AWS-Certified-Security-Specialty Free Practice Test

- (Exam Topic 3)
The CFO of a company wants to allow one of his employees to view only the AWS usage report page. Which of the below mentioned IAM policy statements allows the user to have access to the AWS usage report page?
Please select:

1. A. "Effect": "Allow". "Action": ["Describe"], "Resource": "Billing"
2. B. "Effect": "Allow", "Action": ["AccountUsage], "Resource": "*"
3. C. "Effect': "Allow", "Action": ["aws-portal:ViewUsage"," aws-portal:ViewBilling"], "Resource": "*"
4. D. "Effect": "Allow", "Action": ["aws-portal: ViewBilling"], "Resource": "*"

Correct Answer: C
the aws documentation, below is the access required for a user to access the Usage reports page and as per this, Option C is the right answer.
C:\Users\wk\Desktop\mudassar\Untitled.jpg

- (Exam Topic 3)
You have an EC2 instance with the following security configured:
* a. ICMP inbound allowed on Security Group
* b. ICMP outbound not configured on Security Group
* c. ICMP inbound allowed on Network ACL
* d. ICMP outbound denied on Network ACL
If Flow logs is enabled for the instance, which of the following flow records will be recorded? Choose 3 answers from the options give below
Please select:

1. A. An ACCEPT record for the request based on the Security Group
2. B. An ACCEPT record for the request based on the NACL
3. C. A REJECT record for the response based on the Security Group
4. D. A REJECT record for the response based on the NACL

Correct Answer: ABD
This example is given in the AWS documentation as well
For example, you use the ping command from your home computer (IP address is 203.0.113.12) to your instance (the network interface's private IP address is 172.31.16.139). Your security group's inbound rules allow ICMP traffic and the outbound rules do not allow ICMP traffic however, because security groups are stateful, the response ping from your instance is allowed. Your network ACL permits inbound ICMP traffic but does not permit outbound ICMP traffic. Because network ACLs are stateless, the response ping is dropped and will not reach your home computer. In a flow log, this is displayed as 2 flow log records:
An ACCEPT record for the originating ping that was allowed by both the network ACL and the security group, and therefore was allowed to reach your instance.
A REJECT record for the response ping that the network ACL denied.
Option C is invalid because the REJECT record would not be present For more information on Flow Logs, please refer to the below URL:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-loes.html
The correct answers are: An ACCEPT record for the request based on the Security Group, An ACCEPT record for the request based on the NACL, A REJECT record for the response based on the NACL
Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
A company needs a security engineer to implement a scalable solution for multi-account authentication and authorization. The solution should not introduce additional user-managed architectural components. Native AWS features should be used as much as possible The security engineer has set up AWS Organizations w1th all features activated and AWS SSO enabled.
Which additional steps should the security engineer take to complete the task?

1. A. Use AD Connector to create users and groups for all employees that require access to AWS accounts.Assign AD Connector groups to AWS accounts and link to the IAM roles in accordance with the employees‘job functions and access requirements Instruct employees to access AWS accounts by using the AWS Directory Service user portal.
2. B. Use an AW5 SSO default directory to create users and groups for all employees that require access to AWS account
3. C. Assign groups to AWS accounts and link to permission sets in accordance with the employees‘job functions and access requirement
4. D. Instruct employees to access AWS accounts by using the AWS SSO user portal.
5. E. Use an AWS SSO default directory to create users and groups for all employees that require access to AWS account
6. F. Link AWS SSO groups to the IAM users present in all accounts to inherit existing permission
7. G. Instruct employees to access AWS accounts by using the AW5 SSO user portal.
8. H. Use AWS Directory Service tor Microsoft Active Directory to create users and groups for all employees that require access to AWS accounts Enable AWS Management Console access in the created directory and specify AWS SSO as a source cl information tor integrated accounts and permission set
9. I. Instruct employees to access AWS accounts by using the AWS Directory Service user portal.

Correct Answer: B

- (Exam Topic 1)
A company has implemented centralized logging and monitoring of AWS CloudTrail logs from all Regions in
an Amazon S3 bucket. The log Hies are encrypted using AWS KMS. A Security Engineer is attempting to review the log files using a third-party tool hosted on an Amazon EC2 instance The Security Engineer is unable to access the logs in the S3 bucket and receives an access denied error message
What should the Security Engineer do to fix this issue?

1. A. Check that the role the Security Engineer uses grants permission to decrypt objects using the KMS CMK.
2. B. Check that the role the Security Engineer uses grants permission to decrypt objects using the KMS CMK and gives access to the S3 bucket and objects
3. C. Check that the role the EC2 instance profile uses grants permission lo decrypt objects using the KMS CMK and gives access to the S3 bucket and objects
4. D. Check that the role the EC2 instance profile uses grants permission to decrypt objects using the KMS CMK

Correct Answer: C

- (Exam Topic 3)
Your company has many AWS accounts defined and all are managed via AWS Organizations. One AWS account has a S3 bucket that has critical data. How can we ensure that all the users in the AWS organisation have access to this bucket?
Please select:

1. A. Ensure the bucket policy has a condition which involves aws:PrincipalOrglD
2. B. Ensure the bucket policy has a condition which involves aws:AccountNumber
3. C. Ensure the bucket policy has a condition which involves aws:PrincipaliD
4. D. Ensure the bucket policy has a condition which involves aws:OrglD

Correct Answer: A
The AWS Documentation mentions the following
AWS Identity and Access Management (IAM) now makes it easier for you to control access to your AWS resources by using the AWS organization of IAM principals (users and roles). For some services, you grant permissions using resource-based policies to specify the accounts and principals that can access the resource and what actions they can perform on it. Now, you can use a new condition key, aws:PrincipalOrglD, in these policies to require all principals accessing the resource to be from an account in the organization
Option B.C and D are invalid because the condition in the bucket policy has to mention aws:PrincipalOrglD For more information on controlling access via Organizations, please refer to the below Link:
https://aws.amazon.com/blogs/security/control-access-to-aws-resources-by-usins-the-aws-organization-of-iam-p (
The correct answer is: Ensure the bucket policy has a condition which involves aws:PrincipalOrglD Submit your Feedback/Queries to our Experts