Free AWS-Certified-Security-Specialty Exam Braindumps

Pass your Amazon AWS Certified Security - Specialty exam with these free Questions and Answers

Page 20 of 118
QUESTION 91

- (Exam Topic 3)
There are currently multiple applications hosted in a VPC. During monitoring it has been noticed that multiple port scans are coming in from a specific IP address block. The internal security team has requested that all offending IP addresses be denied for the next 24 hours. Which of the following is the best method to quickly and temporarily deny access from the specified IP addresses?
Please select:

  1. A. Create an AD policy to modify the Windows Firewall settings on all hosts in the VPC to deny access from the IP Address block.
  2. B. Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP Address block.
  3. C. Add a rule to all of the VPC Security Groups to deny access from the IP Address block.
  4. D. Modify the Windows Firewall settings on all AMIs that your organization uses in that VPC to deny access from the IP address block.

Correct Answer: B
A network ACL acts as a stateless firewall at the subnet level, so adding a Deny rule for the offending CIDR block to the NACLs of the public subnets blocks the scans before they reach any instance, and removing the rule after 24 hours restores normal access. NACL rules are evaluated in ascending rule-number order and the first match wins, so the Deny must carry a lower number than any existing Allow that covers the same source range (for example a Deny at rule 90 placed ahead of an Allow at rule 100); a Deny numbered after a matching Allow is never reached.
Options A and D are invalid because pushing host-firewall changes to every instance or rebuilding AMIs is slow, is not temporary, and only covers Windows hosts. Option C is invalid because security groups support Allow rules only; there is no way to write a Deny rule in a security group.
For more information on network ACLs, please visit the below URL: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html
The correct answer is: Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP Address block.
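The rule-ordering point above is where this answer goes wrong in practice, so here is an added example (not part of the original page) that models NACL inbound evaluation in Python: rules are sorted by number and the first match decides. The rule numbers, CIDR blocks (RFC 5737 documentation ranges) and the evaluate_inbound/scanner_blocked helpers are constructed for illustration.

```python
"""Model of network ACL inbound evaluation: rules are processed in ascending
rule-number order and the first match decides, so a temporary Deny for an
abusive CIDR must carry a LOWER number than the catch-all Allow.
Added example (not part of the original page); all rule numbers, CIDRs and
helper names are constructed for illustration."""
import ipaddress
from typing import NamedTuple


class NaclRule(NamedTuple):
    number: int      # rule number; lower numbers are evaluated first
    protocol: str    # "tcp", "udp", "icmp", or "-1" meaning all protocols
    port_from: int   # port range; ignored when protocol is "-1"
    port_to: int
    cidr: str        # source CIDR for inbound rules
    action: str      # "allow" or "deny"


def evaluate_inbound(rules, src_ip, protocol, port):
    """Return the action of the first matching rule, or 'deny' when nothing
    matches (every NACL ends with an implicit deny-all '*' rule)."""
    src = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol != "-1":
            if rule.protocol != protocol:
                continue
            if not rule.port_from <= port <= rule.port_to:
                continue
        if src in ipaddress.ip_network(rule.cidr):
            return rule.action
    return "deny"


# Constructed sample: the scanner's source block and the subnet's existing
# HTTPS Allow. Addresses are RFC 5737 documentation ranges.
SCANNER_BLOCK = "203.0.113.0/24"

# Correct ordering: the temporary Deny at 90 is checked BEFORE the Allow at 100.
EFFECTIVE_RULES = [
    NaclRule(90, "-1", 0, 65535, SCANNER_BLOCK, "deny"),
    NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
]

# Wrong ordering: the same Deny numbered 110 is never reached for port 443,
# because rule 100 already matched and allowed the packet.
INEFFECTIVE_RULES = [
    NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    NaclRule(110, "-1", 0, 65535, SCANNER_BLOCK, "deny"),
]


def scanner_blocked(rules, src_ip="203.0.113.37"):
    """True if an HTTPS connection attempt from the scanner range is denied."""
    return evaluate_inbound(rules, src_ip, "tcp", 443) == "deny"


if __name__ == "__main__":
    print("Deny at rule 90 :", scanner_blocked(EFFECTIVE_RULES))    # True
    print("Deny at rule 110:", scanner_blocked(INEFFECTIVE_RULES))  # False
    print("Other client    :", evaluate_inbound(EFFECTIVE_RULES, "198.51.100.8", "tcp", 443))  # allow
```

Because NACLs are stateless, the inbound Deny alone stops the scanner's packets from entering the subnet; no outbound rule change is needed. NACL rules have no expiry, so the removal after 24 hours has to be scheduled separately.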

QUESTION 92

- (Exam Topic 2)
A Security Administrator is restricting the capabilities of company root user accounts. The company uses AWS Organizations and has enabled it for all feature sets, including consolidated billing. The top-level account is used for billing and administrative purposes, not for operational AWS resource purposes.
How can the Administrator restrict usage of member root user accounts across the organization?

  1. A. Disable the use of the root user account at the organizational root. Enable multi-factor authentication of the root user account for each organizational member account.
  2. B. Configure IAM user policies to restrict root account capabilities for each Organizations member account.
  3. C. Create an organizational unit (OU) in Organizations with a service control policy that controls usage of the root user. Add all operational accounts to the new OU.
  4. D. Configure AWS CloudTrail to integrate with Amazon CloudWatch Logs and then create a metric filter for RootAccountUsage.

Correct Answer: C
A service control policy (SCP) is the only Organizations policy type that limits what principals in a member account, including the root user, can do. IAM policies cannot be attached to or restrict the root user, so B does not work; MFA in A protects the root credential but does not limit the actions root can take; the metric filter in D only detects root activity after the fact. Where an SCP is applied determines its reach: 1) applied to the organization root, it applies to all accounts in the organization; 2) applied to an OU, it applies to all accounts in that OU and in any child OUs; 3) applied to an account, it applies to that one account only. Requirements: all features must be enabled for the organization in AWS Organizations, and the SCP policy type must be enabled. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html

QUESTION 93

- (Exam Topic 1)
A company's application runs on Amazon EC2 and stores data in an Amazon S3 bucket. The company wants additional security controls in place to limit the likelihood of accidental exposure of data to external parties.
Which combination of actions will meet this requirement? (Select THREE.)

  1. A. Encrypt the data in Amazon S3 using server-side encryption with Amazon S3 managed encryption keys (SSE-S3).
  2. B. Encrypt the data in Amazon S3 using server-side encryption with AWS KMS managed encryption keys (SSE-KMS).
  3. C. Create a new Amazon S3 VPC endpoint and modify the VPC's routing tables to use the new endpoint.
  4. D. Use the Amazon S3 Block Public Access feature.
  5. E. Configure the bucket policy to allow access from the application instances only.
  6. F. Use a NACL to filter traffic to Amazon S3.

Correct Answer: BCE

QUESTION 94

- (Exam Topic 2)
The Security Engineer created a new AWS Key Management Service (AWS KMS) key with the following key policy:
[Exhibit: key policy (image not reproduced on this page)]
What are the effects of the key policy? (Choose two.)

  1. A. The policy allows access for the AWS account 111122223333 to manage key access through IAM policies.
  2. B. The policy allows all IAM users in account 111122223333 to have full access to the KMS key.
  3. C. The policy allows the root user in account 111122223333 to have full access to the KMS key.
  4. D. The policy allows the KMS service-linked role in account 111122223333 to have full access to the KMS key.
  5. E. The policy allows all IAM roles in account 111122223333 to have full access to the KMS key.

Correct Answer: AC
Giving the AWS account (the principal arn:aws:iam::111122223333:root) full access to the CMK does two things: the root user of that account has full access to the key (C), and IAM policies in that account can now be used to grant IAM users and roles access to the key (A). It does not by itself give any IAM user or role access to the key, so B and E are wrong, and nothing in the statement refers to a service-linked role (D).
https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable

QUESTION 95

- (Exam Topic 1)
A Security Engineer creates an Amazon S3 bucket policy that denies access to all users. A few days later, the Security Engineer adds an additional statement to the bucket policy to allow read-only access to one other employee. Even after updating the policy, the employee still receives an access denied message.
What is the likely cause of this access denial?

  1. A. The ACL in the bucket needs to be updated.
  2. B. The IAM policy does not allow the user to access the bucket
  3. C. It takes a few minutes for a bucket policy to take effect
  4. D. The allow permission is being overridden by the deny.

Correct Answer: D
An explicit Deny in any applicable policy always overrides an Allow, so the blanket Deny statement must be removed or narrowed (for example with NotPrincipal) before the new Allow for the employee can take effect. Bucket policies apply immediately, so C is wrong, and the bucket ACL (A) or the employee's IAM policy (B) cannot override an explicit Deny either.
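This question and Question 92 both turn on how AWS combines policies, so here is an added example (not from the original page) in Python that models the decision order: SCPs first, then an explicit Deny anywhere, then an Allow, with the root user exempt from identity-based policies. The policy documents, the placeholder account 111122223333, the bucket name, the OU IDs and the helper names are constructed for illustration; the SCP statement follows the pattern AWS documents for denying root-user actions via the aws:PrincipalArn condition key.

```python
"""Simplified AWS authorization decision, added here (not from the original
page) to show two exam points: (1) an explicit Deny in any applicable policy
beats every Allow (Q95); (2) identity-based IAM policies never restrict an
account's root user, while an SCP inherited from the organization root or an
OU does (Q92). Sample policies are constructed; 111122223333 is the AWS
documentation placeholder account. Partial model: only the aws:PrincipalArn
StringLike condition, no NotAction/NotPrincipal, and the default FullAWSAccess
SCP is assumed to stay attached, so the SCP check reduces to 'no explicit Deny'."""
from fnmatch import fnmatchcase

ACCOUNT = "111122223333"
ROOT_ARN = f"arn:aws:iam::{ACCOUNT}:root"
EMPLOYEE = f"arn:aws:iam::{ACCOUNT}:user/employee"
BUCKET = "arn:aws:s3:::example-bucket"


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _applies(stmt, principal_arn, action, resource):
    principal = stmt.get("Principal")  # absent in identity policies and SCPs
    if principal not in (None, "*") and principal_arn not in _as_list(principal.get("AWS", [])):
        return False
    if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*"))):
        return False
    like = stmt.get("Condition", {}).get("StringLike", {})
    return any(fnmatchcase(principal_arn, p) for p in _as_list(like.get("aws:PrincipalArn", "*")))


def _decision(policies, principal_arn, action, resource):
    """'deny' if any statement explicitly denies, 'allow' if one allows, else None."""
    verdict = None
    for pol in policies:
        for stmt in _as_list(pol["Statement"]):
            if _applies(stmt, principal_arn, action, resource):
                if stmt["Effect"] == "Deny":
                    return "deny"  # explicit Deny ends evaluation immediately
                verdict = "allow"
    return verdict


def is_allowed(principal_arn, action, resource, *, identity_policies=(),
               resource_policies=(), scps=()):
    """Same-account order: SCP Deny, explicit Deny in resource/identity policy,
    then an Allow from either. Root skips the identity-policy step entirely:
    IAM policies cannot restrict it, but SCPs and resource-policy Denies can."""
    if _decision(scps, principal_arn, action, resource) == "deny":
        return False
    resource_verdict = _decision(resource_policies, principal_arn, action, resource)
    if resource_verdict == "deny":
        return False
    if principal_arn == ROOT_ARN:
        return True
    identity_verdict = _decision(identity_policies, principal_arn, action, resource)
    return identity_verdict != "deny" and "allow" in (identity_verdict, resource_verdict)


def effective_scps(path, attachments):
    """SCPs in force for an account: every SCP attached to any node on its path
    (organization root, each OU down the tree, the account itself)."""
    return [scp for node in path for scp in attachments.get(node, [])]


# Q95: blanket Deny plus a later Allow for one employee; the Deny still wins.
RES = [BUCKET, BUCKET + "/*"]
BUCKET_POLICY_Q95 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": RES},
    {"Effect": "Allow", "Principal": {"AWS": EMPLOYEE},
     "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": RES}]}
# Fix: drop the blanket Deny; everyone else is still refused by implicit deny.
BUCKET_POLICY_FIXED = {"Version": "2012-10-17", "Statement": [BUCKET_POLICY_Q95["Statement"][1]]}

# Q92: the AWS-documented SCP pattern denying every action to any root user it
# reaches, attached to a constructed operational OU (org/OU IDs are made up).
SCP_DENY_ROOT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"StringLike": {"aws:PrincipalArn": ["arn:aws:iam::*:root"]}}}]}
IAM_DENY_ALL = {"Version": "2012-10-17", "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]}
IAM_ALLOW_EC2 = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
ORG_ATTACHMENTS = {"r-example": [], "ou-operational": [SCP_DENY_ROOT]}
OPERATIONAL_PATH = ["r-example", "ou-operational", ACCOUNT]


def employee_can_read_q95():
    return is_allowed(EMPLOYEE, "s3:GetObject", BUCKET + "/report.csv", resource_policies=[BUCKET_POLICY_Q95])

def employee_can_read_fixed():
    return is_allowed(EMPLOYEE, "s3:GetObject", BUCKET + "/report.csv", resource_policies=[BUCKET_POLICY_FIXED])

def root_restricted_by_iam_policy():
    return not is_allowed(ROOT_ARN, "ec2:RunInstances", "*", identity_policies=[IAM_DENY_ALL])

def root_restricted_by_scp():
    return not is_allowed(ROOT_ARN, "ec2:RunInstances", "*", scps=effective_scps(OPERATIONAL_PATH, ORG_ATTACHMENTS))

def employee_unaffected_by_root_scp():
    return is_allowed(EMPLOYEE, "ec2:RunInstances", "*", identity_policies=[IAM_ALLOW_EC2],
                      scps=effective_scps(OPERATIONAL_PATH, ORG_ATTACHMENTS))
```

The five scenario functions reproduce the two answers: the Q95 employee stays denied until the blanket Deny is removed; the root user ignores an IAM Deny but is stopped by the SCP inherited from its OU, while an ordinary IAM user in the same OU is unaffected because the SCP's condition only matches root ARNs.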

