A company has a VPC that has no internet access and has the private DNS hostnames option enabled. An Amazon Aurora database is running inside the VPC. A security engineer wants to use AWS Secrets Manager to automatically rotate the credentials for the Aurora database. The security engineer configures the Secrets Manager default AWS Lambda rotation function to run inside the same VPC that the Aurora database uses. However, the security engineer determines that the password cannot be rotated properly because the Lambda function cannot communicate with the Secrets Manager endpoint. What is the MOST secure way that the security engineer can give the Lambda function the ability to communicate with the Secrets Manager endpoint?
A. Add a NAT gateway to the VPC to allow access to the Secrets Manager endpoint. B. Add a gateway VPC endpoint to the VPC to allow access to the Secrets Manager endpoint. C. Add an interface VPC endpoint to the VPC to allow access to the Secrets Manager endpoint. D. Add an internet gateway for the VPC to allow access to the Secrets Manager endpoint.
Answer: C Explanation: In a VPC with no internet access that must reach an AWS service such as Secrets Manager, the most secure option is an interface VPC endpoint (AWS PrivateLink). It gives the Lambda rotation function and other resources in the VPC private connectivity to Secrets Manager without an internet gateway, NAT gateway, or VPN connection. Interface endpoints are elastic network interfaces (ENIs) with private IP addresses in your subnets. Because the VPC already has private DNS hostnames enabled, enabling private DNS on the endpoint makes the default secretsmanager.<region>.amazonaws.com name resolve to those ENIs, so the default rotation function needs no endpoint URL change. The endpoint's security group must allow inbound TCP 443 from the rotation function's security group, and an endpoint policy can restrict which principals may use it and for which secrets.

This is more secure than a NAT gateway (A) or an internet gateway (D) because the traffic never leaves the AWS network and the resources are not exposed to the internet, in keeping with least privilege: only the required service is reachable. Option B is wrong because gateway endpoints exist only for Amazon S3 and Amazon DynamoDB; Secrets Manager is reached through an interface endpoint.
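The endpoint setup described above, as an added example that is not part of the original page or of any AWS sample: it builds a least-privilege endpoint policy (only the rotation function's role, only the Aurora secret, plus GetRandomPassword which is not tied to a secret), creates the interface endpoint with private DNS, and checks that the service hostname resolves to private addresses, which is the quick test that private DNS actually took effect. Every ID, ARN and region is a placeholder assumption.

```python
"""Added example (not from the original page or from AWS): least-privilege endpoint
policy for a Secrets Manager interface endpoint, endpoint creation with private DNS,
and a resolution check. All IDs, ARNs and the region are placeholders."""
import ipaddress
import json
import socket

# Placeholders (assumptions, not real resources)
REGION = "us-east-1"
VPC_ID = "vpc-0123456789abcdef0"
SUBNET_IDS = ["subnet-0aaaaaaaaaaaaaaaa", "subnet-0bbbbbbbbbbbbbbbb"]
ENDPOINT_SG_ID = "sg-0123456789abcdef0"   # must allow TCP 443 in from the rotation function's SG
ROTATION_ROLE_ARN = "arn:aws:iam::123456789012:role/SecretsManagerAuroraRotationRole"
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:aurora/admin-AbCdEf"


def secrets_manager_endpoint_policy(rotation_role_arn: str, secret_arn: str) -> dict:
    """Endpoint policy: only the rotation role, only the Aurora secret.

    Anything else arriving at this endpoint is implicitly denied. GetRandomPassword
    is not scoped to a secret, so it gets its own statement with Resource "*".
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "RotationFunctionOnItsSecret",
                "Effect": "Allow",
                "Principal": {"AWS": rotation_role_arn},
                "Action": [
                    "secretsmanager:DescribeSecret",
                    "secretsmanager:GetSecretValue",
                    "secretsmanager:PutSecretValue",
                    "secretsmanager:UpdateSecretVersionStage",
                ],
                "Resource": secret_arn,
            },
            {
                "Sid": "RandomPasswordForRotation",
                "Effect": "Allow",
                "Principal": {"AWS": rotation_role_arn},
                "Action": "secretsmanager:GetRandomPassword",
                "Resource": "*",
            },
        ],
    }


def service_name(region: str) -> str:
    """PrivateLink service name that create-vpc-endpoint expects for Secrets Manager."""
    return f"com.amazonaws.{region}.secretsmanager"


def all_private(addresses) -> bool:
    """True when every resolved address is private (RFC 1918 etc.), i.e. an endpoint
    ENI rather than the public Secrets Manager front end."""
    return bool(addresses) and all(ipaddress.ip_address(a).is_private for a in addresses)


def resolved_addresses(hostname: str) -> list:
    """Resolve the service hostname; run inside the VPC this must yield endpoint ENI IPs."""
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def create_endpoint(region, vpc_id, subnet_ids, sg_id, policy) -> str:
    """Create the interface endpoint. boto3 is imported here so the pure helpers
    above run without the SDK; this call needs real credentials and IDs."""
    import boto3

    ec2 = boto3.client("ec2", region_name=region)
    resp = ec2.create_vpc_endpoint(
        VpcId=vpc_id,
        VpcEndpointType="Interface",
        ServiceName=service_name(region),
        SubnetIds=subnet_ids,
        SecurityGroupIds=[sg_id],
        PrivateDnsEnabled=True,  # needs enableDnsHostnames and enableDnsSupport on the VPC
        PolicyDocument=json.dumps(policy),
    )
    return resp["VpcEndpoint"]["VpcEndpointId"]


if __name__ == "__main__":
    policy = secrets_manager_endpoint_policy(ROTATION_ROLE_ARN, SECRET_ARN)
    endpoint_id = create_endpoint(REGION, VPC_ID, SUBNET_IDS, ENDPOINT_SG_ID, policy)
    addrs = resolved_addresses(f"secretsmanager.{REGION}.amazonaws.com")
    print(endpoint_id, addrs, "private" if all_private(addrs) else "PUBLIC: private DNS not active")
```

Run the resolution check from an instance or Lambda inside the VPC; from outside the VPC the name resolves to public addresses regardless of the endpoint.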
Question # 42
A company is evaluating the use of AWS Systems Manager Session Manager to gain access to the company's Amazon EC2 instances. However, until the company implements the change, the company must protect the key file for the EC2 instances from read and write operations by any other users. When a security administrator tries to connect to a critical EC2 Linux instance during an emergency, the security administrator receives the following error: "Error: Unprotected private key file - Permissions for 'ssh/my_private_key.pem' are too open". Which command should the security administrator use to modify the private key file permissions to resolve this error?
A. chmod 0040 ssh/my_private_key.pem B. chmod 0400 ssh/my_private_key.pem C. chmod 0004 ssh/my_private_key.pem D. chmod 0777 ssh/my_private_key.pem
Answer: B Explanation: The error means the private key file's permissions are too open: users other than the owner can read or write it. OpenSSH refuses to use a private key that is readable or writable by group or others, because anyone who can read the file can impersonate its owner. The fix is chmod 0400 on the key file, which leaves the owner read permission only and gives group and others nothing.

chmod takes an octal mode in which each digit is the sum of read (4), write (2) and execute (1) for, respectively, the owner, the group and others (the leading 0 is the setuid/setgid/sticky digit). 0400 therefore means owner read only and no permission for anyone else. 0600 would also satisfy ssh, but 0400 additionally protects the key from accidental overwrites.

The other options are incorrect: 0777 (D) makes the file readable, writable and executable by everyone, the opposite of what is needed; 0040 (A) and 0004 (C) remove the owner's own read permission while still granting read access to the group or to everyone else, so ssh still cannot use the key.

References: https://superuser.com/questions/215504/permissions-on-private-key-in-ssh-folder https://www.baeldung.com/linux/ssh-key-permissions
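The permission check and the fix, as an added example that is not part of the original page: it reproduces the test OpenSSH applies to a key file (group or other bits set means "too open"; no owner read bit means the key cannot be opened at all), classifies each of the four candidate modes, and applies the equivalent of chmod 0400 to a constructed placeholder key in a temporary file.

```python
"""Added example (not from the original page): reproduce the check OpenSSH performs on
a private key file, classify the candidate modes, and apply the 0400 fix from option B.
The key file is a constructed placeholder in a temporary location, not a real key."""
import os
import stat
import tempfile

# OpenSSH refuses a key whose group or other bits are set (mode & 0o077 != 0); the
# file must also be readable by the owner or it cannot be opened in the first place.
GROUP_OTHER_BITS = 0o077


def evaluate_mode(mode: int) -> str:
    """Classify an octal mode the way ssh reacts to it."""
    if not mode & stat.S_IRUSR:
        return "owner cannot read"   # 0040, 0004: the key cannot even be opened
    if mode & GROUP_OTHER_BITS:
        return "too open"            # 0644, 0777: ssh prints the error from the question
    return "ok"                      # 0400 or 0600


def file_mode(path: str) -> int:
    return stat.S_IMODE(os.stat(path).st_mode)


def is_too_open(path: str) -> bool:
    return evaluate_mode(file_mode(path)) != "ok"


def lock_down(path: str, mode: int = 0o400) -> int:
    """Equivalent of `chmod 0400 path`: owner read only, nothing for group or others."""
    os.chmod(path, mode)
    return file_mode(path)


def demo() -> tuple:
    """Create a throwaway key file, make it world-readable, then repair it."""
    fd, path = tempfile.mkstemp(suffix=".pem")
    with os.fdopen(fd, "w") as f:
        f.write("-----BEGIN OPENSSH PRIVATE KEY-----\n"
                "constructed placeholder, not a real key\n"
                "-----END OPENSSH PRIVATE KEY-----\n")
    try:
        os.chmod(path, 0o644)            # the state that triggers the error in the question
        before = is_too_open(path)
        fixed_mode = lock_down(path)
        return before, oct(fixed_mode), is_too_open(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())   # (True, '0o400', False)
```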
Question # 43
A company has deployed servers on Amazon EC2 instances in a VPC. External vendors access these servers over the internet. Recently, the company deployed a new application on EC2 instances in a new CIDR range. The company needs to make the application available to the vendors. A security engineer verified that the associated security groups and network ACLs are allowing the required ports in the inbound direction. However, the vendors cannot connect to the application. Which solution will provide the vendors access to the application?
A. Modify the security group that is associated with the EC2 instances to have the same outbound rules as inbound rules. B. Modify the network ACL that is associated with the CIDR range to allow outbound traffic to ephemeral ports. C. Modify the inbound rules on the internet gateway to allow the required ports. D. Modify the network ACL that is associated with the CIDR range to have the same outbound rules as inbound rules.
Answer: B Explanation: The correct answer is B: modify the network ACL that is associated with the CIDR range to allow outbound traffic to ephemeral ports.

Network ACLs are stateless: they do not automatically allow the return traffic for a connection that the inbound rules admitted. The vendors' machines open connections from high-numbered source ports (the ephemeral ports, typically 1024-65535 [1]), and the servers' replies are addressed back to those ports, so the network ACL for the new CIDR range's subnet needs an outbound rule that allows TCP traffic to that whole range in addition to the inbound rule for the application port. Without it the TCP handshake never completes. Because the application was deployed into a new CIDR range, it sits in a subnet that may be associated with a different network ACL than the existing servers, which is why the older servers work and the new ones do not.

The other options are incorrect because:

A. Security groups are stateful: return traffic for an allowed inbound connection is permitted automatically regardless of the outbound rules, so mirroring the inbound rules to outbound changes nothing [2].

C. Internet gateways have no inbound or outbound rules. They connect a VPC to the internet and do not filter on ports or protocols [3].

D. Mirroring the inbound rules to outbound does not address the ephemeral ports: the replies go to the vendors' ephemeral ports, not to the application port that the inbound rule allows [4].

References: [1] Ephemeral port - Wikipedia. [2] Security groups for your VPC - Amazon Virtual Private Cloud. [3] Internet gateways - Amazon Virtual Private Cloud. [4] Network ACLs - Amazon Virtual Private Cloud.
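The stateless behaviour described above, as an added example that is not part of the original page: a small evaluator that judges each packet on its own the way a network ACL does (lowest rule number first, first match wins, implicit deny at the end), then runs a vendor's TCP handshake through a rule set that mirrors the inbound rules (option D) and through one with the ephemeral-port outbound rule (option B). The rule sets, the vendor address and the ports are constructed for the demonstration.

```python
"""Added example (not from the original page): stateless network ACL evaluation showing
why option D still blocks the vendors and option B fixes it. Rules and addresses are
constructed for the demonstration."""
import ipaddress
from dataclasses import dataclass

EPHEMERAL_PORTS = (1024, 65535)   # range AWS recommends allowing for return traffic


@dataclass(frozen=True)
class Rule:
    number: int        # rules are evaluated lowest number first; the first match wins
    protocol: str      # "tcp", "udp", "icmp" or "-1" for all protocols
    port_from: int     # destination port range (for both inbound and outbound rules)
    port_to: int
    cidr: str          # source CIDR for inbound rules, destination CIDR for outbound rules
    allow: bool


def evaluate(rules, protocol: str, dst_port: int, remote_ip: str) -> bool:
    """Stateless evaluation of one packet; no memory of the opposite direction."""
    ip = ipaddress.ip_address(remote_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("-1", protocol):
            continue
        if rule.protocol != "-1" and not rule.port_from <= dst_port <= rule.port_to:
            continue
        if ip not in ipaddress.ip_network(rule.cidr, strict=False):
            continue
        return rule.allow
    return False       # the implicit "*" deny at the end of every network ACL


def tcp_connection_allowed(inbound, outbound, client_ip: str, client_port: int, server_port: int) -> bool:
    """A handshake completes only if the SYN passes the inbound rules AND the SYN-ACK,
    addressed to the client's ephemeral port, passes the outbound rules."""
    syn_in = evaluate(inbound, "tcp", server_port, client_ip)
    synack_out = evaluate(outbound, "tcp", client_port, client_ip)
    return syn_in and synack_out


# Constructed rule sets for the new CIDR range's subnet.
INBOUND = [Rule(100, "tcp", 443, 443, "0.0.0.0/0", True)]             # what the engineer verified
OUTBOUND_MIRRORED = [Rule(100, "tcp", 443, 443, "0.0.0.0/0", True)]   # option D
OUTBOUND_FIXED = OUTBOUND_MIRRORED + [
    Rule(110, "tcp", *EPHEMERAL_PORTS, "0.0.0.0/0", True)              # option B
]

VENDOR_IP = "203.0.113.10"        # TEST-NET-3 address, constructed
VENDOR_EPHEMERAL_PORT = 51234

if __name__ == "__main__":
    print("mirrored:", tcp_connection_allowed(INBOUND, OUTBOUND_MIRRORED, VENDOR_IP, VENDOR_EPHEMERAL_PORT, 443))
    print("fixed:   ", tcp_connection_allowed(INBOUND, OUTBOUND_FIXED, VENDOR_IP, VENDOR_EPHEMERAL_PORT, 443))
```

The same evaluator shows the ordering rule that trips people up in real ACLs: a lower-numbered deny for a vendor CIDR wins over a later allow, even though a security group with the same two entries would allow the traffic.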
Question # 44
A company uses AWS Signer with all of the company’s AWS Lambda functions. A developer recently stopped working for the company. The company wants to ensure that all the code that the developer wrote can no longer be deployed to the Lambda functions. Which solution will meet this requirement?
A. Revoke all versions of the signing profile assigned to the developer. B. Examine the developer’s IAM roles. Remove all permissions that grant access to Signer. C. Re-encrypt all source code with a new AWS Key Management Service (AWS KMS) key. D. Use Amazon CodeGuru to profile all the code that the Lambda functions use.
Answer: A Explanation: The correct answer is A: revoke all versions of the signing profile assigned to the developer.

According to the AWS documentation [1], AWS Signer is a fully managed code-signing service that helps you ensure the trust and integrity of your code. You use it to sign code artifacts such as Lambda deployment packages with code-signing certificates that you control and manage. A signing profile is the collection of settings Signer uses to sign: the type of signature, the signing algorithm, and the code-signing certificate and private key. A profile can have multiple versions, and a version can be revoked when it should no longer be trusted. Revocation takes an effective time; signatures created with that profile version from that time on are no longer trusted, so set it early enough to cover the developer's earliest signing job.

Lambda enforces this through a code signing configuration attached to the function, which lists the allowed signing profiles and sets UntrustedArtifactOnDeployment to Enforce (reject) or Warn (log only). With Enforce, an artifact signed under a revoked profile version is refused at deployment, which is what the company wants: once every version of the developer's profile is revoked, neither newly signed nor previously signed code from that profile can be deployed.

The other options are incorrect because:

B. Removing the developer's Signer permissions stops future signing but does nothing about artifacts already signed with a valid profile; Lambda would still accept those signatures until the profile is revoked. (A departed developer's IAM credentials should of course be disabled as well, but that is offboarding hygiene, not the control the question asks for.)

C. Re-encrypting source code with a new AWS KMS key is neither effective nor practical. Lambda checks for a valid Signer signature on the deployment package, not for an encryption key, so already-signed artifacts would still deploy, and re-encrypting the whole code base disrupts the other developers working on it.

D. Amazon CodeGuru profiles code for performance and reviews it for quality; it performs no signature validation and does not interact with Signer or Lambda, so it cannot block an untrusted artifact.

References: [1] What is AWS Signer? - AWS Signer
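The revocation semantics discussed above, as an added example that is not part of the original page or of AWS's own code: a model of which already-signed artifacts remain deployable once a profile version is revoked with a given effective time, under Enforce versus Warn, plus a helper that dates each revocation before the earliest job signed with that version. Profile names, versions, timestamps and artifact names are constructed; the assumption about the boundary (signatures made at or after the effective time are untrusted, earlier ones stay trusted) is stated in the code.

```python
"""Added example (not from the original page or AWS's code): model how revoking a
signing profile version affects which signed Lambda artifacts remain deployable.
Assumed semantics: signatures created with the revoked version at or after the
effective time are untrusted; earlier ones stay trusted. All data is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Signature:
    artifact: str          # e.g. the S3 key of the signed deployment package
    profile_name: str
    profile_version: str
    signed_at: datetime


@dataclass(frozen=True)
class Revocation:
    profile_name: str
    profile_version: str
    effective_time: datetime


def is_trusted(sig: Signature, revocations) -> bool:
    for rev in revocations:
        same_version = (rev.profile_name, rev.profile_version) == (sig.profile_name, sig.profile_version)
        if same_version and sig.signed_at >= rev.effective_time:
            return False
    return True


def deployable(signatures, revocations, untrusted_artifact_on_deployment: str = "Enforce"):
    """Mimic a Lambda code signing config: Enforce rejects untrusted artifacts,
    Warn lets them through and only logs."""
    if untrusted_artifact_on_deployment == "Warn":
        return [s.artifact for s in signatures]
    return [s.artifact for s in signatures if is_trusted(s, revocations)]


def revoke_all_versions(signatures, profile_name: str):
    """One revocation per version of the profile, each dated one second before the
    earliest job signed with it, so nothing signed with that profile stays trusted."""
    earliest = {}
    for s in signatures:
        if s.profile_name == profile_name:
            earliest[s.profile_version] = min(earliest.get(s.profile_version, s.signed_at), s.signed_at)
    return [Revocation(profile_name, v, t - timedelta(seconds=1)) for v, t in earliest.items()]


def revoke_in_signer(revocation: Revocation, reason: str = "developer offboarded") -> None:
    """The real call; boto3 is imported lazily so the model above runs without the SDK."""
    import boto3

    boto3.client("signer").revoke_signing_profile(
        profileName=revocation.profile_name,
        profileVersion=revocation.profile_version,
        reason=reason,
        effectiveTime=revocation.effective_time,
    )


# Constructed signing history: the developer's profile has two versions.
T0 = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)
SIGNATURES = [
    Signature("dev-func-v1.zip", "devProfile", "AbCdEf1234", T0),
    Signature("dev-func-v2.zip", "devProfile", "AbCdEf1234", T0 + timedelta(days=3)),
    Signature("dev-func-v3.zip", "devProfile", "GhIjKl5678", T0 + timedelta(days=30)),
    Signature("team-func.zip", "teamProfile", "MnOpQr9012", T0 + timedelta(days=31)),
]

if __name__ == "__main__":
    revocations = revoke_all_versions(SIGNATURES, "devProfile")
    print(deployable(SIGNATURES, revocations))   # only the team's artifact survives
```

The point the helper makes is that a revocation dated after the developer's first signing job leaves the earlier artifact trusted; the effective time, not just the act of revoking, decides what is cut off.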
Question # 45
A Network Load Balancer (NLB) target instance is not entering the InService state. A security engineer determines that health checks are failing. Which factors could cause the health check failures? (Select THREE.)
Question # 46
A security engineer recently rotated all IAM access keys in an AWS account. The security engineer then configured AWS Config and enabled the following AWS Config managed rules: mfa-enabled-for-iam-console-access, iam-user-mfa-enabled, access-key-rotated, and iam-user-unused-credentials-check. The security engineer notices that all resources are displaying as noncompliant after the IAM GenerateCredentialReport API operation is invoked. What could be the reason for the noncompliant status?
A. The IAM credential report was generated within the past 4 hours. B. The security engineer does not have the GenerateCredentialReport permission. C. The security engineer does not have the GetCredentialReport permission. D. The AWS Config rules have a MaximumExecutionFrequency value of 24 hours.
Answer: D Explanation: The correct answer is D: the AWS Config rules have a MaximumExecutionFrequency value of 24 hours.

According to the AWS documentation [1], MaximumExecutionFrequency is the longest interval AWS Config waits between evaluations of a periodic rule. For managed rules the value is one of One_Hour, Three_Hours, Six_Hours, Twelve_Hours or TwentyFour_Hours, and TwentyFour_Hours is the default. A rule triggered by configuration changes still evaluates when AWS Config records a change; a rule that is only triggered periodically evaluates no more often than this interval.

The four rules the engineer enabled are periodic rules that read the IAM credential report. With the default frequency they evaluate once every 24 hours, so the compliance view keeps showing the result from before the keys were rotated until the next cycle, which can be up to 24 hours after the rotation. Generating a credential report by hand does not start an evaluation. To see the new state sooner, lower the frequency on the rules or trigger an on-demand run with the StartConfigRulesEvaluation API.

The other options are incorrect because:

A. The credential report can be generated at any time; when it was generated does not change the compliance status until the rules evaluate again.

B. The engineer invoked GenerateCredentialReport successfully, so that permission is present. It is the permission needed to generate the report listing every IAM user and the status of their credentials [2].

C. GetCredentialReport is only needed to download a previously generated report [2]; it is not required to enable or evaluate AWS Config rules.

References: [1] AWS::Config::ConfigRule - AWS CloudFormation. [2] IAM: Generate and retrieve IAM credential reports.
Question # 47
A Systems Engineer is troubleshooting the connectivity of a test environment that includes a virtual security appliance deployed inline. In addition to using the virtual security appliance, the Development team wants to use security groups and network ACLs to accomplish various security requirements in the environment. What configuration is necessary to allow the virtual security appliance to route the traffic?
A. Disable network ACLs. B. Configure the security appliance's elastic network interface for promiscuous mode. C. Disable the Network Source/Destination check on the security appliance's elastic network interface. D. Place the security appliance in the public subnet with the internet gateway.
Answer: C Explanation: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html#eni-basics, Source/destination checking: "You must disable source/destination checks if the instance runs services such as network address translation, routing, or firewalls."

The correct answer is C: disable the source/destination check on the security appliance's elastic network interface.

By default every EC2 network interface has the source/destination check enabled, so the instance only accepts traffic addressed to its own IP or MAC address and only sends traffic sourced from them; anything else is dropped. A virtual security appliance that sits inline must forward packets whose source and destination are other hosts, so the check has to be disabled on the interface(s) it forwards through [1][2]. Security groups and network ACLs can still be used alongside it; they filter traffic but do not change this forwarding behaviour.

The other options are incorrect because:

A. Network ACLs are an optional filtering layer for subnets. They allow or deny traffic by address and port but have no effect on whether the appliance is permitted to forward traffic [3].

B. Promiscuous mode makes an interface pass every frame it sees to the host instead of only those addressed to it; it is used for packet capture and monitoring, not for routing, and EC2 does not deliver other hosts' traffic to an ENI in any case [4].

D. Subnet placement does not address the problem. The appliance can sit in a public or a private subnet depending on the design, but in either case it needs the source/destination check disabled to forward traffic, exactly as a NAT instance does [5].

References: [1] Enabling or disabling source/destination checks - Amazon Elastic Compute Cloud. [2] Virtual security appliance - Wikipedia. [3] Network ACLs - Amazon Virtual Private Cloud. [4] Promiscuous mode - Wikipedia. [5] NAT instances - Amazon Virtual Private Cloud.
Question # 48
A Security Engineer is building a Java application that is running on Amazon EC2. The application communicates with an Amazon RDS instance and authenticates with a user name and password. Which combination of steps can the Engineer take to protect the credentials and minimize downtime when the credentials are rotated? (Choose two.)
A. Have a Database Administrator encrypt the credentials and store the ciphertext in Amazon S3. Grant permission to the instance role associated with the EC2 instance to read the object and decrypt the ciphertext. B. Configure a scheduled job that updates the credential in AWS Systems Manager Parameter Store and notifies the Engineer that the application needs to be restarted. C. Configure automatic rotation of credentials in AWS Secrets Manager. D. Store the credential in an encrypted string parameter in AWS Systems Manager Parameter Store. Grant permission to the instance role associated with the EC2 instance to access the parameter and the AWS KMS key that is used to encrypt it. E. Configure the Java application to catch a connection failure and make a call to AWS Secrets Manager to retrieve updated credentials when the password is rotated. Grant permission to the instance role associated with the EC2 instance to access Secrets Manager.
Answer: C,E Explanation:

C. AWS Secrets Manager manages, retrieves and rotates secrets such as database credentials and API keys. Configuring automatic rotation means the password is changed on a schedule by a rotation function that updates both the database and the secret, without manual intervention or application downtime. You choose the rotation frequency and the rotation function that changes the credentials on the database and writes the new version to Secrets Manager. For RDS the AWS-provided rotation functions do this; with the alternating-users strategy the previous user's password stays valid while the switch happens, so connections already open are not broken.

E. If the application catches a connection failure and then calls Secrets Manager for the current credentials, the password is never hard-coded in code or configuration and a rotated password is picked up without a restart or redeploy. Cache the secret between calls, refresh it only on an authentication failure, and bound the number of retries so a genuinely wrong password cannot loop against the database. The EC2 instance role needs IAM permission to read the secret, and the AWS SDK for Java provides the client for the call.

Options A, B and D keep the credential in a store that the application reads once: when the password is rotated the application still has to be restarted or redeployed (B says so explicitly), which is the downtime the question asks to minimise, and none of them rotates the database password.
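The refresh-on-failure pattern from option E, as an added example that is not part of the original page; the page's application is Java, and this shows the same logic in Python. The database and the secret store are constructed fakes so it runs offline; fetch_from_secrets_manager shows the real Secrets Manager call and the username/password JSON layout an RDS secret uses.

```python
"""Added example (not from the original page): cache the database secret, and on an
authentication failure refresh it from the secret store once and retry. The database
and the store are constructed fakes; fetch_from_secrets_manager is the real call."""
import json


class AuthError(Exception):
    """Raised by the database driver when the user name or password is rejected."""


class SecretCache:
    """Holds one secret value; refresh() pulls the current version from the store."""

    def __init__(self, fetch):
        self._fetch = fetch
        self._value = None
        self.refreshes = 0

    def get(self) -> dict:
        if self._value is None:
            self._value = self._fetch()
        return self._value

    def refresh(self) -> dict:
        self._value = self._fetch()
        self.refreshes += 1
        return self._value


def fetch_from_secrets_manager(secret_id: str, region: str) -> dict:
    """Real fetcher: an RDS secret is a JSON string with 'username' and 'password'
    keys. boto3 is imported lazily so the rest of the file runs without the SDK."""
    import boto3

    client = boto3.client("secretsmanager", region_name=region)
    return json.loads(client.get_secret_value(SecretId=secret_id)["SecretString"])


def connect_with_refresh(cache: SecretCache, connect, max_attempts: int = 2):
    """Connect with cached credentials; if they are rejected, refresh the secret and
    retry. The attempt bound stops a wrong password from hammering the database."""
    creds = cache.get()
    for attempt in range(1, max_attempts + 1):
        try:
            return connect(creds["username"], creds["password"])
        except AuthError:
            if attempt == max_attempts:
                raise
            creds = cache.refresh()


class FakeAurora:
    """Constructed stand-in for the database: knows the current password, can rotate."""

    def __init__(self, username, password):
        self.username, self.password = username, password
        self.connections = 0

    def rotate(self, new_password):
        self.password = new_password

    def connect(self, username, password):
        if (username, password) != (self.username, self.password):
            raise AuthError("password authentication failed")
        self.connections += 1
        return f"connection#{self.connections}"

    def current_secret(self) -> dict:
        """What Secrets Manager returns after the rotation function has run."""
        return {"username": self.username, "password": self.password}


def demo() -> tuple:
    db = FakeAurora("app", "initial-pw")
    cache = SecretCache(db.current_secret)
    first = connect_with_refresh(cache, db.connect)     # warms the cache
    db.rotate("rotated-pw")                             # rotation changed the password
    second = connect_with_refresh(cache, db.connect)    # cached creds fail, refresh, succeed
    return first, second, cache.refreshes


if __name__ == "__main__":
    print(demo())   # ('connection#1', 'connection#2', 1)
```

In production the fetch callable would be a lambda around fetch_from_secrets_manager with the secret ARN; the cache keeps GetSecretValue traffic (and its cost) to one call per rotation instead of one per connection.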
Question # 49
A company has a group of Amazon EC2 instances in a single private subnet of a VPC with no internet gateway attached. A security engineer has installed the Amazon CloudWatch agent on all instances in that subnet to capture logs from a specific application. To ensure that the logs flow securely, the company's networking team has created VPC endpoints for CloudWatch monitoring and CloudWatch logs. The networking team has attached the endpoints to the VPC. The application is generating logs. However, when the security engineer queries CloudWatch, the logs do not appear. Which combination of steps should the security engineer take to troubleshoot this issue? (Choose three.)
A. Ensure that the EC2 instance profile that is attached to the EC2 instances has permissions to create log streams and write logs. B. Create a metric filter on the logs so that they can be viewed in the AWS Management Console. C. Check the CloudWatch agent configuration file on each EC2 instance to make sure that the CloudWatch agent is collecting the proper log files. D. Check the VPC endpoint policies of both VPC endpoints to ensure that the EC2 instances have permissions to use them. E. Create a NAT gateway in the subnet so that the EC2 instances can communicate with CloudWatch. F. Ensure that the security groups allow all the EC2 instances to communicate with each other to aggregate logs before sending.
Answer: A,C,D Explanation: The steps to troubleshoot this issue are:

A. Ensure that the instance profile attached to the EC2 instances has permission to create log groups and log streams and to put log events. The CloudWatch agent uses the instance role's credentials to talk to CloudWatch, and without logs:CreateLogStream and logs:PutLogEvents (and logs:CreateLogGroup if the group does not exist yet) it cannot write anything [1]. The managed policy CloudWatchAgentServerPolicy covers this.

C. Check the CloudWatch agent configuration file on each instance to confirm that the logs section lists the application's log files (file_path, log_group_name, log_stream_name). The agent only collects what the configuration tells it to, and a wrong path silently collects nothing [2]. The agent's own log file shows what it is reading and any API errors it receives.

D. Check the endpoint policies of both VPC endpoints. An endpoint policy restricts which principals may use the endpoint, for which actions and resources; if it does not allow the instance role to reach the logs and monitoring services, the calls are denied even though the network path exists [3]. Also confirm that the endpoints' security groups allow inbound TCP 443 from the instances and that private DNS is enabled so the service names resolve to the endpoints.

The other options are incorrect because:

B. A metric filter extracts metric data from log events that have already arrived; it does not affect whether logs appear in the console.

E. The instances do not need internet access: the VPC endpoints give them a private path to CloudWatch. A NAT gateway would only add cost, and it would need an internet gateway that this VPC does not have.

F. The CloudWatch agent does not aggregate logs between instances; each instance sends its own logs directly, so instance-to-instance security group rules are irrelevant.

References: [1] IAM roles for Amazon EC2. [2] CloudWatch agent configuration file: Logs section. [3] Using Amazon VPC endpoints. See also: Metric filters; NAT gateways; CloudWatch agent reference: Log aggregation.
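Steps A and D above both come down to reading an IAM-style policy document and asking whether it allows the agent's actions. The following added example, not part of the original page, is a simplified evaluator for that question (explicit Deny wins, then any Allow, otherwise implicit deny; Action/NotAction, Resource/NotResource and an optional AWS Principal are honoured; Condition is ignored, which is enough for this check). It is run against a constructed instance-profile policy with PutLogEvents missing and a constructed endpoint policy that admits the wrong role. Role ARNs are placeholders.

```python
"""Added example (not from the original page): a simplified IAM policy evaluator used
to check the instance profile (step A) and the endpoint policies (step D) offline.
Conditions are ignored; Principal is checked only when one is supplied. The policy
documents and role ARNs are constructed placeholders."""
from fnmatch import fnmatchcase

# What the CloudWatch agent needs to ship logs (subset of CloudWatchAgentServerPolicy).
AGENT_LOG_ACTIONS = (
    "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams",
)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value: str) -> bool:
    # IAM action and resource matching is case-insensitive and supports "*" and "?".
    return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _statement_applies(st: dict, action: str, resource: str, principal) -> bool:
    if "Action" in st:
        if not _matches(st["Action"], action):
            return False
    elif "NotAction" in st:
        if _matches(st["NotAction"], action):
            return False
    else:
        return False
    if "Resource" in st and not _matches(st["Resource"], resource):
        return False
    if "NotResource" in st and _matches(st["NotResource"], resource):
        return False
    if "Principal" in st and principal is not None:
        p = st["Principal"]
        allowed = ["*"] if p == "*" else _as_list(p.get("AWS", []))
        if not _matches(allowed, principal):
            return False
    return True


def policy_allows(policy: dict, action: str, resource: str = "*", principal=None) -> bool:
    """Explicit Deny wins, then any matching Allow, otherwise implicit deny."""
    allowed = False
    for st in _as_list(policy.get("Statement", [])):
        if not _statement_applies(st, action, resource, principal):
            continue
        if st.get("Effect") == "Deny":
            return False
        if st.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_actions(policy: dict, required=AGENT_LOG_ACTIONS, resource="*", principal=None):
    """The required actions the policy does not allow; empty means the policy is fine."""
    return [a for a in required if not policy_allows(policy, a, resource, principal)]


# Constructed instance-profile policy: a common mistake, PutLogEvents left out.
INSTANCE_PROFILE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:DescribeLogStreams"],
                   "Resource": "*"}],
}

# Constructed endpoint policy on the logs endpoint: only one (wrong) role may use it.
LOGS_ENDPOINT_POLICY = {
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/OtherRole"},
                   "Action": "logs:*", "Resource": "*"}],
}
INSTANCE_ROLE = "arn:aws:iam::123456789012:role/AppServerRole"   # placeholder

if __name__ == "__main__":
    print("instance profile missing:", missing_actions(INSTANCE_PROFILE_POLICY))
    print("endpoint policy missing: ", missing_actions(LOGS_ENDPOINT_POLICY, principal=INSTANCE_ROLE))
```

Feed it the real documents from iam get-role-policy / get-policy-version and ec2 describe-vpc-endpoints (the PolicyDocument field) to check A and D together before touching the network.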
Question # 50
An AWS account administrator created an IAM group and applied the following managed policy to require that each individual user authenticate using multi-factor authentication:
After implementing the policy, the administrator receives reports that users are unable to perform Amazon EC2 commands using the AWS CLI. What should the administrator do to resolve this problem while still enforcing multi-factor authentication?
A. Change the value of aws:MultiFactorAuthPresent to true. B. Instruct users to run the aws sts get-session-token CLI command and pass the multi-factor authentication --serial-number and --token-code parameters. Use these resulting values to make API/CLI calls. C. Implement federated API/CLI access using SAML 2.0, then configure the identity provider to enforce multi-factor authentication. D. Create a role and enforce multi-factor authentication in the role trust policy. Instruct users to run the sts assume-role CLI command and pass --serial-number and --token-code parameters. Store the resulting values in environment variables. Add sts:AssumeRole to NotAction in the policy.
Answer: B Explanation: The correct answer is B: instruct users to run the aws sts get-session-token CLI command and pass the MFA --serial-number and --token-code parameters, then use the resulting values to make API/CLI calls.

According to the AWS documentation [1], aws sts get-session-token returns a set of temporary credentials for an IAM user: an access key ID, a secret access key and a session token, valid only for the requested duration. For IAM users the duration can be between 15 minutes and 36 hours, with a default of 12 hours.

Passing --serial-number (the ARN of the user's MFA device) and --token-code (the current code from that device) produces credentials that carry aws:MultiFactorAuthPresent = true, which is what the policy's condition checks. The MFA device must be the one associated with the user making the call. If the parameters are omitted for a user whose policy requires MFA, the calls made with the resulting credentials fail with AccessDenied. The get-session-token call itself is made with the user's long-term keys, so the policy must still permit sts:GetSessionToken without MFA (typically by listing it under NotAction); otherwise users can never bootstrap a session.

The temporary credentials are then used for the EC2 commands, either through environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN) or through a named profile in the AWS CLI configuration file. This resolves the problem while still enforcing MFA.

The other options are incorrect because:

A. aws:MultiFactorAuthPresent is a condition key that AWS sets from the credentials used in the request; it cannot be forced to true by editing the policy. Only credentials obtained with valid MFA make the condition true.

C. Federated access through SAML 2.0 with MFA enforced at the identity provider works, but it requires an identity provider, a trust relationship with AWS and a way for the CLI to obtain SAML assertions, which is far more operational effort than get-session-token for this problem, and it moves the trust to the identity provider.

D. An MFA-protected role also works, but it requires a role and trust policy for each group that needs EC2 access, permission to assume the role, a change to the policy's NotAction, and users switching to sts assume-role; again more effort than the simplest fix.

References: [1] get-session-token - AWS CLI Command Reference
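The get-session-token flow from option B, as an added example that is not part of the original page: it validates the MFA device ARN, the 6-digit code and the duration before spending a code on a doomed call, makes the STS call (the same call as the CLI command in the answer), turns the returned Credentials block into shell exports, and reports how long the session has left. The sample Credentials block is constructed, not real, and the device ARN is a placeholder.

```python
"""Added example (not from the original page): obtain MFA-backed temporary credentials
with STS GetSessionToken and turn them into shell exports. The MFA serial and the
sample credentials are constructed placeholders; the STS call is real and needs the
user's long-term keys in the environment (and no leftover AWS_SESSION_TOKEN)."""
import re
import shlex
import sys
from datetime import datetime, timezone

MFA_SERIAL_RE = re.compile(r"^arn:aws:iam::\d{12}:mfa/[\w+=,.@-]+$")
TOKEN_CODE_RE = re.compile(r"^\d{6}$")
MAX_IAM_USER_SESSION = 129_600   # 36 hours, the GetSessionToken ceiling for IAM users
MIN_SESSION = 900                # 15 minutes


def validate_inputs(serial_number: str, token_code: str, duration_seconds: int) -> None:
    """Reject malformed input locally; a wasted MFA code cannot be reused for 30 seconds."""
    if not MFA_SERIAL_RE.match(serial_number):
        raise ValueError("serial number must be the MFA device ARN: arn:aws:iam::<account>:mfa/<name>")
    if not TOKEN_CODE_RE.match(token_code):
        raise ValueError("token code must be the 6-digit code from the device")
    if not MIN_SESSION <= duration_seconds <= MAX_IAM_USER_SESSION:
        raise ValueError("duration must be between 15 minutes and 36 hours")


def get_mfa_session(serial_number: str, token_code: str, duration_seconds: int = 3600) -> dict:
    """Equivalent of: aws sts get-session-token --serial-number ... --token-code ...
    boto3 is imported lazily so the helpers in this file run without the SDK."""
    validate_inputs(serial_number, token_code, duration_seconds)
    import boto3

    sts = boto3.client("sts")
    return sts.get_session_token(SerialNumber=serial_number, TokenCode=token_code,
                                 DurationSeconds=duration_seconds)["Credentials"]


def shell_exports(credentials: dict) -> str:
    """Lines to eval in a POSIX shell so the AWS CLI uses the MFA-backed session.
    Values are quoted defensively; session tokens are long and opaque."""
    return "\n".join(
        f"export {name}={shlex.quote(credentials[key])}"
        for name, key in (("AWS_ACCESS_KEY_ID", "AccessKeyId"),
                          ("AWS_SECRET_ACCESS_KEY", "SecretAccessKey"),
                          ("AWS_SESSION_TOKEN", "SessionToken"))
    )


def seconds_remaining(credentials: dict, now: datetime = None) -> int:
    """Seconds until the session expires; STS returns an aware Expiration datetime."""
    now = now or datetime.now(timezone.utc)
    return max(0, int((credentials["Expiration"] - now).total_seconds()))


# Constructed response shaped like the Credentials block STS returns (not real secrets).
SAMPLE_CREDENTIALS = {
    "AccessKeyId": "ASIAEXAMPLE1234567",
    "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "SessionToken": "FwoGZXIvYXdzEBY+EXAMPLE/SessionToken==",
    "Expiration": datetime(2024, 6, 1, 13, 0, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    # usage: eval "$(python3 mfa_session.py arn:aws:iam::123456789012:mfa/alice 123456)"
    creds = get_mfa_session(sys.argv[1], sys.argv[2])
    print(shell_exports(creds))
```

Run it with the long-term keys in the environment or a profile and unset AWS_SESSION_TOKEN first; GetSessionToken cannot be called with credentials that already came from GetSessionToken.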