence, so even with the default resolver the test must query a domain that GuardDuty treats as malicious.
References:
Managing GuardDuty accounts with AWS Organizations; Amazon GuardDuty findings; How Amazon GuardDuty works (DNS logs data source); Cross-Region aggregation in AWS Security Hub
A company has an organization in AWS Organizations that includes dedicated accounts for each of its business units. The company is collecting all AWS CloudTrail logs from the accounts in a single Amazon S3 bucket in the top-level account. The company's IT governance team has access to the top-level account. A security engineer needs to allow each business unit to access its own CloudTrail logs.
The security engineer creates an IAM role in the top-level account for each of the other accounts. For each role the security engineer creates an IAM policy to allow read-only permissions to objects in the S3 bucket with the prefix of the respective logs.
Which action must the security engineer take in each business unit account to allow an IAM user in that account to read the logs?
A.
Attach a policy to the IAM user to allow the user to assume the role that was created in the top-level account. Specify the role's ARN in the policy.
B.
Create an SCP that grants permissions to the top-level account.
C.
Use the root account of the business unit account to assume the role that was created in the top-level account. Specify the role's ARN in the policy.
D.
Forward the credentials of the IAM role in the top-level account to the IAM user in the business unit account.
Attach a policy to the IAM user to allow the user to assume the role that was created in the top-level account. Specify the role's ARN in the policy.
Explanation: To allow an IAM user in one AWS account to access resources in another AWS account using IAM roles, the following steps are required:
Create a role in the AWS account that contains the resources (the trusting account, here the top-level account) and specify the AWS account that contains the IAM user (the trusted account, here the business-unit account) as a trusted entity in the role's trust policy. This allows principals from the trusted account to assume the role and access resources in the trusting account.
Attach a policy to the IAM user in the trusted account that allows sts:AssumeRole on the role in the trusting account. The policy must specify the ARN of the role that was created in the trusting account.
The IAM user can then switch roles in the console or call AssumeRole to obtain temporary credentials and read the logs. Because the trust policy trusts the whole business-unit account, it is the role's permissions policy (read-only on that unit's prefix) that enforces the separation between business units.
Option B is incorrect because SCPs only restrict permissions and grant nothing. Option C is incorrect because the root user should never be used for routine access. Option D is incorrect because credentials must not be handed from one principal to another; the role's credentials are temporary and belong to the session that assumed them.
Verified References:
https://repost.aws/knowledge-center/cross-account-access-iam
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
A company has multiple accounts in the AWS Cloud. Users in the developer account need to have access to specific resources in the production account. What is the MOST secure way to provide this access?
A.
Create one IAM user in the production account. Grant the appropriate permissions to the resources that are needed. Share the password only with the users that need access.
B.
Create cross-account access with an IAM role in the developer account. Grant the appropriate permissions to this role. Allow users in the developer account to assume this role to access the production resources.
C.
Create cross-account access with an IAM user account in the production account. Grant the appropriate permissions to this user account. Allow users in the developer account to use this user account to access the production resources.
D.
Create cross-account access with an IAM role in the production account. Grant the appropriate permissions to this role. Allow users in the developer account to assume this role to access the production resources.
Create cross-account access with an IAM role in the production account. Grant the appropriate permissions to this role. Allow users in the developer account to assume this role to access the production resources.
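The policy documents behind the previous two answers (the CloudTrail log-bucket role and the production-account role), as an added example that is not part of the original page. The role lives in the account that owns the resources; its trust policy names the other account, its permissions policy is scoped to one business unit's prefix, and the user in the other account only gets sts:AssumeRole on that role's ARN. The account IDs, bucket name and role name are assumed values, and the object layout assumes the default CloudTrail prefix AWSLogs/<account-id>/. The small evaluator at the end is not IAM's engine; it handles just enough of the policy to show that the prefix scoping keeps one unit out of another's logs.

```python
"""Cross-account access via an IAM role. Added example, not from the page.
Account IDs, bucket and role names are placeholders chosen for illustration."""
import fnmatch
import json

LOG_ACCOUNT = "111111111111"       # top-level account that owns the bucket (assumed)
BUSINESS_UNIT = "222222222222"     # one business-unit member account (assumed)
BUCKET = "org-cloudtrail-logs"     # assumed bucket name
ROLE_NAME = "bu-logs-reader"       # assumed role name in the top-level account


def role_trust_policy(trusted_account: str) -> dict:
    """Trust policy on the role in the resource-owning account: principals from
    the named account may assume it. The MFA condition is optional hardening."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }]}


def role_permissions_policy(bucket: str, account: str) -> dict:
    """Read-only access limited to one account's CloudTrail prefix. ListBucket is a
    bucket-level action, so its prefix restriction goes in a condition key."""
    prefix = f"AWSLogs/{account}/"
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": f"arn:aws:s3:::{bucket}/{prefix}*"},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{bucket}",
         "Condition": {"StringLike": {"s3:prefix": f"{prefix}*"}}},
    ]}


def user_assume_role_policy(log_account: str, role_name: str) -> dict:
    """Policy attached to the IAM user in the business-unit account (answer A):
    nothing but permission to assume the one role, identified by its ARN."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Resource": f"arn:aws:iam::{log_account}:role/{role_name}",
    }]}


def object_readable(policy: dict, bucket: str, key: str) -> bool:
    """Toy evaluator: an object read is allowed only if some Allow statement for
    s3:GetObject matches the object ARN (IAM's '*' matches any characters).
    Deny statements, conditions and other actions are deliberately ignored."""
    arn = f"arn:aws:s3:::{bucket}/{key}"
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st["Effect"] == "Allow" and "s3:GetObject" in actions:
            if fnmatch.fnmatchcase(arn, st["Resource"]):
                return True
    return False


if __name__ == "__main__":
    pol = role_permissions_policy(BUCKET, BUSINESS_UNIT)
    print(json.dumps(pol, indent=2))
    own = f"AWSLogs/{BUSINESS_UNIT}/CloudTrail/us-east-1/2024/01/01/x.json.gz"
    other = "AWSLogs/333333333333/CloudTrail/us-east-1/2024/01/01/x.json.gz"
    print("own unit:", object_readable(pol, BUCKET, own))      # True
    print("other unit:", object_readable(pol, BUCKET, other))  # False
```

The same three documents apply to the developer-to-production question: the role sits in the production account, its trust policy names the developer account, and the developer-account users get only sts:AssumeRole. Putting the role in the developer account (option B) would give it no standing in production at all.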
Your company is planning on using bastion hosts for administering the servers in AWS. Which of the following is the best description of a bastion host from a security perspective?
Please select:
A.
A Bastion host should be on a private subnet and never a public subnet due to security concerns
B.
A Bastion host sits on the outside of an internal network and is used as a gateway into the private network and is considered the critical strong point of the network
C.
Bastion hosts allow users to log in using RDP or SSH and use that session to SSH into the internal network to access private subnet resources.
D.
A Bastion host should maintain extremely tight security and monitoring as it is available to the public
Bastion hosts allow users to log in using RDP or SSH and use that session to SSH into the internal network to access private subnet resources.
Explanation: A bastion host is a special-purpose computer on a network specifically designed and configured to withstand attacks. It generally hosts a single application, for example a proxy server or an SSH/RDP jump service, and all other services are removed or limited to reduce the attack surface.
In AWS, a bastion host is placed in a public subnet. Users log on to the bastion host via SSH or RDP and then use that session to reach hosts in the private subnets. Keep private keys off the bastion itself: use SSH ProxyJump or agent forwarding from the workstation rather than copying keys onto the host, and restrict the bastion's security group to known administrator source addresses. Options A and B are invalid because the bastion host must sit in the public subnet to be reachable; it is a controlled entry point, not the network's strong point.
Option D is not the best description: it states how a bastion should be hardened (tight security groups, logging and monitoring of every session), not what a bastion host does.
For more information on bastion hosts, see:
https://docs.aws.amazon.com/quickstart/latest/linux-bastion/architecture.html
The correct answer is: Bastion hosts allow users to log in using RDP or SSH and use that session to SSH into the internal network to access private subnet resources.
A company is implementing new compliance requirements to meet customer needs. According to the new requirements the company must not use any Amazon RDS DB instances or DB clusters that lack encryption of the underlying storage. The company needs a solution that will generate an email alert when an unencrypted DB instance or DB cluster is created. The solution also must terminate the unencrypted DB instance or DB cluster. Which solution will meet these requirements in the MOST operationally efficient manner?
A.
Create an AWS Config managed rule to detect unencrypted RDS storage. Configure an automatic remediation action to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic that includes an AWS Lambda function and an email delivery target as subscribers. Configure the Lambda function to delete the unencrypted resource.
B.
Create an AWS Config managed rule to detect unencrypted RDS storage. Configure a manual remediation action to invoke an AWS Lambda function. Configure the Lambda function to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic and to delete the unencrypted resource.
C.
Create an Amazon EventBridge rule that evaluates RDS event patterns and is initiated by the creation of DB instances or DB clusters Configure the rule to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic that includes an AWS Lambda function and an email delivery target as subscribers. Configure the Lambda function to delete the unencrypted resource.
D.
Create an Amazon EventBridge rule that evaluates RDS event patterns and is initiated by the creation of DB instances or DB clusters. Configure the rule to invoke an AWS Lambda function. Configure the Lambda function to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic and to delete the unencrypted resource.
Create an AWS Config managed rule to detect unencrypted RDS storage. Configure an automatic remediation action to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic that includes an AWS Lambda function and an email delivery target as subscribers. Configure the Lambda function to delete the unencrypted resource.
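The Lambda function the chosen answer relies on, as an added example that is not part of the original page. AWS Config's managed rule rds-storage-encrypted flags DB instances whose StorageEncrypted is false; the rule's automatic remediation publishes to the SNS topic, which fans out to the e-mail subscriber and to this function. Because RDS storage encryption can only be chosen at creation time, the only remediation is to delete (and later recreate) the resource. The JSON shape of the SNS message is an assumption about how the remediation action is parameterized, the RDS client is injected so the function can be exercised offline with the constructed fake below, and the function re-reads StorageEncrypted before deleting so that a stray notification cannot destroy an encrypted database.

```python
"""SNS-triggered Lambda that deletes an RDS instance or cluster created without
storage encryption. Added example, not the page's code. The SNS message format
and the identifiers in the sample event are assumptions for illustration."""
import json


def handler(event, context=None, rds=None):
    """Lambda entry point for an SNS invocation. Returns one result per record.
    In a real deployment rds is None and a boto3 client is created."""
    if rds is None:
        import boto3
        rds = boto3.client("rds")
    results = []
    for record in event["Records"]:
        msg = json.loads(record["Sns"]["Message"])  # assumed message shape
        results.append(remediate(msg["resourceType"], msg["resourceId"], rds))
    return results


def remediate(resource_type, identifier, rds):
    """Delete the resource only if the RDS API confirms it is unencrypted."""
    if resource_type == "AWS::RDS::DBCluster":
        desc = rds.describe_db_clusters(DBClusterIdentifier=identifier)["DBClusters"][0]
    else:
        desc = rds.describe_db_instances(DBInstanceIdentifier=identifier)["DBInstances"][0]
    if desc["StorageEncrypted"]:
        return {"resource": identifier, "action": "skipped", "reason": "already encrypted"}
    # Encryption cannot be switched on in place, so the resource has to go; keep a
    # final snapshot so any data already written is not lost with it.
    snapshot = f"{identifier}-noncompliant-final"
    if resource_type == "AWS::RDS::DBCluster":
        rds.delete_db_cluster(DBClusterIdentifier=identifier, SkipFinalSnapshot=False,
                              FinalDBSnapshotIdentifier=snapshot)
    else:
        rds.delete_db_instance(DBInstanceIdentifier=identifier, SkipFinalSnapshot=False,
                               FinalDBSnapshotIdentifier=snapshot)
    return {"resource": identifier, "action": "deleted", "snapshot": snapshot}


class FakeRDS:
    """Constructed stand-in for boto3's RDS client: answers describe calls with a
    fixed StorageEncrypted value and records every delete call."""

    def __init__(self, encrypted):
        self.encrypted, self.deleted = encrypted, []

    def describe_db_instances(self, DBInstanceIdentifier):
        return {"DBInstances": [{"DBInstanceIdentifier": DBInstanceIdentifier,
                                 "StorageEncrypted": self.encrypted}]}

    def describe_db_clusters(self, DBClusterIdentifier):
        return {"DBClusters": [{"DBClusterIdentifier": DBClusterIdentifier,
                                "StorageEncrypted": self.encrypted}]}

    def delete_db_instance(self, **kw):
        self.deleted.append(kw)

    def delete_db_cluster(self, **kw):
        self.deleted.append(kw)


# Constructed SNS event as Lambda would receive it (identifier is a placeholder).
SAMPLE_EVENT = {"Records": [{"Sns": {"Message": json.dumps(
    {"resourceType": "AWS::RDS::DBInstance", "resourceId": "orders-db"})}}]}

if __name__ == "__main__":
    fake = FakeRDS(encrypted=False)
    print(handler(SAMPLE_EVENT, rds=fake), fake.deleted)
```

The function does not publish back to the topic it is subscribed to, because that would re-trigger itself; the e-mail alert already comes from the remediation action's own publish. Deletion also fails if deletion protection is enabled on the resource, which is worth keeping as a deliberate safeguard for production databases rather than having the function switch it off.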
A company wants to protect its website from man in-the-middle attacks by using Amazon CloudFront. Which solution will meet these requirements with the LEAST operational overhead?
A.
Use the SimpleCORS managed response headers policy.
B.
Use a Lambda@Edge function to add the Strict-Transport-Security response header.
C.
Use the SecurityHeadersPolicy managed response headers policy.
D.
Include the X-XSS-Protection header in a custom response headers policy.
Use the SecurityHeadersPolicy managed response headers policy.
Explanation:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-response-headers-policies.html#managed-response-headers-policies-security
The SecurityHeadersPolicy managed response headers policy adds a set of recommended security headers to every response CloudFront serves. The one that matters for man-in-the-middle protection is Strict-Transport-Security (HSTS), which tells browsers to use only HTTPS for the domain and so removes the plaintext downgrade that such an attack relies on; the policy also adds X-Content-Type-Options, X-Frame-Options, Referrer-Policy and X-XSS-Protection. Attaching the managed policy to the cache behavior is a single setting with no code to maintain, which is why it is lower overhead than a Lambda@Edge function (option B) that adds the same HSTS header by hand. SimpleCORS (option A) only sets CORS headers, and X-XSS-Protection on its own (option D) does nothing against MITM. For HSTS to be effective, the distribution's viewer protocol policy should also redirect HTTP to HTTPS, so the first plaintext request is upgraded and the header is delivered over TLS.
During a manual review of system logs from an Amazon Linux EC2 instance, a Security Engineer noticed that there are sudo commands that were never properly alerted or reported on by the Amazon CloudWatch Logs agent. Why were there no alerts on the sudo commands?
A.
There is a security group blocking outbound port 80 traffic that is preventing the agent from sending the logs
B.
The IAM instance profile on the EC2 instance was not properly configured to allow the CloudWatch Logs agent to push the logs to CloudWatch
C.
CloudWatch Logs status is set to ON versus SECURE, which prevents it from pulling in OS security event logs
D.
The VPC requires that all traffic go through a proxy, and the CloudWatch Logs agent does not support a proxy configuration.
The IAM instance profile on the EC2 instance was not properly configured to allow the CloudWatch Logs agent to push the logs to CloudWatch
Explanation: sudo commands are logged by the operating system (on Amazon Linux, to /var/log/secure); for them to produce CloudWatch alarms, the CloudWatch Logs agent on the instance must be able to push that log file to CloudWatch Logs. The agent signs its API calls with the credentials of the instance's IAM instance profile, which is the container for the IAM role that applications running on an EC2 instance use to call AWS services. If that role lacks logs:CreateLogGroup, logs:CreateLogStream, logs:DescribeLogStreams and logs:PutLogEvents, the agent's uploads fail with AccessDenied, nothing reaches the log group, and no metric filter or alarm can fire. The other options do not explain the gap: the agent talks to the CloudWatch Logs endpoint over HTTPS (TCP 443), not port 80; there is no ON versus SECURE status setting in CloudWatch Logs; and the agent does support a proxy through its HTTP_PROXY/HTTPS_PROXY settings. The quickest check is the agent's own log file on the instance, which records the AccessDenied responses.
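Once the agent can ship /var/log/secure, the detection still has to pick the sudo events out of it. The following is an added example, not from the page: it parses sudo entries in the standard syslog format into records and flags the ones worth alerting on (denied attempts, root shells, and commands that touch credential files). The log lines are constructed samples; the host, user and path names in them are placeholders.

```python
"""Detect notable sudo activity in an auth log. Added example, not from the
page. SAMPLE_LOG is constructed test data in the normal syslog/sudo format."""
import re

# Fields after the user are ' ; '-separated KEY=VALUE pairs, optionally preceded
# by a free-text failure reason such as 'user NOT in sudoers'.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo(?:\[\d+\])?:\s+"
    r"(?P<user>\S+) : (?P<fields>.*)$")

SAMPLE_LOG = """\
Jan 12 10:00:01 ip-10-0-0-5 sudo: ec2-user : TTY=pts/0 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/bin/bash
Jan 12 10:00:07 ip-10-0-0-5 sshd[2211]: Accepted publickey for ec2-user from 10.0.1.9 port 51022 ssh2
Jan 12 10:02:44 ip-10-0-0-5 sudo: ec2-user : TTY=pts/0 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/bin/cat /etc/shadow
Jan 12 10:03:10 ip-10-0-0-5 sudo: deploy : TTY=unknown ; PWD=/opt/app ; USER=root ; COMMAND=/usr/bin/systemctl restart app
Jan 12 10:05:30 ip-10-0-0-5 sudo: ec2-user : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/usr/bin/id
"""


def parse_sudo(lines):
    """Yield one dict per sudo event; lines from other daemons are ignored.
    The invoking user stays in 'user'; the USER= field becomes 'target_user'."""
    for line in lines.splitlines():
        m = SUDO_RE.match(line)
        if not m:
            continue
        fields = m.group("fields")
        rec = {"ts": m.group("ts"), "host": m.group("host"),
               "user": m.group("user"), "denied": "NOT in sudoers" in fields}
        for part in fields.split(" ; "):
            if "=" in part:
                k, v = part.split("=", 1)
                rec["target_user" if k == "USER" else k.lower()] = v
        yield rec


# Commands that warrant a page: interactive shells, credential and sudoers edits.
SENSITIVE = re.compile(r"/etc/shadow|/etc/sudoers|\bbash\b|\bsh\b|visudo|useradd|passwd")


def alerts(lines):
    """Return the events worth alerting on, each tagged with a reason."""
    out = []
    for rec in parse_sudo(lines):
        cmd = rec.get("command", "")
        if rec["denied"]:
            out.append({**rec, "severity": "high", "reason": "sudo denied"})
        elif SENSITIVE.search(cmd):
            out.append({**rec, "severity": "high", "reason": "sensitive command"})
    return out


if __name__ == "__main__":
    for a in alerts(SAMPLE_LOG):
        print(a["ts"], a["host"], a["user"], a["reason"], a.get("command"))
```

On the sample this raises three alerts (the root shell, the read of /etc/shadow and the denied attempt) and ignores the routine service restart. The same first cut can be expressed in CloudWatch Logs as a metric filter on the literal terms sudo: and NOT in sudoers, with an alarm on the resulting metric; the parser above is what a Lambda subscribed to the log group would run to add the per-command triage.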
A website currently runs on Amazon EC2, with mostly static content on the site. Recently the site was subjected to a DDoS attack, and a security engineer was asked to redesign the edge security to help mitigate this risk in the future.
What are some ways the engineer could achieve this? (Select THREE)
A.
Use AWS X-Ray to inspect the traffic going to the EC2 instances.
B.
Move the static content to Amazon S3, and front this with an Amazon CloudFront distribution.
C.
Change the security group configuration to block the source of the attack traffic
D.
Use AWS WAF security rules to inspect the inbound traffic
E.
Use Amazon Inspector assessment templates to inspect the inbound traffic
F.
Use Amazon Route 53 to distribute traffic.
Move the static content to Amazon S3, and front this with an Amazon CloudFront distribution.
Use AWS WAF security rules to inspect the inbound traffic
Use Amazon Route 53 to distribute traffic.
Explanation: To redesign the edge security to help mitigate the DDoS risk in the future, the engineer could do the following:
Move the static content to Amazon S3, and front it with an Amazon CloudFront distribution. CloudFront caches static content at edge locations, absorbs volumetric traffic across AWS's global network with AWS Shield Standard protection, and removes most of the load from the origin. Lock the S3 origin to the distribution with origin access control and, for any remaining EC2 origin, restrict the security group to the CloudFront origin-facing managed prefix list; otherwise attackers can bypass the edge by hitting the origin directly.
Use AWS WAF security rules to inspect the inbound traffic. AWS WAF attaches to the CloudFront distribution and filters malicious requests based on IP addresses, headers, body or URI strings, and rate-based rules block sources that exceed a request threshold before they reach the web servers.
Use Amazon Route 53 to distribute traffic. Route 53 is a scalable, highly available anycast DNS service that can route traffic based on latency, geolocation or health checks, so DNS itself does not become a single point of failure during an attack.
Options A and E are incorrect because X-Ray traces application requests and Inspector assesses hosts for vulnerabilities; neither filters traffic. Option C is reactive and does not scale against distributed sources.