[Mar-2022] Amazon AWS-Security-Specialty Dumps – Reduce Your Chance of Failure in AWS-Security-Specialty Exam [Q213-Q230]


To help you achieve your ultimate goal, we suggest the actual Amazon AWS-Security-Specialty dumps for your AWS Certified Security - Specialty exam preparation to use as your guideline.

NEW QUESTION 213
You are trying to use the Systems Manager to patch a set of EC2 systems. Some of the systems are not getting covered in the patching process. Which of the following can be used to troubleshoot the issue? Choose 3 answers from the options given below.
Please select:

  • A. Check to see if the IAM user has the right permissions for EC2
  • B. Ensure that the agent is running on the instances.
  • C. Check to see if the right role has been assigned to the EC2 instances
  • D. Check the Instance status by using the Health API.

Answer: B,C,D

Explanation:
To ensure that the instances are configured properly, check the following:
1) You installed the latest version of the SSM Agent on your instance.
2) Your instance is configured with an AWS Identity and Access Management (IAM) role that enables the instance to communicate with the Systems Manager API.
3) You can use the Amazon EC2 Health API to quickly determine the following information about Amazon EC2 instances:
   - The status of one or more instances
   - The last time the instance sent a heartbeat value
   - The version of the SSM Agent
   - The operating system
   - The version of the EC2Config service (Windows)
   - The status of the EC2Config service (Windows)
Option B is invalid because IAM users are not supposed to be directly granted permissions to EC2 instances. For more information on troubleshooting AWS SSM, please visit the following URL:
https://docs.aws.amazon.com/systems-manager/latest/userguide/troubleshooting-remote-commands.html
The correct answers are: Check to see if the right role has been assigned to the EC2 instances; Ensure that the agent is running on the instances; Check the instance status by using the Health API.

 

NEW QUESTION 214
Some highly sensitive analytics workloads are to be moved to Amazon EC2 hosts. Threat modeling has found that a risk exists where a subnet could be maliciously or accidentally exposed to the internet.
Which of the following mitigations should be recommended?

  • A. Within the Amazon VPC configuration, mark the VPC as private and disable Elastic IP addresses.
  • B. Move the workload to a Dedicated Host, as this provides additional network security controls and monitoring.
  • C. Use IPv6 addressing exclusively on the EC2 hosts, as this prevents the hosts from being accessed from the internet.
  • D. Use AWS Config to detect whether an Internet Gateway is added and use an AWS Lambda function to provide auto-remediation.

Answer: A

 

NEW QUESTION 215
A web application runs in a VPC on EC2 instances behind an ELB Application Load Balancer. The application stores data in an RDS MySQL DB instance. A Linux bastion host is used to apply schema updates to the database; administrators connect to the host via SSH from a corporate workstation. The following security groups are applied to the infrastructure:
* sgLB - associated with the ELB
* sgWeb - associated with the EC2 instances
* sgDB - associated with the database
* sgBastion - associated with the bastion host
Which security group configuration will allow the application to be secure and functional?
Please select:

  • A. sgLB: allow port 80 and 443 traffic from 0.0.0.0/0
    sgWeb: allow port 80 and 443 traffic from 0.0.0.0/0
    sgDB: allow port 3306 traffic from sgWeb and sgBastion
    sgBastion: allow port 22 traffic from the corporate IP address range
  • B. sgLB: allow port 80 and 443 traffic from 0.0.0.0/0
    sgWeb: allow port 80 and 443 traffic from sgLB
    sgDB: allow port 3306 traffic from sgWeb and sgLB
    sgBastion: allow port 22 traffic from the VPC IP address range
  • C. sgLB: allow port 80 and 443 traffic from 0.0.0.0/0
    sgWeb: allow port 80 and 443 traffic from sgLB
    sgDB: allow port 3306 traffic from sgWeb and sgBastion
    sgBastion: allow port 22 traffic from the VPC IP address range
  • D. sgLB: allow port 80 and 443 traffic from 0.0.0.0/0
    sgWeb: allow port 80 and 443 traffic from sgLB
    sgDB: allow port 3306 traffic from sgWeb and sgBastion
    sgBastion: allow port 22 traffic from the corporate IP address range

Answer: D

Explanation:
The Load Balancer should accept traffic on ports 80 and 443 from 0.0.0.0/0. The backend EC2 instances should accept traffic only from the Load Balancer. The database should allow traffic from the web servers (and from the bastion host, which applies the schema updates). The bastion host should only allow SSH traffic from a specific corporate IP address range. Option A is incorrect because the web group should only allow traffic from the Load Balancer. For more information on AWS security groups, please refer to the URL below:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html
The correct answer is: sgLB: allow port 80 and 443 traffic from 0.0.0.0/0; sgWeb: allow port 80 and 443 traffic from sgLB; sgDB: allow port 3306 traffic from sgWeb and sgBastion; sgBastion: allow port 22 traffic from the corporate IP address range.

 

NEW QUESTION 216
Development teams in your organization use S3 buckets to store the log files for various applications hosted in development environments in AWS. The developers want to keep the logs for one month for troubleshooting purposes, and then purge the logs. What feature will enable this requirement?
Please select:

  • A. Enabling CORS on the S3 bucket.
  • B. Adding a bucket policy on the S3 bucket.
  • C. Configuring lifecycle configuration rules on the S3 bucket.
  • D. Creating an IAM policy for the S3 bucket.

Answer: C

Explanation:
The AWS Documentation mentions the following on lifecycle policies:
Lifecycle configuration enables you to specify the lifecycle management of objects in a bucket. The configuration is a set of one or more rules, where each rule defines an action for Amazon S3 to apply to a group of objects. These actions can be classified as follows:
Transition actions - In which you define when objects transition to another storage class. For example, you may choose to transition objects to the STANDARD_IA (IA, for infrequent access) storage class 30 days after creation, or archive objects to the GLACIER storage class one year after creation.
Expiration actions - In which you specify when the objects expire. Then Amazon S3 deletes the expired objects on your behalf.
Options A and C are invalid because neither bucket policies nor IAM policies can control the purging of logs. Option D is invalid because CORS is used for accessing objects across domains, not for purging logs. For more information on AWS S3 lifecycle policies, please visit the following URL:
com/AmazonS3/latest/d<
The correct answer is: Configuring lifecycle configuration rules on the S3 bucket.

 

NEW QUESTION 217
An organization receives an alert that indicates that an EC2 instance behind an ELB Classic Load Balancer has been compromised.
What techniques will limit lateral movement and allow evidence gathering?

  • A. Remove the instance from the load balancer and terminate it.
  • B. Remove the instance from the load balancer, and shut down access to the instance by tightening the security group.
  • C. Reboot the instance and check for any Amazon CloudWatch alarms.
  • D. Stop the instance and make a snapshot of the root EBS volume.

Answer: C

 

NEW QUESTION 218
A company became aware that one of its access keys was exposed on a code sharing website 11 days ago. A Security Engineer must review all use of the exposed access keys to determine the extent of the exposure. The company enabled AWS CloudTrail in all regions when it opened the account. Which of the following will allow the Security Engineer to complete the task?

  • A. Use Amazon Athena to query the CloudTrail logs from Amazon S3. Retrieve the rows for the exposed access key for the past 11 days.
  • B. Use the AWS CLI to generate an IAM credential report. Extract all the data from the past 11 days.
  • C. Filter the event history on the exposed access key in the CloudTrail console. Examine the data from the past 11 days.
  • D. Use the Access Advisor tab in the IAM console to view all of the access key activity for the past 11 days.

Answer: A

 

NEW QUESTION 219
You are designing a custom IAM policy that would allow users to list buckets in S3 only if they are MFA authenticated.
Which of the following would best match this requirement?

Answer:

Explanation:
The Condition clause can be used to ensure users can only work with resources if they are MFA authenticated.
Options B and C are wrong since the aws:MultiFactorAuthPresent clause should be marked as true. Here you are saying that only if the user has been MFA authenticated, meaning the key evaluates to true, should access be allowed.
Option D is invalid because the "Bool" clause is missing in the evaluation for the condition clause.
Boolean conditions let you construct Condition elements that restrict access based on comparing a key to "true" or "false."
Here in this scenario the Bool attribute in the condition element will return a value of True for option A, which will ensure that access is allowed on S3 resources.
For more information on an example of such a policy, please visit the following URL:

 


NEW QUESTION 221
A Security Engineer is building a Java application that is running on Amazon EC2. The application communicates with an Amazon RDS instance and authenticates with a user name and password.
Which combination of steps can the Engineer take to protect the credentials and minimize downtime when the credentials are rotated? (Choose two.)

  • A. Store the credential in an encrypted string parameter in AWS Systems Manager Parameter Store. Grant permission to the instance role associated with the EC2 instance to access the parameter and the AWS KMS key that is used to encrypt it.
  • B. Configure the Java application to catch a connection failure and make a call to AWS Secrets Manager to retrieve updated credentials when the password is rotated. Grant permission to the instance role associated with the EC2 instance to access Secrets Manager.
  • C. Have a Database Administrator encrypt the credentials and store the ciphertext in Amazon S3. Grant permission to the instance role associated with the EC2 instance to read the object and decrypt the ciphertext.
  • D. Configure automatic rotation of credentials in AWS Secrets Manager.
  • E. Configure a scheduled job that updates the credential in AWS Systems Manager Parameter Store and notifies the Engineer that the application needs to be restarted.

Answer: B,D

 

NEW QUESTION 222
An AWS Lambda function was misused to alter data, and a Security Engineer must identify who invoked the function and what output was produced. The Engineer cannot find any logs created by the Lambda function in Amazon CloudWatch Logs.
Which of the following explains why the logs are not available?

  • A. The Lambda function was executed by using Amazon API Gateway, so the logs are not stored in CloudWatch Logs.
  • B. The version of the Lambda function that was executed was not current.
  • C. The execution role for the Lambda function did not grant permissions to write to the Amazon S3 bucket where CloudWatch Logs stores the logs.
  • D. The execution role for the Lambda function did not grant permissions to write log data to CloudWatch Logs.

Answer: D

 

NEW QUESTION 223
A Security Engineer has created an Amazon CloudWatch event that invokes an AWS Lambda function daily.
The Lambda function runs an Amazon Athena query that checks AWS CloudTrail logs in Amazon S3 to detect whether any IAM user accounts or credentials have been created in the past 30 days. The results of the Athena query are created in the same S3 bucket. The Engineer runs a test execution of the Lambda function via the AWS Console, and the function runs successfully.
After several minutes, the Engineer finds that his Athena query has failed with the error message: "Insufficient Permissions". The IAM permissions of the Security Engineer and the Lambda function are shown below:
Security Engineer

Lambda function execution role

What is causing the error?

  • A. The Lambda function does not have permissions to start the Athena query execution.
  • B. The Security Engineer does not have permissions to start the Athena query execution.
  • C. The Athena service does not support invocation through Lambda.
  • D. The Lambda function does not have permissions to access the CloudTrail S3 bucket.

Answer: B

 

NEW QUESTION 224
During a manual review of system logs from an Amazon Linux EC2 instance, a Security Engineer noticed that there are sudo commands that were never properly alerted or reported on by the Amazon CloudWatch Logs agent. Why were there no alerts on the sudo commands?

  • A. The VPC requires that all traffic go through a proxy, and the CloudWatch Logs agent does not support a proxy configuration.
  • B. CloudWatch Logs status is set to ON versus SECURE, which prevents it from pulling in OS security event logs
  • C. There is a security group blocking outbound port 80 traffic that is preventing the agent from sending the logs
  • D. The IAM instance profile on the EC2 instance was not properly configured to allow the CloudWatch Logs agent to push the logs to CloudWatch

Answer: D

 

NEW QUESTION 225
Your company has an external web site. This web site needs to access the objects in an S3 bucket. Which of the following would allow the web site to access the objects in the most secure manner?
Please select:

  • A. Grant public access for the bucket via the bucket policy
  • B. Grant a role that can be assumed by the web site
  • C. Use the aws:sites key in the condition clause for the bucket policy
  • D. Use the aws:Referer key in the condition clause for the bucket policy

Answer: D

Explanation:
An example of this is given in the AWS documentation:
Restricting Access to a Specific HTTP Referrer
Suppose you have a website with domain name (www.example.com or example.com) with links to photos and videos stored in your S3 bucket examplebucket. By default, all the S3 resources are private, so only the AWS account that created the resources can access them. To allow read access to these objects from your website, you can add a bucket policy that allows s3:GetObject permission with a condition, using the aws:referer key, that the get request must originate from specific webpages. The following policy specifies the StringLike condition with the aws:Referer condition key.

Option A is invalid because giving public access is not a secure way to provide access. Option C is invalid because aws:sites is not a valid condition key. Option D is invalid because IAM roles will not be assigned to web sites. For more information on example bucket policies, please visit the link below:
https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
The correct answer is: Use the aws:Referer key in the condition clause for the bucket policy.
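As an added example (not code from the page or from AWS), the two policies described in the explanations for questions 219 and 225, written as JSON-shaped Python dicts and run through a deliberately minimal model of IAM condition evaluation; the policy keys and operators are real IAM ones, while the evaluator and the request contexts are assumptions for illustration. The evaluator makes visible the caveat behind both answers: a condition key that is absent from the request context (no MFA session for long-term credentials, no Referer header on the request) never matches, and because aws:Referer is a client-supplied header, AWS documents the Referer policy as a way to limit hotlinking from other sites rather than as an authentication control.

```python
import fnmatch

# Q219: allow listing buckets only when the caller's session is MFA-authenticated.
MFA_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}

# Q225: bucket policy shape from the AWS example, gated on the Referer header.
REFERER_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::examplebucket/*",
    "Condition": {"StringLike": {"aws:Referer": [
        "http://www.example.com/*", "http://example.com/*"]}}}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def condition_holds(condition, ctx):
    """Minimal model of IAM Condition evaluation (Bool and StringLike only).

    Every operator/key pair must match. A key missing from the request context
    makes the pair false: that is why Allow + Bool:true denies long-term access
    keys (no MFA session, so the key is absent) and why a Deny on Bool:false
    would NOT catch them unless BoolIfExists is used instead.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in ctx:
                return False
            actual = str(ctx[key])
            if operator == "Bool":
                ok = actual.lower() == str(_as_list(expected)[0]).lower()
            elif operator == "StringLike":
                ok = any(fnmatch.fnmatchcase(actual, p) for p in _as_list(expected))
            else:
                raise ValueError("operator not modelled here: " + operator)
            if not ok:
                return False
    return True


def is_allowed(policy, action, resource, ctx):
    """True if some statement allows the call and no matching statement denies it."""
    allowed = False
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```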

 

NEW QUESTION 226
An Application team has requested a new AWS KMS master key for use with Amazon S3, but the organizational security policy requires separate master keys for different AWS services to limit blast radius.
How can an AWS KMS customer master key (CMK) be constrained to work with only Amazon S3?

  • A. Configure the IAM user's policy to allow only Amazon S3 operations when they are combined with the CMK
  • B. Configure the CMK key policy to allow only the Amazon S3 service to use the kms:Encrypt action
  • C. Configure the IAM user's policy to allow KMS to pass a role to Amazon S3
  • D. Configure the CMK key policy to allow AWS KMS actions only when the kms:ViaService condition matches the Amazon S3 service name.

Answer: D

 

NEW QUESTION 227
A company uses an external identity provider to allow federation into different AWS accounts. A security engineer for the company needs to identify the federated user that terminated a production Amazon EC2 instance a week ago.
What is the FASTEST way for the security engineer to identify the federated user?

  • A. Search the AWS CloudTrail logs for the TerminateInstances event and note the event time. Review the IAM Access Advisor tab for all federated roles. The last accessed time should match the time when the instance was terminated.
  • B. Filter the AWS CloudTrail event history for the TerminateInstances event and identify the assumed IAM role. Review the AssumeRoleWithSAML event call in CloudTrail to identify the corresponding username.
  • C. Review the AWS CloudTrail event history logs in an Amazon S3 bucket and look for the TerminateInstances event to identify the federated user from the role session name.
  • D. Use Amazon Athena to run a SQL query on the AWS CloudTrail logs stored in an Amazon S3 bucket and filter on the TerminateInstances event. Identify the corresponding role and run another query to filter the AssumeRoleWithWebIdentity event for the user name.

Answer: B
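An added example (not code from the page or from AWS) of the two CloudTrail investigations described in questions 218 and 227, run over a handful of constructed records: listing every call made with an exposed access key inside an N-day window, and attributing a TerminateInstances call made by an assumed role to the federated user by joining the temporary access key back to the AssumeRoleWithSAML event that issued it. The account id, key ids, role and user names are made up; in practice the same two filters run as Athena queries over the CloudTrail bucket.

```python
from datetime import datetime, timedelta, timezone

# Constructed CloudTrail records (made-up account, keys and names). Field names
# follow the CloudTrail record format; only the fields used below are included.
RECORDS = [
    {"eventTime": "2022-03-01T09:00:12Z", "eventName": "AssumeRoleWithSAML",
     "userIdentity": {"type": "SAMLUser", "userName": "alice@example.com"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/ProdAdmin",
                           "roleSessionName": "alice@example.com"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE0000001"}}},
    {"eventTime": "2022-03-01T09:14:55Z", "eventName": "TerminateInstances",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE0000001",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ProdAdmin/alice@example.com"},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0abc"}]}}},
    {"eventTime": "2022-02-15T11:00:00Z", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "ci-bot", "accessKeyId": "AKIAEXPOSEDKEY00000"}},
    {"eventTime": "2022-03-04T03:30:00Z", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "userName": "ci-bot", "accessKeyId": "AKIAEXPOSEDKEY00000"}},
    {"eventTime": "2022-03-06T23:59:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "ci-bot", "accessKeyId": "AKIAEXPOSEDKEY00000"}},
]


def parse_time(ts):
    """CloudTrail eventTime is ISO-8601 UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def events_for_access_key(records, key_id, now, days=11):
    """Q218: every API call made with key_id in the last `days` days, oldest first.

    Same filter the Athena query would express as
    WHERE useridentity.accesskeyid = '<key>' AND eventtime >= '<cutoff>'.
    """
    cutoff = now - timedelta(days=days)
    hits = [r for r in records
            if r["userIdentity"].get("accessKeyId") == key_id
            and parse_time(r["eventTime"]) >= cutoff]
    return sorted(hits, key=lambda r: parse_time(r["eventTime"]))


def federated_user_for(records, event_name):
    """Q227: attribute each event_name call made by an assumed role to the SAML user.

    The AssumeRoleWithSAML record carries the SAML userName and the temporary
    accessKeyId it issued; the later call carries that same accessKeyId in its
    userIdentity, so joining on it identifies who held the role session.
    """
    issued = {r["responseElements"]["credentials"]["accessKeyId"]: r
              for r in records if r["eventName"] == "AssumeRoleWithSAML"}
    results = []
    for r in records:
        if r["eventName"] != event_name:
            continue
        saml = issued.get(r["userIdentity"].get("accessKeyId"))
        results.append({"eventTime": r["eventTime"],
                        "role": saml["requestParameters"]["roleArn"] if saml else None,
                        "federated_user": saml["userIdentity"]["userName"] if saml else None})
    return results
```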

 

NEW QUESTION 228
An organization policy states that all encryption keys must be automatically rotated every 12 months.
Which AWS Key Management Service (KMS) key type should be used to meet this requirement?

  • A. Customer managed CMK with AWS generated key material
  • B. AWS managed data key
  • C. Customer managed CMK with imported key material
  • D. AWS managed Customer Master Key (CMK)

Answer: D

Explanation:
Explanation/Reference: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html

 

NEW QUESTION 229
A Security Engineer manages AWS Organizations for a company. The Engineer would like to restrict AWS usage to allow Amazon S3 only in one of the organizational units (OUs). The Engineer adds the following SCP to the OU:

The next day, API calls to AWS IAM appear in AWS CloudTrail logs in an account under that OU.
How should the Security Engineer resolve this issue?

  • A. Change the policy to:
  • B. Add a Deny policy for all non-S3 services at the account level.
  • C. Move the account to a new OU and deny IAM:* permissions.
  • D. Detach the default FullAWSAccess SCP.

Answer: B

Explanation:
Explanation/Reference: https://docs.aws.amazon.com/organizations/latest/userguide/organizations-userguide.pdf (22)

 

NEW QUESTION 230
......

Accurate & Verified Answers As Seen in the Real Exam here: https://theexamcerts.lead2passexam.com/Amazon/valid-AWS-Security-Specialty-exam-dumps.html