AWS Security Specialty Exam Questions
40 Questions

Questions and Answers

What approach should the Security team take to find out what a former employee may have done within AWS?

  • Use the AWS CloudTrail console to search for user activity. (correct)
  • Use the Amazon CloudWatch Logs console to filter CloudTrail data by user.
  • Use AWS Config to see what actions were taken by the user.
  • Use Amazon Athena to query CloudTrail logs stored in Amazon S3.

What is the MOST cost-effective way to correct an error in a newly implemented vault lock policy?

  • Copy the vault data to Amazon S3, delete the vault, and create a new vault with the data.
  • Update the policy and call initiate-vault-lock again to apply the new policy.
  • Update the policy, keeping the vault lock in place.
  • Call the abort-vault-lock operation, fix the typo, and call initiate-vault-lock again. (correct)

What must a company create in its AWS account to map permissions for AWS services to Active Directory user attributes?

  • AWS IAM roles (correct)
  • AWS IAM groups
  • AWS IAM users
  • AWS IAM access keys

Which factor may prevent an auditor from accessing some AWS accounts despite the creation of cross-account IAM roles?

  • Incorrect trust relationship settings between IAM roles. (correct)

Which AWS service allows monitoring API calls and user activity within a given account?

  • AWS CloudTrail (correct)

What is the first step when executing a vault lock operation for a data vault?

  • Call the initiate-vault-lock operation. (correct)

To view which actions have been taken by a user on AWS resources, which service provides this functionality?

  • AWS CloudTrail (correct)

Which of the following actions is NOT part of correcting a vault lock policy error?

  • Creating a new vault with the correct policy. (correct)

Which two options would effectively mitigate the threat described regarding Server X?

  • Configure Network ACLs on Server X to deny access to S3 endpoints. (correct)

What is a requirement for the items stored in the 'Restricted' bucket?

  • They require two-factor authentication for decryption. (correct)

Which key management feature must be enabled for the Customer Master Key (CMK) used for 'Restricted' documents?

  • Automatic rotation of keys annually. (correct)

How should each object in S3 be encrypted according to the requirements?

  • Using a unique key for each object. (correct)

What is NOT a recommended security measure for the sensitive documents stored in S3?

  • Removing all IAM roles for managing document access. (correct)

What specific policy must be defined within the key policy for the 'Restricted' CMK?

  • An MFA policy that requires two-factor authentication. (correct)

What solution would NOT provide individual encryption for each document in S3?

  • Using a single CMK to encrypt all objects. (correct)

Which measure specifically enhances security for the documents classified as 'Restricted' in terms of access?

  • Implementing two-factor authentication for decryption. (correct)

Which of the following is a valid step to troubleshoot a web server's connectivity issues?

  • Verify which Security Group is applied to the web server's elastic network interface. (correct)

What action creates automated security alerts for unauthorized AWS API requests?

  • Create an Amazon CloudWatch metric filter based on API call error codes. (correct)

Which task should be performed to ensure CloudTrail is logging correctly to an S3 bucket?

  • Verify that the S3 bucket policy allows access for CloudTrail from production AWS accounts. (correct)

Which option identifies a potential issue if CloudTrail is not logging data?

  • The S3 bucket's log file prefix is incorrectly set. (correct)

What is essential to confirm for troubleshooting CloudTrail's logging issue?

  • Confirm that CloudTrail trails are active and healthy. (correct)

How can unauthorized error codes from AWS API calls be monitored effectively?

  • Set an alarm based on an Amazon CloudWatch metric filter for API error codes. (correct)

What would be necessary to troubleshoot the virtual appliance for networking issues?

  • Validate the routing table and ensure it points correctly. (correct)

When troubleshooting API request issues, which of the following steps could be unnecessary?

  • Update the billing information on the AWS account. (correct)

What is the best way for the Security team to suppress alerts about authorized security tests?

  • Install the Amazon Inspector agent on the EC2 instances that the Security team uses. (correct)

What configuration ensures the most secure continuation of connectivity for a mission-critical application sharing information with AWS?

  • VPN Gateway over AWS Direct Connect. (correct)

Which actions should be taken to troubleshoot IAM access issues for EC2 instances retrieving messages from SQS while maintaining least privilege?

  • Verify that the SQS resource policy does not explicitly deny access to the role used by the instances. (correct)

Which of the following actions will NOT help in troubleshooting why EC2 instances cannot retrieve messages from SQS?

  • Assign the EC2 instance role full administrator access. (correct)

What could potentially cause EC2 instances to fail in retrieving messages from an SQS queue after IAM changes?

  • Modification of the IAM policies attached to the roles used by the EC2 instances. (correct)

Which AWS service allows secure and private connectivity to AWS resources, especially for sensitive applications?

  • AWS Direct Connect. (correct)

Which service or method is NOT suitable for sending logs from Docker applications on EC2 to a central location?

  • Sending logs directly through EC2 instance console output. (correct)

Why is it important to verify that the SQS resource policy does not deny access to the role used by the EC2 instances?

  • Resource policies can override IAM roles. (correct)

What is the primary method to restrict access to a CloudFront distribution from certain geographic regions?

  • Create a geographic restriction on the CloudFront distribution. (correct)

What mitigation should be recommended to prevent a subnet from being exposed to the internet?

  • Mark the VPC as private and disable Elastic IP addresses. (correct)

Which method is the simplest and most secure way to decrypt sensitive data stored at rest using AWS KMS?

  • Store the encrypted data key alongside the data and use the Decrypt API. (correct)

What is a potential risk of using a public IP address for EC2 instances in a subnet?

  • It can lead to accidental exposure of the subnet to the internet. (correct)

When using AWS KMS, how should sensitive data be handled in terms of encryption?

  • Retrieve the key from AWS KMS only when needed for decryption. (correct)

Which AWS service can automatically detect the addition of an Internet Gateway to a VPC?

  • AWS Config. (correct)

What role does an IP-based blacklist serve in enhancing application security?

  • It blocks requests from specific IP addresses to prevent attacks. (correct)

What is the purpose of using a rate-based rule in AWS WAF?

  • To limit the number of incoming requests to prevent DDoS attacks. (correct)

Study Notes

AWS Security Specialty Exam Questions

• Question 1: A Security team suspects a former employee accessed AWS resources using an access key. The best way to find out what the former employee did is to use the AWS CloudTrail console to search for user activity.
• Question 2: A Security Engineer implemented a vault lock policy with a typo, allowing incorrect access. The most cost-effective way to correct this is to abort the vault lock, fix the typo, and then initiate the vault lock again.
• Question 3: To integrate an existing Microsoft Active Directory with AWS resources, the company needs to create AWS IAM roles. These roles map permissions for AWS services to Active Directory user attributes.
• Question 4: A third-party auditor is having trouble accessing some AWS accounts using cross-account IAM roles. Potential issues include:
  • Incorrect trust relationships between the auditor's role and the target account roles.
  • Insufficient permissions granted to the auditor's role in the target accounts.
  • Account lockout due to security violations or password resets.
• Question 5: A threat involves a malicious actor uploading sensitive data from a server to an S3 bucket they control. To counter this, the following mitigation steps should be implemented:
  • Bypass the proxy server and use an S3 VPC endpoint with a policy that whitelists only certain S3 buckets in the legitimate account.
  • Configure Network ACLs on the server to deny access to S3 endpoints.
• Question 10: A company wants to store sensitive documents in three S3 buckets with different classification levels ("Sensitive", "Confidential", "Restricted"), encrypting each object with a unique key, requiring two-factor authentication for decryption of "Restricted" data, and automatic key rotation annually.
  • The solution requires creating a Customer Master Key (CMK) for each data classification type, enabling annual rotation, and using S3 SSE-KMS to encrypt objects.
  • For the "Restricted" CMK, define the MFA policy within the key policy.
• Question 55: To generate automated security alerts for unauthorized AWS API requests, configure AWS CloudTrail to stream event data to Amazon Kinesis. Then, set up an AWS Lambda function on the stream to trigger alarms when the threshold of unauthorized requests is exceeded.
• Question 56: Two production AWS accounts with CloudTrail configured to log to a central S3 bucket are not logging anything. To troubleshoot, the following steps should be taken:
  • Verify the S3 bucket policy allows access for CloudTrail from the production accounts.
  • Confirm that each CloudTrail configuration is active and healthy in the CloudTrail console.
  • Check the log file prefix setting to ensure it matches the S3 bucket name.
• Question 66: To connect an on-premises application with AWS applications securely, considering unpredictable internet performance and the need to share confidential information, the ideal solution is a VPN Gateway over AWS Direct Connect.
  • This ensures secure and reliable connectivity over a dedicated connection, minimizing internet reliance and enhancing security.
• Question 67: An application using EC2 instances to retrieve messages from an Amazon SQS queue is unable to retrieve messages after IAM changes. To troubleshoot, while maintaining least privilege:
  • Verify the SQS resource policy does not have an explicit access denial for the role used by the instances.
  • Check whether the role attached to the instances has policies allowing access to the queue.
• Question 68: To restrict access to a web application from certain geographic regions, configure AWS CloudFront with a geographic restriction policy.
• Question 94: To mitigate the risk of a subnet being accidentally or maliciously exposed to the internet, the best approach is to mark the VPC as private and disable Elastic IP addresses within the Amazon VPC configuration.
  • This ensures the subnet remains isolated and inaccessible from the public internet.
• Question 95: An application needs to encrypt sensitive data locally using AWS KMS. The simplest yet secure approach is to store the encrypted data key alongside the encrypted data. When decryption is required, use the Decrypt API to retrieve the data key and decrypt the data.
• Question 96: A security administrator is setting up a fleet of Amazon EC2 instances for a university.
  • Consider implementing Amazon Inspector for automated vulnerability assessments and security checks on the instances.
  • Review Amazon GuardDuty to detect any unusual behavior or potential threats on the EC2 fleet.
  • Use AWS Config to monitor configuration changes and enforce security compliance rules.
  • Deploy Amazon CloudWatch for comprehensive logging and monitoring of EC2 instances, helping to identify and respond to security events.
  • Enable AWS CloudTrail to audit and track API calls made to the EC2 fleet.
  • Configure IAM roles to provide least-privilege access to the EC2 instances.

Description

Test your knowledge with these AWS Security Specialty exam questions focused on IAM roles, CloudTrail, and vault lock policies. Each question challenges your understanding of AWS best practices and security measures. Prepare effectively for your certification!