AWS-Certified-Security-Specialty Free Practice Test

- (Exam Topic 2)
A company wants to have an Intrusion detection system available for their VPC in AWS. They want to have complete control over the system. Which of the following would be ideal to implement?
Please select:

1. A. Use AWS WAF to catch all intrusions occurring on the systems in the VPC
2. B. Use a custom solution available in the AWS Marketplace
3. C. Use VPC Flow logs to detect the issues and flag them accordingly.
4. D. Use AWS Cloudwatch to monitor all traffic

Correct Answer: B
Sometimes companies want to have custom solutions in place for monitoring Intrusions to their systems. In such a case, you can use the AWS Marketplace for looking at custom solutions.
C:\Users\wk\Desktop\mudassar\Untitled.jpg

Option A.C and D are all invalid because they cannot be used to conduct intrusion detection or prevention. For more information on using custom security solutions please visit the below URL https://d1.awsstatic.com/Marketplace/security/AWSMP_Security_Solution 0verview.pdf
For more information on using custom security solutions please visit the below URL: https://d1 .awsstatic.com/Marketplace/security/AWSMP Security Solution Overview.pd1
The correct answer is: Use a custom solution available in the AWS Marketplace Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
A company is using AWS Organizations to develop a multi-account secure networking strategy. The company plans to use separate centrally managed accounts for shared services, auditing, and security inspection. The company plans to provide dozens of additional accounts to application owners for production and development environments.
Company security policy requires that all internet traffic be routed through a centrally managed security inspection layer in the security inspection account. A security engineer must recommend a solution that minimizes administrative overhead and complexity.
Which solution meets these requirements?

1. A. Use AWS Control Towe
2. B. Modify the default Account Factory networking template to automatically associate new accounts with a centrally managed VPC through a VPC peering connection and to create a default route to the VPC peer in the default route tabl
3. C. Create an SCP that denies the CreatelnternetGateway actio
4. D. Attach the SCP to all accounts except the security inspection account.
5. E. Create a centrally managed VPC in the security inspection accoun
6. F. Establish VPC peering connections between the security inspection account and other account
7. G. Instruct account owners to create default routes in their account route tables that point to the VPC pee
8. H. Create an SCP that denies theAttach InternetGateway actio
9. I. Attach the SCP to all accounts except the security inspection account.
10. J. Use AWS Control Towe
11. K. Modify the default Account Factory networking template to automatically associate new accounts with a centrally managed transitgateway and to create a default route to the transit gateway in the default route tabl
12. L. Create an SCP that denies the AttachlnternetGateway actio
13. M. Attach the SCP to all accounts except the security inspection account.
14. N. Enable AWS Resource Access Manager (AWS RAM) for AWS Organization
15. O. Create a shared transit gateway, and make it available by using an AWS RAM resource shar
16. P. Create an SCP that denies the CreatelnternetGateway actio
17. Q. Attach the SCP to all accounts except the security inspection accoun
18. R. Create routes in the route tables of all accounts that point to the shared transit gateway.

Correct Answer: C

- (Exam Topic 3)
You currently have an S3 bucket hosted in an AWS Account. It holds information that needs be accessed by a partner account. Which is the MOST secure way to allow the partner account to access the S3 bucket in your account? Select 3 options.
Please select:

1. A. Ensure an IAM role is created which can be assumed by the partner account.
2. B. Ensure an IAM user is created which can be assumed by the partner account.
3. C. Ensure the partner uses an external id when making the request
4. D. Provide the ARN for the role to the partner account
5. E. Provide the Account Id to the partner account
6. F. Provide access keys for your account to the partner account

Correct Answer: ACD
Option B is invalid because Roles are assumed and not IAM users
Option E is invalid because you should not give the account ID to the partner Option F is invalid because you should not give the access keys to the partner
The below diagram from the AWS documentation showcases an example on this wherein an IAM role and external ID is us> access an AWS account resources
C:\Users\wk\Desktop\mudassar\Untitled.jpg

For more information on creating roles for external ID'S please visit the following URL:
The correct answers are: Ensure an IAM role is created which can be assumed by the partner account. Ensure the partner uses an external id when making the request Provide the ARN for the role to the partner account
Submit your Feedback/Queries to our Experts

- (Exam Topic 2)
AWS CloudTrail is being used to monitor API calls in an organization. An audit revealed that CloudTrail is failing to deliver events to Amazon S3 as expected.
What initial actions should be taken to allow delivery of CloudTrail events to S3? (Select two.)

1. A. Verify that the S3 bucket policy allow CloudTrail to write objects.
2. B. Verify that the IAM role used by CloudTrail has access to write to Amazon CloudWatch Logs.
3. C. Remove any lifecycle policies on the S3 bucket that are archiving objects to Amazon Glacier.
4. D. Verify that the S3 bucket defined in CloudTrail exists.
5. E. Verify that the log file prefix defined in CloudTrail exists in the S3 bucket.

Correct Answer: BD
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html

- (Exam Topic 2)
A company has complex connectivity rules governing ingress, egress, and communications between Amazon EC2 instances. The rules are so complex that they cannot be implemented within the limits of the maximum number of security groups and network access control lists (network ACLs).
What mechanism will allow the company to implement all required network rules without incurring additional cost?

1. A. Configure AWS WAF rules to implement the required rules.
2. B. Use the operating system built-in, host-based firewall to implement the required rules.
3. C. Use a NAT gateway to control ingress and egress according to the requirements.
4. D. Launch an EC2-based firewall product from the AWS Marketplace, and implement the required rules in that product.

Correct Answer: B