CAS-004 Security Architecture • Complete Question Bank
Complete CAS-004 Security Architecture question bank — all 0 questions with answers and detailed explanations.
Refer to the exhibit.
```
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip access-group ACL-IN in
!
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.0
!
access-list 100 deny tcp any host 192.168.1.100 eq 22
access-list 100 deny tcp any host 192.168.1.100 eq 3389
access-list 100 permit ip any any
```
Forbidden
Not Found
Internal Server Error
Bad Gateway
Unauthorized
```
access-list 100 deny ip any any
access-list 100 permit tcp any host 10.0.0.10 eq 80
```
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::mybucket/*"
    }
  ]
}
```
```
type=AVC msg=audit(1234567890.123:456): avc: denied { connectto } for pid=1234 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
```
Refer to the exhibit.
```
$ iptables -L -n -v --line-numbers
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
3        0     0 ACCEPT     tcp  --  *      *       192.168.1.0/24       0.0.0.0/0            tcp dpt:443
4        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
5        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)

Chain OUTPUT (policy ACCEPT)
```
Refer to the exhibit.
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "123456789012"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-sensitive-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/8"
        }
      }
    }
  ]
}
```
Refer to the exhibit.
```
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip access-group OUTSIDE_IN in
!
ip access-list extended OUTSIDE_IN
 permit tcp any host 192.168.1.100 eq 80
 permit tcp any host 192.168.1.100 eq 443
 deny ip any any log
!
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 ip access-group INSIDE_OUT out
!
ip access-list extended INSIDE_OUT
 permit ip 10.0.0.0 0.0.0.255 any
 deny ip any any log
```
An organization has recently migrated its on-premises data center to a public cloud. The security team notices that several virtual machines (VMs) in the same subnet are communicating with each other without any restrictions. The company policy requires that only specific application traffic (e.g., database queries from web servers) be allowed between VMs, and all other inter-VM traffic must be blocked to comply with a zero-trust model. The cloud provider offers native security group and network ACL features. The architect must design a solution that enforces the policy with minimal administrative overhead and supports future expansion.
Which of the following is the BEST course of action?
A multinational corporation is deploying a new application that will be accessed by employees, partners, and customers. The security architecture must support single sign-on (SSO) across different identity providers (IdPs) while maintaining strict access control based on user attributes such as role, location, and device posture. The company uses Active Directory for employees, a cloud IdP for partners, and self-registration for customers. The architect needs to design a centralized policy enforcement point that can evaluate access requests from multiple IdPs and enforce dynamic access policies before granting access to the application.
Which of the following is the BEST architectural approach?
```
access-list extended OUTSIDE-IN
 permit tcp any host 10.0.1.100 eq 443
 permit tcp any host 10.0.1.100 eq 8443
 deny ip any any
```