AWS-Certified-Security-Specialty Free Practice Test

- (Exam Topic 3)
You have a set of 100 EC2 Instances in an AWS account. You need to ensure that all of these instances are patched and kept to date. All of the instances are in a private subnet. How can you achieve this. Choose 2 answers from the options given below
Please select:

1. A. Ensure a NAT gateway is present to download the updates
2. B. Use the Systems Manager to patch the instances
3. C. Ensure an internet gateway is present to download the updates
4. D. Use the AWS inspector to patch the updates

Correct Answer: AB
Option C is invalid because the instances need to remain in the private: Option D is invalid because AWS inspector can only detect the patches
One of the AWS Blogs mentions how patching of Linux servers can be accomplished. Below is the diagram representation of the architecture setup
C:\Users\wk\Desktop\mudassar\Untitled.jpg

For more information on patching Linux workloads in AWS, please refer to the Lin. https://aws.amazon.com/blogs/security/how-to-patch-linux-workloads-on-awsj
The correct answers are: Ensure a NAT gateway is present to download the updates. Use the Systems Manager to patch the instances
Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
A company is hosting sensitive data in an AWS S3 bucket. It needs to be ensured that the bucket always remains private. How can this be ensured continually? Choose 2 answers from the options given below
Please select:

1. A. Use AWS Config to monitor changes to the AWS Bucket
2. B. Use AWS Lambda function to change the bucket policy
3. C. Use AWS Trusted Advisor API to monitor the changes to the AWS Bucket
4. D. Use AWS Lambda function to change the bucket ACL

Correct Answer: AD
One of the AWS Blogs mentions the usage of AWS Config and Lambda to achieve this. Below is the diagram representation of this
C:\Users\wk\Desktop\mudassar\Untitled.jpg

ption C is invalid because the Trusted Advisor API cannot be used to monitor changes to the AWS Bucket Option B doesn't seems to be the most appropriate.
* 1. If the object is in a bucket in which all the objects need to be private and the object is not private anymore, the Lambda function makes a PutObjectAcI call to S3 to make the object private.
|https://aws.amazon.com/blogs/security/how-to-detect-and-automatically-remediate-unintended-permissions-in-a The following link also specifies that
Create a new Lambda function to examine an Amazon S3 buckets ACL and bucket policy. If the bucket ACL is found to al public access, the Lambda function overwrites it to be private. If a bucket policy is found, the Lambda function creatt an SNS message, puts the policy in the message body, and publishes it to the Amazon SNS topic we created. Bucket policies can be complex, and overwriting your policy may cause unexpected loss of access, so this Lambda function doesn't attempt to alter your policy in any way.
https://aws.amazon.com/blogs/security/how-to-use-aws-config-to-monitor-for-and-respond-to-amazon-s3-bucke Based on these facts Option D seems to be more appropriate then Option B.
For more information on implementation of this use case, please refer to the Link: https://aws.amazon.com/blogs/security/how-to-use-aws-config-to-monitor-for-and-respond-to-amazon-s3-bucke
The correct answers are: Use AWS Config to monitor changes to the AWS Bucket Use AWS Lambda function to change the bucket ACL

- (Exam Topic 1)
A convoys data lake uses Amazon S3 and Amazon Athena. The company's security engineer has been asked to design an encryption solution that meets the company's data protection requirements. The encryption solution must work with Amazon S3 and keys managed by the company. The encryption solution must be protected in a hardware security module that is validated id Federal information Processing Standards (FPS) 140-2 Level 3.
Which solution meets these requirements?

1. A. Use client-side encryption with an AWS KMS customer-managed key implemented with the AWS Encryption SDK
2. B. Use AWS CloudHSM to store the keys and perform cryptographic operations Save the encrypted text inAmazon S3
3. C. Use an AWS KMS customer-managed key that is backed by a custom key store using AWS CloudHSM
4. D. Use an AWS KMS customer-managed key with the bring your own key (BYOK) feature to import a key stored in AWS CloudHSM

Correct Answer: B

- (Exam Topic 2)
A company is using CloudTrail to log all AWS API activity for all regions in all of its accounts. The CISO has asked that additional steps be taken to protect the integrity of the log files.
What combination of steps will protect the log files from intentional or unintentional alteration? Choose 2 answers from the options given below
Please select:

1. A. Create an S3 bucket in a dedicated log account and grant the other accounts write only acces
2. B. Deliver all log files from every account to this S3 bucket.
3. C. Write a Lambda function that queries the Trusted Advisor Cloud Trail check
4. D. Run the function every 10 minutes.
5. E. Enable CloudTrail log file integrity validation
6. F. Use Systems Manager Configuration Compliance to continually monitor the access policies of S3 buckets containing Cloud Trail logs.
7. G. Create a Security Group that blocks all traffic except calls from the CloudTrail servic
8. H. Associate the security group with) all the Cloud Trail destination S3 buckets.

Correct Answer: AC
The AWS Documentation mentions the following
To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it you can use CloudTrail log fill integrity validation. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection.
Option B is invalid because there is no such thing as Trusted Advisor Cloud Trail checks Option D is invalid because Systems Manager cannot be used for this purpose.
Option E is invalid because Security Groups cannot be used to block calls from other services For more information on Cloudtrail log file validation, please visit the below URL:
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-loe-file-validation-intro.htmll For more information on delivering Cloudtrail logs from multiple accounts, please visit the below URL:
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.htm
The correct answers are: Create an S3 bucket in a dedicated log account and grant the other accounts write only access. Deliver all log files from every account to this S3 bucket, Enable Cloud Trail log file integrity validation
Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
A recent security audit found that AWS CloudTrail logs are insufficiently protected from tampering and unauthorized access Which actions must the Security Engineer take to address these audit findings? (Select THREE )

1. A. Ensure CloudTrail log file validation is turned on
2. B. Configure an S3 lifecycle rule to periodically archive CloudTrail logs into Glacier for long-term storage
3. C. Use an S3 bucket with tight access controls that exists m a separate account
4. D. Use Amazon Inspector to monitor the file integrity of CloudTrail log files.
5. E. Request a certificate through ACM and use a generated certificate private key to encrypt CloudTrail log files
6. F. Encrypt the CloudTrail log files with server-side encryption with AWS KMS-managed keys (SSE-KMS)

Correct Answer: ADE