AWS-Certified-Security-Specialty Free Practice Test

- (Exam Topic 3)
A company has a web-based application using Amazon CloudFront and running on Amazon Elastic Container Service (Amazon ECS) behind an Application Load Balancer (ALB). The ALB is terminating TLS and balancing load across ECS service tasks A security engineer needs to design a solution to ensure that application content is accessible only through CloudFront and that I is never accessible directly.
How should the security engineer build the MOST secure solution?

1. A. Add an origin custom header Set the viewer protocol policy to HTTP and HTTPS Set the origin protocol pokey to HTTPS only Update the application to validate the CloudFront custom header
2. B. Add an origin custom header Set the viewer protocol policy to HTTPS only Set the origin protocol policy to match viewer Update the application to validate the CloudFront custom header.
3. C. Add an origin custom header Set the viewer protocol policy to redirect HTTP to HTTPS Set the origin protocol policy to HTTP only Update the application to validate the CloudFront custom header.
4. D. Add an origin custom header Set the viewer protocol policy to redirect HTTP to HTTP
5. E. Set the origin protocol policy to HTTPS only Update the application to validate the CloudFront custom header

Correct Answer: D

- (Exam Topic 3)
A company hosts critical data in an S3 bucket. Even though they have assigned the appropriate permissions to the bucket, they are still worried about data deletion. What measures can be taken to restrict the risk of data deletion on the bucket. Choose 2 answers from the options given below
Please select:

1. A. Enable versioning on the S3 bucket
2. B. Enable data at rest for the objects in the bucket
3. C. Enable MFA Delete in the bucket policy
4. D. Enable data in transit for the objects in the bucket

Correct Answer: AC
One of the AWS Security blogs mentions the followinj
Versioning keeps multiple versions of an object in the same bucket. When you enable it on a bucket Amazon S3 automatically adds a unique version ID to every object stored in the bucket. At that point, a simple DELETE action does not permanently delete an object version; it merely associates a delete marker with the object. If you want to permanently delete an object version, you must specify its version ID in your DELETE request.
You can add another layer of protection by enabling MFA Delete on a versioned bucket. Once you do so, you must provide your AWS accounts access keys and a valid code from the account's MFA device in order to permanently delete an object version or suspend or reactivate versioning on the bucket.
Option B is invalid because enabling encryption does not guarantee risk of data deletion. Option D is invalid because this option does not guarantee risk of data deletion.
For more information on AWS S3 versioning and MFA please refer to the below URL: https://aws.amazon.com/blogs/security/securing-access-to-aws-using-mfa-part-3/
The correct answers are: Enable versioning on the S3 bucket Enable MFA Delete in the bucket policy Submit your Feedback/Queries to our Experts

- (Exam Topic 2)
A company wants to have an Intrusion detection system available for their VPC in AWS. They want to have complete control over the system. Which of the following would be ideal to implement?
Please select:

1. A. Use AWS WAF to catch all intrusions occurring on the systems in the VPC
2. B. Use a custom solution available in the AWS Marketplace
3. C. Use VPC Flow logs to detect the issues and flag them accordingly.
4. D. Use AWS Cloudwatch to monitor all traffic

Correct Answer: B
Sometimes companies want to have custom solutions in place for monitoring Intrusions to their systems. In such a case, you can use the AWS Marketplace for looking at custom solutions.
C:\Users\wk\Desktop\mudassar\Untitled.jpg

Option A.C and D are all invalid because they cannot be used to conduct intrusion detection or prevention. For more information on using custom security solutions please visit the below URL https://d1.awsstatic.com/Marketplace/security/AWSMP_Security_Solution 0verview.pdf
For more information on using custom security solutions please visit the below URL: https://d1 .awsstatic.com/Marketplace/security/AWSMP Security Solution Overview.pd1
The correct answer is: Use a custom solution available in the AWS Marketplace Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
A company is using AWS Organizations to develop a multi-account secure networking strategy. The company plans to use separate centrally managed accounts for shared services, auditing, and security inspection. The company plans to provide dozens of additional accounts to application owners for production and development environments.
Company security policy requires that all internet traffic be routed through a centrally managed security inspection layer in the security inspection account. A security engineer must recommend a solution that minimizes administrative overhead and complexity.
Which solution meets these requirements?

1. A. Use AWS Control Towe
2. B. Modify the default Account Factory networking template to automatically associate new accounts with a centrally managed VPC through a VPC peering connection and to create a default route to the VPC peer in the default route tabl
3. C. Create an SCP that denies the CreatelnternetGateway actio
4. D. Attach the SCP to all accounts except the security inspection account.
5. E. Create a centrally managed VPC in the security inspection accoun
6. F. Establish VPC peering connections between the security inspection account and other account
7. G. Instruct account owners to create default routes in their account route tables that point to the VPC pee
8. H. Create an SCP that denies theAttach InternetGateway actio
9. I. Attach the SCP to all accounts except the security inspection account.
10. J. Use AWS Control Towe
11. K. Modify the default Account Factory networking template to automatically associate new accounts with a centrally managed transitgateway and to create a default route to the transit gateway in the default route tabl
12. L. Create an SCP that denies the AttachlnternetGateway actio
13. M. Attach the SCP to all accounts except the security inspection account.
14. N. Enable AWS Resource Access Manager (AWS RAM) for AWS Organization
15. O. Create a shared transit gateway, and make it available by using an AWS RAM resource shar
16. P. Create an SCP that denies the CreatelnternetGateway actio
17. Q. Attach the SCP to all accounts except the security inspection accoun
18. R. Create routes in the route tables of all accounts that point to the shared transit gateway.

Correct Answer: C

- (Exam Topic 3)
You currently have an S3 bucket hosted in an AWS Account. It holds information that needs be accessed by a partner account. Which is the MOST secure way to allow the partner account to access the S3 bucket in your account? Select 3 options.
Please select:

1. A. Ensure an IAM role is created which can be assumed by the partner account.
2. B. Ensure an IAM user is created which can be assumed by the partner account.
3. C. Ensure the partner uses an external id when making the request
4. D. Provide the ARN for the role to the partner account
5. E. Provide the Account Id to the partner account
6. F. Provide access keys for your account to the partner account

Correct Answer: ACD
Option B is invalid because Roles are assumed and not IAM users
Option E is invalid because you should not give the account ID to the partner Option F is invalid because you should not give the access keys to the partner
The below diagram from the AWS documentation showcases an example on this wherein an IAM role and external ID is us> access an AWS account resources
C:\Users\wk\Desktop\mudassar\Untitled.jpg

For more information on creating roles for external ID'S please visit the following URL:
The correct answers are: Ensure an IAM role is created which can be assumed by the partner account. Ensure the partner uses an external id when making the request Provide the ARN for the role to the partner account
Submit your Feedback/Queries to our Experts