AWS-Certified-Security-Specialty Free Practice Test

- (Exam Topic 3)
A company is running an application in The eu-west-1 Region. The application uses an AWS Key Management Service (AWS KMS) CMK to encrypt sensitive data. The company plans to deploy the application in the eu-north-1 Region.
A security engineer needs to implement a key management solution for the application deployment in the new Region. The security engineer must minimize changes to the application code.
Which change should the security engineer make to the AWS KMS configuration to meet these requirements?

1. A. Update the key policies in eu-west-1. Point the application in eu-north-1 to use the same CMK as the application in eu-west-1.
2. B. Allocate a new CMK to eu-north-1 to be used by the application that is deployed in that Region.
3. C. Allocate a new CMK to eu-north-1. Create the same alias name for both key
4. D. Configure the application deployment to use the key alias.
5. E. Allocate a new CMK to eu-north-1. Create an alias for eu-'-1. Change the application code to point to the alias for eu-'-1.

Correct Answer: B

- (Exam Topic 3)
When managing permissions for the API gateway, what can be used to ensure that the right level of permissions are given to developers, IT admins and users? These permissions should be easily managed.
Please select:

1. A. Use the secure token service to manage the permissions for the different users
2. B. Use IAM Policies to create different policies for the different types of users.
3. C. Use the AWS Config tool to manage the permissions for the different users
4. D. Use IAM Access Keys to create sets of keys for the different types of users.

Correct Answer: B
The AWS Documentation mentions the following
You control access to Amazon API Gateway with IAM permissions by controlling access to the following two API Gateway component processes:
* To create, deploy, and manage an API in API Gateway, you must grant the API developer permissions to perform the required actions supported by the API management component of API Gateway.
* To call a deployed API or to refresh the API caching, you must grant the API caller permissions to perform required IAM actions supported by the API execution component of API Gateway.
Option A, C and D are invalid because these cannot be used to control access to AWS services. This needs to be done via policies. For more information on permissions with the API gateway, please visit the following URL:
https://docs.aws.amazon.com/apisateway/latest/developerguide/permissions.html
The correct answer is: Use IAM Policies to create different policies for the different types of users. Submit your Feedback/Queries to our Experts

- (Exam Topic 1)
A security engineer need to ensure their company’s uses of AWS meets AWS security best practices. As part of this, the AWS account root user must not be used for daily work. The root user must be monitored for use, and the Security team must be alerted as quickly as possible if the root user is used. Which solution meets these requirements?

1. A. Set up an Amazon CloudWatch Events rule that triggers an Amazon SNS notification.
2. B. Set up an Amazon CloudWatch Events rule that triggers an Amazon SNS notification logs from S3 and generate notifications using Amazon SNS.
3. C. Set up a rule in AWS config to trigger root user event
4. D. Trigger an AWS Lambda function and generate notifications using Amazon SNS.
5. E. Use Amazon Inspector to monitor the usage of the root user and generate notifications using Amazon SNS

Correct Answer: A

- (Exam Topic 2)
A Security Architect is evaluating managed solutions for storage of encryption keys. The requirements are:
-Storage is accessible by using only VPCs.
-Service has tamper-evident controls.
-Access logging is enabled.
-Storage has high availability.
Which of the following services meets these requirements?

1. A. Amazon S3 with default encryption
2. B. AWS CloudHSM
3. C. Amazon DynamoDB with server-side encryption
4. D. AWS Systems Manager Parameter Store

Correct Answer: B

- (Exam Topic 1)
An external Auditor finds that a company's user passwords have no minimum length. The company is currently using two identity providers:
• AWS IAM federated with on-premises Active Directory
• Amazon Cognito user pools to accessing an AWS Cloud application developed by the company Which combination o1 actions should the Security Engineer take to solve this issue? (Select TWO.)

1. A. Update the password length policy In the on-premises Active Directory configuration.
2. B. Update the password length policy In the IAM configuration.
3. C. Enforce an IAM policy In Amazon Cognito and AWS IAM with a minimum password length condition.
4. D. Update the password length policy in the Amazon Cognito configuration.
5. E. Create an SCP with AWS Organizations that enforces a minimum password length for AWS IAM and Amazon Cognito.

Correct Answer: AD