AWS SAP-C02教程6--安全_aws sap c02题库

2401_84254343

于 2024-06-24 16:02:57 发布

阅读量878

点赞数 11

CC 4.0 BY-SA版权

文章标签： aws 安全云计算

本文链接：https://blog.csdn.net/2401_84254343/article/details/139929117

包括： management events（管理事件）、data events（数据事件）、Insights events（见解事件）
可以将日志存入CloudWatch Logs中
可以和不同服务集成做更多事情：https://docs.aws.amazon.com/zh_cn/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html
控制台可以查看过去90天内容
默认包括创建、修改和删除事件，也可以自定义内容展示

1.2 典型架构

日志的处理架构
多账号多区域统一日志管理
通过日志采集设置报警架构
Organization下统一日志管理

1.3 方案比较

日志采集后存储及处理，会有不同方案，不同的方案有不同的应用场景，下列给出不同方案，可供不同场景使用：

方案	解决问题
CloudWatch Event	能够在CloudTrail触发API调用，是目前延迟最小的监控
CloudWatch Logs	以流式将日志过滤并可以设置警告通知
S3	将日志存储在S3，可以长期保持并且结合如Athena工具进行检索

2 AWS KMS

AWS Key Management Service（AWS KMS）是一项托管式服务，可让您轻松创建和控制用于保护您的数据的加密密钥。简单理解，就是一个加密平台，上面保存密钥，同时提供API供客户端进行加密和解密。

2.1 基本特性

基本功能是用来加密和解密（考试中但凡与加密解密有关的，那么一般跟KMS也有关系）
有AWS管理密钥，因此安全度高
AWS KMS 与大多数用于加密数据的其他 AWS 服务集成

例题：A company needs to move its write-intensive Amazon RDS for PostgreSQL database from the eu-west-1 Region to the eu-north-1 Region. As part of the migration, the company needs to change from Amazon RDS for PostgreSQL to Amazon Aurora PostgreSQL.
The company is using a new AWS account to host a new Aurora PostgreSQL DB cluster. The RDS database is encrypted with an AWS managed AWS Key Management Service (AWS KMS) key. There must be no interruption to applications that use the RDS for PostgreSQL DB instance.
Which solution will meet these requirements?
A. Create VPC peering between the VPCs in both accounts. Take a snapshot of the RDS DB instance. Export the snapshot to Amazon S3. Create an S3 gateway endpoint. Use the S3 sync command for ongoing synchronization of data. Restore the snapshot from Amazon S3 in the Aurora account. Migrate the snapshot to the Aurora DB cluster.
B. Create VPC peering between the VPCs in both accounts. Import the AWS managed KMS key to the Aurora account. Take a snapshot of the RDS DB instance. Share the snapshot with the Aurora account. Copy the shared snapshot to eu-north-1 in the Aurora account. Migrate the shared snapshot to the Aurora DB cluster. Use AWS Database Migration Service (AWS DMS) with ongoing replication to complete the migration.
C. Create VPC peering between the VPCs in both accounts. Copy the AWS managed KMS key to the Aurora account. Create an Aurora cross-Region read replica of the RDS DB instance in the Aurora account. Promote the read replica from standby DB instance to primary DB instance.
D. Create VPC peering between the VPCs in both accounts. Create a multi-Region customer managed KMS key in the RDS account, and share the key with the Aurora account. Modify the cluster to use the customer managed KMS key. Take a snapshot of the RDS DB instance. Share the snapshot with the Aurora account. Copy the shared snapshot to eu-north-1 in the Aurora account. Migrate the shared snapshot to the Aurora DB cluster. Use AWS Database Migration Service (AWS DMS) with ongoing replication to complete the migration.
答案：D
答案解析：题目要求需要跨区域迁移PostgreSQL数据库。并且使用KMS做密钥管理。因此D选项最合适。

例题：A company is implementing a serverless architecture by using AWS Lambda functions that need to access a Microsoft SQL Server DB instance on Amazon RDS. The company has separate environments for development and production, including a clone of the database system. The company’s developers are allowed to access the credentials for the development database. However, the credentials for the production database must be encrypted with a key that only members of the IT security team’s IAM user group can access. This key must be rotated on a regular basis.
What should a solutions architect do in the production environment to meet these requirements?
A. Store the database credentials in AWS Systems Manager Parameter Store by using a SecureString parameter that is encrypted by an AWS Key Management Service (AWS KMS) customer managed key. Attach a role to each Lambda function to provide access to the SecureString parameter. Restrict access to the SecureString parameter and the customer managed key so that only the IT security team can access the parameter and the key.
B. Encrypt the database credentials by using the AWS Key Management Service (AWS KMS) default Lambda key. Store the credentials in the environment variables of each Lambda function. Load the credentials from the environment variables in the Lambda code. Restrict access to the KMS key so that only the IT security team can access the key.
C. Store the database credentials in the environment variables of each Lambda function. Encrypt the environment variables by using an AWS Key Management Service (AWS KMS) customer managed key. Restrict access to the customer managed key so that only the IT security team can access the key.
D. Store the database credentials in AWS Secrets Manager as a secret that is associated with an AWS Key Management Service (AWS KMS) customer managed key. Attach a role to each Lambda function to provide access to the secret. Restrict access to the secret and t