AWS-Certified-Security-Specialty Free Practice Test

- (Exam Topic 3)
A company needs a security engineer to implement a scalable solution for multi-account authentication and authorization. The solution should not introduce additional user-managed architectural components. Native AWS features should be used as much as possible The security engineer has set up AWS Organizations w1th all features activated and AWS SSO enabled.
Which additional steps should the security engineer take to complete the task?

1. A. Use AD Connector to create users and groups for all employees that require access to AWS accounts.Assign AD Connector groups to AWS accounts and link to the IAM roles in accordance with the employees‘job functions and access requirements Instruct employees to access AWS accounts by using the AWS Directory Service user portal.
2. B. Use an AW5 SSO default directory to create users and groups for all employees that require access to AWS account
3. C. Assign groups to AWS accounts and link to permission sets in accordance with the employees‘job functions and access requirement
4. D. Instruct employees to access AWS accounts by using the AWS SSO user portal.
5. E. Use an AWS SSO default directory to create users and groups for all employees that require access to AWS account
6. F. Link AWS SSO groups to the IAM users present in all accounts to inherit existing permission
7. G. Instruct employees to access AWS accounts by using the AW5 SSO user portal.
8. H. Use AWS Directory Service tor Microsoft Active Directory to create users and groups for all employees that require access to AWS accounts Enable AWS Management Console access in the created directory and specify AWS SSO as a source cl information tor integrated accounts and permission set
9. I. Instruct employees to access AWS accounts by using the AWS Directory Service user portal.

Correct Answer: B

- (Exam Topic 1)
A company has implemented centralized logging and monitoring of AWS CloudTrail logs from all Regions in
an Amazon S3 bucket. The log Hies are encrypted using AWS KMS. A Security Engineer is attempting to review the log files using a third-party tool hosted on an Amazon EC2 instance The Security Engineer is unable to access the logs in the S3 bucket and receives an access denied error message
What should the Security Engineer do to fix this issue?

1. A. Check that the role the Security Engineer uses grants permission to decrypt objects using the KMS CMK.
2. B. Check that the role the Security Engineer uses grants permission to decrypt objects using the KMS CMK and gives access to the S3 bucket and objects
3. C. Check that the role the EC2 instance profile uses grants permission lo decrypt objects using the KMS CMK and gives access to the S3 bucket and objects
4. D. Check that the role the EC2 instance profile uses grants permission to decrypt objects using the KMS CMK

Correct Answer: C

- (Exam Topic 3)
Your company has many AWS accounts defined and all are managed via AWS Organizations. One AWS account has a S3 bucket that has critical data. How can we ensure that all the users in the AWS organisation have access to this bucket?
Please select:

1. A. Ensure the bucket policy has a condition which involves aws:PrincipalOrglD
2. B. Ensure the bucket policy has a condition which involves aws:AccountNumber
3. C. Ensure the bucket policy has a condition which involves aws:PrincipaliD
4. D. Ensure the bucket policy has a condition which involves aws:OrglD

Correct Answer: A
The AWS Documentation mentions the following
AWS Identity and Access Management (IAM) now makes it easier for you to control access to your AWS resources by using the AWS organization of IAM principals (users and roles). For some services, you grant permissions using resource-based policies to specify the accounts and principals that can access the resource and what actions they can perform on it. Now, you can use a new condition key, aws:PrincipalOrglD, in these policies to require all principals accessing the resource to be from an account in the organization
Option B.C and D are invalid because the condition in the bucket policy has to mention aws:PrincipalOrglD For more information on controlling access via Organizations, please refer to the below Link:
https://aws.amazon.com/blogs/security/control-access-to-aws-resources-by-usins-the-aws-organization-of-iam-p (
The correct answer is: Ensure the bucket policy has a condition which involves aws:PrincipalOrglD Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
A Devops team is currently looking at the security aspect of their CI/CD pipeline. They are making use of AWS resource? for their infrastructure. They want to ensure that the EC2 Instances don't have any high security vulnerabilities. They want to ensure a complete DevSecOps process. How can this be achieved?
Please select:

1. A. Use AWS Config to check the state of the EC2 instance for any sort of security issues.
2. B. Use AWS Inspector API's in the pipeline for the EC2 Instances
3. C. Use AWS Trusted Advisor API's in the pipeline for the EC2 Instances
4. D. Use AWS Security Groups to ensure no vulnerabilities are present

Correct Answer: B
Amazon Inspector offers a programmatic way to find security defects or misconfigurations in your operating systems and applications. Because you can use API calls to access both the processing of assessments and the results of your assessments, integration of the findings into workflow and notification systems is simple.
DevOps teams can integrate Amazon Inspector into their CI/CD pipelines and use it to identify any pre-existing issues or when new issues are introduced.
Option A.C and D are all incorrect since these services cannot check for Security Vulnerabilities. These can only be checked by the AWS Inspector service.
For more information on AWS Security best practices, please refer to below URL: https://d1.awsstatic.com/whitepapers/Security/AWS Security Best Practices.pdl
The correct answer is: Use AWS Inspector API's in the pipeline for the EC2 Instances Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
You have private video content in S3 that you want to serve to subscribed users on the Internet. User IDs, credentials, and subscriptions are stored in an Amazon RDS database. Which configuration will allow you to securely serve private content to your users?
Please select:

1. A. Generate pre-signed URLs for each user as they request access to protected S3 content
2. B. Create an IAM user for each subscribed user and assign the GetObject permission to each IAM user
3. C. Create an S3 bucket policy that limits access to your private content to only your subscribed users'credentials
4. D. Crpafp a Cloud Front Clriein Identity user for vnur suhsrrihprl users and assign the GptOhiprt oprmissinn to this user

Correct Answer: A
All objects and buckets by default are private. The pre-signed URLs are useful if you want your user/customer to be able upload a specific object to your bucket but you don't require them to have AWS security credentials or permissions. When you create a pre-signed URL, you must provide your security credentials, specify a bucket name, an object key, an HTTP method (PUT for uploading objects), and an expiration date and time. The pre-signed URLs are valid only for the specified duration.
Option B is invalid because this would be too difficult to implement at a user level. Option C is invalid because this is not possible
Option D is invalid because this is used to serve private content via Cloudfront For more information on pre-signed urls, please refer to the Link:
http://docs.aws.amazon.com/AmazonS3/latest/dev/PresienedUrlUploadObiect.htmll
The correct answer is: Generate pre-signed URLs for each user as they request access to protected S3 content Submit your Feedback/Queries to our Experts