AWS-Certified-Security-Specialty Free Practice Test

You want to track access requests for a particular S3 bucket. How can you achieve this in the easiest possible way?
Please select:

1. A. Enable server access logging for the bucket
2. B. Enable Cloudwatch metrics for the bucket
3. C. Enable Cloudwatch logs for the bucket
4. D. Enable AWS Config for the S3 bucket

Correct Answer: A
The AWS Documentation mentions the foil
To track requests for access to your bucket you can enable access logging. Each access log record provides details about a single access request, such as the requester, bucket name, request time, request action, response status, and error code, if any.
Options B and C are incorrect Cloudwatch is used for metrics and logging and cannot be used to track access requests.
Option D is incorrect since this can be used for Configuration management but for not for tracking S3 bucket requests.
For more information on S3 server logs, please refer to below UF https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLoes.html
The correct answer is: Enable server access logging for the bucket Submit your Feedback/Queries to our Experts

A company is using a Redshift cluster to store their data warehouse. There is a requirement from the Internal IT Security team to ensure that data gets encrypted for the Redshift database. How can this be achieved?
Please select:

1. A. Encrypt the EBS volumes of the underlying EC2 Instances
2. B. Use AWS KMS Customer Default master key
3. C. Use SSL/TLS for encrypting the data
4. D. Use S3 Encryption

Correct Answer: B
The AWS Documentation mentions the following
Amazon Redshift uses a hierarchy of encryption keys to encrypt the database. You can use either
AWS Key Management Servic (AWS KMS) or a hardware security module (HSM) to manage the toplevel
encryption keys in this hierarchy. The process that Amazon Redshift uses for encryption differs depending on how you manage keys.
Option A is invalid because its the cluster that needs to be encrypted
Option C is invalid because this encrypts objects in transit and not objects at rest Option D is invalid because this is used only for objects in S3 buckets
For more information on Redshift encryption, please visit the following URL: https://docs.aws.amazon.com/redshift/latest/memt/workine-with-db-encryption.htmll
The correct answer is: Use AWS KMS Customer Default master key Submit your Feedback/Queries to our Experts

You are working for a company and been allocated the task for ensuring that there is a federated authentication mechanism setup between AWS and their On-premise Active Directory. Which of the following are important steps that need to be covered in this process? Choose 2 answers from the options given below.
Please select:

1. A. Ensure the right match is in place for On-premise AD Groups and 1AM Roles.
2. B. Ensure the right match is in place for On-premise AD Groups and 1AM Groups.
3. C. Configure AWS as the relying party in Active Directory
4. D. Configure AWS as the relying party in Active Directory Federation services

Correct Answer: AD
The AWS Documentation mentions some key aspects with regards to the configuration of Onpremise AD with AWS
One is the Groups configuration in AD Active Directory Configuration
Determining how you will create and delineate your AD groups and 1AM roles in AWS is crucial to how you secure access to your account and manage resources. SAML assertions to the AWS environment and the respective 1AM role access will be managed through regular [removed]regex) matching between your on-premises AD group name to an AWS 1AM role.
One approach for creating the AD groups that uniquely identify the AWS 1AM role mapping is by selecting a common group naming convention. For example, your AD groups would start with an identifier, for example, AWS-, as this will distinguish your AWS groups from others within the organization. Next include the 12-digitAWS account number. Finally, add the matching role name within the AWS account. Here is an example:

And next is the configuration of the relying party which is AWS
ADFS federation occurs with the participation of two parties; the identity or claims provider (in this case the owner of the identity repository - Active Directory) and the relying party, which is another application that wishes to outsource authentication to the identity provider; in this case Amazon Secure Token Service (STS). The relying party is a federation partner that is represented by a claims provider trust in the federation service.
Option B is invalid because AD groups should not be matched to 1AM Groups
Option C is invalid because the relying party should be configured in Active Directory Federation services
For more information on the federated access, please visit the following URL:
1 https://aws.amazon.com/blogs/security/aws-federated-authentication-with-active-directoryfederation- services-ad-fs/
The correct answers are: Ensure the right match is in place for On-premise AD Groups and 1AM Roles., Configure AWS as the relying party in Active Directory Federation services
Submit your Feedback/Queries to our Experts

You currently have an S3 bucket hosted in an AWS Account. It holds information that needs be accessed by a partner account. Which is the MOST secure way to allow the partner account to access the S3 bucket in your account? Select 3 options.
Please select:

1. A. Ensure an 1AM role is created which can be assumed by the partner account.
2. B. Ensure an 1AM user is created which can be assumed by the partner account.
3. C. Ensure the partner uses an external id when making the request
4. D. Provide the ARN for the role to the partner account
5. E. Provide the Account Id to the partner account
6. F. Provide access keys for your account to the partner account

Correct Answer: ACD
Option B is invalid because Roles are assumed and not 1AM users
Option E is invalid because you should not give the account ID to the partner Option F is invalid because you should not give the access keys to the partner
The below diagram from the AWS documentation showcases an example on this wherein an 1AM role and external ID is us> access an AWS account resources

For more information on creating roles for external ID'S please visit the following URL:
The correct answers are: Ensure an 1AM role is created which can be assumed by the partner account. Ensure the partner uses an external id when making the request Provide the ARN for the role to the partner account

How can you ensure that instance in an VPC does not use AWS DNS for routing DNS requests. You want to use your own managed DNS instance. How can this be achieved?
Please select:

1. A. Change the existing DHCP options set
2. B. Create a new DHCP options set and replace the existing one.
3. C. Change the route table for the VPC
4. D. Change the subnet configuration to allow DNS requests from the new DNS Server

Correct Answer: B
In order to use your own DNS server, you need to ensure that you create a new custom DHCP options set with the IP of th custom DNS server. You cannot modify the existing set, so you need to create a new one.
Option A is invalid because you cannot make changes to an existing DHCP options Set.
Option C is invalid because this can only be used to work with Routes and not with a custom DNS solution.
Option D is invalid because this needs to be done at the VPC level and not at the Subnet level For more information on DHCP options set, please visit the following url https://docs.aws.amazon.com/AmazonVPC/latest/UserGuideA/PC DHCP Options.html
The correct answer is: Create a new DHCP options set and replace the existing one. Submit your Feedback/Queries to our Experts