[Dec 27, 2021] Get New AWS-Security-Specialty Practice Test Questions Answers
AWS-Security-Specialty Dumps and Exam Test Engine
NEW QUESTION 100
A company hosts data in S3. There is a requirement to control access to the S3 buckets. Which are the 2 ways in which this can be achieved?
Please select:
- A. Use IAM user policies
- B. Use Bucket policies
- C. Use the Secure Token service
- D. Use AWS Access Keys
Answer: A,B
Explanation:
The AWS Documentation mentions the following
Amazon S3 offers access policy options broadly categorized as resource-based policies and user policies. Access policies you attach to your resources (buckets and objects) are referred to as resource-based policies. For example, bucket policies and access control lists (ACLs) are resource-based policies. You can also attach access policies to users in your account. These are called user policies. You may choose to use resource-based policies, user policies, or some combination of these to manage permissions to your Amazon S3 resources.
Options B and D are invalid because these cannot be used to control access to S3 buckets. For more information on S3 access control, please refer to the below link:
https://docs.aws.amazon.com/AmazonS3/latest/dev/s3-access-control.html
The correct answers are: Use Bucket policies. Use IAM user policies.
NEW QUESTION 101
The AWS Systems Manager Parameter Store is being used to store database passwords used by an AWS Lambda function. Because this is sensitive data, the parameters are stored as type SecureString and protected by an AWS KMS key that allows access through IAM. When the function executes, this parameter cannot be retrieved as the result of an access denied error.
Which of the following actions will resolve the access denied error?
- A. Add lambda.amazonaws.com as a trusted entity on the IAM role that the Lambda function uses.
- B. Add a policy to the role that the Lambda function uses, allowing kms:Decrypt for the KMS key.
- C. Update the ssm.amazonaws.com principal in the KMS key policy to allow kms:Decrypt.
- D. Update the Lambda configuration to launch the function in a VPC.
Answer: B
Explanation:
https://docs.amazonaws.cn/en_us/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Integrating.Authorizing.
NEW QUESTION 102
A Security Engineer must enforce the use of only Amazon EC2, Amazon S3, Amazon RDS, Amazon DynamoDB, and AWS STS in specific accounts.
What is a scalable and efficient approach to meet this requirement?
- A. Create multiple IAM users for the regulated accounts, and attach the following policy statement to restrict services as required:

- B. Set up an Organizations hierarchy, replace the global FullAWSAccess with the following Service Control Policy at the top level:

- C. Set up all users in the Active Directory for federated access to all accounts in the company. Associate Active Directory groups with IAM groups, and attach the following policy statement to restrict services as required:

- D. Set up an AWS Organizations hierarchy, and replace the FullAWSAccess policy with the following Service Control Policy for the governed organization units:

Answer: D
NEW QUESTION 103
Your company has a set of EC2 Instances defined in AWS. They need to ensure that all traffic packets are monitored and inspected for any security threats. How can this be achieved? Choose 2 answers from the options given below.
Please select:
- A. Use VPC Flow logs
- B. Use Network Access control lists logging
- C. Use a host based intrusion detection system
- D. Use a third party firewall installed on a central EC2 instance
Answer: C,D
Explanation:
If you want to inspect the packets themselves, then you need to use custom-based software. A diagram representation of this is given in the AWS Security best practices.
Option C is invalid because VPC Flow logs cannot conduct packet inspection.
For more information on AWS Security best practices, please refer to below URL:
The correct answers are: Use a host based intrusion detection system. Use a third party firewall installed on a central EC2 instance.
NEW QUESTION 104
For compliance reasons, an organization limits the use of resources to three specific AWS regions. It wants to be alerted when any resources are launched in unapproved regions.
Which of the following approaches will provide alerts on any resources launched in an unapproved region?
- A. Develop an alerting mechanism based on processing AWS CloudTrail logs.
- B. Use AWS Trusted Advisor to alert on all resources being created.
- C. Monitor Amazon S3 Event Notifications for objects stored in buckets in unapproved regions.
- D. Analyze Amazon CloudWatch Logs for activities in unapproved regions.
Answer: A
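The CloudTrail-based alerting that answer A describes comes down to reading each delivered log file and flagging mutating API calls whose `awsRegion` is outside the approved set. The following Python is an added example, not part of the original page: the approved-region list, the account ID, the principal ARNs and the log records are all constructed for illustration, in the shape of the JSON file that CloudTrail delivers to S3.

```python
import json

# Constructed policy for this example: the three regions the organization approves.
APPROVED_REGIONS = {"us-east-1", "us-west-2", "eu-west-1"}

# Constructed sample in the shape of a CloudTrail log file delivered to S3
# (a JSON object with a "Records" array). Account ID and ARNs are placeholders.
SAMPLE_CLOUDTRAIL = json.dumps({
    "Records": [
        {"eventTime": "2021-12-27T10:00:00Z", "eventSource": "ec2.amazonaws.com",
         "eventName": "RunInstances", "awsRegion": "ap-southeast-1", "readOnly": False,
         "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
        {"eventTime": "2021-12-27T10:01:00Z", "eventSource": "ec2.amazonaws.com",
         "eventName": "DescribeInstances", "awsRegion": "ap-southeast-1", "readOnly": True,
         "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
        {"eventTime": "2021-12-27T10:02:00Z", "eventSource": "s3.amazonaws.com",
         "eventName": "CreateBucket", "awsRegion": "us-east-1", "readOnly": False,
         "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
        {"eventTime": "2021-12-27T10:03:00Z", "eventSource": "rds.amazonaws.com",
         "eventName": "CreateDBInstance", "awsRegion": "sa-east-1", "readOnly": False,
         "errorCode": "AccessDenied",
         "userIdentity": {"arn": "arn:aws:iam::111122223333:user/carol"}},
    ]
})


def find_unapproved_region_events(log_text, approved_regions, include_failed=False):
    """Return the mutating CloudTrail events that happened outside approved_regions.

    Read-only calls (readOnly == true) are skipped because they create nothing.
    Calls that failed (errorCode present) created nothing either, so they are skipped
    unless include_failed is set; an attempt in a forbidden region is still worth a look.
    """
    records = json.loads(log_text).get("Records", [])
    findings = []
    for record in records:
        region = record.get("awsRegion")
        if region in approved_regions:
            continue
        if record.get("readOnly", False):
            continue
        if record.get("errorCode") and not include_failed:
            continue
        findings.append({
            "eventTime": record.get("eventTime"),
            "eventName": record.get("eventName"),
            "eventSource": record.get("eventSource"),
            "awsRegion": region,
            "principal": record.get("userIdentity", {}).get("arn"),
            "succeeded": "errorCode" not in record,
        })
    return findings


if __name__ == "__main__":
    for finding in find_unapproved_region_events(SAMPLE_CLOUDTRAIL, APPROVED_REGIONS,
                                                 include_failed=True):
        print(finding)
```

In a deployment this function would run inside a Lambda triggered by the S3 event for each new (gzipped) CloudTrail file, with the findings published to an SNS topic. One caveat when choosing the approved list: global services such as IAM and STS record `awsRegion` as `us-east-1`, so leaving that region out of the approved set produces false positives for every IAM call.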
NEW QUESTION 105
A company needs a forensic-logging solution for hundreds of applications running in Docker on Amazon EC2.
The solution must perform real-time analytics on the logs, must support the replay of messages, and must persist the logs.
Which AWS services should be used to meet these requirements? (Choose two.)
- A. Amazon SQS
- B. Amazon Athena
- C. Amazon Kinesis
- D. Amazon EMR
- E. Amazon Elasticsearch
Answer: C,E
NEW QUESTION 106
An application has a requirement to be resilient across not only Availability Zones within the application's primary region but also be available within another region altogether.
Which of the following supports this requirement for AWS resources that are encrypted by AWS KMS?
- A. Configure the target region's AWS service to communicate with the source region's AWS KMS so that it can decrypt the resource in the target region.
- B. Configure AWS KMS to automatically synchronize the CMK between regions so that it can be used to decrypt the resource in the target region.
- C. Use AWS services that replicate data across regions, and re-wrap the data encryption key created in the source region by using the CMK in the target region so that the target region's CMK can decrypt the database encryption key.
- D. Copy the application's AWS KMS CMK from the source region to the target region so that it can be used to decrypt the resource after it is copied to the target region.
Answer: C
NEW QUESTION 107
A corporate cloud security policy states that communications between the company's VPC and KMS must travel entirely within the AWS network and not use public service endpoints.
Which combination of the following actions MOST satisfies this requirement? (Choose two.)
- A. Remove the VPC internet gateway from the VPC and add a virtual private gateway to the VPC to prevent direct, public internet connectivity.
- B. Use the KMS Import Key feature to securely transfer the AWS KMS key over a VPN.
- C. Create a VPC endpoint for AWS KMS with private DNS enabled.
- D. Add the following condition to the AWS KMS key policy: "aws:SourceIp": "10.0.0.0/16".
- E. Add the aws:sourceVpce condition to the AWS KMS key policy referencing the company's VPC endpoint ID.
Answer: C,E
Explanation:
An IAM policy can deny access to KMS except through your VPC endpoint with the following condition statement:
"Condition": {
"StringNotEquals": {
"aws:sourceVpce": "vpce-0295a3caf8414c94a"
}
}
If you select the Enable Private DNS Name option, the standard AWS KMS DNS hostname (https://kms.<region>.amazonaws.com) resolves to your VPC endpoint.
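The condition block quoted above is the heart of answer E. The Python below is an added example, not part of the original page or of any AWS sample: it builds a complete KMS key policy around that condition and includes a deliberately small evaluator for the two string operators involved, so the behaviour that makes the design work can be checked offline. The endpoint ID is the one quoted in the explanation; the account ID is a placeholder.

```python
from fnmatch import fnmatchcase

# Endpoint ID quoted in the explanation above; the account ID is a placeholder.
VPC_ENDPOINT_ID = "vpce-0295a3caf8414c94a"
ACCOUNT_ID = "111122223333"


def build_kms_key_policy(account_id, vpce_id):
    """Build a KMS key policy that keeps the default root statement and adds an explicit
    Deny for cryptographic operations that did not arrive through the given VPC endpoint.

    The Deny is limited to data-plane actions so that key administration from the
    console or CLI (which never traverses the endpoint) keeps working.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EnableRootPermissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "DenyCryptoOpsOutsideVpcEndpoint",
                "Effect": "Deny",
                "Principal": "*",
                "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                           "kms:GenerateDataKey*"],
                "Resource": "*",
                "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id}},
            },
        ],
    }


def _condition_holds(condition, context):
    """Evaluate the string condition operators used here against a request context.

    Mirrors the IAM rule that matters for this design: when the condition key is
    absent from the request (traffic that did not come through any endpoint),
    StringNotEquals evaluates to true, so the Deny applies.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual != expected:
                    return False
            elif operator == "StringNotEquals":
                if actual == expected:
                    return False
            else:
                raise ValueError(f"condition operator {operator} is not modelled here")
    return True


def is_explicitly_denied(policy, action, context):
    """True if any Deny statement in the policy matches the action and request context.

    Only explicit Deny statements are evaluated; Allow evaluation is out of scope here.
    """
    for statement in policy["Statement"]:
        if statement["Effect"] != "Deny":
            continue
        actions = statement["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if not any(fnmatchcase(action, pattern) for pattern in actions):
            continue
        if _condition_holds(statement.get("Condition", {}), context):
            return True
    return False


if __name__ == "__main__":
    policy = build_kms_key_policy(ACCOUNT_ID, VPC_ENDPOINT_ID)
    for ctx in ({"aws:sourceVpce": VPC_ENDPOINT_ID}, {"aws:sourceVpce": "vpce-other"}, {}):
        print(ctx, "denied" if is_explicitly_denied(policy, "kms:Decrypt", ctx) else "allowed")
```

The design choice worth noting is the absent-key case: a request that reaches KMS over the public endpoint carries no `aws:sourceVpce` at all, and `StringNotEquals` treats a missing key as "not equal", which is exactly why the Deny catches it. The same property also catches AWS services that call KMS on your behalf (for example S3 decrypting an SSE-KMS object), so a production policy usually carves those out with the `aws:ViaAWSService` condition key.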
NEW QUESTION 108
Unapproved changes were previously made to a company's Amazon S3 bucket. A security engineer configured AWS Config to record configuration changes made to the company's S3 buckets. The engineer discovers there are S3 configuration changes being made, but no Amazon SNS notifications are being sent.
The engineer has already checked the configuration of the SNS topic and has confirmed the configuration is valid.
Which combination of steps should the security engineer take to resolve the issue? (Select TWO.)
- A. Assign the AWSConfigRole managed policy to the AWS Config role
- B. Attach the AmazonS3ReadOnlyAccess managed policy to the IAM user.
- C. Configure the S3 bucket ACLs to allow AWS Config to record changes to the buckets.
- D. Configure policies attached to S3 buckets to allow AWS Config to record changes to the buckets.
- E. Verify the security engineer's IAM user has an attached policy that allows all AWS Config actions.
Answer: A,D
NEW QUESTION 109
You are working in the media industry and you have created a web application where users will be able to upload photos they create to your website. This web application must be able to call the S3 API in order to be able to function. Where should you store your API credentials whilst maintaining the maximum level of security?
Please select:
- A. Pass API credentials to the instance using instance userdata.
- B. Don't save your API credentials, instead create a role in IAM and assign this role to an EC2 instance when you first create it.
- C. Save the API credentials to your PHP files.
- D. Save your API credentials in a public Github repository.
Answer: B
Explanation:
Applications must sign their API requests with AWS credentials. Therefore, if you are an application developer, you need a strategy for managing credentials for your applications that run on EC2 instances. For example, you can securely distribute your AWS credentials to the instances, enabling the applications on those instances to use your credentials to sign requests, while protecting your credentials from other users. However, it's challenging to securely distribute credentials to each instance, especially those that AWS creates on your behalf, such as Spot Instances or instances in Auto Scaling groups. You must also be able to update the credentials on each instance when you rotate your AWS credentials.
IAM roles are designed so that your applications can securely make API requests from your instances, without requiring you manage the security credentials that the applications use.
Options A, C and D are invalid because embedding AWS credentials in a production application is not a recommended way of securing access. For more information on IAM Roles, please visit the below URL:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
The correct answer is: Don't save your API credentials. Instead create a role in IAM and assign this role to an EC2 instance when you first create it.
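Options A and C describe the anti-pattern (long-term keys in user data or in the PHP source) that an instance role removes. A defender still wants to catch such keys before they reach production, and the Python below is an added example of that check; it is not part of the original page. The two input samples are constructed, and the key values in them are the placeholder examples AWS uses in its own documentation, not live credentials.

```python
import re

# AWS access key IDs are 20 characters: long-term keys start with AKIA, temporary
# (STS-issued) keys with ASIA. A 40-character secret usually sits next to the word "secret".
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
SECRET_KEY_RE = re.compile(r"(?i)secret[^\n]{0,20}?['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")

# Constructed sample of option C: credentials embedded in the application's PHP code.
SAMPLE_PHP = """<?php
// credentials embedded in application code (the anti-pattern)
$s3 = new S3Client([
    'credentials' => [
        'key'    => 'AKIAIOSFODNN7EXAMPLE',
        'secret' => 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
    ],
]);
"""

# Constructed sample of option A: credentials passed through instance user data.
SAMPLE_USERDATA = """#!/bin/bash
export AWS_ACCESS_KEY_ID=AKIAI44QH8DHBEXAMPLE
export AWS_SECRET_ACCESS_KEY=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
"""


def _mask(value):
    """Keep the first and last four characters so a finding is identifiable but not reusable."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def find_hardcoded_aws_credentials(text, source="<input>"):
    """Scan text line by line and report embedded AWS credentials.

    The report only ever contains masked values, so it does not become a second
    copy of the credential. Access key IDs are tagged as temporary when they carry
    the ASIA prefix; a committed long-term (AKIA) key is the more serious finding.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in ACCESS_KEY_RE.finditer(line):
            key_id = match.group(0)
            findings.append({"source": source, "line": line_no, "kind": "access_key_id",
                             "temporary": key_id.startswith("ASIA"),
                             "masked_value": _mask(key_id)})
        for match in SECRET_KEY_RE.finditer(line):
            findings.append({"source": source, "line": line_no, "kind": "secret_access_key",
                             "masked_value": _mask(match.group(1))})
    return findings


if __name__ == "__main__":
    for name, sample in (("upload.php", SAMPLE_PHP), ("user-data.sh", SAMPLE_USERDATA)):
        for finding in find_hardcoded_aws_credentials(sample, name):
            print(finding)
```

Run it as a pre-commit hook or in CI over the repository and over any user-data templates. The fix for each finding is the one in answer B: drop the keys entirely and let the SDK's default credential chain pick up the instance role from the instance metadata service.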
NEW QUESTION 110
You are building a large-scale confidential documentation web server on AWS and all of the documentation for it will be stored on S3. One of the requirements is that it cannot be publicly accessible from S3 directly, and you will need to use CloudFront to accomplish this. Which of the methods listed below would satisfy the requirements as outlined? Choose an answer from the options below.
Please select:
- A. Create an Identity and Access Management (IAM) user for CloudFront and grant access to the objects in your S3 bucket to that IAM User.
- B. Create individual policies for each bucket the documents are stored in and in that policy grant access to only CloudFront.
- C. Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI.
- D. Create an S3 bucket policy that lists the CloudFront distribution ID as the Principal and the target bucket as the Amazon Resource Name (ARN).
Answer: C
Explanation:
If you want to use CloudFront signed URLs or signed cookies to provide access to objects in your Amazon S3 bucket, you probably also want to prevent users from accessing your Amazon S3 objects using Amazon S3 URLs. If users access your objects directly in Amazon S3, they bypass the controls provided by CloudFront signed URLs or signed cookies, for example, control over the date and time that a user can no longer access your content and control over which IP addresses can be used to access content. In addition, if users access objects both through CloudFront and directly by using Amazon S3 URLs, CloudFront access logs are less useful because they're incomplete.
Option A is invalid because you need to create an Origin Access Identity for CloudFront and not an IAM user. Options C and D are invalid because using policies will not help fulfil the requirement. For more information on Origin Access Identity please see the below link:
http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restrictine-access-to-s3.
The correct answer is: Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI.
NEW QUESTION 111
Your company has just set up a new central server in a VPC. There is a requirement for other teams who have their servers located in different VPCs in the same region to connect to the central server. Which of the below options is best suited to achieve this requirement?
Please select:
- A. None of the above options will work.
- B. Set up VPC peering between the central server VPC and each of the teams' VPCs.
- C. Set up an IPSec Tunnel between the central server VPC and each of the teams' VPCs.
- D. Set up AWS DirectConnect between the central server VPC and each of the teams' VPCs.
Answer: B
Explanation:
A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account within a single region.
Options B and C are invalid because you need to use VPC Peering.
Option D is invalid because VPC Peering is available.
For more information on VPC Peering please see the below link:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-peering.html
The correct answer is: Set up VPC peering between the central server VPC and each of the teams' VPCs.
NEW QUESTION 112
A large corporation is creating a multi-account strategy and needs to determine how its employees should access the AWS Infrastructure.
Which of the following solutions would provide the MOST scalable solution?
- A. Configure the AWS Security Token Service to use Kerberos tokens so that users can use their existing corporate user names and passwords to access AWS resources directly.
- B. Use a centralized account with IAM roles that employees can assume through federation with their existing identity provider. Use cross-account roles to allow the federated users to assume their target role in the resource accounts.
- C. Create dedicated IAM users within each AWS account that employees can assume though federation based upon group membership in their existing identity provider.
- D. Configure the IAM trust policies within each account's role to set up a trust back to the corporation's existing identity provider, allowing users to assume the role based off their SAML token.
Answer: C
NEW QUESTION 113
You need to create a Linux EC2 instance in AWS. Which of the following steps is used to ensure secure authentication to the EC2 instance from a Windows machine? Choose 2 answers from the options given below.
Please select:
- A. Use the private key to log into the instance
- B. Ensure to create a strong password for logging into the EC2 Instance
- C. Create a key pair using PuTTY
- D. Ensure the password is passed securely using SSL
Answer: A,C
Explanation:
The AWS Documentation mentions the following
You can use Amazon EC2 to create your key pair. Alternatively, you could use a third-party tool and then import the public key to Amazon EC2. Each key pair requires a name. Be sure to choose a name that is easy to remember. Amazon EC2 associates the public key with the name that you specify as the key name.
Amazon EC2 stores the public key only, and you store the private key. Anyone who possesses your private key can decrypt login information, so it's important that you store your private keys in a secure place.
Options A and D are incorrect since you should use key pairs for secure access to EC2 Instances. For more information on EC2 key pairs, please refer to the below URL:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html
The correct answers are: Create a key pair using PuTTY. Use the private key to log into the instance.
NEW QUESTION 114
A Security Administrator is configuring an Amazon S3 bucket and must meet the following security requirements:
- Encryption in transit
- Encryption at rest
- Logging of all object retrievals in AWS CloudTrail
Which of the following meet these security requirements? (Choose three.)
- A. Enable a security group for the S3 bucket that allows port 443, but not port 80.
- B. Enable Amazon CloudWatch Logs for the AWS account.
- C. Specify "aws:SecureTransport": "true" within a condition in the S3 bucket policy.
- D. Enable S3 object versioning for the S3 bucket.
- E. Enable API logging of data events for all S3 objects.
- F. Set up default encryption for the S3 bucket.
Answer: B,D,F
NEW QUESTION 115
An Amazon EC2 instance is part of an EC2 Auto Scaling group that is behind an Application Load Balancer (ALB). It is suspected that the EC2 instance has been compromised.
Which steps should be taken to investigate the suspected compromise? (Choose three.)
- A. Add a rule to an AWS WAF to block access to the EC2 instance.
- B. Attach a security group that has restrictive ingress and egress rules to the EC2 instance.
- C. Initiate an Amazon Elastic Block Store volume snapshot of all volumes on the EC2 instance.
- D. Detach the elastic network interface from the EC2 instance.
- E. Disable any Amazon Route 53 health checks associated with the EC2 instance.
- F. De-register the EC2 instance from the ALB and detach it from the Auto Scaling group.
Answer: B,C,F
Explanation:
https://d1.awsstatic.com/whitepapers/aws_security_incident_response.pdf
NEW QUESTION 116
A Security Engineer must enforce the use of only Amazon EC2, Amazon S3, Amazon RDS, Amazon DynamoDB, and AWS STS in specific accounts.
What is a scalable and efficient approach to meet this requirement?



- A. Option B
- B. Option C
- C. Option A
- D. Option D
Answer: D
NEW QUESTION 117
An Amazon S3 bucket is encrypted using an AWS KMS CMK. An IAM user is unable to download objects from the S3 bucket using the AWS Management Console; however, other users can download objects from the S3 bucket.
Which policies should the Security Engineer review and modify to resolve this issue? (Choose three.)
- A. The S3 ACL
- B. The S3 bucket policy
- C. The CMK policy
- D. The VPC endpoint policy
- E. The IAM policy
Answer: B,C,E
Explanation:
Explanation/Reference: https://aws.amazon.com/premiumsupport/knowledge-center/decrypt-kms-encrypted-objects-s3/
NEW QUESTION 118
A company has a forensic logging use case whereby several hundred applications running on Docker on EC2 need to send logs to a central location. The Security Engineer must create a logging solution that is able to perform real-time analytics on the log files, grants the ability to replay events, and persists data.
Which AWS Services, together, can satisfy this use case? (Select two.)
- A. Amazon SQS
- B. Amazon Athena
- C. Amazon Kinesis
- D. Amazon CloudWatch
- E. Amazon Elasticsearch
Answer: C,E
NEW QUESTION 119
A Security Administrator is performing a log analysis as a result of a suspected AWS account compromise. The Administrator wants to analyze suspicious AWS CloudTrail log files but is overwhelmed by the volume of audit logs being generated.
What approach enables the Administrator to search through the logs MOST efficiently?
- A. Enable Amazon S3 event notifications to trigger an AWS Lambda function that sends an email alarm when there are new CloudTrail API entries.
- B. Configure Amazon Athena to read from the CloudTrail S3 bucket and query the logs to examine account activities.
- C. Configure Amazon Macie to classify and discover sensitive data in the Amazon S3 bucket that contains the CloudTrail audit logs.
- D. Implement a "write-only" CloudTrail event filter to detect any modifications to the AWS account resources.
Answer: B
NEW QUESTION 120
A Security Engineer is building a Java application that is running on Amazon EC2. The application communicates with an Amazon RDS instance and authenticates with a user name and password.
Which combination of steps can the Engineer take to protect the credentials and minimize downtime when the credentials are rotated? (Choose two.)
- A. Configure the Java application to catch a connection failure and make a call to AWS Secrets Manager to retrieve updated credentials when the password is rotated. Grant permission to the instance role associated with the EC2 instance to access Secrets Manager.
- B. Configure automatic rotation of credentials in AWS Secrets Manager.
- C. Configure a scheduled job that updates the credential in AWS Systems Manager Parameter Store and notifies the Engineer that the application needs to be restarted.
- D. Have a Database Administrator encrypt the credentials and store the ciphertext in Amazon S3. Grant permission to the instance role associated with the EC2 instance to read the object and decrypt the ciphertext.
- E. Store the credential in an encrypted string parameter in AWS Systems Manager Parameter Store. Grant permission to the instance role associated with the EC2 instance to access the parameter and the AWS KMS key that is used to encrypt it.
Answer: A,B
NEW QUESTION 121
A company's security policy requires that VPC Flow Logs are enabled on all VPCs. A Security Engineer is looking to automate the process of auditing the VPC resources for compliance.
What combination of actions should the Engineer take? (Choose two.)
- A. Create an Amazon CloudWatch Event rule that triggers on events emitted by AWS Config.
- B. Create an AWS Lambda function that determines whether Flow Logs are enabled for a given VPC.
- C. Create an AWS Config configuration item for each VPC in the company AWS account.
- D. Create an AWS Config managed rule with a resource type of AWS::Lambda::Function.
- E. Create an AWS Config custom rule, and associate it with an AWS Lambda function that contains the evaluating logic.
Answer: B,E
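Answers B and E together are a Config custom rule: Config invokes a Lambda function with the changed configuration item, the function looks up the VPC's flow logs and reports COMPLIANT or NON_COMPLIANT back with `put_evaluations`. The Python below is an added example of that function, not part of the original page or of any AWS sample. The Config invocation event and the `describe_flow_logs` response are constructed to match the documented shapes; the VPC ID, flow log ID and result token are placeholders, and the `requiredTrafficType` rule parameter is an assumption of this example.

```python
import json

# Constructed configuration item for the VPC, as AWS Config delivers it inside invokingEvent.
SAMPLE_CONFIG_ITEM = {
    "resourceType": "AWS::EC2::VPC",
    "resourceId": "vpc-0123456789abcdef0",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2021-12-27T10:00:00.000Z",
}

# Constructed Config custom-rule invocation in the shape the Lambda handler receives.
SAMPLE_CONFIG_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": SAMPLE_CONFIG_ITEM,
    }),
    "ruleParameters": json.dumps({"requiredTrafficType": "ALL"}),  # assumed rule parameter
    "resultToken": "placeholder-result-token",
}

# Constructed response in the shape of ec2.describe_flow_logs(...) for that VPC.
SAMPLE_FLOW_LOGS = {
    "FlowLogs": [
        {"FlowLogId": "fl-0123456789abcdef0", "ResourceId": "vpc-0123456789abcdef0",
         "FlowLogStatus": "ACTIVE", "TrafficType": "ALL",
         "LogDestinationType": "cloud-watch-logs"},
    ]
}


def evaluate_vpc_flow_logs(configuration_item, flow_logs_response, required_traffic_type="ALL"):
    """Decide compliance for one configuration item from a describe_flow_logs result."""
    if configuration_item.get("resourceType") != "AWS::EC2::VPC":
        return {"ComplianceType": "NOT_APPLICABLE", "Annotation": "Rule only evaluates VPCs"}
    if configuration_item.get("configurationItemStatus") == "ResourceDeleted":
        return {"ComplianceType": "NOT_APPLICABLE", "Annotation": "VPC has been deleted"}
    vpc_id = configuration_item["resourceId"]
    # Only flow logs attached to this VPC and actually running count.
    active = [fl for fl in flow_logs_response.get("FlowLogs", [])
              if fl.get("ResourceId") == vpc_id and fl.get("FlowLogStatus") == "ACTIVE"]
    if not active:
        return {"ComplianceType": "NON_COMPLIANT",
                "Annotation": f"No active flow log for {vpc_id}"}
    if required_traffic_type and not any(
            fl.get("TrafficType") == required_traffic_type for fl in active):
        return {"ComplianceType": "NON_COMPLIANT",
                "Annotation": f"No flow log on {vpc_id} captures {required_traffic_type} traffic"}
    return {"ComplianceType": "COMPLIANT", "Annotation": f"{len(active)} active flow log(s)"}


def build_evaluations(event, flow_logs_response):
    """Turn a rule invocation plus the flow-log lookup into put_evaluations entries."""
    invoking_event = json.loads(event["invokingEvent"])
    item = invoking_event["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    result = evaluate_vpc_flow_logs(item, flow_logs_response,
                                    params.get("requiredTrafficType", "ALL"))
    return [{
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": result["ComplianceType"],
        "Annotation": result["Annotation"],
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }]


def lambda_handler(event, context):
    """Lambda entry point (needs AWS credentials, so it is not exercised offline)."""
    import boto3  # imported here so the pure evaluation logic above runs without the SDK
    item = json.loads(event["invokingEvent"])["configurationItem"]
    response = boto3.client("ec2").describe_flow_logs(
        Filters=[{"Name": "resource-id", "Values": [item["resourceId"]]}])
    boto3.client("config").put_evaluations(
        Evaluations=build_evaluations(event, response), ResultToken=event["resultToken"])


if __name__ == "__main__":
    print(build_evaluations(SAMPLE_CONFIG_EVENT, SAMPLE_FLOW_LOGS))
```

The evaluation is kept in a function that takes plain dictionaries so it can be unit-tested without AWS; only `lambda_handler` touches the SDK. The function's execution role needs `ec2:DescribeFlowLogs` and `config:PutEvaluations`, and a production rule also has to handle the `OversizedConfigurationItemChangeNotification` and `ScheduledNotification` message types, which this example leaves out.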
NEW QUESTION 122
A large organization is planning to use AWS to host its resources. It has a number of autonomous departments that wish to use AWS. What strategy should be adopted for managing the accounts?
Please select:
- A. Use multiple IAM roles, each group for each department
- B. Use multiple AWS accounts, each account for each department
- C. Use multiple IAM groups, each group for each department
- D. Use multiple VPCs in the account each VPC for each department
Answer: B
Explanation:
A recommendation for this is given in the AWS Security best practices.
Option A is incorrect since this would be applicable for resources in a VPC. Options B and C are incorrect since operationally it would be difficult to manage. For more information on AWS Security best practices please refer to the below URL:
https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf
The correct answer is: Use multiple AWS accounts, each account for each department.
NEW QUESTION 123
A company has deployed a custom DNS server in AWS. The Security Engineer wants to ensure that Amazon EC2 instances cannot use the Amazon-provided DNS.
How can the Security Engineer block access to the Amazon-provided DNS in the VPC?
- A. Add a rule to all network access control lists that deny access to the Amazon DNS IP.
- B. Deny access to the Amazon DNS IP within all security groups.
- C. Add a route to all route tables that black-holes traffic to the Amazon DNS IP.
- D. Disable DNS resolution within the VPC configuration.
Answer: D
Explanation:
Explanation/Reference: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html
Amazon SCS-C01: AWS Certified Security - Specialty Exam Certified Professional salary
The estimated average salaries for the Amazon AWS-Security-Specialty: AWS Certified Security - Specialty exam are listed below:
Country wise:
- Europe: 97000 EURO
- India: 8580000 INR
- United States: 114000 USD
- England: 87200 POUND
Position wise:
- Solutions Architect - Professional: $136,500
Introduction to Amazon AWS-Security-Specialty: AWS Certified Security - Specialty Exam
As businesses shift jobs rapidly into the public cloud, cloud computing has developed from an enticing capacity to a profound business. AWS is considered an industry pioneer and the most experienced provider in the cloud business as a pioneer in ideas and a benchmark among all of its rivals. This transition involves a variety of features to develop, implement, and maintain cloud infrastructure systems. Get accredited AWS systems with all of the qualifications (plus the best performers) that are better tested by one of the most popular cloud computing firms. Across an organization, certification reflects a mutual definition of a network, agreed terminology, and a basic level of cloud expertise that can speed up cloud work evaluation. The following guide includes the AWS Architect-Professional Qualification test, the Professional qualification salary of Amazon AWS-Security-Specialty: AWS Certified Security - Specialty exam, and all facts of the test such as information about AWS certified security - specialty practice exams.
2021 New Test4Sure AWS-Security-Specialty PDF Recently Updated Questions: https://www.test4sure.com/AWS-Security-Specialty-pass4sure-vce.html
Amazon AWS-Security-Specialty DUMPS WITH REAL EXAM QUESTIONS: https://drive.google.com/open?id=1AkYzFDx4DSUWitXTjFT_4kgYnFWSFVxy