AWS Certified Security – Specialty (Security Engineering on AWS) Quiz Questions and Answers

A company hosts a popular web application that connects to an Amazon RDS MySQL DB instance running in a private VPC subnet that was created with default ACL settings. The IT Security department suspects that a DDoS attack is coming from a specific IP address. How can you protect the subnets from this attack?

Answer :
  • Change the Inbound NACL to deny access from the suspected IP

A company is hosting a website that must be accessible to users for HTTPS traffic. Also, port 22 should be open for administrative purposes. The administrator's workstation has a static IP address of 203.0.113.1/32. Which of the following security group configurations is the most secure but still functional to support these requirements? Choose 2 answers from the options given below.

Answer :
  • Port 443 coming from 0.0.0.0/0
  • Port 22 coming from 203.0.113.1/32

You have a website that is sitting behind AWS CloudFront. You need to protect the website against threats such as SQL injection and cross-site scripting attacks. Which of the following services can help in such a scenario?

Answer :
  • AWS WAF

Your company has a set of resources defined in the AWS Cloud. Their IT audit department has requested a list of the resources that have been defined across the account. How can this be achieved in the easiest manner?

Answer :
  • Use AWS Config to get the list of all resources

Your company has defined privileged users for their AWS Account. These users are administrators for key resources defined in the company. There is now a mandate to enhance the security authentication for these users. How can this be accomplished?

Answer :
  • Enable MFA for these user accounts

You have a two-tier application hosted in AWS. It consists of a web server and a database server (SQL Server) hosted on separate EC2 Instances. You are devising the security groups for these EC2 Instances. The web tier needs to be accessed by users across the Internet. You have created a web security group (wg-123) and a database security group (db-345). Which combination of the following security group rules will allow the application to be secure and functional? Choose 2 answers from the options given below.

Answer :
  • wg-123: Allow ports 80 and 443 from 0.0.0.0/0
  • db-345: Allow port 1433 from wg-123

GuardDuty requires manual updates from Proofpoint.

Answer :
  • False

Which service is useful to check Common Vulnerabilities and Exposures in the OS?

Answer :
  • AWS Inspector

A security team must present a daily briefing to the CISO that includes a report of which of the company’s thousands of EC2 instances and on-premises servers are missing the latest security patches. All instances/servers must be brought into compliance within 24 hours so they do not show up on the next day’s report. How can the security team fulfill these requirements?

Answer :
  • Use Systems Manager Patch Manager to generate the report of out-of-compliance instances/servers. Use Systems Manager Patch Manager to install the missing patches

With the help of which service can I detect credit card numbers in my Excel files stored in S3?

Answer :
  • AWS Macie