Free AWS-Certified-Security-Specialty Exam Braindumps

Pass your Amazon AWS Certified Security - Specialty exam with these free Questions and Answers

Page 10 of 118
QUESTION 41

- (Exam Topic 2)
Which of the following are valid event sources that are associated with web access control lists that trigger AWS WAF rules? (Choose two.)

  1. A. Amazon S3 static web hosting
  2. B. Amazon CloudFront distribution
  3. C. Application Load Balancer
  4. D. Amazon Route 53
  5. E. VPC Flow Logs

Correct Answer: BC
A web access control list (web ACL) gives you fine-grained control over the web requests that your Amazon API Gateway API, Amazon CloudFront distribution or Application Load Balancer responds to.

QUESTION 42

- (Exam Topic 2)
A threat assessment has identified a risk whereby an internal employee could exfiltrate sensitive data from a production host running inside AWS (Account 1). The threat was documented as follows:
Threat description: A malicious actor could upload sensitive data from Server X by configuring credentials for an AWS account (Account 2) they control and uploading data to an Amazon S3 bucket within their control.
Server X has outbound internet access configured via a proxy server. Legitimate access to S3 is required so that the application can upload encrypted files to an S3 bucket. Server X is currently using an IAM instance role. The proxy server is not able to inspect any of the server communication due to TLS encryption.
Which of the following options will mitigate the threat? (Choose two.)

  1. A. Bypass the proxy and use an S3 VPC endpoint with a policy that whitelists only certain S3 buckets within Account 1.
  2. B. Block outbound access to public S3 endpoints on the proxy server.
  3. C. Configure Network ACLs on Server X to deny access to S3 endpoints.
  4. D. Modify the S3 bucket policy for the legitimate bucket to allow access only from the public IP addresses associated with the application server.
  5. E. Remove the IAM instance role from the application server and save API access keys in a trusted and encrypted application config file.

Correct Answer: AB
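The two correct options work together: the S3 gateway VPC endpoint policy restricts which buckets Server X can reach through the endpoint, and blocking public S3 endpoints on the proxy removes the alternative path to a bucket in Account 2. The following added example (not part of the original page or of AWS documentation) models that endpoint policy and a simplified evaluator for it. The bucket name `example-account1-uploads` is a constructed placeholder, and the evaluator only implements the explicit-deny / explicit-allow / implicit-deny ordering for `Action` and `Resource` patterns; real evaluation happens inside AWS and also considers conditions and principals.

```python
"""Model of an S3 gateway VPC endpoint policy and a simplified evaluator (added example)."""
import fnmatch

# Constructed placeholder: the only bucket Server X legitimately uploads to (Account 1).
LEGIT_BUCKET = "example-account1-uploads"

# Endpoint policy attached to the S3 gateway endpoint. Anything not explicitly
# allowed is implicitly denied, so a bucket owned by Account 2 never matches.
ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowOnlyAccount1Buckets",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
            "Resource": [
                f"arn:aws:s3:::{LEGIT_BUCKET}",
                f"arn:aws:s3:::{LEGIT_BUCKET}/*",
            ],
        }
    ],
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM-style wildcard match ('*' and '?'); fnmatch is a close enough approximation here."""
    return fnmatch.fnmatchcase(value, pattern)


def endpoint_allows(policy, action, resource_arn):
    """Simplified endpoint policy evaluation.

    An explicit Deny on a matching statement wins immediately; otherwise the
    request is allowed only if some Allow statement matches both the action
    and the resource. With no match at all the result is the implicit deny.
    """
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource_arn) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def attempted_upload(bucket, key="export.bin"):
    """Would a PutObject from Server X to this bucket pass the endpoint policy?"""
    return endpoint_allows(ENDPOINT_POLICY, "s3:PutObject", f"arn:aws:s3:::{bucket}/{key}")


if __name__ == "__main__":
    # Legitimate application upload goes through; an attacker-owned bucket is blocked.
    print("legit bucket:", attempted_upload(LEGIT_BUCKET))
    print("attacker bucket:", attempted_upload("attacker-controlled-bucket"))
```

The endpoint policy only governs traffic that actually traverses the endpoint. If Server X could still reach the public S3 endpoints through the proxy, the policy would be bypassed, which is why option B is required alongside option A. Note also that a bucket in Account 1 whose name is not in the allow list is denied too; the policy should be extended for each legitimate bucket rather than widened with a bare `arn:aws:s3:::*`.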

QUESTION 43

- (Exam Topic 2)
Your company is planning on hosting an internal network in AWS. They want machines in the VPC to authenticate using private certificates, and they want to minimize the work and maintenance involved in handling certificates. What is the ideal way to fulfil this requirement?
Please select:

  1. A. Consider using Windows Server 2016 Certificate Manager
  2. B. Consider using AWS Certificate Manager
  3. C. Consider using AWS Access keys to generate the certificates
  4. D. Consider using AWS Trusted Advisor for managing the certificates

Correct Answer: B
The AWS Documentation mentions the following:
ACM is tightly linked with AWS Certificate Manager Private Certificate Authority. You can use ACM PCA to create a private certificate authority (CA) and then use ACM to issue private certificates. These are SSL/TLS X.509 certificates that identify users, computers, applications, services, servers, and other devices internally. Private certificates cannot be publicly trusted.
Option A is partially invalid. Windows Server 2016 Certificate Manager can be used, but since there is a requirement to "minimize the work and maintenance", AWS Certificate Manager should be used.
Options C and D are invalid because these cannot be used for managing certificates. For more information on ACM, please visit the below URL: https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html
The correct answer is: Consider using AWS Certificate Manager

QUESTION 44

- (Exam Topic 1)
After a recent security audit involving Amazon S3, a company has asked for assistance reviewing its S3 buckets to determine whether data is properly secured. The first S3 bucket on the list has the following bucket policy.
[Exhibit: image of the bucket policy, not included in this text]
Is this bucket policy sufficient to ensure that the data is not publicly accessible?

  1. A. Yes, the bucket policy makes the whole bucket publicly accessible despite how the S3 bucket ACL or object ACLs are configured.
  2. B. Yes, none of the data in the bucket is publicly accessible, regardless of how the S3 bucket ACL and object ACLs are configured.
  3. C. No, the IAM user policy would need to be examined first to determine whether any data is publicly accessible.
  4. D. No, the S3 bucket ACL and object ACLs need to be examined first to determine whether any data is publicly accessible.

Correct Answer: A

QUESTION 45

- (Exam Topic 3)
Your organization is preparing for a security assessment of your use of AWS. In preparation for this assessment, which three IAM best practices should you consider implementing?
Please select:

  1. A. Create individual IAM users
  2. B. Configure MFA on the root account and for privileged IAM users
  3. C. Assign IAM users and groups configured with policies granting least privilege access
  4. D. Ensure all users have been assigned and are frequently rotating a password, access ID/secret key, and X.509 certificate

Correct Answer: ABC
When you go to the security dashboard, the security status will show the best practices for initiating the first level of security.
[Exhibit: image of the IAM security status dashboard, not included in this text]
Option D is invalid because, as per the dashboard, this is not part of the security recommendation. For more information on best security practices please visit the URL:
https://aws.amazon.com/whitepapers/aws-security-best-practices
The correct answers are: Create individual IAM users, Configure MFA on the root account and for privileged IAM users, Assign IAM users and groups configured with policies granting least privilege access