AWS-Security-Specialty Practice Exam Questions and Answers

The IAM Documentation mentions the following

Automatic key rotation is available for all customer managed CMKs with KMS-generated key material. It is not available for CMKs that have imported key material (the value of the Origin field is External), but you can rotate these CMKs manually.

Rotating Keys Manually

You might want to create a newCMKand use it in place of a current CMK instead of enabling automatic key rotation. When the new CMK has different cryptographic material than the current CMK, using the new CMK has the same effect as changing the backing key in an existing CMK. The process of replacing one CMK with another is known as manual key rotation.

When you begin using the new CMK, be sure to keep the original CMK enabled so that IAM KMS can decrypt data that the original CMK encrypted. When decrypting data, KMS identifies the CMK that was used to encrypt the data, and it uses the sam CMK to decrypt the data. As long as you keep both the original and new CMKs enabled, IAM KMS can decrypt any data that was encrypted by either CMK.

Option B is invalid because you also need to point the key alias to the new key

Option C is invalid because existing CMK keys cannot be rotated as they are

Option E is invalid because deleting existing keys will not guarantee the creation of a new default CMK key

For more information on Key rotation please see the below Link:

https://docs.IAM.amazon.com/kms/latest/developereuide/rotate-keys.html

The correct answers are: Enable automatic key rotation for a CMK, Import new key material to a new CMK; Point the key alias to the new CMK.

Submit your Feedback/Queries to our Experts

The IAM Documentation mentions the following

You can use Amazon EC2 to create your key pair. Alternatively, you could use a third-party tool and then import the public key to Amazon EC2. Each key pair requires a name. Be sure to choose a name that is easy to remember. Amazon EC2 associates the public key with the name that you specify as the key name.

Amazon EC2 stores the public key only, and you store the private key. Anyone who possesses your private key can decrypt login information, so it's important that you store your private keys in a secure place.

Options A and D are incorrect since you should use key pairs for secure access to Ec2 Instances

For more information on EC2 key pairs, please refer to below URL:

https://docs.IAM.amazon.com/IAMEC2/latest/UserGuide/ec2-key-pairs.html

The correct answers are: Create a key pair using putty. Use the private key to log into the instance

Submit your Feedback/Queries to our Experts

The IAM Security whitepaper gives the type of access control and to what level the control can be given

C:\Users\wk\Desktop\mudassar\Untitled.jpg

Options A and C are incorrect since for external access to buckets, you need to use either Bucket policies or Bucket ACL's or more information on Security for storage services role please refer to the below URL:

https://d1.IAMstatic.com/whitepapers/Security/Security Storage Services Whitepaper.pdf

The correct answers are: Buckets ACL's, Bucket policies

Submit your Feedback/Queries to our Experts

The IAM Documentation mentions the following on IAM Inspector

Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on IAM. Amazon Inspector automatically assesses applications for vulnerabilities or deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity. These findings can be reviewed directly or as part of detailed assessment reports which are available via the Amazon Inspector console or API.

Option A is invalid because the IAM Config service is not used to check the vulnerabilities on servers

Option C is invalid because the IAM Inspector service is not used to patch servers

For more information on IAM Inspector, please visit the following URL:

https://IAM.amazon.com/inspector >

Once you understand the list of servers which require critical updates, you can rectify them by installing the required patches via the SSM tool.

For more information on the Systems Manager, please visit the following URL:

https://docs.IAM.amazon.com/systems-manager/latest/APIReference/Welcome.html

The correct answers are: Use IAM Inspector to ensure that the servers have no critical flIAM.. Use IAM SSM to patch the servers

(

The IAM Document mention the following which supports the requirement

C:\Users\wk\Desktop\mudassar\Untitled.jpg

Option B is invalid because VPC peering is only used for connection between VPCs and cannot be used to connect On-premise infrastructure to the IAM Cloud.

Option C is invalid because NAT gateways is used to connect instances in a private subnet to the internet For more information on VPN Connections, please visit the following url

https://docs.IAM.amazon.com/AmazonVPC/latest/UserGuideA/pn-connections.html

The correct answers are: IAM VPN, IAM Direct Connect Submit your Feedback/Queries to our Experts

You can use a pre-approved solution from the IAM Marketplace. But till date the IAM Documentation still mentions that you have to get prior approval before conducting a test on the IAM Cloud for EC2 Instances.

Option C and D are invalid because you have to get prior approval first.

IAM Docs Provides following details:

"For performing a penetration test on IAM resources first of all we need to take permission from IAM and complete a requisition form and submit it for approval. The form should contain information about the instances you wish to test identify the expected start and end dates/times of your test and requires you to read and agree to Terms and Conditions specific to penetration testing and to the use of appropriate tools for testing. Note that the end date may not be more than 90 days from the start date."

(

At this time, our policy does not permit testing small or micro RDS instance types. Testing of ml .small, t1 .micro or t2.nano EC2 instance types is not permitted.

For more information on penetration testing please visit the following URL:

https://IAM.amazon.eom/security/penetration-testine/l

The correct answers are: Get prior approval from IAM for conducting the test Use a pre-approved penetration testing tool. Submit your Feedback/Queries to our Experts