Title of test: AWS Certified Security - Specialty
Description: AWS Certified Security - Specialty
Author: AVATAR
Creation Date: 21/08/2022
Category: Others
Number of questions: 52
Content:
The Security team believes that a former employee may have gained unauthorized access to AWS resources sometime in the past 3 months by using an identified access key. What approach would enable the Security team to find out what the former employee may have done within AWS?

A. Use the AWS CloudTrail console to search for user activity.
B. Use the Amazon CloudWatch Logs console to filter CloudTrail data by user.
C. Use AWS Config to see what actions were taken by the user.
D. Use Amazon Athena to query CloudTrail logs stored in Amazon S3.

A company is designing the security architecture for a global latency-sensitive web application it plans to deploy to AWS. A security engineer needs to configure a highly available and secure two-tier architecture. The security design must include controls to prevent common attacks such as DDoS, cross-site scripting, and SQL injection.

Which solution meets these requirements?

A. Create an Application Load Balancer (ALB) that uses public subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create an Amazon CloudFront distribution that uses the ALB as its origin. Create appropriate AWS WAF ACLs and enable them on the CloudFront distribution.
B. Create an Application Load Balancer (ALB) that uses private subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create an Amazon CloudFront distribution that uses the ALB as its origin. Create appropriate AWS WAF ACLs and enable them on the CloudFront distribution.
C. Create an Application Load Balancer (ALB) that uses public subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create appropriate AWS WAF ACLs and enable them on the ALB.
D. Create an Application Load Balancer (ALB) that uses private subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create appropriate AWS WAF ACLs and enable them on the ALB.

A company is using AWS Organizations to manage multiple AWS member accounts. All of these accounts have Amazon GuardDuty enabled in all Regions. The company’s AWS Security Operations Center has a centralized security account for logging and monitoring. One of the member accounts has received an excessively high bill. A security engineer discovers that a compromised Amazon EC2 instance is being used to mine cryptocurrency. The Security Operations Center did not receive a GuardDuty finding in the central security account, but there was a GuardDuty finding in the account containing the compromised EC2 instance. The security engineer needs to ensure all GuardDuty findings are available in the security account. What should the security engineer do to resolve this issue?

A. Set up an Amazon CloudWatch Events rule to forward all GuardDuty findings to the security account. Use an AWS Lambda function as a target to raise findings.
B. Set up an Amazon CloudWatch Events rule to forward all GuardDuty findings to the security account. Use an AWS Lambda function as a target to raise findings in AWS Security Hub.
C. Check that GuardDuty in the security account is able to assume a role in the compromised account using the guardduty:ListFindings permission. Schedule an Amazon CloudWatch Events rule and an AWS Lambda function to periodically check for GuardDuty findings.
D. Use the aws guardduty get-members AWS CLI command in the security account to see if the account is listed. Send an invitation from GuardDuty in the security account to GuardDuty in the compromised account. Accept the invitation to forward all future GuardDuty findings.

A company’s director of information security wants a daily email report from AWS that contains recommendations for each company account to meet AWS Security best practices. Which solution would meet these requirements?

A. In every AWS account, configure AWS Lambda to query the AWS Support API for AWS Trusted Advisor security checks. Send the results from Lambda to an Amazon SNS topic to send reports.
B. Configure Amazon GuardDuty in a master account and invite all other accounts to be managed by the master account. Use GuardDuty’s integration with Amazon SNS to report on findings.
C. Use Amazon Athena and Amazon QuickSight to build reports off of AWS CloudTrail. Create a daily Amazon CloudWatch trigger to run the report daily and email it using Amazon SNS.
D. Use AWS Artifact’s prebuilt reports and subscriptions. Subscribe the director of information security to the reports by adding the director as the security alternate contact for each account.

A security engineer has noticed that VPC Flow Logs are getting a lot of REJECT traffic originating from a single Amazon EC2 instance in an Auto Scaling group. The security engineer is concerned that this EC2 instance may be compromised. What immediate action should the security engineer take?

A. Remove the instance from the Auto Scaling group. Close the security group with ingress only from a single forensic IP address to perform an analysis.
B. Remove the instance from the Auto Scaling group. Change the network ACL rules to allow traffic only from a single forensic IP address to perform an analysis. Add a rule to deny all other traffic.
C. Remove the instance from the Auto Scaling group. Enable Amazon GuardDuty in that AWS account. Install the Amazon Inspector agent on the suspicious EC2 instance to perform a scan.
D. Take a snapshot of the suspicious EC2 instance. Create a new EC2 instance from the snapshot in a closed security group with ingress only from a single forensic IP address to perform an analysis.

A company’s security information events management (SIEM) tool receives new AWS CloudTrail logs from an Amazon S3 bucket that is configured to send all object created event notifications to an Amazon SNS topic. An Amazon SQS queue is subscribed to this SNS topic. The company’s SIEM tool then polls this SQS queue for new messages using an IAM role and fetches new log events from the S3 bucket based on the SQS messages. After a recent security review that resulted in restricted permissions, the SIEM tool has stopped receiving new CloudTrail logs. Which of the following are possible causes of this issue? (Choose three.)

A. The SQS queue does not allow the SQS:SendMessage action from the SNS topic.
B. The SNS topic does not allow the SNS:Publish action from Amazon S3.
C. The SNS topic is not delivering raw messages to the SQS queue.
D. The S3 bucket policy does not allow CloudTrail to perform the PutObject action.
E. The IAM role used by the SIEM tool does not have permission to subscribe to the SNS topic.
F. The IAM role used by the SIEM tool does not allow the SQS:DeleteMessage action.

A security engineer is designing an incident response plan to address the risk of a compromised Amazon EC2 instance. The plan must recommend a solution to meet the following requirements:
• A trusted forensic environment must be provisioned.
• Automated response processes must be orchestrated.

Which AWS services should be included in the plan? (Choose two.)

A. AWS CloudFormation
B. Amazon GuardDuty
C. Amazon Inspector
D. Amazon Macie
E. AWS Step Functions

A security engineer needs to ensure their company’s use of AWS meets AWS security best practices. As part of this, the AWS account root user must not be used for daily work. The root user must be monitored for use, and the security team must be alerted as quickly as possible if the root user is used. Which solution meets these requirements?

A. Set up an Amazon CloudWatch Events rule that triggers an Amazon SNS notification.
B. Create root user access keys. Use an AWS Lambda function to parse AWS CloudTrail logs from Amazon S3 and generate notifications using Amazon SNS.
C. Set up a rule in AWS Config to trigger root user events. Trigger an AWS Lambda function and generate notifications using Amazon SNS.
D. Use Amazon Inspector to monitor the usage of the root user and generate notifications using Amazon SNS.

A company is using AWS Organizations to manage multiple AWS accounts. The company has an application that allows users to assume the AppUser IAM role to download files from an Amazon S3 bucket that is encrypted with an AWS KMS CMK. However, when users try to access the files in the S3 bucket, they get an access denied error. What should a security engineer do to troubleshoot this error? (Choose three.)

A. Ensure the KMS policy allows the AppUser role to have permission to decrypt for the CMK.
B. Ensure the S3 bucket policy allows the AppUser role to have permission to get objects for the S3 bucket.
C. Ensure the CMK was created before the S3 bucket.
D. Ensure the S3 block public access feature is enabled for the S3 bucket.
E. Ensure that automatic key rotation is disabled for the CMK.
F. Ensure the SCPs within Organizations allow access to the S3 bucket.

A company’s security engineer has been asked to monitor and report all AWS account root user activities. Which of the following would enable the security engineer to monitor and report all root user activities? (Choose two.)

A. Configuring AWS Organizations to monitor root user API calls on the paying account
B. Creating an Amazon CloudWatch Events rule that will trigger when any API call from the root user is reported
C. Configuring Amazon Inspector to scan the AWS account for any root user activity
D. Configuring AWS Trusted Advisor to send an email to the security team when the root user logs in to the console
E. Using Amazon SNS to notify the target group

An external auditor finds that a company’s user passwords have no minimum length. The company is currently using two identity providers:
• AWS IAM federated with on-premises Active Directory
• Amazon Cognito user pools to access an AWS Cloud application developed by the company

Which combination of actions should the security engineer take to solve this issue? (Choose two.)

A. Update the password length policy in the on-premises Active Directory configuration.
B. Update the password length policy in the IAM configuration.
C. Enforce an IAM policy in Amazon Cognito and AWS IAM with a minimum password length condition.
D. Update the password length policy in the Amazon Cognito configuration.
E. Create an SCP with AWS Organizations that enforces a minimum password length for AWS IAM and Amazon Cognito.

A security engineer noticed an anomaly within a company EC2 instance as shown in the image. The engineer must now investigate what is causing the anomaly. What are the MOST effective steps to take to ensure that the instance is not further manipulated, while allowing the engineer to understand what happened?

A. Remove the instance from the Auto Scaling group. Place the instance within an isolation security group, detach the EBS volume, launch an EC2 instance with a forensic toolkit, and attach the EBS volume to investigate.
B. Remove the instance from the Auto Scaling group and the Elastic Load Balancer. Place the instance within an isolation security group, launch an EC2 instance with a forensic toolkit, and allow the forensic toolkit image to connect to the suspicious instance to perform the investigation.
C. Remove the instance from the Auto Scaling group. Place the instance within an isolation security group, launch an EC2 instance with a forensic toolkit, and use the forensic toolkit image to deploy an ENI as a network span port to inspect all traffic coming from the suspicious instance.
D. Remove the instance from the Auto Scaling group and the Elastic Load Balancer. Place the instance within an isolation security group, make a copy of the EBS volume from a new snapshot, launch an EC2 instance with a forensic toolkit, and attach the copy of the EBS volume to investigate.

A developer reported that AWS CloudTrail was disabled on their account. A security engineer investigated the account and discovered the event was undetected by the current security solution. The security engineer must recommend a solution that will detect future changes to the CloudTrail configuration and send alerts when changes occur. What should the security engineer do to meet these requirements?

A. Use AWS Resource Access Manager (AWS RAM) to monitor the AWS CloudTrail configuration. Send notifications using Amazon SNS.
B. Create an Amazon CloudWatch Events rule to monitor Amazon GuardDuty findings. Send email notifications using Amazon SNS.
C. Update security contact details in AWS account settings for AWS Support to send alerts when suspicious activity is detected.
D. Use Amazon Inspector to automatically detect security issues. Send alerts using Amazon SNS.

A company uses multiple AWS accounts managed with AWS Organizations. Security engineers have created a standard set of security groups for all these accounts. The security policy requires that these security groups be used for all applications and delegates modification authority to the security team only. A recent security audit found that the security groups are inconsistently implemented across accounts and that unauthorized changes have been made to the security groups. A security engineer needs to recommend a solution to improve consistency and to prevent unauthorized changes in the individual accounts in the future. Which solution should the security engineer recommend?

A. Use AWS Resource Access Manager to create shared resources for each required security group and apply an IAM policy that permits read-only access to the security groups only.
B. Create an AWS CloudFormation template that creates the required security groups. Execute the template as part of configuring new accounts. Enable Amazon Simple Notification Service (Amazon SNS) notifications when changes occur.
C. Use AWS Firewall Manager to create a security group policy, enable the policy feature to identify and revert local changes, and enable automatic remediation.
D. Use AWS Control Tower to edit the account factory template to enable the share security groups option. Apply an SCP to the OU or individual accounts that prohibits security group modifications from local account users.

A company wants to deploy an application in a private VPC that will not be connected to the internet. The company’s security team will not allow bastion hosts or methods using SSH to log in to Amazon EC2 instances. The application team plans to use AWS Systems Manager Session Manager to connect to and manage the EC2 instances. Which combination of steps should the security team take? (Choose three.)

A. Make sure the Systems Manager Agent is installed and running on all EC2 instances inside the VPC.
B. Ensure the IAM role attached to the EC2 instances in the VPC allows access to Systems Manager.
C. Create an SCP that prevents the creation of SSH key pairs.
D. Launch a NAT gateway in the VPC. Update the routing policies to forward traffic to this NAT gateway.
E. Ensure proper VPC endpoints are in place for Systems Manager and Amazon EC2.
F. Ensure the VPC has a transit gateway attachment. Update the routing policies to forward traffic to this transit gateway.

A company has a serverless application for internal users deployed on AWS. The application uses AWS Lambda for the front end and for business logic. The Lambda function accesses an Amazon RDS database inside a VPC. The company uses AWS Systems Manager Parameter Store for storing database credentials. A recent security review highlighted the following issues:
• The Lambda function has internet access.
• The relational database is publicly accessible.
• The database credentials are not stored in an encrypted state.

Which combination of steps should the company take to resolve these security issues? (Choose three.)

A. Disable public access to the RDS database inside the VPC.
B. Move all the Lambda functions inside the VPC.
C. Edit the IAM role used by Lambda to restrict internet access.
D. Create a VPC endpoint for Systems Manager. Store the credentials as a string parameter. Change the parameter type to an advanced parameter.
E. Edit the IAM role used by RDS to restrict internet access.
F. Create a VPC endpoint for Systems Manager. Store the credentials as a SecureString parameter.

A company’s on-premises data center forwards DNS logs to a third-party security incident events management (SIEM) solution that alerts on suspicious behavior. The company wants to introduce a similar capability to its AWS accounts that includes automatic remediation. The company expects to double in size within the next few months. Which solution meets the company’s current and future logging requirements?

A. Enable Amazon GuardDuty and AWS Security Hub in all Regions and all accounts. Designate a master security account to receive all alerts from the child accounts. Set up specific rules within Amazon EventBridge to trigger an AWS Lambda function for remediation steps.
B. Ingest all AWS CloudTrail logs, VPC Flow Logs, and DNS logs into a single Amazon S3 bucket in a designated security account. Use the current on-premises SIEM to monitor the logs and send a notification to an Amazon SNS topic to alert the security team of remediation steps.
C. Ingest all AWS CloudTrail logs, VPC Flow Logs, and DNS logs into a single Amazon S3 bucket in a designated security account. Launch an Amazon EC2 instance and install the current SIEM to monitor the logs and send a notification to an Amazon SNS topic to alert the security team of remediation steps.
D. Enable Amazon GuardDuty and AWS Security Hub in all Regions and all accounts. Designate a master security account to receive all alerts from the child accounts. Create an AWS Organizations SCP that denies access to certain API calls that are on an ignore list.

A company’s data lake uses Amazon S3 and Amazon Athena. The company’s security engineer has been asked to design an encryption solution that meets the company’s data protection requirements. The encryption solution must work with Amazon S3 and keys managed by the company. The encryption solution must be protected in a hardware security module that is validated to Federal Information Processing Standards (FIPS) 140-2 Level 3. Which solution meets these requirements?

A. Use client-side encryption with an AWS KMS customer-managed key implemented with the AWS Encryption SDK.
B. Use AWS CloudHSM to store the keys and perform cryptographic operations. Save the encrypted text in Amazon S3.
C. Use an AWS KMS customer-managed key that is backed by a custom key store using AWS CloudHSM.
D. Use an AWS KMS customer-managed key with the bring your own key (BYOK) feature to import a key stored in AWS CloudHSM.

An ecommerce website was down for 1 hour following a DDoS attack. Users were unable to connect to the website during the attack period. The ecommerce company’s security team is worried about future potential attacks and wants to prepare for such events. The company needs to minimize downtime in its response to similar attacks in the future. Which steps would help achieve this? (Choose two.)

A. Enable Amazon GuardDuty to automatically monitor for malicious activity and block unauthorized access.
B. Subscribe to AWS Shield Advanced and reach out to AWS Support in the event of an attack.
C. Use VPC Flow Logs to monitor network traffic and an AWS Lambda function to automatically block an attacker’s IP using security groups.
D. Set up an Amazon CloudWatch Events rule to monitor the AWS CloudTrail events in real time, use AWS Config rules to audit the configuration, and use AWS Systems Manager for remediation.
E. Use AWS WAF to create rules to respond to such attacks.

A city is implementing an election results reporting website that will use Amazon CloudFront. The website runs on a fleet of Amazon EC2 instances behind an Application Load Balancer (ALB) in an Auto Scaling group. Election results are updated hourly and are stored as .pdf files in an Amazon S3 bucket. A security engineer needs to ensure that all external access to the website goes through CloudFront. Which solution meets these requirements?

A. Create an IAM role that allows CloudFront to access the specific S3 bucket. Modify the S3 bucket policy to allow only the new IAM role to access its contents. Create an interface VPC endpoint for CloudFront to securely communicate with the ALB.
B. Create an IAM role that allows CloudFront to access the specific S3 bucket. Modify the S3 bucket policy to allow only the new IAM role to access its contents. Associate the ALB with a security group that allows only incoming traffic from the CloudFront service to communicate with the ALB.
C. Create an origin access identity (OAI) in CloudFront. Modify the S3 bucket policy to allow only the new OAI to access the bucket contents. Create an interface VPC endpoint for CloudFront to securely communicate with the ALB.
D. Create an origin access identity (OAI) in CloudFront. Modify the S3 bucket policy to allow only the new OAI to access the bucket contents. Associate the ALB with a security group that allows only incoming traffic from the CloudFront service to communicate with the ALB.

An AWS account administrator created an IAM group and applied the following managed policy to require that each individual user authenticate using multi-factor authentication:

After implementing the policy, the administrator receives reports that users are unable to perform Amazon EC2 commands using the AWS CLI. What should the administrator do to resolve this problem while still enforcing multi-factor authentication?

A. Change the value of aws:MultiFactorAuthPresent to true.
B. Instruct users to run the aws sts get-session-token CLI command and pass the multi-factor authentication --serial-number and --token-code parameters. Use these resulting values to make API/CLI calls.
C. Implement federated API/CLI access using SAML 2.0, then configure the identity provider to enforce multi-factor authentication.
D. Create a role and enforce multi-factor authentication in the role trust policy. Instruct users to run the sts assume-role CLI command and pass --serial-number and --token-code parameters. Store the resulting values in environment variables.
E. Add sts:AssumeRole to NotAction in the policy.

A company uses an AWS Key Management Service (AWS KMS) CMK to encrypt application data before it is stored. The company’s security policy was recently modified to require encryption key rotation annually. A security engineer must ensure that annual global key rotation is enabled for the key without making changes to the application. What should the security engineer do to accomplish this requirement?

A. Create new AWS managed keys. Configure the key schedule for the annual rotation. Create an alias to point to the new keys.
B. Enable automatic annual key rotation for the existing customer managed CMKs. Update the application encryption library to use a new key ID for all encryption operations. Fall back to the old key ID to decrypt data that was encrypted with previous versions of the key.
C. Create new AWS managed CMKs. Configure the key schedule for annual rotation. Create an alias to point to the new CMKs.
D. Enable automatic annual key rotation for the existing customer managed CMKs. Update the application encryption library to use a new key ID for all encryption operations. Create a key grant for the old CMKs and update the code to point to the ARN of the grants.

A security engineer is designing a solution that will provide end-to-end encryption between clients and Docker containers running in Amazon Elastic Container Service (Amazon ECS). This solution will also handle volatile traffic patterns. Which solution would have the MOST scalability and LOWEST latency?

A. Configure a Network Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers.
B. Configure an Application Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers.
C. Configure a Network Load Balancer with a TCP listener to pass through TLS traffic to the containers.
D. Configure Amazon Route 53 to use multivalue answer routing to send traffic to the containers.

A company has two software development teams that are creating applications that store sensitive data in Amazon S3. Each team’s data must always be separate. The company’s security team must design a data encryption strategy for both teams that provides the ability to audit key usage. The solution must also minimize operational overhead. What should the security team recommend?

A. Tell the application teams to use two different S3 buckets with separate AWS Key Management Service (AWS KMS) AWS managed CMKs. Limit the key policies to allow encryption and decryption of the CMKs to their respective teams only. Force the teams to use encryption context to encrypt and decrypt.
B. Tell the application teams to use two different S3 buckets with a single AWS Key Management Service (AWS KMS) AWS managed CMK. Limit the key policy to allow encryption and decryption of the CMK only. Do not allow the teams to use encryption context to encrypt and decrypt.
C. Tell the application teams to use two different S3 buckets with separate AWS Key Management Service (AWS KMS) customer managed CMKs. Limit the key policies to allow encryption and decryption of the CMKs to their respective teams only. Force the teams to use encryption context to encrypt and decrypt.
D. Tell the application teams to use two different S3 buckets with a single AWS Key Management Service (AWS KMS) customer managed CMK. Limit the key policy to allow encryption and decryption of the CMK only. Do not allow the teams to use encryption context to encrypt and decrypt.

A company uses an external identity provider to allow federation into different AWS accounts. A security engineer for the company needs to identify the federated user that terminated a production Amazon EC2 instance a week ago. What is the FASTEST way for the security engineer to identify the federated user?

A. Review the AWS CloudTrail event history logs in an Amazon S3 bucket and look for the TerminateInstances event to identify the federated user from the role session name.
B. Filter the AWS CloudTrail event history for the TerminateInstances event and identify the assumed IAM role. Review the AssumeRoleWithSAML event call in CloudTrail to identify the corresponding username.
C. Search the AWS CloudTrail logs for the TerminateInstances event and note the event time. Review the IAM Access Advisor tab for all federated roles. The last accessed time should match the time when the instance was terminated.
D. Use Amazon Athena to run a SQL query on the AWS CloudTrail logs stored in an Amazon S3 bucket and filter on the TerminateInstances event. Identify the corresponding role and run another query to filter the AssumeRoleWithWebIdentity event for the user name.

A developer is building a serverless application hosted on AWS that uses Amazon Redshift as a data store. The application has separate modules for read/write and read-only functionality. The modules need their own database users for compliance reasons. Which combination of steps should a security engineer implement to grant appropriate access? (Choose two.)

A. Configure cluster security groups for each application module to control access to database users that are required for read-only and read-write.
B. Configure a VPC endpoint for Amazon Redshift. Configure an endpoint policy that maps database users to each application module, and allow access to the tables that are required for read-only and read/write.
C. Configure an IAM policy for each module. Specify the ARN of an Amazon Redshift database user that allows the GetClusterCredentials API call.
D. Create local database users for each module.
E. Configure an IAM policy for each module. Specify the ARN of an IAM user that allows the GetClusterCredentials API call.

A company website runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances run in an Auto Scaling group across multiple Availability Zones. There is an Amazon CloudFront distribution in front of the ALB. Users are reporting performance problems. A security engineer discovers that the website is receiving a high rate of unwanted requests to the CloudFront distribution originating from a series of source IP addresses. How should the security engineer address this problem?

A. Using AWS Shield, configure a deny rule with an IP match condition containing the source IPs of the unwanted requests.
B. Using Auto Scaling, configure the maximum instance value to an increased count that will absorb the unwanted requests.
C. Using an Amazon VPC NACL, configure an inbound deny rule for each source IP CIDR address of the unwanted requests.
D. Using AWS WAF, configure a web ACL rate-based rule on the CloudFront distribution with a rate limit below that of the unwanted requests.

A company uses an Amazon S3 bucket to store reports. Management has mandated that all new objects stored in this bucket must be encrypted at rest using server-side encryption with a client specified AWS Key Management Service (AWS KMS) CMK owned by the same account as the S3 bucket. The AWS account number is 111122223333, and the bucket name is reportbucket. The company’s security specialist must write the S3 bucket policy to ensure the mandate can be implemented. Which statement should the security specialist include in the policy?

A B.

Which of the following are valid configurations for using SSL certificates with Amazon CloudFront? (Choose three.)

A. Default AWS Certificate Manager certificate
B. Custom SSL certificate stored in AWS KMS
C. Default CloudFront certificate
D. Custom SSL certificate stored in AWS Certificate Manager
E. Default SSL certificate stored in AWS Secrets Manager
F. Custom SSL certificate stored in AWS IAM

A company needs to retain log data archives for several years to be compliant with regulations. The log data is no longer used, but it must be retained. What is the MOST secure and cost-effective solution to meet these requirements?

A. Archive the data to Amazon S3 and apply a restrictive bucket policy to deny the s3:DeleteObject API.
B. Archive the data to Amazon S3 Glacier and apply a Vault Lock policy.
C. Archive the data to Amazon S3 and replicate it to a second bucket in a second AWS Region. Choose the S3 Standard-Infrequent Access (S3 Standard-IA) storage class and apply a restrictive bucket policy to deny the s3:DeleteObject API.
D. Migrate the log data to a 16 TB Amazon Elastic Block Store (Amazon EBS) volume. Create a snapshot of the EBS volume.

A company is implementing a new application in a new AWS account. A VPC and subnets have been created for the application. The application has been peered to an existing VPC in another account in the same AWS Region for database access. Amazon EC2 instances will regularly be created and terminated in the application VPC, but only some of them will need access to the databases in the peered VPC over TCP port 1521. A security engineer must ensure that only the EC2 instances that need access to the databases can access them through the network. How can the security engineer implement this solution?

A. Create a new security group in the database VPC and create an inbound rule that allows all traffic from the IP address range of the application VPC. Add a new network ACL rule on the database subnets. Configure the rule to allow TCP port 1521 from the IP address range of the application VPC. Attach the new security group to the database instances that the application instances need to access.
B. Create a new security group in the application VPC with an inbound rule that allows the IP address range of the database VPC over TCP port 1521. Create a new security group in the database VPC with an inbound rule that allows the IP address range of the application VPC over port 1521. Attach the new security group to the database instances and the application instances that need database access.
C. Create a new security group in the application VPC with no inbound rules. Create a new security group in the database VPC with an inbound rule that allows TCP port 1521 from the new application security group in the application VPC. Attach the application security group to the application instances that need database access, and attach the database security group to the database instances.
D. Create a new security group in the application VPC with an inbound rule that allows the IP address range of the database VPC over TCP port 1521. Add a new network ACL rule on the database subnets. Configure the rule to allow all traffic from the IP address range of the application VPC. Attach the new security group to the application instances that need database access.

A company is setting up products to deploy in AWS Service Catalog. Management is concerned that when users launch products, elevated IAM privileges will be required to create resources. How should the company mitigate this concern?
Add a template constraint to each product in the portfolio.
Add a launch constraint to each product in the portfolio.
Define resource update constraints for each product in the portfolio.
Update the AWS CloudFormation template backing the product to include a service role configuration.

A company wants to encrypt data locally while meeting regulatory requirements related to key exhaustion. The encryption key can be no more than 10 days old or encrypt more than 2^16 objects. Any encryption key must be generated on a FIPS-validated hardware security module (HSM). The company is cost-conscious, as it plans to upload an average of 100 objects to Amazon S3 each second for sustained operations across 5 data producers. Which approach MOST efficiently meets the company’s needs?
Use the AWS Encryption SDK and set the maximum age to 10 days and the maximum number of messages encrypted to 2^16. Use AWS Key Management Service (AWS KMS) to generate the master key and data key. Use data key caching with the Encryption SDK during the encryption process.
Use AWS Key Management Service (AWS KMS) to generate an AWS managed CMK. Then use Amazon S3 client-side encryption configured to automatically rotate with every object.
Use AWS CloudHSM to generate the master key and data keys. Then use Boto 3 and Python to locally encrypt data before uploading the object. Rotate the data key every 10 days or after 2^16 objects have been uploaded to Amazon S3.
Use server-side encryption with Amazon S3 managed encryption keys (SSE-S3) and set the master key to automatically rotate.

A company’s security officer is concerned about the risk of AWS account root user logins and has assigned a security engineer to implement a notification solution for near-real-time alerts upon account root user logins. How should the security engineer meet these requirements?
Create a cron job that runs a script to download the AWS IAM security credentials file, parse the file for account root user logins, and email the security team’s distribution list.
Run AWS CloudTrail logs through Amazon CloudWatch Events to detect account root user logins and trigger an AWS Lambda function to send an Amazon SNS notification to the security team’s distribution list.
Save AWS CloudTrail logs to an Amazon S3 bucket in the security team’s account. Process the CloudTrail logs with the security engineer’s logging solution for account root user logins. Send an Amazon SNS notification to the security team upon encountering the account root user login events.
Save VPC Flow Logs to an Amazon S3 bucket in the security team’s account, and process the VPC Flow Logs with their logging solutions for account root user logins. Send an Amazon SNS notification to the security team upon encountering the account root user login events.

A company hosts an application on Amazon EC2 that is subject to specific rules for regulatory compliance. One rule states that traffic to and from the workload must be inspected for network-level attacks. This involves inspecting the whole packet. To comply with this regulatory rule, a security engineer must install intrusion detection software on a c5n.4xlarge EC2 instance. The engineer must then configure the software to monitor traffic to and from the application instances. What should the security engineer do next?
Place the network interface in promiscuous mode to capture the traffic.
Configure VPC Flow Logs to send traffic to the monitoring EC2 instance using a Network Load Balancer.
Configure VPC traffic mirroring to send traffic to the monitoring EC2 instance using a Network Load Balancer.
Use Amazon Inspector to detect network-level attacks and trigger an AWS Lambda function to send the suspicious packets to the EC2 instance.

A security engineer is responsible for providing secure access to AWS resources for thousands of developers in a company’s corporate identity provider (IdP). The developers access a set of AWS services from their corporate premises using IAM credentials. Due to the volume of requests for provisioning new IAM users, it is taking a long time to grant access permissions. The security engineer receives reports that developers are sharing their IAM credentials with others to avoid provisioning delays. This causes concern about overall security for the security engineer. Which actions will meet the program requirements that address security?
Create an Amazon CloudWatch alarm for AWS CloudTrail events. Create a metric filter to send a notification when the same set of IAM credentials is used by multiple developers.
Create a federation between AWS and the existing corporate IdP. Leverage IAM roles to provide federated access to AWS resources.
Create a VPN tunnel between the corporate premises and the VPC. Allow permissions to all AWS services only if it originates from corporate premises.
Create multiple IAM roles for each IAM user. Ensure that users who use the same IAM credentials cannot assume the same IAM role at the same time.

A recent security audit identified that a company’s application team injects database credentials into the environment variables of an AWS Fargate task. The company’s security policy mandates that all sensitive data be encrypted at rest and in transit. Which combination of actions should the security team take to make the application compliant with the security policy? (Choose three.)
Store the credentials securely in a file in an Amazon S3 bucket with restricted access to the application team IAM role. Ask the application team to read the credentials from the S3 object instead.
Create an AWS Secrets Manager secret and specify the key/value pairs to be stored in this secret.
Modify the application to pull credentials from the AWS Secrets Manager secret instead of the environment variables.
Add the following statement to the container instance IAM role policy:
Add the following statement to the task execution role policy:
Log in to the AWS Fargate instance, create a script to read the secret value from AWS Secrets Manager, and inject the environment variables. Ask the application team to redeploy the application.

A company is running an application on Amazon EC2 instances in an Auto Scaling group. The application stores logs locally. A security engineer noticed that logs were lost after a scale-in event. The security engineer needs to recommend a solution to ensure the durability and availability of log data. All logs must be kept for a minimum of 1 year for auditing purposes. What should the security engineer recommend?
Within the Auto Scaling lifecycle, add a hook to create and attach an Amazon Elastic Block Store (Amazon EBS) log volume each time an EC2 instance is created. When the instance is terminated, the EBS volume can be reattached to another instance for log review.
Create an Amazon Elastic File System (Amazon EFS) file system and add a command in the user data section of the Auto Scaling launch template to mount the EFS file system during EC2 instance creation. Configure a process on the instance to copy the logs once a day from an instance Amazon Elastic Block Store (Amazon EBS) volume to a directory in the EFS file system.
Build the Amazon CloudWatch agent into the AMI used in the Auto Scaling group. Configure the CloudWatch agent to send the logs to Amazon CloudWatch Logs for review.
Within the Auto Scaling lifecycle, add a lifecycle hook at the terminating state transition and alert the engineering team by using a lifecycle notification to Amazon Simple Notification Service (Amazon SNS). Configure the hook to remain in the Terminating:Wait state for 1 hour to allow manual review of the security logs prior to instance termination.

A company has a VPC with an IPv6 address range and a public subnet with an IPv6 address block. The VPC currently hosts some public Amazon EC2 instances, but a security engineer needs to migrate a second application into the VPC that also requires IPv6 connectivity. This new application will occasionally make API requests to an external, internet-accessible endpoint to receive updates. However, the security team does not want the application’s EC2 instance exposed directly to the internet. The security engineer intends to create a private subnet with a custom route table and to associate the route table with the private subnet. What else does the security engineer need to do to ensure the application will not be exposed directly to the internet, but can still communicate as required?
Launch a NAT instance in the public subnet. Update the custom route table with a new route to the NAT instance.
Remove the internet gateway, and add AWS PrivateLink to the VPC. Then update the custom route table with a new route to AWS PrivateLink.
Add a managed NAT gateway to the VPC. Update the custom route table with a new route to the gateway.
Add an egress-only internet gateway to the VPC. Update the custom route table with a new route to the gateway.

A company has a VPC with several Amazon EC2 instances behind a NAT gateway. The company’s security policy states that all network traffic must be logged and must include the original source and destination IP addresses. The existing VPC Flow Logs do not include this information. A security engineer needs to recommend a solution. Which combination of steps should the security engineer recommend? (Choose two.)
Edit the existing VPC Flow Logs. Change the log format of the VPC Flow Logs from the Amazon default format to a custom format.
Delete and recreate the existing VPC Flow Logs. Change the log format of the VPC Flow Logs from the Amazon default format to a custom format.
Change the destination to Amazon CloudWatch Logs.
Include the pkt-srcaddr and pkt-dstaddr fields in the log format.
Include the subnet-id and instance-id fields in the log format.

A security engineer is setting up a new AWS account. The engineer has been asked to continuously monitor the company’s AWS account using automated compliance checks based on AWS best practices and Center for Internet Security (CIS) AWS Foundations Benchmarks. How can the security engineer accomplish this using AWS services?
Enable AWS Config and set it to record all resources in all Regions and global resources. Then enable AWS Security Hub and confirm that the CIS AWS Foundations compliance standard is enabled.
Enable Amazon Inspector and configure it to scan all Regions for the CIS AWS Foundations Benchmarks. Then enable AWS Security Hub and configure it to ingest the Amazon Inspector findings.
Enable Amazon Inspector and configure it to scan all Regions for the CIS AWS Foundations Benchmarks. Then enable AWS Shield in all Regions to protect the account from DDoS attacks.
Enable AWS Config and set it to record all resources in all Regions and global resources. Then enable Amazon Inspector and configure it to enforce CIS AWS Foundations Benchmarks using AWS Config rules.

A company uses HTTP Live Streaming (HLS) to stream live video content to paying subscribers by using Amazon CloudFront. HLS splits the video content into chunks so that the user can request the right chunk based on different conditions. Because the video events last for several hours, the total video is made up of thousands of chunks. The origin URL is not disclosed, and every user is forced to access the CloudFront URL. The company has a web application that authenticates the paying users against an internal repository and a CloudFront key pair that is already issued. What is the simplest and MOST effective way to protect the content?
Develop the application to use the CloudFront key pair to create signed URLs that users will use to access the content.
Develop the application to use the CloudFront key pair to set the signed cookies that users will use to access the content.
Develop the application to issue a security token that Lambda@Edge will receive to authenticate and authorize access to the content.
Keep the CloudFront URL encrypted inside the application, and use AWS KMS to resolve the URL on-the-fly after the user is authenticated.

An organization wants to log all AWS API calls made within all of its AWS accounts, and must have a central place to analyze these logs. What steps should be taken to meet these requirements in the MOST secure manner? (Choose two.)
Turn on AWS CloudTrail in each AWS account.
Turn on CloudTrail in only the account that will be storing the logs.
Update the bucket ACL of the bucket in the account that will be storing the logs so that other accounts can log to it.
Create a service-based role for CloudTrail and associate it with CloudTrail in each account.
Update the bucket policy of the bucket in the account that will be storing the logs so that other accounts can log to it.

A company plans to use custom AMIs to launch Amazon EC2 instances across multiple AWS accounts in a single Region to perform security monitoring and analytics tasks. The EC2 instances are launched in EC2 Auto Scaling groups. To increase the security of the solution, a Security Engineer will manage the lifecycle of the custom AMIs in a centralized account and will encrypt them with a centrally managed AWS KMS CMK. The Security Engineer configured the KMS key policy to allow cross-account access. However, the EC2 instances are still not being properly launched by the EC2 Auto Scaling groups. Which combination of configuration steps should the Security Engineer take to ensure the EC2 Auto Scaling groups have been granted the proper permissions to execute tasks?
Create a customer-managed CMK in the centralized account. Allow other applicable accounts to use that key for cryptographical operations by applying proper cross-account permissions in the key policy. Create an IAM role in all applicable accounts and configure its access policy to allow the use of the centrally managed CMK for cryptographical operations. Configure EC2 Auto Scaling groups within each applicable account to use the created IAM role to launch EC2 instances.
Create a customer-managed CMK in the centralized account. Allow other applicable accounts to use that key for cryptographical operations by applying proper cross-account permissions in the key policy. Create an IAM role in all applicable accounts and configure its access policy with permissions to create grants for the centrally managed CMK. Use this IAM role to create a grant for the centrally managed CMK with permissions to perform cryptographical operations and with the EC2 Auto Scaling service-linked role defined as the grantee principal.
Create a customer-managed CMK or an AWS managed CMK in the centralized account. Allow other applicable accounts to use that key for cryptographical operations by applying proper cross-account permissions in the key policy. Use the CMK administrator to create a CMK grant that includes permissions to perform cryptographical operations that define EC2 Auto Scaling service-linked roles from all other accounts as the grantee principal.
Create a customer-managed CMK or an AWS managed CMK in the centralized account. Allow other applicable accounts to use that key for cryptographical operations by applying proper cross-account permissions in the key policy. Modify the access policy for the EC2 Auto Scaling roles to perform cryptographical operations against the centrally managed CMK.

A Security Engineer creates an Amazon S3 bucket policy that denies access to all users. A few days later, the Security Engineer adds an additional statement to the bucket policy to allow read-only access to one other employee. Even after updating the policy, the employee still receives an access denied message. What is the likely cause of this access denial?
The ACL in the bucket needs to be updated.
The IAM policy does not allow the user to access the bucket.
It takes a few minutes for a bucket policy to take effect.
The allow permission is being overridden by the deny.

Two Amazon EC2 instances in different subnets should be able to connect to each other but cannot. It has been confirmed that other hosts in the same subnets are able to communicate successfully, and that security groups have valid ALLOW rules in place to permit this traffic. Which of the following troubleshooting steps should be performed?
Check inbound and outbound security groups, looking for DENY rules.
Check inbound and outbound Network ACL rules, looking for DENY rules.
Review the rejected packet reason codes in the VPC Flow Logs.
Use AWS X-Ray to trace the end-to-end application flow.

A company’s Information Security team wants to analyze Amazon EC2 performance and utilization data in near-real time for anomalies. A Security Engineer is responsible for log aggregation. The Engineer must collect logs from all of the company’s AWS accounts in a centralized location to perform the analysis. How should the Security Engineer do this?
Log in to each account four times a day and filter the AWS CloudTrail log data, then copy and paste the logs in to the Amazon S3 bucket in the destination account.
Set up Amazon CloudWatch to stream data to an Amazon S3 bucket in each source account. Set up bucket replication for each source account into a centralized bucket owned by the Security Engineer.
Set up an AWS Config aggregator to collect AWS configuration data from multiple sources.
Set up Amazon CloudWatch cross-account log data sharing with subscriptions in each account. Send the logs to Amazon Kinesis Data Firehose in the Security Engineer’s account.

After multiple compromises of its Amazon EC2 instances, a company’s Security Officer is mandating that memory dumps of compromised instances be captured for further analysis. A Security Engineer just received an EC2 abuse notification report from AWS stating that an EC2 instance running the most recent Windows Server 2019 Base AMI is compromised. How should the Security Engineer collect a memory dump of the EC2 instance for forensic analysis?
Give consent to the AWS Security team to dump the memory core on the compromised instance and provide it to AWS Support for analysis.
Review memory dump data that the AWS Systems Manager Agent sent to Amazon CloudWatch Logs.
Download and run the EC2Rescue for Windows Server utility from AWS.
Reboot the EC2 Windows Server, enter safe mode, and select memory dump.

A company’s web application is hosted on Amazon EC2 instances running behind an Application Load Balancer (ALB) in an Auto Scaling group. An AWS WAF web ACL is associated with the ALB. AWS CloudTrail is enabled, and stores logs in Amazon S3 and Amazon CloudWatch Logs. The Operations team has observed some EC2 instances reboot at random. After rebooting, all access logs on the instances have been deleted. During an investigation, the Operations team found that each reboot happened just after a PHP error occurred on the new-user-creation.php file. The Operations team needs to view log information to determine if the company is being attacked. Which set of actions will identify the suspect attacker’s IP address for future occurrences?
Configure VPC Flow Logs on the subnet where the ALB is located, and stream the data to CloudWatch. Search for the new-user-creation.php occurrences in CloudWatch.
Configure the CloudWatch agent on the ALB. Configure the agent to send application logs to CloudWatch. Update the instance role to allow CloudWatch Logs access. Export the logs to CloudWatch. Search for the new-user-creation.php occurrences in CloudWatch.
Configure the ALB to export access logs to an Amazon Elasticsearch Service cluster, and use the service to search for the new-user-creation.php occurrences.
Configure the web ACL to send logs to Amazon Kinesis Data Firehose, which delivers the logs to an S3 bucket. Use Amazon Athena to query the logs and find the new-user-creation.php occurrences.

Authorized Administrators are unable to connect to an Amazon EC2 Linux bastion host using SSH over the Internet. The connection either fails to respond or generates the following error message:
Network error: Connection timed out
What could be responsible for the connection failure? (Choose three.)
The NAT gateway in the subnet where the EC2 instance is deployed has been misconfigured.
The internet gateway of the VPC has been misconfigured.
The security group denies outbound traffic on ephemeral ports.
The route table is missing a route to the internet gateway.
The NACL denies outbound traffic on ephemeral ports.
The host-based firewall is denying SSH traffic.

A company’s architecture requires that its three Amazon EC2 instances run behind an Application Load Balancer (ALB). The EC2 instances transmit sensitive data between each other. Developers use SSL certificates to encrypt the traffic between the public users and the ALB. However, the Developers are unsure of how to encrypt the data in transit between the ALB and the EC2 instances and the traffic between the EC2 instances. Which combination of activities must the company implement to meet its encryption requirements? (Choose two.)
Configure SSL/TLS on the EC2 instances and configure the ALB target group to use HTTPS.
Ensure that all resources are in the same VPC so the default encryption provided by the VPC is used to encrypt the traffic between the EC2 instances.
In the ALB, select the default encryption to encrypt the traffic between the ALB and the EC2 instances.
In the code for the application, include a cryptography library and encrypt the data before sending it between the EC2 instances.
Configure AWS Direct Connect to provide an encrypted tunnel between the EC2 instances.

A company needs a forensic-logging solution for hundreds of applications running in Docker on Amazon EC2. The solution must perform real-time analytics on the logs, must support the replay of messages, and must persist the logs. Which AWS services should be used to meet these requirements? (Choose two.)
Amazon Athena
Amazon Kinesis
Amazon SQS
Amazon Elasticsearch
Amazon EMR