Last Updated on October 3, 2021 by Admin 2
SOA-C01 : AWS-SysOps : Part 26
In the context of AWS Security Best Practices for RDS, if you require encryption or data integrity authentication of data at rest for compliance or other purposes, you can add protection at the _____ using SQL cryptographic functions.
- physical layer
- security layer
- application layer
- data-link layer
Amazon RDS leverages the same secure infrastructure as Amazon EC2. You can use the Amazon RDS service without additional protection, but if you require encryption or data integrity authentication of data at rest for compliance or other purposes, you can add protection at the application layer, or at the platform layer using SQL cryptographic functions.
A root AWS account owner has created three IAM users: Bob, John and Michael. Michael is the IAM administrator. Bob and John are not the super users, but users with some pre-defined policies. John does not have access to modify his password. Thus, he asks Bob to change his password. How can Bob change John’s password?
- This statement is false. Only Michael can change the password for John
- This is possible if Michael can add Bob to a group which has permissions to modify the IAM passwords
- It is not possible for John to modify his password
- Provided Bob is the manager of John
Generally, with IAM users, a password can be changed in two ways. The first is an IAM policy that allows each user to change their own password (for example, iam:ChangePassword scoped to the user's own ARN). The second is to create a group with a policy that allows its members to change the passwords of other IAM users, and add the helper to that group. Michael, as the IAM administrator, can add Bob to such a group, which is why the second option is correct.
You know that AWS Billing and Cost Management integrates with the AWS Identity and Access Management (IAM) service so that you can control who in your organization has access to specific pages on the AWS Billing and Cost Management console. Which of the following items can you control access to in AWS Billing and Cost Management?
- You can control access to payment methods only.
- You can control access to invoices only.
- You can control access to invoices and detailed information about charges and account activity, budgets, payment methods, and credits.
- You can control access to detailed information about charges and account activity only.
In the AWS Billing and Cost Management console, you can control access to the following:
– invoices
– detailed information about charges and account activity
– budgets
– payment methods
– credits
What does Amazon IAM provide?
- A mechanism to authorize Internet Access Modularity (IAM)
- A mechanism to authenticate users when accessing Amazon Web Services
- A mechanism to integrate on-premises authentication protocols with the Cloud
- None of the above
Amazon IAM provides a mechanism to authenticate users when accessing Amazon Web Services.
AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources for your users. You use IAM to control who can use your AWS resources (authentication) and what resources they can use and in what ways (authorization).
An IAM group is a:
- group of EC2 machines that gain the permissions specified in the group.
- collection of IAM users.
- guide for IAM users.
- collection of AWS accounts.
Within the IAM service, a group is regarded as a collection of users. You can use groups to specify permissions for a collection of users, which can make those permissions easier to manage for those users.
A group in IAM can contain many users. Can a user belong to multiple groups?
- Yes, a user can be a member of up to 150 groups.
- Yes, a user can be a member of up to 50 groups.
- Yes, a user can be a member of up to 100 groups.
- Yes, a user can be a member of up to 10 groups.
In Amazon IAM, a user can belong to up to 10 different groups.
Fill in the blanks: One of the basic characteristics of security groups for your VPC is that you
- can specify allow rules as well as deny rules
- can neither specify allow rules nor deny rules
- can specify allow rules, but not deny rules
- can specify deny rules, but not allow rules
Security groups in a VPC let you specify rules for the protocols and ports over which communication with your instances is allowed. One basic characteristic is that you can specify allow rules, but not deny rules; any traffic that no rule explicitly allows is dropped.
You can configure Amazon CloudFront to deliver access logs per ________ to an Amazon S3 bucket of your choice.
- Edge location
- Geo restriction
If you use a custom origin, you will need to create an Amazon S3 bucket to store your log files in. You can enable CloudFront to deliver access logs per distribution to an Amazon S3 bucket of your choice.
ABC (with AWS account ID 111122223333) has created 50 IAM users for its organization’s employees. What will be the AWS console URL for these associates?
When an organization uses AWS IAM to create users and manage their access rights, an IAM user cannot sign in to the AWS Management Console through the generic URL http://aws.amazon.com/console. The console sign-in URL for IAM users carries the organization's AWS account ID, which identifies the account the user belongs to: https://<AWS_Account_ID>.signin.aws.amazon.com/console/. In this case it is https://111122223333.signin.aws.amazon.com/console/
AWS IAM permissions can be assigned in two ways:
- as role-based or as resource-based.
- as identity-based or as resource-based.
- as security group-based or as key-based.
- as user-based or as key-based.
Permissions can be assigned in two ways: as identity-based or as resource-based. Identity-based, or IAM permissions, are attached to an IAM user, group, or role and let you specify what that user, group, or role can do. For example, you can assign permissions to the IAM user named Bob, stating that he has permission to use the Amazon Elastic Compute Cloud (Amazon EC2) RunInstances action and that he has permission to get items from an Amazon DynamoDB table named MyCompany. The user Bob might also be granted access to manage his own IAM security credentials. Identity-based permissions can be managed or inline.
Resource-based permissions are attached to a resource. You can specify resource-based permissions for Amazon S3 buckets, Amazon Glacier vaults, Amazon SNS topics, Amazon SQS queues, and AWS Key Management Service encryption keys. Resource-based permissions let you specify who has access to the resource and what actions they can perform on it. Resource-based policies are inline only, not managed.
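The distinction above has a mechanical tell: a resource-based policy names a Principal in every statement, while an identity-based policy never does (IAM rejects a Principal in a user, group or role policy). The helper below is an added example written for this page, not AWS code; the three policy documents, the bucket name, the account ID 111122223333 and the VPC endpoint ID are constructed for illustration. It classifies a policy document and, for resource policies, flags Allow statements that grant to the wildcard principal with no Condition, the pattern that makes a bucket or queue public.

```python
import json

# Constructed example policies (illustrations for this page, not AWS samples).
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
        {"Effect": "Allow", "Action": "dynamodb:GetItem",
         "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/MyCompany"},
    ],
}

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:user/Bob"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}

PUBLIC_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # Anonymous read of every object: this is what the check should flag.
        {"Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        # Wildcard principal, but restricted to a (constructed) VPC endpoint ID;
        # the Condition narrows it, so it is not reported as a public grant.
        {"Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
}


def _statements(doc):
    """Statement may be a single object or a list; normalise to a list."""
    stmts = doc.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def classify(doc):
    """Return 'identity' or 'resource' depending on whether statements name a Principal."""
    has_principal = [("Principal" in st or "NotPrincipal" in st) for st in _statements(doc)]
    if has_principal and all(has_principal):
        return "resource"
    if not any(has_principal):
        return "identity"
    raise ValueError("mixed statements: a resource-based policy needs a Principal in every "
                     "statement, an identity-based policy must not contain one")


def _principal_is_public(principal):
    """True for Principal '*' or {'AWS': '*'} (including '*' inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def find_public_grants(doc):
    """Indices of Allow statements that grant to everyone with no Condition narrowing them."""
    hits = []
    for index, st in enumerate(_statements(doc)):
        if (st.get("Effect") == "Allow" and "Condition" not in st
                and _principal_is_public(st.get("Principal"))):
            hits.append(index)
    return hits


if __name__ == "__main__":
    for name, doc in [("identity", IDENTITY_POLICY), ("bucket", BUCKET_POLICY),
                      ("public bucket", PUBLIC_BUCKET_POLICY)]:
        kind = classify(doc)
        public = find_public_grants(doc) if kind == "resource" else []
        print(name, kind, "public statements:", json.dumps(public))
```

The check is deliberately structural: it says nothing about whether the actions granted are sensible, only whether the document is the right kind of policy for where it is attached and whether it opens the resource to anyone.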
Can you change the security groups associated with the primary network interface (eth0) of an EC2 instance running inside a VPC?
- Only if the instance is stopped
- Only when the instance is launched
After you launch an instance in a VPC, you can change its security groups. Security groups are associated with network interfaces. Changing an instance's security groups changes the security groups associated with the primary network interface (eth0).
Amazon Relational Database Service integrates with _____, a service that lets your organization create users and groups under your organization’s AWS account and assign unique security creden-tials to each user.
- Amazon RDS tags
- AWS IAM
- AWS Lambda
- Amazon EMR
Amazon Relational Database Service integrates with AWS IAM, a service that lets your organization create users and groups under your organization's AWS account and assign unique security credentials to each user.
The information within an IAM policy is described through a series of ______.
An IAM policy is built from a series of elements. The elements that a policy can contain are: Version, Id, Statement, Sid, Effect, Principal, NotPrincipal, Action, NotAction, Resource, NotResource, and Condition.
In Amazon VPC, the ______ encryption function is used to ensure privacy among both IKE and IPsec Security Associations.
- AES 192-bit
- AES 256-bit
- SHA 180-bit
- SHA 2-bit
When configuring your customer gateway to communicate with your VPC, the AES 128-bit or AES 256-bit encryption is used to ensure privacy among both IKE and IPSec Security Associations.
In IAM, can you attach more than one inline policy to a particular entity such a user, role, or group?
- Yes, you can but only if you attach the policy within a VPC.
- Yes, you can but only if you attach the policy within the GovCloud.
In AWS IAM, you can add as many inline policies as you want to a user, role, or group, but the total aggregate policy size (the sum of the sizes of all inline policies) per entity cannot exceed the following limits. White space is not counted toward these limits.
– User policy size cannot exceed 2,048 characters.
– Role policy size cannot exceed 10,240 characters.
– Group policy size cannot exceed 5,120 characters.
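Because the limit is an aggregate over all inline policies on one entity and is measured without white space, a pretty-printed document and its minified form count the same. The following is an added example written for this page, not AWS code: it measures policies the way the quota is described (every whitespace character discarded, an assumption made explicit in the comment) and checks a set of inline policies against the limits quoted above. The policy generator and bucket names are constructed for the demonstration.

```python
import json

# Aggregate inline-policy limits per entity type, in characters, as quoted on the page.
LIMITS = {"user": 2048, "group": 5120, "role": 10240}


def policy_size(doc):
    """Size as counted against the quota: characters of the JSON, white space excluded.

    Assumption: all whitespace is discarded, including any inside string values,
    which matches the documented statement that white space is not counted.
    Accepts either a dict or an already-serialised JSON string.
    """
    text = doc if isinstance(doc, str) else json.dumps(doc, separators=(",", ":"))
    return sum(1 for ch in text if not ch.isspace())


def check_inline_budget(entity_type, policies):
    """Return (total_size, limit, fits) for the inline policies attached to one entity."""
    limit = LIMITS[entity_type]
    total = sum(policy_size(p) for p in policies)
    return total, limit, total <= limit


def padded_policy(n_statements):
    """Constructed policy with one Allow statement per bucket, used to exercise the limits."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::bucket-%d/*" % i}
            for i in range(n_statements)
        ],
    }


if __name__ == "__main__":
    doc = padded_policy(40)
    pretty = json.dumps(doc, indent=4)
    print("minified:", policy_size(doc), "pretty-printed:", policy_size(pretty))
    for entity in ("user", "group", "role"):
        total, limit, fits = check_inline_budget(entity, [doc])
        print(entity, total, "/", limit, "ok" if fits else "over limit")
```

The usual way this bites is a role that started with one inline policy and grew by copy-and-paste; running the check before attaching each addition is cheaper than discovering the limit from a LimitExceeded error during a deployment.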
A customer enquires about whether all his data is secure on AWS, and is especially concerned about Elastic Map Reduce (EMR). You need to inform him of some of the security features in place for AWS. Which of the below statements is incorrect regarding EMR or S3?
- Every packet sent in the AWS network uses Internet Protocol Security (IPsec).
- Amazon S3 provides authentication mechanisms to ensure that stored data is secured against un-authorized access.
- Customers may encrypt the input data before they upload it to Amazon S3.
- Amazon EMR customers can choose to send data to Amazon S3 using the HTTPS protocol for secure transmission.
Amazon S3 provides authentication mechanisms to ensure that stored data is secured against unauthorized access. Unless the customer who is uploading the data specifies otherwise, only that customer can access the data. Amazon EMR customers can also choose to send data to Amazon S3 using the HTTPS protocol for secure transmission. In addition, Amazon EMR always uses HTTPS to send data between Amazon S3 and Amazon EC2. For added security, customers may encrypt the input data before they upload it to Amazon S3 (using any common data encryption tool); they then need to add a decryption step to the beginning of their cluster when Amazon EMR fetches the data from Amazon S3. IPsec is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream. Amazon supports Internet Protocol security (IPsec) VPN connections, but does not protect all data packets at this level, so the first statement is the incorrect one.
If an IAM policy has multiple conditions, or if a condition has multiple keys, its boolean outcome will be calculated using a logical ______ operation.
- None of these
If there are multiple condition operators, or if there are multiple keys attached to a single condition operator, the conditions are evaluated using a logical AND. Multiple values for a single key, by contrast, are evaluated using a logical OR: the key needs to match any one of them.
You have set up an IAM policy for your users to access Elastic Load Balancers and you know that an IAM policy is a JSON document that consists of one or more statements. Which of the following elements is not a part of the statement in an IAM policy document?
When you attach a policy to a user or group of users to control access to your load balancer, it allows or denies the users permission to perform the specified tasks on the specified resources.
An IAM policy is a JSON document that consists of one or more statements. Each statement is structured as follows:
Effect: The effect can be Allow or Deny. By default, IAM users don't have permission to use resources and API actions, so all requests are denied. An explicit allow overrides the default. An explicit deny overrides any allows.
Action: The action is the specific API action for which you are granting or denying permission.
Resource: The resource that's affected by the action. With many Elastic Load Balancing API actions, you can restrict the permissions granted or denied to a specific load balancer by specifying its Amazon Resource Name (ARN) in this statement. Otherwise, you can use the * wildcard to specify all of your load balancers.
Condition: You can optionally use conditions to control when your policies are in effect.
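The evaluation rules scattered across this page (default deny, explicit Allow required, explicit Deny wins, operators and keys ANDed, values for one key ORed, and the ${aws:username} variable behind the Bob and John password question earlier) fit in a small evaluator. The block below is an added example written for this page, not AWS's policy engine: it covers identity-based Allow and Deny statements with Action, Resource and a few positive condition operators, and ignores NotAction, NotResource, resource-based policies, permission boundaries and SCPs. The two policies, the help-desk group, the team tag and the account ID 111122223333 are constructed for the demonstration.

```python
import fnmatch

# Simplified identity-based policy evaluation for illustration only (not AWS's
# evaluator). Handles Allow/Deny with Action, Resource, ${variable} expansion and
# the StringEquals, StringLike and Bool operators; no NotAction/NotResource.

ACCOUNT = "111122223333"   # account ID used elsewhere on the page


def user_arn(name):
    return "arn:aws:iam::" + ACCOUNT + ":user/" + name


# Self-service policy: each user may change only their own password.
# ${aws:username} is replaced with the caller's name at evaluation time.
SELF_SERVICE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:ChangePassword", "iam:GetUser"],
        "Resource": user_arn("${aws:username}"),
    }],
}

# Policy for a hypothetical help-desk group: members may reset other users'
# console passwords only with MFA (Bool) AND a team tag of helpdesk OR security
# (two values, ORed). The explicit Deny keeps the administrator off limits.
HELPDESK = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["iam:UpdateLoginProfile", "iam:CreateLoginProfile"],
            "Resource": user_arn("*"),
            "Condition": {
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
                "StringEquals": {"aws:PrincipalTag/team": ["helpdesk", "security"]},
            },
        },
        {"Effect": "Deny", "Action": "iam:*", "Resource": user_arn("Michael")},
    ],
}

_OPERATORS = {
    "StringEquals": lambda have, want: have == want,
    "StringLike": lambda have, want: fnmatch.fnmatchcase(have, want),
    "Bool": lambda have, want: have.lower() == want.lower(),
}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _expand(text, ctx):
    """Substitute ${key} policy variables from the request context."""
    for key, val in ctx.items():
        text = text.replace("${" + key + "}", val)
    return text


def _condition_holds(condition, ctx):
    """Operators ANDed, keys within an operator ANDed, values for one key ORed."""
    for operator, keys in condition.items():
        test = _OPERATORS[operator]
        for key, wanted in keys.items():
            have = ctx.get(key)
            if have is None:   # key absent from the request: a positive operator fails
                return False
            if not any(test(have, _expand(w, ctx)) for w in _as_list(wanted)):
                return False
    return True


def _statement_matches(stmt, action, resource, ctx):
    actions = [a.lower() for a in _as_list(stmt.get("Action"))]   # action names are case-insensitive
    if not any(fnmatch.fnmatchcase(action.lower(), _expand(a, ctx)) for a in actions):
        return False
    if not any(fnmatch.fnmatchcase(resource, _expand(r, ctx)) for r in _as_list(stmt.get("Resource"))):
        return False
    return _condition_holds(stmt.get("Condition", {}), ctx)


def evaluate(policies, action, resource, ctx):
    """Implicit deny by default; an explicit Allow is needed; any explicit Deny wins."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_matches(stmt, action, resource, ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"


def request_context(username, mfa="false", team="helpdesk"):
    """Constructed request context carrying the condition keys the policies above use."""
    return {"aws:username": username, "aws:MultiFactorAuthPresent": mfa,
            "aws:PrincipalTag/team": team}


if __name__ == "__main__":
    bob = request_context("Bob", mfa="true")
    print(evaluate([SELF_SERVICE], "iam:ChangePassword", user_arn("John"), bob))
    print(evaluate([SELF_SERVICE, HELPDESK], "iam:UpdateLoginProfile", user_arn("John"), bob))
```

With only SELF_SERVICE attached, Bob cannot touch John's password; once Michael puts Bob in the help-desk group he can, provided he signed in with MFA and carries an accepted team tag. The Deny statement shows why reaching for an explicit Deny is the safe way to carve an exception out of a broad Allow: it wins regardless of the order of policies or statements.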
In AWS Identity and Access Management, roles can be used by an external user authenticated by an external identity provider (IdP) service that is compatible with _____.
- BNML (Business Narrative Markup Language)
- CFML (ColdFusion Markup Language)
- SAML 2.0 (Security Assertion Markup Language 2.0)
- BPML (Business Process Modeling Language)
In AWS Identity and Access Management, roles can be used by an external user authenticated by an external identity provider (IdP) service that is compatible with SAML 2.0 (Security Assertion Markup Language 2.0).
Which of the below mentioned options is not a best practice to securely manage the AWS access credentials?
- Keep rotating your secure access credentials at regular intervals
- Create individual IAM users
- Create strong access key and secret access key and attach to the root account
- Enable MFA for privileged users
AWS recommends not using access keys for the root account at all: do not create them, and delete any that already exist. For day-to-day work, create an IAM user with the permissions it needs (an administrator user for administrative tasks) and use that user's credentials, with MFA enabled for privileged users. Note also that you cannot "create strong" access keys: the access key ID and secret access key are always generated by AWS, which is why the third option is not a best practice.