Free AWS-Certified-Security-Specialty Exam Braindumps

Pass your Amazon AWS Certified Security - Specialty exam with these free Questions and Answers

Page 3 of 118
QUESTION 6

- (Exam Topic 3)
A company uses Amazon RDS for MySQL as a database engine for its applications. A recent security audit revealed an RDS instance that is not compliant with company policy for encrypting data at rest. A security engineer at the company needs to ensure that all existing RDS databases are encrypted using server-side encryption and that any future deviations from the policy are detected.
Which combination of steps should the security engineer take to accomplish this? (Select TWO.)

  A. Create an AWS Config rule to detect the creation of unencrypted RDS databases.
  B. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to trigger on the AWS Config rule's compliance state change and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.
  C. Use AWS Systems Manager State Manager to detect RDS database encryption configuration drift.
  D. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to track state changes and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.
  E. Create a read replica for the existing unencrypted RDS database and enable replica encryption in the process. Once the replica becomes active, promote it into a standalone database instance and terminate the unencrypted database instance.
  F. Take a snapshot of the unencrypted RDS database. Copy the snapshot and enable snapshot encryption in the process. Restore the database instance from the newly created encrypted snapshot. Terminate the unencrypted database instance.
  G. Enable encryption for the identified unencrypted RDS instance by changing the configuration of the existing database.

Correct Answer: AD

QUESTION 7

- (Exam Topic 1)
A Developer signed in to a new account within an AWS Organizations organizational unit (OU) containing multiple accounts. Access to the Amazon S3 service is restricted with the following SCP:
[Exhibit: SCP policy document (image not reproduced)]
How can the Security Engineer provide the Developer with Amazon S3 access without affecting other accounts?

  A. Move the SCP to the root OU of Organizations to remove the restriction to access Amazon S3.
  B. Add an IAM policy for the Developer, which grants S3 access.
  C. Create a new OU without applying the SCP restricting S3 access. Move the Developer account to this new OU.
  D. Add an allow list for the Developer account for the S3 service.

Correct Answer: B

QUESTION 8

- (Exam Topic 3)
Your company operates in the gaming domain and hosts several EC2 instances as game servers. The servers each experience user loads in the thousands. There is a concern that DDoS attacks on the EC2 instances could cause a huge revenue loss to the company. Which of the following can help mitigate this security concern and also ensure minimum downtime for the servers?
Please select:

  A. Use VPC Flow Logs to monitor the VPC and then implement NACLs to mitigate attacks
  B. Use AWS Shield Advanced to protect the EC2 instances
  C. Use AWS Inspector to protect the EC2 instances
  D. Use AWS Trusted Advisor to protect the EC2 instances

Correct Answer: B
Below is an excerpt from the AWS documentation on some of the use cases for AWS Shield:
[Exhibit: AWS Shield documentation excerpt (image not reproduced)]

QUESTION 9

- (Exam Topic 1)
A security engineer has noticed that VPC Flow Logs are showing a lot of REJECT traffic originating from a single Amazon EC2 instance in an Auto Scaling group. The security engineer is concerned that this EC2 instance may be compromised.
What immediate action should the security engineer take?

  A. Remove the instance from the Auto Scaling group. Close the security group with ingress only from a single forensic IP address to perform an analysis.
  B. Remove the instance from the Auto Scaling group. Change the network ACL rules to allow traffic only from a single forensic IP address to perform an analysis. Add a rule to deny all other traffic.
  C. Remove the instance from the Auto Scaling group. Enable Amazon GuardDuty in that AWS account. Install the Amazon Inspector agent on the suspicious EC2 instance to perform a scan.
  D. Take a snapshot of the suspicious EC2 instance. Create a new EC2 instance from the snapshot in a closed security group with ingress only from a single forensic IP address to perform an analysis.

Correct Answer: B

QUESTION 10

- (Exam Topic 3)
How can you ensure that an instance in a VPC does not use the AWS DNS server for resolving DNS requests? You want to use your own managed DNS instance. How can this be achieved?
Please select:

  A. Change the existing DHCP options set
  B. Create a new DHCP options set and replace the existing one.
  C. Change the route table for the VPC
  D. Change the subnet configuration to allow DNS requests from the new DNS server

Correct Answer: B
In order to use your own DNS server, you need to ensure that you create a new custom DHCP options set with the IP address of the custom DNS server. You cannot modify the existing set, so you need to create a new one.
Option A is invalid because you cannot make changes to an existing DHCP options set.
Option C is invalid because the route table only controls routing and cannot be used to configure a custom DNS solution.
Option D is invalid because this needs to be done at the VPC level and not at the subnet level.
For more information on DHCP options sets, please visit the following URL: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_DHCP_Options.html
The correct answer is: Create a new DHCP options set and replace the existing one.
