AWS Certified Security - Specialty Intermediate Practice Exam: Medium Difficulty 2025
Ready to level up? Our intermediate practice exam features medium-difficulty questions with scenario-based problems that test your ability to apply concepts in real-world situations. Perfect for bridging foundational knowledge to exam-ready proficiency.
What Makes Intermediate Questions Different?
Apply your knowledge in practical scenarios
Medium Difficulty: Questions that test application of concepts in real-world scenarios
Scenario-Based: Practical situations requiring multi-concept understanding
Exam-Similar: Question style mirrors what you'll encounter on the actual exam
Bridge to Advanced: Prepare yourself for the most challenging questions
Medium Difficulty Practice Questions
10 intermediate-level questions for AWS Certified Security - Specialty
A security team needs to detect and respond to unauthorized API calls made with compromised IAM credentials in their AWS account. The solution must automatically disable the compromised credentials and notify the security team within minutes of detection. Which combination of services would BEST accomplish this requirement?
A financial services company must retain all API activity logs for 7 years to meet regulatory compliance requirements. The logs must be tamper-proof and available for audit. CloudTrail logs are currently stored in an S3 bucket. Which combination of actions should a security engineer implement? (Choose the BEST approach)
A company hosts a three-tier web application in a VPC with public and private subnets across multiple Availability Zones. The application tier in private subnets needs to access external third-party APIs over HTTPS while preventing inbound access from the internet. Database instances should have no internet access. What is the MOST secure network architecture to meet these requirements?
A development team needs temporary access to production AWS resources for troubleshooting. The security policy requires that access be granted for a maximum of 4 hours, require MFA authentication, and be automatically revoked after the time period. Developers should assume a role from their existing IAM user accounts. How should this be implemented?
A company stores sensitive customer data in Amazon S3 and must encrypt data at rest using keys that are rotated every 90 days. The security team must maintain complete control over key rotation, usage auditing, and the ability to immediately disable keys if needed. Which encryption solution meets these requirements?
A security engineer is reviewing CloudTrail logs and notices multiple 'UnauthorizedOperation' errors from an IAM role used by an EC2 instance. The application team reports that their application is functioning correctly. What is the BEST approach to address this situation following the principle of least privilege?
A company needs to implement centralized security monitoring across 50 AWS accounts in an AWS Organization. Security findings from AWS Security Hub, GuardDuty, and IAM Access Analyzer must be aggregated in a central security account. Compliance reports need to be generated monthly. What is the MOST operationally efficient approach?
An application running on EC2 instances stores application logs containing sensitive data in Amazon CloudWatch Logs. The security team requires that logs be encrypted using a customer managed KMS key, and that only specific IAM roles can decrypt and read the logs. How should this be configured?
A company's VPC has multiple EC2 instances that were launched without proper security group configurations. A security audit reveals several instances have security groups allowing unrestricted inbound access (0.0.0.0/0) on ports 22, 3389, and 3306. What is the MOST effective way to continuously monitor and automatically remediate such misconfigurations in the future?
A security incident has been detected where an attacker gained access to an EC2 instance. The security team needs to preserve the instance for forensic analysis while preventing any further damage to the environment. What is the BEST immediate response action?
Mastered the intermediate level?
Challenge yourself with advanced questions when you score above 85%
AWS Certified Security - Specialty Intermediate Practice Exam FAQs
AWS Security Specialty is a professional certification from Amazon Web Services (AWS) that validates expertise in AWS Certified Security - Specialty technologies and concepts. The official exam code is SCS-C02.
The AWS Security Specialty intermediate practice exam contains medium-difficulty questions that test your working knowledge of core concepts. These questions are similar to what you'll encounter on the actual exam.
Take the AWS Security Specialty intermediate practice exam after you've completed the beginner level and feel comfortable with basic concepts. This helps bridge the gap between foundational knowledge and exam-ready proficiency.
The AWS Security Specialty intermediate practice exam includes scenario-based questions and multi-concept problems similar to the SCS-C02 exam, helping you apply knowledge in practical situations.