AWS-Certified-Security-Specialty Free Practice Test

- (Exam Topic 2)
During a recent internal investigation, it was discovered that all API logging was disabled in a production account, and the root user had created new API keys that appear to have been used several times.
What could have been done to detect and automatically remediate the incident?

1. A. Using Amazon Inspector, review all of the API calls and configure the inspector agent to leverage SNS topics to notify security of the change to AWS CloudTrail, and revoke the new API keys for the root user.
2. B. Using AWS Config, create a config rule that detects when AWS CloudTrail is disabled, as well as any calls to the root user create-api-ke
3. C. Then use a Lambda function to re-enable CloudTrail logs and deactivate the root API keys.
4. D. Using Amazon CloudWatch, create a CloudWatch event that detects AWS CloudTrail deactivation and a separate Amazon Trusted Advisor check to automatically detect the creation of root API key
5. E. Then use a Lambda function to enable AWS CloudTrail and deactivate the root API keys.
6. F. Using Amazon CloudTrail, create a new CloudTrail event that detects the deactivation of CloudTrail logs, and a separate CloudTrail event that detects the creation of root API key
7. G. Then use a Lambda function to enable CloudTrail and deactivate the root API keys.

Correct Answer: B
https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-enabled.html https://docs.aws.amazon.com/config/latest/developerguide/iam-root-access-key-check.html

- (Exam Topic 3)
A company uses a third-party application to store encrypted data in Amazon S3. The company uses another third-party application trial decrypts the data from Amazon S3 to ensure separation of duties Between the applications A Security Engineer warns to separate the permissions using IAM roles attached to Amazon EC2 instances. The company prefers to use native AWS services.
Which encryption method will meet these requirements?

1. A. Use encrypted Amazon EBS volumes with Amazon default keys (AWS EBS)
2. B. Use server-side encryption with customer-provided keys (SSE-C)
3. C. Use server-side encryption with AWS KMS managed keys (SSE-KMS)
4. D. Use server-side encryption with Amazon S3 managed keys (SSE-S3)

Correct Answer: C

- (Exam Topic 3)
A company's Security Team received an email notification from the Amazon EC2 Abuse team that one or more of the company's Amazon EC2 instances may have been compromised
Which combination of actions should the Security team take to respond to (be current modem? (Select TWO.)

1. A. Open a support case with the AWS Security team and ask them to remove the malicious code from the affected instance
2. B. Respond to the notification and list the actions that have been taken to address the incident
3. C. Delete all IAM users and resources in the account
4. D. Detach the internet gateway from the VPC remove aft rules that contain 0.0.0.0V0 from the security groups, and create a NACL rule to deny all traffic Inbound from the internet
5. E. Delete the identified compromised instances and delete any associated resources that the Security team did not create.

Correct Answer: DE

- (Exam Topic 2)
An Amazon EC2 instance is part of an EC2 Auto Scaling group that is behind an Application Load Balancer (ALB). It is suspected that the EC2 instance has been compromised.
Which steps should be taken to investigate the suspected compromise? (Choose three.)

1. A. Detach the elastic network interface from the EC2 instance.
2. B. Initiate an Amazon Elastic Block Store volume snapshot of all volumes on the EC2 instance.
3. C. Disable any Amazon Route 53 health checks associated with the EC2 instance.
4. D. De-register the EC2 instance from the ALB and detach it from the Auto Scaling group.
5. E. Attach a security group that has restrictive ingress and egress rules to the EC2 instance.
6. F. Add a rule to an AWS WAF to block access to the EC2 instance.

Correct Answer: BDE
https://d1.awsstatic.com/whitepapers/aws_security_incident_response.pdf

- (Exam Topic 3)
A company has developed a new Amazon RDS database application. The company must secure the ROS database credentials for encryption in transit and encryption at rest. The company also must rotate the credentials automatically on a regular basis.
Which solution meets these requirements?

1. A. Use AWS Systems Manager Parameter Store to store the database credentiai
2. B. Configure automatic rotation of the credentials.
3. C. Use AWS Secrets Manager to store the database credential
4. D. Configure automat* rotation of the credentials
5. E. Store the database credentials in an Amazon S3 bucket that is configured with server-side encryption with S3 managed encryption keys (SSE-S3) Rotate the credentials with 1AM database authentication.
6. F. Store the database credentials m Amazon S3 Glacier, and use S3 Glacier Vault Lock Configure an AWS Lambda function to rotate the credentials on a scheduled basts

Correct Answer: A