Summer Sale Limited Time Flat 70% Discount offer - Ends in 0d 00h 00m 00s - Coupon code: 70spcl

Amazon Web Services SCS-C03 AWS Certified Security – Specialty Exam Practice Test

Page: 1 / 23
Total 231 questions

AWS Certified Security – Specialty Questions and Answers

Question 1

A company is using AWS to run a long-running analysis process on data that is stored in Amazon S3 buckets. The process runs on a fleet of Amazon EC2 instances in an Auto Scaling group. The EC2 instances are deployed in a private subnet that does not have internet access.

The EC2 instances access Amazon S3 through an S3 gateway endpoint that has the default access policy. Each EC2 instance uses an instance profile role that allows s3:GetObject and s3:PutObject only for required S3 buckets.

The company learns that one or more EC2 instances are compromised and are exfiltrating data to an S3 bucket that isoutside the company’s AWS Organization. The processing job must continue to function.

Which solution will meet these requirements?

Options:

A.

Update the policy on the S3 gateway endpoint to allow S3 actions only if aws:ResourceOrgId and aws:PrincipalOrgId match the company’s organization.

B.

Update the instance profile role policy to require aws:ResourceOrgId.

C.

Add a network ACL rule to block outbound traffic on port 443.

D.

Apply an SCP that restricts S3 actions using organization condition keys.

Question 2

A security engineer wants to evaluate configuration changes to a specific AWS resource to ensure that the resource meets compliance standards. However, the security engineer is concerned about a situation in which several configuration changes are made to the resource in quick succession. The security engineer wants to record only the latest configuration of that resource to indicate the cumulative impact of the set of changes.

Which solution will meet this requirement in the MOST operationally efficient way?

Options:

A.

Use AWS CloudTrail to detect the configuration changes by filtering API calls to monitor the changes. Use the most recent API call to indicate the cumulative impact of multiple calls.

B.

Use AWS Config to detect the configuration changes and to record the latest configuration in case of multiple configuration changes.

C.

Use Amazon CloudWatch to detect the configuration changes by filtering API calls to monitor the changes. Use the most recent API call to indicate the cumulative impact of multiple calls.

D.

Use AWS Cloud Map to detect the configuration changes. Generate a report of configuration changes from AWS Cloud Map to track the latest state by using a sliding time window.

Question 3

A company wants to remove all SSH keys permanently from a specific subset of its Amazon Linux 2 Amazon EC2 instances that are using the same IAM instance profile. However, three individuals who have IAM user accounts will need to access these instances by using an SSH session to perform critical duties.

How can a security engineer provide the access to meet these requirements?

Options:

A.

Assign an IAM policy to the instance profile to allow the EC2 instances to be managed by AWS Systems Manager. Provide the IAM user accounts with permission to use Systems Manager. Remove the SSH keys from the EC2 instances. Use Systems Manager Inventory to select the EC2 instance and connect.

B.

Assign an IAM policy to the IAM user accounts to provide permission to use AWS Systems Manager Run Command. Remove the SSH keys from the EC2 instances. Use Run Command to open an SSH connection to the EC2 instance.

C.

Assign an IAM policy to the instance profile to allow the EC2 instances to be managed by AWS Systems Manager. Provide the IAM user accounts with permission to use Systems Manager. Remove the SSH keys from the EC2 instances. Use Systems Manager Session Manager to select the EC2 instance and connect.

D.

Assign an IAM policy to the IAM user accounts to provide permission to use the EC2 service in the AWS Management Console. Remove the SSH keys from the EC2 instances. Connect to the EC2 instance as the ec2-user through the AWS Management Console’s EC2 SSH client method.

Question 4

A company needs to deploy AWS CloudFormation templates that configure sensitive database credentials. The company already uses AWS Key Management Service (AWS KMS) and AWS Secrets Manager.

Which solution will meet the requirements?

Options:

A.

Use a dynamic reference in the CloudFormation template to reference the database credentials in Secrets Manager.

B.

Use encrypted parameters in the CloudFormation template.

C.

Use SecureString parameters to reference Secrets Manager.

D.

Use SecureString parameters encrypted by AWS KMS.

Question 5

A company uses AWS IAM Identity Center to manage access to its AWS accounts. The accounts are in an organization in AWS Organizations. A security engineer needs to set up delegated administration of IAM Identity Center in the organization’s management account.

Which combination of steps should the security engineer perform in IAM Identity Center before configuring delegated administration? (Select THREE.)

Options:

A.

Grant least privilege access to the organization ' s management account.

B.

Create a new IAM Identity Center directory in the organization ' s management account.

C.

Set up a second AWS Region in the organization’s management account.

D.

Create permission sets for use only in the organization ' s management account.

E.

Create IAM users for use only in the organization ' s management account.

F.

Create user assignments only in the organization ' s management account.

Question 6

A company uploads data files as objects into an Amazon S3 bucket. A vendor downloads the objects to perform data processing.

A security engineer must implement a solution that prevents objects from residing in the S3 bucket for longer than 72 hours.

Options:

A.

Configure S3 Versioning to expire object versions that have been in the bucket for 72 hours.

B.

Configure an S3 Lifecycle configuration rule on the bucket to expire objects after 72 hours.

C.

Use the S3 Intelligent-Tiering storage class and configure expiration after 72 hours.

D.

Generate presigned URLs that expire after 72 hours.

Question 7

A security engineer needs to prepare for a security audit of an AWS account.

Select the correct AWS resource from the following list to meet each requirement. Select each resource one time or not at all. (Select THREE.)

• AWS Artifact reports

• AWS Audit Manager controls

• AWS Config conformance packs

• AWS Config rules

• Amazon Detective investigations

• AWS Identity and Access Management Access Analyzer internal access analyzers

Question # 7

Options:

Question 8

A security engineer needs to implement a logging solution that captures detailed information about objects in an Amazon S3 bucket. The solution must include details such as the IAM identity that makes the request and the time the object was accessed. The data must be structured and available in near real time.

Which solution meets these requirements?

Options:

A.

Enable Amazon S3 server access logging on the S3 bucket. Create a new S3 bucket to store the logs. Analyze the logs from the logging S3 bucket.

B.

Enable AWS CloudTrail data event logging. Create a new S3 bucket to store the logs. Analyze the logs from the logging S3 bucket.

C.

Configure AWS Config rules to log access to the objects stored in the S3 bucket.

D.

Enable Amazon Macie to log access to the objects stored in the S3 bucket.

Question 9

A security engineer received an Amazon GuardDuty alert indicating a finding involving the Amazon EC2 instance that hosts the company ' s primary website. The GuardDuty finding received read:UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration. The security engineer confirmed that a malicious actor used API access keys intended for the EC2 instance from a country where the company does not operate. The security engineer needs to deny access to the malicious actor.

What is the first step the security engineer should take?

Options:

A.

Open the EC2 console and remove any security groups that allow inbound traffic from 0.0.0.0/0.

B.

Install the AWS Systems Manager Agent on the EC2 instance and run an inventory report.

C.

Install the Amazon Inspector agent on the host and run an assessment with the CVE rules package.

D.

Open the IAM console and revoke all IAM sessions that are associated with the instance profile.

Question 10

A company is running a containerized application on an Amazon Elastic Container Service (Amazon ECS) cluster that uses AWS Fargate. The application runs as several ECS services.

The ECS services are in individual target groups for an internet-facing Application Load Balancer (ALB). The ALB is the origin for an Amazon CloudFront distribution. An AWS WAF web ACL is associated with the CloudFront distribution.

Web clients access the ECS services through the CloudFront distribution. The company learns that the web clients can bypass the web ACL and can access the ALB directly.

Which solution will prevent the web clients from directly accessing the ALB?

Options:

A.

Create an AWS PrivateLink endpoint and set it as the CloudFront origin.

B.

Create a new internal ALB and delete the internet-facing ALB.

C.

Modify the ALB listener rules to allow only CloudFront IP ranges.

D.

Add a custom X-Shared-Secret header in CloudFront and configure the ALB listener rules to allow requests only when the header value matches.

Question 11

A company is running a new workload across accounts that are in an organization in AWS Organizations. All running resources must have a tag ofCostCenter, and the tag must have one of three approved values. The company must enforce this policy and must prevent any changes of the CostCenter tag to a non-approved value.

Which solution will meet these requirements?

Options:

A.

Create an AWS Config Custom Policy rule by using AWS CloudFormation Guard. Include the tag key of CostCenter and the approved values. Create an SCP that denies the creation of resources when the value of the aws:RequestTag/CostCenter condition key is not one of the three approved values.

B.

Create an AWS CloudTrail trail. Create an Amazon EventBridge rule that includes a rule statement that matches the creation of new resources. Configure the EventBridge rule to invoke an AWS Lambda function that checks for the CostCenter tag. Program the Lambda function to block creation in case of a noncompliant value.

C.

Enable tag policies for the organization. Create a tag policy that specifies a tag key of CostCenter and the approved values. Configure the policy to enforce noncompliant operations. Create an SCP that denies the creation of resources when the aws:RequestTag/CostCenter condition key has a null value.

D.

Enable tag policies for the organization. Create a tag policy that specifies a tag key of CostCenter and the approved values. Create an Amazon EventBridge rule that invokes an AWS Lambda function when a noncompliant tag is created. Program the Lambda function to block changes to the tag.

Question 12

A company uses several AWS CloudFormation stacks to handle the deployment of a suite of applications. The leader of the company ' s application development team notices that the stack deployments fail with permission errors when some team members try to deploy the stacks. However, other team members can deploy the stacks successfully.

The team members access the account by assuming a role that has a specific set of permissions. All team members have permissions to perform operations on the stacks.

Which combination of steps will ensure consistent deployment of the stacksMOST securely? (Select THREE.)

Options:

A.

Create a service role that has a composite principal that contains each service that needs the necessary permissions.

B.

Create a service role that has cloudformation.amazonaws.com as the service principal.

C.

Add policies that reference each CloudFormation stack ARN.

D.

Add policies that reference the ARNs of each AWS service that requires permissions.

E.

Update each stack to use the service role.

F.

Add a policy to each member role to allow the iam:PassRole action for the service role.

Question 13

A company runs several applications on Amazon Elastic Kubernetes Service (Amazon EKS). The company needs a solution to detect any Kubernetes security risks by monitoring Amazon EKS audit logs in addition to operating system, networking, and file events. The solution must send email alerts for any identified risks to a mailing list that is associated with a security team.

Which solution will meet these requirements?

Options:

A.

Deploy AWS Security Hub and enable security standards that contain EKS controls. Create an Amazon Simple Notification Service (Amazon SNS) topic and set the security team’s mailing list as a subscriber. Use an Amazon EventBridge rule to send relevant Security Hub events to the SNS topic.

B.

Enable Amazon Inspector container image scanning. Configure Amazon Detective to analyze EKS security logs. Create Amazon CloudWatch log groups for EKS audit logs. Use an AWS Lambda function to process the logs and to send email alerts to the security team.

C.

Enable Amazon GuardDuty. Enable EKS Protection and Runtime Monitoring for Amazon EKS in GuardDuty. Create an Amazon Simple Notification Service (Amazon SNS) topic and set the security team ' s mailing list as a subscriber. Use an Amazon EventBridge rule to send relevant GuardDuty events to the SNS topic.

D.

Install the AWS Systems Manager Agent (SSM Agent) on all EKS nodes. Configure Amazon CloudWatch Logs to collect EKS audit logs. Create an Amazon Simple Notification Service (Amazon SNS) topic and set the security team ' s mailing list as a subscriber. Configure a CloudWatch alarm to publish a message to the SNS topic when new audit logs are generated.

Question 14

A company uses SAML federation with IAM to provide internal users with SSO for their AWS accounts. The company’s identity provider certificate was rotated as part of its normal lifecycle. Shortly after, users started receiving the following error when attempting to log in:

“Error: Response Signature Invalid (Service: AWSSecurityTokenService; Status Code: 400; Error Code: InvalidIdentityToken)”

A security engineer needs to address the immediate issue and ensure that it will not occur again.

Which combination of steps should the security engineer take to accomplish this? (Select TWO.)

Options:

A.

Download a new copy of the SAML metadata file from the identity provider. Create a new IAM identity provider entity. Upload the new metadata file to the new IAM identity provider entity.

B.

During the next certificate rotation period and before the current certificate expires, add a new certificate as the secondary certificate to the identity provider. Generate a new metadata file and upload it to the IAM identity provider entity. Perform automated or manual rotation of the certificate when required.

C.

Download a new copy of the SAML metadata file from the identity provider. Upload the new metadata to the IAM identity provider entity configured for the SAML integration in question.

D.

During the next certificate rotation period and before the current certificate expires, add a new certificate as the secondary certificate to the identity provider. Generate a new copy of the metadata file and create a new IAM identity provider entity. Upload the metadata file to the new IAM identity provider entity. Perform automated or manual rotation of the certificate when required.

E.

Download a new copy of the SAML metadata file from the identity provider. Create a new IAM identity provider entity. Upload the new metadata file to the new IAM identity provider entity. Update the identity provider configurations to pass a new IAM identity provider entity name in the SAML assertion.

Question 15

A security engineer for a company is investigating suspicious traffic on a web application in the AWS Cloud. The web application is protected by an Application Load Balancer (ALB) behind an Amazon CloudFront distribution. There is an AWS WAF web ACL associated with the ALB. The company stores AWS WAF logs in an Amazon S3 bucket.

The engineer notices that all incoming requests in the AWS WAF logs originate from a small number of IP addresses that correspond to CloudFront edge locations. The security engineer must identify the source IP addresses of the clients that are initiating the suspicious requests.

Which solution will meet this requirement?

Options:

A.

Enable VPC Flow Logs in the VPC where the ALB is deployed. Examine the source field to capture the client IP addresses.

B.

Inspect the X-Forwarded-For header in the AWS WAF logs to determine the original client IP addresses.

C.

Modify the CloudFront distribution to disable ALB connection reuse. Examine the clientIp field in the AWS WAF logs to identify the original client IP addresses.

D.

Configure CloudFront to add a custom header named Client-IP to origin requests that are sent to the ALB.

Question 16

A security engineer needs to prepare a company ' s Amazon EC2 instances for quarantine during a security incident. The AWS Systems Manager Agent (SSM Agent) has been deployed to all EC2 instances. The security engineer has developed a script to install and update forensics tools on the EC2 instances.

Which solution will quarantine EC2 instances during a security incident?

Options:

A.

Create a rule in AWS Config to track SSM Agent versions.

B.

Configure Systems Manager Session Manager to deny all connection requests from external IP addresses.

C.

Store the script in Amazon S3 and grant read access to the instance profile.

D.

Configure IAM permissions for the SSM Agent to run the script as a predefined Systems Manager Run Command document.

Question 17

A consultant agency needs to perform a security audit for a company ' s production AWS account. Several consultants need access to the account. The consultant agency already has its own AWS account. The company requires multi-factor authentication (MFA) for all access to its production account. The company also forbids the use of long-term credentials.

Which solution will provide the consultant agency with access that meets these requirements?

Options:

A.

Create an IAM group. Create an IAM user for each consultant. Add each user to the group. Turn on MFA for each consultant.

B.

Configure Amazon Cognito on the company’s production account to authenticate against the consultant agency ' s identity provider (IdP). Add MFA to a Cognito user pool.

C.

Create an IAM role in the consultant agency ' s AWS account. Define a trust policy that requires MFA. In the trust policy, specify the company ' s production account as the principal. Attach the trust policy to the role.

D.

Create an IAM role in the company’s production account. Define a trust policy that requires MFA. In the trust policy, specify the consultant agency ' s AWS account as the principal. Attach the trust policy to the role.

Question 18

A company uses AWS IAM Identity Center to manage access to its AWS accounts. The accounts are in an organization in AWS Organizations. A security engineer needs to set up delegated administration of IAM Identity Center in the organization ' s management account.

Which combination of steps should the security engineer perform in IAM Identity Center before configuring delegated administration? (Select THREE.)

Options:

A.

Grant least privilege access to the organization ' s management account.

B.

Create a new IAM Identity Center directory in the organization ' s management account.

C.

Set up a second AWS Region in the organization ' s management account.

D.

Create permission sets for use only in the organization ' s management account.

E.

Create IAM users for use only in the organization ' s management account.

F.

Create user assignments only in the organization ' s management account.

Question 19

A company wants to deploy an application in a private VPC that will not be connected to the internet. The company’s security team will not allow bastion hosts or methods using SSH to log in to Amazon EC2 instances. The application team plans to use AWS Systems Manager Session Manager to connect to and manage the EC2 instances.

Which combination of steps should the security team take? (Select THREE.)

Options:

A.

Make sure the Systems Manager Agent is installed and running on all EC2 instances inside the VPC.

B.

Ensure the IAM role attached to the EC2 instances in the VPC allows access to Systems Manager.

C.

Create an SCP that prevents the creation of SSH key pairs.

D.

Launch a NAT gateway in the VPC. Update the routing policies to forward traffic to this NAT gateway.

E.

Ensure proper VPC endpoints are in place for Systems Manager and Amazon EC2.

F.

Ensure the VPC has a transit gateway attachment. Update the routing policies to forward traffic to this transit gateway.

Question 20

A systems administrator was attempting to launch a new Amazon EC2 instance with an encrypted boot volume using a new AWS KMS customer managed key. The EC2 console initially stated the launch was successful, but the instance was subsequently terminated. The IAM role used by the systems administrator has the following IAM permissions:

• ec2:Describe*

• ec2:AuthorizeSecurityGroupIngress

• kms:Encrypt

• kms:Decrypt

• kms:ReEncrypt*

• kms:GenerateDataKey*

• kms:DescribeKey

Which IAM permission is the systems administrator missing?

Options:

A.

kms:GetKeyRotationStatus

B.

kms:CreateGrant

C.

kms:GenerateRandom

D.

kms:EnableKey

Question 21

A security engineer discovers that a company ' s user passwords have no required minimum length. The company uses the following identity providers (IdPs):

• AWS Identity and Access Management (IAM) federated with on-premises Active Directory

• Amazon Cognito user pools that contain the user database for an AWS Cloud application

Which combination of actions should the security engineer take to implement a required minimum password length? (Select TWO.)

Options:

A.

Update the password length policy in the IAM configuration.

B.

Update the password length policy in the Amazon Cognito configuration.

C.

Update the password length policy in the on-premises Active Directory configuration.

D.

Create an SCP in AWS Organizations to enforce minimum password length.

E.

Create an IAM policy with a minimum password length condition.

Question 22

A security engineer for a company needs to design an incident response plan that addresses compromised IAM user account credentials. The company uses an organization in AWS Organizations and AWS IAM Identity Center to manage user access. The company uses a delegated administrator account to implement AWS Security Hub. The delegated administrator account contains an organizational trail in AWS CloudTrail that logs all events to an Amazon S3 bucket. The company has also configured an organizational event data store that captures all events from the trail.

The incident response plan must provide steps that the security engineer can take to immediately disable any compromised IAM user when the security engineer receives a notification of a security incident. The plan must prevent the IAM user from being used in any AWS account. The plan must also collect all AWS actions that the compromised IAM user performed across all accounts in the previous 7 days.

Which solution will meet these requirements?

Options:

A.

Disable the compromised IAM user in the organization management account. Use Amazon Athena to query the organizational CloudTrail logs in the S3 bucket for actions that the IAM user performed in the previous 7 days.

B.

Remove all IAM policies that are attached to the IAM user in the organization management account. Use AWS Security Hub to query the CloudTrail logs for actions that the IAM user performed in the previous 7 days.

C.

Remove any permission sets that are assigned to the IAM user in IAM Identity Center. Use Amazon CloudWatch Logs Insights to query the CloudTrail logs in the S3 bucket for actions that the IAM user performed in the previous 7 days.

D.

Disable the IAM user’s access in IAM Identity Center. Use AWS CloudTrail to query the organizational event data store for actions that the IAM user performed in the previous 7 days.

Question 23

A security engineer needs to control access to data that is encrypted with an AWS Key Management Service (AWS KMS) customer managed key. The security engineer also needs to use additional authenticated data (AAD) to prevent tampering with ciphertext.

Which solution will meet these requirements?

Options:

A.

Pass the key alias to AWS KMS when calling the Encrypt and Decrypt API actions.

B.

Use IAM policies to restrict access to the Encrypt and Decrypt API actions.

C.

Use the kms:EncryptionContext condition key when defining IAM policies for the customer managed key.

D.

Use key policies to restrict access to the appropriate IAM groups.

Question 24

A company wants to use a suite of AWS Lambda functions to automatically remediate noncompliant resources. The company packages the suite of Lambda functions into an AWS CloudFormation template. The company wants to deploy the suite of Lambda functions to all AWS Organizations accounts. However, the company cannot use the Organizations management account for deployment.

Which solution provides centralized deployment of the Lambda function suite to all accounts in the organization?

Options:

A.

Register a delegated administrator for CloudFormation. Deploy the template to every account in the organization by using StackSets.

B.

Create a cross-account IAM role with a unique external ID in each AWS account. Assume the cross-account role to deploy the template.

C.

Package the template as an AWS Service Catalog product. Log in to each account and provision the product to each account.

D.

Set up AWS CodePipeline in each account. Configure a pipeline to pull the template from an Amazon S3 bucket in the Organizations management account.

Question 25

A company uses AWS Organizations to manage its AWS accounts in a single organization. The company applies the FullAWSAccess SCP to every OU. However, now the company must explicitly deny specific services. The company needs a solution that restricts any users in the organization from using the explicitly denied services.

Additionally, the solution must enforce all Amazon S3 buckets across the organization to have a minimum TLS version of 1.2. The company requires a central solution that applies to all existing accounts and any new accounts that the company creates in the future.

Which solution will meet these requirements?

Options:

A.

Create an SCP that denies a list of services that are restricted in the organization. Create an RCP to deny s3:* where the TLS version is less than 1.2. Attach both policies to the root of the organization.

B.

Create an SCP that denies a list of services that are restricted in the organization. Create an RCP to deny s3:* where the TLS version is less than 1.2. Attach the SCP to the root OU. Attach the RCP to each account within the organization.

C.

Create an SCP deny statement to disallow s3:* where the TLS version is less than 1.2. Create an RCP that denies a list of services that are restricted in the organization. Attach both policies to the root OU.

D.

Create an SCP that denies a list of services that are restricted in the organization. Create a declarative policy to deny s3:* where the TLS version is less than 1.2. Attach both policies to the root of the organization.

Question 26

A company runs an application on a fleet of Amazon EC2 instances. The application is accessible to users around the world. The company associates an AWS WAF web ACL with an Application Load Balancer (ALB) that routes traffic to the EC2 instances.

A security engineer is investigating a sudden increase in traffic to the application. The security engineer discovers a significant amount of potentially malicious requests coming from hundreds of IP addresses in two countries. The security engineer wants to quickly limit the potentially malicious requests. The security engineer does not want to prevent legitimate users from accessing the application.

Which solution will meet these requirements?

Options:

A.

Use AWS WAF to implement a rate-based rule for all incoming requests.

B.

Use AWS WAF to implement a geographical match rule to block all incoming traffic from the two countries.

C.

Edit the ALB security group to include a geographical match rule to block all incoming traffic from the two countries.

D.

Add deny rules to the ALB security group that prohibit incoming requests from the IP addresses.

Question 27

A company experienced a security incident caused by a vulnerable container image that was pushed from an external CI/CD pipeline into Amazon ECR.

Which solution will prevent vulnerable images from being pushed?

Options:

A.

Enable ECR enhanced scanning with Lambda blocking.

B.

Use Amazon Inspector with EventBridge and Lambda.

C.

Integrate Amazon Inspector into the CI/CD pipeline using SBOM generation and fail the pipeline on critical findings.

D.

Enable basic continuous ECR scanning.

Question 28

A company recently experienced a malicious attack on its cloud-based environment. The company successfully contained and eradicated the attack. A security engineer is performing incident response work. The security engineer needs to recover an Amazon RDS database cluster to the last known good version. The database cluster is configured to generate automated backups with a retention period of 14 days. The initial attack occurred 5 days ago at exactly 3:15 PM.

Which solution will meet this requirement?

Options:

A.

Identify the Regional cluster ARN for the database. Use the ARN to restore the Regional cluster by using the restore to point in time feature. Set a target time 5 days ago at 3:14 PM.

B.

Identify the Regional cluster ARN for the database. List snapshots that have been taken of the cluster. Restore the database by using the snapshot that has a creation time that is closest to 5 days ago at 3:14 PM.

C.

List all snapshots that have been taken of all the company ' s RDS databases. Identify the snapshot that was taken closest to 5 days ago at 3:14 PM and restore it.

D.

Identify the Regional cluster ARN for the database. Use the ARN to restore the Regional cluster by using the restore to point in time feature. Set a target time 14 days ago.

Question 29

A company ' s security engineer receives an abuse notification from AWS. The notification indicates that someone is hosting malware from the company ' s AWS account. After investigation, the security engineer finds a new Amazon S3 bucket that an IAM user created without authorization.

Which combination of steps should the security engineer take toMINIMIZE the consequencesof this compromise? (Select THREE.)

Options:

A.

Encrypt all AWS CloudTrail logs.

B.

Turn on Amazon GuardDuty.

C.

Change the password for all IAM users.

D.

Rotate or delete all AWS access keys.

E.

Take snapshots of all Amazon Elastic Block Store (Amazon EBS) volumes.

F.

Delete any resources that are unrecognized or unauthorized.

Question 30

A company runs a web application on a fleet of Amazon EC2 instances that are in an Auto Scaling group. The EC2 instances are in the same VPC subnet as other workloads.

A security engineer deploys Amazon GuardDuty and integrates it with AWS Security Hub. The security engineer needs to implement anautomated solutionto detect and respond to anomalous traffic patterns. The solution must follow AWS best practices forinitial incident responseand mustminimize disruptionto the web application.

Which solution will meet these requirements?

Options:

A.

Disable the instance profile access keys by using AWS Lambda.

B.

Remove the affected instance from the Auto Scaling group and isolate it with a restricted security group by using AWS Lambda.

C.

Update the network ACL to block the detected traffic source.

D.

Send GuardDuty findings to Amazon SNS for email notification.

Question 31

A company ' s security engineer receives an abuse notification from AWS indicating that malware is being hosted from the company’s AWS account. The security engineer discovers that an IAM user created a new Amazon S3 bucket without authorization.

Which combination of steps should the security engineer take to MINIMIZE the consequences of this compromise? (Select THREE.)

Options:

A.

Encrypt all AWS CloudTrail logs.

B.

Turn on Amazon GuardDuty.

C.

Change the password for all IAM users.

D.

Rotate or delete all AWS access keys.

E.

Take snapshots of all Amazon Elastic Block Store (Amazon EBS) volumes.

F.

Delete any resources that are unrecognized or unauthorized.

Question 32

A company uses an incident response team to troubleshoot incidents. The incident response team must use temporary credentials from AWS STS for cross-account IAM role access when troubleshooting. Occasionally, each team member will need to respond to multiple different types of incidents simultaneously. Based on the type of incident, the company wants to dynamically assign minimal permissions to whichever team member responds.

Which solution will meet these requirements?

Options:

A.

Attach a policy to the cross-account role that grants the appropriate permissions for all types of incidents. Reduce the scope of those permissions by using a session policy.

B.

Attach a policy to the cross-account role that grants the appropriate permissions for all types of incidents. Reduce the scope of those permissions by using a permissions boundary.

C.

Do not assign any permissions to the cross-account role initially. Assign a session policy to the role being assumed with the required permission for that type of incident.

D.

Use an AWS Lambda function for each incident. Configure the function to create a temporary cross-account role that uses the AWS managed policy AWSSecurityIncidentResponseServiceRolePolicy. Reduce the scope of those permissions by using a permissions boundary.

Question 33

A company is using Amazon EC2 instances to host an application in a private subnet in a VPC. The application needs to use AWS KMS.

What is the MOST secure way for a security engineer to meet this requirement?

Options:

A.

Attach an internet gateway to the VPC. Move the EC2 instances to a public subnet. Use the internet gateway to connect to AWS KMS.

B.

Create a gateway VPC endpoint. Use the endpoint to connect to AWS KMS.

C.

Attach a NAT gateway to the VPC. Leave the EC2 instances in the private subnet. Use the NAT gateway to connect to AWS KMS.

D.

Create an interface VPC endpoint. Use the endpoint to connect to AWS KMS.

Question 34

A company runs a web application on a fleet of Amazon EC2 instances in an Auto Scaling group. Amazon GuardDuty and AWS Security Hub are enabled. The security engineer needs an automated response to anomalous traffic that follows AWS best practices and minimizes application disruption.

Which solution will meet these requirements?

Options:

A.

Use EventBridge to disable the instance profile access keys.

B.

Use EventBridge to invoke a Lambda function that removes the affected instance from the Auto Scaling group and isolates it with a restricted security group.

C.

Use Security Hub to update the subnet network ACL to block traffic.

D.

Send GuardDuty findings to Amazon SNS for email notification.

Question 35

A company is storing data in Amazon S3 Glacier. A security engineer implemented a new vault lock policy for 10 TB of data and called the initiate-vault-lock operation 12 hours ago. The audit team identified a typo in the policy that is allowing unintended access to the vault.

What is the MOST cost-effective way to correct this error?

Options:

A.

Call the abort-vault-lock operation. Update the policy. Call the initiate-vault-lock operation again.

B.

Copy the vault data to a new S3 bucket. Delete the vault. Create a new vault with the data.

C.

Update the policy to keep the vault lock in place.

D.

Update the policy. Call the initiate-vault-lock operation again to apply the new policy.

Question 36

Notify when IAM roles are modified.

Options:

A.

Use Amazon Detective.

B.

Use EventBridge with CloudTrail events.

C.

Use CloudWatch metric filters.

D.

Use CloudWatch subscription filters.

Question 37

A company uses AWS Organizations and has an SCP at the root that prevents sharing resources with external accounts. The company now needs to allow only the marketing account to share resources externally while preventing all other accounts from doing so. All accounts are in the same OU.

Which solution will meet these requirements?

Options:

A.

Create a new SCP in the marketing account to explicitly allow sharing.

B.

Edit the existing SCP to add a condition that excludes the marketing account.

C.

Edit the SCP to include an Allow statement for the marketing account.

D.

Use a permissions boundary in the marketing account.

Question 38

A company that uses AWS Organizations is using AWS IAM Identity Center to administer access to AWS accounts. A security engineer is creating a custom permission set in IAM Identity Center. The company will use the permission set across multiple accounts. An AWS managed policy and a customer managed policy are attached to the permission set. The security engineer has full administrative permissions and is operating in the management account.

When the security engineer attempts to assign the permission set to an IAM Identity Center user who has access to multiple accounts, the assignment fails.

What should the security engineer do to resolve this failure?

Options:

A.

Create the customer managed policy in every account where the permission set is assigned. Give the customer managed policy the same name and same permissions in each account.

B.

Remove either the AWS managed policy or the customer managed policy from the permission set. Create a second permission set that includes the removed policy. Apply the permission sets separately to the user.

C.

Evaluate the logic of the AWS managed policy and the customer managed policy. Resolve any policy conflicts in the permission set before deployment.

D.

Do not add the new permission set to the user. Instead, edit the user ' s existing permission set to include the AWS managed policy and the customer managed policy.

Question 39

A security engineer is asked to update an AWS CloudTrail log file prefix for an existing trail. When attempting to save the change in the CloudTrail console, the security engineer receives the following error message: “There is a problem with the bucket policy.”

What will enable the security engineer to save the change?

Options:

A.

Create a new trail with the updated log file prefix, and then delete the original trail.

B.

Update the existing bucket policy in the Amazon S3 console to allow the security engineer’s principal to perform PutBucketPolicy, and then update the log file prefix in the CloudTrail console.

C.

Update the existing bucket policy in the Amazon S3 console with the new log file prefix, and then update the log file prefix in the CloudTrail console.

D.

Update the existing bucket policy in the Amazon S3 console to allow the security engineer’s principal to perform GetBucketPolicy, and then update the log file prefix in the CloudTrail console.

Question 40

A security engineer is troubleshooting an AWS Lambda function that is namedMyLambdaFunction. The function is encountering an error when the function attempts to read the objects in an Amazon S3 bucket that is namedDOC-EXAMPLE-BUCKET. The S3 bucket has the following bucket policy:

{

" Effect " : " Allow " ,

" Principal " : { " Service " : " lambda.amazonaws.com " },

" Action " : " s3:GetObject " ,

" Resource " : " arn:aws:s3:::DOC-EXAMPLE-BUCKET " ,

" Condition " : {

" ArnLike " : {

" aws:SourceArn " : " arn:aws:lambda:::function:MyLambdaFunction "

}

}

}

Which change should the security engineer make to the policy to ensure that the Lambda function can read the bucket objects?

Options:

A.

Remove the Condition element. Change the Principal element to the following:{ " AWS " : " arn:aws:lambda:::function:MyLambdaFunction " }

B.

Change the Action element to the following:[ " s3:GetObject* " , " s3:GetBucket* " ]

C.

Change the Resource element to " arn:aws:s3:::DOC-EXAMPLE-BUCKET/* " .

D.

Change the Resource element to " arn:aws:lambda:::function:MyLambdaFunction " . Change the Principal element to the following:{ " Service " : " s3.amazonaws.com " }

Question 41

A company has a VPC that has no internet access and has the private DNS hostnames option enabled. An Amazon Aurora database is running inside the VPC. A security engineer wants to use AWS Secrets Manager to automatically rotate the credentials for the Aurora database. The security engineer configures the Secrets Manager default AWS Lambda rotation function to run inside the same VPC that the Aurora database uses. However, the security engineer determines that the password cannot be rotated properly because the Lambda function cannot communicate with the Secrets Manager endpoint.

What is the MOST secure way that the security engineer can give the Lambda function the ability to communicate with the Secrets Manager endpoint?

Options:

A.

Add a NAT gateway to the VPC to allow access to the Secrets Manager endpoint.

B.

Add a gateway VPC endpoint to the VPC to allow access to the Secrets Manager endpoint.

C.

Add an interface VPC endpoint to the VPC to allow access to the Secrets Manager endpoint.

D.

Add an internet gateway for the VPC to allow access to the Secrets Manager endpoint.

Question 42

A company’s security policy requires all Amazon EC2 instances to use the Amazon Time Sync Service. AWS CloudTrail trails are enabled in all of the company’s AWS accounts. VPC Flow Logs are enabled for all VPCs.

A security engineer must identify any EC2 instances that attempt to use Network Time Protocol (NTP) servers on the internet.

Which solution will meet these requirements?

Options:

A.

Monitor CloudTrail logs for API calls to non-standard time servers.

B.

Monitor CloudTrail logs for API calls to the Amazon Time Sync Service.

C.

Monitor VPC Flow Logs for traffic to non-standard time servers.

D.

Monitor VPC Flow Logs for traffic to the Amazon Time Sync Service.

Question 43

A company is running a new workload across accounts in an organization in AWS Organizations. All running resources must have a tag of CostCenter, and the tag must have one of three approved values. The company must enforce this policy and must prevent any changes of the CostCenter tag to a non-approved value.

Which solution will meet these requirements?

Options:

A.

Use AWS Config custom policy rule and an SCP to deny non-approved aws:RequestTag/CostCenter values.

B.

Use CloudTrail + EventBridge + Lambda to block creation.

C.

Enable tag policies, define allowed values, enforce noncompliant operations, and use an SCP to deny creation when aws:RequestTag/CostCenter is null.

D.

Enable tag policies and use EventBridge + Lambda to block changes.

Question 44

AWS Config cannot deliver configuration snapshots to Amazon S3.

Which TWO actions will remediate this issue?

Options:

A.

Verify the S3 bucket policy allows config.amazonaws.com.

B.

Verify the IAM role has s3:GetBucketAcl and s3:PutObject permissions.

C.

Verify the S3 bucket can assume the IAM role.

D.

Verify IAM policy allows AWS Config to write logs.

E.

Modify AWS Config API permissions.

Question 45

A company uses Amazon API Gateway to present REST APIs to users. An API developer wants to analyze API access patterns without the need to parse the log files.

Which combination of steps will meet these requirements with the LEAST effort? (Select TWO.)

Options:

A.

Configure access logging for the required API stage.

B.

Configure an AWS CloudTrail trail destination for API Gateway events. Configure filters on the userIdentity, userAgent, and sourceIPAddress fields.

C.

Configure an Amazon S3 destination for API Gateway logs. Run Amazon Athena queries to analyze API access information.

D.

Use Amazon CloudWatch Logs Insights to analyze API access information.

E.

Select the Enable Detailed CloudWatch Metrics option on the required API stage.

Question 46

A security engineer needs to implement a solution to identify any sensitive data that is stored in an Amazon S3 bucket. The solution must report on sensitive data in the S3 bucket by using an existing Amazon Simple Notification Service (Amazon SNS) topic.

Which solution will meet these requirements with the LEAST implementation effort?

Options:

A.

Enable AWS Config. Configure AWS Config to monitor for sensitive data in the S3 bucket and to send notifications to the SNS topic.

B.

Create an AWS Lambda function to scan the S3 bucket for sensitive data that matches a pattern. Program the Lambda function to send notifications to the SNS topic.

C.

Configure Amazon Macie to use managed data identifiers to identify and categorize sensitive data. Create an Amazon EventBridge rule to send notifications to the SNS topic.

D.

Enable Amazon GuardDuty. Configure AWS CloudTrail S3 data events. Create an Amazon CloudWatch alarm that reacts to GuardDuty findings and sends notifications to the SNS topic.

Question 47

A company has a web-based application that runs behind an Application Load Balancer (ALB). The application is experiencing a credential stuffing attack that is producing many failed login attempts. The attack is coming from many IP addresses. The login attempts are using a user agent string of a known mobile device emulator. A security engineer needs to implement a solution to mitigate the credential stuffing attack. The solution must still allow legitimate logins to the application.

Which solution will meet these requirements?

Options:

A.

Create an Amazon CloudWatch alarm that reacts to login attempts that contain the specified user agent string. Add an Amazon Simple Notification Service (Amazon SNS) topic to the alarm.

B.

Modify the inbound security group on the ALB to deny traffic from the IP addresses that are involved in the attack.

C.

Create an AWS WAF web ACL for the ALB. Create a custom rule that blocks requests that contain the user agent string of the device emulator.

D.

Create an AWS WAF web ACL for the ALB. Create a custom rule that allows requests from legitimate user agent strings.

Question 48

A company ' s public website consists of an Application Load Balancer (ALB), a set of Amazon EC2 instances that run a stateless application behind the ALB, and an Amazon DynamoDB table from which the application reads data. The company is concerned about malicious scanning and DDoS attacks. The company wants to impose a restriction in which each client IP address can read the data only3 times in any 5-minute period.

Which solution will meet this requirement with the LEAST effort?

Options:

A.

Set up AWS WAF in front of the ALB. Create a rule that blocks requests that exceed the limit of 3 requests in any 5-minute period for each IP address.

B.

Create an AWS Lambda function based on an Amazon CloudWatch request. Configure the Lambda function to count the requests for each IP address in rolling 5-minute intervals and to provide notification if the count exceeds 3.

C.

Modify the EC2 application to count the source IP address of requests and calculate a rolling 5-minute sum. Return an error message if the count sum is greater than 3.

D.

Add source IP address and request time to the DynamoDB table. Add a 5-minute TTL setting based on request time. Change the read capacity of the DynamoDB table throughput to 3.

Question 49

A company needs a solution to protect critical data from being permanently deleted. The data is stored in Amazon S3 buckets. The company needs to replicate the S3 objects from the company ' s primary AWS Region to a secondary Region to meet disaster recovery requirements. The company must also ensure that users who have administrator access cannot permanently delete the data in the secondary Region.

Which solution will meet these requirements?

Options:

A.

Configure AWS Backup to perform cross-Region S3 backups. Select a backup vault in the secondary Region. Enable AWS Backup Vault Lock in governance mode for the backups in the secondary Region.

B.

Implement S3 Object Lock in compliance mode in the primary Region. Configure S3 replication to replicate the objects to an S3 bucket in the secondary Region.

C.

Configure S3 replication to replicate the objects to an S3 bucket in the secondary Region. Create an S3 bucket policy to deny the s3:ReplicateDelete action on the S3 bucket in the secondary Region.

D.

Configure S3 replication to replicate the objects to an S3 bucket in the secondary Region. Configure S3 object versioning on the S3 bucket in the secondary Region.

Question 50

A company ' s web application is hosted on Amazon EC2 instances running behind an Application Load Balancer (ALB) in an Auto Scaling group. An AWS WAF web ACL is associated with the ALB. AWS CloudTrail is enabled and stores logs in Amazon S3 and Amazon CloudWatch Logs.

The operations team has observed some EC2 instances reboot at random. After rebooting, all access logs on the instances have been deleted. During an investigation, the operations team found that each reboot happened just after a PHP error occurred on the new-user-creation.php file. The operations team needs to view log information to determine if the company is being attacked.

Which set of actions will identify the suspect attacker ' s IP address for future occurrences?

Options:

A.

Configure VPC Flow Logs on the subnet where the ALB is located and stream the data to CloudWatch. Search for the new-user-creation.php occurrences in CloudWatch.

B.

Configure the CloudWatch agent on the ALB and send application logs to CloudWatch Logs.

C.

Configure the ALB to export access logs to an Amazon OpenSearch Service cluster and search for the new-user-creation.php occurrences.

D.

Configure the web ACL to send logs to Amazon Data Firehose, which delivers the logs to an S3 bucket. Use Amazon Athena to query the logs and find the new-user-creation.php occurrences.

Question 51

A company uses an organization in AWS Organizations to manage multiple AWS accounts. A security engineer creates a WAF policy in AWS Firewall Manager in the us-east-1 Region. The security engineer sets the policy scope to apply to resources that are tagged withWAF-protected:truein one of the member accounts in the organization. The security engineer sets up a configuration to automatically remediate any noncompliant resources.

In a member account, the security engineer attempts to protect an Amazon API Gateway REST API in the us-east-1 Region by using a web ACL. However, after several minutes, the REST API is still not associated with the web ACL.

What is the likely cause of this issue?

Options:

A.

Web ACLs cannot be applied to REST APIs.

B.

The REST API is missing a tag that includes theWAF-protectedkey and a value oftrue.

C.

The web ACL is already associated with another REST API.

D.

The web ACL is already associated with an Amazon CloudFront distribution.

Question 52

A company has AWS accounts in an organization in AWS Organizations. An Amazon S3 bucket in one account is publicly accessible. A security engineer must remove public access and ensure the bucket cannot be made public again.

Which solution will meet these requirements?

Options:

A.

Enforce KMS encryption and deny s3:GetObject by SCP.

B.

Enable PublicAccessBlock and deny s3:GetObject by SCP.

C.

Enable PublicAccessBlock and deny s3:PutPublicAccessBlock by SCP.

D.

Enable Object Lock governance and deny s3:PutPublicAccessBlock by SCP.

Question 53

A company has contracted with a third party to audit several AWS accounts. To enable the audit, cross-account IAM roles have been created in each account targeted for audit. The auditor is having trouble accessing some of the accounts.

Which of the following may be causing this problem? (Select THREE.)

Options:

A.

The external ID used by the auditor is missing or incorrect.

B.

The auditor is using the incorrect password.

C.

The auditor has not been grantedsts:AssumeRolefor the role in the destination account.

D.

The Amazon EC2 role used by the auditor must be set to the destination account role.

E.

The secret key used by the auditor is missing or incorrect.

F.

The role ARN used by the auditor is missing or incorrect.

Question 54

A company uses Amazon EC2 instances to host frontend services behind an Application Load Balancer. Amazon Elastic Block Store (Amazon EBS) volumes are attached to the EC2 instances. The company uses Amazon S3 buckets to store large files for images and music. The company has implemented a security architecture on AWS to prevent, identify, and isolate potential ransomware attacks. The company now wants to further reduce risk. A security engineer must develop a disaster recovery solution that can recover to normal operations if an attacker bypasses preventive and detective controls. The solution must meet an RPO of1 hour.

Which solution will meet these requirements?

Options:

A.

Use AWS Backup to create backups of the EC2 instances and S3 buckets every hour. Create AWS CloudFormation templates that replicate existing architecture components. Use a Git repository to store the CloudFormation templates alongside application configuration code.

B.

Use AWS Backup to create backups of the EBS volumes and S3 objects every day. Use Amazon Security Lake to create a centralized data lake for AWS CloudTrail logs and VPC flow logs. Use the logs for automated response.

C.

Use Amazon Security Lake to create a centralized data lake for AWS CloudTrail logs and VPC flow logs. Use the logs for automated response. Enable AWS Security Hub to establish a single location for recovery procedures. Create AWS CloudFormation templates that replicate existing architecture components. Use a Git repository to store the CloudFormation templates alongside application configuration code.

D.

Create EBS snapshots every 4 hours. Enable Amazon GuardDuty Malware Protection. Create automation to immediately restore the most recent snapshot for any EC2 instances that produce an Execution:EC2/MaliciousFile finding in GuardDuty.

Question 55

CloudFormation stack deployments fail for some users due to permission inconsistencies.

Which combination of steps will ensure consistent deployments MOST securely? (Select THREE.)

Options:

A.

Create a composite principal service role.

B.

Create a service role with cloudformation.amazonaws.com as the principal.

C.

Attach scoped policies to the service role.

D.

Attach service ARNs in policy resources.

E.

Update each stack to use the service role.

F.

Allow iam:PassRole to the service role.

Question 56

A company runs an application on an Amazon EC2 instance. The application generates invoices and stores them in an Amazon S3 bucket. The instance profile that is attached to the instance has appropriate access to the S3 bucket. The company needs to share each invoice with multiple clients that do not have AWS credentials. Each client must be able to download only the client ' s own invoices. Clients must download their invoices within 1 hour of invoice creation. Clients must use only temporary credentials to access the company ' s AWS resources.

Which additional step will meet these requirements?

Options:

A.

Update the S3 bucket policy to ensure that clients that use pre-signed URLs have the S3:Get* permission and the S3:List* permission to access S3 objects in the bucket.

B.

Add a StringEquals condition to the IAM role policy for the EC2 instance profile. Configure the policy condition to restrict access based on the s3:ResourceTag/ClientId tag of each invoice. Tag each generated invoice with the ID of its corresponding client.

C.

Update the script to use AWS Security Token Service (AWS STS) to obtain new credentials each time the script runs by assuming a new role that has S3:GetObject permissions. Use the credentials to generate the pre-signed URLs.

D.

Generate an access key and a secret key for an IAM user that has S3:GetObject permissions on the S3 bucket. Embed the keys into the script. Use the keys to generate the pre-signed URLs.

Question 57

A company ' s security team wants to receive email notification from AWS about any abuse reports regarding DoS attacks. A security engineer needs to implement a solution that will provide a near-real-time alert for any abuse reports that AWS sends for the account. The security engineer already has created an Amazon Simple Notification Service (Amazon SNS) topic and has subscribed the security team ' s email address to the topic.

What should the security engineer do next to meet these requirements?

Options:

A.

Use the AWS Trusted Advisor API and a scheduled Lambda function to detect AWS_ABUSE_DOS_REPORT notifications.

B.

Create an Amazon EventBridge rule that uses AWS Health and identifies a specific event for AWS_ABUSE_DOS_REPORT. Configure the rule action to publish a message to the SNS topic.

C.

Use the AWS Support API and a scheduled Lambda function to detect abuse report cases.

D.

Use AWS CloudTrail logs with metric filters to detect AWS_ABUSE_DOS_REPORT events.

Question 58

A company needs to implement data lifecycle management for Amazon RDS snapshots. The company will use AWS Backup to manage the snapshots. The company must retain RDS automated snapshots for 5 years and will use Amazon S3 for long-term archival storage.

Which solution will meet these requirements?

Options:

A.

Use AWS Backup to apply a 5-year retention tag to the RDS snapshots.

B.

Enable versioning on the S3 bucket that AWS Backup uses for the RDS snapshots. Configure a 5-year retention period.

C.

Create an S3 Lifecycle policy. Include a 5-year retention period for the S3 bucket that AWS Backup uses for the RDS snapshots.

D.

Create a backup plan in AWS Backup. Configure a 5-year retention period.

Question 59

A security engineer is designing a solution that will provide end-to-end encryption between clients and Docker containers running in Amazon Elastic Container Service (Amazon ECS). This solution must also handle volatile traffic patterns.

Which solution would have the MOST scalability and LOWEST latency?

Options:

A.

Configure a Network Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers.

B.

Configure an Application Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers.

C.

Configure a Network Load Balancer with a TCP listener to pass through TLS traffic to the containers.

D.

Configure Amazon Route 53 to use multivalue answer routing to send traffic to the containers.

Question 60

A security engineer needs to implement AWS IAM Identity Center with an external identity provider (IdP).

Select and order the correct steps from the following list to meet this requirement. Select each step one time or not at all. (Select and order THREE.)

. Configure the external IdP as the identity source in IAM Identity Center.

. Create an IAM role that has a trust policy that specifies the IdP ' s API endpoint.

. Enable automatic provisioning in IAM Identity Center settings.

. Enable automatic provisioning in the external IdP.

. Obtain the SAML metadata from IAM Identity Center.

. Obtain the SAML metadata from the external IdP.

Question # 60

Options:

Question 61

A company is developing an application that runs across a combination of Amazon EC2 On-Demand Instances and Spot Instances. A security engineer needs to provide a logging solution that makes logs for all instances available from a single location. The solution must allow only a specific set of users to analyze the logs for event patterns. The users must be able to use SQL queries on the logs to perform root cause analysis.

Which solution will meet these requirements?

Options:

A.

Configure the EC2 instances to send application logs to a single Amazon CloudWatch Logs log group. Allow only specific users to access the log group. Use CloudWatch Logs Insights to query the log group.

B.

Configure the EC2 instances to send application logs to a single Amazon S3 bucket. Allow only specific users to access the S3 bucket. Use Amazon CloudWatch Logs Insights to query the log files in the S3 bucket.

C.

Configure each EC2 instance to send its application logs to its own specific Amazon CloudWatch Logs log group. Allow only specific users to access the log groups. Use Amazon Athena to query all the log groups.

D.

Configure the EC2 instances to send application logs to a single Amazon CloudWatch Logs log group. Grant Amazon Detective access to the log group. Allow only specific users to use Detective to analyze the logs.

Question 62

A company has several Amazon S3 buckets that do not enforce encryption in transit. A security engineer must implement a solution that enforces encryption in transit for all the company ' s existing and future S3 buckets.

Which solution will meet these requirements?

Options:

A.

Enable AWS Config. Create a proactive AWS Config Custom Policy rule. Create a Guard clause to evaluate the S3 bucket policies to check for a value of True for the aws:SecureTransport condition key. If the AWS Config rule evaluates to NON_COMPLIANT, block resource creation.

B.

Enable AWS Config. Configure the s3-bucket-ssl-requests-only AWS Config managed rule and set the rule trigger type to Hybrid. Create an AWS Systems Manager Automation runbook that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Configure automatic remediation. Set the runbook as the target of the rule.

C.

Enable Amazon Inspector. Create a custom AWS Lambda rule. Create a Lambda function that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Set the Lambda function as the target of the rule.

D.

Create an AWS CloudTrail trail. Enable S3 data events on the trail. Create an AWS Lambda function that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Configure the CloudTrail trail to invoke the Lambda function.

Question 63

A company must inventory sensitive data across all Amazon S3 buckets in all accounts from a single security account.

Options:

A.

Delegate Amazon Macie and Security Hub administration.

B.

Use Amazon Inspector with Security Hub.

C.

Use Inspector with Trusted Advisor.

D.

Use Macie with Trusted Advisor.

Question 64

A company uses an organization in AWS Organizations to manage multiple AWS accounts. The company wants to centrally give users the ability to access Amazon Q Developer.

Which solution will meet this requirement?

Options:

A.

Enable AWS IAM Identity Center and set up Amazon Q Developer as an AWS managed application.

B.

Enable Amazon Cognito and create a new identity pool for Amazon Q Developer.

C.

Enable Amazon Cognito and set up Amazon Q Developer as an AWS managed application.

D.

Enable AWS IAM Identity Center and create a new identity pool for Amazon Q Developer.

Question 65

A company is operating an open-source software platform that is internet facing. The legacy software platform no longer receives security updates. The software platform operates using Amazon Route 53 weighted load balancing to send traffic to two Amazon EC2 instances that connect to an Amazon RDS cluster. A recent report suggests this software platform is vulnerable to SQL injection attacks, with samples of attacks provided. The company ' s security engineer must secure this system against SQL injection attacks within 24 hours. The solution must involve the least amount of effort and maintain normal operations during implementation.

What should the security engineer do to meet these requirements?

Options:

A.

Create an Application Load Balancer with the existing EC2 instances as a target group. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the ALB. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to the ALB. Update security groups on the EC2 instances to prevent direct access from the internet.

B.

Create an Amazon CloudFront distribution specifying one EC2 instance as an origin. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the distribution. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to CloudFront.

C.

Obtain the latest source code for the platform and make the necessary updates. Test the updated code to ensure that the vulnerability has been mitigated, then deploy the patched version of the platform to the EC2 instances.

D.

Update the security group that is attached to the EC2 instances, removing access from the internet to the TCP port used by the SQL database. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the EC2 instances.

Question 66

A corporate cloud security policy states that communications between the company ' s VPC and KMS must travel entirely within the AWS network and not use public service endpoints.

Which combination of the following actions MOST satisfies this requirement? (Select TWO.)

Options:

A.

Add theaws:sourceVpcecondition to the AWS KMS key policy referencing the company ' s VPC endpoint ID.

B.

Remove the VPC internet gateway from the VPC and add a virtual private gateway to the VPC to prevent direct, public internet connectivity.

C.

Create a VPC endpoint for AWS KMS withprivate DNS enabled.

D.

Use the KMS Import Key feature to securely transfer the AWS KMS key over a VPN.

E.

Add the following condition to the AWS KMS key policy: " aws:SourceIp " : " 10.0.0.0/16 " .

Question 67

A company’s security team needs to receive a notification whenever an AWS access key has not been rotated in 90 or more days. A security engineer must develop a solution that provides these notifications automatically.

Which solution will meet these requirements with the LEAST amount of effort?

Options:

A.

Deploy an AWS Config managed rule to run on a periodic basis of 24 hours. Select the access-keys-rotated managed rule, and set the maxAccessKeyAge parameter to 90 days. Create an Amazon EventBridge rule with an event pattern that matches the compliance type of NON_COMPLIANT from AWS Config for the managed rule. Configure EventBridge to send an Amazon SNS notification to the security team.

B.

Create a script to export a .csv file from the AWS Trusted Advisor check for IAM access key rotation. Load the script into an AWS Lambda function that will upload the .csv file to an Amazon S3 bucket. Create an Amazon Athena table query that runs when the .csv file is uploaded to the S3 bucket. Publish the results for any keys older than 90 days by using an invocation of an Amazon SNS notification to the security team.

C.

Create a script to download the IAM credentials report on a periodic basis. Load the script into an AWS Lambda function that will run on a schedule through Amazon EventBridge. Configure the Lambda script to load the report into memory and to filter the report for records in which the key was last rotated at least 90 days ago. If any records are detected, send an Amazon SNS notification to the security team.

D.

Create an AWS Lambda function that queries the IAM API to list all the users. Iterate through the users by using the ListAccessKeys operation. Verify that the value in the CreateDate field is not at least 90 days old. Send an SNS notification to the security team if the value is at least 90 days old. Create an EventBridge rule to schedule the Lambda function to run each day.

Question 68

A company runs critical workloads in an on-premises data center. The company wants to implement an AWS based disaster recovery (DR) solution that will achieve an RTO of less than 1 hour. The company needs to continuously replicate physical and virtual servers. The company must optimize costs for data storage and bandwidth usage. The DR solution must be automated.

Which solution will meet these requirements?

Options:

A.

Use AWS Backup to directly replicate the on-premises servers to AWS. Enable cross-Region backup copying and data vaulting. Configure recovery points to match the defined RTO. Use AWS Step Functions to automate recovery steps.

B.

Configure an AWS Storage Gateway Volume Gateway to use Amazon Elastic Block Store (Amazon EBS) snapshots for recovery. Configure AWS Backup to manage the snapshots. Create automated recovery procedures.

C.

Enable AWS Elastic Disaster Recovery. Configure replication agents to continuously replicate each on-premises server. Enable the default staging area subnet configuration.

D.

Create an AWS Direct Connect connection between the on-premises data center and AWS. Configure Amazon EventBridge to monitor for failures and to invoke AWS Lambda functions that launch preconfigured Amazon EC2 instances from AMIs in the event of an incident.

Page: 1 / 23
Total 231 questions