
AWS-Security-Specialty PDF Dumps Oct 25, 2021 Recently Updated Questions [Q222-Q238]



AWS-Security-Specialty Exam Questions – Valid AWS-Security-Specialty Dumps Pdf


Who should take the Amazon SCS-C01: AWS Certified Security - Specialty Exam

The AWS Certified Security - Specialty (SCS-C01) exam is intended for people who perform a security role and have hands-on experience securing AWS workloads. AWS recommends at least two years of hands-on experience securing AWS workloads and a broader background in IT security. The exam validates the ability to understand specialized data classifications and the AWS data protection mechanisms, data encryption methods and the AWS services that implement them, secure internet protocols and the AWS features that support them, and the AWS security services and features that together provide a secure production environment. Candidates are also expected to make trade-off decisions regarding cost, security and deployment complexity, and to understand security operations and risk.

The exam domains are incident response, logging and monitoring, infrastructure security, identity and access management, and data protection. The practice questions below are grouped by those topics: VPC security groups and network isolation, cross-account and organization-wide access to S3, credential handling on EC2, secret rotation, key management, and troubleshooting of logging and patching agents.

 

NEW QUESTION 222
A user has created a VPC with the public and private subnets using the VPC wizard. The VPC has CIDR 20.0.0.0/16. The public subnet uses CIDR 20.0.1.0/24. The user is planning to host a web server in the public subnet with port 80 and a database server in the private subnet with port 3306. The user is configuring a security group for the public subnet (WebSecGrp) and the private subnet (DBSecGrp). Which of the below mentioned entries is required in the private subnet database security group DBSecGrp?
Please select:

  • A. Allow Outbound on port 3306 for Destination Web Server Security Group WebSecGrp.
  • B. Allow Outbound on port 80 for Destination NAT Instance IP
  • C. Allow Inbound on port 3306 from source 20.0.0.0/16
  • D. Allow Inbound on port 3306 for Source Web Server Security Group WebSecGrp.

Answer: D

Explanation:
The web server opens TCP connections to the database server on port 3306, so DBSecGrp needs an inbound rule on port 3306. Security groups are stateful: once the inbound rule admits the connection, the return traffic is allowed automatically and no outbound rule is needed for it. Referencing WebSecGrp as the source restricts the rule to instances that are members of that group, which is the layout the AWS documentation describes for a VPC with public and private subnets.
Options A and B are invalid because they are outbound rules; the database server needs to accept inbound connections, not initiate them.
Option C is invalid because allowing the whole 20.0.0.0/16 VPC CIDR admits any instance in the VPC, not just the web servers.
For more information on security groups please visit the below link:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html
The correct answer is: Allow Inbound on port 3306 for Source Web Server Security Group WebSecGrp.
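The rule comparison from this explanation, as an added example that is not part of the original page and is not the AWS evaluation engine: it models the stateful security-group check in plain Python and runs each answer option against two sources. The VPC CIDR 20.0.0.0/16 and the group names come from the question; the group IDs, the web server address 20.0.1.10 and the unrelated host 20.0.1.200 are assumptions.

```python
"""Stateful security-group check for the web/database scenario in question 222.

Added example, not part of the original page and not the AWS evaluation
engine. The VPC CIDR 20.0.0.0/16 and the group names come from the question;
the group IDs, the web server address 20.0.1.10 and the unrelated host
20.0.1.200 are assumptions.
"""
from ipaddress import ip_address, ip_network

WEB_SG = "sg-websecgrp"   # assumed ID for WebSecGrp
DB_SG = "sg-dbsecgrp"     # assumed ID for DBSecGrp

# Inbound rules DBSecGrp would hold under each answer option. Options A and B
# are outbound rules, so they add nothing to the inbound rule set.
DB_INBOUND = {
    "A": [],
    "B": [],
    "C": [{"port": 3306, "cidr": "20.0.0.0/16"}],      # any host in the VPC
    "D": [{"port": 3306, "source_sg": WEB_SG}],        # members of WebSecGrp only
}


def inbound_allowed(rules, port, src_ip, src_sg=None):
    """Security groups are stateful: once an inbound rule admits the connection,
    the reply traffic is allowed automatically, so only ingress is checked."""
    for rule in rules:
        if rule["port"] != port:
            continue
        if "cidr" in rule and ip_address(src_ip) in ip_network(rule["cidr"]):
            return True
        if "source_sg" in rule and src_sg == rule["source_sg"]:
            return True
    return False


def compare_options():
    """For each option: can the web server reach MySQL, and can an arbitrary
    VPC host that is not in WebSecGrp reach it too?"""
    web_server = ("20.0.1.10", WEB_SG)     # public subnet, member of WebSecGrp
    stray_host = ("20.0.1.200", None)      # same VPC, not in WebSecGrp
    return {
        opt: {
            "web_to_db": inbound_allowed(rules, 3306, *web_server),
            "stray_to_db": inbound_allowed(rules, 3306, *stray_host),
        }
        for opt, rules in DB_INBOUND.items()
    }


if __name__ == "__main__":
    for opt, outcome in compare_options().items():
        print(opt, outcome)
```

Only option D lets the web server in while keeping the rest of the VPC out; option C reaches the database from both hosts, and A and B admit nothing because they never add an inbound rule.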

 

NEW QUESTION 223
A company deployed AWS Organizations to help manage its increasing number of AWS accounts. A security engineer wants to ensure only principals in the Organization structure can access a specific Amazon S3 bucket. The solution must also minimize operational overhead. Which solution will meet these requirements?

  • A. Put all users into an IAM group with an access policy granting access to the S3 bucket.
  • B. Specify the organization ID in the global key condition element of a bucket policy, allowing all principals access.
  • C. Have the account creation trigger an AWS Lambda function that manages the bucket policy, allowing access to accounts listed in the policy only.
  • D. Add an SCP to the Organizations master account, allowing all principals access to the bucket.

Answer: B

 

NEW QUESTION 224
A Security Engineer for a large company is managing a data processing application used by 1,500 subsidiary companies. The parent and subsidiary companies all use AWS. The application uses TCP port 443 and runs on Amazon EC2 behind a Network Load Balancer (NLB). For compliance reasons, the application should only be accessible to the subsidiaries and should not be available on the public internet. To meet the compliance requirements for restricted access, the Engineer has received the public and private CIDR block ranges for each subsidiary.
What solution should the Engineer use to implement the appropriate access restrictions for the application?

  • A. Create an AWS security group to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges. Associate the security group with EC2 instances.
  • B. Create a NACL to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges. Associate the NACL to both the NLB and EC2 instances
  • C. Create an AWS security group to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges. Associate the security group to the NLB. Create a second security group for EC2 instances with access on TCP port 443 from the NLB security group.
  • D. Create an AWS PrivateLink endpoint service in the parent company account attached to the NLB. Create an AWS security group for the instances to allow access on TCP port 443 from the AWS PrivateLink endpoint.
    Use AWS PrivateLink interface endpoints in the 1,500 subsidiary AWS accounts to connect to the data processing application.

Answer: D

 

NEW QUESTION 225
A company plans to move most of its IT infrastructure to AWS. They want to leverage their existing on-premises Active Directory as an identity provider for AWS.
Which combination of steps should a Security Engineer take to federate the company's on-premises Active Directory with AWS? (Choose two.)

  • A. Create IAM roles with permissions corresponding to each Active Directory group.
  • B. Configure Active Directory to add relying party trust between Active Directory and AWS.
  • C. Configure Amazon Cognito to add relying party trust between Active Directory and AWS.
  • D. Create IAM groups with permissions corresponding to each Active Directory group.
  • E. Configure Amazon Cloud Directory to support a SAML provider.

Answer: A,B

Explanation:
Federating on-premises Active Directory with AWS uses SAML 2.0 through AD FS: AD FS is configured with a relying party trust for AWS, a SAML identity provider is created in IAM, and IAM roles (not groups) are created for the federated users to assume, typically one role per Active Directory group. IAM groups cannot be assumed by federated identities, Amazon Cognito is for application user pools rather than workforce federation, and Amazon Cloud Directory is not a SAML identity provider.

 

NEW QUESTION 226
During a security event, it is discovered that some Amazon EC2 instances have not been sending Amazon CloudWatch logs.
Which steps can the Security Engineer take to troubleshoot this issue? (Choose two.)

  • A. Connect to the EC2 instances that are not sending the appropriate logs and verify that the CloudWatch Logs agent is running.
  • B. Verify that the network access control lists and security groups of the EC2 instances have the access to send logs over SNMP.
  • C. Verify that the EC2 instances have a route to the public AWS API endpoints.
  • D. Connect to the EC2 instances that are not sending logs. Use the command prompt to verify that the right permissions have been set for the Amazon SNS topic.
  • E. Log in to the AWS account and select CloudWatch Logs. Check for any monitored EC2 instances that are in the "Alerting" state and restart them using the EC2 console.

Answer: A,C

Explanation:
The CloudWatch Logs agent sends log data over HTTPS to the CloudWatch Logs API endpoint, so the agent must be running on the instance and the instance needs a network path to that endpoint (through an internet gateway, a NAT gateway, or a VPC endpoint) together with an instance role that allows logs:PutLogEvents. SNMP and SNS are not involved in log delivery, and CloudWatch Logs has no "Alerting" state for instances.

 

NEW QUESTION 227
A company has set up the following structure to ensure that their S3 buckets always have logging enabled:

If there are any changes to the configuration of an S3 bucket, a Config rule gets checked. If logging is disabled, then a Lambda function is invoked. This Lambda function will again enable logging on the S3 bucket. Now there is an issue being encountered with the entire flow. You have verified that the Lambda function is being invoked, but when logging is disabled for the bucket, the Lambda function does not enable it again. Which of the following could be the issue? Please select:

  • A. The AWS Config rule is not configured properly
  • B. You need to also use the API gateway to invoke the lambda function
  • C. The AWS Lambda function does not have appropriate permissions for the bucket
  • D. The AWS Lambda function should use Node.js instead of python.

Answer: C

Explanation:
The most probable cause is that the Lambda function's execution role does not have the permissions on the S3 bucket (s3:PutBucketLogging, and s3:GetBucketLogging to read the current state) needed to make the change. The function is invoked, so the Config rule and trigger are working; the failure is in the API call the function makes.
Option A is invalid because this is a permission issue rather than a configuration rule issue; the rule is already invoking the function.
Option B is invalid because you do not need API Gateway to invoke a Lambda function from AWS Config.
Option D is invalid because changing the runtime language will not change what the function is allowed to do.
For more information on accessing resources from a Lambda function, please refer to the below URL:
https://docs.aws.amazon.com/lambda/latest/dg/accessing-resources.html
The correct answer is: The AWS Lambda function does not have appropriate permissions for the bucket.
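A remediation handler for the flow in this question, as an added example that is not the page's or AWS's code. It shows the execution-role policy the function needs and a handler that returns a distinct result when the S3 call is denied, which is the symptom described above. The event shape (a Config rule invocation carrying the bucket name in configurationItem.resourceName), the destination bucket name and the PermissionError stand-in for botocore's AccessDenied ClientError are assumptions; the S3 client is injected so the example runs offline against a constructed fake.

```python
"""Remediation handler for question 227: re-enable S3 server access logging
when a Config rule reports it disabled.

Added example, not the original page's code. The event shape, the log-target
bucket and the use of PermissionError in place of botocore's AccessDenied
ClientError are assumptions; the S3 client is injected so it runs offline.
"""
import json

LOG_BUCKET = "central-s3-access-logs"   # assumed destination bucket

# The execution role needs these S3 actions. Without them the function is
# invoked normally but put_bucket_logging is denied, which is the symptom in
# the question: invoked, yet logging stays off.
REQUIRED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetBucketLogging", "s3:PutBucketLogging"],
        "Resource": "arn:aws:s3:::*",
    }],
}


def bucket_from_event(event):
    """Config delivers the changed item as a JSON string in invokingEvent."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    if item["resourceType"] != "AWS::S3::Bucket":
        raise ValueError("not an S3 bucket change")
    return item["resourceName"]


def ensure_logging(bucket, s3):
    """Return 'already-enabled', 'enabled' or 'denied' so the caller can alarm
    on denials instead of silently doing nothing."""
    current = s3.get_bucket_logging(Bucket=bucket)
    if "LoggingEnabled" in current:
        return "already-enabled"
    try:
        s3.put_bucket_logging(
            Bucket=bucket,
            BucketLoggingStatus={"LoggingEnabled": {
                "TargetBucket": LOG_BUCKET, "TargetPrefix": f"{bucket}/"}},
        )
    except PermissionError:   # stand-in for ClientError with Code == AccessDenied
        return "denied"
    return "enabled"


def handler(event, s3):
    return ensure_logging(bucket_from_event(event), s3)


class FakeS3:
    """Constructed stand-in for boto3's S3 client; `allowed` mimics the IAM decision."""

    def __init__(self, allowed, logging=None):
        self.allowed = allowed
        self.logging = dict(logging or {})

    def get_bucket_logging(self, Bucket):
        return dict(self.logging)

    def put_bucket_logging(self, Bucket, BucketLoggingStatus):
        if not self.allowed:
            raise PermissionError("AccessDenied")
        self.logging = BucketLoggingStatus


# Constructed sample event in the shape a Config rule invocation carries.
SAMPLE_EVENT = {"invokingEvent": json.dumps({"configurationItem": {
    "resourceType": "AWS::S3::Bucket", "resourceName": "finance-data"}})}


if __name__ == "__main__":
    print("role missing permission:", handler(SAMPLE_EVENT, FakeS3(allowed=False)))
    print("role with permission:   ", handler(SAMPLE_EVENT, FakeS3(allowed=True)))
```

Returning "denied" rather than swallowing the error is the practical difference: a metric or alarm on that result surfaces the missing s3:PutBucketLogging permission instead of leaving the bucket silently unlogged.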

 

NEW QUESTION 228
You are working in the media industry and you have created a web application where users will be able to upload photos they create to your website. This web application must be able to call the S3 API in order to be able to function. Where should you store your API credentials whilst maintaining the maximum level of security?
Please select:

  • A. Pass API credentials to the instance using instance user data.
  • B. Save the API credentials in your PHP files.
  • C. Save your API credentials in a public GitHub repository.
  • D. Don't save your API credentials; instead create a role in IAM and assign this role to an EC2 instance when you first create it.

Answer: D

Explanation:
Applications must sign their API requests with AWS credentials. Therefore, if you are an application developer, you need a strategy for managing credentials for your applications that run on EC2 instances. For example, you can securely distribute your AWS credentials to the instances, enabling the applications on those instances to use your credentials to sign requests, while protecting your credentials from other users. However, it is challenging to securely distribute credentials to each instance, especially those that AWS creates on your behalf, such as Spot Instances or instances in Auto Scaling groups. You must also be able to update the credentials on each instance when you rotate your AWS credentials.
IAM roles are designed so that your applications can securely make API requests from your instances, without requiring you to manage the security credentials that the applications use. The instance obtains short-lived, automatically rotated credentials from the instance metadata service.
Options A, B and C are invalid because embedding long-term AWS credentials in user data, source files or a repository exposes them to anyone who can read those locations, and a public repository exposes them to everyone. For more information on IAM roles, please visit the below URL:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
The correct answer is: Don't save your API credentials; instead create a role in IAM and assign this role to an EC2 instance when you first create it.

 

NEW QUESTION 229
A Security Engineer for a large company is managing a data processing application used by 1,500 subsidiary companies. The parent and subsidiary companies all use AWS. The application uses TCP port 443 and runs on Amazon EC2 behind a Network Load Balancer (NLB). For compliance reasons, the application should only be accessible to the subsidiaries and should not be available on the public internet. To meet the compliance requirements for restricted access, the Engineer has received the public and private CIDR block ranges for each subsidiary. What solution should the Engineer use to implement the appropriate access restrictions for the application?

  • A. Create an AWS PrivateLink endpoint service in the parent company account attached to the NLB. Create an AWS security group for the instances to allow access on TCP port 443 from the AWS PrivateLink endpoint. Use AWS PrivateLink interface endpoints in the 1,500 subsidiary AWS accounts to connect to the data processing application.
  • B. Create an AWS security group to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges. Associate the security group to the NLB. Create a second security group for EC2 instances with access on TCP port 443 from the NLB security group.
  • C. Create a NACL to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges. Associate the NACL to both the NLB and EC2 instances.
  • D. Create an AWS security group to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges. Associate the security group with EC2 instances.

Answer: A

Explanation:
This is the same scenario as question 224, and the answer is the same. A security group cannot hold 1,500 CIDR entries (the per-group rule quota is far lower), network ACLs are subnet-level and have an even smaller rule limit, and at the time of this question a security group could not be associated with a Network Load Balancer at all. AWS PrivateLink publishes the NLB as an endpoint service; each subsidiary connects through an interface endpoint in its own VPC, so the application is never reachable from the public internet and no per-subsidiary CIDR list has to be maintained.

 

NEW QUESTION 230
A company's database developer has just migrated an Amazon RDS database credential to be stored and managed by AWS Secrets Manager. The developer has also enabled rotation of the credential within the Secrets Manager console and set the rotation to change every 30 days.
After a short period of time, a number of existing applications have failed with authentication errors.
What is the MOST likely cause of the authentication errors?

  • A. The Secrets Manager IAM policy does not allow access for the applications.
  • B. Enabling rotation in Secrets Manager causes the secret to rotate immediately, and the applications are using the earlier credential.
  • C. The Secrets Manager IAM policy does not allow access to the RDS database.
  • D. Migrating the credential to RDS requires that all access come through requests to the Secrets Manager.

Answer: B

Explanation:
https://docs.aws.amazon.com/secretsmanager/latest/userguide/enable-rotation-rds.html
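The failure mode in this question, and the client-side fix for it, as an added example that is neither the page's code nor AWS's: applications that cached the credential before rotation keep presenting the old password. The pattern below fetches the secret on demand and, on an authentication failure, refreshes it once and retries. The secret ID, the credential field names and the rotation behaviour of the fakes (rotation changes the password in Secrets Manager and in the database together, as the RDS rotation Lambda does) are assumptions, and both clients are constructed stand-ins so it runs offline.

```python
"""Rotation-aware credential lookup for question 230.

Added example, not from the page. Assumes an application that caches the
database password fetched from Secrets Manager and retries once with a fresh
secret when authentication fails after a rotation. The Secrets Manager and
database clients are constructed fakes so the example runs offline.
"""
import json


class AuthError(Exception):
    """Raised by the database when the presented password is wrong."""


class DbCredentialCache:
    """Caches the parsed secret; refresh=True bypasses the cache after a failure."""

    def __init__(self, secrets_client, secret_id):
        self.secrets = secrets_client
        self.secret_id = secret_id
        self._cached = None

    def get(self, refresh=False):
        if self._cached is None or refresh:
            raw = self.secrets.get_secret_value(SecretId=self.secret_id)["SecretString"]
            self._cached = json.loads(raw)   # RDS secrets hold username/password/host/...
        return self._cached


def connect(cache, db):
    """Try the cached credential; on AuthError refetch (a rotation may have
    happened) and retry once. A second failure propagates to the caller."""
    creds = cache.get()
    try:
        return db.connect(creds["username"], creds["password"])
    except AuthError:
        creds = cache.get(refresh=True)
        return db.connect(creds["username"], creds["password"])


# ---- constructed fakes standing in for boto3 and a DB driver ----
class FakeSecrets:
    def __init__(self, password):
        self.password = password

    def rotate(self, new_password):
        self.password = new_password

    def get_secret_value(self, SecretId):
        return {"SecretString": json.dumps({"username": "app", "password": self.password})}


class FakeDb:
    """Accepts whatever password Secrets Manager currently holds, mirroring the
    RDS rotation function that updates both sides in one step."""

    def __init__(self, secrets):
        self.secrets = secrets
        self.connections = 0

    def connect(self, user, password):
        if password != self.secrets.password:
            raise AuthError("auth failed")
        self.connections += 1
        return f"session-{self.connections}"


def demo():
    secrets = FakeSecrets("pw-initial")
    db = FakeDb(secrets)
    cache = DbCredentialCache(secrets, "prod/rds/app")   # assumed secret ID
    first = connect(cache, db)          # fetches and caches pw-initial
    secrets.rotate("pw-rotated")        # enabling rotation rotates immediately
    stale = cache.get()["password"]     # the application still holds the old one
    second = connect(cache, db)         # first attempt fails, refresh, succeeds
    return first, stale, second, cache.get()["password"]


if __name__ == "__main__":
    print(demo())
```

The retry is deliberately limited to one refresh: if the fresh secret also fails, the problem is not rotation and the error should reach the operator rather than loop.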

 

NEW QUESTION 231
A company has a set of EC2 instances hosted in AWS. These instances have EBS volumes for storing critical information. There is a business continuity requirement, and in order to boost the agility of the business and to ensure data durability, which of the following options are NOT required?
Please select:

  • A. Use EBS volume encryption
  • B. Use EBS volume replication
  • C. Use lifecycle policies for the EBS volumes
  • D. Use EBS Snapshots

Answer: A,B

Explanation:
Data stored in Amazon EBS volumes is redundantly stored in multiple physical locations as part of the normal operation of the service and at no additional charge. However, that replication stays within a single Availability Zone, not across zones; therefore it is highly recommended that you take regular snapshots to Amazon S3 for long-term data durability.
You can use Amazon Data Lifecycle Manager (Amazon DLM) to automate the creation, retention, and deletion of snapshots taken to back up your Amazon EBS volumes. With lifecycle management, you can be sure that snapshots are cleaned up regularly and keep costs under control.
EBS Lifecycle Policies
A lifecycle policy consists of these core settings:
* Resource type: the AWS resource managed by the policy, in this case EBS volumes.
* Target tag: the tag that must be associated with an EBS volume for it to be managed by the policy.
* Schedule: defines how often to create snapshots and the maximum number of snapshots to keep. Snapshot creation starts within an hour of the specified start time. If creating a new snapshot exceeds the maximum number of snapshots to keep for the volume, the oldest snapshot is deleted.
Option B is not required because each Amazon EBS volume is already replicated automatically within its Availability Zone to protect you from component failure; there is no separate volume replication feature for you to enable.
Option A is not required for this purpose because encryption protects confidentiality, not durability.
Options C and D (snapshots and lifecycle policies for them) are the measures that actually address durability, so they are required.
For information on security for compute resources, please visit the below URL:
https://d1.awsstatic.com/whitepapers/Security/Security_Compute_Services_Whitepaper.pdf
The correct answers are: Use EBS volume replication. Use EBS volume encryption.

 

NEW QUESTION 232
Your company has been using AWS for the past 2 years. They have separate S3 buckets for logging the various AWS services that have been used. They have hired an external vendor for analyzing their log files. They have their own AWS account. What is the best way to ensure that the partner account can access the log files in the company account for analysis. Choose 2 answers from the options given below Please select:

  • A. Ensure the IAM role has read-only access to the S3 buckets
  • B. Ensure the IAM user has read-only access to the S3 buckets
  • C. Create an IAM role in the company account
  • D. Create an IAM user in the company account

Answer: A,C

Explanation:
The AWS Documentation mentions the following
To share log files between multiple AWS accounts, you must perform the following general steps. These steps are explained in detail later in this section.
Create an 1AM role for each account that you want to share log files with.
For each of these 1AM roles, create an access policy that grants read-only access to the account you want to share the log files with.
Have an 1AM user in each account programmatically assume the appropriate role and retrieve the log files.
Options A and C are invalid because creating an 1AM user and then sharing the 1AM user credentials with the vendor is a direct 'NO' practise from a security perspective.
For more information on sharing cloudtrail logs files, please visit the following URL
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-sharine-loes.htmll The correct answers are: Create an 1AM Role in the company account Ensure the 1AM Role has access for read-only to the S3 buckets Submit your Feedback/Queries to our Experts

 

NEW QUESTION 233
A Systems Administrator has written the following Amazon S3 bucket policy designed to allow access to an S3 bucket for only an authorized AWS IAM user from the IP address range 10.10.10.0/24:

When trying to download an object from the S3 bucket from 10.10.10.40, the IAM user receives an access denied message.
What does the Administrator need to change to grant access to the user?

  • A. Change the "Principal" from "*" to {"AWS": "arn:aws:iam::account-number:user/username"}
  • B. Change the "Resource" from "arn:aws:s3:::Bucket" to "arn:aws:s3:::Bucket/*".
  • C. Change the "Action" from ["s3:*"] to ["s3:GetObject", "s3:ListBucket"]
  • D. Change the "Version" from "2012-10-17" to the last revised date of the policy

Answer: B

 

NEW QUESTION 234
You are trying to use the Systems Manager to patch a set of EC2 systems. Some of the systems are not getting covered in the patching process. Which of the following can be used to troubleshoot the issue? Choose 3 answers from the options given below.
Please select:

  • A. Ensure that agent is running on the instances.
  • B. Check to see if the right role has been assigned to the EC2 instances
  • C. Check to see if the IAM user has the right permissions for EC2
  • D. Check the Instance status by using the Health API.

Answer: A,B,D

Explanation:
For ensuring that the instances are configured properly you need to check the following:
1) You installed the latest version of the SSM Agent on your instance and it is running.
2) Your instance is configured with an AWS Identity and Access Management (IAM) role (instance profile) that enables the instance to communicate with the Systems Manager API.
3) You can use the Amazon EC2 Health API to quickly determine the following information about Amazon EC2 instances: the status of one or more instances, the last time the instance sent a heartbeat value, the version of the SSM Agent, the operating system, the version of the EC2Config service (Windows) and the status of the EC2Config service (Windows).
Option C is invalid because the permissions of the IAM user running the patch operation do not affect whether an instance can register with Systems Manager; that depends on the instance's role, the agent and its network path to the service.
For more information on troubleshooting AWS SSM, please visit the following URL:
https://docs.aws.amazon.com/systems-manager/latest/userguide/troubleshooting-remote-commands.html
The correct answers are: Check to see if the right role has been assigned to the EC2 instances. Ensure that the agent is running on the instances. Check the instance status by using the Health API.

 

NEW QUESTION 235
An AWS account administrator created an IAM group and applied the following managed policy to require that each individual user authenticate using multi-factor authentication:

After implementing the policy, the administrator receives reports that users are unable to perform Amazon EC2 commands using the AWS CLI. What should the administrator do to resolve this problem while still enforcing multi-factor authentication?

  • A. Implement federated API/CLI access using SAML 2.0, then configure the identity provider to enforce multi-factor authentication.
  • B. Create a role and enforce multi-factor authentication in the role trust policy. Instruct users to run the sts assume-role CLI command and pass the --serial-number and --token-code parameters. Store the resulting values in environment variables. Add sts:AssumeRole to NotAction in the policy.
  • C. Change the value of aws:MultiFactorAuthPresent to true.
  • D. Instruct users to run the aws sts get-session-token CLI command and pass the multi-factor authentication --serial-number and --token-code parameters. Use the resulting values to make API/CLI calls.

Answer: D
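A minimal policy evaluator that works through questions 223, 233 and 235 together, as an added example that is neither the page's code nor AWS's evaluation engine. It handles only Effect, Action/NotAction, Resource wildcards and the StringEquals, IpAddress, Bool and BoolIfExists operators, ignores Principal, and applies explicit-deny-wins; that is enough to show why each answer holds. The organization ID o-exampleorgid, the bucket names and the MFA policy itself are assumptions (the page does not show the policy from question 235, so the standard AWS pattern of a Deny with NotAction and BoolIfExists on aws:MultiFactorAuthPresent is used).

```python
"""Minimal IAM policy evaluator for questions 223, 233 and 235.

Added example, not the page's code and not AWS's evaluation engine. Supports
Effect, Action/NotAction, Resource wildcards, StringEquals, IpAddress, Bool
and BoolIfExists; Principal is ignored; an explicit Deny beats any Allow.
All identifiers below are made up.
"""
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network


def _listed(v):
    return v if isinstance(v, list) else [v]


def _matches(patterns, value):
    return any(fnmatchcase(value, p) for p in _listed(patterns))


def _condition_ok(cond, ctx):
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "StringEquals":
                if have not in _listed(want):
                    return False
            elif op == "IpAddress":
                if have is None or not any(ip_address(have) in ip_network(w) for w in _listed(want)):
                    return False
            elif op == "Bool":
                # A missing key never satisfies Bool, so a plain access-key
                # request (which carries no MFA key) would slip past a Deny.
                if have is None or str(have).lower() != str(want).lower():
                    return False
            elif op == "BoolIfExists":
                # Missing key counts as matched: this is what makes the MFA
                # Deny apply to long-term access keys as well.
                if have is not None and str(have).lower() != str(want).lower():
                    return False
            else:
                raise NotImplementedError(op)
    return True


def evaluate(policy, action, resource, ctx):
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if "Action" in st:
            if not _matches(st["Action"], action):
                continue
        elif _matches(st["NotAction"], action):
            continue
        if not _matches(st.get("Resource", "*"), resource):
            continue
        if not _condition_ok(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# Question 223: one bucket policy statement keyed on the organization ID.
ORG_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::shared-bucket/*",
    "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}]}

# Question 233: the same statement with a bucket-only Resource, then the fix.
IP_COND = {"IpAddress": {"aws:SourceIp": "10.10.10.0/24"}}
BUCKET_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:*",
    "Resource": "arn:aws:s3:::Bucket", "Condition": IP_COND}]}
BUCKET_AND_OBJECTS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:*",
    "Resource": ["arn:aws:s3:::Bucket", "arn:aws:s3:::Bucket/*"], "Condition": IP_COND}]}

# Question 235: assumed MFA-enforcing policy (standard AWS pattern).
MFA_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "sts:GetSessionToken"], "Resource": "*"},
    {"Effect": "Deny", "NotAction": ["iam:*", "sts:GetSessionToken"], "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}


def worked_examples():
    obj = "arn:aws:s3:::Bucket/report.pdf"
    return {
        "q223_in_org": evaluate(ORG_POLICY, "s3:GetObject", "arn:aws:s3:::shared-bucket/x",
                                {"aws:PrincipalOrgID": "o-exampleorgid"}),
        "q223_other_org": evaluate(ORG_POLICY, "s3:GetObject", "arn:aws:s3:::shared-bucket/x",
                                   {"aws:PrincipalOrgID": "o-someoneelse"}),
        "q233_bucket_only": evaluate(BUCKET_ONLY, "s3:GetObject", obj, {"aws:SourceIp": "10.10.10.40"}),
        "q233_fixed": evaluate(BUCKET_AND_OBJECTS, "s3:GetObject", obj, {"aws:SourceIp": "10.10.10.40"}),
        "q233_fixed_outside_range": evaluate(BUCKET_AND_OBJECTS, "s3:GetObject", obj, {"aws:SourceIp": "192.0.2.1"}),
        "q235_access_key_only": evaluate(MFA_POLICY, "ec2:DescribeInstances", "*", {}),
        "q235_get_session_token": evaluate(MFA_POLICY, "sts:GetSessionToken", "*", {}),
        "q235_mfa_session": evaluate(MFA_POLICY, "ec2:DescribeInstances", "*",
                                     {"aws:MultiFactorAuthPresent": "true"}),
    }


if __name__ == "__main__":
    for name, outcome in worked_examples().items():
        print(f"{name:26} {outcome}")
```

Three things fall out of the run. For 223 the bucket policy never changes as accounts join or leave the organization, which is the "minimal operational overhead" the question asks for. For 233 an object download is evaluated against the object ARN, so a Resource of the bare bucket ARN never matches s3:GetObject; the bucket ARN is still needed for s3:ListBucket, hence both entries in the fix. For 235 the plain access-key call carries no aws:MultiFactorAuthPresent key, BoolIfExists treats that as "false", and the Deny fires; sts:GetSessionToken is excluded by NotAction, and the session it returns carries the key as "true", so the same CLI call then succeeds.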

 

NEW QUESTION 236
A Security Engineer accidentally deleted the imported key material in an AWS KMS CMK. What should the Security Engineer do to restore the deleted key material?

  • A. Create a new CMK. Use the original wrapping key and import token to import the original key material.
  • B. Use the original wrapping key and import token. Import the original key material into the existing CMK.
  • C. Create a new CMK. Download a new wrapping key and a new import token to import the original key material.
  • D. Download a new wrapping key and a new import token. Import the original key material into the existing CMK.

Answer: D

 

NEW QUESTION 237
You currently have an S3 bucket hosted in an AWS Account. It holds information that needs be accessed by a partner account. Which is the MOST secure way to allow the partner account to access the S3 bucket in your account? Select 3 options.
Please select:

  • A. Provide the Account Id to the partner account
  • B. Ensure the partner uses an external id when making the request
  • C. Ensure an IAM role is created which can be assumed by the partner account.
  • D. Provide access keys for your account to the partner account
  • E. Ensure an IAM user is created which can be assumed by the partner account.
  • F. Provide the ARN for the role to the partner account

Answer: B,C,F

Explanation:
Option E is invalid because roles are assumed; IAM users are not.
Option A is invalid because the partner does not need to be handed your account ID separately; the role ARN they need to assume already identifies the account.
Option D is invalid because you should never give your access keys to a partner.
The AWS documentation shows an example in which an IAM role and an external ID are used to grant a third party access to resources in your account; the external ID in the role's trust policy prevents the confused-deputy problem when the partner acts on behalf of several customers.
For more information on creating roles for external IDs please visit the following URL:
The correct answers are: Ensure an IAM role is created which can be assumed by the partner account. Ensure the partner uses an external ID when making the request. Provide the ARN for the role to the partner account.

 

NEW QUESTION 238
......

AWS-Security-Specialty dumps Sure Practice with 530 Questions: https://www.examsreviews.com/AWS-Security-Specialty-pass4sure-exam-review.html

AWS-Security-Specialty Practice Test Questions Answers Updated 530 Questions: https://drive.google.com/open?id=1I2ob6XlZJSD_4pKf8aOLqVUJn6if6ORy