Question 1

A company uses Amazon Elastic Container Service (Amazon ECS) containers that have the Fargate launch type. The containers run web and mobile application that are written in Java and Node.js. To meet network segmentation requirements, each of the company's business units deploys applications in its own de AWS account.

Each business unit stores container images in an Amazon Elastic Container Registry (Amazon ECR) private registry in its own account.

A security engineer must recommend a solution to scan ECS containers and ECR registries for vulnerabilities in operating systems and programming languag libraries.

The company's audit team must be able to identify potential vulnerabilities that exist in any of the accounts where applications are deployed. Which solution will meet these requirements?

Accepted Answer

Option B: This option meets the requirements of scanning ECS containers and ECR registries for vulnerabilities, and providing a centralized view of findings for the audit team. AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. AWS Confi conformance packs are a collection of AWS Config rules and remediation actions that can be easily deployed as a single entity in an account and a Region across an organization in AWS Organizations. Conformance packs can help you manage configuration compliance of your AWS resources at scale by using a common framework and packaging model. You can use prebuilt conformance packs for vulnerability scanning, such as CIS Operating System Security Configuration Benchmarks or Amazon Inspector Rules for Linux Instances1. You can also create custom conformance packs to scan for vulnerabilities in programming language libraries. AWS Config aggregator is a feature that enables you to aggregate configuration and compliance data from multiple account Regions into a single account and Region2. You can provide access for the audit team to use AWS Config in the account where the aggregator is configured, and vi aggregated data in the AWS Config console or API.

Question 2

A company manages three separate IAM accounts for its production, development, and test environments, Each Developer is assigned a unique IAM user under the development account. A new application hosted on an Amazon EC2 instance in the developer account requires read access to the archived documents stor in an Amazon S3 bucket in the production account.

How should access be granted?

Accepted Answer

https://IAM.amazon.com/premiumsupport/knowledge-center/cross-account-access-s3/

Question 3

A company wants to prevent SSH access through the use of SSH key pairs for any Amazon Linux 2 Amazon EC2 instances in its AWS account. However, a system administrator occasionally will need to access these EC2 instances through SSH in an emergency. For auditing purposes, the company needs to recor any commands that a user runs in an EC2 instance.

What should a security engineer do to configure access to these EC2 instances to meet these requirements?

Accepted Answer

## Welcome to download the Newest 2passeasy AWS-Certified-Security-Specialty dumps

Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/. In the navigation pane, choose Session Manager. Choose the Preferences tab, and then choose Edit. Select the check box next to Enable under S3 logging. (Recommended) Select the check box next to Allow only encry S3 buckets. With this option turned on, log data is encrypted using the server-side encryption key specified for the bucket. If you don't want to encryp that is sent to Amazon S3, clear the check box. You must also clear the check box if encryption isn't allowed on the S3 bucket.

Question 4

Company A has an AWS account that is named Account A. Company A recently acquired Company B, which has an AWS account that is named Account B. Company B stores its files in an Amazon S3 bucket.

The administrators need to give a user from Account A full access to the S3 bucket in Account B.

After the administrators adjust the IAM permissions for the user in AccountA to access the S3 bucket in Account B, the user still cannot access any file bucket.

Which solution will resolve this issue?

A. In Account B, create a bucket ACL to allow the user from Account A to access the S3 bucket in Account B.

Accepted Answer

A bucket policy is a resource-based policy that defines permissions for a specific S3 bucket. It can be used to grant cross-account access to another AW or an IAM user or role in another account. A bucket policy can also specify which actions, resources, and conditions are allowed or denied.

A bucket ACL is an access control list that grants basic read or write permissions to predefined groups of users. It cannot be used to grant cross-accou a specific IAM user or role in another account.

An object ACL is an access control list that grants basic read or write permissions to predefined groups of users for a specific object in an S3 bucket. used to grant cross-account access to a specific IAM user or role in another account.

A user policy is an IAM policy that defines permissions for an IAM user or role in the same account. It cannot be used to grant cross-account access to AWS account or an IAM user or role in another account.

For more information, see Provide cross-account access to objects in Amazon S3 buckets and Example 2: Bucket owner granting cross-account bucket permissions.

Question 5

A company has retail stores The company is designing a solution to store scanned copies of customer receipts on Amazon S3 Files will be between 100 KB a MB in Prep Exam Each retail store must have a unique encryption key Each object must be encrypted with a unique key Which solution will meet these requirements?

Accepted Answer

To meet the requirements of storing scanned copies of customer receipts on Amazon S3, where files will be between 100 KB and 5 MB in Prep Exam, each re store must have a unique encryption key, and each object must be encrypted with a unique key, the most appropriate solution would be to create a dedicat Key Management Service (AWS KMS) customer managed key for each retail store. Then, use the S3 Put operation to upload the objects to Amazon S3, specifying server-side encryption with AWS KMS keys (SSE-KMS) and the key ID of the store's key.

References: : Amazon S3 - Amazon Web Services : AWS Key Management Service - Amazon Web

Services : Amazon S3 - Amazon Web Services : AWS Key Management Service - Amazon Web Service

Question 6

A company has two IAM accounts within IAM Organizations. In Account-1. Amazon EC2 Auto Scaling is launched using a service-linked role. In Account-2. Amazon EBS volumes are encrypted with an IAM KMS key A Security Engineer needs to ensure that the service-linked role can launch instances with these encrypted volumes

Which combination of steps should the Security Engineer take in both accounts? (Select TWO.)

Accepted Answer

because these are the steps that can ensure that the service-linked role can launch instances with encrypted volumes. A service-linked role is a type of that is linked to an AWS service and allows the service to perform actions on your behalf. A KMS grant is a mechanism that allows you to delegate permis use a customer master key (CMK) to a principal such as a service-linked role. A KMS grant specifies the actions that the principal can perform, such as and decrypting data. By creating a KMS grant for the service-linked role with the specified actions, you can allow the service-linked role to use the CM Account-2 to launch instances with encrypted volumes. By attaching an IAM policy to the role attached to the EC2 instances with KMS actions and then all Account-1 in the KMS key policy, you can also enable cross-account access to the CMK and allow the EC2 instances to use the encrypted volumes. The other options are either incorrect or unnecessary for meeting the requirement.

Question 7

A company deploys a set of standard IAM roles in AWS accounts. The IAM roles are based on job functions within the company. To balance operational effic and security, a security engineer implemented AWS Organizations SCPs to restrict access to critical security services in all company accounts. All of the company's accounts and OUs within AWS Organizations have a default FullAWSAccess SCP that is attached. The security engineer needs to ensure that no one can disable Amazon GuardDuty and AWS Security Hub. The security engineer also must not override other permissions that are granted by IAM policies that are defined in the accounts.

Which SCP should the security engineer attach to the root of the organization to meet these requirements? A)

```
B) C) D) "version": "2012-10-17", "statement"": [ 1 "Effect": "Deny", "Action":[ "guardduty:DeleteDetector", "guardduty:UpdateDetector", "securityhub:DisableSecurityHub" 1 "Resource":[ 1 1 "Version": "2012-10-17", "statement"": [ "Effect":"Deny" "Action":"*" "Resource": "Effect": "Allow", "NotAction":[ "guardduty:DeleteDetector", "guardduty:UpdateDetector", "securityhub:DisableSecurityHub" 1, "Resource":[ 1 "Version": "2012-10-17", "Statement"": [ { "Effect": "Allow", "Action":"*" "Resource": "Effect":"Deny", "NotAction": [ "guardduty:DeleteDetector" "guardduty:UpdateDetector", "securityhub:DisableSecurityHub" 1 "Resource": [ 1*" 1
```

```
1 "version": "2012-10-17", "statement"": [ 1 "Effect": "Allow", "NotAction":[ "guardduty:DeleteDetector", "guardduty:UpdateDetector", "securityhub:DisableSecurityHub" "Resource":[ 1 1 1
```

Accepted Answer

Correct answer: A

Question 8

A security engineer is creating an AWS Lambda function. The Lambda function needs to use a role that is named LambdaAuditRole to assume a role that is named AcmeAuditFactoryRole in a different AWS account.

When the code is processed, the following error message appears: "An error oc-curred (AccessDenied) when calling the AssumeRole operation."

Which combination of steps should the security engineer take to resolve this er-ror? (Select TWO.)

Accepted Answer

Correct answer: AC

Question 9

A company has an organization in AWS Organizations. The company wants to use AWS CloudFormation StackSets in the organization to deploy various AWS design patterns into environments. These patterns consist of Amazon EC2 instances, Elastic Load Balancing (ELB) load balancers, Amazon RDS databases, an Amazon Elastic Kubernetes Service (Amazon EKS) clusters or Amazon Elastic Container Service (Amazon ECS) clusters.

Currently, the company's developers can create their own CloudFormation stacks to increase the overall speed of delivery. A centralized CI/CD pipeline i shared services AWS account deploys each CloudFormation stack.

The company's security team has already provided requirements for each service in accordance with internal standards. If there are any resources that do comply with the internal standards, the security team must receive notification to take appropriate action. The security team must implement a notificat that gives developers the ability to maintain the same overall delivery speed that they currently have.

Which solution will meet these requirements in the MOST operationally efficient way?

Accepted Answer

Correct answer: B

Question 10

A company has a large fleet of Linux Amazon EC2 instances and Windows EC2 instances that run in private subnets. The company wants all remote administration to be performed as securely as possible in the AWS Cloud.

Which solution will meet these requirements?

Accepted Answer

AWS Systems Manager Session Manager is a fully managed service that allows you to securely and remotely administer your EC2 instances without the need t open inbound ports, maintain bastion hosts, or manage SSH keys. Session Manager provides an interactive browser-based shell or CLI access to your instan as well as port forwarding and auditing capabilities. Session Manager works with both Linux and Windows instances, and supports hybrid environments and devices.

EC2 Instance Connect is a feature that allows you to use SSH to connect to your Linux instances using short-lived keys that are generated on demand and delivered securely through the AWS metadata service. EC2 Instance Connect does not require any additio software installation or configuration on the instance, but it does require you to use SSH-RSA keys during the launch of new instances.

The correct answer is to use Session Manager, as it provides more security and flexibility than EC2 Instance Connect, and does not require SSH-RSA keys inbound ports. Session Manager also works with Windows instances, while EC2 Instance Connect does not.

Verified References:

- https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Connect-using-EC2-Instance-Connect.html
- https://repost.aws/questions/QUnV4R9EoeSdW0GT3cKBUR7w/what-is-the-difference-between-ec-2-ins