AWS-Certified-Security-Specialty Free Practice Test

- (Exam Topic 2)
An organization has three applications running on AWS, each accessing the same data on Amazon S3. The data on Amazon S3 is server-side encrypted by using an AWS KMS Customer Master Key (CMK).
What is the recommended method to ensure that each application has its own programmatic access control permissions on the KMS CMK?

1. A. Change the key policy permissions associated with the KMS CMK for each application when it must access the data in Amazon S3.
2. B. Have each application assume an IAM role that provides permissions to use the AWS Certificate Manager CMK.
3. C. Have each application use a grant on the KMS CMK to add or remove specific access controls on the KMS CMK.
4. D. Have each application use an IAM policy in a user context to have specific access permissions on the KMS CMK.

Correct Answer: C

- (Exam Topic 1)
A company had one of its Amazon EC2 key pairs compromised. A Security Engineer must identify which current Linux EC2 instances were deployed and used the compromised key pair.
How can this task be accomplished?

1. A. Obtain the list of instances by directly querying Amazon EC2 using: aws ec2 describe-instances --fi1ters "Name=key-name,Values=KEYNAMEHERE".
2. B. Obtain the fingerprint for the key pair from the AWS Management Console, then search for the fingerprint in the Amazon Inspector logs.
3. C. Obtain the output from the EC2 instance metadata using: curl http: //169.254.169.254/latest/meta-data/public- keys/0/.
4. D. Obtain the fingerprint for the key pair from the AWS Management Console, then search for the fingerprint in Amazon CloudWatch Logs using: aws logs filter-log-events.

Correct Answer: A

- (Exam Topic 1)
A company is using AWS Organizations to manage multiple AWS accounts. The company has an application that allows users to assume the AppUser IAM role to download files from an Amazon S3 bucket that is encrypted with an AWS KMS CMK However when users try to access the files in the S3 bucket they get an access denied error.
What should a Security Engineer do to troubleshoot this error? (Select THREE )

1. A. Ensure the KMS policy allows the AppUser role to have permission to decrypt for the CMK
2. B. Ensure the S3 bucket policy allows the AppUser role to have permission to get objects for the S3 bucket
3. C. Ensure the CMK was created before the S3 bucket.
4. D. Ensure the S3 block public access feature is enabled for the S3 bucket.
5. E. Ensure that automatic key rotation is disabled for the CMK
6. F. Ensure the SCPs within Organizations allow access to the S3 bucket.

Correct Answer: ABF

- (Exam Topic 2)
An organization is using Amazon CloudWatch Logs with agents deployed on its Linux Amazon EC2 instances. The agent configuration files have been checked and the application log files to be pushed are configured correctly. A review has identified that logging from specific instances is missing.
Which steps should be taken to troubleshoot the issue? (Choose two.)

1. A. Use an EC2 run command to confirm that the “awslogs” service is running on all instances.
2. B. Verify that the permissions used by the agent allow creation of log groups/streams and to put log events.
3. C. Check whether any application log entries were rejected because of invalid time stamps by reviewing/var/cwlogs/rejects.log.
4. D. Check that the trust relationship grants the service “cwlogs.amazonaws.com” permission to write objects to the Amazon S3 staging bucket.
5. E. Verify that the time zone on the application servers is in UTC.

Correct Answer: AB
EC2 run command - can run scripts, install software, collect metrics and log files, manage patches and more. Bringing these two services together - can create CloudWatch Events rules that use EC2 Run Command to perform actions on EC2 instances or on-premises servers.

- (Exam Topic 3)
Your IT Security team has identified a number of vulnerabilities across critical EC2 Instances in the company's AWS Account. Which would be the easiest way to ensure these vulnerabilities are remediated?
Please select:

1. A. Create AWS Lambda functions to download the updates and patch the servers.
2. B. Use AWS CLI commands to download the updates and patch the servers.
3. C. Use AWS inspector to patch the servers
4. D. Use AWS Systems Manager to patch the servers

Correct Answer: D
The AWS Documentation mentions the following
You can quickly remediate patch and association compliance issues by using Systems Manager Run Command. You can tat either instance IDs or Amazon EC2 tags and execute the AWS-RefreshAssociation document or the AWS-RunPatchBaseline document. If refreshing the association or re-running the patch baseline fails to resolve the compliance issue, then you need to investigate your associations, patch baselines, or instance configurations to understand why the Run Command executions did not resolve the problem
Options A and B are invalid because even though this is possible, still from a maintenance perspective it would be difficult to maintain the Lambda functions
Option C is invalid because this service cannot be used to patch servers
For more information on using Systems Manager for compliance remediation please visit the below Link: https://docs.aws.amazon.com/systems-manaeer/latest/usereuide/sysman-compliance-fixing.html
The correct answer is: Use AWS Systems Manager to patch the servers Submit your Feedback/Queries to our Experts