AWS-Certified-Security-Specialty Free Practice Test

- (Exam Topic 3)
You are working for a company and been allocated the task for ensuring that there is a federated authentication mechanism setup between AWS and their On-premise Active Directory. Which of the following are important steps that need to be covered in this process? Choose 2 answers from the options given below.
Please select:

1. A. Ensure the right match is in place for On-premise AD Groups and IAM Roles.
2. B. Ensure the right match is in place for On-premise AD Groups and IAM Groups.
3. C. Configure AWS as the relying party in Active Directory
4. D. Configure AWS as the relying party in Active Directory Federation services

Correct Answer: AD
The AWS Documentation mentions some key aspects with regards to the configuration of On-premise AD with AWS
One is the Groups configuration in AD Active Directory Configuration
Determining how you will create and delineate your AD groups and IAM roles in AWS is crucial to how you secure access to your account and manage resources. SAML assertions to the AWS environment and the respective IAM role access will be managed through regular [removed]regex) matching between your
on-premises AD group name to an AWS IAM role.
One approach for creating the AD groups that uniquely identify the AWS IAM role mapping is by selecting a common group naming convention. For example, your AD groups would start with an identifier, for example, AWS-, as this will distinguish your AWS groups from others within the organization. Next include the
12- digitAWS account number. Finally, add the matching role name within the AWS account. Here is an example:
C:\Users\wk\Desktop\mudassar\Untitled.jpg

And next is the configuration of the relying party which is AWS
ADFS federation occurs with the participation of two parties; the identity or claims provider (in this case the owner of the identity repository - Active Directory) and the relying party, which is another application that wishes to outsource authentication to the identity provider; in this case Amazon Secure Token Service (STS). The relying party is a federation partner that is represented by a claims provider trust in the federation service.
Option B is invalid because AD groups should not be matched to IAM Groups
Option C is invalid because the relying party should be configured in Active Directory Federation services For more information on the federated access, please visit the following URL:
1
https://aws.amazon.com/blogs/security/aws-federated-authentication-with-active-directory-federation-services-a
The correct answers are: Ensure the right match is in place for On-premise AD Groups and IAM Roles., Configure AWS as the relying party in Active Directory Federation services
Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
A Security Engineer has been tasked with enabling AWS Security Hub to monitor Amazon EC2 instances fix CVE in a single AWS account The Engineer has already enabled AWS Security Hub and Amazon Inspector m the AWS Management Console and has installed me Amazon Inspector agent on an EC2 instances that need to be monitored.
Which additional steps should the Security Engineer lake 10 meet this requirement?

1. A. Configure the Amazon inspector agent to use the CVE rule package
2. B. Configure the Amazon Inspector agent to use the CVE rule package Configure Security Hub to ingest from AWS inspector by writing a custom resource policy
3. C. Configure the Security Hub agent to use the CVE rule package Configure AWS Inspector lo ingest from Security Hub by writing a custom resource policy
4. D. Configure the Amazon Inspector agent to use the CVE rule package Install an additional Integration library Allow the Amazon Inspector agent to communicate with Security Hub

Correct Answer: D

- (Exam Topic 1)
A company has several workloads running on AWS Employees are required to authenticate using on-premises ADFS and SSO to access the AWS Management Console Developers migrated an existing legacy web application to an Amazon EC2 instance Employees need to access this application from anywhere on the internet but currently, mere is no authentication system but into the application.
How should the Security Engineer implement employee-only access to this system without changing the application?

1. A. Place the application behind an Application Load Balancer (ALB) Use Amazon Cognito as authentication (or the ALB Define a SAML-based Amazon Cognito user pool and connect it to ADFSimplement AWS SSO in the master account and link it to ADFS as an identity provide' Define the EC2 instance as a managed resource, then apply an IAM policy on the resource
2. B. Define an Amazon Cognito identity pool then install the connector on the Active Directory server Use the Amazon Cognito SDK on the application instance to authenticate the employees using their
3. C. Active Directory user names and passwords
4. D. Create an AWS Lambda custom authorizer as the authenticator for a reverse proxy on Amazon EC2 Ensure the security group on Amazon EC2 only allows access from the Lambda function.

Correct Answer: B

- (Exam Topic 2)
An organization has a system in AWS that allows a large number of remote workers to submit data files. File sizes vary from a few kilobytes to several megabytes. A recent audit highlighted a concern that data files are not encrypted while in transit over untrusted networks.
Which solution would remediate the audit finding while minimizing the effort required?

1. A. Upload an SSL certificate to IAM, and configure Amazon CloudFront with the passphrase for the private key.
2. B. Call KMS.Encrypt() in the client, passing in the data file contents, and call KMS.Decrypt() server-side.
3. C. Use AWS Certificate Manager to provision a certificate on an Elastic Load Balancing in front of the web service’s servers.
4. D. Create a new VPC with an Amazon VPC VPN endpoint, and update the web service’s DNS record.

Correct Answer: C

- (Exam Topic 2)
A company has a few dozen application servers in private subnets behind an Elastic Load Balancer (ELB) in an AWS Auto Scaling group. The application is accessed from the web over HTTPS. The data must always be encrypted in transit. The Security Engineer is worried about potential key exposure due to vulnerabilities in the application software.
Which approach will meet these requirements while protecting the external certificate during a breach?

1. A. Use a Network Load Balancer (NLB) to pass through traffic on port 443 from the internet to port 443 on the instances.
2. B. Purchase an external certificate, and upload it to the AWS Certificate Manager (for use with the ELB) and to the instance
3. C. Have the ELB decrypt traffic, and route and re-encrypt with the same certificate.
4. D. Generate an internal self-signed certificate and apply it to the instance
5. E. Use AWS Certificate Manager to generate a new external certificate for the EL
6. F. Have the ELB decrypt traffic, and route andre-encrypt with the internal certificate.
7. G. Upload a new external certificate to the load balance
8. H. Have the ELB decrypt the traffic and forward it on port 80 to the instances.

Correct Answer: C