AWS Certified Security - Specialty
Question 51
An Application Developer is using an AWS Lambda function that must use AWS KMS to perform encrypt and decrypt operations for API keys that are less than 2 KB.
Which key policy would allow the application to do this while granting least privilege?
A.
B.
C.
D.
Question 52
A company is migrating its legacy workloads to AWS. The current security information and event management (SIEM) system that analyzes logs is aging, and different SIEM systems are being evaluated to replace it. The company wants to change SIEMs without re-architecting the solution.
What should the Security Engineer do to accomplish this with minimal operational impact?
- A: Prepare an AMI with the SIEM log forwarder agent for each workload, and configure it to send logs to a centralized SIEM located in the Security team AWS account. Configure an Amazon EC2 instance base AMI to forward logs to its local log forwarder agent. Deploy an AMI in each workload.
- B: Configure an Amazon EC2 base AMI with an Amazon Kinesis Agent, and configure it to send to Amazon Kinesis Data Streams in the Security team AWS account. Add an AWS Lambda function at Kinesis Data Streams to push streamed logs to the SIEM.
- C: Configure an Amazon EC2 base AMI to send logs to a local AWS CloudTrail log file. Configure CloudTrail to send logs to Amazon CloudWatch. Set up a central SIEM in the Security team AWS account and configure a puller to get information on CloudWatch.
- D: Select a pay-per-use SIEM in the AWS Marketplace. Deploy the AMI in each workload to provide elasticity when required. Use Amazon Athena to send real-time alerts.
Question 53
An Application team has requested a new AWS KMS master key for use with Amazon S3, but the organizational security policy requires separate master keys for different AWS services to limit blast radius.
How can an AWS KMS customer master key (CMK) be constrained to work with only Amazon S3?
- A: Configure the CMK key policy to allow only the Amazon S3 service to use the kms:Encrypt action.
- B: Configure the CMK key policy to allow AWS KMS actions only when the kms:ViaService condition matches the Amazon S3 service name.
- C: Configure the IAM user's policy to allow KMS to pass a role to Amazon S3.
- D: Configure the IAM user's policy to allow only Amazon S3 operations when they are combined with the CMK.
Question 54
A company is developing a highly resilient application to be hosted on multiple Amazon EC2 instances. The application will store highly sensitive user data in Amazon RDS tables.
The application must:
✑ Include migration to a different AWS Region in the application disaster recovery plan.
✑ Provide a full audit trail of encryption key administration events.
✑ Allow only company administrators to administer keys.
✑ Protect data at rest using application layer encryption.
A Security Engineer is evaluating options for encryption key management.
Why should the Security Engineer choose AWS CloudHSM over AWS KMS for encryption key management in this situation?
- A: The key administration event logging generated by CloudHSM is significantly more extensive than AWS KMS.
- B: CloudHSM ensures that only company support staff can administer encryption keys, whereas AWS KMS allows AWS staff to administer keys.
- C: The ciphertext produced by CloudHSM provides more robust protection against brute force decryption attacks than the ciphertext produced by AWS KMS.
- D: CloudHSM provides the ability to copy keys to a different Region, whereas AWS KMS does not.
Question 55
A global company must mitigate and respond to DDoS attacks at Layers 3, 4 and 7. All of the company's AWS applications are serverless with static content hosted on Amazon S3 using Amazon CloudFront and Amazon Route 53.
Which solution will meet these requirements?
- A: Use AWS WAF with an upgrade to the AWS Business support plan.
- B: Use AWS Certificate Manager with an Application Load Balancer configured with an origin access identity.
- C: Use AWS Shield Advanced.
- D: Use AWS WAF to protect AWS Lambda functions encrypted with AWS KMS, and a NACL restricting all ingress traffic.
Question 56
A Security Engineer signed in to the AWS Management Console as an IAM user and switched to the security role IAM role. To perform a maintenance operation, the Security Engineer needs to switch to the maintainer role IAM role, which lists the security role as a trusted entity. The Security Engineer attempts to switch to the maintainer role, but it fails.
What is the likely cause of the failure?
- A: The security role and the maintainer role are not assigned to the IAM user that the Security Engineer used to sign in to the account.
- B: The Security Engineer should have logged in as the AWS account root user, which is allowed to assume any role directly.
- C: The maintainer role does not include the IAM user as a trusted entity.
- D: The security role does not include a statement in its policy to allow an sts:AssumeRole action.
Question 57
A Security Engineer must design a solution that enables the Incident Response team to audit for changes to a user's IAM permissions in the case of a security incident.
How can this be accomplished?
- A: Use AWS Config to review the IAM policy assigned to users before and after the incident.
- B: Run the GenerateCredentialReport via the AWS CLI, and copy the output to Amazon S3 daily for auditing purposes.
- C: Copy AWS CloudFormation templates to S3, and audit for changes from the template.
- D: Use Amazon EC2 Systems Manager to deploy images, and review AWS CloudTrail logs for changes.
Question 58
A company is configuring three Amazon EC2 instances with each instance in a separate Availability Zone. The EC2 instances will be used as transparent proxies for outbound internet traffic for ports 80 and 443 so the proxies can block traffic to certain internet destinations as required by the company's security policies. A Security Engineer completed the following:
✑ Set up the proxy software on the EC2 instances.
✑ Modified the route tables on the private subnets to use the proxy EC2 instances as the default route.
✑ Created a security group rule opening inbound TCP ports 80 and 443 on the proxy EC2 instance security group.
However, the proxy EC2 instances are not successfully forwarding traffic to the internet.
What should the Security Engineer do to make the proxy EC2 instances route traffic to the internet?
- A: Put all the proxy EC2 instances in a cluster placement group.
- B: Disable source and destination checks on the proxy EC2 instances.
- C: Open all inbound ports on the proxy EC2 instance security group.
- D: Change the VPC's DHCP domain-name-servers options set to the IP addresses of proxy EC2 instances.
Question 59
For compliance reasons, a Security Engineer must produce a weekly report that lists any instance that does not have the latest approved patches applied. The Engineer must also ensure that no system goes more than 30 days without the latest approved updates being applied.
What would be the MOST efficient way to achieve these goals?
- A: Use Amazon Inspector to determine which systems do not have the latest patches applied, and after 30 days, redeploy those instances with the latest AMI version.
- B: Configure Amazon EC2 Systems Manager to report on instance patch compliance, and enforce updates during the defined maintenance windows.
- C: Examine AWS CloudTrail logs to determine whether any instances have not restarted in the last 30 days, and redeploy those instances.
- D: Update the AMIs with the latest approved patches, and redeploy each instance during the defined maintenance window.
Question 60
A company is operating an open-source software platform that is internet facing. The legacy software platform no longer receives security updates. The software platform operates using Amazon Route 53 weighted load balancing to send traffic to two Amazon EC2 instances that connect to an Amazon RDS cluster. A recent report suggests this software platform is vulnerable to SQL injection attacks, with samples of attacks provided. The company's Security Engineer must secure this system against SQL injection attacks within 24 hours. The Security Engineer's solution must involve the least amount of effort and maintain normal operations during implementation.
What should the Security Engineer do to meet these requirements?
- A: Create an Application Load Balancer with the existing EC2 instances as a target group. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the ALB. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to the ALB. Update security groups on the EC2 instances to prevent direct access from the internet.
- B: Create an Amazon CloudFront distribution specifying one EC2 instance as an origin. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the distribution. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to CloudFront.
- C: Obtain the latest source code for the platform and make the necessary updates. Test the updated code to ensure that the vulnerability has been mitigated, then deploy the patched version of the platform to the EC2 instances.
- D: Update the security group that is attached to the EC2 instances, removing access from the internet to the TCP port used by the SQL database. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the EC2 instances. Test to ensure the vulnerability has been mitigated, then restore the security group to the original setting.
Question 61
A recent security audit found that AWS CloudTrail logs are insufficiently protected from tampering and unauthorized access.
Which actions must the Security Engineer take to address these audit findings? (Choose three.)
- A: Ensure CloudTrail log file validation is turned on.
- B: Configure an S3 lifecycle rule to periodically archive CloudTrail logs into Glacier for long-term storage.
- C: Use an S3 bucket with tight access controls that exists in a separate account.
- D: Use Amazon Inspector to monitor the file integrity of CloudTrail log files.
- E: Request a certificate through ACM and use a generated certificate private key to encrypt CloudTrail log files.
- F: Encrypt the CloudTrail log files with server-side encryption AWS KMS-managed keys (SSE-KMS).
Question 62
A company's Developers plan to migrate their on-premises applications to Amazon EC2 instances running Amazon Linux AMIs. The applications are accessed by a group of partner companies. The Security Engineer needs to implement the following host-based security measures for these instances:
✑ Block traffic from documented known bad IP addresses.
✑ Detect known software vulnerabilities and CIS Benchmarks compliance.
Which solution addresses these requirements?
- A: Launch the EC2 instances with an IAM role attached. Include a user data script that uses the AWS CLI to retrieve the list of bad IP addresses from AWS Secrets Manager, and uploads it as a threat list in Amazon GuardDuty. Use Amazon Inspector to scan the instances for known software vulnerabilities and CIS Benchmarks compliance.
- B: Launch the EC2 instances with an IAM role attached. Include a user data script that uses the AWS CLI to create NACLs blocking ingress traffic from the known bad IP addresses in the EC2 instance's subnets. Use AWS Systems Manager to scan the instances for known software vulnerabilities, and AWS Trusted Advisor to check instances for CIS Benchmarks compliance.
- C: Launch the EC2 instances with an IAM role attached. Include a user data script that uses the AWS CLI to create and attach security groups that only allow an allow listed source IP address range inbound. Use Amazon Inspector to scan the instances for known software vulnerabilities, and AWS Trusted Advisor to check instances for CIS Benchmarks compliance.
- D: Launch the EC2 instances with an IAM role attached. Include a user data script that creates a cron job to periodically retrieve the list of bad IP addresses from Amazon S3, and configures iptables on the instances blocking the list of bad IP addresses. Use Amazon Inspector to scan the instances for known software vulnerabilities and CIS Benchmarks compliance.
Question 63
A Security Architect has been asked to review an existing security architecture and identify why the application servers cannot successfully initiate a connection to the database servers. The following summary describes the architecture:
- An Application Load Balancer, an internet gateway and a NAT gateway are configured in the public subnet.
- Database, application, and web servers are configured on three different private subnets.
- The VPC has two route tables: one for the public subnet and one for all other subnets. The route table for the public subnet has a 0.0.0.0/0 route to the internet gateway. The route table for all other subnets has a 0.0.0.0/0 route to the NAT gateway. All private subnets can route to each other.
- Each subnet has a network ACL implemented that limits all inbound and outbound connectivity to only the required ports and protocols.
- There are 3 Security Groups (SGs): database, application, and web. Each group limits all inbound and outbound connectivity to the minimum required.
Which of the following accurately reflects the access control mechanisms the Architect should verify?
- A: Outbound SG configuration on database servers; inbound SG configuration on application servers; inbound and outbound network ACL configuration on the database subnet; inbound and outbound network ACL configuration on the application server subnet.
- B: Inbound SG configuration on database servers; outbound SG configuration on application servers; inbound and outbound network ACL configuration on the database subnet; inbound and outbound network ACL configuration on the application server subnet.
- C: Inbound and outbound SG configuration on database servers; inbound and outbound SG configuration on application servers; inbound network ACL configuration on the database subnet; outbound network ACL configuration on the application server subnet.
- D: Inbound SG configuration on database servers; outbound SG configuration on application servers; inbound network ACL configuration on the database subnet; outbound network ACL configuration on the application server subnet.
Question 64
Developers in an organization have moved from a standard application deployment to containers. The Security Engineer is tasked with ensuring that containers are secure.
Which strategies will reduce the attack surface and enhance the security of the containers? (Choose two.)
- A: Use the containers to automate security deployments.
- B: Limit resource consumption (CPU, memory), networking connections, ports, and unnecessary container libraries.
- C: Segregate container by host, function, and data classification.
- D: Use Docker Notary framework to sign task definitions.
- E: Enable container breakout at the host kernel.
Question 65
Auditors for a health care company have mandated that all data volumes be encrypted at rest. Infrastructure is deployed mainly via AWS CloudFormation; however, third-party frameworks and manual deployment are required on some legacy systems.
What is the BEST way to monitor, on a recurring basis, whether all EBS volumes are encrypted?
- A: On a recurring basis, update all IAM user policies to require that EC2 instances are created with an encrypted volume.
- B: Configure an AWS Config rule to run on a recurring basis for volume encryption.
- C: Set up Amazon Inspector rules for volume encryption to run on a recurring schedule.
- D: Use CloudWatch Logs to determine whether instances were created with an encrypted volume.
Question 66
A company became aware that one of its access keys was exposed on a code sharing website 11 days ago. A Security Engineer must review all use of the exposed keys to determine the extent of the exposure. The company enabled AWS CloudTrail in all regions when it opened the account.
Which of the following will allow the Security Engineer to complete the task?
- A: Filter the event history on the exposed access key in the CloudTrail console. Examine the data from the past 11 days.
- B: Use the AWS CLI to generate an IAM credential report. Extract all the data from the past 11 days.
- C: Use Amazon Athena to query the CloudTrail logs from Amazon S3. Retrieve the rows for the exposed access key for the past 11 days.
- D: Use the Access Advisor tab in the IAM console to view all of the access key activity for the past 11 days.
Question 67
A Development team has built an experimental environment to test a simple static web application. It has built an isolated VPC with a private and a public subnet.
The public subnet holds only an Application Load Balancer, a NAT gateway, and an internet gateway. The private subnet holds all of the Amazon EC2 instances.
There are 3 different types of servers. Each server type has its own Security Group that limits access to only required connectivity. The Security Groups have both inbound and outbound rules applied. Each subnet has both inbound and outbound network ACLs applied to limit access to only required connectivity.
Which of the following should the team check if a server cannot establish an outbound connection to the internet? (Choose three.)
- A: The route tables and the outbound rules on the appropriate private subnet security group.
- B: The outbound network ACL rules on the private subnet and the inbound network ACL rules on the public subnet.
- C: The outbound network ACL rules on the private subnet and both the inbound and outbound rules on the public subnet.
- D: The rules on any host-based firewall that may be applied on the Amazon EC2 instances.
- E: The Security Group applied to the Application Load Balancer and NAT gateway.
- F: That the 0.0.0.0/0 route in the private subnet route table points to the Internet gateway in the public subnet.
Question 68
A company has complex connectivity rules governing ingress, egress, and communications between Amazon EC2 instances. The rules are so complex that they cannot be implemented within the limits of the maximum number of security groups and network access control lists (network ACLs).
What mechanism will allow the company to implement all required network rules without incurring additional cost?
- A: Configure AWS WAF rules to implement the required rules.
- B: Use the operating system built-in, host-based firewall to implement the required rules.
- C: Use a NAT gateway to control ingress and egress according to the requirements.
- D: Launch an EC2-based firewall product from the AWS Marketplace, and implement the required rules in that product.
Question 69
Example.com is hosted on an Amazon EC2 instance behind an Application Load Balancer (ALB). Third-party host intrusion detection system (HIDS) agents that capture the traffic of the EC2 instance are running on each host. The company must ensure they are using privacy enhancing technologies for users, without losing the assurance the third-party solution offers.
What is the MOST secure way to meet these requirements?
- A: Enable TLS pass through on the ALB, and handle decryption at the server using Elliptic Curve Diffie-Hellman (ECDHE) cipher suites.
- B: Create a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie-Hellman (ECDHE) cipher suites, and pass the traffic in the clear to the server.
- C: Create a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie-Hellman (ECDHE) cipher suites, and use encrypted connections to the servers that do not enable Perfect Forward Secrecy (PFS).
- D: Create a listener on the ALB that does not enable Perfect Forward Secrecy (PFS) cipher suites, and use encrypted connections to the servers using Elliptic Curve Diffie-Hellman (ECDHE) cipher suites.
Question 70
A Website currently runs on Amazon EC2, with mostly static content on the site. Recently, the site was subjected to a DDoS attack, and a Security Engineer was tasked with redesigning the edge security to help mitigate this risk in the future.
What are some ways the Engineer could achieve this? (Choose three.)
- A: Use AWS X-Ray to inspect the traffic going to the EC2 instances.
- B: Move the static content to Amazon S3, and front this with an Amazon CloudFront distribution.
- C: Change the security group configuration to block the source of the attack traffic.
- D: Use AWS WAF security rules to inspect the inbound traffic.
- E: Use Amazon Inspector assessment templates to inspect the inbound traffic.
- F: Use Amazon Route 53 to distribute traffic.
Question 71
A company manages three separate AWS accounts for its production, development, and test environments. Each Developer is assigned a unique IAM user under the development account. A new application hosted on an Amazon EC2 instance in the development account requires read access to the archived documents stored in an Amazon S3 bucket in the production account.
How should access be granted?
- A: Create an IAM role in the production account and allow EC2 instance in the development account to assume that role using the trust policy. Provide read access for the required S3 bucket to this role.
- B: Use a custom identity broker to allow Developer IAM users to temporarily access the S3 bucket.
- C: Create a temporary IAM user for the application to use in the production account.
- D: Create a temporary IAM user in the production account and provide read access to Amazon S3. Generate the temporary IAM user's access key and secret key and store these keys on the EC2 instance used by the application in the development account.
Question 72
A company requires that SSH commands used to access its AWS instances be traceable to the user who executed each command.
How should a Security Engineer accomplish this?
- A: Allow inbound access on port 22 at the security group attached to the instance. Use AWS Systems Manager Session Manager for shell access to Amazon EC2 instances with the user tag defined. Enable Amazon CloudWatch logging for Systems Manager sessions.
- B: Use Amazon S3 to securely store one Privacy Enhanced Mail Certificate (PEM file) for each user. Allow Amazon EC2 to read from Amazon S3 and import every user that wants to use SSH to access EC2 instances. Allow inbound access on port 22 at the security group attached to the instance. Install the Amazon CloudWatch agent on the EC2 instance and configure it to ingest audit logs for the instance.
- C: Deny inbound access on port 22 at the security group attached to the instance. Use AWS Systems Manager Session Manager for shell access to Amazon EC2 instances with the user tag defined. Enable Amazon CloudWatch logging for Systems Manager sessions.
- D: Use Amazon S3 to securely store one Privacy Enhanced Mail Certificate (PEM file) for each team or group. Allow Amazon EC2 to read from Amazon S3 and import every user that wants to use SSH to access EC2 instance. Allow inbound access on port 22 at the security group attached to the instance. Install the Amazon CloudWatch agent on the EC2 instance and configure it to ingest audit logs for the instances.
Question 73
An organization must establish the ability to delete an AWS KMS Customer Master Key (CMK) within a 24-hour timeframe to keep it from being used for encrypt or decrypt operations.
Which of the following actions will address this requirement?
- A: Manually rotate a key within KMS to create a new CMK immediately.
- B: Use the KMS import key functionality to execute a delete key operation.
- C: Use the schedule key deletion function within KMS to specify the minimum wait period for deletion.
- D: Change the KMS CMK alias to immediately prevent any services from using the CMK.
Question 74
A company uses Microsoft Active Directory for access management for on-premises resources, and wants to use the same mechanism for accessing its AWS accounts. Additionally, the Development team plans to launch a public-facing application for which they need a separate authentication solution.
Which combination of the following would satisfy these requirements? (Choose two.)
- A: Set up domain controllers on Amazon EC2 to extend the on-premises directory to AWS.
- B: Establish network connectivity between on-premises and the user's VPC.
- C: Use Amazon Cognito user pools for application authentication.
- D: Use AD Connector for application authentication.
- E: Set up federated sign-in to AWS through ADFS and SAML.
Question 75
A company wants to encrypt the private network between its on-premises environment and AWS. The company also wants a consistent network experience for its employees.
What should the company do to meet these requirements?
- A: Establish an AWS Direct Connect connection with AWS and set up a Direct Connect gateway. In the Direct Connect gateway configuration, enable IPsec and BGP, and then leverage native AWS network encryption between Availability Zones and Regions.
- B: Establish an AWS Direct Connect connection with AWS and set up a Direct Connect gateway. Using the Direct Connect gateway, create a private virtual interface and advertise the customer gateway private IP addresses. Create a VPN connection using the customer gateway and the virtual private gateway.
- C: Establish a VPN connection with the AWS virtual private cloud over the Internet.
- D: Establish an AWS Direct Connect connection with AWS and establish a public virtual interface. For prefixes that need to be advertised, enter the customer gateway public IP addresses. Create a VPN connection over Direct Connect using the customer gateway and the virtual private gateway.