AWS-Certified-Security-Specialty Free Practice Test

- (Exam Topic 2)
The Security Engineer implemented a new vault lock policy for 10TB of data and called initiate-vault-lock 12 hours ago. The Audit team identified a typo that is allowing incorrect access to the vault.
What is the MOST cost-effective way to correct this?

1. A. Call the abort-vault-lock operation, fix the typo, and call the initiate-vault-lock again.
2. B. Copy the vault data to Amazon S3, delete the vault, and create a new vault with the data.
3. C. Update the policy, keeping the vault lock in place.
4. D. Update the policy and call initiate-vault-lock again to apply the new policy.

Correct Answer: A
Initiate the lock by attaching a vault lock policy to your vault, which sets the lock to an in-progress state and returns a lock ID. While in the in-progress state, you have 24 hours to validate your vault lock policy before the lock ID expires. Use the lock ID to complete the lock process. If the vault lock policy doesn't work as expected, you can abort the lock and restart from the beginning. For information on how to use the S3 Glacier API to lock a vault, see Locking a Vault by Using the Amazon S3 Glacier API. https://docs.aws.amazon.com/amazonglacier/latest/dev/vault-lock-policy.html

- (Exam Topic 3)
A company stores sensitive documents in Amazon S3 by using server-side encryption with an AWS Key Management Service (AWS KMS) CMK. A new requirement mandates that the CMK that is used for these documents can be used only for S3 actions.
Which statement should the company add to the key policy to meet this requirement?
A)

B)

1. A. Option A
2. B. Option B

Correct Answer: A

- (Exam Topic 2)
An AWS Lambda function was misused to alter data, and a Security Engineer must identify who invoked the function and what output was produced. The Engineer cannot find any logs created by the Lambda function in Amazon CloudWatch Logs.
Which of the following explains why the logs are not available?

1. A. The execution role for the Lambda function did not grant permissions to write log data to CloudWatch Logs.
2. B. The Lambda function was executed by using Amazon API Gateway, so the logs are not stored in CloudWatch Logs.
3. C. The execution role for the Lambda function did not grant permissions to write to the Amazon S3 bucket where CloudWatch Logs stores the logs.
4. D. The version of the Lambda function that was executed was not current.

Correct Answer: A

- (Exam Topic 1)
A company Is building a data lake on Amazon S3. The data consists of millions of small files containing sensitive information. The security team has the following requirements for the architecture:
• Data must be encrypted in transit.
• Data must be encrypted at rest.
• The bucket must be private, but if the bucket is accidentally made public, the data must remain confidential. Which combination of steps would meet the requirements? (Select THREE.)

1. A. Enable AES-256 encryption using server-side encryption with Amazon S3-managed encryption keys (SSE-S3) on the S3 bucket
2. B. Enable default encryption with server-side encryption with AWS KMS-managed keys (SSE-KMS) on the S3 bucket.
3. C. Add a bucket policy that includes a deny if a PutObject request does not include awsiSecureTcanspoct.
4. D. Add a bucket policy with ws: Sourcelpto Allow uploads and downloads from the corporate intranet only.
5. E. Add a bucket policy that includes a deny if a PutObject request does not include s3:x-amz-sairv9r-side-enctyption: "aws: kms".
6. F. Enable Amazon Macie to monitor and act on changes to the data lake's S3 bucket.

Correct Answer: BDF

- (Exam Topic 1)
A city is implementing an election results reporting website that will use Amazon GoudFront The website runs on a fleet of Amazon EC2 instances behind an Application Load Balancer (ALB) in an Auto Scaling group. Election results are updated hourly and are stored as .pdf tiles in an Amazon S3 bucket. A Security Engineer needs to ensure that all external access to the website goes through CloudFront.
Which solution meets these requirements?

1. A. Create an IAM role that allows CloudFront to access the specific S3 bucke
2. B. Modify the S3 bucket policy to allow only the new IAM role to access its content
3. C. Create an interface VPC endpoint for CloudFront to securely communicate with the ALB.
4. D. Create an IAM role that allows CloudFront to access the specific S3 bucke
5. E. Modify the S3 bucket policy to allow only the new IAM role to access its content
6. F. Associate the ALB with a security group that allows only incoming traffic from the CloudFront service to communicate with the ALB.
7. G. Create an origin access identity (OAI) in CloudFron
8. H. Modify the S3 bucket policy to allow only the new OAI to access the bucket content
9. I. Create an interface VPC endpoint for CloudFront to securely communicate with the ALB.
10. J. Create an origin access identity (OAI) in CloudFron
11. K. Modify the S3 bucket policy to allow only the new OAI to access the bucket content
12. L. Associate the ALB with a security group that allows onlyincoming traffic from the CloudFront service to communicate with the ALB.

Correct Answer: C