ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Security - Specialty All Questions

View all questions & answers for the AWS Certified Security - Specialty exam
Go to Exam

Exam AWS Certified Security - Specialty topic 1 question 154 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 154
Topic #: 1
[All AWS Certified Security - Specialty Questions]

A company's Developers plan to migrate their on-premises applications to Amazon EC2 instances running Amazon Linux AMIs. The applications are accessed by a group of partner companies. The Security Engineer needs to implement the following host-based security measures for these instances:
✑ Block traffic from documented known bad IP addresses.
✑ Detect known software vulnerabilities and CIS Benchmarks compliance.
Which solution addresses these requirements?

  • A. Launch the EC2 instances with an IAM role attached. Include a user data script that uses the AWS CLI to retrieve the list of bad IP addresses from AWS Secrets Manager, and uploads it as a threat list in Amazon GuardDuty. Use Amazon Inspector to scan the instances for known software vulnerabilities and CIS Benchmarks compliance.
  • B. Launch the EC2 instances with an IAM role attached. Include a user data script that uses the AWS CLI to create NACLs blocking ingress traffic from the known bad IP addresses in the EC2 instance's subnets. Use AWS Systems Manager to scan the instances for known software vulnerabilities, and AWS Trusted Advisor to check instances for CIS Benchmarks compliance.
  • C. Launch the EC2 instances with an IAM role attached. Include a user data script that uses the AWS CLI to create and attach security groups that only allow an allow listed source IP address range inbound. Use Amazon Inspector to scan the instances for known software vulnerabilities, and AWS Trusted Advisor to check instances for CIS Benchmarks compliance.
  • D. Launch the EC2 instances with an IAM role attached. Include a user data script that creates a cron job to periodically retrieve the list of bad IP addresses from Amazon S3, and configures iptables on the instances blocking the list of bad IP addresses. Use Amazon Inspector to scan the instances for known software vulnerabilities and CIS Benchmarks compliance.
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️
by PeppaPig at Aug. 30, 2020, 5:54 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
PeppaPig
Highly Voted 3 years, 9 months ago
D is the right answer for implementing host-based policies
upvoted 29 times
DahMac
3 years, 8 months ago
"Host based means being run from EC2 hosts (iptables, Inspector agent). -D-. B and C don't block from host, A doesn't block at all.
upvoted 2 times
...
freddyman
3 years, 9 months ago
"Host based" in the question is key to answering correctly. Using NACLs to block would make more sense, and probably Systems Manager Patch Manager to detect and patch issues, but for CIS Inspector is better.
upvoted 3 times
...
...
awscerti
Highly Voted 3 years, 8 months ago
D - Use Amazon Inspector to scan the instances for known software vulnerabilities and CIS Benchmarks compliance.
upvoted 5 times
...
Raphaello
Most Recent 1 year, 4 months ago
Selected Answer: D
D is the correct answer.
upvoted 1 times
...
awssecuritynewbie
1 year, 8 months ago
Selected Answer: D
Soon as you see detecting vulnerabilities you must think about "Amazon inspector"
upvoted 1 times
...
ITGURU51
2 years, 1 month ago
The question is testing your understanding of host based policies. D
upvoted 1 times
...
ITGURU51
2 years, 2 months ago
The question is poorly worded because it does not provide a way to detect the malicious IP addresses. GuardDuty uses threat intelligence from Crowdstrike and Proofpoint- However inspector has the ability to scan for software vulnerabilities and the CIS benchmark requirement. D
upvoted 1 times
Green53
2 years ago
It doesn't need do, the engineer has "documented" known bad IPs.
upvoted 1 times
...
...
Nikhil0222
2 years, 2 months ago
C Launch the EC2 instances with an IAM role attached. Include a user data script that uses the AWS CLI to create and attach security groups that only allow an allow listed source IP address range inbound. Use Amazon Inspector to scan the instances for known software vulnerabilities, and AWS Trusted Advisor to check instances for CIS Benchmarks compliance. This solution implements security groups to block traffic from known bad IP addresses, which is the most efficient way to implement host-based security measures for blocking IP addresses. It also uses Amazon Inspector to scan the instances for known software vulnerabilities, which meets the second requirement. AWS Trusted Advisor is also used to check instances for CIS Benchmarks compliance.
upvoted 1 times
...
vbal
2 years, 10 months ago
D is good, Security Hub would have been great for CIS though.
upvoted 2 times
...
Sarksa
2 years, 11 months ago
Selected Answer: D
Answer is D. IPTABLES to address the "host based" security measures and use S3 to upload custom IP lists to block. Amazon Inspector to scan using CIS. https://aws.amazon.com/about-aws/whats-new/2019/06/amazon-inspector-adds-cis-benchmark-support-for-amazon-linux-2/
upvoted 1 times
...
trongod05
3 years ago
Here's the kind of information that makes D even more tricky. Q: Does Amazon Inspector offer “CIS Operating System Security Configuration Benchmarks” scans? No. While Amazon Inspector does not currently support CIS scans, this capability will be added in the future. However, you can continue to use the CIS scan rules package offered in Amazon Inspector Classic. Reference https://aws.amazon.com/inspector/faqs/?nc=sn&loc=6
upvoted 2 times
...
LaLune
3 years, 5 months ago
To harden the host, the Iptable host-based firewall would filter the traffic for bad IP's, and the Amazon Inspector would scan for vulnerabilities and CIS compliance issues.
upvoted 1 times
...
DerekKey
3 years, 8 months ago
Amazon Inspector - CIS https://docs.aws.amazon.com/inspector/latest/userguide/inspector_cis.html
upvoted 4 times
ITGURU51
2 years, 1 month ago
CIS Benchmarks are host hardening guidelines designed to safeguard your Amazon EC2 instance by improving your security posture. The findings generated by an Inspector assessment with the CIS Benchmark rules package detail the guidance and steps needed to reduce vulnerabilities, like insecure configurations and weak password policies. With the recently released one-step setup process for Inspector, you can get started even faster than before and easily run a single security assessment with both CIS and Common Vulnerability and Exposures (CVE) rules packages. For one price, you receive the information you need to both harden and patch your hosts based on one run’s findings. Amazon Inspector charges per agent-assessment, regardless of the number of rules packages you include in your assessment run.
upvoted 1 times
...
...
Daniel76
3 years, 8 months ago
Answer D A- Bad IP addressed should not be from AWS Secrets Manager.GuardDuty also doese not block IP base on threat list but generate finding only. B, C- Trusted advisor does not support scanning for CIS benchmark compliance
upvoted 3 times
...
Paimon
3 years, 8 months ago
How can it be D.......how does S3 know bad IPs????? Answer is C. If you only allow the partners you don't worry about the bad IPs.
upvoted 1 times
DerekKey
3 years, 8 months ago
Read the question then choose answer: Block traffic from documented known bad IP addresses.
upvoted 1 times
...
babaseun
3 years, 8 months ago
documented known bad IP addresses
upvoted 1 times
...
...
sanjaym
3 years, 8 months ago
D for sure
upvoted 1 times
...
Folippp
3 years, 8 months ago
GUYS! "The applications are accessed by a group of partner companies." There is no reason to care about the bad IP addresses. So we only need to “create and attach security groups that only allow an allow listed source IP address range inbound”.. Hence the answer is C.
upvoted 1 times
HieuTT
2 years, 8 months ago
:)) absolutely wrong
upvoted 1 times
...
pal40sg
1 year, 6 months ago
Absolutely right! We should see objectively.
upvoted 1 times
...
...
akbntc
3 years, 9 months ago
Let's read the question carefully and let's focus on the keywords.... 1. Linux AMI 2. Host based 3. Vulnerability scan including CIS. Only option 'D' can address all of these requirements.
upvoted 3 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel