AWS Certified Security – Specialty Sample Questions
Question 1. A worldwide company must protect against and recover from DDoS attacks targeting Layers 3, 4 and 7. The organization's architecture is entirely serverless on AWS, and its static content is served from Amazon S3 through Amazon CloudFront and Amazon Route 53.
Which solution will meet these requirements?
- A. Creating a new trail with the updated log file prefix, and then deleting the original trail. Updating the existing bucket policy in the Amazon S3 console with the new log file prefix, and then updating the log file prefix in the CloudTrail console.
- B. Updating the existing bucket policy in the Amazon S3 console for allowing the Security Engineer’s Principal to perform PutBucketPolicy, and then updating the log file prefix in the CloudTrail console.
- C. Updating the existing bucket policy in the Amazon S3 console with the new log file prefix, and then updating the log file prefix in the CloudTrail console.
- D. Updating the existing bucket policy in the Amazon S3 console for allowing the Security Engineer’s Principal for performing GetBucketPolicy, and then updating the log file prefix in the CloudTrail console.
Correct Answer: C
Explanation: CloudTrail can write to a bucket only where the bucket policy grants cloudtrail.amazonaws.com s3:PutObject on the exact key prefix, so the bucket policy must be updated for the new prefix before the prefix is changed on the trail; in the other order, delivery fails until the policy catches up. Recreating the trail (A) or granting the engineer PutBucketPolicy or GetBucketPolicy (B, D) does not address that requirement.
Question 2. An organization must ensure that an AWS KMS customer master key (CMK) can be made unusable for encryption and decryption within 24 hours of a decision to retire it.
Which of the following actions would satisfy this requirement?
- A. Manually rotating a key within KMS for creating a new CMK immediately.
- B. Using the KMS import key functionality for executing a delete key operation.
- C. Using the schedule key deletion function within KMS for specifying the minimum wait period for deletion.
- D. Changing the KMS CMK alias for preventing any services from using the CMK, immediately.
Correct Answer: B
Explanation: Scheduling key deletion in KMS enforces a waiting period of at least 7 days (and at most 30), so option C cannot take effect within 24 hours; rotation (A) and alias changes (D) leave the existing key material usable. A CMK created from imported key material is the one kind whose key material can be deleted immediately (DeleteImportedKeyMaterial), which makes the CMK unusable until the same material is re-imported.
Reference: https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
Question 3. It has been assigned to a Systems Engineer to set up outbound
What are the appropriate endpoints and ports for the mail application to be
- A. email.us-east-1.amazonaws.com over port 8080
- B. email-pop3.us-east-1.amazonaws.com over port 995
- C. email-smtp.us-east-1.amazonaws.com over port 587
- D. email-imap.us-east-1.amazonaws.com over port 993
Correct Answer: C
Explanation: The Amazon SES SMTP interface is reached at email-smtp.<region>.amazonaws.com. Port 587 (as well as 25 and 2587) uses STARTTLS, while ports 465 and 2465 expect a TLS-wrapped connection from the start. SES offers no POP3 or IMAP endpoints, and port 8080 is not an SES port.
Reference: https://docs.aws.amazon.com/ses/latest/DeveloperGuide/smtp-connect.html
Question 4. A business created a customer master key (CMK) from imported key material. Company policy requires that all encryption keys be rotated annually.
What steps should be taken to implement this policy?
- A. Enabling automatic key rotation annually for the CMK.
- B. Using AWS Command Line Interface for creating an AWS Lambda function for rotating the existing CMK annually.
- C. Importing new key material to the existing CMK and manually rotating the CMK.
- D. Creating a new CMK, importing new key material to it, and pointing the key alias to the new CMK.
Correct Answer: D
Explanation: Automatic key rotation is not available for CMKs with imported key material, and different key material cannot be imported into an existing CMK (only the original material can be re-imported), so A and C are not possible. Rotation means creating a new CMK, importing new material into it, and repointing the alias so applications pick up the new key without code changes; keep the old CMK enabled until everything encrypted under it has been re-encrypted or is no longer needed.
Question 5. Which approach will trigger an automatic security alert when a large number of unauthorized API calls are detected?
- A. Creating an Amazon CloudWatch metric filter that would look for API call error codes. And then implementing an alarm based on that metric’s rate.
- B. Configuring AWS CloudTrail for streaming event data to Amazon Kinesis. Configuring an AWS Lambda function on the stream for alarming when the threshold exceeds.
- C. Running an Amazon Athena SQL query against CloudTrail log files. Using Amazon QuickSight for creating an operational dashboard.
- D. Using the Amazon Personal Health Dashboard for monitoring the account’s use of AWS services, and raising an alert if service error rates increase.
Correct Answer: A
Explanation: CloudTrail records a failed call's errorCode (for example Client.UnauthorizedOperation or AccessDenied). With the trail delivered to CloudWatch Logs, a metric filter on those codes and an alarm on the resulting count, which is the CIS AWS Foundations Benchmark control for unauthorized API calls, gives an automatic alert with no custom code. Streaming to Kinesis and alerting from Lambda (B) works but means building and operating a pipeline; Athena and QuickSight (C) are for on-demand analysis; the Personal Health Dashboard (D) reports AWS service health, not denied calls in your account.
Question 6. Which of the following are valid configurations for using SSL/TLS certificates with Amazon CloudFront? (Select three.)
- A. Default AWS Certificate Manager certificate
- B. Custom SSL certificate that is stored in AWS KMS
- C. Default CloudFront certificate
- D. Custom SSL certificate that is stored in AWS Certificate Manager
- E. Default SSL certificate that is stored in AWS Secrets Manager
- F. Custom SSL certificate that is stored in AWS IAM
Correct Answer: CDF
Explanation: CloudFront serves HTTPS with its default *.cloudfront.net certificate (C) or, for alternate domain names, with a custom certificate that is issued by or imported into AWS Certificate Manager in us-east-1 (D) or uploaded to IAM (F). ACM has no "default" certificate, and AWS KMS and Secrets Manager are not certificate stores that CloudFront can read.
Question 7. To comply with regulations, a business must retain its log data archives for several years. The data must be preserved even though it is no longer needed.
Which approach is the MOST secure and cost-effective way to meet these requirements?
- A. Archiving the data to Amazon S3 and applying a restrictive bucket policy for denying the s3:DeleteObject API.
- B. Archiving the data to Amazon S3 Glacier and applying a Vault Lock policy.
- C. Archiving the data to Amazon S3 and replicating it to a second bucket in a second AWS Region. Choosing the S3 Standard-Infrequent Access (S3 Standard-IA) storage class and applying a restrictive bucket policy for denying the s3:DeleteObject API.
- D. Migrating the log data to a 16 TB Amazon Elastic Block Store (Amazon EBS) volume. Creating a snapshot of the EBS volume.
Correct Answer: B
Explanation: S3 Glacier is the lowest-cost option for data that is rarely read, and a Vault Lock policy, once locked, cannot be changed or removed (not even by the account's root user) until its retention condition expires. A bucket policy that denies s3:DeleteObject (A, C) can be edited by any administrator with s3:PutBucketPolicy, cross-Region replication doubles the cost without adding immutability, and an EBS volume with snapshots (D) is both expensive and deletable.
Question 8. After previous DDoS incidents, a Security Engineer placed an Amazon CloudFront distribution in front of an Amazon S3 bucket. There is concern that users could bypass the CloudFront distribution and access the S3 bucket directly.
What should be done to prevent users from accessing S3 objects directly through their URLs?
- A. Changing the S3 bucket/object permission so that only the bucket owner has access.
- B. Setting up a CloudFront origin access identity (OAI), and changing the S3 bucket/object permission so that only the OAI has access.
- C. Creating IAM roles for CloudFront, and changing the S3 bucket/object permission so that only the IAM role has access.
- D. Redirecting S3 bucket access to the corresponding CloudFront distribution.
Correct Answer: B
Explanation: An origin access identity is a special CloudFront principal; granting s3:GetObject only to that principal in the bucket policy, and removing any public access, means requests that skip CloudFront are refused. CloudFront cannot assume IAM roles (C), restricting access to the bucket owner (A) also breaks CloudFront, and a redirect (D) is advisory rather than a control. Origin access control (OAC) is the newer replacement for OAI and works the same way.
Question 9. A business has an AWS account, and a third-party contractor manages its IAM from a separate AWS account. The contractor's IAM users must have multi-factor authentication enabled before they can assume the business's IAM roles.
What should the business do to enforce this?
- A. Adding the following condition to the IAM policy attached to all IAM roles: "Effect": "Deny", "Condition": { "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" } }
- B. Adding the following condition to the IAM policy attached to all IAM roles: "Effect": "Deny", "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "false" } }
- C. Adding the following condition to the IAM policy attached to all IAM roles: "Effect": "Allow", "Condition": { "Null": { "aws:MultiFactorAuthPresent": "false" } }
- D. Adding the following condition to the IAM policy attached to all IAM roles: "Effect": "Allow", "Condition": { "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" } }
Correct Answer: A
Explanation: A Deny with BoolIfExists blocks the request when aws:MultiFactorAuthPresent is false and also when the key is absent from the request context (as it is for calls signed with long-term access keys). With Bool (B), an absent key makes the condition false, the Deny does not apply, and the request goes through. The Allow variants (C, D) grant access precisely when MFA is missing.
Reference: https://aws-orgs.readthedocs.io/_/downloads/en/latest/pdf/
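The answers to Questions 7, 8 and 9 all come down to how AWS combines policy statements: an explicit Deny beats any Allow, no matching Allow is an implicit deny, and a condition operator decides what happens when the key is missing. The script below is an added example, not code from the original page; it is a deliberately small evaluator covering only the operators the three policies use, with an assumed account ID, vault name, bucket name and OAI ID. It is not a substitute for the IAM policy simulator, but it shows why a locked Vault Lock policy blocks DeleteArchive regardless of an admin's identity policy, why only the OAI can read the bucket, and why option B of Question 9 leaves a hole that option A closes.

```python
import fnmatch

def _match_any(patterns, value):
    """IAM-style wildcard match of value against a string or list of patterns."""
    if not isinstance(patterns, list):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _principal_ok(stmt, principal):
    """Resource policies name a Principal; identity policies have none (the caller is implied)."""
    spec = stmt.get("Principal", "*")
    if spec == "*":
        return True
    return _match_any(spec.get("AWS", []), principal)

def _condition_ok(condition, ctx):
    """Evaluate the subset of IAM condition operators used by the policies below."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in ctx
            actual, want = str(ctx.get(key, "")).lower(), str(expected).lower()
            if operator == "Bool":              # absent key -> condition evaluates false
                ok = present and actual == want
            elif operator == "BoolIfExists":    # absent key -> condition evaluates true
                ok = (not present) or actual == want
            elif operator == "NumericLessThanEquals":
                ok = present and float(ctx[key]) <= float(expected)
            else:
                raise NotImplementedError(operator)
            if not ok:
                return False
    return True

def evaluate(policies, principal, action, resource, ctx=None):
    """Combine policies the way IAM does: an explicit Deny wins, otherwise a matching
    Allow is required, otherwise the result is an implicit deny."""
    ctx = ctx or {}
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_principal_ok(stmt, principal) and _match_any(stmt["Action"], action)
                    and _match_any(stmt.get("Resource", "*"), resource)
                    and _condition_ok(stmt.get("Condition", {}), ctx)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

ACCOUNT = "111122223333"  # assumed account ID for the sample ARNs

# Question 7: Glacier Vault Lock policy. Once locked it cannot be edited, so the Deny
# holds for 7 years (2555 days) even against an identity policy that allows deletion.
VAULT_ARN = f"arn:aws:glacier:us-east-1:{ACCOUNT}:vaults/log-archive"
VAULT_LOCK = {"Version": "2012-10-17", "Statement": [{
    "Sid": "deny-delete-until-7-years-old", "Effect": "Deny", "Principal": "*",
    "Action": "glacier:DeleteArchive", "Resource": VAULT_ARN,
    "Condition": {"NumericLessThanEquals": {"glacier:ArchiveAgeInDays": "2555"}}}]}
GLACIER_ADMIN = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "glacier:*", "Resource": "*"}]}

# Question 8: bucket policy granting read access to the CloudFront OAI and nobody else.
OAI_ARN = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E2EXAMPLEOAI"  # assumed ID
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": OAI_ARN},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::static-site-bucket/*"}]}

# Question 9: a broad Allow plus the Deny-unless-MFA statement from options A and B.
ALLOW_ALL = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
def deny_without_mfa(operator):
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}}}]}

def vault_delete_allowed(archive_age_days):
    return evaluate([GLACIER_ADMIN, VAULT_LOCK], f"arn:aws:iam::{ACCOUNT}:user/admin",
                    "glacier:DeleteArchive", VAULT_ARN,
                    {"glacier:ArchiveAgeInDays": archive_age_days}) == "Allow"

def object_read_allowed(principal):
    return evaluate([BUCKET_POLICY], principal, "s3:GetObject",
                    "arn:aws:s3:::static-site-bucket/index.html") == "Allow"

def role_action_allowed(operator, ctx):
    """ctx is the request context; an empty ctx models a call where the MFA key is absent."""
    return evaluate([ALLOW_ALL, deny_without_mfa(operator)], "contractor",
                    "ec2:StopInstances", "*", ctx) == "Allow"
```

The case that matters for Question 9 is role_action_allowed("Bool", {}): the key is absent, the Bool condition is false, the Deny never fires, and the Allow wins; the same call with "BoolIfExists" is denied.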
Question 10. Which of the following resources can an AWS WAF web access control list (web ACL) be associated with? (Select two.)
- A. Amazon S3 static web hosting
- B. Amazon CloudFront distribution
- C. Application Load Balancer
- D. Amazon Route 53
- E. VPC Flow Logs
Correct Answer: BC
Explanation: Web access control lists (web ACLs) give fine-grained control over how an Amazon API Gateway API, Amazon CloudFront distribution or Application Load Balancer handles web requests. S3 static website hosting, Route 53 and VPC Flow Logs cannot be associated with a web ACL; to protect a static S3 site, put CloudFront in front of it and attach the web ACL there.
Reference: https://docs.aws.amazon.com/waf/latest/developerguide/web-acl.html
Question 11. The Amazon CloudWatch Logs agent is delivering logs to CloudWatch Logs successfully. However, after the associated log stream has been active for a period of time, logs stop arriving.
Which steps would be required to determine the cause? (Select two.)
- A. Ensuring that file permissions for monitored files that allow the CloudWatch Logs agent to read the file have not been modified.
- B. Verifying that the OS Log rotation rules are compatible with the configuration requirements for agent streaming.
- C. Configuring an Amazon Kinesis producer to first put the logs into Amazon Kinesis Streams.
- D. Creating a CloudWatch Logs metric to isolate a value that changes at least once during the period before logging stops.
- E. Using AWS CloudFormation for dynamically creating and maintaining the configuration file for the CloudWatch Logs agent.
Correct Answer: AB
Explanation: The two usual causes are the monitored file being rotated by a scheme the agent cannot follow, so it keeps watching a file that no longer receives writes, and a permission change that stops the agent reading the file; both show up some time after the stream was first created. Putting logs into Kinesis (C), defining a metric (D) or managing the agent's configuration with CloudFormation (E) changes the pipeline rather than diagnosing the problem.
Question 12. To meet compliance requirements, communication between an on-premises host and Amazon EC2 instances must be encrypted in transit. For high availability the EC2 instances must sit behind a load balancer, and the application uses proprietary (non-HTTP) protocols.
Which option meets these requirements?
- A. Offloading SSL termination onto an SSL listener on a Classic Load Balancer, and using a TCP connection between the load balancer and the EC2 instances.
- B. Routing all traffic through a TCP listener on a Classic Load Balancer, and terminating the TLS connection on the EC2 instances.
- C. Creating an HTTPS listener using an Application Load Balancer, and routing all of the communication through that load balancer.
- D. Offloading SSL termination onto an SSL listener using an Application Load Balancer, and re-spawning an SSL connection between the load balancer and the EC2 instances.
Correct Answer: B
Explanation: A TCP listener on a Classic Load Balancer passes the encrypted stream through untouched, so TLS is terminated only on the instances and the data stays encrypted end to end. Terminating TLS on the load balancer and forwarding over plain TCP (A) sends cleartext to the instances, and an Application Load Balancer (C, D) handles only HTTP and HTTPS, so it cannot carry a proprietary protocol. A Network Load Balancer with a TCP listener is the current equivalent of B.
Question 13. A developer's laptop was stolen. It was not encrypted, and it held the SSH private key used to connect to several Amazon EC2 instances. While preparing a response plan, the Security Engineer verified that the key had not been used and blocked inbound port 22 on all EC2 instances.
How should the Security Engineer strengthen the protections currently in place?
- A. Deleting the key-pair key from the EC2 console, then creating a new key pair.
- B. Using the modify-instance-attribute API for changing the key on any EC2 instance that is using the key.
- C. Using the EC2 RunCommand for modifying the authorized_keys file on any EC2 instance that is using the key.
- D. Updating the key pair in any AMI used for launching the EC2 instances, then restarting the EC2 instances.
Correct Answer: C
Explanation: Deleting the key pair in the EC2 console (A) only removes the public key that AWS stores; it does not touch ~/.ssh/authorized_keys on instances that were launched with it, and the key-name instance attribute (B) is metadata that does not change what the instance accepts. Use Systems Manager Run Command (AWS-RunShellScript) to remove the stolen public key from authorized_keys on every affected instance, then reopen port 22 only to trusted sources. Updating AMIs and restarting (D) does not alter authorized_keys on instances that are already running.
Reference: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html#delete-key-pair
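The remediation in option C is only as good as the logic that picks the right line out of authorized_keys, where entries may carry options such as no-pty or from="..." before the key type and the same key may be present on many hosts under different comments. The following script, an added example that is not part of the original page, identifies the stolen key by its SHA256 fingerprint (the value ssh-keygen -lf prints for the private key on the stolen laptop) rather than by comment or position, and removes every matching entry. The sample authorized_keys file and its key blobs are constructed for the example and are not usable keys.

```python
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")

def fingerprint(blob_b64):
    """SHA256 fingerprint in the form ssh-keygen prints: 'SHA256:' + unpadded base64."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_line(line):
    """Return (key_type, blob_b64) for an authorized_keys entry, or None for blank
    lines and comments. Entries may begin with options, so locate the type field."""
    s = line.strip()
    if not s or s.startswith("#"):
        return None
    fields = s.split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(KEY_TYPES):
            return field, fields[i + 1]
    return None

def remove_key(authorized_keys, stolen_fingerprint):
    """Return (new_text, removed_count) with every entry matching the fingerprint dropped."""
    kept, removed = [], 0
    for line in authorized_keys.splitlines():
        parsed = parse_line(line)
        if parsed and fingerprint(parsed[1]) == stolen_fingerprint:
            removed += 1
            continue
        kept.append(line)
    return "\n".join(kept) + "\n", removed

def _fake_blob(key_type, seed):
    """Constructed stand-in for a public-key wire blob (length-prefixed fields).
    It has the right shape for fingerprinting but is not a real key."""
    body = (struct.pack(">I", len(key_type)) + key_type.encode()
            + struct.pack(">I", 32) + hashlib.sha256(seed).digest())
    return base64.b64encode(body).decode()

# Constructed sample file: the stolen key sits in the middle with SSH options in front of it.
STOLEN_BLOB = _fake_blob("ssh-ed25519", b"laptop-key")
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# keys for the deploy user",
    f"ssh-ed25519 {_fake_blob('ssh-ed25519', b'ops-key')} ops@bastion",
    f'no-pty,from="10.0.0.0/8" ssh-ed25519 {STOLEN_BLOB} dev@laptop',
    f"ssh-rsa {_fake_blob('ssh-rsa', b'ci-key')} ci@build",
]) + "\n"

if __name__ == "__main__":
    new_text, count = remove_key(SAMPLE_AUTHORIZED_KEYS, fingerprint(STOLEN_BLOB))
    print(f"removed {count} entry(ies)\n{new_text}")
```

Run the same logic on each instance through Run Command (for example by shipping the script and the fingerprint as parameters to AWS-RunShellScript), write the result back atomically with a restrictive mode, and record the number of removed entries per instance so that hosts where the stolen key was not found are visible in the report.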
Question 14. A corporation is moving noncritical business applications to AWS while a mission-critical application stays on-premises. The AWS applications must exchange limited amounts of confidential data with the on-premises applications, and internet performance is erratic.
Which of the following arrangements provides the MOST secure and consistent communication between the sites?
- A. VPN and a cached storage gateway
- B. AWS Snowball Edge
- C. VPN Gateway over AWS Direct Connect
- D. AWS Direct Connect
Correct Answer: C
Explanation: AWS Direct Connect provides a dedicated link with predictable performance, but traffic on it is not encrypted by itself (D); running a Site-to-Site VPN over Direct Connect adds IPsec encryption on top of the consistent link. A VPN over the internet (A) inherits the erratic performance, and Snowball Edge (B) is for bulk data transfer rather than ongoing communication.
Question 15. For compliance reasons, a business limits its AWS resource use to three specific Regions. It wants to be notified when resources are deployed in unapproved Regions.
Which of the following methods will produce that notification?
- A. Developing an alerting mechanism based on processing AWS CloudTrail logs.
- B. Monitoring Amazon S3 Event Notifications for objects stored in buckets in unapproved regions.
- C. Analyzing Amazon CloudWatch Logs for activities in unapproved regions.
- D. Using AWS Trusted Advisor to alert on all resources being created.
Correct Answer: A
Explanation: Every API call that creates a resource is recorded by CloudTrail together with its awsRegion, so a trail covering all Regions, delivered to CloudWatch Logs or processed by a Lambda function, can alert on write events outside the approved list. S3 event notifications (B) only cover objects in buckets, CloudWatch Logs (C) contain only what is sent to them, and Trusted Advisor (D) does not alert on resource creation.
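The alerts in Questions 5 and 15 both start from the same input, a CloudTrail record. The script below is an added example rather than code from the original page; it runs both checks over a constructed sample log file: the unauthorized-call filter with a count-per-period alarm, using the same errorCode condition as the CIS AWS Foundations Benchmark metric filter (Question 5), and a check for write events outside an approved Region list (Question 15). The Region allow-list, the event times and the records themselves are assumptions made for the example. In production the first check is a CloudWatch Logs metric filter plus alarm, and the second would run in a Lambda function subscribed to the same log group.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Assumption for this example: the three Regions the business has approved.
APPROVED_REGIONS = {"us-east-1", "us-west-2", "eu-west-1"}

# Constructed sample CloudTrail log file (the shape of a delivered file's "Records"
# array, trimmed to the fields used here). Not real account data.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:05Z", "awsRegion": "us-east-1", "eventSource": "ec2.amazonaws.com",
     "eventName": "StartInstances", "readOnly": False, "errorCode": "Client.UnauthorizedOperation"},
    {"eventTime": "2024-05-01T10:01:10Z", "awsRegion": "us-east-1", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "readOnly": True, "errorCode": "AccessDenied"},
    {"eventTime": "2024-05-01T10:01:30Z", "awsRegion": "us-west-2", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "readOnly": True},
    {"eventTime": "2024-05-01T10:02:30Z", "awsRegion": "us-east-1", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "readOnly": False, "errorCode": "AccessDenied"},
    {"eventTime": "2024-05-01T10:03:00Z", "awsRegion": "ap-southeast-2", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "readOnly": True},
    {"eventTime": "2024-05-01T10:03:40Z", "awsRegion": "ap-southeast-2", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "readOnly": False},
    {"eventTime": "2024-05-01T10:07:00Z", "awsRegion": "eu-west-1", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "readOnly": True, "errorCode": "AccessDeniedException"},
]})

def load_records(log_text):
    return json.loads(log_text)["Records"]

def is_unauthorized(record):
    """Same condition as the CIS metric filter pattern
    { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }."""
    code = record.get("errorCode", "")
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")

def _event_time(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def unauthorized_call_alarms(records, threshold=3, period_seconds=300):
    """Emulate the metric filter plus alarm: count matching records per period and
    return the periods whose count reaches the threshold, as {period_start: count}."""
    counts = Counter()
    for r in records:
        if is_unauthorized(r):
            counts[int(_event_time(r).timestamp() // period_seconds)] += 1
    return {datetime.fromtimestamp(b * period_seconds, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"): n
            for b, n in sorted(counts.items()) if n >= threshold}

def unapproved_region_activity(records, approved=APPROVED_REGIONS):
    """Write (non read-only) events outside the approved Regions. Read-only calls are
    ignored; note that global services such as IAM are always logged as us-east-1,
    so an allow-list that omits us-east-1 would flag every IAM change."""
    return [{"eventTime": r["eventTime"], "awsRegion": r["awsRegion"], "eventName": r["eventName"]}
            for r in records if not r.get("readOnly", False) and r["awsRegion"] not in approved]

if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    print("unauthorized-call alarms:", unauthorized_call_alarms(recs))
    print("writes in unapproved Regions:", unapproved_region_activity(recs))
```

With the sample data, three denied calls fall in the 10:00 to 10:05 period and trip a threshold of 3, while the lone denied call at 10:07 does not; the only Region finding is the RunInstances call in ap-southeast-2, since the DescribeInstances call there is read-only. Tune the threshold against your own baseline of denied calls, because scanners and misconfigured automation produce a steady background rate.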
Question 16. Authorized administrators cannot reach an Amazon EC2 Linux bastion host over SSH from the internet. Either the connection does not respond or the following error is returned:
Network error: Connection timed out
What could be causing this connection failure? (Select three.)
- A. Misconfiguration of the NAT gateway in the subnet where the EC2 instance is deployed
- B. Misconfiguration of the internet gateway of the VPC
- C. Outbound traffic on ephemeral ports is denied by the security group
- D. A route to the internet gateway is missing from the Route table
- E. Outbound traffic on ephemeral ports is denied by the network ACL
- F. SSH traffic is being denied by the host-based firewall
Correct Answer: BDF
Explanation: A timeout means packets are being dropped somewhere on the path: a detached or misconfigured internet gateway (B), a subnet route table with no route to the internet gateway (D), or a host firewall such as iptables or firewalld dropping port 22 (F). A NAT gateway (A) only carries outbound traffic from private subnets, and security groups are stateful, so C cannot be the cause. Network ACLs, by contrast, are stateless, so E would produce the same symptom and is worth checking in practice even though the answer key lists three causes.
Reference: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/TroubleshootingInstancesConnecting.html
Question 17. Going forward, all Amazon Machine Images (AMIs) must be approved by the Information Security team.
How can the InfoSec team verify that this directive is followed?
- A. Terminating all Amazon EC2 instances and relaunching them with approved AMIs.
- B. Patching all running instances by using AWS Systems Manager.
- C. Deploying AWS Config rules and checking all running instances for compliance.
- D. Defining a metric filter in Amazon CloudWatch Logs for verifying compliance.
Correct Answer: C
Explanation: The AWS Config managed rules approved-amis-by-id and approved-amis-by-tag continuously evaluate every EC2 instance against the approved AMI list, mark deviations NON_COMPLIANT, and can trigger automated remediation. Terminating and relaunching everything (A) is disruptive and a one-off, patching (B) does not change the image an instance was launched from, and a CloudWatch Logs metric filter (D) only sees what is logged.
Question 18. An audit finds that AWS CloudTrail is not delivering events to Amazon S3 as intended for API calls made within an organization.
What should be checked first to restore CloudTrail event delivery to S3? (Select two.)
- A. Verifying that the S3 bucket policy is allowing CloudTrail to write objects.
- B. Verifying that the IAM role used by CloudTrail has access for writing to Amazon CloudWatch Logs.
- C. Removing any lifecycle policies on the S3 bucket that are archiving objects to Amazon Glacier.
- D. Verifying that the S3 bucket defined in CloudTrail exists.
- E. Verifying that the log file prefix defined in CloudTrail exists in the S3 bucket.
Correct Answer: AD
Explanation: Delivery fails when the target bucket no longer exists or when its bucket policy does not grant cloudtrail.amazonaws.com s3:GetBucketAcl on the bucket and s3:PutObject on the log prefix. A log prefix does not need to pre-exist (E), since S3 has no folders and CloudTrail creates the keys itself; the CloudWatch Logs role (B) only matters for the optional CloudWatch Logs delivery; and lifecycle rules (C) move objects that have already been delivered rather than blocking delivery.
Question 19. A DDoS attack took an e-commerce website offline for about an hour, and users could not access the site during the attack. The company's security team wants to fend off future attacks and, in particular, to respond quickly when one occurs.
What measures will help achieve this? (Select two.)
- A. Enabling Amazon GuardDuty for automatically monitoring for malicious activity and blocking unauthorized access.
- B. Subscribing to AWS Shield Advanced and reaching out to AWS Support in the event of an attack.
- C. Using VPC Flow Logs for monitoring network traffic and an AWS Lambda function for automatically blocking an attacker’s IP using security groups.
- D. Setting up an Amazon CloudWatch Events rule for monitoring the AWS CloudTrail events in real-time, using AWS Config rules for auditing the configuration, and using AWS Systems Manager for remediation.
- E. Using AWS WAF for creating rules for responding to such attacks.
Correct Answer: BE
Explanation: AWS Shield Advanced adds Layer 3/4 and Layer 7 attack mitigation, cost protection, and 24/7 access to the Shield Response Team during an attack, and AWS WAF rate-based and custom rules block abusive request patterns at the edge. GuardDuty (A) detects but does not block; blocking individual IPs from VPC Flow Logs (C) is too slow and too narrow for a volumetric attack; and CloudTrail, Config and Systems Manager (D) audit configuration rather than traffic.
Question 20. Connection and logging settings for an AWS Lambda function will be stored in environment variables. Company policy requires Developers to protect Lambda environment variables with an AWS KMS customer master key (CMK) issued by Information Security.
Which of the following are required for this arrangement to work? (Select two.)
- A. The Developer should configure Lambda access to the VPC using the --vpc-config parameter.
- B. The Lambda function execution role should have the kms:Decrypt permission added in its AWS IAM policy.
- C. The KMS key policy should allow the Developer to use the KMS key.
- D. The AWS IAM policy assigned to the Developer should have the kms:GenerateDataKey permission added.
- E. The Lambda execution role should have the kms:Encrypt permission added in its AWS IAM policy.
Correct Answer: BC
Explanation: Lambda encrypts the environment variables with the CMK when the Developer creates or updates the function, so the key policy (together with the Developer's IAM policy) must allow the Developer to use the key. At invocation, Lambda decrypts them on behalf of the function's execution role, which therefore needs kms:Decrypt. The execution role never encrypts (E), the Developer does not call GenerateDataKey (D), and VPC configuration (A) is unrelated to KMS.