AWS-Certified-Security-Specialty Free Practice Test

- (Exam Topic 3)
A customer has an instance hosted in the AWS Public Cloud. The VPC and subnet used to host the Instance have been created with the default settings for the Network Access Control Lists. They need to provide an IT Administrator secure access to the underlying instance. How can this be accomplished.
Please select:

1. A. Ensure the Network Access Control Lists allow Inbound SSH traffic from the IT Administrator's Workstation
2. B. Ensure the Network Access Control Lists allow Outbound SSH traffic from the IT Administrator's Workstation
3. C. Ensure that the security group allows Inbound SSH traffic from the IT Administrator's Workstation
4. D. Ensure that the security group allows Outbound SSH traffic from the IT Administrator's Workstation

Correct Answer: C
Options A & B are invalid as default NACL rule will allow all inbound and outbound traffic.
The requirement is that the IT administrator should be able to access this EC2 instance from his workstation. For that we need to enable the Security Group of EC2 instance to allow traffic from the IT administrator's workstation. Hence option C is correct.
Option D is incorrect as we need to enable the Inbound SSH traffic on the EC2 instance Security Group since the traffic originate' , from the IT admin's workstation.
The correct answer is: Ensure that the security group allows Inbound SSH traffic from the IT Administrator's Workstation Submit your Feedback/Queries to our Experts

- (Exam Topic 1)
A company has multiple production AWS accounts. Each account has AWS CloudTrail configured to log to a single Amazon S3 bucket in a central account. Two of the production accounts have trails that are not logging anything to the S3 bucket.
Which steps should be taken to troubleshoot the issue? (Choose three.)

1. A. Verify that the log file prefix is set to the name of the S3 bucket where the logs should go.
2. B. Verify that the S3 bucket policy allows access for CloudTrail from the production AWS account IDs.
3. C. Create a new CloudTrail configuration in the account, and configure it to log to the account’s S3 bucket.
4. D. Confirm in the CloudTrail Console that each trail is active and healthy.
5. E. Open the global CloudTrail configuration in the master account, and verify that the storage location is set to the correct S3 bucket.
6. F. Confirm in the CloudTrail Console that the S3 bucket name is set correctly.

Correct Answer: BDF

- (Exam Topic 3)
Your development team is using access keys to develop an application that has access to S3 and DynamoDB. A new security policy has outlined that the credentials should not be older than 2 months, and should be rotated. How can you achieve this?
Please select:

1. A. Use the application to rotate the keys in every 2 months via the SDK
2. B. Use a script to query the creation date of the key
3. C. If older than 2 months, create new access key and update all applications to use it inactivate the old key and delete it.
4. D. Delete the user associated with the keys after every 2 month
5. E. Then recreate the user again.
6. F. Delete the IAM Role associated with the keys after every 2 month
7. G. Then recreate the IAM Role again.

Correct Answer: B
One can use the CLI command list-access-keys to get the access keys. This command also returns the "CreateDate" of the keys. If the CreateDate is older than 2 months, then the keys can be deleted.
The Returns list-access-keys CLI command returns information about the access key IDs associated with the specified IAM user. If there are none, the action returns an empty list
Option A is incorrect because you might as use a script for such maintenance activities Option C is incorrect because you would not rotate the users themselves
Option D is incorrect because you don't use IAM roles for such a purpose For more information on the CLI command, please refer to the below Link: http://docs.aws.amazon.com/cli/latest/reference/iam/list-access-keys.htmll
The correct answer is: Use a script to query the creation date of the keys. If older than 2 months, create new access key and update all applications to use it inactivate the old key and delete it.
Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
A company needs to retain tog data archives for several years to be compliant with regulations. The tog data is no longer used but It must be retained
What Is the MOST secure and cost-effective solution to meet these requirements?

1. A. Archive the data to Amazon S3 and apply a restrictive bucket policy to deny the s3 DeleteOotect API
2. B. Archive the data to Amazon S3 Glacier and apply a Vault Lock policy
3. C. Archive the data to Amazon S3 and replicate it to a second bucket in a second AWS Region Choose the S3 Standard-Infrequent Access (S3 Standard-1A) storage class and apply a restrictive bucket policy to deny the s3 DeleteObject API
4. D. Migrate the log data to a 16 T8 Amazon Elastic Block Store (Amazon EBS) volume Create a snapshot of the EBS volume

Correct Answer: B

- (Exam Topic 3)
A company manages three separate AWS accounts for its production, development, and test environments, Each Developer is assigned a unique IAM user under the development account. A new application hosted on an Amazon EC2 instance in the developer account requires read access to the archived documents stored in an Amazon S3 bucket in the production account.
How should access be granted?

1. A. Create an IAM role in the production account and allow EC2 instances in the development account toassume that role using the trust polic
2. B. Provide read access for the required S3 bucket to this role.
3. C. Use a custom identity broker to allow Developer IAM users to temporarily access the S3 bucket.
4. D. Create a temporary IAM user for the application to use in the production account.
5. E. Create a temporary IAM user in the production account and provide read access to Amazon S3.Generate the temporary IAM user's access key and secret key and store these on the EC2 instance used by the application in the development account.

Correct Answer: B