Free AWS Certified Security - Specialty Exam Braindumps (page: 30)

Page 30 of 63

A development team is attempting to encrypt and decrypt a SecureString parameter in AWS Systems Manager Parameter Store using an AWS Key Management Service (AWS KMS) CMK. However, each attempt results in an error message being returned to the development team.

Which CMK-related problems possibly account for the error? (Select two.)

  A. The CMK used in the attempt does not exist.
  B. The CMK used in the attempt needs to be rotated.
  C. The CMK used in the attempt is referenced by the CMK's key ID instead of the CMK ARN.
  D. The CMK used in the attempt is not enabled.
  E. The CMK used in the attempt is referenced by an alias.

Answer(s): A,D

Explanation:

https://docs.aws.amazon.com/kms/latest/developerguide/services-parameter-store.html#parameter-store-cmk-fail



A business stores website images in an Amazon S3 bucket. The business serves the images to end users through Amazon CloudFront. The business recently learned that the images are being accessed from countries in which it does not have a distribution license.

Which steps should the business take to protect the images and restrict their distribution? (Select two.)

  A. Update the S3 bucket policy to restrict access to a CloudFront origin access identity (OAI).
  B. Update the website DNS record to use an Amazon Route 53 geolocation record deny list of countries where the company lacks a license.
  C. Add a CloudFront geo restriction deny list of countries where the company lacks a license.
  D. Update the S3 bucket policy with a deny list of countries where the company lacks a license.
  E. Enable the Restrict Viewer Access option in CloudFront to create a deny list of countries where the company lacks a license.

Answer(s): A,C

Explanation:

For Enable Geo-Restriction, choose Yes. For Restriction Type, choose Whitelist to allow access to certain countries, or choose Blacklist to block access from certain countries. https://aws.amazon.com/premiumsupport/knowledge-center/cloudfront-geo-restriction/



A company has multiple departments. Each department has its own AWS account. All of these accounts belong to the same organization in AWS Organizations.

A large .csv file is stored in an Amazon S3 bucket in the sales department's AWS account. The company wants to allow users from the other accounts to access the .csv file's content through the combination of AWS Glue and Amazon Athena. However, the company does not want to allow users from the other accounts to access other files in the same folder.

Which solution will meet these requirements?

  A. Apply a user policy in the other accounts to allow AWS Glue and Athena to access the .csv file.
  B. Use S3 Select to restrict access to the .csv file. In the AWS Glue Data Catalog, use S3 Select as the source of the AWS Glue database.
  C. Define an AWS Glue Data Catalog resource policy in AWS Glue to grant cross-account S3 object access to the .csv file.
  D. Grant AWS Glue access to Amazon S3 in a resource-based policy that specifies the organization as the principal.

Answer(s): A



A company is attempting to conduct forensic analysis on an Amazon EC2 instance, but the company is unable to connect to the instance by using AWS Systems Manager Session Manager. The company has installed AWS Systems Manager Agent (SSM Agent) on the EC2 instance.

The EC2 instance is in a subnet in a VPC that does not have an internet gateway attached. The company has associated a security group with the EC2 instance. The security group does not have inbound or outbound rules. The subnet's network ACL allows all inbound and outbound traffic.

Which combination of actions will allow the company to conduct forensic analysis on the EC2 instance without compromising forensic data? (Select THREE.)

  A. Update the EC2 instance security group to add a rule that allows outbound traffic on port 443 for 0.0.0.0/0.
  B. Update the EC2 instance security group to add a rule that allows inbound traffic on port 443 to the VPC's CIDR range.
  C. Create an EC2 key pair. Associate the key pair with the EC2 instance.
  D. Create a VPC interface endpoint for Systems Manager in the VPC where the EC2 instance is located.
  E. Attach a security group to the VPC interface endpoint. Allow inbound traffic on port 443 to the VPC's CIDR range.
  F. Create a VPC interface endpoint for the EC2 instance in the VPC where the EC2 instance is located.

Answer(s): B,C,F






Post your Comments and Discuss Amazon AWS Certified Security - Specialty exam with other Community members:

P commented on September 16, 2023
ok they're good
Anonymous

Julianne commented on November 07, 2022
I have taken this exam before with no success. It is satisfying to see familiar questions from the real exam in your exam dump questions.
SINGAPORE

Pat commented on October 15, 2021
For everyone else thinking of taking this exam, this exam dump is an absolutely fantastic resource and one that is certainly going to help you pass the exam.
UNITED STATES

Mx commented on October 13, 2021
excellent document
UNITED STATES

Dreamer commented on August 10, 2021
Excellent questions and answers.
UNITED STATES