Amazon Amazon Certifications DOP-C02 Questions & Answers

• Question 331:

  Amazon Inspector agent collects telemetry data during assessment run and sends this data to Amazon Inspector dedicated S3 bucket for analysis. How can you access telemetry data out of Amazon Inspector and how can you benefit from this data in securing your resources?

  A. Telemetry data is kept in S3 and encrypted with a pre-assessment test key configured in KMS, as long as you have access to that key you can download and decrypt telemetry data.

  B. Telemetry data is stored in Amazon Inspector dedicated S3 bucket that does NOT belong to your account, Amazon Inspector currently does NOT provide an API or an S3 bucket access mechanism to collected telemetry. Data is retained temporarily only to allow for assistance with support requests.

  C. Telemetry data is saved on S3 bucket in your account, therefore telemetry data is accessible with proper permissions on that bucket.

  D. Telemetry data is deleted immediately after assessment run, therefore data can NOT be accessed or analyzed by any other tools.

  Correct Answer: B

  The telemetry data stored in S3 is retained only to allow for assistance with support requests and is not used or aggregated by Amazon for any other purpose. After 30 days, telemetry data is permanently deleted per a standard Amazon Inspector-dedicated S3 bucket lifecycle policy. At present, Amazon Inspector does not provide an API or an S3 bucket access mechanism to collected telemetry.

  Reference: https://docs.aws.amazon.com/inspector/latest/userguide/inspector_agents.html

• Question 332:

  Some of your EC2 instances are configured to use a Proxy. Can you use Amazon Inspector for regular assessment of instances behind proxy?

  A. Only Windows-based systems are supported as Linux-based systems use custom configurations that are not supported by AWS Agent in the current release.

  B. Only Linux-based systems are supported, and AWS agent supports HTTPS proxy on these systems.

  C. No, AWS Agent does NOT support proxy environments.

  D. Yes, AWS Agent supports proxy environments on both Linux-based and Windows-based systems.

  Correct Answer: D

  The AWS agent supports proxy environments. For Linux instances, Inspector supports HTTPS Proxy, and for Windows instances, it supports WinHTTP proxy.

  Reference: https://docs.aws.amazon.com/inspector/latest/userguide/inspector_agents.html

• Question 333:

  For Amazon Inspector's integration with CloudTrail, what information is logged for List* and Describe* APIs?

  A. None. Amazon Inspector is an automated service and not monitored by CloudTrail.

  B. Both request and response information is logged.

  C. Only request information is logged.

  D. Request information is always logged. Response information is logged only for Completed assessment runs.

  Correct Answer: C

  For the Amazon Inspector integration with CloudTrail, for the List* and Describe* APIs, only the request information is logged.

  Reference: https://docs.aws.amazon.com/inspector/latest/userguide/logging-using-cloudtrail.html

• Question 334:

  A user is defining a policy for the IAM user. Which of the below mentioned elements can be found in an IAM policy?

  A. Not Effect

  B. Supported Data Types

  C. Principal Resource

  D. Version Management

  Correct Answer: B

  A user can define various elements for an IAM policy. The elements include Version, ID, Statement, Sid, Effect, Principal, Not Principal, Action, Not Action, Resource, Not Resource, Condition, and Supported Data Types.

  Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/AccessPolicyLanguage_ElementDescriptions.html

• Question 335:

  Which statement is true about configuring proxy support for Amazon Inspector agent on Linuxbased systems?

  A. Amazon Inspector proxy support on Linux-based systems is achieved through installing proxyenabled version of the agent which comes with pre-configured files that you need to edit to match your environment.

  B. Amazon Inspector agent does NOT support the use of proxy on Linux-based systems.

  C. Amazon Inspector proxy configuration on Linux-based system is included in awsagent.env file under /etc/init.d/

  D. Amazon Inspector agent proxy settings on Linux-based systems are configured through WinHTTP proxy.

  Correct Answer: C

  To install an AWS agent on an EC2 instance that uses a proxy server Create a file called awsagent.env and save it in the /etc/init.d/ directory. Edit awsagent.env to include these environment variables in the following format: export https_proxy=https://hostname:port export http_proxy=http://hostname:port export no_proxy= 123.456.789.111

  Reference: https://docs.aws.amazon.com/inspector/latest/userguide/inspector_agents-on-win.html#inspectoragent-proxy

• Question 336:

  To override an allow in an IAM policy, you set the Effect element to ______.

  A. Block

  B. Stop

  C. Deny

  D. Allow

  Correct Answer: C

  By default, access to resources is denied. To allow access to a resource, you must set the Effect element to Allow. To override an allow (for example, to override an allow that is otherwise in force), you set the Effect element to Deny.

  Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/AccessPolicyLanguage_ElementDescriptions.html

• Question 337:

  To access the AWS Security Token Service (STS) you can issue calls directly to the AWS STS Query API. This API is a web service interface that accepts ______ requests.

  A. PUT

  B. HTTPS

  C. POST

  D. GET

  Correct Answer: B

  The Query API for IAM and AWS STS lets you call service actions. Query API requests are HTTPS requests that must contain an Action parameter to indicate the action to be performed. IAM and AWS STS support GET and POST requests for all actions, that is, the API does not require you to use GET for some actions and POST for others.

  Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/programming.html

• Question 338:

  A root account has created an IAM group and defined the policy as:

  

  What will this policy do?

  A. Allow this group to view the password policy of all the users added only to that group

  B. Allow all the users of IAM to modify their password

  C. Allow an IAM user in this group to view the password policy and modify only his/her password

  D. Allow this group to view the password policy of all the IAM users

  Correct Answer: C

  This IAM policy grants access to the ChangePassword action, which lets the users use the console, the CLI, or the API to change their passwords. The Resource element uses a policy variable (aws:username), which is useful in policies that are attached to groups. The aws:username key resolves to the name of the current IAM user when a request is made, so that each user is allowed permission to change only his or her own password . This policy will allow all the users of this group to modify the passwords of all the IAM users.

  Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/HowToPwdIAMUser.html

• Question 339:

  You are hosting multiple environments in multiple regions and would like to use Amazon Inspector for regular security assessments on your AWS resources across all regions. Which statement about Amazon Inspector's operation across regions is true?

  A. Amazon Inspector is a global service that is not region-bound. You can include AWS resources from multiple regions in the same assessment target.

  B. Amazon Inspector is hosted within AWS regions behind a public endpoint. All regions are isolated from each other, and the telemetry and findings for all assessments performed within a region remain in that region and are not distributed by the service to other Amazon Inspector locations.

  C. Amazon Inspector is hosted in each supported region. Telemetry data and findings are shared across regions to provide complete assessment reports.

  D. Amazon Inspector is hosted in each supported region separately. You have to create assessment targets using the same name and tags in each region and Amazon Inspector will run against each assessment target in each region.

  Correct Answer: B

  At this time, Amazon Inspector supports assessment services for EC2 instances in only the following AWS regions:

  US West (Oregon)

  US East (N. Virginia)

  EU (Ireland)

  Asia Pacific (Seoul)

  Asia Pacific (Mumbai)

  Asia Pacific (Tokyo)

  Asia Pacific (Sydney)

  Amazon Inspector is hosted within AWS regions behind a public endpoint. All regions are isolated from each other, and the telemetry and findings for all assessments performed within a region remain in that region and are not distributed by

  the service to other Amazon Inspector locations.

  Reference:

  https://docs.aws.amazon.com/inspector/latest/userguide/inspector_supported_os_regions.html#in%20spector_supported-regions

• Question 340:

  As CloudTrail sends a notification each time a log file is written to the Amazon S3 bucket, an account that is very active can generate a large number of notifications. If you subscribe using email or SMS, you may end up receiving a large volume of messages. Which of the following should you use to handle notifications programmatically?

  A. Amazon Kinesis Firehose

  B. Amazon Simple Queue Service (Amazon SQS)

  C. Amazon Simple Email Service (Amazon SES)

  D. Amazon AppStream

  Correct Answer: B

  As CloudTrail sends a notification each time a log file is written to the Amazon S3 bucket, an account that's very active can generate a large number of notifications. If you subscribe using email or SMS, you can end up receiving more messages than you can handle. AWS recommends that you subscribe using Amazon Simple Queue Service (Amazon SQS), which lets you handle notifications programmatically.

  Reference: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/getting_notifications_configuration.html