[Jul 16, 2023] Get New AWS-Security-Specialty Practice Test Questions Answers
AWS-Security-Specialty Dumps and Exam Test Engine
NEW QUESTION # 76
A Developer reported that AWS CloudTrail was disabled on their account. A Security Engineer investigated the account and discovered the event was undetected by the current security solution. The Security Engineer must recommend a solution that will detect future changes to the CloudTrail configuration and send alerts when changes occur.
What should the Security Engineer do to meet these requirements?
- A. Create an Amazon CloudWatch Events rule to monitor Amazon GuardDuty findings. Send email notifications using Amazon SNS.
- B. Use AWS Resource Access Manager (AWS RAM) to monitor the AWS CloudTrail configuration. Send notifications using Amazon SNS.
- C. Use Amazon Inspector to automatically detect security issues. Send alerts using Amazon SNS.
- D. Update security contact details in AWS account settings for AWS Support to send alerts when suspicious activity is detected.
Answer: A
NEW QUESTION # 77
An employee keeps terminating EC2 instances in the production environment. You've determined the best way to ensure this doesn't happen is to add an extra layer of defense against terminating the instances. What is the best method to ensure the employee does not terminate the production instances? Choose the 2 correct answers from the options below.
- A. Modify the IAM policy on the user to require MFA before deleting EC2 instances
- B. Tag the instance with a production-identifying tag and add resource-level permissions to the employee user with an explicit deny on the terminate API call to instances with the production tag.
- C. Tag the instance with a production-identifying tag and modify the employees group to allow only start, stop, and reboot API calls and not the terminate instance call.
- D. Modify the IAM policy on the user to require MFA before deleting EC2 instances and disable MFA access to the employee
Answer: B,C
Explanation:
Tags enable you to categorize your AWS resources in different ways, for example, by purpose, owner, or environment. This is useful when you have many resources of the same type: you can quickly identify a specific resource based on the tags you've assigned to it. Each tag consists of a key and an optional value, both of which you define. Options C&D are incorrect because they will not ensure that the employee cannot terminate the instance.
For more information on tagging AWS resources, please refer to the below URL:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html
The correct answers are: Tag the instance with a production-identifying tag and add resource-level permissions to the employee user with an explicit deny on the terminate API call to instances with the production tag. Tag the instance with a production-identifying tag and modify the employees group to allow only start, stop, and reboot API calls and not the terminate instance call.
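The following identity-based policy is an added illustration of the two correct answers combined, not part of the original question bank: the first statement grants only start, stop, reboot and describe; the second is an explicit deny on ec2:TerminateInstances that matches on the instance's tag. The tag key Environment and value production are assumptions for the example, as is attaching the policy to the employee's group. An explicit Deny always wins over any Allow attached elsewhere, which is what makes it an extra layer of defense.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowDayToDayInstanceOperations",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyTerminateOfProductionTaggedInstances",
      "Effect": "Deny",
      "Action": "ec2:TerminateInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Environment": "production"
        }
      }
    }
  ]
}
```

Because the deny is keyed on the tag, it only protects instances that actually carry Environment=production; pair it with a control that prevents the employee from removing or changing that tag (a deny on ec2:CreateTags and ec2:DeleteTags for the same resources), otherwise the tag can simply be stripped before terminating.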
NEW QUESTION # 78
An Amazon EC2 instance is part of an EC2 Auto Scaling group that is behind an Application Load Balancer (ALB). It is suspected that the EC2 instance has been compromised.
Which steps should be taken to investigate the suspected compromise? (Choose three.)
- A. Disable any Amazon Route 53 health checks associated with the EC2 instance.
- B. Attach a security group that has restrictive ingress and egress rules to the EC2 instance.
- C. Initiate an Amazon Elastic Block Store volume snapshot of all volumes on the EC2 instance.
- D. De-register the EC2 instance from the ALB and detach it from the Auto Scaling group.
- E. Detach the elastic network interface from the EC2 instance.
- F. Add a rule to an AWS WAF to block access to the EC2 instance.
Answer: B,C,D
NEW QUESTION # 79
A company has hired a third-party security auditor, and the auditor needs read-only access to all AWS resources and logs of all VPC records and events that have occurred on AWS. How can the company meet the auditor's requirements without compromising security in the AWS environment? Choose the correct answer from the options below.
- A. Create a role that has the required permissions for the auditor.
- B. The company should contact AWS as part of the shared responsibility model, and AWS will grant required access to the third-party auditor.
- C. Enable CloudTrail logging and create an IAM user who has read-only permissions to the required AWS resources, including the bucket containing the CloudTrail logs.
- D. Create an SNS notification that sends the CloudTrail log files to the auditor's email when CloudTrail delivers the logs to S3, but do not allow the auditor access to the AWS environment.
Answer: C
Explanation:
AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain events related to API calls across your AWS infrastructure. CloudTrail provides a history of AWS API calls for your account including API calls made through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This history simplifies security analysis, resource change tracking, and troubleshooting.
Options A and C are incorrect since CloudTrail needs to be used as part of the solution. Option B is incorrect since the auditor needs to have access to CloudTrail. For more information on CloudTrail, please visit the below URL:
https://aws.amazon.com/cloudtrail/
The correct answer is: Enable CloudTrail logging and create an IAM user who has read-only permissions to the required AWS resources, including the bucket containing the CloudTrail logs.
NEW QUESTION # 80
A company's Security Engineer has been asked to monitor and report all AWS account root user activities.
Which of the following would enable the Security Engineer to monitor and report all root user activities? (Select TWO)
- A. Configuring AWS Organizations to monitor root user API calls on the paying account
- B. Configuring AWS Trusted Advisor to send an email to the Security team when the root user logs in to the console
- C. Creating an Amazon CloudWatch Events rule that will trigger when any API call from the root user is reported
- D. Configuring Amazon Inspector to scan the AWS account for any root user activity
- E. Using Amazon SNS to notify the target group
Answer: C,E
NEW QUESTION # 81
A company is developing a highly resilient application to be hosted on multiple Amazon EC2 instances. The application will store highly sensitive user data in Amazon RDS tables. The application must:
* Include migration to a different AWS Region in the application disaster recovery plan.
* Provide a full audit trail of encryption key administration events
* Allow only company administrators to administer keys.
* Protect data at rest using application layer encryption
A Security Engineer is evaluating options for encryption key management. Why should the Security Engineer choose AWS CloudHSM over AWS KMS for encryption key management in this situation?
- A. The ciphertext produced by CloudHSM provides more robust protection against brute force decryption attacks than the ciphertext produced by AWS KMS.
- B. The key administration event logging generated by CloudHSM is significantly more extensive than AWS KMS.
- C. CloudHSM ensures that only company support staff can administer encryption keys, whereas AWS KMS allows AWS staff to administer keys.
- D. CloudHSM provides the ability to copy keys to a different Region, whereas AWS KMS does not.
Answer: C
NEW QUESTION # 82
Your company makes use of S3 buckets for storing data. There is a company policy that all services should have logging enabled. How can you ensure that logging is always enabled for created S3 buckets in the AWS Account?
Please select:
- A. Use AWS Inspector to inspect all S3 buckets and enable logging for those where it is not enabled
- B. Use AWS Cloudwatch metrics to check whether logging is enabled for buckets
- C. Use AWS Cloudwatch logs to check whether logging is enabled for buckets
- D. Use AWS Config Rules to check whether logging is enabled for buckets
Answer: D
Explanation:
This is given in the AWS documentation as an example rule in AWS Config (Example rules with triggers: example rule with a configuration change trigger).
1. You add the AWS Config managed rule, S3_BUCKET_LOGGING_ENABLED, to your account to check whether your Amazon S3 buckets have logging enabled.
2. The trigger type for the rule is configuration changes. AWS Config runs the evaluations for the rule when an Amazon S3 bucket is created, changed, or deleted.
3. When a bucket is updated, the configuration change triggers the rule and AWS Config evaluates whether the bucket is compliant against the rule.
Option A is invalid because AWS Inspector cannot be used to scan all buckets. Options C and D are invalid because CloudWatch cannot be used to check for logging enablement for buckets.
For more information on Config Rules, please see the below link:
https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config-rules.html
The correct answer is: Use AWS Config Rules to check whether logging is enabled for buckets
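As an added illustration of the three steps above (not part of the original question bank), this CloudFormation template fragment deploys the managed rule S3_BUCKET_LOGGING_ENABLED with a configuration-change trigger. The logical resource name and rule name are assumptions; the SourceIdentifier is the managed rule the explanation names, and scoping the rule to AWS::S3::Bucket is what makes it re-evaluate on every bucket create, change or delete rather than on a schedule.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Example only: AWS Config managed rule that flags S3 buckets without server access logging",
  "Resources": {
    "S3BucketLoggingEnabledRule": {
      "Type": "AWS::Config::ConfigRule",
      "Properties": {
        "ConfigRuleName": "s3-bucket-logging-enabled",
        "Description": "Checks whether logging is enabled for Amazon S3 buckets",
        "Source": {
          "Owner": "AWS",
          "SourceIdentifier": "S3_BUCKET_LOGGING_ENABLED"
        },
        "Scope": {
          "ComplianceResourceTypes": [
            "AWS::S3::Bucket"
          ]
        }
      }
    }
  }
}
```

The template assumes the AWS Config recorder and delivery channel already exist in the account; a rule cannot evaluate anything until the recorder is recording S3 bucket configuration items. The rule only reports NON_COMPLIANT; turning logging on for a flagged bucket is a separate remediation step.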
NEW QUESTION # 83
Your company is planning on hosting its resources on AWS. There is a company policy which mandates that all security keys are completely managed within the company itself. Which of the following is the correct measure for following this policy?
Please select:
- A. Generating the key pairs for the EC2 Instances using puttygen
- B. Use the EC2 Key pairs that come with AWS
- C. Use S3 server-side encryption
- D. Using the AWS KMS service for creation of the keys and the company managing the key lifecycle thereafter.
Answer: A
Explanation:
By ensuring that you generate the key pairs for EC2 Instances, you will have complete control of the access keys.
Options A, C and D are invalid because all of these processes mean that AWS has ownership of the keys, and the question specifically mentions that you need ownership of the keys. For information on security for Compute Resources, please visit the below URL:
https://d1.awsstatic.com/whitepapers/Security/Security_Compute_Services_Whitepaper.pdf
The correct answer is: Generating the key pairs for the EC2 Instances using puttygen
NEW QUESTION # 84
A company has external vendors that must deliver files to the company. These vendors have cross-account access that gives them permission to upload objects to one of the company's S3 buckets.
What combination of steps must the vendor follow to successfully deliver a file to the company? Select 2 answers from the options given below.
- A. Add a bucket policy to the bucket that grants the bucket owner full permissions to the object
- B. Upload the file to the company's S3 bucket
- C. Attach an IAM role to the bucket that grants the bucket owner full permissions to the object
- D. Add a grant to the object's ACL giving full permissions to the bucket owner.
- E. Encrypt the object with a KMS key controlled by the company.
Answer: B,D
Explanation:
This scenario is given in the AWS Documentation
A bucket owner can enable other AWS accounts to upload objects. These objects are owned by the accounts that created them. The bucket owner does not own objects that were not created by the bucket owner. Therefore, for the bucket owner to grant access to these objects, the object owner must first grant permission to the bucket owner using an object ACL. The bucket owner can then delegate those permissions via a bucket policy. In this example, the bucket owner delegates permission to users in its own account.
Options A and D are invalid because bucket ACLs are used to give grants to the bucket. Option C is not required since encryption is not part of the requirement. For more information on this scenario, please see the below link:
https://docs.aws.amazon.com/AmazonS3/latest/dev/example-walkthroughs-managing-access-example3.html
The correct answers are: Add a grant to the object's ACL giving full permissions to the bucket owner. Upload the file to the company's S3 bucket
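The bucket policy below is an added illustration of the bucket owner's side of this scenario, not part of the original question bank. The vendor fulfils step D by uploading with the bucket-owner-full-control canned ACL (for example, aws s3 cp report.csv s3://example-inbound-bucket/ --acl bucket-owner-full-control); the policy makes that mandatory by denying any PutObject whose x-amz-acl header is not that value, so a vendor cannot accidentally deliver an object the company cannot read. The bucket name example-inbound-bucket and the vendor principal in account 111122223333 are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowVendorUploads",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:user/vendor-uploader"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-inbound-bucket/*"
    },
    {
      "Sid": "DenyUploadsWithoutBucketOwnerFullControl",
      "Effect": "Deny",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:user/vendor-uploader"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-inbound-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
```

The vendor's own account must also allow its user to call s3:PutObject on this bucket; the bucket policy alone does not grant cross-account permission. On buckets where the S3 Object Ownership setting is "Bucket owner enforced", ACLs are disabled and every uploaded object is owned by the bucket owner automatically, so the ACL step disappears and this deny condition is no longer needed.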
NEW QUESTION # 85
An application outputs logs to a text file. The logs must be continuously monitored for security incidents.
Which design will meet the requirements with MINIMUM effort?
- A. Create a scheduled process to copy the component's logs into Amazon S3. Use S3 events to trigger a Lambda function that updates Amazon CloudWatch metrics with the log data. Set up CloudWatch alerts based on the metrics.
- B. Create a file watcher that copies data to Amazon Kinesis when the application writes to the log file. Have Kinesis trigger a Lambda function to update Amazon CloudWatch metrics with the log data. Set up CloudWatch alerts based on the metrics.
- C. Create a scheduled process to copy the application log files to AWS CloudTrail. Use S3 events to trigger Lambda functions that update CloudWatch metrics with the log data. Set up CloudWatch alerts based on the metrics.
- D. Install and configure the Amazon CloudWatch Logs agent on the application's EC2 instance. Create a CloudWatch metric filter to monitor the application logs. Set up CloudWatch alerts based on the metrics.
Answer: D
Explanation:
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/QuickStartEC2Instance.html
NEW QUESTION # 86
A Security Engineer is working with a Product team building a web application on AWS. The application uses Amazon S3 to host the static content, Amazon API Gateway to provide RESTful services, and Amazon DynamoDB as the backend data store. The users already exist in a directory that is exposed through a SAML identity provider.
Which combination of the following actions should the Engineer take to enable users to be authenticated into the web application and call APIs? (Choose three.)
- A. Configure a SAML identity provider in Amazon Cognito to map attributes to the Amazon Cognito user pool attributes.
- B. Update DynamoDB to store the user email addresses and passwords.
- C. Create a custom authorization service using AWS Lambda.
- D. Update API Gateway to use a COGNITO_USER_POOLS authorizer.
- E. Configure the SAML identity provider to add the Amazon Cognito user pool as a relying party.
- F. Configure an Amazon Cognito identity pool to integrate with social login providers.
Answer: A,B,F
NEW QUESTION # 87
A Systems Engineer is troubleshooting the connectivity of a test environment that includes a virtual security appliance deployed inline. In addition to using the virtual security appliance, the Development team wants to use security groups and network ACLs to accomplish various security requirements in the environment.
What configuration is necessary to allow the virtual security appliance to route the traffic?
- A. Disable network ACLs.
- B. Configure the security appliance's elastic network interface for promiscuous mode.
- C. Disable the Network Source/Destination check on the security appliance's elastic network interface
- D. Place the security appliance in the public subnet with the internet gateway
Answer: C
Explanation:
Each EC2 instance performs source/destination checks by default. This means that the instance must be the source or destination of any traffic it sends or receives. In this case, the virtual security appliance instance must be able to send and receive traffic when the source or destination is not itself. Therefore, you must disable source/destination checks on the NAT instance.
NEW QUESTION # 88
Your company is planning on developing an application in AWS. This is a web-based application. The application users will use their Facebook or Google identities for authentication. You want to have the ability to manage user profiles without having to add extra coding to manage this. Which of the below would assist in this?
Please select:
- A. Create a SAML provider in AWS
- B. Use AWS Cognito to manage the user profiles
- C. Use IAM users to manage the user profiles
- D. Create an OIDC identity provider in AWS
Answer: B
Explanation:
The AWS documentation mentions the following:
A user pool is a user directory in Amazon Cognito. With a user pool, your users can sign in to your web or mobile app through Amazon Cognito. Your users can also sign in through social identity providers like Facebook or Amazon, and through SAML identity providers. Whether your users sign in directly or through a third party, all members of the user pool have a directory profile that you can access through an SDK.
User pools provide:
- Sign-up and sign-in services.
- A built-in, customizable web UI to sign in users.
- Social sign-in with Facebook, Google, and Login with Amazon, as well as sign-in with SAML identity providers from your user pool.
- User directory management and user profiles.
- Security features such as multi-factor authentication (MFA), checks for compromised credentials, account takeover protection, and phone and email verification.
- Customized workflows and user migration through AWS Lambda triggers.
Options A and B are invalid because these are not used to manage users.
Option D is invalid because this would be a maintenance overhead.
For more information on Cognito user identity pools, please refer to the below link:
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html
The correct answer is: Use AWS Cognito to manage the user profiles
NEW QUESTION # 89
Which of the following is the most efficient way to automate the encryption of AWS CloudTrail logs using a Customer Master Key (CMK) in AWS KMS?
- A. Use the default Amazon S3 server-side encryption with S3-managed keys to encrypt and decrypt the CloudTrail logs.
- B. Configure CloudTrail to use server-side encryption using KMS-managed keys to encrypt and decrypt CloudTrail logs.
- C. Use encrypted API endpoints so that all AWS API calls generate encrypted CloudTrail log entries using the TLS certificate from the encrypted API call.
- D. Use the KMS direct encrypt function on the log data every time a CloudTrail log is generated.
Answer: B
Explanation:
https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html
NEW QUESTION # 90
An employee accidentally exposed an IAM access key and secret access key during a public presentation. The company Security Engineer immediately disabled the key.
How can the Engineer assess the impact of the key exposure and ensure that the credentials were not misused?
(Choose two.)
- A. Download and analyze the IAM Use report from AWS Trusted Advisor.
- B. Analyze the resource inventory in AWS Config for IAM user activity.
- C. Analyze Amazon CloudWatch Logs for activity.
- D. Analyze AWS CloudTrail for activity.
- E. Download and analyze a credential report from IAM.
Answer: B,D
Explanation:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html
NEW QUESTION # 91
One of your company's EC2 Instances has been compromised. The company has strict po thorough investigation on finding the culprit for the security breach. What would you do in from the options given below?
Please select:
- A. Make sure that logs are stored securely for auditing and troubleshooting purpose
- B. Ensure all passwords for all IAM users are changed
- C. Isolate the machine from the network
- D. Ensure that all access keys are rotated.
- E. Take a snapshot of the EBS volume
Answer: A,C,E
Explanation:
Some of the important aspects in such a situation are:
1) First isolate the instance so that no further security harm can occur on other AWS resources.
2) Take a snapshot of the EBS volume for further investigation. This is in case you need to shut down the initial instance and do a separate investigation on the data.
3) Next is Option C. This indicates that we have already got logs and we need to make sure that they are stored securely so that no unauthorised person can access them and manipulate them.
Options D and E are invalid because they could have adverse effects for the other IAM users.
For more information on adopting a security framework, please refer to the below URL:
https://d1.awsstatic.com/whitepapers/compliance/NIST Cybersecurity Framework
Note: In the question we have been asked to take actions to find the culprit and to help the investigation, or to further reduce the damage that has happened due to the security breach. So keeping logs secure is one way of helping the investigation.
The correct answers are: Take a snapshot of the EBS volume. Isolate the machine from the network. Make sure that logs are stored securely for auditing and troubleshooting purposes.
NEW QUESTION # 92
An organization policy states that all encryption keys must be automatically rotated every 12 months.
Which AWS Key Management Service (KMS) key type should be used to meet this requirement?
- A. Customer managed CMK with imported key material
- B. AWS managed Customer Master Key (CMK)
- C. Customer managed CMK with AWS generated key material
- D. AWS managed data key
Answer: C
NEW QUESTION # 93
A company's engineering team is developing a new application that creates AWS Key Management Service (AWS KMS) CMK grants for users. Immediately after a grant is created, users must be able to use the CMK to encrypt a 512-byte payload. During load testing, a bug appears intermittently where AccessDeniedExceptions are occasionally triggered when a user first attempts to encrypt using the CMK. Which solution should the company's security specialist recommend?
- A. Instruct the engineering team to create a random name for the grant when calling the CreateGrant operation. Return the name to the users and instruct them to provide the name as the grant token in the call to encrypt.
- B. Instruct the engineering team to pass the grant token returned in the CreateGrant response to users. Instruct users to use that grant token in their call to encrypt.
- C. Instruct users to implement a retry mechanism every 2 minutes until the call succeeds.
- D. Instruct the engineering team to consume a random grant token from users, and to call the CreateGrant operation, passing it the grant token. Instruct users to use that grant token in their call to encrypt.
Answer: B
NEW QUESTION # 94
You are planning to use AWS Config to check the configuration of the resources in your AWS account. You are planning on using an existing IAM role for the AWS Config resource. Which of the following is required to ensure the AWS Config service can work as required?
Please select:
- A. Ensure that there is a grant policy in place for the AWS Config service within the role
- B. Ensure that there is a trust policy in place for the AWS Config service within the role
- C. Ensure that there is a group policy in place for the AWS Config service within the role
- D. Ensure that there is a user policy in place for the AWS Config service within the role
Answer: B
Explanation:
Options B, C and D are invalid because you need to ensure a trust policy is in place and not a grant, user or group policy. For more information on the IAM role permissions, please visit the below link:
https://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html
The correct answer is: Ensure that there is a trust policy in place for the AWS Config service within the role
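As an added illustration (not part of the original question bank), this is the trust policy that an existing role needs before AWS Config can assume it. The trust policy is the role's assume-role policy document: it names the service principal config.amazonaws.com and allows sts:AssumeRole; the role's permissions policy is a separate document and is not what is missing in this question. The aws:SourceAccount condition is an added hardening step that pins the trust to your own account so the service cannot be made to assume the role on behalf of another account; 111122223333 is a placeholder account ID.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAWSConfigToAssumeThisRole",
      "Effect": "Allow",
      "Principal": {
        "Service": "config.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "111122223333"
        }
      }
    }
  ]
}
```

A quick check that the trust relationship is in place is to read the role back (for example with aws iam get-role --role-name <role>) and confirm that AssumeRolePolicyDocument lists config.amazonaws.com as a Service principal; a role whose trust policy only lists IAM users or other accounts will cause the Config recorder to fail even if its permissions policy is complete.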
NEW QUESTION # 95
A Developer signed in to a new account within an AWS Organizations organizational unit (OU) containing multiple accounts. Access to the Amazon S3 service is restricted with the following SCP:
How can the Security Engineer provide the Developer with Amazon S3 access without affecting other accounts?
- A. Add an IAM policy for the Developer, which grants S3 access.
- B. Move the SCP to the root OU of Organizations to remove the restriction to access Amazon S3.
- C. Add an allow list for the Developer account for the S3 service.
- D. Create a new OU without applying the SCP restricting S3 access. Move the Developer account to this new OU.
Answer: D
NEW QUESTION # 96
A company is deploying a new web application on AWS. Based on their other web applications, they anticipate being the target of frequent DDoS attacks. Which steps can the company use to protect their application? Select 2 answers from the options given below.
Please select:
- A. Use an ELB Application Load Balancer and Auto Scaling group to scale to absorb application layer traffic.
- B. Associate the EC2 instances with a security group that blocks traffic from blacklisted IP addresses.
- C. Use CloudFront and AWS WAF to prevent malicious traffic from reaching the application
- D. Enable GuardDuty to block malicious traffic from reaching the application
- E. Use Amazon Inspector on the EC2 instances to examine incoming traffic and discard malicious traffic.
Answer: A,C
Explanation:
The below diagram from AWS shows the best case scenario for avoiding DDoS attacks using services such as AWS CloudFront, WAF, ELB and Auto Scaling.
Option A is invalid because by default security groups don't allow access.
Option C is invalid because AWS Inspector cannot be used to examine traffic.
Option E is invalid because this can be used for attacks on EC2 Instances but not against DDoS attacks on the entire application. For more information on DDoS mitigation from AWS, please visit the below URL:
https://aws.amazon.com/answers/networking/aws-ddos-attack-mitigation/
The correct answers are: Use an ELB Application Load Balancer and Auto Scaling group to scale to absorb application layer traffic. Use CloudFront and AWS WAF to prevent malicious traffic from reaching the application
NEW QUESTION # 97
......
