AWS Certified Security – Specialty Q & A

1) Which of the following is a multi-tenant managed service which allows you to securely store and manage your encryption keys?
Config
KMS
CloudTrail

Correct Answer: KMS

2) Which of the following tools can be used to give you visibility of the assets you have in AWS?
CloudFormation
AWS Config
CloudTrail

Correct Answer: AWS Config

3) For which of the following are you responsible for ensuring the Operating System is configured securely?
EC2
DynamoDB
RDS

Correct Answer: EC2

4) Which of the following services would you use to check CPU utilization of your EC2 instances?
Config
CloudFormation
CloudWatch

Correct Answer: CloudWatch

5) Which of the following AWS services can be used to enable customers to quickly adapt to the changing needs of their business? (Choose 2)
Elastic Beanstalk
CloudFormation
Config
CloudTrail

Correct Answer: Elastic Beanstalk; CloudFormation

6) Which of the following is NOT the responsibility of AWS in terms of Security and Compliance?
Configuration of hypervisors
Configuration of the Operating System running on EC2 instances
Configuration of managed Services like S3 and DynamoDB

Correct Answer: Configuration of the Operating System running on EC2 instances

7) When using AWS, which of the following are a customer responsibility in terms of Security and Compliance? (Choose 2)
Configuring IAM
Applying security updates and patching DynamoDB
Applying security updates and patching the Operating System running on EC2 instances
Applying security updates and patching the hypervisor

Correct Answer: Configuring IAM; Applying security updates and patching the Operating System running on EC2 instances

8) Which of the following services can be used to automate technical tasks, avoid mistakes caused by human error and ensure that processes in your organization are repeatable? (Choose 2)
OpsWorks
API Gateway
CodeDeploy
Elastic Beanstalk

Correct Answer: OpsWorks; CodeDeploy

9) Which of the following services can you use to find out if you have accidentally configured one of your Security Groups with SSH access on port 22 open to the world?
CloudFormation
Config
Trusted Advisor

Correct Answer: Trusted Advisor (its "Security Groups - Specific Ports Unrestricted" check flags 0.0.0.0/0 on port 22; note that the AWS Config managed rule restricted-ssh detects the same misconfiguration, so in practice either service can do this)

10) Which of the following services can be used to provide an audit trail of all the API activity taking place in your AWS account?
Config
CloudTrail
Trusted Advisor

Correct Answer: CloudTrail

11) The root administrator has left your company, what should you do to ensure your AWS account is secure? (Choose 4)
Delete the root account and recreate it with new credentials
Delete any root owned access keys if they exist
Create new access keys for root
Delete all IAM accounts and recreate them with new credentials
Change the root password
Deactivate and reactivate Multi Factor Authentication
Review your IAM accounts and delete any account which belongs to the user who has left the company

Correct Answer: Delete any root owned access keys if they exist; Change the root password; Deactivate and reactivate Multi Factor Authentication; Review your IAM accounts and delete any account which belongs to the user who has left the company

12) Which kind of AWS IAM Policy would you use if you strictly want to attach the policy to a single user and be certain that it cannot be accidentally attached to any other user?
Any IAM Policy type can be configured to enforce this
AWS Managed Policy
Inline Policy

Correct Answer: Inline Policy

13) Which of the following mechanisms would you use to apply fine grained permissions on an object in S3?
Bucket Policy
S3 ACL
IAM Policy

Correct Answer: S3 ACL (object ACLs are the only mechanism in this list that attaches to an individual object; AWS now recommends disabling ACLs via S3 Object Ownership "bucket owner enforced" and scoping bucket or IAM policies to object ARNs instead)

14) To which of the following entities can you attach an IAM Policy? (Choose 2)
S3 Buckets
IAM Groups
IAM Roles

Correct Answer: IAM Groups; IAM Roles

15) You have created an S3 bucket policy which denies access to all users. Later on you add an additional statement to the bucket policy to allow read only access to one of your colleagues, however even after updating the policy, your colleague is still getting an access denied message. What is the reason for this?
It takes a few minutes for a bucket policy to take effect
You need to update the ACL in the bucket
An explicit deny always overrides an allow, so access will be denied

Correct Answer: An explicit deny always overrides an allow, so access will be denied

16) Which of the following statements is correct in relation to user federation with Active Directory? (Choose 2)
All Active Directory users require corresponding IAM credentials within your AWS account
The user must browse to the ADFS sign-in page
Users do not need to have IAM credentials
The user must browse to the AWS sign-in page

Correct Answer: The user must browse to the ADFS sign-in page; Users do not need to have IAM credentials

17) Which of the following policies work in combination to define who or what can access an S3 bucket? (Choose 2)
S3 Bucket Policy
S3 Access Control Policies
IAM Policy
S3 Object Policy

Correct Answer: S3 Bucket Policy; IAM Policy

18) Which of the following does AWS IAM enable you to do? (Choose 4)
Identity Federation with Active Directory
Identity Federation with Web Identity providers
Manage user access to the AWS Console
Multi-Factor Authentication
Biometric verification

Correct Answer: Identity Federation with Active Directory; Identity Federation with Web Identity providers; Manage user access to the AWS Console; Multi-Factor Authentication

19) You have created a new S3 bucket and you want to force users to use HTTPS when uploading objects to your bucket. Which approach should you use?
Configure an ACL which includes a condition statement which denies requests which do not use aws:SecureTransport
Configure a bucket policy which includes a condition statement which denies requests which do not use aws:SecureTransport
Configure an IAM policy which includes a condition statement which denies requests which do not use aws:SecureTransport

Correct Answer: Configure a bucket policy which includes a condition statement which denies requests which do not use aws:SecureTransport

20) Which of the following would you use to define the IAM permissions which specify what can be done and what actions can be taken against resources in your AWS environment?
IAM Group
IAM User
IAM Policy

Correct Answer: IAM Policy

21) Which four things are returned by GetFederationToken when a user successfully logs in to AWS using their Active Directory credentials?
Access key, secret access key, token, presigned url
Access key, secret access key, session token, expiration
User name, temporary password, SAML token, expiration

Correct Answer: Access key, secret access key, session token, expiration (GetFederationToken is the call a custom identity broker makes; SAML-based Active Directory federation uses AssumeRoleWithSAML, whose Credentials element carries the same four fields)

22) Which of the following approaches would you use to enable an application running on EC2 to read objects located in an S3 bucket?
Create an IAM user with read access to the bucket and embed the user’s credentials in your application code.
Create an IAM role with read access to the bucket and associate the role with the EC2 instance
Create an IAM group with read access to the bucket and add the EC2 instance to the group

Correct Answer: Create an IAM role with read access to the bucket and associate the role with the EC2 instance

23) You are configuring a CloudFront web distribution for your website hosted in S3. Your marketing team has already purchased a registered domain name that they would like to use for the new website. Which kind of SSL certificate would you use in this configuration?
Use a custom SSL certificate with the certificate stored in ACM in us-east-2
Use the default CloudFront certificate with the certificate stored in IAM
Use a custom SSL certificate with the certificate stored in ACM in us-east-1

Correct Answer: Use a custom SSL certificate with the certificate stored in ACM in us-east-1

24) You have configured Cross Region Replication on your S3 bucket and would like to enforce the use of SSL. How would you approach this?
Configure a bucket policy which includes a condition statement which denies requests which do not use aws:SecureTransport
Select Use SSL in the console when configuring cross Region Replication
Do nothing, SSL is enabled by default when you configure Cross Region Replication

Correct Answer: Do nothing, SSL is enabled by default when you configure Cross Region Replication

25) Which AWS API is called when a user accesses AWS using their Active Directory credentials?
Security Token Service
SAML 2.0
Cognito

Correct Answer: Security Token Service (the AssumeRoleWithSAML operation; SAML 2.0 is the protocol carrying the assertion, not an AWS API)

26) Which of the following types of IAM Policy is created and administered by you and can be attached to multiple users, groups or roles within your account?
All IAM Policies
Customer Managed Policies
Inline Policies

Correct Answer: Customer Managed Policies

27) The AWS STS API supports which of the following methods of access? (Choose 3)
Kubernetes Federation
Cross Account Access
Web Identity Federation
Active Directory Federation
Azure AD Federation

Correct Answer: Cross Account Access; Web Identity Federation; Active Directory Federation

Note: these map to the STS operations AssumeRole, AssumeRoleWithWebIdentity and AssumeRoleWithSAML. Azure AD and other SAML 2.0 identity providers connect through the same AssumeRoleWithSAML path as ADFS, so the question treats them as SAML (Active Directory) federation rather than a separate method.

28) Which of the following is correct in relation to Service Control Policies? (Choose 2)
They are deny by default and can only be used to allow access to AWS resources
They can only be used to limit permissions to AWS resources
An SCP applies to all Organizational Units and accounts below the Organizational Unit to which it has been attached
They can be used to allow or deny access to AWS resources

Correct Answer: They can only be used to limit permissions to AWS resources; An SCP applies to all Organizational Units and accounts below the Organizational Unit to which it has been attached

29) You have created a website hosted in S3 and configured a CloudFront web distribution. Which steps do you need to take to force your users to access your site using CloudFront and not directly using the S3 url? (Choose 3)
Create an origin access identity for your S3 origin
Change the permissions on your Amazon S3 bucket so that only the CloudFront endpoint has access
Configure the bucket policy on your Amazon S3 bucket so that only the origin access identity has read permission for objects in the bucket
Select “Restrict Bucket Access” in the Origin Settings of your CloudFront Distribution

Correct Answer: Create an origin access identity for your S3 origin; Configure the bucket policy on your Amazon S3 bucket so that only the origin access identity has read permission for objects in the bucket; Select "Restrict Bucket Access" in the Origin Settings of your CloudFront Distribution

30) You would like to give a user temporary access to a single object in your S3 bucket, which of the following is the most secure way to do this?
Change the ownership of the object to the user who needs to access it
Give the user read access to the bucket
Create a presigned url and share it with the user

Correct Answer: Create a presigned url and share it with the user

31) You have created a new user and given them the following IAM permissions: s3:Get* and s3:List* for all S3 resources. Which of the following statements is correct? (Choose 2)
The user is able to read objects in any S3 bucket
The user is able to list the objects in any S3 bucket
The user is able to delete objects from any S3 bucket
The user is able to add objects to any S3 bucket

Correct Answer: The user is able to read objects in any S3 bucket; The user is able to list the objects in any S3 bucket

32) What is a permissions boundary used for?
It is used to limit the maximum permissions for a user, group or role
It is used to prevent resources based in one region from accessing resources based in another
It is used to limit the privileges of the Root user

Correct Answer: It is used to limit the maximum permissions for a user, group or role

33) You would like to restrict access to S3 across a number of different AWS accounts in your organization. Which AWS feature can you use to do this?
Service Control Policy
S3 bucket policies
Consolidated Billing

Correct Answer: Service Control Policy
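The questions on explicit deny (Q15), enforcing HTTPS with aws:SecureTransport (Q19), SCPs (Q28, Q33), permissions boundaries (Q32) and wildcard actions (Q31) all come down to how AWS combines the policies that apply to a request. The following is an added worked example written for these notes, not AWS code and not part of the original Q&A. It is a toy model of the IAM evaluation order for a same-account S3 request; the helper names (is_authorized, s3_request and so on), bucket name and ARNs are made up for illustration, and Principal, NotAction and condition operators other than Bool are not modelled.

```python
"""Toy model of AWS IAM policy evaluation for S3 requests (added illustration,
not AWS code). It shows why an explicit Deny beats any Allow (Q15), how a
bucket policy refuses plain-HTTP requests via aws:SecureTransport (Q19), why an
SCP or permissions boundary can narrow but never grant access (Q28, Q32, Q33),
and why s3:Get*/s3:List* does not cover Delete or Put actions (Q31).
Bucket name and ARNs are made-up sample values; the principal is assumed to be
in the same account as the bucket, so Principal elements are not evaluated."""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def statement_decision(stmt, request):
    """Return 'Allow', 'Deny', or None when the statement does not apply."""
    actions = [a.lower() for a in _as_list(stmt["Action"])]  # action names are case-insensitive
    if not _matches(actions, request["action"].lower()):
        return None
    if not _matches(stmt.get("Resource", "*"), request["resource"]):
        return None
    for operator, conds in stmt.get("Condition", {}).items():
        if operator != "Bool":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in conds.items():
            actual = request["context"].get(key)
            # A missing context key makes the condition false, so the statement is skipped.
            if actual is None or str(actual).lower() != str(expected).lower():
                return None
    return stmt["Effect"]


def policy_decision(policy, request):
    """Deny if any statement denies, Allow if any allows, otherwise None (implicit deny)."""
    decisions = {statement_decision(s, request) for s in policy["Statement"]}
    return "Deny" if "Deny" in decisions else "Allow" if "Allow" in decisions else None


def is_authorized(request, identity_policies=(), resource_policies=(), scps=(), boundary=None):
    """Simplified same-account order: any explicit Deny -> every SCP must allow ->
    the boundary must allow -> an identity or resource policy must allow."""
    granting = list(identity_policies) + list(resource_policies)
    limiting = list(scps) + ([boundary] if boundary else [])
    if any(policy_decision(p, request) == "Deny" for p in granting + limiting):
        return False  # an explicit deny always wins, whichever policy it lives in (Q15)
    if any(policy_decision(p, request) != "Allow" for p in scps):
        return False  # an SCP only limits; it never grants access by itself (Q28, Q33)
    if boundary and policy_decision(boundary, request) != "Allow":
        return False  # the boundary caps what the identity policy can grant (Q32)
    return any(policy_decision(p, request) == "Allow" for p in granting)


def s3_request(action, resource, https=True):
    """Build a request; aws:SecureTransport reflects whether TLS was used."""
    return {"action": action, "resource": resource,
            "context": {"aws:SecureTransport": "true" if https else "false"}}


BUCKET = "arn:aws:s3:::example-bucket"  # sample ARN, not a real bucket
OBJECT = BUCKET + "/reports/q1.csv"

# Q15: deny everything, then add an Allow later; the Allow never takes effect.
DENY_ALL_THEN_ALLOW = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"]},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET + "/*"}]}
# Q19: bucket policy that refuses any request not made over TLS.
REQUIRE_TLS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
# Q31: identity policy with s3:Get* and s3:List* on all S3 resources.
READ_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}
FULL_S3 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
# Q28/Q33: SCP keeping the default FullAWSAccess but blocking S3 deletes across the OU.
NO_S3_DELETE_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"}]}
# Q32: permissions boundary that caps a user at listing only.
LIST_ONLY_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:List*", "Resource": "*"}]}

if __name__ == "__main__":
    print("Q15 read after deny-all:", is_authorized(s3_request("s3:GetObject", OBJECT), resource_policies=[DENY_ALL_THEN_ALLOW]))
    print("Q19 read over HTTP:", is_authorized(s3_request("s3:GetObject", OBJECT, https=False), [READ_ONLY], [REQUIRE_TLS]))
    print("Q31 delete with Get*/List*:", is_authorized(s3_request("s3:DeleteObject", OBJECT), [READ_ONLY]))
    print("Q33 delete under SCP:", is_authorized(s3_request("s3:DeleteObject", OBJECT), [FULL_S3], scps=[NO_S3_DELETE_SCP]))
    print("Q32 read under boundary:", is_authorized(s3_request("s3:GetObject", OBJECT), [READ_ONLY], boundary=LIST_ONLY_BOUNDARY))
```

Two things the model makes visible that the questions only state: the SCP with Allow "*" does not let READ_ONLY write to the bucket, because granting and limiting policies are checked separately, and the Q19 deny statement simply does not apply to an HTTPS request (its decision is None), so a plain Allow elsewhere is what finally authorizes the TLS request.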

34) Which of the following can you achieve using Amazon Cognito? (Choose 2)
Self-service password resets for Facebook users
Anonymous guest access to your web application
Federated access to your web application for Active directory users outside your organisation
Federated access to your web application for Facebook users

Correct Answer: Anonymous guest access to your web application; Federated access to your web application for Facebook users

35) What is meant by the “principal” in relation to AWS and permissions?
The principal is used to define which region the permissions you are specifying will apply to
The principal specifies the user, account, service, or other entity that is allowed or denied access to a resource
The principal specifies the AWS root account ID

Correct Answer: The principal specifies the user, account, service, or other entity that is allowed or denied access to a resource

36) Which of the following policy types is created and managed completely by AWS?
All IAM Policies
Customer Managed Policy
AWS Managed Policy
Inline Policy

Correct Answer: AWS Managed Policy

37) How would you go about enforcing a mandatory 5 year retention policy on your Glacier archives?
Use a lifecycle policy which moves all archives less than 5 years in age to WORM storage
Use an S3 Bucket policy which prevents users from deleting archives which are less than 5 years in age
Use a Vault Lock Policy which prevents any user from deleting archives which are less than 5 years in age

Correct Answer: Use a Vault Lock Policy which prevents any user from deleting archives which are less than 5 years in age

38) Which of the following steps would you need to complete in order to configure Cross Region Replication where source and destination buckets are owned by different accounts?
The owner of the source bucket must grant the owner of the destination bucket permissions to replicate objects with a bucket policy AND the owner of the destination bucket must grant the owner of the source bucket permissions to replicate objects with a bucket policy.
The owner of the destination bucket must grant the owner of the source bucket permissions to replicate objects with a bucket policy.
The owner of the source bucket must grant the owner of the destination bucket permissions to replicate objects with a bucket policy.

Correct Answer: The owner of the destination bucket must grant the owner of the source bucket permissions to replicate objects with a bucket policy.

39) Last week you created a Vault Lock Policy to prevent archived files from being deleted unless they are over 2 years old. But now your CTO has changed their mind and only wants to keep the archives for 1 year. What is your recommended approach?
Abort the Vault Lock and create a new one to fit the new requirement
Go back to the CTO and explain that once the Vault Lock is in place, it cannot be changed
Delete the Vault Lock completely and suggest using S3 lifecycle policies instead

Correct Answer: Go back to the CTO and explain that once the Vault Lock is in place, it cannot be changed

40) Which of the following statements is correct in relation to S3 cross-region replication?
You are charged extra for SSL
SSL is enabled by default
The source and destination bucket may be in the same region

Correct Answer: SSL is enabled by default

41) Which feature of AWS would you use to configure consolidated billing, group your AWS accounts into logical groupings for access control and attach Service Control Policies?
AWS IAM
Cross Account Access
AWS Organizations

Correct Answer: AWS Organizations

42) Which of the following best describes a Glacier Vault?
A secure place to store security tokens, passwords, certificates, API keys, and other secrets
A container which stores one or more Glacier archives
A single file or multiple files stored in a .tar or .zip format within Glacier

Correct Answer: A container which stores one or more Glacier archives

43) Which of the following IAM Policies can you change to update them when the needs of your organization change? (Choose 2)
All IAM Policies
Customer Managed Policies
Inline Policies
AWS Managed Policies

Correct Answer: Customer Managed Policies; Inline Policies

44) You are looking for a security assessment tool to help improve the security and compliance in your environment by assessing your applications to check if they conform to best practices, which of the following should you use?
AWS Trusted Advisor
Amazon Inspector
AWS Config

Correct Answer: Amazon Inspector

45) There are 3 key components to CloudWatch – CloudWatch monitoring, CloudWatch Logs and CloudWatch Events. What do these 3 different features of CloudWatch provide?
CloudWatch monitoring end-to-end network latency monitoring for web applications, CloudWatch Logs records all the API level events in your AWS account, CloudWatch Events responds to Lambda event triggers to perform automated tasks on your behalf.
CloudWatch monitoring provides monitoring of all user activity in your AWS account, CloudWatch Logs gives visibility of the network flows between application components in your environment, CloudWatch Events provides visibility of data center related events which could affect customers, like operating system upgrades and planned hardware maintenance.
CloudWatch monitoring provides monitoring of performance metrics in your environment, CloudWatch Logs allows you to aggregate and monitor logs from your applications and systems, CloudWatch Events provides a near real-time stream of events within your AWS account which can be used to trigger actions such as triggering a Lambda function to perform a task.

Correct Answer: CloudWatch monitoring provides monitoring of performance metrics in your environment, CloudWatch Logs allows you to aggregate and monitor logs from your applications and systems, CloudWatch Events (now Amazon EventBridge) provides a near real-time stream of events within your AWS account which can be used to trigger actions such as triggering a Lambda function to perform a task.

46) You are looking for a tool which will assess your environment and provide Best Practice recommendations on each of the following areas: Cost Optimization, Performance, Security, Service Limits and Fault Tolerance. Which of the following should you use?
AWS Config
Amazon Inspector
AWS Trusted Advisor

Correct Answer: AWS Trusted Advisor

47) Which of the following statements is NOT correct in relation to CloudTrail?
It prevents unauthorized users from accessing your account and launching AWS resources
It enables you to comply with industry and internal compliance requirements
It allows you to perform near real-time intrusion detection

Correct Answer: It prevents unauthorized users from accessing your account and launching AWS resources

48) How can you protect your CloudTrail logs from unauthorized access? (Choose 3)
Encrypt the log files
Compress the log files
Use S3 bucket policies to restrict access to the S3 bucket containing the logs
Use IAM policies to restrict access to the S3 bucket containing the logs

Correct Answer: Encrypt the log files; Use S3 bucket policies to restrict access to the S3 bucket containing the logs; Use IAM policies to restrict access to the S3 bucket containing the logs

49) Which Amazon Inspector (Classic) rules package would you use to check for instances which enable root login over SSH? (Choose 2)
Security Best Practices
Network Reachability
Runtime Behaviour Analysis
Center For Internet Security Benchmarks

Correct Answer: Security Best Practices; Center For Internet Security Benchmarks

50) Which tool can you use to run a security check on your EC2 instances to check for common vulnerabilities and exposures?
Amazon Inspector
Amazon GuardDuty
AWS Config

Correct Answer: Amazon Inspector