AWS-Certified-Security-Specialty Free Practice Test

- (Exam Topic 2)
While analyzing a company's security solution, a Security Engineer wants to secure the AWS account root user.
What should the Security Engineer do to provide the highest level of security for the account?

1. A. Create a new IAM user that has administrator permissions in the AWS accoun
2. B. Delete the password forthe AWS account root user.
3. C. Create a new IAM user that has administrator permissions in the AWS accoun
4. D. Modify the permissions for the existing IAM users.
5. E. Replace the access key for the AWS account root use
6. F. Delete the password for the AWS account root user.
7. G. Create a new IAM user that has administrator permissions in the AWS accoun
8. H. Enable multi-factor authentication for the AWS account root user.

Correct Answer: D
If you continue to use the root user credentials, we recommend that you follow the security best practice to enable multi-factor authentication (MFA) for your account. Because your root user can perform sensitive operations in your account, adding an additional layer of authentication helps you to better secure your account. Multiple types of MFA are available.

- (Exam Topic 1)
A Security Administrator at a university is configuring a fleet of Amazon EC2 instances. The EC2 instances are shared among students, and non-root SSH access is allowed. The Administrator is concerned about students attacking other AWS account resources by using the EC2 instance metadata service.
What can the Administrator do to protect against this potential attack?

1. A. Disable the EC2 instance metadata service.
2. B. Log all student SSH interactive session activity.
3. C. Implement ip tables-based restrictions on the instances.
4. D. Install the Amazon Inspector agent on the instances.

Correct Answer: A
"To turn off access to instance metadata on an existing instance....." https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html You can disable the service for existing (running or stopped) ec2 instances. https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-instance-metadata-options.html

- (Exam Topic 3)
A company deployed AWS Organizations to help manage its increasing number of AWS accounts. A security engineer wants to ensure only principals in the Organization structure can access a specic Amazon S3 bucket. The solution must also minimize operational overhead
Which solution will meet these requirements?

1. A. 1 Put all users into an IAM group with an access policy granting access to the J bucket.
2. B. Have the account creation trigger an AWS Lambda function that manages the bucket policy, allowing access to accounts listed in the policy only.
3. C. Add an SCP to the Organizations master account, allowing all principals access to the bucket.
4. D. Specify the organization ID in the global key condition element of a bucket policy, allowing all principals access.

Correct Answer: D

- (Exam Topic 2)
A Security Administrator is restricting the capabilities of company root user accounts. The company uses AWS Organizations and has enabled it for all feature sets, including consolidated billing. The top-level account is used for billing and administrative purposes, not for operational AWS resource purposes.
How can the Administrator restrict usage of member root user accounts across the organization?

1. A. Disable the use of the root user account at the organizational roo
2. B. Enable multi-factor authentication of the root user account for each organizational member account.
3. C. Configure IAM user policies to restrict root account capabilities for each Organizations member account.
4. D. Create an organizational unit (OU) in Organizations with a service control policy that controls usage of the root use
5. E. Add all operational accounts to the new OU.
6. F. Configure AWS CloudTrail to integrate with Amazon CloudWatch Logs and then create a metric filter for RootAccountUsage.

Correct Answer: C
Applying a "Control Policy" in your organization. A policy applied to: 1) root applies to all accounts in the organization 2) OU applies to all accounts in the OU and to any child OUs 3) account applies to one account only Note- this requires that Acquirements: -all features are enabled for the organization in AWS Organizations -Only service control policy (SCP) are supported https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html

- (Exam Topic 1)
A Security Engineer has been asked to troubleshoot inbound connectivity to a web server. This single web server is not receiving inbound connections from the internet, whereas all other web servers are functioning properly.
The architecture includes network ACLs, security groups, and a virtual security appliance. In addition, the Development team has implemented Application Load Balancers (ALBs) to distribute the load across all web servers. It is a requirement that traffic between the web servers and the internet flow through the virtual
security appliance.
The Security Engineer has verified the following:
* 1. The rule set in the Security Groups is correct
* 2. The rule set in the network ACLs is correct
* 3. The rule set in the virtual appliance is correct
Which of the following are other valid items to troubleshoot in this scenario? (Choose two.)

1. A. Verify that the 0.0.0.0/0 route in the route table for the web server subnet points to a NAT gateway.
2. B. Verify which Security Group is applied to the particular web server’s elastic network interface (ENI).
3. C. Verify that the 0.0.0.0/0 route in the route table for the web server subnet points to the virtual security appliance.
4. D. Verify the registered targets in the ALB.
5. E. Verify that the 0.0.0.0/0 route in the public subnet points to a NAT gateway.

Correct Answer: CD
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html