The Ultimate Guide: Latest AWS-Security-Specialty as of May 18, 2025, limited time! Download now! [Q114-Q138]


Strictly verified, up-to-date 2025 AWS-Security-Specialty exam material with real questions and answers

Question # 114
A Security Administrator is performing a log analysis as a result of a suspected AWS account compromise.
The Administrator wants to analyze suspicious AWS CloudTrail log files but is overwhelmed by the volume of audit logs being generated.
What approach enables the Administrator to search through the logs MOST efficiently?

  • A. Configure Amazon Macie to classify and discover sensitive data in the Amazon S3 bucket that contains the CloudTrail audit logs.
  • B. Configure Amazon Athena to read from the CloudTrail S3 bucket and query the logs to examine account activities.
  • C. Implement a "write-only" CloudTrail event filter to detect any modifications to the AWS account resources.
  • D. Enable Amazon S3 event notifications to trigger an AWS Lambda function that sends an email alarm when there are new CloudTrail API entries.

Correct answer: B

Explanation:
Reference: https://docs.aws.amazon.com/athena/latest/ug/cloudtrail-logs.html


Question # 115
An enterprise wants to use a third-party SaaS application. The SaaS application needs access to issue several API commands to discover Amazon EC2 resources running within the enterprise's account. The enterprise has internal security policies that require any outside access to its environment to conform to the principle of least privilege, and that controls be in place to ensure that the credentials used by the SaaS vendor cannot be used by any other third party. Which of the following would meet all of these conditions?
Please select:

  • A. Create an IAM role for EC2 instances, assign it a policy that allows only the actions required for the SaaS application to work, and provide the role ARN to the SaaS provider to use when launching their application instances.
  • B. From the AWS Management Console, navigate to the Security Credentials page and retrieve the access and secret key for your account.
  • C. Create an IAM role for cross-account access that allows the SaaS provider's account to assume the role, and assign it a policy that allows only the actions required by the SaaS application.
  • D. Create an IAM user within the enterprise account and assign a user policy to the IAM user that allows only the actions required by the SaaS application. Create a new access key and secret key for the user and provide these credentials to the SaaS provider.

Correct answer: C

Explanation:
The diagram below, from an AWS blog, shows how access is given to other accounts for the services in your own account.

The options that rely on IAM users or IAM access keys are invalid because you should not use IAM users or IAM access keys for this purpose; the EC2 instance role option is invalid because you need to create a role for cross-account access. For more information on allowing access to external accounts, please visit the URL below:
https://aws.amazon.com/blogs/apn/how-to-best-architect-your-aws-marketplace-saas-subscription-across-multiple-aws-accounts
The correct answer is: Create an IAM role for cross-account access that allows the SaaS provider's account to assume the role, and assign it a policy that allows only the actions required by the SaaS application.


Question # 116
During a recent internal investigation, it was discovered that all API logging was disabled in a production account, and the root user had created new API keys that appear to have been used several times.
What could have been done to detect and automatically remediate the incident?

  • A. Using Amazon CloudWatch, create a CloudWatch event that detects AWS CloudTrail deactivation and a separate Amazon Trusted Advisor check to automatically detect the creation of root API keys. Then use a Lambda function to enable AWS CloudTrail and deactivate the root API keys.
  • B. Using Amazon Inspector, review all of the API calls and configure the inspector agent to leverage SNS topics to notify security of the change to AWS CloudTrail, and revoke the new API keys for the root user.
  • C. Using Amazon CloudTrail, create a new CloudTrail event that detects the deactivation of CloudTrail logs, and a separate CloudTrail event that detects the creation of root API keys. Then use a Lambda function to enable CloudTrail and deactivate the root API keys.
  • D. Using AWS Config, create a config rule that detects when AWS CloudTrail is disabled, as well as any calls to the root user create-api-key. Then use a Lambda function to re-enable CloudTrail logs and deactivate the root API keys.

Correct answer: D


Question # 117
A Security Engineer received an AWS Abuse Notice listing EC2 instance IDs that are reportedly abusing other hosts.
Which action should the Engineer take based on this situation? (Choose three.)

  • A. Revoke all network ingress and egress except to/from a forensics workstation.
  • B. Create EBS Snapshots of each of the volumes attached to the compromised instances.
  • C. Log in to each instance with administrative credentials to restart the instance.
  • D. Run Auto Recovery for Amazon EC2.
  • E. Capture a memory dump.
  • F. Use AWS Artifact to capture an exact image of the state of each instance.

Correct answer: A, B, D


Question # 118
In order to encrypt data in transit for a connection to an AWS RDS instance, which of the following would you implement?
Please select:

  • A. SSL from your application
  • B. Transparent data encryption
  • C. Data keys from AWS KMS
  • D. Data Keys from CloudHSM

Correct answer: A

Explanation:
This is mentioned in the AWS documentation:
You can use SSL from your application to encrypt a connection to a DB instance running MySQL, MariaDB, Amazon Aurora, SQL Server, Oracle, or PostgreSQL.
The Transparent Data Encryption option is incorrect since TDE is used for data at rest and not in transit. The KMS and CloudHSM data key options are incorrect since those keys are used for encryption of data at rest. For more information on working with RDS and SSL, please refer to the URL below:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html
The correct answer is: SSL from your application


Question # 119
A company had one of its Amazon EC2 key pairs compromised. A Security Engineer must identify which current Linux EC2 instances were deployed and used the compromised key pair.
How can this task be accomplished?

  • A. Obtain the fingerprint for the key pair from the AWS Management Console, then search for the fingerprint in Amazon CloudWatch Logs using: aws logs filter-log-events.
  • B. Obtain the list of instances by directly querying Amazon EC2 using: aws ec2 describe-instances --filters "Name=key-name,Values=KEYNAMEHERE".
  • C. Obtain the output from the EC2 instance metadata using: curl http://169.254.169.254/latest/meta-data/public-keys/0/.
  • D. Obtain the fingerprint for the key pair from the AWS Management Console, then search for the fingerprint in the Amazon Inspector logs.

Correct answer: A


Question # 120
For compliance reasons, an organization limits the use of resources to three specific AWS Regions. It wants to be alerted when any resources are launched in unapproved Regions.
Which of the following approaches will provide alerts on any resources launched in an unapproved region?

  • A. Use AWS Trusted Advisor to alert on all resources being created.
  • B. Monitor Amazon S3 Event Notifications for objects stored in buckets in unapproved regions.
  • C. Develop an alerting mechanism based on processing AWS CloudTrail logs.
  • D. Analyze Amazon CloudWatch Logs for activities in unapproved regions.

Correct answer: C

Explanation:
https://stackoverflow.com/questions/45449053/cloudwatch-alert-on-any-instance-creation


Question # 121
An ecommerce company is developing a new architecture for an application release. The company needs to implement TLS for incoming traffic to the application. Traffic for the application will originate from the internet. TLS does not have to be implemented in an end-to-end configuration, because the company is concerned about impacts on performance. The incoming traffic types will be HTTP and HTTPS. The application uses ports 80 and 443.
What should a security engineer do to meet these requirements?

  • A. Create a public Application Load Balancer. Create two listeners: one listener on port 80 and one listener on port 443. Create one target group. Create a rule to forward traffic from port 80 to the listener on port 443. Provision a public TLS certificate in AWS Certificate Manager (ACM). Attach the certificate to the listener on port 80.
  • B. Create a public Application Load Balancer. Create two listeners: one listener on port 80 and one listener on port 443. Create one target group. Create a rule to forward traffic from port 80 to the listener on port 443. Provision a public TLS certificate in AWS Certificate Manager (ACM). Attach the certificate to the listener on port 443.
  • C. Create a public Network Load Balancer. Create a listener on port 443. Create one target group. Create a rule to forward traffic from port 443 to the target group. Set the protocol for the listener on port 443 to TLS.
  • D. Create a public Network Load Balancer. Create two listeners: one listener on port 80 and one listener on port 443. Create one target group. Create a rule to forward traffic from port 80 to the listener on port 443. Set the protocol for the listener on port 443 to TLS.

Correct answer: B

Explanation:
An Application Load Balancer (ALB) is a type of load balancer that operates at the application layer (layer 7) of the OSI model. It can distribute incoming traffic based on the content of the request, such as the host header, path, or query parameters. An ALB can also terminate TLS connections and decrypt requests from clients before sending them to the targets.
To implement TLS for incoming traffic to the application, the following steps are required:
1. Create a public ALB in a public subnet and register the EC2 instances as targets in a target group.
2. Create two listeners for the ALB, one on port 80 for HTTP traffic and one on port 443 for HTTPS traffic.
3. Create a rule for the listener on port 80 to redirect HTTP requests to HTTPS using the same host, path, and query parameters.
4. Provision a public TLS certificate in AWS Certificate Manager (ACM) for the domain name of the application. ACM is a service that lets you easily provision, manage, and deploy public and private SSL/TLS certificates for use with AWS services and your internal connected resources.
5. Attach the certificate to the listener on port 443 and configure the security policy to negotiate secure connections between clients and the ALB.
6. Configure the security groups for the ALB and the EC2 instances to allow inbound traffic on ports 80 and 443 from the internet and outbound traffic on any port to the EC2 instances.
This solution meets the requirement of implementing TLS for incoming traffic without impacting performance or requiring end-to-end encryption. The ALB handles the TLS termination and decryption, while forwarding unencrypted requests to the EC2 instances.
Verified Reference:
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html
https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html


Question # 122
A company has an existing AWS account and a set of critical resources hosted in that account. The employee who was in charge of the root account has left the company. What must now be done to secure the account? Choose 3 answers from the options given below.
Please select:

  • A. Confirm MFA to a secure device
  • B. Delete the access keys for the root account
  • C. Change the password for the root account
  • D. Change the access keys for all IAM users.
  • E. Change the password for all IAM users.
  • F. Delete all custom created IAM policies.

Correct answer: A, B, C

Explanation:
If the root account has a chance of being compromised, then you have to carry out the steps below:
1. Delete the access keys for the root account
2. Confirm MFA to a secure device
3. Change the password for the root account
This will ensure the employee who has left has no chance to compromise the resources in AWS.
The options that change the credentials of all IAM users or delete all custom created IAM policies are invalid because they would hamper the work of the current IAM users and the current working of services in your AWS account. For more information on the IAM root user, please visit the following URL:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html
The correct answers are: Delete the access keys for the root account. Confirm MFA to a secure device. Change the password for the root account.


Question # 123
Your development team has started using AWS resources for development purposes. The AWS account has just been created. Your IT Security team is worried about possible leakage of AWS keys. What is the first measure that should be taken to protect the AWS account?
Please select:

  • A. Create IAM Groups
  • B. Restrict access using IAM policies
  • C. Create IAM Roles
  • D. Delete the AWS keys for the root account

Correct answer: D

Explanation:
The first measure that should be taken is to delete the keys for the IAM root user. When you log in to your account and go to your Security Access dashboard, this is the first step that can be seen.

Creating IAM groups and roles is wrong because it does not change the impact of leakage of the AWS root access keys; restricting access using IAM policies is wrong because the first key aspect is to protect the access keys for the root account. For more information on best practices for access keys, please visit the URL below:
https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html
The correct answer is: Delete the AWS keys for the root account


Question # 124
The Security Engineer is managing a traditional three-tier web application that is running on Amazon EC2 instances. The application has become the target of increasing numbers of malicious attacks from the Internet.
What steps should the Security Engineer take to check for known vulnerabilities and limit the attack surface? (Choose two.)

  • A. Use Elastic Load Balancing to offload Secure Sockets Layer encryption.
  • B. Use AWS Certificate Manager to encrypt all traffic between the client and application servers.
  • C. Use Amazon Inspector to periodically scan the backend instances.
  • D. Review the application security groups to ensure that only the necessary ports are open.
  • E. Use AWS Key Management Services to encrypt all the traffic between the client and application servers.

Correct answer: A, C


Question # 125
When managing permissions for API Gateway, what can be used to ensure that the right level of permissions is given to developers, IT admins, and users? These permissions should be easily managed.
Please select:

  • A. Use IAM Policies to create different policies for the different types of users.
  • B. Use IAM Access Keys to create sets of keys for the different types of users.
  • C. Use the secure token service to manage the permissions for the different users
  • D. Use the AWS Config tool to manage the permissions for the different users

Correct answer: A

Explanation:
The AWS documentation mentions the following:
You control access to Amazon API Gateway with IAM permissions by controlling access to the following two API Gateway component processes:
* To create, deploy, and manage an API in API Gateway, you must grant the API developer permissions to perform the required actions supported by the API management component of API Gateway.
* To call a deployed API or to refresh the API caching, you must grant the API caller permissions to perform required IAM actions supported by the API execution component of API Gateway.
The access key, STS, and AWS Config options are invalid because these cannot be used to control access to AWS services; this needs to be done via policies. For more information on permissions with API Gateway, please visit the following URL:
https://docs.aws.amazon.com/apigateway/latest/developerguide/permissions.html
The correct answer is: Use IAM Policies to create different policies for the different types of users.


Question # 126
A company's Security Engineer is copying all application logs to centralized Amazon S3 buckets. Currently, each of the company's applications is in its own AWS account, and logs are pushed into S3 buckets associated with each account. The Engineer will deploy an AWS Lambda function into each account that copies the relevant log files to the centralized S3 bucket.
The Security Engineer is unable to access the log files in the centralized S3 bucket. The Engineer's IAM user policy from the centralized account looks like this:

The centralized S3 bucket policy looks like this:

Why is the Security Engineer unable to access the log files?

  • A. The S3 bucket policy does not explicitly allow the Security Engineer access to the objects in the bucket.
  • B. The s3:PutObject and s3:PutObjectAcl permissions should be applied at the S3 bucket level
  • C. The object ACLs are not being updated to allow the users within the centralized account to access the objects
  • D. The Security Engineers IAM policy does not grant permissions to read objects in the S3 bucket

Correct answer: D


Question # 127
A security engineer must use AWS Key Management Service (AWS KMS) to design a key management solution for a set of Amazon Elastic Block Store (Amazon EBS) volumes that contain sensitive data. The solution needs to ensure that the key material automatically expires in 90 days.
Which solution meets these criteria?

  • A. A customer managed CMK that uses customer provided key material
  • B. A customer managed CMK that uses AWS provided key material
  • C. Operating system-native encryption that uses GnuPG
  • D. An AWS managed CMK

Correct answer: B


Question # 128
An organization is using Amazon CloudWatch Logs with agents deployed on its Linux Amazon EC2 instances.
The agent configuration files have been checked and the application log files to be pushed are configured correctly. A review has identified that logging from specific instances is missing.
Which steps should be taken to troubleshoot the issue? (Choose two.)

  • A. Verify that the time zone on the application servers is in UTC.
  • B. Use an EC2 run command to confirm that the "awslogs" service is running on all instances.
  • C. Check that the trust relationship grants the service "cwlogs.amazonaws.com" permission to write objects to the Amazon S3 staging bucket.
  • D. Verify that the permissions used by the agent allow creation of log groups/streams and to put log events.
  • E. Check whether any application log entries were rejected because of invalid time stamps by reviewing /var/cwlogs/rejects.log.

Correct answer: D, E


Question # 129
A large corporation is creating a multi-account strategy and needs to determine how its employees should access the AWS infrastructure.
Which of the following solutions would provide the MOST scalable solution?

  • A. Configure the AWS Security Token Service to use Kerberos tokens so that users can use their existing corporate user names and passwords to access AWS resources directly.
  • B. Use a centralized account with IAM roles that employees can assume through federation with their existing identity provider. Use cross-account roles to allow the federated users to assume their target role in the resource accounts.
  • C. Configure the IAM trust policies within each account's role to set up a trust back to the corporation's existing identity provider, allowing users to assume the role based off their SAML token.
  • D. Create dedicated IAM users within each AWS account that employees can assume through federation based upon group membership in their existing identity provider.

Correct answer: B


Question # 130
A company has multiple AWS accounts that are part of AWS Organizations. The company's Security team wants to ensure that even those Administrators with full access to the company's AWS accounts are unable to access the company's Amazon S3 buckets. How should this be accomplished?

  • A. Use SCPs
  • B. Create a VPC endpoint for Amazon S3 and deny statements for access to Amazon S3
  • C. Use an S3 bucket policy
  • D. Add a permissions boundary to deny access to Amazon S3 and attach it to all roles

Correct answer: A


Question # 131
A Security Engineer must enforce the use of only Amazon EC2, Amazon S3, Amazon RDS, Amazon DynamoDB, and AWS STS in specific accounts.
What is a scalable and efficient approach to meet this requirement?

  • A. Create multiple IAM users for the regulated accounts, and attach the following policy statement to restrict services as required:
  • B. Set up an Organizations hierarchy, replace the global FullAWSAccess with the following Service Control Policy at the top level:
  • C. Set up an AWS Organizations hierarchy, and replace the FullAWSAccess policy with the following Service Control Policy for the governed organization units:
  • D. Set up all users in the Active Directory for federated access to all accounts in the company. Associate Active Directory groups with IAM groups, and attach the following policy statement to restrict services as required:

Correct answer: C


Question # 132
You are planning on using the AWS KMS service for managing keys for your application. Which of the following can the KMS CMK keys be used to encrypt? Choose 2 answers from the options given below.
Please select:

  • A. Password
  • B. Image Objects
  • C. RSA Keys
  • D. Large files

Correct answer: A, C

Explanation:
The CMK keys themselves can only be used for encrypting data that is a maximum of 4 KB in size. Hence they can be used for encrypting information such as passwords and RSA keys.
The image objects and large files options are invalid because the actual CMK key can only be used to encrypt small amounts of data and not large amounts of data. You have to generate a data key from the CMK in order to encrypt large amounts of data. For more information on the concepts for KMS, please visit the following URL:
https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html
The correct answers are: Password, RSA Keys


Question # 133
Your company has a set of EC2 Instances defined in AWS. They need to ensure that all traffic packets are monitored and inspected for any security threats. How can this be achieved? Choose 2 answers from the options given below.
Please select:

  • A. Use Network Access control lists logging
  • B. Use a third party firewall installed on a central EC2 instance
  • C. Use a host based intrusion detection system
  • D. Use VPC Flow logs

Correct answer: B, C

Explanation:
If you want to inspect the packets themselves, then you need to use custom software. A diagram representation of this is given in the AWS Security best practices.

VPC Flow Logs are invalid because they cannot conduct packet inspection.
For more information on AWS Security best practices, please refer to the URL below:
The correct answers are: Use a host based intrusion detection system. Use a third party firewall installed on a central EC2 instance.


Question # 134
Your company has an EC2 Instance that is hosted in an AWS VPC. There is a requirement to ensure that log files from the EC2 Instance are stored accordingly. Access should also be limited for the destination of the log files. How can this be accomplished? Choose 2 answers from the options given below. Each answer forms part of the solution.
Please select:

  • A. Stream the log files to a separate Cloudtrail trail
  • B. Create an IAM policy that gives the desired level of access to the Cloudtrail trail
  • C. Stream the log files to a separate Cloudwatch Log group
  • D. Create an IAM policy that gives the desired level of access to the Cloudwatch Log group

Correct answer: C, D

Explanation:
You can create a Log group and send all logs from the EC2 Instance to that group. You can then limit access to the Log group via an IAM policy.
Option A is invalid because CloudTrail is used to record API activity and not for storing log files.
The CloudTrail IAM policy option is invalid because CloudTrail is the wrong service to be used for this requirement.
For more information on Log Groups and Log Streams, please visit the following URL:
* https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Workinj
For more information on access to CloudWatch Logs, please visit the following URL:
* https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/auth-and-access-control-cwl.html
The correct answers are: Stream the log files to a separate CloudWatch Log group. Create an IAM policy that gives the desired level of access to the CloudWatch Log group.


Question # 135
The Accounting department at Example Corp. has made a decision to hire a third-party firm, AnyCompany, to monitor Example Corp.'s AWS account to help optimize costs.
The Security Engineer for Example Corp. has been tasked with providing AnyCompany with access to the required Example Corp. AWS resources. The Engineer has created an IAM role and granted permission to AnyCompany's AWS account to assume this role.
When customers contact AnyCompany, they provide their role ARN for validation. The Engineer is concerned that one of AnyCompany's other customers might deduce Example Corp.'s role ARN and potentially compromise the company's account.
What steps should the Engineer perform to prevent this outcome?

  • A. Create an IAM user and generate a set of long-term credentials. Provide the credentials to AnyCompany. Monitor access in IAM access advisor and plan to rotate credentials on a recurring basis.
  • B. Request an external ID from AnyCompany and add a condition with sts:ExternalId to the role's trust policy.
  • C. Require two-factor authentication by adding a condition to the role's trust policy with aws:MultiFactorAuthPresent.
  • D. Request an IP range from AnyCompany and add a condition with aws:SourceIp to the role's trust policy.

Correct answer: B


Question # 136
You have just developed a new mobile application that handles analytics workloads on large-scale datasets that are stored on Amazon Redshift. Consequently, the application needs to access Amazon Redshift tables. Which of the below methods would be the best, both practically and security-wise, to access the tables? Choose the correct answer from the options below.
Please select:

  • A. Create an HSM client certificate in Redshift and authenticate using this certificate.
  • B. Create a Redshift read-only access policy in IAM and embed those credentials in the application.
  • C. Create an IAM user and generate encryption keys for that user. Create a policy for Redshift read-only access. Embed the keys in the application.
  • D. Use roles that allow a web identity federated user to assume a role that allows access to the Redshift table by providing temporary credentials.

Correct answer: D

Explanation:
The AWS documentation mentions the following:
"When you write such an app, you'll make requests to AWS services that must be signed with an AWS access key. However, we strongly recommend that you do not embed or distribute long-term AWS credentials with apps that a user downloads to a device, even in an encrypted store. Instead, build your app so that it requests temporary AWS security credentials dynamically when needed using web identity federation. The supplied temporary credentials map to an IAM role that has only the permissions needed to perform the tasks required by the mobile app."
Options A, B, and C are all incorrect because you need to use IAM roles for secure access to services. For more information on web identity federation, please refer to the link below:
* http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html
The correct answer is: Use roles that allow a web identity federated user to assume a role that allows access to the Redshift table by providing temporary credentials.


Question # 137
An Amazon S3 bucket is encrypted using an AWS KMS CMK. An IAM user is unable to download objects from the S3 bucket using the AWS Management Console; however, other users can download objects from the S3 bucket.
Which policies should the Security Engineer review and modify to resolve this issue? (Select three.)

  • A. The S3 ACL
  • B. The S3 bucket policy
  • C. The VPC endpoint policy
  • D. The IAM policy
  • E. The CMK policy

Correct answer: B, D, E

Explanation:
https://aws.amazon.com/premiumsupport/knowledge-center/decrypt-kms-encrypted-objects-s3/


Question # 138
......
