Free AWS-Certified-Security-Specialty Exam Braindumps

Pass your Amazon AWS Certified Security - Specialty exam with these free Questions and Answers

QUESTION 111

- (Exam Topic 1)
A global company must mitigate and respond to DDoS attacks at Layers 3, 4 and 7. All of the company's AWS applications are serverless, with static content hosted on Amazon S3 using Amazon CloudFront and Amazon Route 53.
Which solution will meet these requirements?

  1. A. Use AWS WAF with an upgrade to the AWS Business support plan
  2. B. Use AWS Certificate Manager with an Application Load Balancer configured with an origin access identity
  3. C. Use AWS Shield Advanced
  4. D. Use AWS WAF to protect AWS Lambda functions encrypted with AWS KMS and a NACL restricting all Ingress traffic

Correct Answer: C

QUESTION 112

- (Exam Topic 2)
Your company has an EC2 instance that is hosted in an AWS VPC. There is a requirement to ensure that log files from the EC2 instance are stored accordingly. Access to the destination of the log files should also be limited. How can this be accomplished? Choose 2 answers from the options given below. Each answer forms part of the solution.
Please select:

  1. A. Stream the log files to a separate CloudTrail trail
  2. B. Stream the log files to a separate CloudWatch Log group
  3. C. Create an IAM policy that gives the desired level of access to the CloudTrail trail
  4. D. Create an IAM policy that gives the desired level of access to the CloudWatch Log group

Correct Answer: BD
You can create a Log group and send all logs from the EC2 instance to that group. You can then limit access to the Log group via an IAM policy.
Option A is invalid because CloudTrail is used to record API activity and not for storing log files.
Option C is invalid because CloudTrail is the wrong service to be used for this requirement.
For more information on Log Groups and Log Streams, please visit the following URL:
* https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Workinj
For more information on access to CloudWatch Logs, please visit the following URL:
* https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/auth-and-access-control-cwl.html
The correct answers are: Stream the log files to a separate CloudWatch Log group. Create an IAM policy that gives the desired level of access to the CloudWatch Log group.

QUESTION 113

- (Exam Topic 2)
You are devising a policy to allow users to access objects in a bucket called appbucket. You define the below custom bucket policy:
[Exhibit: bucket policy (image not included)]
But when you try to apply the policy, you get the error "Action does not apply to any resource(s) in statement." What should be done to rectify the error?
Please select:

  1. A. Change the IAM permissions by applying PutBucketPolicy permissions.
  2. B. Verify that the policy has the same name as the bucket name. If not, make it the same.
  3. C. Change the Resource section to "arn:aws:s3:::appbucket/*".
  4. D. Create the bucket "appbucket" and then apply the policy.

Correct Answer: C
When you define access to objects in a bucket, you need to specify which objects in the bucket the access applies to. In this case, the * can be used to assign the permission to all objects in the bucket.
Option A is invalid because the right permissions are already provided as per the question requirement.
Option B is invalid because it is not necessary that the policy has the same name as the bucket.
Option D is invalid because this should be the default flow for applying the policy.
For more information on bucket policies, please visit the below URL:
https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
The correct answer is: Change the Resource section to "arn:aws:s3:::appbucket/*".
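The mismatch behind this error can be checked before a policy is applied. The following is an added example, not part of the original question or its exhibit: the two policies are constructed, the principal is a placeholder, `s3:GetObject` is assumed as the action, and the action sets are a small, non-exhaustive assumption.

```python
# Added example: constructed policies, not the page's missing exhibit.
# Assumption: small, non-exhaustive action sets grouped by the resource type they act on.
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation"}

def as_list(value):
    """Policy fields may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]

def is_object_arn(arn):
    """arn:aws:s3:::bucket/key-pattern names objects; arn:aws:s3:::bucket names the bucket."""
    return "/" in arn.split(":::", 1)[-1]

def mismatched_actions(policy):
    """Return (Sid, action) pairs whose statement has no resource of the type the action needs."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        resources = as_list(stmt.get("Resource", []))
        has_object = any(is_object_arn(r) for r in resources)
        has_bucket = any(not is_object_arn(r) for r in resources)
        for action in as_list(stmt.get("Action", [])):
            needs_object = action in OBJECT_ACTIONS and not has_object
            needs_bucket = action in BUCKET_ACTIONS and not has_bucket
            if needs_object or needs_bucket:
                findings.append((stmt.get("Sid", "<no Sid>"), action))
    return findings

def make_policy(resource):
    """Build a one-statement bucket policy for 'appbucket' with the given Resource."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowObjectRead",
            "Effect": "Allow",
            # Placeholder principal (constructed for this example).
            "Principal": {"AWS": "arn:aws:iam::111122223333:user/example"},
            "Action": "s3:GetObject",
            "Resource": resource,
        }],
    }

BROKEN = make_policy("arn:aws:s3:::appbucket")    # bucket ARN with an object-level action
FIXED = make_policy("arn:aws:s3:::appbucket/*")   # object ARN, as in the correct answer

if __name__ == "__main__":
    print("broken:", mismatched_actions(BROKEN))
    print("fixed: ", mismatched_actions(FIXED))
```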

QUESTION 114

- (Exam Topic 3)
Which of the following bucket policies will ensure that objects being uploaded to a bucket called 'demo' are encrypted?
Please select:

  1. A. [Exhibit: bucket policy (image not included)]
  2. B. [Exhibit: bucket policy (image not included)]
  3. C. [Exhibit: bucket policy (image not included)]
  4. D. [Exhibit: bucket policy (image not included)]

Correct Answer: A
The condition "s3:x-amz-server-side-encryption":"aws:kms" ensures that uploaded objects must be encrypted.
Options B, C and D are invalid because you have to ensure the condition "s3:x-amz-server-side-encryption":"aws:kms" is present.
For more information on AWS KMS best practices, just browse to the below URL: https://d1.awsstatic.com/whitepapers/aws-kms-best-practices.pdf
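One way such a condition can be written and reasoned about, as an added example that is not the exhibit from the original question: the policy below is constructed (a Deny with `StringNotEquals` is assumed), and the evaluator is a simplified model that only covers this one condition operator.

```python
# Added example: constructed policy for the bucket 'demo'; the page's exhibits are not available.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyUploadsWithoutSseKms",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::demo/*",
        "Condition": {
            "StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}
        },
    }],
}

def as_list(value):
    """Policy fields may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]

def put_object_denied(policy, request_headers):
    """Simplified model: does a Deny statement reject this PutObject request?

    Only StringNotEquals is modelled. A negated operator is true when the key
    is absent from the request, so an upload with no encryption header is
    denied as well as one that asks for a different algorithm.
    """
    for stmt in as_list(policy["Statement"]):
        if stmt["Effect"] != "Deny" or "s3:PutObject" not in as_list(stmt["Action"]):
            continue
        tests = stmt.get("Condition", {}).get("StringNotEquals", {})
        # All keys under one operator must hold for the statement to apply.
        if all(
            request_headers.get(key.split(":", 1)[1]) not in as_list(expected)
            for key, expected in tests.items()
        ):
            return True
    return False

# Constructed sample requests (headers only).
WITH_KMS = {"x-amz-server-side-encryption": "aws:kms"}
WITH_AES256 = {"x-amz-server-side-encryption": "AES256"}
NO_HEADER = {}

if __name__ == "__main__":
    for name, hdrs in [("aws:kms", WITH_KMS), ("AES256", WITH_AES256), ("none", NO_HEADER)]:
        print(name, "denied" if put_object_denied(POLICY, hdrs) else "not denied")
```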

QUESTION 115

- (Exam Topic 2)
A company wants to control access to its AWS resources by using identities and groups that are defined in its existing Microsoft Active Directory.
What must the company create in its AWS account to map permissions for AWS services to Active Directory user attributes?

  1. A. AWS IAM groups
  2. B. AWS IAM users
  3. C. AWS IAM roles
  4. D. AWS IAM access keys

Correct Answer: C
Prerequisites to establish Federation Services in AWS:
- You have a working AD directory and AD FS server.
- You have created an identity provider (IdP) in your AWS account using your XML file from your AD FS server. Remember the name of your IdP because you will use it later in this solution.
- You have created the appropriate IAM roles in your AWS account, which will be used for federated access.
https://aws.amazon.com/blogs/security/how-to-establish-federated-access-to-your-aws-resources-by-using-activ
