Exam: AWS Certified Security - Specialty

Total Questions: 210

You need to merge the POC branch into the default branch. The solution must meet the technical requirements.
Which command should you run?
A. git rebase
B. git merge --squash
C. git push
D. git merge --allow-unrelated-histories
Answer: A ✅ Explanation
- The commit history of the POC branch must replace the history of the default branch.
- Rebasing is the process of moving or combining a sequence of commits to a new base commit.
- Rebasing is most useful and easily visualized in the context of a feature branching workflow. The general process can be visualized as the following:
- Note: The primary reason for rebasing is to maintain a linear project history. For example, consider a situation where the main branch has progressed since you started working on a feature branch. You want to get the latest updates to the main branch in your feature branch, but you want to keep your branch's history clean so it appears as if you've been working off the latest main branch. This gives the later benefit of a clean merge of your feature branch back into the main branch.
- Why do we want to maintain a "clean history"? The benefits of having a clean history become tangible when performing Git operations to investigate the introduction of a regression.

You have an EC2 Instance in a private subnet which needs to access the KMS service. Which of the following methods can help fulfil this requirement, keeping
security in perspective?
Please select:

A. Use a VPC endpoint
B. Attach an Internet gateway to the subnet
C. Attach a VPN connection to the VPC
D. Use VPC Peering
Answer: A

An application running on EC2 instances must use a username and password to access a database. The developer has stored those secrets in the SSM
Parameter Store with type SecureString using the default KMS CMK. Which combination of configuration steps will allow the application to access the secrets via
the API? Select 2 answers from the options below
Please select:

A. Add the EC2 instance role as a trusted service to the SSM service role.
B. Add permission to use the KMS key to decrypt to the SSM service role.
C. Add permission to read the SSM parameter to the EC2 instance role.
D. Add permission to use the KMS key to decrypt to the EC2 instance role
E. Add the SSM service role as a trusted service to the EC2 instance role.
Answer: CD

You have a 2 tier application hosted in AWS. It consists of a web server and database server (SQL Server) hosted on separate EC2 Instances. You are devising
the security groups for these EC2 Instances. The Web tier needs to be accessed by users across the Internet. You have created a web security group (wg-123)
and a database security group (db-345). Which combination of the following security group rules will allow the application to be secure and functional? Choose 2
answers from the options given below.
Please select:

A. wg-123 - Allow ports 80 and 443 from 0.0.0.0/0
B. db-345 - Allow port 1433 from wg-123
C. wg-123 - Allow port 1433 from wg-123
D. db-345 - Allow port 1433 from 0.0.0.0/0
Answer: AB

You want to get a list of vulnerabilities for an EC2 Instance as per the guidelines set by the Center for Internet Security. How can you go about doing this?
Please select:

A. Enable AWS GuardDuty for the Instance
B. Use AWS Trusted Advisor
C. Use AWS Inspector
D. Use AWS Macie
Answer: C ✅ Explanation
- AWS Inspector is a security assessment service that helps you identify vulnerabilities and deviations from best practices on your Amazon EC2 instances.
- It uses rules packages that include checks aligned with standards such as: Center for Internet Security (CIS) Benchmarks, Common Vulnerabilities and Exposures (CVEs), and security best practices.
- When run against an EC2 instance, Amazon Inspector assesses operating system vulnerabilities, application security issues, and deviations from CIS benchmarks.

You have enabled CloudTrail logs for your company's AWS account. In addition, the IT Security department has mentioned that the logs need to be encrypted. How
can this be achieved?
Please select:

A. Enable SSL certificates for the CloudTrail logs
B. There is no need to do anything since the logs will already be encrypted
C. Enable Server side encryption for the trail
D. Enable Server side encryption for the destination S3 bucket
Answer: C ✅ Explanation
- AWS CloudTrail supports server-side encryption (SSE) using AWS Key Management Service (KMS) to encrypt the log files before they are delivered to the S3 bucket.
- When you enable SSE-KMS on the CloudTrail trail, each log file is encrypted using the KMS key you specify, ensuring end-to-end encryption during delivery and storage.

Your development team has started using AWS resources for development purposes. The AWS account has just been created. Your IT Security team is worried
about possible leakage of AWS keys. What is the first level of measure that should be taken to protect the AWS account?
Please select:

A. Delete the AWS keys for the root account
B. Create IAM Groups
C. Create IAM Roles
D. Restrict access using IAM policies
Answer: A ✅ Explanation
- The root account in AWS has full, unrestricted access to all resources in the account. If the root user's access keys are leaked, an attacker would gain complete control over the account. Therefore, deleting (or never creating) access keys for the root account is the first and most important security measure.
- Option Analysis:
A. Delete the AWS keys for the root account ✅ Correct. This is the most critical initial step. Best practice is to not use the root account for daily tasks and to delete any access keys that may have been created for it.
B. Create IAM Groups ❌ Useful for managing permissions, but it doesn't protect the root account directly. It is a later step in organizing access control for users.
C. Create IAM Roles ❌ Roles are important for service-to-service permissions and cross-account access but don't secure the root user specifically.
D. Restrict access using IAM policies ❌ IAM policies are essential for permission management but again do not apply to the root account, which has inherent full access.

Which of the following is used as a secure way to log into an EC2 Linux Instance?
Please select:

A. IAM User name and password
B. Key pairs
C. AWS Access keys
D. AWS SDK keys
Answer: B ✅ Explanation
- To securely log into an EC2 Linux instance, AWS uses SSH key pairs. When launching an EC2 instance, you specify a key pair. The private key file (.pem) is used with SSH to authenticate your login.
- Option Analysis:
A. IAM User name and password ❌ Not used for logging into EC2 instances. IAM credentials are for AWS Console/API access.
B. Key pairs ✅ Correct. This is the standard and secure method for connecting to EC2 Linux instances via SSH.
C. AWS Access keys ❌ Used for programmatic access to AWS services (via CLI/SDK), not for SSH login.
D. AWS SDK keys ❌ SDKs also use access keys for calling AWS services, not for SSH or system-level access.

A company requires that data stored in AWS be encrypted at rest. Which of the following approaches achieve this requirement? Select 2 answers from the options
given below.
Please select:

A. When storing data in Amazon EBS, use only EBS-optimized Amazon EC2 instances.
B. When storing data in EBS, encrypt the volume by using AWS KMS.
C. When storing data in Amazon S3, use object versioning and MFA Delete.
D. When storing data in Amazon EC2 Instance Store, encrypt the volume by using KMS.
E. When storing data in S3, enable server-side encryption
Answer: BE ✅ Explanation
- AWS provides multiple ways to encrypt data at rest using services like Amazon EBS, Amazon S3, and AWS KMS (Key Management Service).
- Option Analysis:
A. When storing data in Amazon EBS, use only EBS-optimized Amazon EC2 instances. ❌ EBS-optimized instances improve I/O performance, but they do not handle encryption.
B. When storing data in EBS, encrypt the volume by using AWS KMS. ✅ This is the recommended and secure method to encrypt EBS volumes at rest.
C. When storing data in Amazon S3, use object versioning and MFA Delete. ❌ Object versioning and MFA Delete improve data integrity and protection, but do not encrypt data.
D. When storing data in Amazon EC2 Instance Store, encrypt the volume by using KMS. ❌ EC2 instance store volumes are ephemeral and do not support native KMS-based encryption.
E. When storing data in S3, enable server-side encryption. ✅ Server-side encryption (SSE) with Amazon S3-managed keys (SSE-S3) or KMS (SSE-KMS) is the correct approach for encrypting S3 data at rest.

Your company has a set of 1000 EC2 Instances defined in an AWS Account. They want to effectively automate several administrative tasks on these instances.
Which of the following would be an effective way to achieve this?
Please select:

A. Use the AWS Systems Manager Parameter Store
B. Use the AWS Systems Manager Run Command
C. Use the AWS Inspector
D. Use AWS Config
Answer: B ✅ Explanation
- AWS Systems Manager Run Command allows you to remotely and securely automate administrative tasks (such as installing patches, managing software, running scripts, and gathering information) on thousands of EC2 instances without needing SSH access.
- It is designed for exactly this use case: centralized control and automation across a fleet of instances.