Free AWS Certified Security - Specialty Exam Braindumps (page: 19)


A security engineer needs to configure an Amazon S3 bucket policy to restrict access to an S3 bucket that is named DOC-EXAMPLE-BUCKET. The policy must allow access to DOC-EXAMPLE-BUCKET only through the VPC endpoint vpce-1a2b3c4d, and it must deny all access to DOC-EXAMPLE-BUCKET if that endpoint is not used.
Which bucket policy statement meets these requirements?

Answer(s): B
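The answer choices for this question were not captured on this page, so as an added example (not from the exam page or from AWS) here is the bucket policy pattern the requirement describes: a single explicit Deny on the bucket and its objects, conditioned on aws:SourceVpce, together with a small evaluator that models only the condition operators this policy uses (it is not the IAM policy engine). The bucket name and endpoint id are the ones from the question; the Sid is an assumption.

```python
"""Bucket policy for DOC-EXAMPLE-BUCKET that denies every request not made
through VPC endpoint vpce-1a2b3c4d, plus a small evaluator for the one
condition operator the policy uses. The evaluator models only that operator;
it is not the IAM policy engine."""
import json

BUCKET = "DOC-EXAMPLE-BUCKET"
ENDPOINT = "vpce-1a2b3c4d"


def build_bucket_policy(bucket, vpce_id):
    # Explicit Deny keyed on aws:SourceVpce. The key is present only on
    # requests that arrive through a VPC endpoint, and a negated operator
    # (StringNotEquals) on an absent key still matches, so console, internet
    # and cross-account requests that bypass the endpoint are all denied.
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AccessToSpecificVPCEOnly",  # assumed Sid
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [
                    "arn:aws:s3:::%s" % bucket,
                    "arn:aws:s3:::%s/*" % bucket,
                ],
                "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
            }
        ],
    }


def policy_json(bucket=BUCKET, vpce_id=ENDPOINT):
    """The policy document as it would be passed to put-bucket-policy."""
    return json.dumps(build_bucket_policy(bucket, vpce_id), indent=2)


def deny_applies(policy, request_ctx):
    """True if a Deny statement in `policy` matches `request_ctx`, a dict of the
    condition keys present on the request, e.g. {"aws:SourceVpce": "vpce-..."}.
    Only StringEquals / StringNotEquals are modelled. An explicit Deny always
    wins over any Allow, so True means the request fails whatever IAM grants."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        cond = stmt.get("Condition", {})
        matched = True
        for key, expected in cond.get("StringEquals", {}).items():
            # positive operator: an absent key never matches
            if request_ctx.get(key) != expected:
                matched = False
        for key, expected in cond.get("StringNotEquals", {}).items():
            # negated operator: an absent key counts as "not equal"
            if request_ctx.get(key) == expected:
                matched = False
        if matched:
            return True
    return False


if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET, ENDPOINT)
    for label, ctx in [
        ("through vpce-1a2b3c4d", {"aws:SourceVpce": ENDPOINT}),
        ("through another endpoint", {"aws:SourceVpce": "vpce-0000ffff"}),
        ("from the console / internet", {}),
    ]:
        print("%-28s denied=%s" % (label, deny_applies(policy, ctx)))
```

The Deny statement grants nothing by itself; the principals still need an Allow from their identity policies, which is why the requirement can be met with a Deny alone. The practical caveat is the third case in the demo: the same Deny blocks the S3 console and any administrator or pipeline that does not go through vpce-1a2b3c4d, so verify the endpoint id and the path your own tooling takes before applying it, or carve out a break-glass principal with an additional condition.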



A company has a group of Amazon EC2 instances in a single private subnet of a VPC with no internet gateway attached. A security engineer has installed the Amazon CloudWatch agent on all instances in that subnet to capture logs from a specific application. To ensure that the logs flow securely, the company's networking team has created VPC endpoints for CloudWatch monitoring and CloudWatch logs. The networking team has attached the endpoints to the VPC.
The application is generating logs. However, when the security engineer queries CloudWatch, the logs do not appear.
Which combination of steps should the security engineer take to troubleshoot this issue? (Choose three.)

  1. Ensure that the EC2 instance profile that is attached to the EC2 instances has permissions to create log streams and write logs.
  2. Create a metric filter on the logs so that they can be viewed in the AWS Management Console.
  3. Check the CloudWatch agent configuration file on each EC2 instance to make sure that the CloudWatch agent is collecting the proper log files.
  4. Check the VPC endpoint policies of both VPC endpoints to ensure that the EC2 instances have permissions to use them.
  5. Create a NAT gateway in the subnet so that the EC2 instances can communicate with CloudWatch.
  6. Ensure that the security groups allow all the EC2 instances to communicate with each other to aggregate logs before sending.

Answer(s): A,C,D
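The three correct steps are the three places delivery usually breaks: the instance role (A), the agent configuration (C) and the endpoint policies (D). A NAT gateway (E) is unnecessary once the endpoints exist, a metric filter (B) only affects what can be graphed, and instances do not aggregate logs through each other (F). As an added example (not from the exam page or from AWS), the script below turns those three checks into code that runs over the role policy, the agent config and the endpoint policies. The sample documents, account id and role names are constructed; the policy matching handles Allow statements with action wildcards and exact principal ARNs and is a troubleshooting aid, not the IAM evaluation engine.

```python
"""Static checks for the three places CloudWatch Logs delivery usually
breaks on instances that reach CloudWatch only through VPC endpoints:
the instance role (A), the agent configuration (C) and the endpoint
policies (D). Policy matching handles Allow statements with action
wildcards and exact principal ARNs; it is a troubleshooting aid, not the
IAM evaluation engine. All sample documents below are constructed."""
import fnmatch

# Minimum CloudWatch Logs actions the agent needs to create streams and
# write events; the managed CloudWatchAgentServerPolicy grants more.
REQUIRED_LOG_ACTIONS = {"logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"}
REQUIRED_METRIC_ACTIONS = {"cloudwatch:PutMetricData"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, arn):
    # "*" is any principal; otherwise the ARN must be listed under "AWS".
    # (Assumed-role session ARNs and Condition blocks are not modelled.)
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return arn in _as_list(principal.get("AWS", []))
    return False


def missing_actions(policy, required, principal_arn=None):
    """Subset of `required` that no Allow statement in `policy` covers.
    `principal_arn` restricts matching to statements naming that principal
    (used for endpoint policies); Deny statements are not modelled."""
    missing = set(required)
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if principal_arn is not None and not _principal_matches(stmt.get("Principal"), principal_arn):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            missing -= {a for a in missing if fnmatch.fnmatchcase(a, pattern)}
    return missing


def collected_files(agent_config):
    """File paths the agent ships, from logs.logs_collected.files.collect_list."""
    files = agent_config.get("logs", {}).get("logs_collected", {}).get("files", {})
    return [entry["file_path"] for entry in files.get("collect_list", [])]


def diagnose(role_policy, agent_config, endpoint_policies, role_arn, log_path):
    """Return human-readable findings; an empty list means all three checks pass."""
    findings = []
    gap = missing_actions(role_policy, REQUIRED_LOG_ACTIONS)
    if gap:
        findings.append("instance role lacks %s" % sorted(gap))
    if log_path not in collected_files(agent_config):
        findings.append("agent config does not collect %s" % log_path)
    for name, policy in endpoint_policies.items():
        needed = REQUIRED_LOG_ACTIONS if name == "logs" else REQUIRED_METRIC_ACTIONS
        gap = missing_actions(policy, needed, principal_arn=role_arn)
        if gap:
            findings.append("%s endpoint policy does not allow %s for %s" % (name, role_arn, sorted(gap)))
    return findings


# Constructed sample inputs (hypothetical account id and role names).
ROLE_ARN = "arn:aws:iam::123456789012:role/AppLogWriter"
SAMPLE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:DescribeLogStreams"]}],
}  # logs:PutLogEvents is missing
SAMPLE_AGENT_CONFIG = {
    "logs": {"logs_collected": {"files": {"collect_list": [
        {"file_path": "/var/log/app/other.log", "log_group_name": "app", "log_stream_name": "{instance_id}"}
    ]}}}
}  # the application actually writes /var/log/app/app.log
SAMPLE_ENDPOINT_POLICIES = {
    # logs endpoint: narrowed to a different role, so AppLogWriter is blocked
    "logs": {"Statement": [{"Effect": "Allow", "Resource": "*", "Action": "logs:*",
                            "Principal": {"AWS": "arn:aws:iam::123456789012:role/OtherRole"}}]},
    # monitoring endpoint: the default full-access endpoint policy
    "monitoring": {"Statement": [{"Effect": "Allow", "Resource": "*", "Action": "*", "Principal": "*"}]},
}

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_ROLE_POLICY, SAMPLE_AGENT_CONFIG, SAMPLE_ENDPOINT_POLICIES,
                            ROLE_ARN, "/var/log/app/app.log"):
        print("FINDING:", finding)
```

Run against the sample documents it reports all three failure modes at once, which is the point of checking them together: a missing logs:PutLogEvents on the role, an agent that tails the wrong file, and a logs endpoint policy that was narrowed to another role. Any one of these alone produces the symptom in the question (the agent runs, the application writes, nothing reaches CloudWatch).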



A company uses AWS Signer with all of the company's AWS Lambda functions. A developer recently stopped working for the company. The company wants to ensure that all the code that the developer wrote can no longer be deployed to the Lambda functions.
Which solution will meet this requirement?

  1. Revoke all versions of the signing profile assigned to the developer.
  2. Examine the developer's IAM roles. Remove all permissions that grant access to Signer.
  3. Re-encrypt all source code with a new AWS Key Management Service (AWS KMS) key.
  4. Use Amazon CodeGuru to profile all the code that the Lambda functions use.

Answer(s): A



A company plans to use AWS Key Management Service (AWS KMS) to implement an encryption strategy to protect data at rest. The company requires client-side encryption for company projects. The company is currently conducting multiple projects to test the company's use of AWS KMS. These tests have led to a sudden increase in the company's AWS resource consumption. The test projects include applications that issue multiple requests each second to KMS endpoints for encryption activities.
The company needs a solution that does not cause its AWS KMS requests to be throttled. The solution must improve key usage for client-side encryption and must be cost optimized.
Which solution will meet these requirements?

  1. Use keyrings with the AWS Encryption SDK. Use each keyring individually or combine keyrings into a multi-keyring. Decrypt the data by using a keyring that has the primary key in the multi-keyring.
  2. Use data key caching. Use the local cache that the AWS Encryption SDK provides with a caching cryptographic materials manager.
  3. Use KMS key rotation. Use a local cache in the AWS Encryption SDK with a caching cryptographic materials manager.
  4. Use keyrings with the AWS Encryption SDK. Use each keyring individually or combine keyrings into a multi-keyring. Use any of the wrapping keys in the multi-keyring to decrypt the data.

Answer(s): B
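Data key caching is the right answer because the cost and throttling problem is the number of KMS calls per second, and caching lets one GenerateDataKey result serve many messages. Key rotation (C) changes nothing about request volume, and the multi-keyring options (A, D) add a KMS call per wrapping key rather than removing any. As an added example (not from the exam page, AWS or the Encryption SDK's own code), the block below models what the SDK's caching cryptographic materials manager does, so the saving and the security limits can be measured offline: FakeKms is a constructed stand-in that only counts calls, and the key alias and encryption context values are assumptions.

```python
"""Model of data key caching as the AWS Encryption SDK's caching cryptographic
materials manager does it: one KMS GenerateDataKey call produces a data key
that is reused for later messages until the cache entry hits its age,
message-count or byte limit. FakeKms is a constructed stand-in that only
counts calls; the real SDK wraps the data key under the KMS key and encrypts
payloads with it. This is an illustration, not the SDK's code."""
import os
import time


class FakeKms:
    """Stand-in for kms:GenerateDataKey. Counts calls so the saving is measurable."""

    def __init__(self):
        self.calls = 0

    def generate_data_key(self, key_id, encryption_context):
        self.calls += 1
        plaintext_key = os.urandom(32)
        # Real KMS returns the key wrapped under key_id; an opaque token suffices here.
        encrypted_key = b"wrapped-under-%s:" % key_id.encode() + os.urandom(16)
        return plaintext_key, encrypted_key


class _Entry:
    def __init__(self, plaintext_key, encrypted_key, created):
        self.plaintext_key = plaintext_key
        self.encrypted_key = encrypted_key
        self.created = created
        self.messages = 0
        self.bytes = 0


class CachingMaterialsManager:
    """Security limits mirror the SDK's caching CMM: max_age is mandatory,
    max_messages defaults to 2**32 and max_bytes to 2**63 - 1. `clock` is
    injectable so expiry can be tested without sleeping."""

    def __init__(self, kms, key_id, max_age_s, max_messages=2 ** 32,
                 max_bytes=2 ** 63 - 1, clock=time.monotonic):
        self.kms = kms
        self.key_id = key_id
        self.max_age_s = max_age_s
        self.max_messages = max_messages
        self.max_bytes = max_bytes
        self.clock = clock
        self._cache = {}

    def _usable(self, entry, now, plaintext_len):
        return (now - entry.created < self.max_age_s
                and entry.messages < self.max_messages
                and entry.bytes + plaintext_len <= self.max_bytes)

    def get_encryption_materials(self, encryption_context, plaintext_len):
        """Return (plaintext_key, encrypted_key) for one message of plaintext_len bytes."""
        # The cache id includes the encryption context, so messages encrypted
        # under different contexts never share a data key.
        cache_id = tuple(sorted(encryption_context.items()))
        now = self.clock()
        entry = self._cache.get(cache_id)
        if entry is not None and not self._usable(entry, now, plaintext_len):
            del self._cache[cache_id]  # evict: age, message or byte limit reached
            entry = None
        if entry is None:
            plaintext_key, encrypted_key = self.kms.generate_data_key(self.key_id, encryption_context)
            entry = _Entry(plaintext_key, encrypted_key, now)
            self._cache[cache_id] = entry
        entry.messages += 1
        entry.bytes += plaintext_len
        return entry.plaintext_key, entry.encrypted_key


def kms_calls_for(n_messages, message_len, max_age_s=300.0, max_messages=2 ** 32, max_bytes=2 ** 63 - 1):
    """KMS calls needed to encrypt n_messages of message_len bytes under one
    context with the given limits; without caching it would be n_messages."""
    kms = FakeKms()
    cmm = CachingMaterialsManager(kms, "alias/app-data", max_age_s, max_messages, max_bytes,
                                  clock=lambda: 0.0)
    for _ in range(n_messages):
        cmm.get_encryption_materials({"purpose": "client-side"}, message_len)
    return kms.calls


if __name__ == "__main__":
    print("1000 x 4 KiB, no limits hit:", kms_calls_for(1000, 4096))  # 1
    print("1000 x 4 KiB, max_messages=100:", kms_calls_for(1000, 4096, max_messages=100))  # 10
```

In the real SDK the same three limits are the max_age, max_messages_encrypted and max_bytes_encrypted arguments of CachingCryptoMaterialsManager, backed by a LocalCryptoMaterialsCache. The trade-off the limits control is visible in the model: every message served from an entry shares one data key, so a compromised process exposes every message that key covered. Set the limits from that exposure budget rather than from the default maximums, and keep the encryption context in the cache id so unrelated data never shares a key.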





