AWS-Certified-Security-Specialty Free Practice Test

- (Exam Topic 2)
A Security Architect is evaluating managed solutions for storage of encryption keys. The requirements are:
-Storage is accessible by using only VPCs.
-Service has tamper-evident controls.
-Access logging is enabled.
-Storage has high availability.
Which of the following services meets these requirements?

1. A. Amazon S3 with default encryption
2. B. AWS CloudHSM
3. C. Amazon DynamoDB with server-side encryption
4. D. AWS Systems Manager Parameter Store

Correct Answer: B

- (Exam Topic 1)
An external Auditor finds that a company's user passwords have no minimum length. The company is currently using two identity providers:
• AWS IAM federated with on-premises Active Directory
• Amazon Cognito user pools to accessing an AWS Cloud application developed by the company Which combination o1 actions should the Security Engineer take to solve this issue? (Select TWO.)

1. A. Update the password length policy In the on-premises Active Directory configuration.
2. B. Update the password length policy In the IAM configuration.
3. C. Enforce an IAM policy In Amazon Cognito and AWS IAM with a minimum password length condition.
4. D. Update the password length policy in the Amazon Cognito configuration.
5. E. Create an SCP with AWS Organizations that enforces a minimum password length for AWS IAM and Amazon Cognito.

Correct Answer: AD

- (Exam Topic 2)
A company has a forensic logging use case whereby several hundred applications running on Docker on EC2 need to send logs to a central location. The Security Engineer must create a logging solution that is able to perform real-time analytics on the log files, grants the ability to replay events, and persists data.
Which AWS Services, together, can satisfy this use case? (Select two.)

1. A. Amazon Elasticsearch
2. B. Amazon Kinesis
3. C. Amazon SQS
4. D. Amazon CloudWatch
5. E. Amazon Athena

Correct Answer: AB
https://docs.aws.amazon.com/whitepapers/latest/aws-overview/analytics.html#amazon-athena

- (Exam Topic 3)
A company has multiple Amazon S3 buckets encrypted with customer-managed CMKs Due to regulatory requirements the keys must be rotated every year. The company's Security Engineer has enabled automatic key rotation for the CMKs; however the company wants to verity that the rotation has occurred.
What should the Security Engineer do to accomplish this?

1. A. Filter AWS CloudTrail logs for KeyRotaton events
2. B. Monitor Amazon CloudWatcn Events for any AWS KMS CMK rotation events
3. C. Using the AWS CL
4. D. run the aws kms gel-key-relation-status operation with the --key-id parameter to check the CMK rotation date
5. E. Use Amazon Athena to query AWS CloudTrail logs saved in an S3 bucket to filter Generate New Key events

Correct Answer: C

- (Exam Topic 3)
Your team is designing a web application. The users for this web application would need to sign in via an external ID provider such asfacebook or Google. Which of the following AWS service would you use for authentication?
Please select:

1. A. AWS Cognito
2. B. AWS SAML
3. C. AWS IAM
4. D. AWS Config

Correct Answer: A
The AWS Documentation mentions the following
Amazon Cognito provides authentication, authorization, and user management for your web and mobile apps. Your users ca sign in directly with a user name and password, or through a third party such as Facebook, Amazon, or Google.
Option B is incorrect since this is used for identity federation
Option C is incorrect since this is pure Identity and Access management Option D is incorrect since AWS is a configuration service
For more information on AWS Cognito please refer to the below Link: https://docs.aws.amazon.com/coenito/latest/developerguide/what-is-amazon-cognito.html The correct answer is: AWS Cognito
Submit your Feedback/Queries to our Experts