AWS Certified Security – Specialty Practice Exam Questions and Answers – Part 1/2

Answer: E. Disable or delete the compromised IAM access key. Stop using static IAM access keys and instead, create a new IAM role for the Lambda automation process. Assign this role to the AWS Lambda functions. Respond to the AWS Trust and Safety team detailing the remediation actions.

The best practice is to replace static IAM keys with an IAM role for Lambda. This eliminates long-term credentials. This option directly follows security best practices.

Answer: D. 1. Specify '' as the principal and aws:PrincipalOrgld as a condition.

Specifying '' as the principal and aws:PrincipalOrgId as a condition allows any AWS principal access while restricting it only to accounts within the specified AWS Organization. Using the organization ID as a condition is more scalable and efficient than listing each account individually.

Answer: B. Enable the awslogs log driver by including awslogs-group and awslogs-region parameters in the LogConfiguration property.

The awslogs log driver is the native and most efficient method for Fargate containers to send logs directly to a specified CloudWatch log group. The CloudWatch agent cannot be used on Fargate as it runs on a separate EC2 instance, which is not available in the Fargate launch type.

Answer: B,C. Create an origin access identity (OAI) and associate it with the CloudFront distribution. || Configure the S3 bucket permissions so that only the origin access identity can access the bucket contents.

Creating and associating an Origin Access Identity (OAI) with CloudFront and then configuring the S3 bucket policy to grant access only to that OAI ensures all requests must go through the CloudFront distribution. Direct S3 access is blocked because the OAI is not a standard AWS user.

Answer: F,G,H. Configure a password policy in Active Directory for the federation scenario. || Configure an IAM password policy for the IAM user scenario. || Configure a password policy in the Amazon Cognito user pool.

Password policies must be configured at the source of the identity: Active Directory for federation, IAM for IAM users, and Cognito user pools for managed Cognito users. IAM policies do not apply to federated users, and Cognito identity pools are for temporary credentials, not user management.

Answer: D. Connect to each EC2 instance and replace the public key information in the authorized_keys file.

Connecting to the EC2 instance and editing the .ssh/authorized_keys file is the only way to revoke a compromised key. AWS does not provide a way to change an instance's key pair after it's launched; you must manage the keys at the operating system level.

Answer: E. Create an AWS WAF rate-based rule to block this traffic when it exceeds a defined threshold.

AWS WAF rate-based rules are designed to automatically block IP addresses that exceed a configured request threshold in a 5-minute window, providing the least effort solution for mitigating suspicious traffic originating from a series of source IPs.

Answer: C. Configure VPC traffic mirroring to send traffic to the intrusion detection EC2 instance using a Network Load Balancer.

VPC traffic mirroring is the correct AWS service to copy live network traffic from an elastic network interface and send it to a security appliance, such as an EC2-based intrusion detection system. This provides full packet capture for inspection.

Answer: A. Use imported key material with an AWS KMS key.

Imported key material in AWS KMS can be deleted immediately, rendering the encrypted data cryptographically erased. Other key types require a waiting period of at least 7 days for scheduled deletion, which does not meet the 15-minute requirement.

Answer: B. Service Control Policies (SCPs)

Service Control Policies (SCPs) in AWS Organizations provide a scalable way to apply permissions across all member accounts automatically. S3 bucket policies or ACLs would need to be configured on every bucket in every account, making them less scalable.

Answer: D,E. Enable access logging for the appropriate API stage. || Use Amazon CloudWatch Logs Insights for analyzing API usage data.

Enabling access logging sends detailed request logs to CloudWatch, and CloudWatch Logs Insights provides powerful query capabilities to analyze the data without manual file parsing. This is more direct than using S3 and Athena or just CloudTrail.

Answer: B,C. On the DBSG security group, create a custom TCP rule for TCP 3306 and configure the AppSG security group as the source. || On the AppSG security group, create a custom TCP rule for TCP 1030 and configure the WebSG security group as the source.

Application tier security group must allow traffic from the web tier on port 1030. Database tier security group must allow traffic from the application tier on port 3306. This follows the principle of least privilege.

Answer: D. An explicit deny will always override an explicit allow.

An explicit deny in the bucket policy takes precedence over any new explicit allow statements, preventing access for the forensic analyst.