Free AWS-Certified-Security-Specialty Exam Braindumps

Pass your Amazon AWS Certified Security - Specialty exam with these free Questions and Answers

Page 4 of 118
QUESTION 11

- (Exam Topic 3)
Developers in an organization have moved from a standard application deployment to containers. The Security Engineer is tasked with ensuring that the containers are secure. Which strategies will reduce the attack surface and enhance the security of the containers? (Select TWO.)

  A. Use the containers to automate security deployments.
  B. Limit resource consumption (CPU, memory), networking connections, ports, and unnecessary container libraries.
  C. Segregate containers by host, function, and data classification.
  D. Use Docker Notary framework to sign task definitions.
  E. Enable container breakout at the host kernel.

Correct Answer: AC

QUESTION 12

- (Exam Topic 2)
A company has Windows Amazon EC2 instances in a VPC that are joined to on-premises Active Directory servers for domain services. The security team has enabled Amazon GuardDuty on the AWS account to alert on issues with the instances.
During a weekly audit of network traffic, the Security Engineer notices that one of the EC2 instances is attempting to communicate with a known command-and-control server but failing. This alert does not show up in GuardDuty.
Why did GuardDuty fail to alert to this behavior?

  A. GuardDuty did not have the appropriate alerts activated.
  B. GuardDuty does not see these DNS requests.
  C. GuardDuty only monitors active network traffic flow for command-and-control activity.
  D. GuardDuty does not report on command-and-control activity.

Correct Answer: B
https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_data-sources.html
https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_backdoor.html

QUESTION 13

- (Exam Topic 3)
Your company is planning on using AWS EC2 and ELB for the deployment of their web applications. The security policy mandates that all traffic should be encrypted. Which of the following options will ensure that this requirement is met? Choose 2 answers from the options below.
Please select:

  A. Ensure the load balancer listens on port 80
  B. Ensure the load balancer listens on port 443
  C. Ensure the HTTPS listener sends requests to the instances on port 443
  D. Ensure the HTTPS listener sends requests to the instances on port 80

Correct Answer: BC
The AWS Documentation mentions the following:
You can create a load balancer that listens on both the HTTP (80) and HTTPS (443) ports. If you specify that the HTTPS listener sends requests to the instances on port 80, the load balancer terminates the requests and communication from the load balancer to the instances is not encrypted. If the HTTPS listener sends requests to the instances on port 443, communication from the load balancer to the instances is encrypted.
Option A is invalid because there is a need for secure traffic, so port 80 should not be used.
Option D is invalid because for the HTTPS listener you need to use port 443.
For more information on HTTPS with ELB, please refer to the below link:
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html
The correct answers are: Ensure the load balancer listens on port 443, Ensure the HTTPS listener sends requests to the instances on port 443

QUESTION 14

- (Exam Topic 2)
A Security Engineer is building a Java application that is running on Amazon EC2. The application communicates with an Amazon RDS instance and authenticates with a user name and password.
Which combination of steps can the Engineer take to protect the credentials and minimize downtime when the credentials are rotated? (Choose two.)

  A. Have a Database Administrator encrypt the credentials and store the ciphertext in Amazon S3. Grant permission to the instance role associated with the EC2 instance to read the object and decrypt the ciphertext.
  B. Configure a scheduled job that updates the credential in AWS Systems Manager Parameter Store and notifies the Engineer that the application needs to be restarted.
  C. Configure automatic rotation of credentials in AWS Secrets Manager.
  D. Store the credential in an encrypted string parameter in AWS Systems Manager Parameter Store.
  E. Grant permission to the instance role associated with the EC2 instance to access the parameter and the AWS KMS key that is used to encrypt it.
  F. Configure the Java application to catch a connection failure and make a call to AWS Secrets Manager to retrieve updated credentials when the password is rotated.
  G. Grant permission to the instance role associated with the EC2 instance to access Secrets Manager.

Correct Answer: CE

QUESTION 15

- (Exam Topic 1)
A Security Engineer is setting up an AWS CloudTrail trail for all regions in an AWS account. For added security, the logs are stored using server-side encryption with AWS KMS-managed keys (SSE-KMS) and have log integrity validation enabled.
While testing the solution, the Security Engineer discovers that the digest files are readable, but the log files are not. What is the MOST likely cause?

  A. The log files fail integrity validation and are automatically marked as unavailable.
  B. The KMS key policy does not grant the Security Engineer's IAM user or role permissions to decrypt with it.
  C. The bucket is set up to use server-side encryption with Amazon S3-managed keys (SSE-S3) as the default and does not allow SSE-KMS-encrypted files.
  D. An IAM policy applicable to the Security Engineer's IAM user or role denies access to the "CloudTrail/" prefix in the Amazon S3 bucket.

Correct Answer: D
