Free AWS Certified Security - Specialty Exam Braindumps (page: 5)

Page 5 of 63

A company has multiple Amazon S3 buckets encrypted with customer-managed CMKs. Due to regulatory requirements, the keys must be rotated every year. The company's Security Engineer has enabled automatic key rotation for the CMKs; however, the company wants to verify that the rotation has occurred.

What should the Security Engineer do to accomplish this?

  A. Filter AWS CloudTrail logs for KeyRotation events.
  B. Monitor Amazon CloudWatch Events for any AWS KMS CMK rotation events.
  C. Using the AWS CLI, run the aws kms get-key-rotation-status operation with the --key-id parameter to check the CMK rotation date.
  D. Use Amazon Athena to query AWS CloudTrail logs saved in an S3 bucket to filter GenerateNewKey events.

Answer(s): C

Explanation:

The aws kms get-key-rotation-status command returns a boolean value that indicates whether automatic rotation of the customer master key (CMK) is enabled. This command also shows the date and time when the CMK was last rotated. The other options are not valid ways to check the CMK rotation status.



A company needs a forensic-logging solution for hundreds of applications running in Docker on Amazon EC2. The solution must perform real-time analytics on the logs, must support the replay of messages, and must persist the logs.

Which AWS services should be used to meet these requirements? (Select TWO)

  A. Amazon Athena
  B. Amazon Kinesis
  C. Amazon SQS
  D. Amazon Elasticsearch
  E. Amazon EMR

Answer(s): B,D

Explanation:

Amazon Kinesis and Amazon Elasticsearch are both suitable for forensic-logging solutions. Amazon Kinesis can collect, process, and analyze streaming data in real time. Amazon Elasticsearch can store, search, and analyze log data using the popular open-source tool Elasticsearch. The other options are not designed for forensic-logging purposes: Amazon Athena is a query service that can analyze data in S3, Amazon SQS is a message queue service that can decouple and scale microservices, and Amazon EMR is a big data platform that can run Apache Spark and Hadoop clusters.



Auditors for a health care company have mandated that all data volumes be encrypted at rest. Infrastructure is deployed mainly via AWS CloudFormation; however, third-party frameworks and manual deployment are required on some legacy systems.

What is the BEST way to monitor, on a recurring basis, whether all EBS volumes are encrypted?

  A. On a recurring basis, update IAM user policies to require that EC2 instances are created with an encrypted volume.
  B. Configure an AWS Config rule to run on a recurring basis for volume encryption.
  C. Set up Amazon Inspector rules for volume encryption to run on a recurring schedule.
  D. Use CloudWatch Logs to determine whether instances were created with an encrypted volume.

Answer(s): B

Explanation:

To support answer B, see the reference https://d1.awsstatic.com/whitepapers/aws-security-whitepaper.pdf.

"For example, AWS Config provides managed AWS Config Rules to ensure that encryption is turned on for all EBS volumes in your account."



A company became aware that one of its access keys was exposed on a code sharing website 11 days ago. A Security Engineer must review all use of the exposed access key to determine the extent of the exposure. The company enabled AWS CloudTrail in all regions when it opened the account.

Which of the following will allow the Security Engineer to complete the task?

  A. Filter the event history on the exposed access key in the CloudTrail console. Examine the data from the past 11 days.
  B. Use the AWS CLI to generate an IAM credential report. Extract all the data from the past 11 days.
  C. Use Amazon Athena to query the CloudTrail logs from Amazon S3. Retrieve the rows for the exposed access key for the past 11 days.
  D. Use the Access Advisor tab in the IAM console to view all of the access key activity for the past 11 days.

Answer(s): C

Explanation:

Amazon Athena is a service that enables you to analyze data in Amazon S3 using standard SQL. You can use Athena to query the CloudTrail logs that are stored in S3 and filter them by the exposed access key and the date range. The other options are not effective ways to review the use of the exposed access key.



