AWS-Certified-Security-Specialty Free Practice Test

- (Exam Topic 1)
A company has several workloads running on AWS Employees are required to authenticate using on-premises ADFS and SSO to access the AWS Management Console Developers migrated an existing legacy web application to an Amazon EC2 instance Employees need to access this application from anywhere on the internet but currently, mere is no authentication system but into the application.
How should the Security Engineer implement employee-only access to this system without changing the application?

1. A. Place the application behind an Application Load Balancer (ALB) Use Amazon Cognito as authentication (or the ALB Define a SAML-based Amazon Cognito user pool and connect it to ADFSimplement AWS SSO in the master account and link it to ADFS as an identity provide' Define the EC2 instance as a managed resource, then apply an IAM policy on the resource
2. B. Define an Amazon Cognito identity pool then install the connector on the Active Directory server Use the Amazon Cognito SDK on the application instance to authenticate the employees using their
3. C. Active Directory user names and passwords
4. D. Create an AWS Lambda custom authorizer as the authenticator for a reverse proxy on Amazon EC2 Ensure the security group on Amazon EC2 only allows access from the Lambda function.

Correct Answer: B

- (Exam Topic 2)
An organization has a system in AWS that allows a large number of remote workers to submit data files. File sizes vary from a few kilobytes to several megabytes. A recent audit highlighted a concern that data files are not encrypted while in transit over untrusted networks.
Which solution would remediate the audit finding while minimizing the effort required?

1. A. Upload an SSL certificate to IAM, and configure Amazon CloudFront with the passphrase for the private key.
2. B. Call KMS.Encrypt() in the client, passing in the data file contents, and call KMS.Decrypt() server-side.
3. C. Use AWS Certificate Manager to provision a certificate on an Elastic Load Balancing in front of the web service’s servers.
4. D. Create a new VPC with an Amazon VPC VPN endpoint, and update the web service’s DNS record.

Correct Answer: C

- (Exam Topic 2)
A company has a few dozen application servers in private subnets behind an Elastic Load Balancer (ELB) in an AWS Auto Scaling group. The application is accessed from the web over HTTPS. The data must always be encrypted in transit. The Security Engineer is worried about potential key exposure due to vulnerabilities in the application software.
Which approach will meet these requirements while protecting the external certificate during a breach?

1. A. Use a Network Load Balancer (NLB) to pass through traffic on port 443 from the internet to port 443 on the instances.
2. B. Purchase an external certificate, and upload it to the AWS Certificate Manager (for use with the ELB) and to the instance
3. C. Have the ELB decrypt traffic, and route and re-encrypt with the same certificate.
4. D. Generate an internal self-signed certificate and apply it to the instance
5. E. Use AWS Certificate Manager to generate a new external certificate for the EL
6. F. Have the ELB decrypt traffic, and route andre-encrypt with the internal certificate.
7. G. Upload a new external certificate to the load balance
8. H. Have the ELB decrypt the traffic and forward it on port 80 to the instances.

Correct Answer: C

- (Exam Topic 3)
The CFO of a company wants to allow one of his employees to view only the AWS usage report page. Which of the below mentioned IAM policy statements allows the user to have access to the AWS usage report page?
Please select:

1. A. "Effect": "Allow". "Action": ["Describe"], "Resource": "Billing"
2. B. "Effect": "Allow", "Action": ["AccountUsage], "Resource": "*"
3. C. "Effect': "Allow", "Action": ["aws-portal:ViewUsage"," aws-portal:ViewBilling"], "Resource": "*"
4. D. "Effect": "Allow", "Action": ["aws-portal: ViewBilling"], "Resource": "*"

Correct Answer: C
the aws documentation, below is the access required for a user to access the Usage reports page and as per this, Option C is the right answer.
C:\Users\wk\Desktop\mudassar\Untitled.jpg

- (Exam Topic 3)
You have an EC2 instance with the following security configured:
* a. ICMP inbound allowed on Security Group
* b. ICMP outbound not configured on Security Group
* c. ICMP inbound allowed on Network ACL
* d. ICMP outbound denied on Network ACL
If Flow logs is enabled for the instance, which of the following flow records will be recorded? Choose 3 answers from the options give below
Please select:

1. A. An ACCEPT record for the request based on the Security Group
2. B. An ACCEPT record for the request based on the NACL
3. C. A REJECT record for the response based on the Security Group
4. D. A REJECT record for the response based on the NACL

Correct Answer: ABD
This example is given in the AWS documentation as well
For example, you use the ping command from your home computer (IP address is 203.0.113.12) to your instance (the network interface's private IP address is 172.31.16.139). Your security group's inbound rules allow ICMP traffic and the outbound rules do not allow ICMP traffic however, because security groups are stateful, the response ping from your instance is allowed. Your network ACL permits inbound ICMP traffic but does not permit outbound ICMP traffic. Because network ACLs are stateless, the response ping is dropped and will not reach your home computer. In a flow log, this is displayed as 2 flow log records:
An ACCEPT record for the originating ping that was allowed by both the network ACL and the security group, and therefore was allowed to reach your instance.
A REJECT record for the response ping that the network ACL denied.
Option C is invalid because the REJECT record would not be present For more information on Flow Logs, please refer to the below URL:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-loes.html
The correct answers are: An ACCEPT record for the request based on the Security Group, An ACCEPT record for the request based on the NACL, A REJECT record for the response based on the NACL
Submit your Feedback/Queries to our Experts