Free AWS Certified Security - Specialty Exam Braindumps (page: 23)

Page 23 of 63

A company is running an application in the eu-west-1 Region. The application uses an AWS Key Management Service (AWS KMS) CMK to encrypt sensitive data. The company plans to deploy the application in the eu-north-1 Region.

A security engineer needs to implement a key management solution for the application deployment in the new Region. The security engineer must minimize changes to the application code.

Which change should the security engineer make to the AWS KMS configuration to meet these requirements?

  A. Update the key policies in eu-west-1. Point the application in eu-north-1 to use the same CMK as the application in eu-west-1.
  B. Allocate a new CMK to eu-north-1 to be used by the application that is deployed in that Region.
  C. Allocate a new CMK to eu-north-1. Create the same alias name for both keys. Configure the application deployment to use the key alias.
  D. Allocate a new CMK to eu-north-1. Create an alias for eu-north-1. Change the application code to point to the alias for eu-north-1.

Answer(s): C



A development team is using an AWS Key Management Service (AWS KMS) CMK to try to encrypt and decrypt a secure string parameter from AWS Systems Manager Parameter Store. However, the development team receives an error message on each attempt.

Which issues that are related to the CMK could be reasons for the error? (Select TWO.)

  A. The CMK that is used in the attempt does not exist.
  B. The CMK that is used in the attempt needs to be rotated.
  C. The CMK that is used in the attempt is using the CMK's key ID instead of the CMK ARN.
  D. The CMK that is used in the attempt is not enabled.
  E. The CMK that is used in the attempt is using an alias.

Answer(s): A,D



A company wants to ensure that its AWS resources can be launched only in the us-east-1 and us-west-2 Regions.

What is the MOST operationally efficient solution that will prevent developers from launching Amazon EC2 instances in other Regions?

  A. Enable Amazon GuardDuty in all Regions. Create alerts to detect unauthorized activity outside us-east-1 and us-west-2.
  B. Use an organization in AWS Organizations. Attach an SCP that allows all actions when the aws:RequestedRegion condition key is either us-east-1 or us-west-2. Delete the FullAWSAccess policy.
  C. Provision EC2 resources by using AWS CloudFormation templates through AWS CodePipeline. Allow only the values of us-east-1 and us-west-2 in the AWS CloudFormation template's parameters.
  D. Create an AWS Config rule to prevent unauthorized activity outside us-east-1 and us-west-2.

Answer(s): B
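As an added illustration of why the SCP in option B is the preventive control here (example code written for this page, not from AWS or from the exam), the Python below is a minimal model of how SCPs are evaluated against the aws:RequestedRegion condition key. It covers only the policy grammar these statements use (Effect, Action, StringEquals/StringNotEquals) and is not the real AWS authorization engine; the policy documents, action name and Region values are constructed for the example. It goes slightly beyond the option as worded by also modelling the deny-list form of the same Region restriction, so the two forms can be compared.

```python
"""Simplified model of SCP evaluation for a Region allow-list.

Constructed example: models only Effect, Action wildcards and the
StringEquals / StringNotEquals operators on aws:RequestedRegion.
It is not the AWS policy engine.
"""
import fnmatch

ALLOWED_REGIONS = ["us-east-1", "us-west-2"]

# Option B as an SCP: allow everything, but only when the request targets an
# approved Region. With FullAWSAccess detached, anything no statement allows is
# implicitly denied.
ALLOW_LIST_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "*",
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:RequestedRegion": ALLOWED_REGIONS}},
    }],
}

# The default SCP that AWS Organizations attaches to every OU and account.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Equivalent deny-list form: kept alongside FullAWSAccess, the explicit Deny
# overrides its Allow for any non-approved Region.
DENY_LIST_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGIONS}},
    }],
}


def _condition_matches(condition, context):
    """Every operator/key pair in the Condition block must hold."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            values = expected if isinstance(expected, list) else [expected]
            actual = context.get(key)
            if operator == "StringEquals":
                if actual not in values:
                    return False
            elif operator == "StringNotEquals":
                if actual in values:
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def _statement_applies(stmt, action, context):
    """A statement applies if its Action pattern matches and its Condition holds."""
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
        return False
    return _condition_matches(stmt.get("Condition"), context)


def evaluate_scps(scps, action, region):
    """Return 'Allow' or 'Deny' for the SCP layer only.

    SCP semantics: an explicit Deny in any attached policy wins; otherwise at
    least one Allow must match; otherwise the request is implicitly denied.
    An SCP never grants access by itself; the principal's IAM policies must
    also allow the action.
    """
    context = {"aws:RequestedRegion": region}
    allowed = False
    for scp in scps:
        for stmt in scp["Statement"]:
            if not _statement_applies(stmt, action, context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"


if __name__ == "__main__":
    for region in ("us-west-2", "eu-west-1"):
        print(region,
              "allow-list:", evaluate_scps([ALLOW_LIST_SCP], "ec2:RunInstances", region),
              "deny-list:", evaluate_scps([FULL_AWS_ACCESS, DENY_LIST_SCP], "ec2:RunInstances", region))
```

The model also shows why the option says to remove FullAWSAccess: if it stays attached next to the allow-list SCP, its unconditional Allow still matches in eu-west-1 and the restriction has no effect. Options A and D are detective only, and option C governs one deployment path while leaving the console and CLI open, which is why neither prevents a launch.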



A company is implementing a new application in a new AWS account. A VPC and subnets have been created for the application. The application VPC has been peered to an existing VPC in another account in the same AWS Region for database access. Amazon EC2 instances will regularly be created and terminated in the application VPC, but only some of them will need access to the databases in the peered VPC over TCP port 1521. A security engineer must ensure that only the EC2 instances that need access to the databases can access them through the network.

How can the security engineer implement this solution?

  A. Create a new security group in the database VPC and create an inbound rule that allows all traffic from the IP address range of the application VPC. Add a new network ACL rule on the database subnets. Configure the rule to allow TCP port 1521 from the IP address range of the application VPC. Attach the new security group to the database instances that the application instances need to access.
  B. Create a new security group in the application VPC with an inbound rule that allows the IP address range of the database VPC over TCP port 1521. Create a new security group in the database VPC with an inbound rule that allows the IP address range of the application VPC over TCP port 1521. Attach the new security groups to the database instances and the application instances that need database access.
  C. Create a new security group in the application VPC with no inbound rules. Create a new security group in the database VPC with an inbound rule that allows TCP port 1521 from the new application security group in the application VPC. Attach the application security group to the application instances that need database access, and attach the database security group to the database instances.
  D. Create a new security group in the application VPC with an inbound rule that allows the IP address range of the database VPC over TCP port 1521. Add a new network ACL rule on the database subnets. Configure the rule to allow all traffic from the IP address range of the application VPC. Attach the new security group to the application instances that need database access.

Answer(s): C






Post your comments and discuss the Amazon AWS Certified Security - Specialty exam with other community members:

P commented on September 16, 2023
OK, they're good.
Anonymous

Julianne commented on November 07, 2022
I have taken this exam before with no success. It is satisfying to see familiar questions from the real exam in your exam dump questions.
SINGAPORE

Pat commented on October 15, 2021
For everyone else thinking of taking this exam, this exam dump is an absolutely fantastic resource and one that is certainly going to help you pass the exam.
UNITED STATES

Mx commented on October 13, 2021
Excellent document.
UNITED STATES

Dreamer commented on August 10, 2021
Excellent questions and answers.
UNITED STATES