AWS Certified Security – Specialty Set4 Welcome to AWS Certified Security - Specialty Set4. 1. Under which circumstances would you use a KMS Grant to configure access for a user instead of a Key Policy? For cross-account access For temporary access For federated access2. Which of the following are valid key rotation options for a CMK which uses imported key material which was generated outside of AWS? You can choose to automatically rotate the CMK three times per year You can choose to automatically rotate the CMK once per year You can rotate the key manually according to your own schedule3. You have created a customer managed CMK in us-east-1 region and would like to use it to encrypt data located in eu-west-1, how can you achieve this? KMS is a global service, so default you will be able to use the CMK in any region This is not possible, a CMK can only be used in the region in which it was created Import the key to eu-west-1 in order to use it in that region4. Last year, you encrypted a number of files using a CMK that you manage, you now need to access the files. However one of your administrators now tells you that they thought that the CMK was no longer in use so they scheduled it for deletion over a month ago and the key has now been deleted from your account. What can you do to resolve this and get access to your files? Create a new CMK, re-encrypt, then decrypt the data with the new CMK Ask AWS to restore your CMK from backup After deleting the CMK, your data is unrecoverable, you will not be able to access the files.5. Which of the following options are available when you are configuring a Web ACL in AWS WAF? (Choose 3) Quarantine Hold Allow Block Count6. Which of the following services can you use to block common web exploits like SQL injection and cross-site scripting? AWS Shield Network ACLs and Security Groups AWS WAF7. Which of the following are valid key rotation options for a customer managed CMK that was generated in KMS? You can choose to automatically rotate the CMK once every three months You can choose to automatically rotate the CMK once every three years You can choose to automatically rotate the CMK once per year8. You are running a website on EC2 instances behind an application load balancer. You would like to block any request which come from the following IP address range: 86.130.105.0/24 which you have identified as malicious. Which of the following approaches could you use to block requests from this IP range? (Choose 2) Use an AWS WAF Web ACL to block all requests coming from the IP address range Use Security Group to block all requests coming from the IP address range Use an S3 bucket policy to block requests coming from the IP address range Use a Network ACL to block all requests coming from the IP address range9. You would like to temporarily delegate the use of your KMS CMK to another user, which of the following options is the best way to approach this? Use a grant Share the key with the user Update the IAM policy associated with the user10. Which of the following are advantages of importing your own key material into to a CMK? (Choose 2) To store multiple versions of the key material in the same CMK You can manually delete the key any time you want without waiting 7-30 days You can use key material from your own infrastructure which meets your own requirements You can use KMS to automatically rotate the keys according to a schedule that you define11. What is a Policy Condition used for in a Key Policy or IAM Policy? It allows you to reference other IAM policies according to whether the condition is true or not It allows you to specify conditions for when a policy is in effect It allows you to set properties within the policy based on a condition12. Which of the following are valid key rotation options for an AWS managed CMK? You can choose to automatically rotate the CMK once per year You can rotate the key manually according to your own schedule The key is automatically rotated every three years and this configuration cannot be changed13. You would like to limit the use of a KMS CMK to requests which originate from S3 only, how would you configure this? Use the kms:ViaService Condition Key in the Key Policy Use the kms:ViaService Condition Key in the IAM Policy Use the kms:ViaService Condition Key in the S3 Bucket Policy14 out of 2Please fill in the comment box below. Email
AWS Security