PDF Questions (Latest 2023) Real Amazon AWS-Security-Specialty Exam Questions [Q257-Q274]



AWS-Security-Specialty question sets are 90% off, with a money-back guarantee


Passing the SCS-C01 exam demonstrates that a candidate has a deep understanding of AWS security best practices and can apply them to keep AWS workloads secure. The certification is highly regarded in the industry and helps security professionals advance their careers. It also helps organizations identify security professionals who hold the certification and can help protect AWS workloads.


The AWS-Security-Specialty exam is a difficult exam that requires a strong understanding of AWS security best practices. Before sitting the exam, at least two years of experience designing and implementing security solutions on AWS is recommended. The exam consists of multiple-choice and multiple-response questions, and candidates must answer them within 170 minutes.

Question # 257
A Security Engineer is setting up an AWS CloudTrail trail for all regions in an AWS account. For added security, the logs are stored using server-side encryption with AWS KMS-managed keys (SSE-KMS) and have log integrity validation enabled.
While testing the solution, the Security Engineer discovers that the digest files are readable, but the log files are not. What is the MOST likely cause?

  • A. An IAM policy applicable to the Security Engineer's IAM user or role denies access to the "CloudTrail/" prefix in the Amazon S3 bucket.
  • B. The bucket is set up to use server-side encryption with Amazon S3-managed keys (SSE-S3) as the default and does not allow SSE-KMS-encrypted files.
  • C. The KMS key policy does not grant the Security Engineer's IAM user or role permissions to decrypt with it.
  • D. The log files fail integrity validation and automatically are marked as unavailable.

Correct answer: C

Explanation:
Enabling server-side encryption with SSE-KMS encrypts the log files but not the digest files. Digest files are encrypted with Amazon S3-managed encryption keys (SSE-S3), which is why they stay readable when the reader lacks permission to use the KMS key. https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html


Question # 258
A Security Engineer has been asked to create an automated process to disable IAM user access keys that are more than three months old.
Which of the following options should the Security Engineer use?

  • A. In the AWS Console, choose the IAM service and select "Users". Review the "Access Key Age" column.
  • B. Define an IAM policy that denies access if the key age is more than three months and apply to all users.
  • C. Create an Amazon CloudWatch alarm to detect aged access keys and use an AWS Lambda function to disable the keys older than 90 days.
  • D. Write a script that uses the GenerateCredentialReport, GetCredentialReport, and UpdateAccessKey APIs.

Correct answer: A
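Option D names the credential-report APIs. The following is an added example, not code from the exam or from AWS, showing how the report returned by GetCredentialReport is read to find active keys past the three-month mark and how the resulting UpdateAccessKey calls would be prepared. The sample report is constructed and contains only a subset of the real report's columns (the column names used are the real ones); the account ID and user names are placeholders.

```python
"""Find IAM access keys older than a threshold from an IAM credential report.

Added example for this page, not a tool from the exam or from AWS. SAMPLE_REPORT
is a constructed subset of the real credential report (GetCredentialReport)
columns; the column names used here are the real ones, but the real report has
many more columns and the data below is made up.
"""
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90  # "three months" in the question

# Constructed sample (not real account data).
SAMPLE_REPORT = """user,arn,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
alice,arn:aws:iam::111122223333:user/alice,true,2023-01-15T10:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,true,2023-11-20T09:30:00+00:00,true,2023-06-01T08:00:00+00:00
carol,arn:aws:iam::111122223333:user/carol,false,2022-05-01T12:00:00+00:00,false,N/A
"""


def parse_timestamp(value):
    """Credential-report timestamps are ISO 8601; 'N/A' or 'no_information'
    mean there is nothing to compare against."""
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_stale_keys(report_csv, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Return [(user, key_slot, age_days)] for *active* keys whose last rotation
    is older than max_age_days. Inactive keys are skipped: they are already
    disabled, and the report still carries their old rotation date."""
    stale = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in (1, 2):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = parse_timestamp(row[f"access_key_{slot}_last_rotated"])
            if rotated is None:
                continue
            age_days = (now - rotated).days
            if age_days > max_age_days:
                stale.append((row["user"], slot, age_days))
    return stale


def plan_deactivation(stale_keys):
    """Build the parameters for the UpdateAccessKey calls (Status=Inactive).
    The credential report does not carry AccessKeyId values, so a real script
    must map each (user, slot) to a key ID with ListAccessKeys first; that
    lookup is left as a labelled placeholder here."""
    return [
        {
            "UserName": user,
            "KeySlot": slot,
            "AccessKeyId": "<lookup via ListAccessKeys>",  # placeholder
            "Status": "Inactive",
        }
        for user, slot, _age in stale_keys
    ]


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for entry in plan_deactivation(find_stale_keys(SAMPLE_REPORT, now)):
        print(entry)
```

Deactivating (rather than deleting) keeps the key recoverable if a workload turns out to depend on it; deletion is a second, separate step once nothing breaks.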


Question # 259
A Web Administrator for the website example.com has created an Amazon CloudFront distribution for dev.example.com, with a requirement to configure HTTPS using a custom TLS certificate imported to AWS Certificate Manager.
Which combination of steps is required to ensure availability of the certificate in the CloudFront console?
(Choose two.)

  • A. Import the certificate with a 4,096-bit RSA public key.
  • B. Import the certificate in the us-east-1 (N. Virginia) Region.
  • C. Call UploadServerCertificate with /cloudfront/dev/ in the path parameter.
  • D. Ensure that the certificate, private key, and certificate chain are PKCS #12-encoded.
  • E. Ensure that the certificate, private key, and certificate chain are PEM-encoded.

Correct answer: B, E


Question # 260
A Security Engineer launches two Amazon EC2 instances in the same Amazon VPC but in separate Availability Zones. Each instance has a public IP address and is able to connect to external hosts on the internet. The two instances are able to communicate with each other by using their private IP addresses, but they are not able to communicate with each other when using their public IP addresses.
Which action should the Security Engineer take to allow communication over the public IP addresses?

  • A. Add 0.0.0.0/0 to the egress rules of the instance security groups.
  • B. Add the instance IDs to the ingress rules of the instance security groups.
  • C. Associate the instances to the same security groups.
  • D. Add the public IP addresses to the ingress rules of the instance security groups.

Correct answer: D


Question # 261
Auditors for a health care company have mandated that all data volumes be encrypted at rest. Infrastructure is deployed mainly via AWS CloudFormation; however, third-party frameworks and manual deployment are required on some legacy systems. What is the BEST way to monitor, on a recurring basis, whether all EBS volumes are encrypted?

  • A. Configure an AWS Config rule to run on a recurring basis for volume encryption
  • B. On a recurring basis, update all IAM user policies to require that EC2 instances are created with an encrypted volume
  • C. Set up Amazon Inspector rules for volume encryption to run on a recurring schedule
  • D. Use CloudWatch Logs to determine whether instances were created with an encrypted volume

Correct answer: B


Question # 262
You have just set up a web and database tier in a VPC and hosted the application. When testing the app, you are not able to reach its home page. You have verified the security groups. What can help you diagnose the issue?
Please select:

  • A. Use the AWS Trusted Advisor to see what can be done.
  • B. Use VPC Flow logs to diagnose the traffic
  • C. Use AWS Guard Duty to analyze the traffic
  • D. Use AWS WAF to analyze the traffic

Correct answer: B

Explanation:
Option A is invalid because Trusted Advisor can be used to check for security issues in your account, but not to verify why you cannot reach the home page of your application. AWS WAF is invalid because it is used to protect your application against application-layer attacks, not to verify why you cannot reach the home page. Amazon GuardDuty is invalid because it is used to protect your instances against attacks, not to verify why you cannot reach the home page.
The AWS documentation mentions the following: VPC Flow Logs capture network flow information for a VPC, subnet, or network interface and store it in Amazon CloudWatch Logs. Flow log data can help customers troubleshoot network issues; for example, to diagnose why specific traffic is not reaching an instance, which might be a result of overly restrictive security group rules. Customers can also use flow logs as a security tool to monitor the traffic that reaches their instances, to profile network traffic, and to look for abnormal traffic behaviors.
For more information on AWS security, please visit the following URL:
https://aws.amazon.com/answers/networking/vpc-security-capabilities
The correct answer is: Use VPC Flow logs to diagnose the traffic


Question # 263
A company hosts multiple externally facing applications, each isolated in its own AWS account. The company's Security team has enabled AWS WAF, AWS Config, and Amazon GuardDuty on all accounts. The company's Operations team has also joined all of the accounts to AWS Organizations and established centralized logging for CloudTrail, AWS Config, and GuardDuty. The company wants the Security team to take a reactive remediation in one account, and automate implementing this remediation as proactive prevention in all the other accounts.
How should the Security team accomplish this?

  • A. Update the AWS WAF rules in the affected account and use AWS Firewall Manager to push updated AWS WAF rules across all other accounts.
  • B. Use GuardDuty centralized logging and Amazon SNS to set up alerts to notify all application teams of security incidents.
  • C. Use AWS Shield Advanced to identify threats in each individual account and then apply the account-based protections to all other accounts through Organizations.
  • D. Use GuardDuty alerts to write an AWS Lambda function that updates all accounts by adding additional NACLs on the Amazon EC2 instances to block known malicious IP addresses.

Correct answer: D


Question # 264
A Lambda function reads metadata from an S3 object and stores the metadata in a DynamoDB table. The function is triggered whenever an object is stored within the S3 bucket.
How should the Lambda function be given access to the DynamoDB table?
Please select:

  • A. Create a resource policy that grants the Lambda function permissions to write to the DynamoDB table. Attach the policy to the DynamoDB table.
  • B. Create an IAM service role with permissions to write to the DynamoDB table. Associate that role with the Lambda function.
  • C. Create a VPC endpoint for DynamoDB within a VPC. Configure the Lambda function to access resources in the VPC.
  • D. Create an IAM user with permissions to write to the DynamoDB table. Store an access key for that user in the Lambda environment variables.

Correct answer: B

Explanation:
The ideal way is to create an IAM role that has the required permissions and then associate it with the Lambda function. The AWS documentation additionally mentions the following: Each Lambda function has an IAM role (execution role) associated with it. You specify the IAM role when you create your Lambda function. Permissions you grant to this role determine what AWS Lambda can do when it assumes the role. There are two types of permissions that you grant to the IAM role:
If your Lambda function code accesses other AWS resources, such as to read an object from an S3 bucket or write logs to CloudWatch Logs, you need to grant permissions for the relevant Amazon S3 and CloudWatch actions to the role.
If the event source is stream-based (Amazon Kinesis Data Streams and DynamoDB Streams), AWS Lambda polls these streams on your behalf. AWS Lambda needs permissions to poll the stream and read new records on the stream, so you need to grant the relevant permissions to this role.
The VPC endpoint option is invalid because a VPC endpoint allows instances in a private subnet to access DynamoDB; it does not grant permissions to the function. The resource policy option is invalid because resource policies exist for resources such as S3 and KMS, but not for AWS Lambda. The IAM user option is invalid because IAM roles should be used, not IAM users. For more information on the Lambda permission model, please visit the URL below:
https://docs.aws.amazon.com/lambda/latest/dg/intro-permission-model.html
The correct answer is: Create an IAM service role with permissions to write to the DynamoDB table. Associate that role with the Lambda function.
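The execution role described above has two halves: a trust policy saying who may assume it, and a permissions policy saying what the function may then do. The following added example (not code from the exam or from AWS) builds both for the S3-to-DynamoDB function and runs a small review check over the permissions policy for the patterns a reviewer rejects in an execution role. Account ID, region, table and bucket names are placeholders.

```python
"""Build and sanity-check the IAM execution role for the S3-to-DynamoDB Lambda.

Added example for this page, not code from the exam or from AWS. The account
ID, region, table name and bucket name are placeholders.
"""
import json

ACCOUNT_ID = "111122223333"            # placeholder
REGION = "us-east-1"                   # placeholder
TABLE_NAME = "ObjectMetadata"          # placeholder
BUCKET_NAME = "example-upload-bucket"  # placeholder


def trust_policy():
    """Who may assume the role: only the Lambda service principal."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def permissions_policy():
    """What the function may do once it holds the role: read objects from the
    triggering bucket, write one table, emit its own logs. No '*' resources."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadTriggeringObject",
                "Effect": "Allow",
                "Action": ["s3:GetObject"],
                "Resource": f"arn:aws:s3:::{BUCKET_NAME}/*",
            },
            {
                "Sid": "WriteMetadata",
                "Effect": "Allow",
                "Action": ["dynamodb:PutItem"],
                "Resource": f"arn:aws:dynamodb:{REGION}:{ACCOUNT_ID}:table/{TABLE_NAME}",
            },
            {
                "Sid": "Logs",
                "Effect": "Allow",
                "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
                "Resource": f"arn:aws:logs:{REGION}:{ACCOUNT_ID}:*",
            },
        ],
    }


def policy_findings(policy):
    """Flag patterns a reviewer rejects in an execution role: wildcard actions,
    a bare '*' resource, and any statement that could alter IAM itself."""
    findings = []
    for st in policy["Statement"]:
        sid = st.get("Sid", "?")
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action}")
            if action.startswith("iam:"):
                findings.append(f"{sid}: IAM action {action} in an execution role")
        if "*" in resources:
            findings.append(f"{sid}: resource '*'")
    return findings


if __name__ == "__main__":
    print(json.dumps(trust_policy(), indent=2))
    print(json.dumps(permissions_policy(), indent=2))
    print("findings:", policy_findings(permissions_policy()))
```

Option D's alternative, a long-lived user access key in environment variables, has no equivalent here on purpose: the role's credentials are short-lived and injected by the Lambda service, so there is nothing to rotate or leak from configuration.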


Question # 265
What is the function of the following AWS Key Management Service (KMS) key policy attached to a customer master key (CMK)?

  • A. The CMK is to be used for encrypting and decrypting only when the principal is ExampleUser and the request comes from WorkMail or SES in the specified region.
  • B. The ExampleUser principal can transparently encrypt and decrypt email exchanges specifically between ExampleUser and AWS.
  • C. The key policy allows WorkMail or SES to encrypt or decrypt on behalf of the user for any CMK in the account.
  • D. The Amazon WorkMail and Amazon SES services have delegated KMS encrypt and decrypt permissions to the ExampleUser principal in the 111122223333 account.

Correct answer: A


Question # 266
A company deploys a set of standard IAM roles in its AWS accounts. The IAM roles are based on job functions within the company. To balance operational efficiency and security, a security engineer implemented AWS Organizations SCPs to restrict access to critical security services in all company accounts.
All of the company's accounts and OUs within AWS Organizations have the default FullAWSAccess SCP attached. The security engineer needs to ensure that no one can disable Amazon GuardDuty and AWS Security Hub. The security engineer also must not override other permissions that are granted by IAM policies that are defined in the accounts.
Which SCP should the security engineer attach to the root of the organization to meet these requirements?

  • A.
  • B.
  • C.
  • D.

Correct answer: A


Question # 267
Your company is planning on using bastion hosts for administering the servers in AWS. Which of the following is the best description of a bastion host from a security perspective?
Please select:

  • A. Bastion hosts allow users to log in using RDP or SSH and use that session to SSH into the internal network to access private subnet resources.
  • B. A Bastion host sits on the outside of an internal network and is used as a gateway into the private network and is considered the critical strong point of the network
  • C. A Bastion host should be on a private subnet and never a public subnet due to security concerns
  • D. A Bastion host should maintain extremely tight security and monitoring as it is available to the public

Correct answer: A

Explanation:
A bastion host is a special-purpose computer on a network specifically designed and configured to withstand attacks. The computer generally hosts a single application, for example a proxy server, and all other services are removed or limited to reduce the threat to the computer.
In AWS, a bastion host is kept on a public subnet. Users log on to the bastion host via SSH or RDP and then use that session to manage other hosts in the private subnets.
The other placement options are invalid because the bastion host needs to sit on the public network. The monitoring option is invalid because bastion hosts are not used for monitoring. For more information on bastion hosts, browse to the URL below:
https://docs.aws.amazon.com/quickstart/latest/linux-bastion/architecture.html
The correct answer is: Bastion hosts allow users to log in using RDP or SSH and use that session to SSH into the internal network to access private subnet resources.


Question # 268
A company is configuring three Amazon EC2 instances, each in a separate Availability Zone. The EC2 instances will be used as transparent proxies for outbound internet traffic on ports 80 and 443 so the proxies can block traffic to certain internet destinations as required by the company's security policies. A Security Engineer completed the following:
* Set up the proxy software on the EC2 instances.
* Modified the route tables on the private subnets to use the proxy EC2 instances as the default route.
* Created a security group rule opening inbound TCP ports 80 and 443 on the proxy EC2 instance security group.
However, the proxy EC2 instances are not successfully forwarding traffic to the internet.
What should the Security Engineer do to make the proxy EC2 instances route traffic to the internet?

  • A. Open all inbound ports on the proxy EC2 instance security group.
  • B. Put all the proxy EC2 instances in a cluster placement group.
  • C. Change the VPC's DHCP domain-name-servers options set to the IP addresses of proxy EC2 instances.
  • D. Disable source and destination checks on the proxy EC2 instances.

Correct answer: D

Explanation:
Reference: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html


Question # 269
A company has a serverless application for internal users deployed on AWS. The application uses AWS Lambda for the front end and for business logic. The Lambda function accesses an Amazon RDS database inside a VPC. The company uses AWS Systems Manager Parameter Store for storing database credentials. A recent security review highlighted the following issues:
* The Lambda function has internet access.
* The relational database is publicly accessible.
* The database credentials are not stored in an encrypted state.
Which combination of steps should the company take to resolve these security issues? (Select THREE)

  • A. Edit the IAM role used by Lambda to restrict internet access.
  • B. Disable public access to the RDS database inside the VPC
  • C. Move all the Lambda functions inside the VPC.
  • D. Create a VPC endpoint for Systems Manager. Store the credentials as a SecureString parameter.
  • E. Edit the IAM role used by RDS to restrict internet access.
  • F. Create a VPC endpoint for Systems Manager. Store the credentials as a string parameter. Change the parameter type to an advanced parameter.

Correct answer: B, C, E


Question # 270
Your company has defined a set of S3 buckets in AWS. They need to monitor the S3 buckets and know the source IP address and the person who makes requests to the S3 buckets. How can this be achieved?
Please select:

  • A. Monitor the S3 API calls by using CloudTrail logging
  • B. Enable Amazon Inspector for the S3 bucket
  • C. Monitor the S3 API calls by using CloudWatch logging
  • D. Enable VPC Flow Logs to know the source IP addresses

Correct answer: A

Explanation:
The AWS documentation mentions the following:
Amazon S3 is integrated with AWS CloudTrail. CloudTrail is a service that captures specific API calls made to Amazon S3 from your AWS account and delivers the log files to an Amazon S3 bucket that you specify. It captures API calls made from the Amazon S3 console or from the Amazon S3 API.
Using the information collected by CloudTrail, you can determine what request was made to Amazon S3, the source IP address from which the request was made, who made the request, when it was made, and so on. The other options are invalid because those services cannot be used to get the source IP address of the calls to S3 buckets. For more information on CloudTrail logging, please refer to the link below:
https://docs.aws.amazon.com/AmazonS3/latest/dev/cloudtrail-logging.html
The correct answer is: Monitor the S3 API calls by using CloudTrail logging


Question # 271
You need to inspect the running processes on an EC2 instance that may have a security issue. How can you achieve this in the easiest way possible? You also need to ensure that the process does not interfere with the continuous running of the instance.
Please select:

  • A. Use AWS Config to see the changed process information on the server
  • B. Use the SSM Run Command to send the list of running processes to an S3 bucket.
  • C. Use AWS CloudTrail to record the processes running on the server to an S3 bucket.
  • D. Use Amazon CloudWatch to record the processes running on the server

Correct answer: B

Explanation:
The SSM Run Command can be used to send OS-specific commands to an instance. Here you can check the running processes on an instance and then send the output to an S3 bucket.
AWS CloudTrail is invalid because it is used to record API activity and cannot be used to record running processes.
Amazon CloudWatch is invalid because it is a logging and metrics service and cannot be used to record running processes.
AWS Config is invalid because it is a configuration service and cannot be used to record running processes.
For more information on the Systems Manager Run Command, please visit the following URL:
https://docs.aws.amazon.com/systems-manager/latest/userguide/execute-remote-commands.html
The correct answer is: Use the SSM Run Command to send the list of running processes to an S3 bucket.


Question # 272
A financial institution has the following security requirements:
* Cloud-based users must be contained in a separate authentication domain.
* Cloud-based users cannot access on-premises systems.
As part of standing up a cloud environment, the financial institution is creating a number of Amazon managed databases and Amazon EC2 instances. An Active Directory service exists on-premises that has all the administrator accounts, and these must be able to access the databases and instances.
How would the organization manage its resources in the MOST secure manner? (Choose two.)

  • A. Configure an AWS Managed Microsoft AD to manage the cloud resources.
  • B. Establish a two-way trust between the new and existing Active Directory services.
  • C. Establish a one-way trust relationship from the new Active Directory to the existing Active Directory service.
  • D. Configure an additional on-premises Active Directory service to manage the cloud resources.
  • E. Establish a one-way trust relationship from the existing Active Directory to the new Active Directory service.

Correct answer: A, B

Explanation:
Deploy a new forest/domain on AWS with a one-way trust. If you are planning on leveraging credentials from an on-premises AD on AWS member servers, you must establish at least a one-way trust to the Active Directory running on AWS. In this model, the AWS domain becomes the resource domain where computer objects are located, and the on-premises domain becomes the account domain. Ref: https://d1.awsstatic.com/whitepapers/adds-on-aws.pdf


Question # 273
A company has five AWS accounts and wants to use AWS CloudTrail to log API calls. The log files must be stored in an Amazon S3 bucket that resides in a new account specifically built for centralized services, with a unique top-level prefix for each trail. The configuration must also enable detection of any modification to the logs.
Which of the following steps will implement these requirements? (Choose three.)

  • A. Use an existing S3 bucket in one of the accounts, apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the "s3:PutObject" action and the "s3:GetBucketAcl" action, and specify the appropriate resource ARNs for the CloudTrail trails.
  • B. Create a new S3 bucket in a separate AWS account for centralized storage of CloudTrail logs, and enable "Log File Validation" on all trails.
  • C. Enable encryption of the log files by using AWS Key Management Service.
  • D. Configure CloudTrail in the centralized account to log all accounts to the new centralized S3 bucket.
  • E. Use unique log file prefixes for trails in each AWS account.
  • F. Apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the "s3:PutObject" action and the "s3:GetBucketAcl" action, and specify the appropriate resource ARNs for the CloudTrail trails.

Correct answer: B, D, F

Explanation:
Reference: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html
If you have created an organization in AWS Organizations, you can create a trail that will log all events for all AWS accounts in that organization. This is sometimes referred to as an organization trail. You can also choose to edit an existing trail in the master account and apply it to an organization, making it an organization trail. Organization trails log events for the master account and all member accounts in the organization. For more information about AWS Organizations, see Organizations Terminology and Concepts.
Reference: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html
You must be logged in with the master account for the organization in order to create an organization trail. You must also have sufficient permissions for the IAM user or role in the master account in order to successfully create an organization trail. If you do not have sufficient permissions, you will not see the option to apply a trail to an organization.
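Option F describes the bucket policy the centralized bucket needs, and Question # 257 above describes where CloudTrail places log and digest files under it. The following added example (not code from the exam or from AWS) generates that policy for several source accounts, each confined to its own top-level prefix, shows the object key prefix each trail will write to, and reads the policy back to confirm no account was left out. Bucket name, account IDs and prefixes are placeholders; the statement shapes (s3:GetBucketAcl on the bucket, s3:PutObject on <prefix>/AWSLogs/<account>/* with the bucket-owner-full-control ACL condition) are the ones AWS documents for CloudTrail delivery to S3.

```python
"""Bucket policy for a centralized CloudTrail log bucket fed by several accounts.

Added example for this page, not code from the exam or from AWS. The bucket
name, account IDs and prefixes are placeholders.
"""
import json

CENTRAL_BUCKET = "example-central-trail-logs"  # placeholder
# Placeholder: source account ID -> unique top-level prefix configured on its trail
TRAIL_ACCOUNTS = {
    "111111111111": "account-a",
    "222222222222": "account-b",
    "333333333333": "account-c",
}


def cloudtrail_bucket_policy(bucket, accounts):
    """One ACL-check statement plus one PutObject resource per source account,
    so a trail in account X can only write under X's prefix and AWSLogs/X/."""
    write_resources = [
        f"arn:aws:s3:::{bucket}/{prefix}/AWSLogs/{account_id}/*"
        for account_id, prefix in sorted(accounts.items())
    ]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": write_resources,
                # CloudTrail must hand the bucket owner full control of each object
                "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
            },
        ],
    }


def expected_log_key_prefix(prefix, account_id, region, year, month, day):
    """Where CloudTrail places log files for a given trail prefix and day.
    Digest files for log file validation go under .../CloudTrail-Digest/ instead."""
    return f"{prefix}/AWSLogs/{account_id}/CloudTrail/{region}/{year}/{month:02d}/{day:02d}/"


def accounts_allowed_to_write(policy):
    """Read back which account IDs the PutObject statement admits, from the
    resource ARNs; a pre-deploy check that no trail will be refused."""
    allowed = set()
    for st in policy["Statement"]:
        if st.get("Action") != "s3:PutObject":
            continue
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        for arn in resources:
            if "/AWSLogs/" in arn:
                allowed.add(arn.split("/AWSLogs/")[1].split("/")[0])
    return allowed


def missing_accounts(policy, accounts):
    """Accounts whose trails would get AccessDenied on delivery."""
    return set(accounts) - accounts_allowed_to_write(policy)


if __name__ == "__main__":
    policy = cloudtrail_bucket_policy(CENTRAL_BUCKET, TRAIL_ACCOUNTS)
    print(json.dumps(policy, indent=2))
    print("missing:", missing_accounts(policy, TRAIL_ACCOUNTS))
```

Scoping each PutObject resource to the account's own AWSLogs/<account>/ path matters in a shared bucket: without it, a trail configured in one account could write into another account's prefix. Log file validation (option B) is enabled on the trail itself; the bucket policy only needs to admit the digest files, which land under the same account path.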


Question # 274
......

Updated December 2023 real practice test questions to pass the AWS-Security-Specialty exam: https://www.goshiken.com/Amazon/AWS-Security-Specialty-mondaishu.html

100% verified AWS-Security-Specialty exam questions to get you through the exam: https://drive.google.com/open?id=1I1ncrtwnNmlWfPKBOyUFMV94tm_FXKbZ