Question 1 (medium, multiple choice)
CCSP Cloud Data Security • Complete Question Bank
Refer to the exhibit.
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```
Refer to the exhibit.
```
Error: Failed to create resource. Status: 403 Forbidden.
{
  "Code": "AccessDenied",
  "Message": "Access denied. Please ensure that the key policy grants the necessary permissions.",
  "Resource": "arn:aws:kms:us-east-1:123456789012:key/abc123"
}
```
Refer to the exhibit.
```
$ gsutil ls gs://my-bucket/
AccessDeniedException: 403 my-service-account@project.iam.gserviceaccount.com does not have storage.objects.list access to the Google Cloud Storage bucket.
```
Refer to the exhibit.
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```
Refer to the exhibit.
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::company-data/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "true"
        }
      }
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::company-data/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    }
  ]
}
```
Develop incident response plan and tools
Identify potential security incidents
Isolate affected systems and prevent spread
Restore normal operations and verify integrity
Refer to the exhibit.
```
# Example of cloud KMS key policy (JSON)
{
  "Version": "2012-10-17",
  "Id": "key-default",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/AppRole"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}
```
Refer to the exhibit.
```
{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::public-bucket/*"
    }
  ]
}
```
After applying this bucket policy, the owner notices that the bucket is publicly accessible. Which additional configuration must be adjusted to make the bucket private?
Refer to the exhibit.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/BackupRole"
      },
      "Action": [
        "kms:Decrypt",
        "kms:ReEncrypt*"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:CallerAccount": "123456789012",
          "kms:ViaService": "s3.us-west-2.amazonaws.com"
        }
      }
    }
  ]
}
```
Refer to the exhibit.
```
$ az keyvault key list --vault-name myVault
[
  {
    "kid": "https://myVault.vault.azure.net/keys/myKey/abc123",
    "attributes": {
      "enabled": true,
      "created": 1590000000,
      "updated": 1590000000
    },
    "tags": {
      "usage": "encryption"
    }
  }
]
$ openssl s_client -connect myserver.cloudapp.net:443 -servername myserver.cloudapp.net
CONNECTED(00000003)
140735123456:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1487:SSL alert number 40
```
Refer to the exhibit.
```
Error: Access Denied. status code: 403, request id: QWERTY1234, host id: ABCD5678
User: arn:aws:iam::123456789012:user/data-analyst
Action: s3:GetObject
Resource: arn:aws:s3:::proprietary-data/reports/q4-2023.csv
Additional detail: Encryption key access required.
```
Refer to the exhibit.
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    }
  ]
}
```
Refer to the exhibit.
```
Oct 12 09:15:22 cloudhost sshd[1234]: Failed password for admin from 203.0.113.55 port 2213 ssh2
Oct 12 09:15:25 cloudhost sshd[1234]: Accepted password for admin from 203.0.113.55 port 2213 ssh2
Oct 12 09:15:30 cloudhost sudo: admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/mysql -h db-internal -u root -pS3cur3P@ss
Oct 12 09:16:00 cloudhost mysqld[2345]: 2023-10-12 9:16:00 2 [Note] Access denied for user 'root'@'cloudhost' (using password: YES)
```
Refer to the exhibit.
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::mybucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    }
  ]
}
```
Refer to the exhibit.
CloudTrail log entry:
```
{
  "eventVersion": "1.05",
  "userIdentity": { "arn": "arn:aws:iam::123456789012:user/Alice" },
  "eventTime": "2023-08-15T14:30:00Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "Decrypt",
  "sourceIPAddress": "203.0.113.5",
  "resources": [{ "ARN": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab" }],
  "errorCode": "AccessDenied",
  "errorMessage": "User: arn:aws:iam::123456789012:user/Alice is not authorized to perform: kms:Decrypt on resource: arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
}
```
Refer to the exhibit.
Cloud storage architecture description: "Data is stored in a bucket with default encryption using AES-256. Access is controlled via IAM policies and bucket policies. Additionally, a VPC endpoint is used to restrict access to the bucket only from a specific VPC."
Refer to the exhibit.
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpc": "vpc-12345678"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceVpc": "vpc-12345678"
        }
      }
    }
  ]
}
```
Refer to the exhibit.
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "true"
        }
      }
    }
  ]
}
```