AWS-Certified-Security-Specialty Free Practice Test

- (Exam Topic 3)
Which of the following is the responsibility of the customer? Choose 2 answers from the options given below. Please select:

1. A. Management of the Edge locations
2. B. Encryption of data at rest
3. C. Protection of data in transit
4. D. Decommissioning of old storage devices

Correct Answer: BC
Below is the snapshot of the Shared Responsibility Model C:\Users\wk\Desktop\mudassar\Untitled.jpg

For more information on AWS Security best practises, please refer to below URL awsstatic corn/whitepapers/Security/AWS Practices.
The correct answers are: Encryption of data at rest Protection of data in transit Submit your Feedback/Queries to our Experts

- (Exam Topic 1)
A Developer is building a serverless application that uses Amazon API Gateway as the front end. The application will not be publicly accessible. Other legacy applications running on Amazon EC2 will make calls to the application A Security Engineer Has been asked to review the security controls for authentication and authorization of the application
Which combination of actions would provide the MOST secure solution? (Select TWO )

1. A. Configure an IAM policy that allows the least permissive actions to communicate with the API Gateway Attach the policy to the role used by the legacy EC2 instances
2. B. Enable AWS WAF for API Gateway Configure rules to explicitly allow connections from the legacy EC2 instances
3. C. Create a VPC endpoint for API Gateway Attach an IAM resource policy that allows the role of the legacy EC2 instances to call specific APIs
4. D. Create a usage plan Generate a set of API keys for each application that needs to call the API.
5. E. Configure cross-origin resource sharing (CORS) in each API Share the CORS information with the applications that call the API.

Correct Answer: AE

- (Exam Topic 2)
An application outputs logs to a text file. The logs must be continuously monitored for security incidents.
Which design will meet the requirements with MINIMUM effort?

1. A. Create a scheduled process to copy the component’s logs into Amazon S3. Use S3 events to trigger a Lambda function that updates Amazon CloudWatch metrics with the log dat
2. B. Set up CloudWatch alerts based on the metrics.
3. C. Install and configure the Amazon CloudWatch Logs agent on the application’s EC2 instanc
4. D. Create a CloudWatch metric filter to monitor the application log
5. E. Set up CloudWatch alerts based on the metrics.
6. F. Create a scheduled process to copy the application log files to AWS CloudTrai
7. G. Use S3 events to trigger Lambda functions that update CloudWatch metrics with the log dat
8. H. Set up CloudWatch alerts based on the metrics.
9. I. Create a file watcher that copies data to Amazon Kinesis when the application writes to the log file.Have Kinesis trigger a Lambda function to update Amazon CloudWatch metrics with the log dat
10. J. Set up CloudWatch alerts based on the metrics.

Correct Answer: B
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/QuickStartEC2Instance.html

- (Exam Topic 3)
Your developer is using the KMS service and an assigned key in their Java program. They get the below error when running the code arn:aws:iam::113745388712:user/UserB is not authorized to perform: kms:DescribeKey Which of the following could help resolve the issue?
Please select:

1. A. Ensure that UserB is given the right IAM role to access the key
2. B. Ensure that UserB is given the right permissions in the IAM policy
3. C. Ensure that UserB is given the right permissions in the Key policy
4. D. Ensure that UserB is given the right permissions in the Bucket policy

Correct Answer: C
You need to ensure that UserB is given access via the Key policy for the Key C:\Users\wk\Desktop\mudassar\Untitled.jpg

Option is invalid because you don't assign roles to IAM users
For more information on Key policies please visit the below Link: https://docs.aws.amazon.com/kms/latest/developerguide/key-poli
The correct answer is: Ensure that UserB is given the right permissions in the Key policy

- (Exam Topic 3)
Your CTO thinks your AWS account was hacked. What is the only way to know for certain if there was unauthorized access and what they did, assuming your hackers are very sophisticated AWS engineers and doing everything they can to cover their tracks?
Please select:

1. A. Use CloudTrail Log File Integrity Validation.
2. B. Use AWS Config SNS Subscriptions and process events in real time.
3. C. Use CloudTrail backed up to AWS S3 and Glacier.
4. D. Use AWS Config Timeline forensics.

Correct Answer: A
The AWS Documentation mentions the following
To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it you can use CloudTrail log file integrity validation. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection. You can use the AWS CLI to validate the files in the location where CloudTrail delivered them
Validated log files are invaluable in security and forensic investigations. For example, a validated log file enables you to assert positively that the log file itself has not changed, or that particular user credentials performed specific API activity. The CloudTrail log file integrity validation process also lets you know if a log file has been deleted or changed, or assert positively that no log files were delivered to your account during a given period of time.
Options B.C and D is invalid because you need to check for log File Integrity Validation for cloudtrail logs
For more information on Cloudtrail log file validation, please visit the below URL: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html The correct answer is: Use CloudTrail Log File Integrity Validation.
omit your Feedback/Queries to our Expert