AWS-Certified-Security-Specialty Free Practice Test

- (Exam Topic 3)
Your company hosts a large section of EC2 instances in AWS. There are strict security rules governing the EC2 Instances. During a potential security breach , you need to ensure quick investigation of the underlying EC2 Instance. Which of the following service can help you quickly provision a test environment to look into the breached instance.
Please select:

1. A. AWS Cloudwatch
2. B. AWS Cloudformation
3. C. AWS Cloudtrail
4. D. AWS Config

Correct Answer: B
The AWS Security best practises mentions the following
Unique to AWS, security practitioners can use CloudFormation to quickly create a new, trusted environment in which to conduct deeper investigation. The CloudFormation template can pre-configure instances in an isolated environment that contains all the necessary tools forensic teams need to determine the cause of the incident This cuts down on the time it takes to gather necessary tools, isolates systems under examination, and ensures that the team is operating in a clean room.
Option A is incorrect since this is a logging service and cannot be used to provision a test environment Option C is incorrect since this is an API logging service and cannot be used to provision a test environment Option D is incorrect since this is a configuration service and cannot be used to provision a test environment For more information on AWS Security best practises, please refer to below URL: https://d1.awsstatic.com/whitepapers/architecture/AWS-Security-Pillar.pd1
The correct answer is: AWS Cloudformation Submit your Feedback/Queries to our Experts

- (Exam Topic 2)
A company uses user data scripts that contain sensitive information to bootstrap Amazon EC2 instances. A Security Engineer discovers that this sensitive information is viewable by people who should not have access to it.
What is the MOST secure way to protect the sensitive information used to bootstrap the instances?

1. A. Store the scripts in the AMI and encrypt the sensitive data using AWS KMS Use the instance role profile to control access to the KMS keys needed to decrypt the data.
2. B. Store the sensitive data in AWS Systems Manager Parameter Store using the encrypted string parameter and assign the GetParameters permission to the EC2 instance role.
3. C. Externalize the bootstrap scripts in Amazon S3 and encrypt them using AWS KM
4. D. Remove the scripts from the instance and clear the logs after the instance is configured.
5. E. Block user access of the EC2 instance's metadata service using IAM policie
6. F. Remove all scripts and clear the logs after execution.

Correct Answer: B

- (Exam Topic 3)
A company's application team wants to replace an internal application with a new AWS architecture that consists of Amazon EC2 instances, an AWS Lambda function, and an Amazon S3 bucket in a single AWS Region. After an architecture review, the security team mandates that no application network traffic can traverse the public internet at any point. The security team already has an SCP in place for the company's organization in AWS Organizations to restrict the creation of internet gateways. NAT gateways, and egress-only gateways.
Which combination of steps should the application team take to meet these requirements? (Select THREE.)

1. A. Create an S3 endpoint that has a full-access policy for the application's VPC.
2. B. Create an S3 access point for the S3 bucke
3. C. Include a policy that restricts the network origin to VPCs.
4. D. Launch the Lambda functio
5. E. Enable the block public access configuration.
6. F. Create a security group that has an outbound rule over port 443 with a destination of the S3 endpomt.Associate the security group with the EC2 instances.
7. G. Create a security group that has an outbound rule over port 443 with a destination of the S3 access point.Associate the security group with the EC2 instances.
8. H. Launch the Lambda function in a VPC.

Correct Answer: ADF

- (Exam Topic 3)
A company has a set of resources defined in AWS. It is mandated that all API calls to the resources be monitored. Also all API calls must be stored for lookup purposes. Any log data greater than 6 months must be archived. Which of the following meets these requirements? Choose 2 answers from the options given below. Each answer forms part of the solution.
Please select:

1. A. Enable CloudTrail logging in all accounts into S3 buckets
2. B. Enable CloudTrail logging in all accounts into Amazon Glacier
3. C. Ensure a lifecycle policy is defined on the S3 bucket to move the data to EBS volumes after 6 months.
4. D. Ensure a lifecycle policy is defined on the S3 bucket to move the data to Amazon Glacier after 6 months.

Correct Answer: AD
Cloudtrail publishes the trail of API logs to an S3 bucket
Option B is invalid because you cannot put the logs into Glacier from CloudTrail
Option C is invalid because lifecycle policies cannot be used to move data to EBS volumes For more information on Cloudtrail logging, please visit the below URL: https://docs.aws.amazon.com/awscloudtrail/latest/usereuide/cloudtrail-find-log-files.htmll
You can then use Lifecycle policies to transfer data to Amazon Glacier after 6 months For more information on S3 lifecycle policies, please visit the below URL:
https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html
The correct answers are: Enable CloudTrail logging in all accounts into S3 buckets. Ensure a lifecycle policy is defined on the bucket to move the data to Amazon Glacier after 6 months.
Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
You are planning on hosting a web application on AWS. You create an EC2 Instance in a public subnet. This instance needs to connect to an EC2 Instance that will host an Oracle database. Which of the following steps should be followed to ensure a secure setup is in place? Select 2 answers.
Please select:

1. A. Place the EC2 Instance with the Oracle database in the same public subnet as the Web server for faster communication
2. B. Place the EC2 Instance with the Oracle database in a separate private subnet
3. C. Create a database security group and ensure the web security group to allowed incoming access
4. D. Ensure the database security group allows incoming traffic from 0.0.0.0/0

Correct Answer: BC
The best secure option is to place the database in a private subnet. The below diagram from the AWS Documentation shows this setup. Also ensure that access is not allowed from all sources but just from the web servers.
C:\Users\wk\Desktop\mudassar\Untitled.jpg

Option A is invalid because databases should not be placed in the public subnet
Option D is invalid because the database security group should not allow traffic from the internet For more information on this type of setup, please refer to the below URL:
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuideA/PC Scenario2.
The correct answers are: Place the EC2 Instance with the Oracle database in a separate private subnet Create a database security group and ensure the web security group to allowed incoming access
Submit your Feedback/Queries to our Experts