Free AWS-Certified-Security-Specialty Exam Braindumps

Pass your Amazon AWS Certified Security - Specialty exam with these free Questions and Answers

Page 21 of 118
QUESTION 96

- (Exam Topic 3)
There is a requirement for a company to transfer large amounts of data between AWS and an on-premises location. There is an additional requirement for low-latency and high-consistency traffic to AWS. Given these requirements, how would you design a hybrid architecture? Choose the correct answer from the options below.
Please select:

  1. A. Provision a Direct Connect connection to an AWS region using a Direct Connect partner.
  2. B. Create a VPN tunnel for private connectivity, which increases network consistency and reduces latency.
  3. C. Create an IPsec tunnel for private connectivity, which increases network consistency and reduces latency.
  4. D. Create a VPC peering connection between AWS and the Customer gateway.

Correct Answer: A
AWS Direct Connect makes it easy to establish a dedicated network connection from your premises to AWS. Using AWS Direct Connect you can establish private connectivity between AWS and your datacenter, office, or colocation environment which in many cases can reduce your network costs, increase bandwidth throughput and provide a more consistent network experience than Internet-based connections.
Options B and C are invalid because these options will not reduce network latency. Option D is invalid because VPC peering is only used to connect two VPCs.
For more information on AWS Direct Connect, just browse to the below URL: https://aws.amazon.com/directconnect
The correct answer is: Provision a Direct Connect connection to an AWS region using a Direct Connect partner.

QUESTION 97

- (Exam Topic 3)
An Application team has requested a new AWS KMS master key for use with Amazon S3, but the organizational security policy requires separate master keys for different AWS services to limit blast radius.
How can an AWS KMS customer master key (CMK) be constrained to work with only Amazon S3?

  1. A. Configure the CMK key policy to allow only the Amazon S3 service to use the kms:Encrypt action.
  2. B. Configure the CMK key policy to allow AWS KMS actions only when the kms:ViaService condition matches the Amazon S3 service name.
  3. C. Configure the IAM user's policy to allow KMS to pass a role to Amazon S3.
  4. D. Configure the IAM user's policy to allow only Amazon S3 operations when they are combined with the CMK.

Correct Answer: B
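As an added illustration of option B (this key policy is written for this page and is not part of the original question or of AWS's own documentation), the statement below lets a principal use the key only when the request arrives through Amazon S3 in one region, so a direct kms:Decrypt call or a call from another service such as EBS is denied. The account ID 111122223333, the role name app-team-role and the region us-east-1 are placeholders:

```json
{
  "Version": "2012-10-17",
  "Id": "s3-only-cmk-policy",
  "Statement": [
    {
      "Sid": "EnableKeyAdministrationByAccountRoot",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowCryptographicUseOnlyViaS3",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/app-team-role" },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "s3.us-east-1.amazonaws.com"
        }
      }
    }
  ]
}
```

The second statement is the one that implements the constraint: without the kms:ViaService condition, the same role could use the key from any AWS service or directly through the KMS API, which is exactly what the organizational policy in the question wants to prevent.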

QUESTION 98

- (Exam Topic 3)
A company has two teams, and each team needs to access its respective Amazon S3 buckets. The company anticipates adding more teams that also will have their own S3 buckets. When the company adds these teams, team members will need the ability to be assigned to multiple teams. Team members also will need the ability to change teams. Additional S3 buckets can be created or deleted.
An IAM administrator must design a solution to accomplish these goals. The solution also must be scalable and must require the least possible operational overhead.
Which solution meets these requirements?

  1. A. Add users to groups that represent the teams. Create a policy for each team that allows the team to access its respective S3 buckets only. Attach the policy to the corresponding group.
  2. B. Create an IAM role for each team. Create a policy for each team that allows the team to access its respective S3 buckets only. Attach the policy to the corresponding role.
  3. C. Create IAM roles that are labeled with an access tag value of a team. Create one policy that allows dynamic access to S3 buckets with the same tag. Attach the policy to the IAM roles. Tag the S3 buckets accordingly.
  4. D. Implement a role-based access control (RBAC) authorization model. Create the corresponding policies, and attach them to the IAM users.

Correct Answer: A

QUESTION 99

- (Exam Topic 3)
You need to ensure that the CloudTrail logs that are being delivered in your AWS account are encrypted. How can this be achieved in the easiest way possible?
Please select:

  1. A. Don't do anything since CloudTrail logs are automatically encrypted.
  2. B. Enable S3-SSE for the underlying bucket which receives the log files
  3. C. Enable S3-KMS for the underlying bucket which receives the log files
  4. D. Enable KMS encryption for the logs which are sent to Cloudwatch

Correct Answer: A
The AWS Documentation mentions the following:
By default, the log files delivered by CloudTrail to your bucket are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3).
Options B, C and D are all invalid because by default all logs are encrypted when they are sent by CloudTrail to S3 buckets.
For more information on AWS CloudTrail log encryption, please visit the following URL: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html
The correct answer is: Don't do anything since CloudTrail logs are automatically encrypted.

QUESTION 100

- (Exam Topic 1)
Users report intermittent availability of a web application hosted on AWS. Monitoring systems report an excess of abnormal network traffic followed by high CPU utilization on the application web tier. Which of the following techniques will improve the availability of the application? (Select TWO.)

  1. A. Deploy AWS WAF to block all unsecured web applications from accessing the internet.
  2. B. Deploy an Intrusion Detection/Prevention System (IDS/IPS) to monitor or block unusual incoming network traffic.
  3. C. Configure security groups to allow outgoing network traffic only from hosts that are protected with up-to-date antivirus software.
  4. D. Create Amazon CloudFront distribution and configure AWS WAF rules to protect the web applications from malicious traffic.
  5. E. Use the default Amazon VPC for external-facing systems to allow AWS to actively block malicious network traffic affecting Amazon EC2 instances.

Correct Answer: BD
