SCS-C01

The Security team believes that a former employee may have gained unauthorized access to AWS resources sometime in the past 3 months by using an identified access key. What approach would enable the Security team to find out what the former employee may have done within AWS?. Use the AWS CloudTrail console to search for user activity. Use the Amazon CloudWatch Logs console to filter CloudTrail data by user. Use AWS Config to see what actions were taken by the user. Use Amazon Athena to query CloudTrail logs stored in Amazon S3.

A company is storing data in Amazon S3 Glacier. The security engineer implemented a new vault lock policy for 10TB of data and called initiate-vault-lock operation 12 hours ago. The audit team identified a typo in the policy that is allowing unintended access to the vault. What is the MOST cost-effective way to correct this?. Call the abort-vault-lock operation. Update the policy. Call the initiate-vault-lock operation again. Copy the vault data to a new S3 bucket. Delete the vault. Create a new vault with the data. Update the policy to keep the vault lock in place. Update the policy. Call initiate-vault-lock operation again to apply the new policy.

A company wants to control access to its AWS resources by using identities and groups that are defined in its existing Microsoft Active Directory. What must the company create in its AWS account to map permissions for AWS services to Active Directory user attributes?. AWS IAM groups. AWS IAM users. AWS IAM roles. AWS IAM access keys.

A company has contracted with a third party to audit several AWS accounts. To enable the audit, cross-account IAM roles have been created in each account targeted for audit. The Auditor is having trouble accessing some of the accounts. Which of the following may be causing this problem? (Choose three.). The external ID used by the Auditor is missing or incorrect. The Auditor is using the incorrect password. The Auditor has not been granted sts:AssumeRole for the role in the destination account. The Amazon EC2 role used by the Auditor must be set to the destination account role. The secret key used by the Auditor is missing or incorrect. The role ARN used by the Auditor is missing or incorrect.

Compliance requirements state that all communications between company on-premises hosts and EC2 instances be encrypted in transit. Hosts use custom proprietary protocols for their communication, and EC2 instances need to be fronted by a load balancer for increased availability. Which of the following solutions will meet these requirements?. Offload SSL termination onto an SSL listener on a Classic Load Balancer, and use a TCP connection between the load balancer and the EC2 instances. Route all traffic through a TCP listener on a Classic Load Balancer, and terminate the TLS connection on the EC2 instances. Create an HTTPS listener using an Application Load Balancer, and route all of the communication through that load balancer. Offload SSL termination onto an SSL listener using an Application Load Balancer, and re-spawn and SSL connection between the load balancer and the EC2 instances.

An application is currently secured using network access control lists and security groups. Web servers are located in public subnets behind an Application Load Balancer (ALB); application servers are located in private subnets. How can edge security be enhanced to safeguard the Amazon EC2 instances against attack? (Choose two.). Configure the application's EC2 instances to use NAT gateways for all inbound traffic. Move the web servers to private subnets without public IP addresses. Configure AWS WAF to provide DDoS attack protection for the ALB. Require all inbound network traffic to route through a bastion host in the private subnet. Require all inbound and outbound network traffic to route through an AWS Direct Connect connection.

A Security Administrator is restricting the capabilities of company root user accounts. The company uses AWS Organizations and has enabled it for all feature sets, including consolidated billing. The top-level account is used for billing and administrative purposes, not for operational AWS resource purposes. How can the Administrator restrict usage of member root user accounts across the organization?. Disable the use of the root user account at the organizational root. Enable multi-factor authentication of the root user account for each organizational member account. Configure IAM user policies to restrict root account capabilities for each Organizations member account. Create an organizational unit (OU) in Organizations with a service control policy that controls usage of the root user. Add all operational accounts to the new OU. Configure AWS CloudTrail to integrate with Amazon CloudWatch Logs and then create a metric filter for RootAccountUsage.

A Systems Engineer has been tasked with configuring outbound mail through Simple Email Service (SES) and requires compliance with current TLS standards. The mail application should be configured to connect to which of the following endpoints and corresponding ports?. email.us-east-1.amazonaws.com over port 8080. email-pop3.us-east-1.amazonaws.com over port 995. email-smtp.us-east-1.amazonaws.com over port 587. email-imap.us-east-1.amazonaws.com over port 993.

A threat assessment has identified a risk whereby an internal employee could exfiltrate sensitive data from production host running inside AWS (Account 1). The threat was documented as follows: Threat description: A malicious actor could upload sensitive data from Server X by configuring credentials for an AWS account (Account 2) they control and uploading data to an Amazon S3 bucket within their control. Server X has outbound internet access configured via a proxy server. Legitimate access to S3 is required so that the application can upload encrypted files to an S3 bucket. Server X is currently using an IAM instance role. The proxy server is not able to inspect any of the server communication due to TLS encryption. Which of the following options will mitigate the threat? (Choose two.). Bypass the proxy and use an S3 VPC endpoint with a policy that whitelists only certain S3 buckets within Account 1. Block outbound access to public S3 endpoints on the proxy server. Configure Network ACLs on Server X to deny access to S3 endpoints. Modify the S3 bucket policy for the legitimate bucket to allow access only from the public IP addresses associated with the application server. Remove the IAM instance role from the application server and save API access keys in a trusted and encrypted application config file.

A company will store sensitive documents in three Amazon S3 buckets based on a data classification scheme of ג€Sensitive,ג€ ג€Confidential,ג€ and ג€Restricted.ג€ The security solution must meet all of the following requirements: ✑ Each object must be encrypted using a unique key. ✑ Items that are stored in the ג€Restrictedג€ bucket require two-factor authentication for decryption. ✑ AWS KMS must automatically rotate encryption keys annually. Which of the following meets these requirements?. Create a Customer Master Key (CMK) for each data classification type, and enable the rotation of it annually. For the ג€Restrictedג€ CMK, define the MFA policy within the key policy. Use S3 SSE-KMS to encrypt the objects. Create a CMK grant for each data classification type with EnableKeyRotation and MultiFactorAuthPresent set to true. S3 can then use the grants to encrypt each object with a unique CMK. Create a CMK for each data classification type, and within the CMK policy, enable rotation of it annually, and define the MFA policy. S3 can then create DEK grants to uniquely encrypt each object within the S3 bucket. Create a CMK with unique imported key material for each data classification type, and rotate them annually. For the ג€Restrictedג€ key material, define the MFA policy in the key policy. Use S3 SSE-KMS to encrypt the objects.

An organization wants to deploy a three-tier web application whereby the application servers run on Amazon EC2 instances. These EC2 instances need access to credentials that they will use to authenticate their SQL connections to an Amazon RDS DB instance. Also, AWS Lambda functions must issue queries to the RDS database by using the same database credentials. The credentials must be stored so that the EC2 instances and the Lambda functions can access them. No other access is allowed. The access logs must record when the credentials were accessed and by whom. What should the Security Engineer do to meet these requirements?. Store the database credentials in AWS Key Management Service (AWS KMS). Create an IAM role with access to AWS KMS by using the EC2 and Lambda service principals in the role's trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances. Set up Lambda to use the new role for execution. Store the database credentials in AWS KMS. Create an IAM role with access to KMS by using the EC2 and Lambda service principals in the role's trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances and the Lambda function. Store the database credentials in AWS Secrets Manager. Create an IAM role with access to Secrets Manager by using the EC2 and Lambda service principals in the role's trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances and the Lambda function. Store the database credentials in AWS Secrets Manager. Create an IAM role with access to Secrets Manager by using the EC2 and Lambda service principals in the role's trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances. Set up Lambda to use the new role for execution.

A company has a customer master key (CMK) with imported key materials. Company policy requires that all encryption keys must be rotated every year. What can be done to implement the above policy?. Enable automatic key rotation annually for the CMK. Use AWS Command Line Interface to create an AWS Lambda function to rotate the existing CMK annually. Import new key material to the existing CMK and manually rotate the CMK. Create a new CMK, import new key material to it, and point the key alias to the new CMK.

A water utility company uses a number of Amazon EC2 instances to manage updates to a fleet of 2,000 Internet of Things (IoT) field devices that monitor water quality. These devices each have unique access credentials. An operational safety policy requires that access to specific credentials is independently auditable. What is the MOST cost-effective way to manage the storage of credentials?. Use AWS Systems Manager to store the credentials as Secure Strings Parameters. Secure by using an AWS KMS key. Use AWS Key Management System to store a master key, which is used to encrypt the credentials. The encrypted credentials are stored in an Amazon RDS instance. Use AWS Secrets Manager to store the credentials. Store the credentials in a JSON file on Amazon S3 with server-side encryption.

An organization is using Amazon CloudWatch Logs with agents deployed on its Linux Amazon EC2 instances. The agent configuration files have been checked and the application log files to be pushed are configured correctly. A review has identified that logging from specific instances is missing. Which steps should be taken to troubleshoot the issue? (Choose two.). Use an EC2 run command to confirm that the ג€awslogsג€ service is running on all instances. Verify that the permissions used by the agent allow creation of log groups/streams and to put log events. Check whether any application log entries were rejected because of invalid time stamps by reviewing /var/cwlogs/rejects.log. Check that the trust relationship grants the service ג€cwlogs.amazonaws.comג€ permission to write objects to the Amazon S3 staging bucket. Verify that the time zone on the application servers is in UTC.

A Security Engineer must design a solution that enables the incident Response team to audit for changes to a user's IAM permissions in the case of a security incident. How can this be accomplished?. Use AWS Config to review the IAM policy assigned to users before and after the incident. Run the GenerateCredentialReport via the AWS CLI, and copy the output to Amazon S3 daily for auditing purposes. Copy AWS CloudFormation templates to S3, and audit for changes from the template. Use Amazon EC2 Systems Manager to deploy images, and review AWS CloudTrail logs for changes.

A company has complex connectivity rules governing ingress, egress, and communications between Amazon EC2 instances. The rules are so complex that they cannot be implemented within the limits of the maximum number of security groups and network access control lists (network ACLs). What mechanism will allow the company to implement all required network rules without incurring additional cost?. Configure AWS WAF rules to implement the required rules. Use the operating system built-in, host-based firewall to implement the required rules. Use a NAT gateway to control ingress and egress according to the requirements. Launch an EC2-based firewall product from the AWS Marketplace, and implement the required rules in that product.

An IAM user with fill EC2 permissions could bot start an Amazon EC2 instance after it was stopped for a maintenance task. Upon starting the instance, the instance state would change to ג€Pendingג€, but after a few seconds, it would switch back to ג€Stoppedג€. An inspection revealed that the instance has attached Amazon EBS volumes that were encrypted by using a Customer Master Key (CMK). When these encrypted volumes were detached, the IAM user was able to start the EC2 instances. The IAM user policy is as follows: What additional items need to be added to the IAM user policy? (Choose two.). kms:GenerateDataKey. kms:Decrypt. kms:CreateGrant. ג€Conditionג€: { ג€Boolג€: { ג€kms:ViaServiceג€: ג€ec2.us-west-2.amazonaws.comג€ } }. ג€Conditionג€: { ג€Boolג€: { ג€kms:GrantIsForAWSResourceג€: true } }.

A Security Administrator has a website hosted in Amazon S3. The Administrator has been given the following requirements: ✑ Users may access the website by using an Amazon CloudFront distribution. ✑ Users may not access the website directly by using an Amazon S3 URL. Which configurations will support these requirements? (Choose two.). Associate an origin access identity with the CloudFront distribution. Implement a ג€Principalג€: ג€cloudfront.amazonaws.comג€ condition in the S3 bucket policy. Modify the S3 bucket permissions so that only the origin access identity can access the bucket contents. Implement security groups so that the S3 bucket can be accessed only by using the intended CloudFront distribution. Configure the S3 bucket policy so that it is accessible only through VPC endpoints, and place the CloudFront distribution into the specified VPC.

A Security Engineer has created an Amazon CloudWatch event that invokes an AWS Lambda function daily. The Lambda function runs an Amazon Athena query that checks AWS CloudTrail logs in Amazon S3 to detect whether any IAM user accounts or credentials have been created in the past 30 days. The results of the Athena query are created in the same S3 bucket. The Engineer runs a test execution of the Lambda function via the AWS Console, and the function runs successfully. After several minutes, the Engineer finds that his Athena query has failed with the error message: ג€Insufficient Permissionsג€. The IAM permissions of the Security Engineer and the Lambda function are shown below: What is causing the error?. The Lambda function does not have permissions to start the Athena query execution. The Security Engineer does not have permissions to start the Athena query execution. The Athena service does not support invocation through Lambda. The Lambda function does not have permissions to access the CloudTrail S3 bucket.

A company requires that IP packet data be inspected for invalid or malicious content. Which of the following approaches achieve this requirement? (Choose two.). Configure a proxy solution on Amazon EC2 and route all outbound VPC traffic through it. Perform inspection within proxy software on the EC2 instance. Configure the host-based agent on each EC2 instance within the VPC. Perform inspection within the host-based agent. Enable VPC Flow Logs for all subnets in the VPC. Perform inspection from the Flow Log data within Amazon CloudWatch Logs. Configure Elastic Load Balancing (ELB) access logs. Perform inspection from the log data within the ELB access log files. Configure the CloudWatch Logs agent on each EC2 instance within the VPC. Perform inspection from the log data within CloudWatch Logs.

An organization has a system in AWS that allows a large number of remote workers to submit data files. File sizes vary from a few kilobytes to several megabytes. A recent audit highlighted a concern that data files are not encrypted while in transit over untrusted networks. Which solution would remediate the audit finding while minimizing the effort required?. Upload an SSL certificate to IAM, and configure Amazon CloudFront with the passphrase for the private key. Call KMS.Encrypt() in the client, passing in the data file contents, and call KMS.Decrypt() server-side. Use AWS Certificate Manager to provision a certificate on an Elastic Load Balancing in front of the web service's servers. Create a new VPC with an Amazon VPC VPN endpoint, and update the web service's DNS record.

Which option for the use of the AWS Key Management Service (KMS) supports key management best practices that focus on minimizing the potential scope of data exposed by a possible future key compromise?. Use KMS automatic key rotation to replace the master key, and use this new master key for future encryption operations without re-encrypting previously encrypted data. Generate a new Customer Master Key (CMK), re-encrypt all existing data with the new CMK, and use it for all future encryption operations. Change the CMK alias every 90 days, and update key-calling applications with the new key alias. Change the CMK permissions to ensure that individuals who can provision keys are not the same individuals who can use the keys.

A Security Engineer must enforce the use of only Amazon EC2, Amazon S3, Amazon RDS, Amazon DynamoDB, and AWS STS in specific accounts. What is a scalable and efficient approach to meet this requirement?. Set up an AWS Organizations hierarchy, and replace the FullAWSAccess policy with the following Service Control Policy for the governed organization units:. Create multiple IAM users for the regulated accounts, and attach the following policy statement to restrict services as required:. Set up an Organizations hierarchy, replace the global FullAWSAccess with the following Service Control Policy at the top level:. Set up all users in the Active Directory for federated access to all accounts in the company. Associate Active Directory groups with IAM groups, and attach the.

A company's database developer has just migrated an Amazon RDS database credential to be stored and managed by AWS Secrets Manager. The developer has also enabled rotation of the credential within the Secrets Manager console and set the rotation to change every 30 days. After a short period of time, a number of existing applications have failed with authentication errors. What is the MOST likely cause of the authentication errors?. Migrating the credential to RDS requires that all access come through requests to the Secrets Manager. Enabling rotation in Secrets Manager causes the secret to rotate immediately, and the applications are using the earlier credential. The Secrets Manager IAM policy does not allow access to the RDS database. The Secrets Manager IAM policy does not allow access for the applications.

A Security Engineer launches two Amazon EC2 instances in the same Amazon VPC but in separate Availability Zones. Each instance has a public IP address and is able to connect to external hosts on the internet. The two instances are able to communicate with each other by using their private IP addresses, but they are not able to communicate with each other when using their public IP addresses. Which action should the Security Engineer take to allow communication over the public IP addresses?. Associate the instances to the same security groups. Add 0.0.0.0/0 to the egress rules of the instance security groups. Add the instance IDs to the ingress rules of the instance security groups. Add the public IP addresses to the ingress rules of the instance security groups.

The Security Engineer is managing a web application that processes highly sensitive personal information. The application runs on Amazon EC2. The application has strict compliance requirements, which instruct that all incoming traffic to the application is protected from common web exploits and that all outgoing traffic from the EC2 instances is restricted to specific whitelisted URLs. Which architecture should the Security Engineer use to meet these requirements?. Use AWS Shield to scan inbound traffic for web exploits. Use VPC Flow Logs and AWS Lambda to restrict egress traffic to specific whitelisted URLs. Use AWS Shield to scan inbound traffic for web exploits. Use a third-party AWS Marketplace solution to restrict egress traffic to specific whitelisted URLs. Use AWS WAF to scan inbound traffic for web exploits. Use VPC Flow Logs and AWS Lambda to restrict egress traffic to specific whitelisted URLs. Use AWS WAF to scan inbound traffic for web exploits. Use a third-party AWS Marketplace solution to restrict egress traffic to specific whitelisted URLs.

A company recently experienced a DDoS attack that prevented its web server from serving content. The website is static and hosts only HTML, CSS, and PDF files that users download. Based on the architecture shown in the image, what is the BEST way to protect the site against future attacks while minimizing the ongoing operational overhead?. Move all the files to an Amazon S3 bucket. Have the web server serve the files from the S3 bucket. Launch a second Amazon EC2 instance in a new subnet. Launch an Application Load Balancer in front of both instances. Launch an Application Load Balancer in front of the EC2 instance. Create an Amazon CloudFront distribution in front of the Application Load Balancer. Move all the files to an S3 bucket. Create a CloudFront distribution in front of the bucket and terminate the web server.

The Information Technology department has stopped using Classic Load Balancers and switched to Application Load Balancers to save costs. After the switch, some users on older devices are no longer able to connect to the website. What is causing this situation?. Application Load Balancers do not support older web browsers. The Perfect Forward Secrecy settings are not configured correctly. The intermediate certificate is installed within the Application Load Balancer. The cipher suites on the Application Load Balancers are blocking connections.

A security team is responsible for reviewing AWS API call activity in the cloud environment for security violations. These events must be recorded and retained in a centralized location for both current and future AWS regions. What is the SIMPLEST way to meet these requirements?. Enable AWS Trusted Advisor security checks in the AWS Console, and report all security incidents for all regions. Enable AWS CloudTrail by creating individual trails for each region, and specify a single Amazon S3 bucket to receive log files for later analysis. Enable AWS CloudTrail by creating a new trail and applying the trail to all regions. Specify a single Amazon S3 bucket as the storage location. Enable Amazon CloudWatch logging for all AWS services across all regions, and aggregate them to a single Amazon S3 bucket for later analysis.

A Security Administrator is performing a log analysis as a result of a suspected AWS account compromise. The Administrator wants to analyze suspicious AWS CloudTrail log files but is overwhelmed by the volume of audit logs being generated. What approach enables the Administrator to search through the logs MOST efficiently?. Implement a ג€write-onlyג€ CloudTrail event filter to detect any modifications to the AWS account resources. Configure Amazon Macie to classify and discover sensitive data in the Amazon S3 bucket that contains the CloudTrail audit logs. Configure Amazon Athena to read from the CloudTrail S3 bucket and query the logs to examine account activities. Enable Amazon S3 event notifications to trigger an AWS Lambda function that sends an email alarm when there are new CloudTrail API entries.

During a recent security audit, it was discovered that multiple teams in a large organization have placed restricted data in multiple Amazon S3 buckets, and the data may have been exposed. The auditor has requested that the organization identify all possible objects that contain personally identifiable information (PII) and then determine whether this information has been accessed. What solution will allow the Security team to complete this request?. Using Amazon Athena, query the impacted S3 buckets by using the PII query identifier function. Then, create a new Amazon CloudWatch metric for Amazon S3 object access to alert when the objects are accessed. Enable Amazon Macie on the S3 buckets that were impacted, then perform data classification. For identified objects that contain PII, use the research function for auditing AWS CloudTrail logs and S3 bucket logs for GET operations. Enable Amazon GuardDuty and enable the PII rule set on the S3 buckets that were impacted, then perform data classification. Using the PII findings report from GuardDuty, query the S3 bucket logs by using Athena for GET operations. Enable Amazon Inspector on the S3 buckets that were impacted, then perform data classification. For identified objects that contain PII, query the S3 bucket logs by using Athena for GET operations.

During a recent internal investigation, it was discovered that all API logging was disabled in a production account, and the root user had created new API keys that appear to have been used several times. What could have been done to detect and automatically remediate the incident?. Using Amazon Inspector, review all of the API calls and configure the inspector agent to leverage SNS topics to notify security of the change to AWS CloudTrail, and revoke the new API keys for the root user. Using AWS Config, create a config rule that detects when AWS CloudTrail is disabled, as well as any calls to the root user create-api-key. Then use a Lambda function to re-enable CloudTrail logs and deactivate the root API keys. Using Amazon CloudWatch, create a CloudWatch event that detects AWS CloudTrail deactivation and a separate Amazon Trusted Advisor check to automatically detect the creation of root API keys. Then use a Lambda function to enable AWS CloudTrail and deactivate the root API keys. Using Amazon CloudTrail, create a new CloudTrail event that detects the deactivation of CloudTrail logs, and a separate CloudTrail event that detects the creation of root API keys. Then use a Lambda function to enable CloudTrail and deactivate the root API keys.

An application has a requirement to be resilient across not only Availability Zones within the application's primary region but also be available within another region altogether. Which of the following supports this requirement for AWS resources that are encrypted by AWS KMS?. Copy the application's AWS KMS CMK from the source region to the target region so that it can be used to decrypt the resource after it is copied to the target region. Configure AWS KMS to automatically synchronize the CMK between regions so that it can be used to decrypt the resource in the target region. Use AWS services that replicate data across regions, and re-wrap the data encryption key created in the source region by using the CMK in the target region so that the target region's CMK can decrypt the database encryption key. Configure the target region's AWS service to communicate with the source region's AWS KMS so that it can decrypt the resource in the target region.

An organization policy states that all encryption keys must be automatically rotated every 12 months. Which AWS Key Management Service (KMS) key type should be used to meet this requirement?. AWS managed Customer Master Key (CMK). Customer managed CMK with AWS generated key material. Customer managed CMK with imported key material. AWS managed data key.

A Security Engineer received an AWS Abuse Notice listing EC2 instance IDs that are reportedly abusing other hosts. Which action should the Engineer take based on this situation? (Choose three.). Use AWS Artifact to capture an exact image of the state of each instance. Create EBS Snapshots of each of the volumes attached to the compromised instances. Capture a memory dump. Log in to each instance with administrative credentials to restart the instance. Revoke all network ingress and egress except for to/from a forensics workstation. Run Auto Recovery for Amazon EC2.

A Security Administrator is configuring an Amazon S3 bucket and must meet the following security requirements: ✑ Encryption in transit ✑ Encryption at rest ✑ Logging of all object retrievals in AWS CloudTrail Which of the following meet these security requirements? (Choose three.). Specify ג€aws:SecureTransportג€: ג€trueג€ within a condition in the S3 bucket policy. Enable a security group for the S3 bucket that allows port 443, but not port 80. Set up default encryption for the S3 bucket. Enable Amazon CloudWatch Logs for the AWS account. Enable API logging of data events for all S3 objects. Enable S3 object versioning for the S3 bucket.

What is the function of the following AWS Key Management Service (KMS) key policy attached to a customer master key (CMK)?. The Amazon WorkMail and Amazon SES services have delegated KMS encrypt and decrypt permissions to the ExampleUser principal in the 111122223333 account. The ExampleUser principal can transparently encrypt and decrypt email exchanges specifically between ExampleUser and AWS. The CMK is to be used for encrypting and decrypting only when the principal is ExampleUser and the request comes from WorkMail or SES in the specified region. The key policy allows WorkMail or SES to encrypt or decrypt on behalf of the user for any CMK in the account.

A Security Engineer who was reviewing AWS Key Management Service (AWS KMS) key policies found this statement in each key policy in the company AWS account. What does the statement allow?. All principals from all AWS accounts to use the key. Only the root user from account 111122223333 to use the key. All principals from account 111122223333 to use the key but only on Amazon S3. Only principals from account 111122223333 that have an IAM policy applied that grants access to this key to use the key.

A Software Engineer wrote a customized reporting service that will run on a fleet of Amazon EC2 instances. The company security policy states that application logs for the reporting service must be centrally collected. What is the MOST efficient way to meet these requirements?. Write an AWS Lambda function that logs into the EC2 instance to pull the application logs from the EC2 instance and persists them into an Amazon S3 bucket. Enable AWS CloudTrail logging for the AWS account, create a new Amazon S3 bucket, and then configure Amazon CloudWatch Logs to receive the application logs from CloudTrail. Create a simple cron job on the EC2 instances that synchronizes the application logs to an Amazon S3 bucket by using rsync. Install the Amazon CloudWatch Logs Agent on the EC2 instances, and configure it to send the application logs to CloudWatch Logs.

A Security Engineer is trying to determine whether the encryption keys used in an AWS service are in compliance with certain regulatory standards. Which of the following actions should the Engineer perform to get further guidance?. Read the AWS Customer Agreement. Use AWS Artifact to access AWS compliance reports. Post the question on the AWS Discussion Forums. Run AWS Config and evaluate the configuration outputs.

The Development team receives an error message each time the team members attempt to encrypt or decrypt a Secure String parameter from the SSM Parameter Store by using an AWS KMS customer managed key (CMK). Which CMK-related issues could be responsible? (Choose two.). The CMK specified in the application does not exist. The CMK specified in the application is currently in use. The CMK specified in the application is using the CMK KeyID instead of CMK Amazon Resource Name. The CMK specified in the application is not enabled. The CMK specified in the application is using an alias.

An application has been written that publishes custom metrics to Amazon CloudWatch. Recently, IAM changes have been made on the account and the metrics are no longer being reported. Which of the following is the LEAST permissive solution that will allow the metrics to be delivered?. Add a statement to the IAM policy used by the application to allow logs:putLogEvents and logs:createLogStream. Modify the IAM role used by the application by adding the CloudWatchFullAccess managed policy. Add a statement to the IAM policy used by the application to allow cloudwatch:putMetricData. Add a trust relationship to the IAM role used by the application for cloudwatch.amazonaws.com.

A Developer's laptop was stolen. The laptop was not encrypted, and it contained the SSH key used to access multiple Amazon EC2 instances. A Security Engineer has verified that the key has not been used, and has blocked port 22 to all EC2 instances while developing a response plan. How can the Security Engineer further protect currently running instances?. Delete the key-pair key from the EC2 console, then create a new key pair. Use the modify-instance-attribute API to change the key on any EC2 instance that is using the key. Use the EC2 RunCommand to modify the authorized_keys file on any EC2 instance that is using the key. Update the key pair in any AMI used to launch the EC2 instances, then restart the EC2 instances.

An organization has tens of applications deployed on thousands of Amazon EC2 instances. During testing, the Application team needs information to let them know whether the network access control lists (network ACLs) and security groups are working as expected. How can the Application team's requirements be met?. Turn on VPC Flow Logs, send the logs to Amazon S3, and use Amazon Athena to query the logs. Install an Amazon Inspector agent on each EC2 instance, send the logs to Amazon S3, and use Amazon EMR to query the logs. Create an AWS Config rule for each network ACL and security group configuration, send the logs to Amazon S3, and use Amazon Athena to query the logs. Turn on AWS CloudTrail, send the trails to Amazon S3, and use AWS Lambda to query the trails.

An application outputs logs to a text file. The logs must be continuously monitored for security incidents. Which design will meet the requirements with MINIMUM effort?. Create a scheduled process to copy the component's logs into Amazon S3. Use S3 events to trigger a Lambda function that updates Amazon CloudWatch metrics with the log data. Set up CloudWatch alerts based on the metrics. Install and configure the Amazon CloudWatch Logs agent on the application's EC2 instance. Create a CloudWatch metric filter to monitor the application logs. Set up CloudWatch alerts based on the metrics. Create a scheduled process to copy the application log files to AWS CloudTrail. Use S3 events to trigger Lambda functions that update CloudWatch metrics with the log data. Set up CloudWatch alerts based on the metrics. Create a file watcher that copies data to Amazon Kinesis when the application writes to the log file. Have Kinesis trigger a Lambda function to update Amazon CloudWatch metrics with the log data. Set up CloudWatch alerts based on the metrics.

The Security Engineer for a mobile game has to implement a method to authenticate users so that they can save their progress. Because most of the users are part of the same OpenID-Connect compatible social media website, the Security Engineer would like to use that as the identity provider. Which solution is the SIMPLEST way to allow the authentication of users using their social media identities?. Amazon Cognito. AssumeRoleWithWebIdentity API. Amazon Cloud Directory. Active Directory (AD) Connector.

A Software Engineer is trying to figure out why network connectivity to an Amazon EC2 instance does not appear to be working correctly. Its security group allows inbound HTTP traffic from 0.0.0.0/0, and the outbound rules have not been modified from the default. A custom network ACL associated with its subnet allows inbound HTTP traffic from 0.0.0.0/0 and has no outbound rules. What would resolve the connectivity issue?. The outbound rules on the security group do not allow the response to be sent to the client on the ephemeral port range. The outbound rules on the security group do not allow the response to be sent to the client on the HTTP port. An outbound rule must be added to the network ACL to allow the response to be sent to the client on the ephemeral port range. An outbound rule must be added to the network ACL to allow the response to be sent to the client on the HTTP port.

A Security Engineer has been asked to create an automated process to disable IAM user access keys that are more than three months old. Which of the following options should the Security Engineer use?. In the AWS Console, choose the IAM service and select ג€Usersג€. Review the ג€Access Key Ageג€ column. Define an IAM policy that denies access if the key age is more than three months and apply to all users. Write a script that uses the GenerateCredentialReport, GetCredentialReport, and UpdateAccessKey APIs. Create an Amazon CloudWatch alarm to detect aged access keys and use an AWS Lambda function to disable the keys older than 90 days.

The InfoSec team has mandated that in the future only approved Amazon Machine Images (AMIs) can be used. How can the InfoSec team ensure compliance with this mandate?. Terminate all Amazon EC2 instances and relaunch them with approved AMIs. Patch all running instances by using AWS Systems Manager. Deploy AWS Config rules and check all running instances for compliance. Define a metric filter in Amazon CloudWatch Logs to verify compliance.

A pharmaceutical company has digitized versions of historical prescriptions stored on premises. The company would like to move these prescriptions to AWS and perform analytics on the data in them. Any operation with this data requires that the data be encrypted in transit and at rest. Which application flow would meet the data protection requirements on AWS?. Digitized files -> Amazon Kinesis Data Analytics. Digitized files -> Amazon Kinesis Data Firehose -> Amazon S3 -> Amazon Athena. Digitized files -> Amazon Kinesis Data Streams -> Kinesis Client Library consumer -> Amazon S3 -> Athena. Digitized files -> Amazon Kinesis Data Firehose -> Amazon Elasticsearch.

The Security Engineer created a new AWS Key Management Service (AWS KMS) key with the following key policy: What are the effects of the key policy? (Choose two.). The policy allows access for the AWS account 111122223333 to manage key access though IAM policies. The policy allows all IAM users in account 111122223333 to have full access to the KMS key. The policy allows the root user in account 111122223333 to have full access to the KMS key. The policy allows the KMS service-linked role in account 111122223333 to have full access to the KMS key. The policy allows all IAM roles in account 111122223333 to have full access to the KMS key.

A company uses AWS Organization to manage 50 AWS accounts. The finance staff members log in as AWS IAM users in the FinanceDept AWS account. The staff members need to read the consolidated billing information in the MasterPayer AWS account. They should not be able to view any other resources in the MasterPayer AWS account. IAM access to billing has been enabled in the MasterPayer account. Which of the following approaches grants the finance staff the permissions they require without granting any unnecessary permissions?. Create an IAM group for the finance users in the FinanceDept account, then attach the AWS managed ReadOnlyAccess IAM policy to the group. Create an IAM group for the finance users in the MasterPayer account, then attach the AWS managed ReadOnlyAccess IAM policy to the group. Create an AWS IAM role in the FinanceDept account with the ViewBilling permission, then grant the finance users in the MasterPayer account the permission to assume that role. Create an AWS IAM role in the MasterPayer account with the ViewBilling permission, then grant the finance users in the FinanceDept account the permission to assume that role.

A Solutions Architect is designing a web application that uses Amazon CloudFront, an Elastic Load Balancing Application Load Balancer, and an Auto Scaling group of Amazon EC2 instances. The load balancer and EC2 instances are in the US West (Oregon) region. It has been decided that encryption in transit is necessary by using a customer-branded domain name from the client to CloudFront and from CloudFront to the load balancer. Assuming that AWS Certificate Manager is used, how many certificates will need to be generated?. One in the US West (Oregon) region and one in the US East (Virginia) region. Two in the US West (Oregon) region and none in the US East (Virginia) region. One in the US West (Oregon) region and none in the US East (Virginia) region. Two in the US East (Virginia) region and none in the US West (Oregon) region.

A Security Engineer has been asked to troubleshoot inbound connectivity to a web server. This single web server is not receiving inbound connections from the internet, whereas all other web servers are functioning properly. The architecture includes network ACLs, security groups, and a virtual security appliance. In addition, the Development team has implemented Application Load Balancers (ALBs) to distribute the load across all web servers. It is a requirement that traffic between the web servers and the internet flow through the virtual security appliance. The Security Engineer has verified the following: 1. The rule set in the Security Groups is correct 2. The rule set in the network ACLs is correct 3. The rule set in the virtual appliance is correct Which of the following are other valid items to troubleshoot in this scenario? (Choose two.). Verify that the 0.0.0.0/0 route in the route table for the web server subnet points to a NAT gateway. Verify which Security Group is applied to the particular web server's elastic network interface (ENI). Verify that the 0.0.0.0/0 route in the route table for the web server subnet points to the virtual security appliance. Verify that the 0.0.0.0/0 route in the route table for the web server subnet points to the virtual security appliance. Verify that the 0.0.0.0/0 route in the public subnet points to a NAT gateway.

Which approach will generate automated security alerts should too many unauthorized AWS API requests be identified?. Create an Amazon CloudWatch metric filter that looks for API call error codes and then implement an alarm based on that metric's rate. Configure AWS CloudTrail to stream event data to Amazon Kinesis. Configure an AWS Lambda function on the stream to alarm when the threshold has been exceeded. Run an Amazon Athena SQL query against CloudTrail log files. Use Amazon QuickSight to create an operational dashboard. Use the Amazon Personal Health Dashboard to monitor the account's use of AWS services, and raise an alert if service error rates increase.

A company has multiple production AWS accounts. Each account has AWS CloudTrail configured to log to a single Amazon S3 bucket in a central account. Two of the production accounts have trails that are not logging anything to the S3 bucket. Which steps should be taken to troubleshoot the issue? (Choose three.). Verify that the log file prefix is set to the name of the S3 bucket where the logs should go. Verify that the S3 bucket policy allows access for CloudTrail from the production AWS account IDs. Create a new CloudTrail configuration in the account, and configure it to log to the account's S3 bucket. Confirm in the CloudTrail Console that each trail is active and healthy. Open the global CloudTrail configuration in the master account, and verify that the storage location is set to the correct S3 bucket. Confirm in the CloudTrail Console that the S3 bucket name is set correctly.

Amazon CloudWatch Logs agent is successfully delivering logs to the CloudWatch Logs service. However, logs stop being delivered after the associated log stream has been active for a specific number of hours. What steps are necessary to identify the cause of this phenomenon? (Choose two.). Ensure that file permissions for monitored files that allow the CloudWatch Logs agent to read the file have not been modified. Verify that the OS Log rotation rules are compatible with the configuration requirements for agent streaming. Configure an Amazon Kinesis producer to first put the logs into Amazon Kinesis Streams. Create a CloudWatch Logs metric to isolate a value that changes at least once during the period before logging stops. Use AWS CloudFormation to dynamically create and maintain the configuration file for the CloudWatch Logs agent.

A company has deployed a custom DNS server in AWS. The Security Engineer wants to ensure that Amazon EC2 instances cannot use the Amazon-provided DNS. How can the Security Engineer block access to the Amazon-provided DNS in the VPC?. Deny access to the Amazon DNS IP within all security groups. Add a rule to all network access control lists that deny access to the Amazon DNS IP. Add a route to all route tables that black holes traffic to the Amazon DNS IP. Disable DNS resolution within the VPC configuration.

An employee accidentally exposed an AWS access key and secret access key during a public presentation. The company Security Engineer immediately disabled the key. How can the Engineer assess the impact of the key exposure and ensure that the credentials were not misused? (Choose two.). Analyze AWS CloudTrail for activity. Analyze Amazon CloudWatch Logs for activity. Download and analyze the IAM Use report from AWS Trusted Advisor. Analyze the resource inventory in AWS Config for IAM user activity. Download and analyze a credential report from IAM.

Which of the following minimizes the potential attack surface for applications?. Use security groups to provide stateful firewalls for Amazon EC2 instances at the hypervisor level. Use network ACLs to provide stateful firewalls at the VPC level to prevent access to any specific AWS resource. Use AWS Direct Connect for secure trusted connections between EC2 instances within private subnets. Design network security in a single layer within the perimeter network (also known as DMZ, demilitarized zone, and screened subnet) to facilitate quicker responses to threats.

A distributed web application is installed across several EC2 instances in public subnets residing in two Availability Zones. Apache logs show several intermittent brute-force attacks from hundreds of IP addresses at the layer 7 level over the past six months. What would be the BEST way to reduce the potential impact of these attacks in the future?. Use custom route tables to prevent malicious traffic from routing to the instances. Update security groups to deny traffic from the originating source IP addresses. Use network ACLs. Install intrusion prevention software (IPS) on each instance.

A company plans to move most of its IT infrastructure to AWS. They want to leverage their existing on-premises Active Directory as an identity provider for AWS. Which combination of steps should a Security Engineer take to federate the company's on-premises Active Directory with AWS? (Choose two.). Create IAM roles with permissions corresponding to each Active Directory group. Create IAM groups with permissions corresponding to each Active Directory group. Configure Amazon Cloud Directory to support a SAML provider. Configure Active Directory to add relying party trust between Active Directory and AWS. Configure Amazon Cognito to add relying party trust between Active Directory and AWS.

A security alert has been raised for an Amazon EC2 instance in a customer account that is exhibiting strange behavior. The Security Engineer must first isolate the EC2 instance and then use tools for further investigation. What should the Security Engineer use to isolate and research this event? (Choose three.). AWS CloudTrail. Amazon Athena. AWS Key Management Service (AWS KMS). VPC Flow Logs. AWS Firewall Manager. Security groups.

A financial institution has the following security requirements: ✑ Cloud-based users must be contained in a separate authentication domain. ✑ Cloud-based users cannot access on-premises systems. As part of standing up a cloud environment, the financial institution is creating a number of Amazon managed databases and Amazon EC2 instances. An Active Directory service exists on-premises that has all the administrator accounts, and these must be able to access the databases and instances. How would the organization manage its resources in the MOST secure manner? (Choose two.). Configure an AWS Managed Microsoft AD to manage the cloud resources. Configure an additional on-premises Active Directory service to manage the cloud resources. Establish a one-way trust relationship from the existing Active Directory to the new Active Directory service. Establish a one-way trust relationship from the new Active Directory to the existing Active Directory service. Establish a two-way trust between the new and existing Active Directory services.

An organization wants to be alerted when an unauthorized Amazon EC2 instance in its VPC performs a network port scan against other instances in the VPC. When the Security team performs its own internal tests in a separate account by using pre-approved third-party scanners from the AWS Marketplace, the Security team also then receives multiple Amazon GuardDuty events from Amazon CloudWatch alerting on its test activities. How can the Security team suppress alerts about authorized security tests while still receiving alerts about the unauthorized activity?. Use a filter in AWS CloudTrail to exclude the IP addresses of the Security team's EC2 instances. Add the Elastic IP addresses of the Security team's EC2 instances to a trusted IP list in Amazon GuardDuty. Install the Amazon Inspector agent on the EC2 instances that the Security team uses. Grant the Security team's EC2 instances a role with permissions to call Amazon GuardDuty API operations.

An organization is moving non-business-critical applications to AWS while maintaining a mission-critical application in an on-premises data center. An on-premises application must share limited confidential information with the applications in AWS. The internet performance is unpredictable. Which configuration will ensure continued connectivity between sites MOST securely?. VPN and a cached storage gateway. AWS Snowball Edge. VPN Gateway over AWS Direct Connect. AWS Direct Connect.

An application has been built with Amazon EC2 instances that retrieve messages from Amazon SQS. Recently, IAM changes were made and the instances can no longer retrieve messages. What actions should be taken to troubleshoot the issue while maintaining least privilege? (Choose two.). Configure and assign an MFA device to the role used by the instances. Verify that the SQS resource policy does not explicitly deny access to the role used by the instances. Verify that the access key attached to the role used by the instances is active. Attach the AmazonSQSFullAccess managed policy to the role used by the instances. Verify that the role attached to the instances contains policies that allow access to the queue.

A company has a forensic logging use case whereby several hundred applications running on Docker on EC2 need to send logs to a central location. The Security Engineer must create a logging solution that is able to perform real-time analytics on the log files, grants the ability to replay events, and persists data. Which AWS Services, together, can satisfy this use case? (Choose two.). Amazon Elasticsearch. Amazon Kinesis. Amazon SQS. Amazon CloudWatch. Amazon Athena.

Which of the following is the most efficient way to automate the encryption of AWS CloudTrail logs using a Customer Master Key (CMK) in AWS KMS?. Use the KMS direct encrypt function on the log data every time a CloudTrail log is generated. Use the default Amazon S3 server-side encryption with S3-managed keys to encrypt and decrypt the CloudTrail logs. Configure CloudTrail to use server-side encryption using KMS-managed keys to encrypt and decrypt CloudTrail logs. Use encrypted API endpoints so that all AWS API calls generate encrypted CloudTrail log entries using the TLS certificate from the encrypted API call.

An organization is using AWS CloudTrail, Amazon CloudWatch Logs, and Amazon CloudWatch to send alerts when new access keys are created. However, the alerts are no longer appearing in the Security Operations mail box. Which of the following actions would resolve this issue?. In CloudTrail, verify that the trail logging bucket has a log prefix configured. . In Amazon SNS, determine whether the ג€Account spend limitג€ has been reached for this alert. In SNS, ensure that the subscription used by these alerts has not been deleted. In CloudWatch, verify that the alarm threshold ג€consecutive periodsג€ value is equal to, or greater than 1.

A Security Engineer must add additional protection to a legacy web application by adding the following HTTP security headers: -Content Security-Policy -X-Frame-Options -X-XSS-Protection The Engineer does not have access to the source code of the legacy web application. Which of the following approaches would meet this requirement?. Configure an Amazon Route 53 routing policy to send all web traffic that does not include the required headers to a black hole. Implement an AWS Lambda@Edge origin response function that inserts the required headers. Migrate the legacy application to an Amazon S3 static website and front it with an Amazon CloudFront distribution. Construct an AWS WAF rule to replace existing HTTP headers with the required security headers by using regular expressions.

During a security event, it is discovered that some Amazon EC2 instances have not been sending Amazon CloudWatch logs. Which steps can the Security Engineer take to troubleshoot this issue? (Choose two.). Connect to the EC2 instances that are not sending the appropriate logs and verify that the CloudWatch Logs agent is running. Log in to the AWS account and select CloudWatch Logs. Check for any monitored EC2 instances that are in the ג€Alertingג€ state and restart them using the EC2 console. Verify that the EC2 instances have a route to the public AWS API endpoints. Connect to the EC2 instances that are not sending logs. Use the command prompt to verify that the right permissions have been set for the Amazon SNS topic. Verify that the network access control lists and security groups of the EC2 instances have the access to send logs over SNMP.

A Security Engineer discovers that developers have been adding rules to security groups that allow SSH and RDP traffic from 0.0.0.0/0 instead of the organization firewall IP. What is the most efficient way to remediate the risk of this activity?. Delete the internet gateway associated with the VPC. Use network access control lists to block source IP addresses matching 0.0.0.0/0. Use a host-based firewall to prevent access from all but the organization's firewall IP. Use AWS Config rules to detect 0.0.0.0/0 and invoke an AWS Lambda function to update the security group with the organization's firewall IP.

In response to the past DDoS attack experiences, a Security Engineer has set up an Amazon CloudFront distribution for an Amazon S3 bucket. There is concern that some users may bypass the CloudFront distribution and access the S3 bucket directly. What must be done to prevent users from accessing the S3 objects directly by using URLs?. Change the S3 bucket/object permission so that only the bucket owner has access. Set up a CloudFront origin access identity (OAI), and change the S3 bucket/object permission so that only the OAI has access. Create IAM roles for CloudFront, and change the S3 bucket/object permission so that only the IAM role has access. Redirect S3 bucket access to the corresponding CloudFront distribution.

A company plans to move most of its IT infrastructure to AWS. The company wants to leverage its existing on-premises Active Directory as an identity provider for AWS. Which steps should be taken to authenticate to AWS services using the company's on-premises Active Directory? (Choose three.). Create IAM roles with permissions corresponding to each Active Directory group. Create IAM groups with permissions corresponding to each Active Directory group. Create a SAML provider with IAM. Create a SAML provider with Amazon Cloud Directory. Configure AWS as a trusted relying party for the Active Directory. Configure IAM as a trusted relying party for Amazon Cloud Directory.

A Security Analyst attempted to troubleshoot the monitoring of suspicious security group changes. The Analyst was told that there is an Amazon CloudWatch alarm in place for these AWS CloudTrail log events. The Analyst tested the monitoring setup by making a configuration change to the security group but did not receive any alerts. Which of the following troubleshooting steps should the Analyst perform?. Ensure that CloudTrail and S3 bucket access logging is enabled for the Analyst's AWS account. B. Verify that a metric filter was created and then mapped to an alarm. Check the alarm notification action. Check the CloudWatch dashboards to ensure that there is a metric configured with an appropriate dimension for security group changes. Verify that the Analyst's account is mapped to an IAM policy that includes permissions for cloudwatch: GetMetricStatistics and Cloudwatch: ListMetrics.

Example.com hosts its internal document repository on Amazon EC2 instances. The application runs on EC2 instances and previously stored the documents on encrypted Amazon EBS volumes. To optimize the application for scale, example.com has moved the files to Amazon S3. The security team has mandated that all the files are securely deleted from the EBS volume, and it must certify that the data is unreadable before releasing the underlying disks. Which of the following methods will ensure that the data is unreadable by anyone else?. Change the volume encryption on the EBS volume to use a different encryption mechanism. Then, release the EBS volumes back to AWS. Release the volumes back to AWS. AWS immediately wipes the disk after it is deprovisioned. Delete the encryption key used to encrypt the EBS volume. Then, release the EBS volumes back to AWS. Delete the data by using the operating system delete commands. Run Quick Format on the drive and then release the EBS volumes back to AWS.

A Systems Administrator has written the following Amazon S3 bucket policy designed to allow access to an S3 bucket for only an authorized AWS IAM user from the IP address range 10.10.10.0/24: When trying to download an object from the S3 bucket from 10.10.10.40, the IAM user receives an access denied message. What does the Administrator need to change to grant access to the user?. Change the ג€Resourceג€ from ג€arn: aws:s3:::Bucketג€ to ג€arn:aws:s3:::Bucket/*ג€. Change the ג€Principalג€ from ג€*ג€ to {AWS:ג€arn:aws:iam: : account-number: user/usernameג€}. Change the ג€Versionג€ from ג€2012-10-17ג€ to the last revised date of the policy. Change the ג€Actionג€ from [ג€s3:*ג€] to [ג€s3:GetObjectג€, ג€s3:ListBucketג€].

The Security Engineer has discovered that a new application that deals with highly sensitive data is storing Amazon S3 objects with the following key pattern, which itself contains highly sensitive data. Pattern: "randomID_datestamp_PII.csv" Example: "1234567_12302017_000-00-0000 csv" The bucket where these objects are being stored is using server-side encryption (SSE). Which solution is the most secure and cost-effective option to protect the sensitive data?. Remove the sensitive data from the object name, and store the sensitive data using S3 user-defined metadata. Add an S3 bucket policy that denies the action s3:GetObject. Use a random and unique S3 object key, and create an S3 metadata index in Amazon DynamoDB using client-side encrypted attributes. Store all sensitive objects in Binary Large Objects (BLOBS) in an encrypted Amazon RDS instance.

AWS CloudTrail is being used to monitor API calls in an organization. An audit revealed that CloudTrail is failing to deliver events to Amazon S3 as expected. What initial actions should be taken to allow delivery of CloudTrail events to S3? (Choose two.). Verify that the S3 bucket policy allow CloudTrail to write objects. Verify that the IAM role used by CloudTrail has access to write to Amazon CloudWatch Logs. Remove any lifecycle policies on the S3 bucket that are archiving objects to Amazon Glacier. Verify that the S3 bucket defined in CloudTrail exists. Verify that the log file prefix defined in CloudTrail exists in the S3 bucket.

Due to new compliance requirements, a Security Engineer must enable encryption with customer-provided keys on corporate data that is stored in DynamoDB. The company wants to retain full control of the encryption keys. Which DynamoDB feature should the Engineer use to achieve compliance'?. Use AWS Certificate Manager to request a certificate. Use that certificate to encrypt data prior to uploading it to DynamoDB. Enable S3 server-side encryption with the customer-provided keys. Upload the data to Amazon S3, and then use S3Copy to move all data to DynamoDB. Create a KMS master key. Generate per-record data keys and use them to encrypt data prior to uploading it to DynamoDS. Dispose of the cleartext and encrypted data keys after encryption without storing. Use the DynamoDB Java encryption client to encrypt data prior to uploading it to DynamoDB.

A Security Engineer must design a system that can detect whether a file on an Amazon EC2 host has been modified. The system must then alert the Security Engineer of the modification. What is the MOST efficient way to meet these requirements?. Install antivirus software and ensure that signatures are up-to-date. Configure Amazon CloudWatch alarms to send alerts for security events. Install host-based IDS software to check for file integrity. Export the logs to Amazon CloudWatch Logs for monitoring and alerting. Export system log files to Amazon S3. Parse the log files using an AWS Lambda function that will send alerts of any unauthorized system login attempts through Amazon SNS. Use Amazon CloudWatch Logs to detect file system changes. If a change is detected, automatically terminate and recreate the instance from the most recent AMI. Use Amazon SNS to send notification of the event.

A company has multiple VPCs in their account that are peered, as shown in the diagram. A Security Engineer wants to perform penetration tests of the Amazon EC2 instances in all three VPCs. How can this be accomplished? (Choose two.). Deploy a pre-authorized scanning engine from the AWS Marketplace into VPC B, and use it to scan instances in all three VPCs. Do not complete the penetration test request form. Deploy a pre-authorized scanning engine from the Marketplace into each VPC, and scan instances in each VPC from the scanning engine in that VPC. Do not complete the penetration test request form. Create a VPN connection from the data center to VPC A. Use an on-premises scanning engine to scan the instances in all three VPCs. Complete the penetration test request form for all three VPCs. Create a VPN connection from the data center to each of the three VPCs. Use an on-premises scanning engine to scan the instances in each VPC. Do not complete the penetration test request form. Create a VPN connection from the data center to each of the three VPCs. Use an on-premises scanning engine to scan the instances in each VPC. Complete the penetration test request form for all three VPCs.

The Security Engineer is managing a traditional three-tier web application that is running on Amazon EC2 instances. The application has become the target of increasing numbers of malicious attacks from the Internet. What steps should the Security Engineer take to check for known vulnerabilities and limit the attack surface? (Choose two.). Use AWS Certificate Manager to encrypt all traffic between the client and application servers. Review the application security groups to ensure that only the necessary ports are open. Use Elastic Load Balancing to offload Secure Sockets Layer encryption. Use Amazon Inspector to periodically scan the backend instances. Use AWS Key Management Services to encrypt all the traffic between the client and application servers.

For compliance reasons, an organization limits the use of resources to three specific AWS regions. It wants to be alerted when any resources are launched in unapproved regions. Which of the following approaches will provide alerts on any resources launched in an unapproved region?. Develop an alerting mechanism based on processing AWS CloudTrail logs. Monitor Amazon S3 Event Notifications for objects stored in buckets in unapproved regions. Analyze Amazon CloudWatch Logs for activities in unapproved regions. Use AWS Trusted Advisor to alert on all resources being created.

A company runs an application on AWS that needs to be accessed only by employees. Most employees work from the office, but others work remotely or travel. How can the Security Engineer protect this workload so that only employees can access it?. Add each employee's home IP address to the security group for the application so that only those users can access the workload. Create a virtual gateway for VPN connectivity for each employee, and restrict access to the workload from within the VPC. Use a VPN appliance from the AWS Marketplace for users to connect to, and restrict workload access to traffic from that appliance. Route all traffic to the workload through AWS WAF. Add each employee's home IP address into an AWS WAF rule, and block all other traffic.

A Systems Engineer is troubleshooting the connectivity of a test environment that includes a virtual security appliance deployed inline. In addition to using the virtual security appliance, the Development team wants to use security groups and network ACLs to accomplish various security requirements in the environment. What configuration is necessary to allow the virtual security appliance to route the traffic?. Disable network ACLs. Configure the security appliance's elastic network interface for promiscuous mode. Disable the Network Source/Destination check on the security appliance's elastic network interface. Place the security appliance in the public subnet with the internet gateway.

A Security Architect is evaluating managed solutions for storage of encryption keys. The requirements are: -Storage is accessible by using only VPCs. -Service has tamper-evident controls. -Access logging is enabled. -Storage has high availability. Which of the following services meets these requirements?. Amazon S3 with default encryption. AWS CloudHSM. Amazon DynamoDB with server-side encryption. AWS Systems Manager Parameter Store.

An AWS account includes two S3 buckets: bucket1 and bucket2. The bucket2 does not have a policy defined, but bucket1 has the following bucket policy: In addition, the same account has an IAM User named ג€aliceג€, with the following IAM policy. Which buckets can user ג€aliceג€ access?. Bucket1 only. Bucket2 only. Both bucket1 and bucket2. Neither bucket1 nor bucket2.

An organization has three applications running on AWS, each accessing the same data on Amazon S3. The data on Amazon S3 is server-side encrypted by using an AWS KMS Customer Master Key (CMK). What is the recommended method to ensure that each application has its own programmatic access control permissions on the KMS CMK?. Change the key policy permissions associated with the KMS CMK for each application when it must access the data in Amazon S3. Have each application assume an IAM role that provides permissions to use the AWS Certificate Manager CMK. Have each application use a grant on the KMS CMK to add or remove specific access controls on the KMS CMK. Have each application use an IAM policy in a user context to have specific access permissions on the KMS CMK.

The Security Engineer is given the following requirements for an application that is running on Amazon EC2 and managed by using AWS CloudFormation templates with EC2 Auto Scaling groups: -Have the EC2 instances bootstrapped to connect to a backend database. -Ensure that the database credentials are handled securely. -Ensure that retrievals of database credentials are logged. Which of the following is the MOST efficient way to meet these requirements?. Pass databases credentials to EC2 by using CloudFormation stack parameters with the property set to true. Ensure that the instance is configured to log to Amazon CloudWatch Logs. Store database passwords in AWS Systems Manager Parameter Store by using SecureString parameters. Set the IAM role for the EC2 instance profile to allow access to the parameters. Store database passwords in AWS Systems Manager Parameter Store by using SecureString parameters. Set the IAM role for the EC2 instance profile to allow access to the parameters. Write a script that is passed in as UserData so that it is executed upon launch of the EC2 instance. Ensure that the instance is configured to log to Amazon CloudWatch Logs.

A company has two AWS accounts, each containing one VPC. The first VPC has a VPN connection with its corporate network. The second VPC, without a VPN, hosts an Amazon Aurora database cluster in private subnets. Developers manage the Aurora database from a bastion host in a public subnet as shown in the image. A security review has flagged this architecture as vulnerable, and a Security Engineer has been asked to make this design more secure. The company has a short deadline and a second VPN connection to the Aurora account is not possible. How can the Security Engineer securely set up the bastion host?. Move the bastion host to the VPC with VPN connectivity. Create a VPC peering relationship between the bastion host VPC and Aurora VPC. Create an SSH port forwarding tunnel on the Developer's workstation to the bastion host to ensure that only authorized SSH clients can access the bastion host. Move the bastion host to the VPC with VPN connectivity. Create a cross-account trust relationship between the bastion VPC and Aurora VPC, and update the Aurora security group for the relationship. Create an AWS Direct Connect connection between the corporate network and the Aurora account, and adjust the Aurora security group for this connection.

An organization operates a web application that serves users globally. The application runs on Amazon EC2 instances behind an Application Load Balancer. There is an Amazon CloudFront distribution in front of the load balancer, and the organization uses AWS WAF. The application is currently experiencing a volumetric attack whereby the attacker is exploiting a bug in a popular mobile game. The application is being flooded with HTTP requests from all over the world with the User-Agent set to the following string: Mozilla/5.0 (compatible; ExampleCorp; ExampleGame/1.22; Mobile/1.0) What mitigation can be applied to block attacks resulting from this bug while continuing to service legitimate requests?. Create a rule in AWS WAF rules with conditions that block requests based on the presence of ExampleGame/1.22 in the User-Agent header. Create a geographic restriction on the CloudFront distribution to prevent access to the application from most geographic regions. Create a rate-based rule in AWS WAF to limit the total number of requests that the web application services. Create an IP-based blacklist in AWS WAF to block the IP addresses that are originating from requests that contain ExampleGame/1.22 in the User-Agent header.

Some highly sensitive analytics workloads are to be moved to Amazon EC2 hosts. Threat modeling has found that a risk exists where a subnet could be maliciously or accidentally exposed to the internet. Which of the following mitigations should be recommended?. Use AWS Config to detect whether an Internet Gateway is added and use an AWS Lambda function to provide auto-remediation. Within the Amazon VPC configuration, mark the VPC as private and disable Elastic IP addresses. Use IPv6 addressing exclusively on the EC2 hosts, as this prevents the hosts from being accessed from the internet. Move the workload to a Dedicated Host, as this provides additional network security controls and monitoring.

A Developer who is following AWS best practices for secure code development requires an application to encrypt sensitive data to be stored at rest, locally in the application, using AWS KMS. What is the simplest and MOST secure way to decrypt this data when required?. Request KMS to provide the stored unencrypted data key and then use the retrieved data key to decrypt the data. Keep the plaintext data key stored in Amazon DynamoDB protected with IAM policies. Query DynamoDB to retrieve the data key to decrypt the data. Use the Encrypt API to store an encrypted version of the data key with another customer managed key. Decrypt the data key and use it to decrypt the data when required. Store the encrypted data key alongside the encrypted data. Use the Decrypt API to retrieve the data key to decrypt the data when required.

A Security Administrator at a university is configuring a fleet of Amazon EC2 instances. The EC2 instances are shared among students, and non-root SSH access is allowed. The Administrator is concerned about students attacking other AWS account resources by using the EC2 instance metadata service. What can the Administrator do to protect against this potential attack?. Disable the EC2 instance metadata service. Log all student SSH interactive session activity. Implement iptables-based restrictions on the instances. Install the Amazon Inspector agent on the instances.

An organization receives an alert that indicates that an EC2 instance behind an ELB Classic Load Balancer has been compromised. What techniques will limit lateral movement and allow evidence gathering?. Remove the instance from the load balancer and terminate it. Remove the instance from the load balancer, and shut down access to the instance by tightening the security group. Reboot the instance and check for any Amazon CloudWatch alarms. Stop the instance and make a snapshot of the root EBS volume.

Development team has asked for help configuring the IAM roles and policies in a new AWS account. The team using the account expects to have hundreds of master keys and therefore does not want to manage access control for customer master keys (CMKs). Which of the following will allow the team to manage AWS KMS permissions in IAM without the complexity of editing individual key policies?. The account's CMK key policy must allow the account's IAM roles to perform KMS EnableKey. Newly created CMKs must have a key policy that allows the root principal to perform all actions. Newly created CMKs must allow the root principal to perform the kms CreateGrant API operation. Newly created CMKs must mirror the IAM policy of the KMS key administrator.

An Amazon EC2 instance is part of an EC2 Auto Scaling group that is behind an Application Load Balancer (ALB). It is suspected that the EC2 instance has been compromised. Which steps should be taken to investigate the suspected compromise? (Choose three.). Detach the elastic network interface from the EC2 instance. Initiate an Amazon Elastic Block Store volume snapshot of all volumes on the EC2 instance. Disable any Amazon Route 53 health checks associated with the EC2 instance. De-register the EC2 instance from the ALB and detach it from the Auto Scaling group. Attach a security group that has restrictive ingress and egress rules to the EC2 instance. Add a rule to an AWS WAF to block access to the EC2 instance.

A company has five AWS accounts and wants to use AWS CloudTrail to log API calls. The log files must be stored in an Amazon S3 bucket that resides in a new account specifically built for centralized services with a unique top-level prefix for each trail. The configuration must also enable detection of any modification to the logs. Which of the following steps will implement these requirements? (Choose three.). Create a new S3 bucket in a separate AWS account for centralized storage of CloudTrail logs, and enable ג€Log File Validationג€ on all trails. Use an existing S3 bucket in one of the accounts, apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the "s3: PutObject" action and the "s3 GetBucketACL" action, and specify the appropriate resource ARNs for the CloudTrail trails. Apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the "s3 PutObject" action and the "s3 GelBucketACL" action, and specify the appropriate resource ARNs for the CloudTrail trails. Use unique log file prefixes for trails in each AWS account. Configure CloudTrail in the centralized account to log all accounts to the new centralized S3 bucket. Enable encryption of the log files by using AWS Key Management Service.

A Security Engineer is implementing a solution to allow users to seamlessly encrypt Amazon S3 objects without having to touch the keys directly. The solution must be highly scalable without requiring continual management. Additionally, the organization must be able to immediately delete the encryption keys. Which solution meets these requirements?. Use AWS KMS with AWS managed keys and the ScheduleKeyDeletion API with a PendingWindowInDays set to 0 to remove the keys if necessary. Use KMS with AWS imported key material and then use the DeletelmportedKeyMaterial API to remove the key material if necessary. Use AWS CloudHSM to store the keys and then use the CloudHSM API or the PKCS11 library to delete the keys if necessary. Use the Systems Manager Parameter Store to store the keys and then use the service API operations to delete the key if necessary.

An application uses Amazon Cognito to manage end users' permissions when directly accessing AWS resources, including Amazon DynamoDB. A new feature request reads as follows: Provide a mechanism to mark customers as suspended pending investigation or suspended permanently. Customers should still be able to log in when suspended, but should not be able to make changes. The priorities are to reduce complexity and avoid potential for future security issues. Which approach will meet these requirements and priorities?. Create a new database field ג€suspended_statusג€ and modify the application logic to validate that field when processing requests. Add suspended customers to second Cognito user pool and update the application login flow to check both user pools. Use Amazon Cognito Sync to push out a ג€suspension_statusג€ parameter and split the IAM policy into normal users and suspended users. Move suspended customers to a second Cognito group and define an appropriate IAM access policy for the group.

A company stores data on an Amazon EBS volume attached to an Amazon EC2 instance. The data is asynchronously replicated to an Amazon S3 bucket. Both the EBS volume and the S3 bucket are encrypted with the same AWS KMS Customer Master Key (CMK). A former employee scheduled a deletion of that CMK before leaving the company. The company's Developer Operations department learns about this only after the CMK has been deleted. Which steps must be taken to address this situation?. Copy the data directly from the EBS encrypted volume before the volume is detached from the EC2 instance. Recover the data from the EBS encrypted volume using an earlier version of the KMS backing key. Make a request to AWS Support to recover the S3 encrypted data. Make a request to AWS Support to restore the deleted CMK, and use it to recover the data.

An AWS Lambda function was misused to alter data, and a Security Engineer must identify who invoked the function and what output was produced. The Engineer cannot find any logs created by the Lambda function in Amazon CloudWatch Logs. Which of the following explains why the logs are not available?. The execution role for the Lambda function did not grant permissions to write log data to CloudWatch Logs. The Lambda function was executed by using Amazon API Gateway, so the logs are not stored in CloudWatch Logs. The execution role for the Lambda function did not grant permissions to write to the Amazon S3 bucket where CloudWatch Logs stores the logs. The version of the Lambda function that was executed was not current.

A company has Windows Amazon EC2 instances in a VPC that are joined to on-premises Active Directory servers for domain services. The security team has enabled Amazon GuardDuty on the AWS account to alert on issues with the instances. During a weekly audit of network traffic, the Security Engineer notices that one of the EC2 instances is attempting to communicate with a known command-and- control server but failing. This alert does not show up in GuardDuty. Why did GuardDuty fail to alert to this behavior?. GuardDuty did not have the appropriate alerts activated. GuardDuty does not see these DNS requests. GuardDuty only monitors active network traffic flow for command-and-control activity. GuardDuty does not report on command-and-control activity.

The AWS Systems Manager Parameter Store is being used to store database passwords used by an AWS Lambda function. Because this is sensitive data, the parameters are stored as type SecureString and protected by an AWS KMS key that allows access through IAM. When the function executes, this parameter cannot be retrieved as the result of an access denied error. Which of the following actions will resolve the access denied error?. Update the ssm.amazonaws.com principal in the KMS key policy to allow kms: Decrypt. Update the Lambda configuration to launch the function in a VPC. Add a policy to the role that the Lambda function uses, allowing kms: Decrypt for the KMS key. Add lambda.amazonaws.com as a trusted entity on the IAM role that the Lambda function uses.

A company's security policy requires that VPC Flow Logs are enabled on all VPCs. A Security Engineer is looking to automate the process of auditing the VPC resources for compliance. What combination of actions should the Engineer take? (Choose two.). Create an AWS Lambda function that determines whether Flow Logs are enabled for a given VPC. Create an AWS Config configuration item for each VPC in the company AWS account. Create an AWS Config configuration item for each VPC in the company AWS account. Create an Amazon CloudWatch Event rule that triggers on events emitted by AWS Config. Create an AWS Config custom rule, and associate it with an AWS Lambda function that contains the evaluating logic.

A Security Engineer is looking for a way to control access to data that is being encrypted under a CMK. The Engineer is also looking to use additional authenticated data (AAD) to prevent tampering with ciphertext. Which action would provide the required functionality?. Pass the key alias to AWS KMS when calling Encrypt and Decrypt API actions. Use IAM policies to restrict access to Encrypt and Decrypt API actions. Use kms:EncryptionContext as a condition when defining IAM policies for the CMK. Use key policies to restrict access to the appropriate IAM groups.

An application makes calls to AWS services using the AWS SDK. The application runs on Amazon EC2 instances with an associated IAM role. When the application attempts to access an object within an Amazon S3 bucket; the Administrator receives the following error message: HTTP 403: Access Denied. Which combination of steps should the Administrator take to troubleshoot this issue? (Choose three.). Confirm that the EC2 instance's security group authorizes S3 access. Verify that the KMS key policy allows decrypt access for the KMS key for this IAM principle. Check the S3 bucket policy for statements that deny access to objects. Confirm that the EC2 instance is using the correct key pair. Confirm that the IAM role associated with the EC2 instance has the proper privileges. Confirm that the instance and the S3 bucket are in the same Region.

A Security Engineer must implement mutually authenticated TLS connections between containers that communicate inside a VPC. Which solution would be MOST secure and easy to maintain?. Use AWS Certificate Manager to generate certificates from a public certificate authority and deploy them to all the containers. Create a self-signed certificate in one container and use AWS Secrets Manager to distribute the certificate to the other containers to establish trust. Use AWS Certificate Manager Private Certificate Authority (ACM PCA) to create a subordinate certificate authority, then create the private keys in the containers and sign them using the ACM PCA API. Use AWS Certificate Manager Private Certificate Authority (ACM PCA) to create a subordinate certificate authority, then use AWS Certificate Manager to generate the private certificates and deploy them to all the containers.

The Accounting department at Example Corp. has made a decision to hire a third-party firm, AnyCompany, to monitor Example Corp.'s AWS account to help optimize costs. The Security Engineer for Example Corp. has been tasked with providing AnyCompany with access to the required Example Corp. AWS resources. The Engineer has created an IAM role and granted permission to AnyCompany's AWS account to assume this role. When customers contact AnyCompany, they provide their role ARN for validation. The Engineer is concerned that one of AnyCompany's other customers might deduce Example Corp.'s role ARN and potentially compromise the company's account. What steps should the Engineer perform to prevent this outcome?. Create an IAM user and generate a set of long-term credentials. Provide the credentials to AnyCompany. Monitor access in IAM access advisor and plan to rotate credentials on a recurring basis. Request an external ID from AnyCompany and add a condition with sts:Externald to the role's trust policy. Require two-factor authentication by adding a condition to the role's trust policy with aws:MultiFactorAuthPresent. Request an IP range from AnyCompany and add a condition with aws:SourceIp to the role's trust policy.

A company maintains sensitive data in an Amazon S3 bucket that must be protected using an AWS KMS CMK. The company requires that keys be rotated automatically every year. How should the bucket be configured?. Select server-side encryption with Amazon S3-managed keys (SSE-S3) and select an AWS-managed CMK. Select Amazon S3-AWS KMS managed encryption keys (S3-KMS) and select a customer-managed CMK with key rotation enabled. Select server-side encryption with Amazon S3-managed keys (SSE-S3) and select a customer-managed CMK that has imported key material. Select server-side encryption with AWS KMS-managed keys (SSE-KMS) and select an alias to an AWS-managed CMK.

An Amazon S3 bucket is encrypted using an AWS KMS CMK. An IAM user is unable to download objects from the S3 bucket using the AWS Management Console; however, other users can download objects from the S3 bucket. Which policies should the Security Engineer review and modify to resolve this issue? (Choose three.). The CMK policy. The VPC endpoint policy. The S3 bucket policy. The S3 ACL. The IAM policy.

While analyzing a company's security solution, a Security Engineer wants to secure the AWS account root user. What should the Security Engineer do to provide the highest level of security for the account?. Create a new IAM user that has administrator permissions in the AWS account. Delete the password for the AWS account root user. Create a new IAM user that has administrator permissions in the AWS account. Modify the permissions for the existing IAM users. Replace the access key for the AWS account root user. Delete the password for the AWS account root user. Create a new IAM user that has administrator permissions in the AWS account. Enable multi-factor authentication for the AWS account root user.

A Security Engineer is working with a Product team building a web application on AWS. The application uses Amazon S3 to host the static content, Amazon API Gateway to provide RESTful services; and Amazon DynamoDB as the backend data store. The users already exist in a directory that is exposed through a SAML identity provider. Which combination of the following actions should the Engineer take to enable users to be authenticated into the web application and call APIs? (Choose three.). Create a custom authorization service using AWS Lambda. Configure a SAML identity provider in Amazon Cognito to map attributes to the Amazon Cognito user pool attributes. Configure the SAML identity provider to add the Amazon Cognito user pool as a relying party. Configure an Amazon Cognito identity pool to integrate with social login providers. Update DynamoDB to store the user email addresses and passwords. Update API Gateway to use a COGNITO_USER_POOLS authorizer.

While securing the connection between a company's VPC and its on-premises data center, a Security Engineer sent a ping command from an on-premises host (IP address 203.0.113.12) to an Amazon EC2 instance (IP address 172.31.16.139). The ping command did not return a response. The flow log in the VPC showed the following: 2 123456789010 eni-1235b8ca 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK 2 123456789010 eni-1235b8ca 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK What action should be performed to allow the ping to work?. In the security group of the EC2 instance, allow inbound ICMP traffic. In the security group of the EC2 instance, allow outbound ICMP traffic. In the VPC's NACL, allow inbound ICMP traffic. In the VPC's NACL, allow outbound ICMP traffic.

A Security Engineer is building a Java application that is running on Amazon EC2. The application communicates with an Amazon RDS instance and authenticates with a user name and password. Which combination of steps can the Engineer take to protect the credentials and minimize downtime when the credentials are rotated? (Choose two.). Have a Database Administrator encrypt the credentials and store the ciphertext in Amazon S3. Grant permission to the instance role associated with the EC2 instance to read the object and decrypt the ciphertext. Configure a scheduled job that updates the credential in AWS Systems Manager Parameter Store and notifies the Engineer that the application needs to be restarted. Configure automatic rotation of credentials in AWS Secrets Manager. Store the credential in an encrypted string parameter in AWS Systems Manager Parameter Store. Grant permission to the instance role associated with the EC2 instance to access the parameter and the AWS KMS key that is used to encrypt it. Configure the Java application to catch a connection failure and make a call to AWS Secrets Manager to retrieve updated credentials when the password is rotated. Grant permission to the instance role associated with the EC2 instance to access Secrets Manager.

A company has several production AWS accounts and a central security AWS account. The security account is used for centralized monitoring and has IAM privileges to all resources in every corporate account. All of the company's Amazon S3 buckets are tagged with a value denoting the data classification of their contents. A Security Engineer is deploying a monitoring solution in the security account that will enforce bucket policy compliance. The system must monitor S3 buckets in all production accounts and confirm that any policy change is in accordance with the bucket's data classification. If any change is out of compliance, the Security team must be notified quickly. Which combination of actions would build the required solution? (Choose three.). Configure Amazon CloudWatch Events in the production accounts to send all S3 events to the security account event bus. Enable Amazon GuardDuty in the security account, and join the production accounts as members. Configure an Amazon CloudWatch Events rule in the security account to detect S3 bucket creation or modification events. Enable AWS Trusted Advisor and activate email notifications for an email address assigned to the security contact. Invoke an AWS Lambda function in the security account to analyze S3 bucket settings in response to S3 events, and send non-compliance notifications to the Security team. Configure event notifications on S3 buckets for PUT, POST, and DELETE events.

A company plans to migrate a sensitive dataset to Amazon S3. A Security Engineer must ensure that the data is encrypted at rest. The encryption solution must enable the company to generate its own keys without needing to manage key storage or the encryption process. What should the Security Engineer use to accomplish this?. Server-side encryption with Amazon S3-managed keys (SSE-S3). Server-side encryption with AWS KMS-managed keys (SSE-KMS). Server-side encryption with customer-provided keys (SSE-C). Client-side encryption with an AWS KMS-managed CMK.

A Security Engineer is defining the logging solution for a newly developed product. Systems Administrators and Developers need to have appropriate access to event log files in AWS CloudTrail to support and troubleshoot the product. Which combination of controls should be used to protect against tampering with and unauthorized access to log files? (Choose two.). Ensure that the log file integrity validation mechanism is enabled. Ensure that all log files are written to at least two separate Amazon S3 buckets in the same account. Ensure that Systems Administrators and Developers can edit log files, but prevent any other access. Ensure that Systems Administrators and Developers with job-related need-to-know requirements only are capable of viewing ג€" but not modifying ג€" the log files. Ensure that all log files are stored on Amazon EC2 instances that allow SSH access from the internal corporate network only.

A company has a few dozen application servers in private subnets behind an Elastic Load Balancer (ELB) in an AWS Auto Scaling group. The application is accessed from the web over HTTPS. The data must always be encrypted in transit. The Security Engineer is worried about potential key exposure due to vulnerabilities in the application software. Which approach will meet these requirements while protecting the external certificate during a breach?. Use a Network Load Balancer (NLB) to pass through traffic on port 443 from the internet to port 443 on the instances. Purchase an external certificate, and upload it to the AWS Certificate Manager (for use with the ELB) and to the instances. Have the ELB decrypt traffic, and route and re-encrypt with the same certificate. Generate an internal self-signed certificate and apply it to the instances. Use AWS Certificate Manager to generate a new external certificate for the ELB. Have the ELB decrypt traffic, and route and re-encrypt with the internal certificate. Upload a new external certificate to the load balancer. Have the ELB decrypt the traffic and forward it on port 80 to the instances.

Which of the following are valid event sources that are associated with web access control lists that trigger AWS WAF rules? (Choose two.). Amazon S3 static web hosting. Amazon CloudFront distribution. Application Load Balancer. Amazon Route 53. VPC Flow Logs.

A company uses identity federation to authenticate users into an identity account (987654321987) where the users assume an IAM role named IdentityRole. The users then assume an IAM role named JobFunctionRole in the target AWS account (123456789123) to perform their job functions. A user is unable to assume the IAM role in the target account. The policy attached to the role in the identity account is: Update the IAM policy attached to the role in the identity account to be:. Update the trust policy on the role in the target account to be:. Update the trust policy on the role in the identity account to be:. Update the IAM policy attached to the role in the target account to be:.

A Security Engineer is working with the development team to design a supply chain application that stores sensitive inventory data in an Amazon S3 bucket. The application will use an AWS KMS customer master key (CMK) to encrypt the data on Amazon S3. The inventory data on Amazon S3 will be shared of vendors. All vendors will use AWS principals from their own AWS accounts to access the data on Amazon S3. The vendor list may change weekly, and the solution must support cross-account access. What is the MOST efficient way to manage access control for the KMS CMK7?. Use KMS grants to manage key access. Programmatically create and revoke grants to manage vendor access. Use an IAM role to manage key access. Programmatically update the IAM role policies to manage vendor access. Use KMS key policies to manage key access. Programmatically update the KMS key policies to manage vendor access. Use delegated access across AWS accounts by using IAM roles to manage key access. Programmatically update the IAM trust policy to manage cross- account vendor access.

A Security Engineer is setting up an AWS CloudTrail trail for all regions in an AWS account. For added security, the logs are stored using server-side encryption with AWS KMS-managed keys (SSE-KMS) and have log integrity validation enabled. While testing the solution, the Security Engineer discovers that the digest files are readable, but the log files are not. What is the MOST likely cause?. The log files fail integrity validation and automatically are marked as unavailable. The KMS key policy does not grant the Security Engineer's IAM user or role permissions to decrypt with it. The bucket is set up to use server-side encryption with Amazon S3-managed keys (SSE-S3) as the default and does not allow SSE-KMS-encrypted files. An IAM policy applicable to the Security Engineer's IAM user or role denies access to the "CloudTrail/" prefix in the Amazon S3 bucket.

A corporate cloud security policy states that communications between the company's VPC and KMS must travel entirely within the AWS network and not use public service endpoints. Which combination of the following actions MOST satisfies this requirement? (Choose two.). Add the aws:sourceVpce condition to the AWS KMS key policy referencing the company's VPC endpoint ID. Remove the VPC internet gateway from the VPC and add a virtual private gateway to the VPC to prevent direct, public internet connectivity. Create a VPC endpoint for AWS KMS with private DNS enabled. Use the KMS Import Key feature to securely transfer the AWS KMS key over a VPN. Add the following condition to the AWS KMS key policy: "aws:SourceIp": "10.0.0.0/16".

A company had one of its Amazon EC2 key pairs compromised. A Security Engineer must identify which current Linux EC2 instances were deployed and used the compromised key pair. How can this task be accomplished?. Obtain the list of instances by directly querying Amazon EC2 using: aws ec2 describe-instances --filters "Name=key- name,Values=KEYNAMEHERE". Obtain the fingerprint for the key pair from the AWS Management Console, then search for the fingerprint in the Amazon Inspector logs. Obtain the output from the EC2 instance metadata using: curl http://169.254.169.254/latest/meta-data/public-keys/0/. Obtain the fingerprint for the key pair from the AWS Management Console, then search for the fingerprint in Amazon CloudWatch Logs using: aws logs filter-log-events.

A Security Engineer for a large company is managing a data processing application used by 1,500 subsidiary companies. The parent and subsidiary companies all use AWS. The application uses TCP port 443 and runs on Amazon EC2 behind a Network Load Balancer (NLB). For compliance reasons, the application should only be accessible to the subsidiaries and should not be available on the public internet. To meet the compliance requirements for restricted access, the Engineer has received the public and private CIDR block ranges for each subsidiary. What solution should the Engineer use to implement the appropriate access restrictions for the application?. Create a NACL to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges. Associate the NACL to both the NLB and EC2 instances. Create an AWS security group to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges. Associate the security group to the NLB. Create a second security group for EC2 instances with access on TCP port 443 from the NLB security group. Create an AWS PrivateLink endpoint service in the parent company account attached to the NLB. Create an AWS security group for the instances to allow access on TCP port 443 from the AWS PrivateLink endpoint. Use AWS PrivateLink interface endpoints in the 1,500 subsidiary AWS accounts to connect to the data processing application. Create an AWS security group to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges. Associate the security group with EC2 instances.

To meet regulatory requirements, a Security Engineer needs to implement an IAM policy that restricts the use of AWS services to the us-east-1 Region. What policy should the Engineer implement?. A. B.

A company uses user data scripts that contain sensitive information to bootstrap Amazon EC2 instances. A Security Engineer discovers that this sensitive information is viewable by people who should not have access to it. What is the MOST secure way to protect the sensitive information used to bootstrap the instances?. Store the scripts in the AMI and encrypt the sensitive data using AWS KMS Use the instance role profile to control access to the KMS keys needed to decrypt the data. Store the sensitive data in AWS Systems Manager Parameter Store using the encrypted string parameter and assign the GetParameters permission to the EC2 instance role. Externalize the bootstrap scripts in Amazon S3 and encrypt them using AWS KMS. Remove the scripts from the instance and clear the logs after the instance is configured. Block user access of the EC2 instance's metadata service using IAM policies. Remove all scripts and clear the logs after execution.

A company is building a data lake on Amazon S3. The data consists of millions of small files containing sensitive information. The Security team has the following requirements for the architecture: ג€¢ Data must be encrypted in transit. ג€¢ Data must be encrypted at rest. ג€¢ The bucket must be private, but if the bucket is accidentally made public, the data must remain confidential. Which combination of steps would meet the requirements? (Choose two.). Enable AES-256 encryption using server-side encryption with Amazon S3-managed encryption keys (SSE-S3) on the S3 bucket. Enable default encryption with server-side encryption with AWS KMS-managed keys (SSE-KMS) on the S3 bucket. Add a bucket policy that includes a deny if a PutObject request does not include aws:SecureTransport. Add a bucket policy with aws:SourceIp to Allow uploads and downloads from the corporate intranet only. Add a bucket policy that includes a deny if a PutObject request does not include s3:x-amz-server-side-encryption: "aws:kms". Enable Amazon Macie to monitor and act on changes to the data lake's S3 bucket.

A Security Engineer discovered a vulnerability in an application running on Amazon ECS. The vulnerability allowed attackers to install malicious code. Analysis of the code shows it exfiltrates data on port 5353 in batches at random time intervals. While the code of the containers is being patched, how can Engineers quickly identify all compromised hosts and stop the egress of data on port 5353?. Enable AWS Shield Advanced and AWS WAF. Configure an AWS WAF custom filter for egress traffic on port 5353. Enable Amazon Inspector on Amazon ECS and configure a custom assessment to evaluate containers that have port 5353 open. Update the NACLs to block port 5353 outbound. Create an Amazon CloudWatch custom metric on the VPC Flow Logs identifying egress traffic on port 5353. Update the NACLs to block port 5353 outbound. Use Amazon Athena to query AWS CloudTrail logs in Amazon S3 and look for any traffic on port 5353. Update the security groups to block port 5353 outbound.

An Amazon EC2 instance is denied access to a newly created AWS KMS CMK used for decrypt actions. The environment has the following configuration: ✑ The instance is allowed the kms:Decrypt action in its IAM role for all resources ✑ The AWS KMS CMK status is set to enabled ✑ The instance can communicate with the KMS API using a configured VPC endpoint What is causing the issue?. The kms:GenerateDataKey permission is missing from the EC2 instance's IAM role. The ARN tag on the CMK contains the EC2 instance's ID instead of the instance's ARN. The kms:Encrypt permission is missing from the EC2 IAM role. The KMS CMK key policy that enables IAM user permissions is missing.

A company has enabled Amazon GuardDuty in all Regions as part of its security monitoring strategy. In one of the VPCs, the company hosts an Amazon EC2 instance working as an FTP server that is contacted by a high number of clients from multiple locations. This is identified by GuardDuty as a brute force attack due to the high number of connections that happen every hour. The finding has been flagged as a false positive. However, GuardDuty keeps raising the issue. A Security Engineer has been asked to improve the signal-to-noise ratio. The Engineer needs to ensure that changes do not compromise the visibility of potential anomalous behavior. How can the Security Engineer address the issue?. Disable the FTP rule in GuardDuty in the Region where the FTP server is deployed. Add the FTP server to a trusted IP list and deploy it to GuardDuty to stop receiving the notifications. Use GuardDuty filters with auto archiving enabled to close the findings. Create an AWS Lambda function that closes the finding whenever a new occurrence is reported.

What are the MOST secure ways to protect the AWS account root user of a recently opened AWS account? (Choose two.). Use the AWS account root user access keys instead of the AWS Management Console. Enable multi-factor authentication for the AWS IAM users with the AdministratorAccess managed policy attached to them. Enable multi-factor authentication for the AWS account root user. Use AWS KMS to encrypt all AWS account root user and AWS IAM access keys and set automatic rotation to 30 days. Do not create access keys for the AWS account root user; instead, create AWS IAM users.

A company has decided to migrate sensitive documents from on-premises data centers to Amazon S3. Currently, the hard drives are encrypted to meet a compliance requirement regarding data encryption. The CISO wants to improve security by encrypting each file using a different key instead of a single key. Using a different key would limit the security impact of a single exposed key. Which of the following requires the LEAST amount of configuration when implementing this approach?. Place each file into a different S3 bucket. Set the default encryption of each bucket to use a different AWS KMS customer managed key. Put all the files in the same S3 bucket. Using S3 events as a trigger, write an AWS Lambda function to encrypt each file as it is added using different AWS KMS data keys. Use the S3 encryption client to encrypt each file individually using S3-generated data keys. Place all the files in the same S3 bucket. Use server-side encryption with AWS KMS-managed keys (SSE-KMS) to encrypt the data.

A company has an encrypted Amazon S3 bucket. An Application Developer has an IAM policy that allows access to the S3 bucket, but the Application Developer is unable to access objects within the bucket. What is a possible cause of the issue?. The S3 ACL for the S3 bucket fails to explicitly grant access to the Application Developer. The AWS KMS key for the S3 bucket fails to list the Application Developer as an administrator. The S3 bucket policy fails to explicitly grant access to the Application Developer. The S3 bucket policy explicitly denies access to the Application Developer.

A Web Administrator for the website example.com has created an Amazon CloudFront distribution for dev.example.com, with a requirement to configure HTTPS using a custom TLS certificate imported to AWS Certificate Manager. Which combination of steps is required to ensure availability of the certificate in the CloudFront console? (Choose two.). Call UploadServerCertificate with /cloudfront/dev/ in the path parameter. Import the certificate with a 4,096-bit RSA public key. Ensure that the certificate, private key, and certificate chain are PKCS #12-encoded. Import the certificate in the us-east-1 (N. Virginia) Region. Ensure that the certificate, private key, and certificate chain are PEM-encoded.

A Security Engineer has discovered that, although encryption was enabled on the Amazon S3 bucket examplebucket, anyone who has access to the bucket has the ability to retrieve the files. The Engineer wants to limit access to each IAM user can access an assigned folder only. What should the Security Engineer do to achieve this?. Use envelope encryption with the AWS-managed CMK aws/s3. Create a customer-managed CMK with a key policy granting ג€kms:Decryptג€ based on the ג€${aws:username}ג€ variable. Create a customer-managed CMK for each user. Add each user as a key user in their corresponding key policy. Change the applicable IAM policy to grant S3 access to ג€Resourceג€: ג€arn:aws:s3:::examplebucket/${aws:username}/*ג€.

A Security Engineer manages AWS Organizations for a company. The Engineer would like to restrict AWS usage to allow Amazon S3 only in one of the organizational units (OUs). The Engineer adds the following SCP to the OU: The next day, API calls to AWS IAM appear in AWS CloudTrail logs in an account under that OU. How should the Security Engineer resolve this issue?. Move the account to a new OU and deny IAM:* permissions. Add a Deny policy for all non-S3 services at the account level. Change the policy to:. Detach the default FullAWSAccess SCP.

A Developer is creating an AWS Lambda function that requires environment variables to store connection information and logging settings. The Developer is required to use an AWS KMS Customer Master Key (CMK) supplied by the Information Security department in order to adhere to company standards for securing Lambda environment variables. Which of the following are required for this configuration to work? (Choose two.). The Developer must configure Lambda access to the VPC using the --vpc-config parameter. The Lambda function execution role must have the kms:Decrypt permission added in the AWS IAM policy. The KMS key policy must allow permissions for the Developer to use the KMS key. The AWS IAM policy assigned to the Developer must have the kms:GenerateDataKey permission added. The Lambda execution role must have the kms:Encrypt permission added in the AWS IAM policy.

A Developer signed in to a new account within an AWS Organizations organizational unit (OU) containing multiple accounts. Access to the Amazon S3 service is restricted with the following SCP: How can the Security Engineer provide the Developer with Amazon S3 access without affecting other accounts?. Move the SCP to the root OU of Organizations to remove the restriction to access Amazon S3. Add an IAM policy for the Developer, which grants S3 access. Create a new OU without applying the SCP restricting S3 access. Move the Developer account to this new OU. Add an allow list for the Developer account for the S3 service.

A company has several workloads running on AWS. Employees are required to authenticate using on-premises ADFS and SSO to access the AWS Management Console. Developers migrated an existing legacy web application to an Amazon EC2 instance. Employees need to access this application from anywhere on the internet, but currently, there is no authentication system built into the application. How should the Security Engineer implement employee-only access to this system without changing the application?. lace the application behind an Application Load Balancer (ALB). Use Amazon Cognito as authentication for the ALB. Define a SAML-based Amazon Cognito user pool and connect it to ADFS. Implement AWS SSO in the master account and link it to ADFS as an identity provider. Define the EC2 instance as a managed resource, then apply an IAM policy on the resource. Define an Amazon Cognito identity pool, then install the connector on the Active Directory server. Use the Amazon Cognito SDK on the application instance to authenticate the employees using their Active Directory user names and passwords. Create an AWS Lambda custom authorizer as the authenticator for a reverse proxy on Amazon EC2. Ensure the security group on Amazon EC2 only allows access from the Lambda function.

An Application Developer is using an AWS Lambda function that must use AWS KMS to perform encrypt and decrypt operations for API keys that are less than 2 KB. Which key policy would allow the application to do this while granting least privilege?. A. C.

A company is migrating its legacy workloads to AWS. The current security information events management (SIEM) system that analyzes logs is aging, and different SIEM systems are being evaluated to replace it. The company wants to change SIEMs without re-architecture the solution. What should the Security Engineer do to accomplish this with minimal operational impact?. Prepare an AMI with the SIEM log forwarder agent for each workload, and configure it to send logs to a centralized SIEM located in the Security team AWS account. Configure an Amazon EC2 instance base AMI to forward logs to its local log forwarder agent. Deploy an AMI in each workload. Configure an Amazon EC2 base AMI with an Amazon Kinesis Agent, and configure it to send to Amazon Kinesis Data Streams in the Security team AWS account. Add an AWS Lambda function at Kinesis Data Streams to push streamed logs to the SIEM. Configure an Amazon EC2 base AMI to send logs to a local AWS CloudTrail log file. Configure CloudTrail to send logs to Amazon CloudWatch. Set up a central SIEM in the Security team AWS account and configure a puller to get information on CloudWatch. Select a pay-per-use SIEM in the AWS Marketplace. Deploy the AMI in each workload to provide elasticity when required. Use Amazon Athena to send real- time alerts.

An Application team has requested a new AWS KMS master key for use with Amazon S3, but the organizational security policy requires separate master keys for different AWS services to limit blast radius. How can an AWS KMS customer master key (CMK) be constrained to work with only Amazon S3?. Configure the CMK key policy to allow only the Amazon S3 service to use the kms:Encrypt action. Configure the CMK key policy to allow AWS KMS actions only when the kms:ViaService condition matches the Amazon S3 service name. Configure the IAM user's policy to allow KMS to pass a role to Amazon S3. Configure the IAM user's policy to allow only Amazon S3 operations when they are combined with the CMK.

A company is developing a highly resilient application to be hosted on multiple Amazon EC2 instances. The application will store highly sensitive user data in Amazon RDS tables. The application must: ✑ Include migration to a different AWS Region in the application disaster recovery plan. ✑ Provide a full audit trail of encryption key administration events. ✑ Allow only company administrators to administer keys. ✑ Protect data at rest using application layer encryption. A Security Engineer is evaluating options for encryption key management. Why should the Security Engineer choose AWS CloudHSM over AWS KMS for encryption key management in this situation?. The key administration event logging generated by CloudHSM is significantly more extensive than AWS KMS. CloudHSM ensures that only company support staff can administer encryption keys, whereas AWS KMS allows AWS staff to administer keys. The ciphertext produced by CloudHSM provides more robust protection against brute force decryption attacks than the ciphertext produced by AWS KMS. CloudHSM provides the ability to copy keys to a different Region, whereas AWS KMS does not.

A global company must mitigate and respond to DDoS attacks at Layers 3, 4 and 7. All of the company's AWS applications are serverless with static content hosted on Amazon S3 using Amazon CloudFront and Amazon Route 53. Which solution will meet these requirements?. Use AWS WAF with an upgrade to the AWS Business support plan. Use AWS Certificate Manager with an Application Load Balancer configured with an origin access identity. Use AWS Shield Advanced. Use AWS WAF to protect AWS Lambda functions encrypted with AWS KMS, and a NACL restricting all ingress traffic.

A Security Engineer signed in to the AWS Management Console as an IAM user and switched to the security role IAM role. To perform a maintenance operation, the Security Engineer needs to switch to the maintainer role IAM role, which lists the security role as a trusted entity. The Security Engineer attempts to switch to the maintainer role, but it fails. What is the likely cause of the failure?. The security role and the maintainer role are not assigned to the IAM user that the Security Engineer used to sign in to the account. The Security Engineer should have logged in as the AWS account root user, which is allowed to assume any role directly. The maintainer role does not include the IAM user as a trusted entity. The security role does not include a statement in its policy to allow an sts:AssumeRole action.

A company is configuring three Amazon EC2 instances with each instance in a separate Availability Zone. The EC2 instances will be used as transparent proxies for outbound internet traffic for ports 80 and 443 so the proxies can block traffic to certain internet destinations as required by the company's security policies. A Security Engineer completed the following: Set up the proxy software on the EC2 instances. ✑ Modified the route tables on the private subnets to use the proxy EC2 instances as the default route. ✑ Created a security group rule opening inbound port 80 and 443 TCP protocols on the proxy EC2 instance security group. However, the proxy EC2 instances are not successfully forwarding traffic to the internet. What should the Security Engineer do to make the proxy EC2 instances route traffic to the internet?. Put all the proxy EC2 instances in a cluster placement group. Disable source and destination checks on the proxy EC2 instances. Open all inbound ports on the proxy EC2 instance security group. Change the VPC's DHCP domain-name-servers options set to the IP addresses of proxy EC2 instances.

Which of the following is NOT considered an asymmetric key encryption mechanism?. Diffie-Hellman. Advanced Encryption Standard (AES). Digital Signature Algorithm. RSA.

Amazon GuardDuty works seamlessly with which AWS services? (Choose two.). Amazon EC2. AWS CloudTrail. Amazon S3. Amazon VPC flow logs. Amazon CloudWatch.

Your engineering team is trying to configure Amazon S3 server access logging. They want to use a source bucket named MyBucket within account A in eu-west-2, with a target bucket named MyTarget in account B in eu-west-2. However, they are not able to configure access logging. What is the most logical reason for this?. The engineering team does not have cross-account access to the buckets. The source and target buckets need to be in the same account. The bucket permissions are restricting the engineering team's access. The source and target buckets need to be in different regions.

A company decides to place database hosts in its own VPC, and to set up VPC peering to different VPCs containing the application and web tiers. The application servers are unable to connect to the database. Which network troubleshooting steps should be taken to resolve the issue? (Select TWO.). Check to see if the application servers are in a private subnet or public subnet. Check the route tables for the application server subnets for routes to the VPC peering connection. Check the NACLs for the database subnets for rules that allow traffic from the internet. Check the database security groups for rules that allow traffic from the application servers. Check to see if the database VPC has an internet gateway.

Which of the following are valid threat purpose values for Amazon GuardDuty? (Choose three.). Policy. Ideal. Recon. Cryptocurrency. Virus. Authorized access.

Which of the following is not a best practice for carrying out a security audit?. Conduct an audit on a yearly basis. Conduct an audit if application instances have been added to your account. Conduct an audit if you ever suspect that an unauthorized person might have accessed your account. Wherever there are changes in your organization, such as people leaving.

You are configuring a number of different service roles to be associated with EC2 instances. During the creation of these roles, two components are established: the role itself and one other. Which component is also created, following the creation of a service role?. An IAM group that the role is attached to. An instance profile. Temporary instance access keys. A new instance associated with the new service role.

You want to configure an SSL connection to your website. Which of these AWS services permits you to do so?. EC2. ACM. EFS. S3.

You are being audited by an external auditor against PCI-DSS, who is accessing your solutions that utilize AWS. You have been asked to provide evidence that certain controls are being met against infrastructure that is maintained by AWS. What is the best way to provide this evidence?. Contact your AWS account management team, asking them to speak with the auditor. As a customer, you have no control over the AWS infrastructure or if it meets certain compliance programs. Use AWS Auditing to download the appropriate compliance reports. Use AWS Artifact to download the appropriate compliance records.

You are creating a Lambda function which will be triggered by a Cloudwatch Event. The data from these events needs to be stored in a DynamoDB table. How should the Lambda function be given access to the DynamoDB table?. Use the AWS Access keys which has access to DynamoDB and then place it in an S3 bucket. Put the AWS Access keys in the Lambda function since the Lambda function by default is secure. Use an 1AM role which has permissions to the DynamoDB table and attach it to the Lambda function. Create a VPC endpoint for the DynamoDB table. Access the VPC endpoint from the Lambda function.

Which of the following ciphers provide perfect forward secrecy?. DHE. RC4. PSK. AES. ECDHE.

A company is hosting a web application on AWS and is using an Amazon S3 bucket to store images. Users should have the ability to read objects in the bucket. A Security Engineer has written the following bucket policy to grant public read access: Attempts to read an object, however, receive the error: "Action does not apply to any resource(s) in statement.” What should the Engineer do to fix the error?. Add an s3:ListBucket action. Verify that the policy has the same name as the bucket name. If not, make it the same. Change the IAM permissions by applying PutBucketPolicy permissions. Change the resource section to "arn:aws:s3:::appbucket/*".

Which of the following security policies are NOT written in JSON format?. AWS Organizational Service Control Policies. AWS KMS key policies. AWS Amazon S3 ACLs. AWS IAM identity-based policies.

You are experiencing an increase in the level of attacks across multiple different AWS accounts against your applications from the internet. This includes XSS and SQL injection attacks. As the security architect for your organization, you are responsible for implementing a solution to help reduce and minimize these threats. Which AWS services should you implement to help protect against these attacks? (Choose two.). AWS Web Application Firewall. AWS Shield. AWS Systems Manager. AWS Firewall Manager. AWS Secrets Manager.

Which of the following AWS services can be used to mitigate a DDoS attack? (Choose all that apply.). VPC flow logs. EC2. Elastic Load Balancing. CloudFront. Route 53.

How can you enhance the security of your AWS CloudTrail logs? (Choose two.). Enable log file verification . Enable log file validation. Encrypt log files using CSE-KMS. Encrypt log files using SSE-KMS.

Your development team has started using AWS resources for development purposes. The AWS account has just been created. Your IT Security team is worried about possible leakage of AWS keys. What is the first level of measure that should be taken to protect the AWS account. Delete the AWS keys for the root account. Create IAM Groups. Create IAM Roles. Restrict access using IAM policies.

In a three-way handshake where a client-server is establishing a connection, which is the correct order for the operations to be carried out in?. Syn, Syn-Ack, Ack. Syn-Ack, Syn, Ack. Ack, Syn, Syn, Ack. Syn, Ack, Syn, Ack.

Which of the following traffic types are NOT captured by VPC flow logs?. Ingress traffic to private subnets. Traffic to the private IPv4 address of a NAT gateway. Traffic to the reserved IP address for the default VPC router. Egress traffic from public subnets.

When testing a new AWS Lambda function that retrieves items from an Amazon DynamoDB table, the Security Engineer notices that the function was not logging any data to Amazon CloudWatch Logs. The following policy was assigned to the role assumed by the Lambda function: { "Version": "2012-10-17", "Statement": [ { "Sid": "Dynamo-1234567", "Action": [ "dynamodb:GetItem" ], "Effect": "Allow", "Resource": "*" } } Which least-privilege policy addition would allow this function to log properly?. { "Sid": "Logging-12345", "Resource": "*", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:DeleteLogGroup", "logs:DeleteLogStream", "logs:getLogEvents", "logs:PutLogEvents" ], "Effect": "Allow" }. { "Sid": "Logging-12345", "Resource": "*", "Action": [ "logs:CreateLogStream" ], "Effect": "Allow" }. { "Sid": "Logging-12345", "Resource": "*", "Action": [ "logs:*" ], "Effect": "Allow" }. Should have chosen { "Sid": "Logging-12345", "Resource": "*", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Effect": "Allow" }.

A Security Engineer must set up security group rules for a three-tier application: - Presentation tier – Accessed by users over the web, protected by the security group presentation-sg - Logic tier – RESTful API accessed from the presentation tier through HTTPS, protected by the security group logic-sg - Data tier – SQL Server database accessed over port 1433 from the logic tier, protected by the security group data-sg Which combination of the following security group rules will allow the application to be secure and functional? (Select THREE.). data-sg: Allow port 1433 from logic-sg. presentation-sg: Allow port 1433 from data-sg. data-sg: Allow port 1433 from presentation-sg. logic-sg: Allow port 443 from 0.0.0.0/0. logic-sg: Allow port 443 from presentation-sg. presentation-sg: Allow ports 80 and 443 from 0.0.0.0/0.

AWS Firewall Manager works with which AWS services? (Choose two.). AWS Shield Advanced. AWS WAF Classic. AWS Shield Standard. AWS WAF. AWS IAM.

Using Amazon Macie, you need to classify your S3 data based on a list of predefined keywords that exist within the actual content of the object being stored. What would be the best content classification type to use to capture this information?. Theme. File Extension. Regex. Content type.

New security policies state that specific IAM users require a higher level of authentication due to their enhanced level of permissions. Acting as the company's security administrator, what could you introduce to follow these new corporate guidelines?. MFA. TLS. SSL. SNS. SQS.

A Security Engineer must ensure that all API calls are collected across all company accounts, and that they are preserved online and are instantly available for analysis for 90 days. For compliance reasons, this data must be restorable for 7 years. Which steps must be taken to meet the retention needs in a scalable, cost-effective way?. Enable AWS CloudTrail logging across all accounts to a centralized Amazon S3 bucket with versioning enabled. Set a lifecycle policy to move the data to Amazon Glacier daily, and expire the data after 90 days. Enable AWS CloudTrail logging across all accounts to S3 buckets. Set a lifecycle policy to expire the data in each bucket after 7 years. Enable AWS CloudTrail logging across all accounts to Amazon Glacier. Set a lifecycle policy to expire the data after 7 years. Enable AWS CloudTrail logging across all accounts to a centralized Amazon S3 bucket. Set a lifecycle policy to move the data to Amazon Glacier after 90 days, and expire the data after 7 years.

How can you ensure that instance in an VPC does not use AWS DNS for routing DNS requests. You want to use your own managed DNS instance. How can this be achieved?. Change the existing DHCP options set. Create a new DHCP options set and replace the existing one. Change the route table for the VPC. Change the subnet configuration to allow DNS requests from the new DNS Server.

AWS Security Hub integrates smoothly with which AWS Service. (Choose two.). Amazon GuardDuty. Amazon Macie. AWS Config. AWS KMS.