AWS-Certified-Security-Specialty Free Practice Test

There is a requirement for a company to transfer large amounts of data between IAM and an on-premise location. There is an additional requirement for low latency and high consistency traffic to IAM. Given these requirements how would you design a hybrid architecture? Choose the correct answer from the options below
Please select:

1. A. Provision a Direct Connect connection to an IAM region using a Direct Connect partner.
2. B. Create a VPN tunnel for private connectivity, which increases network consistency and reduces latency.
3. C. Create an iPSec tunnel for private connectivity, which increases network consistency and reduces latency.
4. D. Create a VPC peering connection between IAM and the Customer gateway.

Correct Answer: A
IAM Direct Connect makes it easy to establish a dedicated network connection from your premises to IAM. Using IAM Direct Connect you can establish private connectivity between IAM and your datacenter, office, or colocation environment which in many cases can reduce your network costs, increase bandwidth throughput and provide a more consistent network experience than Internet-based connections.
Options B and C are invalid because these options will not reduce network latency Options D is invalid because this is only used to connect 2 VPC's
For more information on IAM direct connect, just browse to the below URL: https://IAM.amazon.com/directconnect
The correct answer is: Provision a Direct Connect connection to an IAM region using a Direct Connect partner. omit your Feedback/Queries to our Experts

A security engineer needs to develop a process to investigate and respond to po-tential security events on a company's Amazon EC2 instances. All the EC2 in-stances are backed by Amazon Elastic Block Store (Amazon EBS). The company uses AWS Systems Manager to manage all the EC2 instances and has installed Systems Manager Agent (SSM Agent) on all the EC2 instances.
The process that the security engineer is developing must comply with AWS secu-rity best practices and must meet the following requirements:
• A compromised EC2 instance's volatile memory and non-volatile memory must be preserved for forensic purposes.
• A compromised EC2 instance's metadata must be updated with corresponding inci-dent ticket information.
• A compromised EC2 instance must remain online during the investigation but must be isolated to prevent the spread of malware.
• Any investigative activity during the collection of volatile data must be cap-tured as part of the process. Which combination of steps should the security engineer take to meet these re-quirements with the LEAST
operational overhead? (Select THREE.)

1. A. Gather any relevant metadata for the compromised EC2 instanc
2. B. Enable ter-mination protectio
3. C. Isolate the instance by updating the instance's secu-rity groups to restrict acces
4. D. Detach the instance from anyAuto Scaling groups that the instance is a member o
5. E. Deregister the instance from any Elastic Load Balancing (ELB) resources.
6. F. Gather any relevant metadata for the compromised EC2 instanc
7. G. Enable ter-mination protectio
8. H. Move the instance to an isolation subnet that denies all source and destination traffi
9. I. Associate the instance with the subnet to restrict acces
10. J. Detach the instance from any Auto Scaling groups that the instance is a member o
11. K. Deregister the instance from any Elastic Load Balancing (ELB) resources.
12. L. Use Systems Manager Run Command to invoke scripts that collect volatile data.
13. M. Establish a Linux SSH or Windows Remote Desktop Protocol (RDP) session to the compromised EC2 instance to invoke scripts that collect volatile data.
14. N. Create a snapshot of the compromised EC2 instance's EBS volume for follow-up investigation
15. O. Tag the instance with any relevant metadata and inci-dent ticket information.
16. P. Create a Systems Manager State Manager association to generate an EBS vol-ume snapshot of the compromised EC2 instanc
17. Q. Tag the instance with any relevant metadata and incident ticket information.

Correct Answer: ACE

A company deploys a set of standard IAM roles in AWS accounts. The IAM roles are based on job functions within the company. To balance operational efficiency and security, a security engineer implemented AWS Organizations SCPs to restrict access to critical security services in all company accounts.
All of the company's accounts and OUs within AWS Organizations have a default FullAWSAccess SCP that is attached. The security engineer needs to ensure that no one can disable Amazon GuardDuty and AWS Security Hub. The security engineer also must not override other permissions that are granted by IAM policies that are defined in the accounts.
Which SCP should the security engineer attach to the root of the organization to meet these requirements? A)

B)

C)

D)

1. A. Option A
2. B. Option B
3. C. Option C
4. D. Option D

Correct Answer: A

A company maintains an open-source application that is hosted on a public GitHub repository. While creating a new commit to the repository, an engineer uploaded their IAM access key and secret access key. The engineer reported the mistake to a manager, and the manager immediately disabled the access key.
The company needs to assess the impact of the exposed access key. A security engineer must recommend a solution that requires the least possible managerial overhead.
Which solution meets these requirements?

1. A. Analyze an IAM Identity and Access Management (IAM) use report from IAM Trusted Advisor to see when the access key was last used.
2. B. Analyze Amazon CloudWatch Logs for activity by searching for the access key.
3. C. Analyze VPC flow logs for activity by searching for the access key
4. D. Analyze a credential report in IAM Identity and Access Management (IAM) to see when the access key was last used.

Correct Answer: A
To assess the impact of the exposed access key, the security engineer should recommend the following solution:
Analyze an IAM use report from AWS Trusted Advisor to see when the access key was last used. This allows the security engineer to use a tool that provides information about IAM entities and credentials in their account, and check if there was any unauthorized activity with the exposed access key.

A company is running internal microservices on Amazon Elastic Container Service (Amazon ECS) with the Amazon EC2 launch type. The company is using Amazon Elastic Container Registry (Amazon ECR) private repositories.
A security engineer needs to encrypt the private repositories by using AWS Key Management Service (AWS KMS). The security engineer also needs to analyze the container images for any common vulnerabilities and exposures (CVEs).
Which solution will meet these requirements?

1. A. Enable KMS encryption on the existing ECR repositorie
2. B. Install Amazon Inspector Agent from the ECS container instances’ user dat
3. C. Run an assessment with the CVE rules.
4. D. Recreate the ECR repositories with KMS encryption and ECR scanning enable
5. E. Analyze the scan report after the next push of images.
6. F. Recreate the ECR repositories with KMS encryption and ECR scanning enable
7. G. Install AWS Systems Manager Agent on the ECS container instance
8. H. Run an inventory report.
9. I. Enable KMS encryption on the existing ECR repositorie
10. J. Use AWS Trusted Advisor to check the ECS container instances and to verily the findings against a list of current CVEs.

Correct Answer: B