AWS-Certified-Security-Specialty Free Practice Test

- (Exam Topic 1)
After a recent security audit involving Amazon S3, a company has asked assistance reviewing its S3 buckets to determine whether data is properly secured. The first S3 bucket on the list has the following bucket policy.

Is this bucket policy sufficient to ensure that the data is not publicity accessible?

1. A. Yes, the bucket policy makes the whole bucket publicly accessible despite now the S3 bucket ACL orobject ACLs are configured.
2. B. Yes, none of the data in the bucket is publicity accessible, regardless of how the S3 bucket ACL and object ACLs are configured.
3. C. No, the IAM user policy would need to be examined first to determine whether any data is publicly accessible.
4. D. No, the S3 bucket ACL and object ACLs need to be examined first to determine whether any data is publicly accessible.

Correct Answer: A

- (Exam Topic 3)
A user has enabled versioning on an S3 bucket. The user is using server side encryption for data at Rest. If the user is supplying his own keys for encryption SSE-C, which of the below mentioned statements is true?
Please select:

1. A. The user should use the same encryption key for all versions of the same object
2. B. It is possible to have different encryption keys for different versions of the same object
3. C. AWS S3 does not allow the user to upload his own keys for server side encryption
4. D. The SSE-C does not work when versioning is enabled

Correct Answer: B
anaging your own encryption keys, y
You can encrypt the object and send it across to S3
Option A is invalid because ideally you should use different encryption keys Option C is invalid because you can use you own encryption keys Option D is invalid because encryption works even if versioning is enabled For more information on client side encryption please visit the below Link:
""Keys.html https://docs.aws.ama2on.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
The correct answer is: It is possible to have different encryption keys for different versions of the same object Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
An organization has a multi-petabyte workload that it is moving to Amazon S3, but the CISO is concerned about cryptographic wear-out and the blast radius if a key is compromised. How can the CISO be assured that AWS KMS and Amazon S3 are addressing the concerns? (Select TWO )

1. A. There is no API operation to retrieve an S3 object in its encrypted form.
2. B. Encryption of S3 objects is performed within the secure boundary of the KMS service.
3. C. S3 uses KMS to generate a unique data key for each individual object.
4. D. Using a single master key to encrypt all data includes having a single place to perform audits and usage validation.
5. E. The KMS encryption envelope digitally signs the master key during encryption to prevent cryptographic wear-out

Correct Answer: CE

- (Exam Topic 2)
A Software Engineer wrote a customized reporting service that will run on a fleet of Amazon EC2 instances. The company security policy states that application logs for the reporting service must be centrally collected.
What is the MOST efficient way to meet these requirements?

1. A. Write an AWS Lambda function that logs into the EC2 instance to pull the application logs from the EC2 instance and persists them into an Amazon S3 bucket.
2. B. Enable AWS CloudTrail logging for the AWS account, create a new Amazon S3 bucket, and then configure Amazon CloudWatch Logs to receive the application logs from CloudTrail.
3. C. Create a simple cron job on the EC2 instances that synchronizes the application logs to an Amazon S3 bucket by using rsync.
4. D. Install the Amazon CloudWatch Logs Agent on the EC2 instances, and configure it to send the application logs to CloudWatch Logs.

Correct Answer: D
https://aws.amazon.com/blogs/aws/cloudwatch-log-service/

- (Exam Topic 3)
An audit determined that a company's Amazon EC2 instance security group violated company policy by allowing unrestricted incoming SSH traffic. A security engineer must implement a near-real-time monitoring and alerting solution that will notify administrators of such violations.
Which solution meets these requirements with the MOST operational efficiency?

1. A. Create a recurring Amazon Inspector assessment run that runs every day and uses the Network Reachability packag
2. B. Create an Amazon CloudWatch rule that invokes an AWS Lambda function when an assessment run start
3. C. Configure the Lambda function to retrieve and evaluate the assessment run report when it complete
4. D. Configure the Lambda function also to publish an Amazon Simple Notification Service (Amazon SNS) notification if there are any violations for unrestricted incoming SSH traffic.
5. E. Use the restricted-ssh AWS Config managed rule that is invoked by security group configuration changes that are not complian
6. F. Use the AWS Config remediation feature to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic.
7. G. Configure VPC Flow Logs for the VP
8. H. and specify an Amazon CloudWatch Logs grou
9. I. Subscribe the CloudWatch Logs group to an AWS Lambda function that parses new log entries, detects successful connections on port 22, and publishes a notification through Amazon Simple Notification Service (Amazon SNS).
10. J. Create a recurring Amazon Inspector assessment run that runs every day and uses the Security Best Practices packag
11. K. Create an Amazon CloudWatch rule that invokes an AWS Lambda function when an assessment run start
12. L. Configure the Lambda function to retrieve and evaluate the assessment run report when it complete
13. M. Configure the Lambda function also to publish an Amazon Simple Notification Service (Amazon SNS) notification if there are any violations for unrestricted incoming SSH traffic.

Correct Answer: A