AWS-Certified-Security-Specialty Free Practice Test

- (Exam Topic 3)
A company needs to retain tog data archives for several years to be compliant with regulations. The tog data is no longer used but It must be retained
What Is the MOST secure and cost-effective solution to meet these requirements?

1. A. Archive the data to Amazon S3 and apply a restrictive bucket policy to deny the s3 DeleteOotect API
2. B. Archive the data to Amazon S3 Glacier and apply a Vault Lock policy
3. C. Archive the data to Amazon S3 and replicate it to a second bucket in a second AWS Region Choose the S3 Standard-Infrequent Access (S3 Standard-1A) storage class and apply a restrictive bucket policy to deny the s3 DeleteObject API
4. D. Migrate the log data to a 16 T8 Amazon Elastic Block Store (Amazon EBS) volume Create a snapshot of the EBS volume

Correct Answer: B

- (Exam Topic 3)
A company manages three separate AWS accounts for its production, development, and test environments, Each Developer is assigned a unique IAM user under the development account. A new application hosted on an Amazon EC2 instance in the developer account requires read access to the archived documents stored in an Amazon S3 bucket in the production account.
How should access be granted?

1. A. Create an IAM role in the production account and allow EC2 instances in the development account toassume that role using the trust polic
2. B. Provide read access for the required S3 bucket to this role.
3. C. Use a custom identity broker to allow Developer IAM users to temporarily access the S3 bucket.
4. D. Create a temporary IAM user for the application to use in the production account.
5. E. Create a temporary IAM user in the production account and provide read access to Amazon S3.Generate the temporary IAM user's access key and secret key and store these on the EC2 instance used by the application in the development account.

Correct Answer: B

- (Exam Topic 3)
A company has set up the following structure to ensure that their S3 buckets always have logging enabled

If there are any changes to the configuration to an S3 bucket, a config rule gets checked. If logging is disabled, then Lambda function is invoked. This Lambda function will again enable logging on the S3 bucket. Now there is an issue being encoutered with the entire flow. You have verified that the Lambda function is being invoked. But when logging is disabled for the bucket, the lambda function does not enable it again. Which of the following could be an issue
Please select:

1. A. The AWS Config rule is not configured properly
2. B. The AWS Lambda function does not have appropriate permissions for the bucket
3. C. The AWS Lambda function should use Node.js instead of python.
4. D. You need to also use the API gateway to invoke the lambda function

Correct Answer: B
The most probable cause is that you have not allowed the Lambda functions to have the appropriate permissions on the S3 bucket to make the relevant changes.
Option A is invalid because this is more of a permission instead of a configuration rule issue. Option C is invalid because changing the language will not be the core solution.
Option D is invalid because you don't necessarily need to use the API gateway service
For more information on accessing resources from a Lambda function, please refer to below URL https://docs.aws.amazon.com/lambda/latest/ds/accessing-resources.htmll
The correct answer is: The AWS Lambda function does not have appropriate permissions for the bucket Submit your Feedback/Queries to our Experts

- (Exam Topic 2)
Which of the following are valid event sources that are associated with web access control lists that trigger AWS WAF rules? (Choose two.)

1. A. Amazon S3 static web hosting
2. B. Amazon CloudFront distribution
3. C. Application Load Balancer
4. D. Amazon Route 53
5. E. VPC Flow Logs

Correct Answer: BC
A web access control list (web ACL) gives you fine-grained control over the web requests that your Amazon API Gateway API, Amazon CloudFront distribution or Application Load Balancer responds to.

- (Exam Topic 2)
A corporate cloud security policy states that communications between the company's VPC and KMS must travel entirely within the AWS network and not use public service endpoints.
Which combination of the following actions MOST satisfies this requirement? (Choose two.)

1. A. Add the aws:sourceVpce condition to the AWS KMS key policy referencing the company's VPC endpoint ID.
2. B. Remove the VPC internet gateway from the VPC and add a virtual private gateway to the VPC to prevent direct, public internet connectivity.
3. C. Create a VPC endpoint for AWS KMS with private DNS enabled.
4. D. Use the KMS Import Key feature to securely transfer the AWS KMS key over a VPN.
5. E. Add the following condition to the AWS KMS key policy: "aws:SourceIp": "10.0.0.0/16".

Correct Answer: AC

An IAM policy can deny access to KMS except through your VPC endpoint with the following condition statement:
"Condition": { "StringNotEquals": {
"aws:sourceVpce": "vpce-0295a3caf8414c94a"
}
}
If you select the Enable Private DNS Name option, the standard AWS KMS DNS hostname
(https://kms..amazonaws.com) resolves to your VPC endpoint.