AWS-Certified-Security-Specialty Free Practice Test

- (Exam Topic 2)
A Software Engineer is trying to figure out why network connectivity to an Amazon EC2 instance does not appear to be working correctly. Its security group allows inbound HTTP traffic from 0.0.0.0/0, and the outbound rules have not been modified from the default. A custom network ACL associated with its subnet allows inbound HTTP traffic from 0.0.0.0/0 and has no outbound rules.
What would resolve the connectivity issue?

1. A. The outbound rules on the security group do not allow the response to be sent to the client on the ephemeral port range.
2. B. The outbound rules on the security group do not allow the response to be sent to the client on the HTTP port.
3. C. An outbound rule must be added to the network ACL to allow the response to be sent to the client on the ephemeral port range.
4. D. An outbound rule must be added to the network ACL to allow the response to be sent to the client on the HTTP port.

Correct Answer: C
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html

- (Exam Topic 1)
A Security Engineer accidentally deleted the imported key material in an AWS KMS CMK. What should the Security Engineer do to restore the deleted key material?

1. A. Create a new CM
2. B. Download a new wrapping key and a new import token to import the original key material
3. C. Create a new CMK Use the original wrapping key and import token to import the original key material.
4. D. Download a new wrapping key and a new import token Import the original key material into the existing CMK.
5. E. Use the original wrapping key and import token Import the original key material into the existing CMK

Correct Answer: C

- (Exam Topic 2)
A Security Engineer who was reviewing AWS Key Management Service (AWS KMS) key policies found this statement in each key policy in the company AWS account.

What does the statement allow?

1. A. All principals from all AWS accounts to use the key.
2. B. Only the root user from account 111122223333 to use the key.
3. C. All principals from account 111122223333 to use the key but only on Amazon S3.
4. D. Only principals from account 111122223333 that have an IAM policy applied that grants access to this key to use the key.

Correct Answer: D

- (Exam Topic 1)
Users report intermittent availability of a web application hosted on AWS. Monitoring systems report an excess of abnormal network traffic followed by high CPU utilization on the application web tier. Which of the following techniques will improve the availability of the application? (Select TWO.)

1. A. Deploy AWS WAF to block all unsecured web applications from accessing the internet.
2. B. Deploy an Intrusion Detection/Prevention System (IDS/IPS) to monitor or block unusual incoming network traffic.
3. C. Configure security groups to allow outgoing network traffic only from hosts that are protected with up-to-date antivirus software.
4. D. Create Amazon CloudFront distribution and configure AWS WAF rules to protect the web applications from malicious traffic.
5. E. Use the default Amazon VPC for externakfacing systems to allow AWS to actively block malicious network traffic affecting Amazon EC2 instances.

Correct Answer: BD

- (Exam Topic 3)
A company requires that data stored in AWS be encrypted at rest. Which of the following approaches achieve this requirement? Select 2 answers from the options given below.
Please select:

1. A. When storing data in Amazon EBS, use only EBS-optimized Amazon EC2 instances.
2. B. When storing data in EBS, encrypt the volume by using AWS KMS.
3. C. When storing data in Amazon S3, use object versioning and MFA Delete.
4. D. When storing data in Amazon EC2 Instance Store, encrypt the volume by using KMS.
5. E. When storing data in S3, enable server-side encryption.

Correct Answer: BE
The AWS Documentation mentions the following
To create an encrypted Amazon EBS volume, select the appropriate box in the Amazon EBS section of the Amazon EC2 console. You can use a custom customer master key (CMK) by choosing one from the list that appears below the encryption box. If you do not specify a custom CMK, Amazon EBS uses the
AWS-managed CMK for Amazon EBS in your account. If there is no AWS-managed CMK for Amazon EBS in your account, Amazon EBS creates one.
Data protection refers to protecting data while in-transit (as it travels to and from Amazon S3) and at rest (while it is stored on disks in Amazon S3 data centers). You can protect data in transit by using SSL or by using client-side encryption. You have the following options of protecting data at rest in Amazon S3.
• Use Server-Side Encryption - You request Amazon S3 to encrypt your object before saving it on disks in its data centers and decrypt it when you download the objects.
• Use Client-Side Encryption - You can encrypt data client-side and upload the encrypted data to Amazon S3. In this case, you manage the encryption process, the encryption keys, and related tools.
Option A is invalid because using EBS-optimized Amazon EC2 instances alone will not guarantee protection of instances at rest. Option C is invalid because this will not encrypt data at rest for S3 objects. Option D is invalid because you don't store data in Instance store. For more information on EBS encryption, please visit the below URL:
https://docs.aws.amazon.com/kms/latest/developerguide/services-ebs.html For more information on S3 encryption, please visit the below URL: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsinEEncryption.html
The correct answers are: When storing data in EBS, encrypt the volume by using AWS KMS. When storing data in S3, enable server-side encryption.
Submit your Feedback/Queries to our Experts