AWS-Certified-Security-Specialty Free Practice Test

- (Exam Topic 2)
A Security Engineer who was reviewing AWS Key Management Service (AWS KMS) key policies found this statement in each key policy in the company AWS account.

What does the statement allow?

1. A. All principals from all AWS accounts to use the key.
2. B. Only the root user from account 111122223333 to use the key.
3. C. All principals from account 111122223333 to use the key but only on Amazon S3.
4. D. Only principals from account 111122223333 that have an IAM policy applied that grants access to this key to use the key.

Correct Answer: D

- (Exam Topic 1)
Users report intermittent availability of a web application hosted on AWS. Monitoring systems report an excess of abnormal network traffic followed by high CPU utilization on the application web tier. Which of the following techniques will improve the availability of the application? (Select TWO.)

1. A. Deploy AWS WAF to block all unsecured web applications from accessing the internet.
2. B. Deploy an Intrusion Detection/Prevention System (IDS/IPS) to monitor or block unusual incoming network traffic.
3. C. Configure security groups to allow outgoing network traffic only from hosts that are protected with up-to-date antivirus software.
4. D. Create Amazon CloudFront distribution and configure AWS WAF rules to protect the web applications from malicious traffic.
5. E. Use the default Amazon VPC for externakfacing systems to allow AWS to actively block malicious network traffic affecting Amazon EC2 instances.

Correct Answer: BD

- (Exam Topic 3)
A company requires that data stored in AWS be encrypted at rest. Which of the following approaches achieve this requirement? Select 2 answers from the options given below.
Please select:

1. A. When storing data in Amazon EBS, use only EBS-optimized Amazon EC2 instances.
2. B. When storing data in EBS, encrypt the volume by using AWS KMS.
3. C. When storing data in Amazon S3, use object versioning and MFA Delete.
4. D. When storing data in Amazon EC2 Instance Store, encrypt the volume by using KMS.
5. E. When storing data in S3, enable server-side encryption.

Correct Answer: BE
The AWS Documentation mentions the following
To create an encrypted Amazon EBS volume, select the appropriate box in the Amazon EBS section of the Amazon EC2 console. You can use a custom customer master key (CMK) by choosing one from the list that appears below the encryption box. If you do not specify a custom CMK, Amazon EBS uses the
AWS-managed CMK for Amazon EBS in your account. If there is no AWS-managed CMK for Amazon EBS in your account, Amazon EBS creates one.
Data protection refers to protecting data while in-transit (as it travels to and from Amazon S3) and at rest (while it is stored on disks in Amazon S3 data centers). You can protect data in transit by using SSL or by using client-side encryption. You have the following options of protecting data at rest in Amazon S3.
• Use Server-Side Encryption - You request Amazon S3 to encrypt your object before saving it on disks in its data centers and decrypt it when you download the objects.
• Use Client-Side Encryption - You can encrypt data client-side and upload the encrypted data to Amazon S3. In this case, you manage the encryption process, the encryption keys, and related tools.
Option A is invalid because using EBS-optimized Amazon EC2 instances alone will not guarantee protection of instances at rest. Option C is invalid because this will not encrypt data at rest for S3 objects. Option D is invalid because you don't store data in Instance store. For more information on EBS encryption, please visit the below URL:
https://docs.aws.amazon.com/kms/latest/developerguide/services-ebs.html For more information on S3 encryption, please visit the below URL: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsinEEncryption.html
The correct answers are: When storing data in EBS, encrypt the volume by using AWS KMS. When storing data in S3, enable server-side encryption.
Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
An application team wants to use AWS Certificate Manager (ACM) to request public certificates to ensure that data is secured in transit. The domains that are being used are not currently hosted on Amazon Route 53
The application team wants to use an AWS managed distribution and caching solution to optimize requests to its systems and provide better points of presence to customers The distribution solution will use a primary domain name that is customized The distribution solution also will use several alternative domain names The certificates must renew automatically over an indefinite period of time
Which combination of steps should the application team take to deploy this architecture? (Select THREE.)

1. A. Request a certificate (torn ACM in the us-west-2 Region Add the domain names that the certificate will secure
2. B. Send an email message to the domain administrators to request vacation of the domains for ACM
3. C. Request validation of the domains for ACM through DNS Insert CNAME records into each domain's DNS zone
4. D. Create an Application Load Balancer for me caching solution Select the newly requested certificate from ACM to be used for secure connections
5. E. Create an Amazon CloudFront distribution for the caching solution Enter the main CNAME record as the Origin Name Enter the subdomain names or alternate names in the Alternate Domain Names Distribution Settings Select the newly requested certificate from ACM to be used for secure connections
6. F. Request a certificate from ACM in the us-east-1 Region Add the domain names that the certificate wil secure

Correct Answer: CDF

- (Exam Topic 3)
A company is building an application on AWS that will store sensitive Information. The company has a support team with access to the IT infrastructure, including databases. The company's security engineer must introduce measures to protect the sensitive data against any data breach while minimizing management overhead. The credentials must be regularly rotated.
What should the security engineer recommend?

1. A. Enable Amazon RDS encryption to encrypt the database and snapshot
2. B. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instance
3. C. Include the database credential in the EC2 user data fiel
4. D. Use an AWS Lambda function to rotate database credential
5. E. Set up TLS for the connection to the database.
6. F. Install a database on an Amazon EC2 Instanc
7. G. Enable third-party disk encryption to encrypt the Amazon Elastic Block Store (Amazon EBS) volum
8. H. Store the database credentials in AWS CloudHSM with automatic rotatio
9. I. Set up TLS for the connection to the database.
10. J. Enable Amazon RDS encryption to encrypt the database and snapshot
11. K. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instance
12. L. Store the database credentials in AWS Secrets Manager with automatic rotatio
13. M. Set up TLS for the connection to the RDS hosted database.
14. N. Set up an AWS CloudHSM cluster with AWS Key Management Service (AWS KMS) to store KMS key
15. O. Set up Amazon RDS encryption using AWS KMS to encrypt the databas
16. P. Store database credentials in the AWS Systems Manager Parameter Store with automatic rotatio
17. Q. Set up TLS for the connection to the RDS hosted database.

Correct Answer: C