Amazon AWS Certified Security Specialist

1.

An application has been written that publishes custom metrics to Amazon CloudWatch. Recently, IAM change have been made on the account and the metrics are no longer being reported.
Which of the following is the LEAST permissive solution that will allow the metrics to be delivered?

Add a statement to the IAM policy used by the application to allow logs:putLogEvents and logs:createLogStream Modify the IAM role used by the application by adding the CloudWatchFullAccess managed policy. Add a statement to the IAM policy used by the application to allow cloudwatch:putMetricData. Add a trust relationship to the IAM role used by the application for cloudwatch.amazonaws.com.

2.

A Security Engineer is trying to determine whether the encryption keys used in an AWS service are in compliance with certain regulatory standards.
Which of the following actions should the Engineer perform to get further guidance?

Read the AWS Customer Agreement. Use AWS Artifact to access AWS compliance reports. Post the question on the AWS Discussion Forums. Run AWS Config and evaluate the configuration outputs.

3.

A Software Engineer wrote a customized reporting service that will run on a fleet of Amazon EC2 instances. The company security policy states that application logs for the reporting service must becentrally collected.
What is the MOST efficient way to meet these requirements?

Write an AWS Lambda function that logs into the EC2 instance to pull the application logs from the EC2 instance and persists them into an Amazon S3 bucket. Enable AWS CloudTrail logging for the AWS account, create a new Amazon S3 bucket, and then configure Amazon CloudWatch Logs to receive the application logs from CloudTrail. Create a simple cron job on the EC2 instances that synchronizes the application logs to an Amazon S3 bucket by using rsync. Install the Amazon CloudWatch Logs Agent on the EC2 instances, and configure it to send the application logs to CloudWatch Logs.

4.

A Security Engineer who was reviewing AWS Key Management Service (AWS KMS) key policies found this statement in each key policy in the company AWS account.

What does the statement allow?

All principals from all AWS accounts to use the key. Only the root user from account 111122223333 to use the key. All principals from account 111122223333 to use the key but only on Amazon S3. Only principals from account 111122223333 that have an IAM policy applied that grants access to this key to use the key.

5.

What is the function of the following AWS Key Management Service (KMS) key policy attached to a customer master key (CMK)?

The Amazon WorkMail and Amazon SES services have delegated KMS encrypt and delegated KMS encrypt and decrypt permissions to the ExampleUser principal in the 111122223333 account. The ExampleUser principal can transparently encrypt and decrypt email exchanges specifically between ExampleUser and AWS. The CMK is to be used for encrypting and decrypting only when the principal is ExampleUser and the request comes from WorkMail or SES in the specified region. The key policy allows WorkMail or SES to encrypt or decrypt on behalf of the user for any CMK in the account.

Amazon AWS Certified Security Specialist

Congratulations

COMPANY

Products

OTHERS

Partner

Amazon AWS Certified Security Specialist

Congratulations

Detail Form

COMPANY

Products

OTHERS

Partner