Latest [Dec 27, 2021] Real Amazon AWS-Security-Specialty Exam Dumps Questions [Q208-Q226]



AWS-Security-Specialty Dumps To Pass AWS Certified Security Exam in One Day (Updated 530 Questions)


How to book the Amazon AWS-Security-Specialty: AWS Certified Security - Specialty Exam

To register for the Amazon AWS-Security-Specialty: AWS Certified Security - Specialty exam, follow these steps:

  • Step 1: Go to the AWS Certification official site
  • Step 2: Read the instructions carefully
  • Step 3: Follow the given steps
  • Step 4: Register for the AWS-Security-Specialty exam

How to study the Amazon AWS-Security-Specialty: AWS Certified Security - Specialty Exam

A broad range of practice questions for the AWS Certified Security - Specialty certification is available. The certification is not easy: candidates need to prepare attentively, and learning the material takes time. Each practice set includes questions and answers that help candidates pass the final test, and the accompanying guides are intended to remain useful in your career afterwards. The material is prepared with an up-to-date method and the latest details.

The AWS Certified Security - Specialty practice tests are easy to use. In a dynamic field where qualification requires a lot of study, planning and focus, nobody likes to fail, and the effort can be nerve-wracking. Our preparation materials are designed so that you can pass the AWS Certified Security - Specialty exam without that pain.

 

NEW QUESTION 208
In your LAMP application, some developers say they would like access to your logs. However, since you are using an AWS Auto Scaling group, your instances are constantly being re-created. What would you do to make sure that these developers can access these log files? Choose the correct answer from the options below.

  • A. Give only the necessary access to the Apache servers so that the developers can gain access to the log files.
  • B. Set up a central logging server that you can use to archive your logs; archive these logs to an S3 bucket for developer-access.
  • C. Give root access to your Apache servers to the developers.
  • D. Give read-only access to your developers to the Apache servers.

Answer: B

Explanation:
One important security aspect is to never give developers access to the actual servers, so Options A, C and D are wrong from a security perspective.
The best option is to have a central logging server that archives the logs; these logs can then be stored in S3, where the developers are granted read access to the bucket (or a prefix) and nothing else. Because Auto Scaling re-creates instances, any log that stays on an instance is lost with it; shipping logs off the instance is the only way to keep them.
Options A, C and D are all invalid because you should not give the developers access to the Apache servers. For more information on S3, please refer to the below link
https://aws.amazon.com/documentation/s3/
The correct answer is: Set up a central logging server that you can use to archive your logs; archive these logs to an S3 bucket for developer-access.

 

NEW QUESTION 209
A company has decided to migrate sensitive documents from on-premises data centers to Amazon S3. Currently, the hard drives are encrypted to meet a compliance requirement regarding data encryption. The CISO wants to improve security by encrypting each file using a different key instead of a single key. Using a different key would limit the security impact of a single exposed key.
Which of the following requires the LEAST amount of configuration when implementing this approach?

  • A. Use the S3 encryption client to encrypt each file individually using S3-generated data keys
  • B. Place all the files in the same S3 bucket. Use server-side encryption with AWS KMS-managed keys (SSE-KMS) to encrypt the data
  • C. Put all the files in the same S3 bucket. Using S3 events as a trigger, write an AWS Lambda function to encrypt each file as it is added using different AWS KMS data keys.
  • D. Place each file into a different S3 bucket. Set the default encryption of each bucket to use a different AWS KMS customer managed key.

Answer: B

Explanation:
With SSE-KMS, S3 requests a unique data key from KMS for every object it stores and encrypts that object with it; the KMS key itself only wraps the data keys. Setting SSE-KMS as the bucket's default encryption therefore already gives one key per file with no per-file work. Option A also ends up with a data key per object, but the client-side encryption client generates or requests those keys itself (they are not S3-generated) and needs client code on every writer. Option C re-implements what SSE-KMS already does, and option D requires one bucket and one KMS key per file.

 

NEW QUESTION 210
A company's security policy requires that VPC Flow Logs are enabled on all VPCs. A Security Engineer is looking to automate the process of auditing the VPC resources for compliance.
What combination of actions should the Engineer take? (Choose two.)

  • A. Create an AWS Config managed rule with a resource type of AWS::Lambda::Function.
  • B. Create an AWS Config custom rule, and associate it with an AWS Lambda function that contains the evaluating logic.
  • C. Create an AWS Config configuration item for each VPC in the company AWS account.
  • D. Create an Amazon CloudWatch Event rule that triggers on events emitted by AWS Config.
  • E. Create an AWS Lambda function that determines whether Flow Logs are enabled for a given VPC.

Answer: B,E

Explanation:
A custom rule pairs a Lambda function that holds the evaluation logic (E) with the AWS Config rule that invokes it for each VPC (B). Option A names the wrong resource type, configuration items (C) are recorded by AWS Config itself rather than created by hand, and a CloudWatch Events rule (D) reacts to Config findings instead of producing them.
https://medium.com/mudita-misra/how-to-audit-your-aws-resources-for-security-compliance-by-using-custom-a
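The evaluation logic that options B and E describe, as an added example (not code from the original page or from AWS): the Lambda function behind a custom AWS Config rule receives one configuration item per VPC, asks EC2 whether an ACTIVE flow log is attached to that VPC, and reports COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE back to AWS Config. It assumes the rule is scoped to AWS::EC2::VPC and that the function's role may call ec2:DescribeFlowLogs and config:PutEvaluations; the clients are passed in so the logic can run offline against the stub clients and the constructed sample event at the bottom.

```python
import json
from typing import Any, Dict, List

# Added example, not code from the original page. This is the evaluation logic
# a Lambda function behind an AWS Config custom rule would run for each
# AWS::EC2::VPC configuration item. Assumptions: the rule is scoped to VPCs,
# and the function's role may call ec2:DescribeFlowLogs and
# config:PutEvaluations. Clients are passed in so the logic runs offline
# against the stubs at the bottom.


def vpc_has_active_flow_log(ec2, vpc_id: str) -> bool:
    """True if at least one ACTIVE flow log is attached to the VPC itself."""
    resp = ec2.describe_flow_logs(
        Filters=[{"Name": "resource-id", "Values": [vpc_id]}]
    )
    return any(fl.get("FlowLogStatus") == "ACTIVE" for fl in resp.get("FlowLogs", []))


def evaluate(event: Dict[str, Any], ec2, config) -> Dict[str, Any]:
    """Classify one configuration item and report it back to AWS Config."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    if item["resourceType"] != "AWS::EC2::VPC":
        compliance, note = "NOT_APPLICABLE", "rule only evaluates VPCs"
    elif item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        compliance, note = "NOT_APPLICABLE", "VPC no longer exists"
    elif vpc_has_active_flow_log(ec2, item["resourceId"]):
        compliance, note = "COMPLIANT", "an ACTIVE flow log is attached"
    else:
        compliance, note = "NON_COMPLIANT", "no ACTIVE flow log is attached to this VPC"

    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    config.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def lambda_handler(event, context):
    """Real entry point: only here is boto3 needed."""
    import boto3
    return evaluate(event, boto3.client("ec2"), boto3.client("config"))


# ---- offline stubs and constructed sample data ---------------------------

class FakeEC2:
    def __init__(self, vpcs_with_flow_logs: List[str]):
        self.ok = set(vpcs_with_flow_logs)

    def describe_flow_logs(self, Filters):
        vpc_id = Filters[0]["Values"][0]
        logs = [{"FlowLogStatus": "ACTIVE", "ResourceId": vpc_id}] if vpc_id in self.ok else []
        return {"FlowLogs": logs}


class FakeConfig:
    def __init__(self):
        self.received: List[Dict[str, Any]] = []

    def put_evaluations(self, Evaluations, ResultToken):
        self.received.extend(Evaluations)
        return {"FailedEvaluations": []}


def make_event(vpc_id: str, status: str = "OK") -> Dict[str, Any]:
    """Constructed event in the shape AWS Config sends to a custom rule."""
    return {
        "invokingEvent": json.dumps({
            "configurationItem": {
                "resourceType": "AWS::EC2::VPC",
                "resourceId": vpc_id,
                "configurationItemStatus": status,
                "configurationItemCaptureTime": "2021-12-27T00:00:00.000Z",
            },
            "messageType": "ConfigurationItemChangeNotification",
        }),
        "resultToken": "offline-result-token",
    }


def demo() -> List[str]:
    ec2 = FakeEC2(["vpc-0a1b2c3d4e5f60001"])
    config = FakeConfig()
    events = [make_event("vpc-0a1b2c3d4e5f60001"),
              make_event("vpc-0a1b2c3d4e5f60002"),
              make_event("vpc-0a1b2c3d4e5f60003", status="ResourceDeleted")]
    return [evaluate(e, ec2, config)["ComplianceType"] for e in events]


if __name__ == "__main__":
    print(demo())
```

The deleted-resource branch matters in practice: AWS Config still delivers a configuration item for a VPC that was just removed, and reporting NON_COMPLIANT for it would leave a stale finding that nobody can fix.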

 

NEW QUESTION 211
A company requires that SSH commands used to access its AWS instance be traceable to the user who executed each command.
How should a Security Engineer accomplish this?

  • A. Deny inbound access on port 22 at the security group attached to the instance. Use AWS Systems Manager Session Manager for shell access to Amazon EC2 instances with the user tag defined. Enable Amazon CloudWatch logging for Systems Manager sessions.
  • B. Allow inbound access on port 22 at the security group attached to the instance. Use AWS Systems Manager Session Manager for shell access to Amazon EC2 instances with the user tag defined. Enable Amazon CloudWatch logging for Systems Manager sessions.
  • C. Use Amazon S3 to securely store one Privacy Enhanced Mail Certificate (PEM file) for each team or group. Allow Amazon EC2 to read from Amazon S3 and import every user that wants to use SSH to access EC2 instances. Allow inbound access on port 22 at the security group attached to the instance. Install the Amazon CloudWatch agent on the EC2 instance and configure it to ingest audit logs for the instance.
  • D. Use Amazon S3 to securely store one Privacy Enhanced Mail Certificate (PEM file) for each user. Allow Amazon EC2 to read from Amazon S3 and import every user that wants to use SSH to access EC2 instances. Allow inbound access on port 22 at the security group attached to the instance. Install the Amazon CloudWatch agent on the EC2 instance and configure it to ingest audit logs for the instance.

Answer: A

Explanation:
Session Manager attributes every session to the IAM identity that started it (CloudTrail records the StartSession call), and with session logging to CloudWatch Logs the commands run in each session are retained. Closing port 22 (A rather than B) removes the path that bypasses that audit trail. Shared PEM files per team (C) cannot attribute a command to a person at all, and per-user PEM files (D) still attribute commands only to the local OS account while leaving an SSH port that key holders can use outside any AWS audit trail.

 

NEW QUESTION 212
You have a web site that is sitting behind AWS CloudFront. You need to protect the web site against threats such as SQL injection and cross-site scripting attacks. Which of the following services can help in such a scenario?

  • A. AWS Inspector
  • B. AWS Trusted Advisor
  • C. AWS WAF
  • D. AWS Config

Answer: C

Explanation:
The AWS Documentation mentions the following:
AWS WAF is a web application firewall that helps detect and block malicious web requests targeted at your web applications. AWS WAF allows you to create rules that can help protect against common web exploits like SQL injection and cross-site scripting. With AWS WAF you first identify the resource (either an Amazon CloudFront distribution or an Application Load Balancer) that you need to protect.
Option A is invalid because Amazon Inspector scans EC2 instances for vulnerabilities; it does not inspect or block web requests.
Option B is invalid because Trusted Advisor only gives advice on how to improve the security of your AWS account; it does not protect against the threats mentioned in the question.
Option D is invalid because AWS Config records configuration changes; it does not inspect web traffic.
For more information on AWS WAF, please visit the following URL:
https://aws.amazon.com/waf/details/
The correct answer is: AWS WAF

 

NEW QUESTION 213
A large corporation is creating a multi-account strategy and needs to determine how its employees should access the AWS infrastructure.
Which of the following solutions would provide the MOST scalable solution?

  • A. Use a centralized account with IAM roles that employees can assume through federation with their existing identity provider. Use cross-account roles to allow the federated users to assume their target role in the resource accounts.
  • B. Create dedicated IAM users within each AWS account that employees can assume through federation based upon group membership in their existing identity provider.
  • C. Configure the IAM trust policies within each account's role to set up a trust back to the corporation's existing identity provider, allowing users to assume the role based off their SAML token.
  • D. Configure the AWS Security Token Service to use Kerberos tokens so that users can use their existing corporate user names and passwords to access AWS resources directly.

Answer: A

 

NEW QUESTION 214
Your development team has started using AWS resources for development purposes. The AWS account has just been created. Your IT Security team is worried about possible leakage of AWS keys. What is the first measure that should be taken to protect the AWS account?
Please select:

  • A. Delete the AWS keys for the root account
  • B. Restrict access using IAM policies
  • C. Create IAM Groups
  • D. Create IAM Roles

Answer: A

Explanation:
The first measure that should be taken is to delete the access keys for the root user. When you log into your account and open the IAM dashboard, this is the first item shown under the account's security status. IAM policies do not apply to the root user, so a leaked root access key cannot be contained by any policy; the root user should have no access keys at all and should be protected with MFA.
Options B, C and D are wrong because IAM policies, groups and roles do not change the impact of a leaked root access key; those controls come after the root keys have been removed.
For more information on best practices for access keys, please visit the below URL:
https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html
The correct answer is: Delete the AWS keys for the root account
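The check behind this answer in code form, as an added example that is not from the original page: the IAM credential report (`aws iam generate-credential-report` followed by `aws iam get-credential-report`) lists every identity in the account, including the root user as `<root_account>`, with one column per access key. The function below parses that CSV and raises the findings a first-day hardening pass looks for, starting with active root access keys. The report text is constructed sample data; the column names are the real report columns. (`aws iam get-account-summary` gives the same root-key signal as the `AccountAccessKeysPresent` counter.)

```python
import csv
import io
from typing import Dict, List, Tuple

# Added example, not code from the original page. Parses the CSV returned by
# `aws iam get-credential-report` (after `aws iam generate-credential-report`)
# and raises the findings a first-day hardening pass looks for, starting with
# the one the question is about: access keys on the root user. SAMPLE_REPORT
# is constructed data; the column names are the real report columns.

SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2021-12-20T10:00:00+00:00,not_supported,2021-12-27T08:00:00+00:00,not_supported,not_supported,false,true,2021-12-20T10:05:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-12-21T09:00:00+00:00,true,2021-12-26T12:00:00+00:00,2021-12-21T09:00:00+00:00,2022-03-21T09:00:00+00:00,true,true,2021-12-21T09:10:00+00:00,2021-12-26T12:30:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-bot,arn:aws:iam::123456789012:user/ci-bot,2021-12-22T09:00:00+00:00,false,no_information,N/A,N/A,false,true,2021-12-22T09:00:00+00:00,N/A,N/A,N/A,true,2021-12-22T09:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
"""

Finding = Tuple[str, str, str]  # (severity, user, message)


def parse_report(text: str) -> List[Dict[str, str]]:
    """One dict per identity, keyed by the report's column names."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(rows: List[Dict[str, str]]) -> List[Finding]:
    findings: List[Finding] = []
    for r in rows:
        active = [n for n in ("1", "2") if r[f"access_key_{n}_active"] == "true"]
        if r["user"] == "<root_account>":
            # The root user is outside IAM policy control: no keys, MFA on.
            if active:
                findings.append(("CRITICAL", r["user"], "root user has active access keys; delete them"))
            if r["mfa_active"] != "true":
                findings.append(("HIGH", r["user"], "root user has no MFA device"))
            continue
        if r["password_enabled"] == "true" and r["mfa_active"] != "true":
            findings.append(("HIGH", r["user"], "console password without MFA"))
        if len(active) == 2:
            findings.append(("MEDIUM", r["user"], "two active access keys; finish the rotation"))
        for n in active:
            if r[f"access_key_{n}_last_used_date"] == "N/A":
                findings.append(("LOW", r["user"], f"access key {n} is active but has never been used"))
    return findings


def root_has_access_keys(rows: List[Dict[str, str]]) -> bool:
    return any(sev == "CRITICAL" for sev, _, _ in audit(rows))


if __name__ == "__main__":
    for sev, user, msg in audit(parse_report(SAMPLE_REPORT)):
        print(f"{sev:8} {user:16} {msg}")
```

Running the same function on a real report is a matter of piping `aws iam get-credential-report --query Content --output text | base64 -d` into `parse_report`; the report is regenerated at most every four hours, so a key deleted a minute ago may still appear until the next generation.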

 

NEW QUESTION 215
You have a set of keys defined using the AWS KMS service. You want to stop using a couple of the keys, but are not sure which services are currently using them. Which of the following would be a safe option to stop the keys from being used further?
Please select:

  • A. Change the key material for the key
  • B. Set an alias for the key
  • C. Delete the keys since anyway there is a 7 day waiting period before deletion
  • D. Disable the keys

Answer: D

Explanation:
Option C is invalid because once you schedule the deletion and the waiting period ends, you cannot come back from the deletion process.
Options A and B are invalid because changing the key material or adding an alias neither stops the key from being used nor tells you whether anything is still using it.
Disabling the keys is reversible and also surfaces any remaining consumers: a request to use a disabled key fails with a DisabledException, and the failed call is still recorded in CloudTrail, which identifies the caller.
The AWS Documentation mentions the following:
Deleting a customer master key (CMK) in AWS Key Management Service (AWS KMS) is destructive and potentially dangerous. It deletes the key material and all metadata associated with the CMK, and is irreversible. After a CMK is deleted you can no longer decrypt the data that was encrypted under that CMK, which means that data becomes unrecoverable. You should delete a CMK only when you are sure that you don't need to use it anymore. If you are not sure, consider disabling the CMK instead of deleting it. You can re-enable a disabled CMK if you need to use it again later, but you cannot recover a deleted CMK.
For more information on deleting keys from KMS, please visit the below URL:
https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
The correct answer is: Disable the keys
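The "disable first, delete later" procedure as a small workflow, added here as an example (not code from the original page or from AWS). Each run advances one key by one step: an enabled key is disabled; a disabled key is checked against CloudTrail for any attempt to use it during the quiet period (calls against a disabled key fail, but the failures are still logged and name the caller); only a key with no attempts gets scheduled for deletion, with the longest waiting period. The KMS and CloudTrail clients are assumed to be boto3-style clients and are passed in, so the fakes and the constructed events at the bottom let it run offline.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Added example, not code from the original page. A retirement workflow for a
# KMS key whose consumers are unknown: disable it, wait a quiet period while
# watching CloudTrail for any attempt to use it (calls against a disabled key
# fail with DisabledException but are still logged), and only then schedule
# deletion with the longest waiting period. kms and cloudtrail are boto3-style
# clients passed in; the fakes below stand in for them offline.

USAGE_EVENTS = {"Encrypt", "Decrypt", "ReEncrypt", "GenerateDataKey",
                "GenerateDataKeyWithoutPlaintext", "GenerateDataKeyPair"}


def usage_since(cloudtrail, key_arn: str, since: datetime) -> List[str]:
    """Names of data-plane calls made against key_arn since `since`."""
    resp = cloudtrail.lookup_events(
        LookupAttributes=[{"AttributeKey": "ResourceName", "AttributeValue": key_arn}],
        StartTime=since,
    )
    return [e["EventName"] for e in resp.get("Events", []) if e["EventName"] in USAGE_EVENTS]


def retire_key(kms, cloudtrail, key_id: str, now: datetime,
               quiet_days: int = 30, pending_days: int = 30) -> str:
    """One step of the workflow; returns the action taken this run."""
    meta = kms.describe_key(KeyId=key_id)["KeyMetadata"]
    state = meta["KeyState"]
    if state == "Enabled":
        kms.disable_key(KeyId=key_id)          # reversible; revisit after quiet_days
        return "disabled"
    if state != "Disabled":
        return f"skipped ({state})"
    attempts = usage_since(cloudtrail, meta["Arn"], now - timedelta(days=quiet_days))
    if attempts:
        return f"still-in-use ({len(attempts)} attempts)"   # re-enable and find the caller
    kms.schedule_key_deletion(KeyId=key_id, PendingWindowInDays=pending_days)
    return "deletion-scheduled"


# ---- offline stubs and constructed sample data ---------------------------

class FakeKMS:
    def __init__(self, keys: Dict[str, Tuple[str, str]]):
        self.keys = {k: {"Arn": arn, "KeyState": state} for k, (arn, state) in keys.items()}

    def describe_key(self, KeyId):
        return {"KeyMetadata": {"KeyId": KeyId, **self.keys[KeyId]}}

    def disable_key(self, KeyId):
        self.keys[KeyId]["KeyState"] = "Disabled"

    def schedule_key_deletion(self, KeyId, PendingWindowInDays):
        self.keys[KeyId]["KeyState"] = "PendingDeletion"
        return {"KeyId": KeyId, "PendingWindowInDays": PendingWindowInDays}


class FakeCloudTrail:
    def __init__(self, events: List[Tuple[datetime, str, str]]):
        self.events = events  # (time, event name, key ARN)

    def lookup_events(self, LookupAttributes, StartTime):
        arn = LookupAttributes[0]["AttributeValue"]
        return {"Events": [{"EventTime": t, "EventName": n}
                           for t, n, r in self.events if r == arn and t >= StartTime]}


NOW = datetime(2021, 12, 27, tzinfo=timezone.utc)
ARN = "arn:aws:kms:us-east-1:123456789012:key/"


def demo() -> Dict[str, str]:
    kms = FakeKMS({
        "key-a": (ARN + "aaaaaaaa-0000-0000-0000-000000000001", "Enabled"),
        "key-b": (ARN + "aaaaaaaa-0000-0000-0000-000000000002", "Disabled"),
        "key-c": (ARN + "aaaaaaaa-0000-0000-0000-000000000003", "Disabled"),
    })
    trail = FakeCloudTrail([
        (NOW - timedelta(days=2), "Decrypt", kms.keys["key-b"]["Arn"]),   # a forgotten consumer
        (NOW - timedelta(days=60), "Decrypt", kms.keys["key-c"]["Arn"]),  # outside the quiet window
    ])
    return {k: retire_key(kms, trail, k, NOW) for k in ("key-a", "key-b", "key-c")}
```

CloudTrail's LookupEvents only reaches back 90 days and only covers the region it is called in, so for keys used from several regions the lookup has to be repeated per region (or run against a CloudTrail Lake or Athena table over the organization trail).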

 

NEW QUESTION 216
A Systems Engineer is troubleshooting the connectivity of a test environment that includes a virtual security appliance deployed inline. In addition to using the virtual security appliance, the Development team wants to use security groups and network ACLs to accomplish various security requirements in the environment.
What configuration is necessary to allow the virtual security appliance to route the traffic?

  • A. Configure the security appliance's elastic network interface for promiscuous mode.
  • B. Place the security appliance in the public subnet with the internet gateway
  • C. Disable the Network Source/Destination check on the security appliance's elastic network interface
  • D. Disable network ACLs.

Answer: C

Explanation:
Every EC2 network interface performs source/destination checking by default and drops any packet that the instance neither originated nor is the destination of. An inline appliance that forwards traffic on behalf of other hosts must have that check disabled on its ENI. Promiscuous mode (A) is not supported on ENIs; placing the appliance in a public subnet (B) does not make it forward traffic; and disabling network ACLs (D) is not required and removes a control the team wants to keep.

 

NEW QUESTION 217
A Security Engineer must design a solution that enables the Incident Response team to audit for changes to a user's IAM permissions in the case of a security incident.
How can this be accomplished?

  • A. Use Amazon EC2 Systems Manager to deploy images, and review AWS CloudTrail logs for changes.
  • B. Run the GenerateCredentialReport via the AWS CLI, and copy the output to Amazon S3 daily for auditing purposes.
  • C. Use AWS Config to review the IAM policy assigned to users before and after the incident.
  • D. Copy AWS CloudFormation templates to S3, and audit for changes from the template.

Answer: C

Explanation:
AWS Config records each IAM user, group, role and policy as a configuration item, so its timeline shows what a user's permissions were before and after the incident. CloudTrail (A) shows the API calls that changed permissions but not the resulting state, the credential report (B) covers credentials rather than permissions, and CloudFormation templates (D) only reflect what was deployed through CloudFormation.
https://aws.amazon.com/blogs/security/how-to-record-and-govern-your-iam-resource-configurations-using-aws-c

 

NEW QUESTION 218
A company has two teams, and each team needs to access its respective Amazon S3 buckets. The company anticipates adding more teams that also will have their own S3 buckets. When the company adds these teams, team members will need the ability to be assigned to multiple teams. Team members also will need the ability to change teams. Additional S3 buckets can be created or deleted.
An IAM administrator must design a solution to accomplish these goals. The solution also must be scalable and must require the least possible operational overhead.
Which solution meets these requirements?

  • A. Implement a role-based access control (RBAC) authorization model. Create the corresponding policies, and attach them to the IAM users.
  • B. Create IAM roles that are labeled with an access tag value of a team. Create one policy that allows dynamic access to S3 buckets with the same tag. Attach the policy to the IAM roles. Tag the S3 buckets accordingly.
  • C. Create an IAM role for each team. Create a policy for each team that allows the team to access its respective S3 buckets only. Attach the policy to the corresponding role.
  • D. Add users to groups that represent the teams. Create a policy for each team that allows the team to access its respective S3 buckets only. Attach the policy to the corresponding group.

Answer: D

 

NEW QUESTION 219
The Information Technology department has stopped using Classic Load Balancers and switched to Application Load Balancers to save costs. After the switch, some users on older devices are no longer able to connect to the website.
What is causing this situation?

  • A. The cipher suites on the Application Load Balancers are blocking connections.
  • B. The Perfect Forward Secrecy settings are not configured correctly.
  • C. Application Load Balancers do not support older web browsers.
  • D. The intermediate certificate is installed within the Application Load Balancer.

Answer: A

Explanation:
An Application Load Balancer uses a predefined TLS security policy that fixes the supported protocol versions and cipher suites; those policies drop the older protocols and ciphers that some legacy clients still require, so such clients fail to negotiate TLS. Perfect Forward Secrecy (B) is not a separate setting but a property of the ECDHE cipher suites in the chosen policy, browsers are not something the load balancer checks (C), and the certificate chain (D) is supplied through ACM or IAM for both load balancer types.

 

NEW QUESTION 220
An organization receives an alert that indicates that an EC2 instance behind an ELB Classic Load Balancer has been compromised.
What techniques will limit lateral movement and allow evidence gathering?

  • A. Remove the instance from the load balancer and terminate it.
  • B. Reboot the instance and check for any Amazon CloudWatch alarms.
  • C. Stop the instance and make a snapshot of the root EBS volume.
  • D. Remove the instance from the load balancer, and shut down access to the instance by tightening the security group.

Answer: D

Explanation:
Removing the instance from the load balancer stops it from serving traffic, and tightening its security group (to a forensics group that admits only the responders' access) stops it from reaching other hosts, while the instance keeps running so memory and disk evidence can still be collected. Terminating the instance (A) destroys the evidence, a reboot (B) loses volatile state and contains nothing, and stopping it (C) also loses the running state without isolating the instance on the network.
https://d1.awsstatic.com/whitepapers/aws_security_incident_response.pdf
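The containment steps from option D carried through as a runbook function, added here as an example (not code from the original page or from the AWS whitepaper): deregister the instance from the Classic Load Balancer, swap its security groups for an isolation group, protect it from termination, tag it for the case, then snapshot its EBS volumes for forensics. The instance is neither stopped nor rebooted, so memory and running processes stay available. It assumes an isolation security group (`ISOLATION_SG`, a hypothetical id) already exists with no rules; the ELB and EC2 clients are passed in, and the fakes at the bottom are constructed so the function runs offline.

```python
from typing import Any, Dict, List

# Added example, not code from the original page. Containment for a compromised
# instance behind a Classic Load Balancer, in the order an incident responder
# would run it: take it out of service, replace its security groups with an
# isolation group that has no rules, protect it from termination, tag it for
# the case, then snapshot its EBS volumes for forensics. The instance is neither
# stopped nor rebooted so memory and running processes remain available.
# ISOLATION_SG is assumed to exist already; clients are injected so the
# function runs offline against the fakes below.

ISOLATION_SG = "sg-0isolation0000000"  # assumed: a security group with zero rules


def isolate_instance(elb, ec2, instance_id: str, lb_name: str, case_id: str) -> Dict[str, Any]:
    elb.deregister_instances_from_load_balancer(
        LoadBalancerName=lb_name, Instances=[{"InstanceId": instance_id}])
    # Swaps the groups on the primary ENI; instances with extra ENIs need
    # modify_network_interface_attribute for each one. Existing tracked flows
    # may survive a rule removal until they time out; a subnet NACL deny
    # cuts them immediately if that matters for the case.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[ISOLATION_SG])
    ec2.modify_instance_attribute(InstanceId=instance_id,
                                  DisableApiTermination={"Value": True})
    ec2.create_tags(Resources=[instance_id], Tags=[
        {"Key": "IR-Case", "Value": case_id},
        {"Key": "IR-Status", "Value": "isolated"},
    ])
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    snapshots: List[str] = []
    for mapping in inst["BlockDeviceMappings"]:
        volume = mapping["Ebs"]["VolumeId"]
        snap = ec2.create_snapshot(
            VolumeId=volume,
            Description=f"{case_id} {instance_id} {mapping['DeviceName']}")
        snapshots.append(snap["SnapshotId"])
    return {"instance": instance_id, "groups": [ISOLATION_SG], "snapshots": snapshots}


# ---- offline stubs (constructed) ------------------------------------------

class FakeELB:
    def __init__(self):
        self.members = {"prod-web": ["i-0aaaa1111bbbb2222", "i-0cccc3333dddd4444"]}

    def deregister_instances_from_load_balancer(self, LoadBalancerName, Instances):
        gone = {i["InstanceId"] for i in Instances}
        self.members[LoadBalancerName] = [m for m in self.members[LoadBalancerName] if m not in gone]
        return {"Instances": [{"InstanceId": m} for m in self.members[LoadBalancerName]]}


class FakeEC2:
    def __init__(self):
        self.instances = {"i-0aaaa1111bbbb2222": {
            "Groups": ["sg-0web"], "DisableApiTermination": False, "Tags": [],
            "BlockDeviceMappings": [
                {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0root"}},
                {"DeviceName": "/dev/xvdb", "Ebs": {"VolumeId": "vol-0data"}},
            ]}}
        self.snapshots: List[Dict[str, str]] = []

    def modify_instance_attribute(self, InstanceId, **attrs):
        inst = self.instances[InstanceId]
        if "Groups" in attrs:
            inst["Groups"] = list(attrs["Groups"])
        if "DisableApiTermination" in attrs:
            inst["DisableApiTermination"] = attrs["DisableApiTermination"]["Value"]

    def create_tags(self, Resources, Tags):
        for r in Resources:
            self.instances[r]["Tags"].extend(Tags)

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [
            {"InstanceId": i, **self.instances[i]} for i in InstanceIds]}]}

    def create_snapshot(self, VolumeId, Description):
        sid = f"snap-{len(self.snapshots):017x}"
        self.snapshots.append({"SnapshotId": sid, "VolumeId": VolumeId, "Description": Description})
        return {"SnapshotId": sid}


def demo():
    elb, ec2 = FakeELB(), FakeEC2()
    result = isolate_instance(elb, ec2, "i-0aaaa1111bbbb2222", "prod-web", "IR-2021-1227-01")
    return result, elb, ec2
```

The order is deliberate: snapshots are taken after the network cut so the attacker cannot alter the disk while the copy is in progress, and termination protection goes on before anyone else on the team reacts to the alert by deleting the instance.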

 

NEW QUESTION 221
Your company has an EC2 instance that is hosted in an AWS VPC. There is a requirement to ensure that log files from the EC2 instance are stored accordingly. Access to the destination of the log files should also be limited. How can this be accomplished? Choose 2 answers from the options given below. Each answer forms part of the solution.

  • A. Stream the log files to a separate Cloudtrail trail
  • B. Create an IAM policy that gives the desired level of access to the CloudTrail trail
  • C. Create an IAM policy that gives the desired level of access to the CloudWatch Log group
  • D. Stream the log files to a separate Cloudwatch Log group

Answer: C,D

Explanation:
You can create a log group and send all logs from the EC2 instance to that group (the CloudWatch agent on the instance streams them). You can then limit access to the log group via an IAM policy whose resource is that log group's ARN.
Options A and B are invalid because CloudTrail records API activity; it is not a destination for application or system log files from an instance.
For more information on Log Groups and Log Streams, please visit the following URL:
* https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Workinj
For more information on access to CloudWatch Logs, please visit the following URL:
* https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/auth-and-access-control-cwl.html
The correct answers are: Stream the log files to a separate CloudWatch Log group. Create an IAM policy that gives the desired level of access to the CloudWatch Log group

 

NEW QUESTION 222
A company hosts a critical web application on the AWS Cloud. This is a key revenue-generating application for the company. The IT Security team is worried about potential DDoS attacks against the web site. Senior management has also specified that immediate action needs to be taken in case of a potential DDoS attack. What should be done in this regard?
Please select:

  • A. Consider using Cloudwatch logs to monitor traffic for DDos attack and quickly take actions on a trigger of a potential attack.
  • B. Consider using VPC Flow logs to monitor traffic for DDos attack and quickly take actions on a trigger of a potential attack.
  • C. Consider using the AWS Shield Advanced Service
  • D. Consider using the AWS Shield Service

Answer: C

Explanation:
Option D is invalid because AWS Shield Standard, which every account gets automatically, provides no response team and no customer-specific mitigation controls; immediate action against a DDoS attack is what AWS Shield Advanced adds.
Option A is invalid because CloudWatch Logs is a logging service; it cannot by itself protect against DDoS attacks.
Option B is invalid because VPC Flow Logs record VPC traffic metadata; they cannot specifically protect against DDoS attacks.
The AWS Documentation mentions the following:
AWS Shield Advanced provides enhanced protections for your applications running on Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront and Route 53 against larger and more sophisticated attacks. AWS Shield Advanced is available to AWS Business Support and AWS Enterprise Support customers. AWS Shield Advanced protection provides always-on, flow-based monitoring of network traffic and active application monitoring to provide near real-time notifications of DDoS attacks. AWS Shield Advanced also gives customers highly flexible controls over attack mitigations to take actions instantly. Customers can also engage the DDoS Response Team (DRT) 24x7 to manage and mitigate their application layer DDoS attacks.
For more information on AWS Shield, please visit the below URL:
https://aws.amazon.com/shield/faqs/
The correct answer is: Consider using the AWS Shield Advanced Service

 

NEW QUESTION 223
A large corporation is creating a multi-account strategy and needs to determine how its employees should access the AWS Infrastructure.
Which of the following solutions would provide the MOST scalable solution?

  • A. Create dedicated IAM users within each AWS account that employees can assume though federation based upon group membership in their existing identity provider.
  • B. Use a centralized account with IAM roles that employees can assume through federation with their existing identity provider. Use cross-account roles to allow the federated users to assume their target role in the resource accounts.
  • C. Configure the AWS Security Token Service to use Kerberos tokens so that users can use their existing corporate user names and passwords to access AWS resources directly.
  • D. Configure the IAM trust policies within each account's role to set up a trust back to the corporation's existing identity provider, allowing users to assume the role based off their SAML token.

Answer: B

Explanation:
This is the same question as Question 213 with the options in a different order; the scalable design is the centralized identity account with federation plus cross-account roles. Option A is impossible, because IAM users cannot be assumed. Option C describes a feature that does not exist: AWS STS does not accept Kerberos tokens. Option D works, but every account then has to maintain its own identity-provider trust, which does not scale.

 

NEW QUESTION 224
An organization has three applications running on AWS, each accessing the same data on Amazon S3. The data on Amazon S3 is server-side encrypted by using an AWS KMS Customer Master Key (CMK).
What is the recommended method to ensure that each application has its own programmatic access control permissions on the KMS CMK?

  • A. Change the key policy permissions associated with the KMS CMK for each application when it must access the data in Amazon S3.
  • B. Have each application use an IAM policy in a user context to have specific access permissions on the KMS CMK.
  • C. Have each application use a grant on the KMS CMK to add or remove specific access controls on the KMS CMK.
  • D. Have each application assume an IAM role that provides permissions to use the AWS Certificate Manager CMK.

Answer: C

Explanation:
Grants are the KMS mechanism for giving a specific principal a specific set of operations on a key programmatically; they can be created and retired as each application comes and goes without editing the key policy (A) every time. IAM policies (B) take effect only if the key policy delegates to IAM, and attaching them in a user context is the wrong principal type for an application. Option D refers to an AWS Certificate Manager CMK, which does not exist.

 

NEW QUESTION 225
You have private video content in S3 that you want to serve to subscribed users on the Internet. User IDs, credentials, and subscriptions are stored in an Amazon RDS database. Which configuration will allow you to securely serve private content to your users?
Please select:

  • A. Generate pre-signed URLs for each user as they request access to protected S3 content
  • B. Create an IAM user for each subscribed user and assign the GetObject permission to each IAM user
  • C. Create an S3 bucket policy that limits access to your private content to only your subscribed users' credentials
  • D. Create a CloudFront Origin Access Identity user for your subscribed users and assign the GetObject permission to this user

Answer: A

Explanation:
All objects and buckets are private by default. A pre-signed URL lets a user fetch (or upload) a specific object without holding AWS security credentials or permissions. When you create a pre-signed URL, you provide your own security credentials and specify a bucket name, an object key, an HTTP method (GET for serving content, PUT for uploading) and an expiration; the URL carries a signature over those values and is valid only for the specified duration. Here the application checks the subscription in RDS and then issues a short-lived GET URL for the requested video.
Option B is invalid because creating an IAM user per subscriber does not scale and hands AWS credentials to end users.
Option C is invalid because subscribers stored in RDS are not AWS principals, so a bucket policy cannot refer to them.
Option D is invalid because an origin access identity restricts CloudFront's access to the origin; it does not identify end users.
For more information on pre-signed URLs, please refer to the link:
https://docs.aws.amazon.com/AmazonS3/latest/dev/PresignedUrlUploadObject.html
The correct answer is: Generate pre-signed URLs for each user as they request access to protected S3 content
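What a pre-signed GET URL actually contains, as an added example that is not code from the original page or from AWS: the SigV4 query-string scheme built by hand with the standard library, so the parts the explanation relies on are visible. The URL carries the signer's key id, an issue date and an expiry, and the signature binds all of them together with the bucket, key and host, which is why a subscriber can fetch one object for a limited time without holding any AWS credential. In production `boto3`'s `generate_presigned_url` produces the same thing; the version here exists so the expiry and key binding can be checked offline. The key id and secret in `demo()` are the well-known example values from the AWS documentation, not real credentials, and the object name is constructed.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from typing import Dict
from urllib.parse import quote

# Added example, not code from the original page. Builds an S3 presigned GET
# URL by hand with the SigV4 query-string scheme. In production boto3's
# generate_presigned_url does this; the stdlib version exists so the expiry
# and key binding can be checked offline. The key id and secret in demo() are
# the AWS documentation's example values, not real credentials.


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """SigV4 key derivation: HMAC chain over date, region, service, terminator."""
    k = _hmac(("AWS4" + secret).encode(), date)
    for part in (region, service, "aws4_request"):
        k = _hmac(k, part)
    return k


def presign_get(access_key: str, secret: str, bucket: str, key: str,
                region: str, expires: int, now: datetime) -> str:
    """Presigned GET URL for s3://bucket/key, valid `expires` seconds from `now`."""
    host = f"{bucket}.s3.{region}.amazonaws.com"   # assumed: virtual-hosted regional endpoint
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    scope = f"{date}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    # SigV4: parameters sorted by name, every value URI-encoded (including '/')
    query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                     for k, v in sorted(params.items()))
    uri = quote("/" + key, safe="/-_.~")
    canonical_request = "\n".join([
        "GET", uri, query,
        f"host:{host}\n",          # canonical headers block ends with a blank line
        "host",                    # signed headers
        "UNSIGNED-PAYLOAD",        # presigned URLs never sign the body
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    signature = hmac.new(_signing_key(secret, date, region, "s3"),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{uri}?{query}&X-Amz-Signature={signature}"


def query_params(url: str) -> Dict[str, str]:
    return dict(p.split("=", 1) for p in url.split("?", 1)[1].split("&"))


def url_expired(url: str, now: datetime) -> bool:
    """The check S3 applies: issue time plus X-Amz-Expires must still lie ahead."""
    q = query_params(url)
    issued = datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    return now >= issued + timedelta(seconds=int(q["X-Amz-Expires"]))


ISSUED = datetime(2021, 12, 27, 12, 0, tzinfo=timezone.utc)


def expired_at(url: str, seconds_after_issue: int) -> bool:
    return url_expired(url, ISSUED + timedelta(seconds=seconds_after_issue))


def demo() -> str:
    # AWS documentation example credentials (not real); constructed object name.
    return presign_get("AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                       "examplebucket", "videos/episode-01.mp4", "us-east-1",
                       expires=900, now=ISSUED)
```

Two properties follow directly from the construction and are worth remembering when issuing these URLs: the expiry is part of the signed material, so a subscriber cannot extend it by editing the query string, and the URL is only as good as the credentials that signed it, so sign with a dedicated role that has `s3:GetObject` on the content prefix and nothing else, and keep `X-Amz-Expires` short (a few minutes for a video player is usually enough).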

 

NEW QUESTION 226
......
