Latest Amazon AWS-Security-Specialty Actual Free Exam Questions & Community Discussion, Page 3

Question #23

A company usesAWS Organizations to run workloads in multiple AWS accounts Currently the individual team members at the company access all Amazon EC2 instances remotely by using SSH or Remote Desktop Protocol (RDP) The company does not have any audit trails and security groups are occasionally open The company must secure access management and implement a centralized togging solution Which solution will meet these requirements MOST securely?

A. Replace SSH and RDP with AWS Systems Manager Session Manager Install Systems Manager Agent (SSM Agent) on the instances Attach the

B. Install a bastion host in the management account Reconfigure all SSH and RDP to allow access only from the bastion host Install AWS Systems Manager Agent (SSM Agent) on the bastion host Attach the AmazonSSMManagedlnstanceCore role to the bastion host Configure session data streaming to Amazon CloudWatch Logs in a separate logging account to audit log data

C. Configure trusted access for AWS System Manager in Organizations Configure a bastion host from the management account Replace SSH and RDP by using Systems Manager Session Manager from the management account Configure Session Manager logging to Amazon CloudWatch Logs

D. Replace SSH and RDP with AWS Systems Manager State Manager Install Systems Manager Agent (SSM Agent) on the instances Attach the

E. AmazonSSMManagedlnstanceCore role to the instances Configure session data streaming to Amazon CloudWatch Logs Create a separate logging account that has appropriate cross-account permissions to audit the log data

Discussion 0

Correct Answer: E Vote an answer

Explanation: Only visible for EduDump members. You can sign-up / login (it's free).

Question #24

A security engineer needs to see up an Amazon CloudFront distribution for an Amazon S3 bucket that hosts a static website. The security engineer must allow only specified IP addresses to access the website. The security engineer also must prevent users from accessing the website directly by using S3 URLs.
Which solution will meet these requirements?

A. Implement security groups to allow only the specified IP addresses access and to restrict S3 bucket access by using the CloudFront distribution.

B. Create a CloudFront origin access identity (OAl). Create the S3 bucket policy so that only the OAl has access. Create an AWS WAF web ACL and add an IP set rule. Associate the web ACL with the CloudFront distribution.

C. Generate an S3 bucket policy. Specify cloudfront amazonaws com as the principal. Use the aws Sourcelp condition key to allow access only if the request conies from the specified IP addresses.

D. Create an S3 bucket access point to allow access from only the CloudFront distribution. Create an AWS WAF web ACL and add an IP set rule. Associate the web ACL with the CloudFront distribution.

Discussion 0

Correct Answer: B Vote an answer

Question #25

While securing the connection between a company's VPC and its on-premises data center, a Security Engineer sent a ping command from an on-premises host (IP address 203.0.113.12) to an Amazon EC2 instance (IP address 172.31.16.139). The ping command did not return a response. The flow log in the VPC showed the following:
2 123456789010 eni-1235b8ca 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK
2 123456789010 eni-1235b8ca 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK What action should be performed to allow the ping to work?

A. In the security group of the EC2 instance, allow outbound ICMP traffic.

B. In the VPC's NACL, allow inbound ICMP traffic.

C. In the VPC's NACL, allow outbound ICMP traffic.

D. In the security group of the EC2 instance, allow inbound ICMP traffic.

Discussion 0

Correct Answer: C Vote an answer

Question #26

A security engineer is auditing a production system and discovers several additional IAM roles that are not required and were not previously documented during the last audit 90 days ago. The engineer is trying to find out who created these IAM roles and when they were created. The solution must have the lowest operational overhead.
Which solution will meet this requirement?

A. Create a table in Amazon Athena for IAM CloudTrail events. Query the table in Amazon Athena for CreateRole events.

B. Import IAM CloudTrail logs from Amazon S3 into an Amazon Elasticsearch Service cluster, and search through the combined logs for CreateRole events.

C. Download the credentials report from the IAM console to view the details for each IAM entity, including the creation dates.

D. Use IAM Config to look up the configuration timeline for the additional IAM roles and view the linked IAM CloudTrail event.

Discussion 0

Correct Answer: B Vote an answer

Question #27

Users report intermittent availability of a web application hosted on IAM. Monitoring systems report an excess of abnormal network traffic followed by high CPU utilization on the application web tier. Which of the following techniques will improve the availability of the application? (Select TWO.)

A. Deploy an Intrusion Detection/Prevention System (IDS/IPS) to monitor or block unusual incoming network traffic.

B. Create Amazon CloudFront distribution and configure IAM WAF rules to protect the web applications from malicious traffic.

C. Use the default Amazon VPC for externakfacing systems to allow IAM to actively block malicious network traffic affecting Amazon EC2 instances.

D. Deploy IAM WAF to block all unsecured web applications from accessing the internet.

E. Configure security groups to allow outgoing network traffic only from hosts that are protected with up-to-date antivirus software.

Discussion 0

Correct Answer: A,B Vote an answer

Question #28

A security engineer is defining the controls required to protect the IAM account root user credentials in an IAM Organizations hierarchy. The controls should also limit the impact in case these credentials have been compromised.
Which combination of controls should the security engineer propose? (Select THREE.) A)

B)

C) Enable multi-factor authentication (MFA) for the root user.
D) Set a strong randomized password and store it in a secure location.
E) Create an access key ID and secret access key, and store them in a secure location.
F) Apply the following permissions boundary to the toot user:

A. Option B

B. Option F

C. Option D

D. Option C

E. Option E

F. Option A

Discussion 0

Correct Answer: D,E,F Vote an answer

Question #29

What are the MOST secure ways to protect the IAM account root user of a recently opened IAM account? (Choose two.)

A. Do not create access keys for the IAM account root user; instead, create IAM IAM users

B. Enable multi-factor authentication for the IAM IAM users with the AdministratorAccess managed policy attached to them

C. Enable multi-factor authentication for the IAM account root user

D. Use the IAM account root user access keys instead of the IAM Management Console

E. Use IAM KMS to encrypt all IAM account root user and IAM IAM access keys and set automatic rotation to 30 days

Discussion 0

Correct Answer: A,C Vote an answer

Question #30

A security engineer must troubleshoot an administrator's inability to make an existing Amazon S3 bucket public in an account that is part of an organization n IAM Organizations. The administrator switched the role from the master account to a member account and then attempted to make one S3 bucket public. This action was immediately denied Which actions should the security engineer take to troubleshoot the permissions issue? (Select TWO.)

A. Review the cross-account role permissions and the S3 bucket policy Verify that the Amazon S3 block public access option in the member account is deactivated.

B. Review the role permissions m the master account and ensure it has sufficient privileges to perform S3 operations

C. Ensure the S3 bucket policy explicitly allows the s3 PutBucketPublicAccess action for the role m the member account

D. Filter IAM CloudTrail logs for the master account to find the original deny event and update the cross-account role m the member account accordingly Verify that the Amazon S3 block public access option in the master account is deactivated.

E. Evaluate the SCPs covering the member account and the permissions boundary of the role in the member account for missing permissions and explicit denies.

Discussion 0

Correct Answer: B,C Vote an answer

Question #31

A company has resources hosted in their IAM Account. There is a requirement to monitor all API activity for all regions. The audit needs to be applied for future regions as well. Which of the following can be used to fulfil this requirement.
Please select:

A. Ensure one Cloudtrail trail is enabled for all regions.

B. Create a Cloudtrail for each region. Use Cloudformation to enable the trail for all future regions.

C. Ensure Cloudtrail for each region. Then enable for each future region.

D. Create a Cloudtrail for each region. Use IAM Config to enable the trail for all future regions.

Discussion 0

Correct Answer: A Vote an answer

Explanation: Only visible for EduDump members. You can sign-up / login (it's free).

Question #32

Your company has mandated that all calls to the IAM KMS service be recorded. How can this be achieved?
Please select:

A. Enable Cloudwatch logs

B. Use Cloudwatch metrics

C. Enable a trail in Cloudtrail

D. Enable logging on the KMS service

Discussion 0

Correct Answer: C Vote an answer

Explanation: Only visible for EduDump members. You can sign-up / login (it's free).

Question #33

A security engineer wants to evaluate configuration changes to a specific AWS resource to ensure that the resource meets compliance standards. However, the security engineer is concerned about a situation in which several configuration changes are made to the resource in quick succession. The security engineer wants to record only the latest configuration of that resource to indicate the cumulative impact of the set of changes.
Which solution will meet this requirement in the MOST operationally efficient way?

A. Use AWS CloudTrail to detect the configuration changes by filtering API calls to monitor the changes. Use the most recent API call to indicate the cumulative impact of multiple calls

B. Use AWS Cloud Map to detect the configuration changes. Generate a report of configuration changes from AWS Cloud Map to track the latest state by using a sliding time window.

C. Use AWS Config to detect the configuration changes and to record the latest configuration in case of multiple configuration changes.

D. Use Amazon CloudWatch to detect the configuration changes by filtering API calls to monitor the changes. Use the most recent API call to indicate the cumulative impact of multiple calls.

Discussion 0

Correct Answer: C Vote an answer

Explanation: Only visible for EduDump members. You can sign-up / login (it's free).

Amazon AWS-Security-Specialty Actual Free Exam Questions & Community Discussion

Download Free Amazon AWS-Security-Specialty Demo