Free AWS-Certified-Security-Specialty Exam Braindumps

Pass your Amazon AWS Certified Security - Specialty exam with these free Questions and Answers

Page 19 of 118
QUESTION 86

- (Exam Topic 3)
Your company has been using AWS for hosting EC2 instances for their web and database applications. They want to have a compliance check to see the following:
Whether any ports are left open other than admin ones like SSH and RDP
Whether any ports to the database server other than ones from the web server security group are open
Which of the following can help achieve this in the easiest way possible? You don't want to carry out any extra configuration changes.
Please select:

  1. A. AWS Config
  2. B. AWS Trusted Advisor
  3. C. AWS Inspector
  4. D. AWS GuardDuty

Correct Answer: B
Trusted Advisor checks for compliance with the following security recommendations:
Limited access to common administrative ports to only a small subset of addresses. This includes ports 22 (SSH), 23 (Telnet), 3389 (RDP), and 5500 (VNC).
Limited access to common database ports. This includes ports 1433 (MSSQL Server), 1434 (MSSQL Monitor), 3306 (MySQL), 1521 (Oracle), and 5432 (PostgreSQL).
Option A is partially correct, but you would need to write custom rules for this. AWS Trusted Advisor gives you all of these checks on its dashboard.
Option C is incorrect. Amazon Inspector needs a software agent to be installed on all EC2 instances that are included in the assessment target, the security of which you want to evaluate with Amazon Inspector. It monitors the behavior of the EC2 instance on which it is installed, including network, file system, and process activity, and collects a wide set of behavior and configuration data (telemetry), which it then passes to the Amazon Inspector service.
The question's requirement is to choose an option that is easy to implement. Hence Trusted Advisor is more appropriate for this question.
Option D is invalid because this service does not provide these details.
For more information on Trusted Advisor, please visit the following URL: https://aws.amazon.com/premiumsupport/trustedadvisor
The correct answer is: AWS Trusted Advisor

QUESTION 87

- (Exam Topic 2)
A Security Engineer is working with the development team to design a supply chain application that stores sensitive inventory data in an Amazon S3 bucket. The application will use an AWS KMS customer master key (CMK) to encrypt the data on Amazon S3. The inventory data on Amazon S3 will be shared with vendors. All vendors will use AWS principals from their own AWS accounts to access the data on Amazon S3. The vendor list may change weekly, and the solution must support cross-account access.
What is the MOST efficient way to manage access control for the KMS CMK?

  1. A. Use KMS grants to manage key access.
  2. B. Programmatically create and revoke grants to manage vendor access.
  3. C. Use an IAM role to manage key access.
  4. D. Programmatically update the IAM role policies to manage vendor access.
  5. E. Use KMS key policies to manage key access.
  6. F. Programmatically update the KMS key policies to manage vendor access.
  7. G. Use delegated access across AWS accounts by using IAM roles to manage key access. Programmatically update the IAM trust policy to manage cross-account vendor access.

Correct Answer: A

QUESTION 88

- (Exam Topic 2)
The AWS Systems Manager Parameter Store is being used to store database passwords used by an AWS Lambda function. Because this is sensitive data, the parameters are stored as type SecureString and protected by an AWS KMS key that allows access through IAM. When the function executes, this parameter cannot be retrieved as the result of an access denied error.
Which of the following actions will resolve the access denied error?

  1. A. Update the ssm.amazonaws.com principal in the KMS key policy to allow kms:Decrypt.
  2. B. Update the Lambda configuration to launch the function in a VPC.
  3. C. Add a policy to the role that the Lambda function uses, allowing kms:Decrypt for the KMS key.
  4. D. Add lambda.amazonaws.com as a trusted entity on the IAM role that the Lambda function uses.

Correct Answer: C
https://docs.amazonaws.cn/en_us/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Integrating.Authorizing

QUESTION 89

- (Exam Topic 2)
What are the MOST secure ways to protect the AWS account root user of a recently opened AWS account? (Choose two.)

  1. A. Use the AWS account root user access keys instead of the AWS Management Console
  2. B. Enable multi-factor authentication for the AWS IAM users with the AdministratorAccess managed policy attached to them
  3. C. Enable multi-factor authentication for the AWS account root user
  4. D. Use AWS KMS to encrypt all AWS account root user and AWS IAM access keys and set automatic rotation to 30 days
  5. E. Do not create access keys for the AWS account root user; instead, create AWS IAM users

Correct Answer: CE

QUESTION 90

- (Exam Topic 2)
A company’s security policy requires that VPC Flow Logs are enabled on all VPCs. A Security Engineer is looking to automate the process of auditing the VPC resources for compliance.
What combination of actions should the Engineer take? (Choose two.)

  1. A. Create an AWS Lambda function that determines whether Flow Logs are enabled for a given VPC.
  2. B. Create an AWS Config configuration item for each VPC in the company AWS account.
  3. C. Create an AWS Config managed rule with a resource type of AWS::Lambda::Function.
  4. D. Create an Amazon CloudWatch Event rule that triggers on events emitted by AWS Config.
  5. E. Create an AWS Config custom rule, and associate it with an AWS Lambda function that contains the evaluating logic.

Correct Answer: AE
https://medium.com/mudita-misra/how-to-audit-your-aws-resources-for-security-compliance-by-using-custom-a
