AWS SAP-C02教程6--安全_aws sap c02题库(1)
3 Parameter storeParameter Store(AWS Systems Manager(SSM) 的一项功能)可提供安全的分层存储,用于配置数据管理和密钥管理。您可以将暗码、数据库字符串、Amazon Machine Image (AMI) ID 和许可证代码等数据存储为参数值。可以将值存储为纯文本或加密数据。在考试中出现概率较高,重点关注其与Secrets manager的区别。
3.1 基本特性
[*]severless的服务,利用SDK调用API
[*]可以自动联合KMS举行加密
[*]有版本和追踪功能
[*]能够触发CloudWatch Event
[*]能够被CloudFormation中引用
3.2 典范架构
[*]开辟情况和生产情况配置
https://img-blog.csdnimg.cn/dccff9fca5574b489d1aa82b8d180999.png
4 AWS Secrets manager
AWS Secrets Manager,您可以在数据库凭证、应用步伐凭证、OAuth 令牌、API 密钥和其他密钥的整个生命周期内对其举行管理、检索和轮换。许多 AWS 服务将密钥存储在 Secrets Manager 中。其加密也是可以与KMS自动联合。在考试中出现概率较高,重点关注其与Parameter store的区别。
4.1 基本特性
注意点(考试中与Parameter store区别,但出现下面2个应用需求时,基本上就选择Secrets manager):
[*]其能利用Lambda自动生成密钥,且能每隔一段时间将密钥轮转(出现密钥轮转,基本上就要选择Secrets manager,固然Parameter store也能设计轮转但比较贫苦)
例题:A security engineer determined that an existing application retrieves credentials to an Amazon RDS for MySQL database from an encrypted file in Amazon S3. For the next version of the application, the security engineer wants to implement the following application design changes to improve security:
– The database must use strong, randomly generated passwords stored in a secure AWS managed service.
– The application resources must be deployed through AWS CloudFormation.
– The application must rotate credentials for the database every 90 days.
A solutions architect will generate a CloudFormation template to deploy the application.
Which resources specified in the CloudFormation template will meet the security engineer’s requirements with the LEAST amount of operational overhead?
A. Generate the database password as a secret resource using AWS Secrets Manager. Create an AWS Lambda function resource to rotate the database password. Specify a Secrets Manager RotationSchedule resource to rotate the database password every 90 days.
B. Generate the database password as a SecureString parameter type using AWS Systems Manager Parameter Store. Create an AWS Lambda function resource to rotate the database password. Specify a Parameter Store RotationSchedule resource to rotate the database password every 90 days.
C. Generate the database password as a secret resource using AWS Secrets Manager. Create an AWS Lambda function resource to rotate the database password. Create an Amazon EventBridge scheduled rule resource to trigger the Lambda function password rotation every 90 days.
D. Generate the database password as a SecureString parameter type using AWS Systems Manager Parameter Store. Specify an AWS AppSync DataSource resource to automatically rotate the database password every 90 days.
答案:A
答案解析:标题关键词:randomly generated passwords, rotate credentials。B选项和D选项对于轮换密钥过复杂,因此只能选择A选项或者C选项;而设置RotationSchedule做自动轮转不需要EventBridge,因此答案为A
A company has Linux-based Amazon EC2 instances. Users must access the instances by using SSH with EC2 SSH key pairs. Each machine requires a unique EC2 key pair.
The company wants to implement a key rotation policy that will, upon request, automatically rotate all the EC2 key pairs and keep the keys in a securely encrypted place. The company will accept less than 1 minute of downtime during key rotation.
Which solution will meet these requirements?
A. Store all the keys in AWS Secrets Manager. Define a Secrets Manager rotation schedule to invoke an AWS Lambda function to generate new key pairs. Replace public keys on EC2 instances. Update the private keys in Secrets Manager.
B. Store all the keys in Parameter Store, a capability of AWS Systems Manager, as a string. Define a Systems Manager maintenance window to invoke an AWS Lambda function to generate new key pairs. Replace public keys on EC2 instances. Update the private keys in Parameter Store.
C. Import the EC2 key pairs into AWS Key Management Service (AWS KMS). Configure automatic key rotation for these key pairs. Create an Amazon EventBridge scheduled rule to invoke an AWS Lambda function to initiate the key rotation in AWS KMS.
D. Add all the EC2 instances to Fleet Manager, a capability of AWS Systems Manager. Define a Systems Manager maintenance window to issue a Systems Manager Run Command document to generate new key pairs and to rotate public keys to all the instances in Fleet Manager.
答案:A
答案解析:标题要求维护一批EC2的不同密钥,且自动轮转密钥,轮转期间少于1分钟。参考:https://aws.amazon.com/blogs/security/how-to-use-aws-secrets-manager-securely-store-rotate-ssh-key-pairs/。A选项整个过程不需要手动生成密钥。
[*]与RDS深度联合
4.2 典范架构
[*]与CloudFormation集成
https://img-blog.csdnimg.cn/da1076671b8a4eebbd38f2efa99e349f.png
[*]跨账号共享Secrets
https://img-blog.csdnimg.cn/ba365d79e4d2455d9c665cabe5ae4987.png
5 AWS Certificate manager(ACM)
AWS Certificate Manager (ACM) 处理创建、存储和续订公有及私有 SSL/TLS X.509 证书和密钥的复杂操作,这些证书和密钥可保护您的AWS网站和应用步伐。您可以直接通过 ACM 签发证书,或者通过将第三方证书导入 ACM 管理体系中,为集成AWS服务提供证书。很显着,它是一个SSL/TLS X.509 证书和密钥的管理平台,要真正弄清晰ACM,我们先要弄清晰几个内容:SSL/TLS、SNI、DNSSEC。
5.1 SSL/TLS、SNI、DNSSEC
5.1.1 SSL/TLS
网络传输中,如果我们利用HTTP传输,其实是不安全的,因此需要加密。而SSL/TLS(安全套接层/传输套接层)是Netscape公司率先接纳的网络安全协议。它是在传输通讯协议(TCP/IP)上实现的一种安全协议,接纳公开密钥技能。也就是说通过SSL/TLS可实现加密,HTTPS就是通过SSL/TLS技能实现安全加密。加密原理如下:
https://img-blog.csdnimg.cn/6f52bef523a24bbfa76347faccb679d8.png
5.1.2 SNI
从4.1.1图中知道加密需要一个叫SSL Certificate,也就是所谓的安全证书。SNI的作用就是可以在同一个web服务器中实现多个SSL Certificate,AWS的负载平衡服务ALB和NLB都有此功能,但CLB不具备。
5.1.3 DNSSEC
下图是一个“Man-in-the-MiddleAttack(中心人攻击)”,以及通过SSL加密后防止的原理:
https://img-blog.csdnimg.cn/e303cf609dc64affb0cf28cc50c2ba1c.png
除了利用SSL外,尚有一种可以放在这种中心人攻击,那就是DNSSEC,但是AWS Route53不支持DNSSEC,除非你利用第三方的DNS。
5.2 基本特性
[*]管理和颁发Certificate的AWS服务
[*]可以与多个组件集成(ELB、CloudFormation、API gateway等)
[*]公有证书:必须利用符合 DNS 的主题名称
[*]私有证书:CA 大概位于您的账户中,也大概由其他账户与您共享
[*]证书更新可以托给ACM管理
[*]只是一个单区域的,不能跨区域
6 AWS CloudHSM
AWS CloudHSM将AWS云的上风与硬件安全模块 (HSM) 的安全性相联合。硬件安全模块 (HSM) 是一种盘算设备,可处理加密操作并提供加密密钥的安全存储。借助AWS CloudHSM,您可以完全控制 AWS 云中的高可用性 HSM,这些暗码具有低延迟访问权限,并拥有可自动执行 HSM 管理(包罗备份、配置、配置和维护)的安全信托根。简朴来说就是一个硬件版本的KMS。主要记住以下几点特性和与KMS的比较即可
6.1 基本特性
[*]是一个基于硬件的加密工具
[*]支持对称和非对称加密
[*]密钥需要自己管理,不能托管AWS
[*]可以部署多可用区集群
[*]必须利用CloudHSM Client Software
[*]不是免费的(注意:考试中出现过S3存储加密,有SSE-S3和CloudHSM的选择,CloudHSM是收费的,并非开销最小的选择)
6.2 与KMS比较
https://img-blog.csdnimg.cn/c629c2b7ef824ff0808adc51bf0ef14a.png
7 AWS Inspector
Amazon Inspector 是一项毛病管理服务,持续扫描您的AWS工作负载中是否存在软件毛病和意外网络袒露。Amazon Inspector 会自动发现和扫描正在运行的 Amazon EC2 实例、亚马逊Elastic Container Registry (Amazon ECR) 中的容器映像,以及针对已知软件毛病和意外网络泄露的AWS Lambda函数。这里只需要记住以下几点:
[*]它只用于EC2、ECR和Lambda的毛病扫描即可
[*]毛病规则是AWS管理的
[*]最后生成陈诉
8 Amazon GuardDuty
Amazon GuardDuty 是一项安全监控服务,用于分析和处理AWS CloudTrail管理事件基础数据源、AWS CloudTrail事件日志、VPC 流日志(来自 Amazon EC2 实例)和 DNS 日志。它还处理 Kubernetes 审计日志、RDS 登录运动、S3 日志、EBS 卷、运行时监控和 Lambda 网络运动日志等功能。简朴明白就是一个安全监测工具,将通过一些日志作为输入,然后通过机器学习等算法分析出存在非常的内容,再通过CloudWatch发出告诫。
https://img-blog.csdnimg.cn/c023d4d6167c4b48858495fe9b21166f.png
9 AWS Systems Manager(SSM)
AWS Systems Manager 是您 AWS 应用步伐和资源的操作中央,也是混淆和多云情况的安全端到端管理办理方案,可以实现大规模的安全操作。简朴明白就是一个可以对你的EC2、当地数据中央的服务器的操作体系做管理的平台。
9.1 特性
[*]管理你的EC2或者当地数据中央的服务器
[*]发现你基础办法存在的安全问题
[*]可以更新你服务器的补丁(注意:考试中遇到patching,基本上就是与SSM相干)
A Solutions Architect must establish a patching plan for a large mixed fleet of Windows and Linux servers.The patching plan must be implemented securely, be audit ready, and comply with the company’s business requirements. Which option will meet these requirements with MINIMAL effort?
A. Install and use an OS-native patching service to manage the update frequency and release approval for all instances.Use AWS Config to verify the OS state on each instance and report on any patch compliance issues
B. Use AWS Systems Manager on all instances to manage patching. Test patches outside of production and then deployduring a maintenance window with the appropriate approval.
C. Use AWS OpsWorks for Chef Automate to run a set of scripts that will iterate through all instances of a given typessue the appropriate OS command to get and install updates on each instance, including any required restarts during themaintenance window.
D. Migrate all applications to AWS Ops Works and use Ops Works automatic patching support to keep the OS up-to-datefollowing the initial installation. Use AWS Config to provide audit and compliance reporting.
答案:B
答案解析:这道题关键词:Windows and Linux servers,patching plan,MINIMAL effort。主要考察AWS Config、Systems Manager、OpsWorks的利用场景。AWS Config主要是配置管理,OpsWorks也有更新补丁功能,是Puppet 或 Chef迁移到AWS云上利用,但是AWS如果不强调Puppet 或 Chef迁移,补丁修复发起都是利用Systems Manager(https://docs.aws.amazon.com/zh_cn/opsworks/latest/userguide/workingsecurity-updates.html)。而Systems Manager此中一个紧张功能就是更新服务器补丁。因此选B。
例题:A company needs to implement a patching process for its servers. The on-premises servers and Amazon EC2 instances use a variety of tools to perform patching.
Management requires a single report showing the patch status of all the servers and instances.
Which set of actions should a solutions architect take to meet these requirements?
A. Use AWS Systems Manager to manage patches on the on-premises servers and EC2 instances. Use Systems Manager to generate patch compliance reports
B. Use AWS OpsWorks to manage patches on the on-premises servers and EC2 instances. Use Amazon QuickSight integration with OpsWorks to generate patch compliance reports.
C. Use an Amazon EventBridge (Amazon CloudWatch Events) rule to apply patches by scheduling an AWS Systems Manager patch remediation job. Use Amazon Inspector to generate patch compliance reports.
D. Use AWS OpsWorks to manage patches on the on-premises servers and EC2 instances. Use AWS X-Ray to post the patch status to AWS Systems Manager OpsCenter to generate patch compliance reports.
答案:A
答案解析:标题要求给当地和EC2更新补丁。OpsWorks是主要是做配置管理;EventBridge更多是应用步伐组件连接在一起的bus。而Systems Manager本身就有patching功能
[*]实用于Windows和Linux OS
[*]集成了CloudWatch metrics/dashboards/AWS Config
[*]Session Manager:可以管理 Amazon Elastic Compute Cloud(Amazon EC2)实例、边缘设备、当地服务器和假造机(VM)。您可利用基于浏览器的一键式交互 Shell 或 AWS Command Line Interface (AWS CLI)。Session Manager 提供安全且可审计的节点管理,而无需打开入站端口、维护堡垒主机或管理 SSH 密钥。
例题:A startup company hosts a fleet of Amazon EC2 instances in private subnets using the latest Amazon Linux 2 AMI. The company’s engineers rely heavily on SSH access to the instances for troubleshooting.
The company’s existing architecture includes the following:
– A VPC with private and public subnets, and a NAT gateway
– Site-to-Site VPN for connectivity with the on-premises environment
– EC2 security groups with direct SSH access from the on-premises environment
The company needs to increase security controls around SSH access and provide auditing of commands run by the engineers.
Which strategy should a solutions architect use?
A. Install and configure EC2 Instance Connect on the fleet of EC2 instances. Remove all security group rules attached to EC2 instances that allow inbound TCP on port 22. Advise the engineers to remotely access the instances by using the EC2 Instance Connect CLI.
B. Update the EC2 security groups to only allow inbound TCP on port 22 to the IP addresses of the engineer’s devices. Install the Amazon CloudWatch agent on all EC2 instances and send operating system audit logs to CloudWatch Logs.
C. Update the EC2 security groups to only allow inbound TCP on port 22 to the IP addresses of the engineer’s devices. Enable AWS Config for EC2 security group resource changes. Enable AWS Firewall Manager and apply a security group policy that automatically remediates changes to rules.
D. Create an IAM role with the AmazonSSMManagedInstanceCore managed policy attached. Attach the IAM role to all the EC2 instances. Remove all security group rules attached to the EC2 instances that allow inbound TCP on port 22. Have the engineers install the AWS Systems Manager Session Manager plugin for their devices and remotely access the instances by using the start-session API call from Systems Manager
答案:D
答案解析:标题要求管理SSH登录,最好的就是利用Systems Manager的Session Manager方案,参考:https://docs.aws.amazon.com//systems-manager/latest/userguide/session-manager.html
例题:A research company is running daily simulations in the AWS Cloud to meet high demand. The simulations run on several hundred Amazon EC2 instances that are based on Amazon Linux 2. Occasionally, a simulation gets stuck and requires a cloud operations engineer to solve the problem by connecting to an EC2 instance through SSH.
Company policy states that no EC2 instance can use the same SSH key and that all connections must be logged in AWS CloudTrail.
How can a solutions architect meet these requirements?
A. Launch new EC2 instances, and generate an individual SSH key for each instance. Store the SSH key in AWS Secrets Manager. Create a new IAM policy, and attach it to the engineers’ IAM role with an Allow statement for the GetSecretValue action. Instruct the engineers to fetch the SSH key from Secrets Manager when they connect through any SSH client.
B. Create an AWS Systems Manager document to run commands on EC2 instances to set a new unique SSH key. Create a new IAM policy, and attach it to the engineers’ IAM role with an Allow statement to run Systems Manager documents. Instruct the engineers to run the document to set an SSH key and to connect through any SSH client.
C. Launch new EC2 instances without setting up any SSH key for the instances. Set up EC2 Instance Connect on each instance. Create a new IAM policy, and attach it to the engineers’ IAM role with an Allow statement for the SendSSHPublicKey action. Instruct the engineers to connect to the instance by using a browser-based SSH client from the EC2 console.
D. Set up AWS Secrets Manager to store the EC2 SSH key. Create a new AWS Lambda function to create a new SSH key and to call AWS Systems Manager Session Manager to set the SSH key on the EC2 instance. Configure Secrets Manager to use the Lambda function for automatic rotation once daily. Instruct the engineers to fetch the SSH key from Secrets Manager when they connect through any SSH client.
答案:D
答案解析:要求不需要利用SSH直接登录,那么利用Systems Manager的Session Manager方案是最好的方案,参考:https://docs.aws.amazon.com//systems-manager/latest/userguide/session-manager.html
例题:A company’s AWS architecture currently uses access keys and secret access keys stored on each instance to access AWS services. Database credentials are hard-coded on each instance. SSH keys for command-line remote access are stored in a secured Amazon S3 bucket. The company has asked its solutions architect to improve the security posture of the architecture without adding operational complexity.
Which combination of steps should the solutions architect take to accomplish this? (Choose three.)
A. Use Amazon EC2 instance profiles with an IAM role
B. Use AWS Secrets Manager to store access keys and secret access keys
C. Use AWS Systems Manager Parameter Store to store database credentials
D. Use a secure fleet of Amazon EC2 bastion hosts for remote access
E. Use AWS KMS to store database credentials
F. Use AWS Systems Manager Session Manager for remote access
答案:ACF
答案解析:标题要改进安全访问EC2方式。因此利用Systems Manager Session Manager是最符合,因此步骤是ACF。
9.2 工作原理
[*]在操作体系中安装SSM Agent
[*]EC2还需要授权角色给SSM
9.3 Run Command
[*]可以执行document、script、command
[*]同时给多台实例执行命令
[*]不需要利用SSH(而是通过SSM Agent)
9.4 Systems Manager Parameter Store
请参照本章的第3点《3 Parameter store》。
10 AWS Security Hub
AWS Security Hub 可让您全面了解您的安全状态AWS并资助您评估您的AWS情况与安全行业尺度和最佳实践南辕北辙。简朴来说就是评估你AWS上面存在的一些大概的安全隐患(这个安全隐患是行业一些尺度或者实践)。
https://img-blog.csdnimg.cn/8771470ed4134c9b861767cd7cb8c373.png
[*]支持多账号安全管理(注意:如果出现多账号情况安全状态评估,一样平常与Security Hub相干)
[*]能够自动查找更新和调停步伐
[*]与Control Tower的区别,都是做安全合规的,但是有一个最大区别Control Tower是检测权限是否泄漏,Security Hub是检测是否存在安全隐患。(注意:考试中经常选项会同时出现Control Tower和Security Hub,请注意2者利用场景)
11 Amazon Detective
Amazon Detective 可资助您分析、观察和快速识别安全结果或可疑运动的根本原因。Detective 会自动从您的AWS资源中收集日志数据。然后,它利用机器学习、统计分析和图论来生成可视化效果,资助您更快、更高效地举行安全观察。
当你利用7 GuardDuty、Security Hub等工具发现出问题,需要知道详细造成问题的原因,那么就需要Detective,它提供可视化的日志分析,最终让你敏捷发现问题所在。
12 Amazon Macie
Amazon Macie 是一项数据安全服务,该服务利用机器学习和模式匹配来发现敏感数据,提供对数据安全风险的可见性,并实现针对这些风险的自动防护。
https://img-blog.csdnimg.cn/b9ea7a54963d4c4a9d7a10789058b78b.png
13 AWS组件内的安全
13.1 Web Server 集成SSL
[*]基于ALB的SSL加密
https://img-blog.csdnimg.cn/14ca1332448f4072b719f714be86d89a.png
例题:A company is planning to host a web application on AWS and wants to load balance the traffic across a group of Amazon EC2 instances. One of the security requirements is to enable end-to-end encryption in transit between the client and the web server.Which solution will meet this requirement?
A. Place the EC2 instances behind an Application Load Balancer (ALB). Provision an SSL certificate using AWS Certificate Manager (ACM), and associate the SSL certificate with the ALB. Export the SSL certificate and install it on each EC2 instance. Configure the ALB to listen on port 443 and to forward traffic to port 443 on the instances.
B. Associate the EC2 instances with a target group. Provision an SSL certificate using AWS Certificate Manager (ACM). Create an Amazon CloudFront distribution and configure it to use the SSL certificate. Set CloudFront to use the target group as the origin server.
C. Place the EC2 instances behind an Application Load Balancer (ALB) Provision an SSL certificate using AWS Certificate Manager (ACM), and associate the SSL certificate with the ALB. Provision a third-party SSL certificate and install it on each EC2 instance. Configure the ALB to listen on port 443 and to forward traffic to port 443 on the instances.
D. Place the EC2 instances behind a Network Load Balancer (NLB). Provision a third-party SSL certificate and install it on the NLB and on each EC2 instance. Configure the NLB to listen on port 443 and to forward traffic to port 443 on the instances.
答案:C
答案解析:Amazon颁发的公共证书不能安装在EC2实例上。启用端到端加密时,必须利用第三方SSL证书,以是是C或D。而D会存在大概有被入侵风险,如果参加CloudHSM管理则可避免。因此答案选择C。
[*]基于NLB在EC2举行SSL加密(缺点:证书会绑定在EC2,大概有被入侵风险,利用CloudHSM可以避免该风险)
https://img-blog.csdnimg.cn/f30ea07dc1494d389fc0f8f52999dd42.png
[*]基于CloudHSM对EC2举行SSL加密
https://img-blog.csdnimg.cn/a70ac9b6868b45d3b3558c7d46bc1cd9.png
13.2 RDS security
关于RDS的安全方面,需要知道以下几点:
[*]Transparent Data Encryption(TDE)只能适合Oracle和SQL Server
[*]SSL 加密RDS,实用于所有数据库
[*]IAM可以用于MySQL和PostgreSQL,但实际验证还需要RDS本身
[*]CloudTrail不能用于查询RDS
13.3 S3 security
13.3.1 四种加密方式
[*]SSE-S3:有AWS自动加密S3对象,密钥管理完全有AWS管理
[*]SSE-KMS:有KMS做加密密钥管理
[*]SSE-C:自己管理密钥
[*]Client Side Encryption:完全有自己管理密钥平台
别的:尚有Glacier(本身利用AEC-256加密)
发起:利用HTTPS作为endpoint,由于HTTPS逼迫利用SSE-C
13.3.2 S3的Events
[*]S2 Access Logs:记载对于S3存储桶的所有哀求操作
[*]S3 Events Notifications:属于监控桶级别的通知,可用于监听通知
[*]Trusted Advisor:查抄S3存储桶的权限(当存储桶为public情况下)
[*]CloudWatch Events:属于监控对象级别的通知
13.3.3 S3的安全
[*]用户层面:基于IAM policies控制
[*]资源层面:基于bucket policies或者ACL。此中bucket policies为考试重点,可以跨账户授权
13.3.4 其它相干安全步伐
[*]S3 pre-signed URLs:生成一个pre-signed URLs,用于上传和下载。一样平常用于临时权限,偶然间限制。
[*]Endpoint Gateway:这个在网络那一章讲过,通过Endpoint Gateway可以让VPC通过内网方式访问S3,更加安全可靠,但不能通报边缘路由。
[*]对象锁定:借助 S3 对象锁定,您可以利用一次写入,多次读取 (WORM) 模式存储对象。对象锁定可资助防止在固定的时间段内或无限期地删除或覆盖对象。可以利用对象锁定来资助您满足需要 WORM 存储的法规要求,或只是添加另一个保护层来防止对象被更改和删除。
13.4 Network Security, DDoS, Shield & WAF
关于网络安全方面,在网络那一章分散讲过一些,这里体系讲一下
13.4.1 Network Security
https://img-blog.csdnimg.cn/7aa8d33aaf754f0fbda89dec9576595a.png
如上图,有3个安全管理的内容:
[*]NACL:网络访问控制列表 (ACL) 在子网级别允许或拒绝特定的入站或出站流量。您可以利用 VPC 的默认网络 ACL,也可以为 VPC 创建自界说网络 ACL,使其规则与您安全组的规则相似,以便为您的 VPC 添加额外安全层。注意:NACL是无状态(意味着入出都需要界说规则)
[*]安全组:这不是VPC,这是EC2、ALB等自带的安全组,也是用于控制网络访问。注意:安全组是有状态的(意味着界说入流量,自动允许响应)
[*]Firewall:EC2本身的防火墙
13.4.2 DDoS&Shield
[*]基本概念:通过大量机器的访问导致你的web服务哀求或者连接占满,导致正常用户无法访问
[*]类别:SYN Flood、UDP Reflection、DNS flood attack、Slow Loris attack
[*]AWS的防御步伐:AWS Shield Standard、AWS Shield Advanced、AWS WAF(考试经常出现)
[*]CloudFront和Route53默认能够防备DDoS攻击
https://img-blog.csdnimg.cn/a1655d3d3ce740899d923a39f9208aaa.png
例题:A company maintains a restaurant review website. The website is a single-page application where files are stored in Amazon S3 and delivered using Amazon CloudFront. The company receives several fake postings every day that are manually removed. The security team has identified that most of the fake posts are from bots with IP addresses that have a bad reputation within the same global region. The team needs to create a solution to help restrict the bots from accessing the website. Which strategy should a solutions architect use?
A. Use AWS Firewall Manager to control the CloudFront distribution security settings. Create a geographical block rule and associate it with Firewall Manager.
B. Associate an AWS WAF web ACL with the CloudFront distribution. Select the managed Amazon IP reputation rule group for the web ACL with a deny action.
C. Use AWS Firewall Manager to control the CloudFront distribution security settings. Select the managed Amazon IP reputation rule group and associate it with Firewall Manager with a deny action.
D. Associate an AWS WAF web ACL with the CloudFront distribution. Create a rule group for the web ACL with a geographical match statement with a deny action.
答案:B
答案解析:标题要求阻止来说某些IP。参考:https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-ip-rep.html
例题:A company has a website that runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an Auto Scaling group. The ALB is associated with an AWS WAF web ACL.
The website often encounters attacks in the application layer. The attacks produce sudden and significant increases in traffic on the application server. The access logs show that each attack originates from different IP addresses. A solutions architect needs to implement a solution to mitigate these attacks.
Which solution will meet these requirements with the LEAST operational overhead?
A. Create an Amazon CloudWatch alarm that monitors server access. Set a threshold based on access by IP address. Configure an alarm action that adds the IP address to the web ACL’s deny list.
B. Deploy AWS Shield Advanced in addition to AWS WAF. Add the ALB as a protected resource.
C. Create an Amazon CloudWatch alarm that monitors user IP addresses. Set a threshold based on access by IP address. Configure the alarm to invoke an AWS Lambda function to add a deny rule in the application server’s subnet route table for any IP addresses that activate the alarm.
D. Inspect access logs to find a pattern of IP addresses that launched the attacks. Use an Amazon Route 53 geolocation routing policy to deny traffic from the countries that host those IP addresses.
答案:B
答案解析:标题出现大量不同地方IP攻击,很显着是一个DDos攻击,因此利用Shield 防御DDos。因此选择B选项
13.5 Network Firewall
写在最后
在结束之际,我想重申的是,学习并非如攀登险峻高峰,而是如滴水穿石般的持久累积。尤其当我们步入工作岗位之后,持之以恒的学习变得愈发不易,犹如在茫茫大海中独自划舟,稍有松懈便大概被巨浪吞噬。然而,对于我们步伐员而言,学习是生存之本,是我们在激烈市场竞争中立于不败之地的关键。一旦停止学习,我们便犹如逆水行舟,不进则退,终将被期间的洪流所镌汰。因此,不停汲取新知识,不仅是对自己的提升,更是对自己的一份珍贵投资。让我们不停磨砺自己,与期间共同进步,书写属于我们的辉煌篇章。
需要完备版PDF学习资源私我
免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!更多信息从访问主页:qidao123.com:ToB企服之家,中国第一个企服评测及商务社交产业平台。
页:
[1]