Free AWS-Certified-Security-Specialty Exam Braindumps

Pass your Amazon AWS Certified Security - Specialty exam with these free Questions and Answers

Page 8 of 118
QUESTION 31

- (Exam Topic 3)
You need to create a policy and apply it for just an individual user. How could you accomplish this in the right way?
Please select:

  1. A. Add an AWS managed policy for the user
  2. B. Add a service policy for the user
  3. C. Add an IAM role for the user
  4. D. Add an inline policy for the user

Correct Answer: D
Options A and B are incorrect since you need to add an inline policy just for the user. Option C is invalid because you don't assign an IAM role to a user.
The AWS Documentation mentions the following:
An inline policy is a policy that's embedded in a principal entity (a user, group, or role)—that is, the policy is an inherent part of the principal entity. You can create a policy and embed it in a principal entity, either when you create the principal entity or later.
For more information on IAM access and inline policies, please visit the following URL: https://docs.aws.amazon.com/IAM/latest/UserGuide/access
The correct answer is: Add an inline policy for the user

QUESTION 32

- (Exam Topic 3)
A company is using Amazon Elastic Container Service (Amazon ECS) to deploy an application that deals with sensitive data. During a recent security audit, the company identified a security issue in which Amazon RDS credentials were stored with the application code in the company's source code repository.
A security engineer needs to develop a solution to ensure that database credentials are stored securely and rotated periodically. The credentials should be accessible to the application only. The engineer also needs to prevent database administrators from sharing database credentials as plaintext with other teammates. The solution must also minimize administrative overhead.
Which solution meets these requirements?

  1. A. Use the AWS Systems Manager Parameter Store to generate database credentials.
  2. B. Use an IAM profile for ECS tasks to restrict access to database credentials to specific containers only.
  3. C. Use AWS Secrets Manager to store database credentials.
  4. D. Use an IAM inline policy for ECS tasks to restrict access to database credentials to specific containers only.
  5. E. Use the AWS Systems Manager Parameter Store to store database credentials.
  6. F. Use IAM roles for ECS tasks to restrict access to database credentials to specific containers only.
  7. G. Use AWS Secrets Manager to store database credentials.
  8. H. Use IAM roles for ECS tasks to restrict access to database credentials to specific containers only.

Correct Answer: D

QUESTION 33

- (Exam Topic 3)
You have an EBS volume attached to an EC2 instance which uses KMS for encryption. Someone has now gone ahead and deleted the customer key which was used for the EBS encryption. What should be done to ensure the data can be decrypted?
Please select:

  1. A. Create a new Customer Key using KMS and attach it to the existing volume
  2. B. You cannot decrypt the data that was encrypted under the CMK, and the data is not recoverable.
  3. C. Request AWS Support to recover the key
  4. D. Use AWS Config to recover the key

Correct Answer: B
Deleting a customer master key (CMK) in AWS Key Management Service (AWS KMS) is destructive and potentially dangerous. It deletes the key material and all metadata associated with the CMK, and is irreversible. After a CMK is deleted you can no longer decrypt the data that was encrypted under that CMK, which means that data becomes unrecoverable. You should delete a CMK only when you are sure that you don't need to use it anymore. If you are not sure, consider disabling the CMK instead of deleting it. You can re-enable a disabled CMK if you need to use it again later, but you cannot recover a deleted CMK.
https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
Option A is incorrect because creating a new CMK and attaching it to the existing volume will not allow the data to be decrypted; you cannot attach a customer master key after the volume is encrypted.
Options C and D are invalid because once the key has been deleted, you cannot recover it. For more information on EBS encryption with KMS, please visit the following URL:
https://docs.aws.amazon.com/kms/latest/developerguide/services-ebs.html
The correct answer is: You cannot decrypt the data that was encrypted under the CMK, and the data is not recoverable.

QUESTION 34

- (Exam Topic 2)
An organization has a system in AWS that allows a large number of remote workers to submit data files. File sizes vary from a few kilobytes to several megabytes. A recent audit highlighted a concern that data files are not encrypted while in transit over untrusted networks.
Which solution would remediate the audit finding while minimizing the effort required?

  1. A. Upload an SSL certificate to IAM, and configure Amazon CloudFront with the passphrase for the private key.
  2. B. Call KMS.Encrypt() in the client, passing in the data file contents, and call KMS.Decrypt() server-side.
  3. C. Use AWS Certificate Manager to provision a certificate on an Elastic Load Balancing in front of the web service’s servers.
  4. D. Create a new VPC with an Amazon VPC VPN endpoint, and update the web service’s DNS record.

Correct Answer: C

QUESTION 35

- (Exam Topic 3)
Your company has mandated that all data in AWS be encrypted at rest. How can you achieve this for EBS volumes? Choose 2 answers from the options given below.
Please select:

  1. A. Use Windows BitLocker for EBS volumes on Windows instances
  2. B. Use TrueEncrypt for EBS volumes on Linux instances
  3. C. Use AWS Systems Manager to encrypt the existing EBS volumes
  4. D. Boot EBS volume can be encrypted during launch without using custom AMI

Correct Answer: AB
EBS encryption can only be enabled when the volume is created, not for existing volumes. One can use existing tools for OS-level encryption.
Option C is incorrect.
AWS Systems Manager is a management service that helps you automatically collect software inventory, apply OS patches, create system images, and configure Windows and Linux operating systems.
Option D is incorrect.
You cannot choose to encrypt a non-encrypted boot volume on instance launch. To have encrypted boot volumes during launch, your custom AMI must have its boot volume encrypted before launch.
For more information on the Security Best practices, please visit the following URL: com/whit Security Practices.
The correct answers are: Use Windows BitLocker for EBS volumes on Windows instances. Use TrueEncrypt for EBS volumes on Linux instances.
