Verified AWS-Security-Specialty dumps Q&As - 100% Pass from PassExamDumps [Q17-Q37]


Pass AWS-Security-Specialty Exam in First Attempt Guaranteed 2023 Dumps!

NEW QUESTION 17
A company has a legacy application that outputs all logs to a local text file. Logs from all applications running on AWS must be continually monitored for security related messages.
What can be done to allow the company to deploy the legacy application on Amazon EC2 and still meet the monitoring requirement?
Please select:

  • A. Create a Lambda function that mounts the EBS volume with the logs and scans the logs for security incidents. Trigger the function every 5 minutes with a scheduled CloudWatch event.
  • B. Install the Amazon Inspector agent on any EC2 instance running the legacy application. Generate CloudWatch alerts based on any Amazon Inspector findings.
  • C. Send the local text log files to CloudWatch Logs and configure a CloudWatch metric filter. Trigger CloudWatch alarms based on the metrics.
  • D. Export the local text log files to CloudTrail. Create a Lambda function that queries the CloudTrail logs for security incidents using Athena.

Answer: C

Explanation:
Install the CloudWatch Logs agent on the instance and have it ship the local text log file to CloudWatch Logs (the same agent also ships logs from on-premises servers). A metric filter then searches the incoming events for specific terms or values and publishes a metric, and a CloudWatch alarm fires when that metric crosses a threshold.
Option A is invalid because Lambda cannot attach an EBS volume, and polling the file every 5 minutes from a function is a slow, over-engineered way to meet a continuous-monitoring requirement. Option B is invalid because Amazon Inspector assesses instances for vulnerabilities and deviations from best practice; it does not monitor application log messages. Option D is invalid because files cannot be exported to CloudTrail; CloudTrail records AWS API activity only.
For more information on the CloudWatch Logs agent please visit the below URL:
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/QuickStartEC2Instance.html
The correct answer is: Send the local text log files to CloudWatch Logs and configure a CloudWatch metric filter. Trigger CloudWatch alarms based on the metrics.
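The following script is an added example, not code from the original page or from AWS. It approximates locally what the metric filter in option C does with the shipped text log: it parses the unstructured-log filter-pattern syntax (space-separated terms are ANDed, a leading `?` makes a term one of several alternatives, a leading `-` excludes, a double-quoted phrase is matched whole) and counts matching events, which is the number the CloudWatch alarm would evaluate. Term matching is implemented as substring matching, a simplifying assumption; the sample log lines are constructed.

```python
"""Local approximation of a CloudWatch Logs metric filter over text log lines.

Added example (not from the original page or from AWS). It models the
unstructured-log filter-pattern subset: space-separated terms are ANDed,
a leading '?' marks an alternative (any one '?' term suffices), a leading
'-' excludes, and a double-quoted phrase is matched as a whole. Matching is
substring-based here, which is a simplifying assumption; confirm real
patterns with TestMetricFilter/FilterLogEvents before alarming on them.
"""
import shlex
from dataclasses import dataclass
from typing import List


@dataclass
class FilterPattern:
    required: List[str]   # every term must appear
    optional: List[str]   # at least one must appear (if any are given)
    excluded: List[str]   # none may appear


def parse_pattern(pattern: str) -> FilterPattern:
    """Split a pattern into required / optional ('?') / excluded ('-') terms."""
    required, optional, excluded = [], [], []
    for token in shlex.split(pattern):   # honours double-quoted phrases
        if token.startswith("?") and len(token) > 1:
            optional.append(token[1:])
        elif token.startswith("-") and len(token) > 1:
            excluded.append(token[1:])
        else:
            required.append(token)
    return FilterPattern(required, optional, excluded)


def matches(fp: FilterPattern, line: str) -> bool:
    if any(term not in line for term in fp.required):
        return False
    if fp.optional and not any(term in line for term in fp.optional):
        return False
    if any(term in line for term in fp.excluded):
        return False
    return True


def count_matches(pattern: str, lines) -> int:
    """The metric value an alarm would see: matching events in the window."""
    fp = parse_pattern(pattern)
    return sum(1 for line in lines if matches(fp, line))


# Constructed sample lines from a hypothetical legacy application log.
SAMPLE_LOG = [
    "2023-03-01 10:00:01 INFO  user=alice action=login result=SUCCESS",
    "2023-03-01 10:00:07 WARN  user=bob action=login result=FAILED reason=bad_password",
    "2023-03-01 10:00:09 WARN  user=bob action=login result=FAILED reason=bad_password",
    "2023-03-01 10:00:12 ERROR user=bob action=login result=LOCKED reason=too_many_failures",
    "2023-03-01 10:00:15 INFO  user=carol action=export result=DENIED reason=not_authorized",
    "2023-03-01 10:00:20 DEBUG user=carol action=export result=DENIED test_fixture=true",
]

if __name__ == "__main__":
    # Security-relevant patterns: any failed or denied action (ignoring DEBUG
    # noise), failed logins specifically, and account lockouts.
    for pat in ['?FAILED ?DENIED -DEBUG', 'action=login FAILED', '"result=LOCKED"']:
        print(f"{pat!r}: {count_matches(pat, SAMPLE_LOG)} matching events")
```

In CloudWatch the same patterns go into the metric filter definition, and the alarm is placed on the metric the filter publishes; keep the excluded terms narrow, because anything the filter drops never reaches the alarm.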

 

NEW QUESTION 18
You currently have an S3 bucket hosted in an AWS account. It holds information that needs to be accessed by a partner account. Which is the MOST secure way to allow the partner account to access the S3 bucket in your account? Select 3 options.
Please select:

  • A. Provide the Account Id to the partner account
  • B. Provide access keys for your account to the partner account
  • C. Ensure the partner uses an external id when making the request
  • D. Provide the ARN for the role to the partner account
  • E. Ensure an IAM role is created which can be assumed by the partner account.
  • F. Ensure an IAM user is created which can be assumed by the partner account.

Answer: C,D,E

Explanation:
Create an IAM role in your account that the partner account is allowed to assume, require an external ID in the role's trust policy so that the partner cannot be tricked into using the role on some other customer's behalf (the confused deputy problem), and give the partner the role ARN. The partner then calls sts:AssumeRole with the external ID and receives temporary credentials scoped to the role's permissions.
Option A is invalid because the account ID alone grants nothing; the role ARN the partner needs already contains it. Option B is invalid because long-term access keys for your account must never be handed to a third party. Option F is invalid because IAM users cannot be assumed; roles are assumed.
The AWS documentation illustrates this scenario with a diagram in which an IAM role and an external ID are used to access resources in another account. For more information on creating roles for third-party access with external IDs, see the IAM User Guide.
The correct answers are: Ensure an IAM role is created which can be assumed by the partner account. Ensure the partner uses an external ID when making the request. Provide the ARN for the role to the partner account.
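The script below is an added example, not code from the original page or from AWS. It writes the trust policy you would attach to the role in your account and evaluates AssumeRole attempts against it the way STS does for this policy shape: the partner account is the only principal, and sts:ExternalId must equal the value you shared with the partner out of band. Account IDs, the role name and the external ID are placeholders.

```python
"""Cross-account S3 access through an IAM role with an external ID.

Added example, not from the original page or from any AWS SDK. Builds the
role trust policy and evaluates AssumeRole attempts against it, including
the confused-deputy case. Account IDs, role name and external ID are
placeholders.
"""
import json
import secrets

OWNER_ACCOUNT = "111111111111"    # placeholder: the account that owns the bucket
PARTNER_ACCOUNT = "222222222222"  # placeholder: the partner's account
ROLE_NAME = "PartnerBucketReadRole"


def new_external_id() -> str:
    """External IDs are not passwords, but they must be unique per partner,
    so generate them rather than picking memorable strings."""
    return secrets.token_urlsafe(24)


def build_trust_policy(partner_account: str, external_id: str) -> dict:
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{partner_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def role_arn(owner_account: str, role_name: str) -> str:
    """What you hand to the partner (together with the external ID)."""
    return f"arn:aws:iam::{owner_account}:role/{role_name}"


def assume_role_allowed(trust_policy: dict, caller_account: str, external_id=None) -> bool:
    """Simplified STS trust evaluation for the statement shape above: an Allow
    statement naming the caller's account as principal, whose ExternalId
    condition (if present) is satisfied, permits the call; otherwise deny."""
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        if stmt["Principal"].get("AWS") != f"arn:aws:iam::{caller_account}:root":
            continue
        expected = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if expected is not None and external_id != expected:
            continue
        return True
    return False


if __name__ == "__main__":
    ext_id = new_external_id()
    policy = build_trust_policy(PARTNER_ACCOUNT, ext_id)
    print(json.dumps(policy, indent=2))
    print("share with partner:", role_arn(OWNER_ACCOUNT, ROLE_NAME), ext_id)
    # Confused deputy: a request relayed through the partner that carries
    # no external ID (or another customer's) is refused.
    print(assume_role_allowed(policy, PARTNER_ACCOUNT, ext_id))   # True
    print(assume_role_allowed(policy, PARTNER_ACCOUNT, None))     # False
```

The role's permissions policy (for example s3:GetObject on the bucket) is separate from the trust policy shown here; the trust policy decides who may assume the role, the permissions policy decides what the role may do.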

 

NEW QUESTION 19
Your company uses AWS KMS for management of its customer keys. From time to time, there is a requirement to delete existing keys as part of housekeeping activities. What can be done during the deletion process to verify that the key is no longer being used?
Please select:

  • A. Use CloudTrail to see if any KMS API request has been issued against existing keys
  • B. Use Key policies to see the access level for the keys
  • C. Change the IAM policy for the keys to see if other services are using the keys
  • D. Rotate the keys once before deletion to see if other services are using the keys

Answer: A

Explanation:
The AWS documentation mentions the following:
You can use a combination of AWS CloudTrail, Amazon CloudWatch Logs, and Amazon Simple Notification Service (Amazon SNS) to create an alarm that notifies you of AWS KMS API requests that attempt to use a customer master key (CMK) that is pending deletion. If you receive a notification from such an alarm, you might want to cancel deletion of the CMK to give yourself more time to determine whether you want to delete it.
This works because a key whose deletion has been scheduled is in the Pending deletion state: every cryptographic request against it fails, and CloudTrail records the failed call together with its error message, which the metric filter picks up.
Options B and C are incorrect because neither key policies nor IAM policies show whether a key is actually being used; they only describe who is permitted to use it.
Option D is incorrect since rotation will not help you check if the keys are being used.
For more information on deleting keys, please refer to the below URL:
https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys-creating-cloudwatch-alarm.html
The correct answer is: Use CloudTrail to see if any KMS API request has been issued against existing keys
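As an added example (not code from the original page or from AWS), the script below applies the same test offline that the documented metric filter applies inside CloudWatch Logs: it walks a list of CloudTrail records, keeps the KMS calls rejected because the key is pending deletion, and groups them by key and caller so you can decide whether to cancel the deletion. The record shape follows the CloudTrail log format; key ARNs, principals and events are constructed.

```python
"""Spot uses of a KMS key that is pending deletion in CloudTrail records.

Added example, not from the original page or from AWS. Applies the metric
filter's selection (KMS event source plus the "is pending deletion" error
message) to constructed CloudTrail records and reports who is still using
which key. Key ARNs, principals and events are made up.
"""
from collections import defaultdict

# Reference only: the shape of a metric filter pattern that performs the same
# selection inside CloudWatch Logs.
METRIC_FILTER_PATTERN = (
    '{ ($.eventSource = "kms.amazonaws.com") && ($.errorMessage = "* is pending deletion.*") }'
)

PENDING_KEY = "arn:aws:kms:us-east-1:111111111111:key/0c3b6b2a-0000-4000-8000-000000000001"  # placeholder
ACTIVE_KEY = "arn:aws:kms:us-east-1:111111111111:key/9d8c7b6a-0000-4000-8000-000000000002"   # placeholder
APP_ROLE = "arn:aws:sts::111111111111:assumed-role/AppServerRole/i-0123456789abcdef0"       # placeholder


def key_arn_from_event(event: dict):
    """CloudTrail lists the key the call touched under resources[]."""
    for res in event.get("resources", []):
        if res.get("type") == "AWS::KMS::Key":
            return res.get("ARN")
    return None


def is_pending_deletion_use(event: dict) -> bool:
    """Same test as the metric filter: a KMS call rejected for a pending-deletion key."""
    return (event.get("eventSource") == "kms.amazonaws.com"
            and "is pending deletion" in event.get("errorMessage", ""))


def pending_deletion_usage(events):
    """Return {key_arn: [(eventName, caller_arn), ...]} for rejected uses."""
    report = defaultdict(list)
    for ev in events:
        if is_pending_deletion_use(ev):
            caller = ev.get("userIdentity", {}).get("arn", "unknown")
            report[key_arn_from_event(ev) or "unknown-key"].append((ev["eventName"], caller))
    return dict(report)


SAMPLE_EVENTS = [  # constructed records
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"type": "AssumedRole", "arn": APP_ROLE},
     "resources": [{"type": "AWS::KMS::Key", "ARN": ACTIVE_KEY}]},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"type": "AssumedRole", "arn": APP_ROLE},
     "errorCode": "KMSInvalidStateException",
     "errorMessage": f"{PENDING_KEY} is pending deletion.",
     "resources": [{"type": "AWS::KMS::Key", "ARN": PENDING_KEY}]},
    {"eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/nightly-batch"},
     "errorCode": "KMSInvalidStateException",
     "errorMessage": f"{PENDING_KEY} is pending deletion.",
     "resources": [{"type": "AWS::KMS::Key", "ARN": PENDING_KEY}]},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/nightly-batch"},
     "errorCode": "AccessDenied", "errorMessage": "Access Denied"},
]

if __name__ == "__main__":
    for key, uses in pending_deletion_usage(SAMPLE_EVENTS).items():
        print(f"{key} is still in use; cancel deletion if any of these are legitimate:")
        for name, caller in uses:
            print(f"  {name} by {caller}")
```

Because the check depends on failed calls, it only sees callers that actually attempt to use the key during the waiting period; a consumer that runs less often than the waiting period is long (monthly batch jobs, for instance) will not show up, which is one reason to disable a key for a while before scheduling its deletion.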

 

NEW QUESTION 20
A company has five AWS accounts and wants to use AWS CloudTrail to log API calls. The log files must be stored in an Amazon S3 bucket that resides in a new account specifically built for centralized services with a unique top-level prefix for each trail. The configuration must also enable detection of any modification to the logs.
Which of the following steps will implement these requirements? (Choose three.)

  • A. Use an existing S3 bucket in one of the accounts, apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the "s3:PutObject" action and the "s3:GetBucketAcl" action, and specify the appropriate resource ARNs for the CloudTrail trails.
  • B. Use unique log file prefixes for trails in each AWS account.
  • C. Create a new S3 bucket in a separate AWS account for centralized storage of CloudTrail logs, and enable "Log file Validation" on all trails.
  • D. Enable encryption of the log files by using AWS Key Management Service
  • E. Apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the "s3:PutObject" action and the "s3:GetBucketAcl" action, and specify the appropriate resource ARNs for the CloudTrail trails.
  • F. Configure CloudTrail in the centralized account to log all accounts to the new centralized S3 bucket.

Answer: C,E,F

Explanation:
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html
A new bucket in the dedicated centralized account keeps the logs out of reach of the accounts being audited, and enabling log file validation makes CloudTrail deliver signed digest files whose SHA-256 hashes expose any later modification or deletion of a log file (option C). The bucket policy must grant the CloudTrail service principal s3:GetBucketAcl on the bucket and s3:PutObject on each trail's log prefix (option E); option A fails because it reuses a bucket inside one of the monitored accounts. The trails are then configured to deliver to that bucket (option F). Option B describes the prefix that is set as part of each trail's delivery path rather than a separate step, and KMS encryption in option D is sound practice but not among the stated requirements.
If you have created an organization in AWS Organizations, you can create a trail that will log all events for all AWS accounts in that organization. This is sometimes referred to as an organization trail. You can also choose to edit an existing trail in the master account and apply it to an organization, making it an organization trail. Organization trails log events for the master account and all member accounts in the organization. For more information about AWS Organizations, see Organizations Terminology and Concepts.
Note: You must be logged in with the master account for the organization in order to create an organization trail. You must also have sufficient permissions for the IAM user or role in the master account in order to successfully create an organization trail. If you do not have sufficient permissions, you will not see the option to apply a trail to an organization.
Reference: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html
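The script below is an added example, not code from the original page or from AWS, showing the per-file step of log file validation that option C switches on. CloudTrail delivers an hourly digest listing each log file with its SHA-256 hash (and a signature chaining the digests, which `aws cloudtrail validate-logs` checks and this example does not reproduce). The log files and digest here are constructed, laid out with one prefix per account as the question requires; the example assumes the digest's hashValue is the hex SHA-256 of the decompressed log content, so confirm that against the digest file structure documentation before reusing it.

```python
"""Per-file hash check from CloudTrail log file validation.

Added example, not from the original page or from AWS. Reproduces offline the
per-log-file step of validation: each delivered object is hashed and compared
with the hashValue the digest recorded for it. Assumption: hashValue is the
hex SHA-256 of the decompressed log content. The digest signature chain that
protects the digest itself is out of scope here.
"""
import gzip
import hashlib
import json

BUCKET = "central-cloudtrail-logs"  # placeholder bucket in the centralized account


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_log_file(records) -> bytes:
    """CloudTrail log object: gzip-compressed JSON with a top-level Records list."""
    return gzip.compress(json.dumps({"Records": records}).encode())


def make_digest(bucket: str, objects: dict) -> dict:
    """Constructed digest listing every delivered object with its content hash."""
    return {
        "awsAccountId": "999999999999",  # placeholder centralized account
        "digestS3Bucket": bucket,
        "logFiles": [
            {"s3Bucket": bucket, "s3Object": key,
             "hashValue": sha256_hex(gzip.decompress(blob)),
             "hashAlgorithm": "SHA-256"}
            for key, blob in sorted(objects.items())
        ],
    }


def verify_log_files(digest: dict, objects: dict) -> list:
    """Return (key, reason) for every listed log file that fails validation."""
    failures = []
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        blob = objects.get(key)
        if blob is None:
            failures.append((key, "missing"))
        elif entry.get("hashAlgorithm") != "SHA-256":
            failures.append((key, "unexpected hash algorithm"))
        elif sha256_hex(gzip.decompress(blob)) != entry["hashValue"]:
            failures.append((key, "hash mismatch"))
    return failures


def build_scenario():
    """Two monitored accounts delivering under their own prefixes."""
    objects = {
        "AWSLogs/111111111111/CloudTrail/us-east-1/2023/03/01/"
        "111111111111_CloudTrail_us-east-1_20230301T0000Z_a1b2.json.gz":
            make_log_file([{"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"}}]),
        "AWSLogs/222222222222/CloudTrail/us-east-1/2023/03/01/"
        "222222222222_CloudTrail_us-east-1_20230301T0000Z_c3d4.json.gz":
            make_log_file([{"eventName": "RunInstances", "userIdentity": {"type": "IAMUser"}}]),
    }
    return make_digest(BUCKET, objects), objects


def tamper(objects: dict, key: str) -> dict:
    """Rewrite one log file with its records stripped, as someone hiding activity would."""
    tampered = dict(objects)
    tampered[key] = make_log_file([])
    return tampered


if __name__ == "__main__":
    digest, objects = build_scenario()
    print("clean:", verify_log_files(digest, objects))
    root_log = next(k for k in objects if k.startswith("AWSLogs/111111111111/"))
    print("after tampering:", verify_log_files(digest, tamper(objects, root_log)))
```

The digest lives in the same bucket as the logs, so an attacker with write access there could rewrite both; that is why the digests are signed with a CloudTrail-held key and why the bucket sits in an account the monitored workloads cannot reach.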

 

NEW QUESTION 21
A company uses HTTP Live Streaming (HLS) to stream live video content to paying subscribers by using Amazon CloudFront. HLS splits the video content into chunks so that the user can request the right chunk based on different conditions. Because the video events last for several hours, the total video is made up of thousands of chunks.
The origin URL is not disclosed, and every user is forced to access the CloudFront URL. The company has a web application that authenticates the paying users against an internal repository and a CloudFront key pair that is already issued.
What is the simplest and MOST effective way to protect the content?

  • A. Develop the application to use the CloudFront key pair to create signed URLs that users will use to access the content.
  • B. Keep the CloudFront URL encrypted inside the application, and use AWS KMS to resolve the URL on-the- fly after the user is authenticated.
  • C. Develop the application to issue a security token that Lambda@Edge will receive to authenticate and authorize access to the content.
  • D. Develop the application to use the CloudFront key pair to set the signed cookies that users will use to access the content.

Answer: A

Explanation:
Explanation/Reference: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-urls.html

 

NEW QUESTION 22
An organization must establish the ability to delete an AWS KMS Customer Master Key (CMK) within a 24-hour timeframe to keep it from being used for encrypt or decrypt operations. Which of the following actions will address this requirement?

  • A. Use the schedule key deletion function within KMS to specify the minimum wait period for deletion
  • B. Manually rotate a key within KMS to create a new CMK immediately
  • C. Change the KMS CMK alias to immediately prevent any services from using the CMK.
  • D. Use the KMS import key functionality to execute a delete key operation

Answer: A

Explanation:
KMS enforces a waiting period of at least 7 days before a scheduled key is actually deleted, so the 24-hour target cannot be met literally. Scheduling deletion does, however, put the key into the Pending deletion state immediately, and a key in that state cannot be used for any cryptographic operation; if the only goal is to stop encrypt and decrypt use quickly, disabling the key achieves the same effect and is reversible. Rotation (B) keeps the old key material available for decryption, changing an alias (C) does not affect callers that use the key ID or ARN, and deleting imported key material (D) applies only to keys whose material was imported.

 

NEW QUESTION 23
You have been given a new brief from your supervisor for a client who needs a web application set up on AWS. The most important requirement is that MySQL must be used as the database, and this database must not be hosted in the public cloud, but rather at the client's data center due to security risks. Which of the following solutions would be the best to assure that the client's requirements are met? Choose the correct answer from the options below.
Please select:

  • A. Use the public subnet for the application server and use RDS with a storage gateway to access and synchronize the data securely from the local data center.
  • B. Build the application server on a public subnet and build the database in a private subnet with a secure ssh connection to the private subnet from the client's data center.
  • C. Build the application server on a public subnet and the database on a private subnet with a NAT instance between them.
  • D. Build the application server on a public subnet and the database at the client's data center. Connect them with a VPN connection which uses IPsec.

Answer: D

Explanation:
Since the database must not be hosted in the cloud, all other options are invalid. The best option is an IPsec VPN connection between the VPC and the client's data center, so that database traffic between the application servers and the on-premises MySQL host is encrypted in transit.
Option A is invalid because this is an incorrect use of the Storage Gateway, and RDS would still host the database in the cloud. Option B is invalid because the database would sit in the VPC's private subnet rather than at the data center. Option C is invalid because this is an incorrect use of a NAT instance, and the database would again be hosted in the cloud.
For more information on VPN connections, please visit the below URL:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html
The correct answer is: Build the application server on a public subnet and the database at the client's data center. Connect them with a VPN connection which uses IPsec

 

NEW QUESTION 24
A company has enabled Amazon GuardDuty in all Regions as part of its security monitoring strategy. In one of the VPCs, the company hosts an Amazon EC2 instance working as an FTP server that is contacted by a high number of clients from multiple locations. This is identified by GuardDuty as a brute force attack due to the high number of connections that happen every hour.
The finding has been flagged as a false positive. However, GuardDuty keeps raising the issue. A Security Engineer has been asked to improve the signal-to-noise ratio. The Engineer needs to ensure that changes do not compromise the visibility of potential anomalous behavior.
How can the Security Engineer address the issue?

  • A. Create an AWS Lambda function that closes the finding whenever a new occurrence is reported
  • B. Disable the FTP rule in GuardDuty in the Region where the FTP server is deployed
  • C. Use GuardDuty filters with auto archiving enabled to close the findings
  • D. Add the FTP server to a trusted IP list and deploy it to GuardDuty to stop receiving the notifications

Answer: D

Explanation:
Trusted IP lists consist of IP addresses that you have whitelisted for secure communication with your AWS infrastructure and applications. GuardDuty does not generate findings for IP addresses on trusted IP lists. At any given time, you can have only one uploaded trusted IP list per AWS account per region.

 

NEW QUESTION 25
The Security Engineer implemented a new vault lock policy for 10TB of data and called initiate-vault-lock 12 hours ago. The Audit team identified a typo that is allowing incorrect access to the vault.
What is the MOST cost-effective way to correct this?

  • A. Update the policy and call initiate-vault-lock again to apply the new policy.
  • B. Call the abort-vault-lock operation, fix the typo, and call the initiate-vault-lock again.
  • C. Copy the vault data to Amazon S3, delete the vault, and create a new vault with the data.
  • D. Update the policy, keeping the vault lock in place.

Answer: B

Explanation:
Initiate the lock by attaching a vault lock policy to your vault, which sets the lock to an in-progress state and returns a lock ID. While in the in-progress state, you have 24 hours to validate your vault lock policy before the lock ID expires. Use the lock ID to complete the lock process. If the vault lock policy doesn't work as expected, you can abort the lock and restart from the beginning. For information on how to use the S3 Glacier API to lock a vault, see Locking a Vault by Using the Amazon S3 Glacier API. https://docs.aws.amazon.com/amazonglacier/latest/dev/vault-lock-policy.html

 

NEW QUESTION 26
A company developed an incident response plan 18 months ago. Regular exercises of the response plan are carried out. No changes have been made to the response plan since its creation. Which of the following is a right statement with regards to the plan?
Please select:

  • A. It places too much emphasis on already implemented security controls.
  • B. The response plan is not implemented on a regular basis
  • C. The response plan does not cater to new services
  • D. The response plan is complete in its entirety

Answer: C

Explanation:
So definitely the case here is that the incident response plan is not catering to newly created services. AWS keeps changing and adding new services, and hence the response plan must be reviewed and updated to cover them.
Options A and B are invalid because we do not know this for a fact; the scenario states that the plan is exercised regularly.
Option D is invalid because we know that the response plan is not complete, because it does not cater to new features of AWS.
For more information on incident response plans please visit the following URL:
https://aws.amazon.com/blogs/publicsector/building-a-cloud-specific-incident-response-plan/
The correct answer is: The response plan does not cater to new services

 

NEW QUESTION 27
A large corporation is creating a multi-account strategy and needs to determine how its employees should access the AWS infrastructure.
Which of the following solutions would provide the MOST scalable solution?

  • A. Configure the IAM trust policies within each account's role to set up a trust back to the corporation's existing identity provider allowing users to assume the role based off their SAML token
  • B. Use a centralized account with IAM roles that employees can assume through federation with their existing identity provider Use cross-account roles to allow the federated users to assume their target role in the resource accounts
  • C. Configure the AWS Security Token Service to use Kerberos tokens so that users can use their existing corporate user names and passwords to access AWS resources directly
  • D. Create dedicated IAM users within each AWS account that employees can assume through federation based upon group membership in their existing identity provider

Answer: B

 

NEW QUESTION 28
An organization has launched 5 instances: 2 for production and 3 for testing. The organization wants one particular group of IAM users to access only the test instances and not the production ones. How can the organization set that as a part of the policy?
Please select:

  • A. Define the tags on the test and production servers and add a condition to the IAM policy which allows access to specific tags
  • B. Create an IAM policy with a condition which allows access to only small instances
  • C. Launch the test and production instances in separate regions and allow region-wise access to the group
  • D. Define the IAM policy which allows access based on the instance ID

Answer: A

Explanation:
Tags enable you to categorize your AWS resources in different ways, for example, by purpose, owner, or environment. This is useful when you have many resources of the same type: you can quickly identify a specific resource based on the tags you've assigned to it, and IAM can make the authorization decision on the tag through the ec2:ResourceTag/<tag-key> condition key.
Option B is invalid because the instance type will not resolve the requirement. Option C is invalid because splitting environments across Regions is not a recommended practice for access control. Option D is invalid because hard-coding instance IDs into policies is an overhead to maintain as instances are replaced.
For information on resource tagging, please visit the below URL:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html
The correct answer is: Define the tags on the test and production servers and add a condition to the IAM policy which allows access to specific tags
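The following is an added example, not code from the original page or from AWS. It holds a policy of the kind the answer describes, scoped with the ec2:ResourceTag/Environment condition key, together with a small evaluator that applies IAM's default-deny logic to a request carrying the target instance's tags, and runs it over a constructed inventory of 2 production and 3 test instances. The tag name, tag values, allowed actions and instance ARNs are assumptions. ec2:DescribeInstances does not support resource-level permissions or resource-tag conditions, which is why it gets its own unconditioned statement.

```python
"""Tag-scoped IAM permission for the test instances only.

Added example, not from the original page or from AWS. TEST_ONLY_POLICY is an
assumed policy for the group; is_allowed() is a deliberately small model of
IAM evaluation (Action/Resource wildcards, StringEquals conditions, explicit
Deny beats Allow, default deny). Instance ARNs and tags are constructed.
"""
import fnmatch

TEST_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListAllInstances",
            "Effect": "Allow",
            "Action": "ec2:DescribeInstances",   # no resource-level support
            "Resource": "*",
        },
        {
            "Sid": "ManageTestInstancesOnly",
            "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "test"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition: dict, context: dict) -> bool:
    """Only StringEquals is needed for this policy; a missing key fails the test."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            if context.get(key) != expected:
                return False
    return True


def is_allowed(policy: dict, action: str, resource: str, context: dict) -> bool:
    """Default deny; an explicit Deny always wins over any Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def instance_context(tags: dict) -> dict:
    """Condition keys IAM derives from the target instance's tags."""
    return {f"ec2:ResourceTag/{k}": v for k, v in tags.items()}


INSTANCES = {  # constructed inventory: 2 production, 3 test
    "arn:aws:ec2:us-east-1:111111111111:instance/i-0a1b2c3d4e5f60001": {"Environment": "prod"},
    "arn:aws:ec2:us-east-1:111111111111:instance/i-0a1b2c3d4e5f60002": {"Environment": "prod"},
    "arn:aws:ec2:us-east-1:111111111111:instance/i-0a1b2c3d4e5f60003": {"Environment": "test"},
    "arn:aws:ec2:us-east-1:111111111111:instance/i-0a1b2c3d4e5f60004": {"Environment": "test"},
    "arn:aws:ec2:us-east-1:111111111111:instance/i-0a1b2c3d4e5f60005": {"Environment": "test"},
}


def permitted_targets(policy: dict, action: str):
    """Instances on which the group may perform the action."""
    return sorted(arn for arn, tags in INSTANCES.items()
                  if is_allowed(policy, action, arn, instance_context(tags)))


if __name__ == "__main__":
    for action in ("ec2:StopInstances", "ec2:TerminateInstances"):
        print(action, "->", permitted_targets(TEST_ONLY_POLICY, action))
```

The control is only as strong as the tag: pair it with a statement that denies ec2:CreateTags and ec2:DeleteTags on instances to this group (or restricts them with aws:RequestTag), otherwise a member could retag a production instance as test and gain access.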

 

NEW QUESTION 29
A company's Security Engineer has been asked to monitor and report all AWS account root user activities. Which of the following would enable the Security Engineer to monitor and report all root user activities? (Select TWO)

  • A. Using Amazon SNS to notify the target group
  • B. Configuring Amazon Inspector to scan the AWS account for any root user activity
  • C. Configuring AWS Organizations to monitor root user API calls on the paying account
  • D. Creating an Amazon CloudWatch Events rule that will trigger when any API call from the root user is reported
  • E. Configuring AWS Trusted Advisor to send an email to the Security team when the root user logs in to the console

Answer: A,D
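As an added example (not code from the original page or from AWS), the script below shows the rule behind option D: an event pattern that selects CloudTrail-delivered events whose userIdentity.type is "Root", with an SNS topic as the target that notifies the team (option A). It implements the subset of EventBridge pattern semantics the pattern needs (nested objects, and a list of literal values at each leaf) and runs it over constructed events shaped like the CloudTrail events EventBridge delivers; names and IDs are made up.

```python
"""EventBridge-style matching for AWS account root user activity.

Added example, not from the original page or from AWS. Implements the subset
of EventBridge pattern semantics that the root-activity rule needs and runs
it over constructed events in the shape EventBridge delivers CloudTrail
events; account IDs and names are made up.
"""
from typing import Any

ROOT_ACTIVITY_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail", "AWS Console Sign In via CloudTrail"],
    "detail": {"userIdentity": {"type": ["Root"]}},
}


def pattern_matches(pattern: dict, event: Any) -> bool:
    """Every key in the pattern must exist in the event; a nested object
    recurses, and a list of literals matches when the event value is one of
    them. Keys the pattern does not mention are ignored."""
    if not isinstance(event, dict):
        return False
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not pattern_matches(expected, event[key]):
                return False
        elif isinstance(expected, list):
            if event[key] not in expected:
                return False
        else:
            raise ValueError(f"unsupported pattern value at {key!r}: {expected!r}")
    return True


def root_activity(events):
    """Events that would trigger the rule (and so the SNS notification)."""
    return [e for e in events if pattern_matches(ROOT_ACTIVITY_PATTERN, e)]


SAMPLE_EVENTS = [  # constructed
    {"source": "aws.signin", "detail-type": "AWS Console Sign In via CloudTrail",
     "detail": {"eventName": "ConsoleLogin", "awsRegion": "us-east-1",
                "userIdentity": {"type": "Root", "accountId": "111111111111"}}},
    {"source": "aws.iam", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventName": "CreateAccessKey", "awsRegion": "us-east-1",
                "userIdentity": {"type": "Root", "accountId": "111111111111"}}},
    {"source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventName": "RunInstances", "awsRegion": "us-east-1",
                "userIdentity": {"type": "IAMUser", "userName": "alice"}}},
    {"source": "aws.sts", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventName": "AssumeRole", "awsRegion": "eu-west-1",
                "userIdentity": {"type": "AssumedRole"}}},
    # A GuardDuty finding about root usage has no userIdentity field, so this
    # rule does not see it; it needs its own rule on the finding type.
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "detail": {"type": "Policy:IAMUser/RootCredentialUsage", "severity": 2}},
]

if __name__ == "__main__":
    for ev in root_activity(SAMPLE_EVENTS):
        print(ev["detail-type"], "->", ev["detail"]["eventName"])
```

The rule only fires for events CloudTrail delivers to EventBridge in the Region where the rule exists, so a trail must be recording management events there; for coverage of every Region either replicate the rule or forward events to one central bus.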

 

NEW QUESTION 30
An application uses Amazon Cognito to manage end users' permissions when directly accessing AWS resources, including Amazon DynamoDB. A new feature request reads as follows:
Provide a mechanism to mark customers as suspended pending investigation or suspended permanently.
Customers should still be able to log in when suspended, but should not be able to make changes.
The priorities are to reduce complexity and avoid potential for future security issues.
Which approach will meet these requirements and priorities?

  • A. Add suspended customers to second Cognito user pool and update the application login flow to check both user pools.
  • B. Create a new database field "suspended_status" and modify the application logic to validate that field when processing requests.
  • C. Use Amazon Cognito Sync to push out a "suspension_status" parameter and split the IAM policy into normal users and suspended users.
  • D. Move suspended customers to a second Cognito group and define an appropriate IAM access policy for the group.

Answer: B

 


NEW QUESTION 32
To meet regulatory requirements, a Security Engineer needs to implement an IAM policy that restricts the use of AWS services to the us-east-1 Region.
What policy should the Engineer implement?



  • A. Option C
  • B. Option A
  • C. Option B
  • D. Option D

Answer: C

 

NEW QUESTION 33
What is the function of the following AWS Key Management Service (KMS) key policy attached to a customer master key (CMK)?

  • A. The Amazon WorkMail and Amazon SES services have delegated KMS encrypt and decrypt permissions to the ExampleUser principal in the 111122223333 account.
  • B. The key policy allows WorkMail or SES to encrypt or decrypt on behalf of the user for any CMK in the account.
  • C. The CMK is to be used for encrypting and decrypting only when the principal is ExampleUser and the request comes from WorkMail or SES in the specified region.
  • D. The ExampleUser principal can transparently encrypt and decrypt email exchanges specifically between ExampleUser and AWS.

Answer: C

Explanation:
Explanation/Reference:
https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-via-service

 

NEW QUESTION 34
An application running on EC2 instances must use a username and password to access a database. The developer has stored those secrets in the SSM Parameter Store with type SecureString using the default KMS CMK. Which combination of configuration steps will allow the application to access the secrets via the API? Select 2 answers from the options below.
Please select:

  • A. Add permission to use the KMS key to decrypt to the SSM service role.
  • B. Add the SSM service role as a trusted service to the EC2 instance role.
  • C. Add the EC2 instance role as a trusted service to the SSM service role.
  • D. Add permission to read the SSM parameter to the EC2 instance role.
  • E. Add permission to use the KMS key to decrypt to the EC2 instance role

Answer: D,E

Explanation:
The example policy in the AWS documentation (not reproduced here) shows what the EC2 instance role needs in order to read a SecureString parameter: permission to call ssm:GetParameter on the parameter and permission to call kms:Decrypt on the key that protects it. Parameter Store decrypts the value using the caller's own credentials, so both permissions belong on the instance role and no SSM service role is involved.
Option A is invalid because decryption happens under the instance role's credentials, not under an SSM service role. Options B and C are invalid because reading a parameter involves no trust relationship between the instance role and an SSM service role.
For more information on the parameter store, please visit the below URL:
https://docs.aws.amazon.com/kms/latest/developerguide/services-parameter-store.html
The correct answers are: Add permission to read the SSM parameter to the EC2 instance role. Add permission to use the KMS key to decrypt to the EC2 instance role.

 

NEW QUESTION 35
A company wants to have an Intrusion detection system available for their VPC in AWS. They want to have complete control over the system. Which of the following would be ideal to implement?
Please select:

  • A. Use AWS WAF to catch all intrusions occurring on the systems in the VPC
  • B. Use a custom solution available in the AWS Marketplace
  • C. Use AWS Cloudwatch to monitor all traffic
  • D. Use VPC Flow logs to detect the issues and flag them accordingly.

Answer: B

Explanation:
Sometimes companies want to have custom solutions in place for monitoring intrusions on their systems. In such a case, you can use the AWS Marketplace to deploy a third-party IDS/IPS appliance or host-based agent that you administer yourself, which gives the complete control the question asks for.
Options A, C and D are all invalid because none of them is an intrusion detection system: AWS WAF inspects HTTP(S) requests against rules you write, CloudWatch collects metrics and logs, and VPC Flow Logs record only IP traffic metadata, not packet payloads. The last two can feed a detection pipeline but do not provide one.
For more information on using custom security solutions please visit the below URL:
https://d1.awsstatic.com/Marketplace/security/AWSMP_Security_Solution%20Overview.pdf
The correct answer is: Use a custom solution available in the AWS Marketplace

 

NEW QUESTION 36
You need to ensure that objects in an S3 bucket are available in another region. This is because of the criticality of the data that is hosted in the S3 bucket. How can you achieve this in the easiest way possible?
Please select:

  • A. Create an S3 snapshot in the destination region
  • B. Enable versioning which will copy the objects to the destination region
  • C. Enable cross region replication for the bucket
  • D. Write a script to copy the objects to another bucket in the destination region

Answer: C

Explanation:
The AWS documentation mentions the following: Cross-region replication is a bucket-level configuration that enables automatic, asynchronous copying of objects across buckets in different AWS Regions. Both the source and the destination bucket must have versioning enabled, and objects that already exist when replication is configured are not copied by default.
Option A is invalid because snapshots are not available in S3. Option B is invalid because versioning keeps previous versions of objects in the same bucket; it does not replicate them to another Region. Option D would work but is a big maintenance overhead to create and maintain a script when the functionality is already available in S3.
For more information on cross-region replication in the Simple Storage Service, please visit the below URL:
https://docs.aws.amazon.com/AmazonS3/latest/dev/crr.html
The correct answer is: Enable cross region replication for the bucket

 

NEW QUESTION 37
......
