Free AWS-Certified-Security-Specialty Exam Braindumps

Pass your Amazon AWS Certified Security - Specialty exam with these free Questions and Answers

Page 22 of 118
QUESTION 101

- (Exam Topic 3)
You are planning to use AWS Config to check the configuration of the resources in your AWS account. You plan to reuse an existing IAM role as the role AWS Config assumes. Which of the following is required to ensure the AWS Config service can work as required?
Please select:

  1. A. Ensure that there is a trust policy in place for the AWS Config service within the role
  2. B. Ensure that there is a grant policy in place for the AWS Config service within the role
  3. C. Ensure that there is a user policy in place for the AWS Config service within the role
  4. D. Ensure that there is a group policy in place for the AWS Config service within the role

Correct Answer: A
Options B, C and D are invalid: the role must carry a trust policy that allows the AWS Config service principal to assume it; a grant, user or group policy does not do this. The trust policy is separate from the permissions policy attached to the role, which only controls what Config may do once it has assumed the role. For more information on the IAM role permissions, please visit the link below:
https://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html
The correct answer is: Ensure that there is a trust policy in place for the AWS Config service within the role
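The check the answer describes, as an added example that is not part of the original page: the trust policy documents below are constructed for this illustration (the service principal `config.amazonaws.com` is the real one AWS Config uses), and `service_can_assume` walks the statements the way IAM evaluates them, so a role whose trust policy only names `ec2.amazonaws.com`, or that contains an explicit Deny, is reported as unusable by Config even if its permissions policy is perfect.

```python
import json

# Service principal AWS Config presents when it calls sts:AssumeRole.
CONFIG_SERVICE_PRINCIPAL = "config.amazonaws.com"

# Constructed trust policy that lets AWS Config assume the role.
TRUST_POLICY_OK = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "config.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}""")

# Constructed trust policy of a reused EC2 role: the permissions policy may be
# right, but Config is not trusted, so the service cannot assume the role.
TRUST_POLICY_EC2_ONLY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}""")

# Constructed trust policy where an explicit Deny overrides the Allow.
TRUST_POLICY_DENIED = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Principal": {"Service": ["config.amazonaws.com", "ec2.amazonaws.com"]},
     "Action": "sts:AssumeRole"},
    {"Effect": "Deny",
     "Principal": {"Service": "config.amazonaws.com"},
     "Action": "sts:AssumeRole"}
  ]
}""")


def _as_list(value):
    """IAM accepts a single string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def service_can_assume(trust_policy, service_principal):
    """True if an Allow statement grants sts:AssumeRole to the service principal
    and no Deny statement revokes it (an explicit Deny always wins)."""
    allowed = False
    for stmt in _as_list(trust_policy.get("Statement")):
        principal = stmt.get("Principal", {})
        if principal == "*":
            services = ["*"]
        elif isinstance(principal, dict):
            services = _as_list(principal.get("Service"))
        else:
            services = []
        actions = _as_list(stmt.get("Action"))
        matches_action = any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions)
        matches_principal = any(s in (service_principal, "*") for s in services)
        if not (matches_action and matches_principal):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def config_can_assume(trust_policy):
    """Convenience wrapper for the AWS Config service principal."""
    return service_can_assume(trust_policy, CONFIG_SERVICE_PRINCIPAL)
```

In practice the document to feed in is the `AssumeRolePolicyDocument` returned by `iam:GetRole` for the reused role; if the function returns False, attach a statement like the one in `TRUST_POLICY_OK` with `iam:UpdateAssumeRolePolicy` before pointing the Config recorder at the role.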

QUESTION 102

- (Exam Topic 3)
A company's Security Team received an email notification from the Amazon EC2 Abuse team that one or more of the company's Amazon EC2 instances may have been compromised.
Which combination of actions should the Security team take to respond to the current incident? (Select TWO.)

  1. A. Open a support case with the AWS Security team and ask them to remove the malicious code from the affected instance
  2. B. Respond to the notification and list the actions that have been taken to address the incident
  3. C. Delete all IAM users and resources in the account
  4. D. Detach the internet gateway from the VPC, remove all rules that contain 0.0.0.0/0 from the security groups, and create a NACL rule to deny all traffic inbound from the internet
  5. E. Delete the identified compromised instances and delete any associated resources that the Security team did not create.

Correct Answer: BE
AWS expects the account owner to reply to the abuse notification with the remediation taken (B), and removing the compromised instances together with any resources the attacker created contains the incident (E). Option A is invalid because the customer, not AWS, is responsible for the guest operating system; option C destroys the whole account's identities; option D takes every workload in the VPC offline rather than isolating the affected instances.

QUESTION 103

- (Exam Topic 1)
A company has a VPC with an IPv6 address range and a public subnet with an IPv6 address block. The VPC currently hosts some public Amazon EC2 instances but a Security Engineer needs to migrate a second application into the VPC that also requires IPv6 connectivity.
This new application will occasionally make API requests to an external, internet-accessible endpoint to receive updates However, the Security team does not want the application's EC2 instance exposed directly to the internet The Security Engineer intends to create a private subnet with a custom route table and to associate the route table with the private subnet
What else does the Security Engineer need to do to ensure the application will not be exposed directly to the internet, but can still communicate as required''

  1. A. Launch a NAT instance in the public subnet. Update the custom route table with a new route to the NAT instance.
  2. B. Remove the internet gateway, and add AWS PrivateLink to the VPC. Then update the custom route table with a new route to AWS PrivateLink.
  3. C. Add a managed NAT gateway to the VPC. Update the custom route table with a new route to the gateway.
  4. D. Add an egress-only internet gateway to the VPC. Update the custom route table with a new route to the gateway.

Correct Answer: D
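A check for the routing state the answer requires, added here as an example that is not part of the original page. The three route tables are constructed in the shape of a DescribeRouteTables response with made-up gateway IDs and address blocks; `ipv6_exposure` distinguishes a `::/0` route through an internet gateway (inbound reachable) from one through an egress-only internet gateway (outbound only), and `meets_requirement` also confirms there is no IPv4 internet gateway route, since a NAT gateway or NAT instance only carries IPv4 and leaves the IPv6-only application without egress.

```python
# Constructed route tables (IDs and prefixes are made up for this example).
PUBLIC_RT = {
    "RouteTableId": "rtb-0aaaaaaaaaaaaaaaa",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationIpv6CidrBlock": "2001:db8:1::/56", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123456789abcdef0", "State": "active"},
        {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-0123456789abcdef0", "State": "active"},
    ],
}

# The private subnet's custom route table from the question: IPv6 default route
# via an egress-only internet gateway and no IPv4 default route at all.
PRIVATE_RT = {
    "RouteTableId": "rtb-0bbbbbbbbbbbbbbbb",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationIpv6CidrBlock": "2001:db8:1::/56", "GatewayId": "local", "State": "active"},
        {"DestinationIpv6CidrBlock": "::/0",
         "EgressOnlyInternetGatewayId": "eigw-0123456789abcdef0", "State": "active"},
    ],
}

# Options A/C from the question: a NAT route handles IPv4 only.
NAT_RT = {
    "RouteTableId": "rtb-0ccccccccccccccccc",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationIpv6CidrBlock": "2001:db8:1::/56", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123456789abcdef0", "State": "active"},
    ],
}

# Fields a route may use to name its target, in the DescribeRouteTables schema.
TARGET_KEYS = ("GatewayId", "EgressOnlyInternetGatewayId", "NatGatewayId",
               "InstanceId", "NetworkInterfaceId", "TransitGatewayId",
               "VpcPeeringConnectionId")


def _default_route(rt, dest_key, default_cidr):
    """Return the active default route for one address family, or None."""
    for route in rt["Routes"]:
        if route.get(dest_key) == default_cidr and route.get("State", "active") == "active":
            return route
    return None


def _target(route):
    for key in TARGET_KEYS:
        if key in route:
            return route[key]
    return ""


def ipv6_exposure(rt):
    """'exposed' (igw), 'egress-only' (eigw), 'none', or 'other' (inspect by hand)."""
    route = _default_route(rt, "DestinationIpv6CidrBlock", "::/0")
    if route is None:
        return "none"
    target = _target(route)
    if "EgressOnlyInternetGatewayId" in route or target.startswith("eigw-"):
        return "egress-only"
    if target.startswith("igw-"):
        return "exposed"
    return "other"


def ipv4_exposure(rt):
    """'exposed' (igw), 'egress-only' (NAT gateway or NAT instance), 'none', or 'other'."""
    route = _default_route(rt, "DestinationCidrBlock", "0.0.0.0/0")
    if route is None:
        return "none"
    target = _target(route)
    if target.startswith("igw-"):
        return "exposed"
    if "NatGatewayId" in route or target.startswith(("nat-", "i-", "eni-")):
        return "egress-only"
    return "other"


def meets_requirement(rt):
    """Outbound IPv6 reachability without direct inbound exposure on either family."""
    return ipv6_exposure(rt) == "egress-only" and ipv4_exposure(rt) in ("none", "egress-only")
```

Only `PRIVATE_RT` satisfies the requirement: `PUBLIC_RT` is reachable from the internet on both families, and `NAT_RT` gives IPv4 hosts a way out but leaves `::/0` unrouted, so the IPv6 application cannot reach its update endpoint.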

QUESTION 104

- (Exam Topic 3)
A company is using AWS Secrets Manager to store secrets for its production Amazon RDS database. The Security Officer has asked that secrets be rotated every 3 months. Which solution would allow the company to securely rotate the secrets? (Select TWO.)

  1. A. Place the RDS instance in a public subnet and an AWS Lambda function outside the VPC. Schedule the Lambda function to run every 3 months to rotate the secrets.
  2. B. Place the RDS instance in a private subnet and an AWS Lambda function inside the VPC in the private subnet. Configure the private subnet to use a NAT gateway. Schedule the Lambda function to run every 3 months to rotate the secrets.
  3. C. Place the RDS instance in a private subnet and an AWS Lambda function outside the VPC. Configure the private subnet to use an internet gateway. Schedule the Lambda function to run every 3 months to rotate the secrets.
  4. D. Place the RDS instance in a private subnet and an AWS Lambda function inside the VPC in the private subnet. Schedule the Lambda function to run quarterly to rotate the secrets.
  5. E. Place the RDS instance in a private subnet and an AWS Lambda function inside the VPC in the private subnet. Configure a Secrets Manager interface endpoint. Schedule the Lambda function to run every 3 months to rotate the secrets.

Correct Answer: BE

QUESTION 105

- (Exam Topic 2)
A Security Engineer discovers that developers have been adding rules to security groups that allow SSH and RDP traffic from 0.0.0.0/0 instead of the organization firewall IP.
What is the most efficient way to remediate the risk of this activity?

  1. A. Delete the internet gateway associated with the VPC.
  2. B. Use network access control lists to block source IP addresses matching 0.0.0.0/0.
  3. C. Use a host-based firewall to prevent access from all but the organization’s firewall IP.
  4. D. Use AWS Config rules to detect 0.0.0.0/0 and invoke an AWS Lambda function to update the security group with the organization's firewall IP.

Correct Answer: D
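The detection and remediation logic option D describes, as an added example that is not part of the original page. The security group is constructed in the shape of one entry of a DescribeSecurityGroups response with a made-up group ID and addresses, and the firewall address `198.51.100.4/32` is an assumption. `find_open_admin_rules` reports only rules that admit SSH or RDP from `0.0.0.0/0` or `::/0` (a world-open HTTPS rule is not a finding, and an all-protocols rule from a private range is not either), `evaluate` returns the verdict a custom AWS Config rule would hand back, and `remediate` computes the corrected permissions a Lambda function would apply.

```python
import copy

ADMIN_PORTS = (22, 3389)          # SSH and RDP
ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"

# Constructed security group; the group ID and all addresses are made up.
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ],
}

ORG_FIREWALL_CIDR = "198.51.100.4/32"   # assumed organisation firewall address


def _covers_admin_port(perm):
    """True if the rule's protocol and port range include SSH or RDP.
    IpProtocol "-1" means all protocols and all ports."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):          # the API may return names or numbers
        return False
    lo = perm.get("FromPort", 0)
    hi = perm.get("ToPort", 65535)
    return any(lo <= p <= hi for p in ADMIN_PORTS)


def _label(perm):
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return "all"
    return f"{proto}/{perm.get('FromPort')}-{perm.get('ToPort')}"


def find_open_admin_rules(group):
    """(rule label, source) pairs that admit SSH or RDP from the whole internet."""
    findings = []
    for perm in group["IpPermissions"]:
        if not _covers_admin_port(perm):
            continue
        for r in perm.get("IpRanges", []):
            if r.get("CidrIp") == ANY_V4:
                findings.append((_label(perm), ANY_V4))
        for r in perm.get("Ipv6Ranges", []):
            if r.get("CidrIpv6") == ANY_V6:
                findings.append((_label(perm), ANY_V6))
    return findings


def evaluate(group):
    """Verdict in the form a custom AWS Config rule reports for the resource."""
    return "NON_COMPLIANT" if find_open_admin_rules(group) else "COMPLIANT"


def remediate(group, firewall_cidr):
    """Return a corrected copy of the group: on admin-port rules, 0.0.0.0/0 is
    replaced by the firewall CIDR and ::/0 is dropped (the assumed firewall has
    no IPv6 address); rules on other ports are left untouched."""
    fixed = copy.deepcopy(group)
    for perm in fixed["IpPermissions"]:
        if not _covers_admin_port(perm):
            continue
        for r in perm.get("IpRanges", []):
            if r.get("CidrIp") == ANY_V4:
                r["CidrIp"] = firewall_cidr
        perm["Ipv6Ranges"] = [r for r in perm.get("Ipv6Ranges", [])
                              if r.get("CidrIpv6") != ANY_V6]
    return fixed
```

In a deployed rule the Lambda would fetch the group with `ec2:DescribeSecurityGroups`, apply the difference between the original and the output of `remediate` with `ec2:RevokeSecurityGroupIngress` and `ec2:AuthorizeSecurityGroupIngress`, and report the verdict through `config:PutEvaluations`; the pure functions above are what you unit-test before trusting the function to edit production groups.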

