Free AWS Certified Security - Specialty Exam Braindumps (page: 18)


A company is using Amazon Route 53 Resolver for its hybrid DNS infrastructure. The company has set up Route 53 Resolver forwarding rules for authoritative domains that are hosted on on-premises DNS servers.
A new security mandate requires the company to implement a solution to log and query DNS traffic that goes to the on-premises DNS servers. The logs must show details of the source IP address of the instance from which the query originated. The logs also must show the DNS name that was requested in Route 53 Resolver.
Which solution will meet these requirements?

  A. Use VPC Traffic Mirroring. Configure all relevant elastic network interfaces as the traffic source, include amazon-dns in the mirror filter, and set Amazon CloudWatch Logs as the mirror target. Use CloudWatch Insights on the mirror session logs to run queries on the source IP address and DNS name.
  B. Configure VPC flow logs on all relevant VPCs. Send the logs to an Amazon S3 bucket. Use Amazon Athena to run SQL queries on the source IP address and DNS name.
  C. Configure Route 53 Resolver query logging on all relevant VPCs. Send the logs to Amazon CloudWatch Logs. Use CloudWatch Insights to run queries on the source IP address and DNS name.
  D. Modify the Route 53 Resolver rules on the authoritative domains that forward to the on-premises DNS servers. Send the logs to an Amazon S3 bucket. Use Amazon Athena to run SQL queries on the source IP address and DNS name.

Answer(s): C



A security engineer is configuring attribute-based access control (ABAC) to allow only specific principals to put objects into an Amazon S3 bucket. The principals already have access to Amazon S3.
The security engineer needs to configure a bucket policy that allows principals to put objects into the S3 bucket only if the value of the Team tag on the object matches the value of the Team tag that is associated with the principal. During testing, the security engineer notices that a principal can still put objects into the S3 bucket when the tag values do not match.
Which combination of factors is causing the PutObject operation to succeed when the tag values are different? (Choose two.)

  A. The principal's identity-based policy grants access to put objects into the S3 bucket with no conditions.
  B. The principal's identity-based policy overrides the condition because the identity-based policy contains an explicit allow.
  C. The S3 bucket's resource policy does not deny access to put objects.
  D. The S3 bucket's resource policy cannot allow actions to the principal.
  E. The bucket policy does not apply to principals in the same zone of trust.

Answer(s): A,C



A company is hosting multiple applications within a single VPC in its AWS account. The applications are running behind an Application Load Balancer that is associated with an AWS WAF web ACL. The company's security team has identified that multiple port scans are originating from a specific range of IP addresses on the internet.
A security engineer needs to deny access from the offending IP addresses.
Which solution will meet these requirements?

  A. Modify the AWS WAF web ACL with an IP set match rule statement to deny incoming requests from the IP address range.
  B. Add a rule to all security groups to deny the incoming requests from the IP address range.
  C. Modify the AWS WAF web ACL with a rate-based rule statement to deny the incoming requests from the IP address range.
  D. Configure the AWS WAF web ACL with regex match conditions. Specify a pattern set to deny the incoming requests based on the match condition.

Answer(s): A



A company has contracted with a third party to audit several AWS accounts. To enable the audit, cross-account IAM roles have been created in each account targeted for audit. The auditor is having trouble accessing some of the accounts.
Which of the following may be causing this problem? (Choose three.)

  A. The external ID used by the auditor is missing or incorrect.
  B. The auditor is using the incorrect password.
  C. The auditor has not been granted sts:AssumeRole for the role in the destination account.
  D. The Amazon EC2 role used by the auditor must be set to the destination account role.
  E. The secret key used by the auditor is missing or incorrect.
  F. The role ARN used by the auditor is missing or incorrect.

Answer(s): A,C,F