Free AWS-Certified-Security-Specialty Exam Braindumps

Pass your Amazon AWS Certified Security - Specialty exam with these free Questions and Answers

Page 5 of 118
QUESTION 16

- (Exam Topic 3)
A company is developing a highly resilient application to be hosted on multiple Amazon EC2 instances. The application will store highly sensitive user data in Amazon RDS tables.
The application must:
• Include migration to a different AWS Region in the application disaster recovery plan.
• Provide a full audit trail of encryption key administration events.
• Allow only company administrators to administer keys.
• Protect data at rest using application layer encryption.
A Security Engineer is evaluating options for encryption key management.
Why should the Security Engineer choose AWS CloudHSM over AWS KMS for encryption key management in this situation?

- A. The key administration event logging generated by CloudHSM is significantly more extensive than AWS KMS.
- B. CloudHSM ensures that only company support staff can administer encryption keys, whereas AWS KMS allows AWS staff to administer keys.
- C. The ciphertext produced by CloudHSM provides more robust protection against brute force decryption attacks than the ciphertext produced by AWS KMS.
- D. CloudHSM provides the ability to copy keys to a different Region, whereas AWS KMS does not.

Correct Answer: B

QUESTION 17

- (Exam Topic 3)
A Development team has built an experimental environment to test a simple static web application. It has built an isolated VPC with a private and a public subnet. The public subnet holds only an Application Load Balancer, a NAT gateway, and an internet gateway. The private subnet holds all of the Amazon EC2 instances.
There are 3 different types of servers. Each server type has its own Security Group that limits access to only required connectivity. The Security Groups have both inbound and outbound rules applied. Each subnet has both inbound and outbound network ACLs applied to limit access to only required connectivity.
Which of the following should the team check if a server cannot establish an outbound connection to the internet? (Select THREE.)

- A. The route tables and the outbound rules on the appropriate private subnet security group.
- B. The outbound network ACL rules on the private subnet and the inbound network ACL rules on the public subnet.
- C. The outbound network ACL rules on the private subnet and both the inbound and outbound rules on the public subnet.
- D. The rules on any host-based firewall that may be applied on the Amazon EC2 instances.
- E. The Security Group applied to the Application Load Balancer and NAT gateway.
- F. That the 0.0.0.0/0 route in the private subnet route table points to the internet gateway in the public subnet.

Correct Answer: CEF

QUESTION 18

- (Exam Topic 1)
A security engineer has noticed an unusually high amount of traffic coming from a single IP address. This was discovered by analyzing the Application Load Balancer's access logs. How can the security engineer limit the number of requests from a specific IP address without blocking the IP address?

- A. Add a rule to the Application Load Balancer to route the traffic originating from the IP address in question and show a static webpage.
- B. Implement a rate-based rule with AWS WAF.
- C. Use AWS Shield to limit the originating traffic hit rate.
- D. Implement the GeoLocation feature in Amazon Route 53.

Correct Answer: B

QUESTION 19

- (Exam Topic 2)
A water utility company uses a number of Amazon EC2 instances to manage updates to a fleet of 2,000 Internet of Things (IoT) field devices that monitor water quality. These devices each have unique access credentials.
An operational safety policy requires that access to specific credentials is independently auditable. What is the MOST cost-effective way to manage the storage of credentials?

- A. Use AWS Systems Manager to store the credentials as Secure String parameters. Secure them by using an AWS KMS key.
- B. Use AWS Key Management Service to store a master key, which is used to encrypt the credentials. The encrypted credentials are stored in an Amazon RDS instance.
- C. Use AWS Secrets Manager to store the credentials.
- D. Store the credentials in a JSON file on Amazon S3 with server-side encryption.

Correct Answer: A
https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-store-advanced-parameters.html

QUESTION 20

- (Exam Topic 1)
A company has an application hosted in an Amazon EC2 instance and wants the application to access secure strings stored in AWS Systems Manager Parameter Store. When the application tries to access the secure string key value, it fails.
Which factors could be the cause of this failure? (Select TWO.)

- A. The EC2 instance role does not have decrypt permissions on the AWS Key Management Service (AWS KMS) key used to encrypt the secret.
- B. The EC2 instance role does not have read permissions to read the parameters in Parameter Store.
- C. Parameter Store does not have permission to use AWS Key Management Service (AWS KMS) to decrypt the parameter.
- D. The EC2 instance role does not have encrypt permissions on the AWS Key Management Service (AWS KMS) key associated with the secret.
- E. The EC2 instance does not have any tags associated.

Correct Answer: CE
