Free AWS-Certified-Security-Specialty Exam Braindumps

Pass your Amazon AWS Certified Security - Specialty exam with these free Questions and Answers

Page 15 of 118
QUESTION 66

- (Exam Topic 3)
During a manual review of system logs from an Amazon Linux EC2 instance, a Security Engineer noticed sudo commands that were never alerted on or reported by the Amazon CloudWatch Logs agent.
Why were there no alerts on the sudo commands?

  1. A. There is a security group blocking outbound port 80 traffic that is preventing the agent from sending the logs
  2. B. The IAM instance profile on the EC2 instance was not properly configured to allow the CloudWatch Logs agent to push the logs to CloudWatch
  3. C. CloudWatch Logs status is set to ON versus SECURE, which prevents it from pulling in OS security event logs
  4. D. The VPC requires that all traffic go through a proxy, and the CloudWatch Logs agent does not support a proxy configuration.

Correct Answer: B

QUESTION 67

- (Exam Topic 3)
A company wants to deploy a distributed web application on a fleet of EC2 instances. The fleet will be fronted by a Classic Load Balancer that will be configured to terminate the TLS connection. The company wants to make sure that all past and current TLS traffic to the Classic Load Balancer stays secure even if the certificate private key is leaked.
To ensure the company meets these requirements, a Security Engineer can configure a Classic Load Balancer with:

  1. A. An HTTPS listener that uses a certificate that is managed by Amazon Certificate Manager.
  2. B. An HTTPS listener that uses a custom security policy that allows only perfect forward secrecy cipher suites.
  3. C. An HTTPS listener that uses the latest AWS predefined ELBSecurityPolicy-TLS-1-2-2017-01 security policy.
  4. D. A TCP listener that uses a custom security policy that allows only perfect forward secrecy cipher suites.

Correct Answer: C

QUESTION 68

- (Exam Topic 1)
A Security Engineer is looking for a way to control access to data that is being encrypted under a CMK. The Engineer is also looking to use additional authenticated data (AAD) to prevent tampering with ciphertext.
Which action would provide the required functionality?

  1. A. Pass the key alias to AWS KMS when calling Encrypt and Decrypt API actions.
  2. B. Use IAM policies to restrict access to Encrypt and Decrypt API actions.
  3. C. Use kms:EncryptionContext as a condition when defining IAM policies for the CMK.
  4. D. Use key policies to restrict access to the appropriate IAM groups.

Correct Answer: B

QUESTION 69

- (Exam Topic 3)
Your team is experimenting with the API gateway service for an application. There is a need to implement a custom module which can be used for authentication/authorization for calls made to the API gateway. How can this be achieved?
Please select:

  1. A. Use the request parameters for authorization
  2. B. Use a Lambda authorizer
  3. C. Use the gateway authorizer
  4. D. Use CORS on the API gateway

Correct Answer: B
The AWS Documentation mentions the following:
An Amazon API Gateway Lambda authorizer (formerly known as a custom authorizer) is a Lambda function that you provide to control access to your API methods. A Lambda authorizer uses bearer token authentication strategies, such as OAuth or SAML. It can also use information described by headers, paths, query strings, stage variables, or context variables (request parameters).
Options A, C, and D are invalid because these cannot be used if you need custom authentication/authorization for calls made to the API gateway.
For more information on using the API Gateway Lambda authorizer, please visit the URL: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html
The correct answer is: Use a Lambda authorizer

QUESTION 70

- (Exam Topic 2)
A company stores data on an Amazon EBS volume attached to an Amazon EC2 instance. The data is asynchronously replicated to an Amazon S3 bucket. Both the EBS volume and the S3 bucket are encrypted with the same AWS KMS Customer Master Key (CMK). A former employee scheduled a deletion of that CMK before leaving the company.
The company’s Developer Operations department learns about this only after the CMK has been deleted. Which steps must be taken to address this situation?

  1. A. Copy the data directly from the EBS encrypted volume before the volume is detached from the EC2 instance.
  2. B. Recover the data from the EBS encrypted volume using an earlier version of the KMS backing key.
  3. C. Make a request to AWS Support to recover the S3 encrypted data.
  4. D. Make a request to AWS Support to restore the deleted CMK, and use it to recover the data.

Correct Answer: C
