AWS-Certified-Security-Specialty Free Practice Test

A company deployed Amazon GuardDuty In the us-east-1 Region. The company wants all DNS logs that relate to the company's Amazon EC2 instances to be inspected. What should a security engineer do to ensure that the EC2 instances are logged?

1. A. Use IPv6 addresses that are configured for hostnames.
2. B. Configure external DNS resolvers as internal resolvers that are visible only to IAM.
3. C. Use IAM DNS resolvers for all EC2 instances.
4. D. Configure a third-party DNS resolver with logging for all EC2 instances.

Correct Answer: C
To ensure that the EC2 instances are logged, the security engineer should do the following:
Use AWS DNS resolvers for all EC2 instances. This allows the security engineer to use
Amazon-provided DNS servers that resolve public DNS hostnames to private IP addresses within their VPC, and that log DNS queries in Amazon CloudWatch Logs.

An IAM user receives an Access Denied message when the user attempts to access objects in an Amazon S3 bucket. The user and the S3 bucket are in the same AWS account. The S3 bucket is configured to use server-side encryption with AWS KMS keys (SSE-KMS) to encrypt all of its objects at rest by using a customer managed key from the same AWS account. The S3 bucket has no bucket policy defined. The IAM user has been granted permissions through an IAM policy that allows the kms:Decrypt permission to the customer managed key. The IAM policy also allows the s3:List* and s3:Get* permissions for the S3 bucket and its objects.
Which of the following is a possible reason that the IAM user cannot access the objects in the S3 bucket?

1. A. The IAM policy needs to allow the kms:DescribeKey permission.
2. B. The S3 bucket has been changed to use the AWS managed key to encrypt objects at rest.
3. C. An S3 bucket policy needs to be added to allow the IAM user to access the objects.
4. D. The KMS key policy has been edited to remove the ability for the AWS account to have full access to the key.

Correct Answer: D
The possible reason that the IAM user cannot access the objects in the S3 bucket is D. The KMS key policy has been edited to remove the ability for the AWS account to have full access to the key.
This answer is correct because the KMS key policy is the primary way to control access to the KMS key, and it must explicitly allow the AWS account to have full access to the key. If the KMS key policy has been edited to remove this permission, then the IAM policy that grants kms:Decrypt permission to the IAM user has no effect, and the IAM user cannot decrypt the objects in the S3 bucket12.
The other options are incorrect because:
A. The IAM policy does not need to allow the kms:DescribeKey permission, because this permission is not required for decrypting objects in S3 using SSE-KMS. The kms:DescribeKey permission allows getting information about a KMS key, such as its creation date, description, and key state3.
B. The S3 bucket has not been changed to use the AWS managed key to encrypt objects at rest, because this would not cause an Access Denied message for the IAM user. The AWS managed key is a default KMS key that is created and managed by AWS for each AWS account and Region. The IAM user does not need any permissions on this key to use it for SSE-KMS4.
C. An S3 bucket policy does not need to be added to allow the IAM user to access the objects, because the IAM user already has s3:List* and s3:Get* permissions for the S3 bucket and its objects through an IAM policy. An S3 bucket policy is an optional way to grant cross-account access or public access to an S3 bucket5.
References:
1: Key policies in AWS KMS 2: Using server-side encryption with AWS KMS keys (SSE-KMS) 3: AWS KMS API Permissions Reference 4: Using server-side encryption with Amazon S3 managed keys (SSE-S3) 5: Bucket policy examples

A company is using AWS Organizations to manage multiple AWS accounts for its hu-man resources, finance, software development, and production departments. All the company's developers are part of the software development AWS account.
The company discovers that developers have launched Amazon EC2 instances that were preconfigured with software that the company has not approved for use. The company wants to implement a solution to ensure that developers can launch EC2 instances with only approved software applications and only in the software de-velopment AWS account.
Which solution will meet these requirements?

1. A. In the software development account, create AMIS of preconfigured instanc-es that include only approved softwar
2. B. Include the AMI IDs in the condi-tion section of an AWS CloudFormation template to launch the appropriate AMI based on the AWS Regio
3. C. Provide the developers with theCloudFor-mation template to launch EC2 instances in the software development ac-count.
4. D. Create an Amazon EventBridge rule that runs when any EC2 Runlnstances API event occurs in the software development accoun
5. E. Specify AWS Systems Man-ager Run Command as a target of the rul
6. F. Configure Run Command to run a script that will install all approved software onto the instances that the developers launch.
7. G. Use an AWS Service Catalog portfolio that contains EC2 products with ap-propriate AMIS that include only approved softwar
8. H. Grant the developers permission to portfolio access only the Service Catalog to launch a prod-uct in the software development account.
9. I. In the management account, create AMIS of preconfigured instances that in-clude only approved softwar
10. J. Use AWS CloudFormation StackSets to launch the AMIS across any AWS account in the organizatio
11. K. Grant the developers permission to launch the stack sets within the management account.

Correct Answer: C

A company is operating a website using Amazon CloudFornt. CloudFront servers some content from Amazon S3 and other from web servers running EC2 instances behind an Application. Load Balancer (ALB). Amazon DynamoDB is used as the data store. The company already uses IAM Certificate Manager (ACM) to store a public TLS certificate that can optionally secure connections between the website users and CloudFront. The company has a new requirement to enforce end-to-end encryption in transit.
Which combination of steps should the company take to meet this requirement? (Select THREE.)

1. A. Update the CloudFront distributio
2. B. configuring it to optionally use HTTPS when connecting to origins on Amazon S3
3. C. Update the web application configuration on the web servers to use HTTPS instead of HTTP when connecting to DynamoDB
4. D. Update the CloudFront distribution to redirect HTTP corrections to HTTPS
5. E. Configure the web servers on the EC2 instances to listen using HTTPS using the public ACM TLS certificate Update the ALB to connect to the target group using HTTPS
6. F. Update the ALB listen to listen using HTTPS using the public ACM TLS certificat
7. G. Update the CloudFront distribution to connect to the HTTPS listener.
8. H. Create a TLS certificate Configure the web servers on the EC2 instances to use HTTPS only with that certificat
9. I. Update the ALB to connect to the target group using HTTPS.

Correct Answer: BCE
To enforce end-to-end encryption in transit, the company should do the following:
Update the web application configuration on the web servers to use HTTPS instead of HTTP when connecting to DynamoDB. This ensures that the data is encrypted when it travels from the web servers to the data store.
Update the CloudFront distribution to redirect HTTP requests to HTTPS. This ensures that the viewers always use HTTPS when they access the website through CloudFront.
Update the ALB to listen using HTTPS using the public ACM TLS certificate. Update the CloudFront distribution to connect to the HTTPS listener. This ensures that the data is encrypted when it travels from CloudFront to the ALB and from the ALB to the web servers.

A security engineer must troubleshoot an administrator's inability to make an existing Amazon S3 bucket public in an account that is part of an organization n IAM Organizations. The administrator switched the role from the master account to a member account and then attempted to make one S3 bucket public. This action was immediately denied
Which actions should the security engineer take to troubleshoot the permissions issue? (Select TWO.)

1. A. Review the cross-account role permissions and the S3 bucket policy Verify that the Amazon S3 block public access option in the member account is deactivated.
2. B. Review the role permissions m the master account and ensure it has sufficient privileges to perform S3 operations
3. C. Filter IAM CloudTrail logs for the master account to find the original deny event and update the cross-account role m the member account accordingly Verify that the Amazon S3 block public access option in the master account is deactivated.
4. D. Evaluate the SCPs covering the member account and the permissions boundary of the role in the member account for missing permissions and explicit denies.
5. E. Ensure the S3 bucket policy explicitly allows the s3 PutBucketPublicAccess action for the role m the member account

Correct Answer: DE
A is incorrect because reviewing the cross-account role permissions and the S3 bucket policy is not enough to troubleshoot the permissions issue. You also need to verify that the Amazon S3 block public access option in the member account is deactivated, as well as the permissions boundary and the SCPs of the role in the member account.
D is correct because evaluating the SCPs and the permissions boundary of the role in the member account can help you identify any missing permissions or explicit denies that could prevent the administrator from making the S3 bucket public.
E is correct because ensuring that the S3 bucket policy explicitly allows the s3 PutBucketPublicAccess action for the role in the member account can help you override any block public access settings that could prevent the administrator from making the S3 bucket public.