What Realistic AWS-Certified-Security-Specialty Free Demo Is

NEW QUESTION 1
A company has launched an Amazon EC2 instance with an Amazon Elastic Block Store (Amazon EBS) volume in the us-east-1 Region The volume is encrypted with an AWS Key Management Service (AWS KMS) customer managed key that the company's security team created The security team has created an 1AM key policy and has assigned the policy to the key The security team has also created an 1AM instance profile and has assigned the profile to the instance
The EC2 instance will not start and transitions from the pending state to the shutting-down state to the terminated state
Which combination of steps should a security engineer take to troubleshoot this issue? (Select TWO )

• A. Verify that the KMS key policy specifies a deny statement that prevents access to the key by using the aws SourcelP condition key Check that the range includes the EC2 instance IP address that is associated with the EBS volume
• B. Verify that the KMS key that is associated with the EBS volume is set to the Symmetric key type
• C. Verify that the KMS key that is associated with the EBS volume is in the Enabled state
• D. Verify that the EC2 role that is associated with the instance profile has the correct 1AM instance policy to launch an EC2 instance with the EBS volume
• E. Verify that the key that is associated with the EBS volume has not expired and needs to be rotated

Answer: CD

Explanation:
To troubleshoot the issue of an EC2 instance failing to start and transitioning to a terminated state when it has an EBS volume encrypted with an AWS KMS customer managed key, a security engineer should take the following steps:
* C. Verify that the KMS key that is associated with the EBS volume is in the Enabled state. If the key is not enabled, it will not function properly and could cause the EC2 instance to fail.
* D. Verify that the EC2 role that is associated with the instance profile has the correct IAM instance policy to launch an EC2 instance with the EBS volume. If the instance does not have the necessary permissions, it may not be able to mount the volume and could cause the instance to fail.
Therefore, options C and D are the correct answers.

NEW QUESTION 2
A company wants to receive an email notification about critical findings in AWS Security Hub. The company does not have an existing architecture that supports this functionality.
Which solution will meet the requirement?

• A. Create an AWS Lambda function to identify critical Security Hub finding
• B. Create an Amazon Simple Notification Service (Amazon SNS) topic as the target of the Lambda functio
• C. Subscribe an email endpoint to the SNS topic to receive published messages.
• D. Create an Amazon Kinesis Data Firehose delivery strea
• E. Integrate the delivery stream with Amazon EventBridg
• F. Create an EventBridge rule that has a filter to detect critical Security Hub finding
• G. Configure the delivery stream to send the findings to an email address.
• H. Create an Amazon EventBridge rule to detect critical Security Hub finding
• I. Create an Amazon Simple Notification Service (Amazon SNS) topic as the target of the EventBridge rul
• J. Subscribe an email endpoint to the SNS topic to receive published messages.
• K. Create an Amazon EventBridge rule to detect critical Security Hub finding
• L. Create an Amazon Simple Email Service (Amazon SES) topic as the target of the EventBridge rul
• M. Use the Amazon SES API to format the messag
• N. Choose an email address to be the recipient of the message.

Answer: C

Explanation:
This solution meets the requirement of receiving an email notification about critical findings in AWS Security Hub. Amazon EventBridge is a serverless event bus that can receive events from AWS services and third-party sources, and route them to targets based on rules and filters. Amazon SNS is a fully managed pub/sub service that can send messages to various endpoints, such as email, SMS, mobile push, and HTTP. By creating an EventBridge rule that detects critical Security Hub findings and sends them to an SNS topic, the company can leverage the existing integration between these services and avoid writing custom code or managing servers. By subscribing an email endpoint to the SNS topic, the company can receive published messages in their inbox.

NEW QUESTION 3
A company uses Amazon GuardDuty. The company's security team wants all High severity findings to automatically generate a ticket in a third-party ticketing system through email integration.
Which solution will meet this requirement?

• A. Create a verified identity for the third-party ticketing email system in Amazon Simple Email Service (Amazon SES). Create an Amazon EventBridge rule that includes an event pattern that matches High severity GuardDuty finding
• B. Specify the SES identity as the target for the EventBridge rule.
• C. Create an Amazon Simple Notification Service (Amazon SNS) topi
• D. Subscribe the third-party ticketing email system to the SNS topi
• E. Create an Amazon EventBridge rule that includes an event pattern that matches High severity GuardDuty finding
• F. Specify the SNS topic as the target for the EventBridge rule.
• G. Use the GuardDuty CreateFilter API operation to build a filter in GuardDuty to monitor for High severity finding
• H. Export the results of the filter to an Amazon Simple Notification Service (Amazon SNS) topi
• I. Subscribe the third-party ticketing email system to the SNS topic.
• J. Use the GuardDuty CreateFilter API operation to build a filter in GuardDuty to monitor for High severity finding
• K. Create an Amazon Simple Notification Service (Amazon SNS) topi
• L. Subscribe the third-party ticketing email system to the SNS topi
• M. Create an Amazon EventBridge rule that includes an event pattern that matches GuardDuty findings that are selected by the filte
• N. Specify the SNS topic as the target for the EventBridge rule.

Answer: B

Explanation:
The correct answer is B. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the third-party ticketing email system to the SNS topic. Create an Amazon EventBridge rule that includes an event pattern that matches High severity GuardDuty findings. Specify the SNS topic as the target for the
Event-Bridge rule.
According to the AWS documentation1, you can use Amazon EventBridge to create rules that match events from GuardDuty and route them to targets such as Amazon SNS topics. You can use event patterns to filter events based on criteria such as severity, type, or resource. For example, you can create a rule that matches only High severity findings and sends them to an SNS topic that is subscribed by a third-party ticketing email system. This way, you can automate the creation of tickets for High severity findings and notify the security team.

NEW QUESTION 4
A company is using Amazon Elastic Container Service (Amazon ECS) to deploy an application that deals with sensitive data During a recent security audit, the company identified a security issue in which Amazon RDS credentials were stored with the application code In the company's source code repository
A security engineer needs to develop a solution to ensure that database credentials are stored securely and rotated periodically. The credentials should be accessible to the application only The engineer also needs to prevent database administrators from sharing database credentials as plaintext with other teammates. The solution must also minimize administrate overhead
Which solution meets these requirements?

• A. Use the IAM Systems Manager Parameter Store to generate database credential
• B. Use an IAM profile for ECS tasks to restrict access to database credentials to specific containers only.
• C. Use IAM Secrets Manager to store database credential
• D. Use an IAM inline policy for ECS tasks to restrict access to database credentials to specific containers only.
• E. Use the IAM Systems Manager Parameter Store to store database credential
• F. Use IAM roles for ECS tasks to restrict access to database credentials lo specific containers only
• G. Use IAM Secrets Manager to store database credential
• H. Use IAM roles for ECS tasks to restrict access to database credentials to specific containers only.

Answer: D

Explanation:
To ensure that database credentials are stored securely and rotated periodically, the security engineer should do the following:
Use AWS Secrets Manager to store database credentials. This allows the security engineer to encrypt and manage secrets centrally, and to configure automatic rotation schedules for them.
Use IAM roles for ECS tasks to restrict access to database credentials to specific containers only. This allows the security engineer to grant fine-grained permissions to ECS tasks based on their roles, and to avoid sharing credentials as plaintext with other teammates.

NEW QUESTION 5
A Security Architect has been asked to review an existing security architecture and identify why the application servers cannot successfully initiate a connection to the database servers. The following summary describes the architecture:
* 1 An Application Load Balancer, an internet gateway, and a NAT gateway are configured in the public subnet
* 2. Database, application, and web servers are configured on three different private subnets.
* 3 The VPC has two route tables: one for the public subnet and one for all other subnets The route table for the public subnet has a 0 0 0 0/0 route to the internet gateway The route table for all other subnets has a 0 0.0.0/0 route to the NAT gateway. All private subnets can route to each other
* 4 Each subnet has a network ACL implemented that limits all inbound and outbound connectivity to only the required ports and protocols
* 5 There are 3 Security Groups (SGs) database application and web Each group limits all inbound and outbound connectivity to the minimum required
Which of the following accurately reflects the access control mechanisms the Architect should verify1?

• A. Outbound SG configuration on database servers Inbound SG configuration on application servers inbound and outbound network ACL configuration on the database subnet Inbound and outbound network ACL configuration on the application server subnet
• B. Inbound SG configuration on database servers Outbound SG configuration on application serversInbound and outbound network ACL configuration on the database subnetInbound and outbound network ACL configuration on the application server subnet
• C. Inbound and outbound SG configuration on database servers Inbound and outbound SG configuration on application servers Inbound network ACL configuration on the database subnet Outbound network ACL configuration on the application server subnet
• D. Inbound SG configuration on database servers Outbound SG configuration on application servers Inbound network ACL configuration on the database subnet Outbound network ACL configuration on the application server subnet.

Answer: A

Explanation:
this is the accurate reflection of the access control mechanisms that the Architect should verify. Access control mechanisms are methods that regulate who can access what resources and how. Security groups and network ACLs are two types of access control mechanisms that can be applied to EC2 instances and subnets. Security groups are stateful, meaning they remember and return traffic that was previously allowed. Network ACLs are stateless, meaning they do not remember or return traffic that was previously allowed. Security groups and network ACLs can have inbound and outbound rules that specify the source, destination, protocol, and port of the traffic. By verifying the outbound security group configuration on database servers, the inbound security group configuration on application servers, and the inbound and outbound network ACL configuration on both the database and application server subnets, the Architect can check if there are any misconfigurations or conflicts that prevent the application servers from initiating a connection to the database servers. The other options are either inaccurate or incomplete for verifying the access control mechanisms.

NEW QUESTION 6
A company uses AWS Organizations. The company has teams that use an AWS CloudHSM hardware security module (HSM) that is hosted in a central AWS account. One of the teams creates its own new dedicated AWS account and wants to use the HSM that is hosted in the central account.
How should a security engineer share the HSM that is hosted in the central account with the new dedicated account?

• A. Use AWS Resource Access Manager (AWS RAM) to share the VPC subnet ID of the HSM that is hosted in the central account with the new dedicated accoun
• B. Configure the CloudHSM security group to accept inbound traffic from the private IP addresses of client instances in the new dedicated account.
• C. Use AWS Identity and Access Management (IAM) to create a cross-account rote to access the CloudHSM cluster that is in the central account Create a new IAM user in the new dedicated account Assign the cross-account rote to the new IAM user.
• D. Use AWS 1AM Identity Center (AWS Single Sign-On) to create an AWS Security Token Service (AWS STS) token to authenticate from the new dedicated account to the central accoun
• E. Use thecross-account permissions that are assigned to the STS token to invoke an operation on the HSM in thecentral account.
• F. Use AWS Resource Access Manager (AWS RAM) to share the ID of the HSM that is hosted in the central account with the new dedicated accoun
• G. Configure the CloudHSM security group to accept inbound traffic from the private IP addresses of client instances in the new dedicated account.

Answer: A

Explanation:
https://aws.amazon.com/premiumsupport/knowledge-center/cloudhsm-share-clusters/#:~:text=In%20the%20nav

NEW QUESTION 7
A company has an AWS account that hosts a production application. The company receives an email notification that Amazon GuardDuty has detected an Impact:lAMUser/AnomalousBehavior finding in the account. A security engineer needs to run the investigation playbook for this security incident and must collect and analyze the information without affecting the application.
Which solution will meet these requirements MOST quickly?

• A. Log in to the AWS account by using read-only credential
• B. Review the GuardDuty finding for details about the IAM credentials that were use
• C. Use the IAM console to add a DenyAll policy to the IAM principal.
• D. Log in to the AWS account by using read-only credential
• E. Review the GuardDuty finding to determine which API calls initiated the findin
• F. Use Amazon Detective to review the API calls in context.
• G. Log in to the AWS account by using administrator credential
• H. Review the GuardDuty finding for details about the IAM credentials that were use
• I. Use the IAM console to add a DenyAll policy to the IAM principal.
• J. Log in to the AWS account by using read-only credential
• K. Review the GuardDuty finding to determinewhich API calls initiated the findin
• L. Use AWS CloudTrail Insights and AWS CloudTrail Lake to review the API calls in context.

Answer: B

Explanation:
This answer is correct because logging in with read-only credentials minimizes the risk of accidental or malicious changes to the AWS account. Reviewing the GuardDuty finding can help identify which API calls initiated the finding and which IAM principal was involved. Using Amazon Detective can help analyze and visualize the API calls in context, such as which resources were affected, which IP addresses were used, and how the activity deviated from normal patterns. Amazon Detective can also help identify related findings from other sources, such as AWS Config or AWS Audit Manager.

NEW QUESTION 8
A company deployed Amazon GuardDuty In the us-east-1 Region. The company wants all DNS logs that relate to the company's Amazon EC2 instances to be inspected. What should a security engineer do to ensure that the EC2 instances are logged?

• A. Use IPv6 addresses that are configured for hostnames.
• B. Configure external DNS resolvers as internal resolvers that are visible only to IAM.
• C. Use IAM DNS resolvers for all EC2 instances.
• D. Configure a third-party DNS resolver with logging for all EC2 instances.

Answer: C

Explanation:
To ensure that the EC2 instances are logged, the security engineer should do the following:
Use AWS DNS resolvers for all EC2 instances. This allows the security engineer to use
Amazon-provided DNS servers that resolve public DNS hostnames to private IP addresses within their VPC, and that log DNS queries in Amazon CloudWatch Logs.

NEW QUESTION 9
A security engineer is designing an IAM policy for a script that will use the AWS CLI. The script currently assumes an IAM role that is attached to three AWS managed IAM policies: AmazonEC2FullAccess, AmazonDynamoDBFullAccess, and Ama-zonVPCFullAccess.
The security engineer needs to construct a least privilege IAM policy that will replace the AWS managed IAM policies that are attached to this role.
Which solution will meet these requirements in the MOST operationally efficient way?

• A. In AWS CloudTrail, create a trail for management event
• B. Run the script with the existing AWS managed IAM policie
• C. Use IAM Access Analyzer to generate a new IAM policy that is based on access activity in the trai
• D. Replace the existing AWS managed IAM policies with the generated IAM poli-cy for the role.
• E. Remove the existing AWS managed IAM policies from the rol
• F. Attach the IAM Access Analyzer Role Policy Generator to the rol
• G. Run the scrip
• H. Return to IAM Access Analyzer and generate a least privilege IAM polic
• I. Attach the new IAM policy to the role.
• J. Create an account analyzer in IAM Access Analyze
• K. Create an archive rule that has a filter that checks whether the PrincipalArn value matches the ARN of the rol
• L. Run the scrip
• M. Remove the existing AWS managed IAM poli-cies from the role.
• N. In AWS CloudTrail, create a trail for management event
• O. Remove the exist-ing AWS managed IAM policies from the rol
• P. Run the scrip
• Q. Find the au-thorization failure in the trail event that is associated with the scrip
• R. Create a new IAM policy that includes the action and resource that caused the authorization failur
• S. Repeat the process until the script succeed
• T. Attach the new IAM policy to the role.

Answer: A

NEW QUESTION 10
A company deploys a distributed web application on a fleet of Amazon EC2 instances. The fleet is behind an Application Load Balancer (ALB) that will be configured to terminate the TLS connection. All TLS traffic to the ALB must stay secure, even if the certificate private key is compromised.
How can a security engineer meet this requirement?

• A. Create an HTTPS listener that uses a certificate that is managed by IAM Certificate Manager (ACM).
• B. Create an HTTPS listener that uses a security policy that uses a cipher suite with perfect toward secrecy (PFS).
• C. Create an HTTPS listener that uses the Server Order Preference security feature.
• D. Create a TCP listener that uses a custom security policy that allows only cipher suites with perfect forward secrecy (PFS).

Answer: A

NEW QUESTION 11
A company hosts a web application on an Apache web server. The application runs on Amazon EC2 instances that are in an Auto Scaling group. The company configured the EC2 instances to send the Apache web server logs to an Amazon CloudWatch Logs group that the company has configured to expire after 1 year.
Recently, the company discovered in the Apache web server logs that a specific IP address is sending suspicious requests to the web application. A security engineer wants to analyze the past week of Apache web server logs to determine how many requests that the IP address sent and the corresponding URLs that the IP address requested.
What should the security engineer do to meet these requirements with the LEAST effort?

• A. Export the CloudWatch Logs group data to Amazon S3. Use Amazon Macie to query the logs for the specific IP address and the requested URLs.
• B. Configure a CloudWatch Logs subscription to stream the log group to an Am-azon OpenSearch Service cluste
• C. Use OpenSearch Service to analyze the logs for the specific IP address and the requested URLs.
• D. Use CloudWatch Logs Insights and a custom query syntax to analyze the CloudWatch logs for the specific IP address and the requested URLs.
• E. Export the CloudWatch Logs group data to Amazon S3. Use AWS Glue to crawl the S3 bucket for only the log entries that contain the specific IP ad-dres
• F. Use AWS Glue to view the results.

Answer: C

NEW QUESTION 12
A company has an AWS account that includes an Amazon S3 bucket. The S3 bucket uses server-side encryption with AWS KMS keys (SSE-KMS) to encrypt all the objects at rest by using a customer managed key. The S3 bucket does not have a bucket policy.
An IAM role in the same account has an IAM policy that allows s3 List* and s3 Get' permissions for the S3 bucket. When the IAM role attempts to access an object in the S3 bucket the role receives an access denied message.
Why does the IAM rote not have access to the objects that are in the S3 bucket?

• A. The IAM rote does not have permission to use the KMS CreateKey operation.
• B. The S3 bucket lacks a policy that allows access to the customer managed key that encrypts the objects.
• C. The IAM rote does not have permission to use the customer managed key that encrypts the objects that are in the S3 bucket.
• D. The ACL of the S3 objects does not allow read access for the objects when the objects ace encrypted at rest.

Answer: C

Explanation:
When using server-side encryption with AWS KMS keys (SSE-KMS), the requester must have both Amazon S3 permissions and AWS KMS permissions to access the objects. The Amazon S3 permissions are for the bucket and object operations, such as s3:ListBucket and s3:GetObject. The AWS KMS permissions are for the key operations, such as kms:GenerateDataKey and kms:Decrypt. In this case, the IAM role has the necessary Amazon S3 permissions, but not the AWS KMS permissions to use the customer managed key that encrypts the objects. Therefore, the IAM role receives an access denied message when trying to access the objects. Verified References:
https://docs.aws.amazon.com/AmazonS3/latest/userguide/troubleshoot-403-errors.html
https://repost.aws/knowledge-center/s3-access-denied-error-kms
https://repost.aws/knowledge-center/cross-account-access-denied-error-s3

NEW QUESTION 13
A company is operating a website using Amazon CloudFornt. CloudFront servers some content from Amazon S3 and other from web servers running EC2 instances behind an Application. Load Balancer (ALB). Amazon DynamoDB is used as the data store. The company already uses IAM Certificate Manager (ACM) to store a public TLS certificate that can optionally secure connections between the website users and CloudFront. The company has a new requirement to enforce end-to-end encryption in transit.
Which combination of steps should the company take to meet this requirement? (Select THREE.)

• A. Update the CloudFront distributio
• B. configuring it to optionally use HTTPS when connecting to origins on Amazon S3
• C. Update the web application configuration on the web servers to use HTTPS instead of HTTP when connecting to DynamoDB
• D. Update the CloudFront distribution to redirect HTTP corrections to HTTPS
• E. Configure the web servers on the EC2 instances to listen using HTTPS using the public ACM TLS certificate Update the ALB to connect to the target group using HTTPS
• F. Update the ALB listen to listen using HTTPS using the public ACM TLS certificat
• G. Update the CloudFront distribution to connect to the HTTPS listener.
• H. Create a TLS certificate Configure the web servers on the EC2 instances to use HTTPS only with that certificat
• I. Update the ALB to connect to the target group using HTTPS.

Answer: BCE

Explanation:
To enforce end-to-end encryption in transit, the company should do the following:
Update the web application configuration on the web servers to use HTTPS instead of HTTP when connecting to DynamoDB. This ensures that the data is encrypted when it travels from the web servers to the data store.
Update the CloudFront distribution to redirect HTTP requests to HTTPS. This ensures that the viewers always use HTTPS when they access the website through CloudFront.
Update the ALB to listen using HTTPS using the public ACM TLS certificate. Update the CloudFront distribution to connect to the HTTPS listener. This ensures that the data is encrypted when it travels from CloudFront to the ALB and from the ALB to the web servers.

NEW QUESTION 14
A company uses a third-party application to store encrypted data in Amazon S3. The company uses another third-party application trial decrypts the data from Amazon S3 to ensure separation of duties Between the applications A Security Engineer warns to separate the permissions using IAM roles attached to Amazon EC2 instances. The company prefers to use native IAM services.
Which encryption method will meet these requirements?

• A. Use encrypted Amazon EBS volumes with Amazon default keys (IAM EBS)
• B. Use server-side encryption with customer-provided keys (SSE-C)
• C. Use server-side encryption with IAM KMS managed keys (SSE-KMS)
• D. Use server-side encryption with Amazon S3 managed keys (SSE-S3)

Answer: C

NEW QUESTION 15
A company is attempting to conduct forensic analysis on an Amazon EC2 instance, but the company is unable to connect to the instance by using AWS Systems Manager Session Manager. The company has installed AWS Systems Manager Agent (SSM Agent) on the EC2 instance.
The EC2 instance is in a subnet in a VPC that does not have an internet gateway attached. The company has associated a security group with the EC2 instance. The security group does not have inbound or outbound rules. The subnet's network ACL allows all inbound and outbound traffic.
Which combination of actions will allow the company to conduct forensic analysis on the EC2 instance without compromising forensic data? (Select THREE.)

• A. Update the EC2 instance security group to add a rule that allows outbound traffic on port 443 for 0.0.0.0/0.
• B. Update the EC2 instance security group to add a rule that allows inbound traffic on port 443 to the VPC's CIDR range.
• C. Create an EC2 key pai
• D. Associate the key pair with the EC2 instance.
• E. Create a VPC interface endpoint for Systems Manager in the VPC where the EC2 instance is located.
• F. Attach a security group to the VPC interface endpoin
• G. Allow inbound traffic on port 443 to the VPC's CIDR range.
• H. Create a VPC interface endpoint for the EC2 instance in the VPC where the EC2 instance is located.

Answer: BCF

NEW QUESTION 16
......