CSA-C01 시험 - Alibaba Cloud실제시험문제와 답 - 295문항

Question No : 1

A company needs to grant developers permission to start and stop ECS instances, but not to delete instances or modify RAM policies.
Which solution is best?

A.Attach AliyunAdministratorAccess and monitor actions with ActionTrail
B.Create a custom RAM policy that allows only the required ECS actions
C.Share a root account session during maintenance windows
D.Grant full ECS and RAM permissions and use approval by email

정답:

Question No : 2

A security administrator wants to reduce the impact if a privileged RAM user's password is stolen.
Which control should be prioritized?

A.Assigning the user to more RAM groups
B.Disabling all RAM policy conditions
C.Creating a second AccessKey for backup access
D.Enabling MFA and limiting the user's permissions

정답:

Question No : 3

A company wants a RAM user to read objects from one specific OSS bucket but not from other buckets.
Which policy design is most appropriate?

A.Specify the required OSS actions and the target bucket resource in a custom RAM policy
B.Grant full OSS access and rely on ActionTrail to detect misuse later
C.Use only a password policy and require a complex console password
D.Create a security group rule that allows access to the OSS bucket

정답:

Question No : 4

An Alibaba Cloud service needs to access other cloud resources on behalf of the user, and the required permissions are managed for that service scenario.
Which identity type is most relevant?

A.RAM group
B.Console password
C.Service-linked role
D.Root account AccessKey

정답:

Question No : 5

A RAM user belongs to two RAM groups. One group allows an operation, and another group explicitly denies the same operation.
What is the final authorization result?

A.The operation is allowed because group permissions are merged
B.The operation is denied because explicit deny has higher priority
C.The operation is allowed if the user has an AccessKey
D.The operation is denied only when MFA is disabled

정답:

Question No : 6

An enterprise wants employees from its corporate identity provider to access Alibaba Cloud without creating long-term RAM users for every employee.
Which access method is most appropriate?

A.Shared root account access
B.Permanent AccessKeys for all employees
C.Federated access using RAM roles
D.Public anonymous access to cloud resources

정답:

Question No : 7

A company creates a separate RAM user for each administrator instead of sharing one administrator account.
Which security goal does this mainly support?

A.Lowering ECS storage cost
B.Improving DNS resolution performance
C.Reducing the number of RAM policies
D.Improving accountability and operation traceability

정답:

Question No : 8

A company wants to grant permissions to a RAM user to manage only specific ECS instances that match a defined resource scope.
Where should this permission be defined?

A.In a RAM policy attached to the user, group, or role
B.In an ECS security group attached to the RAM user
C.In a Cloud Firewall access control policy only
D.In a Bastionhost approval rule only

정답:

Question No : 9

Which statement best describes a RAM role?

A.A permanent identity used only by a human administrator to log on to the console
B.A group object used only to organize RAM users
C.An identity that can be assumed by a trusted entity to obtain temporary permissions
D.A security group rule used to control inbound and outbound network traffic

정답:

Question No : 10

A company wants to review who modified a RAM policy, what API was called, and when the operation occurred.
Which Alibaba Cloud service should be used?

A.Security Center
B.ActionTrail
C.Bastionhost
D.Cloud Firewall

정답:

Question No : 11

A RAM user can list ECS instances but cannot stop them.
Which part of the RAM policy most likely needs to be changed?

A.The resource group's display name
B.The billing method of the ECS instances
C.The user's login password complexity rule
D.The allowed ECS API actions

정답:

Question No : 12

In a RAM policy statement, which element specifies whether the policy statement allows or denies the listed operations?

A.Effect
B.Action
C.Resource
D.Condition

정답:

Question No : 13

A mobile application needs time-limited access to upload files to OSS. The company wants to avoid issuing long-term credentials to the application.
Which mechanism should be used?

A.Root account AccessKey
B.Public bucket access
C.RAM user console password
D.STS temporary credentials generated by assuming a RAM role

정답:

Question No : 14

An administrator wants to allow a RAM user to perform sensitive operations only from the corporate office network.
Which RAM policy capability should be used?

A.Policy version
B.Policy condition
C.RAM group description
D.Console theme setting

정답:

Question No : 15

A security team finds that a RAM user's AccessKey has been committed to a public source code repository.
What should be done first?

A.Disable or delete the exposed AccessKey and rotate credentials
B.Attach a read-only policy to the RAM user
C.Move the RAM user to a different RAM group
D.Disable ActionTrail to prevent further exposure of logs

정답:

Alibaba Cloud CSA-C01 시험