AWS-Certified-Security-Specialty Free Practice Test

- (Exam Topic 1)
A company uses HTTP Live Streaming (HLS) to stream live video content to paying subscribers by using Amazon CloudFront. HLS splits the video content into chunks so that the user can request the right chunk based on different conditions Because the video events last for several hours, the total video is made up of thousands of chunks
The origin URL is not disclosed and every user is forced to access the CloudFront URL The company has a web application that authenticates the paying users against an internal repository and a CloudFront key pair that is already issued.
What is the simplest and MOST effective way to protect the content?

1. A. Develop the application to use the CloudFront key pair to create signed URLs that users will use to access the content.
2. B. Develop the application to use the CloudFront key pair to set the signed cookies that users will use to access the content.
3. C. Develop the application to issue a security token that Lambda@Edge will receive to authenticate and authorize access to the content
4. D. Keep the CloudFront URL encrypted inside the application, and use AWS KMS to resolve the URL on-the-fly after the user is authenticated.

Correct Answer: B

- (Exam Topic 1)
A company's Director of information Security wants a daily email report from AWS that contains recommendations for each company account to meet AWS Security best practices.
Which solution would meet these requirements?

1. A. in every AWS account, configure AWS Lambda to query me AWS Support API tor AWS Trusted Advisor security checks Send the results from Lambda to an Amazon SNS topic to send reports.
2. B. Configure Amazon GuardDuty in a master account and invite all other accounts to be managed by the master account Use GuardDuty's integration with Amazon SNS to report on findings
3. C. Use Amazon Athena and Amazon QuickSight to build reports off of AWS CloudTrail Create a daily Amazon CloudWatch trigger to run the report dally and email It using Amazon SNS
4. D. Use AWS Artifact's prebuilt reports and subscriptions Subscribe the Director of Information Security to the reports by adding the Director as the security alternate contact tor each account

Correct Answer: A

- (Exam Topic 3)
Your application currently use AWS Cognito for authenticating users. Your application consists of different types of users. Some users are only allowed read access to the application and others are given contributor access. How wou you manage the access effectively?
Please select:

1. A. Create different cognito endpoints, one for the readers and the other for the contributors.
2. B. Create different cognito groups, one for the readers and the other for the contributors.
3. C. You need to manage this within the application itself
4. D. This needs to be managed via Web security tokens

Correct Answer: B
The AWS Documentation mentions the following
You can use groups to create a collection of users in a user pool, which is often done to set the permissions for those users. For example, you can create separate groups for users who are readers, contributors, and editors of your website and app.
Option A is incorrect since you need to create cognito groups and not endpoints
Options C and D are incorrect since these would be overheads when you can use AWS Cognito For more information on AWS Cognito user groups please refer to the below Link: https://docs.aws.amazon.com/coenito/latest/developersuide/cognito-user-pools-user-groups.htmll
The correct answer is: Create different cognito groups, one for the readers and the other for the contributors. Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
A user has created a VPC with the public and private subnets using the VPC wizard. The VPC has CIDR 20.0.0.0/16. The public subnet uses CIDR 20.0.1.0/24. The user is planning to host a web server in the public subnet with port 80 and a Database server in the private subnet with port 3306. The user is configuring a security group for the public subnet (WebSecGrp) and the private subnet (DBSecGrp). which of the below mentioned entries is required in the private subnet database security group DBSecGrp?
Please select:

1. A. Allow Inbound on port 3306 for Source Web Server Security Group WebSecGrp.
2. B. Allow Inbound on port 3306 from source 20.0.0.0/16
3. C. Allow Outbound on port 3306 for Destination Web Server Security Group WebSecGrp.
4. D. Allow Outbound on port 80 for Destination NAT Instance IP

Correct Answer: A
Since the Web server needs to talk to the database server on port 3306 that means that the database server should allow incoming traffic on port 3306. The below table from the aws documentation shows how the security groups should be set up.
C:\Users\wk\Desktop\mudassar\Untitled.jpg

Option B is invalid because you need to allow incoming access for the database server from the WebSecGrp security group.
Options C and D are invalid because you need to allow Outbound traffic and not inbound traffic For more information on security groups please visit the below Link:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC
Scenario2.html
The correct answer is: Allow Inbound on port 3306 for Source Web Server Security Group WebSecGrp. Submit your Feedback/Queries to our Experts

- (Exam Topic 1)
A Web Administrator for the website example.com has created an Amazon CloudFront distribution for dev.example.com, with a requirement to configure HTTPS using a custom TLS certificate imported to AWS Certificate Manager.
Which combination of steps is required to ensure availability of the certificate in the CloudFront console? (Choose two.)

1. A. Call UploadServerCertificate with /cloudfront/dev/ in the path parameter.
2. B. Import the certificate with a 4,096-bit RSA public key.
3. C. Ensure that the certificate, private key, and certificate chain are PKCS #12-encoded.
4. D. Import the certificate in the us-east-1 (
5. E. Virginia) Region.
6. F. Ensure that the certificate, private key, and certificate chain are PEM-encoded.

Correct Answer: DE