AWS Security Specialty Exam Questions
40 Questions
37 Views

Choose a study mode

Play Quiz
Study Flashcards
Spaced Repetition
Chat to lesson

Podcast

Play an AI-generated podcast conversation about this lesson

Questions and Answers

What approach should the Security team take to find out what a former employee may have done within AWS?

  • Use the AWS CloudTrail console to search for user activity. (correct)
  • Use the Amazon CloudWatch Logs console to filter CloudTrail data by user.
  • Use AWS Config to see what actions were taken by the user.
  • Use Amazon Athena to query CloudTrail logs stored in Amazon S3.
  • What is the MOST cost-effective way to correct an error in a newly implemented vault lock policy?

  • Copy the vault data to Amazon S3, delete the vault, and create a new vault with the data.
  • Update the policy and call initiate-vault-lock again to apply the new policy.
  • Update the policy, keeping the vault lock in place.
  • Call the abort-vault-lock operation, fix the typo, and call the initiate-vault-lock again. (correct)
  • What must a company create in its AWS account to map permissions for AWS services to Active Directory user attributes?

  • AWS IAM roles (correct)
  • AWS IAM groups
  • AWS IAM users
  • AWS IAM access keys
  • Which factor may prevent an auditor from accessing some AWS accounts despite the creation of cross-account IAM roles?

    <p>Incorrect trust relationship settings between IAM roles.</p> Signup and view all the answers

    Which AWS service allows monitoring API calls and user activity within a given account?

    <p>AWS CloudTrail</p> Signup and view all the answers

    What is the first step when executing a vault lock operation for a data vault?

    <p>Call the initiate-vault-lock operation.</p> Signup and view all the answers

    To view which actions have been taken by a user on AWS resources, which service provides this functionality?

    <p>AWS CloudTrail</p> Signup and view all the answers

    Which of the following actions is NOT part of correcting a vault lock policy error?

    <p>Creating a new vault with the correct policy.</p> Signup and view all the answers

    Which two options would effectively mitigate the threat described regarding Server X?

    <p>Configure Network ACLs on Server X to deny access to S3 endpoints.</p> Signup and view all the answers

    What is a requirement for the items stored in the 'Restricted' bucket?

    <p>They require two-factor authentication for decryption.</p> Signup and view all the answers

    Which key management feature must be enabled for the Customer Master Key (CMK) used for 'Restricted' documents?

    <p>Automatic rotation of keys annually.</p> Signup and view all the answers

    How should each object in S3 be encrypted according to the requirements?

    <p>Using a unique key for each object.</p> Signup and view all the answers

    What is NOT a recommended security measure for the sensitive documents stored in S3?

    <p>Removing all IAM roles for managing document access.</p> Signup and view all the answers

    What specific policy must be defined within the key policy for the 'Restricted' CMK?

    <p>An MFA policy that requires two-factor authentication.</p> Signup and view all the answers

    What solution would NOT provide individual encryption for each document in S3?

    <p>Using a single CMK to encrypt all objects.</p> Signup and view all the answers

    Which measure specifically enhances security for the documents classified as 'Restricted' in terms of access?

    <p>Implementing two-factor authentication for decryption.</p> Signup and view all the answers

    Which of the following is a valid step to troubleshoot a web server's connectivity issues?

    <p>Verify which Security Group is applied to the web server’s elastic network interface.</p> Signup and view all the answers

    What action creates automated security alerts for unauthorized AWS API requests?

    <p>Create an Amazon CloudWatch metric filter based on API call error codes.</p> Signup and view all the answers

    Which task should be performed to ensure CloudTrail is logging correctly to an S3 bucket?

    <p>Verify that the S3 bucket policy allows access for CloudTrail from production AWS accounts.</p> Signup and view all the answers

    Which option identifies a potential issue if CloudTrail is not logging data?

    <p>The S3 bucket's log file prefix is incorrectly set.</p> Signup and view all the answers

    What is essential to confirm for troubleshooting CloudTrail's logging issue?

    <p>Confirm that CloudTrail trails are active and healthy.</p> Signup and view all the answers

    How can unauthorized error codes from AWS API calls be monitored effectively?

    <p>Set an alarm based on an Amazon CloudWatch metric filter for API error codes.</p> Signup and view all the answers

    What would be necessary to troubleshoot the virtual appliance for networking issues?

    <p>Validate the routing table and ensure it points correctly.</p> Signup and view all the answers

    When troubleshooting API request issues, which of the following steps could be unnecessary?

    <p>Update the billing information on the AWS account.</p> Signup and view all the answers

    What is the best way for the Security team to suppress alerts about authorized security tests?

    <p>Install the Amazon Inspector agent on the EC2 instances that the Security team uses.</p> Signup and view all the answers

    What configuration ensures the most secure continuation of connectivity for a mission-critical application sharing information with AWS?

    <p>VPN Gateway over AWS Direct Connect.</p> Signup and view all the answers

    Which actions should be taken to troubleshoot IAM access issues for EC2 instances retrieving messages from SQS while maintaining least privilege?

    <p>Verify that the SQS resource policy does not explicitly deny access to the role used by the instances.</p> Signup and view all the answers

    Which of the following actions will NOT help in troubleshooting why EC2 instances cannot retrieve messages from SQS?

    <p>Assign the EC2 instance role a full administrator access.</p> Signup and view all the answers

    What could potentially cause EC2 instances to fail in retrieving messages from an SQS queue after IAM changes?

    <p>Modification of the IAM policies attached to the roles used by the EC2 instances.</p> Signup and view all the answers

    Which AWS service allows secure and private connectivity to AWS resources, especially for sensitive applications?

    <p>AWS Direct Connect.</p> Signup and view all the answers

    Which service or method is NOT suitable for sending logs from Docker applications on EC2 to a central location?

    <p>Sending logs directly through EC2 instance console output.</p> Signup and view all the answers

    Why is it important to verify that the SQS resource policy does not deny access to the role used by the EC2 instances?

    <p>Resource policies can override IAM roles.</p> Signup and view all the answers

    What is the primary method to restrict access to a CloudFront distribution from certain geographic regions?

    <p>Create a geographic restriction on the CloudFront distribution.</p> Signup and view all the answers

    What mitigation should be recommended to prevent a subnet from being exposed to the internet?

    <p>Mark the VPC as private and disable Elastic IP addresses.</p> Signup and view all the answers

    Which method is the simplest and most secure way to decrypt sensitive data stored at rest using AWS KMS?

    <p>Store the encrypted data key alongside the data and use the Decrypt API.</p> Signup and view all the answers

    What is a potential risk of using a public IP address for EC2 instances in a subnet?

    <p>It can lead to accidental exposure of the subnet to the internet.</p> Signup and view all the answers

    When using AWS KMS, how should sensitive data be handled in terms of encryption?

    <p>Retrieve the key from AWS KMS only when needed for decryption.</p> Signup and view all the answers

    Which AWS service can automatically detect the addition of an Internet Gateway to a VPC?

    <p>AWS Config.</p> Signup and view all the answers

    What role does an IP-based blacklist serve in enhancing application security?

    <p>It blocks requests from specific IP addresses to prevent attacks.</p> Signup and view all the answers

    What is the purpose of using a rate-based rule in AWS WAF?

    <p>To limit the number of incoming requests to prevent DDoS attacks.</p> Signup and view all the answers

    Study Notes

    AWS Security Specialty Exam Questions

    • Question 1: A Security team suspects a former employee accessed AWS resources using an access key. The best way to find out what the former employee did is to use the AWS CloudTrail console to search for user activity.
    • Question 2: A Security Engineer implemented a vault lock policy with a typo, allowing incorrect access. The most cost-effective way to correct this is to abort the vault lock, fix the typo, and then initiate the vault lock again.
    • Question 3: To integrate an existing Microsoft Active Directory with AWS resources, the company needs to create AWS IAM roles. These roles map permissions for AWS services to Active Directory user attributes.
    • Question 4: A third-party auditor is having trouble accessing some AWS accounts using cross-account IAM roles. Potential issues include:
      • Incorrect trust relationships between the auditor's role and the target account roles.
      • Insufficient permissions granted to the auditor's role in the target accounts..
      • Account lockout due to security violations or password resets.
    • Question 5: A threat involves a malicious actor uploading sensitive data from a server to an S3 bucket they control. To counter this, the following mitigation steps should be implemented:
      • Bypass the proxy server and use an S3 VPC endpoint with a policy that whitelists only certain S3 buckets in the legitimate account.
      • Configure Network ACLs on the server to deny access to S3 endpoints.
    • Question 10: A company wants to store sensitive documents in three S3 buckets with different classification levels ("Sensitive", "Confidential", "Restricted"), encrypting each object with a unique key, requiring two-factor authentication for decryption of "Restricted" data, and automatic key rotation annually.
      • The solution requires creating a Customer Master Key (CMK) for each data classification type, enabling annual rotation, and utilizing S3 SSE-KMS to encrypt objects.
      • For the "Restricted" CMK, define the MFA policy within the key policy.
    • Question 55: To generate automated security alerts for unauthorized AWS API requests, configure AWS CloudTrail to stream event data to Amazon Kinesis. Then, set up an AWS Lambda function on the stream to trigger alarms when the threshold of unauthorized requests is exceeded.
    • Question 56: Two production AWS accounts with CloudTrail configured to log to a central S3 bucket are not logging anything. To troubleshoot, the following steps should be taken:
      • Verify the S3 bucket policy allows access for CloudTrail from the production accounts.
      • Confirm that each CloudTrail configuration is active and healthy in the CloudTrail console.
      • Check the log file prefix setting to ensure it matches the S3 bucket name.
    • Question 66: To connect an on-premises application with AWS applications securely, considering unpredictable internet performance and the need to share confidential information, the ideal solution is a VPN Gateway over AWS Direct Connect.
      • This ensures secure and reliable connectivity over a dedicated connection, minimizing internet reliance and enhancing security.
    • Question 67: An application using EC2 instances to retrieve messages from an Amazon SQS queue is unable to retrieve messages after IAM changes. To troubleshoot, while maintaining least privilege:
      • Verify the SQS resource policy does not have explicit access denial for the role used by the instances.
      • Check if the role attached to the instances has policies allowing access to the queue.
    • Question 68: To restrict access to a web application from certain geographic regions, configure AWS CloudFront with a geographic restriction policy.
    • Question 94: To mitigate the risk of a subnet being accidentally or maliciously exposed to the internet, the best approach is to mark the VPC as private and disable Elastic IP addresses within the Amazon VPC configuration.
      • This ensures the subnet remains isolated and inaccessible from the public internet.
    • Question 95: An application needs to encrypt sensitive data locally using AWS KMS. The simplest yet secure approach is to store the encrypted data key alongside the encrypted data. When decryption is required, use the Decrypt API to retrieve the data key and decrypt the data.
    • Question 96: A security administrator is setting up a fleet of Amazon EC2 instances for a university.
      • Consider implementing AWS Inspector for automated vulnerability assessments and security checks on the instances.
      • Review Amazon GuardDuty to detect any unusual behavior or potential threats on the EC2 fleet.
      • Use AWS Config to monitor configuration changes and enforce security compliance rules.
      • Deploy Amazon CloudWatch for comprehensive logging and monitoring of EC2 instances, helping to identify and respond to security events.
      • Enable AWS CloudTrail to audit and track API calls made to the EC2 fleet.
      • Configure IAM roles to provide least privilege access to the EC2 instances.

    Studying That Suits You

    Use AI to generate personalized quizzes and flashcards to suit your learning preferences.

    Quiz Team

    Related Documents

    Description

    Test your knowledge with these AWS Security Specialty exam questions focused on IAM roles, CloudTrail, and vault lock policies. Each question challenges your understanding of AWS best practices and security measures. Prepare effectively for your certification!

    More Like This

    AWS Security and IAM
    40 questions

    AWS Security and IAM

    BlissfulHarpGuitar avatar
    BlissfulHarpGuitar
    Network ACLs vs Security Groups in AWS
    4 questions
    AWS CloudTrail Quiz
    18 questions

    AWS CloudTrail Quiz

    FastGrowingBaltimore5920 avatar
    FastGrowingBaltimore5920
    Use Quizgecko on...
    Browser
    Browser