AWS-Certified-Security-Specialty Free Practice Test

- (Exam Topic 3)
An application team wants to use AWS Certificate Manager (ACM) to request public certificates to ensure that data is secured in transit. The domains that are being used are not currently hosted on Amazon Route 53
The application team wants to use an AWS managed distribution and caching solution to optimize requests to its systems and provide better points of presence to customers The distribution solution will use a primary domain name that is customized The distribution solution also will use several alternative domain names The certificates must renew automatically over an indefinite period of time
Which combination of steps should the application team take to deploy this architecture? (Select THREE.)

1. A. Request a certificate (torn ACM in the us-west-2 Region Add the domain names that the certificate will secure
2. B. Send an email message to the domain administrators to request vacation of the domains for ACM
3. C. Request validation of the domains for ACM through DNS Insert CNAME records into each domain's DNS zone
4. D. Create an Application Load Balancer for me caching solution Select the newly requested certificate from ACM to be used for secure connections
5. E. Create an Amazon CloudFront distribution for the caching solution Enter the main CNAME record as the Origin Name Enter the subdomain names or alternate names in the Alternate Domain Names Distribution Settings Select the newly requested certificate from ACM to be used for secure connections
6. F. Request a certificate from ACM in the us-east-1 Region Add the domain names that the certificate wil secure

Correct Answer: CDF

- (Exam Topic 3)
A company is building an application on AWS that will store sensitive Information. The company has a support team with access to the IT infrastructure, including databases. The company's security engineer must introduce measures to protect the sensitive data against any data breach while minimizing management overhead. The credentials must be regularly rotated.
What should the security engineer recommend?

1. A. Enable Amazon RDS encryption to encrypt the database and snapshot
2. B. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instance
3. C. Include the database credential in the EC2 user data fiel
4. D. Use an AWS Lambda function to rotate database credential
5. E. Set up TLS for the connection to the database.
6. F. Install a database on an Amazon EC2 Instanc
7. G. Enable third-party disk encryption to encrypt the Amazon Elastic Block Store (Amazon EBS) volum
8. H. Store the database credentials in AWS CloudHSM with automatic rotatio
9. I. Set up TLS for the connection to the database.
10. J. Enable Amazon RDS encryption to encrypt the database and snapshot
11. K. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instance
12. L. Store the database credentials in AWS Secrets Manager with automatic rotatio
13. M. Set up TLS for the connection to the RDS hosted database.
14. N. Set up an AWS CloudHSM cluster with AWS Key Management Service (AWS KMS) to store KMS key
15. O. Set up Amazon RDS encryption using AWS KMS to encrypt the databas
16. P. Store database credentials in the AWS Systems Manager Parameter Store with automatic rotatio
17. Q. Set up TLS for the connection to the RDS hosted database.

Correct Answer: C

- (Exam Topic 3)
A company is running an application in The eu-west-1 Region. The application uses an AWS Key Management Service (AWS KMS) CMK to encrypt sensitive data. The company plans to deploy the application in the eu-north-1 Region.
A security engineer needs to implement a key management solution for the application deployment in the new Region. The security engineer must minimize changes to the application code.
Which change should the security engineer make to the AWS KMS configuration to meet these requirements?

1. A. Update the key policies in eu-west-1. Point the application in eu-north-1 to use the same CMK as the application in eu-west-1.
2. B. Allocate a new CMK to eu-north-1 to be used by the application that is deployed in that Region.
3. C. Allocate a new CMK to eu-north-1. Create the same alias name for both key
4. D. Configure the application deployment to use the key alias.
5. E. Allocate a new CMK to eu-north-1. Create an alias for eu-'-1. Change the application code to point to the alias for eu-'-1.

Correct Answer: B

- (Exam Topic 3)
When managing permissions for the API gateway, what can be used to ensure that the right level of permissions are given to developers, IT admins and users? These permissions should be easily managed.
Please select:

1. A. Use the secure token service to manage the permissions for the different users
2. B. Use IAM Policies to create different policies for the different types of users.
3. C. Use the AWS Config tool to manage the permissions for the different users
4. D. Use IAM Access Keys to create sets of keys for the different types of users.

Correct Answer: B
The AWS Documentation mentions the following
You control access to Amazon API Gateway with IAM permissions by controlling access to the following two API Gateway component processes:
* To create, deploy, and manage an API in API Gateway, you must grant the API developer permissions to perform the required actions supported by the API management component of API Gateway.
* To call a deployed API or to refresh the API caching, you must grant the API caller permissions to perform required IAM actions supported by the API execution component of API Gateway.
Option A, C and D are invalid because these cannot be used to control access to AWS services. This needs to be done via policies. For more information on permissions with the API gateway, please visit the following URL:
https://docs.aws.amazon.com/apisateway/latest/developerguide/permissions.html
The correct answer is: Use IAM Policies to create different policies for the different types of users. Submit your Feedback/Queries to our Experts

- (Exam Topic 1)
A security engineer need to ensure their company’s uses of AWS meets AWS security best practices. As part of this, the AWS account root user must not be used for daily work. The root user must be monitored for use, and the Security team must be alerted as quickly as possible if the root user is used. Which solution meets these requirements?

1. A. Set up an Amazon CloudWatch Events rule that triggers an Amazon SNS notification.
2. B. Set up an Amazon CloudWatch Events rule that triggers an Amazon SNS notification logs from S3 and generate notifications using Amazon SNS.
3. C. Set up a rule in AWS config to trigger root user event
4. D. Trigger an AWS Lambda function and generate notifications using Amazon SNS.
5. E. Use Amazon Inspector to monitor the usage of the root user and generate notifications using Amazon SNS

Correct Answer: A