Free AWS-Certified-Security-Specialty Exam Braindumps

Pass your Amazon AWS Certified Security - Specialty exam with these free Questions and Answers

Page 11 of 118
QUESTION 46

- (Exam Topic 3)
Your company has a set of EBS volumes defined in AWS. The security mandate is that all EBS volumes are encrypted. What can be done to notify the IT admin staff if there are any unencrypted volumes in the account?
Please select:

  1. A. Use AWS Inspector to inspect all the EBS volumes
  2. B. Use AWS Config to check for unencrypted EBS volumes
  3. C. Use AWS GuardDuty to check for the unencrypted EBS volumes
  4. D. Use AWS Lambda to check for the unencrypted EBS volumes

Correct Answer: B
The encrypted-volumes config rule for AWS Config can be used to check for unencrypted volumes. The rule checks whether EBS volumes that are in an attached state are encrypted. If you specify the ID of a KMS key for encryption using the kmsId parameter, the rule checks if the EBS volumes in an attached state are encrypted with that KMS key.
Options A and C are incorrect since these services cannot be used to check for unencrypted EBS volumes. Option D is incorrect because, even though this is possible, trying to implement the solution with just the Lambda service would be too difficult.
For more information on AWS Config and encrypted volumes, please refer to the URL below:
https://docs.aws.amazon.com/config/latest/developerguide/encrypted-volumes.html
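The rule behaviour described above, modelled locally as an added example (not AWS's implementation and not part of the original page). The sample volumes are constructed in the shape of EC2 DescribeVolumes output; the function names, and the choice to report unattached volumes as NOT_APPLICABLE, are assumptions of this sketch.

```python
# Constructed sample data shaped like the "Volumes" list of EC2 DescribeVolumes.
KEY_ARN = ("arn:aws:kms:us-east-1:111122223333:"
           "key/1234abcd-12ab-34cd-56ef-1234567890ab")
OTHER_KEY_ARN = ("arn:aws:kms:us-east-1:111122223333:"
                 "key/0000aaaa-00aa-00aa-00aa-000000000000")
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0aaa", "Encrypted": True, "KmsKeyId": KEY_ARN,
     "Attachments": [{"State": "attached"}]},
    {"VolumeId": "vol-0bbb", "Encrypted": False,
     "Attachments": [{"State": "attached"}]},
    # Unattached: outside the scope of the rule as the page describes it.
    {"VolumeId": "vol-0ccc", "Encrypted": False, "Attachments": []},
    {"VolumeId": "vol-0ddd", "Encrypted": True, "KmsKeyId": OTHER_KEY_ARN,
     "Attachments": [{"State": "attached"}]},
]


def _key_id(value):
    """Reduce a key ARN or a bare key ID to the bare key ID."""
    return value.rsplit("key/", 1)[-1]


def evaluate_volume(volume, kms_id=None):
    """Return a compliance label for one volume.

    kms_id plays the role of the rule's kmsId parameter: when set, an
    attached volume must be encrypted with that specific key.
    """
    attached = any(a.get("State") == "attached"
                   for a in volume.get("Attachments", []))
    if not attached:
        return "NOT_APPLICABLE"  # assumption of this sketch
    if not volume.get("Encrypted", False):
        return "NON_COMPLIANT"
    if kms_id is not None and \
            _key_id(volume.get("KmsKeyId", "")) != _key_id(kms_id):
        return "NON_COMPLIANT"
    return "COMPLIANT"


def noncompliant_volumes(volumes, kms_id=None):
    """Volume IDs an admin would be notified about."""
    return sorted(v["VolumeId"] for v in volumes
                  if evaluate_volume(v, kms_id) == "NON_COMPLIANT")


if __name__ == "__main__":
    print(noncompliant_volumes(SAMPLE_VOLUMES))
    print(noncompliant_volumes(SAMPLE_VOLUMES, kms_id=KEY_ARN))
```

With kmsId set, a volume encrypted under a different key is flagged as well, which is the stricter check the explanation mentions.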

QUESTION 47

- (Exam Topic 1)
The Security Engineer is managing a traditional three-tier web application that is running on Amazon EC2 instances. The application has become the target of increasing numbers of malicious attacks from the Internet.
What steps should the Security Engineer take to check for known vulnerabilities and limit the attack surface? (Choose two.)

  1. A. Use AWS Certificate Manager to encrypt all traffic between the client and application servers.
  2. B. Review the application security groups to ensure that only the necessary ports are open.
  3. C. Use Elastic Load Balancing to offload Secure Sockets Layer encryption.
  4. D. Use Amazon Inspector to periodically scan the backend instances.
  5. E. Use AWS Key Management Services to encrypt all the traffic between the client and application servers.

Correct Answer: BD

QUESTION 48

- (Exam Topic 1)
A company needs its Amazon Elastic Block Store (Amazon EBS) volumes to be encrypted at all times. During a security incident, EBS snapshots of suspicious instances are shared to a forensics account for analysis. A security engineer attempting to share a suspicious EBS snapshot to the forensics account receives the following error:
"Unable to share snapshot: An error occurred (OperationNotPermitted) when calling the ModifySnapshotAttribute operation: Encrypted snapshots with EBS default key cannot be shared."
Which combination of steps should the security engineer take in the incident account to complete the sharing operation? (Select THREE.)

  1. A. Create a customer managed CMK. Copy the EBS snapshot, encrypting the destination snapshot using the new CMK.
  2. B. Allow forensics accounting principals to use the CMK by modifying its policy.
  3. C. Create an Amazon EC2 instance. Attach the encrypted and suspicious EBS volume. Copy data from the suspicious volume to an unencrypted volume. Snapshot the unencrypted volume.
  4. D. Copy the EBS snapshot to the new decrypted snapshot.
  5. E. Restore a volume from the suspicious EBS snapshot. Create an unencrypted EBS volume of the same size.
  6. F. Share the target EBS snapshot with the forensics account.

Correct Answer: ABF

QUESTION 49

- (Exam Topic 3)
You have a set of Customer keys created using the AWS KMS service. These keys have been used for around 6 months. You are now trying to use the new KMS features for the existing set of keys but are not able to do so. What could be the reason for this?
Please select:

  1. A. You have not explicitly given access via the key policy
  2. B. You have not explicitly given access via the IAM policy
  3. C. You have not given access via the IAM roles
  4. D. You have not explicitly given access via IAM users

Correct Answer: A
By default, keys created in KMS are created with the default key policy. When features are added to KMS, you need to explicitly update the default key policy for these keys.
Options B, C and D are invalid because the key policy is the main entity used to provide access to the keys. For more information on upgrading key policies, please visit the following URL: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-upgrading.html
The correct answer is: You have not explicitly given access via the key policy.

QUESTION 50

- (Exam Topic 2)
An application has a requirement to be resilient across not only Availability Zones within the application’s primary region but also be available within another region altogether.
Which of the following supports this requirement for AWS resources that are encrypted by AWS KMS?

  1. A. Copy the application’s AWS KMS CMK from the source region to the target region so that it can be used to decrypt the resource after it is copied to the target region.
  2. B. Configure AWS KMS to automatically synchronize the CMK between regions so that it can be used to decrypt the resource in the target region.
  3. C. Use AWS services that replicate data across regions, and re-wrap the data encryption key created in the source region by using the CMK in the target region so that the target region’s CMK can decrypt the database encryption key.
  4. D. Configure the target region’s AWS service to communicate with the source region’s AWS KMS so that it can decrypt the resource in the target region.

Correct Answer: C
