AWS Certified Security – Specialty Practice Exam Questions and Answers – Part 2/2
Test your AWS Certified Security – Specialty knowledge with 12 exam-style questions, clean answer reveals, and concise explanations. Topics include: A security team has requested that all existing and new Amazon RDS databases are encrypted at rest using AWS Key Managem. Follow @CertPunch and visit certpunch.com for more certification practice videos and study content.
Chapters:
00:00 Intro
00:13 Question 1 of 12
02:06 Question 2 of 12
04:12 Question 3 of 12
05:36 Question 4 of 12
07:01 Question 5 of 12
08:30 Question 6 of 12
10:02 Question 7 of 12
12:01 Question 8 of 12
13:07 Question 9 of 12
14:43 Question 10 of 12
16:27 Question 11 of 12
17:52 Question 12 of 12
What you will practice
- A security team has requested that all existing and new Amazon RDS databases are encrypted at rest using AWS…
- A healthcare organization is using Amazon EC2 instances to host an application that stores sensitive patient…
- A new application requires an AWS KMS key for encrypting sensitive data. The security policy requires that se…
- A company has deployed an organization in AWS Organizations with several member accounts. The security team r…
- A fintech company has an application that relies on AWS Systems Manager Parameter Store for managing secure s…
- A company has four private subnets within a VPC. Two of the subnets are used for running database instances a…
Answers and explanations
Tap a question to expand the answer and the exam reasoning. Try to commit to your own pick first.
Q1. A security team has requested that all existing and new Amazon RDS databases are encrypted at rest using AWS Key Management Service (KMS) encryption keys. A security engineer must identify which RDS databases are currently unencrypted and…
Answer: A,B. Use AWS Config to detect any existing and new unencrypted databases. Configure an Amazon SNS notification to alert the security team. || Create a snapshot of unencrypted databases. Copy the unencrypted snapshots to create encrypted snapshots. Restore the databases from the encrypted snapshots.
AWS Config evaluates every existing DB instance and every one created later against the encryption requirement (the managed rule rds-storage-encrypted checks the StorageEncrypted attribute and can also require a specific KMS key), and a compliance-change notification to an SNS topic alerts the team. Encryption at rest cannot be switched on for an existing unencrypted DB instance, so the only route is to take a snapshot, copy it with a KMS key specified (the copy is where encryption is applied), restore a new instance from the encrypted copy, then repoint the application and retire the old instance.
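The detection half of that answer, as an added example that is not from the original page: the evaluation logic of an AWS Config custom rule for RDS storage encryption (the managed rule rds-storage-encrypted does the same job; this shows what it decides and why), followed by the snapshot, encrypted-copy, restore sequence as AWS CLI commands. The invoking event, resource IDs and KMS key ARN are constructed for the example, and the boto3 put_evaluations call is left as a comment so the code runs offline.

```python
import json

# Constructed sample event (not captured from AWS): the payload that AWS Config
# hands to a custom rule's Lambda function when an RDS instance's configuration
# changes. Field names follow the Config configuration-item schema; the IDs and
# the KMS key ARN are made up.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::RDS::DBInstance",
            "resourceId": "db-EXAMPLE1234567890",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configurationItemStatus": "OK",
            "configuration": {
                "dBInstanceIdentifier": "orders-db",
                "storageEncrypted": False,
                "kmsKeyId": None,
            },
        },
    }),
    "ruleParameters": json.dumps(
        {"kmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"}),
    "resultToken": "example-token",
}


def evaluate_compliance(item, required_key_arn=None):
    """Classify one configuration item. Returns (ComplianceType, Annotation)."""
    status = item.get("configurationItemStatus")
    if status in ("ResourceDeleted", "ResourceDeletedNotRecorded", "ResourceNotRecorded"):
        return "NOT_APPLICABLE", "resource deleted or not recorded"
    if item.get("resourceType") != "AWS::RDS::DBInstance":
        return "NOT_APPLICABLE", "not an RDS DB instance"
    cfg = item.get("configuration") or {}
    if not cfg.get("storageEncrypted"):
        return "NON_COMPLIANT", "storage is not encrypted at rest"
    if required_key_arn and cfg.get("kmsKeyId") != required_key_arn:
        return "NON_COMPLIANT", f"encrypted with {cfg.get('kmsKeyId')}, expected {required_key_arn}"
    return "COMPLIANT", "storage encrypted with the required KMS key"


def lambda_handler(event, context=None):
    """Entry point for the custom rule. Builds the evaluation Config expects."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    compliance, note = evaluate_compliance(item, params.get("kmsKeyId"))
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],  # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    # In the deployed function this is reported back with
    # boto3.client("config").put_evaluations(Evaluations=[evaluation],
    #                                        ResultToken=event["resultToken"]);
    # Config then raises the compliance-change notification that reaches SNS.
    return evaluation


def remediation_plan(db_identifier, kms_key_arn):
    """AWS CLI steps for an instance flagged NON_COMPLIANT: snapshot, copy the
    snapshot with a KMS key (that is where encryption is applied), restore."""
    plain_snapshot = f"{db_identifier}-plain"
    encrypted_snapshot = f"{db_identifier}-encrypted"
    return [
        f"aws rds create-db-snapshot --db-instance-identifier {db_identifier} "
        f"--db-snapshot-identifier {plain_snapshot}",
        f"aws rds copy-db-snapshot --source-db-snapshot-identifier {plain_snapshot} "
        f"--target-db-snapshot-identifier {encrypted_snapshot} --kms-key-id {kms_key_arn}",
        f"aws rds restore-db-instance-from-db-snapshot --db-instance-identifier {db_identifier}-enc "
        f"--db-snapshot-identifier {encrypted_snapshot}",
    ]


if __name__ == "__main__":
    result = lambda_handler(SAMPLE_EVENT)
    print(result["ComplianceResourceId"], result["ComplianceType"], "-", result["Annotation"])
    for step in remediation_plan("orders-db", json.loads(SAMPLE_EVENT["ruleParameters"])["kmsKeyId"]):
        print(step)
```

The restored instance gets a new identifier, so the application endpoint changes; plan the cut-over (or rename the instances) before deleting the unencrypted original.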
Q2. A healthcare organization is using Amazon EC2 instances to host an application that stores sensitive patient records. In compliance with healthcare regulations, the organization must restrict access to these records. A system engineer need…
Answer: E. Use AWS Systems Manager Session Manager to access the EC2 instances. Set up Amazon CloudWatch Logs for session logging. Choose the option to upload session logs and select the option to enforce encryption.
Session Manager gives shell access through the SSM Agent with no inbound ports, SSH keys or bastion hosts, and IAM controls who can start a session on which instances. In the session preferences you can stream session logs to CloudWatch Logs and select Enforce encryption, which requires the destination log group to be encrypted with a KMS key, giving an encrypted audit record of everything typed during access to the patient records.
Q3. A new application requires an AWS KMS key for encrypting sensitive data. The security policy requires that separate keys are used for different AWS services. How can the AWS KMS key be constrained to work with only Amazon S3?
Answer: B. Configure the key policy with a kms:ViaService condition key that limits use of the KMS key to the Amazon S3 service name.
kms:ViaService is a condition key whose value is the integrated service making the KMS request on the principal's behalf, in the form service.region.amazonaws.com (for S3 in us-east-1, s3.us-east-1.amazonaws.com). A StringEquals condition on that key in the key policy means the key can only be used through S3; requests arriving via any other service, and direct calls to the KMS API by that principal, do not match the statement, which is exactly the per-service separation the policy requires.
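The key policy that answer describes, as an added example not taken from the original page, together with a minimal evaluator that models the part of IAM evaluation kms:ViaService depends on. The account ID, region and role name are assumptions made for the example; the evaluator handles Allow statements, action wildcards and the StringEquals condition only (no Deny statements, identity policies or grants).

```python
import fnmatch

# Assumed values for this example (not from the original page).
ACCOUNT_ID = "111122223333"
REGION = "us-east-1"
APP_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/AppRole"
ROOT = f"arn:aws:iam::{ACCOUNT_ID}:root"


def s3_only_key_policy(account_id=ACCOUNT_ID, region=REGION, principal=APP_ROLE):
    """Key policy that lets `principal` use the key only through Amazon S3."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                # Keep the account able to administer the key; without such a
                # statement the key can become unmanageable.
                "Sid": "EnableKeyAdministration",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                # Cryptographic use is allowed only when S3 in this region makes
                # the KMS call on the principal's behalf.
                "Sid": "AllowUseOnlyViaS3",
                "Effect": "Allow",
                "Principal": {"AWS": principal},
                "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                           "kms:GenerateDataKey*", "kms:DescribeKey"],
                "Resource": "*",
                "Condition": {"StringEquals": {"kms:ViaService": f"s3.{region}.amazonaws.com"}},
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def key_policy_allows(policy, principal, action, via_service=None):
    """Minimal evaluator for the part of IAM that matters here: Allow
    statements in the key policy, action wildcards, and a StringEquals
    condition on kms:ViaService. `via_service` is the value of that request
    context key, or None for a direct call to the KMS API. A StringEquals
    condition on a key absent from the request context never matches.
    Not modelled: Deny statements, IAM identity policies, grants."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if principal not in _as_list(stmt["Principal"]["AWS"]):
            continue
        if not any(fnmatch.fnmatchcase(action, pattern) for pattern in _as_list(stmt["Action"])):
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {}).get("kms:ViaService")
        if wanted is not None and (via_service is None or via_service not in _as_list(wanted)):
            continue
        return True
    return False


if __name__ == "__main__":
    policy = s3_only_key_policy()
    checks = [
        ("S3 PutObject with SSE-KMS", APP_ROLE, "kms:GenerateDataKey", "s3.us-east-1.amazonaws.com"),
        ("EBS volume encryption", APP_ROLE, "kms:GenerateDataKey", "ec2.us-east-1.amazonaws.com"),
        ("S3 in another region", APP_ROLE, "kms:Decrypt", "s3.eu-west-1.amazonaws.com"),
        ("direct kms:Encrypt call", APP_ROLE, "kms:Encrypt", None),
        ("root rotating the key", ROOT, "kms:EnableKeyRotation", None),
    ]
    for label, who, action, via in checks:
        print(f"{label:28s} -> {'allowed' if key_policy_allows(policy, who, action, via) else 'denied'}")
```

Two caveats the checks make visible: the service name carries a region, so a bucket in another region needs its own value (or a StringLike with a wildcard), and the principal's direct calls to KMS are refused too, which is usually what you want for a service-bound key but surprises application teams that test with the CLI.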
Q4. A company has deployed an organization in AWS Organizations with several member accounts. The security team requires that there is at least one AWS CloudTrail trail configured for all existing accounts and any accounts that are created in t…
Answer: A. Create an organization trail in the management account and specify a central S3 bucket.
An organization trail, created from the management account (or a delegated administrator account), logs events for every current member account and for any account added later, delivering everything to one central S3 bucket. Member accounts can see the trail but cannot modify or delete it, which satisfies the requirement without any per-account setup.
Q5. A fintech company has an application that relies on AWS Systems Manager Parameter Store for managing secure string parameters. This is done using the standard tier and an AWS Key Management Service (AWS KMS) customer managed key for encrypti…
Answer: B,D. The state of the customer managed key specified within the application is set to 'Disabled'. || The application lacks the kms:Encrypt permission for the customer managed key.
Parameter Store calls KMS on the caller's behalf, so the application's identity needs kms:Encrypt on the key to create or update a SecureString parameter (and kms:Decrypt to read it with decryption); standard-tier parameters are encrypted directly with the key, advanced-tier ones use GenerateDataKey for envelope encryption. A key in the Disabled state rejects every cryptographic operation, so either a disabled key or a missing kms:Encrypt permission makes the PutParameter call fail.
Q6. A company has four private subnets within a VPC. Two of the subnets are used for running database instances and the other two are used for application instances. Separate route tables are used for the database and application subnets. A NA…
Answer: E. Modify the route table of the database subnets to remove the default route to the NAT gateway.
The fix is to delete the 0.0.0.0/0 route that targets the NAT gateway from the route table associated with the database subnets. The local route for the VPC CIDR remains, so the application subnets still reach the databases, and the application subnets keep their own route table and their NAT access. Modifying the NAT gateway itself would affect every subnet that routes through it, and network ACL rules are stateless blanket filters that would also have to account for return traffic and in-VPC flows, so neither is the right tool.
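To make the routing argument concrete, here is an added example (not from the original page) that models the database subnets' route table, performs the longest-prefix lookup the VPC router does, and removes the default NAT route. Before the change an internet address resolves to the NAT gateway; afterwards it has no route, while an application-tier address still resolves to the local route. Route table, VPC and NAT gateway IDs and the CIDRs are constructed for the example.

```python
import ipaddress

# Constructed route table for the database subnets, in the shape returned by
# `aws ec2 describe-route-tables` (IDs and CIDRs are made up for this example).
DB_ROUTE_TABLE = {
    "RouteTableId": "rtb-0db0000000000000a",
    "VpcId": "vpc-0000000000000000a",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0aaa000000000000a", "State": "active"},
    ],
}

TARGET_KEYS = ("GatewayId", "NatGatewayId", "TransitGatewayId",
               "VpcPeeringConnectionId", "NetworkInterfaceId", "InstanceId")


def _target(route):
    """The route's target, whichever attribute carries it."""
    return next((route[k] for k in TARGET_KEYS if k in route), None)


def lookup_route(route_table, dst_ip):
    """Longest-prefix match over the IPv4 routes, as the VPC router does.
    Returns the target ('local', 'nat-...', ...) or None when no route matches."""
    ip = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for route in route_table["Routes"]:
        if route.get("State") != "active" or "DestinationCidrBlock" not in route:
            continue  # blackholed routes and IPv6 routes are out of scope here
        net = ipaddress.ip_network(route["DestinationCidrBlock"])
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, _target(route)
    return best_target


def default_nat_routes(route_table):
    """The finding: a 0.0.0.0/0 route whose target is a NAT gateway."""
    return [r for r in route_table["Routes"]
            if r.get("DestinationCidrBlock") == "0.0.0.0/0" and "NatGatewayId" in r]


def remove_default_nat_route(route_table):
    """Return (hardened copy of the table, CLI command that applies the change).
    Only the default route is removed; the VPC's local route is untouched."""
    offending = default_nat_routes(route_table)
    kept = [r for r in route_table["Routes"] if r not in offending]
    command = (f"aws ec2 delete-route --route-table-id {route_table['RouteTableId']} "
               f"--destination-cidr-block 0.0.0.0/0")
    return {**route_table, "Routes": kept}, command


if __name__ == "__main__":
    internet, app_tier = "93.184.216.34", "10.0.1.25"
    print("before:", internet, "->", lookup_route(DB_ROUTE_TABLE, internet),
          "|", app_tier, "->", lookup_route(DB_ROUTE_TABLE, app_tier))
    hardened, command = remove_default_nat_route(DB_ROUTE_TABLE)
    print("after: ", internet, "->", lookup_route(hardened, internet),
          "|", app_tier, "->", lookup_route(hardened, app_tier))
    print(command)
```

Run the same lookup against every route table in the VPC after the change to confirm that only the database tables lost their default route; a shared route table between the two tiers would make this change cut off the application subnets as well.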
Q7. A security engineer is attempting to setup automatic notifications that alert administrators about any changes that are made to an Amazon S3 bucket. The engineer has configured AWS Config and created an SNS topic. Changes have been made to…
Answer: B,D,E. Configure the trust policy on the IAM role AWS Config uses to allow "config.amazonaws.com" to assume the role. || Configure the role policy on the IAM role AWS Config uses to allow write access to the Amazon S3 bucket. || Configure the access policy for the Amazon SNS topic to allow "sns:publish" access to "config.amazonaws.com".
Config uses the IAM role to deliver configuration history and snapshot files, so the role's trust policy must allow the service principal config.amazonaws.com to call sts:AssumeRole, and its permissions policy must allow s3:PutObject on the bucket's objects (plus s3:GetBucketAcl on the bucket). Config publishes change notifications as config.amazonaws.com, so the SNS topic's access policy must grant that principal sns:Publish on the topic; there is no sns:write action, which is what makes that option a distractor.
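An added example, not from the original page, that turns the three fixes into a check: given the role's trust policy, its permissions policy and the SNS topic policy, it lists what still prevents Config from delivering to S3 and publishing to SNS. The "as found" policies are constructed to reproduce the broken state in the question (trust for the wrong service, no s3:PutObject, sns:Subscribe instead of sns:Publish); bucket name, topic ARN and account ID are assumptions. Policy conditions are not evaluated.

```python
import fnmatch

CONFIG_PRINCIPAL = "config.amazonaws.com"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allows(stmt, action, resource="*", service_principal=None):
    """True if one Allow statement grants `action` on `resource`, optionally
    requiring `service_principal` to be among the statement's principals.
    Condition blocks are ignored by this checker."""
    if stmt.get("Effect") != "Allow":
        return False
    if service_principal is not None:
        principal = stmt.get("Principal", {})
        services = ["*"] if principal == "*" else _as_list(principal.get("Service", []))
        if service_principal not in services and "*" not in services:
            return False
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", []))):
        return False
    return any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*")))


def config_delivery_gaps(trust_policy, role_policy, topic_policy, bucket, topic_arn):
    """List what still blocks AWS Config from writing to S3 and notifying SNS.
    An empty list means the three policies line up with the answer above."""
    gaps = []
    if not any(_allows(s, "sts:AssumeRole", service_principal=CONFIG_PRINCIPAL)
               for s in trust_policy["Statement"]):
        gaps.append(f"role trust policy does not let {CONFIG_PRINCIPAL} assume the role")
    objects = f"arn:aws:s3:::{bucket}/*"
    if not any(_allows(s, "s3:PutObject", objects) for s in role_policy["Statement"]):
        gaps.append(f"role policy does not allow s3:PutObject on {objects}")
    if not any(_allows(s, "sns:Publish", topic_arn, service_principal=CONFIG_PRINCIPAL)
               for s in topic_policy["Statement"]):
        gaps.append(f"topic policy does not allow {CONFIG_PRINCIPAL} to sns:Publish to {topic_arn}")
    return gaps


# Constructed policies (not from the page): the "as found" set and the fix.
BUCKET, TOPIC_ARN = "example-config-logs", "arn:aws:sns:us-east-1:111122223333:config-changes"

BROKEN = {
    "trust": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]},
    "role": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{BUCKET}"}]},
    "topic": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": CONFIG_PRINCIPAL}, "Action": "sns:Subscribe",
         "Resource": TOPIC_ARN}]},
}

FIXED = {
    "trust": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": CONFIG_PRINCIPAL}, "Action": "sts:AssumeRole"}]},
    "role": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Effect": "Allow", "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}]},
    "topic": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": CONFIG_PRINCIPAL}, "Action": "sns:Publish",
         "Resource": TOPIC_ARN}]},
}


def check(setup):
    return config_delivery_gaps(setup["trust"], setup["role"], setup["topic"], BUCKET, TOPIC_ARN)


if __name__ == "__main__":
    for name, setup in (("as found", BROKEN), ("fixed", FIXED)):
        gaps = check(setup)
        print(f"{name}: {'OK' if not gaps else ''}")
        for gap in gaps:
            print("  -", gap)
```

The bucket itself also needs a bucket policy that lets config.amazonaws.com write when the bucket is in another account; that resource-side check is outside what the question asks and is not modelled here.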
Q8. A company is extending a secure development environment from an on-premises data center into AWS. They have secured the VPC by removing the Internet Gateway and configuring security groups and network ACLs. An AWS Direct Connect connection…
Answer: C. Setup a Virtual Private Gateway (VGW).
AWS Direct Connect is a dedicated private circuit, but it does not encrypt traffic. To add encryption, attach a Virtual Private Gateway to the VPC and run an AWS Site-to-Site VPN (IPsec) to it across the Direct Connect connection, which reaches the VPN endpoints through a public virtual interface; the VGW terminates the tunnel on the AWS side.
Q9. A company manages all access to Amazon S3 buckets using identity-based policies. A security engineer needs to receive an alert if any user adds a bucket policy to any Amazon S3 bucket. Which approach meets the requirements MOST efficiently?
Answer: B. Create an Amazon EventBridge rule that uses the "AWS API Call via CloudTrail" event source and the "s3:PutBucketPolicy" event pattern. Generate an alert using Amazon SNS.
CloudTrail records PutBucketPolicy as a management event with eventSource s3.amazonaws.com and eventName PutBucketPolicy (the s3: prefix belongs to the IAM action name, not to the event). EventBridge delivers it as an "AWS API Call via CloudTrail" event, provided a trail logging management events exists in the account, and a rule matching that event with an SNS target raises the alert shortly after the call with nothing to poll or schedule.
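The rule's event pattern and the matching it performs, as an added example that is not part of the original page. It goes a little beyond the question by also matching DeleteBucketPolicy (removing a bucket policy is a change too) and by showing the prefix content filter. The CloudTrail events are constructed, not captured; the account ID, bucket names and user names are assumptions.

```python
# EventBridge rule pattern for the bucket-policy change. The CloudTrail event
# name is PutBucketPolicy (the "s3:" prefix belongs to the IAM action, not the
# event); DeleteBucketPolicy is added because removing a policy is also a change.
BUCKET_POLICY_CHANGE_PATTERN = {
    "source": ["aws.s3"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["s3.amazonaws.com"],
        "eventName": ["PutBucketPolicy", "DeleteBucketPolicy"],
    },
}


def _leaf_matches(matcher, value):
    # Supports exact values and the {"prefix": "..."} content filter.
    if isinstance(matcher, dict) and "prefix" in matcher:
        return isinstance(value, str) and value.startswith(matcher["prefix"])
    return matcher == value


def event_matches(pattern, event):
    """EventBridge matching for the subset used here: every key in the pattern
    must be present in the event; a list of matchers matches if any one of
    them matches the event value (or any element, if the value is a list);
    nested objects recurse. Event fields the pattern does not mention are ignored."""
    for key, matchers in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(matchers, dict):
            if not isinstance(value, dict) or not event_matches(matchers, value):
                return False
            continue
        values = value if isinstance(value, list) else [value]
        if not any(_leaf_matches(m, v) for m in matchers for v in values):
            return False
    return True


def alert_text(event):
    """The line to publish to the SNS topic for a matched event."""
    d = event["detail"]
    who = d.get("userIdentity", {}).get("arn", "unknown principal")
    bucket = d.get("requestParameters", {}).get("bucketName", "unknown bucket")
    return f"{d['eventName']} on s3://{bucket} by {who} at {d['eventTime']} ({d.get('sourceIPAddress', '?')})"


def _cloudtrail_event(event_name, bucket, user="alice"):
    """Constructed CloudTrail-via-EventBridge event (not a real capture)."""
    return {
        "version": "0",
        "id": "00000000-0000-0000-0000-000000000000",
        "detail-type": "AWS API Call via CloudTrail",
        "source": "aws.s3",
        "account": "111122223333",
        "time": "2024-01-01T00:00:00Z",
        "region": "us-east-1",
        "resources": [],
        "detail": {
            "eventVersion": "1.08",
            "eventTime": "2024-01-01T00:00:00Z",
            "eventSource": "s3.amazonaws.com",
            "eventName": event_name,
            "awsRegion": "us-east-1",
            "sourceIPAddress": "203.0.113.10",
            "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::111122223333:user/{user}"},
            "requestParameters": {"bucketName": bucket},
        },
    }


SAMPLE_EVENTS = [
    _cloudtrail_event("PutBucketPolicy", "patient-records"),
    _cloudtrail_event("GetBucketPolicy", "patient-records"),
    _cloudtrail_event("DeleteBucketPolicy", "audit-logs", user="bob"),
]


def matched_alerts(events, pattern=BUCKET_POLICY_CHANGE_PATTERN):
    return [alert_text(e) for e in events if event_matches(pattern, e)]


if __name__ == "__main__":
    for line in matched_alerts(SAMPLE_EVENTS):
        print(line)
```

In the real rule the pattern is the JSON object above and the SNS topic is the target; an input transformer can build the same alert line from $.detail fields so the notification names the bucket and the principal instead of dumping the whole event.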
Q10. A company has thousands of employees that use a single Microsoft Active Directory on-premises identity provider. The company is deploying several dozen AWS accounts and needs to provide its employees with access to the AWS accounts. The so…
Answer: C. Create a landing zone using AWS Control Tower. Integrate AWS Single Sign-On (SSO, now IAM Identity Center) with the company's existing identity provider. Grant Active Directory users access to accounts and applications.
Control Tower builds the multi-account landing zone with guardrails, and AWS SSO (now IAM Identity Center) connects to the on-premises Active Directory (through AD Connector or a trust with AWS Managed Microsoft AD) and maps AD users and groups to permission sets in each account. Employees sign in once with their AD credentials, no per-account IAM users are created, and adding an account means assigning a group to it rather than repeating setup.
Q11. A static website runs on an Amazon EC2 instance. The security engineer has been asked to suggest improvements to mitigate the risk of DDoS attacks. Which of the following may assist with this goal? (Select TWO.)
Answer: B,E. Use the AWS Web Application Firewall (WAF) service to inspect and manage web requests. || Migrate the static content to an Amazon S3 bucket and create an Amazon CloudFront distribution.
AWS WAF attaches to CloudFront, an Application Load Balancer, API Gateway or AppSync (not directly to an EC2 instance), where its rules and rate-based limits drop abusive requests before they reach the origin. Moving the static content to S3 behind CloudFront removes the instance from the request path entirely, spreads traffic across edge locations and puts it behind AWS Shield Standard's automatic layer 3/4 protection at the edge; the WAF web ACL can then be associated with that same distribution.
Q12. A company is archiving sensitive data to Amazon S3 Glacier. A security engineer has created a new vault lock policy for 1 TB of data and called the initiate-vault-lock operation 8 hours ago. When reviewing the policy the security engineer…
Answer: D. Call the AbortVaultLock operation. Update the policy. Call the initiate-vault-lock operation again.
Vault Lock is a two-step process: initiate-vault-lock attaches the policy and returns a lock ID, leaving the lock InProgress for 24 hours, and complete-vault-lock with that ID makes the policy immutable. Eight hours in, the lock is still InProgress, so the engineer calls abort-vault-lock to remove the incorrect policy, then initiates again with the corrected policy and completes it within the new 24-hour window. Once completed, a vault lock policy cannot be changed.
More AWS Certified Security – Specialty drills and other practice exams are on @CertPunch. New rounds drop every few days at certpunch.com.