Exam: AWS Certified Security - Specialty

Answer: A

Answer: CD

Answer: AB
✅ Explanation
-You have a 2 tier application hosted in AWS. It consists of a web server and database server (SQL Server) hosted on separate EC2 Instances. You are devising
the security groups for these EC2 Instances. The Web tier needs to be accessed by users across the Internet. You have created a web security group(wg-123)
and database security group(db-345). Which combination of the following security group rules will allow the application to be secure and functional. Choose 2
answers from the options given below.
-Please select:
A. wg-123 -Allow ports 80 and 443 from 0.0.0.0/0
B. db-345 - Allow port 1433 from wg-123
C. wg-123 - Allow port 1433 from wg-123
D. db-345 -Allow ports 1433 from 0.0.0.0/0

Answer: C
✅ Explanation
-AWS Inspector is a security assessment service that helps you identify vulnerabilities and deviations from best practices on your Amazon EC2 instances.
-It uses rules packages that include checks aligned with standards such as:
-Center for Internet Security (CIS) Benchmarks
-Common Vulnerabilities and Exposures (CVEs)
-Security best practices
-When run against an EC2 instance, Amazon Inspector assesses:
-Operating system vulnerabilities
Application security issues
Deviations from CIS benchmarks

Answer: C
✅ Explanation
-AWS CloudTrail supports server-side encryption (SSE) using AWS Key Management Service (KMS) to encrypt the log files before they are delivered to the S3 bucket.
-When you enable SSE-KMS on the CloudTrail trail, each log file is encrypted using the KMS key you specify, ensuring end-to-end encryption during delivery and storage.

Answer: A
✅ Explanation
-The root account in AWS has full, unrestricted access to all resources in the account. If the root user's access keys are leaked, an attacker would gain complete control over the account. Therefore, deleting (or never creating) access keys for the root account is the first and most important security measure.
- Option Analysis:
A. Delete the AWS keys for the root account
✅ Correct – This is the most critical initial step. Best practice is to not use the root account for daily tasks and to delete any access keys that may have been created for it.
B. Create IAM Groups
❌ Useful for managing permissions, but it doesn’t protect the root account directly. It's a later step in organizing access control for users.
C. Create IAM Roles
❌ Roles are important for service-to-service permissions and cross-account access but don’t secure the root user specifically.
D. Restrict access using IAM policies
❌ IAM policies are essential for permission management but again do not apply to the root account, which has inherent full access.

Answer: B
✅ Explanation
-To securely log into an EC2 Linux instance, AWS uses SSH key pairs. When launching an EC2 instance, you specify a key pair. The private key file (.pem) is used with SSH to authenticate your login.
🔍 Option Analysis:
A. IAM User name and password
❌ Not used for logging into EC2 instances. IAM credentials are for AWS Console/API access.
B. Key pairs
✅ Correct – This is the standard and secure method for connecting to EC2 Linux instances via SSH.
C. AWS Access keys
❌ Used for programmatic access to AWS services (via CLI/SDK), not for SSH login.
D. AWS SDK keys
❌ SDKs also use access keys for calling AWS services—not for SSH or system-level access.

Answer: BE
✅ Explanation
-AWS provides multiple ways to encrypt data at rest using services like Amazon EBS, Amazon S3, and AWS KMS (Key Management Service).
🔍 Option Analysis:
A. When storing data in Amazon EBS, use only EBS-optimized Amazon EC2 instances.
❌ EBS-optimized instances improve I/O performance, but they do not handle encryption.
B. When storing data in EBS, encrypt the volume by using AWS KMS.
✅ This is the recommended and secure method to encrypt EBS volumes at rest.
C. When storing data in Amazon S3, use object versioning and MFA Delete.
❌ Object versioning and MFA Delete improve data integrity and protection, but do not encrypt data.
D. When storing data in Amazon EC2 Instance Store, encrypt the volume by using KMS.
❌ EC2 instance store volumes are ephemeral and do not support native KMS-based encryption.
E. When storing data in S3, enable server-side encryption
✅ Server-side encryption (SSE) with Amazon S3-managed keys (SSE-S3) or KMS (SSE-KMS) is the correct approach for encrypting S3 data at rest.

Answer: B
✅ B. Use the AWS Systems Manager Run Command
✅ Explanation
-AWS Systems Manager Run Command allows you to remotely and securely automate administrative tasks (such as installing patches, managing software, running scripts, and gathering information) on thousands of EC2 instances without needing SSH access.
-It is designed for exactly this use case—centralized control and automation across a fleet of instances.