AWS-Security-Specialty試験無料問題集「Amazon AWS Certified Security - Specialty 認定」

ページ: 1 / 43
トータル 592 問

サインアップ、ログインされた後に、試験全体を無料で表示できるようになります。

出題：1

A security engineer needs to see up an Amazon CloudFront distribution for an Amazon S3 bucket that hosts a static website. The security engineer must allow only specified IP addresses to access the website. The security engineer also must prevent users from accessing the website directly by using S3 URLs.
Which solution will meet these requirements?

A. Implement security groups to allow only the specified IP addresses access and to restrict S3 bucket access by using the CloudFront distribution.

B. Create a CloudFront origin access identity (OAl). Create the S3 bucket policy so that only the OAl has access. Create an AWS WAF web ACL and add an IP set rule. Associate the web ACL with the CloudFront distribution.

C. Generate an S3 bucket policy. Specify cloudfront amazonaws com as the principal. Use the aws Sourcelp condition key to allow access only if the request conies from the specified IP addresses.

D. Create an S3 bucket access point to allow access from only the CloudFront distribution. Create an AWS WAF web ACL and add an IP set rule. Associate the web ACL with the CloudFront distribution.

正解：B 解答を投票する

出題：2

A company had developed an incident response plan 18 months ago. Regular implementations of the response plan are carried out. No changes have been made to the response plan have been made since its creation. Which of the following is a right statement with regards to the plan?
Please select:

A. The response plan is complete in its entirety

B. It places too much emphasis on already implemented security controls.

C. The response plan does not cater to new services

D. The response plan is not implemented on a regular basis

正解：C 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

出題：3

A user has created a VPC with the public and private subnets using the VPC wizard. The VPC has CIDR 20.0.0.0/16. The public subnet uses CIDR 20.0.1.0/24. The user is planning to host a web server in the public subnet with port 80 and a Database server in the private subnet with port 3306. The user is configuring a security group for the public subnet (WebSecGrp) and the private subnet (DBSecGrp). which of the below mentioned entries is required in the private subnet database security group DBSecGrp?
Please select:

A. Allow Inbound on port 3306 for Source Web Server Security Group WebSecGrp.

B. Allow Outbound on port 80 for Destination NAT Instance IP

C. Allow Outbound on port 3306 for Destination Web Server Security Group WebSecGrp.

D. Allow Inbound on port 3306 from source 20.0.0.0/16

正解：A 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

出題：4

A company has a customer master key (CMK) with imported key materials. Company policy requires that all encryption keys must be rotated every year.
What can be done to implement the above policy?

A. Use IAM Command Line Interface to create an IAM Lambda function to rotate the existing CMK annually.

B. Import new key material to the existing CMK and manually rotate the CMK.

C. Enable automatic key rotation annually for the CMK.

D. Create a new CMK, import new key material to it, and point the key alias to the new CMK.

正解：D 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

出題：5

A company uses an external identity provider to allow federation into different IAM accounts. A security engineer for the company needs to identify the federated user that terminated a production Amazon EC2 instance a week ago.
What is the FASTEST way for the security engineer to identify the federated user?

A. Search the IAM CloudTrail logs for the Terminatelnstances event and note the event time. Review the IAM Access Advisor tab for all federated roles. The last accessed time should match the time when the instance was terminated.

B. Review the IAM CloudTrail event history logs in an Amazon S3 bucket and look for the Terminatelnstances event to identify the federated user from the role session name.

C. Use Amazon Athena to run a SQL query on the IAM CloudTrail logs stored in an Amazon S3 bucket and filter on the Terminatelnstances event. Identify the corresponding role and run another query to filter the AssumeRoleWithWebldentity event for the user name.

D. Filter the IAM CloudTrail event history for the Terminatelnstances event and identify the assumed IAM role. Review the AssumeRoleWithSAML event call in CloudTrail to identify the corresponding username.

正解：D 解答を投票する

出題：6

A company's on-premises data center forwards DNS logs to a third-party security incident events management (SIEM) solution that alerts on suspicious behavior. The company wants to introduce a similar capability to its IAM accounts that includes automatic remediation. The company expects to double in size within the next few months.
Which solution meets the company's current and future logging requirements?

A. Enable Amazon GuardDuty and IAM Security Hub in all Regions and all accounts. Designate a master security account to receive all alerts from the child accounts. Create an IAM Organizations SCP that denies access to certain API calls that are on an ignore list.

B. Enable Amazon GuardDuty and IAM Security Hub in all Regions and all accounts. Designate a master security account to receive all alerts from the child accounts. Set up specific rules within Amazon Even;Bridge to trigger an IAM Lambda function for remediation steps.

C. Ingest all IAM CloudTrail logs, VPC Flow Logs, and DNS logs into a single Amazon S3 bucket in a designated security account. Launch an Amazon EC2 instance and install the current SIEM to monitor the logs and send a notification to an Amazon SNS topic to alert the security team of remediation steps.

D. Ingest all IAM CloudTrail logs, VPC Flow Logs, and DNS logs into a single Amazon S3 bucket in a designated security account. Use the current on-premises SIEM to monitor the logs and send a notification to an Amazon SNS topic to alert the security team of remediation steps.

正解：B 解答を投票する

出題：7

Your company has a requirement to monitor all root user activity by notification. How can this best be achieved? Choose 2 answers from the options given below. Each answer forms part of the solution Please select:

A. Use Cloudtrail API call

B. Create a Cloudwatch Logs Rule

C. Use a Lambda function

D. Create a Cloudwatch Events Rule s

正解：C,D 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

出題：8

A Security Engineer is implementing a solution to allow users to seamlessly encrypt Amazon S3 objects without having to touch the keys directly. The solution must be highly scalable without requiring continual management. Additionally, the organization must be able to immediately delete the encryption keys.
Which solution meets these requirements?

A. Use the Systems Manager Parameter Store to store the keys and then use the service API operations to delete the key if necessary.

B. Use KMS with IAM imported key material and then use the DeletelmportedKeyMaterial API to remove the key material if necessary.

C. Use IAM CloudHSM to store the keys and then use the CloudHSM API or the PKCS11 library to delete the keys if necessary.

D. Use IAM KMS with IAM managed keys and the ScheduleKeyDeletion API with a PendingWindowInDays set to 0 to remove the keys if necessary.

正解：B 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

出題：9

A company needs to use HTTPS when connecting to its web applications to meet compliance requirements. These web applications run in Amazon VPC on Amazon EC2 instances behind an Application Load Balancer (ALB). A security engineer wants to ensure that the load balancer win only accept connections over port 443. even if the ALB is mistakenly configured with an HTTP listener Which configuration steps should the security engineer take to accomplish this task?

A. Create a network ACL that allows outbound connections to the VPC IP range on port 443 only. Associate the network ACL with the VPC's internet gateway.

B. Create a security group with a rule that denies Inbound connections from 0.0.0 0/0 on port 00. Attach this security group to the ALB to overwrite more permissive rules from the ALB's default security group.

C. Create a network ACL that denies inbound connections from 0 0.0.0/0 on port 80 Associate the network ACL with the VPC s internet gateway

D. Create a security group with a single inbound rule that allows connections from 0.0.0 0/0 on port 443. Ensure this security group is the only one associated with the ALB

正解：D 解答を投票する

出題：10

You have just recently set up a web and database tier in a VPC and hosted the application. When testing the app , you are not able to reach the home page for the app. You have verified the security groups. What can help you diagnose the issue.
Please select:

A. Use IAM WAF to analyze the traffic

B. Use VPC Flow logs to diagnose the traffic

C. Use IAM Guard Duty to analyze the traffic

D. Use the IAM Trusted Advisor to see what can be done.

正解：B 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

出題：11

A security engineer has noticed an unusually high amount of traffic coming from a single IP address. This was discovered by analyzing the Application Load Balancer's access logs. How can the security engineer limit the number of requests from a specific IP address without blocking the IP address?

A. Use IAM Shield to limit the originating traffic hit rate.

B. Add a rule to the Application Load Balancer to route the traffic originating from the IP address in question and show a static webpage.

C. Implement the GeoLocation feature in Amazon Route 53.

D. Implement a rate-based rule with IAM WAF

正解：A 解答を投票する

出題：12

A company is configuring three Amazon EC2 instances with each instance in a separate Availability Zone. The EC2 instances wilt be used as transparent proxies for outbound internet traffic for ports 80 and 443 so the proxies can block traffic to certain internet destinations as required by the company's security policies. A Security Engineer completed the following:
* Set up the proxy software on the EC2 instances.
* Modified the route tables on the private subnets to use the proxy EC2 instances as the default route.
* Created a security group rule opening inbound port 80 and 443 TCP protocols on the proxy EC2 instance security group.
However, the proxy EC2 instances are not successfully forwarding traffic to the internet.
What should the Security Engineer do to make the proxy EC2 instances route traffic to the internet?

A. Change the VPC's DHCP domain-name-server's options set to the IP addresses of proxy EC2 instances.

B. Disable source and destination checks on the proxy EC2 instances.

C. Put all the proxy EC2 instances in a cluster placement group.

D. Open all inbound ports on the proxy EC2 instance security group.

正解：B 解答を投票する

出題：13

Your company has just started using IAM and created an IAM account. They are aware of the potential issues when root access is enabled. How can they best safeguard the account when it comes to root access? Choose 2 answers fro the options given below Please select:

A. Change the password for the root account.

B. Delete the root access keys

C. Create an Admin IAM user with the necessary permissions

D. Delete the root access account

正解：B,C 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

出題：14

A company wants to protect its website from man in-the-middle attacks by using Amazon CloudFront. Which solution will meet these requirements with the LEAST operational overhead?

A. Use a Lambda@Edge function to add the Strict-Transport-Security response header.

B. Include the X-XSS-Protection header in a custom response headers policy.

C. Use the SecurityHeadersPolicy managed response headers policy.

D. Use the SimpleCORS managed response headers policy.

正解：C 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

ページ: 1 / 43
トータル 592 問

AWS-Security-Specialty の機能をすべて解除する

キャプチャ不要
365日無料更新サービス
希望する合格率を設定できる
時間の割り当てられる（時間：分）
AWS-Security-Specialty に2つの練習用モード
サポートサービス対応

完全版を入手する

弊社のサイトにはあなたの試験合格を助けるために研究された効果的な知能問題集を提供しています。材料はすべてのユーザーによって称賛されています。弊社のサイトは、最短時間で多くの証明書を取得するのに役立つ学習プラットフォームになります。

掲示板

試験6V0-21.25 トピック11 問題57 スレッド
試験1Z0-184-25 トピック1 問題28 スレッド
試験SSM トピック1 問題14 スレッド
試験1Z0-1195-25 トピック7 問題34 スレッド
試験1Z0-1127-25 トピック1 問題72 スレッド
試験CSA-JPN トピック2 問題226 スレッド
試験Associate-Reactive-Developer-JPN トピック4 問題76 スレッド

弊社を連絡する

我々の働いている時間：( UTC+9 ) 9:00-24:00

月曜日から土曜日まで

サポート：現在連絡

我々は１２時間以内ですべてのお問い合わせを答えます。