[November 15, 2023] Use the free AWS Certified Security AWS-Security-Specialty exam questions [Q43-Q64]



AWS-Security-Specialty question set: practice questions to pass AWS Certified Security for sure


The Amazon SCS-C01 (AWS Certified Security - Specialty) certification exam is an exam for demonstrating expertise in securing AWS workloads. It is suited to security professionals who are responsible for implementing and managing AWS security controls. The exam tests candidates on topics including identity and access management, infrastructure security, data protection, and incident response.

Question # 43
An organization has launched 5 instances: 2 for production and 3 for testing. The organization wants one particular group of IAM users to access only the test instances and not the production ones. How can the organization set that as part of the policy?
Please select:

  • A. Create an IAM policy with a condition which allows access to only small instances
  • B. Launch the test and production instances in separate regions and allow region wise access to the group
  • C. Define the tags on the test and production servers and add a condition to the IAM policy which allows access to specific tags
  • D. Define the IAM policy which allows access based on the instance ID

Correct answer: C

Explanation:
Tags enable you to categorize your AWS resources in different ways, for example, by purpose, owner, or environment. This is useful when you have many resources of the same type: you can quickly identify a specific resource based on the tags you've assigned to it.
Option A (a condition on instance size) is invalid because the instance type will not resolve the requirement.
Option B (separate regions) is invalid because this is an overhead to maintain in policies.
Option D (access based on instance ID) is invalid because this is not a recommended practice.
For information on resource tagging, please visit the below URL:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html
The correct answer is: Define the tags on the test and production servers and add a condition to the IAM policy which allows access to specific tags


Question # 44
Amazon CloudWatch Logs agent is successfully delivering logs to the CloudWatch Logs service. However, logs stop being delivered after the associated log stream has been active for a specific number of hours.
What steps are necessary to identify the cause of this phenomenon? (Choose two.)

  • A. Configure an Amazon Kinesis producer to first put the logs into Amazon Kinesis Streams.
  • B. Use AWS CloudFormation to dynamically create and maintain the configuration file for the CloudWatch Logs agent.
  • C. Create a CloudWatch Logs metric to isolate a value that changes at least once during the period before logging stops.
  • D. Ensure that file permissions for monitored files that allow the CloudWatch Logs agent to read the file have not been modified.
  • E. Verify that the OS Log rotation rules are compatible with the configuration requirements for agent streaming.

Correct answer: B, E


Question # 45
A security engineer is asked to update an AWS CloudTrail log file prefix for an existing trail. When attempting to save the change in the CloudTrail console, the security engineer receives the following error message:
"There is a problem with the bucket policy"
What will enable the security engineer to save the change?

  • A. Update the existing bucket policy in the Amazon S3 console with the new log file prefix, and then update the log file prefix in the CloudTrail console.
  • B. Update the existing bucket policy in the Amazon S3 console to allow the security engineer's principal to perform GetBucketPolicy, and then update the log file prefix in the CloudTrail console.
  • C. Create a new trail with the updated log file prefix, and then delete the original trail. Update the existing bucket policy in the Amazon S3 console with the new log file prefix, and then update the log file prefix in the CloudTrail console.
  • D. Update the existing bucket policy in the Amazon S3 console to allow the security engineer's principal to perform PutBucketPolicy, and then update the log file prefix in the CloudTrail console.

Correct answer: D


Question # 46
A company's Security Engineer is copying all application logs to centralized Amazon S3 buckets. Currently, each of the company's applications is in its own AWS account, and logs are pushed into S3 buckets associated with each account. The Engineer will deploy an AWS Lambda function into each account that copies the relevant log files to the centralized S3 bucket.
The Security Engineer is unable to access the log files in the centralized S3 bucket. The Engineer's IAM user policy from the centralized account looks like this:

The centralized S3 bucket policy looks like this:

Why is the Security Engineer unable to access the log files?

  • A. The s3:PutObject and s3:PutObjectAcl permissions should be applied at the S3 bucket level.
  • B. The Security Engineer's IAM policy does not grant permissions to read objects in the S3 bucket.
  • C. The object ACLs are not being updated to allow the users within the centralized account to access the objects.
  • D. The S3 bucket policy does not explicitly allow the Security Engineer access to the objects in the bucket.

Correct answer: A


Question # 47
A Security Engineer must design a system that can detect whether a file on an Amazon EC2 host has been modified. The system must then alert the Security Engineer of the modification.
What is the MOST efficient way to meet these requirements?

  • A. Install host-based IDS software to check for file integrity. Export the logs to Amazon CloudWatch Logs for monitoring and alerting.
  • B. Use Amazon CloudWatch Logs to detect file system changes. If a change is detected, automatically terminate and recreate the instance from the most recent AMI. Use Amazon SNS to send notification of the event.
  • C. Install antivirus software and ensure that signatures are up-to-date. Configure Amazon CloudWatch alarms to send alerts for security events.
  • D. Export system log files to Amazon S3. Parse the log files using an AWS Lambda function that will send alerts of any unauthorized system login attempts through Amazon SNS.

Correct answer: A


Question # 48
A Security Analyst attempted to troubleshoot the monitoring of suspicious security group changes. The Analyst was told that there is an Amazon CloudWatch alarm in place for these AWS CloudTrail log events. The Analyst tested the monitoring setup by making a configuration change to the security group but did not receive any alerts.
Which of the following troubleshooting steps should the Analyst perform?

  • A. Check the CloudWatch dashboards to ensure that there is a metric configured with an appropriate dimension for security group changes.
  • B. Ensure that CloudTrail and S3 bucket access logging is enabled for the Analyst's AWS account.
  • C. Verify that a metric filter was created and then mapped to an alarm. Check the alarm notification action.
  • D. Verify that the Analyst's account is mapped to an IAM policy that includes permissions for cloudwatch:GetMetricStatistics and cloudwatch:ListMetrics.

Correct answer: A


Question # 49
An organization is using AWS CloudTrail, Amazon CloudWatch Logs, and Amazon CloudWatch to send alerts when new access keys are created. However, the alerts are no longer appearing in the Security Operations mail box.
Which of the following actions would resolve this issue?

  • A. In CloudWatch, verify that the alarm threshold "consecutive periods" value is equal to, or greater than 1.
  • B. In Amazon SNS, determine whether the "Account spend limit" has been reached for this alert.
  • C. In SNS, ensure that the subscription used by these alerts has not been deleted.
  • D. In CloudTrail, verify that the trail logging bucket has a log prefix configured.

Correct answer: B


Question # 50
Your company has a requirement to monitor all root user activity by notification. How can this best be achieved? Choose 2 answers from the options given below. Each answer forms part of the solution.
Please select:

  • A. Use CloudTrail API calls
  • B. Use a Lambda function
  • C. Create a CloudWatch Logs Rule
  • D. Create a CloudWatch Events Rule

Correct answer: B, D

Explanation:
Below is a snippet from the AWS blogs on a solution

Option C (a CloudWatch Logs Rule) is invalid because you need to create a CloudWatch Events Rule; there is no such thing as a CloudWatch Logs Rule.
Option A (CloudTrail API calls) is invalid because CloudTrail API calls can be recorded but cannot be used to send notifications.
For more information on this blog article, please visit the following URL:
https://aws.amazon.com/blogs/mt/monitor-and-notify-on-aws-account-root-user-activity/
The correct answers are: Create a CloudWatch Events Rule, Use a Lambda function
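
The two pieces the answer combines, as an added example that is not from this page or the AWS blog it cites: a CloudWatch Events rule pattern that selects CloudTrail events made by the root user, a simplified matcher that applies such a pattern to an event, and the Lambda handler that turns a matching event into an SNS notification. The SNS client and topic ARN are injected as parameters so the handler runs offline; the sample events and the `_RecordingSns` stand-in are constructed for the demonstration, and the pattern's `detail-type` values are the ones CloudTrail-backed events carry.

```python
# Event pattern in the shape a CloudWatch Events (EventBridge) rule accepts.
# The two detail-types cover console sign-ins and API calls recorded by
# CloudTrail; the detail filter keeps only root-user identities.
ROOT_ACTIVITY_EVENT_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail",
                    "AWS Console Sign In via CloudTrail"],
    "detail": {"userIdentity": {"type": ["Root"]}},
}


def matches_pattern(event, pattern):
    """Simplified EventBridge matching: every key in the pattern must exist
    in the event; a list means 'value is one of these', a dict recurses."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches_pattern(event[key], expected):
                return False
        elif event[key] not in expected:
            return False
    return True


def summarize_root_event(event):
    """Build the alert text from the CloudTrail fields carried in 'detail'."""
    d = event["detail"]
    return (f"Root user activity in account {event.get('account', '?')}: "
            f"{d.get('eventName')} from {d.get('sourceIPAddress')} "
            f"at {d.get('eventTime')} ({event.get('detail-type')})")


def lambda_handler(event, context=None, sns=None, topic_arn=None):
    """Return the published message, or None when the event is not root
    activity (a defensive re-check in case the rule pattern is loosened)."""
    if not matches_pattern(event, ROOT_ACTIVITY_EVENT_PATTERN):
        return None
    message = summarize_root_event(event)
    if sns is None:  # real deployment: boto3 client and a TOPIC_ARN env var
        import os
        import boto3
        sns = boto3.client("sns")
        topic_arn = os.environ["TOPIC_ARN"]
    sns.publish(TopicArn=topic_arn, Subject="Root user activity", Message=message)
    return message


# Constructed sample events (placeholder account and addresses, not real records)
SAMPLE_ROOT_LOGIN = {
    "account": "111111111111",
    "detail-type": "AWS Console Sign In via CloudTrail",
    "detail": {"eventName": "ConsoleLogin", "eventTime": "2023-11-15T09:00:00Z",
               "sourceIPAddress": "198.51.100.7",
               "userIdentity": {"type": "Root"}},
}
SAMPLE_IAM_USER_CALL = {
    "account": "111111111111",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {"eventName": "DescribeInstances", "eventTime": "2023-11-15T09:05:00Z",
               "sourceIPAddress": "198.51.100.8",
               "userIdentity": {"type": "IAMUser"}},
}


class _RecordingSns:
    """Stand-in for the boto3 SNS client so the handler can run offline."""
    def __init__(self):
        self.published = []

    def publish(self, **kwargs):
        self.published.append(kwargs)
        return {"MessageId": "placeholder"}


if __name__ == "__main__":
    sns = _RecordingSns()
    print(lambda_handler(SAMPLE_ROOT_LOGIN, sns=sns, topic_arn="arn:placeholder"))
    print(lambda_handler(SAMPLE_IAM_USER_CALL, sns=sns, topic_arn="arn:placeholder"))
```

Deployed for real, the rule pattern goes into the CloudWatch Events rule with the Lambda function as its target, and the function's execution role needs only `sns:Publish` on the one topic.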


Question # 51
You need to ensure that objects in an S3 bucket are available in another region, because of the criticality of the data hosted in the S3 bucket. How can you achieve this in the easiest way possible?
Please select:

  • A. Create an S3 snapshot in the destination region
  • B. Enable versioning which will copy the objects to the destination region
  • C. Enable cross region replication for the bucket
  • D. Write a script to copy the objects to another bucket in the destination region

Correct answer: C

Explanation:
Option D (a script that copies the objects) is partially correct, but it is a big maintenance overhead to create and maintain a script when the functionality is already available in S3.
Option A is invalid because snapshots are not available in S3.
Option B is invalid because versioning will not replicate objects.
The AWS Documentation mentions the following:
Cross-region replication is a bucket-level configuration that enables automatic, asynchronous copying of objects across buckets in different AWS Regions.
For more information on cross-region replication in the Simple Storage Service, please visit the below URL:
https://docs.aws.amazon.com/AmazonS3/latest/dev/crr.html
The correct answer is: Enable cross region replication for the bucket


Question # 52
A company's security policy requires that VPC Flow Logs are enabled on all VPCs. A Security Engineer is looking to automate the process of auditing the VPC resources for compliance.
What combination of actions should the Engineer take? (Choose two.)

  • A. Create an AWS Config configuration item for each VPC in the company AWS account.
  • B. Create an AWS Lambda function that determines whether Flow Logs are enabled for a given VPC.
  • C. Create an AWS Config custom rule, and associate it with an AWS Lambda function that contains the evaluating logic.
  • D. Create an AWS Config managed rule with a resource type of AWS::Lambda::Function.
  • E. Create an Amazon CloudWatch Event rule that triggers on events emitted by AWS Config.

Correct answer: B, C

Explanation:
https://medium.com/mudita-misra/how-to-audit-your-aws-resources-for-security-compliance-by-using-custom-aws-config-rules-2e53b09006de
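
What the evaluating logic of such a custom rule looks like, as an added example that is not from this page or the linked article: the Lambda handler reads the configuration item AWS Config passes in `invokingEvent`, checks the VPC with EC2 `DescribeFlowLogs` (filter `resource-id`), and reports COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE back with `PutEvaluations`. The EC2 and Config clients are parameters so the logic runs offline against the `FakeEc2` and `FakeConfig` stand-ins and the constructed `make_event` data below; in Lambda, boto3 clients are created when none are passed.

```python
import json


def vpc_has_flow_logs(ec2, vpc_id):
    """True when at least one Flow Log targets this VPC."""
    resp = ec2.describe_flow_logs(
        Filters=[{"Name": "resource-id", "Values": [vpc_id]}])
    return len(resp.get("FlowLogs", [])) > 0


def evaluate_configuration_item(item, ec2):
    """Return the Config evaluation record for one configuration item."""
    if item["resourceType"] != "AWS::EC2::VPC":
        compliance, note = "NOT_APPLICABLE", "Rule only evaluates VPCs"
    elif item.get("configurationItemStatus") == "ResourceDeleted":
        compliance, note = "NOT_APPLICABLE", "VPC has been deleted"
    elif vpc_has_flow_logs(ec2, item["resourceId"]):
        compliance, note = "COMPLIANT", "Flow Logs are enabled"
    else:
        compliance, note = "NON_COMPLIANT", "No Flow Log is attached to this VPC"
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context=None, ec2=None, config=None):
    """Entry point invoked by AWS Config; 'invokingEvent' is a JSON string."""
    if ec2 is None or config is None:
        import boto3
        ec2 = ec2 or boto3.client("ec2")
        config = config or boto3.client("config")
    item = json.loads(event["invokingEvent"])["configurationItem"]
    evaluation = evaluate_configuration_item(item, ec2)
    config.put_evaluations(Evaluations=[evaluation],
                           ResultToken=event["resultToken"])
    return evaluation


# --- offline stand-ins and constructed sample data (placeholder IDs) ---------
class FakeEc2:
    def __init__(self, flow_logged_vpcs):
        self.flow_logged_vpcs = set(flow_logged_vpcs)

    def describe_flow_logs(self, Filters):
        vpc_id = Filters[0]["Values"][0]
        logs = [{"ResourceId": vpc_id}] if vpc_id in self.flow_logged_vpcs else []
        return {"FlowLogs": logs}


class FakeConfig:
    def __init__(self):
        self.evaluations = []

    def put_evaluations(self, Evaluations, ResultToken):
        self.evaluations.extend(Evaluations)
        return {"FailedEvaluations": []}


def make_event(vpc_id, resource_type="AWS::EC2::VPC"):
    """Constructed Config invocation event in the shape the service sends."""
    item = {"resourceType": resource_type, "resourceId": vpc_id,
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2023-11-15T09:00:00.000Z"}
    return {"invokingEvent": json.dumps({"configurationItem": item}),
            "resultToken": "placeholder-token"}


if __name__ == "__main__":
    ec2, cfg = FakeEc2(["vpc-0aaa"]), FakeConfig()
    for vpc in ("vpc-0aaa", "vpc-0bbb"):
        print(vpc, lambda_handler(make_event(vpc), ec2=ec2, config=cfg)["ComplianceType"])
```

The function's execution role needs `ec2:DescribeFlowLogs` and `config:PutEvaluations`; the custom rule itself is created with the Lambda ARN as its source identifier and `AWS::EC2::VPC` as the scoped resource type, which is what makes Config invoke it with a configuration item rather than on a schedule.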


Question # 53
A company has several Customer Master Keys (CMK), some of which have imported key material. Each CMK must be rotated annually.
What two methods can the security team use to rotate each key? Select 2 answers from the options given below.
Please select:

  • A. Use the CLI or console to explicitly rotate an existing CMK
  • B. Delete an existing CMK and a new default CMK will be created.
  • C. Import new key material to a new CMK; Point the key alias to the new CMK.
  • D. Import new key material to an existing CMK
  • E. Enable automatic key rotation for a CMK

Correct answer: C, E

Explanation:
The AWS Documentation mentions the following:
Automatic key rotation is available for all customer managed CMKs with KMS-generated key material. It is not available for CMKs that have imported key material (the value of the Origin field is External), but you can rotate these CMKs manually.
Rotating Keys Manually
You might want to create a new CMK and use it in place of a current CMK instead of enabling automatic key rotation. When the new CMK has different cryptographic material than the current CMK, using the new CMK has the same effect as changing the backing key in an existing CMK. The process of replacing one CMK with another is known as manual key rotation.
When you begin using the new CMK, be sure to keep the original CMK enabled so that AWS KMS can decrypt data that the original CMK encrypted. When decrypting data, KMS identifies the CMK that was used to encrypt the data, and it uses the same CMK to decrypt the data. As long as you keep both the original and new CMKs enabled, AWS KMS can decrypt any data that was encrypted by either CMK.
Option D (import new key material to an existing CMK) is invalid because you also need to point the key alias to the new key.
Option A is invalid because existing CMKs cannot be rotated as they are.
Option B is invalid because deleting existing keys will not guarantee the creation of a new default CMK.
For more information on key rotation please see the below link:
https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
The correct answers are: Enable automatic key rotation for a CMK, Import new key material to a new CMK; Point the key alias to the new CMK.
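
The manual rotation procedure the documentation describes, as an added example that is not the page's or AWS's code: create a new external-origin CMK, import its material, repoint the alias, and leave the old key enabled so ciphertexts it produced still decrypt. A minimal in-memory `FakeKms` stands in for the boto3 KMS client with the same method names (`create_key`, `import_key_material`, `create_alias`, `update_alias`, `encrypt`, `decrypt`, `disable_key`); its XOR "cipher" and `key-NNNN` IDs only mimic how KMS binds a ciphertext to the key that produced it, and real KMS encrypts under AES-GCM with HSM-held material and expects imported material to be wrapped, not passed raw.

```python
import json
import secrets


class FakeKms:
    """Tiny subset of the KMS API for offline demonstration only."""

    def __init__(self):
        self.keys = {}      # key_id -> {"Enabled": bool, "Origin": str, "Material": bytes|None}
        self.aliases = {}   # "alias/name" -> key_id

    def create_key(self, Origin="AWS_KMS"):
        key_id = f"key-{len(self.keys) + 1:04d}"   # placeholder, not a real KMS key ID
        material = secrets.token_bytes(32) if Origin == "AWS_KMS" else None
        self.keys[key_id] = {"Enabled": True, "Origin": Origin, "Material": material}
        return {"KeyMetadata": {"KeyId": key_id, "Origin": Origin}}

    def import_key_material(self, KeyId, EncryptedKeyMaterial):
        self.keys[KeyId]["Material"] = EncryptedKeyMaterial   # real KMS unwraps it first

    def create_alias(self, AliasName, TargetKeyId):
        self.aliases[AliasName] = TargetKeyId

    def update_alias(self, AliasName, TargetKeyId):
        self.aliases[AliasName] = TargetKeyId

    def disable_key(self, KeyId):
        self.keys[KeyId]["Enabled"] = False

    def _resolve(self, key_ref):
        key_id = self.aliases.get(key_ref, key_ref)
        key = self.keys[key_id]
        if not key["Enabled"]:
            raise PermissionError(f"DisabledException: {key_id} is disabled")
        if key["Material"] is None:
            raise ValueError(f"KMSInvalidStateException: {key_id} has no key material")
        return key_id, key

    def encrypt(self, KeyId, Plaintext):
        key_id, key = self._resolve(KeyId)
        if len(Plaintext) > len(key["Material"]):
            raise ValueError("plaintext too long for the toy cipher")
        body = bytes(p ^ m for p, m in zip(Plaintext, key["Material"]))
        blob = json.dumps({"KeyId": key_id, "c": body.hex()}).encode()
        return {"KeyId": key_id, "CiphertextBlob": blob}

    def decrypt(self, CiphertextBlob):
        # As in KMS, the key is identified from the ciphertext, not chosen by the caller.
        envelope = json.loads(CiphertextBlob)
        key_id, key = self._resolve(envelope["KeyId"])
        body = bytes.fromhex(envelope["c"])
        return {"KeyId": key_id,
                "Plaintext": bytes(c ^ m for c, m in zip(body, key["Material"]))}


def rotate_imported_key_manually(kms, alias_name, new_material):
    """Create a new external-origin CMK, import material, repoint the alias.
    The previous key is deliberately left enabled; both IDs are returned."""
    old_key_id = kms.aliases[alias_name]          # real KMS: list_aliases()
    new_key_id = kms.create_key(Origin="EXTERNAL")["KeyMetadata"]["KeyId"]
    kms.import_key_material(KeyId=new_key_id, EncryptedKeyMaterial=new_material)
    kms.update_alias(AliasName=alias_name, TargetKeyId=new_key_id)
    return old_key_id, new_key_id


def demo():
    """Walk through one rotation and return the facts worth checking."""
    kms = FakeKms()
    first = kms.create_key(Origin="EXTERNAL")["KeyMetadata"]["KeyId"]
    kms.import_key_material(KeyId=first, EncryptedKeyMaterial=secrets.token_bytes(32))
    kms.create_alias(AliasName="alias/app-data", TargetKeyId=first)

    before = kms.encrypt(KeyId="alias/app-data", Plaintext=b"record-1")
    old_id, new_id = rotate_imported_key_manually(kms, "alias/app-data", secrets.token_bytes(32))
    after = kms.encrypt(KeyId="alias/app-data", Plaintext=b"record-2")

    # The old ciphertext still decrypts because the old key is still enabled.
    old_plain = kms.decrypt(CiphertextBlob=before["CiphertextBlob"])["Plaintext"]
    new_plain = kms.decrypt(CiphertextBlob=after["CiphertextBlob"])["Plaintext"]

    # Disabling the old key is what breaks decryption of its ciphertexts.
    kms.disable_key(KeyId=old_id)
    try:
        kms.decrypt(CiphertextBlob=before["CiphertextBlob"])
        old_decrypts_after_disable = True
    except PermissionError:
        old_decrypts_after_disable = False

    return {"old_id": old_id, "new_id": new_id,
            "before_key": before["KeyId"], "after_key": after["KeyId"],
            "old_plain": old_plain, "new_plain": new_plain,
            "old_decrypts_after_disable": old_decrypts_after_disable}


if __name__ == "__main__":
    print(demo())
```

The point the walk-through makes is the one the documentation stresses: callers only ever reference the alias, so repointing it switches new encryptions to the new key, while decryption of older data depends solely on the old key staying enabled.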


Question # 54
A company's security engineer has been tasked with restricting a contractor's IAM account access to the company's Amazon EC2 console without providing access to any other AWS services. The contractor's IAM account must not be able to gain access to any other AWS service, even if the IAM account is assigned additional permissions based on IAM group membership.
What should the security engineer do to meet these requirements?

  • A. Create an inline IAM user policy that allows for Amazon EC2 access for the contractor's IAM user.
  • B. Create an IAM role that allows for EC2 and explicitly denies all other services. Instruct the contractor to always assume this role.
  • C. Create an IAM permissions boundary policy that allows Amazon EC2 access. Associate the contractor's IAM account with the IAM permissions boundary policy.
  • D. Create an IAM group with an attached policy that allows for Amazon EC2 access. Associate the contractor's IAM account with the IAM group.

Correct answer: C


Question # 55
A Security Engineer creates an Amazon S3 bucket policy that denies access to all users. A few days later, the Security Engineer adds an additional statement to the bucket policy to allow read-only access to one other employee. Even after updating the policy, the employee still receives an access denied message.
What is the likely cause of this access denial?

  • A. The ACL in the bucket needs to be updated
  • B. It takes a few minutes for a bucket policy to take effect
  • C. The allow permission is being overridden by the deny
  • D. The IAM policy does not allow the user to access the bucket

Correct answer: D

Explanation:
Reference: https://aws.amazon.com/premiumsupport/knowledge-center/s3-access-denied-bucket-policy/
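
The IAM evaluation rules that Questions 43, 54 and 55 turn on, as an added example that is not the page's code and is a deliberately simplified model: an explicit Deny wins over any Allow, a permissions boundary caps what identity-based policies can grant (as in Question 54), and a `StringEquals` condition on `ec2:ResourceTag/...` restricts access by tag (as in Question 43). Only the grammar the constructed policies below use is supported (`Action`, `Resource`, `Effect`, the `StringEquals` operator); the ARNs and tag values are placeholders.

```python
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wild(pattern, value):
    # IAM action names are case-insensitive; '*' and '?' are the wildcards.
    return fnmatchcase(value.lower(), pattern.lower())


def statement_matches(stmt, action, resource, context):
    """Does this statement apply to the request (action, resource, context)?"""
    if not any(_wild(a, action) for a in _as_list(stmt.get("Action", []))):
        return False
    if not any(_wild(r, resource) for r in _as_list(stmt.get("Resource", []))):
        return False
    for key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if context.get(key) not in _as_list(expected):
            return False          # missing or different context key: no match
    return True


def evaluate_policy(policy, action, resource, context):
    """'Deny' if any Deny statement matches, else 'Allow' if any Allow
    matches, else 'ImplicitDeny'."""
    matched = [s for s in policy["Statement"]
               if statement_matches(s, action, resource, context)]
    if any(s["Effect"] == "Deny" for s in matched):
        return "Deny"
    if any(s["Effect"] == "Allow" for s in matched):
        return "Allow"
    return "ImplicitDeny"


def is_allowed(action, resource, identity_policies, context=None,
               boundary=None, resource_policy=None):
    """Same-account evaluation: any explicit Deny ends it; an identity-based
    Allow counts only if the boundary (when set) also allows; an Allow in a
    resource-based policy is not limited by the boundary."""
    context = context or {}
    policies = list(identity_policies) + ([resource_policy] if resource_policy else [])
    if any(evaluate_policy(p, action, resource, context) == "Deny" for p in policies):
        return False
    identity_allows = any(evaluate_policy(p, action, resource, context) == "Allow"
                          for p in identity_policies)
    if boundary is not None and evaluate_policy(boundary, action, resource, context) != "Allow":
        identity_allows = False
    resource_allows = (resource_policy is not None and
                       evaluate_policy(resource_policy, action, resource, context) == "Allow")
    return identity_allows or resource_allows


# ---- constructed policies (placeholder ARNs and tag values) ----------------
TAG_SCOPED_EC2 = {"Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*",
                                 "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "test"}}}]}
BROAD_ACCESS = {"Statement": [{"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"}]}
EC2_ONLY_BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
DENY_ALL_THEN_ALLOW_ONE = {"Statement": [
    {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::logs-bucket/*", "Principal": "*"},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::logs-bucket/*"},
]}


def demo():
    """Each entry is one of the page's scenarios reduced to a yes/no decision."""
    return {
        "test_instance": is_allowed("ec2:StartInstances", "arn:aws:ec2:::instance/i-test",
                                    [TAG_SCOPED_EC2], {"ec2:ResourceTag/Environment": "test"}),
        "prod_instance": is_allowed("ec2:StartInstances", "arn:aws:ec2:::instance/i-prod",
                                    [TAG_SCOPED_EC2], {"ec2:ResourceTag/Environment": "production"}),
        "boundary_ec2": is_allowed("ec2:DescribeInstances", "*", [BROAD_ACCESS],
                                   boundary=EC2_ONLY_BOUNDARY),
        "boundary_s3": is_allowed("s3:ListBucket", "arn:aws:s3:::logs-bucket", [BROAD_ACCESS],
                                  boundary=EC2_ONLY_BOUNDARY),
        "deny_overrides": is_allowed("s3:GetObject", "arn:aws:s3:::logs-bucket/a.log", [],
                                     resource_policy=DENY_ALL_THEN_ALLOW_ONE),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {'allowed' if decision else 'denied'}")
```

The `boundary_s3` case is the Question 54 requirement in miniature: the group policy grants `s3:*`, but the boundary never allows S3, so the grant is ineffective. The `deny_overrides` case shows why an added Allow statement cannot undo an existing Deny that matches the same request.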


Question # 56
A company is planning on using AWS for hosting their applications. They want complete separation and isolation of their production, testing and development environments. Which of the following is an ideal way to design such a setup?
Please select:

  • A. Use separate IAM Policies for each of the environments
  • B. Use separate AWS accounts for each of the environments
  • C. Use separate VPCs for each of the environments
  • D. Use separate IAM Roles for each of the environments

Correct answer: B

Explanation:
A recommendation from the AWS Security Best Practices highlights this as well.

Option C (separate VPCs) is partially valid: you can segregate resources, but a best practice is to have multiple accounts for this setup.
Options A and D (separate IAM policies or roles) are invalid because from a maintenance perspective this could become very difficult.
For more information on the Security Best Practices, please visit the following URL:
https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf
The correct answer is: Use separate AWS accounts for each of the environments


Question # 57
An organization must establish the ability to delete an AWS KMS Customer Master Key (CMK) within a 24-hour timeframe to keep it from being used for encrypt or decrypt operations. Which of the following actions will address this requirement?

  • A. Change the KMS CMK alias to immediately prevent any services from using the CMK.
  • B. Use the schedule key deletion function within KMS to specify the minimum wait period for deletion
  • C. Manually rotate a key within KMS to create a new CMK immediately
  • D. Use the KMS import key functionality to execute a delete key operation

Correct answer: B


Question # 58
You are planning to use AWS Config to check the configuration of the resources in your AWS account. You are planning on using an existing IAM role for the AWS Config resource. Which of the following is required to ensure the AWS Config service can work as required?
Please select:

  • A. Ensure that there is a grant policy in place for the AWS Config service within the role
  • B. Ensure that there is a group policy in place for the AWS Config service within the role
  • C. Ensure that there is a user policy in place for the AWS Config service within the role
  • D. Ensure that there is a trust policy in place for the AWS Config service within the role

Correct answer: D

Explanation:
Options A, B and C are invalid because you need to ensure a trust policy is in place, not a grant, user or group policy.
For more information on the IAM role permissions please visit the below link:
https://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html
The correct answer is: Ensure that there is a trust policy in place for the AWS Config service within the role


Question # 59
A company has set up the following structure to ensure that their S3 buckets always have logging enabled:

If there are any changes to the configuration of an S3 bucket, a Config rule gets checked. If logging is disabled, then a Lambda function is invoked. This Lambda function will again enable logging on the S3 bucket. Now there is an issue being encountered with the entire flow. You have verified that the Lambda function is being invoked, but when logging is disabled for the bucket, the Lambda function does not enable it again. Which of the following could be the issue?
Please select:

  • A. The AWS Lambda function does not have appropriate permissions for the bucket
  • B. The AWS Config rule is not configured properly
  • C. The AWS Lambda function should use Node.js instead of python.
  • D. You need to also use the API gateway to invoke the lambda function

Correct answer: A

Explanation:
The most probable cause is that you have not allowed the Lambda function the appropriate permissions on the S3 bucket to make the relevant changes.
Option B is invalid because this is more of a permission issue than a configuration rule issue.
Option C is invalid because changing the language will not be the core solution.
Option D is invalid because you don't necessarily need to use the API Gateway service.
For more information on accessing resources from a Lambda function, please refer to the below URL:
https://docs.aws.amazon.com/lambda/latest/dg/accessing-resources.html
The correct answer is: The AWS Lambda function does not have appropriate permissions for the bucket


Question # 60
You have a set of keys defined using the AWS KMS service. You want to stop using a couple of keys, but are not sure which services are currently using them. Which of the following would be a safe option to stop the keys from further usage?
Please select:

  • A. Change the key material for the key
  • B. Set an alias for the key
  • C. Disable the keys
  • D. Delete the keys since anyway there is a 7 day waiting period before deletion

Correct answer: C

Explanation:
Option D (delete the keys) is invalid because once you schedule the deletion and the waiting period ends, you cannot come back from the deletion process.
Options A and B (changing the key material or setting an alias) are invalid because these will not check whether the keys are being used or not.
The AWS Documentation mentions the following:
Deleting a customer master key (CMK) in AWS Key Management Service (AWS KMS) is destructive and potentially dangerous. It deletes the key material and all metadata associated with the CMK, and is irreversible. After a CMK is deleted you can no longer decrypt the data that was encrypted under that CMK, which means that data becomes unrecoverable. You should delete a CMK only when you are sure that you don't need to use it anymore. If you are not sure, consider disabling the CMK instead of deleting it. You can re-enable a disabled CMK if you need to use it again later, but you cannot recover a deleted CMK.
For more information on deleting keys from KMS, please visit the below URL:
https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
The correct answer is: Disable the keys


Question # 61
A security engineer is responsible for providing secure access to AWS resources for thousands of developers in a company's corporate identity provider (IdP). The developers access a set of AWS services from their corporate premises using IAM credentials. Due to the volume of requests for provisioning new IAM users, it is taking a long time to grant access permissions. The security engineer receives reports that developers are sharing their IAM credentials with others to avoid provisioning delays. This causes concern about overall security for the security engineer.
Which actions will meet the program requirements that address security?

  • A. Create multiple IAM roles for each IAM user. Ensure that users who use the same IAM credentials cannot assume the same IAM role at the same time.
  • B. Create an Amazon CloudWatch alarm for AWS CloudTrail events. Create a metric filter to send a notification when the same set of IAM credentials is used by multiple developers.
  • C. Create a VPN tunnel between the corporate premises and the VPC. Allow permissions to all AWS services only if it originates from corporate premises.
  • D. Create a federation between AWS and the existing corporate IdP. Leverage IAM roles to provide federated access to AWS resources.

Correct answer: D

Explanation:
Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_federated-users.html


Question # 62
A Software Engineer wrote a customized reporting service that will run on a fleet of Amazon EC2 instances.
The company security policy states that application logs for the reporting service must be centrally collected.
What is the MOST efficient way to meet these requirements?

  • A. Enable AWS CloudTrail logging for the AWS account, create a new Amazon S3 bucket, and then configure Amazon CloudWatch Logs to receive the application logs from CloudTrail.
  • B. Install the Amazon CloudWatch Logs Agent on the EC2 instances, and configure it to send the application logs to CloudWatch Logs.
  • C. Write an AWS Lambda function that logs into the EC2 instance to pull the application logs from the EC2 instance and persists them into an Amazon S3 bucket.
  • D. Create a simple cron job on the EC2 instances that synchronizes the application logs to an Amazon S3 bucket by using rsync.

Correct answer: B


Question # 63
A company has two AWS accounts, each containing one VPC. The first VPC has a VPN connection with its corporate network. The second VPC, without a VPN, hosts an Amazon Aurora database cluster in private subnets. Developers manage the Aurora database from a bastion host in a public subnet as shown in the image.

A security review has flagged this architecture as vulnerable, and a Security Engineer has been asked to make this design more secure. The company has a short deadline and a second VPN connection to the Aurora account is not possible.
How can a Security Engineer securely set up the bastion host?

  • A. Move the bastion host to the VPC with VPN connectivity. Create a VPC peering relationship between the bastion host VPC and Aurora VPC.
  • B. Move the bastion host to the VPC with VPN connectivity. Create a cross-account trust relationship between the bastion VPC and Aurora VPC, and update the Aurora security group for the relationship.
  • C. Create an SSH port forwarding tunnel on the Developer's workstation to the bastion host to ensure that only authorized SSH clients can access the bastion host.
  • D. Create an AWS Direct Connect connection between the corporate network and the Aurora account, and adjust the Aurora security group for this connection.

Correct answer: A


Question # 64
......


The exam consists of 65 multiple-choice and multiple-response questions and must be completed within 170 minutes. The exam fee is 300 USD, and it can be taken at an authorized testing center or as a proctored online exam. Passing this exam demonstrates a candidate's ability to design and implement secure AWS solutions and provides a competitive advantage in the job market. In addition, the AWS-Security-Specialty certification is valid for three years, after which candidates must recertify.

Amazon AWS-Security-Specialty real questions and braindump question set: https://www.goshiken.com/Amazon/AWS-Security-Specialty-mondaishu.html

Updated AWS-Security-Specialty exam question set PDF 2023 for passing the AWS-Security-Specialty exam: https://drive.google.com/open?id=1QV9VhTEzbdg2yIem1X0QAKVBHJEyC2PT