Sample Exam : AWS Certified Security Specialty Set (10 Questions)
This is a free sample practice test. You will have 20 minutes to complete it. Please purchase to get lifetime access to all 210 real exam questions.
1 / 10
A company has hired a third-party security auditor, and the auditor needs read-only access to all AWS resources and logs of all VPC records and events that have occurred on AWS. How can the company meet the auditor's requirements without compromising security in the AWS environment? Choose the correct answer from the options below.
AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain events related to API calls across your AWS infrastructure. CloudTrail provides a history of AWS API calls for your account, including API calls made through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This history simplifies security analysis, resource change tracking, and troubleshooting.
Options A and C are incorrect since CloudTrail needs to be used as part of the solution.
Option B is incorrect since the auditor needs to have access to CloudTrail.
For more information on CloudTrail, please visit the below URL: https://aws.amazon.com/cloudtrail/
The correct answer is: Enable CloudTrail logging and create an IAM user who has read-only permissions to the required AWS resources, including the bucket containing the CloudTrail logs.
2 / 10
You have a bucket and a VPC defined in AWS. You need to ensure that the bucket can only be accessed by the VPC endpoint. How can you accomplish this?
This is mentioned in the AWS Documentation.
Options A and B are incorrect because neither security groups nor route tables will allow access specifically for that bucket via the VPC endpoint. Here you specifically need to ensure the bucket policy is changed.
Option C is incorrect because it is the bucket policy that needs to be changed and not the IAM policy.
For more information on example bucket policies for VPC endpoints, please refer to the below URL: https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies-vpc-endpoint.html
The correct answer is: Modify the bucket policy for the bucket to allow access for the VPC endpoint.
3 / 10
Your company uses AWS KMS for management of its customer keys. From time to time, there is a requirement to delete existing keys as part of housekeeping activities. What can be done during the deletion process to verify that the key is no longer being used?
The AWS Documentation mentions the following:
You can use a combination of AWS CloudTrail, Amazon CloudWatch Logs, and Amazon Simple Notification Service (Amazon SNS) to create an alarm that notifies you of AWS KMS API requests that attempt to use a customer master key (CMK) that is pending deletion. If you receive a notification from such an alarm, you might want to cancel deletion of the CMK to give yourself more time to determine whether you want to delete it.
Options B and D are incorrect because neither key policies nor IAM policies can be used to check whether the keys are being used.
Option C is incorrect since rotation will not help you check whether the keys are being used.
For more information on deleting keys, please refer to the below URL: https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys-creating-cloudwatch-alarm.html
The correct answer is: Use CloudTrail to see if any KMS API request has been issued against existing keys.
4 / 10
One of the EC2 instances in your company has been compromised. What steps would you take to ensure that you could apply digital forensics on the instance? Select 2 answers from the options given below.
Option A is invalid because removing the role will not help completely in such a situation.
Option D is invalid because terminating the instance means that you cannot conduct forensic analysis on the instance.
One way to isolate an affected EC2 instance for investigation is to place it in a security group that only the forensic investigators can access. Close all ports except to receive inbound SSH or RDP traffic from one single IP address from which the investigators can safely examine the instance.
For more information on security scenarios for your EC2 instance, please refer to the below URL: https://d1.awsstatic.com/Marketplace/scenarios/security/SEC_11_TSB_Final.pdf
The correct answers are: Create a separate forensic instance; Ensure that the security groups only allow communication to this forensic instance.
5 / 10
A company has a large set of keys defined in AWS KMS. Their developers frequently use the keys for the applications being developed. What is one of the ways that can be used to reduce the cost of accessing the keys in the AWS KMS service?
The AWS Documentation mentions the following:
Data key caching stores data keys and related cryptographic material in a cache. When you encrypt or decrypt data, the AWS Encryption SDK looks for a matching data key in the cache. If it finds a match, it uses the cached data key rather than generating a new one. Data key caching can improve performance, reduce cost, and help you stay within service limits as your application scales.
Options A, C and D are all incorrect since these options will not impact how the key is used.
For more information on data key caching, please refer to the below URL: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/data-key-caching.html
The correct answer is: Use data key caching.
6 / 10
You are responsible for deploying a critical application onto AWS. Part of the requirements for this application is to ensure that the controls set for this application meet PCI compliance. There is also a need to monitor web application logs to identify any malicious activity. Which of the following services can be used to fulfil this requirement? Choose 2 answers from the options given below.
The AWS Documentation mentions the following about these services:
AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting.
Option B is invalid because this is only used for VPCs.
Option C is invalid because this is a configuration service and cannot be used for logging purposes.
For more information on CloudTrail, please refer to the below URL: https://aws.amazon.com/cloudtrail/
The correct answers are: Amazon CloudWatch Logs; Amazon CloudTrail.
7 / 10
You have a requirement to conduct penetration testing on the AWS Cloud for a couple of EC2 instances. How could you go about doing this? Choose 2 correct answers from the options given below.
You can use a pre-approved solution from the AWS Marketplace. However, to date the AWS Documentation still states that you have to get prior approval before conducting a test on the AWS Cloud for EC2 instances.
Options C and D are invalid because you have to get prior approval first.
For more information on penetration testing, please visit the following URL: https://aws.amazon.com/security/penetration-testing/
The correct answers are: Get prior approval from AWS for conducting the test; Use a pre-approved penetration testing tool.
8 / 10
Company policy requires that all insecure server protocols, such as FTP, Telnet and HTTP, be disabled on all servers. The security team would like to regularly check all servers to ensure compliance with this requirement by using a scheduled CloudWatch event to trigger a review of the current infrastructure.
What process will check compliance of the company’s EC2 instances?
Option B is incorrect because querying Trusted Advisor APIs is not possible.
Option C is incorrect because GuardDuty should be used to detect threats and not to check the compliance of security protocols.
Option D is incorrect because Amazon Inspector can be used to check for vulnerabilities only.
One of the built-in AWS Config managed rules is built specifically for this purpose.
For more information on AWS Config managed rules, please refer to the below URL: https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html
The correct answer is: Trigger an AWS Config Rules evaluation of the restricted-common-ports rule against every EC2 instance.
9 / 10
A company continually generates sensitive records that it stores in an S3 bucket. All objects in the bucket are encrypted using SSE-KMS with one of the company’s CMKs. Company compliance policies require that no more than one month of data be encrypted using the same encryption key.
What solution below will meet the company’s requirements?
You can use a Lambda function to create a new key and then update the S3 bucket to use the new key. Remember not to delete the old key, otherwise you will not be able to decrypt the documents stored in the S3 bucket that were encrypted using the older key.
Option B is incorrect because AWS KMS cannot rotate keys on a monthly basis.
Option C is incorrect because deleting the old key means that you cannot access the older objects.
Option D is incorrect because rotating key material is not possible.
For more information on AWS KMS keys, please refer to the below URL: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html
The correct answer is: Trigger a Lambda function with a monthly CloudWatch event that creates a new CMK and updates the S3 bucket to use the new CMK.
10 / 10
When managing permissions for the API Gateway, what can be used to ensure that the right level of permissions is given to developers, IT admins and users? These permissions should be easily managed.
The AWS Documentation mentions the following:
You control access to Amazon API Gateway with IAM permissions by controlling access to the following two API Gateway component processes:
To create, deploy, and manage an API in API Gateway, you must grant the API developer permissions to perform the required actions supported by the API management component of API Gateway.
To call a deployed API or to refresh the API caching, you must grant the API caller permissions to perform required IAM actions supported by the API execution component of API Gateway.
Options A, C and D are invalid because these cannot be used to control access to AWS services. This needs to be done via policies.
For more information on permissions with the API Gateway, please visit the following URL: https://docs.aws.amazon.com/apigateway/latest/developerguide/permissions.html
The correct answer is: Use IAM policies to create different policies for the different types of users.
The AWS Certified Security – Specialty is intended for individuals who perform a security role with at least two years of hands-on experience securing AWS workloads.
– June 17, 2020
A definite must-have if you are planning to take the certification! The exams are continuously updated with the latest exam topics. The explanations are in-depth and well-detailed. I’ve used their other courses to pass my other AWS SysOps and Solutions Architect exams.
– June 30, 2020
This was the first time I took these practice exams. I like the explanations on the answers of the ones I missed and also the ones I got right, to reinforce the concepts. These exams gave me a good feel for what to expect on the exam. I’m now AWS Certified. Thank you!
– August 22, 2020
Solutions to the questions are explained in detail. Queries asked were answered quickly, within 24 hrs, in a detailed and satisfactory way. I recommend this course to every cloud aspirant.
– September 13, 2020
The content for the explanations was thorough and very specific. I learned a lot from the questions that were right and those that were wrong. Very good supportive detail attached to each test.
Ravi Sankar Chamarthi
– September 19, 2020
This will surely help you to understand the features of AWS services thoroughly. I would suggest it to new members. Please go through all explanations given for correct as well as incorrect options. Passed my exam with a good score.
– November 25, 2020
Spectacular. Helps a lot to understand AWS and clarify each concept in it better. Not only for the exam but to know more about AWS Security in many aspects of it. Passed!
– December 7, 2020
Cleared the exam.
These mock tests would really help anyone who wants to get the certification in less than 1-2 weeks’ time.
Would recommend this test series to everyone.
– December 28, 2020
Very well structured set of questions in each of these sample tests. It was quite similar in difficulty to the questions that I faced in the actual certification exam. Provided great hands-on experience in how one should go about choosing answers in the multiple-choice format, as many questions in the actual exam have tricky choices. I would greatly recommend these tests for anyone wishing to take the Security Specialty certification. The recommendation to retake the exams till we achieve 80% consistently was spot on!
I was able to successfully get a passing grade thanks to these!
Mohamed Kibriya Kauser
– January 21, 2021
Answers with detailed descriptions helped me in getting a better understanding of AWS products and offerings as well as the value proposition. I took and passed the exam last Monday with a score of 947/1000.
– February 25, 2021
I feel much more confident after practicing the tests. These tests are obviously well twisted, which I do recommend. The explanations are very specific and to the point.
– April 12, 2021
I passed the Security Specialty exam with 94%. These practice tests were extremely useful. All the questions are carefully drafted along with detailed explanations for all questions.