AWS_CERTIFIED_SECURITY_SPECIALTY questions • Exam prepare

amazon AWS_CERTIFIED_SECURITY_SPECIALTY

Exam contains 509 questions

Page 14 of 85

Question 79 🔥

AWS CloudTrail is being used to monitor API calls in an organization. An audit revealed that CloudTrail is failing to deliver events to Amazon S3 as expected.What initial actions should be taken to allow delivery of CloudTrail events to S3? (Choose two.)

Which database solution meets these requirements?

A. Verify that the S3 bucket policy allow CloudTrail to write objects.

Highly voted

B. Verify that the IAM role used by CloudTrail has access to write to Amazon CloudWatch Logs.

C. Remove any lifecycle policies on the S3 bucket that are archiving objects to Amazon Glacier.

D. Verify that the S3 bucket defined in CloudTrail exists.

Highly voted

E. Verify that the log file prefix defined in CloudTrail exists in the S3 bucket.

Discussion of the question

Question 80 🔥

Due to new compliance requirements, a Security Engineer must enable encryption with customer-provided keys on corporate data that is stored in DynamoDB.The company wants to retain full control of the encryption keys.Which DynamoDB feature should the Engineer use to achieve compliance'?

Which database solution meets these requirements?

A. Use AWS Certificate Manager to request a certificate. Use that certificate to encrypt data prior to uploading it to DynamoDB.

B. Enable S3 server-side encryption with the customer-provided keys. Upload the data to Amazon S3, and then use S3Copy to move all data to DynamoDB

C. Create a KMS master key. Generate per-record data keys and use them to encrypt data prior to uploading it to DynamoDS. Dispose of the cleartext and encrypted data keys after encryption without storing.

D. Use the DynamoDB Java encryption client to encrypt data prior to uploading it to DynamoDB.

Highly voted

Discussion of the question

Question 81 🔥

A Security Engineer must design a system that can detect whether a file on an Amazon EC2 host has been modified. The system must then alert the SecurityEngineer of the modification.What is the MOST efficient way to meet these requirements?

Which database solution meets these requirements?

A. Install antivirus software and ensure that signatures are up-to-date. Configure Amazon CloudWatch alarms to send alerts for security events.

B. Install host-based IDS software to check for file integrity. Export the logs to Amazon CloudWatch Logs for monitoring and alerting.

Highly voted

C. Export system log files to Amazon S3. Parse the log files using an AWS Lambda function that will send alerts of any unauthorized system login attempts through Amazon SNS.

D. Use Amazon CloudWatch Logs to detect file system changes. If a change is detected, automatically terminate and recreate the instance from the most recent AMI. Use Amazon SNS to send notification of the event.

Discussion of the question

Question 82 🔥

A company has multiple VPCs in their account that are peered, as shown in the diagram. A Security Engineer wants to perform penetration tests of the AmazonEC2 instances in all three VPCs.How can this be accomplished? (Choose two.)

Which database solution meets these requirements?

A. Deploy a pre-authorized scanning engine from the AWS Marketplace into VPC B, and use it to scan instances in all three VPCs. Do not complete the penetration test request form.

B. Deploy a pre-authorized scanning engine from the Marketplace into each VPC, and scan instances in each VPC from the scanning engine in that VPC. Do not complete the penetration test request form.

Highly voted

C. Create a VPN connection from the data center to VPC A. Use an on-premises scanning engine to scan the instances in all three VPCs. Complete the penetration test request form for all three VPCs.

D. Create a VPN connection from the data center to each of the three VPCs. Use an on-premises scanning engine to scan the instances in each VPC. Do not complete the penetration test request form.

Highly voted

E. Create a VPN connection from the data center to each of the three VPCs. Use an on-premises scanning engine to scan the instances in each VPC. Complete the penetration test request form for all three VPCs.

Discussion of the question

Question 83 🔥

The Security Engineer is managing a traditional three-tier web application that is running on Amazon EC2 instances. The application has become the target of increasing numbers of malicious attacks from the Internet.What steps should the Security Engineer take to check for known vulnerabilities and limit the attack surface? (Choose two.)

Which database solution meets these requirements?

A. Use AWS Certificate Manager to encrypt all traffic between the client and application servers.

B. Review the application security groups to ensure that only the necessary ports are open.

Highly voted

C. Use Elastic Load Balancing to offload Secure Sockets Layer encryption.

D. Use Amazon Inspector to periodically scan the backend instances.

Highly voted

E. Use AWS Key Management Services to encrypt all the traffic between the client and application servers.

Discussion of the question

Question 84 🔥

The Security team believes that a former employee may have gained unauthorized access to AWS resources sometime in the past 3 months by using an identified access key.What approach would enable the Security team to find out what the former employee may have done within AWS?

Which database solution meets these requirements?

A. Use the AWS CloudTrail console to search for user activity.

Highly voted

B. Use the Amazon CloudWatch Logs console to filter CloudTrail data by user.

C. Use AWS Config to see what actions were taken by the user.

D. Use Amazon Athena to query CloudTrail logs stored in Amazon S3.

Discussion of the question

Ready to Pass Your Certification Test

amazon AWS_CERTIFIED_SECURITY_SPECIALTY

Exam contains 509 questions

Lorem ipsum dolor sit amet consectetur. Eget sed turpis aenean sit aenean. Integer at nam ullamcorper a.

Company

Product

Resources

Follow us