Best Way To Study For Amazon AWS-Security-Specialty Exam Brilliant AWS-Security-Specialty Exam Questions PDF [Q236-Q259]


Updated Verified Pass AWS-Security-Specialty Exam - Real Questions and Answers


The AWS-Security-Specialty certification is highly regarded within the IT industry and is a valuable asset for security professionals who work with AWS. It demonstrates an individual's ability to design and implement secure and scalable AWS solutions, which is a highly sought after skillset in today's market.

 

NEW QUESTION # 236
Your team is experimenting with the API gateway service for an application. There is a need to implement a custom module which can be used for authentication/authorization for calls made to the API gateway. How can this be achieved?
Please select:

  • A. Use the request parameters for authorization
  • B. Use a Lambda authorizer
  • C. Use the gateway authorizer
  • D. Use CORS on the API gateway

Answer: B

Explanation:
The AWS documentation states the following:
An Amazon API Gateway Lambda authorizer (formerly known as a custom authorizer) is a Lambda function that you provide to control access to your API methods. A Lambda authorizer uses bearer token authentication strategies, such as OAuth or SAML. It can also use information described by headers, paths, query strings, stage variables, or context variables request parameters.
Options A, C and D are invalid because these cannot be used if you need custom authentication/authorization for calls made to the API gateway.
For more information on using the API Gateway Lambda authorizer, please visit the URL:
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html
The correct answer is: Use a Lambda authorizer


NEW QUESTION # 237
You are working in the media industry and you have created a web application where users will be able to upload photos they create to your website. This web application must be able to call the S3 API in order to be able to function. Where should you store your API credentials whilst maintaining the maximum level of security?
Please select:

  • A. Save your API credentials in a public Github repository.
  • B. Pass API credentials to the instance using instance userdata.
  • C. Don't save your API credentials, instead create a role in IAM and assign this role to an EC2 instance when you first create it.
  • D. Save the API credentials to your PHP files.

Answer: C

Explanation:
Applications must sign their API requests with AWS credentials. Therefore, if you are an application developer, you need a strategy for managing credentials for your applications that run on EC2 instances. For example, you can securely distribute your AWS credentials to the instances, enabling the applications on those instances to use your credentials to sign requests, while protecting your credentials from other users. However, it's challenging to securely distribute credentials to each instance, especially those that AWS creates on your behalf, such as Spot Instances or instances in Auto Scaling groups. You must also be able to update the credentials on each instance when you rotate your AWS credentials.
IAM roles are designed so that your applications can securely make API requests from your instances, without requiring you to manage the security credentials that the applications use.
Options A, C and D are invalid because using AWS credentials in an application in production is not recommended for secure access.
For more information on IAM roles, please visit the below URL:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
The correct answer is: Don't save your API credentials. Instead, create a role in IAM and assign this role to an EC2 instance when you first create it.


NEW QUESTION # 238
Your company has defined privileged users for their AWS Account. These users are administrators for key resources defined in the company. There is now a mandate to enhance the security authentication for these users. How can this be accomplished?
Please select:

  • A. Enable versioning for these user accounts
  • B. Disable root access for the users
  • C. Enable accidental deletion for these user accounts
  • D. Enable MFA for these user accounts

Answer: D

Explanation:
The AWS documentation mentions the following as a best practice for IAM users: For extra security, enable multi-factor authentication (MFA) for privileged IAM users (users who are allowed access to sensitive resources or APIs). With MFA, users have a device that generates a unique authentication code (a one-time password, or OTP). Users must provide both their normal credentials (like their user name and password) and the OTP. The MFA device can either be a special piece of hardware, or it can be a virtual device (for example, it can run in an app on a smartphone).
Options B, C and D are invalid because no such security options are available in AWS.
For more information on IAM best practices, please visit the below URL:
https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
The correct answer is: Enable MFA for these user accounts


NEW QUESTION # 239
A company is developing a highly resilient application to be hosted on multiple Amazon EC2 instances. The application will store highly sensitive user data in Amazon RDS tables.
The application must:
* Include migration to a different AWS Region in the application disaster recovery plan.
* Provide a full audit trail of encryption key administration events.
* Allow only company administrators to administer keys.
* Protect data at rest using application layer encryption.
A Security Engineer is evaluating options for encryption key management.
Why should the Security Engineer choose AWS CloudHSM over AWS KMS for encryption key management in this situation?

  • A. CloudHSM provides the ability to copy keys to a different Region, whereas AWS KMS does not.
  • B. CloudHSM ensures that only company support staff can administer encryption keys, whereas AWS KMS allows AWS staff to administer keys.
  • C. The ciphertext produced by CloudHSM provides more robust protection against brute force decryption attacks than the ciphertext produced by AWS KMS.
  • D. The key administration event logging generated by CloudHSM is significantly more extensive than AWS KMS.

Answer: B


NEW QUESTION # 240
A recent security audit found that AWS CloudTrail logs are insufficiently protected from tampering and unauthorized access.
Which actions must the Security Engineer take to address these audit findings? (Choose three.)

  • A. Encrypt the CloudTrail log files with server-side encryption AWS KMS-managed keys (SSE-KMS).
  • B. Ensure CloudTrail log file validation is turned on.
  • C. Use an S3 bucket with tight access controls that exists in a separate account.
  • D. Use Amazon Inspector to monitor the file integrity of CloudTrail log files.
  • E. Request a certificate through ACM and use a generated certificate private key to encrypt CloudTrail log files.
  • F. Configure an S3 lifecycle rule to periodically archive CloudTrail logs into Glacier for long-term storage.

Answer: A,B,F

Explanation:
Explanation/Reference: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html


NEW QUESTION # 241
A company had one of its Amazon EC2 key pairs compromised. A Security Engineer must identify which current Linux EC2 instances were deployed and used the compromised key pair.
How can this task be accomplished?

  • A. Obtain the output from the EC2 instance metadata using: curl http://169.254.169.254/latest/meta-data/public-keys/0/.
  • B. Obtain the list of instances by directly querying Amazon EC2 using: aws ec2 describe-instances --filters "Name=key-name,Values=KEYNAMEHERE".
  • C. Obtain the fingerprint for the key pair from the AWS Management Console, then search for the fingerprint in Amazon CloudWatch Logs using: aws logs filter-log-events.
  • D. Obtain the fingerprint for the key pair from the AWS Management Console, then search for the fingerprint in the Amazon Inspector logs.

Answer: C


NEW QUESTION # 242
A company continually generates sensitive records that it stores in an S3 bucket. All objects in the bucket are encrypted using SSE-KMS using one of the company's CMKs. Company compliance policies require that no more than one month of data be encrypted using the same encryption key. What solution below will meet the company's requirements?
Please select:

  • A. Configure the CMK to rotate the key material every month.
  • B. Trigger a Lambda function with a monthly CloudWatch event that creates a new CMK, updates the S3 bucket to use the new CMK, and deletes the old CMK.
  • C. Trigger a Lambda function with a monthly CloudWatch event that creates a new CMK and updates the S3 bucket to use the new CMK.
  • D. Trigger a Lambda function with a monthly CloudWatch event that rotates the key material in the CMK.

Answer: C

Explanation:
You can use a Lambda function to create a new key and then update the S3 bucket to use the new key.
Remember not to delete the old key, or you will not be able to decrypt the documents stored in the S3 bucket using the older key.
Option B is incorrect because AWS KMS cannot rotate keys on a monthly basis.
Option C is incorrect because deleting the old key means that you cannot access the older objects.
Option D is incorrect because rotating key material is not possible.
For more information on AWS KMS keys, please refer to below URL:
https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html
The correct answer is: Trigger a Lambda function with a monthly CloudWatch event that creates a new CMK and updates the S3 bucket to use the new CMK.


NEW QUESTION # 243
A Security Engineer must design a solution that enables the Incident Response team to audit for changes to a user's IAM permissions in the case of a security incident.
How can this be accomplished?

  • A. Use AWS Config to review the IAM policy assigned to users before and after the incident.
  • B. Run the GenerateCredentialReport via the AWS CLI, and copy the output to Amazon S3 daily for auditing purposes.
  • C. Use Amazon EC2 Systems Manager to deploy images, and review AWS CloudTrail logs for changes.
  • D. Copy AWS CloudFormation templates to S3, and audit for changes from the template.

Answer: A

Explanation:
https://aws.amazon.com/blogs/security/how-to-record-and-govern-your-iam-resource-configurations-using-aws-config/


NEW QUESTION # 244
Which technique can be used to integrate AWS IAM (Identity and Access Management) with an on-premise LDAP (Lightweight Directory Access Protocol) directory service?
Please select:

  • A. Use SAML (Security Assertion Markup Language) to enable single sign-on between AWS and LDAP.
  • B. Use AWS Security Token Service from an identity broker to issue short-lived AWS credentials.
  • C. Use an IAM policy that references the LDAP account identifiers and the AWS credentials.
  • D. Use IAM roles to automatically rotate the IAM credentials when LDAP credentials are updated.

Answer: A

Explanation:
The AWS Blog provides the following information on this topic: The newly released whitepaper, Single Sign-On: Integrating AWS, OpenLDAP, and Shibboleth, will help you integrate your existing LDAP-based user directory with AWS. When you integrate your existing directory with AWS, your users can access AWS by using their existing credentials. This means that your users don't need to maintain yet another user name and password just to access AWS resources.
Options A, C and D are all invalid because in this sort of configuration, you have to use SAML to enable single sign-on.
For more information on integrating AWS with LDAP for Single Sign-On, please visit the following URL:
https://aws.amazon.com/blogs/security/new-whitepaper-single-sign-on-integrating-aws-openldap-and-shibboleth
The correct answer is: Use SAML (Security Assertion Markup Language) to enable single sign-on between AWS and LDAP.


NEW QUESTION # 245
What is the function of the following AWS Key Management Service (KMS) key policy attached to a customer master key (CMK)?

  • A. The CMK is to be used for encrypting and decrypting only when the principal is ExampleUser and the request comes from WorkMail or SES in the specified region.
  • B. The Amazon WorkMail and Amazon SES services have delegated KMS encrypt and decrypt permissions to the ExampleUser principal in the 111122223333 account.
  • C. The key policy allows WorkMail or SES to encrypt or decrypt on behalf of the user for any CMK in the account.
  • D. The ExampleUser principal can transparently encrypt and decrypt email exchanges specifically between ExampleUser and AWS.

Answer: A


NEW QUESTION # 246
A web application runs in a VPC on EC2 instances behind an ELB Application Load Balancer. The application stores data in an RDS MySQL DB instance. A Linux bastion host is used to apply schema updates to the database - administrators connect to the host via SSH from a corporate workstation. The following security groups are applied to the infrastructure:
* sgLB - associated with the ELB
* sgWeb - associated with the EC2 instances.
* sgDB - associated with the database
* sgBastion - associated with the bastion host
Which security group configuration will allow the application to be secure and functional?
Please select:

  • A. sgLB :allow port 80 and 443 traffic from 0.0.0.0/0
    sgWeb :allow port 80 and 443 traffic from 0.0.0.0/0
    sgDB :allow port 3306 traffic from sgWeb and sgBastion
    sgBastion: allow port 22 traffic from the corporate IP address range
  • B. sgLB :allow port 80 and 443 traffic from 0.0.0.0/0
    sgWeb :allow port 80 and 443 traffic from sgLB
    sgDB :allow port 3306 traffic from sgWeb and sgBastion
    sgBastion: allow port 22 traffic from the VPC IP address range
  • C. sgLB :allow port 80 and 443 traffic from 0.0.0.0/0
    sgWeb :allow port 80 and 443 traffic from sgLB
    sgDB :allow port 3306 traffic from sgWeb and sgLB
    sgBastion: allow port 22 traffic from the VPC IP address range
  • D. sgLB :allow port 80 and 443 traffic from 0.0.0.0/0
    sgWeb :allow port 80 and 443 traffic from sgLB
    sgDB :allow port 3306 traffic from sgWeb and sgBastion
    sgBastion: allow port 22 traffic from the corporate IP address range

Answer: D

Explanation:
The load balancer should accept traffic on port 80 and 443 from 0.0.0.0/0. The backend EC2 instances should accept traffic from the load balancer. The database should allow traffic from the web server. And the bastion host should only allow traffic from a specific corporate IP address range.
Option A is incorrect because the Web group should only allow traffic from the load balancer.
For more information on AWS Security Groups, please refer to below URL:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html
The correct answer is: sgLB :allow port 80 and 443 traffic from 0.0.0.0/0 sgWeb :allow port 80 and 443 traffic from sgLB sgDB :allow port 3306 traffic from sgWeb and sgBastion sgBastion: allow port 22 traffic from the corporate IP address range


NEW QUESTION # 247
You have just received an email from AWS Support stating that your AWS account might have been compromised. Which of the following steps would you look to carry out immediately? Choose 3 answers from the options below.
Please select:

  • A. Change the root account password.
  • B. Rotate all IAM access keys
  • C. Change the password for all IAM users.
  • D. Keep all resources running to avoid disruption

Answer: A,B,C

Explanation:
One of the articles from AWS describes what should be done in such a scenario:
If you suspect that your account has been compromised, or if you have received a notification from AWS that the account has been compromised, perform the following tasks:
* Change your AWS root account password and the passwords of any IAM users.
* Delete or rotate all root and AWS Identity and Access Management (IAM) access keys.
* Delete any resources on your account you didn't create, especially running EC2 instances, EC2 spot bids, or IAM users.
* Respond to any notifications you received from AWS Support through the AWS Support Center.
Option C is invalid because there could be compromised instances or resources running on your environment. They should be shut down or stopped immediately.
For more information on the article, please visit the below URL:
https://aws.amazon.com/premiumsupport/knowledge-center/potential-account-compromise
The correct answers are: Change the root account password. Rotate all IAM access keys. Change the password for all IAM users.


NEW QUESTION # 248
A city is implementing an election results reporting website that will use Amazon CloudFront. The website runs on a fleet of Amazon EC2 instances behind an Application Load Balancer (ALB) in an Auto Scaling group.
Election results are updated hourly and are stored as .pdf files in an Amazon S3 bucket. A Security Engineer needs to ensure that all external access to the website goes through CloudFront.
Which solution meets these requirements?

  • A. Create an IAM role that allows CloudFront to access the specific S3 bucket. Modify the S3 bucket policy to allow only the new IAM role to access its contents. Associate the ALB with a security group that allows only incoming traffic from the CloudFront service to communicate with the ALB.
  • B. Create an origin access identity (OAI) in CloudFront. Modify the S3 bucket policy to allow only the new OAI to access the bucket contents. Create an interface VPC endpoint for CloudFront to securely communicate with the ALB.
  • C. Create an origin access identity (OAI) in CloudFront. Modify the S3 bucket policy to allow only the new OAI to access the bucket contents. Associate the ALB with a security group that allows only incoming traffic from the CloudFront service to communicate with the ALB.
  • D. Create an IAM role that allows CloudFront to access the specific S3 bucket. Modify the S3 bucket policy to allow only the new IAM role to access its contents. Create an interface VPC endpoint for CloudFront to securely communicate with the ALB.

Answer: B


NEW QUESTION # 249
You need to establish a secure backup and archiving solution for your company, using AWS. Documents should be immediately accessible for three months and available for five years for compliance reasons. Which AWS service fulfills these requirements in the most cost-effective way? Choose the correct answer:
Please select:

  • A. Upload data to S3 and use lifecycle policies to move the data into Glacier for long-term archiving.
  • B. Use Storage Gateway to store data to S3 and use lifecycle policies to move the data into Redshift for long-term archiving.
  • C. Use Direct Connect to upload data to S3 and use IAM policies to move the data into Glacier for long-term archiving.
  • D. Upload the data on EBS, use lifecycle policies to move EBS snapshots into S3 and later into Glacier for long-term archiving.

Answer: A

Explanation:
Amazon Glacier is a secure, durable, and extremely low-cost cloud storage service for data archiving and long-term backup. Customers can reliably store large or small amounts of data for as little as $0.004 per gigabyte per month, a significant savings compared to on-premises solutions.
With Amazon lifecycle policies you can create transition actions in which you define when objects transition to another Amazon S3 storage class. For example, you may choose to transition objects to the STANDARD_IA (IA, for infrequent access) storage class 30 days after creation, or archive objects to the GLACIER storage class one year after creation.
Option B is invalid because lifecycle policies are not available for EBS volumes.
Option C is invalid because IAM policies cannot be used to move data to Glacier.
Option D is invalid because lifecycle policies are not used to move data to Redshift.
For more information on S3 lifecycle policies, please visit the URL:
http://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html
The correct answer is: Upload data to S3 and use lifecycle policies to move the data into Glacier for long-term archiving.


NEW QUESTION # 250
A company runs an application on AWS that needs to be accessed only by employees. Most employees work from the office, but others work remotely or travel.
How can the Security Engineer protect this workload so that only employees can access it?

  • A. Create a virtual gateway for VPN connectivity for each employee, and restrict access to the workload from within the VPC.
  • B. Route all traffic to the workload through AWS WAF. Add each employee's home IP address into an AWS WAF rule, and block all other traffic.
  • C. Add each employee's home IP address to the security group for the application so that only those users can access the workload.
  • D. Use a VPN appliance from the AWS Marketplace for users to connect to, and restrict workload access to traffic from that appliance.

Answer: A


NEW QUESTION # 251
A Security Engineer has been asked to create an automated process to disable IAM user access keys that are more than three months old.
Which of the following options should the Security Engineer use?

  • A. Write a script that uses the GenerateCredentialReport, GetCredentialReport, and UpdateAccessKey APIs.
  • B. In the AWS Console, choose the IAM service and select "Users". Review the "Access Key Age" column.
  • C. Define an IAM policy that denies access if the key age is more than three months and apply to all users.
  • D. Create an Amazon CloudWatch alarm to detect aged access keys and use an AWS Lambda function to disable the keys older than 90 days.

Answer: B

Explanation:
Explanation/Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html


NEW QUESTION # 252
An Amazon S3 bucket is encrypted using an AWS KMS CMK. An IAM user is unable to download objects from the S3 bucket using the AWS Management Console; however, other users can download objects from the S3 bucket.
Which policies should the Security Engineer review and modify to resolve this issue? (Select three.)

  • A. The S3 ACL
  • B. The IAM policy
  • C. The CMK policy
  • D. The VPC endpoint policy
  • E. The S3 bucket policy

Answer: B,C,E

Explanation:
https://aws.amazon.com/premiumsupport/knowledge-center/decrypt-kms-encrypted-objects-s3/


NEW QUESTION # 253
A website currently runs on Amazon EC2, with mostly static content on the site. Recently the site was subjected to a DDoS attack, and a security engineer was asked to redesign the edge security to help mitigate this risk in the future.
What are some ways the engineer could achieve this (Select THREE)?

  • A. Use AWS X-Ray to inspect the traffic going to the EC2 instances.
  • B. Change the security group configuration to block the source of the attack traffic
  • C. Use AWS WAF security rules to inspect the inbound traffic.
  • D. Move the static content to Amazon S3, and front this with an Amazon CloudFront distribution.
  • E. Use Amazon Route 53 to distribute traffic.
  • F. Use Amazon Inspector assessment templates to inspect the inbound traffic.

Answer: C,D,E


NEW QUESTION # 254
A company's on-premises data center forwards DNS logs to a third-party security incident events management (SIEM) solution that alerts on suspicious behavior. The company wants to introduce a similar capability to its AWS accounts that includes automatic remediation. The company expects to double in size within the next few months.
Which solution meets the company's current and future logging requirements?

  • A. Enable Amazon GuardDuty and AWS Security Hub in all Regions and all accounts. Designate a master security account to receive all alerts from the child accounts. Create an AWS Organizations SCP that denies access to certain API calls that are on an ignore list.
  • B. Ingest all AWS CloudTrail logs, VPC Flow Logs, and DNS logs into a single Amazon S3 bucket in a designated security account. Use the current on-premises SIEM to monitor the logs and send a notification to an Amazon SNS topic to alert the security team of remediation steps.
  • C. Ingest all AWS CloudTrail logs, VPC Flow Logs, and DNS logs into a single Amazon S3 bucket in a designated security account. Launch an Amazon EC2 instance and install the current SIEM to monitor the logs and send a notification to an Amazon SNS topic to alert the security team of remediation steps.
  • D. Enable Amazon GuardDuty and AWS Security Hub in all Regions and all accounts. Designate a master security account to receive all alerts from the child accounts. Set up specific rules within Amazon EventBridge to trigger an AWS Lambda function for remediation steps.

Answer: D


NEW QUESTION # 255
A company hosts data in S3. There is now a mandate that going forward all data in the S3 bucket needs to be encrypted at rest. How can this be achieved?
Please select:

  • A. Use AWS Access keys to encrypt the data
  • B. Enable server side encryption on the S3 bucket
  • C. Enable MFA on the S3 bucket
  • D. Use SSL certificates to encrypt the data

Answer: B

Explanation:
The AWS documentation mentions the following:
Server-side encryption is about data encryption at rest; that is, Amazon S3 encrypts your data at the object level as it writes it to disks in its data centers and decrypts it for you when you access it. As long as you authenticate your request and you have access permissions, there is no difference in the way you access encrypted or unencrypted objects.
Options A and B are invalid because neither Access Keys nor SSL certificates can be used to encrypt data.
Option D is invalid because MFA is just used as an extra level of security for S3 buckets.
For more information on S3 server-side encryption, please refer to the below link:
https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html


NEW QUESTION # 256
A company has an encrypted Amazon S3 bucket. An Application Developer has an IAM policy that allows access to the S3 bucket, but the Application Developer is unable to access objects within the bucket.
What is a possible cause of the issue?

  • A. The AWS KMS key for the S3 bucket fails to list the Application Developer as an administrator
  • B. The S3 bucket policy fails to explicitly grant access to the Application Developer
  • C. The S3 ACL for the S3 bucket fails to explicitly grant access to the Application Developer
  • D. The S3 bucket policy explicitly denies access to the Application Developer

Answer: B


NEW QUESTION # 257
A company wants to deploy a distributed web application on a fleet of EC2 instances. The fleet will be fronted by a Classic Load Balancer that will be configured to terminate the TLS connection. The company wants to make sure that all past and current TLS traffic to the Classic Load Balancer stays secure even if the certificate private key is leaked.
To ensure the company meets these requirements, a Security Engineer can configure a Classic Load Balancer with:

  • A. An HTTPS listener that uses a certificate that is managed by Amazon Certification Manager.
  • B. A TCP listener that uses a custom security policy that allows only perfect forward secrecy cipher suites.
  • C. An HTTPS listener that uses a custom security policy that allows only perfect forward secrecy cipher suites
  • D. An HTTPS listener that uses the latest AWS predefined ELBSecurityPolicy-TLS-1-2-2017-01 security policy

Answer: D


NEW QUESTION # 258
A company's security information events management (SIEM) tool receives new AWS CloudTrail logs from an Amazon S3 bucket that is configured to send all object created event notifications to an Amazon SNS topic. An Amazon SQS queue is subscribed to this SNS topic. The company's SIEM tool then polls this SQS queue for new messages using an IAM role and fetches new log events from the S3 bucket based on the SQS messages.
After a recent security review that resulted in restricted permissions, the SIEM tool has stopped receiving new CloudTrail logs.
Which of the following are possible causes of this issue? (Choose three.)

  • A. The S3 bucket policy does not allow CloudTrail to perform the PutObject action.
  • B. The IAM role used by the SIEM tool does not allow the SQS:DeleteMessage action.
  • C. The SQS queue does not allow the SQS:SendMessage action from the SNS topic.
  • D. The IAM role used by the SIEM tool does not have permission to subscribe to the SNS topic.
  • E. The SNS topic does not allow the SNS:Publish action from Amazon S3.
  • F. The SNS topic is not delivering raw messages to the SQS queue.

Answer: A,D,E


NEW QUESTION # 259
......

Updated PDF (New 2024) Actual Amazon AWS-Security-Specialty Exam Questions: https://examcollection.prep4sureguide.com/AWS-Security-Specialty-prep4sure-exam-guide.html