Questions and Answers
What approach should the Security team take to find out what a former employee may have done within AWS?
- Use the AWS CloudTrail console to search for user activity. (correct)
- Use the Amazon CloudWatch Logs console to filter CloudTrail data by user.
- Use AWS Config to see what actions were taken by the user.
- Use Amazon Athena to query CloudTrail logs stored in Amazon S3.
What is the MOST cost-effective way to correct an error in a newly implemented vault lock policy?
- Copy the vault data to Amazon S3, delete the vault, and create a new vault with the data.
- Update the policy and call initiate-vault-lock again to apply the new policy.
- Update the policy, keeping the vault lock in place.
- Call the abort-vault-lock operation, fix the typo, and call the initiate-vault-lock again. (correct)
What must a company create in its AWS account to map permissions for AWS services to Active Directory user attributes?
- AWS IAM roles (correct)
- AWS IAM groups
- AWS IAM users
- AWS IAM access keys
Which factor may prevent an auditor from accessing some AWS accounts despite the creation of cross-account IAM roles?
Which AWS service allows monitoring API calls and user activity within a given account?
What is the first step when executing a vault lock operation for a data vault?
To view which actions have been taken by a user on AWS resources, which service provides this functionality?
Which of the following actions is NOT part of correcting a vault lock policy error?
Which two options would effectively mitigate the threat described regarding Server X?
What is a requirement for the items stored in the 'Restricted' bucket?
Which key management feature must be enabled for the Customer Master Key (CMK) used for 'Restricted' documents?
How should each object in S3 be encrypted according to the requirements?
What is NOT a recommended security measure for the sensitive documents stored in S3?
What specific policy must be defined within the key policy for the 'Restricted' CMK?
What solution would NOT provide individual encryption for each document in S3?
Which measure specifically enhances security for the documents classified as 'Restricted' in terms of access?
Which of the following is a valid step to troubleshoot a web server's connectivity issues?
What action creates automated security alerts for unauthorized AWS API requests?
Which task should be performed to ensure CloudTrail is logging correctly to an S3 bucket?
Which option identifies a potential issue if CloudTrail is not logging data?
What is essential to confirm for troubleshooting CloudTrail's logging issue?
How can unauthorized error codes from AWS API calls be monitored effectively?
What would be necessary to troubleshoot the virtual appliance for networking issues?
When troubleshooting API request issues, which of the following steps could be unnecessary?
What is the best way for the Security team to suppress alerts about authorized security tests?
What configuration ensures the most secure continuation of connectivity for a mission-critical application sharing information with AWS?
Which actions should be taken to troubleshoot IAM access issues for EC2 instances retrieving messages from SQS while maintaining least privilege?
Which of the following actions will NOT help in troubleshooting why EC2 instances cannot retrieve messages from SQS?
What could potentially cause EC2 instances to fail in retrieving messages from an SQS queue after IAM changes?
Which AWS service allows secure and private connectivity to AWS resources, especially for sensitive applications?
Which service or method is NOT suitable for sending logs from Docker applications on EC2 to a central location?
Why is it important to verify that the SQS resource policy does not deny access to the role used by the EC2 instances?
What is the primary method to restrict access to a CloudFront distribution from certain geographic regions?
What mitigation should be recommended to prevent a subnet from being exposed to the internet?
Which method is the simplest and most secure way to decrypt sensitive data stored at rest using AWS KMS?
What is a potential risk of using a public IP address for EC2 instances in a subnet?
When using AWS KMS, how should sensitive data be handled in terms of encryption?
Which AWS service can automatically detect the addition of an Internet Gateway to a VPC?
What role does an IP-based blacklist serve in enhancing application security?
What is the purpose of using a rate-based rule in AWS WAF?
Study Notes
AWS Security Specialty Exam Questions
- Question 1: A Security team suspects a former employee accessed AWS resources using an access key. The best way to find out what the former employee did is to use the AWS CloudTrail console to search for user activity.
- Question 2: A Security Engineer implemented a vault lock policy with a typo, allowing incorrect access. The most cost-effective way to correct this is to abort the vault lock, fix the typo, and then initiate the vault lock again.
- Question 3: To integrate an existing Microsoft Active Directory with AWS resources, the company needs to create AWS IAM roles. These roles map permissions for AWS services to Active Directory user attributes.
- Question 4: A third-party auditor is having trouble accessing some AWS accounts using cross-account IAM roles. Potential issues include:
  - Incorrect trust relationships between the auditor's role and the target account roles.
  - Insufficient permissions granted to the auditor's role in the target accounts.
  - Account lockout due to security violations or password resets.
- Question 5: A threat involves a malicious actor uploading sensitive data from a server to an S3 bucket they control. To counter this, the following mitigation steps should be implemented:
  - Bypass the proxy server and use an S3 VPC endpoint with a policy that whitelists only certain S3 buckets in the legitimate account.
  - Configure Network ACLs on the server to deny access to S3 endpoints.
- Question 10: A company wants to store sensitive documents in three S3 buckets with different classification levels ("Sensitive", "Confidential", "Restricted"), encrypting each object with a unique key, requiring two-factor authentication for decryption of "Restricted" data, and automatic key rotation annually.
  - The solution requires creating a Customer Master Key (CMK) for each data classification type, enabling annual rotation, and utilizing S3 SSE-KMS to encrypt objects.
  - For the "Restricted" CMK, define the MFA policy within the key policy.
- Question 55: To generate automated security alerts for unauthorized AWS API requests, configure AWS CloudTrail to stream event data to Amazon Kinesis. Then, set up an AWS Lambda function on the stream to trigger alarms when the threshold of unauthorized requests is exceeded.
- Question 56: Two production AWS accounts with CloudTrail configured to log to a central S3 bucket are not logging anything. To troubleshoot, the following steps should be taken:
  - Verify the S3 bucket policy allows access for CloudTrail from the production accounts.
  - Confirm that each CloudTrail configuration is active and healthy in the CloudTrail console.
  - Check the log file prefix setting to ensure it matches the S3 bucket name.
- Question 66: To connect an on-premises application with AWS applications securely, considering unpredictable internet performance and the need to share confidential information, the ideal solution is a VPN Gateway over AWS Direct Connect.
  - This ensures secure and reliable connectivity over a dedicated connection, minimizing internet reliance and enhancing security.
- Question 67: An application using EC2 instances to retrieve messages from an Amazon SQS queue is unable to retrieve messages after IAM changes. To troubleshoot, while maintaining least privilege:
  - Verify the SQS resource policy does not have explicit access denial for the role used by the instances.
  - Check if the role attached to the instances has policies allowing access to the queue.
- Question 68: To restrict access to a web application from certain geographic regions, configure AWS CloudFront with a geographic restriction policy.
- Question 94: To mitigate the risk of a subnet being accidentally or maliciously exposed to the internet, the best approach is to mark the VPC as private and disable Elastic IP addresses within the Amazon VPC configuration.
  - This ensures the subnet remains isolated and inaccessible from the public internet.
- Question 95: An application needs to encrypt sensitive data locally using AWS KMS. The simplest yet secure approach is to store the encrypted data key alongside the encrypted data. When decryption is required, use the Decrypt API to retrieve the data key and decrypt the data.
- Question 96: A security administrator is setting up a fleet of Amazon EC2 instances for a university.
  - Consider implementing AWS Inspector for automated vulnerability assessments and security checks on the instances.
  - Review Amazon GuardDuty to detect any unusual behavior or potential threats on the EC2 fleet.
  - Use AWS Config to monitor configuration changes and enforce security compliance rules.
  - Deploy Amazon CloudWatch for comprehensive logging and monitoring of EC2 instances, helping to identify and respond to security events.
  - Enable AWS CloudTrail to audit and track API calls made to the EC2 fleet.
  - Configure IAM roles to provide least privilege access to the EC2 instances.
Description
Test your knowledge with these AWS Security Specialty exam questions focused on IAM roles, CloudTrail, and vault lock policies. Each question challenges your understanding of AWS best practices and security measures. Prepare effectively for your certification!