Free AWS Certified Security - Specialty Exam Braindumps

A corporation is preparing to acquire several companies. A Security Engineer must design a solution to ensure that newly acquired AWS accounts follow the corporation's security best practices. The solution should monitor each Amazon S3 bucket for unrestricted public write access and use AWS managed services.

What should the Security Engineer do to meet these requirements?

  1. Configure Amazon Macie to continuously check the configuration of all S3 buckets.
  2. Enable AWS Config to check the configuration of each S3 bucket.
  3. Set up AWS Systems Manager to monitor S3 bucket policies for public write access.
  4. Configure an Amazon EC2 instance to have an IAM role and a cron job that checks the status of all S3 buckets.

Answer(s): C

Explanation:

Option C is correct because it monitors each S3 bucket for unrestricted public write access using AWS managed services. S3 is a service that provides object storage in the cloud. Systems Manager is a service that helps you automate and manage your AWS resources. You can use Systems Manager to monitor S3 bucket policies for public write access by using a State Manager association that runs a predefined document called AWS-FindS3BucketWithPublicWriteAccess. This document checks each S3 bucket in an account and reports any bucket that has public write access enabled. The other options are either not suitable or not feasible for meeting the requirements.



A Security Engineer is troubleshooting an issue with a company's custom logging application. The application logs are written to an Amazon S3 bucket with event notifications enabled to send events to an Amazon SNS topic. All logs are encrypted at rest using an AWS KMS CMK. The SNS topic is subscribed to an encrypted Amazon SQS queue. The logging application polls the queue for new messages that contain metadata about the S3 object. The application then reads the content of the object from the S3 bucket for indexing.

The Logging team reported that the Amazon CloudWatch metrics for the number of messages sent or received are showing zero. No logs are being received.

What should the Security Engineer do to troubleshoot this issue?

  1. Add the following statement to the AWS managed CMKs:



  2. Add the following statement to the CMK key policy:



  3. Add the following statement to the CMK key policy:



  4. Add the following statement to the CMK key policy:

Answer(s): D



Developers in an organization have moved from a standard application deployment to containers. The Security Engineer is tasked with ensuring that the containers are secure.
Which strategies will reduce the attack surface and enhance the security of the containers? (Select TWO.)

  1. Use the containers to automate security deployments.
  2. Limit resource consumption (CPU, memory), networking connections, ports, and unnecessary container libraries.
  3. Segregate containers by host, function, and data classification.
  4. Use Docker Notary framework to sign task definitions.
  5. Enable container breakout at the host kernel.

Answer(s): A,C

Explanation:

Options A and C are correct because these are the strategies that reduce the attack surface and enhance the security of the containers. Containers are a method of packaging and running applications in isolated environments. Using containers to automate security deployments can help ensure that security patches and updates are applied consistently and quickly across the container fleet. Segregating containers by host, function, and data classification can help limit the impact of a compromise and enforce the principle of least privilege. The other options are either irrelevant or risky for securing containers.



An organization wants to log all AWS API calls made within all of its AWS accounts, and must have a central place to analyze these logs.
What steps should be taken to meet these requirements in the MOST secure manner? (Select TWO)

  1. Turn on AWS CloudTrail in each AWS account.
  2. Turn on CloudTrail in only the account that will be storing the logs.
  3. Update the bucket ACL of the bucket in the account that will be storing the logs so that other accounts can log to it.
  4. Create a service-based role for CloudTrail and associate it with CloudTrail in each account.
  5. Update the bucket policy of the bucket in the account that will be storing the logs so that other accounts can log to it.

Answer(s): A,E

Explanation:

Options A and E are correct because these are the steps that meet the requirements in the most secure manner. CloudTrail is a service that records AWS API calls and delivers log files to an S3 bucket. Turning on CloudTrail in each AWS account captures all API calls made within those accounts. Updating the bucket policy of the bucket in the account that will be storing the logs grants the other accounts permission to write their log files to that bucket. The other options are either unnecessary or insecure for logging and analyzing AWS API calls.






P commented on September 16, 2023
ok they re good
Anonymous
Julianne commented on November 07, 2022
I have taken this exam before with no success. It is satisfying to see familiar questions from real exam in your exam dumps questions.
SINGAPORE

Pat commented on October 15, 2021
For everyone else thinking of taking this exam, this exam dumps is an absolutely fantastic resource and one that is going to certainly help you pass the exam.
UNITED STATES

Mx commented on October 13, 2021
excellent document
UNITED STATES

Dreamer commented on August 10, 2021
Excellent questions and answers.
UNITED STATES