ANS-C01 Network Security, Compliance and Governance • Complete Question Bank
Complete ANS-C01 Network Security, Compliance and Governance question bank — all 0 questions with answers and detailed explanations.
Refer to the exhibit.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeSecurityGroups"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:InstanceType": "t2.micro"
        }
      }
    }
  ]
}
```

Refer to the exhibit.
```
[root@ip-10-0-1-5 ~]# tcpdump -i eth0 -n port 443
09:32:15.123456 IP 203.0.113.5.34567 > 10.0.1.5.443: Flags [S], seq 12345, win 65535, options [mss 1460], length 0
09:32:15.123456 IP 10.0.1.5.443 > 203.0.113.5.34567: Flags [S.], seq 54321, ack 12346, win 65535, options [mss 1460], length 0
09:32:15.123456 IP 203.0.113.5.34567 > 10.0.1.5.443: Flags [.], ack 54322, win 65535, length 0
```
Refer to the exhibit.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    }
  ]
}
```

Refer to the exhibit.
Resource Policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::example-bucket/confidential/*",
      "Condition": {
        "StringEquals": {
          "s3:ExistingObjectTag/classification": "public"
        }
      }
    }
  ]
}
```
Match each concept to its description:
- Static public IP that can be remapped to another instance
- DNS-based routing to healthy endpoints
- Distributes traffic evenly across all registered targets in all AZs
- Improves availability and performance using Anycast IPs
- Captures IP traffic information for troubleshooting

Match each concept to its description:
- Layer 4 (Transport)
- Layer 7 (Application)
- Layer 3 and 4 (Network and Transport)
- Layer 3 (Network)
- Layer 2 (Data Link) or Layer 1 (Physical)

Match each concept to its description:
- Access to VPCs using private IP addresses
- Access to public AWS services (e.g., S3, DynamoDB) using public IPs
- Connect to a Direct Connect Gateway for multiple VPCs
- Virtual interface provisioned by an AWS Direct Connect Partner
- Encrypted virtual interface using MACsec
Refer to the exhibit.
Exhibit (IAM Policy JSON):
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeSecurityGroups",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupIngress"
      ],
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "ec2:AuthorizeSecurityGroupIngress",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:AuthorizeSecurityGroupIngress": "0.0.0.0/0"
        }
      }
    }
  ]
}
```

Refer to the exhibit.
Exhibit (CloudFormation snippet):
```yaml
Resources:
  MySecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow HTTP from anywhere
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
        - IpProtocol: -1
          CidrIp: 0.0.0.0/0
  MyInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-12345678
      InstanceType: t2.micro
      SecurityGroupIds:
        - !Ref MySecurityGroup
```

Refer to the exhibit.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "192.0.2.0/24"
        }
      }
    }
  ]
}
```

Refer to the exhibit.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```

Refer to the exhibit.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "10.0.0.0/16",
            "203.0.113.0/24"
          ]
        },
        "Bool": {
          "aws:SecureTransport": "true"
        }
      }
    }
  ]
}
```

Refer to the exhibit.
[VPC Flow Logs output]
```
2 123456789010 eni-12345678 10.0.1.5 10.0.2.10 443 443 6 10 1000 1620000000 1620000010 ACCEPT OK
2 123456789010 eni-12345678 10.0.1.5 10.0.2.10 22 22 6 5 500 1620000010 1620000020 ACCEPT OK
2 123456789010 eni-12345678 10.0.1.5 203.0.113.5 443 443 6 20 2000 1620000020 1620000030 ACCEPT OK
2 123456789010 eni-12345678 203.0.113.5 10.0.1.5 443 443 6 15 1500 1620000030 1620000040 REJECT OK
```
Refer to the exhibit.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVpc",
        "ec2:CreateSubnet",
        "ec2:CreateInternetGateway",
        "ec2:AttachInternetGateway",
        "ec2:CreateRouteTable",
        "ec2:CreateRoute"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "us-east-1"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "ec2:CreateInternetGateway",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:ResourceTag/purpose": "production"
        }
      }
    }
  ]
}
```

Refer to the exhibit.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/16"
        }
      }
    }
  ]
}
```

Refer to the exhibit.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```

Refer to the exhibit.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Environment": "production"
        }
      }
    }
  ]
}
```

Refer to the exhibit.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    }
  ]
}
```

Refer to the exhibit.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "ec2:Describe*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": "us-east-1"
        }
      }
    }
  ]
}
```

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::important-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    }
  ]
}
```

arn:aws:iam::123456789012:role/AdminRole
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "192.0.2.0/24"
        }
      }
    }
  ]
}
```

```
vpc-flow-log-1234567890 2 123456789010 eni-1234567890abcdef 10.0.1.5 10.0.2.10 12345 80 6 100 2000 1625097600 1625097660 REJECT OK
```
Refer to the exhibit.
Exhibit: IAM Policy JSON
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/8"
        }
      }
    }
  ]
}
```

Refer to the exhibit.
Exhibit: CloudWatch Logs Log Entry
```json
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "Root",
    "principalId": "123456789012",
    "arn": "arn:aws:iam::123456789012:root",
    "accountId": "123456789012"
  },
  "eventTime": "2023-11-01T12:00:00Z",
  "eventSource": "ec2.amazonaws.com",
  "eventName": "CreateSecurityGroup",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "203.0.113.5",
  "userAgent": "console.amazonaws.com",
  "requestParameters": {
    "groupName": "test-sg",
    "groupDescription": "Test security group"
  },
  "responseElements": {
    "groupId": "sg-12345678"
  }
}
```

Refer to the exhibit.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowVPCAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/AdminRole"
      },
      "Action": "ec2:AcceptVpcPeeringConnection",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:vpc-peering-connection/*",
      "Condition": {
        "StringEquals": {
          "ec2:AccepterVpc": "arn:aws:ec2:us-east-1:123456789012:vpc/vpc-0abcdef1234567890"
        }
      }
    }
  ]
}
```

Refer to the exhibit.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    }
  ]
}
```

Refer to the exhibit.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceVpc": "vpc-12345"
        }
      }
    }
  ]
}
```

Refer to the exhibit.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "true"
        }
      }
    }
  ]
}
```