Boost your AWS Certified Security – Specialty exam readiness with this practice test. This video provides 13 multiple-choice questions, followed by detailed answer reveals and explanations to deepen your understanding. Topics include: automatic discovery of security groups, managing EC2 instances, and configuring AWS WAF. Follow CertPunch for more certification practice and visit certpunch.com.
What you will practice
- The security department in a company requires automatic discovery of any security groups that allow unrestric…
- A company currently manages Amazon EC2 instances running Windows and Linux in public and private subnets. The…
- A company has created an AWS account structure with a centralized management account and several child accoun…
- A security engineer must configure AWS WAF to store logs in a central location for later analysis. What is th…
- An application runs across multiple Amazon EC2 instances in multiple Availability Zones behind an Application…
- A company runs an ecommerce website and is concerned about the risk of DDoS attacks. The company needs to ide…
Answers and explanations
Tap a question to expand the answer and the exam reasoning. Try to commit to your own pick first.
Q1. The security department in a company requires automatic discovery of any security groups that allow unrestricted inbound traffic on port 22 (SSH). The security administrators should be notified of any violations Which solution meets these…
Answer: C. Configure the restricted-ssh managed rule in AWS Config. When the rule is NON_COMPLIANT, use the AWS Config remediation feature to publish a notification to an Amazon SNS topic.
AWS Config's 'restricted-ssh' managed rule is designed specifically for this purpose, offering a low-overhead way to detect and remediate non-compliant security group configurations.
Q2. A company currently manages Amazon EC2 instances running Windows and Linux in public and private subnets. The operations team currently connects over the Internet to manage the instances as there is no private connection to the corporate n…
Answer: B. Deploy the AWS Systems Manager Agent on the EC2 instances. Access the EC2 instances using Session Manager restricting access to users with permission to manage the instances.
Systems Manager Session Manager provides secure, auditable access without exposing RDP or SSH ports, making it the most secure solution for managing instances remotely.
Q3. A company has created an AWS account structure with a centralized management account and several child accounts. An AWS Organization has been created to manage this configuration. The security team require API auditing using AWS CloudTrail…
Answer: D. Create an Amazon S3 bucket in the management account and create an Organization trail in the management account that logs to the S3 bucket.
An organization trail in the management account logging to a single S3 bucket provides centralized auditing with minimal overhead.
Q4. A security engineer must configure AWS WAF to store logs in a central location for later analysis. What is the MOST operationally efficient solution that meets this requirement?
Answer: D. Configure AWS WAF to send its log files directly to an Amazon S3 bucket for later analysis.
WAF can send logs directly to S3, which is the most operationally efficient method for long-term storage without additional services.
Q5. An application runs across multiple Amazon EC2 instances in multiple Availability Zones behind an Application Load Balancer (ALB). The application is experiencing a DDoS attack from malicious software that is distributed across hosts aroun…
Answer: D. Create a Web ACL with a string match condition that matches the value in the User-Agent header. Configure WAF to block requests that match the condition.
AWS WAF's string match condition is designed to inspect request headers like User-Agent and block based on their content, mitigating Layer 7 attacks.
Q6. A company runs an ecommerce website and is concerned about the risk of DDoS attacks. The company needs to identify methods to minimize the downtime associated with any attacks that might happen in the future. Which steps would help achieve…
Answer: B,D. Subscribe to AWS Shield Advanced and reach out to AWS Support in the event of an attack. || Create rule statements in AWS WAF web ACLs to block matching requests relating to the attack traffic.
AWS Shield Advanced provides expert DDoS mitigation and support, while AWS WAF gives you the granular control to block malicious traffic. GuardDuty is for detection, not blocking, and VPC Flow Logs don't auto-remediate.
Q7. A company manages an application that runs on Amazon EC2 instances behind a Network Load Balancer (NLB). The NLB has access logs enabled which are being stored in an Amazon S3 bucket. A security engineer requires a solution to run ad hoc q…
Answer: C. Create an Amazon Athena table that uses the S3 bucket containing the access logs. Run SQL queries using Athena.
Athena is the most direct, serverless service for running ad-hoc SQL queries on data stored in S3 with minimal setup. The other options require more complex scripting or data movement.
Q8. A company has deployed an application on Amazon EC2 instances with an Amazon RDS database. A security architect needs a secure solution for storing the database credentials and enabling automatic rotation on a regular basis. The credential…
Answer: A. Use AWS Secrets Manager and configure automatic rotation of the credentials.
Secrets Manager is the dedicated AWS service for secure credential storage and automatic rotation for databases like RDS, with encryption in transit and at rest built-in.
Q9. A security engineer is deploying a proxy server solution in an Amazon VPC. The engineer has deployed proxy software on multiple EC2 instances across Availability Zones. Route tables have been configured to forward traffic to the proxy inst…
Answer: D. Disable source/destination checks on the EC2 proxy instances.
Proxy servers must disable source/destination checks to act as a middleman, forwarding traffic that is not addressed to the instance itself. This is a fundamental networking configuration.
Q10. An application running on Amazon EC2 instances generates log files in a folder on the Linux file system. The security team requires that the logs are collected and centrally stored using an AWS managed service. Automatic monitoring should…
Answer: A. Install the unified Amazon CloudWatch agent on the EC2 instances. Configure the agent to collect the application log files and send them to Amazon CloudWatch Logs.
The unified CloudWatch agent is the standard AWS-managed solution for collecting logs from EC2 instances and sending them to CloudWatch Logs for analysis with minimal effort.
Q11. An enterprise has two VPCs in the ap-south-1 Region: vpc-alpha and vpc-beta. The enterprise has recently created an Amazon API Gateway REST API with the endpoint type set to PRIVATE. It also created a VPC endpoint for the REST API in vpc-a…
Answer: F. Maintain the API endpoint type as PRIVATE. Attach a resource policy to the REST API permitting access from vpc-beta.
For a PRIVATE API Gateway endpoint, a resource policy is required to grant access to other VPCs, as the endpoint policy alone is insufficient. Peering or changing to REGIONAL adds unnecessary exposure.
Q12. A security team has mandated that only approved Amazon Machine Images (AMIs) can be used for launching Amazon EC2 instances. The security team requires a method of automatically validating compliance with the new mandate. Which solution ca…
Answer: C. Deploy the AWS Config rule "approved_ami_by_id" and specify the approved AMI IDs.
AWS Config's 'approved_ami_by_id' rule is a managed service that continuously checks EC2 instances against a list of approved AMIs, identifying non-compliance for both new and existing instances.
Q13. A multinational company is operating a global web application on AWS behind a CloudFront distribution. As part of their security enhancement, the company has enabled AWS WAF on the CloudFront distribution with a Web ACL. For compliance pur…
Answer: E,F. Enable logging in AWS WAF settings, associate the web ACL with an Amazon Kinesis Data Firehose delivery stream. || Create an Amazon Kinesis Data Firehose delivery stream in the same AWS Region as the web ACL. Specify the S3 bucket as the destination for the delivery stream.
Enabling WAF logging and using Kinesis Firehose to deliver logs to S3 is the standard AWS method for centralized, scalable logging of WAF activity.
More AWS Certified Security – Specialty drills and other practice exams are on @CertPunch. New rounds drop every few days at certpunch.com.