Free AWS-Certified-Security-Specialty Exam Braindumps

Pass your Amazon AWS Certified Security - Specialty exam with these free Questions and Answers

Page 14 of 118
QUESTION 61

- (Exam Topic 2)
A Development team has asked for help configuring the IAM roles and policies in a new AWS account. The team using the account expects to have hundreds of master keys and therefore does not want to manage access control for customer master keys (CMKs).
Which of the following will allow the team to manage AWS KMS permissions in IAM without the complexity of editing individual key policies?

  1. A. The account’s CMK key policy must allow the account’s IAM roles to perform KMS EnableKey.
  2. B. Newly created CMKs must have a key policy that allows the root principal to perform all actions.
  3. C. Newly created CMKs must allow the root principal to perform the kms CreateGrant API operation.
  4. D. Newly created CMKs must mirror the IAM policy of the KMS key administrator.

Correct Answer: B
The default key policy that KMS attaches to a new CMK contains a single statement allowing the account's root principal (arn:aws:iam::<account-id>:root) to perform kms:* on the key. That statement is what lets IAM identity policies in the account grant or deny access to the key; without it, KMS ignores IAM policies for that key and every permission change means editing the key policy itself. EnableKey (A) and CreateGrant (C) are individual API operations, not a delegation of access control, and a key policy cannot "mirror" an IAM policy (D).
https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable
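
As an added example (not code from the exam or from AWS), the following Python builds the default key policy described above and checks an arbitrary key policy for the statement that delegates access control to IAM. The account IDs, role name and the "locked" policy are constructed for the example.

```python
"""Check whether a KMS key policy delegates access control to IAM.

KMS consults IAM identity policies for a key only when the key policy allows
the account's root principal to use the key. The default key policy does that
with one statement; a key policy that omits it ignores IAM policies entirely,
which is the per-key management burden the question wants to avoid.
"""
import json


def default_key_policy(account_id: str, partition: str = "aws") -> dict:
    """Return the statement KMS writes into a key policy when you create a key
    without supplying one (the 'Enable IAM User Permissions' statement)."""
    return {
        "Version": "2012-10-17",
        "Id": "key-default-1",
        "Statement": [
            {
                "Sid": "Enable IAM User Permissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:{partition}:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def iam_policies_enabled(key_policy: dict, account_id: str) -> bool:
    """True when an unconditional Allow statement grants the account's root
    principal every kms action on the key, the prerequisite for IAM policies
    in that account to grant access to it."""
    root_principals = {
        account_id,  # KMS normalises a bare account ID to the root ARN
        f"arn:aws:iam::{account_id}:root",
        f"arn:aws-cn:iam::{account_id}:root",
        f"arn:aws-us-gov:iam::{account_id}:root",
    }
    for stmt in _as_list(key_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue  # a conditional grant is not the blanket delegation we want
        principal = stmt.get("Principal", {})
        aws_principals = set(_as_list(principal.get("AWS", []))) if isinstance(principal, dict) else set()
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if (aws_principals & root_principals
                and actions & {"kms:*", "*"}
                and "*" in _as_list(stmt.get("Resource", []))):
            return True
    return False


# Constructed example of a key policy that grants one role directly and never
# delegates to IAM: every additional user or role needs this document edited.
LOCKED_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowOneRoleOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/payments-service"},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
            "Resource": "*",
        }
    ],
}

if __name__ == "__main__":
    acct = "123456789012"  # constructed account ID
    print(json.dumps(default_key_policy(acct), indent=2))
    print("default policy delegates to IAM:", iam_policies_enabled(default_key_policy(acct), acct))
    print("locked policy delegates to IAM:", iam_policies_enabled(LOCKED_KEY_POLICY, acct))
```

Run this against the output of `aws kms get-key-policy --policy-name default` for each key; any key that returns False is one whose access cannot be managed from IAM and must be handled through its own key policy.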

QUESTION 62

- (Exam Topic 3)
DDoS attacks that happen at the application layer commonly target web applications with lower volumes of traffic compared to infrastructure attacks. To mitigate these types of attacks, you will probably want to include a WAF (Web Application Firewall) as part of your infrastructure. To inspect all HTTP requests, WAFs sit in-line with your application traffic. Unfortunately, this creates a scenario where WAFs can become a point of failure or a bottleneck. To mitigate this problem, you need the ability to run multiple WAFs on demand during traffic spikes. This type of scaling for a WAF is done via a "WAF sandwich." Which of the following statements best describes what a "WAF sandwich" is? Choose the correct answer from the options below.
Please select:

  1. A. The EC2 instance running your WAF software is placed between your private subnets and any NATed connections to the internet.
  2. B. The EC2 instance running your WAF software is placed between your public subnets and your Internet Gateway.
  3. C. The EC2 instance running your WAF software is placed between your public subnets and your private subnets.
  4. D. The EC2 instance running your WAF software is included in an Auto Scaling group and placed in between two Elastic load balancers.

Correct Answer: D
(Diagram not reproduced: EC2 instances hosting the WAF software, in an Auto Scaling group, placed between two Elastic Load Balancers.)
A WAF sandwich places the EC2 instances that run the WAF software between two Elastic Load Balancers: the internet-facing load balancer distributes all incoming traffic across the WAF instances, which forward the inspected traffic to a second, internal load balancer in front of the application servers. Because the WAF instances are in an Auto Scaling group, the inspection layer grows and shrinks with traffic instead of becoming a single point of failure or a bottleneck.
Options A, B and C are incorrect because they only describe where a single WAF instance sits in the network; none of them includes the Auto Scaling group and the pair of load balancers that make the design scalable and resilient. For more information on the WAF sandwich, please refer to the link below:
https://www.cloudaxis.com/2016/11/21/waf-sandwich/
The correct answer is: The EC2 instance running your WAF software is included in an Auto Scaling group and placed in between two Elastic load balancers.

QUESTION 63

- (Exam Topic 3)
A company is hosting multiple applications within a single VPC in its AWS account. The applications are running behind an Application Load Balancer that is associated with an AWS WAF web ACL. The company's security team has identified that multiple port scans are originating from a specific range of IP addresses on the internet.
A security engineer needs to deny access from the offending IP addresses. Which solution will meet these requirements?

  1. A. Modify the AWS WAF web ACL with an IP set match rule statement to deny incoming requests from the IP address range.
  2. B. Add a rule to all security groups to deny the incoming requests from the IP address range.
  3. C. Modify the AWS WAF web ACL with a rate-based rule statement to deny the incoming requests from the IP address range.
  4. D. Configure the AWS WAF web ACL with a regex match condition and specify a pattern set to deny the incoming requests based on the match condition.

Correct Answer: A
An IP set match rule statement (IPSetReferenceStatement) with a Block action is the AWS WAF construct for rejecting requests by source address, and it takes CIDR ranges directly. Security groups (B) are allow-only; they have no deny rules. A rate-based rule (C) keys on request volume per IP over a time window, so low-rate requests from the range would still get through. A regex match statement (D) inspects request components such as the URI, headers or body, not the client IP. Note that AWS WAF only sees the HTTP(S) requests that reach the Application Load Balancer; to drop the port scans themselves at the subnet boundary, a network ACL deny entry for the range is the complementary control.
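
As an added example (not part of the exam material or an AWS sample), the following Python assembles the AWS WAFv2 IP set and rule documents for the solution in option A and evaluates offline which client addresses the rule would block. The offending range (203.0.113.0/24), the extra single host, the IP set ARN and the client addresses are constructed for the example.

```python
"""Build the WAFv2 objects that block an IP range and test the match locally.

An IP set holds the CIDRs; a rule with an IPSetReferenceStatement and a Block
action attaches it to the web ACL. WAF requires CIDR notation for every entry
(a single host is a /32 or /128) and accepts any prefix length except /0.
"""
import ipaddress
from typing import Iterable, List

# Constructed deny list: a /24 plus one bare address that still needs a prefix.
OFFENDING_RANGES = ["203.0.113.0/24", "198.51.100.77"]


def normalize_cidr(entry: str) -> str:
    """Return the entry in the CIDR form WAF accepts, or raise ValueError."""
    net = ipaddress.ip_network(entry, strict=False)  # bare address -> /32 or /128
    if net.prefixlen == 0:
        raise ValueError(f"WAF does not accept a /0 range: {entry}")
    return str(net)


def ip_set_document(name: str, cidrs: Iterable[str], scope: str = "REGIONAL") -> dict:
    """Input for wafv2 create-ip-set. Scope is REGIONAL for an ALB, CLOUDFRONT
    for a distribution. An IP set holds one address family only."""
    addresses = [normalize_cidr(c) for c in cidrs]
    versions = {ipaddress.ip_network(a).version for a in addresses}
    if len(versions) != 1:
        raise ValueError("an IP set holds IPv4 or IPv6 addresses, not both")
    return {
        "Name": name,
        "Scope": scope,
        "IPAddressVersion": "IPV4" if versions == {4} else "IPV6",
        "Addresses": addresses,
    }


def block_rule(ip_set_arn: str, name: str = "BlockPortScanners", priority: int = 0) -> dict:
    """Rule to add to the web ACL's Rules list: match the IP set, block the request."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"IPSetReferenceStatement": {"ARN": ip_set_arn}},
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def would_block(cidrs: List[str], client_ip: str) -> bool:
    """Offline equivalent of the rule's match: is the request's source IP in the set?"""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(normalize_cidr(c)) for c in cidrs)


if __name__ == "__main__":
    # Constructed ARN, as returned by create-ip-set in a real account.
    arn = "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/scanners/0f1e2d3c"
    print(ip_set_document("scanners", OFFENDING_RANGES))
    print(block_rule(arn))
    for ip in ("203.0.113.200", "198.51.100.77", "198.51.100.78"):
        print(ip, "blocked" if would_block(OFFENDING_RANGES, ip) else "allowed")
```

The match is on the connection's source IP. If the ALB sits behind a proxy or CDN, add IPSetForwardedIPConfig to the statement so WAF matches on the X-Forwarded-For header instead, otherwise the rule only ever sees the proxy's address.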

QUESTION 64

- (Exam Topic 3)
Your company has a set of EC2 instances defined in AWS. These EC2 instances have strict security groups attached to them. You need to ensure that changes to the security groups are noted and acted on accordingly. How can you achieve this?
Please select:

  1. A. Use CloudWatch Logs to monitor the activity on the security group. Use filters to search for the changes and use SNS for the notification.
  2. B. Use CloudWatch metrics to monitor the activity on the security group. Use filters to search for the changes and use SNS for the notification.
  3. C. Use AWS Inspector to monitor the activity on the security group. Use filters to search for the changes and use SNS for the notification.
  4. D. Use CloudWatch Events to be triggered for any changes to the security group. Configure the Lambda function for email notification as well.

Correct Answer: D
(Diagram from the AWS blog post not reproduced: a CloudWatch Events rule detecting security group changes and invoking a Lambda function that notifies, and optionally reverts the change.)
CloudWatch Events (now Amazon EventBridge) can match the CloudTrail API calls that modify security groups, such as AuthorizeSecurityGroupIngress and RevokeSecurityGroupIngress, and invoke a Lambda function that inspects the change, reverts it if required and publishes a notification.
Option A is invalid because CloudWatch Logs does not by itself react to security group changes; you need CloudWatch Events to trigger on the API call. Option B is invalid for the same reason: CloudWatch metrics measure resource activity and do not record configuration changes. Option C is invalid because AWS Inspector assesses instances for vulnerabilities and is not used to monitor the activity on security groups. For more information on monitoring security groups, please visit the below URL:
https://aws.amazon.com/blogs/security/how-to-automatically-revert-and-receive-notifications-about-changes-to-vpc-security-groups/
The correct answer is: Use CloudWatch Events to be triggered for any changes to the security groups. Configure the Lambda function for email notification as well.
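
As an added example (not from the exam or the AWS blog post), the following Python shows the event pattern for the CloudWatch Events / EventBridge rule and the Lambda handler logic that turns the matched CloudTrail event into a notification, flagging ingress rules that open a port to the whole internet. The sample event, group ID, role and addresses are constructed; the SNS publish call is shown in a comment so the module runs offline.

```python
"""Detect and summarise security group changes delivered by EventBridge.

The rule pattern matches the EC2 API calls that create, delete or edit
security groups as recorded by CloudTrail. The handler flattens CloudTrail's
nested ipPermissions shape and escalates when an ingress rule uses 0.0.0.0/0
or ::/0.
"""
import json

SG_CHANGE_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["ec2.amazonaws.com"],
        "eventName": [
            "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
            "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
            "CreateSecurityGroup", "DeleteSecurityGroup",
        ],
    },
}

WORLD = {"0.0.0.0/0", "::/0"}


def describe_permissions(request_parameters: dict) -> list:
    """Flatten ipPermissions.items[].ipRanges.items[] into 'proto ports from cidr' strings."""
    rules = []
    items = (request_parameters.get("ipPermissions") or {}).get("items") or []
    for perm in items:
        proto = perm.get("ipProtocol", "-1")
        ports = "all" if proto == "-1" else f"{perm.get('fromPort')}-{perm.get('toPort')}"
        v4 = [r["cidrIp"] for r in (perm.get("ipRanges") or {}).get("items") or []]
        v6 = [r["cidrIpv6"] for r in (perm.get("ipv6Ranges") or {}).get("items") or []]
        for cidr in v4 + v6:
            rules.append(f"{proto} {ports} from {cidr}")
    return rules


def summarize(event: dict) -> dict:
    """Extract who changed which group, from where, and what was added or removed."""
    detail = event["detail"]
    params = detail.get("requestParameters") or {}
    rules = describe_permissions(params)
    opened_to_world = (
        detail.get("eventName") == "AuthorizeSecurityGroupIngress"
        and any(rule.split(" from ")[-1] in WORLD for rule in rules)
    )
    return {
        "event_name": detail.get("eventName"),
        "group_id": params.get("groupId"),
        "actor": (detail.get("userIdentity") or {}).get("arn"),
        "source_ip": detail.get("sourceIPAddress"),
        "rules": rules,
        "opened_to_world": opened_to_world,
    }


def lambda_handler(event, context):
    """Entry point wired to the EventBridge rule; returns what it would publish."""
    summary = summarize(event)
    severity = "ALERT" if summary["opened_to_world"] else "INFO"
    subject = f"{severity}: {summary['event_name']} on {summary['group_id']}"
    # In the deployed function (TOPIC_ARN is an assumed environment variable):
    # boto3.client("sns").publish(TopicArn=os.environ["TOPIC_ARN"],
    #                             Subject=subject[:100], Message=json.dumps(summary, indent=2))
    return {"subject": subject, "message": json.dumps(summary, indent=2)}


# Constructed CloudTrail event: an assumed role opens SSH to the internet.
SAMPLE_EVENT = {
    "source": "aws.ec2",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "sourceIPAddress": "198.51.100.23",
        "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/Developer/alice"},
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [{
                "ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]},
            }]},
        },
    },
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT, None)["subject"])
```

The pattern requires a CloudTrail trail that delivers management events in the region; without one, EventBridge never receives the API call and the rule never fires. Reverting the change, as the blog post does, is a matter of calling revoke_security_group_ingress with the same ipPermissions from the summarised event.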

QUESTION 65

- (Exam Topic 3)
A company deployed Amazon GuardDuty in the us-east-1 Region. The company wants all DNS logs that relate to the company's Amazon EC2 instances to be inspected. What should a security engineer do to ensure that the EC2 instances are logged?

  1. A. Use IPv6 addresses that are configured for hostnames.
  2. B. Configure external DNS resolvers as internal resolvers that are visible only to AWS.
  3. C. Use AWS DNS resolvers for all EC2 instances.
  4. D. Configure a third-party DNS resolver with logging for all EC2 instances.

Correct Answer: C
GuardDuty processes DNS logs only for queries that go through the Amazon-provided Route 53 Resolver (the default VPC DNS server at the VPC's primary CIDR base address plus two, also reachable at 169.254.169.253). Instances that use a third-party or self-managed resolver, or external resolvers exposed internally (B and D), produce no DNS data for GuardDuty. IPv6 addressing (A) has no bearing on which resolver receives the queries.
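
As an added example (not from the exam or from AWS), the following Python decides from an instance's resolver configuration whether its DNS queries reach the Amazon resolver and therefore GuardDuty. The resolv.conf texts and the VPC CIDR are constructed for the example.

```python
"""Decide whether an EC2 instance's DNS queries are visible to GuardDuty.

GuardDuty's DNS data source is the Amazon Route 53 Resolver, which answers at
the VPC's primary IPv4 CIDR base address plus two (10.0.0.2 for 10.0.0.0/16),
at 169.254.169.253 and, for IPv6, at fd00:ec2::253. A nameserver anywhere
else means those queries bypass GuardDuty.
"""
import ipaddress
from typing import List

LINK_LOCAL_RESOLVERS = {
    ipaddress.ip_address("169.254.169.253"),
    ipaddress.ip_address("fd00:ec2::253"),
}


def vpc_resolver_address(vpc_cidr: str) -> ipaddress.IPv4Address:
    """Amazon DNS address for a VPC: base of the primary IPv4 CIDR plus two."""
    return ipaddress.ip_network(vpc_cidr).network_address + 2


def nameservers(resolv_conf: str) -> List[str]:
    """Return the nameserver entries from resolv.conf text, ignoring comments."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def guardduty_sees_dns(resolv_conf: str, vpc_cidr: str) -> bool:
    """True only if every configured nameserver is an Amazon resolver.

    A single third-party entry means some queries bypass GuardDuty, and a
    loopback stub (systemd-resolved's 127.0.0.53) hides the real upstream, so
    both are reported as not visible; for the stub, inspect the upstream
    configuration (/run/systemd/resolve/resolv.conf) instead.
    """
    amazon = LINK_LOCAL_RESOLVERS | {vpc_resolver_address(vpc_cidr)}
    servers = nameservers(resolv_conf)
    if not servers:
        return False
    try:
        addresses = [ipaddress.ip_address(s) for s in servers]
    except ValueError:  # a hostname or garbage where an address should be
        return False
    if any(a.is_loopback for a in addresses):
        return False
    return all(a in amazon for a in addresses)


# Constructed resolv.conf contents for a VPC using 10.0.0.0/16.
DEFAULT_RESOLV = "search ec2.internal\nnameserver 10.0.0.2\n"
THIRD_PARTY_RESOLV = "nameserver 10.0.0.2\nnameserver 1.1.1.1  # fallback added by ops\n"

if __name__ == "__main__":
    for label, conf in (("default", DEFAULT_RESOLV), ("third-party fallback", THIRD_PARTY_RESOLV)):
        print(label, "->", "visible to GuardDuty" if guardduty_sees_dns(conf, "10.0.0.0/16") else "not visible")
```

Run it with the contents of /etc/resolv.conf from each instance (for example via SSM Run Command) and the VPC's primary CIDR from describe-vpcs; instances that come back False are the ones whose DNS activity GuardDuty cannot inspect.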
