AWS-Certified-Security-Specialty Free Practice Test

- (Exam Topic 2)
Which of the following minimizes the potential attack surface for applications?

1. A. Use security groups to provide stateful firewalls for Amazon EC2 instances at the hypervisor level.
2. B. Use network ACLs to provide stateful firewalls at the VPC level to prevent access to any specific AWS resource.
3. C. Use AWS Direct Connect for secure trusted connections between EC2 instances within private subnets.
4. D. Design network security in a single layer within the perimeter network (also known as DMZ, demilitarized zone, and screened subnet) to facilitate quicker responses to threats.

Correct Answer: A
https://aws.amazon.com/answers/networking/vpc-security-capabilities/ Security Group is stateful and hypervisor level.

- (Exam Topic 1)
A security engineer is designing a solution that will provide end-to-end encryption between clients and Docker containers running In Amazon Elastic Container Service (Amazon ECS). This solution will also handle volatile traffic patterns
Which solution would have the MOST scalability and LOWEST latency?

1. A. Configure a Network Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers
2. B. Configure an Application Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers
3. C. Configure a Network Load Balancer with a TCP listener to pass through TLS traffic to the containers
4. D. Configure Amazon Route 53 to use multivalue answer routing to send traffic to the containers

Correct Answer: A

- (Exam Topic 1)
A company is configuring three Amazon EC2 instances with each instance in a separate Availability Zone. The EC2 instances wilt be used as transparent proxies for outbound internet traffic for ports 80 and 443 so the proxies can block traffic to certain internet destinations as required by the company's security policies. A Security Engineer completed the following:
• Set up the proxy software on the EC2 instances.
• Modified the route tables on the private subnets to use the proxy EC2 instances as the default route.
• Created a security group rule opening inbound port 80 and 443 TCP protocols on the proxy EC2 instance security group.
However, the proxy EC2 instances are not successfully forwarding traffic to the internet.
What should the Security Engineer do to make the proxy EC2 instances route traffic to the internet?

1. A. Put all the proxy EC2 instances in a cluster placement group.
2. B. Disable source and destination checks on the proxy EC2 instances.
3. C. Open all inbound ports on the proxy EC2 instance security group.
4. D. Change the VPC's DHCP domain-name-servers options set to the IP addresses of proxy EC2 instances.

Correct Answer: B

- (Exam Topic 3)
You are responsible to deploying a critical application onto AWS. Part of the requirements for this application is to ensure that the controls set for this application met PCI compliance. Also there is a need to monitor web application logs to identify any malicious activity. Which of the following services can be used to fulfil this requirement. Choose 2 answers from the options given below
Please select:

1. A. Amazon Cloudwatch Logs
2. B. Amazon VPC Flow Logs
3. C. Amazon AWS Config
4. D. Amazon Cloudtrail

Correct Answer: AD
The AWS Documentation mentions the following about these services
AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides event history of your AWS account activity,
including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting.
Option B is incorrect because VPC flow logs can only check for flow to instances in a VPC Option C is incorrect because this can check for configuration changes only
For more information on Cloudtrail, please refer to below URL: https://aws.amazon.com/cloudtrail;
You can use Amazon CloudWatch Logs to monitor, store, and access your log files from Amazon Elastic Compute Cloud (Amazon EC2) instances, AWS CloudTrail, Amazon Route 53, and other sources. You can then retrieve the associated log data from CloudWatch Logs.
For more information on Cloudwatch logs, please refer to below URL: http://docs.aws.amazon.com/AmazonCloudWatch/latest/loes/WhatisCloudWatchLoES.htmll The correct answers are: Amazon Cloudwatch Logs, Amazon Cloudtrail

- (Exam Topic 3)
You need to ensure that objects in an S3 bucket are available in another region. This is because of the criticality of the data that is hosted in the S3 bucket. How can you achieve this in the easiest way possible?
Please select:

1. A. Enable cross region replication for the bucket
2. B. Write a script to copy the objects to another bucket in the destination region
3. C. Create an S3 snapshot in the destination region
4. D. Enable versioning which will copy the objects to the destination region

Correct Answer: A
Option B is partially correct but a big maintenance over head to create and maintain a script when the functionality is already available in S3
Option C is invalid because snapshots are not available in S3 Option D is invalid because versioning will not replicate objects The AWS Documentation mentions the following
Cross-region replication is a bucket-level configuration that enables automatic, asynchronous copying of objects across buck in different AWS Regions.
For more information on Cross region replication in the Simple Storage Service, please visit the below URL: https://docs.aws.amazon.com/AmazonS3/latest/dev/crr.html
The correct answer is: Enable cross region replication for the bucket Submit your Feedback/Queries to our Experts