Cloud Security Specialty –2 ALL SOLUTION LATEST EDITION SPRING FALL-2023/24 GUARANTEED GRADE A+
CloudHSM Certificates
- AWS Root Certificate
- Manufacturer Root Certificate
- AWS Hardware Certificate
- Manufacturer Hardware Certificate
- HSM Certificate
- Cluster CSR

CloudHSM
Meet corporate, contractual and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) appliances within the AWS cloud; see also HSM and KMS - Security.

CloudHSM - Verifying our certificates
Concatenate the two certificates of each chain:
- AWS Hardware Certificate + AWS Root Certificate.
- Manufacturer Hardware CSR + Manufacturer Root CSR.
- Then run openssl on both chains to verify their validity. After that, generate the public key from each chain and run diff to find whether there is any difference between the two public keys. Accept the cluster only if they match 100%; otherwise redeploy the cluster.

You are designing a connectivity solution between on-premises infrastructure and Amazon VPC. Your on-premises servers will be communicating with your VPC instances. You will be establishing IPSec tunnels over the internet. You will be using VPN gateways and terminating the IPSec tunnels on AWS-supported customer gateways. Which of the following objectives would you achieve by implementing an IPSec tunnel as outlined above? Choose 4 answers from the options below.
1. Data encryption across the internet.
2. Protection of data in transit over the internet.
3. Peer identity authentication between the VPN gateway and the customer gateway.
4. Data integrity protection across the internet.

When you enable automatic key rotation for an existing CMK where the backing key is managed by AWS, after how long is the key rotated?
365 days.

Your company has a requirement to monitor all root user activity. How can this best be achieved? Choose 2 answers from the options given below. Each answer forms part of the solution.
Right answers:
- Create a CloudWatch Events rule.
- Use a Lambda function.
Incorrect answers:
- Create a CloudWatch Logs rule.
- Use the CloudTrail API call.

Your development team has started using AWS resources for development purposes. The AWS account has just been created. Your IT security team is worried about possible leakage of AWS keys. What is the first measure that should be taken to protect the AWS account?
Correct answer: Delete the AWS keys for the root account.
Wrong answer: Restrict access using IAM policies.

Which of the following is not a best practice for carrying out a security audit?
Conducting an audit on a yearly basis is not good practice. It must be conducted when new accounts are added, when a compromise is suspected, and when there are changes in the environment.
Every application in a company's portfolio has a separate AWS account for development and production. The security team wants to prevent the root user and all IAM users in the production accounts from accessing a specific set of unneeded services. How can they control this functionality?
Create a Service Control Policy that denies access to the services. Assemble all the accounts in one OU and apply the policy to that organizational unit.

You are building a large-scale confidential documentation web server on AWS and all of the documentation for it will be stored on S3. One of the requirements is that it cannot be publicly accessible from S3 directly, and you will need to use CloudFront to accomplish this. Which of the methods listed below would satisfy the requirements as outlined? Choose an answer from the options below.
Create an Origin Access Identity for CloudFront and grant access to the S3 objects to the OAI.

An application running on EC2 instances in a VPC must access sensitive data in the data center. The access must be encrypted in transit and have consistent low latency. Which hybrid architecture will meet these requirements?
Have VPN over Direct Connect between the VPC and the data center.

How can you ensure that instances in a VPC do not use AWS DNS for routing DNS requests? You want to use your own managed DNS instance. How can this be achieved?
Correct response: Create a new DHCP options set and replace the existing one. Do not get confused with "Change the existing DHCP options set."

A company continually generates sensitive records that it stores in an S3 bucket. All objects in the bucket are encrypted using SSE-KMS with one of the company's CMKs. Company compliance policies require that no more than one month of data be encrypted using the same encryption key. What solution below will meet the company's requirements?
Create a Lambda function with a monthly CloudWatch event that creates a new CMK and updates the bucket policy to use the new CMK.
Company policy requires that all insecure server protocols, such as FTP, Telnet, HTTP, etc., be disabled on all servers. The security team would like to regularly check all servers to ensure compliance with this requirement by using a scheduled CloudWatch event to trigger a review of the current infrastructure. What process will check compliance of the company's EC2 instances?
Trigger an AWS Config rule that evaluates the restricted common ports rule against every EC2 instance.
Note: You cannot query Trusted Advisor; it is a one-time advisor. Also, Amazon Inspector is used for finding vulnerabilities in EC2 instances.

You have a requirement to store objects in an S3 bucket with a key that is automatically managed and rotated. Which of the following can be used for this purpose?
AWS SSE-S3.
Note: AWS KMS is incorrect, as customer-owned CMKs cannot be rotated.

Your company manages thousands of EC2 instances. There is a mandate to ensure that all servers don't have any critical security flaws. Which of the following can be done to ensure this? Choose 2 answers from the options given below.
1. Use Amazon Inspector, which finds critical vulnerabilities and flaws and creates a detailed report.
2. Use SSM to patch the servers.

You have an EBS volume attached to an EC2 instance which uses KMS for encryption. Someone has now gone ahead and deleted the customer key which was used for the EBS encryption. What should be done to ensure the data can be decrypted?
Copy the data from the EBS volume before detaching it from the instance.

You are trying to use Systems Manager to patch a set of EC2 systems. Some of the systems are not getting covered in the patching process. Which of the following can be used to troubleshoot the issue? Choose 3 answers from the options given below.
1. Check if the right role is assigned to the EC2 instances.
2. Ensure that the SSM agent is running on each EC2 instance.
3. Check the instance status using the Health API.
You are trying to use the AWS Systems Manager Run Command on a set of instances. The Run Command is not working on a set of instances. What can you do to diagnose the issue? Choose 2 answers from the options given below.
1. Ensure that the SSM agent is running on each EC2 instance.
2. Refer to /var/log/amazon/ssm/.

A company had developed an incident response plan 18 months ago. Regular implementations of the response plan are carried out. No changes have been made to the response plan since its creation. Which of the following is a right statement with regards to the plan?
The response plan doesn't cater for new services.

Your company has just started using AWS and created an AWS account. They are aware of the potential issues when root access is enabled. How can they best safeguard the account when it comes to root access? Choose 2 answers from the options given below.
1. Create an admin IAM user with the necessary permissions.
2. Delete the root access key.

You want to track access requests for a particular S3 bucket. How can you achieve this in the easiest possible way?
Enable access logging for the bucket.

You have a bucket and a VPC defined in AWS. You need to ensure that the bucket can only be accessed by the VPC endpoint. How can you accomplish this?
Modify the bucket policy to allow access for the VPC endpoint.

An auditor needs access to logs that record all API events on AWS. The auditor only needs read-only access to the log files and does not need access to each AWS account. The company has multiple AWS accounts, and the auditor needs access to all the logs for all the accounts. What is the best way to configure access for the auditor to view event logs from all accounts? Choose the correct answer from the options below.
Configure the CloudTrail service in each AWS account and have the logs delivered to a single S3 bucket in the primary account. In the primary account, grant the auditor access to that single bucket.

A large organization is planning on AWS to host their resources. They have a number of autonomous departments that wish to use AWS. What could be the strategy to adopt for managing the accounts?
Use multiple AWS accounts, one account for each department.

Which of the following is the correct sequence of how KMS manages the keys when used along with the Redshift cluster service?
The master key encrypts the cluster keys, the cluster keys encrypt the database keys, and the database key encrypts the data encryption keys.

You have several S3 buckets defined in your AWS account. You need to give access to external AWS accounts to these S3 buckets. Which of the following can allow you to define the permissions for the external accounts? Choose 2 answers from the options given below.
Bucket policies and bucket ACLs.

Your company has a hybrid environment, with on-premises servers and servers hosted in the AWS cloud. They are planning to use Systems Manager for patching servers. Which of the following is a prerequisite for this to work?
Ensure that the IAM service role is created.

Your company has mandated that all data in AWS be encrypted at rest. How can you achieve this for EBS volumes? Choose 2 answers from the options given below.
Use Windows BitLocker for Windows-based instances. Use TrueCrypt for Linux-based instances.

An organization has set up multiple IAM users. The organization wants each IAM user to access the IAM console only from within the organization and not from outside. How can it achieve this?
Create an IAM policy that denies access if the request does not come from the organization's IP address range.

A company is planning on using AWS for hosting their applications. They want complete separation and isolation of their production, testing and development environments. Which of the following is an ideal way to design such a setup?
Create a separate AWS account for each environment.

Which of the below services can be integrated with the AWS Web Application Firewall service?
Choose 2 answers from the options given below.
- Amazon CloudFront
- Application Load Balancer

Your company has an EC2 instance hosted in AWS. This EC2 instance hosts an application. Currently this application is experiencing a number of issues. You need to inspect the network packets to see what type of error is occurring. Which one of the below steps can help address this issue?
Use a network monitoring tool provided by an AWS partner. VPC Flow Logs is not the right answer.

A user has enabled versioning on an S3 bucket. The user is using server-side encryption for data at rest. If the user is supplying his own keys for encryption (SSE-C), which of the below mentioned statements is true?
It is possible to use different keys for different versions of the same object.

An application running on EC2 instances must use a username and password to access a database. The developer has stored those secrets in the SSM Parameter Store with type SecureString using the default KMS CMK. Which combination of configuration steps will allow the application to access the secrets via the API? Select 2 answers from the options below.
Correct answers:
1. Add permission to read the SSM parameter to the EC2 instance role.
2. Add permission to use the KMS key to decrypt to the EC2 instance role.
Incorrect answers:
- Add the EC2 instance role as a trusted service to the SSM service role.
- Add permission to use the KMS key to decrypt to the SSM service role.

An application running on EC2 instances in a VPC must call an external web service via TLS (port 443). The instances run in public subnets. Which configurations below allow the application to function and minimize the exposure of the instances? Select 2 answers from the options given below.
1. A NACL with rules that allow outgoing traffic on port 443 and incoming traffic on ephemeral ports.
2. A security group with a rule that allows outgoing traffic on port 443.
Incorrect: A NACL with a rule that allows only outgoing traffic on port 443, because a NACL is stateless and hence both incoming and outgoing traffic need to be defined.

A company has an existing AWS account and a set of critical resources hosted in that account. The employee who was in charge of the root account has left the company. What must now be done to secure the account? Choose 3 answers from the options given below.
- Delete the access key of the root account.
- Confirm MFA to a secure device.
- Change the password of the root account.

You have an EC2 instance with the following security configured:
a) Inbound allowed for ICMP
b) Outbound denied for ICMP
c) Network ACL allowed for ICMP
d) Network ACL denied for ICMP
If Flow Logs are enabled for the instance, which of the following flow records will be recorded? Choose 3 answers from the options given below.
1. An Accept record for the request based on the security group.
2. An Accept record for the request based on the NACL.
3. A Reject record for the response based on the NACL.

Your company is planning on using bastion hosts for administering the servers in AWS. Which of the following is the right way to set up the bastion host from a security perspective?
Correct: A bastion host is used for SSH or RDP into the internal network to access private resources without a VPN.

You work at a company that makes use of AWS resources. One of the key security policies is to ensure that all data is encrypted both at rest and in transit. Which of the following is not a right implementation which aligns to this policy?
Correct answer: SSL termination on the ELB.
Incorrect: Enabling sticky sessions on your load balancer.

You are planning to use AWS Config to check the configuration of the resources in your AWS account. You are planning on using an existing IAM role for the AWS Config resource. Which of the following is required to ensure the AWS Config service can work as required?
Ensure that there is a trust policy in place for the AWS Config service within the role.
Incorrect: Ensure that there is a grant policy in place for the AWS Config service within the role.

Your company has an external web site. This web site needs to access the objects in an S3 bucket. Which of the following would allow the web site to access the objects in the most secure manner?
Use the aws:Referer key in the condition clause of the bucket policy.
Incorrect: Grant a role that can be assumed by the web site.

You are creating a Lambda function which will be triggered by a CloudWatch Event. The data from these events needs to be stored in a DynamoDB table. How should the Lambda function be given access to the DynamoDB table?
Use an IAM role which has permission to DynamoDB and attach it to the Lambda function.
Incorrect answer: Create a VPC endpoint for the DynamoDB table and access the VPC endpoint from the Lambda function.

What is the result of the following bucket policy?

    {
      "Statement": [
        {
          "Sid": "Sid1",
          "Action": "s3:*",
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::mybucket/*",
          "Principal": {"AWS": ["arn:aws:iam:::user/mark"]}
        },
        {
          "Sid": "Sid2",
          "Action": "s3:*",
          "Effect": "Deny",
          "Resource": "arn:aws:s3:::mybucket/*",
          "Principal": {"AWS": ["*"]}
        }
      ]
    }

Choose the correct answer: It will deny all requests to the bucket mybucket.

Your company has many AWS accounts defined and all are managed via AWS Organizations. One AWS account has an S3 bucket that has critical data. How can it be ensured that only users from that account access the bucket?
Ensure the bucket policy has a condition which involves aws:PrincipalOrgID.

Your organization is preparing for a security assessment of your use of AWS. In preparation for this assessment, which three IAM best practices should you consider implementing?
- Create individual IAM users for everyone in your organization.
- Configure MFA on the root account and for privileged IAM users.
- Assign IAM users and groups configured with policies granting least privilege access.

Why do we need 12 factor apps?
In order to build cloud-native applications, a set of best practices called 12 Factor Applications is used.
1. For maximum scalability and agility
2. Enhanced resiliency
3. Facilitates continuous integration
4. Supports containerization and
5. Supports portability across infrastructure

12 Factor - Codebase
- You should track your code in a version control system such as Git.
- Developers can work on code by checking out the code into their development environment.
- Storing code in the version control system enables your team to collaborate with an audit trail of the changes in the code.
- At any given time the source of truth is the code in the version control system.
- Code in the repository is what gets built, tested, and deployed.
- It is a systemic way of resolving conflicts, with the ability to roll back, etc.
- It provides a place from which to do CI/CD.

12 Factor - Dependencies
As a principle, there are two considerations for dependencies.
1. Explicit dependency declaration
- Check these dependencies into version control.
- It enables you to get started with the code quickly in a repeatable way and makes it easy to track changes to dependencies.
- Many programming languages offer a way to explicitly declare dependencies, such as pip for Python and Bundler for Ruby.
2. Dependency isolation
- You should isolate an app and its dependencies by packaging them into a container.
- Containers allow you to isolate an app and its dependencies from its environment and ensure that the app works uniformly despite any differences between the development and staging environments.

Container Registry
A single place for your team to manage container images and perform vulnerability analysis.
- You can apply fine-grained access control to the container images.
- Existing CI/CD integrations use these registries for automated pipelines.
- You can push images to the respective registry, and then pull images using an HTTP endpoint from any machine.
Container Analysis
It can provide vulnerability information for the images in Container Registry.

12 Factor - Configuration
Apps sometimes store config as constants in the code, which is a violation of the 12-factor principle that requires strict separation of config from code.
- Internal config does not vary between deploys and so is best kept within the code.
- External configuration should be stored in environment variables (often shortened to env vars). These env vars are easy to change between deploys. Some examples are:
  - Resource handles to the database, Memcached and other backing services.
  - Credentials of external services.
  - Per-deploy values such as canonical hostnames, etc.

ConfigMaps
As per the 12-factor rules, the environment should be stored in environment variables instead of as constants in code.
- ConfigMaps bind configuration files, command-line arguments, environment variables, port numbers and other configuration artifacts to your Pods.
- ConfigMaps allow you to separate your configurations from your Pods and components, which helps you keep your workloads portable, makes their configuration easier to change and manage, and prevents hardcoding configuration data in Pod specifications.
- ConfigMaps are useful for storing and sharing non-sensitive, unencrypted configuration information.
Creating ConfigMaps in Kubernetes:
# kubectl create configmap [NAME] [DATA]

12 Factor - Backing Services
Every service that the app uses as part of normal operation, such as the file system, database, caching service and message queues, should be accessed as a service and externalized in the configuration.
- This approach helps decouple the code from its backing resources.

12 Factor - Build, Release, Run
It is important to separate the software deployment process into three distinct stages: build, release and run.
- The build stage is a transform which converts a code repo into an executable bundle known as a build.
Using a version of the code at a commit specified by the deployment process, the build stage fetches vendored dependencies and compiles binaries and assets.
- The release stage takes the build produced by the build stage and combines it with the deploy's current config. The resulting release contains both the build and the config and is ready for immediate execution in the execution environment.
- The run stage (also known as "runtime") runs the app in the execution environment, by launching some set of the app's processes against a selected release.

12 Factor - Processes
Processes should be stateless and should not share data with each other. This allows apps to:
- Scale up through replication of their processes.
- Stay portable across computing infrastructures, since stateless apps make processes portable.
- To achieve this you must explicitly persist any data in an external backing service such as a database.

12 Factor - Port Binding
In non-cloud environments, apps are written to run in app containers such as GlassFish, Apache Tomcat and Apache HTTP Server. In contrast, 12-factor apps don't rely on external app containers. Instead they bundle the web server library as a part of the app itself. The container must listen for requests on 0.0.0.0 on the port defined by the PORT environment variable. In Cloud Run container instances, the PORT environment variable is always set to 8080, but for portability reasons, your code should not hardcode this value.

CONTINUED..
Written for
- Institution: Cloud Security Specialty -2
- Course: Cloud Security Specialty -2
Document information
- Uploaded on: 5 September 2023
- Number of pages: 19
- Written in: 2023/2024
- Type: Exam (worked solutions)
- Contains: Questions and answers