AWS Certified Security – Specialty Practice Exam – 12 Questions with Answers – Part 2

Answer: A,B. Configure the Lambda function to connect to private subnets in an Amazon VPC. || Configure a VPC endpoint for accessing the DynamoDB table using private addresses.

Placing Lambda in private subnets and using a VPC endpoint for DynamoDB secures the application by removing public internet access. The key is using a VPC endpoint, which is not the same as DynamoDB connecting to a subnet.

Answer: C,E. The IAM role assigned to the EC2 instance profile does not have permissions to retrieve parameters in Systems Manager Parameter Store. || The IAM role assigned to the EC2 instance profile does not have decrypt permissions on the AWS KMS key used to encrypt the parameter.

Reading a secure string requires SSM GetParameter and KMS Decrypt permissions on the IAM role. The trap is confusing who needs the KMS permission.

Answer: C. Modify the configuration of AWS WAF to add an IP match condition to block the malicious IP address.

AWS WAF is the correct location for blocking specific IPs as it's designed for web application firewalling. Security groups can't have deny rules, and the ALB sees traffic from the WAF, not the client's original IP address.

Answer: D. Modify the web ACL with an IP set match rule statement and a block action to deny incoming requests from the IP address range.

The IP set match rule in WAF is designed specifically for blocking requests from a list of IP addresses. A rate-based rule is for throttling traffic by volume, not by source IP.

Answer: B. Share an encrypted snapshot, use a customer managed KMS key, and allow the Decrypt and CreateGrant actions for the target account in the key policy.

Shared encrypted snapshots require a customer managed KMS key. The key policy must grant the target account Decrypt and CreateGrant actions for re-encryption. The trap is using an AWS managed key, which cannot be shared across accounts with fine-grained permissions.

Answer: A. Use the DynamoDB Encryption Client for client-side encryption and to digitally sign the table items.

Client-side encryption with the DynamoDB Encryption Client provides end-to-end protection and digital signatures to detect data tampering. The trap is KMS, which only encrypts at rest and does not provide integrity checks.

Answer: D. Use the SecurityHeadersPolicy managed response headers policy.

The SecurityHeadersPolicy managed policy enforces security best practices like HSTS with minimal overhead. The trap is using Lambda@Edge, which works but adds unnecessary complexity for a standard requirement.

Answer: D. Generate a new access key for the IAM user. Update the inventory management system to utilize the new access key. Subsequently, deactivate the compromised access key.

Generating a new key and updating the app first avoids downtime. The trap is deleting the key immediately, which would break the application until the new key is configured.

Answer: D. Designate a delegated administrator for Amazon Inspector for the entire organization. Set up automatic scanning for all existing and new member accounts.

Amazon Inspector is the service for vulnerability scanning. A delegated administrator automatically enables scanning across all organization accounts.

Answer: D. Create a new customer-managed key in AWS KMS and import the new key material. Provide Amazon RDS permissions to use the key. Create a new RDS instance and choose the new key as the encryption key. Migrate the data into RDS.

You can only import key material into customer-managed KMS keys, not AWS-managed ones. This allows you to use an external HSM for RDS encryption.

Answer: E. The S3 bucket ACL and object ACLs will need to be checked to determine if public access is possible.

S3 bucket policies can be overridden by bucket or object ACLs, which must also be checked to ensure no public access is granted. The exam rule is to check all policy layers for public access, not just the bucket policy.

Answer: E. Create an IAM account for the new employee and add the account to the security team IAM group. Set a permissions boundary that grants access to manage Amazon DynamoDB, Amazon RDS, and Amazon CloudWatch. When the employee takes on new management responsibilities, add the additional services to the permissions boundary IAM policy.

Permissions boundaries allow a user to stay in the group while limiting their permissions. It's more efficient than creating separate groups for limited access.