AWS-Certified-Security-Specialty Free Practice Test

- (Exam Topic 3)
Your company is planning on using AWS EC2 and ELB for deployment for their web applications. The security policy mandates that all traffic should be encrypted. Which of the following options will ensure that this requirement is met. Choose 2 answers from the options below.
Please select:

1. A. Ensure the load balancer listens on port 80
2. B. Ensure the load balancer listens on port 443
3. C. Ensure the HTTPS listener sends requests to the instances on port 443
4. D. Ensure the HTTPS listener sends requests to the instances on port 80

Correct Answer: BC
The AWS Documentation mentions the following
You can create a load balancer that listens on both the HTTP (80) and HTTPS (443) ports. If you specify that the HTTPS listener sends requests to the instances on port 80, the load balancer terminates the requests and communication from the load balancer to the instances is not encrypted, if the HTTPS listener sends requests to the instances on port 443, communication from the load balancer to the instances is encrypted.
Option A is invalid because there is a need for secure traffic, so port 80 should not be used
Option D is invalid because for the HTTPS listener you need to use port 443 For more information on HTTPS with ELB, please refer to the below Link:
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.htmll
The correct answers are: Ensure the load balancer listens on port 443, Ensure the HTTPS listener sends requests to the instances on port 443
Submit your Feedback/Queries to our Experts

- (Exam Topic 2)
A company has contracted with a third party to audit several AWS accounts. To enable the audit,
cross-account IAM roles have been created in each account targeted for audit. The Auditor is having trouble accessing some of the accounts.
Which of the following may be causing this problem? (Choose three.)

1. A. The external ID used by the Auditor is missing or incorrect.
2. B. The Auditor is using the incorrect password.
3. C. The Auditor has not been granted sts:AssumeRole for the role in the destination account.
4. D. The Amazon EC2 role used by the Auditor must be set to the destination account role.
5. E. The secret key used by the Auditor is missing or incorrect.
6. F. The role ARN used by the Auditor is missing or incorrect.

Correct Answer: ACF
Using IAM to grant access to a Third-Party Account 1) Create a role to provide access to the require resources 1.1) Create a role policy that specifies the AWS Account ID to be accessed, "sts:AssumeRole" as action, and "sts:ExternalID" as condition 1.2) Create a role using the role policy just created 1.3) Assign a resouce policy to the role. This will provide permission to access resource ARNs to the auditor 2) Repeat steps 1 and 2 on all AWS accounts 3) The auditor connects to the AWS account AWS Security Token Service (STS). The auditor must provide its ExternalID from step 1.2, the ARN of the role he is trying to assume from step 1.3, sts:ExternalID 4) STS provide the auditor with temporary credentials that provides the role access from step 1 https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
https://aws.amazon.com/blogs/security/how-to-audit-cross-account-roles-using-aws-cloudtrail-and-amazon-clou

- (Exam Topic 3)
A company is planning on extending their on-premise AWS Infrastructure to the AWS Cloud. They need to have a solution that would give core benefits of traffic encryption and ensure latency is kept to a minimum. Which of the following would help fulfil this requirement? Choose 2 answers from the options given below
Please select:

1. A. AWS VPN
2. B. AWS VPC Peering
3. C. AWS NAT gateways
4. D. AWS Direct Connect

Correct Answer: AD
The AWS Document mention the following which supports the requirement C:\Users\wk\Desktop\mudassar\Untitled.jpg

Option B is invalid because VPC peering is only used for connection between VPCs and cannot be used to connect On-premise infrastructure to the AWS Cloud.
Option C is invalid because NAT gateways is used to connect instances in a private subnet to the internet For more information on VPN Connections, please visit the following url
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuideA/pn-connections.html
The correct answers are: AWS VPN, AWS Direct Connect Submit your Feedback/Queries to our Experts

- (Exam Topic 2)
A Security Administrator is performing a log analysis as a result of a suspected AWS account compromise. The Administrator wants to analyze suspicious AWS CloudTrail log files but is overwhelmed by the volume of audit logs being generated.
What approach enables the Administrator to search through the logs MOST efficiently?

1. A. Implement a “write-only” CloudTrail event filter to detect any modifications to the AWS account resources.
2. B. Configure Amazon Macie to classify and discover sensitive data in the Amazon S3 bucket that contains the CloudTrail audit logs.
3. C. Configure Amazon Athena to read from the CloudTrail S3 bucket and query the logs to examine account activities.
4. D. Enable Amazon S3 event notifications to trigger an AWS Lambda function that sends an email alarm when there are new CloudTrail API entries.

Correct Answer: C

- (Exam Topic 2)
A water utility company uses a number of Amazon EC2 instances to manage updates to a fleet of 2,000 Internet of Things (IoT) field devices that monitor water quality. These devices each have unique access credentials.
An operational safety policy requires that access to specific credentials is independently auditable. What is the MOST cost-effective way to manage the storage of credentials?

1. A. Use AWS Systems Manager to store the credentials as Secure Strings Parameter
2. B. Secure by using an AWS KMS key.
3. C. Use AWS Key Management System to store a master key, which is used to encrypt the credential
4. D. The encrypted credentials are stored in an Amazon RDS instance.
5. E. Use AWS Secrets Manager to store the credentials.
6. F. Store the credentials in a JSON file on Amazon S3 with server-side encryption.

Correct Answer: A
https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-store-advanced-parameters.html