AWS-Certified-Security-Specialty Free Practice Test

- (Exam Topic 3)
Developers in an organization have moved from a standard application deployment to containers. The Security Engineer is tasked with ensuring that the containers are secure. Which strategies will reduce the attack surface and enhance the security of the containers? (Select TWO.)

1. A. Use the containers to automate security deployments.
2. B. Limit resource consumption (CPU, memory), networking connections, ports, and unnecessary container libraries.
3. C. Segregate containers by host, function, and data classification.
4. D. Use Docker Notary framework to sign task definitions.
5. E. Enable container breakout at the host kernel.

Correct Answer: AC

- (Exam Topic 3)
You have an EBS volume attached to an EC2 Instance which uses KMS for Encryption. Someone has now gone ahead and deleted the Customer Key which was used for the EBS encryption. What should be done to ensure the data can be decrypted.
Please select:

1. A. Create a new Customer Key using KMS and attach it to the existing volume
2. B. You cannot decrypt the data that was encrypted under the CMK, and the data is not recoverable.
3. C. Request AWS Support to recover the key
4. D. Use AWS Config to recover the key

Correct Answer: B
Deleting a customer master key (CMK) in AWS Key Management Service (AWS KMS) is destructive and potentially dangerous. It deletes the key material and all metadata associated with the CMK, and is irreversible. After a CMK is deleted you can no longer decrypt the data that was encrypted under that CMK, which means that data becomes unrecoverable. You should delete a CMK only when you are sure that you don't need to use it anymore. If you are not sure, consider disabling the CMK instead of deleting it. You can re-enable a disabled CMK if you need to use it again later, but you cannot recover a deleted CMK.
https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
A is incorrect because Creating a new CMK and attaching it to the exiting volume will not allow the data to be decrypted, you cannot attach customer master keys after the volume is encrypted
Option C and D are invalid because once the key has been deleted, you cannot recover it For more information on EBS Encryption with KMS, please visit the following URL:
https://docs.aws.amazon.com/kms/latest/developerguide/services-ebs.html
The correct answer is: You cannot decrypt the data that was encrypted under the CMK, and the data is not recoverable. Submit your Feedback/Queries to our Experts

- (Exam Topic 2)
Which of the following minimizes the potential attack surface for applications?

1. A. Use security groups to provide stateful firewalls for Amazon EC2 instances at the hypervisor level.
2. B. Use network ACLs to provide stateful firewalls at the VPC level to prevent access to any specific AWS resource.
3. C. Use AWS Direct Connect for secure trusted connections between EC2 instances within private subnets.
4. D. Design network security in a single layer within the perimeter network (also known as DMZ, demilitarized zone, and screened subnet) to facilitate quicker responses to threats.

Correct Answer: A
https://aws.amazon.com/answers/networking/vpc-security-capabilities/ Security Group is stateful and hypervisor level.

- (Exam Topic 1)
A security engineer is designing a solution that will provide end-to-end encryption between clients and Docker containers running In Amazon Elastic Container Service (Amazon ECS). This solution will also handle volatile traffic patterns
Which solution would have the MOST scalability and LOWEST latency?

1. A. Configure a Network Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers
2. B. Configure an Application Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers
3. C. Configure a Network Load Balancer with a TCP listener to pass through TLS traffic to the containers
4. D. Configure Amazon Route 53 to use multivalue answer routing to send traffic to the containers

Correct Answer: A

- (Exam Topic 1)
A company is configuring three Amazon EC2 instances with each instance in a separate Availability Zone. The EC2 instances wilt be used as transparent proxies for outbound internet traffic for ports 80 and 443 so the proxies can block traffic to certain internet destinations as required by the company's security policies. A Security Engineer completed the following:
• Set up the proxy software on the EC2 instances.
• Modified the route tables on the private subnets to use the proxy EC2 instances as the default route.
• Created a security group rule opening inbound port 80 and 443 TCP protocols on the proxy EC2 instance security group.
However, the proxy EC2 instances are not successfully forwarding traffic to the internet.
What should the Security Engineer do to make the proxy EC2 instances route traffic to the internet?

1. A. Put all the proxy EC2 instances in a cluster placement group.
2. B. Disable source and destination checks on the proxy EC2 instances.
3. C. Open all inbound ports on the proxy EC2 instance security group.
4. D. Change the VPC's DHCP domain-name-servers options set to the IP addresses of proxy EC2 instances.

Correct Answer: B