AWS-Certified-Security-Specialty Free Practice Test

- (Exam Topic 1)
A convoys data lake uses Amazon S3 and Amazon Athena. The company's security engineer has been asked to design an encryption solution that meets the company's data protection requirements. The encryption solution must work with Amazon S3 and keys managed by the company. The encryption solution must be protected in a hardware security module that is validated id Federal information Processing Standards (FPS) 140-2 Level 3.
Which solution meets these requirements?

1. A. Use client-side encryption with an AWS KMS customer-managed key implemented with the AWS Encryption SDK
2. B. Use AWS CloudHSM to store the keys and perform cryptographic operations Save the encrypted text inAmazon S3
3. C. Use an AWS KMS customer-managed key that is backed by a custom key store using AWS CloudHSM
4. D. Use an AWS KMS customer-managed key with the bring your own key (BYOK) feature to import a key stored in AWS CloudHSM

Correct Answer: B

- (Exam Topic 2)
A company is using CloudTrail to log all AWS API activity for all regions in all of its accounts. The CISO has asked that additional steps be taken to protect the integrity of the log files.
What combination of steps will protect the log files from intentional or unintentional alteration? Choose 2 answers from the options given below
Please select:

1. A. Create an S3 bucket in a dedicated log account and grant the other accounts write only acces
2. B. Deliver all log files from every account to this S3 bucket.
3. C. Write a Lambda function that queries the Trusted Advisor Cloud Trail check
4. D. Run the function every 10 minutes.
5. E. Enable CloudTrail log file integrity validation
6. F. Use Systems Manager Configuration Compliance to continually monitor the access policies of S3 buckets containing Cloud Trail logs.
7. G. Create a Security Group that blocks all traffic except calls from the CloudTrail servic
8. H. Associate the security group with) all the Cloud Trail destination S3 buckets.

Correct Answer: AC
The AWS Documentation mentions the following
To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it you can use CloudTrail log fill integrity validation. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection.
Option B is invalid because there is no such thing as Trusted Advisor Cloud Trail checks Option D is invalid because Systems Manager cannot be used for this purpose.
Option E is invalid because Security Groups cannot be used to block calls from other services For more information on Cloudtrail log file validation, please visit the below URL:
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-loe-file-validation-intro.htmll For more information on delivering Cloudtrail logs from multiple accounts, please visit the below URL:
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.htm
The correct answers are: Create an S3 bucket in a dedicated log account and grant the other accounts write only access. Deliver all log files from every account to this S3 bucket, Enable Cloud Trail log file integrity validation
Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
A recent security audit found that AWS CloudTrail logs are insufficiently protected from tampering and unauthorized access Which actions must the Security Engineer take to address these audit findings? (Select THREE )

1. A. Ensure CloudTrail log file validation is turned on
2. B. Configure an S3 lifecycle rule to periodically archive CloudTrail logs into Glacier for long-term storage
3. C. Use an S3 bucket with tight access controls that exists m a separate account
4. D. Use Amazon Inspector to monitor the file integrity of CloudTrail log files.
5. E. Request a certificate through ACM and use a generated certificate private key to encrypt CloudTrail log files
6. F. Encrypt the CloudTrail log files with server-side encryption with AWS KMS-managed keys (SSE-KMS)

Correct Answer: ADE

- (Exam Topic 1)
After a recent security audit involving Amazon S3, a company has asked assistance reviewing its S3 buckets to determine whether data is properly secured. The first S3 bucket on the list has the following bucket policy.

Is this bucket policy sufficient to ensure that the data is not publicity accessible?

1. A. Yes, the bucket policy makes the whole bucket publicly accessible despite now the S3 bucket ACL orobject ACLs are configured.
2. B. Yes, none of the data in the bucket is publicity accessible, regardless of how the S3 bucket ACL and object ACLs are configured.
3. C. No, the IAM user policy would need to be examined first to determine whether any data is publicly accessible.
4. D. No, the S3 bucket ACL and object ACLs need to be examined first to determine whether any data is publicly accessible.

Correct Answer: A

- (Exam Topic 3)
A user has enabled versioning on an S3 bucket. The user is using server side encryption for data at Rest. If the user is supplying his own keys for encryption SSE-C, which of the below mentioned statements is true?
Please select:

1. A. The user should use the same encryption key for all versions of the same object
2. B. It is possible to have different encryption keys for different versions of the same object
3. C. AWS S3 does not allow the user to upload his own keys for server side encryption
4. D. The SSE-C does not work when versioning is enabled

Correct Answer: B
anaging your own encryption keys, y
You can encrypt the object and send it across to S3
Option A is invalid because ideally you should use different encryption keys Option C is invalid because you can use you own encryption keys Option D is invalid because encryption works even if versioning is enabled For more information on client side encryption please visit the below Link:
""Keys.html https://docs.aws.ama2on.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
The correct answer is: It is possible to have different encryption keys for different versions of the same object Submit your Feedback/Queries to our Experts