AWS Certified Security Specialty Practice Test 1
1) Your company has the following setup in AWS:
a. A set of EC2 Instances hosting a web application
b. An application load balancer placed in front of the EC2 instances
There seems to be a set of malicious requests coming from a set of IP addresses. Which of the following can be used to protect against these requests?
(A) Use VPC Flow Logs to block the IP addresses
(B) Use AWS WAF to block The IP addresses
(C) Use Security Groups to block the IP addresses
(D) Use Amazon Inspector to block the IP addresses
Answer: Option B
2) A company wants to use CloudTrail for logging all API activity. They want to segregate the logging of data events from the logging of management events. How can this be achieved? Choose 2 answers from the options given below:
A. Create one CloudTrail log group for data events
B. Create one trail that logs data events to an S3 bucket
C. Create another trail that logs management events to another S3 bucket
D. Create another CloudTrail log group for management events
(A) A,B
(B) A,D
(C) A,C
(D) B,C
Answer: Option D (B, C). Each trail has its own event selectors, so one trail can be limited to data events and a second to management events, each delivering to its own S3 bucket.
3) Company policy requires that all insecure server protocols, such as FTP, Telnet, HTTP, etc., be disabled on all servers. The security team would like to regularly check all servers to ensure compliance with this requirement by using a scheduled CloudWatch Events rule to trigger a review of the current infrastructure. What process will check compliance of the company's EC2 instances?
(A) Query the Trusted Advisor API for all best-practice security checks and check for "action recommended" status.
(B) Trigger an AWS Config rules evaluation of the restricted-common-ports rule against every EC2 instance
(C) Enable a GuardDuty threat detection analysis targeting the port configuration on every EC2 instance
(D) Run an Amazon Inspector assessment using the Runtime Behavior Analysis rules package against every EC2 instance
Answer: Option B
4) Your company is planning on hosting its resources in AWS. There is a company policy which mandates that all security keys are completely managed within the company itself. Which of the following is the correct measure for following this policy?
(A) Use the EC2 key pairs that come with AWS
(B) Use S3 server-side encryption
(C) Generate the key pairs for the EC2 instances using PuTTYgen
(D) Use the AWS KMS service for creation of the keys, with the company managing the key life cycle thereafter
Answer: Option C
5) Your company has many AWS accounts defined and all are managed via AWS Organizations. One AWS account has an S3 bucket that has critical data. How can we ensure that all the users in the AWS organization have access to this bucket?
(A) Ensure the bucket policy has a condition which involves aws:AccountNumber
(B) Ensure the bucket policy has a condition which involves aws:PrincipalOrgID
(C) Ensure the bucket policy has a condition which involves aws:PrincipalID
(D) Ensure the bucket policy has a condition which involves aws:OrgID
Answer: Option B. aws:PrincipalOrgID matches any principal whose account belongs to the given organization, so a single condition covers every member account without listing them.
6) The CFO of a company wants to allow one of his employees to view only the AWS usage report page. Which of the below mentioned IAM policy statements allows the user to have access to the AWS usage report page?
(A) Effect: Allow, Action: [aws-portal:ViewBilling], Resource
(B) Effect: Allow, Action: [Describe], Resource: Billing
(C) Effect: Allow, Action: [AccountUsage], Resource
(D) Effect: Allow, Action: [aws-portal:ViewUsage, aws-portal:ViewBilling], Resource
Answer: Option D
7) Your company has been using AWS for the past 2 years. They have separate S3 buckets for logging the various AWS services that have been used. They have hired an external vendor for analyzing their log files. The vendor has their own AWS account. What is the best way to ensure that the partner account can access the log files in the company account for analysis? Choose 2 answers from the options given below:
A. Create an IAM user in the company account
B. Create an IAM role in the company account
C. Ensure the IAM user has read-only access to the S3 buckets
D. Ensure the IAM role has read-only access to the S3 buckets
(A) B,C
(B) A,B
(C) B,D
(D) A,C
Answer: Option C (B, D). A cross-account role whose trust policy names the vendor's account avoids handing out long-lived credentials; its permissions should be limited to read actions (s3:GetObject, s3:ListBucket) on the log buckets.
8) A company continually generates sensitive records that it stores in an S3 bucket. All objects in the bucket are encrypted using SSE-KMS with one of the company's CMKs. Company compliance policies require that no more than one month of data be encrypted using the same encryption key.
What solution below will meet the company's requirements?
(A) Trigger a Lambda function with a monthly CloudWatch Events rule that creates a new CMK and updates the S3 bucket to use the new CMK
(B) Configure the CMK to rotate the key material every month.
(C) Trigger a Lambda function with a monthly CloudWatch Events rule that rotates the key material in the CMK.
(D) Trigger a Lambda function with a monthly CloudWatch Events rule that creates a new CMK, updates the S3 bucket to use the new CMK, and deletes the old CMK
Answer: Option A. Option D would make the objects already encrypted under the old CMK unreadable, since S3 needs that key to decrypt them; an old CMK must be kept (disabled at most) for as long as data encrypted under it exists.
9) Your company has an external web site. This web site needs to access the objects in an S3 bucket. Which of the following would allow the web site to access the objects in the most secure manner?
(A) Use the aws:Referer key in the condition clause for the bucket policy
(B) Grant public access for the bucket via the bucket policy
(C) Use the aws:sites key in the condition clause for the bucket policy
(D) Grant a role that can be assumed by the web site
Answer: Option A. Note that the Referer header is set by the client and is trivially forged, so an aws:Referer condition only discourages hotlinking of content that is effectively public; it is not an authentication control.
10) Which of the below services can be integrated with the AWS WAF service?
Choose 2 answers from the options given below
A. Amazon CloudFront
B. AWS Lambda
C. Application Load Balancer
D. Classic Load Balancer
(A) A,D
(B) A,C
(C) B,C
(D) A,B
Answer: Option B (A, C). AWS WAF web ACLs are associated with CloudFront distributions and Application Load Balancers (among other regional resources such as API Gateway); Classic Load Balancers are not supported.
11) Your company is planning on using AWS EC2 and ELB for deployment of their web applications. The security policy mandates that all traffic should be encrypted. Which of the following options will ensure that this requirement is met? Choose 2 answers from the options below.
A. Ensure the load balancer listens on port 80
B. Ensure the load balancer listens on port 443
C. Ensure the HTTPS listener sends requests to the instances on port 443
D. Ensure the HTTPS listener sends requests to the instances on port 80
(A) B,C
(B) B,D
(C) A,D
(D) A,B
Answer: Option A (B, C). Terminating TLS at the listener but forwarding to the instances on port 80 leaves the load balancer-to-instance leg in clear text, so the back-end protocol must be HTTPS as well.
12) You have an Amazon VPC that has a private subnet and a public subnet in which you have a NAT instance server. You have created a group of EC2 instances that configure themselves at startup by downloading a bootstrapping script from S3 that deploys an application via Git. Which one of the following setups would give us the highest level of security?
Choose the correct answer from the options given below.
(A) EC2 instances in our public subnet, no EIPs, route outgoing traffic via the IGW
(B) EC2 instances in our public subnet, assigned EIPs, and route outgoing traffic via the NAT
(C) EC2 instances in our private subnet, assigned EIPs, and route outgoing traffic via our IGW
(D) EC2 instances in our private subnet, no EIPs, route outgoing traffic via the NAT
Answer: Option D
13) Your organization is preparing for a security assessment of your use of AWS. In preparation for this assessment, which three IAM best practices should you consider implementing?
(A) Configure MFA on the root account and for privileged IAM users
(B) Create individual IAM users for everyone in your organization
(C) Ensure all users have been assigned and are frequently rotating a password, access key ID/secret key, and X.509 certificate
(D) Assign IAM users and groups configured with policies granting least privilege access
Answer: Option B
14) An organization has set up multiple IAM users. The organization wants each IAM user to access the IAM console only from within the organization and not from outside. How can it achieve this?
(A) Create an IAM policy with the security group and use that security group for AWS console login
(B) Configure the EC2 instance security group which allows traffic only from the organization's IP range
(C) Create an IAM policy with VPC and allow a secure gateway between the organization and the AWS Console
(D) Create an IAM policy with a condition which denies access when the IP address range is not from the organization
Answer: Option D. A Deny keyed on aws:SourceIp with NotIpAddress also catches calls that AWS services make on the user's behalf, whose source IP is the service's rather than the office's, so it is normally paired with a "Bool": {"aws:ViaAWSService": "false"} condition.
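Q5, Q9 and Q14 all turn on a condition key in a policy: aws:PrincipalOrgID, aws:Referer and aws:SourceIp respectively. The following Python is an added example, not part of the practice test and not AWS's policy engine, that evaluates three constructed policies with a small subset of IAM's condition operators and its Deny-wins decision order; the organization ID, CIDR, bucket names and account IDs are placeholders. It also makes the weakness of option A in Q9 concrete: a forged Referer header passes exactly like a genuine one.

```python
import fnmatch
import ipaddress

# Constructed policies; the organization ID, CIDR, bucket names and account
# IDs are placeholders, not values from the page.
ORG_WIDE_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::critical-data", "arn:aws:s3:::critical-data/*"],
    "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}},
}]}

REFERER_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::web-assets/*",
    "Condition": {"StringLike": {"aws:Referer": ["https://www.example.com/*"]}},
}]}

OFFICE_ONLY_IAM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {
         "NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
         # Without this line, calls AWS services make on the user's behalf
         # (whose source IP is the service's, not the office's) are denied too.
         "Bool": {"aws:ViaAWSService": "false"},
     }},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value):
    # IAM wildcards: '*' matches any run of characters, '?' a single one.
    return fnmatch.fnmatchcase(value, pattern)


def _in_any_cidr(ip, cidrs):
    address = ipaddress.ip_address(ip)
    return any(address in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _condition_holds(condition, context):
    """Every operator/key pair must hold; the values listed for one key are OR-ed."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = _as_list(expected)
            actual = context.get(key)
            if actual is None:
                # Simplification: an absent key fails the condition. IAM's
                # special cases (…IfExists, negated operators) are not modelled.
                return False
            if operator == "StringEquals":
                ok = actual in expected
            elif operator == "StringLike":
                ok = any(_wildcard_match(p, actual) for p in expected)
            elif operator == "Bool":
                ok = str(actual).lower() == str(expected[0]).lower()
            elif operator == "IpAddress":
                ok = _in_any_cidr(actual, expected)
            elif operator == "NotIpAddress":
                ok = not _in_any_cidr(actual, expected)
            else:
                raise ValueError(f"operator {operator} is not modelled in this example")
            if not ok:
                return False
    return True


def _statement_applies(statement, context, action, resource):
    principal = statement.get("Principal", "*")  # identity policies carry no Principal
    if principal != "*":
        allowed = _as_list(principal.get("AWS", []))
        if "*" not in allowed and context.get("aws:PrincipalArn") not in allowed:
            return False
    if not any(_wildcard_match(a, action) for a in _as_list(statement["Action"])):
        return False
    if not any(_wildcard_match(r, resource) for r in _as_list(statement["Resource"])):
        return False
    return _condition_holds(statement.get("Condition", {}), context)


def evaluate(policies, context, action, resource):
    """IAM decision order: an explicit Deny wins, then any Allow, else implicit Deny."""
    decision = "ImplicitDeny"
    for policy in policies:
        for statement in policy["Statement"]:
            if not _statement_applies(statement, context, action, resource):
                continue
            if statement["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision


if __name__ == "__main__":
    member = {"aws:PrincipalArn": "arn:aws:iam::111122223333:user/alice",
              "aws:PrincipalOrgID": "o-exampleorgid"}
    print(evaluate([ORG_WIDE_BUCKET_POLICY], member, "s3:GetObject",
                   "arn:aws:s3:::critical-data/q1.csv"))
    # Anyone can send a Referer header, so a forged one is accepted like a real one.
    forged = {"aws:Referer": "https://www.example.com/"}
    print(evaluate([REFERER_BUCKET_POLICY], forged, "s3:GetObject",
                   "arn:aws:s3:::web-assets/logo.png"))
    home = {"aws:SourceIp": "198.51.100.9", "aws:ViaAWSService": "false"}
    print(evaluate([OFFICE_ONLY_IAM_POLICY], home, "iam:ListUsers", "*"))
```

Only StringEquals, StringLike, Bool, IpAddress and NotIpAddress are modelled, and an absent condition key simply fails the condition here; real IAM has additional rules for ...IfExists operators and for negated operators when a key is missing, which is one reason to test policies with the IAM policy simulator rather than by reasoning alone.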
15) Your developer is using the KMS service and an assigned key in their Java program. They get the below error when running the code: arn:aws:iam::113745388712:user/UserB is not authorized to perform: kms:DescribeKey. Which of the following could help resolve the issue?
(A) Ensure that User B is given the right IAM role to access the key
(B) Ensure that User B is given the right permissions in the IAM policy
(C) Ensure that User B is given the right permissions in the key policy
(D) Ensure that User B is given the right permissions in the bucket policy
Answer: Option C
16) A company hosts critical data in an S3 bucket. Even though they have assigned the appropriate permissions to the bucket, they are still worried about data deletion. What measures can be taken to restrict the risk of data deletion on the bucket? Choose 2 answers from the options given below:
A. Enable versioning on the S3 bucket
B. Enable encryption at rest for the objects in the bucket
C. Enable MFA Delete in the bucket policy
D. Enable encryption in transit for the objects in the bucket
(A) A,C
(B) A,B
(C) B,C
(D) A,D
Answer: Option A (A, C)
17) In your LAMP application, you have some developers that say they would like access to your logs. However, since you are using an AWS Auto Scaling group, your instances are constantly being recreated. What would you do to make sure that these developers can access these log files? Choose the correct answer from the options below.
(A) Give only the necessary access to the Apache servers so that the developers can gain access to the log files
(B) Give read-only access to your developers to the Apache servers.
(C) Set up a central logging server that you can use to archive your logs; archive these logs to an S3 bucket for developer access
(D) Give root access to your Apache servers to the developers
Answer: Option C
18) You are creating a Lambda function which will be triggered by a CloudWatch Events rule. The data from these events needs to be stored in a DynamoDB table. How should the Lambda function be given access to the DynamoDB table?
(A) Use an IAM role which has permissions to the DynamoDB table and attach it to the Lambda function.
(B) Create a VPC endpoint for the DynamoDB table. Access the VPC endpoint from the Lambda function
(C) Put the AWS access keys in the Lambda function, since the Lambda function by default is secure
(D) Use the AWS access keys which have access to DynamoDB and place them in an S3 bucket
Answer: Option A
19) Your company has an EC2 instance hosted in AWS. This EC2 instance hosts an application. Currently this application is experiencing a number of issues. You need to inspect the network packets to see what type of error is occurring. Which one of the below steps can help address this issue?
(A) Use another instance. Set up a port in promiscuous mode and sniff the traffic to analyze the packets
(B) Use a network monitoring tool provided by an AWS partner.
(C) Use the VPC Flow Logs
(D) Use CloudWatch metrics
Answer: Option B. Promiscuous-mode sniffing from a neighbouring instance (option A) does not work in a VPC, because the VPC network delivers a packet only to the network interface it is addressed to; packet capture therefore needs an agent on the instance itself, such as a partner monitoring tool (or VPC Traffic Mirroring to a capture appliance). VPC Flow Logs record per-flow metadata rather than packet contents, and CloudWatch metrics carry no packet data at all.
20) A company has been using the AWS KMS service for managing its keys. They are planning on carrying out housekeeping activities and deleting keys which are no longer in use. What are the ways that can be used to see which keys are in use? Choose 2 answers from the options given below:
A. Determine the age of the master key
B. See who is assigned permissions to the master key
C. See CloudTrail for usage of the key
D. Use AWS CloudWatch Events for events generated for the key
(A) B,D
(B) A,B
(C) A,C
(D) B,C
Answer: Option D (B, C). Before deleting a key, disable it and leave it disabled for a while: data encrypted under a deleted KMS key is unrecoverable, and CloudTrail only shows usage for the period the trail covers.
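Both Q2 and Q20 come down to reading CloudTrail records: the managementEvent and eventCategory fields are what the two trails in Q2 select on, and KMS cryptographic calls (Encrypt, Decrypt, GenerateDataKey and so on) are what shows a key is still in use for Q20. The following Python is an added example, not part of the practice test, that does both over a constructed CloudTrail log file; the account ID, key ARNs, user names and timestamps are placeholders.

```python
import json

# KMS calls that show a key is actually protecting data, as opposed to being
# created, described, tagged or granted permissions on.
CRYPTOGRAPHIC_OPERATIONS = {
    "Encrypt", "Decrypt", "ReEncrypt", "GenerateDataKey", "GenerateDataKeyPair",
    "GenerateDataKeyWithoutPlaintext", "Sign", "Verify",
}

# Placeholder ARNs for this example (not values from the page).
KEY_A = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
KEY_B = "arn:aws:kms:us-east-1:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321"
KEY_C = "arn:aws:kms:us-east-1:111122223333:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
ALICE = "arn:aws:iam::111122223333:user/alice"
BOB = "arn:aws:iam::111122223333:user/bob"

# Constructed CloudTrail log file in the shape of a delivered .json.gz after
# decompression; timestamps and identities are placeholders.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:15:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "userIdentity": {"type": "IAMUser", "arn": ALICE},
     "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_A}],
     "managementEvent": True, "eventCategory": "Management", "readOnly": True},
    # S3 asking KMS for a data key on alice's behalf (an SSE-KMS upload).
    {"eventTime": "2024-05-03T08:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "GenerateDataKey",
     "userIdentity": {"type": "IAMUser", "arn": ALICE, "invokedBy": "s3.amazonaws.com"},
     "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_A}],
     "managementEvent": True, "eventCategory": "Management", "readOnly": True},
    # Creating a key is not "use": KEY_B has never encrypted anything.
    {"eventTime": "2024-05-02T12:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "CreateKey", "userIdentity": {"type": "IAMUser", "arn": BOB},
     "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_B}],
     "managementEvent": True, "eventCategory": "Management", "readOnly": False},
    # The only data event: an object read, recorded only by a data-event selector.
    {"eventTime": "2024-05-03T08:00:01Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": {"type": "IAMUser", "arn": ALICE},
     "resources": [{"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::critical-data/report.csv"},
                   {"type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::critical-data"}],
     "managementEvent": False, "eventCategory": "Data", "readOnly": True},
    {"eventTime": "2024-05-04T09:30:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "userIdentity": {"type": "IAMUser", "arn": BOB},
     "resources": [], "managementEvent": True, "eventCategory": "Management",
     "readOnly": False},
]})


def load_records(log_file_text):
    return json.loads(log_file_text)["Records"]


def split_by_event_type(records):
    """Return (management_events, data_events): the split the two trails in Q2 make."""
    management, data = [], []
    for record in records:
        is_management = record.get("managementEvent", record.get("eventCategory") != "Data")
        (management if is_management else data).append(record)
    return management, data


def kms_key_usage(records):
    """Per key ARN: how often, how recently, by whom and with which operations it was used."""
    usage = {}
    for record in records:
        if record.get("eventSource") != "kms.amazonaws.com":
            continue
        if record.get("eventName") not in CRYPTOGRAPHIC_OPERATIONS:
            continue
        identity = record.get("userIdentity", {})
        caller = identity.get("invokedBy") or identity.get("arn") or identity.get("type", "unknown")
        for res in record.get("resources", []):
            if res.get("type") != "AWS::KMS::Key":
                continue
            entry = usage.setdefault(res["ARN"], {"calls": 0, "last_used": "",
                                                  "operations": set(), "callers": set()})
            entry["calls"] += 1
            entry["last_used"] = max(entry["last_used"], record["eventTime"])  # ISO 8601 sorts as text
            entry["operations"].add(record["eventName"])
            entry["callers"].add(caller)
    return usage


def keys_without_use(candidate_key_arns, records):
    """Keys to consider disabling first: no cryptographic call within the trail's window."""
    return sorted(set(candidate_key_arns) - set(kms_key_usage(records)))


if __name__ == "__main__":
    records = load_records(SAMPLE_LOG_FILE)
    management, data = split_by_event_type(records)
    print(f"{len(management)} management events, {len(data)} data events")
    for arn, info in kms_key_usage(records).items():
        print(arn, info["calls"], info["last_used"], sorted(info["operations"]), sorted(info["callers"]))
    print("never used:", keys_without_use([KEY_A, KEY_B, KEY_C], records))
```

In practice the candidate list comes from kms list-keys and the records from the trail's S3 bucket. Two things bite: KMS cryptographic calls are recorded as read-only management events, so a trail that excludes KMS events or records only write events shows no key usage at all; and the trail only covers its own retention window, so "no use in the period examined" is evidence, not proof, which is why a key should be disabled and left that way before deletion is scheduled.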