AWS Certified Security – Specialty Set 7

1. You have configured a Lambda function to deal with unauthorized EC2 instances by terminating them immediately. A number of unauthorized EC2 instances were created in your account over the weekend, which triggered a number of CloudWatch Events. However, by Monday morning these instances are still running and have not been terminated. What could be the reason for this? (Choose 2)
- The Lambda function does not have permission to read CloudWatch Events
- Your IAM user account does not have permission to read the CloudTrail logs
- CloudWatch Events does not have permission to invoke the Lambda function
- The Lambda function does not have permission to terminate EC2 instances

2. Which of the following policies would you use to define which AWS resources are permitted to invoke a Lambda function?
- Execution role policy
- Function policy
- The resource policy of the event source which triggers the function

3. You are trying to configure Active Directory federation to allow your AD users to access your AWS resources, but you cannot get it to work as expected. You are reviewing the CloudTrail logs to check which STS API calls are being made. Which STS API call should you look out for?
- STS:ChangeRole
- STS:AssumeRoleWithSAML
- STS:AssumeRole

4. Your Lambda function is completing successfully and returning a status code of 200; however, no logs are appearing in CloudWatch Logs. What could be the problem?
- Lambda does not have permission to write logs to CloudWatch
- CloudWatch does not have permission to invoke the Lambda function
- Lambda does not have permission to write to CloudTrail

5. You are trying to create a public subnet in your VPC. You have added an Internet Gateway and configured the relevant Security Groups and Network ACLs; however, you are still unable to access any of the web servers in your subnet over the internet. What could be the problem?
- You haven't configured a route to the internet via the Internet Gateway
- You haven't configured a route to the internet via the Virtual Private Gateway
- You didn't configure the routing table in your peered VPC

6. Your S3 bucket policy allows your IAM user account full access to all S3 resources; however, when you try to delete an object from the bucket, you are unable to do so. What could the problem be?
- The object is encrypted
- The key policy associated with the object includes a deny statement which is preventing you from deleting it
- The IAM policy associated with your user account includes a deny statement which is preventing you from deleting the object

7. You have written a Lambda function designed to attach a restrictive IAM policy, denying access to create EC2 instances, to any user found to be creating unauthorized Internet Gateways in your secure VPC. However, during testing you find that the function doesn't work as expected and the user's permissions remain the same. Which of the following would you do to investigate this?
- Check that the Execution Policy allows permission to update the IAM policy and attach it to the user
- Check that the Execution Role allows permission to update the IAM policy and attach it to the user
- Check that the Function Policy allows permission to update the IAM policy and attach it to the user

8. Which of the following must be in place in order for an EC2 instance to successfully send logs to CloudWatch Logs? (Choose 2)
- CloudTrail must be enabled
- The EC2 instance role must have permission to write to CloudWatch Logs
- The CloudWatch agent must be running
- Your IAM user must have permission to write to CloudWatch Logs

9. You are attempting to decrypt a file which you have already successfully encrypted using your CMK; however, when you try to decrypt it you are not authorized to do so. Which policy should you check?
- The IAM policy attached to your user
- The S3 Access Control List
- The CMK key policy

10. You are trying to configure cross-account access to enable your development team to access S3 objects in your production account. However, when one of your developers performs a test, they are not able to access the objects. What could the problem be? (Choose 2)
- The Production account does not have permission to call STS:AssumeRole
- The Development account is not a trusted entity
- The Development account does not have permission to call STS:AssumeRole
- The Production account is not a trusted entity

11. You have configured a new VPC with a private subnet, added a NAT Gateway and configured the subnet route table to route all internet traffic via the NAT Gateway. However, when you try to run a yum update, none of your instances are able to reach the internet. What could be the problem?
- You have forgotten to configure an outbound Security Group rule allowing outbound HTTPS traffic to 0.0.0.0/0
- You have forgotten to configure an inbound Security Group rule allowing incoming HTTPS traffic from 0.0.0.0/0
- Create Network ACLs allowing incoming traffic on ports 80 and 443 from 0.0.0.0/0

12. You are logged into the AWS console and you are attempting to access the CloudWatch dashboard; however, you are not able to do so. What could the problem be?
- You have selected the wrong Region
- CloudWatch has not been enabled
- You do not have the required IAM permissions to access the CloudWatch console