AWS-Certified-Security-Specialty Free Practice Test

A startup company is using a single AWS account that has resources in a single AWS Region. A security engineer configures an AWS Cloud Trail trail in the same Region to deliver log files to an Amazon S3 bucket by using the AWS CLI.
Because of expansion, the company adds resources in multiple Regions. The secu-rity engineer notices that the logs from the new Regions are not reaching the S3 bucket.
What should the security engineer do to fix this issue with the LEAST amount of operational overhead?

1. A. Create a new CloudTrail trai
2. B. Select the new Regions where the company added resources.
3. C. Change the S3 bucket to receive notifications to track all actions from all Regions.
4. D. Create a new CloudTrail trail that applies to all Regions.
5. E. Change the existing CloudTrail trail so that it applies to all Regions.

Correct Answer: D
The correct answer is D. Change the existing CloudTrail trail so that it applies to all Regions.
According to the AWS documentation1, you can configure CloudTrail to deliver log files from multiple Regions to a single S3 bucket for a single account. To change an existing single-Region trail to log in all Regions, you must use the AWS CLI and add the --is-multi-region-trail option to the update-trail command2. This will ensure that you log global service events and capture all management event activity in your account.
Option A is incorrect because creating a new CloudTrail trail for each Region will incur additional costs and increase operational overhead. Option B is incorrect because changing the S3 bucket to receive notifications will not affect the delivery of log files from other Regions. Option C is incorrect because creating a new CloudTrail trail that applies to all Regions will result in duplicate log files for the original Region and also incur additional costs.

A company discovers a billing anomaly in its AWS account. A security consultant investigates the anomaly and discovers that an employee who left the company 30 days ago still has access to the account.
The company has not monitored account activity in the past.
The security consultant needs to determine which resources have been deployed or reconfigured by the employee as quickly as possible.
Which solution will meet these requirements?

1. A. In AWS Cost Explorer, filter chart data to display results from the past 30 day
2. B. Export the results to a data tabl
3. C. Group the data table by re-source.
4. D. Use AWS Cost Anomaly Detection to create a cost monito
5. E. Access the detec-tion histor
6. F. Set the time frame to Last 30 day
7. G. In the search area, choose the service category.
8. H. In AWS CloudTrail, filter the event history to display results from the past 30 day
9. I. Create an Amazon Athena table that contains the dat
10. J. Parti-tion the table by event source.
11. K. Use AWS Audit Manager to create an assessment for the past 30 day
12. L. Apply a usage-based framework to the assessmen
13. M. Configure the assessment to as-sess by resource.

Correct Answer: C

A Security Engineer creates an Amazon S3 bucket policy that denies access to all users. A few days later, the Security Engineer adds an additional statement to the bucket policy to allow read-only access to one other employee. Even after updating the policy, the employee still receives an access denied message.
What is the likely cause of this access denial?

1. A. The ACL in the bucket needs to be updated
2. B. The IAM policy does not allow the user to access the bucket
3. C. It takes a few minutes for a bucket policy to take effect
4. D. The allow permission is being overridden by the deny

Correct Answer: D

A company uses SAML federation to grant users access to AWS accounts. A company workload that is in an isolated AWS account runs on immutable infrastructure with no human access to Amazon EC2. The company requires a specialized user known as a break glass user to have access to the workload AWS account and instances in the case of SAML errors. A recent audit discovered that the company did not create the break glass user for the AWS account that contains the workload.
The company must create the break glass user. The company must log any activities of the break glass user and send the logs to a security team.
Which combination of solutions will meet these requirements? (Select TWO.)

1. A. Create a local individual break glass IAM user for the security tea
2. B. Create a trail in AWS CloudTrail that has Amazon CloudWatch Logs turned o
3. C. Use Amazon EventBridge to monitor local user activities.
4. D. Create a break glass EC2 key pair for the AWS accoun
5. E. Provide the key pair to the security tea
6. F. Use AWS CloudTraiI to monitor key pair activit
7. G. Send notifications to the security team by using Amazon Simple Notification Service (Amazon SNS).
8. H. Create a break glass IAM role for the accoun
9. I. Allow security team members to perform the AssumeRoleWithSAML operatio
10. J. Create an AWS Cloud Trail trail that has Amazon CloudWatch Logs turned o
11. K. Use Amazon EventBridge to monitor security team activities.
12. L. Create a local individual break glass IAM user on the operating system level of each workload instance.Configure unrestricted security groups on the instances to grant access to the break glass IAM users.
13. M. Configure AWS Systems Manager Session Manager for Amazon EC2. Configure an AWS Cloud Trail filter based on Session Manage
14. N. Send the results to an Amazon Simple Notification Service (Amazon SNS) topic.

Correct Answer: AE
The combination of solutions that will meet the requirements are:
A. Create a local individual break glass IAM user for the security team. Create a trail in AWS CloudTrail that has Amazon CloudWatch Logs turned on. Use Amazon EventBridge to monitor local user activities. This is a valid solution because it allows the security team to access the workload AWS account and instances using a local IAM user that does not depend on SAML federation. It also enables logging and monitoring of the break glass user activities using AWS CloudTrail, Amazon CloudWatch Logs, and Amazon EventBridge123.
E. Configure AWS Systems Manager Session Manager for Amazon EC2. Configure an AWS CloudTrail filter based on Session Manager. Send the results to an Amazon Simple Notification Service (Amazon SNS) topic. This is a valid solution because it allows the security team to access the workload instances without opening any inbound ports or managing SSH keys or bastion hosts. It also enables logging and notification of the break glass user activities using AWS CloudTrail, Session Manager, and Amazon SNS456.
The other options are incorrect because:
B. Creating a break glass EC2 key pair for the AWS account and providing it to the security team is not a valid solution, because it requires opening inbound ports on the instances and managing SSH keys, which increases the security risk and complexity7.
C. Creating a break glass IAM role for the account and allowing security team members to perform the AssumeRoleWithSAML operation is not a valid solution, because it still depends on SAML federation, which might not work in case of SAML errors8.
D. Creating a local individual break glass IAM user on the operating system level of each workload instance and configuring unrestricted security groups on the instances to grant access to the break glass IAM users is not a valid solution, because it requires opening inbound ports on the instances and managing multiple local users, which increases the security risk and complexity9.
References:
1: Creating an IAM User in Your AWS Account 2: Creating a Trail - AWS CloudTrail 3: Using Amazon EventBridge with AWS CloudTrail 4: Setting up Session Manager - AWS Systems Manager 5: Logging Session Manager sessions - AWS Systems Manager 6: Amazon Simple Notification Service 7: Connecting to your Linux instance using SSH - Amazon Elastic Compute Cloud 8: AssumeRoleWithSAML - AWS Security Token Service 9: IAM Users - AWS Identity and Access Management

A developer at a company uses an SSH key to access multiple Amazon EC2 instances. The company discovers that the SSH key has been posted on a public GitHub repository. A security engineer verifies that the key has not been used recently.
How should the security engineer prevent unauthorized access to the EC2 instances?

1. A. Delete the key pair from the EC2 consol
2. B. Create a new key pair.
3. C. Use the ModifylnstanceAttribute API operation to change the key on any EC2 instance that is using the key.
4. D. Restrict SSH access in the security group to only known corporate IP addresses.
5. E. Update the key pair in any AMI that is used to launch the EC2 instance
6. F. Restart the EC2 instances.

Correct Answer: C
To prevent unauthorized access to the EC2 instances, the security engineer should do the following:
Restrict SSH access in the security group to only known corporate IP addresses. This allows the security engineer to use a virtual firewall that controls inbound and outbound traffic for their EC2 instances, and limit SSH access to only trusted sources.