Latest Amazon AWS-SECURITY-SPECIALTY Exam Question


Jackharry

Uploaded on May 30, 2019

Category Education

Increasing demand for the Amazon Specialty has brought competition to this field of IT, so students are supposed to work harder for outstanding performance and results. We have designed AWS-Security-Specialty dumps to help them out in this situation. An expert description of the exam topics has been put forward for study in the form of a questions and answers series. If you want to have a glance at the material, download the free demo questions quickly from Dumps4Download. You can go through the AWS-Security-Specialty Dumps in a very short time as it is a brief explanation of the discipline. You will find no concept difficult and will pass the exam on the first attempt, with a money back guarantee. The importance of practice can never be ignored, so we have also designed an online practice test for further preparation after the AWS-Security-Specialty dumps material. For More info: https://www.dumps4download.us/free-aws-security-specialty/amazon-question-answers.html


Amazon AWS-Security-Specialty Dumps
AWS Certified Security Specialty (SCS-C01)
For More Info: https://www.dumps4download.us/free-aws-security-specialty/amazon-question-answers.html

Question: 1
A company hosts a popular web application that connects to an Amazon RDS MySQL DB instance running in a private VPC subnet that was created with default ACL settings. The IT Security department has a suspicion that a DDoS attack is coming from a suspected IP. How can you protect the subnets from this attack?
Please select:
A. Change the Inbound Security Groups to deny access from the suspected IP
B. Change the Outbound Security Groups to deny access from the suspected IP
C. Change the Inbound NACL to deny access from the suspected IP
D. Change the Outbound NACL to deny access from the suspected IP
Answer: C
Explanation:
Options A and B are invalid because by default the Security Groups already block traffic. You can use NACLs as an additional security layer for the subnet to deny traffic. Option D is invalid since just changing the Inbound Rules is sufficient.
The AWS Documentation mentions the following:
A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC.
The correct answer is: Change the Inbound NACL to deny access from the suspected IP

Question: 2
You are designing a custom IAM policy that would allow users to list buckets in S3 only if they are MFA authenticated. Which of the following would best match this requirement?
Please select:
A. Option
B. Option
C. Option
D. Option
Answer: A
Explanation:
The Condition clause can be used to ensure users can only work with resources if they are MFA authenticated. Options B and C are wrong since the aws:MultiFactorAuthPresent clause should be marked as true. Here you are saying that only if the user has been MFA authenticated, which means the key is true, then allow access. Option D is invalid because the "Bool" clause is missing in the evaluation for the condition clause. Boolean conditions let you construct Condition elements that restrict access based on comparing a key to "true" or "false". Here in this scenario the Bool attribute in the condition element will return a value True for option A, which will ensure that access is allowed on S3 resources.
For more information on an example of such a policy, please visit the following URL:

Question: 3
You are hosting a web site via website hosting on an S3 bucket - http://demo.s3-website-us-east-1.amazonaws.com. You have some web pages that use JavaScript to access resources in another bucket which also has website hosting enabled. But when users access the web pages, they get a blocked JavaScript error. How can you rectify this?
Please select:
A. Enable CORS for the bucket
B. Enable versioning for the bucket
C. Enable MFA for the bucket
D. Enable CRR for the bucket
Answer: A
Explanation:
Such a scenario is also given in the AWS Documentation under Cross-Origin Resource Sharing: Use-case Scenarios. The following are example scenarios for using CORS:
• Scenario 1: Suppose that you are hosting a website in an Amazon S3 bucket named website as described in Hosting a Static Website on Amazon S3. Your users load the website endpoint http://website.s3-website-us-east-1.amazonaws.com. Now you want to use JavaScript on the webpages that are stored in this bucket to be able to make authenticated GET and PUT requests against the same bucket by using the Amazon S3 API endpoint for the bucket, website.s3.amazonaws.com. A browser would normally block JavaScript from allowing those requests, but with CORS you can configure your bucket to explicitly enable cross-origin requests from website.s3-website-us-east-1.amazonaws.com.
• Scenario 2: Suppose that you want to host a web font from your S3 bucket. Again, browsers require a CORS check (also called a preflight check) for loading web fonts. You would configure the bucket that is hosting the web font to allow any origin to make these requests.
Option B is invalid because versioning only creates multiple versions of an object and can help with accidental deletion of objects. Option C is invalid because this is used as an extra measure of caution for deletion of objects. Option D is invalid because this is used for cross-region replication of objects.
For more information on Cross Origin Resource Sharing, please visit the following URL:
• https://docs.aws.amazon.com/AmazonS3/latest/dev/cors.html
The correct answer is: Enable CORS for the bucket
Submit your Feedback/Queries to our Experts

Question: 4
You have a vendor that needs access to an AWS resource. You create an AWS user account. You want to restrict access to the resource using a policy for just that user over a brief period. Which of the following would be an ideal policy to use?
Please select:
A. An AWS Managed Policy
B. An Inline Policy
C. A Bucket Policy
D. A bucket ACL
Answer: B
Explanation:
The AWS Documentation gives an example of such a case:
Inline policies are useful if you want to maintain a strict one-to-one relationship between a policy and the principal entity that it's applied to. For example, you want to be sure that the permissions in a policy are not inadvertently assigned to a principal entity other than the one they're intended for. When you use an inline policy, the permissions in the policy cannot be inadvertently attached to the wrong principal entity. In addition, when you use the AWS Management Console to delete that principal entity, the policies embedded in the principal entity are deleted as well. That's because they are part of the principal entity.
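The policy mechanics behind questions 2 and 4 (a Bool condition on aws:MultiFactorAuthPresent, and an inline policy for a single vendor user that is only valid for a short window) can be checked with a small evaluator. The block below is an added example, not code from the dump or from AWS; it models the documented evaluation order (an explicit Deny wins, otherwise any matching Allow, otherwise implicit Deny) and the handful of condition operators these questions rely on. The bucket name example-vendor-drop, the dates and the request contexts are constructed for the example.

```python
"""Minimal evaluator for the IAM policy features used in questions 2 and 4.
Added example: not AWS code and not part of the original page."""
import fnmatch
from datetime import datetime

# Question 2: list buckets only when the caller is MFA-authenticated.
MFA_LIST_BUCKETS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "s3:ListAllMyBuckets",
        "Resource": "*",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}

# Question 4: an inline policy for one vendor user, valid for one week only.
# Bucket name and dates are constructed for this example.
VENDOR_INLINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-vendor-drop/*",
        "Condition": {
            "DateGreaterThan": {"aws:CurrentTime": "2019-06-01T00:00:00Z"},
            "DateLessThan": {"aws:CurrentTime": "2019-06-08T00:00:00Z"},
        },
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _parse_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def _condition_holds(condition, context):
    """Every operator/key pair must hold. A key absent from the request
    context makes the condition false (the non-IfExists behaviour), which is
    why an un-MFA'd caller is denied rather than allowed by default."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in context:
                return False
            actual = context[key]
            if operator == "Bool":
                ok = str(actual).lower() == str(expected).lower()
            elif operator == "StringEquals":
                ok = actual in _as_list(expected)
            elif operator == "DateGreaterThan":
                ok = _parse_time(actual) > _parse_time(expected)
            elif operator == "DateLessThan":
                ok = _parse_time(actual) < _parse_time(expected)
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return "Allow" or "Deny" for one request against one policy."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        # Actions are case-insensitive and support '*' wildcards; resources are case-sensitive.
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # an explicit Deny overrides any Allow
        allowed = True
    return "Allow" if allowed else "Deny"


if __name__ == "__main__":
    print(evaluate(MFA_LIST_BUCKETS_POLICY, "s3:ListAllMyBuckets", "*",
                   {"aws:MultiFactorAuthPresent": True}))                    # Allow
    print(evaluate(MFA_LIST_BUCKETS_POLICY, "s3:ListAllMyBuckets", "*", {}))  # Deny
    print(evaluate(VENDOR_INLINE_POLICY, "s3:GetObject",
                   "arn:aws:s3:::example-vendor-drop/report.csv",
                   {"aws:CurrentTime": "2019-06-10T12:00:00Z"}))            # Deny
```

The time-window conditions are what make the vendor policy self-expiring: after the DateLessThan bound passes, every request falls through to the implicit Deny without anyone having to remember to detach the policy, and because it is inline, deleting the vendor user removes it entirely.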
Option A is invalid because AWS Managed Policies are fine for a group of users, but for individual users, inline policies are better. Options C and D are invalid because they are specifically meant for access to S3 buckets.
For more information on policies, please visit the following URL:
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html
The correct answer is: An Inline Policy

Question: 5
Your company has a requirement to monitor all root user activity by notification. How can this best be achieved? Choose 2 answers from the options given below. Each answer forms part of the solution.
Please select:
A. Create a Cloudwatch Events Rule
B. Create a Cloudwatch Logs Rule
C. Use a Lambda function
D. Use Cloudtrail API call
Answer: A, C
Explanation:
Below is a snippet from the AWS blogs on a solution.
Option B is invalid because you need to create a Cloudwatch Events Rule and there is no such thing as a Cloudwatch Logs Rule. Option D is invalid because CloudTrail API calls can be recorded but cannot be used to send notifications.
For more information on this blog article, please visit the following URL:
https://aws.amazon.com/blogs/mt/monitor-and-notify-on-aws-account-root-user-activity
The correct answers are: Create a Cloudwatch Events Rule, Use a Lambda function

Question: 6
A company wants to have a secure way of generating, storing and managing cryptographic keys, with exclusive access to the keys. Which of the following can be used for this purpose?
Please select:
A. Use KMS and the normal KMS encryption keys
B. Use KMS and use an external key material
C. Use S3 Server Side encryption
D. Use Cloud HSM
Answer: D
Explanation:
The AWS Documentation mentions the following:
The AWS CloudHSM service helps you meet corporate, contractual and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) instances within the AWS cloud. AWS and AWS Marketplace partners offer a variety of solutions for protecting sensitive data within the AWS platform, but for some applications and data subject to contractual or regulatory mandates for managing cryptographic keys, additional protection may be necessary. CloudHSM complements existing data protection solutions and allows you to protect your encryption keys within HSMs that are designed and validated to government standards for secure key management. CloudHSM allows you to securely generate, store and manage cryptographic keys used for data encryption in a way that keys are accessible only by you.
Options A, B and C are invalid because in all of these cases, the management of the key will be with AWS. Here the question specifically mentions that you want to have exclusive access over the keys. This can be achieved with Cloud HSM.
For more information on CloudHSM, please visit the following URL:
https://aws.amazon.com/cloudhsm/faq/
The correct answer is: Use Cloud HSM

Question: 7
A company is hosting a website that must be accessible to users for HTTPS traffic. Also port 22 should be open for administrative purposes. The administrator's workstation has a static IP address of 203.0.113.1/32. Which of the following security group configurations are the MOST secure but still functional to support these requirements? Choose 2 answers from the options given below.
Please select:
A. Port 443 coming from 0.0.0.0/0
B. Port 443 coming from 10.0.0.0/16
C. Port 22 coming from 0.0.0.0/0
D. Port 22 coming from 203.0.113.1/32
Answer: A, D
Explanation:
Since HTTPS traffic is required for all users on the Internet, port 443 should be open to all IP addresses. For port 22, the traffic should be restricted to an internal subnet. Option B is invalid because this only allows traffic from a particular CIDR block and not from the internet. Option C is invalid because allowing port 22 from the internet is a security risk.
For more information on AWS Security Groups, please visit the following URL:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html
The correct answers are: Port 443 coming from 0.0.0.0/0, Port 22 coming from 203.0.113.1/32

Question: 8
Your company has an EC2 Instance that is hosted in an AWS VPC. There is a requirement to ensure that log files from the EC2 Instance are stored accordingly. The access should also be limited for the destination of the log files. How can this be accomplished? Choose 2 answers from the options given below. Each answer forms part of the solution.
Please select:
A. Stream the log files to a separate Cloudtrail trail
B. Stream the log files to a separate Cloudwatch Log group
C. Create an IAM policy that gives the desired level of access to the Cloudtrail trail
D. Create an IAM policy that gives the desired level of access to the Cloudwatch Log group
Answer: B, D
Explanation:
You can create a Log group and send all logs from the EC2 Instance to that group. You can then limit the access to the Log group via an IAM policy.
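Questions 1 and 7 above turn on the same difference between the two VPC filters: a security group only has allow rules and is stateful, so it cannot single out one source to block, while a network ACL is a numbered, first-match-wins list that can carry an explicit deny and is applied to the subnet before any security group. The following packet-filter model is an added example (not AWS code and not from the dump) that makes both behaviours concrete; the security group rules are the two kept by question 7, the NACL holds a deny for a constructed suspected source 198.51.100.77 numbered below the catch-all allow, and the other addresses are constructed.

```python
"""Packet-filter model for questions 1 and 7: a stateless, ordered network
ACL in front of a stateful, allow-only security group. Added example, not
AWS code; the rule sets and addresses below are constructed."""
from ipaddress import ip_address, ip_network

# Question 7: the two rules the answer keeps (443 from anywhere, 22 from the admin host).
SECURITY_GROUP_INBOUND = [
    {"port": 443, "cidr": "0.0.0.0/0"},
    {"port": 22, "cidr": "203.0.113.1/32"},
]

# Question 1: a deny rule for the suspected source, numbered below the
# catch-all allow so it is evaluated first. 198.51.100.77 is a constructed address.
NACL_INBOUND = [
    {"rule": 100, "action": "allow", "port": None, "cidr": "0.0.0.0/0"},
    {"rule": 50, "action": "deny", "port": None, "cidr": "198.51.100.77/32"},
]


def security_group_allows(rules, src_ip, dst_port):
    """Security groups have allow rules only: a packet is accepted when any
    rule matches, and there is no syntax for denying a specific source."""
    src = ip_address(src_ip)
    return any(src in ip_network(r["cidr"]) and r["port"] == dst_port for r in rules)


def nacl_decision(rules, src_ip, dst_port):
    """NACL rules are evaluated in ascending rule-number order; the first
    matching rule decides, and the implicit '*' rule denies the rest."""
    src = ip_address(src_ip)
    for r in sorted(rules, key=lambda r: r["rule"]):
        port_ok = r["port"] is None or r["port"] == dst_port
        if port_ok and src in ip_network(r["cidr"]):
            return r["action"]
    return "deny"


def packet_admitted(src_ip, dst_port, nacl=NACL_INBOUND, sg=SECURITY_GROUP_INBOUND):
    """An inbound packet crosses the subnet NACL first, then the instance's
    security group; both must allow it."""
    return (nacl_decision(nacl, src_ip, dst_port) == "allow"
            and security_group_allows(sg, src_ip, dst_port))


if __name__ == "__main__":
    for src, port in [("198.51.100.77", 443), ("192.0.2.10", 443),
                      ("192.0.2.10", 22), ("203.0.113.1", 22)]:
        print(src, port, "admitted" if packet_admitted(src, port) else "dropped")
```

Note that the security group on its own would admit the suspected source on port 443, which is exactly why question 1 needs the NACL; and if the deny rule were numbered above the catch-all allow (say 200 instead of 50), the allow would match first and the deny would never be reached.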
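The blog snippet referenced in question 5 is not reproduced on the page, so here is an added example (not AWS's code and not from the dump) of the two pieces that answer names: an Events rule pattern that matches CloudTrail events whose userIdentity.type is Root, and the Lambda function the rule invokes. The pattern follows the documented event-pattern syntax; the sample events and the publish callable that stands in for an SNS publish call are constructed for the example.

```python
"""Root-activity notification from question 5: an Events rule pattern that
matches CloudTrail events whose userIdentity.type is Root, and the Lambda
function the rule invokes. Added example, not AWS code; the events below
are constructed and the pattern follows the documented event-pattern syntax."""

# Event pattern as it would be attached to the Cloudwatch Events rule.
ROOT_ACTIVITY_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail", "AWS Console Sign In via CloudTrail"],
    "detail": {"userIdentity": {"type": ["Root"]}},
}

# Constructed sample events (account id is the AWS documentation placeholder).
ROOT_LOGIN_EVENT = {
    "detail-type": "AWS Console Sign In via CloudTrail",
    "account": "111122223333",
    "detail": {
        "eventTime": "2019-05-30T10:15:00Z",
        "eventName": "ConsoleLogin",
        "sourceIPAddress": "198.51.100.23",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
    },
}
IAM_USER_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "account": "111122223333",
    "detail": {
        "eventTime": "2019-05-30T10:16:00Z",
        "eventName": "DescribeInstances",
        "sourceIPAddress": "198.51.100.24",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
    },
}


def pattern_matches(pattern, event):
    """Event-pattern semantics: every key in the pattern must exist in the
    event; a list means "value is one of these", a dict means "descend"."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not pattern_matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def build_notification(event):
    detail = event["detail"]
    return (f"Root user activity in account {event['account']}: "
            f"{detail['eventName']} from {detail['sourceIPAddress']} "
            f"at {detail['eventTime']}")


def lambda_handler(event, context=None, publish=print):
    """Entry point the Events rule would invoke. 'publish' stands in for the
    SNS publish call (assumption); in Lambda it would be sns.publish(...)."""
    if not pattern_matches(ROOT_ACTIVITY_PATTERN, event):
        return None            # the rule's own filtering should already exclude this
    message = build_notification(event)
    publish(message)
    return message


if __name__ == "__main__":
    lambda_handler(ROOT_LOGIN_EVENT)
    print(lambda_handler(IAM_USER_EVENT))
```

The filtering happens in the rule pattern, so the function is only invoked for root activity; the defensive re-check inside the handler costs nothing and keeps the function safe to wire to a broader rule later.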
Option A is invalid because CloudTrail is used to record API activity and not for storing log files. Option C is invalid because CloudTrail is the wrong service to be used for this requirement.
For more information on Log Groups and Log Streams, please visit the following URL:
* https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Workinj
For more information on access to Cloudwatch Logs, please visit the following URL:
* https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/auth-and-access-control-cwl.html
The correct answers are: Stream the log files to a separate Cloudwatch Log group, Create an IAM policy that gives the desired level of access to the Cloudwatch Log group

Question: 9
You have an EC2 Instance in a private subnet which needs to access the KMS service. Which of the following methods can help fulfil this requirement, keeping security in perspective?
Please select:
A. Use a VPC endpoint
B. Attach an Internet gateway to the subnet
C. Attach a VPN connection to the VPC
D. Use VPC Peering
Answer: A
Explanation:
The AWS Documentation mentions the following:
You can connect directly to AWS KMS through a private endpoint in your VPC instead of connecting over the internet. When you use a VPC endpoint, communication between your VPC and AWS KMS is conducted entirely within the AWS network.
Option B is invalid because this could open threats from the internet. Option C is invalid because this is normally used for communication between on-premise environments and AWS. Option D is invalid because this is normally used for communication between VPCs.
For more information on accessing KMS via an endpoint, please visit the following URL:
https://docs.aws.amazon.com/kms/latest/developerguide/kms-vpc-endpoint.html
The correct answer is: Use a VPC endpoint

Question: 10
You have a web site that is sitting behind AWS CloudFront. You need to protect the web site against threats such as SQL injection and cross-site scripting attacks. Which of the following services can help in such a scenario?
Please select:
A. AWS Trusted Advisor
B. AWS WAF
C. AWS Inspector
D. AWS Config
Answer: B
Explanation:
The AWS Documentation mentions the following:
AWS WAF is a web application firewall that helps detect and block malicious web requests targeted at your web applications. AWS WAF allows you to create rules that can help protect against common web exploits like SQL injection and cross-site scripting. With AWS WAF you first identify the resource (either an Amazon CloudFront distribution or an Application Load Balancer) that you need to protect.
Option A is invalid because this will only give advice on how you can improve the security in your AWS account but not protect against the threats mentioned in the question. Option C is invalid because this can be used to scan EC2 Instances for vulnerabilities but not protect against the threats mentioned in the question. Option D is invalid because this can be used to check config changes but not protect against the threats mentioned in the question.
For more information on AWS WAF, please visit the following URL:
https://aws.amazon.com/waf/details/
The correct answer is: AWS WAF

Question: 11
Your company has a set of resources defined in the AWS Cloud. Their IT audit department has requested to get a list of resources that have been defined across the account. How can this be achieved in the easiest manner?
Please select:
A. Create a PowerShell script using the AWS CLI. Query for all resources with the tag of production.
B. Create a bash shell script with the AWS CLI. Query for all resources in all regions. Store the results in an S3 bucket.
C. Use CloudTrail to get the list of all resources
D. Use AWS Config to get the list of all resources
Answer: D
Explanation:
The most feasible option is to use AWS Config. When you turn on AWS Config, you will get a list of resources defined in your AWS Account. A sample snapshot of the resources dashboard in AWS Config is shown below.
Option A is incorrect because this would give the list of production-based resources and not all resources. Option B is partially correct, but this will just add more maintenance overhead. Option C is incorrect because this can be used to log API activities but not give an account of all resources.
For more information on AWS Config, please visit the below URL:
https://docs.aws.amazon.com/config/latest/developerguide/how-does-config-work.html
The correct answer is: Use AWS Config to get the list of all resources

Question: 12
A Lambda function reads metadata from an S3 object and stores the metadata in a DynamoDB table. The function is triggered whenever an object is stored within the S3 bucket. How should the Lambda function be given access to the DynamoDB table?
Please select:
A. Create a VPC endpoint for DynamoDB within a VPC. Configure the Lambda function to access resources in the VPC.
B. Create a resource policy that grants the Lambda function permissions to write to the DynamoDB table. Attach the policy to the DynamoDB table.
C. Create an IAM user with permissions to write to the DynamoDB table. Store an access key for that user in the Lambda environment variables.
D. Create an IAM service role with permissions to write to the DynamoDB table. Associate that role with the Lambda function.
Answer: D
Explanation:
The ideal way is to create an IAM role which has the required permissions and then associate it with the Lambda function.
The AWS Documentation additionally mentions the following:
Each Lambda function has an IAM role (execution role) associated with it. You specify the IAM role when you create your Lambda function. Permissions you grant to this role determine what AWS Lambda can do when it assumes the role. There are two types of permissions that you grant to the IAM role: If your Lambda function code accesses other AWS resources, such as to read an object from an S3 bucket or write logs to CloudWatch Logs, you need to grant permissions for relevant Amazon S3 and CloudWatch actions to the role. If the event source is stream-based (Amazon Kinesis Data Streams and DynamoDB streams), AWS Lambda polls these streams on your behalf. AWS Lambda needs permissions to poll the stream and read new records on the stream, so you need to grant the relevant permissions to this role.
Option A is invalid because the VPC endpoint allows instances in a private subnet to access DynamoDB. Option B is invalid because resource policies are present for resources such as S3 and KMS, but not AWS Lambda. Option C is invalid because AWS Roles should be used and not IAM Users.
For more information on the Lambda permission model, please visit the below URL:
https://docs.aws.amazon.com/lambda/latest/dg/intro-permission-model.html
The correct answer is: Create an IAM service role with permissions to write to the DynamoDB table. Associate that role with the Lambda function.

Question: 13
Your company has defined privileged users for their AWS Account. These users are administrators for key resources defined in the company. There is now a mandate to enhance the security authentication for these users. How can this be accomplished?
Please select:
A. Enable MFA for these user accounts
B. Enable versioning for these user accounts
C. Enable accidental deletion for these user accounts
D. Disable root access for the users
Answer: A
Explanation:
The AWS Documentation mentions the following as a best practice for IAM users:
For extra security, enable multi-factor authentication (MFA) for privileged IAM users (users who are allowed access to sensitive resources or APIs). With MFA, users have a device that generates a unique authentication code (a one-time password, or OTP). Users must provide both their normal credentials (like their user name and password) and the OTP. The MFA device can either be a special piece of hardware, or it can be a virtual device (for example, it can run in an app on a smartphone).
Options B, C and D are invalid because no such security options are available in AWS.
For more information on IAM best practices, please visit the below URL:
https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
The correct answer is: Enable MFA for these user accounts

Question: 14
An application running on EC2 instances must use a username and password to access a database. The developer has stored those secrets in the SSM Parameter Store with type SecureString using the default KMS CMK. Which combination of configuration steps will allow the application to access the secrets via the API? Select 2 answers from the options below.
Please select:
A. Add the EC2 instance role as a trusted service to the SSM service role.
B. Add permission to use the KMS key to decrypt to the SSM service role.
C. Add permission to read the SSM parameter to the EC2 instance role.
D. Add permission to use the KMS key to decrypt to the EC2 instance role.
E. Add the SSM service role as a trusted service to the EC2 instance role.
Answer: C, D
Explanation:
The below example policy from the AWS Documentation is required to be given to the EC2 Instance in order to read a secure string from AWS KMS. Permissions need to be given to the GetParameter API and the KMS API call to decrypt the secret.
Option A is invalid because roles can be attached to EC2 and not EC2 roles to SSM. Option B is invalid because the KMS key does not need to decrypt the SSM service role.
Option E is invalid because this configuration is valid.
For more information on the parameter store, please visit the below URL:
https://docs.aws.amazon.com/kms/latest/developerguide/services-parameter-store.html
The correct answers are: Add permission to read the SSM parameter to the EC2 instance role, Add permission to use the KMS key to decrypt to the EC2 instance role

Question: 15
When you enable automatic key rotation for an existing CMK where the backing key is managed by AWS, after how long is the key rotated?
Please select:
A. After 30 days
B. After 128 days
C. After 365 days
D. After 3 years
Answer: D
Explanation:
The AWS Documentation states the following:
• AWS managed CMKs: You cannot manage key rotation for AWS managed CMKs. AWS KMS automatically rotates AWS managed keys every three years (1095 days).
Note: AWS-managed CMKs are rotated every 3 years; customer-managed CMKs are rotated every 365 days from when rotation is enabled.
Options A, B and C are invalid because the settings for automatic key rotation are not changeable.
For more information on key rotation, please visit the below URL:
https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
AWS managed CMKs are CMKs in your account that are created, managed, and used on your behalf by an AWS service that is integrated with AWS KMS. This CMK is unique to your AWS account and region. Only the service that created the AWS managed CMK can use it. You can log in to your IAM dashboard and click on "Encryption Keys". You will find the list based on the services you are using, as follows:
• aws/elasticfilesystem
• aws/lightsail
• aws/s3
• aws/rds
and many more.
Detailed Guide: KMS
You can recognize AWS managed CMKs because their aliases have the format aws/service-name, such as aws/redshift. Typically, a service creates its AWS managed CMK in your account when you set up the service or the first time you use the CMK. The AWS services that integrate with AWS KMS can use it in many different ways. Some services create AWS managed CMKs in your account. Other services require that you specify a customer managed CMK that you have created. And others support both types of CMKs to allow you the ease of an AWS managed CMK or the control of a customer managed CMK.
Rotation period for CMKs is as follows:
• AWS managed CMKs: 1095 days
• Customer managed CMKs: 365 days
Since the question mentions a "CMK where the backing key is managed by AWS", it is an Amazon (AWS) managed CMK and its rotation period turns out to be 1095 days (every 3 years).
For more details, please check the below AWS Docs:
https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html
The correct answer is: After 3 years