100% Free AWS Certified Security AWS-Security-Specialty Dumps PDF Demo Cert Guide Cover
PDF Exam Material 2022 Realistic AWS-Security-Specialty Dumps Questions
NEW QUESTION 280
A company has a forensic logging use case whereby several hundred applications running on Docker on EC2 need to send logs to a central location. The Security Engineer must create a logging solution that is able to perform real-time analytics on the log files, grants the ability to replay events, and persists data.
Which AWS Services, together, can satisfy this use case? (Select two.)
- A. Amazon CloudWatch
- B. Amazon Kinesis
- C. Amazon Athena
- D. Amazon SQS
- E. Amazon Elasticsearch
Answer: A,B
NEW QUESTION 281
A company has external vendors that must deliver files to the company. These vendors have cross-account access that gives them permission to upload objects to one of the company's S3 buckets.
What combination of steps must the vendor follow to successfully deliver a file to the company? Select 2 answers from the options given below.
Please select:
- A. Add a bucket policy to the bucket that grants the bucket owner full permissions to the object
- B. Add a grant to the object's ACL giving full permissions to the bucket owner.
- C. Attach an IAM role to the bucket that grants the bucket owner full permissions to the object
- D. Upload the file to the company's S3 bucket
- E. Encrypt the object with a KMS key controlled by the company.
Answer: B,D
Explanation:
This scenario is given in the AWS Documentation:
A bucket owner can enable other AWS accounts to upload objects. These objects are owned by the accounts that created them. The bucket owner does not own objects that were not created by the bucket owner.
Therefore, for the bucket owner to grant access to these objects, the object owner must first grant permission to the bucket owner using an object ACL. The bucket owner can then delegate those permissions via a bucket policy. In this example, the bucket owner delegates permission to users in its own account.
Options A and D are invalid because bucket ACLs are used to grant permissions on the bucket itself, not on the uploaded object. Option C is not required since encryption is not part of the requirement. For more information on this scenario, please see the link below:
https://docs.aws.amazon.com/AmazonS3/latest/dev/example-walkthroughs-managing-access-example3.html
The correct answers are: Add a grant to the object's ACL giving full permissions to the bucket owner; Upload the file to the company's S3 bucket.
NEW QUESTION 282
Which of the following is not a best practice for carrying out a security audit?
Please select:
- A. Conduct an audit if you ever suspect that an unauthorized person might have accessed your account
- B. Whenever there are changes in your organization
- C. Conduct an audit if application instances have been added to your account
- D. Conduct an audit on a yearly basis
Answer: D
Explanation:
A year is generally too long a gap between security audits. The AWS Documentation mentions the following. You should audit your security configuration in the following situations:
* On a periodic basis.
* If there are changes in your organization, such as people leaving.
* If you have stopped using one or more individual AWS services. This is important for removing permissions that users in your account no longer need.
* If you've added or removed software in your accounts, such as applications on Amazon EC2 instances, AWS OpsWorks stacks, AWS CloudFormation templates, etc.
* If you ever suspect that an unauthorized person might have accessed your account.
Option B, C and D are all the right ways and recommended best practices when it comes to conducting audits. For more information on the Security Audit guideline, please visit the URL below:
https://docs.aws.amazon.com/general/latest/gr/aws-security-audit-guide.html
The correct answer is: Conduct an audit on a yearly basis.
NEW QUESTION 283
The InfoSec team has mandated that in the future only approved Amazon Machine Images (AMIs) can be used.
How can the InfoSec team ensure compliance with this mandate?
- A. Define a metric filter in Amazon CloudWatch Logs to verify compliance.
- B. Terminate all Amazon EC2 instances and relaunch them with approved AMIs.
- C. Patch all running instances by using AWS Systems Manager.
- D. Deploy AWS Config rules and check all running instances for compliance.
Answer: D
NEW QUESTION 284
A company wishes to enable Single Sign On (SSO) so its employees can log in to the management console using their corporate directory identity. Which steps below are required as part of the process? Select 2 answers from the options given below.
Please select:
- A. Create IAM policies that can be mapped to group memberships in the corporate directory.
- B. Create a Lambda function to assign IAM roles to the temporary security tokens provided to the users.
- C. Create IAM users that can be mapped to the employees' corporate identities
- D. Create a Direct Connect connection between the on-premises network and AWS. Use an AD Connector for connecting AWS with the on-premises Active Directory.
- E. Create an IAM role that establishes a trust relationship between IAM and the corporate directory identity provider (IdP).
Answer: D,E
Explanation:
Create a Direct Connect connection so that corporate users can access the AWS account.
Option B is incorrect because IAM policies are not directly mapped to group memberships in the corporate directory. It is IAM roles which are mapped.
Option C is incorrect because a Lambda function is an incorrect option to assign roles.
Option D is incorrect because IAM users are not directly mapped to employees' corporate identities.
For more information on Direct Connect, please refer to the URL below:
https://aws.amazon.com/directconnect/
From the AWS Documentation, for federated access you also need to ensure the right policy permissions are in place. Configure permissions in AWS for your federated users. The next step is to create an IAM role that establishes a trust relationship between IAM and your organization's IdP, which identifies your IdP as a principal (trusted entity) for purposes of federation. The role also defines what users authenticated by your organization's IdP are allowed to do in AWS. You can use the IAM console to create this role. When you create the trust policy that indicates who can assume the role, you specify the SAML provider that you created earlier in IAM along with one or more SAML attributes that a user must match to be allowed to assume the role. For example, you can specify that only users whose SAML eduPersonOrgDN value is ExampleOrg are allowed to sign in. The role wizard automatically adds a condition to test the saml:aud attribute to make sure that the role is assumed only for sign-in to the AWS Management Console. The trust policy for the role might look like this:
For more information on SAML federation, please refer to the URL below:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enabli
Note:
What directories can I use with AWS SSO?
You can connect AWS SSO to Microsoft Active Directory, running either on-premises or in the AWS Cloud. AWS SSO supports AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD, and AD Connector. AWS SSO does not support Simple AD. See AWS Directory Service Getting Started to learn more.
To connect to your on-premises directory with AD Connector, you need the following:
VPC
Set up a VPC with the following:
* At least two subnets. Each of the subnets must be in a different Availability Zone.
* The VPC must be connected to your on-premises network through a virtual private network (VPN) connection or AWS Direct Connect.
* The VPC must have default hardware tenancy.
* https://aws.amazon.com/single-sign-on/
* https://aws.amazon.com/single-sign-on/faqs/
* https://aws.amazon.com/bloj using-corporate-credentials/
* https://docs.aws.amazon.com/directoryservice/latest/admin-
The correct answers are: Create a Direct Connect connection between the on-premises network and AWS. Use an AD Connector for connecting AWS with the on-premises Active Directory; Create an IAM role that establishes a trust relationship between IAM and the corporate directory identity provider (IdP).
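As an added example (not the trust policy from the AWS documentation the explanation quotes), this is the shape of a SAML role trust policy that ties the role to console sign-in via `saml:aud` and to the attribute match mentioned above; the account ID, provider name and the `ExampleOrg` value are placeholders:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowConsoleSignInFromCorporateIdP",
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::111122223333:saml-provider/ExampleOrgSSOProvider"
      },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {
        "StringEquals": {
          "saml:aud": "https://signin.aws.amazon.com/saml",
          "saml:eduPersonOrgDN": "ExampleOrg"
        }
      }
    }
  ]
}
```

The `saml:aud` value is what prevents an assertion issued for another service from being replayed against this role, and the attribute condition is what keeps users from other organizations in the same IdP out of it.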
NEW QUESTION 285
A company plans to move most of its IT infrastructure to AWS. They want to leverage their existing on-premises Active Directory as an identity provider for AWS.
Which combination of steps should a Security Engineer take to federate the company's on-premises Active Directory with AWS? (Choose two.)
- A. Configure Amazon Cloud Directory to support a SAML provider.
- B. Create IAM roles with permissions corresponding to each Active Directory group.
- C. Configure Amazon Cognito to add relying party trust between Active Directory and AWS.
- D. Configure Active Directory to add relying party trust between Active Directory and AWS.
- E. Create IAM groups with permissions corresponding to each Active Directory group.
Answer: B,D
NEW QUESTION 286
A Software Engineer wrote a customized reporting service that will run on a fleet of Amazon EC2 instances.
The company security policy states that application logs for the reporting service must be centrally collected.
What is the MOST efficient way to meet these requirements?
- A. Write an AWS Lambda function that logs into the EC2 instance to pull the application logs from the EC2 instance and persists them into an Amazon S3 bucket.
- B. Install the Amazon CloudWatch Logs Agent on the EC2 instances, and configure it to send the application logs to CloudWatch Logs.
- C. Enable AWS CloudTrail logging for the AWS account, create a new Amazon S3 bucket, and then configure Amazon CloudWatch Logs to receive the application logs from CloudTrail.
- D. Create a simple cron job on the EC2 instances that synchronizes the application logs to an Amazon S3 bucket by using rsync.
Answer: B
NEW QUESTION 287
An organization has set up multiple IAM users. The organization wants each IAM user to access the IAM console only from within the organization and not from outside. How can it achieve this?
Please select:
- A. Configure the EC2 instance security group which allows traffic only from the organization's IP range
- B. Create an IAM policy with a condition which denies access when the IP address range is not from the organization
- C. Create an IAM policy with VPC and allow a secure gateway between the organization and AWS Console
- D. Create an IAM policy with the security group and use that security group for AWS console login
Answer: B
Explanation:
You can use a Deny statement with a condition so that the user cannot log in from outside the organization. The example below shows a Deny condition that blocks requests whose source IP address is not within the organization's address range from accessing resources in AWS.
Option A is invalid because you don't mention the security group in the IAM policy. Option C is invalid because security groups by default don't allow traffic. Option D is invalid because the IAM policy does not have such an option. For more information on IAM policy conditions, please visit the URL:
http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_examples.html#iam-policy-example-ec2-two-condition
The correct answer is: Create an IAM policy with a condition which denies access when the IP address range is not from the organization.
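An added example of such a policy (written here, not taken from the AWS page the explanation refers to); the two CIDR ranges are constructed RFC 5737 documentation addresses standing in for the organization's egress ranges:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAccessFromOutsideCorporateRanges",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "203.0.113.0/24",
            "198.51.100.0/24"
          ]
        },
        "Bool": {
          "aws:ViaAWSService": "false"
        }
      }
    }
  ]
}
```

Because this is an explicit Deny it overrides every Allow, so attach it to a test user first; the `aws:ViaAWSService` clause keeps it from also denying calls that AWS services make on the user's behalf (for example CloudFormation), and requests arriving through a VPC endpoint carry a private address in `aws:VpcSourceIp` rather than `aws:SourceIp`, so those need a separate condition.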
NEW QUESTION 288
Your company has a requirement to monitor all root user activity by notification. How can this best be achieved? Choose 2 answers from the options given below. Each answer forms part of the solution.
Please select:
- A. Create a CloudWatch Events Rule
- B. Create a CloudWatch Logs Rule
- C. Use a Lambda function
- D. Use a CloudTrail API call
Answer: A,C
Explanation:
Below is a snippet from the AWS blogs on a solution
Option B is invalid because you need to create a CloudWatch Events Rule, and there is no such thing as a CloudWatch Logs Rule. Option D is invalid because CloudTrail API calls can be recorded but cannot be used to send notifications. For more information on this blog article, please visit the following URL:
https://aws.amazon.com/blogs/mt/monitor-and-notify-on-aws-account-root-user-activity/
The correct answers are: Create a CloudWatch Events Rule; Use a Lambda function.
NEW QUESTION 289
An organization receives an alert that indicates that an EC2 instance behind an ELB Classic Load Balancer has been compromised.
What techniques will limit lateral movement and allow evidence gathering?
- A. Remove the instance from the load balancer and terminate it.
- B. Remove the instance from the load balancer, and shut down access to the instance by tightening the security group.
- C. Reboot the instance and check for any Amazon CloudWatch alarms.
- D. Stop the instance and make a snapshot of the root EBS volume.
Answer: C
NEW QUESTION 290
A company is using a Redshift cluster to store their data warehouse. There is a requirement from the Internal IT Security team to ensure that data gets encrypted for the Redshift database. How can this be achieved?
Please select:
- A. Encrypt the EBS volumes of the underlying EC2 Instances
- B. Use SSL/TLS for encrypting the data
- C. Use AWS KMS Customer Default master key
- D. Use S3 Encryption
Answer: C
Explanation:
The AWS Documentation mentions the following
Amazon Redshift uses a hierarchy of encryption keys to encrypt the database. You can use either AWS Key Management Service (AWS KMS) or a hardware security module (HSM) to manage the top-level encryption keys in this hierarchy. The process that Amazon Redshift uses for encryption differs depending on how you manage keys.
Option A is invalid because it is the cluster that needs to be encrypted.
Option C is invalid because this encrypts data in transit and not data at rest. Option D is invalid because this is used only for objects in S3 buckets. For more information on Redshift encryption, please visit the following URL:
https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-db-encryption.html
The correct answer is: Use AWS KMS Customer Default master key.
NEW QUESTION 291
Your company has created a set of keys using the AWS KMS service. They need to ensure that each key is only used for certain services. For example, they want one key to be used only for the S3 service. How can this be achieved?
Please select:
- A. Create a bucket policy that allows the key to be accessed by only the S3 service.
- B. Create an IAM policy that allows the key to be accessed by only the S3 service.
- C. Use the kms:ViaService condition in the Key policy
- D. Define an IAM user, allocate the key and then assign the permissions to the required service
Answer: C
Explanation:
Options A and B are invalid because mapping keys to services cannot be done via either the IAM or the bucket policy. Option D is invalid because keys for IAM users cannot be assigned to services. This is mentioned in the AWS Documentation: The kms:ViaService condition key limits use of a customer-managed CMK to requests from particular AWS services. (AWS managed CMKs in your account, such as aws/s3, are always restricted to the AWS service that created them.) For example, you can use kms:ViaService to allow a user to use a customer managed CMK only for requests that Amazon S3 makes on their behalf. Or you can use it to deny the user permission to a CMK when a request on their behalf comes from AWS Lambda.
For more information on key policies for KMS, please visit the following URL:
https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html
The correct answer is: Use the kms:ViaService condition in the Key policy.
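An added example (not from the AWS documentation quoted above) of the key policy statement that implements this: the principal ARN and region are placeholders, and the statement is meant to sit alongside the key's existing administrator statement, not replace it:

```json
{
  "Sid": "AllowKeyUseOnlyThroughS3",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:role/reporting-app"
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:ViaService": "s3.us-east-1.amazonaws.com"
    }
  }
}
```

The value is always `service.region.amazonaws.com`, so a direct `kms:Decrypt` call from the same role (or one routed through Lambda, as the explanation mentions) no longer matches and is not allowed by this statement.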
NEW QUESTION 292
A Security Administrator is configuring an Amazon S3 bucket and must meet the following security requirements:
* Encryption in transit
* Encryption at rest
* Logging of all object retrievals in AWS CloudTrail
Which of the following meet these security requirements? (Choose three.)
- A. Enable API logging of data events for all S3 objects.
- B. Set up default encryption for the S3 bucket.
- C. Enable Amazon CloudWatch Logs for the AWS account.
- D. Enable S3 object versioning for the S3 bucket.
- E. Enable a security group for the S3 bucket that allows port 443, but not port 80.
- F. Specify "aws:SecureTransport": "true" within a condition in the S3 bucket policy.
Answer: A,B,F
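Option F is written in practice as an explicit Deny on `aws:SecureTransport` being false, which is the same condition key the option names; this bucket policy is an added example, not from the original question, and the bucket name is a placeholder:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnencryptedTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-secure-bucket",
        "arn:aws:s3:::example-secure-bucket/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```

This covers only the in-transit requirement; default bucket encryption (option B) and CloudTrail data events for the bucket's objects (option A) are configured separately.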
NEW QUESTION 293
While analyzing a company's security solution, a Security Engineer wants to secure the AWS account root user.
What should the Security Engineer do to provide the highest level of security for the account?
- A. Create a new IAM user that has administrator permissions in the AWS account. Delete the password for the AWS account root user.
- B. Create a new IAM user that has administrator permissions in the AWS account. Modify the permissions for the existing IAM users.
- C. Replace the access key for the AWS account root user. Delete the password for the AWS account root user.
- D. Create a new IAM user that has administrator permissions in the AWS account. Enable multi-factor authentication for the AWS account root user.
Answer: D
Explanation:
If you continue to use the root user credentials, we recommend that you follow the security best practice to enable multi-factor authentication (MFA) for your account. Because your root user can perform sensitive operations in your account, adding an additional layer of authentication helps you to better secure your account. Multiple types of MFA are available.
NEW QUESTION 294
You have a vendor that needs access to an AWS resource. You create an AWS user account. You want to restrict access to the resource using a policy for just that user over a brief period. Which of the following would be an ideal policy to use?
Please select:
- A. A Bucket Policy
- B. An Inline Policy
- C. An AWS Managed Policy
- D. A bucket ACL
Answer: B
Explanation:
The AWS Documentation gives an example of such a case:
Inline policies are useful if you want to maintain a strict one-to-one relationship between a policy and the principal entity that it's applied to. For example, you want to be sure that the permissions in a policy are not inadvertently assigned to a principal entity other than the one they're intended for. When you use an inline policy, the permissions in the policy cannot be inadvertently attached to the wrong principal entity. In addition, when you use the AWS Management Console to delete that principal entity, the policies embedded in the principal entity are deleted as well. That's because they are part of the principal entity.
Option A is invalid because AWS Managed Policies are fine for a group of users, but for individual users inline policies are better.
Options C and D are invalid because they are specifically meant for access to S3 buckets. For more information on policies, please visit the following URL:
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html
The correct answer is: An Inline Policy.