AWS-Certified-Security-Specialty Free Practice Test

- (Exam Topic 2)
An AWS Lambda function was misused to alter data, and a Security Engineer must identify who invoked the function and what output was produced. The Engineer cannot find any logs created by the Lambda function in Amazon CloudWatch Logs.
Which of the following explains why the logs are not available?

1. A. The execution role for the Lambda function did not grant permissions to write log data to CloudWatch Logs.
2. B. The Lambda function was executed by using Amazon API Gateway, so the logs are not stored in CloudWatch Logs.
3. C. The execution role for the Lambda function did not grant permissions to write to the Amazon S3 bucket where CloudWatch Logs stores the logs.
4. D. The version of the Lambda function that was executed was not current.

Correct Answer: A

- (Exam Topic 1)
A company Is building a data lake on Amazon S3. The data consists of millions of small files containing sensitive information. The security team has the following requirements for the architecture:
• Data must be encrypted in transit.
• Data must be encrypted at rest.
• The bucket must be private, but if the bucket is accidentally made public, the data must remain confidential. Which combination of steps would meet the requirements? (Select THREE.)

1. A. Enable AES-256 encryption using server-side encryption with Amazon S3-managed encryption keys (SSE-S3) on the S3 bucket
2. B. Enable default encryption with server-side encryption with AWS KMS-managed keys (SSE-KMS) on the S3 bucket.
3. C. Add a bucket policy that includes a deny if a PutObject request does not include awsiSecureTcanspoct.
4. D. Add a bucket policy with ws: Sourcelpto Allow uploads and downloads from the corporate intranet only.
5. E. Add a bucket policy that includes a deny if a PutObject request does not include s3:x-amz-sairv9r-side-enctyption: "aws: kms".
6. F. Enable Amazon Macie to monitor and act on changes to the data lake's S3 bucket.

Correct Answer: BDF

- (Exam Topic 1)
A city is implementing an election results reporting website that will use Amazon GoudFront The website runs on a fleet of Amazon EC2 instances behind an Application Load Balancer (ALB) in an Auto Scaling group. Election results are updated hourly and are stored as .pdf tiles in an Amazon S3 bucket. A Security Engineer needs to ensure that all external access to the website goes through CloudFront.
Which solution meets these requirements?

1. A. Create an IAM role that allows CloudFront to access the specific S3 bucke
2. B. Modify the S3 bucket policy to allow only the new IAM role to access its content
3. C. Create an interface VPC endpoint for CloudFront to securely communicate with the ALB.
4. D. Create an IAM role that allows CloudFront to access the specific S3 bucke
5. E. Modify the S3 bucket policy to allow only the new IAM role to access its content
6. F. Associate the ALB with a security group that allows only incoming traffic from the CloudFront service to communicate with the ALB.
7. G. Create an origin access identity (OAI) in CloudFron
8. H. Modify the S3 bucket policy to allow only the new OAI to access the bucket content
9. I. Create an interface VPC endpoint for CloudFront to securely communicate with the ALB.
10. J. Create an origin access identity (OAI) in CloudFron
11. K. Modify the S3 bucket policy to allow only the new OAI to access the bucket content
12. L. Associate the ALB with a security group that allows onlyincoming traffic from the CloudFront service to communicate with the ALB.

Correct Answer: C

- (Exam Topic 3)
Your company has a hybrid environment, with on-premise servers and servers hosted in the AWS cloud. They are planning to use the Systems Manager for patching servers. Which of the following is a pre-requisite for this to work;
Please select:

1. A. Ensure that the on-premise servers are running on Hyper-V.
2. B. Ensure that an IAM service role is created
3. C. Ensure that an IAM User is created
4. D. Ensure that an IAM Group is created for the on-premise servers

Correct Answer: B
You need to ensure that an IAM service role is created for allowing the on-premise servers to communicate with the AWS Systems Manager.
Option A is incorrect since it is not necessary that servers should only be running Hyper-V Options C and D are incorrect since it is not necessary that IAM users and groups are created For more information on the Systems Manager role please refer to the below URL: com/systems-rnanaeer/latest/usereuide/sysman-!
The correct answer is: Ensure that an IAM service role is created Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
A web application runs in a VPC on EC2 instances behind an ELB Application Load Balancer. The application stores data in an RDS MySQL DB instance. A Linux bastion host is used to apply schema updates to the database - administrators connect to the host via SSH from a corporate workstation. The following security groups are applied to the infrastructure
* sgLB - associated with the ELB
* sgWeb - associated with the EC2 instances.
* sgDB - associated with the database
* sgBastion - associated with the bastion host Which security group configuration will allow the application to be secure and functional?
Please select:

1. A. sgLB :allow port 80 and 443 traffic from 0.0.0.0/0 sgWeb :allow port 80 and 443 traffic from 0.0.0.0/0 sgDB :allow port 3306 traffic from sgWeb and sgBastionsgBastion: allow port 22 traffic from the corporate IP address range
2. B. sgLB :aIlow port 80 and 443 traffic from 0.0.0.0/0 sgWeb :allow port 80 and 443 traffic from sgLB sgDB :allow port 3306 traffic from sgWeb and sgLBsgBastion: allow port 22 traffic from the VPC IP address range
3. C. sgLB :allow port 80 and 443 traffic from 0.0.0.0/0 sgWeb :allow port 80 and 443 traffic from sgLBsgDB :allow port 3306 traffic from sgWeb and sgBastion sgBastion: allow port 22 traffic from the VPC IP address range
4. D. sgLB :allow port 80 and 443 traffic from 0.0.0.0/0 sgWeb :allow port 80 and 443 traffic from sgLBsgDB :al!ow port 3306 traffic from sgWeb and sgBastion sgBastion: allow port 22 traffic from the corporate IP address range

Correct Answer: D
The Load Balancer should accept traffic on ow port 80 and 443 traffic from 0.0.0.0/0 The backend EC2 Instances should accept traffic from the Load Balancer
The database should allow traffic from the Web server
And the Bastion host should only allow traffic from a specific corporate IP address range Option A is incorrect because the Web group should only allow traffic from the Load balancer For more information on AWS Security Groups, please refer to below URL: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/usins-network-security.htmll
The correct answer is: sgLB :allow port 80 and 443 traffic from 0.0.0.0/0 sgWeb :allow port 80 and 443 traffic from sgLB
sgDB :allow port 3306 traffic from sgWeb and sgBastion
sgBastion: allow port 22 traffic from the corporate IP address range Submit your Feedback/Queries to our Experts