AWS-Security-Specialty Updated Exam Dumps [2023] Practice Valid Exam Dumps Question
NEW QUESTION # 266
A Security Engineer received an AWS Abuse Notice listing EC2 instance IDs that are reportedly abusing other hosts.
Which actions should the Engineer take based on this situation? (Choose three.)
- A. Create EBS Snapshots of each of the volumes attached to the compromised instances.
- B. Revoke all network ingress and egress except for to/from a forensics host.
- C. Run Auto Recovery for Amazon EC2.
- D. Log in to each instance with administrative credentials to restart the instance.
- E. Use AWS Artifact to capture an exact image of the state of each instance.
- F. Capture a memory dump.
Answer: A,B,F
Explanation:
Preserve evidence and contain the instance: snapshot the attached EBS volumes, capture memory while the instance is still running, and replace its security groups with one that only permits traffic to and from the forensics host. AWS Artifact only provides compliance reports and agreements and cannot image an instance. Auto Recovery and restarting the instance would destroy the volatile evidence the investigation needs.
NEW QUESTION # 267
An application uses Amazon Cognito to manage end users' permissions when directly accessing AWS resources, including Amazon DynamoDB. A new feature request reads as follows:
Provide a mechanism to mark customers as suspended pending investigation or suspended permanently.
Customers should still be able to log in when suspended, but should not be able to make changes.
The priorities are to reduce complexity and avoid potential for future security issues.
Which approach will meet these requirements and priorities?
- A. Use Amazon Cognito Sync to push out a "suspension_status" parameter and split the IAM policy into normal users and suspended users.
- B. Create a new database field "suspended_status" and modify the application logic to validate that field when processing requests.
- C. Add suspended customers to second Cognito user pool and update the application login flow to check both user pools.
- D. Move suspended customers to a second Cognito group and define an appropriate IAM access policy for the group.
Answer: D
NEW QUESTION # 268
You have a 2-tier application hosted in AWS. It consists of a web server and a database server (SQL Server) hosted on separate EC2 instances. You are devising the security groups for these EC2 instances. The web tier needs to be accessed by users across the Internet. You have created a web security group (wg-123) and a database security group (db-345). Which combination of the following security group rules will allow the application to be secure and functional? Choose 2 answers from the options given below.
Please select:
- A. db-345 -Allow ports 1433 from 0.0.0.0/0
- B. wg-123 - Allow port 1433 from wg-123
- C. wg-123 -Allow ports 80 and 443 from 0.0.0.0/0
- D. db-345 - Allow port 1433 from wg-123
Answer: C,D
Explanation:
The web security group should allow ports 80 and 443 (HTTP and HTTPS) from all users on the internet.
The database security group should allow port 1433 only from the web security group.
Option A is invalid because the database port must never be exposed to the internet (0.0.0.0/0).
Option B is invalid because allowing 1433 within the web security group does nothing for the web-to-database path; the rule belongs on db-345, with wg-123 as the source.
For more information on Security Groups please visit the below URL:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html
The correct answers are: wg-123 - Allow ports 80 and 443 from 0.0.0.0/0, db-345 - Allow port 1433 from wg-123
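The two rules as a CloudFormation template, added here as an illustration; it is not part of the original question or of AWS's own material. The VpcId parameter and the logical names WebSecurityGroup and DbSecurityGroup are assumptions that stand in for wg-123 and db-345.

```yaml
# Added example (not from the original page): the wg-123 / db-345 rules from
# Question 268 as CloudFormation. VpcId and the logical names are assumptions.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
Resources:
  WebSecurityGroup:            # wg-123
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Web tier - HTTP and HTTPS from the internet
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
  DbSecurityGroup:             # db-345
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SQL Server - reachable only from the web tier
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 1433
          ToPort: 1433
          # Reference the web tier's group rather than a CIDR: membership in
          # wg-123 is what authorises the connection, so adding web instances
          # (for example through Auto Scaling) needs no rule change, and no
          # address outside the web tier can ever match.
          SourceSecurityGroupId: !Ref WebSecurityGroup
```

Security groups are stateful, so the database's replies to the web tier need no egress rule, and the default outbound rule on wg-123 already permits the outbound connection to 1433. After deployment, `aws ec2 describe-security-groups` should show no CidrIp entry on port 1433 for db-345, only a UserIdGroupPairs entry pointing at wg-123.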
NEW QUESTION # 269
A company is designing the security architecture for a global latency-sensitive web application it plans to deploy to AWS. A security engineer needs to configure a highly available and secure two-tier architecture. The security design must include controls to prevent common attacks such as DDoS, cross-site scripting, and SQL injection.
Which solution meets these requirements?
- A. Create an Application Load Balancer (ALB) that uses private subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create appropriate AWS WAF ACLs and enable them on the ALB.
- B. Create an Application Load Balancer (ALB) that uses private subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create an Amazon CloudFront distribution that uses the ALB as its origin. Create appropriate AWS WAF ACLs and enable them on the CloudFront distribution.
- C. Create an Application Load Balancer (ALB) that uses public subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create an Amazon CloudFront distribution that uses the ALB as its origin. Create appropriate AWS WAF ACLs and enable them on the CloudFront distribution.
- D. Create an Application Load Balancer (ALB) that uses public subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create appropriate AWS WAF ACLs and enable them on the ALB.
Answer: B
NEW QUESTION # 270
A company hosts a critical web application on the AWS Cloud. This is a key revenue-generating application for the company. The IT Security team is worried about potential DDoS attacks against the web site. The senior management has also specified that immediate action needs to be taken in case of a potential DDoS attack. What should be done in this regard?
Please select:
- A. Consider using VPC Flow logs to monitor traffic for DDos attack and quickly take actions on a trigger of a potential attack.
- B. Consider using Cloudwatch logs to monitor traffic for DDos attack and quickly take actions on a trigger of a potential attack.
- C. Consider using the AWS Shield Service
- D. Consider using the AWS Shield Advanced Service
Answer: D
Explanation:
Option C is invalid because AWS Shield Standard, which every account gets automatically, only mitigates common network and transport layer attacks and provides no attack notification or response capability; the immediate action the requirement calls for comes with AWS Shield Advanced.
Option A is invalid because VPC Flow Logs record metadata about VPC traffic flows but cannot protect against DDoS attacks.
Option B is invalid because CloudWatch Logs is a logging service for AWS services but cannot protect against DDoS attacks.
The AWS Documentation mentions the following:
AWS Shield Advanced provides enhanced protections for your applications running on Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront and Route 53 against larger and more sophisticated attacks. AWS Shield Advanced is available to AWS Business Support and AWS Enterprise Support customers. AWS Shield Advanced protection provides always-on, flow-based monitoring of network traffic and active application monitoring to provide near real-time notifications of DDoS attacks. AWS Shield Advanced also gives customers highly flexible controls over attack mitigations to take actions instantly. Customers can also engage the DDoS Response Team (DRT) 24x7 to manage and mitigate their application layer DDoS attacks.
For more information on AWS Shield, please visit the below URL:
https://aws.amazon.com/shield/faqs/
The correct answer is: Consider using the AWS Shield Advanced Service
NEW QUESTION # 271
A company has multiple accounts in the AWS Cloud. Users in the developer account need to have access to specific resources in the production account.
What is the MOST secure way to provide this access?
- A. Create cross-account access with an IAM user account in the production account. Grant the appropriate permissions to this user account. Allow users in the developer account to use this user account to access the production resources.
- B. Create cross-account access with an IAM role in the production account. Grant the appropriate permissions to this role. Allow users in the developer account to assume this role to access the production resources.
- C. Create one IAM user in the production account. Grant the appropriate permissions to the resources that are needed. Share the password only with the users that need access.
- D. Create cross-account access with an IAM role in the developer account. Grant the appropriate permissions to this role. Allow users in the developer account to assume this role to access the production resources.
Answer: B
Explanation:
https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
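The cross-account role pattern from the answer, written out as two CloudFormation templates (one per account). This is an added example, not part of the original question or the linked tutorial. The account IDs 111111111111 (developer) and 222222222222 (production), the role name DeveloperProdAccess, the group name ProdReaders and the bucket prod-reports-bucket are assumptions.

```yaml
# Added example (not from the original page). Account IDs, role, group and
# bucket names are assumptions.

# --- Template deployed in the PRODUCTION account (222222222222) ---
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  DeveloperProdAccessRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: DeveloperProdAccess
      # Trust policy: only principals from the developer account may assume
      # the role, and only with MFA. Trusting the account root delegates the
      # choice of WHICH developers may assume it to IAM policies in that
      # account (see the second template); the production account never
      # hands out long-lived credentials.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: arn:aws:iam::111111111111:root
            Action: sts:AssumeRole
            Condition:
              Bool:
                aws:MultiFactorAuthPresent: "true"
      MaxSessionDuration: 3600
      # Permissions policy: only the specific production resources needed.
      Policies:
        - PolicyName: SpecificProductionResources
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: s3:ListBucket
                Resource: arn:aws:s3:::prod-reports-bucket
              - Effect: Allow
                Action: s3:GetObject
                Resource: arn:aws:s3:::prod-reports-bucket/*
---
# --- Template deployed in the DEVELOPER account (111111111111) ---
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  ProdReadersGroup:
    Type: AWS::IAM::Group
    Properties:
      GroupName: ProdReaders
      # Only members of this group may assume the production role; everyone
      # else in the developer account is refused by their own account's IAM.
      Policies:
        - PolicyName: AssumeDeveloperProdAccess
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: sts:AssumeRole
                Resource: arn:aws:iam::222222222222:role/DeveloperProdAccess
```

A developer then runs `aws sts assume-role --role-arn arn:aws:iam::222222222222:role/DeveloperProdAccess --role-session-name <name> --serial-number <mfa-device-arn> --token-code <code>` and receives temporary credentials that expire within an hour. Both sides are auditable: CloudTrail in the production account records the AssumeRole call with the developer's identity, which the shared-user options A and C can never provide.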
NEW QUESTION # 272
A company's Security Engineer has been asked to monitor and report all AWS account root user activities.
Which of the following would enable the Security Engineer to monitor and report all root user activities? (Select TWO)
- A. Configuring AWS Trusted Advisor to send an email to the Security team when the root user logs in to the console
- B. Configuring Amazon Inspector to scan the AWS account for any root user activity
- C. Creating an Amazon CloudWatch Events rule that will trigger when any API call from the root user is reported
- D. Using Amazon SNS to notify the target group
- E. Configuring AWS Organizations to monitor root user API calls on the paying account
Answer: C,D
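The two chosen pieces (a CloudWatch Events/EventBridge rule plus an SNS target) as a CloudFormation template, added here as an illustration; it is not part of the original question. The e-mail address and the logical resource names are assumptions.

```yaml
# Added example (not from the original page): alert on every root user API
# call or console sign-in recorded by CloudTrail. The address and names are
# assumptions.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  RootActivityTopic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Protocol: email
          Endpoint: security-team@example.com
  # EventBridge must be allowed to publish to the topic.
  RootActivityTopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - !Ref RootActivityTopic
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: sns:Publish
            Resource: !Ref RootActivityTopic
  RootActivityRule:
    Type: AWS::Events::Rule
    Properties:
      Description: Any API call or console sign-in made by the account root user
      State: ENABLED
      # CloudTrail events carry the caller in detail.userIdentity; the root
      # user has type "Root", so no ARN or account ID needs to be hard-coded.
      EventPattern:
        detail-type:
          - AWS API Call via CloudTrail
          - AWS Console Sign In via CloudTrail
        detail:
          userIdentity:
            type:
              - Root
      Targets:
        - Id: NotifySecurityTeam
          Arn: !Ref RootActivityTopic
```

Two prerequisites that the pattern alone does not cover: a CloudTrail trail that records management events must exist in the account, and console sign-in events are delivered as global service events in us-east-1, so the rule must be created there to catch root sign-ins (API calls made in other Regions are matched by rules in those Regions). Test the rule by having the root user call something harmless such as `aws sts get-caller-identity`; the notification should arrive within a few minutes.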
NEW QUESTION # 273
The Development team receives an error message each time the team members attempt to encrypt or decrypt a Secure String parameter from the SSM Parameter Store by using an AWS KMS customer managed key (CMK).
Which CMK-related issues could be responsible? (Choose two.)
- A. The CMK specified in the application is using an alias.
- B. The CMK specified in the application does not exist.
- C. The CMK specified in the application is currently in use.
- D. The CMK specified in the application is using the CMK KeyID instead of CMK Amazon Resource Name.
- E. The CMK specified in the application is not enabled.
Answer: B,E
Explanation:
Parameter Store can only use a key that exists in the caller's account and Region and is in the Enabled key state; a key that does not exist, or that is disabled or pending deletion, makes every encrypt and decrypt of a SecureString parameter fail. Aliases and key IDs are both accepted key identifiers, and a key being "in use" is the normal state of any key.
https://docs.amazonaws.cn/en_us/kms/latest/developerguide/services-parameter-store.html
NEW QUESTION # 274
You have a set of keys defined using the AWS KMS service. You want to stop using a couple of keys, but are not sure which services are currently using them. Which of the following would be a safe option to stop the keys from further usage?
Please select:
- A. Set an alias for the key
- B. Delete the keys since anyway there is a 7 day waiting period before deletion
- C. Change the key material for the key
- D. Disable the keys
Answer: D
Explanation:
Option B is invalid because once the waiting period ends the deletion is irreversible and data encrypted under the key becomes unrecoverable.
Options A and C are invalid because adding an alias or new key material does nothing to check whether the keys are still in use, and existing ciphertext still depends on the original key material.
The AWS Documentation mentions the following:
Deleting a customer master key (CMK) in AWS Key Management Service (AWS KMS) is destructive and potentially dangerous. It deletes the key material and all metadata associated with the CMK, and is irreversible. After a CMK is deleted you can no longer decrypt the data that was encrypted under that CMK, which means that data becomes unrecoverable. You should delete a CMK only when you are sure that you don't need to use it anymore. If you are not sure, consider disabling the CMK instead of deleting it. You can re-enable a disabled CMK if you need to use it again later, but you cannot recover a deleted CMK.
Before disabling, CloudTrail events that reference the key's ARN show which principals and services have used it; after disabling, any remaining caller fails with a DisabledException, which is recovered simply by re-enabling the key.
For more information on deleting keys from KMS, please visit the below URL:
https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
The correct answer is: Disable the keys
NEW QUESTION # 275
A company has multiple departments. Each department has its own AWS account. All these accounts belong to the same organization in AWS Organizations.
A large .csv file is stored in an Amazon S3 bucket in the sales department's AWS account. The company wants to allow users from the other accounts to access the .csv file's content through the combination of AWS Glue and Amazon Athena. However, the company does not want to allow users from the other accounts to access other files in the same folder.
Which solution will meet these requirements?
- A. Grant AWS Glue access to Amazon S3 in a resource-based policy that specifies the organization as the principal.
- B. Define an AWS Glue Data Catalog resource policy in AWS Glue to grant cross-account S3 object access to the .csv file.
- C. Use S3 Select to restrict access to the .csv file. In AWS Glue Data Catalog, use S3 Select as the source of the AWS Glue database.
- D. Apply a user policy in the other accounts to allow AWS Glue and Athena to access the .csv file.
Answer: D
NEW QUESTION # 276
A company wants to establish separate AWS Key Management Service (AWS KMS) keys to use for different AWS services. The company's security engineer created the following key policy to allow the infrastructure deployment team to create encrypted Amazon Elastic Block Store (Amazon EBS) volumes by assuming the InfrastructureDeployment IAM role:
The security engineer recently discovered that IAM roles other than the InfrastructureDeployment role used this key for other services. Which change to the policy should the security engineer make to resolve these issues?
- A. In the policy document, add a new statement block that grants the kms:Disable* permission to the security engineer's IAM role.
- B. In the policy document, remove the statement block that contains the Sid "Enable IAM User Permissions". Add key management policies to the KMS policy.
- C. In the statement block that contains the Sid "Allow use of the key", under the "Condition" block, change the kms:ViaService value to ec2.us-east-1.amazonaws.com.
- D. In the statement block that contains the Sid "Allow use of the key", under the "Condition" block, change StringEquals to StringLike.
Answer: C
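A key policy that scopes a key to one role and one service, added here as an illustration of the kms:ViaService condition the answer relies on. It is not the policy from the question (which is not reproduced on this page) and not AWS's own material; the account ID 123456789012, the Region and the logical name are assumptions.

```yaml
# Added example (not the question's policy, which is not shown on the page).
# Account ID, Region and logical name are assumptions.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  EbsDeploymentKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Encrypts EBS volumes created by the InfrastructureDeployment role
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          # Key administration stays with the account; this statement also
          # lets IAM policies in the account grant kms:* on the key, so any
          # IAM policy that does so must be reviewed as well.
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: arn:aws:iam::123456789012:root
            Action: kms:*
            Resource: "*"
          # Cryptographic use: only the deployment role, and only when the
          # request is made on its behalf by EC2 in us-east-1 (the EBS
          # encryption path). A direct kms:Encrypt call, or use through
          # another service such as S3 or RDS, fails the ViaService check.
          - Sid: Allow use of the key
            Effect: Allow
            Principal:
              AWS: arn:aws:iam::123456789012:role/InfrastructureDeployment
            Action:
              - kms:Encrypt
              - kms:Decrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
              - kms:DescribeKey
            Resource: "*"
            Condition:
              StringEquals:
                kms:ViaService: ec2.us-east-1.amazonaws.com
          # EBS needs grants so that the volume can be attached later without
          # the role's credentials; restrict the grants to AWS resources.
          - Sid: Allow attachment of persistent resources
            Effect: Allow
            Principal:
              AWS: arn:aws:iam::123456789012:role/InfrastructureDeployment
            Action:
              - kms:CreateGrant
              - kms:ListGrants
              - kms:RevokeGrant
            Resource: "*"
            Condition:
              Bool:
                kms:GrantIsForAWSResource: "true"
              StringEquals:
                kms:ViaService: ec2.us-east-1.amazonaws.com
```

StringEquals is deliberate: StringLike with a wildcard such as `*.amazonaws.com` would re-open the key to every service, which is the opposite of what option D would achieve. After the change, CloudTrail Decrypt and GenerateDataKey events for the key should only ever show the deployment role as the principal and ec2.amazonaws.com as the invoking service.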
NEW QUESTION # 277
Within a VPC, a corporation runs an Amazon RDS Multi-AZ DB instance. The database instance is connected to the internet through a NAT gateway via two subnets.
Additionally, the organization has application servers that are hosted on Amazon EC2 instances and use the RDS database. These EC2 instances have been deployed onto two more private subnets inside the same VPC.
These EC2 instances connect to the internet through a default route via the same NAT gateway. Each VPC subnet has its own route table.
The organization implemented a new security requirement after a recent security examination. Never allow the database instance to connect to the internet. A security engineer must perform this update promptly without interfering with the network traffic of the application servers.
How will the security engineer be able to comply with these requirements?
- A. Configure the route table of the NAT gateway to deny connections to the DB instance subnets.
- B. Configure the DB instance's inbound network ACL to deny traffic from the security group ID of the NAT gateway.
- C. Modify the route tables of the DB instance subnets to remove the default route to the NAT gateway.
- D. Remove the existing NAT gateway. Create a new NAT gateway that only the application server subnets can use.
Answer: C
Explanation:
Each subnet has its own route table, so removing the default route (0.0.0.0/0 to the NAT gateway) from the route tables associated with the DB instance subnets cuts the database's internet path while the application server subnets, which have separate route tables, keep theirs. Option A is invalid because a NAT gateway has no route table of its own; Option B is invalid because NAT gateways have no security group and network ACL rules cannot reference security group IDs; Option D replaces a shared component and disrupts the application servers' traffic unnecessarily.
NEW QUESTION # 278
There is a set of EC2 instances in a private subnet. The application hosted on these EC2 instances needs to access a DynamoDB table. It needs to be ensured that traffic does not flow out to the internet. How can this be achieved?
Please select:
- A. Use a VPN connection from the VPC
- B. Use a VPC Peering connection to the DynamoDB table
- C. Use a VPC endpoint to the DynamoDB table
- D. Use a VPC gateway from the VPC
Answer: C
Explanation:
A gateway VPC endpoint for DynamoDB lets instances in the VPC reach the service over the AWS network without an internet gateway or NAT device: the private subnet's route table receives a route for the DynamoDB prefix list whose target is the endpoint.
Option A is invalid because a VPN is used for connections between an on-premises network and AWS.
Option B is invalid because VPC peering connects two VPCs, not a VPC to an AWS service.
Option D is invalid because there is no such option.
For more information on VPC endpoints for DynamoDB, please visit the URL:
The correct answer is: Use a VPC endpoint to the DynamoDB table
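The endpoint, its endpoint policy and a matching instance role as a CloudFormation template, added here as an illustration and not part of the original question. The parameter names, the table name Orders and the logical resource names are assumptions.

```yaml
# Added example (not from the original page): gateway endpoint for DynamoDB
# plus an instance role that only works through it. Parameter names, the
# table name Orders and logical names are assumptions.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PrivateRouteTableId:
    Type: String     # route table of the private subnet holding the instances
Resources:
  DynamoDbEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      VpcEndpointType: Gateway
      ServiceName: !Sub com.amazonaws.${AWS::Region}.dynamodb
      # A route for the DynamoDB prefix list is added to this table
      # automatically; no 0.0.0.0/0 route (NAT or IGW) is needed.
      RouteTableIds:
        - !Ref PrivateRouteTableId
      # Endpoint policy: this endpoint only carries requests to the one table
      # the application needs, so credentials stolen from an instance cannot
      # reach other tables through it.
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: "*"
            Action:
              - dynamodb:GetItem
              - dynamodb:BatchGetItem
              - dynamodb:Query
              - dynamodb:PutItem
              - dynamodb:UpdateItem
            Resource: !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/Orders
  # Instance role: same table, and only when the request arrives through this
  # endpoint, so the credentials are useless from outside the VPC.
  AppInstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: OrdersTableViaEndpointOnly
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - dynamodb:GetItem
                  - dynamodb:BatchGetItem
                  - dynamodb:Query
                  - dynamodb:PutItem
                  - dynamodb:UpdateItem
                Resource: !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/Orders
                Condition:
                  StringEquals:
                    aws:SourceVpce: !Ref DynamoDbEndpoint
```

After deployment, `aws ec2 describe-route-tables --route-table-ids <id>` shows a route whose DestinationPrefixListId is the DynamoDB prefix list for the Region and whose GatewayId is the endpoint; DNS for dynamodb.<region>.amazonaws.com keeps resolving to public addresses, and that is expected, because the prefix-list route is what steers them to the endpoint.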
NEW QUESTION # 279
You have a web site that is sitting behind Amazon CloudFront. You need to protect the web site against threats such as SQL injection and cross-site scripting attacks. Which of the following services can help in such a scenario?
Please select:
- A. Amazon Inspector
- B. AWS Config
- C. AWS WAF
- D. AWS Trusted Advisor
Answer: C
Explanation:
The AWS Documentation mentions the following:
AWS WAF is a web application firewall that helps detect and block malicious web requests targeted at your web applications. AWS WAF allows you to create rules that can help protect against common web exploits like SQL injection and cross-site scripting. With AWS WAF you first identify the resource (either an Amazon CloudFront distribution or an Application Load Balancer) that you need to protect.
Option A is invalid because Amazon Inspector scans EC2 instances for vulnerabilities but does not block the threats mentioned in the question.
Option B is invalid because AWS Config records configuration changes but does not protect against the threats mentioned in the question.
Option D is invalid because Trusted Advisor only gives advice on how to improve the security of your AWS account but does not protect against the threats mentioned in the question.
For more information on AWS WAF, please visit the following URL:
https://aws.amazon.com/waf/
The correct answer is: AWS WAF
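A web ACL of the kind Question 269 and this question call for, as a CloudFormation template. It is an added example, not part of the original questions or of AWS's own material; the web ACL name, the metric names and the rate limit of 2000 requests per five minutes are assumptions.

```yaml
# Added example (not from the original page): a WAFv2 web ACL for a
# CloudFront distribution covering XSS, SQL injection and layer 7 floods.
# Names and the rate limit are assumptions.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  SiteWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: site-web-acl
      # CLOUDFRONT-scoped web ACLs must be created in us-east-1.
      Scope: CLOUDFRONT
      DefaultAction:
        Allow: {}
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: site-web-acl
      Rules:
        # AWS managed core rule set; contains the cross-site scripting rules.
        - Name: AWS-AWSManagedRulesCommonRuleSet
          Priority: 0
          OverrideAction:
            None: {}
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesCommonRuleSet
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: CommonRuleSet
        # AWS managed SQL injection rule set.
        - Name: AWS-AWSManagedRulesSQLiRuleSet
          Priority: 1
          OverrideAction:
            None: {}
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesSQLiRuleSet
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: SQLiRuleSet
        # Rate-based rule: blocks any source IP that exceeds the limit within
        # a five-minute window, a first line of defence against HTTP floods.
        - Name: RateLimitPerIp
          Priority: 2
          Action:
            Block: {}
          Statement:
            RateBasedStatement:
              Limit: 2000
              AggregateKeyType: IP
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: RateLimitPerIp
Outputs:
  WebAclArn:
    Value: !GetAtt SiteWebAcl.Arn
```

The ACL is attached by setting the distribution's DistributionConfig.WebACLId to the output ARN. Putting the ACL on CloudFront rather than on the ALB (the difference between options B and D in Question 269) means the rules run at the edge, before traffic reaches the Region, and the ALB can then be restricted to accept only CloudFront's address ranges. Run the managed rule groups with OverrideAction Count first and review the sampled requests; switching to None (block) without that step is how legitimate traffic gets dropped.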
NEW QUESTION # 280
A company is trying to replace its on-premises bastion hosts used to access on-premises Linux servers with AWS Systems Manager Session Manager. A security engineer has installed the Systems Manager Agent on all servers. The security engineer verifies that the agent is running on all the servers, but Session Manager cannot connect to them. The security engineer needs to perform verification steps before Session Manager will work on the servers.
Which combination of steps should the security engineer perform? (Select THREE.)
- A. Open inbound port 22 to 0.0.0.0/0 on all Linux servers.
- B. Create a managed-instance activation for the on-premises servers.
- C. Enable the advanced-instances tier in Systems Manager.
- D. Initiate an inventory collection with Systems Manager on the on-premises servers.
- E. Reconfigure the Systems Manager Agent with the activation code and ID.
- F. Assign an IAM role to all of the on-premises servers.
Answer: B,C,E
Explanation:
On-premises machines only become Systems Manager managed instances after a hybrid activation is created and the agent on each server is registered with that activation's code and ID; the IAM service role is attached to the activation, not to the servers themselves, which is why option F is not a step the engineer can perform. Session Manager on hybrid (non-EC2) managed instances additionally requires the advanced-instances tier. The agent connects outbound over HTTPS, so no inbound port 22 is needed, and inventory collection is unrelated to connectivity.
NEW QUESTION # 281
A company is hosting a static website on Amazon S3. The company has configured an Amazon CloudFront distribution to serve the website contents. The company has associated an AWS WAF web ACL with the CloudFront distribution. The web ACL ensures that requests originate from the United States to address compliance restrictions.
The company is worried that the S3 URL might still be accessible directly and that requests can bypass the CloudFront distribution. Which combination of steps should the company take to remove direct access to the S3 URL? (Select TWO.)
- A. Update the S3 bucket policy to allow s3:GetObject with a condition that the aws:Referer key matches the secret value. Deny all other requests.
- B. Create an origin access identity (OAI) for the S3 origin.
- C. Select "Restrict Bucket Access" in the origin settings of the CloudFront distribution.
- D. Configure the S3 bucket policy so that only the origin access identity (OAI) has read permission for objects in the bucket.
- E. Add an origin custom header that has the name Referer to the CloudFront distribution. Give the header a secret value.
Answer: C,D
NEW QUESTION # 282
A Security Engineer noticed an anomaly within a company EC2 instance as shown in the image. The Engineer must now investigate what is causing the anomaly. What are the MOST effective steps to take to ensure that the instance is not further manipulated while allowing the Engineer to understand what happened?
- A. Remove the instance from the Auto Scaling group and the Elastic Load Balancer. Place the instance within an isolation security group, launch an EC2 instance with a forensic toolkit, and allow the forensic toolkit image to connect to the suspicious instance to perform the investigation.
- B. Remove the instance from the Auto Scaling group and the Elastic Load Balancer. Place the instance within an isolation security group, make a copy of the EBS volume from a new snapshot, launch an EC2 instance with a forensic toolkit and attach the copy of the EBS volume to investigate.
- C. Remove the instance from the Auto Scaling group. Place the instance within an isolation security group, launch an EC2 instance with a forensic toolkit and use the forensic toolkit image to deploy an ENI as a network span port to inspect all traffic coming from the suspicious instance.
- D. Remove the instance from the Auto Scaling group. Place the instance within an isolation security group, detach the EBS volume, launch an EC2 instance with a forensic toolkit and attach the EBS volume to investigate.
Answer: B
Explanation:
Isolating the instance and then analysing a copy of its volume made from a fresh snapshot preserves the original evidence and keeps the forensic tooling off the compromised host. Option A requires network access into the instance, which the isolation should block and which changes its state; Option C leaves the instance in the load balancer and an ENI is not a span port; Option D works on the original volume rather than a copy, so any mistake during analysis destroys evidence.
NEW QUESTION # 283
A company's AWS account consists of approximately 300 IAM users. A mandate now requires an access change for 100 of those IAM users to have unlimited privileges to S3. As a system administrator, how can you implement this effectively so that there is no need to apply the policy at the individual user level?
Please select:
- A. Create a policy and apply it to multiple users using a JSON script
- B. Use the IAM groups and add users, based upon their role, to different groups and apply the policy to group
- C. Create a new role and add each user to the IAM role
- D. Create an S3 bucket policy with unlimited access which includes each user's IAM account ID
Answer: B
Explanation:
Option C is incorrect since you do not add users to an IAM role; roles are assumed, not populated with users.
Option A is incorrect since a policy is attached per user, so a script would still be applying it at the individual user level, which the question rules out.
Option D is incorrect since this is not an ideal approach: a bucket policy listing 100 principals is hard to maintain and only covers that one bucket.
An IAM group is used to collectively manage users who need the same set of permissions. By having groups, it becomes easier to manage permissions: if you change the permissions on the group, it affects all the users in that group.
For more information on IAM Groups, just browse to the below URL:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html
The correct answer is: Use the IAM groups and add users, based upon their role, to different groups and apply the policy to group
NEW QUESTION # 284
A company has a website with an Amazon CloudFront HTTPS distribution, an Application Load Balancer (ALB) with multiple web instances for dynamic website content, and an Amazon S3 bucket for static website content. The company's security engineer recently updated the website security requirements:
* HTTPS needs to be enforced for all data in transit with specific ciphers.
* The CloudFront distribution needs to be accessible from the internet only.
Which solution will meet these requirements?
- A. Set up an S3 bucket policy with the aws:SecureTransport key. Configure the CloudFront origin access identity (OAI) with the S3 bucket. Configure CloudFront to use specific ciphers. Enforce the ALB with an HTTPS listener only and select the appropriate security policy for the ciphers. Link the ALB with AWS WAF to allow access from the CloudFront IP ranges.
- B. Set up an S3 bucket policy with the aws:SecureTransport key. Configure the CloudFront origin access identity (OAI) with the S3 bucket. Enforce the ALB with an HTTPS listener only and select the appropriate security policy for the ciphers.
- C. Modify the CloudFront distribution to use AWS WAF. Force HTTPS on the S3 bucket with specific ciphers in the bucket policy. Configure an HTTPS listener only for the ALB. Set up a security group to limit access to the ALB from the CloudFront IP ranges.
- D. Modify the CloudFront distribution to use the ALB as the origin. Enforce an HTTPS listener on the ALB. Create a path-based routing rule on the ALB with proxies that connect to Amazon S3. Create a bucket policy to allow access from these proxies only.
Answer: A
Explanation:
Only option A covers every requirement: aws:SecureTransport and the OAI lock the S3 origin to CloudFront over TLS, the CloudFront viewer security policy and the ALB listener security policy pin the ciphers, and AWS WAF on the ALB with the CloudFront address ranges stops the ALB being reached directly. Option B leaves the ALB open to the internet; a bucket policy cannot select ciphers (option C); option D leaves S3 reachable through the ALB and does not address the distribution's own ciphers.
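The S3 half of the design, which is also what Question 281 asks for: a bucket readable only by the distribution's OAI, refusing plain HTTP, behind a distribution with a pinned TLS policy. This is an added example written as a CloudFormation template; it is not part of either original question or of AWS's own material. The bucket name, the ACM certificate ARN and the logical resource names are assumptions.

```yaml
# Added example (not from the original page): S3 origin reachable only via
# CloudFront, TLS only, with a pinned viewer TLS policy. Bucket name,
# certificate ARN and logical names are assumptions.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  StaticBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: static-site-bucket-example
      # No public ACLs or public policies: the S3 URL must not work directly.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
  StaticOai:
    Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: static site origin access identity
  StaticBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref StaticBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Only the OAI, i.e. the CloudFront distribution, may read objects.
          - Sid: AllowCloudFrontOaiRead
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ${StaticOai}
            Action: s3:GetObject
            Resource: !Sub ${StaticBucket.Arn}/*
          # Refuse any request, from anyone, that did not arrive over TLS.
          - Sid: DenyInsecureTransport
            Effect: Deny
            Principal: "*"
            Action: s3:*
            Resource:
              - !GetAtt StaticBucket.Arn
              - !Sub ${StaticBucket.Arn}/*
            Condition:
              Bool:
                aws:SecureTransport: "false"
  Distribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        # The minimum protocol version selects the cipher suites CloudFront
        # offers to viewers; TLSv1.2_2021 drops the legacy CBC suites.
        ViewerCertificate:
          AcmCertificateArn: arn:aws:acm:us-east-1:123456789012:certificate/assumed-cert-id
          SslSupportMethod: sni-only
          MinimumProtocolVersion: TLSv1.2_2021
        Origins:
          - Id: static-s3
            DomainName: !GetAtt StaticBucket.RegionalDomainName
            S3OriginConfig:
              OriginAccessIdentity: !Sub origin-access-identity/cloudfront/${StaticOai}
        DefaultCacheBehavior:
          TargetOriginId: static-s3
          ViewerProtocolPolicy: redirect-to-https
          ForwardedValues:
            QueryString: false
```

Check it from outside: `curl -sI https://static-site-bucket-example.s3.amazonaws.com/index.html` must return 403, while the same object through the distribution's domain returns 200. CloudFront now recommends origin access control (OAC) over OAI; the questions' options are written for OAI, so the example uses it, but the bucket policy shape is the same with an OAC principal of cloudfront.amazonaws.com conditioned on the distribution ARN.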