Free Test

Quiz 1/10
A security administrator is setting up a new AWS account. The security administrator wants to secure the data that a company stores in an Amazon S3 bucket. The security administrator also wants to reduce the chance of unintended data exposure and the potential for misconfiguration of objects that are in the S3 bucket.
Which solution will meet these requirements with the LEAST operational overhead?
Select the answer (1 correct answer)
A. Configure the S3 Block Public Access feature for the AWS account.
B. Configure the S3 Block Public Access feature for all objects that are in the bucket.
C. Deactivate ACLs for objects that are in the bucket.
D. Use AWS PrivateLink for Amazon S3 to access the bucket.

Quiz 2/10
A company’s developers are using AWS Lambda function URLs to invoke functions directly. The company must ensure that developers cannot configure or deploy unauthenticated functions in production accounts. The company wants to meet this requirement by using AWS Organizations. The solution must not require additional work for the developers.
Which solution will meet these requirements?
Select the answer (1 correct answer)
A. Require the developers to configure all function URLs to support cross-origin resource sharing (CORS) when the functions are called from a different domain.
B. Use an AWS WAF delegated administrator account to view and block unauthenticated access to function URLs in production accounts, based on the OU of accounts that are using the functions.
C. Use SCPs to allow all lambda:CreateFunctionUrlConfig and lambda:UpdateFunctionUrlConfig actions that have a lambda:FunctionUrlAuthType condition key value of AWS_IAM.
D. Use SCPs to deny all lambda:CreateFunctionUrlConfig and lambda:UpdateFunctionUrlConfig actions that have a lambda:FunctionUrlAuthType condition key value of NONE.

Quiz 3/10
A security engineer receives a notice about suspicious activity from a Linux-based Amazon EC2 instance that uses Amazon Elastic Block Store (Amazon EBS)-based storage. The instance is making connections to known malicious addresses.
The instance is in a development account within a VPC that is in the us-east-1 Region. The VPC contains an internet gateway and has a subnet in us-east-1a and us-east-1b. Each subnet is associated with a route table that uses the internet gateway as a default route. Each subnet also uses the default network ACL. The suspicious EC2 instance runs within the us-east-1b subnet. During an initial investigation, a security engineer discovers that the suspicious instance is the only instance that runs in the subnet.
Which response will immediately mitigate the attack and help investigate the root cause?
Select the answer (1 correct answer)
A. Log in to the suspicious instance and use the netstat command to identify remote connections. Use the IP addresses from these remote connections to create deny rules in the security group of the instance. Install diagnostic tools on the instance for investigation. Update the outbound network ACL for the subnet in us-east-1b to explicitly deny all connections as the first rule during the investigation of the instance.
B. Update the outbound network ACL for the subnet in us-east-1b to explicitly deny all connections as the first rule. Replace the security group with a new security group that allows connections only from a diagnostics security group. Update the outbound network ACL for the us-east-1b subnet to remove the deny all rule. Launch a new EC2 instance that has diagnostic tools. Assign the new security group to the new EC2 instance. Use the new EC2 instance to investigate the suspicious instance.
C. Ensure that the Amazon Elastic Block Store (Amazon EBS) volumes that are attached to the suspicious EC2 instance will not delete upon termination. Terminate the instance. Launch a new EC2 instance in us-east-1a that has diagnostic tools. Mount the EBS volumes from the terminated instance for investigation.
D. Create an AWS WAF web ACL that denies traffic to and from the suspicious instance. Attach the AWS WAF web ACL to the instance to mitigate the attack. Log in to the instance and install diagnostic tools to investigate the instance.

Quiz 4/10
A company has a VPC that has no internet access and has the private DNS hostnames option enabled. An Amazon Aurora database is running inside the VPC. A security engineer wants to use AWS Secrets Manager to automatically rotate the credentials for the Aurora database. The security engineer configures the Secrets Manager default AWS Lambda rotation function to run inside the same VPC that the Aurora database uses. However, the security engineer determines that the password cannot be rotated properly because the Lambda function cannot communicate with the Secrets Manager endpoint.
What is the MOST secure way that the security engineer can give the Lambda function the ability to communicate with the Secrets Manager endpoint?
Select the answer (1 correct answer)
A. Add a NAT gateway to the VPC to allow access to the Secrets Manager endpoint.
B. Add a gateway VPC endpoint to the VPC to allow access to the Secrets Manager endpoint.
C. Add an interface VPC endpoint to the VPC to allow access to the Secrets Manager endpoint.
D. Add an internet gateway for the VPC to allow access to the Secrets Manager endpoint.

Quiz 5/10
A security engineer wants to forward custom application-security logs from an Amazon EC2 instance to Amazon CloudWatch. The security engineer installs the CloudWatch agent on the EC2 instance and adds the path of the logs to the CloudWatch configuration file.
However, CloudWatch does not receive the logs. The security engineer verifies that the awslogs service is running on the EC2 instance.
What should the security engineer do next to resolve the issue?
Select the answer (1 correct answer)
A. Add AWS CloudTrail to the trust policy of the EC2 instance. Send the custom logs to CloudTrail instead of CloudWatch.
B. Add Amazon S3 to the trust policy of the EC2 instance. Configure the application to write the custom logs to an S3 bucket that CloudWatch can use to ingest the logs.
C. Add Amazon Inspector to the trust policy of the EC2 instance. Use Amazon Inspector instead of the CloudWatch agent to collect the custom logs.
D. Attach the CloudWatchAgentServerPolicy AWS managed policy to the EC2 instance role.

Quiz 6/10
A company is attempting to conduct forensic analysis on an Amazon EC2 instance, but the company is unable to connect to the instance by using AWS Systems Manager Session Manager. The company has installed AWS Systems Manager Agent (SSM Agent) on the EC2 instance.
The EC2 instance is in a subnet in a VPC that does not have an internet gateway attached. The company has associated a security group with the EC2 instance. The security group does not have inbound or outbound rules. The subnet’s network ACL allows all inbound and outbound traffic.
Which combination of actions will allow the company to conduct forensic analysis on the EC2 instance without compromising forensic data? (Select THREE.)
Select the answer (3 correct answers)
A. Update the EC2 instance security group to add a rule that allows outbound traffic on port 443 for 0.0.0.0/0.
B. Update the EC2 instance security group to add a rule that allows inbound traffic on port 443 to the VPC's CIDR range.
C. Create an EC2 key pair. Associate the key pair with the EC2 instance.
D. Create a VPC interface endpoint for Systems Manager in the VPC where the EC2 instance is located.
E. Attach a security group to the VPC interface endpoint. Allow inbound traffic on port 443 to the VPC's CIDR range.
F. Create a VPC interface endpoint for the EC2 instance in the VPC where the EC2 instance is located.

Quiz 7/10
A security team manages a company’s AWS Key Management Service (AWS KMS) customer managed keys. Only members of the security team can administer the KMS keys. The company's application team has a software process that needs temporary access to the keys occasionally. The security team needs to provide the application team's software process with access to the keys.
Which solution will meet these requirements with the LEAST operational overhead?
Select the answer (1 correct answer)
A. Export the KMS key material to an on-premises hardware security module (HSM). Give the application team access to the key material.
B. Edit the key policy that grants the security team access to the KMS keys by adding the application team as principals. Revert this change when the application team no longer needs access.
C. Create a key grant to allow the application team to use the KMS keys. Revoke the grant when the application team no longer needs access.
D. Create a new KMS key by generating key material on premises. Import the key material to AWS KMS whenever the application team needs access. Grant the application team permissions to use the key.

Quiz 8/10
A company is using AWS CloudTrail and Amazon CloudWatch to monitor resources in an AWS account. The company’s developers have been using an IAM role in the account for the last 3 months.
A security engineer needs to refine the customer managed IAM policy attached to the role to ensure that the role provides least privilege access.
Which solution will meet this requirement with the LEAST effort?
Select the answer (1 correct answer)
A. Implement AWS IAM Access Analyzer policy generation on the role.
B. Implement AWS IAM Access Analyzer policy validation on the role.
C. Search CloudWatch logs to determine the actions the role invoked and to evaluate the permissions.
D. Use AWS Trusted Advisor to compare the policies assigned to the role against AWS best practices.

Quiz 9/10
A company uses AWS IAM Identity Center with SAML 2.0 federation. The company decides to change its federation source from one identity provider (IdP) to another. The underlying directory for both IdPs is Active Directory.
Which solution will meet this requirement?
Select the answer (1 correct answer)
A. Disable all existing users and groups within IAM Identity Center that were part of the federation with the original IdP.
B. Modify the attribute mappings within the IAM Identity Center trust relationship to match information that the new IdP sends.
C. Reconfigure all existing IAM roles in the company's AWS accounts to explicitly trust the new IdP as the principal.
D. Confirm that the Network Time Protocol (NTP) clock skew is correctly set between IAM Identity Center and the new IdP endpoints.

Quiz 10/10
A company is running its application on AWS. The company has a multi-environment setup, and each environment is isolated in a separate AWS account. The company has an organization in AWS Organizations to manage the accounts. There is a single dedicated security account for the organization. The company must create an inventory of all sensitive data that is stored in Amazon S3 buckets across the organization's accounts. The findings must be visible from a single location.
Which solution will meet these requirements?
Select the answer (1 correct answer)
A. Set the security account as the delegated administrator for Amazon Macie and AWS Security Hub. Enable and configure Macie to publish sensitive data findings to Security Hub.
B. Set the security account as the delegated administrator for AWS Security Hub. In each account, configure Amazon Inspector to scan the S3 buckets for sensitive data. Publish sensitive data findings to Security Hub.
C. In each account, configure Amazon Inspector to scan the S3 buckets for sensitive data. Enable Amazon Inspector integration with AWS Trusted Advisor. Publish sensitive data findings to Trusted Advisor.
D. In each account, enable and configure Amazon Macie to detect sensitive data. Enable Macie integration with AWS Trusted Advisor. Publish sensitive data findings to Trusted Advisor.

Amazon AWS Certified Security - Specialty Practice test unlocks all online simulator questions

Thank you for choosing the free version of the Amazon AWS Certified Security - Specialty practice test! To deepen your knowledge further, unlock the full version of our Amazon AWS Certified Security - Specialty Simulator: you will be able to take tests with over 81 constantly updated questions and easily pass your exam. 98% of people pass the exam on the first attempt after preparing with our 81 questions.

What to expect from our Amazon AWS Certified Security - Specialty practice tests and how to prepare for any exam?

The Amazon AWS Certified Security - Specialty Simulator Practice Tests are part of the Amazon Database and are the best way to prepare for any Amazon AWS Certified Security - Specialty exam. The Amazon AWS Certified Security - Specialty practice tests consist of 81 questions and are written by experts to help you prepare to pass the exam on the first attempt. The Amazon AWS Certified Security - Specialty database includes questions from previous and other exams, which means you will be able to practice simulating past and future questions. Preparation with the Amazon AWS Certified Security - Specialty Simulator will also give you an idea of the time it will take to complete each section of the Amazon AWS Certified Security - Specialty practice test. It is important to note that the Amazon AWS Certified Security - Specialty Simulator does not replace the classic Amazon AWS Certified Security - Specialty study guides; however, the Simulator provides valuable insight into what to expect and how much work needs to be done to prepare for the Amazon AWS Certified Security - Specialty exam.

The Amazon AWS Certified Security - Specialty Practice test therefore represents an excellent tool to prepare for the actual exam together with our Amazon practice test. Our Amazon AWS Certified Security - Specialty Simulator will help you assess your level of preparation and understand your strengths and weaknesses. Below you can read about all the quizzes you will find in our Amazon AWS Certified Security - Specialty Simulator and how our unique Amazon AWS Certified Security - Specialty Database is made up of real questions:

Info quiz:

  • Quiz name: Amazon AWS Certified Security - Specialty
  • Total number of questions: 81
  • Number of questions for the test: 50
  • Pass score: 80%

You can prepare for the Amazon AWS Certified Security - Specialty exams with our mobile app. It is very easy to use and even works offline in case of network failure, with all the functions you need to study and practice with our Amazon AWS Certified Security - Specialty Simulator.

Use our Mobile App, available for both Android and iOS devices, with our Amazon AWS Certified Security - Specialty Simulator. You can use it anywhere, and remember that our mobile app is free and available on all stores.

Our Mobile App contains all Amazon AWS Certified Security - Specialty practice tests, which consist of 81 questions, and also provides study material to pass the final Amazon AWS Certified Security - Specialty exam with guaranteed success. Our Amazon AWS Certified Security - Specialty database contains hundreds of questions and Amazon Tests related to the Amazon AWS Certified Security - Specialty Exam. This way you can practice anywhere you want, even offline without the internet.