AWS-Certified-Security-Specialty Free Practice Test

- (Exam Topic 2)
AWS CloudTrail is being used to monitor API calls in an organization. An audit revealed that CloudTrail is failing to deliver events to Amazon S3 as expected.
What initial actions should be taken to allow delivery of CloudTrail events to S3? (Select two.)

1. A. Verify that the S3 bucket policy allow CloudTrail to write objects.
2. B. Verify that the IAM role used by CloudTrail has access to write to Amazon CloudWatch Logs.
3. C. Remove any lifecycle policies on the S3 bucket that are archiving objects to Amazon Glacier.
4. D. Verify that the S3 bucket defined in CloudTrail exists.
5. E. Verify that the log file prefix defined in CloudTrail exists in the S3 bucket.

Correct Answer: BD
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html

- (Exam Topic 2)
A company has complex connectivity rules governing ingress, egress, and communications between Amazon EC2 instances. The rules are so complex that they cannot be implemented within the limits of the maximum number of security groups and network access control lists (network ACLs).
What mechanism will allow the company to implement all required network rules without incurring additional cost?

1. A. Configure AWS WAF rules to implement the required rules.
2. B. Use the operating system built-in, host-based firewall to implement the required rules.
3. C. Use a NAT gateway to control ingress and egress according to the requirements.
4. D. Launch an EC2-based firewall product from the AWS Marketplace, and implement the required rules in that product.

Correct Answer: B

- (Exam Topic 3)
A security engineer is defining the controls required to protect the AWS account root user credentials in an AWS Organizations hierarchy. The controls should also limit the impact in case these credentials have been compromised.
Which combination of controls should the security engineer propose? (Select THREE.)
A)

B)

C) Enable multi-factor authentication (MFA) for the root user.
D) Set a strong randomized password and store it in a secure location.
E) Create an access key ID and secret access key, and store them in a secure location.
F) Apply the following permissions boundary to the toot user:

1. A. Option A
2. B. Option B
3. C. Option C
4. D. Option D
5. E. Option E
6. F. Option F

Correct Answer: ACE

- (Exam Topic 3)
A security engineer must ensure that all infrastructure launched in the company AWS account be monitored for deviation from compliance rules, specifically that all EC2 instances are launched from one of a specified list of AM Is and that all attached EBS volumes are encrypted. Infrastructure not in compliance should be terminated. What combination of steps should the Engineer implement? Select 2 answers from the options given below.
Please select:

1. A. Set up a CloudWatch event based on Trusted Advisor metrics
2. B. Trigger a Lambda function from a scheduled CloudWatch event that terminates non-compliant infrastructure.
3. C. Set up a CloudWatch event based on Amazon inspector findings
4. D. Monitor compliance with AWS Config Rules triggered by configuration changes
5. E. Trigger a CLI command from a CloudWatch event that terminates the infrastructure

Correct Answer: BD
You can use AWS Config to monitor for such Event
Option A is invalid because you cannot set Cloudwatch events based on Trusted Advisor checks.
Option C is invalid Amazon inspector cannot be used to check whether instances are launched from a specific A
Option E is invalid because triggering a CLI command is not the preferred option, instead you should use Lambda functions for all automation purposes.
For more information on Config Rules please see the below Link: https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config-rules.html
These events can then trigger a lambda function to terminate instances For more information on Cloudwatch events please see the below Link:
https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/WhatlsCloudWatchEvents. (
The correct answers are: Trigger a Lambda function from a scheduled Cloudwatch event that terminates non-compliant infrastructure., Monitor compliance with AWS Config Rules triggered by configuration changes
Submit your Feedback/Queries to our Experts

- (Exam Topic 2)
A company uses AWS Organization to manage 50 AWS accounts. The finance staff members log in as AWS IAM users in the FinanceDept AWS account. The staff members need to read the consolidated billing information in the MasterPayer AWS account. They should not be able to view any other resources in the MasterPayer AWS account. IAM access to billing has been enabled in the MasterPayer account.
Which of the following approaches grants the finance staff the permissions they require without granting any unnecessary permissions?

1. A. Create an IAM group for the finance users in the FinanceDept account, then attach the AWS managed ReadOnlyAccess IAM policy to the group.
2. B. Create an IAM group for the finance users in the MasterPayer account, then attach the AWS managed ReadOnlyAccess IAM policy to the group.
3. C. Create an AWS IAM role in the FinanceDept account with the ViewBilling permission, then grant the finance users in the MasterPayer account the permission to assume that role.
4. D. Create an AWS IAM role in the MasterPayer account with the ViewBilling permission, then grant the finance users in the FinanceDept account the permission to assume that role.

Correct Answer: D
AWS Region that You Request a Certificate In (for AWS Certificate Manager) If you want to require HTTPS between viewers and CloudFront, you must change the AWS region to US East (N. Virginia) in the AWS Certificate Manager console before you request or import a certificate. If you want to require HTTPS between CloudFront and your origin, and you're using an ELB load balancer as your origin, you can request or import a certificate in any region.
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html