Amazon SCS-C01 Practice Test - Questions Answers, Page 31


You want the instances in a VPC to use your own managed DNS instance instead of the AWS-provided DNS for resolving DNS requests. How can this be achieved? Please select:

A. Change the existing DHCP options set
B. Create a new DHCP options set and replace the existing one.
C. Change the route table for the VPC
D. Change the subnet configuration to allow DNS requests from the new DNS Server
Suggested answer: B

Explanation:

In order to use your own DNS server, you need to create a new custom DHCP options set containing the IP address of the custom DNS server. You cannot modify an existing options set, so you need to create a new one and use it in place of the existing one. Option A is invalid because you cannot make changes to an existing DHCP options set.

Option C is invalid because route tables only control routing, not DNS resolution. Option D is invalid because this is configured at the VPC level and not at the subnet level. For more information on DHCP options sets, please visit the following URL:

https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_DHCP_Options.html

The correct answer is: Create a new DHCP options set and replace the existing one.

A Windows machine in one VPC needs to join the AD domain in another VPC. VPC peering has been established, but the domain join is not working. What other step needs to be taken to ensure that the AD domain join works as intended? Please select:

A. Change the VPC peering connection to a VPN connection
B. Change the VPC peering connection to a Direct Connect connection
C. Ensure the security groups for the AD hosted subnet have the right rules for the relevant subnets
D. Ensure that the AD is placed in a public subnet
Suggested answer: C

Explanation:

In addition to VPC peering and setting the right route tables, the security groups for the AD EC2 instance need to have the right rules in place to allow the required incoming traffic. Options A and B are invalid because changing the connection type will not help; this is a problem with the security groups. Option D is invalid since the AD should not be placed in a public subnet. For more information on allowing ingress traffic for AD, please visit the following URL:

https://docs.aws.amazon.com/quickstart/latest/active-directory-ds/ingress.html

The correct answer is: Ensure the security groups for the AD hosted subnet have the right rules for the relevant subnets.

You need a cloud security device that allows you to generate encryption keys on hardware validated to FIPS 140-2 Level 3. Which of the following can be used for this purpose?

Please select:

A. AWS KMS
B. AWS Customer Keys
C. AWS managed keys
D. AWS Cloud HSM
Suggested answer: A, D

Explanation:

AWS Key Management Service (KMS) now uses FIPS 140-2 validated hardware security modules (HSMs) and supports FIPS 140-2 validated endpoints, which provide independent assurances about the confidentiality and integrity of your keys. All master keys in AWS KMS, regardless of their creation date or origin, are automatically protected using FIPS 140-2 validated HSMs.

FIPS 140-2 defines four levels of security, simply named "Level 1" to "Level 4". It does not specify in detail what level of security is required by any particular application.

• FIPS 140-2 Level 1, the lowest, imposes very limited requirements; loosely, all components must be "production-grade" and various egregious kinds of insecurity must be absent.

• FIPS 140-2 Level 2 adds requirements for physical tamper-evidence and role-based authentication.

• FIPS 140-2 Level 3 adds requirements for physical tamper-resistance (making it difficult for attackers to gain access to sensitive information contained in the module) and identity-based authentication, and for a physical or logical separation between the interfaces by which "critical security parameters" enter and leave the module and its other interfaces.

• FIPS 140-2 Level 4 makes the physical security requirements more stringent and requires robustness against environmental attacks.

AWS CloudHSM provides you with a FIPS 140-2 Level 3 validated single-tenant HSM cluster in your Amazon Virtual Private Cloud (VPC) to store and use your keys. You have exclusive control over how your keys are used via an authentication mechanism independent from AWS. You interact with keys in your AWS CloudHSM cluster similar to the way you interact with your applications running in Amazon EC2.

AWS KMS allows you to create and control the encryption keys used by your applications and supported AWS services in multiple regions around the world from a single console. The service uses FIPS 140-2 validated HSMs to protect the security of your keys. Centralized management of all your keys in AWS KMS lets you enforce who can use your keys under which conditions, when they get rotated, and who can manage them. AWS KMS HSMs are validated at Level 2 overall and at Level 3 in the following areas:

• Cryptographic Module Specification

• Roles, Services, and Authentication

• Physical Security

• Design Assurance

So I think that we can have 2 answers for this question, both A and D.

• https://aws.amazon.com/blogs/security/aws-key-management-service-now-offers-fips-140-2-validated-cryptographic-modules-enabling-easier-adoption-of-the-service-for-regulated-workloads/

• https://aws.amazon.com/cloudhsm/faqs/

• https://aws.amazon.com/kms/faqs/

• https://en.wikipedia.org/wiki/FIPS_140-2

The AWS Documentation mentions the following:

AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud. With CloudHSM, you can manage your own encryption keys using FIPS 140-2 Level 3 validated HSMs. CloudHSM offers you the flexibility to integrate with your applications using industry-standard APIs, such as PKCS#11, Java Cryptography Extensions (JCE), and Microsoft CryptoNG (CNG) libraries. CloudHSM is also standards-compliant and enables you to export all of your keys to most other commercially available HSMs. It is a fully managed service that automates time-consuming administrative tasks for you, such as hardware provisioning, software patching, high availability, and backups. CloudHSM also enables you to scale quickly by adding and removing HSM capacity on demand, with no up-front costs.

All other options are invalid since AWS CloudHSM is the prime service that offers FIPS 140-2 Level 3 compliance. For more information on CloudHSM, please visit the following URL:

https://aws.amazon.com/cloudhsm/

The correct answers are: AWS KMS, AWS Cloud HSM

You have a requirement to store objects in an S3 bucket with a key that is automatically managed and rotated. Which of the following can be used for this purpose? Please select:

A. AWS KMS
B. AWS S3 Server side encryption
C. AWS Customer Keys
D. AWS Cloud HSM
Suggested answer: B

Explanation:

The AWS Documentation mentions the following

Server-side encryption protects data at rest. Server-side encryption with Amazon S3-managed encryption keys (SSE-S3) uses strong multi-factor encryption. Amazon S3 encrypts each object with a unique key. As an additional safeguard, it encrypts the key itself with a master key that it rotates regularly. Amazon S3 server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data.

All other options are invalid since with them you manage the entire key set yourself and therefore need to ensure the keys are rotated manually. With S3 server-side encryption, AWS manages the rotation of keys automatically. For more information on server-side encryption, please visit the following URL:

https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html

The correct answer is: AWS S3 Server side encryption

A company stores critical data in an S3 bucket. There is a requirement to ensure that an extra level of security is added to the S3 bucket. In addition, it should be ensured that objects are available in a secondary region if the primary one goes down. Which of the following can help fulfil these requirements? Choose 2 answers from the options given below. Please select:

A. Enable bucket versioning and also enable CRR
B. Enable bucket versioning and enable Master Pays
C. For the Bucket policy add a condition for {"Null": {"aws:MultiFactorAuthAge": true}}
D. Enable the Bucket ACL and add a condition for {"Null": {"aws:MultiFactorAuthAge": true}}
Suggested answer: A, C

Explanation:

The AWS Documentation mentions the following:

Adding a Bucket Policy to Require MFA

Amazon S3 supports MFA-protected API access, a feature that can enforce multi-factor authentication (MFA) for access to your Amazon S3 resources. Multi-factor authentication provides an extra level of security you can apply to your AWS environment. It is a security feature that requires users to prove physical possession of an MFA device by providing a valid MFA code. For more information, go to AWS Multi-Factor Authentication. You can require MFA authentication for any requests to access your Amazon S3 resources.

You can enforce the MFA authentication requirement using the aws:MultiFactorAuthAge key in a bucket policy. IAM users can access Amazon S3 resources by using temporary credentials issued by the AWS Security Token Service (STS). You provide the MFA code at the time of the STS request.

When Amazon S3 receives a request with MFA authentication, the aws:MultiFactorAuthAge key provides a numeric value indicating how long ago (in seconds) the temporary credential was created. If the temporary credential provided in the request was not created using an MFA device, this key value is null (absent). In a bucket policy, you can add a condition to check this value, as shown in the following example bucket policy. The policy denies any Amazon S3 operation on the /taxdocuments folder in the examplebucket bucket if the request is not MFA authenticated. To learn more about MFA authentication, see Using Multi-Factor Authentication (MFA) in AWS in the IAM User Guide.

Option B is invalid because just enabling bucket versioning will not guarantee replication of objects.

Option D is invalid because the condition has to be set in the bucket policy, not in a bucket ACL. For more information on example bucket policies, please visit the following URL:

https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html

Versioning together with Cross-Region Replication (CRR) can ensure that objects will be available in the destination region in case the primary region fails. For more information on CRR, please visit the following URL:

https://docs.aws.amazon.com/AmazonS3/latest/dev/crr.html

The correct answers are: Enable bucket versioning and also enable CRR; For the Bucket policy add a condition for {"Null": {"aws:MultiFactorAuthAge": true}}
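The bucket policy the explanation describes, written out and checked against a few constructed request contexts. This is an added example, not the policy from the AWS documentation; the evaluator is a deliberately minimal model of IAM's Null condition (key absent or present), not a full policy engine, and the statement Sid and object key are made up.

```python
import json

# Constructed bucket policy matching the one the explanation describes: deny
# every S3 action on examplebucket/taxdocuments/* unless the request was made
# with MFA-issued temporary credentials. The Null condition is true when the
# aws:MultiFactorAuthAge key is ABSENT from the request context.
MFA_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyNonMfaAccessToTaxDocuments",  # assumed Sid
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::examplebucket/taxdocuments/*",
            "Condition": {"Null": {"aws:MultiFactorAuthAge": "true"}},
        }
    ],
}


def _resource_matches(pattern: str, resource: str) -> bool:
    """Minimal IAM-style resource match: a trailing '*' is a prefix wildcard."""
    if pattern.endswith("*"):
        return resource.startswith(pattern[:-1])
    return pattern == resource


def _null_condition_met(null_block: dict, ctx: dict) -> bool:
    """Evaluate a "Null" condition block against the request context.

    "Null": {key: "true"} holds when key is absent from the context;
    "Null": {key: "false"} holds when key is present. true/false may be
    given as strings or booleans, as IAM accepts both.
    """
    for key, want_absent in null_block.items():
        absent = ctx.get(key) is None
        if absent != (str(want_absent).lower() == "true"):
            return False
    return True


def is_denied(policy: dict, action: str, resource: str, ctx: dict) -> bool:
    """Return True if a Deny statement in the policy matches this request.

    Only the subset needed for this policy is modelled: Effect Deny,
    exact action or s3:*, resource prefix wildcard, and the Null condition.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(a in (action, "s3:*") for a in acts):
            continue
        if not _resource_matches(stmt["Resource"], resource):
            continue
        null_block = stmt.get("Condition", {}).get("Null")
        if null_block is not None and not _null_condition_met(null_block, ctx):
            continue  # condition not satisfied, statement does not apply
        return True
    return False


if __name__ == "__main__":
    print(json.dumps(MFA_DENY_POLICY, indent=2))
    doc = "arn:aws:s3:::examplebucket/taxdocuments/2023.pdf"
    # Constructed request contexts: only MFA-issued credentials carry the age key.
    print(is_denied(MFA_DENY_POLICY, "s3:GetObject", doc, {}))  # True
    print(is_denied(MFA_DENY_POLICY, "s3:GetObject", doc, {"aws:MultiFactorAuthAge": 120}))  # False
```

Objects outside the taxdocuments prefix are not touched by this statement, so the rest of the bucket still relies on whatever other statements and IAM policies apply.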

Your company manages thousands of EC2 instances. There is a mandate to ensure that none of the servers have any critical security flaws. Which of the following can be done to ensure this? Choose 2 answers from the options given below.

Please select:

A. Use AWS Config to ensure that the servers have no critical flaws.
B. Use AWS Inspector to ensure that the servers have no critical flaws.
C. Use AWS Inspector to patch the servers
D. Use AWS SSM to patch the servers
Suggested answer: B, D

Explanation:

The AWS Documentation mentions the following on Amazon Inspector:

Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for vulnerabilities or deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity. These findings can be reviewed directly or as part of detailed assessment reports which are available via the Amazon Inspector console or API.

Option A is invalid because the AWS Config service is not used to check for vulnerabilities on servers. Option C is invalid because Amazon Inspector is not used to patch servers. For more information on Amazon Inspector, please visit the following URL:

https://aws.amazon.com/inspector/

Once you have the list of servers which require critical updates, you can remediate them by installing the required patches via Systems Manager (SSM). For more information on Systems Manager, please visit the following URL:

https://docs.aws.amazon.com/systems-manager/latest/APIReference/Welcome.html

The correct answers are: Use AWS Inspector to ensure that the servers have no critical flaws; Use AWS SSM to patch the servers

You need to inspect the running processes on an EC2 instance that may have a security issue. How can you achieve this in the easiest way possible? You also need to ensure that the inspection does not interfere with the continuous running of the instance.

Please select:

A. Use AWS CloudTrail to record the processes running on the server to an S3 bucket.
B. Use AWS CloudWatch to record the processes running on the server
C. Use the SSM Run command to send the list of running processes information to an S3 bucket.
D. Use AWS Config to see the changed process information on the server
Suggested answer: C

Explanation:

The SSM Run Command can be used to send OS-specific commands to an instance. Here you can list the running processes on the instance and send the output to an S3 bucket without interrupting the instance. Option A is invalid because CloudTrail records API activity and cannot be used to record running processes. Option B is invalid because CloudWatch is a logging and metrics service and cannot be used to record running processes. Option D is invalid because AWS Config is a configuration service and cannot be used to record running processes. For more information on the Systems Manager Run Command, please visit the following URL:

https://docs.aws.amazon.com/systems-manager/latest/userguide/execute-remote-commands.html

The correct answer is: Use the SSM Run command to send the list of running processes information to an S3 bucket.

You are trying to use Systems Manager to patch a set of EC2 systems. Some of the systems are not getting covered in the patching process. Which of the following can be used to troubleshoot the issue? Choose 3 answers from the options given below.

Please select:

A. Check to see if the right role has been assigned to the EC2 instances
B. Check to see if the IAM user has the right permissions for EC2
C. Ensure that the agent is running on the instances.
D. Check the instance status by using the Health API.
Suggested answer: A, C, D

Explanation:

To ensure that the instances are configured properly, you need to check the following:

1) You installed the latest version of the SSM Agent on your instance.

2) Your instance is configured with an AWS Identity and Access Management (IAM) role that enables the instance to communicate with the Systems Manager API.

3) You can use the Amazon EC2 Health API to quickly determine the following information about Amazon EC2 instances:

• The status of one or more instances

• The last time the instance sent a heartbeat value

• The version of the SSM Agent

• The operating system

• The version of the EC2Config service (Windows)

• The status of the EC2Config service (Windows)

Option B is invalid because IAM users are not supposed to be directly granted permissions to EC2 instances. For more information on troubleshooting AWS SSM, please visit the following URL:

https://docs.aws.amazon.com/systems-manager/latest/userguide/troubleshooting-remote-commands.html

The correct answers are: Check to see if the right role has been assigned to the EC2 instances; Ensure that the agent is running on the instances; Check the instance status by using the Health API.

You are trying to use the AWS Systems Manager Run Command on a set of instances, but the command is not working on them. What can you do to diagnose the issue? Choose 2 answers from the options given. Please select:

A. Ensure that the SSM agent is running on the target machine
B. Check the /var/log/amazon/ssm/errors.log file
C. Ensure the right AMI is used for the instance
D. Ensure the security groups allow outbound communication for the instance
Suggested answer: A, B

Explanation:

The AWS Documentation mentions the following:

If you experience problems executing commands using Run Command, there might be a problem with the SSM Agent. Use the following information to help you troubleshoot the agent.

View Agent Logs

The SSM Agent logs information in the following files. The information in these files can help you troubleshoot problems.

On Windows

%PROGRAMDATA%\Amazon\SSM\Logs\amazon-ssm-agent.log

%PROGRAMDATA%\Amazon\SSM\Logs\error.log

The default filename of the seelog is seelog-xml.template. If you modify a seelog, you must rename the file to seelog.xml.

On Linux

/var/log/amazon/ssm/amazon-ssm-agent.log

/var/log/amazon/ssm/errors.log

Option C is invalid because the AMI has nothing to do with the issue; the agent which is used to execute run commands can run on a variety of AMIs. Option D is invalid because security groups do not come into the picture for the communication between the agent and the SSM service. For more information on troubleshooting AWS SSM, please visit the following URL:

https://docs.aws.amazon.com/systems-manager/latest/userguide/troubleshooting-remote-commands.html

The correct answers are: Ensure that the SSM agent is running on the target machine; Check the /var/log/amazon/ssm/errors.log file

You are working for a company and have been allocated the task of ensuring that a federated authentication mechanism is set up between AWS and their on-premises Active Directory. Which of the following are important steps that need to be covered in this process? Choose 2 answers from the options given below.

Please select:

A. Ensure the right match is in place for On-premise AD Groups and IAM Roles.
B. Ensure the right match is in place for On-premise AD Groups and IAM Groups.
C. Configure AWS as the relying party in Active Directory
D. Configure AWS as the relying party in Active Directory Federation services
Suggested answer: A, D

Explanation:

The AWS Documentation mentions some key aspects with regard to the configuration of on-premises AD with AWS. One is the groups configuration in AD:

Active Directory Configuration

Determining how you will create and delineate your AD groups and IAM roles in AWS is crucial to how you secure access to your account and manage resources. SAML assertions to the AWS environment and the respective IAM role access will be managed through regular expression (regex) matching between your on-premises AD group name and an AWS IAM role.

One approach for creating the AD groups that uniquely identify the AWS IAM role mapping is by selecting a common group naming convention. For example, your AD groups would start with an identifier, for example, AWS-, as this will distinguish your AWS groups from others within the organization. Next include the 12-digit AWS account number. Finally, add the matching role name within the AWS account. Here is an example:

And next is the configuration of the relying party, which is AWS:

ADFS federation occurs with the participation of two parties: the identity or claims provider (in this case the owner of the identity repository, Active Directory) and the relying party, which is another application that wishes to outsource authentication to the identity provider; in this case Amazon Secure Token Service (STS). The relying party is a federation partner that is represented by a claims provider trust in the federation service.

Option B is invalid because AD groups should not be matched to IAM groups.

Option C is invalid because the relying party should be configured in Active Directory Federation Services. For more information on federated access, please visit the following URL:

https://aws.amazon.com/blogs/security/aws-federated-authentication-with-active-directory-federation-services-ad-fs/

The correct answers are: Ensure the right match is in place for On-premise AD Groups and IAM Roles; Configure AWS as the relying party in Active Directory Federation services
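The AD-group-to-IAM-role regex mapping described in the explanation, as an added example rather than code from the AWS blog post. The regex, the AWS-<account>-<role> naming convention as implemented here, the SAML provider name "ADFS" and the account number 123456789012 are all assumptions; the "<role ARN>,<saml-provider ARN>" shape of the SAML Role attribute value is the form AWS documents.

```python
import re
from typing import List, Optional, Tuple

# Group naming convention from the explanation: AWS-<12-digit account>-<RoleName>.
# This regex is our own (assumed); the role-name character class follows the
# characters IAM permits in role names.
AD_GROUP_RE = re.compile(r"^AWS-(?P<account>\d{12})-(?P<role>[\w+=,.@-]+)$")

# Assumed name of the SAML identity provider registered in the AWS account.
SAML_PROVIDER_NAME = "ADFS"


def parse_aws_group(group_name: str) -> Optional[Tuple[str, str]]:
    """Return (account_id, role_name) for a conforming AD group, else None.

    Groups that do not follow the convention (ordinary department groups,
    or a group with a malformed account number) must never be turned into
    role claims, so they are rejected rather than guessed at.
    """
    m = AD_GROUP_RE.match(group_name)
    if not m:
        return None
    return m.group("account"), m.group("role")


def role_claim(group_name: str, provider: str = SAML_PROVIDER_NAME) -> Optional[str]:
    """Build the SAML Role attribute value for one group:
    "<role ARN>,<saml-provider ARN>", with both ARNs in the same account."""
    parsed = parse_aws_group(group_name)
    if parsed is None:
        return None
    account, role = parsed
    return (f"arn:aws:iam::{account}:role/{role},"
            f"arn:aws:iam::{account}:saml-provider/{provider}")


def role_claims_for_user(groups: List[str]) -> List[str]:
    """Map all of a user's AD groups to role claims, skipping non-AWS groups."""
    claims = []
    for g in groups:
        c = role_claim(g)
        if c is not None:
            claims.append(c)
    return claims


if __name__ == "__main__":
    # Constructed sample AD group memberships for one user.
    user_groups = [
        "Domain Users",
        "AWS-123456789012-ReadOnly",
        "AWS-123456789012-SecurityAudit",
        "AWS-12345-BadAccount",  # account number too short: ignored
    ]
    for claim in role_claims_for_user(user_groups):
        print(claim)
```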
