4.3.6. Sample Questions - Domain 6: Security & Compliance
Question 1:
A company is implementing a multi-account AWS strategy and needs to enforce a security policy that prevents any IAM user or role in member accounts from creating S3 buckets that are publicly accessible. This policy must apply to all existing and future accounts within their AWS Organization. Which AWS service should be used to centrally enforce this preventive control?
A) IAM Roles
B) IAM Policies
C) Service Control Policies (SCPs)
D) AWS Config Rules
Correct Answer: C
Explanation:
- A) IAM Roles: IAM Roles grant temporary permissions to AWS entities. While essential for access management, they are applied within an account and cannot centrally restrict actions across multiple accounts in an AWS Organization.
- B) IAM Policies: IAM Policies define permissions for IAM users, groups, and roles. Like roles, they are applied within an account and cannot centrally enforce preventive controls across an entire AWS Organization.
- C) Service Control Policies (SCPs): SCPs are a type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions for all accounts in your organization. They can be used to restrict access to certain services or actions for all users and roles in affected accounts, including the root user. This directly addresses the need for central, preventive enforcement across multiple accounts, aligning with the First Principle of Centralized Governance and Preventive Security Controls.
- D) AWS Config Rules: AWS Config Rules continuously evaluate whether your AWS resource configurations comply with desired settings. While Config can detect non-compliant S3 buckets, it is a detective control, not a preventive one. It cannot prevent the creation of publicly accessible buckets; it can only flag them after they are created.
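As an added example (not from the study guide), here is a constructed SCP of the kind the explanation describes, together with a small offline model of how its Deny statements apply to a request from a member account. The action names and the s3:x-amz-acl condition key are real AWS identifiers; the evaluator is a simplification that models only explicit Deny statements.

```python
import fnmatch

# Added example, not from the study guide. A constructed SCP that denies the
# actions used to make an S3 bucket public. The action names and the
# s3:x-amz-acl condition key are real AWS identifiers.
PREVENT_PUBLIC_S3_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {   # New buckets get Block Public Access on by default; stop it being turned off.
            "Sid": "DenyDisablingBlockPublicAccess",
            "Effect": "Deny",
            "Action": ["s3:PutBucketPublicAccessBlock", "s3:PutAccountPublicAccessBlock"],
            "Resource": "*",
        },
        {   # Deny creating a bucket or rewriting its ACL with a public canned ACL.
            "Sid": "DenyPublicCannedAcl",
            "Effect": "Deny",
            "Action": ["s3:CreateBucket", "s3:PutBucketAcl"],
            "Resource": "*",
            "Condition": {"StringEquals": {
                "s3:x-amz-acl": ["public-read", "public-read-write", "authenticated-read"]}},
        },
    ],
}

def _string_equals(condition, context):
    """Evaluate the StringEquals operator, the only one this SCP uses.
    A key absent from the request context makes StringEquals false, as in IAM."""
    for key, allowed in condition.get("StringEquals", {}).items():
        allowed = [allowed] if isinstance(allowed, str) else allowed
        if context.get(key) not in allowed:
            return False
    return True

def scp_denies(scp, action, context=None):
    """Return the Sid of the first Deny statement matching the request, else None.
    Simplified model: only explicit Deny statements are evaluated, since that is
    how an SCP like this one narrows what member-account principals may do."""
    context = context or {}
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            continue
        if _string_equals(stmt.get("Condition", {}), context):
            return stmt["Sid"]
    return None
```

Because the evaluator models denies only, a request it does not deny is not necessarily allowed: the member account's own IAM policies still have to grant it.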
Question 2:
A DevOps team needs to ensure that all data stored in Amazon S3 buckets is encrypted at rest. They want to enforce this encryption by default for all new objects uploaded to specific buckets without requiring application-level changes. Which S3 encryption option should they configure on the buckets?
A) Client-Side Encryption
B) Server-Side Encryption with S3-Managed Keys (SSE-S3)
C) Server-Side Encryption with Customer-Provided Keys (SSE-C)
D) Server-Side Encryption with KMS-Managed Keys (SSE-KMS)
Correct Answer: B
Explanation:
- A) Client-Side Encryption: With client-side encryption, you encrypt data before sending it to S3. This requires application-level changes to handle encryption and decryption, which the requirement explicitly seeks to avoid.
- B) Server-Side Encryption with S3-Managed Keys (SSE-S3): SSE-S3 uses Amazon S3-managed encryption keys to encrypt your data at rest. When you enable default encryption with SSE-S3 on a bucket, all new objects uploaded to that bucket are automatically encrypted using AES-256, without requiring any changes to the application code. This is the simplest way to enforce encryption at rest by default, aligning with the First Principle of Data Protection by Default and Operational Simplicity.
- C) Server-Side Encryption with Customer-Provided Keys (SSE-C): SSE-C allows you to encrypt objects with encryption keys that you manage. You provide the encryption key as part of the request. This also requires application-level changes to manage and provide the keys.
- D) Server-Side Encryption with KMS-Managed Keys (SSE-KMS): SSE-KMS uses AWS Key Management Service (KMS) to manage encryption keys. While it offers more control over keys than SSE-S3, it still requires specifying the KMS key in the upload request or configuring it as the default encryption, which might involve more setup than simple SSE-S3 for default encryption. SSE-S3 is the most straightforward for "by default without application changes."
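An added example, not part of the study guide, modelling the precedence S3 applies between a PUT request's own encryption headers and the bucket's default encryption, which is why SSE-S3 as a bucket default needs no application change while SSE-C always does. The two configuration documents use the real PutBucketEncryption shape; the KMS key ARN is a placeholder.

```python
# Added example, not from the study guide: a model of how S3 picks the encryption of
# a newly uploaded object. The two bucket-default documents are the real shape accepted
# by PutBucketEncryption; the header names are the real x-amz-server-side-encryption
# headers. The KMS key ARN is a placeholder.
SSE_S3_DEFAULT = {
    "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]
}
SSE_KMS_DEFAULT = {
    "Rules": [{
        "ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID",
        },
        "BucketKeyEnabled": True,
    }]
}

def validate_default_config(config):
    """Only SSE-S3 (AES256), SSE-KMS (aws:kms) and DSSE-KMS (aws:kms:dsse) can be a
    bucket default; SSE-C cannot, because its key travels with each request."""
    algo = config["Rules"][0]["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"]
    if algo not in ("AES256", "aws:kms", "aws:kms:dsse"):
        raise ValueError(f"{algo!r} cannot be a bucket default encryption setting")
    return algo

def effective_encryption(put_headers, bucket_default=None):
    """Return (scheme, key_reference) for the object S3 stores.
    Encryption named in the PUT request wins; otherwise the bucket default applies;
    with neither, S3 still applies SSE-S3 (the service-wide default since January 2023)."""
    h = {k.lower(): v for k, v in put_headers.items()}
    if "x-amz-server-side-encryption-customer-algorithm" in h:
        # SSE-C: the caller shipped the key with the request, so the application had to change.
        return ("SSE-C", "caller-provided key")
    algo = h.get("x-amz-server-side-encryption")
    if algo == "aws:kms":
        return ("SSE-KMS", h.get("x-amz-server-side-encryption-aws-kms-key-id", "aws/s3"))
    if algo == "AES256":
        return ("SSE-S3", "S3-managed")
    if bucket_default:
        rule = bucket_default["Rules"][0]["ApplyServerSideEncryptionByDefault"]
        if rule["SSEAlgorithm"] == "aws:kms":
            return ("SSE-KMS", rule.get("KMSMasterKeyID", "aws/s3"))
        return ("SSE-S3", "S3-managed")
    return ("SSE-S3", "S3-managed")
```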
Question 3:
A company needs to regularly assess their AWS environment for security vulnerabilities and deviations from security best practices. They want an automated service that can identify common security issues, such as open security groups, unencrypted S3 buckets, and overly permissive IAM policies. Which AWS service is designed to continuously monitor and report on these security posture issues?
A) AWS CloudTrail
B) Amazon GuardDuty
C) AWS Security Hub
D) AWS WAF
Correct Answer: C
Explanation:
- A) AWS CloudTrail: CloudTrail records API calls for auditing and governance. While it provides data that can be analyzed for security, it doesn't automatically assess for vulnerabilities or deviations from best practices.
- B) Amazon GuardDuty: GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior. It focuses on detecting threats, not on assessing the overall security posture or configuration best practices.
- C) AWS Security Hub: AWS Security Hub provides a comprehensive view of your security alerts and security posture across your AWS accounts. It collects security data from across AWS services (like GuardDuty, Inspector, Macie, Config) and third-party partners, and helps you analyze your security trends and identify the highest priority security issues. It performs automated security checks against AWS security best practices and industry standards, aligning with the First Principle of Centralized Security Posture Management and Continuous Compliance.
- D) AWS WAF: AWS WAF (Web Application Firewall) helps protect your web applications or APIs against common web exploits. It's a protective control for web traffic, not a service for assessing overall security posture.
Question 4:
A DevOps team is deploying a new web application and needs to protect it from common web exploits, such as SQL injection and cross-site scripting (XSS). They also want to control access based on IP addresses and HTTP headers. Which AWS service should they use to provide this layer of protection for their application?
A) AWS Shield
B) Amazon GuardDuty
C) AWS Network Firewall
D) AWS WAF
Correct Answer: D
Explanation:
- A) AWS Shield: AWS Shield is a managed Distributed Denial of Service (DDoS) protection service. It protects against large-scale network attacks, not application-layer exploits like SQL injection or XSS.
- B) Amazon GuardDuty: GuardDuty is a threat detection service that continuously monitors for malicious activity. It detects threats but does not actively protect against web exploits or allow for custom access control rules based on IP addresses or HTTP headers.
- C) AWS Network Firewall: AWS Network Firewall is a managed service that makes it easier to deploy essential network protections for all of your Amazon VPCs. It provides network-level filtering, not application-layer protection against web exploits.
- D) AWS WAF (Web Application Firewall): AWS WAF helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources. It allows you to create custom rules to block common attack patterns and control traffic based on conditions like IP addresses, HTTP headers, and query strings, aligning with the First Principle of Application-Layer Security and Threat Mitigation.
Question 5:
A company needs to ensure that all changes to their AWS infrastructure are auditable and that they can trace who made specific changes to resources. They also need to be able to detect if any resource configurations have drifted from their desired state. Which two AWS services, when used together, provide comprehensive auditing of API calls and continuous monitoring of resource configuration changes?
A) AWS CloudTrail and AWS Config
B) Amazon CloudWatch and AWS Systems Manager
C) AWS Security Hub and Amazon Inspector
D) AWS Organizations and Service Control Policies (SCPs)
Correct Answer: A
Explanation:
- A) AWS CloudTrail and AWS Config:
  - AWS CloudTrail: Provides a record of actions taken by a user, role, or an AWS service in AWS. It logs API calls, which is essential for auditing who made what changes, when, and from where. This addresses the "auditable API calls" requirement.
  - AWS Config: Continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. It can detect "configuration drift" by comparing the current state of resources to a desired baseline.
  - Together, these two services provide a comprehensive solution for auditing changes and monitoring configuration compliance, aligning with the First Principle of Accountability and Configuration Integrity.
- B) Amazon CloudWatch and AWS Systems Manager: CloudWatch is for monitoring metrics and logs, and Systems Manager is for operational automation. While valuable, they don't directly provide the auditing of API calls or continuous configuration change monitoring in the same way as CloudTrail and Config.
- C) AWS Security Hub and Amazon Inspector: Security Hub aggregates security findings, and Inspector assesses for vulnerabilities. These are important for security posture but don't cover the comprehensive auditing of all API calls or continuous configuration change monitoring.
- D) AWS Organizations and Service Control Policies (SCPs): Organizations help manage multiple accounts, and SCPs enforce maximum permissions. These are for governance and control at an organizational level, not for detailed auditing of individual API calls or continuous monitoring of resource configurations.
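An added example, not from the study guide, that joins the two services' roles on constructed data: a Config-style comparison of a bucket's recorded configuration against its desired baseline, and a CloudTrail-style lookup of which principal made the write that explains each drifted attribute. The CloudTrail records use real field names but a fictional account, ARNs, addresses and times; the baseline and recorded values are constructed as well.

```python
import json

# Added example, not from the study guide. CLOUDTRAIL_LOG is constructed (real CloudTrail
# field names; fictional account, ARNs, addresses and times). DESIRED/RECORDED stand in for
# the baseline a Config rule evaluates and the configuration Config has recorded.
CLOUDTRAIL_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T09:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetBucketEncryption", "readOnly": True, "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/audit-reader"},
     "requestParameters": {"bucketName": "app-logs"}},
    {"eventTime": "2024-05-01T09:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketVersioning", "readOnly": False, "sourceIPAddress": "203.0.113.20",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/DeployRole/ci-run-42"},
     "requestParameters": {"bucketName": "app-logs"}},
    {"eventTime": "2024-05-01T09:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketEncryption", "readOnly": False, "sourceIPAddress": "203.0.113.20",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/DeployRole/ci-run-42"},
     "requestParameters": {"bucketName": "other-bucket"}},
]})
DESIRED = {"encryption": "AES256", "versioning": "Enabled", "blockPublicAccess": True}
RECORDED = {"encryption": "AES256", "versioning": "Suspended", "blockPublicAccess": False}

# Which S3 write API changes which attribute of the recorded configuration.
EVENT_TO_ATTRIBUTE = {"PutBucketEncryption": "encryption", "PutBucketVersioning": "versioning",
                      "PutBucketPublicAccessBlock": "blockPublicAccess", "PutBucketPolicy": "policy"}

def config_drift(desired, recorded):
    """Config's job: attributes whose recorded value differs from the desired baseline."""
    return {k: recorded.get(k) for k, v in desired.items() if recorded.get(k) != v}

def writes_to_bucket(log_text, bucket):
    """CloudTrail's job: the non-read-only S3 API calls that targeted this bucket."""
    return [r for r in json.loads(log_text)["Records"]
            if r["eventSource"] == "s3.amazonaws.com" and not r.get("readOnly", False)
            and r.get("requestParameters", {}).get("bucketName") == bucket]

def attribute_drift(desired, recorded, log_text, bucket):
    """Join the two: for every drifted attribute, (actor ARN, time, source IP) of the latest
    write that could have caused it, or None when no such call is in the retained log."""
    writes, out = writes_to_bucket(log_text, bucket), {}
    for attr in config_drift(desired, recorded):
        causes = [w for w in writes if EVENT_TO_ATTRIBUTE.get(w["eventName"]) == attr]
        latest = max(causes, key=lambda w: w["eventTime"], default=None)
        out[attr] = latest and (latest["userIdentity"]["arn"], latest["eventTime"], latest["sourceIPAddress"])
    return out

if __name__ == "__main__":
    print(attribute_drift(DESIRED, RECORDED, CLOUDTRAIL_LOG, "app-logs"))
```

A drifted attribute with no matching write (here blockPublicAccess) is the case that shows why both services are needed: Config reports the deviation even when the call that caused it predates the retained CloudTrail history.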