Pass AWS-Security-Specialty Exam - Real Test Engine PDF with 530 Questions [Q170-Q187]



For more info read reference:

Amazon Web Services Website

 

NEW QUESTION 170
An AWS Lambda function was misused to alter data, and a Security Engineer must identify who invoked the function and what output was produced. The Engineer cannot find any logs created by the Lambda function in Amazon CloudWatch Logs.
Which of the following explains why the logs are not available?

  • A. The Lambda function was executed by using Amazon API Gateway, so the logs are not stored in CloudWatch Logs.
  • B. The version of the Lambda function that was executed was not current.
  • C. The execution role for the Lambda function did not grant permissions to write log data to CloudWatch Logs.
  • D. The execution role for the Lambda function did not grant permissions to write to the Amazon S3 bucket where CloudWatch Logs stores the logs.

Answer: C

 

NEW QUESTION 171
Your company has mandated that all data in AWS be encrypted at rest. How can you achieve this for EBS volumes? Choose 2 answers from the options given below.
Please select:

  • A. Use AWS Systems Manager to encrypt the existing EBS volumes
  • B. Use TrueEncrypt for EBS volumes on Linux instances
  • C. Boot EBS volume can be encrypted during launch without using custom AMI
  • D. Use Windows BitLocker for EBS volumes on Windows instances

Answer: B,D

Explanation:
EBS encryption can be enabled when the volume is created, not for existing volumes. One can use existing tools for OS-level encryption.
Option C is incorrect.
AWS Systems Manager is a management service that helps you automatically collect software inventory, apply OS patches, create system images, and configure Windows and Linux operating systems.
Option D is incorrect.
You cannot choose to encrypt a non-encrypted boot volume on instance launch. To have encrypted boot volumes during launch, your custom AMI must have its boot volume encrypted before launch.
For more information on the Security Best Practices, please visit the following URL:
.com/whit Security Practices.
The correct answers are: Use Windows BitLocker for EBS volumes on Windows instances. Use TrueEncrypt for EBS volumes on Linux instances.

NEW QUESTION 172
A company's security information events management (SIEM) tool receives new AWS CloudTrail logs from an Amazon S3 bucket that is configured to send all object created event notifications to an Amazon SNS topic. An Amazon SQS queue is subscribed to this SNS topic. The company's SIEM tool then polls this SQS queue for new messages using an IAM role and fetches new log events from the S3 bucket based on the SQS messages.
After a recent security review that resulted in restricted permissions, the SIEM tool has stopped receiving new CloudTrail logs.
Which of the following are possible causes of this issue? (Choose three.)

  • A. The S3 bucket policy does not allow CloudTrail to perform the PutObject action.
  • B. The IAM role used by the SIEM tool does not allow the SQS:DeleteMessage action.
  • C. The SNS topic is not delivering raw messages to the SQS queue.
  • D. The SNS topic does not allow the SNS:Publish action from Amazon S3.
  • E. The IAM role used by the SIEM tool does not have permission to subscribe to the SNS topic.
  • F. The SQS queue does not allow the SQS:SendMessage action from the SNS topic.

Answer: A,D,E

 

NEW QUESTION 173
Your development team has started using AWS resources for development purposes. The AWS account has just been created. Your IT Security team is worried about possible leakage of AWS keys. What is the first level of measure that should be taken to protect the AWS account?
Please select:

  • A. Create IAM Groups
  • B. Create IAM Roles
  • C. Restrict access using IAM policies
  • D. Delete the AWS keys for the root account

Answer: D

Explanation:
The first level of measure that should be taken is to delete the keys for the IAM root user. When you log in to your account and go to your Security Access dashboard, this is the first step that can be seen.

Options B and C are wrong because creating IAM groups and roles will not change the impact of a leak of AWS root access keys. Option D is wrong because the first key aspect is to protect the access keys for the root account. For more information on best practices for security access keys, please visit the below URL:
https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html
The correct answer is: Delete the AWS keys for the root account.

NEW QUESTION 174
One of your company's EC2 instances has been compromised. The company has strict po thorough investigation on finding the culprit for the security breach. What would you do in from the options given below.
Please select:

  • A. Make sure that logs are stored securely for auditing and troubleshooting purposes
  • B. Ensure that all access keys are rotated.
  • C. Ensure all passwords for all IAM users are changed
  • D. Take a snapshot of the EBS volume
  • E. Isolate the machine from the network

Answer: A,D,E

Explanation:
Some of the important aspects in such a situation are:
1) First isolate the instance so that no further security harm can occur to other AWS resources.
2) Take a snapshot of the EBS volume for further investigation. This is in case you need to shut down the initial instance and do a separate investigation on the data.
3) Next is Option C. This indicates that we already have logs and we need to make sure that they are stored securely so that no unauthorised person can access or manipulate them.
Options D and E are invalid because they could have adverse effects for the other IAM users.
For more information on adopting a security framework, please refer to the below URL:
https://d1.awsstatic.com/whitepapers/compliance/NIST Cybersecurity Framework
Note:
In the question we have been asked to take actions to find the culprit and to help the investigation, or to further reduce the damage that has happened due to the security breach. So keeping logs secure is one way of helping the investigation.
The correct answers are: Take a snapshot of the EBS volume. Isolate the machine from the network. Make sure that logs are stored securely for auditing and troubleshooting purposes.

NEW QUESTION 175
A company is configuring three Amazon EC2 instances with each instance in a separate Availability Zone. The EC2 instances will be used as transparent proxies for outbound internet traffic for ports 80 and 443 so the proxies can block traffic to certain internet destinations as required by the company's security policies. A Security Engineer completed the following:
* Set up the proxy software on the EC2 instances.
* Modified the route tables on the private subnets to use the proxy EC2 instances as the default route.
* Created a security group rule opening inbound port 80 and 443 TCP protocols on the proxy EC2 instance security group.
However, the proxy EC2 instances are not successfully forwarding traffic to the internet.
What should the Security Engineer do to make the proxy EC2 instances route traffic to the internet?

  • A. Change the VPC's DHCP domain-name-servers options set to the IP addresses of proxy EC2 instances.
  • B. Open all inbound ports on the proxy EC2 instance security group.
  • C. Disable source and destination checks on the proxy EC2 instances.
  • D. Put all the proxy EC2 instances in a cluster placement group.

Answer: C

Explanation:
Explanation/Reference: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html

 

NEW QUESTION 176
A large company wants its Compliance team to audit its Amazon S3 buckets to identify if personally identifiable information (PII) is stored in them. The company has hundreds of S3 buckets and has asked the Security Engineers to scan every bucket.
How can this task be accomplished?

  • A. Check the AWS Trusted Advisor data loss prevention page in the AWS Management Console. Download the Amazon S3 data confidentiality report and send it to the Compliance team. Configure Amazon CloudWatch Events to capture Trusted Advisor alerts and target an Amazon SNS topic to be notified if PII is detected.
  • B. Enable Amazon GuardDuty in multiple Regions to scan the S3 buckets. Configure Amazon CloudWatch Events to capture GuardDuty alerts and target an Amazon SNS topic to be notified if PII is detected.
  • C. Configure Amazon Macie to classify data in the S3 buckets and check the dashboard for PII findings.
    Configure Amazon CloudWatch Events to capture Macie alerts and target an Amazon SNS topic to be notified if PII is detected.
  • D. Configure Amazon CloudWatch Events to trigger Amazon Inspector to scan the S3 buckets daily for PII.
    Configure Amazon Inspector to publish Amazon SNS notifications to the Compliance team if PII is detected.

Answer: C

 

NEW QUESTION 177
An enterprise wants to use a third-party SaaS application. The SaaS application needs to have access to issue several API commands to discover Amazon EC2 resources running within the enterprise's account. The enterprise has internal security policies that require that any outside access to its environment conform to the principle of least privilege, and that controls be in place to ensure that the credentials used by the SaaS vendor cannot be used by any other third party. Which of the following would meet all of these conditions?
Please select:

  • A. Create an IAM role for EC2 instances, assign it a policy that allows only the actions required for the SaaS application to work, and provide the role ARN to the SaaS provider to use when launching their application instances.
  • B. From the AWS Management Console, navigate to the Security Credentials page and retrieve the access and secret key for your account.
  • C. Create an IAM role for cross-account access that allows the SaaS provider's account to assume the role, and assign it a policy that allows only the actions required by the SaaS application.
  • D. Create an IAM user within the enterprise account and assign a user policy to the IAM user that allows only the actions required by the SaaS application. Create a new access and secret key for the user and provide these credentials to the SaaS provider.

Answer: C

Explanation:
The below diagram from an AWS blog shows how access is given to other accounts for the services in your own account.

Options A and B are invalid because you should not use IAM users or IAM access keys. Option D is invalid because you need to create a role for cross-account access. For more information on allowing access to external accounts, please visit the below URL:
https://aws.amazon.com/blogs/apn/how-to-best-architect-your-aws-marketplace-saas-subscription-across-multip
The correct answer is: Create an IAM role for cross-account access that allows the SaaS provider's account to assume the role, and assign it a policy that allows only the actions required by the SaaS application.

NEW QUESTION 178
The Security team believes that a former employee may have gained unauthorized access to AWS resources sometime in the past 3 months by using an identified access key.
What approach would enable the Security team to find out what the former employee may have done within AWS?

  • A. Use the Amazon CloudWatch Logs console to filter CloudTrail data by user.
  • B. Use the AWS CloudTrail console to search for user activity.
  • C. Use Amazon Athena to query CloudTrail logs stored in Amazon S3.
  • D. Use AWS Config to see what actions were taken by the user.

Answer: B

Explanation:
You can use CloudTrail to search event history for the last 90 days. You can use CloudWatch queries to search API history beyond the last 90 days. You can use Athena to query CloudTrail logs over the last 90 days. https://aws.amazon.com/premiumsupport/knowledge-center/view-iam-history/

 

NEW QUESTION 179
Due to new compliance requirements, a Security Engineer must enable encryption with customer-provided keys on corporate data that is stored in DynamoDB. The company wants to retain full control of the encryption keys.
Which DynamoDB feature should the Engineer use to achieve compliance?

  • A. Enable S3 server-side encryption with the customer-provided keys. Upload the data to Amazon S3, and then use S3Copy to move all data to DynamoDB
  • B. Use the DynamoDB Java encryption client to encrypt data prior to uploading it to DynamoDB.
  • C. Use AWS Certificate Manager to request a certificate. Use that certificate to encrypt data prior to uploading it to DynamoDB.
  • D. Create a KMS master key. Generate per-record data keys and use them to encrypt data prior to uploading it to DynamoDB. Dispose of the cleartext and encrypted data keys after encryption without storing them.

Answer: B

 

NEW QUESTION 180
An organization is moving non-business-critical applications to AWS while maintaining a mission-critical application in an on-premises data center. An on-premises application must share limited confidential information with the applications in AWS. The internet performance is unpredictable.
Which configuration will ensure continued connectivity between sites MOST securely?

  • A. VPN Gateway over AWS Direct Connect
  • B. VPN and a cached storage gateway
  • C. AWS Snowball Edge
  • D. AWS Direct Connect

Answer: A

Explanation:
https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/aws-direct-connect-plus-vpn-network-to-amazon.html

 

NEW QUESTION 181
You are designing a custom IAM policy that would allow users to list buckets in S3 only if they are MFA authenticated. Which of the following would best match this requirement?

  • A. Option
  • B. Option
  • C. Option
  • D. Option

Answer: B

Explanation:
The Condition clause can be used to ensure users can only work with resources if they are MFA authenticated.
Options B and C are wrong since the aws:MultiFactorAuthPresent clause should be marked as true. Here you are saying that only if the user has been MFA authenticated, that is, the key is true, then allow access.
Option D is invalid because the "Bool" clause is missing in the evaluation for the condition clause.
Boolean conditions let you construct Condition elements that restrict access based on comparing a key to "true" or "false."
Here in this scenario the Bool attribute in the condition element will return a value True for option A, which will ensure that access is allowed on S3 resources.
For more information on an example of such a policy, please visit the following URL:

 

NEW QUESTION 182
Your company has many AWS accounts defined and all are managed via AWS Organizations. One AWS account has an S3 bucket that has critical data. How can we ensure that all the users in the AWS organisation have access to this bucket?
Please select:

  • A. Ensure the bucket policy has a condition which involves aws:OrgID
  • B. Ensure the bucket policy has a condition which involves aws:PrincipalID
  • C. Ensure the bucket policy has a condition which involves aws:PrincipalOrgID
  • D. Ensure the bucket policy has a condition which involves aws:AccountNumber

Answer: C

Explanation:
The AWS documentation mentions the following:
AWS Identity and Access Management (IAM) now makes it easier for you to control access to your AWS resources by using the AWS organization of IAM principals (users and roles). For some services, you grant permissions using resource-based policies to specify the accounts and principals that can access the resource and what actions they can perform on it. Now, you can use a new condition key, aws:PrincipalOrgID, in these policies to require all principals accessing the resource to be from an account in the organization.
Options B, C and D are invalid because the condition in the bucket policy has to mention aws:PrincipalOrgID. For more information on controlling access via Organizations, please refer to the below link:
https://aws.amazon.com/blogs/security/control-access-to-aws-resources-by-using-the-aws-organization-of-iam-principal
The correct answer is: Ensure the bucket policy has a condition which involves aws:PrincipalOrgID

NEW QUESTION 183
A security engineer needs to ensure their company's use of AWS meets AWS security best practices. As part of this, the AWS account root user must not be used for daily work. The root user must be monitored for use, and the security team must be alerted as quickly as possible if the root user is used.
Which solution meets these requirements?

  • A. Create root user access keys. Use an AWS Lambda function to parse AWS CloudTrail logs from Amazon S3 and generate notifications using Amazon SNS.
  • B. Use Amazon Inspector to monitor the usage of the root user and generate notifications using Amazon SNS.
  • C. Set up a rule in AWS Config to trigger root user events. Trigger an AWS Lambda function and generate notifications using Amazon SNS.
  • D. Set up an Amazon CloudWatch Events rule that triggers an Amazon SNS notification.

Answer: C

 

NEW QUESTION 184
You have just developed a new mobile application that handles analytics workloads on large-scale datasets that are stored on Amazon Redshift. Consequently, the application needs to access Amazon Redshift tables. Which of the below methods would be the best, both practically and security-wise, to access the tables? Choose the correct answer from the options below.
Please select:

  • A. Create an IAM user and generate encryption keys for that user. Create a policy for Redshift read-only access. Embed the keys in the application.
  • B. Use roles that allow a web identity federated user to assume a role that allows access to the Redshift table by providing temporary credentials.
  • C. Create a Redshift read-only access policy in IAM and embed those credentials in the application.
  • D. Create an HSM client certificate in Redshift and authenticate using this certificate.

Answer: B

Explanation:
The AWS documentation mentions the following:
"When you write such an app, you'll make requests to AWS services that must be signed with an AWS access key. However, we strongly recommend that you do not embed or distribute long-term AWS credentials with apps that a user downloads to a device, even in an encrypted store. Instead, build your app so that it requests temporary AWS security credentials dynamically when needed using web identity federation. The supplied temporary credentials map to an AWS role that has only the permissions needed to perform the tasks required by the mobile app."
Options A, B and C are all automatically incorrect because you need to use IAM roles for secure access to services. For more information on web identity federation please refer to the below link:
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html
The correct answer is: Use roles that allow a web identity federated user to assume a role that allows access to the Redshift table by providing temporary credentials.

NEW QUESTION 185
A company wants to have an Intrusion detection system available for their VPC in AWS. They want to have complete control over the system. Which of the following would be ideal to implement?
Please select:

  • A. Use a custom solution available in the AWS Marketplace
  • B. Use VPC Flow logs to detect the issues and flag them accordingly.
  • C. Use AWS Cloudwatch to monitor all traffic
  • D. Use AWS WAF to catch all intrusions occurring on the systems in the VPC

Answer: A

Explanation:
Sometimes companies want to have custom solutions in place for monitoring intrusions to their systems. In such a case, you can use the AWS Marketplace to look at custom solutions.

Options A, C and D are all invalid because they cannot be used to conduct intrusion detection or prevention.
For more information on using custom security solutions please visit the below URL:
https://d1.awsstatic.com/Marketplace/security/AWSMP_Security_Solution%20Overview.pdf
The correct answer is: Use a custom solution available in the AWS Marketplace

NEW QUESTION 186
A Security Engineer has discovered that, although encryption was enabled on the Amazon S3 bucket examplebucket, anyone who has access to the bucket has the ability to retrieve the files. The Engineer wants to limit access so that each IAM user can access an assigned folder only.
What should the Security Engineer do to achieve this?

  • A. Create a customer-managed CMK with a key policy granting "kms:Decrypt" based on the "${aws:username}" variable.
  • B. Create a customer-managed CMK for each user. Add each user as a key user in their corresponding key policy.
  • C. Use envelope encryption with the AWS-managed CMK aws/s3.
  • D. Change the applicable IAM policy to grant S3 access to "Resource": "arn:aws:s3:::examplebucket/${aws:username}/*"

Answer: D

 
