Title of test:
Practice test 1

Description:
My practice test

Author:
Nicks

Creation Date:
21/11/2021

Category:
Others

Number of questions: 63
Content:
A company uses SAML federation with AWS Identity and Access Management (IAM) to provide internal users with SSO for their AWS accounts. The company's identity provider certificate was rotated as part of its normal lifecycle. Shortly after, users started receiving the following error when attempting to log in: "Error: Response Signature Invalid (Service: AWSSecurityTokenService; Status Code: 400; Error Code: InvalidIdentityToken)". A security engineer needs to address the immediate issue and ensure that it will not occur again. Which combination of steps should the security engineer take to accomplish this? (Select TWO.)
During the next certificate rotation period and before the current certificate expires, add a new certificate as the secondary to the identity provider. Generate a new metadata file and upload it to the IAM identity provider entity. Perform automated or manual rotation of the certificate when required.
Download a new copy of the SAML metadata file from the identity provider. Create a new IAM identity provider entity. Upload the new metadata file to the new IAM identity provider entity.
Download a new copy of the SAML metadata file from the identity provider. Create a new IAM identity provider entity. Upload the new metadata file to the new IAM identity provider entity. Update the identity provider configuration to pass the new IAM identity provider entity name in the SAML assertion.
Download a new copy of the SAML metadata file from the identity provider. Upload the new metadata to the IAM identity provider entity configured for the SAML integration in question.
During the next certificate rotation period and before the current certificate expires, add a new certificate as the secondary to the identity provider. Generate a new copy of the metadata file and create a new IAM identity provider entity. Upload the metadata file to the new IAM identity provider entity. Perform automated or manual rotation of the certificate when required.

A company's engineering team is developing a new application that creates AWS Key Management Service (AWS KMS) CMK grants for users. Immediately after a grant is created, users must be able to use the CMK to encrypt a 512-byte payload. During load testing, a bug appears intermittently where AccessDeniedExceptions are occasionally triggered when a user first attempts to encrypt using the CMK. Which solution should the company's security specialist recommend?
Instruct the engineering team to create a random name for the grant when calling the CreateGrant operation. Return the name to the users and instruct them to provide the name as the grant token in the call to encrypt.
Instruct the engineering team to pass the grant token returned in the CreateGrant response to users. Instruct users to use that grant token in their call to encrypt.
Instruct the engineering team to consume a random grant token from users, and to call the CreateGrant operation, passing it the grant token. Instruct users to use that grant token in their call to encrypt.
Instruct users to implement a retry mechanism every 2 minutes until the call succeeds.

A Lambda function reads metadata from an S3 object and stores the metadata in a DynamoDB table. The function is triggered whenever an object is stored within the S3 bucket. How should the Lambda function be given access to the DynamoDB table? Please select:
Create a VPC endpoint for DynamoDB within a VPC. Configure the Lambda function to access resources in the VPC.
Create a resource policy that grants the Lambda function permissions to write to the DynamoDB table. Attach the policy to the DynamoDB table.
Create an IAM user with permissions to write to the DynamoDB table. Store an access key for that user in the Lambda environment variables.
Create an IAM service role with permissions to write to the DynamoDB table. Associate that role with the Lambda function.

Example.com is hosted on Amazon EC2 instances behind an Application Load Balancer (ALB). Third-party host intrusion detection system (HIDS) agents that capture the traffic of the EC2 instance are running on each host. The company must ensure they are using privacy enhancing technologies for users, without losing the assurance the third-party solution offers. What is the MOST secure way to meet these requirements?
Create a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie-Hellman (ECDHE) cipher suites, and use encrypted connections to the servers that do not enable Perfect Forward Secrecy (PFS).
Create a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie-Hellman (ECDHE) cipher suites, and pass the traffic in the clear to the server.
Create a listener on the ALB that does not enable Perfect Forward Secrecy (PFS) cipher suites, and use encrypted connections to the servers using Elliptic Curve Diffie-Hellman (ECDHE) cipher suites.
Enable TLS pass through on the ALB, and handle decryption at the server using Elliptic Curve Diffie-Hellman (ECDHE) cipher suites.

Your company has defined a set of S3 buckets in AWS. They need to monitor the S3 buckets and know the source IP address and the person who makes requests to the S3 bucket. How can this be achieved? Please select:
Enable VPC flow logs to know the source IP addresses
Monitor the S3 API calls by using CloudTrail logging
Monitor the S3 API calls by using CloudWatch logging
Enable AWS Inspector for the S3 bucket.

A company's security information and event management (SIEM) tool receives new AWS CloudTrail logs from an Amazon S3 bucket that is configured to send all object-created event notifications to an Amazon SNS topic. An Amazon SQS queue is subscribed to this SNS topic. The company's SIEM tool then polls this SQS queue for new messages using an IAM role and fetches new log events from the S3 bucket based on the SQS messages. After a recent security review that resulted in restricted permissions, the SIEM tool has stopped receiving new CloudTrail logs. Which of the following are possible causes of this issue? (Select THREE)
The SQS queue does not allow the SQS SendMessage action from the SNS topic
The SNS topic is not delivering raw messages to the SQS queue
The IAM role used by the SIEM tool does not have permission to subscribe to the SNS topic
The SNS topic does not allow the SNS Publish action from Amazon S3
The S3 bucket policy does not allow CloudTrail to perform the PutObject action
The IAM role used by the SIEM tool does not allow the SQS DeleteMessage action.

A company's application runs on Amazon EC2 and stores data in an Amazon S3 bucket. The company wants additional security controls in place to limit the likelihood of accidental exposure of data to external parties. Which combination of actions will meet this requirement? (Select THREE.)
Create a new Amazon S3 VPC endpoint and modify the VPC's routing tables to use the new endpoint
Encrypt the data in Amazon S3 using server-side encryption with AWS KMS managed encryption keys (SSE-KMS)
Configure the bucket policy to allow access from the application instances only
Encrypt the data in Amazon S3 using server-side encryption with Amazon S3 managed encryption keys (SSE-S3)
Use a NACL to filter traffic to Amazon S3
Use the Amazon S3 Block Public Access feature.

A company developed an incident response plan 18 months ago. Regular implementations of the response plan are carried out. No changes have been made to the response plan since its creation. Which of the following is a correct statement with regards to the plan? Please select:
It places too much emphasis on already implemented security controls.
The response plan is not implemented on a regular basis
The response plan does not cater to new services
The response plan is complete in its entirety.

An application running on EC2 instances must use a username and password to access a database. The developer has stored those secrets in the SSM Parameter Store with type SecureString using the default KMS CMK. Which combination of configuration steps will allow the application to access the secrets via the API? Select 2 answers from the options below. Please select:
Add the EC2 instance role as a trusted service to the SSM service role.
Add permission to use the KMS key to decrypt to the SSM service role.
Add permission to read the SSM parameter to the EC2 instance role.
Add permission to use the KMS key to decrypt to the EC2 instance role
Add the SSM service role as a trusted service to the EC2 instance role.

An organization is using Amazon CloudWatch Logs with agents deployed on its Linux Amazon EC2 instances. The agent configuration files have been checked and the application log files to be pushed are configured correctly. A review has identified that logging from specific instances is missing. Which steps should be taken to troubleshoot the issue? (Choose two.)
Use an EC2 run command to confirm that the "awslogs" service is running on all instances.
Verify that the permissions used by the agent allow creation of log groups/streams and to put log events.
Check whether any application log entries were rejected because of invalid time stamps by reviewing /var/cwlogs/rejects.log.
Check that the trust relationship grants the service "cwlogs.amazonaws.com" permission to write objects to the Amazon S3 staging bucket.
Verify that the time zone on the application servers is in UTC.

An Incident Response team is investigating an AWS access key leak that resulted in Amazon EC2 instances being launched. The company did not discover the incident until many months later. The Director of Information Security wants to implement new controls that will alert when similar incidents happen in the future. Which controls should the company implement to achieve this? (Select TWO.)
Verify that Amazon GuardDuty is enabled in all Regions, and create an Amazon CloudWatch Events rule for Amazon GuardDuty findings. Add an Amazon SNS topic as the rule's target
Use AWS CloudTrail to make a trail, and apply it to all Regions. Specify an Amazon S3 bucket to receive all the CloudTrail log files
Enable VPC Flow Logs in all VPCs. Create a scheduled AWS Lambda function that downloads and parses the logs, and sends an Amazon SNS notification for violations.
Create a Security Auditor role with permissions to access Amazon CloudWatch Logs in all Regions. Ship the logs to an Amazon S3 bucket and make a lifecycle policy to ship the logs to Amazon S3 Glacier.

A company is using AWS Organizations to manage multiple AWS member accounts. All of these accounts have Amazon GuardDuty enabled in all Regions. The company's AWS Security Operations Center has a centralized security account for logging and monitoring. One of the member accounts has received an excessively high bill. A security engineer discovers that a compromised Amazon EC2 instance is being used to mine cryptocurrency. The Security Operations Center did not receive a GuardDuty finding in the central security account, but there was a GuardDuty finding in the account containing the compromised EC2 instance. The security engineer needs to ensure all GuardDuty findings are available in the security account. What should the security engineer do to resolve this issue?
Check that GuardDuty in the security account is able to assume a role in the compromised account using the GuardDuty fast findings permission. Schedule an Amazon CloudWatch Events rule and an AWS Lambda function to periodically check for GuardDuty findings
Set up an Amazon CloudWatch Events rule to forward all GuardDuty findings to the security account. Use an AWS Lambda function as a target to raise findings in AWS Security Hub
Use the aws guardduty get-members AWS CLI command in the security account to see if the account is listed. Send an invitation from GuardDuty in the security account to GuardDuty in the compromised account. Accept the invitation to forward all future GuardDuty findings.

A Security Architect has been asked to review an existing security architecture and identify why the application servers cannot successfully initiate a connection to the database servers. The following summary describes the architecture:
1. An Application Load Balancer, an internet gateway, and a NAT gateway are configured in the public subnet.
2. Database, application, and web servers are configured on three different private subnets.
3. The VPC has two route tables: one for the public subnet and one for all other subnets. The route table for the public subnet has a 0.0.0.0/0 route to the internet gateway. The route table for all other subnets has a 0.0.0.0/0 route to the NAT gateway. All private subnets can route to each other.
4. Each subnet has a network ACL implemented that limits all inbound and outbound connectivity to only the required ports and protocols.
5. There are 3 Security Groups (SGs): database, application and web. Each group limits all inbound and outbound connectivity to the minimum required.
Which of the following accurately reflects the access control mechanisms the Architect should verify?
Inbound and outbound SG configuration on database servers; inbound and outbound SG configuration on application servers; inbound network ACL configuration on the database subnet; outbound network ACL configuration on the application server subnet
Inbound SG configuration on database servers; outbound SG configuration on application servers; inbound and outbound network ACL configuration on the database subnet; inbound and outbound network ACL configuration on the application server subnet
Outbound SG configuration on database servers; inbound SG configuration on application servers; inbound and outbound network ACL configuration on the database subnet; inbound and outbound network ACL configuration on the application server subnet
Inbound SG configuration on database servers; outbound SG configuration on application servers; inbound network ACL configuration on the database subnet; outbound network ACL configuration on the application server subnet.

A company's architecture requires that its three Amazon EC2 instances run behind an Application Load Balancer (ALB). The EC2 instances transmit sensitive data between each other. Developers use SSL certificates to encrypt the traffic between the public users and the ALB. However, the Developers are unsure of how to encrypt the data in transit between the ALB and the EC2 instances and the traffic between the EC2 instances. Which combination of activities must the company implement to meet its encryption requirements? (Select TWO)
Configure SSL/TLS on the EC2 instances and configure the ALB target group to use HTTPS
Configure AWS Direct Connect to provide an encrypted tunnel between the EC2 instances
In the ALB, select the default encryption to encrypt the traffic between the ALB and the EC2 instances
Ensure that all resources are in the same VPC so the default encryption provided by the VPC is used to encrypt the traffic between the EC2 instances.
In the code for the application, include a cryptography library and encrypt the data before sending it between the EC2 instances.

Amazon CloudWatch Logs agent is successfully delivering logs to the CloudWatch Logs service. However, logs stop being delivered after the associated log stream has been active for a specific number of hours. What steps are necessary to identify the cause of this phenomenon? (Choose two.)
Ensure that file permissions for monitored files that allow the CloudWatch Logs agent to read the file have not been modified.
Verify that the OS Log rotation rules are compatible with the configuration requirements for agent streaming.
Configure an Amazon Kinesis producer to first put the logs into Amazon Kinesis Streams.
Create a CloudWatch Logs metric to isolate a value that changes at least once during the period before logging stops.
Use AWS CloudFormation to dynamically create and maintain the configuration file for the CloudWatch Logs agent.

A company plans to move most of its IT infrastructure to AWS. The company wants to leverage its existing on-premises Active Directory as an identity provider for AWS. Which steps should be taken to authenticate to AWS services using the company's on-premises Active Directory? (Choose three.)
Create IAM roles with permissions corresponding to each Active Directory group.
Create IAM groups with permissions corresponding to each Active Directory group.
Create a SAML provider with IAM.
Create a SAML provider with Amazon Cloud Directory.
Configure AWS as a trusted relying party for the Active Directory.
Configure IAM as a trusted relying party for Amazon Cloud Directory.

Which of the following are valid event sources that are associated with web access control lists that trigger AWS WAF rules? (Choose two.)
Amazon S3 static web hosting
Amazon CloudFront distribution
Application Load Balancer
Amazon Route 53
VPC Flow Logs.

A Development team has built an experimental environment to test a simple static web application. It has built an isolated VPC with a private and a public subnet. The public subnet holds only an Application Load Balancer, a NAT gateway, and an internet gateway. The private subnet holds all of the Amazon EC2 instances. There are 3 different types of servers. Each server type has its own Security Group that limits access to only required connectivity. The Security Groups have both inbound and outbound rules applied. Each subnet has both inbound and outbound network ACLs applied to limit access to only required connectivity. Which of the following should the team check if a server cannot establish an outbound connection to the internet? (Select THREE.)
The rules on any host-based firewall that may be applied on the Amazon EC2 instances
The outbound network ACL rules on the private subnet and both the inbound and outbound rules on the public subnet
The outbound network ACL rules on the private subnet and the inbound network ACL rules on the public subnet
The route tables and the outbound rules on the appropriate private subnet security group
The Security Group applied to the Application Load Balancer and NAT gateway
That the 0.0.0.0/0 route in the private subnet route table points to the internet gateway in the public subnet.

A Security Engineer is setting up a new AWS account. The Engineer has been asked to continuously monitor the company's AWS account using automated compliance checks based on AWS best practices and Center for Internet Security (CIS) AWS Foundations Benchmarks. How can the Security Engineer accomplish this using AWS services?
Enable AWS Config and set it to record all resources in all Regions and global resources. Then enable AWS Security Hub and confirm that the CIS AWS Foundations compliance standard is enabled
Enable Amazon Inspector and configure it to scan all Regions for the CIS AWS Foundations Benchmarks. Then enable AWS Security Hub and configure it to ingest the Amazon Inspector findings
Enable AWS Config and set it to record all resources in all Regions and global resources. Then enable Amazon Inspector and configure it to enforce CIS AWS Foundations Benchmarks using AWS Config rules.
Enable Amazon Inspector and configure it to scan all Regions for the CIS AWS Foundations Benchmarks. Then enable AWS Shield in all Regions to protect the account from DDoS attacks.

Your company has been using AWS for hosting EC2 Instances for their web and database applications. They want to have a compliance check to see the following: whether any ports are left open other than admin ones like SSH and RDP, and whether any ports to the database server other than ones from the web server security group are open. Which of the following can help achieve this in the easiest way possible, without carrying out any extra configuration changes? Please select:
AWS Config
AWS Trusted Advisor
AWS Inspector
AWS GuardDuty.

A Security Engineer receives alerts that an Amazon EC2 instance on a public subnet is under an SFTP brute force attack from a specific IP address, which is a known malicious bot. What should the Security Engineer do to block the malicious bot?
Add the malicious IP to AWS WAF blacklisted IPs
Configure Linux iptables or Windows Firewall to block any traffic from the malicious IP
Add a deny rule to the public VPC security group to block the malicious IP
Modify the hosted zone in Amazon Route 53 and create a DNS sinkhole for the malicious IP.

You have a bucket and a VPC defined in AWS. You need to ensure that the bucket can only be accessed by the VPC endpoint. How can you accomplish this? Please select:
Modify the security groups for the VPC to allow access to the S3 bucket
Modify the route tables to allow access for the VPC endpoint
Modify the IAM Policy for the bucket to allow access for the VPC endpoint
Modify the bucket Policy for the bucket to allow access for the VPC endpoint.

A company is using AWS Organizations to manage multiple AWS accounts. The company has an application that allows users to assume the AppUser IAM role to download files from an Amazon S3 bucket that is encrypted with an AWS KMS CMK. However, when users try to access the files in the S3 bucket they get an access denied error. What should a Security Engineer do to troubleshoot this error? (Select THREE)
Ensure the SCPs within Organizations allow access to the S3 bucket.
Ensure the KMS policy allows the AppUser role to have permission to decrypt for the CMK
Ensure the S3 block public access feature is enabled for the S3 bucket.
Ensure the CMK was created before the S3 bucket.
Ensure the S3 bucket policy allows the AppUser role to have permission to get objects for the S3 bucket
Ensure that automatic key rotation is disabled for the CMK.

A company has several Customer Master Keys (CMK), some of which have imported key material. Each CMK must be rotated annually. What two methods can the security team use to rotate each key? Select 2 answers from the options given below. Please select:
Enable automatic key rotation for a CMK
Import new key material to an existing CMK
Use the CLI or console to explicitly rotate an existing CMK
Import new key material to a new CMK; point the key alias to the new CMK.
Delete an existing CMK and a new default CMK will be created.

An organization has a system in AWS that allows a large number of remote workers to submit data files. File sizes vary from a few kilobytes to several megabytes. A recent audit highlighted a concern that data files are not encrypted while in transit over untrusted networks. Which solution would remediate the audit finding while minimizing the effort required?
Use AWS Certificate Manager to provision a certificate on an Elastic Load Balancing in front of the web service's servers.
Create a new VPC with an Amazon VPC VPN endpoint, and update the web service's DNS record.
Call KMS.Encrypt() in the client, passing in the data file contents, and call KMS.Decrypt() server-side.
Upload an SSL certificate to IAM, and configure Amazon CloudFront with the passphrase for the private key.

During a recent internal investigation, it was discovered that all API logging was disabled in a production account, and the root user had created new API keys that appear to have been used several times. What could have been done to detect and automatically remediate the incident?
Using Amazon Inspector, review all of the API calls and configure the inspector agent to leverage SNS topics to notify security of the change to AWS CloudTrail, and revoke the new API keys for the root user.
Using AWS Config, create a config rule that detects when AWS CloudTrail is disabled, as well as any calls to the root user create-api-key. Then use a Lambda function to re-enable CloudTrail logs and deactivate the root API keys.
Using Amazon CloudWatch, create a CloudWatch event that detects AWS CloudTrail deactivation and a separate Amazon Trusted Advisor check to automatically detect the creation of root API keys. Then use a Lambda function to enable AWS CloudTrail and deactivate the root API keys.
Using Amazon CloudTrail, create a new CloudTrail event that detects the deactivation of CloudTrail logs, and a separate CloudTrail event that detects the creation of root API keys. Then use a Lambda function to enable CloudTrail and deactivate the root API keys.

A company's on-premises data center forwards DNS logs to a third-party security information and event management (SIEM) solution that alerts on suspicious behavior. The company wants to introduce a similar capability to its AWS accounts that includes automatic remediation. The company expects to double in size within the next few months. Which solution meets the company's current and future logging requirements?
Ingest all AWS CloudTrail logs, VPC Flow Logs, and DNS logs into a single Amazon S3 bucket in a designated security account. Launch an Amazon EC2 instance and install the current SIEM to monitor the logs and send a notification to an Amazon SNS topic to alert the security team of remediation steps.
Ingest all AWS CloudTrail logs, VPC Flow Logs, and DNS logs into a single Amazon S3 bucket in a designated security account. Use the current on-premises SIEM to monitor the logs and send a notification to an Amazon SNS topic to alert the security team of remediation steps.
Enable Amazon GuardDuty and AWS Security Hub in all Regions and all accounts. Designate a master security account to receive all alerts from the child accounts. Set up specific rules within Amazon EventBridge to trigger an AWS Lambda function for remediation steps.
Enable Amazon GuardDuty and AWS Security Hub in all Regions and all accounts. Designate a master security account to receive all alerts from the child accounts. Create an AWS Organizations SCP that denies access to certain API calls that are on an ignore list.

A Security Engineer received an AWS Abuse Notice listing EC2 instance IDs that are reportedly abusing other hosts. Which action should the Engineer take based on this situation? (Choose three.)
Revoke all network ingress and egress except for to/from a forensics workstation.
Use AWS Artifact to capture an exact image of the state of each instance.
Log in to each instance with administrative credentials to restart the instance.
Capture a memory dump.
Create EBS Snapshots of each of the volumes attached to the compromised instances.
Run Auto Recovery for Amazon EC2.

The Security Engineer is managing a traditional three-tier web application that is running on Amazon EC2 instances. The application has become the target of increasing numbers of malicious attacks from the Internet. What steps should the Security Engineer take to check for known vulnerabilities and limit the attack surface? (Choose two.)
Use AWS Key Management Services to encrypt all the traffic between the client and application servers.
Review the application security groups to ensure that only the necessary ports are open.
Use Elastic Load Balancing to offload Secure Sockets Layer encryption.
Use AWS Certificate Manager to encrypt all traffic between the client and application servers.
Use Amazon Inspector to periodically scan the backend instances.

An enterprise wants to use a third-party SaaS application. The SaaS application needs to have access to issue several API commands to discover Amazon EC2 resources running within the enterprise's account. The enterprise has internal security policies that require any outside access to their environment to conform to the principle of least privilege, and there must be controls in place to ensure that the credentials used by the SaaS vendor cannot be used by any other third party. Which of the following would meet all of these conditions? Please select:
From the AWS Management Console, navigate to the Security Credentials page and retrieve the access and secret key for your account.
Create an IAM user within the enterprise account, assign a user policy to the IAM user that allows only the actions required by the SaaS application. Create a new access and secret key for the user and provide these credentials to the SaaS provider.
Create an IAM role for cross-account access that allows the SaaS provider's account to assume the role, and assign it a policy that allows only the actions required by the SaaS application.
Create an IAM role for EC2 instances, assign it a policy that allows only the actions required for the SaaS application to work, and provide the role ARN to the SaaS provider to use when launching their application instances.

You have several S3 buckets defined in your AWS account. You need to give access to external AWS accounts to these S3 buckets. Which of the following can allow you to define the permissions for the external accounts? Choose 2 answers from the options given below. Please select:
IAM policies
Bucket ACLs
IAM users
Bucket policies.

A user has enabled versioning on an S3 bucket. The user is using server-side encryption for data at rest. If the user is supplying his own keys for encryption (SSE-C), which of the below mentioned statements is true? Please select:
The user should use the same encryption key for all versions of the same object
It is possible to have different encryption keys for different versions of the same object
AWS S3 does not allow the user to upload his own keys for server-side encryption
SSE-C does not work when versioning is enabled.

A company's development team is designing an application using AWS Lambda and Amazon Elastic Container Service (Amazon ECS). The development team needs to create IAM roles to support these systems. The company's security team wants to allow the developers to build IAM roles directly, but the security team wants to retain control over the permissions the developers can delegate to those roles. The development team needs access to more permissions than those required for the application's AWS services. The solution must minimize management overhead. How should the security team prevent privilege escalation for both teams?
Enable AWS CloudTrail. Create a Lambda function that monitors the event history for privilege escalation events and notifies the security team.
Create a managed IAM policy for the permissions required. Reference the IAM policy as a permissions boundary within the development team's IAM role.
Create an IAM policy with a deny on the IAM CreateUser action and assign the policy to the development team.
Use a ticket system to allow the developers to request new IAM roles for their applications. The IAM roles will then be created by the security team.
Enable AWS Organizations. Create an SCP that allows the IAM CreateUser action but that has a condition that prevents API calls other than those required by the development team.

A company is using a Redshift cluster to store their data warehouse. There is a requirement from the Internal IT Security team to ensure that data gets encrypted for the Redshift database. How can this be achieved? Please select:
Encrypt the EBS volumes of the underlying EC2 Instances
Use AWS KMS Customer Default master key
Use SSL/TLS for encrypting the data
Use S3 Encryption.

You have an EC2 instance with the following security configured:
a. ICMP inbound allowed on Security Group
b. ICMP outbound not configured on Security Group
c. ICMP inbound allowed on Network ACL
d. ICMP outbound denied on Network ACL
If Flow Logs are enabled for the instance, which of the following flow records will be recorded? Choose 3 answers from the options given below. Please select:
An ACCEPT record for the request based on the Security Group
An ACCEPT record for the request based on the NACL
A REJECT record for the response based on the Security Group
A REJECT record for the response based on the NACL.

A company uses a third-party application to store encrypted data in Amazon S3. The company uses another third-party application that decrypts the data from Amazon S3 to ensure separation of duties between the applications. A Security Engineer wants to separate the permissions using IAM roles attached to Amazon EC2 instances. The company prefers to use native AWS services. Which encryption method will meet these requirements?
- Use server-side encryption with Amazon S3 managed keys (SSE-S3)
- Use server-side encryption with AWS KMS managed keys (SSE-KMS)
- Use server-side encryption with customer-provided keys (SSE-C)
- Use encrypted Amazon EBS volumes with Amazon default keys (AWS EBS).

An application has been written that publishes custom metrics to Amazon CloudWatch. Recently, IAM changes have been made on the account and the metrics are no longer being reported. Which of the following is the LEAST permissive solution that will allow the metrics to be delivered?
- Add a statement to the IAM policy used by the application to allow logs:putLogEvents and logs:createLogStream
- Modify the IAM role used by the application by adding the CloudWatchFullAccess managed policy.
- Add a statement to the IAM policy used by the application to allow cloudwatch:putMetricData.
- Add a trust relationship to the IAM role used by the application for cloudwatch.amazonaws.com.

Your company has an external web site. This web site needs to access the objects in an S3 bucket. Which of the following would allow the web site to access the objects in the most secure manner? Please select:
- Use the aws:sites key in the condition clause for the bucket policy
- Grant public access for the bucket via the bucket policy
- Grant a role that can be assumed by the web site
- Use the aws:Referer key in the condition clause for the bucket policy.
An example of this is given in the AWS Documentation: Restricting Access to a Specific HTTP Referrer.

You need to create a Linux EC2 instance in AWS. Which of the following steps is used to ensure secure authentication to the EC2 instance from a Windows machine? Choose 2 answers from the options given below. Please select:
- Ensure to create a strong password for logging into the EC2 Instance
- Create a key pair using PuTTY
- Use the private key to log into the instance
- Ensure the password is passed securely using SSL.

A security engineer needs to configure monitoring and auditing for AWS Lambda. Which combination of actions using AWS services should the security engineer take to accomplish this goal? (Select TWO.)
- Use AWS Resource Access Manager to track configuration changes to Lambda functions, runtime environments, tags, handler names, code sizes, memory allocation, timeout settings, and concurrency settings, along with Lambda IAM execution role, subnet, and security group associations.
- Use AWS Config to track configuration changes to Lambda functions, runtime environments, tags, handler names, code sizes, memory allocation, timeout settings, and concurrency settings, along with Lambda IAM execution role, subnet, and security group associations.
- Use AWS CloudTrail to implement governance, compliance, operational, and risk auditing for Lambda.
- Use Amazon Macie to discover, classify, and protect sensitive data being executed inside the Lambda function.
- Use Amazon Inspector to automatically monitor for vulnerabilities and perform governance, compliance, operational, and risk auditing for Lambda.

Unapproved changes were previously made to a company's Amazon S3 bucket. A security engineer configured AWS Config to record configuration changes made to the company's S3 buckets. The engineer discovers there are S3 configuration changes being made, but no Amazon SNS notifications are being sent. The engineer has already checked the configuration of the SNS topic and has confirmed the configuration is valid. Which combination of steps should the security engineer take to resolve the issue? (Select TWO.)
- Configure the S3 bucket ACLs to allow AWS Config to record changes to the buckets.
- Verify the security engineer's IAM user has an attached policy that allows all AWS Config actions.
- Assign the AWSConfigRole managed policy to the AWS Config role
- Attach the AmazonS3ReadOnlyAccess managed policy to the IAM user.
- Configure policies attached to S3 buckets to allow AWS Config to record changes to the buckets.

A company has contracted with a third party to audit several AWS accounts. To enable the audit, cross-account IAM roles have been created in each account targeted for audit. The Auditor is having trouble accessing some of the accounts. Which of the following may be causing this problem? (Choose three.)
- The external ID used by the Auditor is missing or incorrect.
- The Auditor is using the incorrect password.
- The Auditor has not been granted sts:AssumeRole for the role in the destination account
- The Amazon EC2 role used by the Auditor must be set to the destination account role.
- The secret key used by the Auditor is missing or incorrect.
- The role ARN used by the Auditor is missing or incorrect.

Your team is experimenting with the API Gateway service for an application. There is a need to implement a custom module which can be used for authentication/authorization for calls made to the API Gateway. How can this be achieved? Please select:
- Use the request parameters for authorization
- Use a Lambda authorizer
- Use the gateway authorizer
- Use CORS on the API Gateway.

A developer signed in to a new account within an AWS Organizations organizational unit (OU) containing multiple accounts. Access to the Amazon S3 service is restricted with the following SCP. How can the security engineer provide the developer with Amazon S3 access without affecting other accounts?
- Create a new OU without applying the SCP restricting S3 access. Move the developer account to this new OU.
- Add an IAM policy for the developer, which grants S3 access.
- Move the SCP to the root OU of the organization to remove the restriction to access Amazon S3.
- Add an allow list for the developer account for the S3 service.

A Security Engineer noticed an anomaly within a company EC2 instance as shown in the image. The Engineer must now investigate what is causing the anomaly. What are the MOST effective steps to take to ensure that the instance is not further manipulated while allowing the Engineer to understand what happened?
- Remove the instance from the Auto Scaling group and the Elastic Load Balancer. Place the instance within an isolation security group, launch an EC2 instance with a forensic toolkit, and allow the forensic toolkit image to connect to the suspicious instance to perform the investigation.
- Remove the instance from the Auto Scaling group. Place the instance within an isolation security group, launch an EC2 instance with a forensic toolkit and use the forensic toolkit image to deploy an ENI as a network span port to inspect all traffic coming from the suspicious instance.
- Remove the instance from the Auto Scaling group. Place the instance within an isolation security group, detach the EBS volume, launch an EC2 instance with a forensic toolkit and attach the EBS volume to investigate.
- Remove the instance from the Auto Scaling group and the Elastic Load Balancer. Place the instance within an isolation security group, make a copy of the EBS volume from a new snapshot, launch an EC2 instance with a forensic toolkit and attach the copy of the EBS volume to investigate.

A security alert has been raised for an Amazon EC2 instance in a customer account that is exhibiting strange behavior. The Security Engineer must first isolate the EC2 instance and then use tools for further investigation. What should the Security Engineer use to isolate and research this event? (Choose three.)
- AWS CloudTrail
- Amazon Athena
- AWS Key Management Service (AWS KMS)
- VPC Flow Logs
- AWS Firewall Manager
- Security groups.

A security engineer must develop an encryption tool for a company. The company requires a cryptographic solution that supports the ability to perform cryptographic erasure on all resources protected by the key material in 15 minutes or less. Which AWS Key Management Service (AWS KMS) key solution will allow the security engineer to meet these requirements?
- Use an AWS KMS CMK
- Use an AWS KMS customer managed CMK
- Use an AWS managed CMK.
- Use imported key material with CMK.

A Security Engineer discovered a vulnerability in an application running on Amazon ECS. The vulnerability allowed attackers to install malicious code. Analysis of the code shows it exfiltrates data on port 5353 in batches at random time intervals. While the code of the containers is being patched, how can Engineers quickly identify all compromised hosts and stop the egress of data on port 5353?
- Enable Amazon Inspector on Amazon ECS and configure a custom assessment to evaluate containers that have port 5353 open. Update the NACLs to block port 5353 outbound.
- Use Amazon Athena to query AWS CloudTrail logs in Amazon S3 and look for any traffic on port 5353. Update the security groups to block port 5353 outbound.
- Create an Amazon CloudWatch custom metric on the VPC Flow Logs identifying egress traffic on port 5353. Update the NACLs to block port 5353 outbound.
- Enable AWS Shield Advanced and AWS WAF. Configure an AWS WAF custom filter for egress traffic on port 5353.

Which approach will generate automated security alerts should too many unauthorized AWS API requests be identified?
- Create an Amazon CloudWatch metric filter that looks for API call error codes and then implement an alarm based on that metric's rate.
- Configure AWS CloudTrail to stream event data to Amazon Kinesis. Configure an AWS Lambda function on the stream to alarm when the threshold has been exceeded.
- Run an Amazon Athena SQL query against CloudTrail log files. Use Amazon QuickSight to create an operational dashboard.
- Use the Amazon Personal Health Dashboard to monitor the account's use of AWS services, and raise an alert if service error rates increase.

A pharmaceutical company has digitized versions of historical prescriptions stored on premises. The company would like to move these prescriptions to AWS and perform analytics on the data in them. Any operation with this data requires that the data be encrypted in transit and at rest. Which application flow would meet the data protection requirements on AWS?
- Digitized files -> Amazon Kinesis Data Firehose -> Amazon S3 -> Amazon Athena
- Digitized files -> Amazon Kinesis Data Streams -> Kinesis Client Library consumer -> Amazon S3 -> Athena
- Digitized files -> Amazon Kinesis Data Analytics
- Digitized files -> Amazon Kinesis Data Firehose -> Amazon Elasticsearch.

You are planning on hosting a web application on AWS. You create an EC2 Instance in a public subnet. This instance needs to connect to an EC2 Instance that will host an Oracle database. Which of the following steps should be followed to ensure a secure setup is in place? Select 2 answers. Please select:
- Place the EC2 Instance with the Oracle database in the same public subnet as the web server for faster communication
- Place the EC2 Instance with the Oracle database in a separate private subnet
- Create a database security group and ensure the web security group is allowed incoming access
- Ensure the database security group allows incoming traffic from 0.0.0.0/0.

A company continually generates sensitive records that it stores in an S3 bucket. All objects in the bucket are encrypted using SSE-KMS using one of the company's CMKs. Company compliance policies require that no more than one month of data be encrypted using the same encryption key. What solution below will meet the company's requirements? Please select:
- Trigger a Lambda function with a monthly CloudWatch event that creates a new CMK and updates the S3 bucket to use the new CMK.
- Configure the CMK to rotate the key material every month.
- Trigger a Lambda function with a monthly CloudWatch event that creates a new CMK, updates the S3 bucket to use the new CMK, and deletes the old CMK.
- Trigger a Lambda function with a monthly CloudWatch event that rotates the key material in the CMK.

A security engineer is designing an incident response plan to address the risk of a compromised Amazon EC2 instance. The plan must recommend a solution to meet the following requirements:
* A trusted forensic environment must be provisioned
* Automated response processes must be orchestrated
Which AWS services should be included in the plan? (Select TWO.)
- Amazon Macie
- Amazon GuardDuty
- Amazon Inspector
- AWS Step Functions
- AWS CloudFormation.

A company has a VPC with several Amazon EC2 instances behind a NAT gateway. The company's security policy states that all network traffic must be logged and must include the original source and destination IP addresses. The existing VPC Flow Logs do not include this information. A security engineer needs to recommend a solution. Which combination of steps should the security engineer recommend? (Select TWO.)
- Change the destination to Amazon CloudWatch Logs.
- Include the subnet-id and instance-id fields in the log format.
- Include the pkt-srcaddr and pkt-dstaddr fields in the log format.
- Edit the existing VPC Flow Logs. Change the log format of the VPC Flow Logs from the Amazon default format to a custom format.
- Delete and recreate the existing VPC Flow Logs. Change the log format of the VPC Flow Logs from the Amazon default format to a custom format.

A large government organization is moving to the cloud and has specific encryption requirements. The first workload to move requires that a customer's data be immediately destroyed when the customer makes that request. Management has asked the security team to provide a solution that will securely store the data, allow only authorized applications to perform encryption and decryption, and allow for immediate destruction of the data. Which solution will meet these requirements?
- Use AWS Key Management Service (AWS KMS) with service-managed keys to generate and store customer-specific data encryption keys
- Use AWS Secrets Manager and an AWS SDK to create a unique secret for the customer-specific data
- Use AWS Key Management Service (AWS KMS) and create an AWS CloudHSM custom key store. Use CloudHSM to generate and store a new CMK for each customer.
- Use AWS Key Management Service (AWS KMS) and the AWS Encryption SDK to generate and store a data encryption key for each customer.

A threat assessment has identified a risk whereby an internal employee could exfiltrate sensitive data from a production host running inside AWS (Account 1). The threat was documented as follows:
Threat description: A malicious actor could upload sensitive data from Server X by configuring credentials for an AWS account (Account 2) they control and uploading data to an Amazon S3 bucket within their control. Server X has outbound internet access configured via a proxy server. Legitimate access to S3 is required so that the application can upload encrypted files to an S3 bucket. Server X is currently using an IAM instance role. The proxy server is not able to inspect any of the server communication due to TLS encryption.
Which of the following options will mitigate the threat? (Choose two.)
- Configure Network ACLs on Server X to deny access to S3 endpoints.
- Remove the IAM instance role from the application server and save API access keys in a trusted and encrypted application config file.
- Bypass the proxy and use an S3 VPC endpoint with a policy that whitelists only certain S3 buckets within Account 1.
- Block outbound access to public S3 endpoints on the proxy server.
- Modify the S3 bucket policy for the legitimate bucket to allow access only from the public IP addresses associated with the application server.

An IAM user with full EC2 permissions could not start an Amazon EC2 instance after it was stopped for a maintenance task. Upon starting the instance, the instance state would change to "Pending", but after a few seconds, it would switch back to "Stopped". An inspection revealed that the instance has attached Amazon EBS volumes that were encrypted by using a Customer Master Key (CMK). When these encrypted volumes were detached, the IAM user was able to start the EC2 instances. The IAM user policy is as follows:
- kms:GenerateDataKey
- kms:Decrypt
- kms:CreateGrant
- "Condition": {"Bool": {"kms:ViaService": "ec2.us-west-2.amazonaws.com"}}
- "Condition": {"Bool": {"kms:GrantIsForAWSResource": true}}.

A Security Engineer is working with the development team to design a supply chain application that stores sensitive inventory data in an Amazon S3 bucket. The application will use an AWS KMS customer master key (CMK) to encrypt the data on Amazon S3. The inventory data on Amazon S3 will be shared with vendors. All vendors will use AWS principals from their own AWS accounts to access the data on Amazon S3. The vendor list may change weekly, and the solution must support cross-account access. What is the MOST efficient way to manage access control for the KMS CMK?
- Use delegated access across AWS accounts by using IAM roles to manage key access. Programmatically update the IAM trust policy to manage cross-account vendor access.
- Use an IAM role to manage key access. Programmatically update the IAM role policies to manage vendor access.
- Use KMS key policies to manage key access. Programmatically update the KMS key policies to manage vendor access.
- Use KMS grants to manage key access. Programmatically create and revoke grants to manage vendor access.

A company will store sensitive documents in three Amazon S3 buckets based on a data classification scheme of "Sensitive," "Confidential," and "Restricted." The security solution must meet all of the following requirements:
* Each object must be encrypted using a unique key.
* Items that are stored in the "Restricted" bucket require two-factor authentication for decryption.
* AWS KMS must automatically rotate encryption keys annually.
Which of the following meets these requirements?
- Create a Customer Master Key (CMK) for each data classification type, and enable the rotation of it annually. For the "Restricted" CMK, define the MFA policy within the key policy. Use S3 SSE-KMS to encrypt the objects.
- Create a CMK grant for each data classification type with EnableKeyRotation and MultiFactorAuthPresent set to true. S3 can then use the grants to encrypt each object with a unique CMK.
- Create a CMK for each data classification type, and within the CMK policy, enable rotation of it annually, and define the MFA policy. S3 can then create DEK grants to uniquely encrypt each object within the S3 bucket.
- Create a CMK with unique imported key material for each data classification type, and rotate them annually. For the "Restricted" key material, define the MFA policy in the key policy. Use S3 SSE-KMS to encrypt the objects.

Your company is planning on using AWS EC2 and ELB for deployment of their web applications. The security policy mandates that all traffic should be encrypted. Which of the following options will ensure that this requirement is met? Choose 2 answers from the options below. Please select:
- Ensure the load balancer listens on port 80
- Ensure the load balancer listens on port 443
- Ensure the HTTPS listener sends requests to the instances on port 443
- Ensure the HTTPS listener sends requests to the instances on port 80
The AWS Documentation mentions the following: You can create a load balancer that listens on both the HTTP (80) and HTTPS (443) ports. If you specify that the HTTPS listener sends requests to the instances on port 80, the load balancer terminates the requests and communication from the load balancer to the instances is not encrypted. If the HTTPS listener sends requests to the instances on port 443, communication from the load balancer to the instances is encrypted.

A company has a serverless application for internal users deployed on AWS. The application uses AWS Lambda for the front end and for business logic. The Lambda function accesses an Amazon RDS database inside a VPC. The company uses AWS Systems Manager Parameter Store for storing database credentials. A recent security review highlighted the following issues:
* The Lambda function has internet access.
* The relational database is publicly accessible.
* The database credentials are not stored in an encrypted state.
Which combination of steps should the company take to resolve these security issues? (Select THREE.)
- Create a VPC endpoint for Systems Manager. Store the credentials as a SecureString parameter.
- Move all the Lambda functions inside the VPC. Edit the IAM role used by Lambda to restrict internet access.
- Create a VPC endpoint for Systems Manager. Store the credentials as a string parameter. Change the parameter type to an advanced parameter.
- Disable public access to the RDS database inside the VPC
- Edit the IAM role used by Lambda to restrict internet access.

A security engineer must ensure that all infrastructure launched in the company AWS account be monitored for deviation from compliance rules, specifically that all EC2 instances are launched from one of a specified list of AMIs and that all attached EBS volumes are encrypted. Infrastructure not in compliance should be terminated. What combination of steps should the Engineer implement? Select 2 answers from the options given below. Please select:
- Set up a CloudWatch event based on Trusted Advisor metrics
- Trigger a Lambda function from a scheduled CloudWatch event that terminates non-compliant infrastructure.
- Set up a CloudWatch event based on Amazon Inspector findings
- Monitor compliance with AWS Config Rules triggered by configuration changes
- Trigger a CLI command from a CloudWatch event that terminates the infrastructure
You can use AWS Config to monitor for such events. Option A is invalid because you cannot set CloudWatch events based on Trusted Advisor checks.

A Security Engineer is building a Java application that is running on Amazon EC2. The application communicates with an Amazon RDS instance and authenticates with a user name and password. Which combination of steps can the Engineer take to protect the credentials and minimize downtime when the credentials are rotated? (Choose two.)
- Configure the Java application to catch a connection failure and make a call to AWS Secrets Manager to retrieve updated credentials when the password is rotated. Grant permission to the instance role associated with the EC2 instance to access Secrets Manager.
- Have a Database Administrator encrypt the credentials and store the ciphertext in Amazon S3. Grant permission to the instance role associated with the EC2 instance to read the object and decrypt the ciphertext.
- Configure a scheduled job that updates the credential in AWS Systems Manager Parameter Store and notifies the Engineer that the application needs to be restarted.
- Configure automatic rotation of credentials in AWS Secrets Manager.
- Store the credential in an encrypted string parameter in AWS Systems Manager Parameter Store. Grant permission to the instance role associated with the EC2 instance to access the parameter and the AWS KMS key that is used to encrypt it.