What You'll Learn

  • Pass the AWS Certified Security – Specialty certification exam on your first attempt using accurate, exam-level study material and practice tests.
  • Identify and remediate security vulnerabilities across AWS infrastructure using Detection services like GuardDuty and AWS Detective.
  • Implement robust Identity and Access Management (IAM) architectures, including role-based access, AWS SSO, and federated identity configurations.
  • Design automated Incident Response workflows to successfully contain compromised resources and interpret the AWS Security Finding Format.
  • Apply advanced Data Protection strategies utilizing AWS KMS encryption, secure key rotation, and S3 bucket object lock capabilities.
  • Master Infrastructure Security by engineering secure network segmentation, hardening EC2 instances, and deploying AWS WAF and Shield protections.
  • Validate continuous compliance and enforce Security Foundations and Governance using AWS Config rules and AWS Artifact.
  • Evaluate complex, scenario-based exam questions to quickly eliminate incorrect distractors and select the secure architectural solution.

Requirements

  • A fundamental understanding of core AWS services (equivalent to the AWS Certified Solutions Architect – Associate level) and basic IT security concepts.
  • (Optional but recommended) An active AWS Free Tier account to follow along with the concepts and explore the AWS Management Console hands-on.

Description

Detailed Exam Domain Coverage

This practice test course is strictly aligned with the official AWS Certified Security – Specialty exam blueprint. The questions are distributed across the following domains to reflect the actual exam weightings:

  • Detection (16%)

    • Threat detection services (e.g., GuardDuty)

    • Anomaly detection and alerting

    • AWS Detective investigations

  • Incident Response (14%)

    • Design and implement incident response plans

    • AWS Security Finding Format (ASFF) Version 1.1

    • Roles and responsibilities in incident response

  • Infrastructure Security (18%)

    • Network segmentation and security groups

    • Hardening of EC2 instances

    • AWS WAF and Shield protections

  • Identity and Access Management (20%)

    • IAM policies and role-based access

    • AWS Single Sign‑On (SSO) configuration

    • Federated identity and temporary credentials

  • Data Protection (18%)

    • Encryption at rest with KMS

    • S3 bucket encryption and object lock

    • Secure key management and rotation

  • Security Foundations and Governance (14%)

    • Compliance frameworks and AWS Artifact

    • AWS Config rules and continuous compliance

    • Security best‑practice foundations

Course Description

Passing the AWS Certified Security – Specialty exam requires more than a baseline understanding of cloud concepts. You need a deep, operational grasp of how to secure complex AWS environments, troubleshoot access issues, and automate incident response. I designed these practice tests to mirror the exact difficulty, scenario format, and domain weighting of the real certification exam.

Instead of just testing rote memorization, this question bank challenges you with real-world scenarios. You will evaluate IAM policies for cross-account access, design network segmentation using VPCs and Security Groups, and determine the most cost-effective data protection strategies using AWS KMS and S3 Object Lock. I have written detailed explanations for every single option to ensure you understand exactly why a specific AWS service configuration is secure, and why the distractors fail to meet AWS best practices.

Whether you are struggling with interpreting AWS Config rules or need to refine your incident response workflows using GuardDuty and AWS Detective, these mock exams will highlight your blind spots before you sit for the actual test.

Practice Questions Preview

Below are three sample questions to give you an idea of the depth and format of the practice tests inside the course.

Question 1: Data Protection

A security engineer needs to enforce encryption at rest for all newly created Amazon EBS volumes within an AWS account. The solution must ensure that no user, including administrators, can provision unencrypted volumes. What is the MOST operationally efficient way to achieve this?

  • Options:

    • A) Create an AWS Config rule to automatically delete any unencrypted EBS volumes immediately after creation.

    • B) Use an AWS Organizations Service Control Policy (SCP) to deny the ec2:CreateVolume action if the Encrypted condition is false.

    • C) Enable the EBS Encryption by Default feature at the account level for each required AWS Region.

    • D) Attach an IAM policy to all developers and administrators that explicitly denies the creation of unencrypted volumes.

    • E) Trigger an AWS Lambda function via EventBridge that automatically encrypts all new EBS volumes post-creation.

    • F) Monitor AWS CloudTrail for CreateVolume API calls and manually encrypt volumes that violate the company policy.

  • Correct Answer: C

  • Overall Explanation: Enabling EBS Encryption by Default is a native, account-level setting that automatically encrypts all new EBS volumes and snapshot copies. It requires zero custom logic, policies, or reactive remediation, making it the most operationally efficient solution to enforce encryption.

  • Detailed Option Analysis:

    • A is incorrect: Deleting volumes after creation is a reactive approach that could disrupt ongoing deployments and applications. It is not operationally efficient.

    • B is incorrect: While an SCP will block the creation of unencrypted volumes, it forces users to manually check the encryption box or add encryption parameters to their API calls. It prevents the action but doesn't automatically solve the issue as seamlessly as option C.

    • C is correct: This is a built-in feature that ensures every new volume is encrypted automatically with no extra effort from the user provisioning the volume.

    • D is incorrect: Managing IAM policies across all users is administratively burdensome. Like an SCP, it blocks the creation but doesn't automatically encrypt the volumes by default.

    • E is incorrect: You cannot encrypt an existing unencrypted EBS volume in place. You would have to take a snapshot, copy it with encryption, and create a new volume, making this Lambda approach highly complex and inefficient.

    • F is incorrect: Manual monitoring and remediation is the least efficient approach and leaves a window of time where data could be written to an unencrypted volume.

Question 2: Identity and Access Management

Your company has hired a third-party auditing firm to analyze AWS CloudTrail logs. The firm requires cross-account access to your AWS environment. To follow security best practices, you create an IAM role for the third party to assume. How can you prevent the "confused deputy" problem in this cross-account scenario?

  • Options:

    • A) Require the third party to use an IAM user credential instead of assuming an IAM role.

    • B) Attach an AWS WAF rule to the IAM role to restrict the incoming IP addresses of the auditing firm.

    • C) Configure the IAM role's trust policy to require an sts:ExternalId condition specified by the third party.

    • D) Enable multi-factor authentication (MFA) on the auditing firm's AWS account root user.

    • E) Store the cross-account role ARN in AWS Secrets Manager and rotate it every 30 days.

    • F) Restrict the IAM role to only allow AssumeRole API calls originating from an AWS Direct Connect link.

  • Correct Answer: C

  • Overall Explanation: The "confused deputy" problem occurs when an entity that doesn't have permission to perform an action can coerce a more-privileged entity to perform the action. In cross-account role assumption, the best practice to prevent this is using an ExternalId provided by the third party in your role's trust policy.

  • Detailed Option Analysis:

    • A is incorrect: Creating IAM users for third parties is an anti-pattern. Cross-account roles are the recommended AWS best practice for granting access to external entities.

    • B is incorrect: AWS WAF is used to protect web applications (like API Gateway or ALB) from web exploits. It cannot be attached to an IAM role.

    • C is correct: The ExternalId condition ensures that the auditing firm must pass a specific, unique ID when assuming the role, preventing another customer of the auditing firm from guessing your Role ARN and using the firm's system to access your account.

    • D is incorrect: MFA on the root user of the third-party account provides no protection regarding which role the third party's software can assume in your account.

    • E is incorrect: Secrets Manager is for storing credentials like database passwords or API keys. An IAM role ARN is not a secret credential, and rotating it does not prevent the confused deputy problem.

    • F is incorrect: Requiring a Direct Connect link restricts the network path but does not solve the fundamental authentication vulnerability of the confused deputy problem.
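The ExternalId condition from Question 2 can be checked mechanically across role trust policies. The following is an added example, not part of the course material: a small auditor that flags any Allow statement letting another account call sts:AssumeRole without an exact-match sts:ExternalId condition. The account IDs, the Sid, and the ExternalId value are constructed placeholders.

```python
# Constructed sample data: account IDs and the ExternalId value are placeholders.
OWN_ACCOUNT = "111111111111"
AUDITOR_STATEMENT = {
    "Sid": "AuditorAssumeRole",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
    "Action": "sts:AssumeRole",
}
WEAK_TRUST = {"Version": "2012-10-17", "Statement": [AUDITOR_STATEMENT]}
HARDENED_TRUST = {"Version": "2012-10-17", "Statement": [{
    **AUDITOR_STATEMENT,
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}},
}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_accounts(principal):
    """Account IDs named in a Principal element ("*" means any account)."""
    if principal == "*":
        return ["*"]
    accounts = []
    for entry in _as_list(principal.get("AWS", [])):
        # Principals are "*", a bare 12-digit account ID, or an IAM/STS ARN.
        accounts.append(entry.split(":")[4] if entry.startswith("arn:") else entry)
    return accounts

def _requires_external_id(statement):
    """True only for an exact-match (StringEquals) sts:ExternalId condition."""
    keys = statement.get("Condition", {}).get("StringEquals", {})
    for key, value in keys.items():
        values = _as_list(value)
        if key.lower() == "sts:externalid" and values and all(values):
            return True
    return False

def find_confused_deputy_risks(trust_policy, own_account):
    """List (sid, external_accounts) for Allow statements lacking sts:ExternalId."""
    findings = []
    for index, stmt in enumerate(_as_list(trust_policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        external = [a for a in _principal_accounts(stmt.get("Principal", {}))
                    if a != own_account]
        if external and not _requires_external_id(stmt):
            findings.append((stmt.get("Sid", f"statement[{index}]"), external))
    return findings

if __name__ == "__main__":
    print(find_confused_deputy_risks(WEAK_TRUST, OWN_ACCOUNT))
    print(find_confused_deputy_risks(HARDENED_TRUST, OWN_ACCOUNT))
```

Service principals and same-account principals are ignored, since the confused deputy scenario in the question concerns a different AWS account assuming the role.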

Question 3: Incident Response & Detection

Amazon GuardDuty has generated a high-severity finding indicating that an EC2 instance in your public subnet is communicating with a known command-and-control (C2) IP address. According to incident response best practices, what should be your FIRST action to contain the threat without destroying forensic evidence?

  • Options:

    • A) Terminate the compromised EC2 instance immediately to stop the malicious communication.

    • B) Modify the Security Group attached to the EC2 instance to isolate it from the internet.

    • C) Delete the public subnet containing the compromised EC2 instance.

    • D) Reboot the EC2 instance to terminate any malicious processes running in memory.

    • E) Deregister the EC2 instance from AWS Systems Manager to prevent lateral movement.

    • F) Pause the AWS billing account to prevent malicious crypto-mining charges.

  • Correct Answer: B

  • Overall Explanation: When dealing with a compromised instance, the primary goal of the containment phase is to stop the malicious activity while preserving the state of the machine for forensic analysis (AWS Detective investigations). Isolating the network traffic via Security Groups achieves this.

  • Detailed Option Analysis:

    • A is incorrect: Terminating the instance destroys volatile memory (RAM) and potentially the root volume, eliminating valuable forensic evidence needed to understand how the breach occurred.

    • B is correct: Changing the Security Group to deny all inbound and outbound traffic (or restricting it strictly to a forensic subnet/IP) immediately stops the C2 communication while keeping the instance running so you can capture memory dumps and analyze logs.

    • C is incorrect: Deleting an entire subnet will impact any other healthy resources residing in that subnet and is an overly destructive administrative action.

    • D is incorrect: Rebooting clears volatile memory (RAM), which destroys forensic evidence of active malicious processes, network connections, and loaded malware.

    • E is incorrect: Deregistering Systems Manager (SSM) prevents you from securely accessing the instance to run forensic commands. It does nothing to stop the communication with the C2 server.

    • F is incorrect: You cannot "pause" an AWS billing account to stop an instance. You must isolate the resource at the infrastructure level.
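The containment step from Question 3, sketched as an added example that is not part of the course material: every network interface of the instance is moved onto a pre-created isolation security group, and the original groups are returned for the case record. The function expects a boto3 EC2 client; `FakeEC2`, the resource IDs, and the `ir-status` tag are constructed or hypothetical, and the isolation group is assumed to have no inbound rules and its default egress rule removed.

```python
def isolate_instance(ec2, instance_id, isolation_sg_id):
    """Move every network interface of the instance onto the isolation group.

    Returns {eni_id: [original group IDs]} as a record for the case file and
    for later rollback. The instance keeps running; nothing is stopped.
    """
    reservations = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"]
    instance = reservations[0]["Instances"][0]
    original = {}
    for eni in instance["NetworkInterfaces"]:
        eni_id = eni["NetworkInterfaceId"]
        original[eni_id] = [g["GroupId"] for g in eni["Groups"]]
        # Security groups only allow: replacing the whole set with one group
        # that has no rules leaves nothing permitting traffic in or out.
        ec2.modify_network_interface_attribute(
            NetworkInterfaceId=eni_id, Groups=[isolation_sg_id])
    ec2.create_tags(Resources=[instance_id],
                    Tags=[{"Key": "ir-status", "Value": "isolated"}])  # hypothetical tag
    return original

class FakeEC2:
    """Constructed in-memory stand-in for a boto3 EC2 client (offline demo only)."""

    def __init__(self):
        self.enis = {"eni-0aaa": ["sg-web"], "eni-0bbb": ["sg-web", "sg-admin"]}
        self.tags = {}

    def describe_instances(self, InstanceIds):
        interfaces = [{"NetworkInterfaceId": eni, "Groups": [{"GroupId": g} for g in groups]}
                      for eni, groups in self.enis.items()]
        return {"Reservations": [{"Instances": [
            {"InstanceId": InstanceIds[0], "NetworkInterfaces": interfaces}]}]}

    def modify_network_interface_attribute(self, NetworkInterfaceId, Groups):
        self.enis[NetworkInterfaceId] = list(Groups)

    def create_tags(self, Resources, Tags):
        for resource in Resources:
            self.tags.setdefault(resource, {}).update({t["Key"]: t["Value"] for t in Tags})

def demo():
    """Run the isolation against the fake client and return what changed."""
    ec2 = FakeEC2()
    saved = isolate_instance(ec2, "i-0example", "sg-isolation")
    return saved, ec2.enis, ec2.tags

if __name__ == "__main__":
    print(demo())
```

Connections that the security group is already tracking are not necessarily cut the moment the rules change, so confirm in VPC Flow Logs that the C2 flow has actually stopped.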

  • Welcome to the Mock Exam Practice Tests Academy to help you prepare for your AWS Certified Security – Specialty.

  • You can retake the exams as many times as you want.

  • This is a huge original question bank.

  • You get support from instructors if you have questions.

  • Each question has a detailed explanation.

  • Mobile-compatible with the Udemy app.

I hope that by now you're convinced! And there are a lot more questions inside the course.

Who this course is for:

  • IT Security professionals looking to validate their expertise by passing the official AWS Certified Security – Specialty exam.
  • Cloud Architects wanting to master Infrastructure Security concepts, including network segmentation, AWS WAF, and EC2 hardening.
  • Security Engineers responsible for Threat Detection and Incident Response using tools like AWS GuardDuty and AWS Detective.
  • Identity Administrators focused on designing secure IAM policies, AWS SSO, and robust federated identity architectures.
  • Data Protection specialists seeking to enforce encryption at rest and in transit utilizing AWS KMS, key rotation, and S3 bucket security.
  • Compliance Auditors who need to understand Security Foundations and Governance through continuous compliance tracking with AWS Config and AWS Artifact.
[NEW] AWS Certified Security – Specialty

Course Includes:

  • Price: FREE
  • Enrolled: 64 students
  • Language: English
  • Certificate: Yes
  • Difficulty: Beginner