Free AWS Certified Security - Specialty Exam Braindumps (page: 27)

Page 27 of 63

A company is hosting multiple applications within a single VPC in its AWS account. The applications are running behind an Application Load Balancer that is associated with an AWS WAF web ACL. The company's security team has identified that multiple port scans are originating from a specific range of IP addresses on the internet.

A security engineer needs to deny access from the offending IP addresses.

Which solution will meet these requirements?

  A. Modify the AWS WAF web ACL with an IP set match rule statement to deny incoming requests from the IP address range.
  B. Add a rule to all security groups to deny the incoming requests from the IP address range.
  C. Modify the AWS WAF web ACL with a rate-based rule statement to deny the incoming requests from the IP address range.
  D. Configure the AWS WAF web ACL with regex match conditions. Specify a pattern set to deny the incoming requests based on the match condition.

Answer(s): A

Explanation:

The offending IP address range is already known and the requirement is simply to deny requests from it, so an IP set match rule statement in the AWS WAF web ACL is the right tool: it blocks matching source addresses at the ALB before the requests reach the application. Security groups only permit traffic and have no deny rules, a rate-based rule reacts to request volume rather than to a fixed source range, and regex match conditions inspect request content rather than the client IP address.



A company's application team needs to host a MySQL database on AWS. According to the company's security policy, all data that is stored on AWS must be encrypted at rest. In addition, all cryptographic material must be compliant with FIPS 140-2 Level 3 validation.

The application team needs a solution that satisfies the company's security requirements and minimizes operational overhead.

Which solution will meet these requirements?

  A. Host the database on Amazon RDS. Use Amazon Elastic Block Store (Amazon EBS) for encryption. Use an AWS Key Management Service (AWS KMS) custom key store that is backed by AWS CloudHSM for key management.
  B. Host the database on Amazon RDS. Use Amazon Elastic Block Store (Amazon EBS) for encryption. Use an AWS managed CMK in AWS Key Management Service (AWS KMS) for key management.
  C. Host the database on an Amazon EC2 instance. Use Amazon Elastic Block Store (Amazon EBS) for encryption. Use a customer managed CMK in AWS Key Management Service (AWS KMS) for key management.
  D. Host the database on an Amazon EC2 instance. Use Transparent Data Encryption (TDE) for encryption and key management.

Answer(s): B



A Network Load Balancer (NLB) target instance is not entering the InService state. A security engineer determines that health checks are failing.

Which factors could cause the health check failures? (Select THREE.)

  A. The target instance's security group does not allow traffic from the NLB.
  B. The target instance's security group is not attached to the NLB.
  C. The NLB's security group is not attached to the target instance.
  D. The target instance's subnet network ACL does not allow traffic from the NLB.
  E. The target instance's security group is not using IP addresses to allow traffic from the NLB.
  F. The target network ACL is not attached to the NLB.

Answer(s): A,C,D



A security engineer is working with a company to design an ecommerce application. The application will run on Amazon EC2 instances that run in an Auto Scaling group behind an Application Load Balancer (ALB). The application will use an Amazon RDS DB instance for its database.

The only required connectivity from the internet is for HTTP and HTTPS traffic to the application. The application must communicate with an external payment provider that allows traffic only from a preconfigured allow list of IP addresses. The company must ensure that communications with the external payment provider are not interrupted as the environment scales.

Which combination of actions should the security engineer recommend to meet these requirements? (Select THREE.)

  A. Deploy a NAT gateway in each private subnet for every Availability Zone that is in use.
  B. Place the DB instance in a public subnet.
  C. Place the DB instance in a private subnet.
  D. Configure the Auto Scaling group to place the EC2 instances in a public subnet.
  E. Configure the Auto Scaling group to place the EC2 instances in a private subnet.
  F. Deploy the ALB in a private subnet.

Answer(s): A,C,E






Post your comments and discuss the Amazon AWS Certified Security - Specialty exam with other community members:

P commented on September 16, 2023
OK, they're good.
Anonymous

Julianne commented on November 07, 2022
I have taken this exam before with no success. It is satisfying to see familiar questions from the real exam in your exam dump questions.
SINGAPORE

Pat commented on October 15, 2021
For everyone else thinking of taking this exam, this exam dump is an absolutely fantastic resource and one that is certainly going to help you pass the exam.
UNITED STATES

Mx commented on October 13, 2021
Excellent document.
UNITED STATES

Dreamer commented on August 10, 2021
Excellent questions and answers.
UNITED STATES