• Home
  • Articles
  • Latest AWS-Security-Specialty exam dumps with real Amazon questions and answers [Q13-Q38]

Latest AWS-Security-Specialty exam dumps with real Amazon questions and answers [Q13-Q38]

Share

Latest AWS-Security-Specialty exam dumps with real Amazon questions and answers

AWS-Security-Specialty Exam in First Attempt Guaranteed

NEW QUESTION # 13
An organization has tens of applications deployed on thousands of Amazon EC2 instances. During testing, the Application team needs information to let them know whether the network access control lists (network ACLs) and security groups are working as expected.
How can the Application team's requirements be met?

  • A. Turn on VPC Flow Logs, send the logs to Amazon S3, and use Amazon Athena to query the logs.
  • B. Create an AWS Config rule for each network ACL and security group configuration, send the logs to Amazon S3, and use Amazon Athena to query the logs.
  • C. Install an Amazon Inspector agent on each EC2 instance, send the logs to Amazon S3, and use Amazon EMR to query the logs.
  • D. Turn on AWS CloudTrail, send the trails to Amazon S3, and use AWS Lambda to query the trails.

Answer: A

Explanation:
Explanation/Reference:
https://aws.amazon.com/blogs/aws/vpc-flow-logs-log-and-view-network-traffic-flows/


NEW QUESTION # 14
A company has decided to migrate sensitive documents from on-premises data centers to Amazon S3.
Currently, the hard drives are encrypted to meet a compliance requirement regarding data encryption. The CISO wants to improve security by encrypting each file using a different key instead of a single key. Using a different key would limit the security impact of a single exposed key.
Which of the following requires the LEAST amount of configuration when implementing this approach?

  • A. Use the S3 encryption client to encrypt each file individually using S3-generated data keys
  • B. Put all the files in the same S3 bucket. Using S3 events as a trigger, write an AWS Lambda function to encrypt each file as it is added using different AWS KMS data keys.
  • C. Place each file into a different S3 bucket. Set the default encryption of each bucket to use a different AWS KMS customer managed key.
  • D. Place all the files in the same S3 bucket. Use server-side encryption with AWS KMS-managed keys (SSE-KMS) to encrypt the data

Answer: D


NEW QUESTION # 15
A user has created a VPC with the public and private subnets using the VPC wizard. The VPC has CIDR 20.0.0.0/16. The public subnet uses CIDR 20.0.1.0/24. The user is planning to host a web server in the public subnet with port 80 and a Database server in the private subnet with port 3306. The user is configuring a security group for the public subnet (WebSecGrp) and the private subnet (DBSecGrp). which of the below mentioned entries is required in the private subnet database security group DBSecGrp?
Please select:

  • A. Allow Inbound on port 3306 from source 20.0.0.0/16
  • B. Allow Outbound on port 80 for Destination NAT Instance IP
  • C. Allow Inbound on port 3306 for Source Web Server Security Group WebSecGrp.
  • D. Allow Outbound on port 3306 for Destination Web Server Security Group WebSecGrp.

Answer: C

Explanation:
Since the Web server needs to talk to the database server on port 3306 that means that the database server should allow incoming traffic on port 3306. The below table from the aws documentation shows how the security groups should be set up.

Option B is invalid because you need to allow incoming access for the database server from the WebSecGrp security group.
Options C and D are invalid because you need to allow Outbound traffic and not inbound traffic For more information on security groups please visit the below Link:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC Scenario2.html The correct answer is: Allow Inbound on port 3306 for Source Web Server Security Group WebSecGrp. Submit your Feedback/Queries to our Experts


NEW QUESTION # 16
You have a requirement to conduct penetration testing on the AWS Cloud for a couple of EC2 Instances. How could you go about doing this? Choose 2 right answers from the options given below.
Please select:

  • A. Get prior approval from AWS for conducting the test
  • B. Work with an AWS partner and no need for prior approval request from AWS
  • C. Use a pre-approved penetration testing tool.
  • D. Choose any of the AWS instance type

Answer: A,C

Explanation:
You can use a pre-approved solution from the AWS Marketplace. But till date the AWS Documentation still mentions that you have to get prior approval before conducting a test on the AWS Cloud for EC2 Instances.
Option C and D are invalid because you have to get prior approval first.
AWS Docs Provides following details:
"For performing a penetration test on AWS resources first of all we need to take permission from AWS and complete a requisition form and submit it for approval. The form should contain information about the instances you wish to test identify the expected start and end dates/times of your test and requires you to read and agree to Terms and Conditions specific to penetration testing and to the use of appropriate tools for testing. Note that the end date may not be more than 90 days from the start date." ( At this time, our policy does not permit testing small or micro RDS instance types. Testing of ml .small, t1 .micro or t2.nano EC2 instance types is not permitted.
For more information on penetration testing please visit the following URL:
https://aws.amazon.eom/security/penetration-testine/l
The correct answers are: Get prior approval from AWS for conducting the test Use a pre-approved penetration testing tool. Submit your Feedback/Queries to our Experts


NEW QUESTION # 17
Your company has a set of resources defined in the AWS Cloud. Their IT audit department has requested to get a list of resources that have been defined across the account. How can this be achieved in the easiest manner?
Please select:

  • A. Use AWS Config to get the list of all resources
  • B. Create a bash shell script with the AWS CLI. Query for all resources in all regions. Store the results in an S3 bucket.
  • C. Create a powershell script using the AWS CLI. Query for all resources with the tag of production.
  • D. Use Cloud Trail to get the list of all resources

Answer: A

Explanation:
The most feasible option is to use AWS Config. When you turn on AWS Config, you will get a list of resources defined in your AWS Account.
A sample snapshot of the resources dashboard in AWS Config is shown below

Option A is incorrect because this would give the list of production based resources and now all resources Option B is partially correct But this will just add more maintenance overhead.
Option C is incorrect because this can be used to log API activities but not give an account of all resou For more information on AWS Config, please visit the below URL:
https://docs.aws.amazon.com/config/latest/developereuide/how-does-confie-work.html The correct answer is: Use AWS Config to get the list of all resources Submit your Feedback/Queries to our Experts


NEW QUESTION # 18
A developer at a company uses an SSH key to access multiple Amazon EC2 instances. The company discovers that the SSH key has been posted on a public GitHub repository. A security engineer verifies that the key has not been used recently.
How should the security engineer prevent unauthorized access to the EC2 instances?

  • A. Use the ModifylnstanceAttribute API operation to change the key on any EC2 instance that is using the key.
  • B. Delete the key pair from the EC2 console. Create a new key pair.
  • C. Update the key pair in any AMI that is used to launch the EC2 instances. Restart the EC2 instances.
  • D. Restrict SSH access in the security group to only known corporate IP addresses.

Answer: D


NEW QUESTION # 19
You are planning to use AWS Configto check the configuration of the resources in your AWS account. You are planning on using an existing 1AM role and using it for the AWS Config resource. Which of the following is required to ensure the AWS config service can work as required?
Please select:

  • A. Ensure that there is a grant policy in place for the AWS Config service within the role
  • B. Ensure that there is a trust policy in place for the AWS Config service within the role
  • C. Ensure that there is a group policy in place for the AWS Config service within the role
  • D. Ensure that there is a user policy in place for the AWS Config service within the role

Answer: B

Explanation:
Explanation

Options B,C and D are invalid because you need to ensure a trust policy is in place and not a grant, user or group policy or more information on the 1AM role permissions please visit the below Link:
https://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.htmll The correct answer is: Ensure that there is a trust policy in place for the AWS Config service within the role Submit your Feedback/Queries to our Experts


NEW QUESTION # 20
In order to encrypt data in transit for a connection to an AWS RDS instance, which of the following would you implement Please select:

  • A. Data Keys from CloudHSM
  • B. SSL from your application
  • C. Transparent data encryption
  • D. Data keys from AWS KMS

Answer: B

Explanation:
Explanation
This is mentioned in the AWS Documentation
You can use SSL from your application to encrypt a connection to a DB instance running MySQL MariaDB, Amazon Aurora, SQL Server, Oracle, or PostgreSQL.
Option A is incorrect since Transparent data encryption is used for data at rest and not in transit Options C and D are incorrect since keys can be used for encryption of data at rest For more information on working with RDS and SSL, please refer to below URL:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html The correct answer is: SSL from your application Submit your Feedback/Queries to our Experts


NEW QUESTION # 21
You are planning on using the AWS KMS service for managing keys for your application. For which of the following can the KMS CMK keys be used for encrypting? Choose 2 answers from the options given below Please select:

  • A. Password
  • B. Large files
  • C. Image Objects
  • D. RSA Keys

Answer: A,D

Explanation:
Explanation
The CMK keys themselves can only be used for encrypting data that is maximum 4KB in size. Hence it can be used for encryptii information such as passwords and RSA keys.
Option A and B are invalid because the actual CMK key can only be used to encrypt small amounts of data and not large amoui of data. You have to generate the data key from the CMK key in order to encrypt high amounts of data For more information on the concepts for KMS, please visit the following URL:
https://docs.aws.amazon.com/kms/latest/developereuide/concepts.htmll
The correct answers are: Password, RSA Keys Submit your Feedback/Queries to our Experts


NEW QUESTION # 22
A company has five AWS accounts and wants to use AWS CloudTrail to log API calls. The log files must be stored in an Amazon S3 bucket that resides in a new account specifically built for centralized services with a unique top-level prefix for each trail. The configuration must also enable detection of any modification to the logs.
Which of the following steps will implement these requirements? (Choose three.)

  • A. Use an existing S3 bucket in one of the accounts, apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the "s3: PutObject" action and the "s3 GetBucketACL" action, and specify the appropriate resource ARNs for the CloudTrail trails.
  • B. Apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the "s3 PutObject" action and the "s3 GelBucketACL" action, and specify the appropriate resource ARNs for the CloudTrail trails.
  • C. Configure CloudTrail in the centralized account to log all accounts to the new centralized S3 bucket.
  • D. Create a new S3 bucket in a separate AWS account for centralized storage of CloudTrail logs, and enable "Log File Validation" on all trails.
  • E. Use unique log file prefixes for trails in each AWS account.
  • F. Enable encryption of the log files by using AWS Key Management Service

Answer: B,C,D

Explanation:
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html If you have created an organization in AWS Organizations, you can create a trail that will log all events for all AWS accounts in that organization. This is sometimes referred to as an organization trail. You can also choose to edit an existing trail in the master account and apply it to an organization, making it an organization trail. Organization trails log events for the master account and all member accounts in the organization. For more information about AWS Organizations, see Organizations Terminology and Concepts. Note Reference: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html You must be logged in with the master account for the organization in order to create an organization trail. You must also have sufficient permissions for the IAM user or role in the master account in order to successfully create an organization trail. If you do not have sufficient permissions, you will not see the option to apply a trail to an organization.


NEW QUESTION # 23
A Website currently runs on Amazon EC2, with mostly static content on the site. Recently, the site was subjected to a DDoS attack, and a Security Engineer was tasked with redesigning the edge security to help mitigate this risk in the future.
What are some ways the Engineer could achieve this? (Choose three.)

  • A. Use Amazon Route 53 to distribute traffic.
  • B. Use AWS X-Ray to inspect the traffic going to the EC2 instances.
  • C. Change the security group configuration to block the source of the attack traffic.
  • D. Use AWS WAF security rules to inspect the inbound traffic.
  • E. Use Amazon Inspector assessment templates to inspect the inbound traffic.
  • F. Move the static content to Amazon S3, and front this with an Amazon CloudFront distribution.

Answer: B,E,F


NEW QUESTION # 24
A company hosts a web-based application that captures and stores sensitive data in an Amazon DynamoDB table. A security audit reveals that the application does not provide end-to-end data protection or the ability to detect unauthorized data changes The software engineering team needs to make changes that will address the audit findings.
Which set of steps should the software engineering team take?

  • A. Use an AWS Key Management Service (AWS KMS) CMK. Encrypt the data at rest.
  • B. Use the AWS Encryption SDK. Use client-side encryption and sign the table items.
  • C. Use AWS Certificate Manager (ACM) Private Certificate Authority Encrypt the data in transit.
  • D. Use a DynamoDB encryption client. Use client-side encryption and sign the table items

Answer: A


NEW QUESTION # 25
Your CTO is very worried about the security of your AWS account. How best can you prevent hackers from completely hijacking your account?
Please select:

  • A. Use short but complex password on the root account and any administrators.
  • B. Don't write down or remember the root account password after creating the AWS account.
  • C. Use AWS 1AM Geo-Lock and disallow anyone from logging in except for in your city.
  • D. Use MFA on all users and accounts, especially on the root account.

Answer: D

Explanation:
Multi-factor authentication can add one more layer of security to your AWS account Even when you go to your Security Credentials dashboard one of the items is to enable MFA on your root account

Option A is invalid because you need to have a good password policy Option B is invalid because there is no 1AM Geo-Lock Option D is invalid because this is not a recommended practices For more information on MFA, please visit the below URL
http://docs.aws.amazon.com/IAM/latest/UserGuide/id credentials mfa.htmll The correct answer is: Use MFA on all users and accounts, especially on the root account.
Submit your Feedback/Queries to our Experts


NEW QUESTION # 26
You have a set of 100 EC2 Instances in an IAM account. You need to ensure that all of these instances are patched and kept to date. All of the instances are in a private subnet. How can you achieve this. Choose 2 answers from the options given below Please select:

  • A. Use the Systems Manager to patch the instances
  • B. Ensure a NAT gateway is present to download the updates
  • C. Ensure an internet gateway is present to download the updates
  • D. Use the IAM inspector to patch the updates

Answer: A,B

Explanation:
Explanation
Option C is invalid because the instances need to remain in the private:
Option D is invalid because IAM inspector can only detect the patches
One of the IAM Blogs mentions how patching of Linux servers can be accomplished. Below is the diagram representation of the architecture setup

For more information on patching Linux workloads in IAM, please refer to the Lin.
https://IAM.amazon.com/blogs/security/how-to-patch-linux-workloads-on-IAMj The correct answers are: Ensure a NAT gateway is present to download the updates. Use the Systems Manager to patch the instances Submit your Feedback/Queries to our Experts


NEW QUESTION # 27
You have a 2 tier application hosted in AWS. It consists of a web server and database server (SQL Server) hosted on separate EC2 Instances. You are devising the security groups for these EC2 Instances. The Web tier needs to be accessed by users across the Internet. You have created a web security group(wg-123) and database security group(db-345). Which combination of the following security group rules will allow the application to be secure and functional. Choose 2 answers from the options given below.
Please select:

  • A. db-345 -Allow ports 1433 from 0.0.0.0/0
  • B. wg-123 -Allow ports 80 and 443 from 0.0.0.0/0
  • C. db-345 - Allow port 1433 from wg-123
  • D. wg-123 - Allow port 1433 from wg-123

Answer: B,C

Explanation:
The Web security groups should allow access for ports 80 and 443 for HTTP and HTTPS traffic to all users from the internet.
The database security group should just allow access from the web security group from port 1433.
Option C is invalid because this is not a valid configuration
Option D is invalid because database security should not be allowed on the internet For more information on Security Groups please visit the below URL:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/usins-network-security.htmll The correct answers are: wg-123 - Allow ports 80 and 443 from 0.0.0.0/0, db-345 - Allow port 1433 from wg-123 Submit your Feedback/Queries to our Experts


NEW QUESTION # 28
A company has deployed a custom DNS server in AWS. The Security Engineer wants to ensure that Amazon EC2 instances cannot use the Amazon-provided DNS.
How can the Security Engineer block access to the Amazon-provided DNS in the VPC?

  • A. Deny access to the Amazon DNS IP within all security groups.
  • B. Add a rule to all network access control lists that deny access to the Amazon DNS IP.
  • C. Disable DNS resolution within the VPC configuration.
  • D. Add a route to all route tables that black holes traffic to the Amazon DNS IP.

Answer: B

Explanation:
Explanation
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html


NEW QUESTION # 29
You are working for a company and been allocated the task for ensuring that there is a federated authentication mechanism setup between AWS and their On-premise Active Directory. Which of the following are important steps that need to be covered in this process? Choose 2 answers from the options given below.
Please select:

  • A. Configure AWS as the relying party in Active Directory
  • B. Ensure the right match is in place for On-premise AD Groups and IAM Groups.
  • C. Ensure the right match is in place for On-premise AD Groups and IAM Roles.
  • D. Configure AWS as the relying party in Active Directory Federation services

Answer: C,D

Explanation:
The AWS Documentation mentions some key aspects with regards to the configuration of On-premise AD with AWS
One is the Groups configuration in AD
Active Directory Configuration
Determining how you will create and delineate your AD groups and IAM roles in AWS is crucial to how you secure access to your account and manage resources. SAML assertions to the AWS environment and the respective IAM role access will be managed through regular expression (regex) matching between your on-premises AD group name to an AWS IAM role.
One approach for creating the AD groups that uniquely identify the AWS IAM role mapping is by selecting a common group naming convention. For example, your AD groups would start with an identifier, for example, AWS-, as this will distinguish your AWS groups from others within the organization. Next include the 12-digitAWS account number. finally, add the matching role name within the AWS account. Here is an example:

And next is the configuration of the relying party which is AWS
ADFS federation occurs with the participation of two parties; the identity or claims provider (in this case the owner of the identity repository - Active Directory) and the relying party, which is another application that wishes to outsource authentication to the identity provider; in this case Amazon Secure Token Service (STS). The relying party is a federation partner that is represented by a claims provider trust in the federation service.
Option B is invalid because AD groups should not be matched to IAM Groups
Option C is invalid because the relying party should be configured in Active Directory Federation services
For more information on the federated access, please visit the following URL:
1 https://aws.amazon.com/blogs/security/aws-federated-authentication-with-active-directory-federation-services-ad-fs/
The correct answers are: Ensure the right match is in place for On-premise AD Groups and IAM Roles., Configure AWS as the relying party in Active Directory Federation services
Submit your Feedback/Queries to our Experts


NEW QUESTION # 30
A company has two VPCs in the same AWS Region and in the same AWS account Each VPC uses a CIDR block that does not overlap with the CIDR block of the other VPC One VPC contains AWS Lambda functions that run inside a subnet that accesses the internet through a NAT gateway. The Lambda functions require access to a publicly accessible Amazon Aurora MySQL database that is running in the other VPC A security engineer determines that the Aurora database uses a security group rule that allows connections from the NAT gateway IP address that the Lambda functions use. The company's security policy states that no database should be publicly accessible.
What is the MOST secure way that the security engineer can provide the Lambda functions with access to the Aurora database?

  • A. Move the Aurora database into a private subnet that has no internet access routes in the database's current VPC Configure the Lambda functions to use the Aurora database's new private IP address to access the database Configure the Aurora databases security group to allow access from the private IP addresses of the Lambda functions
  • B. Establish an AWS Direct Connect interface between the VPCs Configure the Lambda functions to use a new route table that accesses the Aurora database through the Direct Connect interface Configure the Aurora database's security group to allow access from the Direct Connect interface IP address
  • C. Establish a VPC endpoint between the two VPCs in the Aurora database's VPC configure a service VPC endpoint for Amazon RDS In the Lambda functions' VPC.
    configure an interface VPC endpoint that uses the service endpoint in the Aurora database's VPC Configure the service endpoint to allow connections from the Lambda functions.
  • D. Move the Lambda functions into a public subnet in their VPC Move the Aurora database into a private subnet in its VPC Configure the Lambda functions to use the Aurora database's new private IP address to access the database Configure the Aurora database to allow access from the public IP addresses of the Lambda functions

Answer: C

Explanation:
Explanation
This option involves creating a VPC Endpoint between the two VPCs that allows private communication between them without going through the internet or exposing any public IP addresses. In this option, a VPC endpoint for Amazon RDS will be established, and an interface VPC endpoint will be created that points to the service endpoint in the Aurora database's VPC. This way, the Lambda functions can use the private IP address of the Aurora database to access it through the VPC endpoint without exposing any public IP addresses or allowing public internet access to the database.


NEW QUESTION # 31
Your company has a set of EBS volumes defined in AWS. The security mandate is that all EBS volumes are encrypted. What can be done to notify the IT admin staff if there are any unencrypted volumes in the account.
Please select:

  • A. Use AWS Guard duty to check for the unencrypted EBS volumes
  • B. Use AWS Config to check for unencrypted EBS volumes
  • C. Use AWS Lambda to check for the unencrypted EBS volumes
  • D. Use AWS Inspector to inspect all the EBS volumes

Answer: B

Explanation:
The enc
config rule for AWS Config can be used to check for unencrypted volumes.
encrypted-volurrn
5 volumes that are in an attached state are encrypted. If you specify the ID of a KMS key for encryptio using the kmsld parameter, the rule checks if the EBS volumes in an attached state are encrypted with that KMS key*1.
Options A and C are incorrect since these services cannot be used to check for unencrypted EBS volumes Option D is incorrect because even though this is possible, trying to implement the solution alone with just the Lambda servk would be too difficult For more information on AWS Config and encrypted volumes, please refer to below URL:
https://docs.aws.amazon.com/config/latest/developerguide/encrypted-volumes.html Submit your Feedback/Queries to our Experts


NEW QUESTION # 32
Your current setup in AWS consists of the following architecture. 2 public subnets, one subnet which has the web servers accessed by users across the internet and the other subnet for the database server. Which of the following changes to the architecture would add a better security boundary to the resources hosted in your setup Please select:

  • A. Consider creating a private subnet and adding a NAT instance to that subnet
  • B. Consider moving the database server to a private subnet
  • C. Consider moving the web server to a private subnet
  • D. Consider moving both the web and database server to a private subnet

Answer: B

Explanation:
Explanation
The ideal setup is to ensure that the web server is hosted in the public subnet so that it can be accessed by users on the internet. The database server can be hosted in the private subnet.
The below diagram from the AWS Documentation shows how this can be setup

Option A and C are invalid because if you move the web server to a private subnet, then it cannot be accessed by users Option D is invalid because NAT instances should be present in the public subnet For more information on public and private subnets in AWS, please visit the following url com/AmazonVPC/latest/UserGuide/VPC Scenario2.
The correct answer is: Consider moving the database server to a private subnet Submit your Feedback/Queries to our Experts


NEW QUESTION # 33
A Security Engineer discovers that developers have been adding rules to security groups that allow SSH and RDP traffic from 0.0.0.0/0 instead of the organization firewall IP.
What is the most efficient way to remediate the risk of this activity?

  • A. Delete the internet gateway associated with the VPC.
  • B. Use network access control lists to block source IP addresses matching 0.0.0.0/0.
  • C. Use AWS Config rules to detect 0.0.0.0/0 and invoke an AWS Lambda function to update the security group with the organization's firewall IP.
  • D. Use a host-based firewall to prevent access from all but the organization's firewall IP.

Answer: B


NEW QUESTION # 34
A company hosts an end user application on AWS Currently the company deploys the application on Amazon EC2 instances behind an Elastic Load Balancer The company wants to configure end-to-end encryption between the Elastic Load Balancer and the EC2 instances.
Which solution will meet this requirement with the LEAST operational effort?

  • A. Deploy AWS CloudHSM Import a third-party certificate Configure the EC2 instances and the Elastic Load Balancer to use the CloudHSM imported certificate
  • B. Import a third-party SSL certificate to AWS Certificate Manager (ACM) Install the third-party certificate on the EC2 instances Associate the ACM imported third-party certificate with the Elastic Load Balancer
  • C. Use Amazon issued AWS Certificate Manager (ACM) certificates on the EC2 instances and the Elastic Load Balancer to configure end-to-end encryption
  • D. Import a third-party certificate bundle to AWS Certificate Manager (ACM) Install the third-party certificate on the EC2 instances Associate the ACM imported third-party certificate with the Elastic Load Balancer.

Answer: C

Explanation:
Explanation
To configure end-to-end encryption between the Elastic Load Balancer and the EC2 instances with the least operational effort, the most appropriate solution would be to use Amazon issued AWS Certificate Manager (ACM) certificates on the EC2 instances and the Elastic Load Balancer to configure end-to-end encryption.
AWS Certificate Manager - Amazon Web Services : Elastic Load Balancing - Amazon Web Services : Amazon Elastic Compute Cloud - Amazon Web Services : AWS Certificate Manager - Amazon Web Services


NEW QUESTION # 35
For compliance reasons a Security Engineer must produce a weekly report that lists any instance that does not have the latest approved patches applied. The Engineer must also ensure that no system goes more than 30 days without the latest approved updates being applied What would the MOST efficient way to achieve these goals?

  • A. Examine IAM CloudTrail togs to determine whether any instances have not restarted in the last 30 days, and redeploy those instances
  • B. Use Amazon inspector to determine which systems do not have the latest patches applied, and after 30 days, redeploy those instances with the latest AMI version
  • C. Configure Amazon EC2 Systems Manager to report on instance patch compliance and enforce updates during the defined maintenance windows
  • D. Update the AMls with the latest approved patches and redeploy each instance during the defined maintenance window

Answer: C


NEW QUESTION # 36
During a recent internal investigation, it was discovered that all API logging was disabled in a production account, and the root user had created new API keys that appear to have been used several times.
What could have been done to detect and automatically remediate the incident?

  • A. Using Amazon CloudWatch, create a CloudWatch event that detects AWS CloudTrail deactivation and a separate Amazon Trusted Advisor check to automatically detect the creation of root API keys. Then use a Lambda function to enable AWS CloudTrail and deactivate the root API keys.
  • B. Using Amazon CloudTrail, create a new CloudTrail event that detects the deactivation of CloudTrail logs, and a separate CloudTrail event that detects the creation of root API keys. Then use a Lambda function to enable CloudTrail and deactivate the root API keys.
  • C. Using AWS Config, create a config rule that detects when AWS CloudTrail is disabled, as well as any calls to the root user create-api-key. Then use a Lambda function to re-enable CloudTrail logs and deactivate the root API keys.
  • D. Using Amazon Inspector, review all of the API calls and configure the inspector agent to leverage SNS topics to notify security of the change to AWS CloudTrail, and revoke the new API keys for the root user.

Answer: C


NEW QUESTION # 37
During a manual review of system logs from an Amazon Linux EC2 instance, a Security Engineer noticed that there are sudo commands that were never properly alerted or reported on the Amazon CloudWatch Logs agent Why were there no alerts on the sudo commands?

  • A. CloudWatch Logs status is set to ON versus SECURE, which prevents it from pulling in OS security event logs
  • B. There is a security group blocking outbound port 80 traffic that is preventing the agent from sending the logs
  • C. The 1AM instance profile on the EC2 instance was not properly configured to allow the CloudWatch Logs agent to push the logs to CloudWatch
  • D. The VPC requires that all traffic go through a proxy, and the CloudWatch Logs agent does not support a proxy configuration.

Answer: C


NEW QUESTION # 38
......


Amazon SCS-C01 (AWS Certified Security – Specialty) certification exam is designed for professionals who want to demonstrate their expertise and knowledge of security technologies and best practices on the AWS Cloud. AWS Certified Security - Specialty certification exam validates the skills of candidates to design, implement, and maintain secure and resilient AWS solutions. Successful candidates will have a deep understanding of security concepts and best practices, and will be able to implement security controls to maintain the confidentiality, integrity, and availability of AWS resources.

 

Exam Sure Pass Amazon Certification with AWS-Security-Specialty exam questions: https://www.passtestking.com/Amazon/AWS-Security-Specialty-practice-exam-dumps.html

Download Real AWS-Security-Specialty Exam Dumps for candidates. 100% Free Dump Files: https://drive.google.com/open?id=1EBZPWeBuDjEgkdE5RNM8T273eAEVsplV

Related Articles

more
Go To AWS-Security-Specialty Questions