AWS-Certified-Security-Specialty Free Practice Test

- (Exam Topic 3)
Your company has a requirement to work with a DynamoDB table. There is a security mandate that all data should be encrypted at rest. What is the easiest way to accomplish this for DynamoDB.
Please select:

1. A. Use the AWS SDK to encrypt the data before sending it to the DynamoDB table
2. B. Encrypt the DynamoDB table using KMS during its creation
3. C. Encrypt the table using AWS KMS after it is created
4. D. Use S3 buckets to encrypt the data before sending it to DynamoDB

Correct Answer: B
The most easiest option is to enable encryption when the DynamoDB table is created. The AWS Documentation mentions the following
Amazon DynamoDB offers fully managed encryption at rest. DynamoDB encryption at rest provides enhanced security by encrypting your data at rest using an AWS Key Management Service (AWS KMS) managed encryption key for DynamoDB. This functionality eliminates the operational burden and complexity involved in protecting sensitive data.
Option A is partially correct, you can use the AWS SDK to encrypt the data, but the easier option would be to encrypt the table before hand.
Option C is invalid because you cannot encrypt the table after it is created
Option D is invalid because encryption for S3 buckets is for the objects in S3 only.
For more information on securing data at rest for DynamoDB please refer to below URL: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.htmll The correct answer is: Encrypt the DynamoDB table using KMS during its creation Submit your
Feedback/Queries to our Experts

- (Exam Topic 2)
An application uses Amazon Cognito to manage end users’ permissions when directly accessing AWS resources, including Amazon DynamoDB. A new feature request reads as follows:
Provide a mechanism to mark customers as suspended pending investigation or suspended permanently. Customers should still be able to log in when suspended, but should not be able to make changes.
The priorities are to reduce complexity and avoid potential for future security issues. Which approach will meet these requirements and priorities?

1. A. Create a new database field “suspended_status” and modify the application logic to validate that field when processing requests.
2. B. Add suspended customers to second Cognito user pool and update the application login flow to check both user pools.
3. C. Use Amazon Cognito Sync to push out a “suspension_status” parameter and split the lAM policy into normal users and suspended users.
4. D. Move suspended customers to a second Cognito group and define an appropriate IAM access policy for the group.

Correct Answer: D
https://aws.amazon.com/blogs/aws/new-amazon-cognito-groups-and-fine-grained-role-based-access-control-2/

- (Exam Topic 3)
An EC2 Instance hosts a Java based application that access a DynamoDB table. This EC2 Instance is currently serving production based users. Which of the following is a secure way of ensuring that the EC2 Instance access the Dynamo table
Please select:

1. A. Use IAM Roles with permissions to interact with DynamoDB and assign it to the EC2 Instance
2. B. Use KMS keys with the right permissions to interact with DynamoDB and assign it to the EC2 Instance
3. C. Use IAM Access Keys with the right permissions to interact with DynamoDB and assign it to the EC2 Instance
4. D. Use IAM Access Groups with the right permissions to interact with DynamoDB and assign it to the EC2 Instance

Correct Answer: A
To always ensure secure access to AWS resources from EC2 Instances, always ensure to assign a Role to the EC2 Instance Option B is invalid because KMS keys are not used as a mechanism for providing EC2 Instances access to AWS services. Option C is invalid Access keys is not a safe mechanism for providing EC2 Instances access to AWS services. Option D is invalid because there is no way access groups can be assigned to EC2 Instances. For more information on IAM Roles, please refer to the below URL:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id roles.html
The correct answer is: Use IAM Roles with permissions to interact with DynamoDB and assign it to the EC2 Instance Submit your Feedback/Queries to our Experts

- (Exam Topic 2)
During a security event, it is discovered that some Amazon EC2 instances have not been sending Amazon CloudWatch logs.
Which steps can the Security Engineer take to troubleshoot this issue? (Select two.)

1. A. Connect to the EC2 instances that are not sending the appropriate logs and verify that the CloudWatch Logs agent is running.
2. B. Log in to the AWS account and select CloudWatch Log
3. C. Check for any monitored EC2 instances that are in the “Alerting” state and restart them using the EC2 console.
4. D. Verify that the EC2 instances have a route to the public AWS API endpoints.
5. E. Connect to the EC2 instances that are not sending log
6. F. Use the command prompt to verify that the right permissions have been set for the Amazon SNS topic.
7. G. Verify that the network access control lists and security groups of the EC2 instances have the access to send logs over SNMP.

Correct Answer: AB
https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch-and-interface-VPC.html

- (Exam Topic 2)
You want to get a list of vulnerabilities for an EC2 Instance as per the guidelines set by the Center of Internet Security. How can you go about doing this?
Please select:

1. A. Enable AWS Guard Duty for the Instance
2. B. Use AWS Trusted Advisor
3. C. Use AWS inspector
4. D. UseAWSMacie

Correct Answer: C
The AWS Inspector service can inspect EC2 Instances based on specific Rules. One of the rules packages is based on the guidelines set by the Center of Internet Security
Center for Internet security (CIS) Benchmarks
The CIS Security Benchmarks program provides well-defined, un-biased and consensus-based industry best practices to help organizations assess and improve their security. Amazon Web Services is a CIS Security Benchmarks Member company and the list of Amazon Inspector certifications can be viewed nere.
Option A is invalid because this can be used to protect an instance but not give the list of vulnerabilities Options B and D are invalid because these services cannot give a list of vulnerabilities For more information
on the guidelines, please visit the below URL:
* https://docs.aws.amazon.com/inspector/latest/userguide/inspector_cis.html The correct answer is: Use AWS Inspector
Submit your Feedback/Queries to our Experts