AWS-Certified-Security-Specialty Free Practice Test

- (Exam Topic 3)
Every application in a company's portfolio has a separate AWS account for development and production. The security team wants to prevent the root user and all IAM users in the production accounts from accessing a specific set of unneeded services. How can they control this functionality?
Please select:

1. A. Create a Service Control Policy that denies access to the service
2. B. Assemble all production accounts in an organizational uni
3. C. Apply the policy to that organizational unit.
4. D. Create a Service Control Policy that denies access to the service
5. E. Apply the policy to the root account.
6. F. Create an IAM policy that denies access to the service
7. G. Associate the policy with an IAM group and enlist all users and the root users in this group.
8. H. Create an IAM policy that denies access to the service
9. I. Create a Config Rule that checks that all users have the policy m assigne
10. J. Trigger a Lambda function that adds the policy when found missing.

Correct Answer: A
As an administrator of the master account of an organization, you can restrict which AWS services and individual API actions the users and roles in each member account can access. This restriction even overrides the administrators of member accounts in the organization. When AWS Organizations blocks access to a service or API action for a member account a user or role in that account can't access any prohibited service or API action, even if an administrator of a member account explicitly grants such permissions in an IAM policy. Organization permissions overrule account permissions.
Option B is invalid because service policies cannot be assigned to the root account at the account level. Option C and D are invalid because IAM policies alone at the account level would not be able to suffice the
requirement
For more information, please visit the below URL id=docs_orgs_console https://docs.aws.amazon.com/IAM/latest/UserGi manage attach-policy.html
The correct answer is: Create a Service Control Policy that denies access to the services. Assemble all production accounts in an organizational unit. Apply the policy to that organizational unit
Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
A company hosts data in S3. There is now a mandate that going forward all data in the S3 bucket needs to encrypt at rest. How can this be achieved?
Please select:

1. A. Use AWS Access keys to encrypt the data
2. B. Use SSL certificates to encrypt the data
3. C. Enable server side encryption on the S3 bucket
4. D. Enable MFA on the S3 bucket

Correct Answer: C
The AWS Documentation mentions the following
Server-side encryption is about data encryption at rest—that is, Amazon S3 encrypts your data at the object level as it writes it to disks in its data centers and decrypts it for you when you access it. As long as you authenticate your request and you have access permissions, there is no difference in the way you access encrypted or unencrypted objects.
Options A and B are invalid because neither Access Keys nor SSL certificates can be used to encrypt data. Option D is invalid because MFA is just used as an extra level of security for S3 buckets
For more information on S3 server side encryption, please refer to the below Link: https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
Your organization is preparing for a security assessment of your use of AWS. In preparation for this assessment, which three IAM best practices should you consider implementing?
Please select:

1. A. Create individual IAM users
2. B. Configure MFA on the root account and for privileged IAM users
3. C. Assign IAM users and groups configured with policies granting least privilege access
4. D. Ensure all users have been assigned and dre frequently rotating a password, access ID/secret key, andX.509 certificate

Correct Answer: ABC
When you go to the security dashboard, the security status will show the best practices for initiating the first level of security.
C:\Users\wk\Desktop\mudassar\Untitled.jpg

Option D is invalid because as per the dashboard, this is not part of the security recommendation For more information on best security practices please visit the URL:
https://aws.amazon.com/whitepapers/aws-security-best-practices;
The correct answers are: Create individual IAM users, Configure MFA on the root account and for privileged IAM users. Assign IAM users and groups configured with policies granting least privilege access
Submit your Feedback/Queries to our Experts

- (Exam Topic 1)
A company uses HTTP Live Streaming (HLS) to stream live video content to paying subscribers by using Amazon CloudFront. HLS splits the video content into chunks so that the user can request the right chunk based on different conditions Because the video events last for several hours, the total video is made up of thousands of chunks
The origin URL is not disclosed and every user is forced to access the CloudFront URL The company has a web application that authenticates the paying users against an internal repository and a CloudFront key pair that is already issued.
What is the simplest and MOST effective way to protect the content?

1. A. Develop the application to use the CloudFront key pair to create signed URLs that users will use to access the content.
2. B. Develop the application to use the CloudFront key pair to set the signed cookies that users will use to access the content.
3. C. Develop the application to issue a security token that Lambda@Edge will receive to authenticate and authorize access to the content
4. D. Keep the CloudFront URL encrypted inside the application, and use AWS KMS to resolve the URL on-the-fly after the user is authenticated.

Correct Answer: B

- (Exam Topic 1)
A company's Director of information Security wants a daily email report from AWS that contains recommendations for each company account to meet AWS Security best practices.
Which solution would meet these requirements?

1. A. in every AWS account, configure AWS Lambda to query me AWS Support API tor AWS Trusted Advisor security checks Send the results from Lambda to an Amazon SNS topic to send reports.
2. B. Configure Amazon GuardDuty in a master account and invite all other accounts to be managed by the master account Use GuardDuty's integration with Amazon SNS to report on findings
3. C. Use Amazon Athena and Amazon QuickSight to build reports off of AWS CloudTrail Create a daily Amazon CloudWatch trigger to run the report dally and email It using Amazon SNS
4. D. Use AWS Artifact's prebuilt reports and subscriptions Subscribe the Director of Information Security to the reports by adding the Director as the security alternate contact tor each account

Correct Answer: A