Free Amazon AWS-Security-Specialty Exam Dumps Questions & Answers

An Amazon S3 bucket is encrypted using an IAM KMS CMK. An IAM user is unable to download objects from the S3 bucket using the IAM Management Console; however, other users can download objects from the S3 bucket.
Which policies should the Security Engineer review and modify to resolve this issue? (Select three.)

• A.  The CMK policy
• B.  The VPC endpoint policy
• C.  The IAM policy
• D.  The S3 ACL
• E.  The S3 bucket policy

A recent security audit found that IAM CloudTrail logs are insufficiently protected from tampering and unauthorized access Which actions must the Security Engineer take to address these audit findings? (Select THREE )

• A.  Use an S3 bucket with tight access controls that exists m a separate account
• B.  Ensure CloudTrail log file validation is turned on
• C.  Request a certificate through ACM and use a generated certificate private key to encrypt CloudTrail log files
• D.  Use Amazon Inspector to monitor the file integrity of CloudTrail log files.
• E.  Encrypt the CloudTrail log files with server-side encryption with IAM KMS-managed keys (SSE-KMS)
• F.  Configure an S3 lifecycle rule to periodically archive CloudTrail logs into Glacier for long-term storage

Your organization is preparing for a security assessment of your use of IAM. In preparation for this assessment, which three IAM best practices should you consider implementing?
Please select:

• A.  Ensure all users have been assigned and dre frequently rotating a password, access ID/secret key, and X.509 certificate
• B.  Configure MFA on the root account and for privileged IAM users
• C.  Create individual IAM users
• D.  Assign IAM users and groups configured with policies granting least privilege access

A company has two VPCs in the same AWS Region and in the same AWS account Each VPC uses a CIDR block that does not overlap with the CIDR block of the other VPC One VPC contains AWS Lambda functions that run inside a subnet that accesses the internet through a NAT gateway. The Lambda functions require access to a publicly accessible Amazon Aurora MySQL database that is running in the other VPC A security engineer determines that the Aurora database uses a security group rule that allows connections from the NAT gateway IP address that the Lambda functions use. The company's security policy states that no database should be publicly accessible.
What is the MOST secure way that the security engineer can provide the Lambda functions with access to the Aurora database?

• A.  Move the Lambda functions into a public subnet in their VPC Move the Aurora database into a private subnet in its VPC Configure the Lambda functions to use the Aurora database's new private IP address to access the database Configure the Aurora database to allow access from the public IP addresses of the Lambda functions
• B.  Move the Aurora database into a private subnet that has no internet access routes in the database's current VPC Configure the Lambda functions to use the Aurora database's new private IP address to access the database Configure the Aurora databases security group to allow access from the private IP addresses of the Lambda functions
• C.  Establish a VPC endpoint between the two VPCs in the Aurora database's VPC configure a service VPC endpoint for Amazon RDS In the Lambda functions' VPC.
  configure an interface VPC endpoint that uses the service endpoint in the Aurora database's VPC Configure the service endpoint to allow connections from the Lambda functions.
• D.  Establish an AWS Direct Connect interface between the VPCs Configure the Lambda functions to use a new route table that accesses the Aurora database through the Direct Connect interface Configure the Aurora database's security group to allow access from the Direct Connect interface IP address

Your company has a set of EC2 Instances defined in IAM. They need to ensure that all traffic packets are monitored and inspected for any security threats. How can this be achieved? Choose 2 answers from the options given below Please select:

• A.  Use a third party firewall installed on a central EC2 instance
• B.  Use VPC Flow logs
• C.  Use a host based intrusion detection system
• D.  Use Network Access control lists logging