[Identity and Access Management]
Your CTO thinks your AWS account was hacked. What is the only way to know for certain whether there was
unauthorized access and what the attackers did, assuming they are very sophisticated AWS engineers
doing everything they can to cover their tracks?
Please select:
A
Explanation:
The AWS documentation mentions the following:
To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, you
can use CloudTrail log file integrity validation. This feature is built using industry-standard algorithms:
SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally
infeasible to modify, delete, or forge CloudTrail log files without detection. You can use the AWS CLI to
validate the files in the location where CloudTrail delivered them.
Validated log files are invaluable in security and forensic investigations. For example, a validated log
file enables you to assert positively that the log file itself has not changed, or that particular user
credentials performed specific API activity. The CloudTrail log file integrity validation process also lets
you know if a log file has been deleted or changed, or assert positively that no log files were
delivered to your account during a given period of time.
Options B, C and D are invalid because you need to use log file integrity validation for the CloudTrail
logs.
For more information on CloudTrail log file validation, please visit the below URL:
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html
The correct answer is: Use CloudTrail Log File Integrity Validation.
[Identity and Access Management]
Your development team is using access keys to develop an application that has access to S3 and
DynamoDB. A new security policy has outlined that the credentials should not be older than 2
months, and should be rotated. How can you achieve this?
Please select:
B
Explanation:
One can use the CLI command list-access-keys to get the access keys. This command also returns the
"CreateDate" of each key. If the CreateDate is older than 2 months, the key can be rotated and then deleted.
The list-access-keys CLI command returns information about the access key IDs associated
with the specified IAM user. If there are none, the action returns an empty list.
Option A is incorrect because you might as well use a script for such maintenance activities.
Option C is incorrect because you would not rotate the users themselves.
Option D is incorrect because you don't use IAM roles for such a purpose.
For more information on the CLI command, please refer to the below link:
https://docs.aws.amazon.com/cli/latest/reference/iam/list-access-keys.html
The correct answer is: Use a script to query the creation date of the keys. If older than 2 months,
create a new access key and update all applications to use it, inactivate the old key, and delete it.
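The rotation procedure the explanation describes (list the keys, compare CreateDate against the 2-month limit, create a new key, roll it out, then inactivate and delete the old one), as an added Python example that is not part of the original page. It works against any object exposing the boto3 IAM client's list_access_keys, create_access_key, update_access_key and delete_access_key methods; the FakeIam class, the user name app-user, the key IDs, SAMPLE_NOW and the deploy_new_key callback are constructed assumptions so it runs offline.

```python
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 60  # the policy's "not older than 2 months"
SAMPLE_NOW = datetime(2024, 4, 1, tzinfo=timezone.utc)  # constructed "today" for the offline run

def _as_datetime(value):
    """boto3 returns CreateDate as a datetime; the CLI prints ISO-8601 text. Accept both."""
    if isinstance(value, datetime):
        return value
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def stale_access_keys(iam, user_name, now, max_age_days=MAX_AGE_DAYS):
    """Same check as scripting `aws iam list-access-keys`: key IDs created before now - max_age_days."""
    cutoff = now - timedelta(days=max_age_days)
    listing = iam.list_access_keys(UserName=user_name)
    return [k["AccessKeyId"] for k in listing["AccessKeyMetadata"]
            if _as_datetime(k["CreateDate"]) < cutoff]

def rotate_stale_keys(iam, user_name, now, deploy_new_key):
    """Rotate each stale key in the order the answer gives: create the new key, hand it to the
    applications via deploy_new_key (hypothetical hook), then inactivate and delete the old key.
    The old key is retired only after deploy_new_key returns, so a failed rollout raises before
    the application is left without a working credential."""
    rotated = []
    for old_id in stale_access_keys(iam, user_name, now):
        new_key = iam.create_access_key(UserName=user_name)["AccessKey"]
        deploy_new_key(new_key)
        iam.update_access_key(UserName=user_name, AccessKeyId=old_id, Status="Inactive")
        iam.delete_access_key(UserName=user_name, AccessKeyId=old_id)
        rotated.append((old_id, new_key["AccessKeyId"]))
    return rotated

class FakeIam:
    """Offline stand-in for boto3's IAM client, seeded with two constructed keys for app-user."""
    def __init__(self):
        self.keys = {"AKIAEXAMPLE0000001": {"Status": "Active", "CreateDate": "2024-01-10T08:15:00Z"},
                     "AKIAEXAMPLE0000002": {"Status": "Active", "CreateDate": "2024-03-25T12:00:00+00:00"}}
        self.calls = []  # records the order of retirement calls
    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(AccessKeyId=k, UserName=UserName, **v) for k, v in self.keys.items()]}
    def create_access_key(self, UserName):
        key_id = f"AKIANEW{len(self.keys):011d}"
        self.keys[key_id] = {"Status": "Active", "CreateDate": SAMPLE_NOW.isoformat()}
        return {"AccessKey": {"AccessKeyId": key_id, "SecretAccessKey": "constructed-secret"}}
    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId]["Status"] = Status
        self.calls.append(("update", AccessKeyId, Status))
    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[AccessKeyId]
        self.calls.append(("delete", AccessKeyId))

if __name__ == "__main__":
    print(rotate_stale_keys(FakeIam(), "app-user", SAMPLE_NOW, lambda key: None))
```

With a real boto3 client, pass `boto3.client("iam")` in place of FakeIam() and a deploy callback that updates your application's secret store.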
[Identity and Access Management]
You work at a company that makes use of AWS resources. One of the key security policies is to ensure
that all data is encrypted both at rest and in transit. Which of the following is one of the right ways to
implement this?
Please select:
A
Explanation:
By disabling SSL termination, you are leaving an insecure connection from the ELB to the back-end
instances. Hence part of the data in transit is not being encrypted.
Option B is incorrect because this would not guarantee complete encryption of data in transit.
Options C and D are incorrect because these would not guarantee encryption.
For more information on SSL listeners for your load balancer, please visit the below URL:
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-https-load-balancers.html
The correct answer is: Use S3 SSE and use SSL for data in transit.
[Logging and Monitoring]
There are currently multiple applications hosted in a VPC. During monitoring it has been noticed that
multiple port scans are coming in from a specific IP address block. The internal security team has
requested that all offending IP addresses be denied for the next 24 hours. Which of the following is
the best method to quickly and temporarily deny access from the specified IP addresses?
Please select:
B
Explanation:
A NACL acts as a firewall at the subnet level of the VPC, so we can deny the offending IP address block
at the subnet level using NACL rules to block the incoming traffic to the VPC instances. Since NACL
rules are evaluated in order of rule number, make sure that this deny rule takes precedence
over any existing rule that would allow traffic from these IP ranges: the
lowest rule number has precedence over a rule with a higher number.
The AWS documentation mentions the following as best practices for IAM users:
For extra security, enable multi-factor authentication (MFA) for privileged IAM users (users who are
allowed access to sensitive resources or APIs). With MFA, users have a device that generates a
unique authentication code (a one-time password, or OTP). Users must provide both their normal
credentials (like their user name and password) and the OTP. The MFA device can either be a special
piece of hardware, or it can be a virtual device (for example, it can run in an app on a smartphone).
Option C is invalid because these options are not available.
Option D is invalid because there is no root access for users.
For more information on IAM best practices, please visit the below URL:
https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
The correct answer is: Modify the Network ACLs associated with all public subnets in the VPC to deny
access from the IP Address block.
[Identity and Access Management]
A company has a set of EC2 instances hosted in AWS. The EC2 instances have EBS volumes which are
used to store critical information. There is a business continuity requirement to ensure high
availability for the EBS volumes. How can you achieve this?
B
Explanation:
Data stored in Amazon EBS volumes is redundantly stored in multiple physical locations as part of the
normal operation of those services and at no additional charge. However, Amazon EBS replication is
stored within the same Availability Zone, not across multiple zones; therefore, it is highly
recommended that you conduct regular snapshots to Amazon S3 for long-term data durability.
Option A is invalid because there is no lifecycle policy for EBS volumes.
Option C is invalid because there is no EBS volume replication.
Option D is invalid because EBS volume encryption will not ensure business continuity.
For information on security for compute resources, please visit the below URL:
https://d1.awsstatic.com/whitepapers/Security/Security_Compute_Services_Whitepaper.pdf
[Incident Response]
A company is developing a highly resilient application to be hosted on multiple Amazon EC2
instances. The application will store highly sensitive user data in Amazon RDS tables.
The application must:
• Include migration to a different AWS Region in the application disaster recovery plan.
• Provide a full audit trail of encryption key administration events.
• Allow only company administrators to administer keys.
• Protect data at rest using application-layer encryption.
A Security Engineer is evaluating options for encryption key management.
Why should the Security Engineer choose AWS CloudHSM over AWS KMS for encryption key
management in this situation?
B
Explanation:
CloudHSM allows full control of your keys, including symmetric (AES), asymmetric (RSA), SHA-256,
SHA-512, hash-based, and digital signature (RSA) operations. On the other hand, AWS Key Management
Service is a multi-tenant key storage that is owned and managed by AWS [1].
References: [1] What are the differences between AWS CloudHSM and KMS?
[Data Protection]
A company has multiple Amazon S3 buckets encrypted with customer-managed CMKs. Due to
regulatory requirements the keys must be rotated every year. The company's Security Engineer has
enabled automatic key rotation for the CMKs; however, the company wants to verify that the rotation
has occurred.
What should the Security Engineer do to accomplish this?
C
Explanation:
The aws kms get-key-rotation-status command returns a boolean value that indicates
whether automatic rotation of the customer master key (CMK) is enabled. This
command also shows the date and time when the CMK was last rotated. The other options are not
valid ways to check the CMK rotation status.
[Incident Response]
A company needs a forensic-logging solution for hundreds of applications running in Docker on
Amazon EC2. The solution must perform real-time analytics on the logs, must support the replay of
messages, and must persist the logs.
Which AWS services should be used to meet these requirements? (Select TWO)
B,D
Explanation:
Amazon Kinesis and Amazon Elasticsearch are both suitable for forensic-logging solutions. Amazon
Kinesis can collect, process, and analyze streaming data in real time. Amazon Elasticsearch can
store, search, and analyze log data using the popular open-source tool Elasticsearch. The other
options are not designed for forensic-logging purposes: Amazon Athena is a query service that can
analyze data in S3, Amazon SQS is a message queue service that can decouple and scale
microservices, and Amazon EMR is a big data platform that can run Apache Spark and Hadoop
clusters.
[Logging and Monitoring]
Auditors for a health care company have mandated that all data volumes be encrypted at rest.
Infrastructure is deployed mainly via AWS CloudFormation; however, third-party frameworks and
manual deployment are required on some legacy systems.
What is the BEST way to monitor, on a recurring basis, whether all EBS volumes are encrypted?
B
Explanation:
To support answer B, see the reference https://d1.awsstatic.com/whitepapers/aws-security-whitepaper.pdf:
"For example, AWS Config provides managed AWS Config Rules to ensure that encryption is turned
on for all EBS volumes in your account."
[Logging and Monitoring]
A company became aware that one of its access keys was exposed on a code-sharing website 11 days
ago. A Security Engineer must review all use of the exposed access key to determine the extent of
the exposure. The company enabled AWS CloudTrail in all regions when it opened the account.
Which of the following will allow the Security Engineer to complete the task?
C
Explanation:
Amazon Athena is a service that enables you to analyze data in Amazon S3 using standard SQL. You
can use Athena to query the CloudTrail logs that are stored in S3 and filter them by the exposed
access key and the date range. The other options are not effective ways to review the use of the
exposed access key.