[Q179-Q195] Pass Your AWS-Security-Specialty Exam Easily With 100% Exam Passing Guarantee [2023]



AWS-Security-Specialty Dumps are Available for Instant Access from PassTestking


Amazon AWS-Security-Specialty Exam Syllabus Topics:

  • Topic 1: An Understanding of Secure Internet Protocols and AWS Mechanisms to Implement Them
  • Topic 2: Competency Gained from Two or More Years of Production Deployment Experience Using AWS Security Services and Features
  • Topic 3: An Understanding of Security Operations and Risk

NEW QUESTION # 179
A company uses SAML federation with AWS Identity and Access Management (IAM) to provide internal users with SSO for their AWS accounts. The company's identity provider certificate was rotated as part of its normal lifecycle. Shortly after, users started receiving the following error when attempting to log in:
"Error: Response Signature Invalid (Service: AWSSecurityTokenService; Status Code: 400; Error Code: InvalidIdentityToken)"
A security engineer needs to address the immediate issue and ensure that it will not occur again.
Which combination of steps should the security engineer take to accomplish this? (Select TWO.)

  • A. Download a new copy of the SAML metadata file from the identity provider. Upload the new metadata to the IAM identity provider entity configured for the SAML integration in question.
  • B. Download a new copy of the SAML metadata file from the identity provider. Create a new IAM identity provider entity. Upload the new metadata file to the new IAM identity provider entity.
  • C. During the next certificate rotation period and before the current certificate expires, add a new certificate as the secondary to the identity provider. Generate a new copy of the metadata file and create a new IAM identity provider entity. Upload the metadata file to the new IAM identity provider entity. Perform automated or manual rotation of the certificate when required.
  • D. During the next certificate rotation period and before the current certificate expires, add a new certificate as the secondary to the identity provider. Generate a new metadata file and upload it to the IAM identity provider entity. Perform automated or manual rotation of the certificate when required.
  • E. Download a new copy of the SAML metadata file from the identity provider. Create a new IAM identity provider entity. Upload the new metadata file to the new IAM identity provider entity. Update the identity provider configurations to pass a new IAM identity provider entity name in the SAML assertion.

Answer: B,C


NEW QUESTION # 180
A user has enabled versioning on an S3 bucket. The user is using server-side encryption for data at rest. If the user is supplying his own keys for encryption (SSE-C), which of the below mentioned statements is true?
Please select:

  • A. It is possible to have different encryption keys for different versions of the same object
  • B. AWS S3 does not allow the user to upload his own keys for server side encryption
  • C. The user should use the same encryption key for all versions of the same object
  • D. The SSE-C does not work when versioning is enabled

Answer: A

Explanation:
You can encrypt the object and send it across to S3
Option A is invalid because ideally you should use different encryption keys. Option C is invalid because you can use your own encryption keys. Option D is invalid because encryption works even if versioning is enabled.
For more information on client-side encryption, please visit the below link:
https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
The correct answer is: It is possible to have different encryption keys for different versions of the same object
Submit your Feedback/Queries to our Experts


NEW QUESTION # 181
You need to ensure that objects in an S3 bucket are available in another region. This is because of the criticality of the data that is hosted in the S3 bucket. How can you achieve this in the easiest way possible?
Please select:

  • A. Enable versioning which will copy the objects to the destination region
  • B. Write a script to copy the objects to another bucket in the destination region
  • C. Create an S3 snapshot in the destination region
  • D. Enable cross region replication for the bucket

Answer: D

Explanation:
Option B is partially correct, but it is a big maintenance overhead to create and maintain a script when the functionality is already available in S3. Option C is invalid because snapshots are not available in S3. Option D is invalid because versioning will not replicate objects. The AWS documentation mentions the following: Cross-region replication is a bucket-level configuration that enables automatic, asynchronous copying of objects across buckets in different AWS Regions.
For more information on Cross region replication in the Simple Storage Service, please visit the below URL:
https://docs.aws.amazon.com/AmazonS3/latest/dev/crr.html
The correct answer is: Enable cross region replication for the bucket


NEW QUESTION # 182
You are planning on using the AWS KMS service for managing keys for your application. For which of the following can the KMS CMK keys be used for encrypting? Choose 2 answers from the options given below.
Please select:

  • A. Image Objects
  • B. Password
  • C. RSA Keys
  • D. Large files

Answer: B,C

Explanation:
The CMK keys themselves can only be used for encrypting data that is a maximum of 4 KB in size. Hence they can be used for encrypting information such as passwords and RSA keys.
Options A and B are invalid because the actual CMK key can only be used to encrypt small amounts of data and not large amounts of data. You have to generate a data key from the CMK in order to encrypt large amounts of data.
For more information on the concepts for KMS, please visit the following URL:
https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html
The correct answers are: Password, RSA Keys


NEW QUESTION # 183
A company had one of its Amazon EC2 key pairs compromised. A Security Engineer must identify which current Linux EC2 instances were deployed and used the compromised key pair.
How can this task be accomplished?

  • A. Obtain the list of instances by directly querying Amazon EC2 using: aws ec2 describe-instances --filters "Name=key-name,Values=KEYNAMEHERE".
  • B. Obtain the fingerprint for the key pair from the AWS Management Console, then search for the fingerprint in the Amazon Inspector logs.
  • C. Obtain the fingerprint for the key pair from the AWS Management Console, then search for the fingerprint in Amazon CloudWatch Logs using: aws logs filter-log-events.
  • D. Obtain the output from the EC2 instance metadata using: curl http://169.254.169.254/latest/meta-data/public-keys/0/.

Answer: A


NEW QUESTION # 184
A company's security policy requires that VPC Flow Logs are enabled on all VPCs. A Security Engineer is looking to automate the process of auditing the VPC resources for compliance.
What combination of actions should the Engineer take? (Choose two.)

  • A. Create an AWS Config custom rule, and associate it with an AWS Lambda function that contains the evaluating logic.
  • B. Create an AWS Config managed rule with a resource type of AWS::Lambda::Function.
  • C. Create an Amazon CloudWatch Event rule that triggers on events emitted by AWS Config.
  • D. Create an AWS Lambda function that determines whether Flow Logs are enabled for a given VPC.
  • E. Create an AWS Config configuration item for each VPC in the company AWS account.

Answer: C,E


NEW QUESTION # 185
Which of the following minimizes the potential attack surface for applications?

  • A. Use network ACLs to provide stateful firewalls at the VPC level to prevent access to any specific AWS resource.
  • B. Use security groups to provide stateful firewalls for Amazon EC2 instances at the hypervisor level.
  • C. Design network security in a single layer within the perimeter network (also known as DMZ, demilitarized zone, and screened subnet) to facilitate quicker responses to threats.
  • D. Use AWS Direct Connect for secure trusted connections between EC2 instances within private subnets.

Answer: B

Explanation:
https://aws.amazon.com/answers/networking/vpc-security-capabilities/
Security groups are stateful and operate at the hypervisor level.


NEW QUESTION # 186
An employee accidentally exposed an AWS access key and secret access key during a public presentation.
The company Security Engineer immediately disabled the key.
How can the Engineer assess the impact of the key exposure and ensure that the credentials were not misused? (Choose two.)

  • A. Analyze the resource inventory in AWS Config for IAM user activity.
  • B. Analyze Amazon CloudWatch Logs for activity.
  • C. Download and analyze the IAM Use report from AWS Trusted Advisor.
  • D. Download and analyze a credential report from IAM.
  • E. Analyze AWS CloudTrail for activity.

Answer: D,E


NEW QUESTION # 187
A Software Engineer wrote a customized reporting service that will run on a fleet of Amazon EC2 instances.
The company security policy states that application logs for the reporting service must be centrally collected.
What is the MOST efficient way to meet these requirements?

  • A. Write an AWS Lambda function that logs into the EC2 instance to pull the application logs from the EC2 instance and persists them into an Amazon S3 bucket.
  • B. Enable AWS CloudTrail logging for the AWS account, create a new Amazon S3 bucket, and then configure Amazon CloudWatch Logs to receive the application logs from CloudTrail.
  • C. Create a simple cron job on the EC2 instances that synchronizes the application logs to an Amazon S3 bucket by using rsync.
  • D. Install the Amazon CloudWatch Logs Agent on the EC2 instances, and configure it to send the application logs to CloudWatch Logs.

Answer: D

Explanation:
https://aws.amazon.com/blogs/aws/cloudwatch-log-service/


NEW QUESTION # 188
A company has deployed a custom DNS server in AWS. The Security Engineer wants to ensure that Amazon EC2 instances cannot use the Amazon-provided DNS.
How can the Security Engineer block access to the Amazon-provided DNS in the VPC?

  • A. Disable DNS resolution within the VPC configuration.
  • B. Add a rule to all network access control lists that denies access to the Amazon DNS IP.
  • C. Deny access to the Amazon DNS IP within all security groups.
  • D. Add a route to all route tables that black holes traffic to the Amazon DNS IP.

Answer: A

Explanation:
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html


NEW QUESTION # 189
An organization receives an alert that indicates that an EC2 instance behind an ELB Classic Load Balancer has been compromised.
What techniques will limit lateral movement and allow evidence gathering?

  • A. Remove the instance from the load balancer, and shut down access to the instance by tightening the security group.
  • B. Remove the instance from the load balancer and terminate it.
  • C. Stop the instance and make a snapshot of the root EBS volume.
  • D. Reboot the instance and check for any Amazon CloudWatch alarms.

Answer: A

Explanation:
https://d1.awsstatic.com/whitepapers/aws_security_incident_response.pdf


NEW QUESTION # 190
A Security Engineer has several thousand Amazon EC2 instances split across production and development environments. Each instance is tagged with its environment. The Engineer needs to analyze and patch all the development EC2 instances to ensure they are not currently exposed to any common vulnerabilities or exposures (CVEs).
Which combination of steps is the MOST efficient way for the Engineer to meet these requirements? (Select TWO.)

  • A. Install the Amazon Inspector agent on all development instances. Configure Inspector to perform a scan using the CVE rule package on all instances tagged as being in the development environment.
  • B. Log on to each EC2 instance, check and export the different software versions installed, and verify this against a list of current CVEs.
  • C. Install the Amazon EC2 Systems Manager agent on all development instances. Issue the Run command to EC2 Systems Manager to update all instances.
  • D. Install the Amazon Inspector agent on all development instances. Build a custom rule package, and configure Inspector to perform a scan using this custom rule on all instances tagged as being in the development environment.
  • E. Use AWS Trusted Advisor to check that all EC2 instances have been patched to the most recent version of operating system and installed software.

Answer: A,C


NEW QUESTION # 191
A company wants to have a secure way of generating, storing and managing cryptographic keys, with exclusive access to the keys. Which of the following can be used for this purpose?
Please select:

  • A. Use S3 Server Side encryption
  • B. Use Cloud HSM
  • C. Use KMS and the normal KMS encryption keys
  • D. Use KMS and use an external key material

Answer: B

Explanation:
The AWS Documentation mentions the following
The AWS CloudHSM service helps you meet corporate, contractual and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) instances within the AWS cloud. AWS and AWS Marketplace partners offer a variety of solutions for protecting sensitive data within the AWS platform, but for some applications and data subject to contractual or regulatory mandates for managing cryptographic keys, additional protection may be necessary. CloudHSM complements existing data protection solutions and allows you to protect your encryption keys within HSMs that are designed and validated to government standards for secure key management. CloudHSM allows you to securely generate, store and manage cryptographic keys used for data encryption in a way that keys are accessible only by you.
Options A, B and C are invalid because in all of these cases, the management of the key will be with AWS. Here the question specifically mentions that you want to have exclusive access over the keys. This can be achieved with CloudHSM.
For more information on CloudHSM, please visit the following URL:
https://aws.amazon.com/cloudhsm/faqs/
The correct answer is: Use Cloud HSM


NEW QUESTION # 192
An Application Developer is using an AWS Lambda function that must use AWS KMS to perform encrypt and decrypt operations for API keys that are less than 2 KB.
Which key policy would allow the application to do this while granting least privilege?

  • A.
  • B.
  • C.
  • D.

Answer: A


NEW QUESTION # 193
The Security Engineer is given the following requirements for an application that is running on Amazon EC2 and managed by using AWS CloudFormation templates with EC2 Auto Scaling groups:
-Have the EC2 instances bootstrapped to connect to a backend database.
-Ensure that the database credentials are handled securely.
-Ensure that retrievals of database credentials are logged.
Which of the following is the MOST efficient way to meet these requirements?

  • A. Store database passwords in AWS Systems Manager Parameter Store by using SecureString parameters.
    Set the IAM role for the EC2 instance profile to allow access to the parameters.
  • B. Write a script that is passed in as UserData so that it is executed upon launch of the EC2 instance.
    Ensure that the instance is configured to log to Amazon CloudWatch Logs.
  • C. Create an AWS Lambda that ingests the database password and persists it to Amazon S3 with server-side encryption. Have the EC2 instances retrieve the S3 object on startup, and log all script invocations to syslog.
  • D. Pass database credentials to EC2 by using CloudFormation stack parameters with the property set to true. Ensure that the instance is configured to log to Amazon CloudWatch Logs.

Answer: A


NEW QUESTION # 194
An application is designed to run on an EC2 instance. The application needs to work with an S3 bucket. From a security perspective, what is the ideal way for the EC2 instance/application to be configured?
Please select:

  • A. Assign an IAM user to the application that has specific access to only that S3 bucket
  • B. Assign an IAM Role and assign it to the EC2 Instance
  • C. Assign an IAM group and assign it to the EC2 Instance
  • D. Use the IAM access keys ensuring that they are frequently rotated.

Answer: B

Explanation:
The below diagram from the AWS whitepaper shows the best security practice of allocating a role that has access to the S3 bucket.

Options A, B and D are invalid because using users, groups or access keys is an invalid security practice when giving access to resources from other AWS resources.
For more information on the Security Best Practices, please visit the following URL:
https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf
The correct answer is: Assign an IAM Role and assign it to the EC2 Instance


NEW QUESTION # 195
......

Study resources for the Valid AWS-Security-Specialty Braindumps: https://www.passtestking.com/Amazon/AWS-Security-Specialty-practice-exam-dumps.html

Latest AWS Certified Security AWS-Security-Specialty Actual Free Exam Questions: https://drive.google.com/open?id=17q76ewBWyuLpYUh0YWAb8G1dxllle_9W