AWS-Certified-Security-Specialty Free Practice Test

- (Exam Topic 1)
A developer is creating an AWS Lambda function that requires environment variables to store connection information and logging settings. The developer is required to use an AWS KMS Customer Master Key (CMK> supplied by the information security department in order to adhere to company standards for securing Lambda environment variables.
Which of the following are required for this configuration to work? (Select TWO.)

1. A. The developer must configure Lambda access to the VPC using the --vpc-config parameter.
2. B. The Lambda function execution role must have the kms:Decrypt- permission added in the AWS IAM policy.
3. C. The KMS key policy must allow permissions for the developer to use the KMS key.
4. D. The AWS IAM policy assigned to the developer must have the kmseGcnerate-DataKcy permission added.
5. E. The Lambda execution role must have the kms:Encrypt permission added in the AWS IAM policy.

Correct Answer: BC

- (Exam Topic 2)
You have just received an email from AWS Support stating that your AWS account might have been compromised. Which of the following steps would you look to carry out immediately. Choose 3 answers from the options below.
Please select:

1. A. Change the root account password.
2. B. Rotate all IAM access keys
3. C. Keep all resources running to avoid disruption
4. D. Change the password for all IAM users.

Correct Answer: ABD
One of the articles from AWS mentions what should be done in such a scenario
If you suspect that your account has been compromised, or if you have received a notification from AWS that the account has been compromised, perform the following tasks:
Change your AWS root account password and the passwords of any IAM users.
Delete or rotate all root and AWS Identity and Access Management (IAM) access keys.
Delete any resources on your account you didn't create, especially running EC2 instances, EC2 spot bids, or IAM users.
Respond to any notifications you received from AWS Support through the AWS Support Center.
Option C is invalid because there could be compromised instances or resources running on your environment. They should be shutdown or stopped immediately.
For more information on the article, please visit the below URL: https://aws.amazon.com/premiumsupport/knowledee-center/potential-account-compromise>
The correct answers are: Change the root account password. Rotate all IAM access keys. Change the password for all IAM users. Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
A System Administrator is unable to start an Amazon EC2 instance in the eu-west-1 Region using an IAM role The same System Administrator is able to start an EC2 instance in the eu-west-2 and eu-west-3 Regions. The AWSSystemAdministrator access policy attached to the System Administrator IAM role allows unconditional access to all AWS services and resources within the account
Which configuration caused this issue?
A) An SCP is attached to the account with the following permission statement:

B)
A permission boundary policy is attached to the System Administrator role with the following permission
statement:

C)
A permission boundary is attached to the System Administrator role with the following permission statement:

D)
An SCP is attached to the account with the following statement:

1. A. Option A
2. B. Option B
3. C. Option C
4. D. Option D

Correct Answer: B

- (Exam Topic 2)
An application running on EC2 instances must use a username and password to access a database. The developer has stored those secrets in the SSM Parameter Store with type SecureString using the default KMS CMK. Which combination of configuration steps will allow the application to access the secrets via the API? Select 2 answers from the options below
Please select:

1. A. Add the EC2 instance role as a trusted service to the SSM service role.
2. B. Add permission to use the KMS key to decrypt to the SSM service role.
3. C. Add permission to read the SSM parameter to the EC2 instance rol
4. D. .
5. E. Add permission to use the KMS key to decrypt to the EC2 instance role
6. F. Add the SSM service role as a trusted service to the EC2 instance role.

Correct Answer: CD
The below example policy from the AWS Documentation is required to be given to the EC2 Instance in order to read a secure string from AWS KMS. Permissions need to be given to the Get Parameter API and the KMS API call to decrypt the secret.
C:\Users\wk\Desktop\mudassar\Untitled.jpg

Option A is invalid because roles can be attached to EC2 and not EC2 roles to SSM Option B is invalid because the KMS key does not need to decrypt the SSM service role.
Option E is invalid because this configuration is valid For more information on the parameter store, please visit the below URL:
https://docs.aws.amazon.com/kms/latest/developerguide/services-parameter-store.htmll
The correct answers are: Add permission to read the SSM parameter to the EC2 instance role., Add permission to use the KMS key to decrypt to the EC2 instance role
Submit your Feedback/Queries to our Experts

- (Exam Topic 2)
An application makes calls to AWS services using the AWS SDK. The application runs on Amazon EC2 instances with an associated IAM role. When the application attempts to access an object within an Amazon S3 bucket; the Administrator receives the following error message: HTTP 403: Access Denied.
Which combination of steps should the Administrator take to troubleshoot this issue? (Select three.)

1. A. Confirm that the EC2 instance's security group authorizes S3 access.
2. B. Verify that the KMS key policy allows decrypt access for the KMS key for this IAM principle.
3. C. Check the S3 bucket policy for statements that deny access to objects.
4. D. Confirm that the EC2 instance is using the correct key pair.
5. E. Confirm that the IAM role associated with the EC2 instance has the proper privileges.
6. F. Confirm that the instance and the S3 bucket are in the same Region.

Correct Answer: BCE