Amazon SCS-C02 ACTUAL EXAM QUESTIONS
Experience the quality of our Amazon AWS Certified Security - Specialty SCS-C02 exam with free practice questions and answers. At Pass4Exams, we take pride in being a trusted source for Amazon SCS-C02 exam preparation. Download our reliable and up-to-date SCS-C02 dumps today and prepare to pass your exam with complete confidence backed by our money-back guarantee.
Question # 1
A company has AWS accounts in an organization in AWS Organizations. The organization includes a dedicated security account. All AWS account activity across all member accounts must be logged and reported to the dedicated security account. The company must retain all the activity logs in a secure storage location within the dedicated security account for 2 years. No changes or deletions of the logs are allowed. Which combination of steps will meet these requirements with the LEAST operational overhead? (Select TWO.)
A. In the dedicated security account, create an Amazon S3 bucket. Configure S3 Object Lock in compliance mode and a retention period of 2 years on the S3 bucket. Set the bucket policy to allow the organization's management account to write to the S3 bucket.
B. In the dedicated security account, create an Amazon S3 bucket. Configure S3 Object Lock in compliance mode and a retention period of 2 years on the S3 bucket. Set the bucket policy to allow the organization's member accounts to write to the S3 bucket.
C. In the dedicated security account, create an Amazon S3 bucket that has an S3 Lifecycle configuration that expires objects after 2 years. Set the bucket policy to allow the organization's member accounts to write to the S3 bucket.
D. Create an AWS CloudTrail trail for the organization. Configure logs to be delivered to the logging Amazon S3 bucket in the dedicated security account.
E. Turn on AWS CloudTrail in each account. Configure logs to be delivered to an Amazon S3 bucket that is created in the organization's management account. Forward the logs to the S3 bucket in the dedicated security account by using AWS Lambda and Amazon Kinesis Data Firehose.
Question # 2
A company wants to monitor the deletion of customer managed CMKs. A security engineer must create an alarm that will notify the company before a CMK is deleted. The security engineer has configured the integration of AWS CloudTrail with Amazon CloudWatch. What should the security engineer do next to meet this requirement?
A. Use inbound rule 100 to allow traffic on TCP port 443. Use inbound rule 200 to deny traffic on TCP port 3306. Use outbound rule 100 to allow traffic on TCP port 443.
B. Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port range 1024-65535. Use outbound rule 100 to allow traffic on TCP port 443.
C. Use inbound rule 100 to allow traffic on TCP port range 1024-65535. Use inbound rule 200 to deny traffic on TCP port 3306. Use outbound rule 100 to allow traffic on TCP port 443.
D. Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port 443. Use outbound rule 100 to allow traffic on TCP port 443.
Question # 3
A company has implemented AWS WAF and Amazon CloudFront for an application. The application runs on Amazon EC2 instances that are part of an Auto Scaling group. The Auto Scaling group is behind an Application Load Balancer (ALB). The AWS WAF web ACL uses an AWS Managed Rules rule group and is associated with the CloudFront distribution. CloudFront receives the request from AWS WAF and then uses the ALB as the distribution's origin. During a security review, a security engineer discovers that the infrastructure is susceptible to a large, layer 7 DDoS attack. How can the security engineer improve the security at the edge of the solution to defend against this type of attack?
A. Configure the CloudFront distribution to use the Lambda@Edge feature. Create an AWS Lambda function that imposes a rate limit on CloudFront viewer requests. Block the request if the rate limit is exceeded.
B. Configure the AWS WAF web ACL so that the web ACL has more capacity units to process all AWS WAF rules faster.
C. Configure AWS WAF with a rate-based rule that imposes a rate limit that automatically blocks requests when the rate limit is exceeded.
D. Configure the CloudFront distribution to use AWS WAF as its origin instead of the ALB.
Question # 4
An IT department currently has a Java web application deployed on Apache Tomcat running on Amazon EC2 instances. All traffic to the EC2 instances is sent through an internet-facing Application Load Balancer (ALB). The Security team has noticed during the past two days thousands of unusual read requests coming from hundreds of IP addresses. This is causing the Tomcat server to run out of threads and reject new connections. Which is the SIMPLEST change that would address this server issue?
A. Create an Amazon CloudFront distribution and configure the ALB as the origin.
B. Block the malicious IPs with a network access control list (NACL).
C. Create an AWS WAF web ACL and attach it to the ALB.
D. Map the application domain name to use Route 53.
Question # 5
A company recently had a security audit in which the auditors identified multiple potential threats. These potential threats can cause usage pattern changes such as DNS access peaks, abnormal instance traffic, abnormal network interface traffic, and unusual Amazon S3 API calls. The threats can come from different sources and can occur at any time. The company needs to implement a solution to continuously monitor its system and identify all these incoming threats in near-real time. Which solution will meet these requirements?
A. Enable AWS CloudTrail logs, VPC flow logs, and DNS logs. Use Amazon CloudWatch Logs to manage these logs from a centralized account.
B. Enable AWS CloudTrail logs, VPC flow logs, and DNS logs. Use Amazon Macie to monitor these logs from a centralized account.
C. Enable Amazon GuardDuty from a centralized account. Use GuardDuty to manage AWS CloudTrail logs, VPC flow logs, and DNS logs.
D. Enable Amazon Inspector from a centralized account. Use Amazon Inspector to manage AWS CloudTrail logs, VPC flow logs, and DNS logs.
Question # 6
A company has multiple Amazon S3 buckets encrypted with customer managed CMKs. Due to regulatory requirements, the keys must be rotated every year. The company's Security Engineer has enabled automatic key rotation for the CMKs; however, the company wants to verify that the rotation has occurred. What should the Security Engineer do to accomplish this?
A. Filter AWS CloudTrail logs for KeyRotation events.
B. Monitor Amazon CloudWatch Events for any AWS KMS CMK rotation events.
C. Using the AWS CLI, run the aws kms get-key-rotation-status operation with the --key-id parameter to check the CMK rotation date.
D. Use Amazon Athena to query AWS CloudTrail logs saved in an S3 bucket to filter GenerateNewKey events.
Question # 7
A security engineer needs to build a solution to turn AWS CloudTrail back on in multiple AWS Regions in case it is ever turned off. What is the MOST efficient way to implement this solution?
A. Use AWS Config with a managed rule to trigger the AWS-EnableCloudTrail remediation.
B. Create an Amazon EventBridge (Amazon CloudWatch Events) event with a cloudtrail.amazonaws.com event source and a StartLogging event name to trigger an AWS Lambda function to call the StartLogging API.
C. Create an Amazon CloudWatch alarm with a cloudtrail.amazonaws.com event source and a StopLogging event name to trigger an AWS Lambda function to call the StartLogging API.
D. Monitor AWS Trusted Advisor to ensure CloudTrail logging is enabled.
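The event-driven design behind this question (an EventBridge rule matching CloudTrail API calls with eventSource cloudtrail.amazonaws.com and eventName StopLogging, invoking a Lambda function that calls StartLogging) is easier to reason about with the handler in front of you. The following is an added example, not code from the exam page or from AWS. The trail ARN, account ID and the fake client are assumptions so that it runs offline; in Lambda the real boto3 client is used.

```python
"""Auto-remediation for a CloudTrail StopLogging call (added example)."""
import json

# Constructed sample of the EventBridge envelope for a StopLogging call.
# `detail` carries the CloudTrail record; field names follow CloudTrail's
# camelCase convention (requestParameters.name is the trail name or ARN).
SAMPLE_EVENT = {
    "source": "aws.cloudtrail",
    "detail-type": "AWS API Call via CloudTrail",
    "region": "us-east-1",
    "detail": {
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "awsRegion": "us-east-1",
        "userIdentity": {"type": "IAMUser", "userName": "example-user"},
        "requestParameters": {
            "name": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail"
        },
    },
}


class FakeCloudTrailClient:
    """Stand-in for boto3.client('cloudtrail') so the example runs without
    AWS credentials (assumption). It records calls instead of making them."""

    def __init__(self, logging_state=False):
        self.logging_state = logging_state
        self.started = []

    def get_trail_status(self, Name):
        return {"IsLogging": self.logging_state}

    def start_logging(self, Name):
        self.started.append(Name)
        self.logging_state = True
        return {}


def trail_from_event(event):
    """Return the trail name/ARN from a successful StopLogging record, else None."""
    detail = event.get("detail", {})
    if detail.get("eventSource") != "cloudtrail.amazonaws.com":
        return None
    if detail.get("eventName") != "StopLogging":
        return None
    if "errorCode" in detail:  # the call was denied, so logging never stopped
        return None
    return detail.get("requestParameters", {}).get("name")


def handler(event, context=None, client=None):
    """Lambda entry point. `client` is injected for offline testing; inside
    Lambda the real client is created for the Region the event came from."""
    if client is None:
        import boto3  # only needed when running inside Lambda
        client = boto3.client("cloudtrail", region_name=event["region"])
    trail = trail_from_event(event)
    if trail is None:
        return {"action": "ignored"}
    if client.get_trail_status(Name=trail).get("IsLogging"):
        return {"action": "already-logging", "trail": trail}
    client.start_logging(Name=trail)
    actor = json.dumps(event["detail"].get("userIdentity", {}), sort_keys=True)
    return {"action": "restarted", "trail": trail, "actor": actor}


if __name__ == "__main__":
    print(handler(SAMPLE_EVENT, client=FakeCloudTrailClient()))
```

The function's execution role needs cloudtrail:GetTrailStatus and cloudtrail:StartLogging on the trail. Two caveats a practitioner would add: an attacker who can call StopLogging can usually also call DeleteTrail or UpdateTrail, so the rule should match those event names too, and an SCP that denies cloudtrail:StopLogging and cloudtrail:DeleteTrail in member accounts is the preventive control that makes this reactive one rarely fire.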
Question # 8
An application is running on an Amazon EC2 instance that has an IAM role attached. The IAM role provides access to an AWS Key Management Service (AWS KMS) customer managed key and an Amazon S3 bucket. The key is used to access 2 TB of sensitive data that is stored in the S3 bucket. A security engineer discovers a potential vulnerability on the EC2 instance that could result in the compromise of the sensitive data. Due to other critical operations, the security engineer cannot immediately shut down the EC2 instance for vulnerability patching. What is the FASTEST way to prevent the sensitive data from being exposed?
A. Download the data from the existing S3 bucket to a new EC2 instance. Then delete the data from the S3 bucket. Re-encrypt the data with a client-based key. Upload the data to a new S3 bucket.
B. Block access to the public range of S3 endpoint IP addresses by using a host-based firewall. Ensure that internet-bound traffic from the affected EC2 instance is routed through the host-based firewall.
C. Revoke the IAM role's active session permissions. Update the S3 bucket policy to deny access to the IAM role. Remove the IAM role from the EC2 instance profile.
D. Disable the current key. Create a new KMS key that the IAM role does not have access to, and re-encrypt all the data with the new key. Schedule the compromised key for deletion.
Question # 9
A company uses Amazon API Gateway to present REST APIs to users. An API developer wants to analyze API access patterns without the need to parse the log files. Which combination of steps will meet these requirements with the LEAST effort? (Select TWO.)
A. Configure access logging for the required API stage.
B. Configure an AWS CloudTrail trail destination for API Gateway events. Configure filters on the userIdentity, userAgent, and sourceIPAddress fields.
C. Configure an Amazon S3 destination for API Gateway logs. Run Amazon Athena queries to analyze API access information.
D. Use Amazon CloudWatch Logs Insights to analyze API access information.
E. Select the Enable Detailed CloudWatch Metrics option on the required API stage.
Question # 10
A company has an application that uses dozens of Amazon DynamoDB tables to store data. Auditors find that the tables do not comply with the company's data protection policy. The company's retention policy states that all data must be backed up twice each month: once at midnight on the 15th day of the month and again at midnight on the 25th day of the month. The company must retain the backups for 3 months. Which combination of steps should a security engineer take to meet these requirements? (Select TWO.)
A. Use the DynamoDB on-demand backup capability to create a backup plan. Configure a lifecycle policy to expire backups after 3 months.
B. Use AWS DataSync to create a backup plan. Add a backup rule that includes a retention period of 3 months.
C. Use AWS Backup to create a backup plan. Add a backup rule that includes a retention period of 3 months.
D. Set the backup frequency by using a cron schedule expression. Assign each DynamoDB table to the backup plan.
E. Set the backup frequency by using a rate schedule expression. Assign each DynamoDB table to the backup plan.
Question # 11
A company has multiple departments. Each department has its own AWS account. All these accounts belong to the same organization in AWS Organizations. A large .csv file is stored in an Amazon S3 bucket in the sales department's AWS account. The company wants to allow users from the other accounts to access the .csv file's content through the combination of AWS Glue and Amazon Athena. However, the company does not want to allow users from the other accounts to access other files in the same folder. Which solution will meet these requirements?
A. Apply a user policy in the other accounts to allow AWS Glue and Athena to access the .csv file.
B. Use S3 Select to restrict access to the .csv file. In the AWS Glue Data Catalog, use S3 Select as the source of the AWS Glue database.
C. Define an AWS Glue Data Catalog resource policy in AWS Glue to grant cross-account S3 object access to the .csv file.
D. Grant AWS Glue access to Amazon S3 in a resource-based policy that specifies the organization as the principal.
Question # 12
A development team is attempting to encrypt and decode a secure string parameter from the AWS Systems Manager Parameter Store using an AWS Key Management Service (AWS KMS) CMK. However, each attempt results in an error message being sent to the development team. Which CMK-related problems possibly account for the error? (Select TWO.)
A. The CMK used in the attempt does not exist.
B. The CMK used in the attempt needs to be rotated.
C. The attempt is using the CMK's key ID instead of the CMK ARN.
D. The CMK used in the attempt is not enabled.
E. The attempt is using an alias.
Question # 13
A company in France uses Amazon Cognito with the Cognito Hosted UI as an identity broker for sign-in and sign-up processes. The company is marketing an application and expects that all the application's users will come from France. When the company launches the application, the company's security team observes fraudulent sign-ups for the application. Most of the fraudulent registrations are from users outside of France. The security team needs a solution to perform custom validation at sign-up. Based on the results of the validation, the solution must accept or deny the registration request. Which combination of steps will meet these requirements? (Select TWO.)
A. Create a pre sign-up AWS Lambda trigger. Associate the Lambda function with the Amazon Cognito user pool.
B. Use a geographic match rule statement to configure an AWS WAF web ACL. Associate the web ACL with the Amazon Cognito user pool.
C. Configure an app client for the application's Amazon Cognito user pool. Use the app client ID to validate the requests in the hosted UI.
D. Update the application's Amazon Cognito user pool to configure a geographic restriction setting.
E. Use Amazon Cognito to configure a social identity provider (IdP) to validate the requests on the hosted UI.
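A pre sign-up trigger is the only hook in this question where custom logic can accept or deny a registration, and the way it signals a denial (raising an exception, whose message the hosted UI shows) is worth seeing once. The block below is an added example, not code from the exam page or from AWS. It assumes the sign-up form collects a custom attribute named custom:country and that the company keeps a small list of rejected e-mail domains; both the attribute name and the lists are assumptions. The trigger never sees the caller's source IP, so IP-based geography is the job of the AWS WAF geo-match rule on the user pool, not of this function.

```python
"""Amazon Cognito PreSignUp trigger with custom validation (added example)."""

ALLOWED_COUNTRIES = {"FR"}                                  # assumption
BLOCKED_EMAIL_DOMAINS = {"mailinator.com", "disposable.test"}  # constructed

# Constructed sample event in the shape Cognito sends to a PreSignUp trigger.
SAMPLE_EVENT = {
    "version": "1",
    "triggerSource": "PreSignUp_SignUp",
    "region": "eu-west-3",
    "userPoolId": "eu-west-3_EXAMPLE",
    "userName": "jean.dupont",
    "request": {
        "userAttributes": {
            "email": "jean.dupont@example.fr",
            "custom:country": "FR",          # assumed custom attribute
        },
        "validationData": {},
    },
    "response": {"autoConfirmUser": False, "autoVerifyEmail": False,
                 "autoVerifyPhone": False},
}


class SignUpRejected(Exception):
    """Raising any exception from the trigger makes Cognito deny the sign-up;
    the exception message is what the hosted UI displays to the user."""


def validate(attrs):
    """Return None when the attributes are acceptable, else the rejection reason."""
    email = attrs.get("email", "").strip().lower()
    if "@" not in email:
        return "email address is required"
    domain = email.rsplit("@", 1)[1]
    if domain in BLOCKED_EMAIL_DOMAINS:
        return "email domain not accepted"
    country = attrs.get("custom:country", "").strip().upper()
    if country not in ALLOWED_COUNTRIES:
        return "registration is limited to France"
    return None


def handler(event, context=None):
    """Lambda entry point for the user pool's PreSignUp trigger."""
    # Self-service sign-ups (native and federated) are validated; admin-created
    # users are not, so AdminCreateUser flows pass through unchanged.
    if event.get("triggerSource") not in ("PreSignUp_SignUp",
                                          "PreSignUp_ExternalProvider"):
        return event
    reason = validate(event.get("request", {}).get("userAttributes", {}))
    if reason is not None:
        raise SignUpRejected(reason)
    # Accept. autoConfirmUser stays False so e-mail verification still runs.
    return event


def decide(event):
    """Convenience wrapper: ('accept', None) or ('deny', reason)."""
    try:
        handler(event)
    except SignUpRejected as exc:
        return ("deny", str(exc))
    return ("accept", None)


if __name__ == "__main__":
    print(decide(SAMPLE_EVENT))
```

Because the attributes are supplied by the client, this check stops careless fraud, not a determined attacker who sets custom:country to FR; that is why the question pairs it with a network-level control.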
Question # 14
A company's AWS account consists of approximately 300 IAM users. Now there is a mandate that an access change is required for 100 IAM users to have unlimited privileges to S3. As a system administrator, how can you implement this effectively so that there is no need to apply the policy at the individual user level?
A. Create a new role and add each user to the IAM role.
B. Use IAM groups and add users, based upon their role, to different groups and apply the policy to the group.
C. Create a policy and apply it to multiple users using a JSON script.
D. Create an S3 bucket policy with unlimited access which includes each user's IAM account ID.
Question # 15
A company needs to encrypt all of its data stored in Amazon S3. The company wants to use AWS Key Management Service (AWS KMS) to create and manage its encryption keys. The company's security policies require the ability to import the company's own key material for the keys, set an expiration date on the keys, and delete keys immediately, if needed. How should a security engineer set up AWS KMS to meet these requirements?
A. Configure AWS KMS and use a custom key store. Create a customer managed CMK with no key material. Import the company's key material into the CMK.
B. Configure AWS KMS and use the default key store. Create an AWS managed CMK with no key material. Import the company's key material into the CMK.
C. Configure AWS KMS and use the default key store. Create a customer managed CMK with no key material. Import the company's key material into the CMK.
D. Configure AWS KMS and use a custom key store. Create an AWS managed CMK with no key material. Import the company's key material into the CMK.
Question # 16
A company has an organization in AWS Organizations. The company wants to use AWS CloudFormation StackSets in the organization to deploy various AWS design patterns into environments. These patterns consist of Amazon EC2 instances, Elastic Load Balancing (ELB) load balancers, Amazon RDS databases, and Amazon Elastic Kubernetes Service (Amazon EKS) clusters or Amazon Elastic Container Service (Amazon ECS) clusters. Currently, the company's developers can create their own CloudFormation stacks to increase the overall speed of delivery. A centralized CI/CD pipeline in a shared services AWS account deploys each CloudFormation stack. The company's security team has already provided requirements for each service in accordance with internal standards. If there are any resources that do not comply with the internal standards, the security team must receive notification to take appropriate action. The security team must implement a notification solution that gives developers the ability to maintain the same overall delivery speed that they currently have. Which solution will meet these requirements in the MOST operationally efficient way?
A. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team's email addresses to the SNS topic. Create a custom AWS Lambda function that will run the aws cloudformation validate-template AWS CLI command on all CloudFormation templates before the build stage in the CI/CD pipeline. Configure the CI/CD pipeline to publish a notification to the SNS topic if any issues are found.
B. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team's email addresses to the SNS topic. Create custom rules in CloudFormation Guard for each resource configuration. In the CI/CD pipeline, before the build stage, configure a Docker image to run the cfn-guard command on the CloudFormation template. Configure the CI/CD pipeline to publish a notification to the SNS topic if any issues are found.
C. Create an Amazon Simple Notification Service (Amazon SNS) topic and an Amazon Simple Queue Service (Amazon SQS) queue. Subscribe the security team's email addresses to the SNS topic. Create an Amazon S3 bucket in the shared services AWS account. Include an event notification to publish to the SQS queue when new objects are added to the S3 bucket. Require the developers to put their CloudFormation templates in the S3 bucket. Launch EC2 instances that automatically scale based on the SQS queue depth. Configure the EC2 instances to use CloudFormation Guard to scan the templates and deploy the templates if there are no issues. Configure the CI/CD pipeline to publish a notification to the SNS topic if any issues are found.
D. Create a centralized CloudFormation stack set that includes a standard set of resources that the developers can deploy in each AWS account. Configure each CloudFormation template to meet the security requirements. For any new resources or configurations, update the CloudFormation template and send the template to the security team for review. When the review is completed, add the new CloudFormation stack to the repository for the developers to use.
Question # 17
A company's policy requires that all API keys be encrypted and stored separately from source code in a centralized security account. This security account is managed by the company's security team. However, an audit revealed that an API key is stored with the source code of an AWS Lambda function in an AWS CodeCommit repository in the DevOps account. How should the security team securely store the API key?
A. Create a CodeCommit repository in the security account using AWS Key Management Service (AWS KMS) for encryption. Require the development team to migrate the Lambda source code to this repository.
B. Store the API key in an Amazon S3 bucket in the security account using server-side encryption with Amazon S3 managed encryption keys (SSE-S3) to encrypt the key. Create a presigned URL for the S3 key, and specify the URL in a Lambda environment variable in the AWS CloudFormation template. Update the Lambda function code to retrieve the key using the URL and call the API.
C. Create a secret in AWS Secrets Manager in the security account to store the API key using AWS Key Management Service (AWS KMS) for encryption. Grant access to the IAM role used by the Lambda function so that the function can retrieve the key from Secrets Manager and call the API.
D. Create an encrypted environment variable for the Lambda function to store the API key using AWS Key Management Service (AWS KMS) for encryption. Grant access to the IAM role used by the Lambda function so that the function can decrypt the key at runtime.
Question # 18
Example.com is hosted on Amazon EC2 instances behind an Application Load Balancer (ALB). Third-party host intrusion detection system (HIDS) agents that capture the traffic of the EC2 instance are running on each host. The company must ensure they are using privacy enhancing technologies for users, without losing the assurance the third-party solution offers. What is the MOST secure way to meet these requirements?
A. Enable TLS pass through on the ALB, and handle decryption at the server using Elliptic Curve Diffie-Hellman (ECDHE) cipher suites.
B. Create a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie-Hellman (ECDHE) cipher suites, and pass the traffic in the clear to the server.
C. Create a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie-Hellman (ECDHE) cipher suites, and use encrypted connections to the servers that do not enable Perfect Forward Secrecy (PFS).
D. Create a listener on the ALB that does not enable Perfect Forward Secrecy (PFS) cipher suites, and use encrypted connections to the servers using Elliptic Curve Diffie-Hellman (ECDHE) cipher suites.
Question # 19
A company wants to receive an email notification about critical findings in AWS Security Hub. The company does not have an existing architecture that supports this functionality. Which solution will meet the requirement?
A. Create an AWS Lambda function to identify critical Security Hub findings. Create an Amazon Simple Notification Service (Amazon SNS) topic as the target of the Lambda function. Subscribe an email endpoint to the SNS topic to receive published messages.
B. Create an Amazon Kinesis Data Firehose delivery stream. Integrate the delivery stream with Amazon EventBridge. Create an EventBridge rule that has a filter to detect critical Security Hub findings. Configure the delivery stream to send the findings to an email address.
C. Create an Amazon EventBridge rule to detect critical Security Hub findings. Create an Amazon Simple Notification Service (Amazon SNS) topic as the target of the EventBridge rule. Subscribe an email endpoint to the SNS topic to receive published messages.
D. Create an Amazon EventBridge rule to detect critical Security Hub findings. Create an Amazon Simple Email Service (Amazon SES) topic as the target of the EventBridge rule. Use the Amazon SES API to format the message. Choose an email address to be the recipient of the message.
Question # 20
A company has recently recovered from a security incident that required the restoration of Amazon EC2 instances from snapshots. After performing a gap analysis of its disaster recovery procedures and backup strategies, the company is concerned that, next time, it will not be able to recover the EC2 instances if the AWS account was compromised and Amazon EBS snapshots were deleted. All EBS snapshots are encrypted using an AWS KMS CMK. Which solution would solve this problem?
A. Create a new Amazon S3 bucket. Use EBS lifecycle policies to move EBS snapshots to the new S3 bucket. Move snapshots to Amazon S3 Glacier using lifecycle policies, and apply Glacier Vault Lock policies to prevent deletion.
B. Use AWS Systems Manager to distribute a configuration that performs local backups of all attached disks to Amazon S3.
C. Create a new AWS account with limited privileges. Allow the new account to access the AWS KMS key used to encrypt the EBS snapshots, and copy the encrypted snapshots to the new account on a recurring basis.
D. Use AWS Backup to copy EBS snapshots to Amazon S3.
Question # 21
A company uses AWS Organizations to manage a multi-account AWS environment in a single AWS Region. The organization's management account is named management-01. The company has turned on AWS Config in all accounts in the organization. The company has designated an account named security-01 as the delegated administrator for AWS Config. All accounts report the compliance status of each account's rules to the AWS Config delegated administrator account by using an AWS Config aggregator. Each account administrator can configure and manage the account's own AWS Config rules to handle each account's unique compliance requirements. A security engineer needs to implement a solution to automatically deploy a set of 10 AWS Config rules to all existing and future AWS accounts in the organization. The solution must turn on AWS Config automatically during account creation. Which combination of steps will meet these requirements? (Select TWO.)
A. Create an AWS CloudFormation template that contains the 10 required AWS Config rules. Deploy the template by using CloudFormation StackSets in the security-01 account.
B. Create a conformance pack that contains the 10 required AWS Config rules. Deploy the conformance pack from the security-01 account.
C. Create a conformance pack that contains the 10 required AWS Config rules. Deploy the conformance pack from the management-01 account.
D. Create an AWS CloudFormation template that will activate AWS Config. Deploy the template by using CloudFormation StackSets in the security-01 account.
E. Create an AWS CloudFormation template that will activate AWS Config. Deploy the template by using CloudFormation StackSets in the management-01 account.
Question # 22
A company uses an external identity provider to allow federation into different AWS accounts. A security engineer for the company needs to identify the federated user that terminated a production Amazon EC2 instance a week ago. What is the FASTEST way for the security engineer to identify the federated user?
A. Review the AWS CloudTrail event history logs in an Amazon S3 bucket and look for the TerminateInstances event to identify the federated user from the role session name.
B. Filter the AWS CloudTrail event history for the TerminateInstances event and identify the assumed IAM role. Review the AssumeRoleWithSAML event call in CloudTrail to identify the corresponding username.
C. Search the AWS CloudTrail logs for the TerminateInstances event and note the event time. Review the IAM Access Advisor tab for all federated roles. The last accessed time should match the time when the instance was terminated.
D. Use Amazon Athena to run a SQL query on the AWS CloudTrail logs stored in an Amazon S3 bucket and filter on the TerminateInstances event. Identify the corresponding role and run another query to filter the AssumeRoleWithWebIdentity event for the username.
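The options above turn on one detail of how CloudTrail records federated sessions: the AssumeRoleWithSAML event's responseElements.assumedRoleUser.arn ends in <role>/<role-session-name>, and every later call made with those credentials carries a userIdentity of type AssumedRole whose arn ends the same way. That shared suffix is the link from TerminateInstances back to the person, and the SAML event adds the identity provider for corroboration. The block below is an added example, not code from the exam page or from AWS, run over a constructed CloudTrail log file; all names, ARNs and timestamps in it are made up.

```python
"""Link a TerminateInstances call to the SAML user behind it (added example)."""
import json

# Constructed CloudTrail log file (real files are gzip JSON with a Records array).
SAMPLE_CLOUDTRAIL_FILE = json.dumps({"Records": [
    {   # the federation event that minted the session
        "eventTime": "2024-03-01T09:58:10Z",
        "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRoleWithSAML",
        "userIdentity": {"type": "SAMLUser", "principalId": "alice@example.com",
                         "userName": "alice@example.com",
                         "identityProvider": "https://idp.example.com/saml"},
        "requestParameters": {
            "roleArn": "arn:aws:iam::111122223333:role/OpsRole",
            "principalArn": "arn:aws:iam::111122223333:saml-provider/corp-idp"},
        "responseElements": {"assumedRoleUser": {
            "assumedRoleId": "AROAEXAMPLE:alice@example.com",
            "arn": "arn:aws:sts::111122223333:assumed-role/OpsRole/alice@example.com"}},
    },
    {   # a denied attempt from another session: must not be reported
        "eventTime": "2024-03-01T10:02:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "TerminateInstances",
        "errorCode": "Client.UnauthorizedOperation",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/ReadOnlyRole/bob@example.com",
                         "sessionContext": {"sessionIssuer": {
                             "arn": "arn:aws:iam::111122223333:role/ReadOnlyRole"}}},
        "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0abc1234def567890"}]}},
    },
    {   # the successful termination
        "eventTime": "2024-03-01T10:15:42Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "TerminateInstances",
        "awsRegion": "eu-west-1",
        "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLE:alice@example.com",
                         "arn": "arn:aws:sts::111122223333:assumed-role/OpsRole/alice@example.com",
                         "sessionContext": {"sessionIssuer": {
                             "arn": "arn:aws:iam::111122223333:role/OpsRole"}}},
        "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0abc1234def567890"}]}},
    },
]})


def load_records(text):
    return json.loads(text)["Records"]


def session_name(identity):
    """Role session name is the last path segment of an AssumedRole ARN."""
    if identity.get("type") != "AssumedRole":
        return None
    return identity.get("arn", "").rsplit("/", 1)[-1]


def find_terminations(records):
    """Successful TerminateInstances calls with the role and session that made them."""
    found = []
    for r in records:
        if r.get("eventSource") != "ec2.amazonaws.com" or r.get("eventName") != "TerminateInstances":
            continue
        if "errorCode" in r:  # denied call: nothing was terminated
            continue
        items = r.get("requestParameters", {}).get("instancesSet", {}).get("items", [])
        identity = r.get("userIdentity", {})
        found.append({"time": r["eventTime"],
                      "instances": [i["instanceId"] for i in items],
                      "role": identity.get("sessionContext", {}).get("sessionIssuer", {}).get("arn"),
                      "session": session_name(identity)})
    return found


def federation_event(records, session, before):
    """Latest AssumeRoleWithSAML before `before` whose assumed-role ARN ends in `session`.
    ISO-8601 UTC timestamps in CloudTrail compare correctly as strings."""
    best = None
    for r in records:
        if r.get("eventName") != "AssumeRoleWithSAML" or r["eventTime"] > before:
            continue
        arn = r.get("responseElements", {}).get("assumedRoleUser", {}).get("arn", "")
        if arn.rsplit("/", 1)[-1] != session:
            continue
        if best is None or r["eventTime"] > best["eventTime"]:
            best = r
    if best is None:
        return None
    ident = best["userIdentity"]
    return {"user": ident.get("userName"), "idp": ident.get("identityProvider"),
            "assumed_at": best["eventTime"]}


def who_terminated(text):
    """Each successful termination, with the SAML identity that minted its session."""
    records = load_records(text)
    return [dict(t, federated=federation_event(records, t["session"], t["time"]))
            for t in find_terminations(records)]


if __name__ == "__main__":
    print(json.dumps(who_terminated(SAMPLE_CLOUDTRAIL_FILE), indent=2))
```

Two caveats: the role session name is whatever the identity provider asserts, so if the SAML NameID is not unique per person the link is ambiguous and the AssumeRoleWithSAML record is the only place to resolve it; and that record is written in the account that owns the role, so for a one-week-old event you need either the 90-day event history in that account or a trail delivered to S3.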
Question # 23
A company is using an AWS Key Management Service (AWS KMS) AWS owned key in its application to encrypt files in an AWS account. The company's security team wants the ability to change to new key material for new files whenever a potential key breach occurs. A security engineer must implement a solution that gives the security team the ability to change the key whenever the team wants to do so. Which solution will meet these requirements?
A. Create a new customer managed key. Add a key rotation schedule to the key. Invoke the key rotation schedule every time the security team requests a key change.
B. Create a new AWS managed key. Add a key rotation schedule to the key. Invoke the key rotation schedule every time the security team requests a key change.
C. Create a key alias. Create a new customer managed key every time the security team requests a key change. Associate the alias with the new key.
D. Create a key alias. Create a new AWS managed key every time the security team requests a key change. Associate the alias with the new key.
Question # 24
A company has two VPCs in the same AWS Region and in the same AWS account. Each VPC uses a CIDR block that does not overlap with the CIDR block of the other VPC. One VPC contains AWS Lambda functions that run inside a subnet that accesses the internet through a NAT gateway. The Lambda functions require access to a publicly accessible Amazon Aurora MySQL database that is running in the other VPC. A security engineer determines that the Aurora database uses a security group rule that allows connections from the NAT gateway IP address that the Lambda functions use. The company's security policy states that no database should be publicly accessible. What is the MOST secure way that the security engineer can provide the Lambda functions with access to the Aurora database?
A. Move the Aurora database into a private subnet that has no internet access routes in the database's current VPC. Configure the Lambda functions to use the Aurora database's new private IP address to access the database. Configure the Aurora database's security group to allow access from the private IP addresses of the Lambda functions.
B. Establish a VPC endpoint between the two VPCs. In the Aurora database's VPC, configure a service VPC endpoint for Amazon RDS. In the Lambda functions' VPC, configure an interface VPC endpoint that uses the service endpoint in the Aurora database's VPC. Configure the service endpoint to allow connections from the Lambda functions.
C. Establish an AWS Direct Connect interface between the VPCs. Configure the Lambda functions to use a new route table that accesses the Aurora database through the Direct Connect interface. Configure the Aurora database's security group to allow access from the Direct Connect interface IP address.
D. Move the Lambda functions into a public subnet in their VPC. Move the Aurora database into a private subnet in its VPC. Configure the Lambda functions to use the Aurora database's new private IP address to access the database. Configure the Aurora database to allow access from the public IP addresses of the Lambda functions.
Question # 25
An Incident Response team is investigating an IAM access key leak that resulted in Amazon EC2 instances being launched. The company did not discover the incident until many months later. The Director of Information Security wants to implement new controls that will alert when similar incidents happen in the future. Which controls should the company implement to achieve this? (Select TWO.)
A. Enable VPC Flow Logs in all VPCs. Create a scheduled AWS Lambda function that downloads and parses the logs, and sends an Amazon SNS notification for violations.
B. Use AWS CloudTrail to make a trail, and apply it to all Regions. Specify an Amazon S3 bucket to receive all the CloudTrail log files.
C. Add the following bucket policy to the company's AWS CloudTrail bucket to prevent log tampering:
{"Version": "2012-10-17", "Statement": {"Effect": "Deny", "Action": "s3:PutObject", "Principal": "*", "Resource": "arn:aws:s3:::cloudtrail/AWSLogs/111122223333/*"}}
Create an Amazon S3 data event for any PutObject attempts, which sends notifications to an Amazon SNS topic.
D. Create a Security Auditor role with permissions to access Amazon CloudWatch Logs in all Regions. Ship the logs to an Amazon S3 bucket and make a lifecycle policy to ship the logs to Amazon S3 Glacier.
E. Verify that Amazon GuardDuty is enabled in all Regions, and create an Amazon CloudWatch Events rule for Amazon GuardDuty findings. Add an Amazon SNS topic as the rule's target.
Question # 26
A company that uses AWS Organizations wants to see AWS Security Hub findings formany AWS accounts and AWS Regions. Some of the accounts are in the company'sorganization, and some accounts are in organizations that the company manages forcustomers. Although the company can see findings in the Security Hub administratoraccount for accounts in the company's organization, there are no findings from accounts inother organizations.Which combination of steps should the company take to see findings from accounts thatare outside the organization that includes the Security Hub administrator account? (SelectTWO.)
A. Use a designated administration account to automatically set up member accounts.
B. Create the AWS Service Role ForSecurrty Hub service-linked rote for Security Hub.
C. Send an administration request from the member accounts.
D. Enable Security Hub for all member accounts.
E. Send invitations to accounts that are outside the company's organization from the Security Hub administrator account.
Question # 27
A company is running workloads in a single AWS account on Amazon EC2 instances and Amazon EMR clusters. A recent security audit revealed that multiple Amazon Elastic Block Store (Amazon EBS) volumes and snapshots are not encrypted. The company's security engineer is working on a solution that will allow users to deploy EC2 instances and EMR clusters while ensuring that all new EBS volumes and EBS snapshots are encrypted at rest. The solution must also minimize operational overhead. Which steps should the security engineer take to meet these requirements?
A. Create an Amazon EventBridge (Amazon CloudWatch Events) event with an EC2 instance as the source and create volume as the event trigger. When the event is triggered, invoke an AWS Lambda function to evaluate and notify the security engineer if the EBS volume that was created is not encrypted.
B. Use a customer managed IAM policy that will verify that the encryption flag of the CreateVolume context is set to true. Apply this rule to all users.
C. Create an AWS Config rule to evaluate the configuration of each EC2 instance on creation or modification. Have the AWS Config rule trigger an AWS Lambda function to alert the security team and terminate the instance if the EBS volume is not encrypted.
D. Use the AWS Management Console or AWS CLI to enable encryption by default for EBS volumes in each AWS Region where the company operates.
Question # 28
A security engineer needs to implement a solution to create and control the keys that a company uses for cryptographic operations. The security engineer must create symmetric keys in which the key material is generated and used within a custom key store that is backed by an AWS CloudHSM cluster. The security engineer will use symmetric and asymmetric data key pairs for local use within applications. The security engineer also must audit the use of the keys. How can the security engineer meet these requirements?
A. To create the keys, use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluster. For auditing, use Amazon Athena.
B. To create the keys, use Amazon S3 and the custom key stores with the CloudHSM cluster. For auditing, use AWS CloudTrail.
C. To create the keys, use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluster. For auditing, use Amazon GuardDuty.
D. To create the keys, use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluster. For auditing, use AWS CloudTrail.
Question # 29
A security engineer receives an AWS abuse email message. According to the message, an Amazon EC2 instance that is running in the security engineer's AWS account is sending phishing email messages. The EC2 instance is part of an application that is deployed in production. The application runs on many EC2 instances behind an Application Load Balancer. The instances run in an Amazon EC2 Auto Scaling group across multiple subnets and multiple Availability Zones. The instances normally communicate only over the HTTP, HTTPS, and MySQL protocols. Upon investigation, the security engineer discovers that email messages are being sent over port 587. All other traffic is normal. The security engineer must create a solution that contains the compromised EC2 instance, preserves forensic evidence for analysis, and minimizes application downtime. Which combination of steps must the security engineer take to meet these requirements? (Select THREE.)
A. Add an outbound rule to the security group that is attached to the compromised EC2 instance to deny traffic to 0.0.0.0/0 and port 587.
B. Add an outbound rule to the network ACL for the subnet that contains the compromised EC2 instance to deny traffic to 0.0.0.0/0 and port 587.
C. Gather volatile memory from the compromised EC2 instance. Suspend the compromised EC2 instance from the Auto Scaling group. Then take a snapshot of the compromised EC2 instance.
D. Take a snapshot of the compromised EC2 instance. Suspend the compromised EC2 instance from the Auto Scaling group. Then gather volatile memory from the compromised EC2 instance.
E. Move the compromised EC2 instance to an isolated subnet that has a network ACL that has no inbound rules or outbound rules.
F. Replace the existing security group that is attached to the compromised EC2 instance with a new security group that has no inbound rules or outbound rules.
Question # 30
A company's on-premises networks are connected to VPCs using an AWS Direct Connect gateway. The company's on-premises application needs to stream data using an existing Amazon Kinesis Data Firehose delivery stream. The company's security policy requires that data be encrypted in transit using a private network. How should the company meet these requirements?
A. Create a VPC endpoint for Kinesis Data Firehose. Configure the application to connect to the VPC endpoint.
B. Configure an IAM policy to restrict access to Kinesis Data Firehose using a source IP condition. Configure the application to connect to the existing Firehose delivery stream.
C. Create a new TLS certificate in AWS Certificate Manager (ACM). Create a public-facing Network Load Balancer (NLB) and select the newly created TLS certificate. Configure the NLB to forward all traffic to Kinesis Data Firehose. Configure the application to connect to the NLB.
D. Peer the on-premises network with the Kinesis Data Firehose VPC using Direct Connect. Configure the application to connect to the existing Firehose delivery stream.
Question # 31
A company hosts a web application on an Apache web server. The application runs on Amazon EC2 instances that are in an Auto Scaling group. The company configured the EC2 instances to send the Apache web server logs to an Amazon CloudWatch Logs group that the company has configured to expire after 1 year. Recently, the company discovered in the Apache web server logs that a specific IP address is sending suspicious requests to the web application. A security engineer wants to analyze the past week of Apache web server logs to determine how many requests the IP address sent and the corresponding URLs that the IP address requested. What should the security engineer do to meet these requirements with the LEAST effort?
A. Export the CloudWatch Logs group data to Amazon S3. Use Amazon Macie to query the logs for the specific IP address and the requested URLs.
B. Configure a CloudWatch Logs subscription to stream the log group to an Amazon OpenSearch Service cluster. Use OpenSearch Service to analyze the logs for the specific IP address and the requested URLs.
C. Use CloudWatch Logs Insights and a custom query syntax to analyze the CloudWatch logs for the specific IP address and the requested URLs.
D. Export the CloudWatch Logs group data to Amazon S3. Use AWS Glue to crawl the S3 bucket for only the log entries that contain the specific IP address. Use AWS Glue to view the results.
Question # 32
A company has a set of EC2 instances hosted in AWS. The EC2 instances have EBS volumes that are used to store critical information. There is a business continuity requirement to ensure high availability for the EBS volumes. How can you achieve this?
A. Use lifecycle policies for the EBS volumes
B. Use EBS Snapshots
C. Use EBS volume replication
D. Use EBS volume encryption
Question # 33
A company has a large fleet of Linux Amazon EC2 instances and Windows EC2 instances that run in private subnets. The company wants all remote administration to be performed as securely as possible in the AWS Cloud. Which solution will meet these requirements?
A. Do not use SSH-RSA private keys during the launch of new instances. Implement AWS Systems Manager Session Manager.
B. Generate new SSH-RSA private keys for existing instances. Implement AWS Systems Manager Session Manager.
C. Do not use SSH-RSA private keys during the launch of new instances. Configure EC2 Instance Connect.
D. Generate new SSH-RSA private keys for existing instances. Configure EC2 Instance Connect.
Question # 34
A security engineer must troubleshoot an administrator's inability to make an existing Amazon S3 bucket public in an account that is part of an organization in AWS Organizations. The administrator switched the role from the master account to a member account and then attempted to make one S3 bucket public. This action was immediately denied. Which actions should the security engineer take to troubleshoot the permissions issue? (Select TWO.)
A. Review the cross-account role permissions and the S3 bucket policy. Verify that the Amazon S3 block public access option in the member account is deactivated.
B. Review the role permissions in the master account and ensure it has sufficient privileges to perform S3 operations.
C. Filter AWS CloudTrail logs for the master account to find the original deny event and update the cross-account role in the member account accordingly. Verify that the Amazon S3 block public access option in the master account is deactivated.
D. Evaluate the SCPs covering the member account and the permissions boundary of the role in the member account for missing permissions and explicit denies.
E. Ensure the S3 bucket policy explicitly allows the s3:PutBucketPublicAccess action for the role in the member account.
Question # 35
A team is using AWS Secrets Manager to store an application database password. Only a limited number of IAM principals within the account can have access to the secret. The principals who require access to the secret change frequently. A security engineer must create a solution that maximizes flexibility and scalability. Which solution will meet these requirements?
A. Use a role-based approach by creating an IAM role with an inline permissions policy that allows access to the secret. Update the IAM principals in the role trust policy as required.
B. Deploy a VPC endpoint for Secrets Manager. Create and attach an endpoint policy that specifies the IAM principals that are allowed to access the secret. Update the list of IAM principals as required.
C. Use a tag-based approach by attaching a resource policy to the secret. Apply tags to the secret and the IAM principals. Use the aws:PrincipalTag and aws:ResourceTag IAM condition keys to control access.
D. Use a deny-by-default approach by using IAM policies to deny access to the secret explicitly. Attach the policies to an IAM group. Add all IAM principals to the IAM group. Remove principals from the group when they need access. Add the principals to the group again when access is no longer allowed.
Question # 36
A company has several workloads running on AWS. Employees are required to authenticate using on-premises ADFS and SSO to access the AWS Management Console. Developers migrated an existing legacy web application to an Amazon EC2 instance. Employees need to access this application from anywhere on the internet, but currently, there is no authentication system built into the application. How should the Security Engineer implement employee-only access to this system without changing the application?
A. Place the application behind an Application Load Balancer (ALB). Use Amazon Cognito as authentication for the ALB. Define a SAML-based Amazon Cognito user pool and connect it to ADFS.
B. Implement AWS SSO in the master account and link it to ADFS as an identity provider. Define the EC2 instance as a managed resource, then apply an IAM policy on the resource.
C. Define an Amazon Cognito identity pool, then install the connector on the Active Directory server. Use the Amazon Cognito SDK on the application instance to authenticate the employees using their Active Directory user names and passwords.
D. Create an AWS Lambda custom authorizer as the authenticator for a reverse proxy on Amazon EC2. Ensure the security group on Amazon EC2 only allows access from the Lambda function.
Question # 37
An AWS account that is used for development projects has a VPC that contains two subnets. The first subnet is named public-subnet-1 and has the CIDR block 192.168.1.0/24 assigned. The other subnet is named private-subnet-2 and has the CIDR block 192.168.2.0/24 assigned. Each subnet contains Amazon EC2 instances. Each subnet is currently using the VPC's default network ACL. The security groups that the EC2 instances in these subnets use have rules that allow traffic between each instance where required. Currently, all network traffic flow is working as expected between the EC2 instances that are using these subnets. A security engineer creates a new network ACL that is named subnet-2-NACL with default entries. The security engineer immediately configures private-subnet-2 to use the new network ACL and makes no other changes to the infrastructure. The security engineer starts to receive reports that the EC2 instances in public-subnet-1 and private-subnet-2 cannot communicate with each other. Which combination of steps should the security engineer take to allow the EC2 instances that are running in these two subnets to communicate again? (Select TWO.)
A. Add an outbound allow rule for 192.168.2.0/24 in the VPC's default network ACL.
B. Add an inbound allow rule for 192.168.2.0/24 in the VPC's default network ACL.
C. Add an outbound allow rule for 192.168.2.0/24 in subnet-2-NACL.
D. Add an inbound allow rule for 192.168.1.0/24 in subnet-2-NACL.
E. Add an outbound allow rule for 192.168.1.0/24 in subnet-2-NACL.
Question # 38
A Security Engineer has been tasked with enabling AWS Security Hub to monitor Amazon EC2 instances for CVEs in a single AWS account. The Engineer has already enabled AWS Security Hub and Amazon Inspector in the AWS Management Console and has installed the Amazon Inspector agent on all EC2 instances that need to be monitored. Which additional steps should the Security Engineer take to meet this requirement?
A. Configure the Amazon Inspector agent to use the CVE rule package.
B. Configure the Amazon Inspector agent to use the CVE rule package. Configure Security Hub to ingest from Amazon Inspector by writing a custom resource policy.
C. Configure the Security Hub agent to use the CVE rule package. Configure Amazon Inspector to ingest from Security Hub by writing a custom resource policy.
D. Configure the Amazon Inspector agent to use the CVE rule package. Install an additional integration library. Allow the Amazon Inspector agent to communicate with Security Hub.
Question # 39
An ecommerce company has a web application architecture that runs primarily on containers. The application containers are deployed on Amazon Elastic Container Service (Amazon ECS). The container images for the application are stored in Amazon Elastic Container Registry (Amazon ECR). The company's security team is performing an audit of components of the application architecture. The security team identifies issues with some container images that are stored in the container repositories. The security team wants to address these issues by implementing continual scanning and on-push scanning of the container images. The security team needs to implement a solution that makes any findings from these scans visible in a centralized dashboard. The security team plans to use the dashboard to view these findings along with other security-related findings that they intend to generate in the future. There are specific repositories that the security team needs to exclude from the scanning process. Which solution will meet these requirements?
A. Use Amazon Inspector. Create inclusion rules in Amazon ECR to match repositories that need to be scanned. Push Amazon Inspector findings to AWS Security Hub.
B. Use ECR basic scanning of container images. Create inclusion rules in Amazon ECR to match repositories that need to be scanned. Push findings to AWS Security Hub.
C. Use ECR basic scanning of container images. Create inclusion rules in Amazon ECR to match repositories that need to be scanned. Push findings to Amazon Inspector.
D. Use Amazon Inspector. Create inclusion rules in Amazon Inspector to match repositories that need to be scanned. Push Amazon Inspector findings to AWS Config.
Question # 40
A company uses AWS Organizations and has production workloads across multiple AWS accounts. A security engineer needs to design a solution that will proactively monitor for suspicious behavior across all the accounts that contain production workloads. The solution must automate remediation of incidents across the production accounts. The solution also must publish a notification to an Amazon Simple Notification Service (Amazon SNS) topic when a critical security finding is detected. In addition, the solution must send all security incident logs to a dedicated account. Which solution will meet these requirements?
A. Activate Amazon GuardDuty in each production account. In a dedicated logging account, aggregate all GuardDuty logs from each production account. Remediate incidents by configuring GuardDuty to directly invoke an AWS Lambda function. Configure the Lambda function to also publish notifications to the SNS topic.
B. Activate AWS Security Hub in each production account. In a dedicated logging account, aggregate all Security Hub findings from each production account. Remediate incidents by using AWS Config and AWS Systems Manager. Configure Systems Manager to also publish notifications to the SNS topic.
C. Activate Amazon GuardDuty in each production account. In a dedicated logging account, aggregate all GuardDuty logs from each production account. Remediate incidents by using Amazon EventBridge to invoke a custom AWS Lambda function from the GuardDuty findings. Configure the Lambda function to also publish notifications to the SNS topic.
D. Activate AWS Security Hub in each production account. In a dedicated logging account, aggregate all Security Hub findings from each production account. Remediate incidents by using Amazon EventBridge to invoke a custom AWS Lambda function from the Security Hub findings. Configure the Lambda function to also publish notifications to the SNS topic.
Question # 41
A company's security engineer has been tasked with restricting a contractor's IAM account access to the company's Amazon EC2 console without providing access to any other AWS services. The contractor's IAM account must not be able to gain access to any other AWS service, even if the IAM account is assigned additional permissions based on IAM group membership. What should the security engineer do to meet these requirements?
A. Create an inline IAM user policy that allows for Amazon EC2 access for the contractor's IAM user.
B. Create an IAM permissions boundary policy that allows Amazon EC2 access. Associate the contractor's IAM account with the IAM permissions boundary policy.
C. Create an IAM group with an attached policy that allows for Amazon EC2 access. Associate the contractor's IAM account with the IAM group.
D. Create an IAM role that allows for EC2 and explicitly denies all other services. Instruct the contractor to always assume this role.
Question # 42
A company is planning to use Amazon Elastic File System (Amazon EFS) with its on-premises servers. The company has an existing AWS Direct Connect connection established between its on-premises data center and an AWS Region. Security policy states that the company's on-premises firewall should only have specific IP addresses added to the allow list and not a CIDR range. The company also wants to restrict access so that only certain data center-based servers have access to Amazon EFS. How should a security engineer implement this solution?
A. Add the file-system-id.efs.aws-region.amazonaws.com URL to the allow list for the data center firewall. Install the AWS CLI on the data center-based servers to mount the EFS file system. In the EFS security group, add the data center IP range to the allow list. Mount the EFS using the EFS file system name.
B. Assign an Elastic IP address to Amazon EFS and add the Elastic IP address to the allow list for the data center firewall. Install the AWS CLI on the data center-based servers to mount the EFS file system. In the EFS security group, add the IP addresses of the data center servers to the allow list. Mount the EFS using the Elastic IP address.
C. Add the EFS file system mount target IP addresses to the allow list for the data center firewall. In the EFS security group, add the data center server IP addresses to the allow list. Use the Linux terminal to mount the EFS file system using the IP address of one of the mount targets.
D. Assign a static range of IP addresses for the EFS file system by contacting AWS Support. In the EFS security group, add the data center server IP addresses to the allow list. Use the Linux terminal to mount the EFS file system using one of the static IP addresses.
Question # 43
A Network Load Balancer (NLB) target instance is not entering the InService state. A security engineer determines that health checks are failing. Which factors could cause the health check failures? (Select THREE.)
A. The target instance's security group does not allow traffic from the NLB.
B. The target instance's security group is not attached to the NLB.
C. The NLB's security group is not attached to the target instance.
D. The target instance's subnet network ACL does not allow traffic from the NLB.
E. The target instance's security group is not using IP addresses to allow traffic from the NLB.
F. The target network ACL is not attached to the NLB.
Question # 44
A security engineer recently rotated the host keys for an Amazon EC2 instance. The security engineer is trying to access the EC2 instance by using the EC2 Instance Connect feature. However, the security engineer receives an error for failed host key validation. Before the rotation of the host keys, EC2 Instance Connect worked correctly with this EC2 instance. What should the security engineer do to resolve this error?
A. Import the key material into AWS Key Management Service (AWS KMS).
B. Manually upload the new host key to the AWS trusted host keys database.
C. Ensure that the AmazonSSMManagedInstanceCore policy is attached to the EC2 instance profile.
D. Create a new SSH key pair for the EC2 instance.
Question # 45
A Security Engineer receives alerts that an Amazon EC2 instance on a public subnet is under an SFTP brute force attack from a specific IP address, which is a known malicious bot. What should the Security Engineer do to block the malicious bot?
A. Add a deny rule to the public VPC security group to block the malicious IP
B. Add the malicious IP to AWS WAF blacklisted IPs.
C. Configure Linux iptables or Windows Firewall to block any traffic from the malicious IP.
D. Modify the hosted zone in Amazon Route 53 and create a DNS sinkhole for the malicious IP.
Question # 46
You work at a company that makes use of AWS resources. One of the key security policies is to ensure that all data is encrypted both at rest and in transit. Which of the following is one of the right ways to implement this? Please select:
A. Use S3 SSE and use SSL for data in transit
B. SSL termination on the ELB
C. Enabling Proxy Protocol
D. Enabling sticky sessions on your load balancer
Question # 47
A company discovers a billing anomaly in its AWS account. A security consultant investigates the anomaly and discovers that an employee who left the company 30 days ago still has access to the account. The company has not monitored account activity in the past. The security consultant needs to determine which resources have been deployed or reconfigured by the employee as quickly as possible. Which solution will meet these requirements?
A. In AWS Cost Explorer, filter chart data to display results from the past 30 days. Export the results to a data table. Group the data table by resource.
B. Use AWS Cost Anomaly Detection to create a cost monitor. Access the detection history. Set the time frame to Last 30 days. In the search area, choose the service category.
C. In AWS CloudTrail, filter the event history to display results from the past 30 days. Create an Amazon Athena table that contains the data. Partition the table by event source.
D. Use AWS Audit Manager to create an assessment for the past 30 days. Apply a usage-based framework to the assessment. Configure the assessment to assess by resource.
Question # 48
While securing the connection between a company's VPC and its on-premises data center, a Security Engineer sent a ping command from an on-premises host (IP address 203.0.113.12) to an Amazon EC2 instance (IP address 172.31.16.139). The ping command did not return a response. The flow log in the VPC showed the following:
2 123456789010 eni-1235b8ca 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK
2 123456789010 eni-1235b8ca 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK
What action should be performed to allow the ping to work?
A. In the security group of the EC2 instance, allow inbound ICMP traffic.
B. In the security group of the EC2 instance, allow outbound ICMP traffic.
C. In the VPC's NACL, allow inbound ICMP traffic.
D. In the VPC's NACL, allow outbound ICMP traffic.
Question # 49
A company has deployed Amazon GuardDuty and now wants to implement automation for potential threats. The company has decided to start with RDP brute force attacks that come from Amazon EC2 instances in the company's AWS environment. A security engineer needs to implement a solution that blocks the detected communication from a suspicious instance until investigation and potential remediation can occur. Which solution will meet these requirements?
A. Configure GuardDuty to send the event to an Amazon Kinesis data stream. Process the event with an Amazon Kinesis Data Analytics for Apache Flink application that sends a notification to the company through Amazon Simple Notification Service (Amazon SNS). Add rules to the network ACL to block traffic to and from the suspicious instance.
B. Configure GuardDuty to send the event to Amazon EventBridge (Amazon CloudWatch Events). Deploy an AWS WAF web ACL. Process the event with an AWS Lambda function that sends a notification to the company through Amazon Simple Notification Service (Amazon SNS) and adds a web ACL rule to block traffic to and from the suspicious instance.
C. Enable AWS Security Hub to ingest GuardDuty findings and send the event to Amazon EventBridge (Amazon CloudWatch Events). Deploy AWS Network Firewall. Process the event with an AWS Lambda function that adds a rule to a Network Firewall firewall policy to block traffic to and from the suspicious instance.
D. Enable AWS Security Hub to ingest GuardDuty findings. Configure an Amazon Kinesis data stream as an event destination for Security Hub. Process the event with an AWS Lambda function that replaces the security group of the suspicious instance with a security group that does not allow any connections.
Question # 50
A security engineer needs to set up an Amazon CloudFront distribution for an Amazon S3 bucket that hosts a static website. The security engineer must allow only specified IP addresses to access the website. The security engineer also must prevent users from accessing the website directly by using S3 URLs. Which solution will meet these requirements?
A. Generate an S3 bucket policy. Specify cloudfront.amazonaws.com as the principal. Use the aws:SourceIp condition key to allow access only if the request comes from the specified IP addresses.
B. Create a CloudFront origin access identity (OAI). Create the S3 bucket policy so that only the OAI has access. Create an AWS WAF web ACL and add an IP set rule. Associate the web ACL with the CloudFront distribution.
C. Implement security groups to allow only the specified IP addresses access and to restrict S3 bucket access by using the CloudFront distribution.
D. Create an S3 bucket access point to allow access from only the CloudFront distribution. Create an AWS WAF web ACL and add an IP set rule. Associate the web ACL with the CloudFront distribution.
Question # 51
A company needs to follow security best practices to deploy resources from an AWS CloudFormation template. The CloudFormation template must be able to configure sensitive database credentials. The company already uses AWS Key Management Service (AWS KMS) and AWS Secrets Manager. Which solution will meet the requirements?
A. Use a dynamic reference in the CloudFormation template to reference the database credentials in Secrets Manager.
B. Use a parameter in the CloudFormation template to reference the database credentials. Encrypt the CloudFormation template by using AWS KMS.
C. Use a SecureString parameter in the CloudFormation template to reference the database credentials in Secrets Manager.
D. Use a SecureString parameter in the CloudFormation template to reference an encrypted value in AWS KMS.
Question # 52
A company wants to monitor the deletion of AWS Key Management Service (AWS KMS) customer managed keys. A security engineer needs to create an alarm that will notify the company before a KMS key is deleted. The security engineer has configured the integration of AWS CloudTrail with Amazon CloudWatch. What should the security engineer do next to meet these requirements?
A. Specify the deletion time of the key material during KMS key creation. Create a custom AWS Config rule to assess the key's scheduled deletion. Configure the rule to trigger upon a configuration change. Send a message to an Amazon Simple Notification Service (Amazon SNS) topic if the key is scheduled for deletion.
B. Create an Amazon EventBridge rule to detect KMS API calls of DeleteAlias. Create an AWS Lambda function to send an Amazon Simple Notification Service (Amazon SNS) message to the company. Add the Lambda function as the target of the EventBridge rule.
C. Create an Amazon EventBridge rule to detect KMS API calls of DisableKey and ScheduleKeyDeletion. Create an AWS Lambda function to send an Amazon Simple Notification Service (Amazon SNS) message to the company. Add the Lambda function as the target of the EventBridge rule.
D. Create an Amazon Simple Notification Service (Amazon SNS) policy to detect KMS API calls of RevokeGrant and ScheduleKeyDeletion. Create an AWS Lambda function to generate the alarm and send the notification to the company. Add the Lambda function as the target of the SNS policy.
Question # 53
A company that uses AWS Organizations is migrating workloads to AWS. The company's application team determines that the workloads will use Amazon EC2 instances, Amazon S3 buckets, Amazon DynamoDB tables, and Application Load Balancers. For each resource type, the company mandates that deployments must comply with the following requirements:
• All EC2 instances must be launched from approved AWS accounts.
• All DynamoDB tables must be provisioned with a standardized naming convention.
• All infrastructure that is provisioned in any accounts in the organization must be deployed by AWS CloudFormation templates.
Which combination of steps should the application team take to meet these requirements? (Select TWO.)
A. Create CloudFormation templates in an administrator AWS account. Share the stack sets with an application AWS account. Restrict the template to be used specifically by the application AWS account.
B. Create CloudFormation templates in an application AWS account. Share the output with an administrator AWS account to review compliant resources. Restrict output to only the administrator AWS account.
C. Use permissions boundaries to prevent the application AWS account from provisioning specific resources unless conditions for the internal compliance requirements are met.
D. Use SCPs to prevent the application AWS account from provisioning specific resources unless conditions for the internal compliance requirements are met.
E. Activate AWS Config managed rules for each service in the application AWS account.
Question # 54
A company maintains an open-source application that is hosted on a public GitHub repository. While creating a new commit to the repository, an engineer uploaded their IAM access key and secret access key. The engineer reported the mistake to a manager, and the manager immediately disabled the access key. The company needs to assess the impact of the exposed access key. A security engineer must recommend a solution that requires the least possible managerial overhead. Which solution meets these requirements?
A. Analyze an AWS Identity and Access Management (IAM) use report from AWS Trusted Advisor to see when the access key was last used.
B. Analyze Amazon CloudWatch Logs for activity by searching for the access key.
C. Analyze VPC flow logs for activity by searching for the access key.
D. Analyze a credential report in AWS Identity and Access Management (IAM) to see when the access key was last used.
Question # 55
A company manages three separate AWS accounts for its production, development, and test environments. Each Developer is assigned a unique IAM user under the development account. A new application hosted on an Amazon EC2 instance in the development account requires read access to the archived documents stored in an Amazon S3 bucket in the production account. How should access be granted?
A. Create an IAM role in the production account and allow EC2 instances in the development account to assume that role using the trust policy. Provide read access for the required S3 bucket to this role.
B. Use a custom identity broker to allow Developer IAM users to temporarily access the S3 bucket.
C. Create a temporary IAM user for the application to use in the production account.
D. Create a temporary IAM user in the production account and provide read access to Amazon S3. Generate the temporary IAM user's access key and secret key and store these on the EC2 instance used by the application in the development account.
Question # 56
A business requires a forensic logging solution for hundreds of Docker-based apps running on Amazon EC2. The solution must analyze logs in real time, provide message replay, and persist logs. Which AWS services should be employed to satisfy these requirements? (Select two.)
A. Amazon Athena
B. Amazon Kinesis
C. Amazon SQS
D. Amazon Elasticsearch
E. Amazon EMR
Question # 57
A company needs to store multiple years of financial records. The company wants to use Amazon S3 to store copies of these documents. The company must implement a solution to prevent the documents from being edited, replaced, or deleted for 7 years after the documents are stored in Amazon S3. The solution must also encrypt the documents at rest. A security engineer creates a new S3 bucket to store the documents. What should the security engineer do next to meet these requirements?
A. Configure S3 server-side encryption. Create an S3 bucket policy that has an explicit deny rule for all users for s3:DeleteObject and s3:PutObject API calls. Configure S3 Object Lock to use governance mode with a retention period of 7 years.
B. Configure S3 server-side encryption. Configure S3 Versioning on the S3 bucket. Configure S3 Object Lock to use compliance mode with a retention period of 7 years.
C. Configure S3 Versioning. Configure S3 Intelligent-Tiering on the S3 bucket to move the documents to S3 Glacier Deep Archive storage. Use S3 server-side encryption immediately. Expire the objects after 7 years.
D. Set up S3 Event Notifications and use S3 server-side encryption. Configure S3 Event Notifications to target an AWS Lambda function that will review any S3 API call to the S3 bucket and deny the s3:DeleteObject and s3:PutObject API calls. Remove the S3 event notification after 7 years.
Question # 58
An organization has a multi-petabyte workload that it is moving to Amazon S3, but the CISO is concerned about cryptographic wear-out and the blast radius if a key is compromised. How can the CISO be assured that AWS KMS and Amazon S3 are addressing the concerns? (Select TWO.)
A. There is no API operation to retrieve an S3 object in its encrypted form.
B. Encryption of S3 objects is performed within the secure boundary of the KMS service.
C. S3 uses KMS to generate a unique data key for each individual object.
D. Using a single master key to encrypt all data includes having a single place to perform audits and usage validation.
E. The KMS encryption envelope digitally signs the master key during encryption to prevent cryptographic wear-out.
Question # 59
A company has two AWS accounts within AWS Organizations. In Account-1, Amazon EC2 Auto Scaling is launched using a service-linked role. In Account-2, Amazon EBS volumes are encrypted with an AWS KMS key. A Security Engineer needs to ensure that the service-linked role can launch instances with these encrypted volumes. Which combination of steps should the Security Engineer take in both accounts? (Select TWO.)
A. Allow Account-1 to access the KMS key in Account-2 using a key policy.
B. Attach an IAM policy to the service-linked role in Account-1 that allows these actions: CreateGrant, DescribeKey, Encrypt, GenerateDataKey, Decrypt, and ReEncrypt.
C. Create a KMS grant for the service-linked role with these actions: CreateGrant, DescribeKey, Encrypt, GenerateDataKey, Decrypt, and ReEncrypt.
D. Attach an IAM policy to the role attached to the EC2 instances with KMS actions and then allow Account-1 in the KMS key policy.
E. Attach an IAM policy to the user who is launching EC2 instances and allow the user to access the KMS key policy of Account-2.
Question # 60
A company uses Amazon Elastic Container Service (Amazon ECS) containers that have the Fargate launch type. The containers run web and mobile applications that are written in Java and Node.js. To meet network segmentation requirements, each of the company's business units deploys applications in its own dedicated AWS account. Each business unit stores container images in an Amazon Elastic Container Registry (Amazon ECR) private registry in its own account. A security engineer must recommend a solution to scan ECS containers and ECR registries for vulnerabilities in operating systems and programming language libraries. The company's audit team must be able to identify potential vulnerabilities that exist in any of the accounts where applications are deployed. Which solution will meet these requirements?
A. In each account, update the ECR registry to use Amazon Inspector instead of the default scanning service. Configure Amazon Inspector to forward vulnerability findings to AWS Security Hub in a central security account. Provide access for the audit team to use Security Hub to review the findings.
B. In each account, configure AWS Config to monitor the configuration of the ECS containers and the ECR registry. Configure AWS Config conformance packs for vulnerability scanning. Create an AWS Config aggregator in a central account to collect configuration and compliance details from all accounts. Provide the audit team with access to AWS Config in the account where the aggregator is configured.
C. In each account, configure AWS Audit Manager to scan the ECS containers and the ECR registry. Configure Audit Manager to forward vulnerability findings to AWS Security Hub in a central security account. Provide access for the audit team to use Security Hub to review the findings.
D. In each account, configure Amazon GuardDuty to scan the ECS containers and the ECR registry. Configure GuardDuty to forward vulnerability findings to AWS Security Hub in a central security account. Provide access for the audit team to use Security Hub to review the findings.
Question # 61
A company has a new partnership with a vendor. The vendor will process data from the company's customers. The company will upload data files as objects into an Amazon S3 bucket. The vendor will download the objects to perform data processing. The objects will contain sensitive data. A security engineer must implement a solution that prevents objects from residing in the S3 bucket for longer than 72 hours. Which solution will meet these requirements?
A. Use Amazon Macie to scan the S3 bucket for sensitive data every 72 hours. Configure Macie to delete the objects that contain sensitive data when they are discovered.
B. Configure an S3 Lifecycle rule on the S3 bucket to expire objects that have been in the S3 bucket for 72 hours.
C. Create an Amazon EventBridge scheduled rule that invokes an AWS Lambda function every day. Program the Lambda function to remove any objects that have been in the S3 bucket for 72 hours.
D. Use the S3 Intelligent-Tiering storage class for all objects that are uploaded to the S3 bucket. Use S3 Intelligent-Tiering to expire objects that have been in the S3 bucket for 72 hours.
Question # 62
A company needs a security engineer to implement a scalable solution for multi-account authentication and authorization. The solution should not introduce additional user-managed architectural components. Native AWS features should be used as much as possible. The security engineer has set up AWS Organizations with all features activated and AWS SSO enabled. Which additional steps should the security engineer take to complete the task?
A. Use AD Connector to create users and groups for all employees that require access to AWS accounts. Assign AD Connector groups to AWS accounts and link to the IAM roles in accordance with the employees' job functions and access requirements. Instruct employees to access AWS accounts by using the AWS Directory Service user portal.
B. Use an AWS SSO default directory to create users and groups for all employees that require access to AWS accounts. Assign groups to AWS accounts and link to permission sets in accordance with the employees' job functions and access requirements. Instruct employees to access AWS accounts by using the AWS SSO user portal.
C. Use an AWS SSO default directory to create users and groups for all employees that require access to AWS accounts. Link AWS SSO groups to the IAM users present in all accounts to inherit existing permissions. Instruct employees to access AWS accounts by using the AWS SSO user portal.
D. Use AWS Directory Service for Microsoft Active Directory to create users and groups for all employees that require access to AWS accounts. Enable AWS Management Console access in the created directory and specify AWS SSO as a source of information for integrated accounts and permission sets. Instruct employees to access AWS accounts by using the AWS Directory Service user portal.
Question # 63
A security engineer needs to implement a write-once-read-many (WORM) model for data that a company will store in Amazon S3 buckets. The company uses the S3 Standard storage class for all of its S3 buckets. The security engineer must ensure that objects cannot be overwritten or deleted by any user, including the AWS account root user. Which solution will meet these requirements?
A. Create new S3 buckets with S3 Object Lock enabled in compliance mode. Place objects in the S3 buckets.
B. Use S3 Glacier Vault Lock to attach a Vault Lock policy to new S3 buckets. Wait 24 hours to complete the Vault Lock process. Place objects in the S3 buckets.
C. Create new S3 buckets with S3 Object Lock enabled in governance mode. Place objects in the S3 buckets.
D. Create new S3 buckets with S3 Object Lock enabled in governance mode. Add a legal hold to the S3 buckets. Place objects in the S3 buckets.
Question # 64
Within a VPC, a corporation runs an Amazon RDS Multi-AZ DB instance. The database instance is connected to the internet through a NAT gateway via two subnets. Additionally, the organization has application servers that are hosted on Amazon EC2 instances and use the RDS database. These EC2 instances have been deployed onto two more private subnets inside the same VPC. These EC2 instances connect to the internet through a default route via the same NAT gateway. Each VPC subnet has its own route table. The organization implemented a new security requirement after a recent security examination: never allow the database instance to connect to the internet. A security engineer must perform this update promptly without interfering with the network traffic of the application servers. How will the security engineer be able to comply with these requirements?
A. Remove the existing NAT gateway. Create a new NAT gateway that only the application server subnets can use.
B. Configure the DB instance's inbound network ACL to deny traffic from the security group ID of the NAT gateway.
C. Modify the route tables of the DB instance subnets to remove the default route to the NAT gateway.
D. Configure the route table of the NAT gateway to deny connections to the DB instance subnets.
Question # 65
A company has enabled Amazon GuardDuty in all AWS Regions as part of its security monitoring strategy. In one of its VPCs, the company hosts an Amazon EC2 instance that works as an FTP server. A high number of clients from multiple locations contact the FTP server. GuardDuty identifies this activity as a brute force attack because of the high number of connections that happen every hour. The company has flagged the finding as a false positive, but GuardDuty continues to raise the issue. A security engineer must improve the signal-to-noise ratio without compromising the company's visibility of potential anomalous behavior. Which solution will meet these requirements?
A. Disable the FTP rule in GuardDuty in the Region where the FTP server is deployed.
B. Add the FTP server to a trusted IP list. Deploy the list to GuardDuty to stop receiving the notifications.
C. Create a suppression rule in GuardDuty to filter findings by automatically archiving new findings that match the specified criteria.
D. Create an AWS Lambda function that has the appropriate permissions to delete the finding whenever a new occurrence is reported.
Question # 66
A company is implementing a new application in a new AWS account. A VPC and subnets have been created for the application. The application has been peered to an existing VPC in another account in the same AWS Region for database access. Amazon EC2 instances will regularly be created and terminated in the application VPC, but only some of them will need access to the databases in the peered VPC over TCP port 1521. A security engineer must ensure that only the EC2 instances that need access to the databases can access them through the network. How can the security engineer implement this solution?
A. Create a new security group in the database VPC and create an inbound rule that allows all traffic from the IP address range of the application VPC. Add a new network ACL rule on the database subnets. Configure the rule to allow TCP port 1521 from the IP address range of the application VPC. Attach the new security group to the database instances that the application instances need to access.
B. Create a new security group in the application VPC with an inbound rule that allows the IP address range of the database VPC over TCP port 1521. Create a new security group in the database VPC with an inbound rule that allows the IP address range of the application VPC over port 1521. Attach the new security group to the database instances and the application instances that need database access.
C. Create a new security group in the application VPC with no inbound rules. Create a new security group in the database VPC with an inbound rule that allows TCP port 1521 from the new application security group in the application VPC. Attach the application security group to the application instances that need database access, and attach the database security group to the database instances.
D. Create a new security group in the application VPC with an inbound rule that allows the IP address range of the database VPC over TCP port 1521. Add a new network ACL rule on the database subnets. Configure the rule to allow all traffic from the IP address range of the application VPC. Attach the new security group to the application instances that need database access.
Question # 67
A company hosts multiple externally facing applications, each isolated in its own AWS account. The company's Security team has enabled AWS WAF, AWS Config, and Amazon GuardDuty on all accounts. The company's Operations team has also joined all of the accounts to AWS Organizations and established centralized logging for CloudTrail, AWS Config, and GuardDuty. The company wants the Security team to take a reactive remediation in one account, and automate implementing this remediation as proactive prevention in all the other accounts. How should the Security team accomplish this?
A. Update the AWS WAF rules in the affected account and use AWS Firewall Manager to push updated AWS WAF rules across all other accounts.
B. Use GuardDuty centralized logging and Amazon SNS to set up alerts to notify all application teams of security incidents.
C. Use GuardDuty alerts to write an AWS Lambda function that updates all accounts by adding additional NACLs on the Amazon EC2 instances to block known malicious IP addresses.
D. Use AWS Shield Advanced to identify threats in each individual account and then apply the account-based protections to all other accounts through Organizations.
Question # 68
An ecommerce company is developing new architecture for an application release. The company needs to implement TLS for incoming traffic to the application. Traffic for the application will originate from the internet. TLS does not have to be implemented in an end-to-end configuration because the company is concerned about impacts on performance. The incoming traffic types will be HTTP and HTTPS. The application uses ports 80 and 443. What should a security engineer do to meet these requirements?
A. Create a public Application Load Balancer. Create two listeners: one listener on port 80 and one listener on port 443. Create one target group. Create a rule to forward traffic from port 80 to the listener on port 443. Provision a public TLS certificate in AWS Certificate Manager (ACM). Attach the certificate to the listener on port 443.
B. Create a public Application Load Balancer. Create two listeners: one listener on port 80 and one listener on port 443. Create one target group. Create a rule to forward traffic from port 80 to the listener on port 443. Provision a public TLS certificate in AWS Certificate Manager (ACM). Attach the certificate to the listener on port 80.
C. Create a public Network Load Balancer. Create two listeners: one listener on port 80 and one listener on port 443. Create one target group. Create a rule to forward traffic from port 80 to the listener on port 443. Set the protocol for the listener on port 443 to TLS.
D. Create a public Network Load Balancer. Create a listener on port 443. Create one target group. Create a rule to forward traffic from port 443 to the target group. Set the protocol for the listener on port 443 to TLS.
Question # 69
A security engineer receives a notice from the AWS Abuse team about suspicious activity from a Linux-based Amazon EC2 instance that uses Amazon Elastic Block Store (Amazon EBS)-based storage. The instance is making connections to known malicious addresses. The instance is in a development account within a VPC that is in the us-east-1 Region. The VPC contains an internet gateway and has a subnet in us-east-1a and us-east-1b. Each subnet is associated with a route table that uses the internet gateway as a default route. Each subnet also uses the default network ACL. The suspicious EC2 instance runs within the us-east-1b subnet. During an initial investigation, a security engineer discovers that the suspicious instance is the only instance that runs in the subnet. Which response will immediately mitigate the attack and help investigate the root cause?
A. Log in to the suspicious instance and use the netstat command to identify remote connections. Use the IP addresses from these remote connections to create deny rules in the security group of the instance. Install diagnostic tools on the instance for investigation. Update the outbound network ACL for the subnet in us-east-1b to explicitly deny all connections as the first rule during the investigation of the instance.
B. Update the outbound network ACL for the subnet in us-east-1b to explicitly deny all connections as the first rule. Replace the security group with a new security group that allows connections only from a diagnostics security group. Update the outbound network ACL for the us-east-1b subnet to remove the deny all rule. Launch a new EC2 instance that has diagnostic tools. Assign the new security group to the new EC2 instance. Use the new EC2 instance to investigate the suspicious instance.
C. Ensure that the Amazon Elastic Block Store (Amazon EBS) volumes that are attached to the suspicious EC2 instance will not delete upon termination. Terminate the instance. Launch a new EC2 instance in us-east-1a that has diagnostic tools. Mount the EBS volumes from the terminated instance for investigation.
D. Create an AWS WAF web ACL that denies traffic to and from the suspicious instance. Attach the AWS WAF web ACL to the instance to mitigate the attack. Log in to the instance and install diagnostic tools to investigate the instance.
Question # 70
A company is using AWS WAF to protect a customized public API service that is based on Amazon EC2 instances. The API uses an Application Load Balancer. The AWS WAF web ACL is configured with an AWS Managed Rules rule group. After a software upgrade to the API and the client application, some types of requests are no longer working and are causing application stability issues. A security engineer discovers that AWS WAF logging is not turned on for the web ACL. The security engineer needs to immediately return the application to service, resolve the issue, and ensure that logging is not turned off in the future. The security engineer turns on logging for the web ACL and specifies Amazon CloudWatch Logs as the destination. Which additional set of steps should the security engineer take to meet the requirements?
A. Edit the rules in the web ACL to include rules with Count actions. Review the logs to determine which rule is blocking the request. Modify the IAM policy of all AWS WAF administrators so that they cannot remove the logging configuration for any AWS WAF web ACLs.
B. Edit the rules in the web ACL to include rules with Count actions. Review the logs to determine which rule is blocking the request. Modify the AWS WAF resource policy so that AWS WAF administrators cannot remove the logging configuration for any AWS WAF web ACLs.
C. Edit the rules in the web ACL to include rules with Count and Challenge actions. Review the logs to determine which rule is blocking the request. Modify the AWS WAF resource policy so that AWS WAF administrators cannot remove the logging configuration for any AWS WAF web ACLs.
D. Edit the rules in the web ACL to include rules with Count and Challenge actions. Review the logs to determine which rule is blocking the request. Modify the IAM policy of all AWS WAF administrators so that they cannot remove the logging configuration for any AWS WAF web ACLs.
Question # 71
For compliance reasons, a Security Engineer must produce a weekly report that lists any instance that does not have the latest approved patches applied. The Engineer must also ensure that no system goes more than 30 days without the latest approved updates being applied. What would be the MOST efficient way to achieve these goals?
A. Use Amazon Inspector to determine which systems do not have the latest patches applied, and after 30 days, redeploy those instances with the latest AMI version.
B. Configure Amazon EC2 Systems Manager to report on instance patch compliance and enforce updates during the defined maintenance windows.
C. Examine AWS CloudTrail logs to determine whether any instances have not restarted in the last 30 days, and redeploy those instances.
D. Update the AMIs with the latest approved patches and redeploy each instance during the defined maintenance window.
Question # 72
A company developed an application by using AWS Lambda, Amazon S3, Amazon Simple Notification Service (Amazon SNS), and Amazon DynamoDB. An external application puts objects into the company's S3 bucket and tags the objects with date and time. A Lambda function periodically pulls data from the company's S3 bucket based on date and time tags and inserts specific values into a DynamoDB table for further processing. The data includes personally identifiable information (PII). The company must remove data that is older than 30 days from the S3 bucket and the DynamoDB table. Which solution will meet this requirement with the MOST operational efficiency?
A. Update the Lambda function to add a TTL S3 flag to S3 objects. Create an S3 Lifecycle policy to expire objects that are older than 30 days by using the TTL S3 flag.
B. Create an S3 Lifecycle policy to expire objects that are older than 30 days. Update the Lambda function to add the TTL attribute in the DynamoDB table. Enable TTL on the DynamoDB table to expire entries that are older than 30 days based on the TTL attribute.
C. Create an S3 Lifecycle policy to expire objects that are older than 30 days and to add all prefixes to the S3 bucket. Update the Lambda function to delete entries that are older than 30 days.
D. Create an S3 Lifecycle policy to expire objects that are older than 30 days by using object tags. Update the Lambda function to delete entries that are older than 30 days.
Question # 73
A company is using AWS Organizations to create OUs for its accounts. The company has more than 20 accounts that are all part of the OUs. A security engineer must implement a solution to ensure that no account can stop log file delivery to AWS CloudTrail. Which solution will meet this requirement?
A. Use the --is-multi-region-trail option while running the create-trail command to ensure that logs are configured across all AWS Regions.
B. Create an SCP that includes a Deny rule for the cloudtrail:StopLogging action. Apply the SCP to all accounts in the OUs.
C. Create an SCP that includes an Allow rule for the cloudtrail:StopLogging action. Apply the SCP to all accounts in the OUs.
D. Use AWS Systems Manager to ensure that CloudTrail is always turned on.
Question # 74
A security engineer is creating an AWS Lambda function. The Lambda function needs to use a role that is named LambdaAuditRole to assume a role that is named AcmeAuditFactoryRole in a different AWS account. When the code is processed, the following error message appears: "An error occurred (AccessDenied) when calling the AssumeRole operation." Which combination of steps should the security engineer take to resolve this error? (Select TWO.)
A. Ensure that LambdaAuditRole has the sts:AssumeRole permission for AcmeAuditFactoryRole.
B. Ensure that LambdaAuditRole has the AWSLambdaBasicExecutionRole managed policy attached.
C. Ensure that the trust policy for AcmeAuditFactoryRole allows the sts:AssumeRole action from LambdaAuditRole.
D. Ensure that the trust policy for LambdaAuditRole allows the sts:AssumeRole action from the lambda.amazonaws.com service.
E. Ensure that the sts:AssumeRole API call is being issued to the us-east-1 Region endpoint.
Question # 75
A company is running an application in the eu-west-1 Region. The application uses an AWS Key Management Service (AWS KMS) CMK to encrypt sensitive data. The company plans to deploy the application in the eu-north-1 Region. A security engineer needs to implement a key management solution for the application deployment in the new Region. The security engineer must minimize changes to the application code. Which change should the security engineer make to the AWS KMS configuration to meet these requirements?
A. Update the key policies in eu-west-1. Point the application in eu-north-1 to use the same CMK as the application in eu-west-1.
B. Allocate a new CMK to eu-north-1 to be used by the application that is deployed in that Region.
C. Allocate a new CMK to eu-north-1. Create the same alias name for both keys. Configure the application deployment to use the key alias.
D. Allocate a new CMK to eu-north-1. Create an alias for eu-north-1. Change the application code to point to the alias for eu-north-1.
Question # 76
A company is using AWS Organizations to develop a multi-account secure networking strategy. The company plans to use separate centrally managed accounts for shared services, auditing, and security inspection. The company plans to provide dozens of additional accounts to application owners for production and development environments. Company security policy requires that all internet traffic be routed through a centrally managed security inspection layer in the security inspection account. A security engineer must recommend a solution that minimizes administrative overhead and complexity. Which solution meets these requirements?
A. Use AWS Control Tower. Modify the default Account Factory networking template to automatically associate new accounts with a centrally managed VPC through a VPC peering connection and to create a default route to the VPC peer in the default route table. Create an SCP that denies the CreateInternetGateway action. Attach the SCP to all accounts except the security inspection account.
B. Create a centrally managed VPC in the security inspection account. Establish VPC peering connections between the security inspection account and other accounts. Instruct account owners to create default routes in their account route tables that point to the VPC peer. Create an SCP that denies the AttachInternetGateway action. Attach the SCP to all accounts except the security inspection account.
C. Use AWS Control Tower. Modify the default Account Factory networking template to automatically associate new accounts with a centrally managed transit gateway and to create a default route to the transit gateway in the default route table. Create an SCP that denies the AttachInternetGateway action. Attach the SCP to all accounts except the security inspection account.
D. Enable AWS Resource Access Manager (AWS RAM) for AWS Organizations. Create a shared transit gateway, and make it available by using an AWS RAM resource share. Create an SCP that denies the CreateInternetGateway action. Attach the SCP to all accounts except the security inspection account. Create routes in the route tables of all accounts that point to the shared transit gateway.
Question # 77
A company has recently recovered from a security incident that required the restoration of Amazon EC2 instances from snapshots. The company uses an AWS Key Management Service (AWS KMS) customer managed key to encrypt all Amazon Elastic Block Store (Amazon EBS) snapshots. The company performs a gap analysis of its disaster recovery procedures and backup strategies. A security engineer needs to implement a solution so that the company can recover the EC2 instances if the AWS account is compromised and the EBS snapshots are deleted. Which solution will meet this requirement?
A. Create a new Amazon S3 bucket. Use EBS lifecycle policies to move EBS snapshots to the new S3 bucket. Use lifecycle policies to move snapshots to the S3 Glacier Instant Retrieval storage class. Use S3 Object Lock to prevent deletion of the snapshots.
B. Use AWS Systems Manager to distribute a configuration that backs up all attached disksto Amazon S3.
C. Create a new AWS account that has limited privileges. Allow the new account to access the KMS key that encrypts the EBS snapshots. Copy the encrypted snapshots to the new account on a recurring basis.
D. Use AWS Backup to copy EBS snapshots to Amazon S3. Use S3 Object Lock to prevent deletion of the snapshots.
Question # 78
A company uses Amazon GuardDuty. The company's security team wants all High severity findings to automatically generate a ticket in a third-party ticketing system through email integration. Which solution will meet this requirement?
A. Create a verified identity for the third-party ticketing email system in Amazon Simple Email Service (Amazon SES). Create an Amazon EventBridge rule that includes an event pattern that matches High severity GuardDuty findings. Specify the SES identity as the target for the EventBridge rule.
B. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the third-party ticketing email system to the SNS topic. Create an Amazon EventBridge rule that includes an event pattern that matches High severity GuardDuty findings. Specify the SNS topic as the target for the EventBridge rule.
C. Use the GuardDuty CreateFilter API operation to build a filter in GuardDuty to monitor for High severity findings. Export the results of the filter to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the third-party ticketing email system to the SNS topic.
D. Use the GuardDuty CreateFilter API operation to build a filter in GuardDuty to monitor for High severity findings. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the third-party ticketing email system to the SNS topic. Create an Amazon EventBridge rule that includes an event pattern that matches GuardDuty findings that are selected by the filter. Specify the SNS topic as the target for the EventBridge rule.
Question # 79
A company deploys a distributed web application on a fleet of Amazon EC2 instances. The fleet is behind an Application Load Balancer (ALB) that will be configured to terminate the TLS connection. All TLS traffic to the ALB must stay secure, even if the certificate private key is compromised. How can a security engineer meet this requirement?
A. Create an HTTPS listener that uses a certificate that is managed by AWS Certificate Manager (ACM).
B. Create an HTTPS listener that uses a security policy that uses a cipher suite with perfect forward secrecy (PFS).
C. Create an HTTPS listener that uses the Server Order Preference security feature.
D. Create a TCP listener that uses a custom security policy that allows only cipher suites with perfect forward secrecy (PFS).
Question # 80
You need to create a policy and apply it for just an individual user. How could you accomplish this in the right way? Please select:
A. Add an IAM managed policy for the user
B. Add a service policy for the user
C. Add an IAM role for the user
D. Add an inline policy for the user
Question # 81
A company's security engineer is designing an isolation procedure for Amazon EC2 instances as part of an incident response plan. The security engineer needs to isolate a target instance to block any traffic to and from the target instance, except for traffic from the company's forensics team. Each of the company's EC2 instances has its own dedicated security group. The EC2 instances are deployed in subnets of a VPC. A subnet can contain multiple instances. The security engineer is testing the procedure for EC2 isolation and opens an SSH session to the target instance. The procedure starts to simulate access to the target instance by an attacker. The security engineer removes the existing security group rules and adds security group rules to give the forensics team access to the target instance on port 22. After these changes, the security engineer notices that the SSH connection is still active and usable. When the security engineer runs a ping command to the public IP address of the target instance, the ping command is blocked. What should the security engineer do to isolate the target instance?
A. Add an inbound rule to the security group to allow traffic from 0.0.0.0/0 for all ports. Add an outbound rule to the security group to allow traffic to 0.0.0.0/0 for all ports. Then immediately delete these rules.
B. Remove the port 22 security group rule. Attach an instance role policy that allows AWS Systems Manager Session Manager connections so that the forensics team can access the target instance.
C. Create a network ACL that is associated with the target instance's subnet. Add a rule at the top of the inbound rule set to deny all traffic from 0.0.0.0/0. Add a rule at the top of the outbound rule set to deny all traffic to 0.0.0.0/0.
D. Create an AWS Systems Manager document that adds a host-level firewall rule to block all inbound traffic and outbound traffic. Run the document on the target instance.
Question # 82
A company deployed AWS Organizations to help manage its increasing number of AWS accounts. A security engineer wants to ensure only principals in the Organization structure can access a specific Amazon S3 bucket. The solution must also minimize operational overhead. Which solution will meet these requirements?
A. Put all users into an IAM group with an access policy granting access to the bucket.
B. Have the account creation trigger an AWS Lambda function that manages the bucket policy, allowing access to accounts listed in the policy only.
C. Add an SCP to the Organizations master account, allowing all principals access to the bucket.
D. Specify the organization ID in the global key condition element of a bucket policy, allowing all principals access.
Question # 83
What are the MOST secure ways to protect the AWS account root user of a recently opened AWS account? (Select TWO.)
A. Use the AWS account root user access keys instead of the AWS Management Console.
B. Enable multi-factor authentication for the AWS IAM users with the AdministratorAccess managed policy attached to them.
C. Enable multi-factor authentication for the AWS account root user.
D. Use AWS KMS to encrypt all AWS account root user and AWS IAM access keys and set automatic rotation to 30 days.
E. Do not create access keys for the AWS account root user; instead, create AWS IAM users.
Question # 84
A company is hosting multiple applications within a single VPC in its AWS account. The applications are running behind an Application Load Balancer that is associated with an AWS WAF web ACL. The company's security team has identified that multiple port scans are originating from a specific range of IP addresses on the internet. A security engineer needs to deny access from the offending IP addresses. Which solution will meet these requirements?
A. Modify the AWS WAF web ACL with an IP set match rule statement to deny incoming requests from the IP address range.
B. Add a rule to all security groups to deny the incoming requests from the IP address range.
C. Modify the AWS WAF web ACL with a rate-based rule statement to deny the incoming requests from the IP address range.
D. Configure the AWS WAF web ACL with regex match conditions. Specify a pattern set to deny the incoming requests based on the match condition.
Question # 85
A company is testing its incident response plan for compromised credentials. The company runs a database on an Amazon EC2 instance and stores the sensitive database credentials as a secret in AWS Secrets Manager. The secret has rotation configured with an AWS Lambda function that uses the generic rotation function template. The EC2 instance and the Lambda function are deployed in the same private subnet. The VPC has a Secrets Manager VPC endpoint. A security engineer discovers that the secret cannot rotate. The security engineer determines that the VPC endpoint is working as intended. The Amazon CloudWatch logs contain the following error: "setSecret: Unable to log into database". Which solution will resolve this error?
A. Use the AWS Management Console to edit the JSON structure of the secret in Secrets Manager so that the secret automatically conforms with the structure that the database requires.
B. Ensure that the security group that is attached to the Lambda function allows outbound connections to the EC2 instance. Ensure that the security group that is attached to the EC2 instance allows inbound connections from the security group that is attached to the Lambda function.
C. Use the Secrets Manager list-secrets command in the AWS CLI to list the secret. Identify the database credentials. Use the Secrets Manager rotate-secret command in the AWS CLI to force the immediate rotation of the secret.
D. Add an internet gateway to the VPC. Create a NAT gateway in a public subnet. Update the VPC route tables so that traffic from the Lambda function and traffic from the EC2 instance can reach the Secrets Manager public endpoint.
Question # 86
A company's public Application Load Balancer (ALB) recently experienced a DDoS attack. To mitigate this issue, the company deployed Amazon CloudFront in front of the ALB so that users would not directly access the Amazon EC2 instances behind the ALB. The company discovers that some traffic is still coming directly into the ALB and is still being handled by the EC2 instances. Which combination of steps should the company take to ensure that the EC2 instances will receive traffic only from CloudFront? (Choose two.)
A. Configure CloudFront to add a cache key policy to allow a custom HTTP header that CloudFront sends to the ALB.
B. Configure CloudFront to add a custom HTTP header to requests that CloudFront sends to the ALB.
C. Configure the ALB to forward only requests that contain the custom HTTP header.
D. Configure the ALB and CloudFront to use the X-Forwarded-For header to check client IP addresses.
E. Configure the ALB and CloudFront to use the same X.509 certificate that is generated by AWS Certificate Manager (ACM).
Question # 87
A company's engineering team is developing a new application that creates AWS Key Management Service (AWS KMS) CMK grants for users. Immediately after a grant is created, users must be able to use the CMK to encrypt a 512-byte payload. During load testing, a bug appears intermittently where AccessDeniedExceptions are occasionally triggered when a user first attempts to encrypt using the CMK. Which solution should the company's security specialist recommend?
A. Instruct users to implement a retry mechanism every 2 minutes until the call succeeds.
B. Instruct the engineering team to consume a random grant token from users, and to call the CreateGrant operation, passing it the grant token. Instruct users to use that grant token in their call to encrypt.
C. Instruct the engineering team to create a random name for the grant when calling the CreateGrant operation. Return the name to the users and instruct them to provide the name as the grant token in the call to encrypt.
D. Instruct the engineering team to pass the grant token returned in the CreateGrant response to users. Instruct users to use that grant token in their call to encrypt.
Question # 88
A company needs a forensic-logging solution for hundreds of applications running in Docker on Amazon EC2. The solution must perform real-time analytics on the logs, must support the replay of messages, and must persist the logs. Which AWS services should be used to meet these requirements? (Select TWO.)
A. Amazon Athena
B. Amazon Kinesis
C. Amazon SQS
D. Amazon Elasticsearch
E. Amazon EMR
Question # 89
You have an S3 bucket defined in AWS. You want to ensure that you encrypt the data before sending it across the wire. What is the best way to achieve this? Please select:
A. Enable server side encryption for the S3 bucket. This request will ensure that the data is encrypted first.
B. Use the AWS Encryption CLI to encrypt the data first
C. Use a Lambda function to encrypt the data before sending it to the S3 bucket.
D. Enable client encryption for the bucket
Question # 90
An audit determined that a company's Amazon EC2 instance security group violated company policy by allowing unrestricted incoming SSH traffic. A security engineer must implement a near-real-time monitoring and alerting solution that will notify administrators of such violations. Which solution meets these requirements with the MOST operational efficiency?
A. Create a recurring Amazon Inspector assessment run that runs every day and uses the Network Reachability package. Create an Amazon CloudWatch rule that invokes an AWS Lambda function when an assessment run starts. Configure the Lambda function to retrieve and evaluate the assessment run report when it completes. Configure the Lambda function also to publish an Amazon Simple Notification Service (Amazon SNS) notification if there are any violations for unrestricted incoming SSH traffic.
B. Use the restricted-ssh AWS Config managed rule that is invoked by security group configuration changes that are not compliant. Use the AWS Config remediation feature to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic.
C. Configure VPC Flow Logs for the VPC, and specify an Amazon CloudWatch Logs group. Subscribe the CloudWatch Logs group to an AWS Lambda function that parses new log entries, detects successful connections on port 22, and publishes a notification through Amazon Simple Notification Service (Amazon SNS).
D. Create a recurring Amazon Inspector assessment run that runs every day and uses the Security Best Practices package. Create an Amazon CloudWatch rule that invokes an AWS Lambda function when an assessment run starts. Configure the Lambda function to retrieve and evaluate the assessment run report when it completes. Configure the Lambda function also to publish an Amazon Simple Notification Service (Amazon SNS) notification if there are any violations for unrestricted incoming SSH traffic.
Question # 91
Company A has an AWS account that is named Account A. Company A recently acquired Company B, which has an AWS account that is named Account B. Company B stores its files in an Amazon S3 bucket. The administrators need to give a user from Account A full access to the S3 bucket in Account B. After the administrators adjust the IAM permissions for the user in Account A to access the S3 bucket in Account B, the user still cannot access any files in the S3 bucket. Which solution will resolve this issue?
A. In Account B, create a bucket ACL to allow the user from Account A to access the S3 bucket in Account B.
B. In Account B, create an object ACL to allow the user from Account A to access all the objects in the S3 bucket in Account B.
C. In Account B, create a bucket policy to allow the user from Account A to access the S3 bucket in Account B.
D. In Account B, create a user policy to allow the user from Account A to access the S3 bucket in Account B.
Question # 92
During a manual review of system logs from an Amazon Linux EC2 instance, a Security Engineer noticed that there are sudo commands that were never properly alerted or reported on the Amazon CloudWatch Logs agent. Why were there no alerts on the sudo commands?
A. There is a security group blocking outbound port 80 traffic that is preventing the agent from sending the logs
B. The IAM instance profile on the EC2 instance was not properly configured to allow the CloudWatch Logs agent to push the logs to CloudWatch
C. CloudWatch Logs status is set to ON versus SECURE, which prevents it from pulling in OS security event logs
D. The VPC requires that all traffic go through a proxy, and the CloudWatch Logs agent does not support a proxy configuration.
Question # 93
A development team is using an AWS Key Management Service (AWS KMS) CMK to try to encrypt and decrypt a secure string parameter from AWS Systems Manager Parameter Store. However, the development team receives an error message on each attempt. Which issues that are related to the CMK could be reasons for the error? (Select TWO.)
A. The CMK that is used in the attempt does not exist.
B. The CMK that is used in the attempt needs to be rotated.
C. The CMK that is used in the attempt is using the CMK's key ID instead of the CMK ARN.
D. The CMK that is used in the attempt is not enabled.
E. The CMK that is used in the attempt is using an alias.
Question # 94
A company's security team is building a solution for logging and visualization. The solution will assist the company with the large variety and velocity of data that it receives from AWS across multiple accounts. The security team has enabled AWS CloudTrail and VPC Flow Logs in all of its accounts. In addition, the company has an organization in AWS Organizations and has an AWS Security Hub master account. The security team wants to use Amazon Detective. However, the security team cannot enable Detective and is unsure why. What must the security team do to enable Detective?
A. Enable Amazon Macie so that Security Hub will allow Detective to process findings from Macie.
B. Disable AWS Key Management Service (AWS KMS) encryption on CloudTrail logs in every member account of the organization.
C. Enable Amazon GuardDuty on all member accounts. Try to enable Detective in 48 hours.
D. Ensure that the principal that launches Detective has the organizations:ListAccounts permission.
Question # 95
A company is implementing new compliance requirements to meet customer needs. According to the new requirements, the company must not use any Amazon RDS DB instances or DB clusters that lack encryption of the underlying storage. The company needs a solution that will generate an email alert when an unencrypted DB instance or DB cluster is created. The solution also must terminate the unencrypted DB instance or DB cluster. Which solution will meet these requirements in the MOST operationally efficient manner?
A. Create an AWS Config managed rule to detect unencrypted RDS storage. Configure an automatic remediation action to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic that includes an AWS Lambda function and an email delivery target as subscribers. Configure the Lambda function to delete the unencrypted resource.
B. Create an AWS Config managed rule to detect unencrypted RDS storage. Configure a manual remediation action to invoke an AWS Lambda function. Configure the Lambda function to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic and to delete the unencrypted resource.
C. Create an Amazon EventBridge rule that evaluates RDS event patterns and is initiated by the creation of DB instances or DB clusters. Configure the rule to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic that includes an AWS Lambda function and an email delivery target as subscribers. Configure the Lambda function to delete the unencrypted resource.
D. Create an Amazon EventBridge rule that evaluates RDS event patterns and is initiated by the creation of DB instances or DB clusters. Configure the rule to invoke an AWS Lambda function. Configure the Lambda function to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic and to delete the unencrypted resource.
Question # 96
A startup company is using a single AWS account that has resources in a single AWS Region. A security engineer configures an AWS CloudTrail trail in the same Region to deliver log files to an Amazon S3 bucket by using the AWS CLI. Because of expansion, the company adds resources in multiple Regions. The security engineer notices that the logs from the new Regions are not reaching the S3 bucket. What should the security engineer do to fix this issue with the LEAST amount of operational overhead?
A. Create a new CloudTrail trail. Select the new Regions where the company added resources.
B. Change the S3 bucket to receive notifications to track all actions from all Regions.
C. Create a new CloudTrail trail that applies to all Regions.
D. Change the existing CloudTrail trail so that it applies to all Regions.
Question # 97
A company is hosting a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application has become the target of a DoS attack. Application logging shows that requests are coming from a small number of client IP addresses, but the addresses change regularly. The company needs to block the malicious traffic with a solution that requires the least amount of ongoing effort. Which solution meets these requirements?
A. Create an AWS WAF rate-based rule, and attach it to the ALB.
B. Update the security group that is attached to the ALB to block the attacking IP addresses.
C. Update the ALB subnet's network ACL to block the attacking client IP addresses.
D. Create an AWS WAF rate-based rule, and attach it to the security group of the EC2 instances.
Question # 98
A company is designing a new application stack. The design includes web servers and backend servers that are hosted on Amazon EC2 instances. The design also includes an Amazon Aurora MySQL DB cluster. The EC2 instances are in an Auto Scaling group that uses launch templates. The EC2 instances for the web layer and the backend layer are backed by Amazon Elastic Block Store (Amazon EBS) volumes. No layers are encrypted at rest. A security engineer needs to implement encryption at rest. Which combination of steps will meet these requirements? (Select TWO.)
A. Modify EBS default encryption settings in the target AWS Region to enable encryption. Use an Auto Scaling group instance refresh.
B. Modify the launch templates for the web layer and the backend layer to add AWS Certificate Manager (ACM) encryption for the attached EBS volumes. Use an Auto Scaling group instance refresh.
C. Create a new AWS Key Management Service (AWS KMS) encrypted DB cluster from a snapshot of the existing DB cluster.
D. Apply AWS Key Management Service (AWS KMS) encryption to the existing DB cluster.
E. Apply AWS Certificate Manager (ACM) encryption to the existing DB cluster.
Question # 99
A company uses AWS Organizations to manage a small number of AWS accounts. However, the company plans to add 1,000 more accounts soon. The company allows only a centralized security team to create IAM roles for all AWS accounts and teams. Application teams submit requests for IAM roles to the security team. The security team has a backlog of IAM role requests and cannot review and provision the IAM roles quickly. The security team must create a process that will allow application teams to provision their own IAM roles. The process must also limit the scope of IAM roles and prevent privilege escalation. Which solution will meet these requirements with the LEAST operational overhead?
A. Create an IAM group for each application team. Associate policies with each IAM group. Provision IAM users for each application team member. Add the new IAM users to the appropriate IAM group by using role-based access control (RBAC).
B. Delegate application team leads to provision IAM roles for each team. Conduct a quarterly review of the IAM roles the team leads have provisioned. Ensure that the application team leads have the appropriate training to review IAM roles.
C. Put each AWS account in its own OU. Add an SCP to each OU to grant access to only the AWS services that the teams plan to use. Include conditions in the AWS account of each team.
D. Create an SCP and a permissions boundary for IAM roles. Add the SCP to the root OU so that only roles that have the permissions boundary attached can create any new IAM roles.
Question # 100
A company is using Amazon Elastic Container Service (Amazon ECS) to deploy an application that deals with sensitive data. During a recent security audit, the company identified a security issue in which Amazon RDS credentials were stored with the application code in the company's source code repository. A security engineer needs to develop a solution to ensure that database credentials are stored securely and rotated periodically. The credentials should be accessible to the application only. The engineer also needs to prevent database administrators from sharing database credentials as plaintext with other teammates. The solution must also minimize administrative overhead. Which solution meets these requirements?
A. Use the AWS Systems Manager Parameter Store to generate database credentials. Use an IAM profile for ECS tasks to restrict access to database credentials to specific containers only.
B. Use AWS Secrets Manager to store database credentials. Use an IAM inline policy for ECS tasks to restrict access to database credentials to specific containers only.
C. Use the AWS Systems Manager Parameter Store to store database credentials. Use IAM roles for ECS tasks to restrict access to database credentials to specific containers only.
D. Use AWS Secrets Manager to store database credentials. Use IAM roles for ECS tasks to restrict access to database credentials to specific containers only.
Question # 101
A company wants to ensure that its AWS resources can be launched only in the us-east-1 and us-west-2 Regions. What is the MOST operationally efficient solution that will prevent developers from launching Amazon EC2 instances in other Regions?
A. Enable Amazon GuardDuty in all Regions. Create alerts to detect unauthorized activity outside us-east-1 and us-west-2.
B. Use an organization in AWS Organizations. Attach an SCP that allows all actions when the aws:RequestedRegion condition key is either us-east-1 or us-west-2. Delete the FullAWSAccess policy.
C. Provision EC2 resources by using AWS CloudFormation templates through AWS CodePipeline. Allow only the values of us-east-1 and us-west-2 in the AWS CloudFormation template's parameters.
D. Create an AWS Config rule to prevent unauthorized activity outside us-east-1 and us-west-2.
Question # 102
Which of the following are valid configurations for using SSL certificates with Amazon CloudFront? (Select THREE.)
A. Default AWS Certificate Manager certificate
B. Custom SSL certificate stored in AWS KMS
C. Default CloudFront certificate
D. Custom SSL certificate stored in AWS Certificate Manager
E. Default SSL certificate stored in AWS Secrets Manager
F. Custom SSL certificate stored in AWS IAM
Question # 103
A company wants to remove all SSH keys permanently from a specific subset of its Amazon Linux 2 Amazon EC2 instances that are using the same IAM instance profile. However, three individuals who have IAM user accounts will need to access these instances by using an SSH session to perform critical duties. How can a security engineer provide the access to meet these requirements?
A. Assign an IAM policy to the instance profile to allow the EC2 instances to be managed by AWS Systems Manager. Provide the IAM user accounts with permission to use Systems Manager. Remove the SSH keys from the EC2 instances. Use Systems Manager Inventory to select the EC2 instance and connect.
B. Assign an IAM policy to the IAM user accounts to provide permission to use AWS Systems Manager Run Command. Remove the SSH keys from the EC2 instances. Use Run Command to open an SSH connection to the EC2 instance.
C. Assign an IAM policy to the instance profile to allow the EC2 instances to be managed by AWS Systems Manager. Provide the IAM user accounts with permission to use Systems Manager. Remove the SSH keys from the EC2 instances. Use Systems Manager Session Manager to select the EC2 instance and connect.
D. Assign an IAM policy to the IAM user accounts to provide permission to use the EC2 service in the AWS Management Console. Remove the SSH keys from the EC2 instances. Connect to the EC2 instance as the ec2-user through the AWS Management Console's EC2 SSH client method.
Question # 104
A company has several petabytes of data. The company must preserve this data for 7 years to comply with regulatory requirements. The company's compliance team asks a security officer to develop a strategy that will prevent anyone from changing or deleting the data. Which solution will meet this requirement MOST cost-effectively?
A. Create an Amazon S3 bucket. Configure the bucket to use S3 Object Lock in compliance mode. Upload the data to the bucket. Create a resource-based bucket policy that meets all the regulatory requirements.
B. Create an Amazon S3 bucket. Configure the bucket to use S3 Object Lock in governance mode. Upload the data to the bucket. Create a user-based IAM policy that meets all the regulatory requirements.
C. Create a vault in Amazon S3 Glacier. Create a Vault Lock policy in S3 Glacier that meets all the regulatory requirements. Upload the data to the vault.
D. Create an Amazon S3 bucket. Upload the data to the bucket. Use a lifecycle rule to transition the data to a vault in S3 Glacier. Create a Vault Lock policy that meets all the regulatory requirements.
Question # 105
A recent security audit found that AWS CloudTrail logs are insufficiently protected from tampering and unauthorized access. Which actions must the Security Engineer take to address these audit findings? (Select THREE.)
A. Ensure CloudTrail log file validation is turned on
B. Configure an S3 lifecycle rule to periodically archive CloudTrail logs into Glacier for long-term storage
C. Use an S3 bucket with tight access controls that exists in a separate account
D. Use Amazon Inspector to monitor the file integrity of CloudTrail log files.
E. Request a certificate through ACM and use a generated certificate private key to encrypt CloudTrail log files
F. Encrypt the CloudTrail log files with server-side encryption with AWS KMS-managed keys (SSE-KMS)
Question # 106
A company is operating a website using Amazon CloudFront. CloudFront serves some content from Amazon S3 and other content from web servers running on EC2 instances behind an Application Load Balancer (ALB). Amazon DynamoDB is used as the data store. The company already uses AWS Certificate Manager (ACM) to store a public TLS certificate that can optionally secure connections between the website users and CloudFront. The company has a new requirement to enforce end-to-end encryption in transit. Which combination of steps should the company take to meet this requirement? (Select THREE.)
A. Update the CloudFront distribution, configuring it to optionally use HTTPS when connecting to origins on Amazon S3
B. Update the web application configuration on the web servers to use HTTPS instead of HTTP when connecting to DynamoDB
C. Update the CloudFront distribution to redirect HTTP connections to HTTPS
D. Configure the web servers on the EC2 instances to listen using HTTPS using the public ACM TLS certificate. Update the ALB to connect to the target group using HTTPS
E. Update the ALB listener to listen using HTTPS using the public ACM TLS certificate. Update the CloudFront distribution to connect to the HTTPS listener.
F. Create a TLS certificate. Configure the web servers on the EC2 instances to use HTTPS only with that certificate. Update the ALB to connect to the target group using HTTPS.
Question # 107
A company uses AWS Organizations to run workloads in multiple AWS accounts. Currently the individual team members at the company access all Amazon EC2 instances remotely by using SSH or Remote Desktop Protocol (RDP). The company does not have any audit trails, and security groups are occasionally open. The company must secure access management and implement a centralized logging solution. Which solution will meet these requirements MOST securely?
A. Configure trusted access for AWS Systems Manager in Organizations. Configure a bastion host from the management account. Replace SSH and RDP by using Systems Manager Session Manager from the management account. Configure Session Manager logging to Amazon CloudWatch Logs.
B. Replace SSH and RDP with AWS Systems Manager Session Manager. Install Systems Manager Agent (SSM Agent) on the instances. Attach the AmazonSSMManagedInstanceCore role to the instances. Configure session data streaming to Amazon CloudWatch Logs. Create a separate logging account that has appropriate cross-account permissions to audit the log data.
C. Install a bastion host in the management account. Reconfigure all SSH and RDP to allow access only from the bastion host. Install AWS Systems Manager Agent (SSM Agent) on the bastion host. Attach the AmazonSSMManagedInstanceCore role to the bastion host. Configure session data streaming to Amazon CloudWatch Logs in a separate logging account to audit log data.
D. Replace SSH and RDP with AWS Systems Manager State Manager. Install Systems Manager Agent (SSM Agent) on the instances. Attach the AmazonSSMManagedInstanceCore role to the instances. Configure session data streaming to Amazon CloudTrail. Use CloudTrail Insights to analyze the trail data.
Question # 108
Your company is planning on using bastion hosts for administering the servers in AWS. Which of the following is the best description of a bastion host from a security perspective? Please select:
A. A Bastion host should be on a private subnet and never a public subnet due to security concerns
B. A Bastion host sits on the outside of an internal network and is used as a gateway into the private network and is considered the critical strong point of the network
C. Bastion hosts allow users to log in using RDP or SSH and use that session to SSH into the internal network to access private subnet resources.
D. A Bastion host should maintain extremely tight security and monitoring as it is available to the public
Question # 109
A Development team has built an experimental environment to test a simple static web application. It has built an isolated VPC with a private and a public subnet. The public subnet holds only an Application Load Balancer, a NAT gateway, and an internet gateway. The private subnet holds all of the Amazon EC2 instances. There are 3 different types of servers. Each server type has its own Security Group that limits access to only required connectivity. The Security Groups have both inbound and outbound rules applied. Each subnet has both inbound and outbound network ACLs applied to limit access to only required connectivity. Which of the following should the team check if a server cannot establish an outbound connection to the internet? (Select THREE.)
A. The route tables and the outbound rules on the appropriate private subnet security group
B. The outbound network ACL rules on the private subnet and the inbound network ACL rules on the public subnet
C. The outbound network ACL rules on the private subnet and both the inbound and outbound rules on the public subnet
D. The rules on any host-based firewall that may be applied on the Amazon EC2 instances
E. The Security Group applied to the Application Load Balancer and NAT gateway
F. That the 0.0.0.0/0 route in the private subnet route table points to the internet gateway in the public subnet
Question # 110
Amazon GuardDuty has detected communications to a known command and control endpoint from a company's Amazon EC2 instance. The instance was found to be running a vulnerable version of a common web framework. The company's security operations team wants to quickly identify other compute resources with the specific version of that framework installed. Which approach should the team take to accomplish this task?
A. Scan all the EC2 instances for noncompliance with AWS Config. Use Amazon Athena to query AWS CloudTrail logs for the framework installation.
B. Scan all the EC2 instances with the Amazon Inspector Network Reachability rules package to identify instances running a web server with RecognizedPortWithListener findings.
C. Scan all the EC2 instances with AWS Systems Manager to identify the vulnerable version of the web framework.
D. Scan all the EC2 instances with AWS Resource Access Manager to identify the vulnerable version of the web framework.
Question # 111
A security team is developing an application on an Amazon EC2 instance to get objects from an Amazon S3 bucket. All objects in the S3 bucket are encrypted with an AWS Key Management Service (AWS KMS) customer managed key. All network traffic for requests that are made within the VPC is restricted to the AWS infrastructure. This traffic does not traverse the public internet. The security team is unable to get objects from the S3 bucket. Which factors could cause this issue? (Select THREE.)
A. The IAM instance profile that is attached to the EC2 instance does not allow the s3:ListBucket action on the S3 bucket in the AWS account.
B. The IAM instance profile that is attached to the EC2 instance does not allow the s3:ListParts action on the S3 bucket in the AWS account.
C. The KMS key policy that encrypts the object in the S3 bucket does not allow the kms:ListKeys action to the EC2 instance profile ARN.
D. The KMS key policy that encrypts the object in the S3 bucket does not allow the kms:Decrypt action to the EC2 instance profile ARN.
E. The security group that is attached to the EC2 instance is missing an outbound rule to the S3 managed prefix list over port 443.
F. The security group that is attached to the EC2 instance is missing an inbound rule from the S3 managed prefix list over port 443.
Question # 112
A company is running internal microservices on Amazon Elastic Container Service (Amazon ECS) with the Amazon EC2 launch type. The company is using Amazon Elastic Container Registry (Amazon ECR) private repositories. A security engineer needs to encrypt the private repositories by using AWS Key Management Service (AWS KMS). The security engineer also needs to analyze the container images for any common vulnerabilities and exposures (CVEs). Which solution will meet these requirements?
A. Enable KMS encryption on the existing ECR repositories. Install Amazon Inspector Agent from the ECS container instances' user data. Run an assessment with the CVE rules.
B. Recreate the ECR repositories with KMS encryption and ECR scanning enabled. Analyze the scan report after the next push of images.
C. Recreate the ECR repositories with KMS encryption and ECR scanning enabled. Install AWS Systems Manager Agent on the ECS container instances. Run an inventory report.
D. Enable KMS encryption on the existing ECR repositories. Use AWS Trusted Advisor to check the ECS container instances and to verify the findings against a list of current CVEs.
Question # 113
A company uses Amazon RDS for MySQL as a database engine for its applications. A recent security audit revealed an RDS instance that is not compliant with company policy for encrypting data at rest. A security engineer at the company needs to ensure that all existing RDS databases are encrypted using server-side encryption and that any future deviations from the policy are detected. Which combination of steps should the security engineer take to accomplish this? (Select TWO.)
A. Create an AWS Config rule to detect the creation of unencrypted RDS databases. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to trigger on the AWS Config rule's compliance state change and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.
B. Use AWS Systems Manager State Manager to detect RDS database encryption configuration drift. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to track state changes and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.
C. Create a read replica for the existing unencrypted RDS database and enable replica encryption in the process. Once the replica becomes active, promote it into a standalone database instance and terminate the unencrypted database instance.
D. Take a snapshot of the unencrypted RDS database. Copy the snapshot and enable snapshot encryption in the process. Restore the database instance from the newly created encrypted snapshot. Terminate the unencrypted database instance.
E. Enable encryption for the identified unencrypted RDS instance by changing the configuration of the existing database.
Question # 114
A security engineer has enabled AWS Security Hub in their AWS account, and has enabled the Center for Internet Security (CIS) AWS Foundations compliance standard. No evaluation results on compliance are returned in the Security Hub console after several hours. The engineer wants to ensure that Security Hub can evaluate their resources for CIS AWS Foundations compliance. Which steps should the security engineer take to meet these requirements?
A. Add full Amazon Inspector IAM permissions to the Security Hub service role to allow it to perform the CIS compliance evaluation.
B. Ensure that AWS Trusted Advisor is enabled in the account and that the Security Hub service role has permissions to retrieve the Trusted Advisor security-related recommended actions.
C. Ensure that AWS Config is enabled in the account, and that the required AWS Config rules have been created for the CIS compliance evaluation.
D. Ensure that the correct trail in AWS CloudTrail has been configured for monitoring by Security Hub and that the Security Hub service role has permissions to perform the GetObject operation on CloudTrail's Amazon S3 bucket.
Question # 115
A company's application team wants to replace an internal application with a new AWS architecture that consists of Amazon EC2 instances, an AWS Lambda function, and an Amazon S3 bucket in a single AWS Region. After an architecture review, the security team mandates that no application network traffic can traverse the public internet at any point. The security team already has an SCP in place for the company's organization in AWS Organizations to restrict the creation of internet gateways, NAT gateways, and egress-only gateways. Which combination of steps should the application team take to meet these requirements? (Select THREE.)
A. Create an S3 endpoint that has a full-access policy for the application's VPC.
B. Create an S3 access point for the S3 bucket. Include a policy that restricts the network origin to VPCs.
C. Launch the Lambda function. Enable the block public access configuration.
D. Create a security group that has an outbound rule over port 443 with a destination of the S3 endpoint. Associate the security group with the EC2 instances.
E. Create a security group that has an outbound rule over port 443 with a destination of the S3 access point. Associate the security group with the EC2 instances.
F. Launch the Lambda function in a VPC.
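The control that Question 115 turns on is a gateway VPC endpoint for S3 combined with a bucket policy that refuses any request that did not arrive through that endpoint. The bucket policy below is an added example and is not part of the exam material or of any AWS sample: the bucket name `example-app-bucket`, the endpoint ID `vpce-0123456789abcdef0`, the account ID `123456789012` and the role name `app-ec2-role` are placeholders. Requests that pass through a VPC endpoint carry the `aws:SourceVpce` condition key; requests from the public internet, or from a VPC without the endpoint, do not.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowApplicationRoleThroughTheEndpoint",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::123456789012:role/app-ec2-role" },
      "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::example-app-bucket",
        "arn:aws:s3:::example-app-bucket/*"
      ],
      "Condition": {
        "StringEquals": { "aws:SourceVpce": "vpce-0123456789abcdef0" }
      }
    },
    {
      "Sid": "DenyAnyRequestThatDidNotArriveThroughTheEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-app-bucket",
        "arn:aws:s3:::example-app-bucket/*"
      ],
      "Condition": {
        "StringNotEquals": { "aws:SourceVpce": "vpce-0123456789abcdef0" }
      }
    }
  ]
}
```

Two practical caveats. The explicit Deny also blocks the S3 console and the CLI from outside the VPC, including the account's administrators, so apply it with a break-glass exception or test it on a throwaway bucket first. The Lambda function only satisfies the condition if it is attached to the VPC; a function outside a VPC reaches S3 over the public endpoint and is denied. On the EC2 side, a security group outbound rule needs a destination it can express: the gateway endpoint's managed prefix list (`pl-...`) over TCP 443 works, whereas an S3 access point is not a network destination a security group can reference.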
Question # 116
A company has multiple accounts in the AWS Cloud. Users in the developer account need to have access to specific resources in the production account. What is the MOST secure way to provide this access?
A. Create one IAM user in the production account. Grant the appropriate permissions to the resources that are needed. Share the password only with the users that need access.
B. Create cross-account access with an IAM role in the developer account. Grant the appropriate permissions to this role. Allow users in the developer account to assume this role to access the production resources.
C. Create cross-account access with an IAM user account in the production account. Grant the appropriate permissions to this user account. Allow users in the developer account to use this user account to access the production resources.
D. Create cross-account access with an IAM role in the production account. Grant the appropriate permissions to this role. Allow users in the developer account to assume this role to access the production resources.
Question # 117
An international company has established a new business entity in South Korea. The company also has established a new AWS account to contain the workload for the South Korean region. The company has set up the workload in the new account in the ap-northeast-2 Region. The workload consists of three Auto Scaling groups of Amazon EC2 instances. All workloads that operate in this Region must keep system logs and application logs for 7 years. A security engineer must implement a solution to ensure that no logging data is lost for each instance during scaling activities. The solution also must keep the logs for only the required period of 7 years. Which combination of steps should the security engineer take to meet these requirements? (Choose three.)
A. Ensure that the Amazon CloudWatch agent is installed on all the EC2 instances that the Auto Scaling groups launch. Generate a CloudWatch agent configuration file to forward the required logs to Amazon CloudWatch Logs.
B. Set the log retention for desired log groups to 7 years.
C. Attach an IAM role to the launch configuration or launch template that the Auto Scaling groups use. Configure the role to provide the necessary permissions to forward logs to Amazon CloudWatch Logs.
D. Attach an IAM role to the launch configuration or launch template that the Auto Scaling groups use. Configure the role to provide the necessary permissions to forward logs to Amazon S3.
E. Ensure that a log forwarding application is installed on all the EC2 instances that the Auto Scaling groups launch. Configure the log forwarding application to periodically bundle the logs and forward the logs to Amazon S3.
F. Configure an Amazon S3 Lifecycle policy on the target S3 bucket to expire objects after 7 years.
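Question 117 describes a CloudWatch agent configuration that ships logs off the instance as they are written and a retention period on the log groups. The agent configuration below is an added example, not part of the exam material: the file paths `/var/log/messages` and `/opt/app/logs/application.log` and the log-group names are placeholders. `2557` days is the 7-year value in CloudWatch Logs' fixed list of retention settings, and `{instance_id}` is expanded by the agent so that each instance, including ones launched by scale-out, writes to its own stream.

```json
{
  "agent": {
    "region": "ap-northeast-2"
  },
  "logs": {
    "force_flush_interval": 5,
    "logs_collected": {
      "files": {
        "collect_list": [
          {
            "file_path": "/var/log/messages",
            "log_group_name": "/apne2/workload/system",
            "log_stream_name": "{instance_id}",
            "timezone": "UTC",
            "retention_in_days": 2557
          },
          {
            "file_path": "/opt/app/logs/application.log",
            "log_group_name": "/apne2/workload/application",
            "log_stream_name": "{instance_id}",
            "timezone": "UTC",
            "retention_in_days": 2557
          }
        ]
      }
    }
  }
}
```

The instance role in the launch template needs `logs:CreateLogGroup`, `logs:CreateLogStream`, `logs:PutLogEvents` and, because `retention_in_days` is set, `logs:PutRetentionPolicy`; the managed CloudWatchAgentServerPolicy covers all of them. Without a retention setting a log group defaults to "Never expire", which violates the "only 7 years" requirement, so confirm the result with `aws logs describe-log-groups` after the first instance reports in. `force_flush_interval` bounds how many seconds of buffered lines can be lost when a scale-in event terminates an instance; if that window is still too large, add a termination lifecycle hook that delays shutdown until the agent has flushed.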
Question # 118
Your company uses AWS to host its resources. They have the following requirements: 1) Record all API calls and transitions. 2) Help in understanding what resources are there in the account. 3) Facility to allow auditing credentials and logins. Which services would satisfy the above requirements? Please select:
A. Amazon Inspector, CloudTrail, IAM Credential Reports
B. CloudTrail, IAM Credential Reports, Amazon SNS
C. CloudTrail, AWS Config, IAM Credential Reports
D. Amazon SQS, IAM Credential Reports, CloudTrail
Question # 119
A company needs to use HTTPS when connecting to its web applications to meet compliance requirements. These web applications run in Amazon VPC on Amazon EC2 instances behind an Application Load Balancer (ALB). A security engineer wants to ensure that the load balancer will only accept connections over port 443, even if the ALB is mistakenly configured with an HTTP listener. Which configuration steps should the security engineer take to accomplish this task?
A. Create a security group with a rule that denies inbound connections from 0.0.0.0/0 on port 80. Attach this security group to the ALB to overwrite more permissive rules from the ALB's default security group.
B. Create a network ACL that denies inbound connections from 0.0.0.0/0 on port 80. Associate the network ACL with the VPC's internet gateway.
C. Create a network ACL that allows outbound connections to the VPC IP range on port 443 only. Associate the network ACL with the VPC's internet gateway.
D. Create a security group with a single inbound rule that allows connections from 0.0.0.0/0 on port 443. Ensure this security group is the only one associated with the ALB.
Question # 120
A company has an AWS Lambda function that creates image thumbnails from larger images. The Lambda function needs read and write access to an Amazon S3 bucket in the same AWS account. Which solutions will provide the Lambda function this access? (Select TWO.)
A. Create an IAM user that has only programmatic access. Create a new access key pair. Add environment variables to the Lambda function with the access key ID and secret access key. Modify the Lambda function to use the environment variables at run time during communication with Amazon S3.
B. Generate an Amazon EC2 key pair. Store the private key in AWS Secrets Manager. Modify the Lambda function to retrieve the private key from Secrets Manager and to use the private key during communication with Amazon S3.
C. Create an IAM role for the Lambda function. Attach an IAM policy that allows access to the S3 bucket.
D. Create an IAM role for the Lambda function. Attach a bucket policy to the S3 bucket to allow access. Specify the function's IAM role as the principal.
E. Create a security group. Attach the security group to the Lambda function. Attach a bucket policy that allows access to the S3 bucket through the security group ID.
Question # 121
A security team is using Amazon EC2 Image Builder to build a hardened AMI with forensic capabilities. An AWS Key Management Service (AWS KMS) key will encrypt the forensic AMI. EC2 Image Builder successfully installs the required patches and packages in the security team's AWS account. The security team uses a federated IAM role in the same AWS account to sign in to the AWS Management Console and attempts to launch the forensic AMI. The EC2 instance launches and immediately terminates. What should the security team do to launch the EC2 instance successfully?
A. Update the policy that is associated with the federated IAM role to allow the ec2:DescribeImages action for the forensic AMI.
B. Update the policy that is associated with the federated IAM role to allow the ec2:StartInstances action in the security team's AWS account.
C. Update the policy that is associated with the KMS key that is used to encrypt the forensic AMI. Configure the policy to allow the kms:Encrypt and kms:Decrypt actions for the federated IAM role.
D. Update the policy that is associated with the federated IAM role to allow the kms:DescribeKey action for the KMS key that is used to encrypt the forensic AMI.
Question # 122
A company stores images for a website in an Amazon S3 bucket. The company is using Amazon CloudFront to serve the images to end users. The company recently discovered that the images are being accessed from countries where the company does not have a distribution license. Which actions should the company take to secure the images to limit their distribution? (Select TWO.)
A. Update the S3 bucket policy to restrict access to a CloudFront origin access identity (OAI).
B. Update the website DNS record to use an Amazon Route 53 geolocation record deny list of countries where the company lacks a license.
C. Add a CloudFront geo restriction deny list of countries where the company lacks a license.
D. Update the S3 bucket policy with a deny list of countries where the company lacks a license.
E. Enable the Restrict Viewer Access option in CloudFront to create a deny list of countries where the company lacks a license.
Question # 123
A large corporation is creating a multi-account strategy and needs to determine how its employees should access the AWS infrastructure. Which of the following solutions would provide the MOST scalable solution?
A. Create dedicated IAM users within each AWS account that employees can assume through federation based upon group membership in their existing identity provider.
B. Use a centralized account with IAM roles that employees can assume through federation with their existing identity provider. Use cross-account roles to allow the federated users to assume their target role in the resource accounts.
C. Configure the AWS Security Token Service to use Kerberos tokens so that users can use their existing corporate user names and passwords to access AWS resources directly.
D. Configure the IAM trust policies within each account's role to set up a trust back to the corporation's existing identity provider, allowing users to assume the role based off their SAML token.
Question # 124
A developer has created an AWS Lambda function in a company's development account. The Lambda function requires the use of an AWS Key Management Service (AWS KMS) customer managed key that exists in a security account that the company's security team controls. The developer obtains the ARN of the KMS key from a previous Lambda function in the development account. The previous Lambda function had been working properly with the KMS key. When the developer uses the ARN and tests the new Lambda function, an error message states that access is denied to the KMS key in the security account. The developer tests the previous Lambda function that uses the same KMS key and discovers that the previous Lambda function still can encrypt data as expected. A security engineer must resolve the problem so that the new Lambda function in the development account can use the KMS key from the security account. Which combination of steps should the security engineer take to meet these requirements? (Select TWO.)
A. In the security account, configure an IAM role for the new Lambda function. Attach an IAM policy that allows access to the KMS key in the security account.
B. In the development account, configure an IAM role for the new Lambda function. Attach a key policy that allows access to the KMS key in the security account.
C. In the development account, configure an IAM role for the new Lambda function. Attach an IAM policy that allows access to the KMS key in the security account.
D. Configure a key policy for the KMS key in the security account to allow access to the IAM role of the new Lambda function in the security account.
E. Configure a key policy for the KMS key in the security account to allow access to the IAM role of the new Lambda function in the development account.
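Questions 111 and 124 rest on the same rule: the key policy is the primary access control for an AWS KMS key. An IAM identity policy on its own grants nothing unless the key policy either names the calling principal or delegates to IAM by granting `kms:*` to the account root, and for an SSE-KMS object S3 calls `kms:Decrypt` on the caller's behalf, so `s3:GetObject` fails when that KMS permission is missing. The key policy below is an added example and not part of the exam material: the account IDs `111111111111` (security account, owner of the key) and `222222222222` (development account) and the role name `new-lambda-role` are placeholders.

```json
{
  "Version": "2012-10-17",
  "Id": "shared-key-policy-example",
  "Statement": [
    {
      "Sid": "AllowTheSecurityAccountToAdministerTheKeyThroughIAM",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111111111111:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowTheNewDevelopmentLambdaRoleToUseTheKey",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::222222222222:role/new-lambda-role" },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}
```

Because the caller is in another account, the key policy is necessary but not sufficient: the development account must also attach an identity policy to `new-lambda-role` that allows the same actions on the key ARN (`arn:aws:kms:<region>:111111111111:key/<key-id>`), and the Lambda function must run as that role. A check worth making when "the old function works and the new one does not" is whether the key policy actually contains the new role's ARN; if a role named in a key policy is deleted and recreated under the same name, KMS keeps the deleted role's unique principal ID in the policy, so the recreated role no longer matches until the policy is edited again. Note also that `kms:ListKeys` is an account-level listing call; it plays no part in decrypting an object.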
Question # 125
A company is using Amazon Macie, AWS Firewall Manager, Amazon Inspector, and AWS Shield Advanced in its AWS account. The company wants to receive alerts if a DDoS attack occurs against the account. Which solution will meet this requirement?
A. Use Macie to detect an active DDoS event. Create Amazon CloudWatch alarms that respond to Macie findings.
B. Use Amazon Inspector to review resources and to invoke Amazon CloudWatch alarms for any resources that are vulnerable to DDoS attacks.
C. Create an Amazon CloudWatch alarm that monitors Firewall Manager metrics for an active DDoS event.
D. Create an Amazon CloudWatch alarm that monitors Shield Advanced metrics for an active DDoS event.
Question # 126
A company has a single AWS account and uses an Amazon EC2 instance to test application code. The company recently discovered that the instance was compromised. The instance was serving up malware. The analysis of the instance showed that the instance was compromised 35 days ago. A security engineer must implement a continuous monitoring solution that automatically notifies the company's security team about compromised instances through an email distribution list for high severity findings. The security engineer must implement the solution as soon as possible. Which combination of steps should the security engineer take to meet these requirements? (Choose three.)
A. Enable AWS Security Hub in the AWS account.
B. Enable Amazon GuardDuty in the AWS account.
C. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team's email distribution list to the topic.
D. Create an Amazon Simple Queue Service (Amazon SQS) queue. Subscribe the security team's email distribution list to the queue.
E. Create an Amazon EventBridge (Amazon CloudWatch Events) rule for GuardDuty findings of high severity. Configure the rule to publish a message to the topic.
F. Create an Amazon EventBridge (Amazon CloudWatch Events) rule for Security Hub findings of high severity. Configure the rule to publish a message to the queue.
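The notification path that Question 126 describes, GuardDuty finding to EventBridge rule to SNS topic to e-mail, fits in one CloudFormation template. The template below is an added example, not part of the exam material or of an AWS sample: the logical resource names, the e-mail address `security-team@example.com` and the severity threshold are choices made here. It assumes GuardDuty is already enabled in the account and Region (an account can have only one detector per Region, so the template does not try to create one). GuardDuty rates High findings from 7.0 to 8.9, and the event pattern uses EventBridge numeric matching so that anything at or above 7 is routed.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Example: e-mail the security team when GuardDuty reports a high-severity finding",
  "Parameters": {
    "SecurityTeamEmail": {
      "Type": "String",
      "Default": "security-team@example.com",
      "Description": "Distribution list that receives the alerts (placeholder value)"
    }
  },
  "Resources": {
    "SecurityFindingsTopic": {
      "Type": "AWS::SNS::Topic",
      "Properties": {
        "Subscription": [
          { "Protocol": "email", "Endpoint": { "Ref": "SecurityTeamEmail" } }
        ]
      }
    },
    "HighSeverityGuardDutyRule": {
      "Type": "AWS::Events::Rule",
      "Properties": {
        "Description": "GuardDuty findings with severity 7.0 or higher",
        "State": "ENABLED",
        "EventPattern": {
          "source": ["aws.guardduty"],
          "detail-type": ["GuardDuty Finding"],
          "detail": {
            "severity": [ { "numeric": [">=", 7] } ]
          }
        },
        "Targets": [
          {
            "Id": "SecurityTeamTopic",
            "Arn": { "Ref": "SecurityFindingsTopic" },
            "InputTransformer": {
              "InputPathsMap": {
                "severity": "$.detail.severity",
                "type": "$.detail.type",
                "title": "$.detail.title",
                "region": "$.region"
              },
              "InputTemplate": "\"GuardDuty severity <severity> in <region>: <type> - <title>\""
            }
          }
        ]
      }
    },
    "AllowEventBridgeToPublish": {
      "Type": "AWS::SNS::TopicPolicy",
      "Properties": {
        "Topics": [ { "Ref": "SecurityFindingsTopic" } ],
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "AllowOnlyThisRuleToPublish",
              "Effect": "Allow",
              "Principal": { "Service": "events.amazonaws.com" },
              "Action": "sns:Publish",
              "Resource": { "Ref": "SecurityFindingsTopic" },
              "Condition": {
                "ArnEquals": {
                  "aws:SourceArn": { "Fn::GetAtt": [ "HighSeverityGuardDutyRule", "Arn" ] }
                }
              }
            }
          ]
        }
      }
    }
  }
}
```

The e-mail subscription stays in "pending confirmation" until someone on the distribution list clicks the link SNS sends, so the alerting path is not live until that is done. The topic policy is the part most often forgotten: without a statement that lets `events.amazonaws.com` publish, the rule matches but every delivery fails, and the `aws:SourceArn` condition keeps another account's rule from reusing the topic. GuardDuty sends a new finding to EventBridge within about five minutes; repeat occurrences of the same finding are sent on the detector's finding-publishing frequency, so a quiet topic after an initial alert is expected rather than a sign of breakage.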
Question # 127
An application team wants to use AWS Certificate Manager (ACM) to request public certificates to ensure that data is secured in transit. The domains that are being used are not currently hosted on Amazon Route 53. The application team wants to use an AWS managed distribution and caching solution to optimize requests to its systems and provide better points of presence to customers. The distribution solution will use a primary domain name that is customized. The distribution solution also will use several alternative domain names. The certificates must renew automatically over an indefinite period of time. Which combination of steps should the application team take to deploy this architecture? (Select THREE.)
A. Request a certificate from ACM in the us-west-2 Region. Add the domain names that the certificate will secure.
B. Send an email message to the domain administrators to request validation of the domains for ACM.
C. Request validation of the domains for ACM through DNS. Insert CNAME records into each domain's DNS zone.
D. Create an Application Load Balancer for the caching solution. Select the newly requested certificate from ACM to be used for secure connections.
E. Create an Amazon CloudFront distribution for the caching solution. Enter the main CNAME record as the Origin Name. Enter the subdomain names or alternate names in the Alternate Domain Names Distribution Settings. Select the newly requested certificate from ACM to be used for secure connections.
F. Request a certificate from ACM in the us-east-1 Region. Add the domain names that the certificate will secure.
Question # 128
A company is undergoing a layer 3 and layer 4 DDoS attack on its web servers running on AWS. Which combination of AWS services and features will provide protection in this scenario? (Select THREE.)
A. Amazon Route 53
B. AWS Certificate Manager (ACM)
C. Amazon S3
D. AWS Shield
E. Elastic Load Balancer
F. Amazon GuardDuty
Question # 129
Your company has just set up a new central server in a VPC. There is a requirement for other teams who have their servers located in different VPCs in the same region to connect to the central server. Which of the below options is best suited to achieve this requirement? Please select:
A. Set up VPC peering between the central server VPC and each of the teams' VPCs.
B. Set up AWS Direct Connect between the central server VPC and each of the teams' VPCs.
C. Set up an IPSec Tunnel between the central server VPC and each of the teams VPCs.
D. None of the above options will work.
Question # 130
A security engineer wants to evaluate configuration changes to a specific AWS resource to ensure that the resource meets compliance standards. However, the security engineer is concerned about a situation in which several configuration changes are made to the resource in quick succession. The security engineer wants to record only the latest configuration of that resource to indicate the cumulative impact of the set of changes. Which solution will meet this requirement in the MOST operationally efficient way?
A. Use AWS CloudTrail to detect the configuration changes by filtering API calls to monitor the changes. Use the most recent API call to indicate the cumulative impact of multiple calls.
B. Use AWS Config to detect the configuration changes and to record the latest configuration in case of multiple configuration changes.
C. Use Amazon CloudWatch to detect the configuration changes by filtering API calls to monitor the changes. Use the most recent API call to indicate the cumulative impact of multiple calls.
D. Use AWS Cloud Map to detect the configuration changes. Generate a report of configuration changes from AWS Cloud Map to track the latest state by using a sliding time window.
Question # 131
A company has an AWS account that hosts a production application. The company receives an email notification that Amazon GuardDuty has detected an Impact:IAMUser/AnomalousBehavior finding in the account. A security engineer needs to run the investigation playbook for this security incident and must collect and analyze the information without affecting the application. Which solution will meet these requirements MOST quickly?
A. Log in to the AWS account by using read-only credentials. Review the GuardDuty finding for details about the IAM credentials that were used. Use the IAM console to add a DenyAll policy to the IAM principal.
B. Log in to the AWS account by using read-only credentials. Review the GuardDuty finding to determine which API calls initiated the finding. Use Amazon Detective to review the API calls in context.
C. Log in to the AWS account by using administrator credentials. Review the GuardDuty finding for details about the IAM credentials that were used. Use the IAM console to add a DenyAll policy to the IAM principal.
D. Log in to the AWS account by using read-only credentials. Review the GuardDuty finding to determine which API calls initiated the finding. Use AWS CloudTrail Insights and AWS CloudTrail Lake to review the API calls in context.