AWS Certified Security – Specialty Practice Exam – 12 Questions with Answers (Part 2)

Boost your AWS Certified Security – Specialty exam prep with this practice test. This video provides 12 multiple-choice questions, reveals the correct answers, and offers clear explanations to help you understand the concepts. Topics include: EC2 security, DynamoDB access, KMS key rotation, and SQS queue access. Follow CertPunch for more certification practice and visit certpunch.com.

What you will practice

  • An Amazon EC2 web server has been deployed into Subnet B within a VPC. An EC2 instance in Subnet A within the…
  • A company is running a batch data processing application in an Amazon EC2 instance, which requires frequent a…
  • A company created an AWS KMS key in the AWS Key Management Service (KMS) with imported key materials. The com…
  • An application uses Amazon EC2 instances to retrieve messages from an Amazon SQS queue. The EC2 instances hav…
  • A large enterprise has an AWS setup which contains multiple accounts managed through AWS Organizations. The a…
  • A company hosts video files for a website in an Amazon S3 bucket that is configured as an origin for an Amazo…

Answers and explanations

Tap a question to expand the answer and the exam reasoning. Try to commit to your own pick first.

Q1. An Amazon EC2 web server has been deployed into Subnet B within a VPC. An EC2 instance in Subnet A within the same VPC must be able to connect to the web service. A network administrator has created a security group and added both instance…

Answer: A,E. Security group TCP port 80 inbound and TCP port 80 outbound. || Network ACL: TCP port 80 inbound and TCP ports 1024-65535 outbound.

The security group must allow inbound traffic on port 80. Network ACLs are stateless, so a rule for the high return port range is necessary.

Q2. A company is running a batch data processing application in an Amazon EC2 instance, which requires frequent access to an Amazon DynamoDB table. The company's security policies mandate that all connections to DynamoDB should be private and…

Answer: C. Associate the Gateway VPC Endpoint with the route table of the private subnet, where the EC2 instance resides.

EC2 instances use the route table to determine traffic destinations. Associating the endpoint with the route table forces DynamoDB traffic through the private endpoint.

Q3. A company created an AWS KMS key in the AWS Key Management Service (KMS) with imported key materials. The company policy requires that all encryption keys must be rotated every 365 days. What must be done to implement policy requirements?

Answer: B. Create a new KMS key, import new key material, and point the key alias to the new KMS key.

KMS keys with imported material cannot be automatically rotated. You must create a new key and update the alias to point to the new key.

Q4. An application uses Amazon EC2 instances to retrieve messages from an Amazon SQS queue. The EC2 instances have an instance profile assigned that uses an IAM role to provide permissions to the queue. A security engineer has been asked to in…

Answer: D,E. Check if an Amazon SQS policy explicitly denies access to the IAM role used by the instances. || Check the configuration of the IAM role attached to the instance profile to ensure it has sufficient permissions.

First, check the IAM role's permissions for sqs:ReceiveMessage. Second, check the SQS policy for an explicit deny that might override the IAM permissions.

Q5. A large enterprise has an AWS setup which contains multiple accounts managed through AWS Organizations. The accounts are categorized into several OUs based on the company's departmental structure. The security team now wants to enforce a p…

Answer: A. Create an SCP that includes a Deny rule for the s3:DeleteBucket action. Apply this SCP to all the OUs in the organization.

SCPs are designed for centralized governance across multiple AWS accounts, making this the ideal solution for enforcing an organization-wide S3 deletion block. The other options are either impossible or require impractical per-account management.

Q6. A company hosts video files for a website in an Amazon S3 bucket that is configured as an origin for an Amazon CloudFront distribution. The company was recently notified that the videos were being accessed from unauthorized countries. Whic…

Answer: B,C. Create an origin access identity (OAI) for the CloudFront distribution and update the S3 bucket policy to restrict access to the OAI. || Update the distribution settings in CloudFront and configure restrictions based on the geography of the request.

CloudFront's geo-restriction feature directly blocks countries, and using an Origin Access Identity ensures requests can't bypass CloudFront to access S3 directly. IP-based restrictions in S3 are hard to manage against proxies.

Q7. A company stores highly confidential information in an Amazon S3 bucket. The security team requires that any changes to the bucket policy are automatically remediated, and alerts of these changes are sent to their team members. Which actio…

Answer: A. Use AWS Config with Auto Remediation to remediate any changes to S3 bucket policies. Configure alerting with AWS Config and Amazon SNS.

AWS Config is specifically built for continuous monitoring and automated remediation of resource configurations, which perfectly meets the requirement for the least effort. Custom solutions like Lambda require more development.

Q8. An IAM user is unable to assume an IAM role using the AWS CLI. The IAM policy assigned to the user includes the following statement:

Answer: E. "Action": "sts:AssumeRole"

The sts:AssumeRole action is the correct API call for an IAM user to assume a role, as it's part of the Security Token Service. The 'ec2' action is a common trap.

Q9. A media company is streaming their content globally via AWS, but due to legal constraints, it needs to restrict data storage to a specific AWS region using AWS Organizations. A security engineer is tasked with preventing users from storing…

Answer: C. Implement an SCP that uses the "aws:RequestedRegion" condition to deny actions outside the approved region. Attach the SCP to the AWS account under AWS Organizations.

AWS Organizations SCPs enforce region restrictions at the organizational level, providing the minimum overhead compared to manually applying IAM policies to individual users.

Q10. A company has started to deploy resources to the AWS cloud. Initial resources have been deployed in the US West (Oregon) Region and an AWS CloudTrail trail has been created to record API activity in a bucket in the same Region. The securit…

Answer: D. Change the existing single-region trail to log all regions and capture API activity in a single central Amazon S3 bucket.

Modifying an existing trail to log all regions is the simplest method to centralize CloudTrail logs, as it avoids managing multiple trails.

Q11. A developer is attempting to access an Amazon S3 bucket in a member account in AWS Organizations. The developer is logged in to the account with user credentials and has received an access denied error with no bucket listed. The developer…

Answer: C,E. Check the SCPs set at the organizational units (OUs). || Check for the permissions boundaries set for the IAM user.

SCPs restrict all accounts in an OU, while permissions boundaries set the maximum permissions for an identity, both could cause 'access denied'.

Q12. A company uses an Amazon RDS MySQL database instance to store customer order data. The security team have requested that SSL/TLS encryption in transit must be used for encrypting connections to the database from application servers. The da…

Answer: C. Download the AWS-provided root certificates. Use the certificates when connecting to the RDS DB instance.

AWS provides root certificates for clients to use when connecting to RDS with TLS encryption. Option A is a trap as KMS is for encryption at rest, not in transit. Option B is wrong because self-signed certificates are not supported.

More AWS Certified Security – Specialty drills and other practice exams are on @CertPunch. New rounds drop every few days at certpunch.com.

Scroll to Top