A company is hosting a static website on Amazon S3. The company has configured an Amazon CloudFront distribution to serve the website contents. The company has associated an AWS WAF web ACL with the CloudFront distribution. The web ACL ensures that requests originate from the United States to address compliance restrictions.
The company is worried that the S3 URL might still be accessible directly and that requests can bypass the CloudFront distribution. Which combination of steps should the company take to remove direct access to the S3 URL? (Select TWO.)
A. Create an origin access identity (OAI) for the S3 origin.
B. Add an origin custom header that has the name Referer to the CloudFront distribution. Give the header a secret value.
C. Configure the S3 bucket policy so that only the origin access identity (OAI) has read permission for objects in the bucket.
D. Select "Restrict Bucket Access" in the origin settings of the CloudFront distribution.
E. Update the S3 bucket policy to allow s3:GetObject with a condition that the aws:Referer key matches the secret value. Deny all other requests.
Correct answer: C, D
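Option C is the part of the fix that actually closes the direct S3 URL: the bucket policy grants object reads to the CloudFront OAI only, and no statement grants reads to anonymous callers. The block below is an added example, not material from the page or from AWS; the bucket name and OAI ID are constructed placeholders. It builds such a policy and includes a small checker that flags any Allow statement which would still let a direct S3 request bypass CloudFront (and therefore the WAF web ACL).

```python
import json

# Constructed placeholder values (not from the page)
BUCKET = "example-static-site-bucket"
OAI_ID = "E1EXAMPLEOAIID"  # placeholder CloudFront origin access identity ID


def oai_bucket_policy(bucket: str, oai_id: str) -> dict:
    """Bucket policy that grants s3:GetObject to the CloudFront OAI only.

    Because there is no public-read statement, a request sent straight to the
    S3 REST or website endpoint is denied, so content is reachable only through
    the CloudFront distribution that carries the WAF web ACL.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCloudFrontOAIReadOnly",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::cloudfront:user/"
                    f"CloudFront Origin Access Identity {oai_id}"
                },
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
            }
        ],
    }


def _principals(stmt: dict) -> list:
    """Flatten the Principal element of a statement into a list of strings."""
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        flat = []
        for value in principal.values():
            flat.extend(value if isinstance(value, list) else [value])
        return flat
    return []


def public_read_statements(policy: dict) -> list:
    """Return the Sids of Allow statements that grant object reads to the
    anonymous principal without any Condition, i.e. statements that would let
    a direct S3 URL bypass CloudFront."""
    flagged = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        grants_read = any(a in ("s3:GetObject", "s3:*", "*") for a in actions)
        anonymous = "*" in _principals(stmt)
        if grants_read and anonymous and not stmt.get("Condition"):
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


if __name__ == "__main__":
    policy = oai_bucket_policy(BUCKET, OAI_ID)
    print(json.dumps(policy, indent=2))
    print("public-read statements:", public_read_statements(policy))
```

The checker is deliberately conservative: it only reports unconditional anonymous reads, which is the exact pattern that makes the S3 URL reachable without CloudFront. A statement with a Condition (such as the aws:Referer approach in options B and E) is not flagged, so it can be used to confirm that a bucket has been moved from a public-read policy to the OAI-only one.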
Question 2:
A company has recently recovered from a security incident that required the restoration of Amazon EC2 instances from snapshots.
After performing a gap analysis of its disaster recovery procedures and backup strategies, the company is concerned that, next time, it will not be able to recover the EC2 instances if the AWS account was compromised and Amazon EBS snapshots were deleted.
All EBS snapshots are encrypted using an AWS KMS CMK.
Which solution would solve this problem?
A. Create a new AWS account with limited privileges. Allow the new account to access the AWS KMS key used to encrypt the EBS snapshots, and copy the encrypted snapshots to the new account on a recurring basis.
B. Use AWS Backup to copy EBS snapshots to Amazon S3.
C. Use AWS Systems Manager to distribute a configuration that performs local backups of all attached disks to Amazon S3.
D. Create a new Amazon S3 bucket. Use EBS lifecycle policies to move EBS snapshots to the new S3 bucket. Move snapshots to Amazon S3 Glacier using lifecycle policies, and apply Glacier Vault Lock policies to prevent deletion.
Correct answer: D
Question 3:
A Security Engineer accidentally deleted the imported key material in an AWS KMS CMK. What should the Security Engineer do to restore the deleted key material?
A. Download a new wrapping key and a new import token. Import the original key material into the existing CMK.
B. Create a new CMK. Download a new wrapping key and a new import token to import the original key material.
C. Use the original wrapping key and import token. Import the original key material into the existing CMK.
D. Create a new CMK. Use the original wrapping key and import token to import the original key material.
Correct answer: A
Question 4:
A Developer reported that AWS CloudTrail was disabled on their account. A Security Engineer investigated the account and discovered the event was undetected by the current security solution. The Security Engineer must recommend a solution that will detect future changes to the CloudTrail configuration and send alerts when changes occur.
What should the Security Engineer do to meet these requirements?
A. Use AWS Resource Access Manager (AWS RAM) to monitor the AWS CloudTrail configuration. Send notifications using Amazon SNS.
B. Use Amazon Inspector to automatically detect security issues. Send alerts using Amazon SNS.
C. Create an Amazon CloudWatch Events rule to monitor Amazon GuardDuty findings. Send email notifications using Amazon SNS.
D. Update security contact details in AWS account settings for AWS Support to send alerts when suspicious activity is detected.
Correct answer: C
Question 5:
Due to new compliance requirements, a Security Engineer must enable encryption with customer-provided keys on corporate data that is stored in DynamoDB. The company wants to retain full control of the encryption keys.
Which DynamoDB feature should the Engineer use to achieve compliance?
A. Create a KMS master key. Generate per-record data keys and use them to encrypt data prior to uploading it to DynamoDB. Dispose of the cleartext and encrypted data keys after encryption without storing them.
B. Enable S3 server-side encryption with the customer-provided keys. Upload the data to Amazon S3, and then use S3Copy to move all data to DynamoDB.
C. Use the DynamoDB Java encryption client to encrypt data prior to uploading it to DynamoDB.
D. Use AWS Certificate Manager to request a certificate. Use that certificate to encrypt data prior to uploading it to DynamoDB.
Correct answer: C
Explanation: (shown only to Pass4Test members)
Question 6:
You have an S3 bucket defined in AWS. You want to ensure that you encrypt the data before sending it across the wire. What is the best way to achieve this?
Please select:
A. Enable client encryption for the bucket.
B. Use the AWS Encryption CLI to encrypt the data first.
C. Use a Lambda function to encrypt the data before sending it to the S3 bucket.
D. Enable server-side encryption for the S3 bucket. This will ensure that the data is encrypted first.
Correct answer: B
Explanation: (shown only to Pass4Test members)
安田** -
It seems to work on both PC and smartphone, so I should be able to study for AWS-Security-Specialty efficiently, whether in spare moments on the train or at my desk.