Free AWS-Certified-Security-Specialty Exam Braindumps

Pass your Amazon AWS Certified Security - Specialty exam with these free Questions and Answers

Page 6 of 118
QUESTION 21

- (Exam Topic 1)
A company has an encrypted Amazon S3 bucket. An Application Developer has an IAM policy that allows access to the S3 bucket, but the Application Developer is unable to access objects within the bucket.
What is a possible cause of the issue?

  A. The S3 ACL for the S3 bucket fails to explicitly grant access to the Application Developer
  B. The AWS KMS key for the S3 bucket fails to list the Application Developer as an administrator
  C. The S3 bucket policy fails to explicitly grant access to the Application Developer
  D. The S3 bucket policy explicitly denies access to the Application Developer

Correct Answer: C

QUESTION 22

- (Exam Topic 3)
A security engineer needs to create an AWS Key Management Service (AWS KMS) key for server-side encryption. Usage of the key must be limited to requests coming from Amazon S3 within the company's account.
Which statement in the KMS key policy will meet these requirements?
A) (policy statement shown as an image exhibit; not reproduced here)
B) (policy statement shown as an image exhibit; not reproduced here)
C) (policy statement shown as an image exhibit; not reproduced here)

  A. Option A
  B. Option B
  C. Option C

Correct Answer: C

QUESTION 23

- (Exam Topic 2)
Some highly sensitive analytics workloads are to be moved to Amazon EC2 hosts. Threat modeling has found that a risk exists where a subnet could be maliciously or accidentally exposed to the internet.
Which of the following mitigations should be recommended?

  A. Use AWS Config to detect whether an Internet Gateway is added and use an AWS Lambda function to provide auto-remediation.
  B. Within the Amazon VPC configuration, mark the VPC as private and disable Elastic IP addresses.
  C. Use IPv6 addressing exclusively on the EC2 hosts, as this prevents the hosts from being accessed from the internet.
  D. Move the workload to a Dedicated Host, as this provides additional network security controls and monitoring.

Correct Answer: A
By default, an instance in a private subnet has a private IP address but no public IP address. Such instances can communicate with each other but cannot reach the Internet. You can enable Internet access for an instance launched into a nondefault subnet by attaching an Internet gateway to its VPC (if the VPC is not a default VPC) and associating an Elastic IP address with the instance. Alternatively, to allow an instance in your VPC to initiate outbound connections to the Internet while preventing unsolicited inbound connections from the Internet, you can use a network address translation (NAT) instance. NAT maps multiple private IP addresses to a single public IP address. A NAT instance has an Elastic IP address and is connected to the Internet through an Internet gateway. You can connect an instance in a private subnet to the Internet through the NAT instance, which routes traffic from the instance to the Internet gateway and routes any responses back to the instance. Because attaching an Internet gateway is the step that exposes a subnet, detecting that change with AWS Config and remediating it automatically with a Lambda function (option A) addresses the identified risk.

QUESTION 24

- (Exam Topic 2)
A company wants to have an Intrusion detection system available for their VPC in AWS. They want to have complete control over the system. Which of the following would be ideal to implement?
Please select:

  A. Use AWS WAF to catch all intrusions occurring on the systems in the VPC
  B. Use a custom solution available in the AWS Marketplace
  C. Use VPC Flow logs to detect the issues and flag them accordingly.
  D. Use AWS Cloudwatch to monitor all traffic

Correct Answer: B
Sometimes companies want to have custom solutions in place for monitoring intrusions to their systems. In such a case, you can use the AWS Marketplace to find custom solutions.
Options A, C and D are all invalid because they cannot be used to conduct intrusion detection or prevention. For more information on using custom security solutions, please visit the URL below: https://d1.awsstatic.com/Marketplace/security/AWSMP_Security_Solution_Overview.pdf
The correct answer is: Use a custom solution available in the AWS Marketplace

QUESTION 25

- (Exam Topic 3)
A company is implementing a new application in a new AWS account. A VPC and subnets have been created for the application. The application has been peered to an existing VPC in another account in the same AWS Region for database access. Amazon EC2 instances will regularly be created and terminated in the application VPC, but only some of them will need access to the databases in the peered VPC over TCP port 1521. A security engineer must ensure that only the EC2 instances that need access to the databases can access them through the network.
How can the security engineer implement this solution?

  A. Create a new security group in the database VPC and create an inbound rule that allows all traffic from the IP address range of the application VPC. Add a new network ACL rule on the database subnet. Configure the rule to allow TCP port 1521 from the IP address range of the application VPC. Attach the new security group to the database instances that the application instances need to access.
  B. Create a new security group in the application VPC with an inbound rule that allows the IP address range of the database VPC over TCP port 1521. Create a new security group in the database VPC with an inbound rule that allows the IP address range of the application VPC over port 1521. Attach the new security group to the database instances and the application instances that need database access.
  C. Create a new security group in the application VPC with no inbound rule. Create a new security group in the database VPC with an inbound rule that allows TCP port 1521 from the new application security group in the application VPC. Attach the application security group to the application instances that need database access, and attach the database security group to the database instances.
  D. Create a new security group in the application VPC with an inbound rule that allows the IP address range of the database VPC over TCP port 1521. Add a new network ACL rule on the database subnet. Configure the rule to allow all traffic from the IP address range of the application VPC. Attach the new security group to the application instances that need database access.

Correct Answer: C
