AWS-Certified-Security-Specialty Free Practice Test

A company has an AWS account that includes an Amazon S3 bucket. The S3 bucket uses server-side encryption with AWS KMS keys (SSE-KMS) to encrypt all the objects at rest by using a customer managed key. The S3 bucket does not have a bucket policy.
An IAM role in the same account has an IAM policy that allows s3 List* and s3 Get' permissions for the S3 bucket. When the IAM role attempts to access an object in the S3 bucket the role receives an access denied message.
Why does the IAM rote not have access to the objects that are in the S3 bucket?

1. A. The IAM rote does not have permission to use the KMS CreateKey operation.
2. B. The S3 bucket lacks a policy that allows access to the customer managed key that encrypts the objects.
3. C. The IAM rote does not have permission to use the customer managed key that encrypts the objects that are in the S3 bucket.
4. D. The ACL of the S3 objects does not allow read access for the objects when the objects ace encrypted at rest.

Correct Answer: C
When using server-side encryption with AWS KMS keys (SSE-KMS), the requester must have both Amazon S3 permissions and AWS KMS permissions to access the objects. The Amazon S3 permissions are for the bucket and object operations, such as s3:ListBucket and s3:GetObject. The AWS KMS permissions are for the key operations, such as kms:GenerateDataKey and kms:Decrypt. In this case, the IAM role has the necessary Amazon S3 permissions, but not the AWS KMS permissions to use the customer managed key that encrypts the objects. Therefore, the IAM role receives an access denied message when trying to access the objects. Verified References:
https://docs.aws.amazon.com/AmazonS3/latest/userguide/troubleshoot-403-errors.html
https://repost.aws/knowledge-center/s3-access-denied-error-kms
https://repost.aws/knowledge-center/cross-account-access-denied-error-s3

A company uses Amazon API Gateway to present REST APIs to users. An API developer wants to analyze API access patterns without the need to parse the log files.
Which combination of steps will meet these requirements with the LEAST effort? (Select TWO.)

1. A. Configure access logging for the required API stage.
2. B. Configure an AWS CloudTrail trail destination for API Gateway event
3. C. Configure filters on the userldentity, userAgent, and sourcelPAddress fields.
4. D. Configure an Amazon S3 destination for API Gateway log
5. E. Run Amazon Athena queries to analyze API access information.
6. F. Use Amazon CloudWatch Logs Insights to analyze API access information.
7. G. Select the Enable Detailed CloudWatch Metrics option on the required API stage.

Correct Answer: CD

A company’s security team needs to receive a notification whenever an AWS access key has not been rotated in 90 or more days. A security engineer must develop a solution that provides these notifications automatically.
Which solution will meet these requirements with the LEAST amount of effort?

1. A. Deploy an AWS Config managed rule to run on a periodic basis of 24 hour
2. B. Select theaccess-keys-rotated managed rule, and set the maxAccessKeyAge parameter to 90 day
3. C. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with an event pattern that matches the compliance type of NON_COMPLIANT from AWS Config for the managed rul
4. D. Configure EventBridge (CloudWatch Events) to send an Amazon Simple Notification Service (Amazon SNS) notification to the security team.
5. E. Create a script to export a .csv file from the AWS Trusted Advisor check for IAM access key rotation.Load the script into an AWS Lambda function that will upload the .csv file to an Amazon S3 bucke
6. F. Create an Amazon Athena table query that runs when the .csv file is uploaded to the S3 bucke
7. G. Publish the results for any keys older than 90 days by using an invocation of an Amazon Simple Notification Service (Amazon SNS) notification to the security team.
8. H. Create a script to download the IAM credentials report on a periodic basi
9. I. Load the script into an AWS Lambda function that will run on a schedule through Amazon EventBridge (Amazon CloudWatch Events). Configure the Lambda script to load the report into memory and to filter the report for recordsin which the key was last rotated at least 90 days ag
10. J. If any records are detected, send an Amazon Simple Notification Service (Amazon SNS) notification to the security team.
11. K. Create an AWS Lambda function that queries the IAM API to list all the user
12. L. Iterate through the users by using the ListAccessKeys operatio
13. M. Verify that the value in the CreateDate field is not at least 90 days ol
14. N. Send an Amazon Simple Notification Service (Amazon SNS) notification to the security team if the value is at least 90 days ol
15. O. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to schedule the Lambda function to run each day.

Correct Answer: A

A company is using Amazon Elastic Container Service (Amazon ECS) to deploy an application that deals with sensitive data During a recent security audit, the company identified a security issue in which Amazon RDS credentials were stored with the application code In the company's source code repository
A security engineer needs to develop a solution to ensure that database credentials are stored securely and rotated periodically. The credentials should be accessible to the application only The engineer also needs to prevent database administrators from sharing database credentials as plaintext with other teammates. The solution must also minimize administrate overhead
Which solution meets these requirements?

1. A. Use the IAM Systems Manager Parameter Store to generate database credential
2. B. Use an IAM profile for ECS tasks to restrict access to database credentials to specific containers only.
3. C. Use IAM Secrets Manager to store database credential
4. D. Use an IAM inline policy for ECS tasks to restrict access to database credentials to specific containers only.
5. E. Use the IAM Systems Manager Parameter Store to store database credential
6. F. Use IAM roles for ECS tasks to restrict access to database credentials lo specific containers only
7. G. Use IAM Secrets Manager to store database credential
8. H. Use IAM roles for ECS tasks to restrict access to database credentials to specific containers only.

Correct Answer: D
To ensure that database credentials are stored securely and rotated periodically, the security engineer should do the following:
Use AWS Secrets Manager to store database credentials. This allows the security engineer to encrypt and manage secrets centrally, and to configure automatic rotation schedules for them.
Use IAM roles for ECS tasks to restrict access to database credentials to specific containers only. This allows the security engineer to grant fine-grained permissions to ECS tasks based on their roles, and to avoid sharing credentials as plaintext with other teammates.

A company accidentally deleted the private key for an Amazon Elastic Block Store (Amazon EBS)-backed Amazon EC2 instance. A security engineer needs to regain access to the instance.
Which combination of steps will meet this requirement? (Choose two.)

1. A. Stop the instanc
2. B. Detach the root volum
3. C. Generate a new key pair.
4. D. Keep the instance runnin
5. E. Detach the root volum
6. F. Generate a new key pair.
7. G. When the volume is detached from the original instance, attach the volume to another instance as a data volum
8. H. Modify the authorized_keys file with a new public ke
9. I. Move the volume back to the original instanc
10. J. Start the instance.
11. K. When the volume is detached from the original instance, attach the volume to another instance as a data volum
12. L. Modify the authorized_keys file with a new private ke
13. M. Move the volume back to the original instanc
14. N. Start the instance.
15. O. When the volume is detached from the original instance, attach the volume to another instance as a data volum
16. P. Modify the authorized_keys file with a new public ke
17. Q. Move the volume back to the original instance that is running.

Correct Answer: AC
If you lose the private key for an EBS-backed instance, you can regain access to your instance. You must stop the instance, detach its root volume and attach it to another instance as a data volume, modify the authorized_keys file with a new public key, move the volume back to the original instance, and restart the instance. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/TroubleshootingInstancesConnecting.html#replacing