Free AWS-Certified-Security-Specialty Exam Braindumps

Pass your Amazon AWS Certified Security - Specialty exam with these free Questions and Answers

Page 9 of 118
QUESTION 36

- (Exam Topic 2)
A company’s database developer has just migrated an Amazon RDS database credential to be stored and managed by AWS Secrets Manager. The developer has also enabled rotation of the credential within the Secrets Manager console and set the rotation to change every 30 days.
After a short period of time, a number of existing applications have failed with authentication errors. What is the MOST likely cause of the authentication errors?

- A. Migrating the credential to RDS requires that all access come through requests to the Secrets Manager.
- B. Enabling rotation in Secrets Manager causes the secret to rotate immediately, and the applications are using the earlier credential.
- C. The Secrets Manager IAM policy does not allow access to the RDS database.
- D. The Secrets Manager IAM policy does not allow access for the applications.

Correct Answer: B
https://docs.aws.amazon.com/secretsmanager/latest/userguide/enable-rotation-rds.html

QUESTION 37

- (Exam Topic 3)
A company is using AWS Organizations to develop a multi-account secure networking strategy. The company plans to use separate centrally managed accounts for shared services, auditing, and security inspection. The company plans to provide dozens of additional accounts to application owners for production and development environments.
Company security policy requires that all internet traffic be routed through a centrally managed security inspection layer in the security inspection account. A security engineer must recommend a solution that minimizes administrative overhead and complexity.
Which solution meets these requirements?

- A. Use AWS Control Tower. Modify the default Account Factory networking template to automatically associate new accounts with a centrally managed VPC through a VPC peering connection and to create a default route to the VPC peer in the default route table. Create an SCP that denies the CreateInternetGateway action. Attach the SCP to all accounts except the security inspection account.
- B. Create a centrally managed VPC in the security inspection account. Establish VPC peering connections between the security inspection account and other accounts. Instruct account owners to create default routes in their account route tables that point to the VPC peer. Create an SCP that denies the AttachInternetGateway action. Attach the SCP to all accounts except the security inspection account.
- C. Use AWS Control Tower. Modify the default Account Factory networking template to automatically associate new accounts with a centrally managed transit gateway and to create a default route to the transit gateway in the default route table. Create an SCP that denies the AttachInternetGateway action. Attach the SCP to all accounts except the security inspection account.
- D. Enable AWS Resource Access Manager (AWS RAM) for AWS Organizations. Create a shared transit gateway, and make it available by using an AWS RAM resource share. Create an SCP that denies the CreateInternetGateway action. Attach the SCP to all accounts except the security inspection account. Create routes in the route tables of all accounts that point to the shared transit gateway.

Correct Answer: C

QUESTION 38

- (Exam Topic 2)
You have an EC2 instance in a private subnet which needs to access the KMS service. Which of the following methods can help fulfil this requirement, keeping security in perspective?
Please select:

- A. Use a VPC endpoint
- B. Attach an Internet gateway to the subnet
- C. Attach a VPN connection to the VPC
- D. Use VPC Peering

Correct Answer: A
The AWS Documentation mentions the following:
You can connect directly to AWS KMS through a private endpoint in your VPC instead of connecting over the internet. When you use a VPC endpoint, communication between your VPC and AWS KMS is conducted entirely within the AWS network.
Option B is invalid because this could open threats from the internet.
Option C is invalid because this is normally used for communication between on-premise environments and AWS.
Option D is invalid because this is normally used for communication between VPCs.
For more information on accessing KMS via an endpoint, please visit the following URL: https://docs.aws.amazon.com/kms/latest/developerguide/kms-vpc-endpoint.html
The correct answer is: Use a VPC endpoint.

QUESTION 39

- (Exam Topic 1)
A Developer is building a serverless application that uses Amazon API Gateway as the front end. The application will not be publicly accessible. Other legacy applications running on Amazon EC2 will make calls to the application. A Security Engineer has been asked to review the security controls for authentication and authorization of the application.
Which combination of actions would provide the MOST secure solution? (Select TWO.)

- A. Configure an IAM policy that allows the least permissive actions to communicate with the API Gateway. Attach the policy to the role used by the legacy EC2 instances.
- B. Enable AWS WAF for API Gateway. Configure rules to explicitly allow connections from the legacy EC2 instances.
- C. Create a VPC endpoint for API Gateway. Attach an IAM resource policy that allows the role of the legacy EC2 instances to call specific APIs.
- D. Create a usage plan. Generate a set of API keys for each application that needs to call the API.
- E. Configure cross-origin resource sharing (CORS) in each API. Share the CORS information with the applications that call the API.

Correct Answer: AE

QUESTION 40

- (Exam Topic 3)
A company is operating a website using Amazon CloudFront. CloudFront serves some content from Amazon S3 and other content from web servers running on EC2 instances behind an Application Load Balancer (ALB). Amazon DynamoDB is used as the data store. The company already uses AWS Certificate Manager (ACM) to store a public TLS certificate that can optionally secure connections between the website users and CloudFront. The company has a new requirement to enforce end-to-end encryption in transit.
Which combination of steps should the company take to meet this requirement? (Select THREE.)

- A. Update the CloudFront distribution, configuring it to optionally use HTTPS when connecting to origins on Amazon S3.
- B. Update the web application configuration on the web servers to use HTTPS instead of HTTP when connecting to DynamoDB.
- C. Update the CloudFront distribution to redirect HTTP connections to HTTPS.
- D. Configure the web servers on the EC2 instances to listen using HTTPS using the public ACM TLS certificate. Update the ALB to connect to the target group using HTTPS.
- E. Update the ALB listener to listen using HTTPS using the public ACM TLS certificate. Update the CloudFront distribution to connect to the HTTPS listener.
- F. Create a TLS certificate. Configure the web servers on the EC2 instances to use HTTPS only with that certificate. Update the ALB to connect to the target group using HTTPS.

Correct Answer: BCE

