Amazon AWS Certified Security Specialist Set 1

1.

An organization wants to be alerted when an unauthorized Amazon EC2 instance in its VPC performs a network port scan against other instances in the VPC. When the Security team performs its own internal tests in a separate account by using pre-approved third-party scanners from the AWS Marketplace, the Security team also then receives multiple Amazon GuardDuty events from Amazon CloudWatch alerting on its test activities.
How can the Security team suppress alerts about authorized security tests while still receiving alerts about the unauthorized activity?

Use a filter in AWS CloudTrail to exclude the IP addresses of the Security team Add the Elastic IP addresses of the Security team Install the Amazon Inspector agent on the EC2 instances that the Security team uses. Grant the Security team

2.

A distributed web application is installed across several EC2 instances in public subnets residing in two Availability Zones. Apache logs show several intermittent brute-force attacks from hundreds of IP addresses at the layer 7 level over the past six months. What would be the BEST way to reduce the potential impact of these attacks in the future?

Use custom route tables to prevent malicious traffic from routing to the instances. Update security groups to deny traffic from the originating source IP addresses. Use network ACLs. Install intrusion prevention software (IPS) on each instance.

3.

Which of the following minimizes the potential attack surfacefor applications?

Use security groups to provide stateful firewalls for Amazon EC2 instances at the hypervisor level. Use network ACLs to provide stateful firewalls at the VPC level to prevent access to any specific AWS resource. Use AWS Direct Connect for secure trusted connections between EC2 instances within private subnets. Design network security in a single layer within the perimeter network (also known as DMZ, demilitarized zone, and screened subnet) to facilitate quicker responses to threats.

4.

A company has deployed a custom DNS server in AWS. The Security Engineer wants to ensure that Amazon EC2 instances cannot use the Amazon-provided DNS.
How can the Security Engineer block access to the Amazon-provided DNS in the VPC?

Deny access to the Amazon DNS IP within all security groups. Add a rule to all network access control lists that deny access to the Amazon DNS IP. Add a route to all route tables that black holes traffic to the Amazon DNS IP. Disable DNS resolution within the VPC configuration.

5.

Which approach will generate automated security alerts should too many unauthorized AWS API requests be identified?

Create an Amazon CloudWatch metric filter that looks for API call error codes and then implement an alarm based on that metric Configure AWS CloudTrail to stream event data to Amazon Kinesis. Configure an AWS Lambda function on the stream to alarm when the threshold has been exceeded. Run an Amazon Athena SQL query against CloudTrail log files. Use Amazon QuickSight to create an operational dashboard. Use the Amazon Personal Health Dashboard to monitor the account

Amazon AWS Certified Security Specialist Set 1

Congratulations

COMPANY

Products

OTHERS

Partner

Amazon AWS Certified Security Specialist Set 1

Congratulations

Detail Form

COMPANY

Products

OTHERS

Partner