AWS Certified Security – Specialty Practice Exam – 13 Questions with Answers, Part 1

Boost your AWS Certified Security – Specialty exam prep with this practice test. This video presents 13 multiple-choice questions, followed by answer reveals and in-depth explanations to help solidify your understanding. Topics include CloudTrail event delivery, EC2 incident response, and SSH key pair management. Follow CertPunch for more study resources and visit certpunch.com.

Chapters:
00:00 Intro
00:13 Question 1 of 13
01:32 Question 2 of 13
02:43 Question 3 of 13
04:22 Question 4 of 13
06:05 Question 5 of 13
07:31 Question 6 of 13
08:35 Question 7 of 13
10:01 Question 8 of 13
11:29 Question 9 of 13
13:22 Question 10 of 13
15:41 Question 11 of 13
16:46 Question 12 of 13
17:47 Question 13 of 13

What you will practice

  • A company is using AWS CloudTrail to monitor API calls. An audit revealed that CloudTrail is fa…
  • A security team is designing a plan to respond to incidents of compromised Amazon EC2 instances. The inciden…
  • A developer who recently left a company was found to have published many access keys IDs to a public source c…
  • A security engineer needs to automate SSH key pair management for many Amazon EC2 instances. The security eng…
  • An application runs on Amazon EC2 instances that use an Amazon SQS queue and an Amazon DynamoDB table. The ap…
  • An Amazon EC2 instance requires permissions to read and write data in an Amazon S3 bucket. A security enginee…

Answers and explanations

Tap a question to expand the answer and the exam reasoning. Try to commit to your own pick first.

Q1. A company is using AWS CloudTrail to monitor API calls. An audit revealed that CloudTrail is failing to deliver events to Amazon S3 as expected. A security engineer is attempting to resolve the issue. What initial actions sho…

Answer: D,E. Verify that the S3 bucket and prefix defined in CloudTrail exist. || Verify that the S3 bucket policy grants CloudTrail the s3:PutObject permission.

The two correct answers are the delivery prerequisites: the bucket and prefix the trail is configured with must actually exist, and the bucket policy must grant the CloudTrail service principal (cloudtrail.amazonaws.com) s3:PutObject on the AWSLogs/<account-id>/ key prefix; the documented policy also grants it s3:GetBucketAcl on the bucket. The distractors confuse an IAM role with the service principal, or rely on bucket ACLs, which is not how CloudTrail's write permission is granted.
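
Added example (not from the video or from CertPunch): a small Python check a troubleshooter can run against a bucket policy pulled with get-bucket-policy. It encodes the two grants CloudTrail's documented bucket policy gives the cloudtrail.amazonaws.com service principal (s3:GetBucketAcl on the bucket, s3:PutObject on the AWSLogs/<account-id>/ prefix), flags the role-principal mistake, and reports the bucket-owner-full-control and aws:SourceArn conditions as hardening gaps rather than delivery failures. The bucket name, account ID, trail ARN and both policies are constructed sample data.

```python
def _as_list(value):
    """IAM policy elements may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _service_allow(stmt, action, resource):
    """True if stmt is an Allow for the CloudTrail service principal covering action on resource.
    A Principal of {"AWS": "<role arn>"} does not count: CloudTrail writes as a service, not as a role."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal")
    if not isinstance(principal, dict):
        return False
    if "cloudtrail.amazonaws.com" not in _as_list(principal.get("Service", [])):
        return False
    return (action in _as_list(stmt.get("Action", []))
            and resource in _as_list(stmt.get("Resource", [])))


def cloudtrail_object_arn(bucket, account_id, prefix=""):
    """Objects land under [<prefix>/]AWSLogs/<account-id>/, so that is what the grant must name."""
    key_prefix = prefix.strip("/")
    key_prefix = key_prefix + "/" if key_prefix else ""
    return f"arn:aws:s3:::{bucket}/{key_prefix}AWSLogs/{account_id}/*"


def check_cloudtrail_bucket_policy(policy, bucket, account_id, prefix=""):
    """Return findings as (level, message): 'error' breaks delivery, 'warn' is a hardening gap."""
    findings = []
    stmts = _as_list(policy.get("Statement", []))
    bucket_arn = f"arn:aws:s3:::{bucket}"
    obj_arn = cloudtrail_object_arn(bucket, account_id, prefix)

    if not any(_service_allow(s, "s3:GetBucketAcl", bucket_arn) for s in stmts):
        findings.append(("error", f"no s3:GetBucketAcl for cloudtrail.amazonaws.com on {bucket_arn}"))

    writers = [s for s in stmts if _service_allow(s, "s3:PutObject", obj_arn)]
    if not writers:
        findings.append(("error", f"no s3:PutObject for cloudtrail.amazonaws.com on {obj_arn}"))
    else:
        conds = [s.get("Condition", {}).get("StringEquals", {}) for s in writers]
        if not any(c.get("s3:x-amz-acl") == "bucket-owner-full-control" for c in conds):
            findings.append(("warn", "PutObject grant lacks the s3:x-amz-acl = bucket-owner-full-control condition"))
        if not any("aws:SourceArn" in c for c in conds):
            findings.append(("warn", "PutObject grant is not pinned to the trail with aws:SourceArn (confused-deputy risk)"))
    return findings


def delivery_possible(policy, bucket, account_id, prefix=""):
    """The yes/no a troubleshooter wants: are both required grants present?"""
    return not any(level == "error"
                   for level, _ in check_cloudtrail_bucket_policy(policy, bucket, account_id, prefix))


# Constructed sample values (not from the page).
BUCKET, ACCOUNT = "example-trail-logs", "111122223333"
TRAIL_ARN = f"arn:aws:cloudtrail:us-east-1:{ACCOUNT}:trail/main"

GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{BUCKET}",
         "Condition": {"StringEquals": {"aws:SourceArn": TRAIL_ARN}}},
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/AWSLogs/{ACCOUNT}/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control",
                                        "aws:SourceArn": TRAIL_ARN}}},
    ],
}

# The classic mistake the exam alludes to: granting an IAM role instead of the service principal.
BAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "WrongPrincipal", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/CloudTrailDelivery"},
         "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/AWSLogs/{ACCOUNT}/*"},
    ],
}

if __name__ == "__main__":
    for name, pol in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, delivery_possible(pol, BUCKET, ACCOUNT),
              check_cloudtrail_bucket_policy(pol, BUCKET, ACCOUNT))
```

Run the check with the prefix the trail is actually configured with: a policy written for AWSLogs/<account-id>/ silently stops matching once someone adds a log file prefix to the trail, which is exactly the "verify the prefix" half of the answer.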

Q2. A security team is designing a plan to respond to incidents of compromised Amazon EC2 instances. The incident response plan should include the automated provisioning of a secure forensic environment and orchestration of incident response…

Answer: A,C. AWS CloudFormation || AWS Step Functions

CloudFormation automates provisioning of the forensic environment, and Step Functions orchestrates the response workflow as a state machine (for example: isolate the instance, snapshot its volumes, launch the analysis stack). That is the automation the question asks for; GuardDuty only detects threats and neither builds nor orchestrates anything.

Q3. A developer who recently left a company was found to have published many access key IDs to a public source code repository. A list of the exposed access key IDs has been created. A security engineer needs to quickly identify which users t…

Answer: A. Generate a credential report in each account in the Organization. Consolidate the reports and identify the users the access key IDs belong to. Rotate the access key IDs.

IAM Access Analyzer finds resources shared with principals outside the account, not compromised credentials, and a credential report is scoped to a single account, so one must be generated in every account of the Organization and the results consolidated. A caveat a practitioner should know: the report shows, per user, whether access key 1 and 2 are active and when each was last rotated and used, but it does not contain the key IDs themselves. To map an exposed key ID to its owner, start with aws sts get-access-key-info --access-key-id <id>, which returns the owning account, then run aws iam list-access-keys in that account to find the user, and deactivate the key before deleting it.
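
Added example (not from the video or from CertPunch): triaging a leak list in Python. The account lookup in account_id_from_key_id uses the bit layout of AKIA/ASIA key IDs described in public research, not anything on this page, so treat it as an assumption and cross-check a real key with aws sts get-access-key-info; the inventory of key IDs per account stands in for what aws iam list-access-keys returns in each account, and every key and account number below is synthetic, built by the inverse function so the round trip is exercised offline.

```python
import base64


def account_id_from_key_id(key_id):
    """Recover the 12-digit account ID encoded in an AKIA/ASIA access key ID.
    Layout assumed from public research, not from this page: the 16 characters after the
    4-character prefix are base32, and bits 7..46 of the first 6 decoded bytes hold the account ID.
    `aws sts get-access-key-info --access-key-id <id>` is the authoritative answer; use this to triage."""
    raw = base64.b32decode(key_id[4:].upper())
    value = int.from_bytes(raw[:6], "big")
    return f"{(value & 0x7FFFFFFFFF80) >> 7:012d}"


def synthetic_key_id(account_id, tail=b"\x00\x00\x00\x00", low_bits=0, prefix="AKIA"):
    """Inverse of the above; used only to build constructed test data with the same layout."""
    value = (int(account_id) << 7) | (low_bits & 0x7F)
    raw = value.to_bytes(6, "big") + tail          # 10 bytes -> exactly 16 base32 characters
    return prefix + base64.b32encode(raw).decode()


def triage_exposed_keys(exposed_ids, inventory):
    """inventory: {account_id: {access_key_id: user_name}}, gathered per account because each
    account's IAM API only sees its own keys. Returns {key_id: (account_id, user or None)};
    None means the key no longer exists there (or the account is outside the Organization)."""
    result = {}
    for key_id in exposed_ids:
        account = account_id_from_key_id(key_id)
        result[key_id] = (account, inventory.get(account, {}).get(key_id))
    return result


def rotation_plan(triage):
    """Keys that still exist are deactivated first (update-access-key --status Inactive) and deleted
    once a replacement is in place; unmatched IDs go to a manual follow-up list."""
    plan = {"deactivate": [], "investigate": []}
    for key_id, (account, user) in triage.items():
        (plan["deactivate"] if user else plan["investigate"]).append((account, user, key_id))
    return plan


# Constructed inventory and leak list (not real keys or accounts).
INVENTORY = {
    "111122223333": {synthetic_key_id("111122223333", b"\x01\x02\x03\x04"): "alice",
                     synthetic_key_id("111122223333", b"\x05\x06\x07\x08"): "ci-deploy"},
    "444455556666": {synthetic_key_id("444455556666", b"\x09\x0a\x0b\x0c"): "bob"},
}
EXPOSED = [synthetic_key_id("111122223333", b"\x05\x06\x07\x08"),
           synthetic_key_id("444455556666", b"\x09\x0a\x0b\x0c"),
           synthetic_key_id("777788889999", b"\xff\xff\xff\xff")]   # not in any of our accounts

if __name__ == "__main__":
    triage = triage_exposed_keys(EXPOSED, INVENTORY)
    for key_id, owner in triage.items():
        print(key_id, "->", owner)
    print(rotation_plan(triage))
```

Decoding the account from the ID lets you go straight to the right account instead of listing keys in every account of the Organization; the "investigate" bucket catches IDs whose account is not yours (a personal account, or a key already deleted), which still deserve a look because the leaked secret may be paired with a still-valid key elsewhere.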

Q4. A security engineer needs to automate SSH key pair management for many Amazon EC2 instances. The security engineer must create a solution that automatically stores and rotates SSH key pairs that are more than 90 days old. There must also b…

Answer: C. Use AWS Secrets Manager to store the SSH key pairs. Create an AWS Lambda function that rotates the SSH keys every 90 days. Create an AWS CloudTrail trail that logs to an S3 bucket.

Secrets Manager has built-in (managed) rotation only for the database credentials it supports, so for SSH key pairs you write the rotation logic yourself in a Lambda function that Secrets Manager invokes on the schedule you set (here every 90 days). CloudTrail supplies the audit trail, recording who retrieved, updated or rotated each secret, because Secrets Manager does not write its own logs to S3.
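
Added example (not from the video or from CertPunch): the four-step contract a Secrets Manager rotation Lambda has to implement (createSecret, setSecret, testSecret, finishSecret, one invocation per step, driven by the AWSPENDING and AWSCURRENT staging labels), applied to an SSH key pair. The key generator, the step that installs the public key on the instances (in practice an SSM Run Command editing authorized_keys) and the login check are injected callables, and FakeSecretsManager is an in-memory stand-in for the four boto3 calls, so the block runs offline; with a real client you pass boto3.client('secretsmanager') and catch client.exceptions.ResourceNotFoundException instead of NotFound. The 90-day cadence is not in this code: it is set on the secret itself (rotate_secret with RotationRules AutomaticallyAfterDays=90) and Secrets Manager calls the function on that schedule.

```python
import json
import secrets

CURRENT, PENDING = "AWSCURRENT", "AWSPENDING"


class NotFound(Exception):
    """Stand-in for client.exceptions.ResourceNotFoundException (use that with a real boto3 client)."""


class FakeSecretsManager:
    """In-memory stand-in for the four Secrets Manager calls a rotation function needs.
    Constructed for this example; real code passes boto3.client('secretsmanager') instead."""

    def __init__(self, initial_secret):
        self.versions = {"v0": {"string": json.dumps(initial_secret), "stages": {CURRENT}}}

    def start_rotation(self, token):
        # What the service does before invoking the Lambda: a new version ID labelled AWSPENDING, no value yet.
        self.versions[token] = {"string": None, "stages": {PENDING}}

    def describe_secret(self, SecretId):
        return {"VersionIdsToStages": {v: sorted(d["stages"]) for v, d in self.versions.items()}}

    def get_secret_value(self, SecretId, VersionId=None, VersionStage=None):
        if VersionId is None and VersionStage is None:
            VersionStage = CURRENT                       # the real API's default
        for vid, data in self.versions.items():
            if (VersionId is None or vid == VersionId) and (VersionStage is None or VersionStage in data["stages"]):
                if data["string"] is None:
                    raise NotFound(vid)
                return {"SecretString": data["string"]}
        raise NotFound(VersionId or VersionStage)

    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.versions[ClientRequestToken] = {"string": SecretString, "stages": set(VersionStages)}

    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId, RemoveFromVersionId=None):
        if RemoveFromVersionId:
            self.versions[RemoveFromVersionId]["stages"].discard(VersionStage)
        self.versions[MoveToVersionId]["stages"].add(VersionStage)


def rotate(event, client, keygen, install, verify):
    """The Lambda body: one invocation per Step, called in order by Secrets Manager, retried on failure.
    keygen() -> (private_key_text, public_key_line); install(public_key_line) pushes the key to the
    instances; verify(private_key_text) -> bool proves the new key logs in before it becomes AWSCURRENT."""
    sid, token, step = event["SecretId"], event["ClientRequestToken"], event["Step"]
    stages = client.describe_secret(SecretId=sid)["VersionIdsToStages"]
    if token not in stages:
        raise ValueError(f"version {token} has no staging label; rotation was not started by Secrets Manager")
    if CURRENT in stages[token]:
        return "noop"                                    # already finished; this invocation is a retry
    if PENDING not in stages[token]:
        raise ValueError(f"version {token} is not AWSPENDING")

    if step == "createSecret":
        try:                                             # idempotent: keep the pair a retried run already made
            client.get_secret_value(SecretId=sid, VersionId=token, VersionStage=PENDING)
        except NotFound:
            priv, pub = keygen()
            client.put_secret_value(SecretId=sid, ClientRequestToken=token,
                                    SecretString=json.dumps({"private_key": priv, "public_key": pub}),
                                    VersionStages=[PENDING])
    elif step == "setSecret":
        pending = json.loads(client.get_secret_value(SecretId=sid, VersionId=token, VersionStage=PENDING)["SecretString"])
        install(pending["public_key"])                   # old key still works: AWSCURRENT is untouched
    elif step == "testSecret":
        pending = json.loads(client.get_secret_value(SecretId=sid, VersionId=token, VersionStage=PENDING)["SecretString"])
        if not verify(pending["private_key"]):
            raise RuntimeError("new SSH key does not authenticate; leaving AWSCURRENT untouched")
    elif step == "finishSecret":
        current_id = next(v for v, s in stages.items() if CURRENT in s)
        client.update_secret_version_stage(SecretId=sid, VersionStage=CURRENT,
                                           MoveToVersionId=token, RemoveFromVersionId=current_id)
    else:
        raise ValueError(f"unknown step {step}")
    return step


def run_rotation(client, secret_id, token, keygen, install, verify):
    """Drive all four steps as the service would; returns the staging labels afterwards."""
    for step in ("createSecret", "setSecret", "testSecret", "finishSecret"):
        rotate({"SecretId": secret_id, "ClientRequestToken": token, "Step": step},
               client, keygen, install, verify)
    return client.describe_secret(SecretId=secret_id)["VersionIdsToStages"]


def demo_keygen():
    """Placeholder key material so the example runs offline; a real function generates an ed25519
    pair (ssh-keygen or the cryptography library) and returns the private key text and public line."""
    tag = secrets.token_hex(8)
    return f"-----PRIVATE-{tag}-----", f"ssh-ed25519 PUBLIC-{tag} rotated-by-lambda"


if __name__ == "__main__":
    sm = FakeSecretsManager({"private_key": "old-priv", "public_key": "ssh-ed25519 OLDPUB"})
    sm.start_rotation("v1")
    installed = []
    print(run_rotation(sm, "ec2/ssh", "v1", demo_keygen, installed.append, lambda priv: True))
```

The order is the whole point: the new public key is installed and proven to work while the old one is still AWSCURRENT, and a failing testSecret leaves the old key in service, which is the same safe overlap the access-key rotation in Q8 relies on.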

Q5. An application runs on Amazon EC2 instances that use an Amazon SQS queue and an Amazon DynamoDB table. The application processes highly confidential information and the connectivity between these AWS services should be private. Which combi…

Answer: A,C,D. Modify the endpoint policies on all VPC endpoints. Specify the SQS and DynamoDB resources that the application uses. || Create an interface VPC endpoint for Amazon SQS. || Create a gateway VPC endpoint for Amazon DynamoDB.

VPC endpoints keep the traffic on the AWS network instead of sending it through an internet gateway or NAT device. SQS is reached through an interface endpoint (an elastic network interface with a private IP address in the subnet), DynamoDB through a gateway endpoint (a route-table entry, as with S3), and the endpoint policies narrow each endpoint to the specific queue and table the application uses so the endpoint cannot be used to reach other resources.

Q6. An Amazon EC2 instance requires permissions to read and write data in an Amazon S3 bucket. A security engineer is creating an IAM role that will be assumed by the EC2 instance. When creating the role using the AWS CLI create-role command…

Answer: D. Trust policy

A trust policy defines which principals may assume the role; for an EC2 instance that is the ec2.amazonaws.com service principal, passed to create-role as --assume-role-policy-document. Inline and managed policies grant permissions to whoever has assumed the role, but without the trust policy the instance cannot assume it at all.

Q7. A security engineer requires a solution for allowing employees to connect to a command line interface on Amazon EC2 Linux instances without using SSH keys or ports. Which solution meets these requirements?

Answer: A. Use AWS Systems Manager Session Manager. Grant the IAM user accounts permissions to use Systems Manager Session Manager.

Session Manager gives an interactive shell through the SSM Agent over an outbound HTTPS channel, so there is no inbound port 22 and no key pair to manage, and sessions can be logged to S3 or CloudWatch Logs. Run Command executes one-off commands rather than an interactive session, a bastion host still needs SSH keys and an open port, and Secrets Manager would merely store the keys the question wants to eliminate.

Q8. A security engineer received a notification that an administrative user account may have been compromised. The engineer wants to immediately rotate the access key for the user whilst ensuring that applications that use the access key are n…

Answer: B. Create a second access key and modify applications to use the new key. Disable the old access key and check applications are working correctly before deleting the old access key.

An IAM user can have two access keys at once, which is what makes a phased rotation possible: create the second key, move the applications to it, deactivate (not delete) the old key, confirm nothing broke, and only then delete it. Deactivation is reversible and deletion is not, so the old key stays available as a fallback until the new one is proven.

Q9. A company has created an organization within AWS Organizations. A security engineer created an organizational unit (OU) and moved several AWS accounts into the OU. The Amazon EC2 service is restricted with the following SCP:

Answer: F. Create a new OU without the SCP restricting EC2 access. Move the data analytics account to the new OU.

An explicit deny in an SCP cannot be overridden by any allow, whether in another SCP or in an IAM policy, and SCPs apply to the account's root user as well. The only way to restore EC2 access is to take the account out of the scope of the deny by moving it to an OU that does not carry that SCP. The trap answer is an Allow statement with a Condition, which SCPs do not support in Allow statements.

Q10. A security engineer is troubleshooting a connectivity issue with an Amazon EC2 Linux instance. The engineer is trying to connect from the internet, but the connection attempt times out. Other instances in the VPC are contactable over the i…

Answer: A,B,D. The network ACL denies outbound traffic on ephemeral ports. || The route table of the subnet is missing a route to the internet gateway. || The host-based firewall of the instance operating system is denying traffic.

The subnet's route table must send internet-bound traffic to the internet gateway, or the instance is unreachable regardless of its security rules. Network ACLs are stateless: the SSH request arrives on port 22, but the reply leaves from port 22 to the client's ephemeral port, so an outbound deny on the ephemeral range (AWS recommends allowing 1024-65535) drops the return traffic even though inbound 22 is allowed. A host-based firewall can likewise drop the connection. The elimination cue is that security groups are stateful and automatically permit the response to an allowed connection.
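
Added example (not from the video or from CertPunch): a small evaluator that makes the stateless/stateful difference concrete. It walks numbered NACL rules in order with first match wins and an implicit final deny, judges the SSH request and the SSH reply as two separate packets, and contrasts that with a security group, which only needs the request to match. The rule sets, client address and ephemeral port are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int        # NACL rules are evaluated lowest number first; first match wins
    protocol: str      # "tcp", "udp", "icmp" or "-1" for all traffic
    from_port: int
    to_port: int
    cidr: str
    action: str        # "allow" or "deny"


def nacl_decision(rules, protocol, port, peer_ip):
    """Stateless evaluation of one packet against one direction of a network ACL."""
    ip = ipaddress.ip_address(peer_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("-1", protocol):
            continue
        if rule.protocol != "-1" and not (rule.from_port <= port <= rule.to_port):
            continue
        if ip not in ipaddress.ip_network(rule.cidr):
            continue
        return rule.action
    return "deny"          # the implicit '*' rule at the end of every NACL


def nacl_tcp_session_allowed(inbound, outbound, client_ip, client_port, server_port=22):
    """A TCP session crosses the NACL twice and each direction is judged on its own:
    request  client:client_port -> instance:server_port   (inbound rules, port = server_port)
    reply    instance:server_port -> client:client_port   (outbound rules, port = client_port)."""
    request_ok = nacl_decision(inbound, "tcp", server_port, client_ip) == "allow"
    reply_ok = nacl_decision(outbound, "tcp", client_port, client_ip) == "allow"
    return request_ok and reply_ok


def sg_tcp_session_allowed(ingress, client_ip, server_port=22):
    """Security groups are stateful: if the request matches an ingress rule the reply is allowed
    regardless of egress rules, so only the inbound side is evaluated."""
    ip = ipaddress.ip_address(client_ip)
    return any(r.protocol == "tcp" and r.from_port <= server_port <= r.to_port
               and ip in ipaddress.ip_network(r.cidr) for r in ingress)


# Constructed rule sets (not from the page).
INBOUND = [Rule(100, "tcp", 22, 22, "0.0.0.0/0", "allow")]
# Broken: allows web egress but explicitly denies the ephemeral range the SSH reply is sent to.
OUTBOUND_BROKEN = [Rule(100, "tcp", 80, 80, "0.0.0.0/0", "allow"),
                   Rule(110, "tcp", 443, 443, "0.0.0.0/0", "allow"),
                   Rule(120, "tcp", 1024, 65535, "0.0.0.0/0", "deny")]
# Fixed: AWS guidance is to allow 1024-65535 outbound, since clients pick ephemeral ports anywhere in it.
OUTBOUND_FIXED = [Rule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]
SG_INGRESS = [Rule(0, "tcp", 22, 22, "203.0.113.0/24", "allow")]   # SGs have no rule numbers; 0 is filler

if __name__ == "__main__":
    print("NACL broken:", nacl_tcp_session_allowed(INBOUND, OUTBOUND_BROKEN, "203.0.113.10", 51234))
    print("NACL fixed: ", nacl_tcp_session_allowed(INBOUND, OUTBOUND_FIXED, "203.0.113.10", 51234))
    print("SG:         ", sg_tcp_session_allowed(SG_INGRESS, "203.0.113.10"))
```

The same evaluator explains the symptom in the question: the SYN is accepted, the SYN-ACK is dropped on the way out, and the client sees a timeout rather than a refusal, which is indistinguishable from a missing internet-gateway route until you inspect the outbound NACL.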

Q11. A security architect is designing a highly secure application and must determine the best solution for storage of encryption keys. The encryption keys must be accessible only from within a VPC on single-tenant hardware security modules (HS…

Answer: C. AWS CloudHSM.

CloudHSM provides single-tenant, FIPS 140 Level 3 validated HSMs that sit in your VPC with you alone holding the keys, along with the audit logging and multi-AZ clustering the question asks for. KMS is ruled out because its backing HSMs are multi-tenant and managed by AWS.

Q12. A company is experiencing a layer 3 and layer 4 DDoS attack on its web servers running on AWS. Which combination of AWS services and features will provide protection in this scenario? (Select THREE).

Answer: B,C,F. Amazon Route 53 || Elastic Load Balancing || AWS Shield

AWS Shield (Standard is enabled automatically) absorbs layer 3 and 4 floods such as SYN floods and UDP reflection at the AWS edge. Route 53 and Elastic Load Balancing are AWS-managed, horizontally scaled entry points that spread and absorb traffic so the web servers never face the flood directly. GuardDuty is detection only; it mitigates nothing.

Q13. A company requires that only trusted code can be deployed to AWS Lambda functions. A method of validating the integrity of the code should be implemented and developers should not be able to bypass the solution. Which combination of steps…

Answer: B,D. Use AWS Signer to verify code integrity when code packages are deployed to Lambda. || Use IAM policies to enforce that developers can only create functions that have code signing enabled.

AWS Signer creates the signing profile and signs the deployment package; a Lambda code signing configuration bound to that profile makes Lambda verify the signature on every deploy and reject an unsigned or tampered package. An IAM policy using the lambda:CodeSigningConfigArn condition key on the create and update actions enforces that developers can only create or update functions attached to that configuration, so the check cannot be bypassed. The exam wants both: the validation and the enforcement.

More AWS Certified Security – Specialty drills and other practice exams are on @CertPunch. New rounds drop every few days at certpunch.com.
