Visit Official SkillCertPro Website :-
For a full set of 550+ questions, go to
https://skillcertpro.com/product/aws-certified-security-specialty-practice-exam-tests/
SkillCertPro offers detailed explanations to each question which helps to understand the concepts better.
It is recommended to score above 85% in SkillCertPro exams before attempting a real exam.
SkillCertPro updates exam questions every 2 weeks.
You will get lifetime access and lifetime free updates.
SkillCertPro assures a 100% pass guarantee on the first attempt.
Question 1
An application running on EC2 instances must use a username and password to access a database. The developer has stored those secrets in the SSM Parameter Store with type SecureString using the default KMS CMK.
Which combination of configuration steps will allow the application to access the secrets via the API? Select 2 answers from the options below
A. Add the EC2 instance role as a trusted service to the SSM service role.
B. Add permission to use the KMS key to decrypt to the SSM service role.
C. Add permission to read the SSM parameter to the EC2 instance role.
D. Add permission to use the KMS key to decrypt to the EC2 instance role
E. Add the SSM service role as a trusted service to the EC2 instance role.
Answer: C, D
Explanation:
The example policy below, from the AWS documentation, must be attached to the EC2 instance role so that it can read a SecureString parameter protected by AWS KMS. The role needs permission for the SSM GetParameter API call and for the KMS Decrypt call that unwraps the secret.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameter*"
      ],
      "Resource": "arn:aws:ssm:us-west-2:111122223333:/parameter/ReadableParameters/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    }
  ]
}
Option A is invalid because the SSM service does not need to be added as a trusted service; the permissions go on the EC2 instance role.
Option B is invalid because the KMS decrypt permission is needed by the EC2 instance role, not by the SSM service role.
Option E is invalid for the same reason as option A: no service trust relationship is required.
For more information on the parameter store, please visit the below URL
https://docs.aws.amazon.com/kms/latest/developerguide/services-parameter-store.html
The correct answers are: Add permission to read the SSM parameter to the EC2 instance role; Add permission to use the KMS key to decrypt to the EC2 instance role.
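As an added illustration (not from the page or from AWS), this Python script applies the policy above under a simplified IAM evaluation model to confirm that the role can call GetParameter on a parameter under ReadableParameters and Decrypt on the listed CMK, and nothing more. The db-password parameter ARN is a constructed value; conditions, NotAction/NotResource and resource-based policies are not modelled.

```python
import fnmatch
import json

# The instance-role policy from the explanation above (the page's example, quotes repaired).
INSTANCE_ROLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ssm:GetParameter*"],
     "Resource": "arn:aws:ssm:us-west-2:111122223333:/parameter/ReadableParameters/*"},
    {"Effect": "Allow", "Action": ["kms:Decrypt"],
     "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"}
  ]
}
""")

KEY_ARN = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
# Constructed parameter ARN that falls under the ReadableParameters path in the policy.
PARAM_ARN = "arn:aws:ssm:us-west-2:111122223333:/parameter/ReadableParameters/db-password"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, case_insensitive=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one character.
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching Allow
    permits the call, otherwise the call is implicitly denied.
    Assumption: statements use plain Action/Resource (no NotAction, NotResource, Condition)."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_wildcard_match(p, action, case_insensitive=True)
                         for p in _as_list(stmt.get("Action", [])))
        resource_hit = any(_wildcard_match(p, resource)
                           for p in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def can_read_secure_string(policy, parameter_arn, key_arn):
    """Both calls named in the explanation must be permitted: GetParameter on the
    parameter and Decrypt on the CMK that protects it."""
    return (is_allowed(policy, "ssm:GetParameter", parameter_arn)
            and is_allowed(policy, "kms:Decrypt", key_arn))


def missing_permissions(policy, parameter_arn, key_arn):
    """Names whichever of the two required calls the role still lacks, which is the
    first thing to check when GetParameter fails with AccessDenied."""
    required = [("ssm:GetParameter", parameter_arn), ("kms:Decrypt", key_arn)]
    return [a for a, r in required if not is_allowed(policy, a, r)]
```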
Question 2
A company is using CloudTrail to log all AWS API activity for all regions in all of its accounts. The CISO has asked that additional steps be taken to protect the integrity of the log files.
What combination of steps will protect the log files from intentional or unintentional alteration? Choose 2 answers from the options given below
A. Create an S3 bucket in a dedicated log account and grant the other accounts write only access. Deliver all log files from every account to this S3 bucket.
B. Write a Lambda function that queries the Trusted Advisor Cloud Trail checks. Run the function every 10 minutes.
C. Enable Cloud Trail log file integrity validation
D. Use Systems Manager Configuration Compliance to continually monitor the access policies of S3 buckets containing Cloud Trail logs.
E. Create a Security Group that blocks all traffic except calls from the CloudTrail service. Associate the security group with all the Cloud Trail destination S3 buckets.
Answer: A, C
Explanation:
The AWS Documentation mentions the following
To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, you can use CloudTrail log file integrity validation. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection.
Option B is invalid because there are no Trusted Advisor CloudTrail checks to query.
Option D is invalid because Systems Manager Configuration Compliance is not a service for monitoring S3 bucket access policies.
Option E is invalid because security groups apply to EC2 instances and other VPC resources, not to S3 buckets.
For more information on Cloudtrail log file validation, please visit the below URL
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html
For more information on delivering Cloudtrail logs from multiple accounts, please visit the below URL
The correct answers are: Create an S3 bucket in a dedicated log account and grant the other accounts write only access. Deliver all log files from every account to this S3 bucket; Enable CloudTrail log file integrity validation.
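As an added example, not from the page and not AWS's own validation tool, the following Python code models the hashing half of digest validation: each digest records the SHA-256 of every delivered log object and of the previous digest, and walking the chain detects a modified or deleted log file or a replaced digest. The digest layout, account, region and log object names are constructed and simplified (bodies are left uncompressed); the RSA signature that real digests carry is not modelled.

```python
import hashlib
import json


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_digest(log_files, previous_digest=None):
    """Constructed stand-in for a CloudTrail digest file, reduced to the fields this
    check needs: the SHA-256 of each log object delivered in the hour plus the SHA-256
    of the previous digest, so the digests form a chain. (Real digests are also
    RSA-signed and reference the previous digest's signature; not modelled here.)"""
    doc = {
        "logFiles": [{"s3Object": key, "hashValue": sha256_hex(body), "hashAlgorithm": "SHA-256"}
                     for key, body in sorted(log_files.items())],
        "previousDigestHashValue": sha256_hex(previous_digest) if previous_digest else None,
        "previousDigestHashAlgorithm": "SHA-256" if previous_digest else None,
    }
    return json.dumps(doc, sort_keys=True).encode()


def validate_chain(digests, bucket):
    """Walk the digest chain oldest to newest. Returns a list of findings; an empty
    list means every listed log file is present and unchanged and no digest was
    replaced. `bucket` maps S3 object keys to the bytes currently stored there."""
    findings = []
    previous = None
    for idx, raw in enumerate(digests):
        doc = json.loads(raw)
        expected_prev = sha256_hex(previous) if previous is not None else None
        if doc.get("previousDigestHashValue") != expected_prev:
            findings.append(f"digest {idx}: previous-digest hash mismatch (chain broken)")
        for entry in doc["logFiles"]:
            body = bucket.get(entry["s3Object"])
            if body is None:
                findings.append(f"{entry['s3Object']}: log file missing (deleted)")
            elif sha256_hex(body) != entry["hashValue"]:
                findings.append(f"{entry['s3Object']}: hash mismatch (modified)")
        previous = raw
    return findings


# Constructed sample: two hourly log objects and the two digests that cover them.
LOG_A = "AWSLogs/111122223333/CloudTrail/us-west-2/2024/01/01/111122223333_CloudTrail_us-west-2_20240101T0000Z_a.json.gz"
LOG_B = "AWSLogs/111122223333/CloudTrail/us-west-2/2024/01/01/111122223333_CloudTrail_us-west-2_20240101T0100Z_b.json.gz"
BUCKET = {
    LOG_A: b'{"Records":[{"eventName":"GetParameter","eventSource":"ssm.amazonaws.com"}]}',
    LOG_B: b'{"Records":[{"eventName":"Decrypt","eventSource":"kms.amazonaws.com"}]}',
}
DIGEST_1 = build_digest({LOG_A: BUCKET[LOG_A]})
DIGEST_2 = build_digest({LOG_B: BUCKET[LOG_B]}, DIGEST_1)
```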
Question 3
An application running on EC2 instances must use a username and password to access a database. The developer has stored those secrets in the SSM Parameter Store with type SecureString using the default KMS CMK.
Which combination of configuration steps will allow the application to access the secrets via the API? Select 2 answers from the options below
A. Add the EC2 instance role as a trusted service to the SSM service role.
B. Add permission to use the KMS key to decrypt to the SSM service role.
C. Add permission to read the SSM parameter to the EC2 instance role.
D. Add permission to use the KMS key to decrypt to the EC2 instance role
E. Add the SSM service role as a trusted service to the EC2 instance role.
Answer: C, D
Explanation:
The example policy below, from the AWS documentation, must be attached to the EC2 instance role so that it can read a SecureString parameter protected by AWS KMS. The role needs permission for the SSM GetParameter API call and for the KMS Decrypt call that unwraps the secret.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameter*"
      ],
      "Resource": "arn:aws:ssm:us-west-2:111122223333:/parameter/ReadableParameters/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    }
  ]
}
Option A is invalid because roles are attached to EC2 instances; an EC2 instance role is not added as a trusted service to SSM.
Option B is invalid because the KMS decrypt permission belongs on the EC2 instance role, not on the SSM service role.
Option E is invalid because the SSM service role does not need to be trusted by the EC2 instance role for the application to read the parameter.
For more information on the parameter store, please visit the below URL:
https://docs.aws.amazon.com/kms/latest/developerguide/services-parameter-store.html
The correct answers are: Add permission to read the SSM parameter to the EC2 instance role; Add permission to use the KMS key to decrypt to the EC2 instance role.
Question 4
A company is using CloudTrail to log all AWS API activity for all regions in all of its accounts. The CISO has asked that additional steps be taken to protect the integrity of the log files.
What combination of steps will protect the log files from intentional or unintentional alteration? Choose 2 answers from the options given below
A. Create an S3 bucket in a dedicated log account and grant the other accounts write only access. Deliver all log files from every account to this S3 bucket.
B. Write a Lambda function that queries the Trusted Advisor Cloud Trail checks. Run the function every 10 minutes.
C. Enable Cloud Trail log file integrity validation
D. Use Systems Manager Configuration Compliance to continually monitor the access policies of S3 buckets containing Cloud Trail logs.
E. Create a Security Group that blocks all traffic except calls from the CloudTrail service. Associate the security group with all the Cloud Trail destination S3 buckets.
Answer: A, C
Explanation:
The AWS Documentation mentions the following
To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, you can use CloudTrail log file integrity validation. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection.
Option B is invalid because there is no such thing as Trusted Advisor CloudTrail checks.
Option D is invalid because Systems Manager cannot be used for this purpose.
Option E is invalid because security groups cannot be attached to S3 buckets or used to block calls from other services.
For more information on Cloudtrail log file validation, please visit the below URL:
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html
For more information on delivering Cloudtrail logs from multiple accounts, please visit the below URL:
The correct answers are: Create an S3 bucket in a dedicated log account and grant the other accounts write only access. Deliver all log files from every account to this S3 bucket; Enable CloudTrail log file integrity validation.
Question 5
A company requires that data stored in AWS be encrypted at rest. Which of the following approaches achieve this requirement? Select 2 answers from the options given below.
A. When storing data in Amazon EBS, use only EBS–optimized Amazon EC2 instances.
B. When storing data in EBS, encrypt the volume by using AWS KMS.
C. When storing data in Amazon S3, use object versioning and MFA Delete.
D. When storing data in Amazon EC2 Instance Store, encrypt the volume by using KMS.
E. When storing data in S3, enable server-side encryption.
Answer: B, E
Explanation:
The AWS Documentation mentions the following
To create an encrypted Amazon EBS volume, select the appropriate box in the Amazon EBS section of the Amazon EC2 console. You can use a custom customer master key (CMK) by choosing one from the list that appears below the encryption box. If you do not specify a custom CMK, Amazon EBS uses the AWS-managed CMK for Amazon EBS in your account. If there is no AWS-managed CMK for Amazon EBS in your account, Amazon EBS creates one.
Data protection refers to protecting data while in-transit (as it travels to and from Amazon S3) and at rest (while it is stored on disks in Amazon S3 data centers). You can protect data in transit by using SSL or by using client-side encryption. You have the following options of protecting data at rest in Amazon S3.
Use Server-Side Encryption – You request Amazon S3 to encrypt your object before saving it on disks in its data centers and decrypt it when you download the objects.
Use Client-Side Encryption – You can encrypt data client-side and upload the encrypted data to Amazon S3. In this case, you manage the encryption process, the encryption keys, and related tools.
Option A is invalid because EBS-optimized instances only provide dedicated throughput to EBS; they do not encrypt data at rest.
Option C is invalid because versioning and MFA Delete protect against deletion and overwrite; they do not encrypt S3 objects at rest.
Option D is invalid because the EC2 Instance Store is ephemeral storage, not a place to keep data, and KMS volume encryption does not apply to it.
For more information on EBS encryption, please visit the below URL:
https://docs.aws.amazon.com/kms/latest/developerguide/services-ebs.html
For more information on S3 encryption, please visit the below URL:
https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingEncryption.html
The correct answers are: When storing data in EBS, encrypt the volume by using AWS KMS; When storing data in S3, enable server-side encryption.
Question 6
An application running on EC2 instances in a VPC must call an external web service via TLS (port 443). The instances run in public subnets.
Which configurations below allow the application to function and minimize the exposure of the instances? Select 2 answers from the options given below
A. A network ACL with a rule that allows outgoing traffic on port 443.
B. A network ACL with rules that allow outgoing traffic on port 443 and incoming traffic on ephemeral ports
C. A network ACL with rules that allow outgoing traffic on port 443 and incoming traffic on port 443.
D. A security group with a rule that allows outgoing traffic on port 443
E. A security group with rules that allow outgoing traffic on port 443 and incoming traffic on ephemeral ports.
Answer: B, D
Explanation:
Because the traffic originates from the instance and goes to a web service on port 443, the outbound rules of both the network ACL and the security group must allow port 443. Network ACLs are stateless, so the return traffic, which arrives on an ephemeral port chosen by the instance's operating system, must also be explicitly allowed inbound on the ephemeral port range. Security groups are stateful: the response to an allowed outbound connection is permitted automatically, so no inbound rule is needed there.
Option A is invalid because this rule alone is not enough; the network ACL must also allow incoming traffic on the ephemeral ports.
Option C is invalid because the incoming rule must cover the ephemeral ports, not only port 443.
Option E is invalid because it opens additional inbound ports on the security group that are not required; the security group is stateful and already allows the return traffic.
For more information on VPC Security Groups, please visit the below URL:
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html
The correct answers are: A network ACL with rules that allow outgoing traffic on port 443 and incoming traffic on ephemeral ports, A security group with a rule that allows outgoing traffic on port 443
Question 7
A company is deploying a new web application on AWS. Based on their other web applications, they anticipate being the target of frequent DDoS attacks. Which steps can the company use to protect their application? Select 2 answers from the options given below.
A. Associate the EC2 instances with a security group that blocks traffic from blacklisted IP addresses.
B. Use an ELB Application Load Balancer and Auto Scaling group to scale to absorb application layer traffic.
C. Use Amazon Inspector on the EC2 instances to examine incoming traffic and discard malicious traffic.
D. Use CloudFront and AWS WAF to prevent malicious traffic from reaching the application
E. Enable GuardDuty to block malicious traffic from reaching the application
Answer: B, D
Explanation:
The AWS documentation describes the recommended approach to DDoS mitigation using services such as Amazon CloudFront, AWS WAF, ELB and Auto Scaling.
Option A is invalid because security groups contain only allow rules (everything not allowed is denied by default), so they cannot block a list of IP addresses.
Option C is invalid because Amazon Inspector assesses instances for vulnerabilities; it cannot examine or discard traffic.
Option E is invalid because GuardDuty is a threat detection service that can flag attacks on EC2 instances; it does not block traffic and is not a DDoS mitigation for the whole application.
For more information on DDos mitigation from AWS, please visit the below URL:
https://aws.amazon.com/answers/networking/aws-ddos-attack-mitigation/
The correct answers are: Use an ELB Application Load Balancer and Auto Scaling group to scale to absorb application layer traffic; Use CloudFront and AWS WAF to prevent malicious traffic from reaching the application.
Question 8
A company has external vendors that must deliver files to the company. These vendors have cross-account access that gives them permission to upload objects to one of the company's S3 buckets.
What combination of steps must the vendor follow to successfully deliver a file to the company? Select 2 answers from the options given below
A. Attach an IAM role to the bucket that grants the bucket owner full permissions to the object
B. Add a grant to the object’s ACL giving full permissions to bucket owner.
C. Encrypt the object with a KMS key controlled by the company.
D. Add a bucket policy to the bucket that grants the bucket owner full permissions to the object
E. Upload the file to the company’s S3 bucket as an object
Answer: B, E
Explanation:
This scenario is covered in the AWS documentation walkthrough: an object uploaded from another account is owned by the uploading account, so the vendor must grant the bucket owner full control through the object's ACL when uploading it.
Options A and D are invalid because the grant to the bucket owner is made through the object's ACL, not through an IAM role or a bucket policy.
Option C is not required because encryption is not part of the requirement.
For more information on this scenario please see the below Link:
https://docs.aws.amazon.com/AmazonS3/latest/dev/example-walkthroughs-managing-access-example3.html
The correct answers are: Add a grant to the object's ACL giving full permissions to bucket owner; Upload the file to the company's S3 bucket as an object.
Question 9
A security engineer must ensure that all infrastructure launched in the company AWS account be monitored for deviation from compliance rules, specifically that all EC2 instances are launched from one of a specified list of AMIs and that all attached EBS volumes are encrypted. Infrastructure not in compliance should be terminated.
What combination of steps should the Engineer implement? Select 2 answers from the options given below.
A. Set up a CloudWatch event based on Trusted Advisor metrics
B. Trigger a Lambda function from a scheduled CloudWatch event that terminates non-compliant infrastructure.
C. Set up a CloudWatch event based on Amazon inspector findings
D. Monitor compliance with AWS Config Rules triggered by configuration changes
E. Trigger a CLI command from a CloudWatch event that terminates the infrastructure
Answer: B, D
Explanation:
AWS Config rules evaluate resources when their configuration changes and can check both conditions here: whether an EC2 instance was launched from an approved AMI and whether its attached EBS volumes are encrypted.
Option A is invalid because you cannot set up CloudWatch Events based on Trusted Advisor checks.
Option C is invalid because Amazon Inspector cannot be used to check whether instances were launched from a specific AMI.
Option E is invalid because triggering a CLI command is not the preferred option; Lambda functions should be used for automation.
For more information on Config Rules please see the below Link:
https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config-rules.html
Non-compliance findings from Config rules can then trigger a Lambda function that terminates the offending instances.
For more information on Cloudwatch events please see the below Link:
https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/WhatIsCloudWatchEvents.html
The correct answers are: Trigger a Lambda function from a scheduled CloudWatch event that terminates non-compliant infrastructure; Monitor compliance with AWS Config Rules triggered by configuration changes.
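As an added example (not the page's or AWS's code), this Python sketch shows the evaluation logic of a custom Config rule for the two checks in the question: it produces the entry shape that PutEvaluations expects and the list of instance IDs a termination Lambda would act on. The configuration item, the AMI allow-list and the per-volume encryption map are constructed placeholders; a deployed rule would take them from the Config event and the AWS::EC2::Volume configuration items.

```python
# Constructed configuration item in the shape AWS Config delivers for an
# AWS::EC2::Instance (keys mirror the EC2 DescribeInstances fields in lowerCamelCase).
SAMPLE_ITEM = {
    "resourceType": "AWS::EC2::Instance",
    "resourceId": "i-0123456789abcdef0",
    "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "configuration": {
        "imageId": "ami-0aaaaaaaaaaaaaaa1",
        "blockDeviceMappings": [
            {"deviceName": "/dev/xvda", "ebs": {"volumeId": "vol-0aaaaaaaaaaaaaaa1"}},
            {"deviceName": "/dev/xvdf", "ebs": {"volumeId": "vol-0bbbbbbbbbbbbbbb2"}},
        ],
    },
}
APPROVED_AMIS = {"ami-0aaaaaaaaaaaaaaa1", "ami-0ccccccccccccccc3"}   # placeholder allow-list
# Encryption state per volume; a real rule reads it from the AWS::EC2::Volume items.
VOLUME_ENCRYPTED = {"vol-0aaaaaaaaaaaaaaa1": True, "vol-0bbbbbbbbbbbbbbb2": False}


def evaluate_instance(item, approved_amis, volume_encrypted):
    """Apply the two rules from the question to one instance configuration item.
    Returns (compliance_type, annotation); compliance_type is one of the strings
    AWS Config expects: COMPLIANT or NON_COMPLIANT."""
    cfg = item["configuration"]
    problems = []
    if cfg.get("imageId") not in approved_amis:
        problems.append(f"AMI {cfg.get('imageId')} is not on the approved list")
    for mapping in cfg.get("blockDeviceMappings", []):
        vol = mapping.get("ebs", {}).get("volumeId")
        # Unknown encryption state is treated as non-compliant (fail closed).
        if vol and not volume_encrypted.get(vol, False):
            problems.append(f"EBS volume {vol} is not encrypted")
    if problems:
        return "NON_COMPLIANT", "; ".join(problems)
    return "COMPLIANT", "approved AMI and all attached EBS volumes encrypted"


def build_evaluation(item, approved_amis, volume_encrypted):
    """One entry of the Evaluations list that a custom Config rule passes to PutEvaluations."""
    compliance, annotation = evaluate_instance(item, approved_amis, volume_encrypted)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],       # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def instances_to_terminate(items, approved_amis, volume_encrypted):
    """What the termination Lambda from option B would act on: the IDs of every
    non-compliant instance. The ec2.terminate_instances call is left to the caller."""
    return [i["resourceId"] for i in items
            if evaluate_instance(i, approved_amis, volume_encrypted)[0] == "NON_COMPLIANT"]
```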
Question 10
A company has several Customer Master Keys (CMK), some of which have imported key material. Each CMK must be rotated annually.
What two methods can the security team use to rotate each key? Select 2 answers from the options given below
A. Enable automatic key rotation for a CMK
B. Import new key material to an existing CMK
C. Use the CLI or console to explicitly rotate an existing CMK
D. Import new key material to a new CMK; Point the key alias to the new CMK.
E. Delete an existing CMK and a new default CMK will be created.
Answer: A, D
Explanation:
The AWS Documentation mentions the following
When you enable automatic key rotation for a customer managed CMK, AWS KMS generates new cryptographic material for the CMK every year. AWS KMS also saves the CMK's older cryptographic material so it can be used to decrypt data that it encrypted.
Because the new CMK is a different resource from the current CMK, it has a different key ID and ARN. When you change CMKs, you need to update references to the CMK ID or ARN in your applications. Aliases, which associate a friendly name with a CMK, make this process easier. Use an alias to refer to a CMK in your applications. Then, when you want to change the CMK that the application uses, change the target CMK of the alias.
Option B is invalid because importing new key material is not enough on its own; the key alias must also be pointed at the new CMK.
Option C is invalid because an existing CMK cannot be explicitly rotated from the CLI or console.
Option E is invalid because deleting an existing CMK does not guarantee that a new default CMK is created.
For more information on Key rotation please see the below Link:
https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
The correct answers are: Enable automatic key rotation for a CMK, Import new key material to a new CMK; Point the key alias to the new CMK.