AWS-Certified-Security-Specialty Free Practice Test

Your company uses IAM to host its resources. They have the following requirements
1) Record all API calls and Transitions
2) Help in understanding what resources are there in the account
3) Facility to allow auditing credentials and logins
Which services would suffice the above requirements Please select:

1. A. IAM Inspector, CloudTrail, IAM Credential Reports
2. B. CloudTrai
3. C. IAM Credential Reports, IAM SNS
4. D. CloudTrail, IAM Config, IAM Credential Reports
5. E. IAM SQS, IAM Credential Reports, CloudTrail

Correct Answer: C
You can use IAM CloudTrail to get a history of IAM API calls and related events for your account. This history includes calls made with the IAM Management Console, IAM Command Line Interface, IAM SDKs, and other IAM services.
Options A,B and D are invalid because you need to ensure that you use the services of CloudTrail, IAM Config, IAM Credential Reports
For more information on Cloudtrail, please visit the below URL:
http://docs.IAM.amazon.com/IAMcloudtrail/latest/userguide/cloudtrail-user-guide.html
IAM Config is a service that enables you to assess, audit and evaluate the configurations of your IAM resources. Config continuously monitors and records your IAM resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. With Config, you can review changes in configurations and relationships between IAM resources, dive into detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines. This enables you to simplify compliance auditing, security analysis, char management and operational troubleshooting.
For more information on the config service, please visit the below URL https://IAM.amazon.com/config/
You can generate and download a credential report that lists all users in your account and the status of their various credentials, including passwords, access keys, and MFA devices. You can get a credential report from the IAM Management Console, the IAM SDKs and Command Line Tools, or the IAM API.
For more information on Credentials Report, please visit the below URL: http://docs.IAM.amazon.com/IAM/latest/UserGuide/id credentials_getting-report.html
The correct answer is: CloudTrail, IAM Config, IAM Credential Reports Submit your Feedback/Queries to our Experts

A company's Security Auditor discovers that users are able to assume roles without using multi-factor authentication (MFA). An example of a current policy being applied to these users is as follows:

The Security Auditor finds that the users who are able to assume roles without MFA are alt coming from the IAM CLI. These users are using long-term IAM credentials. Which changes should a Security Engineer implement to resolve this security issue? (Select TWO.)
A)

B)

C)

D)

E)

1. A. Option A
2. B. Option B
3. C. Option C
4. D. Option D
5. E. Option E

Correct Answer: AD

A company's application team wants to replace an internal application with a new IAM architecture that consists of Amazon EC2 instances, an IAM Lambda function, and an Amazon S3 bucket in a single IAM Region. After an architecture review, the security team mandates that no application network traffic can traverse the public internet at any point. The security team already has an SCP in place for the company's organization in IAM Organizations to restrict the creation of internet gateways. NAT gateways, and egress-only gateways.
Which combination of steps should the application team take to meet these requirements? (Select THREE.)

1. A. Create an S3 endpoint that has a full-access policy for the application's VPC.
2. B. Create an S3 access point for the S3 bucke
3. C. Include a policy that restricts the network origin to VPCs.
4. D. Launch the Lambda functio
5. E. Enable the block public access configuration.
6. F. Create a security group that has an outbound rule over port 443 with a destination of the S3 endpomt.Associate the security group with the EC2 instances.
7. G. Create a security group that has an outbound rule over port 443 with a destination of the S3 access point.Associate the security group with the EC2 instances.
8. H. Launch the Lambda function in a VPC.

Correct Answer: ADF

A security engineer needs to create an IAM Key Management Service server-side encryption. Usage of the key must be limited to requests coming from Amazon S3 within the company's account.
Which statement in the KMS key policy will meet these requirements?
A)

B)

C)

1. A. Option A
2. B. Option B
3. C. Option C

Correct Answer: A

An application is running on an Amazon EC2 instance that has an IAM role attached. The IAM role provides access to an AWS Key Management Service (AWS KMS) customer managed key and an Amazon S3 bucket. The key is used to access 2 TB of sensitive data that is stored in the S3 bucket.
A security engineer discovers a potential vulnerability on the EC2 instance that could result in the compromise of the sensitive data. Due to other critical operations, the security engineer cannot immediately shut down the EC2 instance for vulnerability patching.
What is the FASTEST way to prevent the sensitive data from being exposed?

1. A. Download the data from the existing S3 bucket to a new EC2 instanc
2. B. Then delete the data from the S3 bucke
3. C. Re-encrypt the data with a client-based ke
4. D. Upload the data to a new S3 bucket.
5. E. Block access to the public range of S3 endpoint IP addresses by using a host-based firewal
6. F. Ensure that internet-bound traffic from the affected EC2 instance is routed through the host-based firewall.
7. G. Revoke the IAM role's active session permission
8. H. Update the S3 bucket policy to deny access to the IAM rol
9. I. Remove the IAM role from the EC2 instance profile.
10. J. Disable the current ke
11. K. Create a new KMS key that the IAM role does not have access to, and re-encrypt all the data with the new ke
12. L. Schedule the compromised key for deletion.

Correct Answer: D