Free AWS-Certified-Security-Specialty Exam Braindumps

Pass your Amazon AWS Certified Security - Specialty exam with these free Questions and Answers

Page 18 of 118
QUESTION 81

- (Exam Topic 1)
A security engineer is asked to update an AWS CloudTrail log file prefix for an existing trail. When attempting to save the change in the CloudTrail console, the security engineer receives the following error message: "There is a problem with the bucket policy."
What will enable the security engineer to save the change?

  1. A. Create a new trail with the updated log file prefix, and then delete the original trail. Update the existing bucket policy in the Amazon S3 console with the new log file prefix, and then update the log file prefix in the CloudTrail console.
  2. B. Update the existing bucket policy in the Amazon S3 console to allow the security engineer's principal to perform PutBucketPolicy, and then update the log file prefix in the CloudTrail console.
  3. C. Update the existing bucket policy in the Amazon S3 console with the new log file prefix, and then update the log file prefix in the CloudTrail console.
  4. D. Update the existing bucket policy in the Amazon S3 console to allow the security engineer's principal to perform GetBucketPolicy, and then update the log file prefix in the CloudTrail console.

Correct Answer: B

QUESTION 82

- (Exam Topic 1)
A Security Engineer has been asked to troubleshoot inbound connectivity to a web server. This single web server is not receiving inbound connections from the internet, whereas all other web servers are functioning properly.
The architecture includes network ACLs, security groups, and a virtual security appliance. In addition, the Development team has implemented Application Load Balancers (ALBs) to distribute the load across all web servers. It is a requirement that traffic between the web servers and the internet flow through the virtual security appliance.
The Security Engineer has verified the following:
* 1. The rule set in the Security Groups is correct
* 2. The rule set in the network ACLs is correct
* 3. The rule set in the virtual appliance is correct
Which of the following are other valid items to troubleshoot in this scenario? (Choose two.)

  1. A. Verify that the 0.0.0.0/0 route in the route table for the web server subnet points to a NAT gateway.
  2. B. Verify which Security Group is applied to the particular web server’s elastic network interface (ENI).
  3. C. Verify that the 0.0.0.0/0 route in the route table for the web server subnet points to the virtual security appliance.
  4. D. Verify the registered targets in the ALB.
  5. E. Verify that the 0.0.0.0/0 route in the public subnet points to a NAT gateway.

Correct Answer: CD
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html

QUESTION 83

- (Exam Topic 2)
You have enabled Cloudtrail logs for your company's AWS account. In addition, the IT Security department has mentioned that the logs need to be encrypted. How can this be achieved?
Please select:

  1. A. Enable SSL certificates for the Cloudtrail logs
  2. B. There is no need to do anything since the logs will already be encrypted
  3. C. Enable Server side encryption for the trail
  4. D. Enable Server side encryption for the destination S3 bucket

Correct Answer: B
The AWS documentation mentions the following:
By default, CloudTrail event log files are encrypted using Amazon S3 server-side encryption (SSE). You can also choose to encrypt your log files with an AWS Key Management Service (AWS KMS) key. You can store your log files in your bucket for as long as you want. You can also define Amazon S3 lifecycle rules to archive or delete log files automatically. If you want notifications about log file delivery and validation, you can set up Amazon SNS notifications.
Options A, C and D are not valid since the logs will already be encrypted.
For more information on how CloudTrail works, please visit the following URL: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/how-cloudtrail-works.html
The correct answer is: There is no need to do anything since the logs will already be encrypted.

QUESTION 84

- (Exam Topic 1)
A security engineer must use AWS Key Management Service (AWS KMS) to design a key management solution for a set of Amazon Elastic Block Store (Amazon EBS) volumes that contain sensitive data. The solution needs to ensure that the key material automatically expires in 90 days.
Which solution meets these criteria?

  1. A. A customer managed CMK that uses customer provided key material
  2. B. A customer managed CMK that uses AWS provided key material
  3. C. An AWS managed CMK
  4. D. Operating system-native encryption that uses GnuPG

Correct Answer: B

QUESTION 85

- (Exam Topic 2)
An application makes calls to AWS services using the AWS SDK. The application runs on Amazon EC2 instances with an associated IAM role. When the application attempts to access an object within an Amazon S3 bucket, the Administrator receives the following error message: HTTP 403: Access Denied.
Which combination of steps should the Administrator take to troubleshoot this issue? (Select three.)

  1. A. Confirm that the EC2 instance's security group authorizes S3 access.
  2. B. Verify that the KMS key policy allows decrypt access for the KMS key for this IAM principal.
  3. C. Check the S3 bucket policy for statements that deny access to objects.
  4. D. Confirm that the EC2 instance is using the correct key pair.
  5. E. Confirm that the IAM role associated with the EC2 instance has the proper privileges.
  6. F. Confirm that the instance and the S3 bucket are in the same Region.

Correct Answer: BCE
