Free AWS-Certified-Security-Specialty Exam Braindumps

Pass your Amazon AWS Certified Security - Specialty exam with these free Questions and Answers

Page 13 of 118
QUESTION 56

- (Exam Topic 3)
Your company has the following setup in AWS
* a. A set of EC2 Instances hosting a web application
* b. An application load balancer placed in front of the EC2 Instances
There seems to be a set of malicious requests coming from a set of IP addresses. Which of the following can be used to protect against these requests?
Please select:

  1. A. Use Security Groups to block the IP addresses
  2. B. Use VPC Flow Logs to block the IP addresses
  3. C. Use Amazon Inspector to block the IP addresses
  4. D. Use AWS WAF to block the IP addresses

Correct Answer: D
The AWS documentation describes AWS WAF, which protects Application Load Balancers and Amazon CloudFront distributions, as follows:
A web access control list (web ACL) gives you fine-grained control over the web requests that your Amazon CloudFront distributions or Application Load Balancers respond to. You can allow or block requests that:
* originate from an IP address or a range of IP addresses
* originate from a specific country or countries
* contain a specified string or match a regular expression (regex) pattern in a particular part of the request
* exceed a specified length
* appear to contain malicious SQL code (SQL injection)
* appear to contain malicious scripts (cross-site scripting)
Option A is invalid because security group rules can only allow traffic; there is no deny rule, so a security group cannot block a chosen set of source addresses while still admitting the rest of the internet to a public web application.
Options B and C are invalid because VPC Flow Logs only record traffic and Amazon Inspector only assesses instances for vulnerabilities; neither can block IP addresses.
For information on AWS WAF, see: https://docs.aws.amazon.com/waf/latest/developerguide/web-acl.html
The correct answer is: Use AWS WAF to block the IP addresses.
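The blocking step in practice, as an added example that is not part of the original page: AWS WAF IP sets (the wafv2 API) only accept CIDR entries, so a list of addresses copied from an incident ticket has to be normalised (single hosts become /32 or /128, duplicates and junk removed) before it goes into CreateIPSet, and the web ACL then needs a rule that references the IP set with a Block action. The addresses, names and ARN below are constructed or assumed.

```python
"""Build the IP set addresses and the blocking rule for an AWS WAF web ACL.

Added example, not code from the original page. AWS WAF (the wafv2 API) only
accepts IP set entries in CIDR notation, so a single host must be written as
/32 (IPv4) or /128 (IPv6). The source addresses, ARN and names below are
constructed or assumed for illustration.
"""
import ipaddress

# Ranges that should never end up in a public-facing block list by accident.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

# Constructed: addresses as they might be pasted from an incident ticket.
SUSPECT_SOURCES = [
    "203.0.113.12",
    "203.0.113.12",      # duplicate, must collapse
    "198.51.100.0/24",
    "2001:db8::1",
    "256.1.1.1",         # malformed, must be reported, not silently dropped
    "10.0.0.0/8",        # private range, almost certainly a mistake
]


def normalize_addresses(sources):
    """Return (ipv4_cidrs, ipv6_cidrs, rejected) ready for CreateIPSet.

    Valid entries become canonical CIDR strings (hosts get /32 or /128),
    duplicates collapse and the lists are sorted so re-running the same
    input yields the same IP set. Entries that do not parse or that fall in
    a non-public range are returned with a reason instead of being dropped,
    because WAF rejects the whole call on a single bad address.
    """
    v4, v6, rejected = set(), set(), []
    for raw in sources:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            rejected.append((raw, "not an IP address or CIDR block"))
            continue
        if any(net.subnet_of(b) for b in NON_PUBLIC if b.version == net.version):
            rejected.append((raw, "non-public range"))
            continue
        (v4 if net.version == 4 else v6).add(str(net))
    return sorted(v4), sorted(v6), rejected


def block_rule(ip_set_arn, priority=0, name="block-suspect-sources",
               forwarded_header=None):
    """Return a wafv2 Rule that blocks requests whose source is in the IP set.

    The dict goes into the Rules list of CreateWebACL/UpdateWebACL. For an
    Application Load Balancer the IP set and web ACL must use Scope=REGIONAL
    in the ALB's region. If a proxy or CDN sits in front of the ALB, the
    connection's source IP is the proxy's, so match on the client address in
    the forwarded header instead (forwarded_header="X-Forwarded-For").
    """
    statement = {"ARN": ip_set_arn}
    if forwarded_header:
        statement["IPSetForwardedIPConfig"] = {
            "HeaderName": forwarded_header,
            # NO_MATCH: a request without the header is not treated as blocked.
            "FallbackBehavior": "NO_MATCH",
            # FIRST: the left-most address is the client; later ones are proxies.
            "Position": "FIRST",
        }
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"IPSetReferenceStatement": statement},
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


if __name__ == "__main__":
    v4, v6, rejected = normalize_addresses(SUSPECT_SOURCES)
    print("IPv4 IP set Addresses:", v4)
    print("IPv6 IP set Addresses:", v6)
    for raw, why in rejected:
        print(f"skipped {raw!r}: {why}")
    # Assumed ARN of an IP set created from the IPv4 addresses above.
    print(block_rule("arn:aws:wafv2:us-east-1:123456789012:regional/ipset/"
                     "suspect-v4/00000000-0000-0000-0000-000000000000",
                     forwarded_header="X-Forwarded-For"))
```

The two returned address lists are the `Addresses` parameter of separate IPv4 and IPv6 `create_ip_set` calls (an IP set holds one address family), and the rule dict is one entry of `Rules` in `create_web_acl`. Only use the forwarded-header variant when the ALB is reached exclusively through a proxy you control: the left-most X-Forwarded-For value is whatever the client sent unless the proxy overwrites it, so a direct client can forge it.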

QUESTION 57

- (Exam Topic 1)
A company has a VPC with several Amazon EC2 instances behind a NAT gateway. The company's security policy states that all network traffic must be logged and must include the original source and destination IP addresses. The existing VPC Flow Logs do not include this information. A security engineer needs to recommend a solution.
Which combination of steps should the security engineer recommend? (Select TWO )

  1. A. Edit the existing VPC Flow Log
  2. B. Change the log format of the VPC Flow Logs from the Amazon default format to a custom format.
  3. C. Delete and recreate the existing VPC Flow Log
  4. D. Change the destination to Amazon CloudWatch Logs.
  5. E. Include the pkt-srcaddr and pkt-dstaddr fields in the log format.
  6. F. Include the subnet-id and instance-id fields in the log format.

Correct Answer: CE
A flow log's record format cannot be changed after it is created, so the existing flow log has to be deleted and recreated with a custom format that includes the packet-level address fields. In the default format, srcaddr and dstaddr are the addresses as seen at the logged network interface, so for traffic through a NAT gateway one side of the flow appears as the NAT gateway's private IP address; pkt-srcaddr and pkt-dstaddr carry the original source and destination addresses of the packet. Changing the destination (D) or adding subnet-id and instance-id (F) does not add that information.
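What the custom format gives you, as an added example that is not part of the original page: a check that a flow log's format string satisfies the "original source and destination" policy (run it over the `LogFormat` of each entry returned by `aws ec2 describe-flow-logs`), and a reader for custom-format records that recovers the real endpoints of flows rewritten by a NAT gateway. `LOG_FORMAT` is the string that goes to `--log-format` on `aws ec2 create-flow-logs` (`LogFormat` in boto3). The interface ID, addresses and records are constructed.

```python
"""Check that a VPC Flow Log format records the original packet addresses,
and read custom-format records to recover endpoints hidden behind a NAT
gateway.

Added example, not code from the original page. LOG_FORMAT is the string
passed as --log-format to `aws ec2 create-flow-logs` (LogFormat in boto3);
DEFAULT_FORMAT is what a flow log gets when no format is specified. The
sample records, interface ID and addresses are constructed.
"""
import re

DEFAULT_FORMAT = ("${version} ${account-id} ${interface-id} ${srcaddr} "
                  "${dstaddr} ${srcport} ${dstport} ${protocol} ${packets} "
                  "${bytes} ${start} ${end} ${action} ${log-status}")

# The default fields plus the packet-level addresses: srcaddr/dstaddr are the
# addresses as seen at the logged interface, pkt-srcaddr/pkt-dstaddr are the
# addresses carried in the packet itself.
LOG_FORMAT = DEFAULT_FORMAT + " ${pkt-srcaddr} ${pkt-dstaddr}"

REQUIRED_FOR_POLICY = {"pkt-srcaddr", "pkt-dstaddr"}


def fields_of(log_format):
    """Field names in a ${field} format string, in order."""
    return re.findall(r"\$\{([^}]+)\}", log_format)


def policy_compliant(log_format):
    """True if the format carries the original source and destination
    addresses the logging policy requires."""
    return REQUIRED_FOR_POLICY <= set(fields_of(log_format))


def parse_records(text, log_format=LOG_FORMAT):
    """Split records into dicts keyed by field name. Files delivered to S3
    start with a header line naming the fields; it is skipped."""
    fields = fields_of(log_format)
    records = []
    for line in text.splitlines():
        values = line.split()
        if not values or values == fields:
            continue
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def translated_flows(records):
    """Records whose interface-level addresses differ from the packet-level
    ones, i.e. traffic that an intermediate such as a NAT gateway rewrote.
    Returns (seen_src, seen_dst, original_src, original_dst) tuples."""
    out = []
    for r in records:
        seen = (r["srcaddr"], r["dstaddr"])
        orig = (r["pkt-srcaddr"], r["pkt-dstaddr"])
        if seen != orig:
            out.append(seen + orig)
    return out


# Constructed records from the NAT gateway's network interface (assumed
# private address 10.0.0.220): an instance at 10.0.1.5 in a private subnet
# talks to 203.0.113.5 on the internet. On the instance-facing legs the
# default fields show the NAT gateway as the peer; only pkt-* carry the
# real remote address. The third record is a leg that was not rewritten.
SAMPLE_RECORDS = """\
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status pkt-srcaddr pkt-dstaddr
3 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.5 10.0.0.220 43210 443 6 8 1200 1700000000 1700000060 ACCEPT OK 10.0.1.5 203.0.113.5
3 123456789012 eni-0a1b2c3d4e5f67890 10.0.0.220 10.0.1.5 443 43210 6 6 900 1700000000 1700000060 ACCEPT OK 203.0.113.5 10.0.1.5
3 123456789012 eni-0a1b2c3d4e5f67890 10.0.0.220 203.0.113.5 43210 443 6 8 1200 1700000000 1700000060 ACCEPT OK 10.0.0.220 203.0.113.5
"""

if __name__ == "__main__":
    print("default format meets policy:", policy_compliant(DEFAULT_FORMAT))
    print("custom format meets policy:", policy_compliant(LOG_FORMAT))
    for seen_src, seen_dst, orig_src, orig_dst in translated_flows(parse_records(SAMPLE_RECORDS)):
        print(f"{seen_src} -> {seen_dst} was really {orig_src} -> {orig_dst}")
```

Because the format is fixed at creation, `policy_compliant` returning False for an existing flow log means delete and recreate, not edit; the same parser works for the default format by passing `DEFAULT_FORMAT`, but `translated_flows` then has nothing to compare, which is exactly the gap the question describes.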

QUESTION 58

- (Exam Topic 2)
A Security Engineer must design a solution that enables the Incident Response team to audit for changes to a user’s IAM permissions in the case of a security incident.
How can this be accomplished?

  1. A. Use AWS Config to review the IAM policy assigned to users before and after the incident.
  2. B. Run the GenerateCredentialReport via the AWS CLI, and copy the output to Amazon S3 daily for auditing purposes.
  3. C. Copy AWS CloudFormation templates to S3, and audit for changes from the template.
  4. D. Use Amazon EC2 Systems Manager to deploy images, and review AWS CloudTrail logs for changes.

Correct Answer: A
https://aws.amazon.com/blogs/security/how-to-record-and-govern-your-iam-resource-configurations-using-aws
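The before-and-after comparison in practice, as an added example that is not part of the original page: AWS Config records every change to an AWS::IAM::User as a configuration item, so the response team can pull the item history (for example with `aws configservice get-resource-config-history --resource-type AWS::IAM::User --resource-id <user-id>`) and diff the item from before the incident against the one after. The two configuration items below are constructed and carry only the fields the comparison uses; the user, group, policy names and ARNs are assumed.

```python
"""Compare two AWS Config configuration items for an IAM user and report
what changed in the user's permissions.

Added example, not code from the original page. The BEFORE and AFTER items
are constructed; only the fields the comparison needs are present.
"""
import json
from urllib.parse import unquote


def _configuration(item):
    """'configuration' is a dict in the console/SDK and a JSON string in
    `aws configservice get-resource-config-history` output."""
    cfg = item["configuration"]
    return json.loads(cfg) if isinstance(cfg, str) else cfg


def _policy_document(entry):
    """Inline policy documents are recorded URL-encoded, as the IAM API
    returns them; an already decoded dict is accepted too."""
    doc = entry["policyDocument"]
    return json.loads(unquote(doc)) if isinstance(doc, str) else doc


def _as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value)


def grants_full_admin(document):
    """True if any Allow statement grants every action on every resource."""
    for stmt in _as_list(document.get("Statement", [])):
        if (stmt.get("Effect") == "Allow"
                and "*" in _as_list(stmt.get("Action", []))
                and "*" in _as_list(stmt.get("Resource", []))):
            return True
    return False


def _boundary(cfg):
    return (cfg.get("permissionsBoundary") or {}).get("permissionsBoundaryArn")


def diff_permissions(before, after):
    """Changes in groups, managed policies, inline policies and the
    permissions boundary between two configuration items of one user."""
    b, a = _configuration(before), _configuration(after)
    b_managed = {p["policyArn"] for p in b.get("attachedManagedPolicies", [])}
    a_managed = {p["policyArn"] for p in a.get("attachedManagedPolicies", [])}
    b_inline = {p["policyName"]: _policy_document(p) for p in b.get("userPolicyList", [])}
    a_inline = {p["policyName"]: _policy_document(p) for p in a.get("userPolicyList", [])}
    changed_inline = {n: d for n, d in a_inline.items() if b_inline.get(n) != d}
    return {
        "groups_added": sorted(set(a.get("groupList", [])) - set(b.get("groupList", []))),
        "groups_removed": sorted(set(b.get("groupList", [])) - set(a.get("groupList", []))),
        "managed_added": sorted(a_managed - b_managed),
        "managed_removed": sorted(b_managed - a_managed),
        "inline_added_or_changed": sorted(changed_inline),
        "inline_removed": sorted(set(b_inline) - set(a_inline)),
        "inline_granting_full_admin": sorted(n for n, d in changed_inline.items()
                                             if grants_full_admin(d)),
        "boundary_before": _boundary(b),
        "boundary_after": _boundary(a),
    }


# Constructed configuration items (assumed user, policies and ARNs).
BEFORE = {
    "resourceType": "AWS::IAM::User",
    "resourceId": "AIDAEXAMPLEBEFORE00",
    "configurationItemCaptureTime": "2024-01-10T08:00:00.000Z",
    "configuration": {
        "userName": "deploy-bot",
        "groupList": ["Deployers"],
        "attachedManagedPolicies": [
            {"policyName": "AmazonS3ReadOnlyAccess",
             "policyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"}],
        "userPolicyList": [],
        "permissionsBoundary": {
            "permissionsBoundaryType": "Policy",
            "permissionsBoundaryArn": "arn:aws:iam::123456789012:policy/DeployBoundary"},
    },
}
# The later item as the CLI returns it: configuration is a JSON string, the
# new inline policy is URL-encoded, and the boundary has been removed.
AFTER = {
    "resourceType": "AWS::IAM::User",
    "resourceId": "AIDAEXAMPLEBEFORE00",
    "configurationItemCaptureTime": "2024-01-11T02:17:00.000Z",
    "configuration": json.dumps({
        "userName": "deploy-bot",
        "groupList": ["Deployers"],
        "attachedManagedPolicies": [
            {"policyName": "AmazonS3ReadOnlyAccess",
             "policyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"},
            {"policyName": "AdministratorAccess",
             "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}],
        "userPolicyList": [
            {"policyName": "hotfix",
             "policyDocument": "%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A"
                               "%5B%7B%22Effect%22%3A%22Allow%22%2C%22Action%22%3A%22*%22"
                               "%2C%22Resource%22%3A%22*%22%7D%5D%7D"}],
    }),
}

if __name__ == "__main__":
    print(json.dumps(diff_permissions(BEFORE, AFTER), indent=2))
```

The report answers the incident-response questions directly: which managed policies were attached or detached, which inline policies appeared or changed and whether any of them is a blanket Allow, and whether the permissions boundary was removed. The same comparison works across any two items in the history, so the team can walk the timeline change by change rather than only comparing the endpoints.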

QUESTION 59

- (Exam Topic 1)
While securing the connection between a company's VPC and its on-premises data center, a Security Engineer sent a ping command from an on-premises host (IP address 203.0.113.12) to an Amazon EC2 instance (IP address 172.31.16.139). The ping command did not return a response. The flow log in the VPC showed the following:
2 123456789010 eni-1235b8ca 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK
2 123456789010 eni-1235b8ca 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK
What action should be performed to allow the ping to work?

  1. A. In the security group of the EC2 instance, allow inbound ICMP traffic.
  2. B. In the security group of the EC2 instance, allow outbound ICMP traffic.
  3. C. In the VPC's NACL, allow inbound ICMP traffic.
  4. D. In the VPC's NACL, allow outbound ICMP traffic.

Correct Answer: D
The flow log shows the ICMP echo request from 203.0.113.12 to 172.31.16.139 as ACCEPT and the echo reply from 172.31.16.139 back to 203.0.113.12 as REJECT. Security groups are stateful: once an inbound request is allowed, its reply is allowed regardless of the outbound security group rules, so options A and B cannot explain a rejected reply. Network ACLs are stateless and evaluate the reply against the subnet's outbound rules on its own; it is the reply that was rejected, so the missing rule is the outbound NACL rule for ICMP. The inbound NACL rules already admit the request, so option C would change nothing.
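The same diagnosis as detection logic over flow log records, as an added example that is not part of the original page: group records by flow regardless of direction, and flag any flow with an ACCEPT in one direction and a REJECT in the reverse, since a stateful security group would never reject the reply to an accepted request. The first two records are the ones shown in the question; the SSH pair is constructed to show a healthy flow, and `local_addrs` (the interface's own address, assumed to be 172.31.16.139) is what lets the code say whether the rejected reply was leaving or arriving.

```python
"""Find flows that a stateless filter rejected on the return path.

Added example, not code from the original page. Security groups are
stateful: once an inbound request is allowed, its reply is allowed whatever
the outbound rules say. Network ACLs are stateless: the reply is evaluated
against the outbound rules on its own. A REJECT record for the reverse
direction of an ACCEPTed flow therefore points at a network ACL (or a host
firewall), not the security group. The first two records are from the
question; the SSH pair is constructed.
"""
from collections import defaultdict

DEFAULT_FIELDS = ["version", "account-id", "interface-id", "srcaddr", "dstaddr",
                  "srcport", "dstport", "protocol", "packets", "bytes",
                  "start", "end", "action", "log-status"]
PROTOCOLS = {"1": "ICMP", "6": "TCP", "17": "UDP", "58": "ICMPv6"}

SAMPLE_LOG = """\
2 123456789010 eni-1235b8ca 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK
2 123456789010 eni-1235b8ca 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK
2 123456789010 eni-1235b8ca 203.0.113.12 172.31.16.139 49152 22 6 10 840 1432917100 1432917142 ACCEPT OK
2 123456789010 eni-1235b8ca 172.31.16.139 203.0.113.12 22 49152 6 9 2100 1432917100 1432917142 ACCEPT OK
"""


def parse_flow_log(text):
    """Default-format (v2) records as dicts. NODATA/SKIPDATA lines carry '-'
    in most fields and are dropped via the log-status check."""
    records = []
    for line in text.splitlines():
        values = line.split()
        if len(values) != len(DEFAULT_FIELDS):
            continue
        rec = dict(zip(DEFAULT_FIELDS, values))
        if rec["log-status"] == "OK":
            records.append(rec)
    return records


def flow_key(rec):
    """Direction-independent identity of a flow on one interface: both
    (address, port) endpoints, sorted, so request and reply share a key."""
    ends = sorted([(rec["srcaddr"], rec["srcport"]), (rec["dstaddr"], rec["dstport"])])
    return (rec["interface-id"], rec["protocol"], ends[0], ends[1])


def stateless_rejects(records, local_addrs=()):
    """Flows with an ACCEPT in one direction and a REJECT in the reverse.

    local_addrs: private addresses of the interface under investigation,
    used to say whether the rejected reply was leaving (egress) or arriving
    (ingress), which decides which network ACL rule set to look at.
    """
    by_flow = defaultdict(list)
    for rec in records:
        by_flow[flow_key(rec)].append(rec)

    findings = []
    for key, recs in by_flow.items():
        accepted = [r for r in recs if r["action"] == "ACCEPT"]
        rejected = [r for r in recs if r["action"] == "REJECT"]
        for a in accepted:
            for j in rejected:
                if (a["srcaddr"], a["dstaddr"]) != (j["dstaddr"], j["srcaddr"]):
                    continue
                # The accepted record must not start after the rejected one,
                # otherwise the rejected side was the initiator, not a reply.
                if int(j["start"]) < int(a["start"]):
                    continue
                if j["srcaddr"] in local_addrs:
                    direction, look_at = "egress", "outbound network ACL rules of the subnet"
                elif j["dstaddr"] in local_addrs:
                    direction, look_at = "ingress", "inbound network ACL rules of the subnet"
                else:
                    direction, look_at = "unknown", "network ACL rules of the subnet"
                findings.append({
                    "interface": key[0],
                    "protocol": PROTOCOLS.get(a["protocol"], a["protocol"]),
                    "initiator": a["srcaddr"],
                    "responder": a["dstaddr"],
                    "rejected_direction": direction,
                    "look_at": look_at,
                })
    return findings


if __name__ == "__main__":
    for f in stateless_rejects(parse_flow_log(SAMPLE_LOG), local_addrs={"172.31.16.139"}):
        print(f"{f['protocol']} {f['initiator']} -> {f['responder']} accepted, reply rejected "
              f"on {f['rejected_direction']}: check the {f['look_at']}")
```

On the question's records this reports one finding: the ICMP flow initiated by 203.0.113.12 had its reply rejected on egress, so the subnet's outbound network ACL is where to add the ICMP allow rule. A host firewall on the instance produces the same signature only if it drops traffic that has already left the guest; a drop inside the instance never reaches the interface and so never appears as a REJECT in the flow log.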

QUESTION 60

- (Exam Topic 2)
A company has complex connectivity rules governing ingress, egress, and communications between Amazon EC2 instances. The rules are so complex that they cannot be implemented within the limits of the maximum number of security groups and network access control lists (network ACLs).
What mechanism will allow the company to implement all required network rules without incurring additional cost?

  1. A. Configure AWS WAF rules to implement the required rules.
  2. B. Use the operating system built-in, host-based firewall to implement the required rules.
  3. C. Use a NAT gateway to control ingress and egress according to the requirements.
  4. D. Launch an EC2-based firewall product from the AWS Marketplace, and implement the required rules in that product.

Correct Answer: B
Security groups and network ACLs are subject to per-VPC quotas on rules and on the number of security groups per network interface. The operating system's built-in firewall (iptables/nftables on Linux, Windows Defender Firewall on Windows) enforces arbitrarily detailed rules on instances the company is already paying for, so it adds no cost. A Marketplace firewall appliance adds instance and licence charges, AWS WAF filters only HTTP(S) requests at supported front ends and is billed separately, and a NAT gateway performs address translation rather than rule-based filtering.

