Free AWS Certified Security - Specialty Exam Braindumps (page: 3)

Page 3 of 63

Your company uses AWS to host its resources. They have the following requirements.

1) Record all API calls and transitions.

2) Help in understanding what resources are there in the account.

3) Facility to allow auditing credentials and logins.

Which services would satisfy the above requirements?

  A. AWS Inspector, CloudTrail, IAM Credential Reports.
  B. CloudTrail, IAM Credential Reports, AWS SNS.
  C. CloudTrail, AWS Config, IAM Credential Reports.
  D. AWS SQS, IAM Credential Reports, CloudTrail.

Answer(s): C

Explanation:

You can use AWS CloudTrail to get a history of AWS API calls and related events for your account. This history includes calls made with the AWS Management Console, AWS Command Line Interface, AWS SDKs, and other AWS services.

Options A, B and D are invalid because you need the combination of CloudTrail, AWS Config and IAM Credential Reports.

For more information on CloudTrail, please visit the below URL:

http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html

AWS Config is a service that enables you to assess, audit and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. With Config, you can review changes in configurations and relationships between AWS resources, dive into detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines. This enables you to simplify compliance auditing, security analysis, change management and operational troubleshooting.

For more information on the Config service, please visit the below URL:

https://aws.amazon.com/config/

You can generate and download a credential report that lists all users in your account and the status of their various credentials, including passwords, access keys, and MFA devices. You can get a credential report from the AWS Management Console, the AWS SDKs and Command Line Tools, or the IAM API.

For more information on the credential report, please visit the below URL:

http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html

The correct answer is: CloudTrail, AWS Config, IAM Credential Reports.



Your CTO is very worried about the security of your AWS account. How best can you prevent hackers from completely hijacking your account?

  A. Use a short but complex password on the root account and any administrators.
  B. Use AWS IAM Geo-Lock and disallow anyone from logging in except from your city.
  C. Use MFA on all users and accounts, especially on the root account.
  D. Don't write down or remember the root account password after creating the AWS account.

Answer(s): C

Explanation:

Multi-factor authentication adds one more layer of security to your AWS account. Even when you go to your Security Credentials dashboard, one of the items listed is to enable MFA on your root account.

Option A is invalid because you need to have a good password policy.

Option B is invalid because there is no AWS Geo-Lock service.

Option D is invalid because this is not a recommended practice.

For more information on MFA, please visit the below URL:

http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html

The correct answer is: Use MFA on all users and accounts, especially on the root account.



Your CTO thinks your AWS account was hacked.
What is the only way to know for certain if there was unauthorized access and what they did, assuming your hackers are very sophisticated AWS engineers and doing everything they can to cover their tracks?

  A. Use CloudTrail Log File Integrity Validation.
  B. Use AWS Config SNS Subscriptions and process events in real time.
  C. Use CloudTrail backed up to AWS S3 and Glacier.
  D. Use AWS Config Timeline forensics.

Answer(s): A

Explanation:

The AWS documentation mentions the following.

To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, you can use CloudTrail log file integrity validation. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection. You can use the AWS CLI to validate the files in the location where CloudTrail delivered them.

Validated log files are invaluable in security and forensic investigations. For example, a validated log file enables you to assert positively that the log file itself has not changed, or that particular user credentials performed specific API activity. The CloudTrail log file integrity validation process also lets you know if a log file has been deleted or changed, or assert positively that no log files were delivered to your account during a given period of time.
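The hashing half of that check, as an added example that is not from the dump and not AWS's own validator: each CloudTrail digest file records the hex SHA-256 of every delivered log object under `logFiles[].hashValue`, so re-hashing the object and comparing tells you whether it was modified, and an object the digest lists but the bucket no longer holds has been deleted. The bucket name, object keys, events and digest below are constructed in memory; the RSA signature over the digest (which `aws cloudtrail validate-logs` also verifies) is omitted here, so this only models the per-file hash comparison.

```python
"""Added example: per-file hash check modelled on CloudTrail digest files.

Everything here is constructed: no S3 access, no real trail. The RSA
signature verification that the real validator performs is not modelled.
"""
import gzip
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_log_object(records):
    # CloudTrail delivers each log file as a gzipped JSON document with a "Records" array
    return gzip.compress(json.dumps({"Records": records}).encode("utf-8"))


# Constructed names in the layout CloudTrail uses; the account id is a placeholder.
BUCKET = "example-trail-bucket"
PREFIX = "AWSLogs/111122223333/CloudTrail/us-east-1/2024/03/01/111122223333_CloudTrail_us-east-1_"
LOG_A = PREFIX + "20240301T1200Z_aaaa.json.gz"
LOG_B = PREFIX + "20240301T1205Z_bbbb.json.gz"

LOG_OBJECTS = {
    LOG_A: make_log_object([{"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"}}]),
    LOG_B: make_log_object([{"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com"}]),
}


def build_digest(bucket, objects, previous_digest_key=None):
    """Record delivered objects the way a digest file does (simplified subset of fields)."""
    return {
        "digestS3Bucket": bucket,
        "logFiles": [
            {"s3Bucket": bucket, "s3Object": key, "hashAlgorithm": "SHA-256",
             "hashValue": sha256_hex(body)}
            for key, body in objects.items()
        ],
        # digests chain to each other; a broken chain would itself be a finding
        "previousDigestS3Object": previous_digest_key,
    }


DIGEST = build_digest(BUCKET, LOG_OBJECTS)


def validate_digest(digest, fetch):
    """fetch(key) returns the object bytes, or None when the object is gone.

    Returns {s3Object: "valid" | "modified" | "missing"} for every file the digest lists.
    """
    results = {}
    for entry in digest["logFiles"]:
        body = fetch(entry["s3Object"])
        if body is None:
            results[entry["s3Object"]] = "missing"
        elif sha256_hex(body) != entry["hashValue"]:
            results[entry["s3Object"]] = "modified"
        else:
            results[entry["s3Object"]] = "valid"
    return results


def run_scenarios():
    """Untouched bucket, one rewritten log file, and one deleted log file."""
    untouched = validate_digest(DIGEST, LOG_OBJECTS.get)

    tampered = dict(LOG_OBJECTS)
    tampered[LOG_B] = make_log_object([{"eventName": "ConsoleLogin"}])  # StopLogging event removed
    modified = validate_digest(DIGEST, tampered.get)

    deleted = validate_digest(DIGEST, lambda key: None if key == LOG_B else LOG_OBJECTS.get(key))
    return {"untouched": untouched, "modified": modified, "deleted": deleted}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, {k.rsplit("_", 1)[-1]: v for k, v in result.items()})
```

Because the digest is what the attacker would need to rewrite consistently, and the digest itself is signed with a key only CloudTrail holds, a mismatch in this comparison is evidence rather than just a hint; in practice you run `aws cloudtrail validate-logs` against the real bucket rather than this model.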

Options B, C and D are invalid because you need to use log file integrity validation for the CloudTrail logs.

For more information on CloudTrail log file validation, please visit the below URL:

http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html

The correct answer is: Use CloudTrail Log File Integrity Validation.




Your development team is using access keys to develop an application that has access to S3 and DynamoDB. A new security policy has outlined that the credentials should not be older than 2 months, and should be rotated. How can you achieve this?

  A. Use the application to rotate the keys every 2 months via the SDK.
  B. Use a script to query the creation date of the keys. If older than 2 months, create a new access key, update all applications to use it, inactivate the old key and delete it.
  C. Delete the user associated with the keys after every 2 months. Then recreate the user again.
  D. Delete the IAM Role associated with the keys after every 2 months. Then recreate the IAM Role again.

Answer(s): B

Explanation:

One can use the CLI command list-access-keys to get the access keys. This command also returns the "CreateDate" of each key. If the CreateDate is older than 2 months, the key is due for rotation and can then be deleted.

The list-access-keys CLI command returns information about the access key IDs associated with the specified IAM user. If there are none, the action returns an empty list.

Option A is incorrect because you might as well use a script for such maintenance activities.
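The check the answer describes, as an added example that is neither the dump's nor AWS's code: a Python script that reads the shape `aws iam list-access-keys` returns (an `AccessKeyMetadata` list with `UserName`, `AccessKeyId`, `Status` and `CreateDate`), flags Active keys older than 60 days, and lists the CLI steps in the order the answer gives. The response, user names, key IDs and the fixed clock below are constructed, and the 60-day cut-off is an assumption standing in for "2 months". It also handles a case the answer does not mention: IAM allows at most two access keys per user, so a user who already has two Active keys cannot be issued a replacement, and the script marks that key instead of trying to create one.

```python
"""Added example: find IAM access keys past the maximum age and plan their rotation.

The sample response and the fixed "now" are constructed for the example; a real
script would call `aws iam list-access-keys --user-name ...` (or boto3) per user.
"""
from datetime import datetime, timezone

MAX_AGE_DAYS = 60  # assumption: "not older than 2 months" from the policy

# Constructed sample in the shape ListAccessKeys returns; key IDs are fake.
SAMPLE_RESPONSE = {
    "AccessKeyMetadata": [
        {"UserName": "app-dev", "AccessKeyId": "AKIAEXAMPLE0000001",
         "Status": "Active", "CreateDate": "2023-12-15T10:00:00+00:00"},
        {"UserName": "app-dev", "AccessKeyId": "AKIAEXAMPLE0000002",
         "Status": "Inactive", "CreateDate": "2023-10-01T10:00:00+00:00"},
        {"UserName": "app-prod", "AccessKeyId": "AKIAEXAMPLE0000003",
         "Status": "Active", "CreateDate": "2023-11-01T10:00:00+00:00"},
        {"UserName": "app-prod", "AccessKeyId": "AKIAEXAMPLE0000004",
         "Status": "Active", "CreateDate": "2024-02-01T10:00:00Z"},
    ]
}
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the example


def parse_create_date(value: str) -> datetime:
    # The CLI prints ISO 8601; accept both a "+00:00" offset and a trailing "Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def key_age_days(meta, now=NOW) -> int:
    return (now - parse_create_date(meta["CreateDate"])).days


def plan_rotation(response, now=NOW, max_age_days=MAX_AGE_DAYS):
    """Return [(user, key_id, age_days, action)] with one action per key:

    ok        - Active and within the age limit
    rotate    - Active and too old; the user has a free key slot, so create the replacement
    at_limit  - Active and too old, but the user already has two Active keys (the IAM
                maximum), so CreateAccessKey would fail; one key must be retired first
    delete    - Inactive; it was already replaced, remove it to free the slot
    """
    keys = response["AccessKeyMetadata"]
    active_per_user = {}
    for meta in keys:
        if meta["Status"] == "Active":
            active_per_user[meta["UserName"]] = active_per_user.get(meta["UserName"], 0) + 1

    plan = []
    for meta in keys:
        age = key_age_days(meta, now)
        if meta["Status"] == "Inactive":
            action = "delete"
        elif age <= max_age_days:
            action = "ok"
        elif active_per_user[meta["UserName"]] >= 2:
            action = "at_limit"
        else:
            action = "rotate"
        plan.append((meta["UserName"], meta["AccessKeyId"], age, action))
    return plan


def rotation_commands(user: str, old_key_id: str):
    """The rotation sequence from the answer, as the AWS CLI calls it maps to."""
    return [
        f"aws iam create-access-key --user-name {user}",
        "# deploy the new key id and secret to every application that used the old key",
        f"aws iam update-access-key --user-name {user} --access-key-id {old_key_id} --status Inactive",
        "# watch for failures while the old key is inactive before removing it for good",
        f"aws iam delete-access-key --user-name {user} --access-key-id {old_key_id}",
    ]


if __name__ == "__main__":
    for user, key_id, age, action in plan_rotation(SAMPLE_RESPONSE):
        print(f"{user:10} {key_id} {age:4d}d  {action}")
        if action == "rotate":
            print("\n".join("    " + line for line in rotation_commands(user, key_id)))
```

Inactivating before deleting is the step that makes the procedure safe to automate: an application still using the old key fails visibly while the key can be re-enabled, instead of failing after the key is gone.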

Option C is incorrect because you would not rotate the users themselves.

Option D is incorrect because you don't use IAM roles for such a purpose.

For more information on the CLI command, please refer to the below link:

http://docs.aws.amazon.com/cli/latest/reference/iam/list-access-keys.html

The correct answer is: Use a script to query the creation date of the keys. If older than 2 months, create a new access key, update all applications to use it, inactivate the old key and delete it.






Post your Comments and Discuss Amazon AWS Certified Security - Specialty exam with other Community members:

P commented on September 16, 2023
OK, they're good.
Anonymous

Julianne commented on November 07, 2022
I have taken this exam before with no success. It is satisfying to see familiar questions from the real exam in your exam dump questions.
SINGAPORE

Pat commented on October 15, 2021
For everyone else thinking of taking this exam, this exam dump is an absolutely fantastic resource and one that is going to certainly help you pass the exam.
UNITED STATES

Mx commented on October 13, 2021
Excellent document.
UNITED STATES

Dreamer commented on August 10, 2021
Excellent questions and answers.
UNITED STATES