Amazon Web Services SCS-C01 today updated questions - Verified by Amazon Web Services Experts

AWS Certified Security - Specialty Questions and Answers

Question 1

A company uses SAML federation with IAM Identity and Access Management (IAM) to provide internal users with SSO for their IAM accounts. The company's identity provider certificate was rotated as part of its normal lifecycle. Shortly after, users started receiving the following error when attempting to log in:

"Error: Response Signature Invalid (Service: IAMSecuntyTokenService; Status Code: 400; Error Code: InvalidldentltyToken)"

A security engineer needs to address the immediate issue and ensure that it will not occur again.

Which combination of steps should the security engineer take to accomplish this? (Select TWO.)

Options:

Download a new copy of the SAML metadata file from the identity provider Create a new IAM identity provider entity. Upload the new metadata file to the new IAM identity provider entity.

During the next certificate rotation period and before the current certificate expires, add a new certificate as the secondary to the identity provider. Generate a new metadata file and upload it to the IAM identity provider entity. Perform automated or manual rotation of the certificate when required.

Download a new copy of the SAML metadata file from the identity provider Upload the new metadata to the IAM identity provider entity configured for the SAML integration in question.

During the next certificate rotation period and before the current certificate expires, add a new certificate as the secondary to the identity provider. Generate a new copy of the metadata file and create a new IAM identity provider entity. Upload the metadata file to the new IAM identity provider entity. Perform automated or manual rotation of the certificate when required.

Download a new copy of the SAML metadata file from the identity provider Create a new IAM identity provider entity. Upload the new metadata file to the new IAM identity provider entity. Update the identity provider configurations to pass a new IAM identity provider entity name in the SAML assertion.

Question 2

A Security Administrator at a university is configuring a fleet of Amazon EC2 instances. The EC2 instances are shared among students, and non-root SSH access is allowed. The Administrator is concerned about students attacking other IAM account resources by using the EC2 instance metadata service.

What can the Administrator do to protect against this potential attack?

Options:

Disable the EC2 instance metadata service.

Log all student SSH interactive session activity.

Implement ip tables-based restrictions on the instances.

Install the Amazon Inspector agent on the instances.

Question 3

A Security Engineer for a large company is managing a data processing application used by 1,500 subsidiary companies. The parent and subsidiary companies all use IAM. The application uses TCP port 443 and runs on Amazon EC2 behind a Network Load Balancer (NLB). For compliance reasons, the application should only be accessible to the subsidiaries and should not be available on the public internet. To meet the compliance requirements for restricted access, the Engineer has received the public and private CIDR block ranges for each subsidiary

What solution should the Engineer use to implement the appropriate access restrictions for the application?

Options:

Create a NACL to allow access on TCP port 443 from the 1;500 subsidiary CIDR block ranges. Associate the NACL to both the NLB and EC2 instances

Create an IAM security group to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges. Associate the security group to the NLB. Create a second security group for EC2 instances with access on TCP port 443 from the NLB security group.

Create an IAM PrivateLink endpoint service in the parent company account attached to the NLB. Create an IAM security group for the instances to allow access on TCP port 443 from the IAM PrivateLink endpoint. Use IAM PrivateLink interface endpoints in the 1,500 subsidiary IAM accounts to connect to the data processing application.

Create an IAM security group to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges. Associate the security group with EC2 instances.

Question 4

A company's application runs on Amazon EC2 and stores data in an Amazon S3 bucket The company wants additional security controls in place to limit the likelihood of accidental exposure of data to external parties

Which combination of actions will meet this requirement? (Select THREE.)

Options:

Encrypt the data in Amazon S3 using server-side encryption with Amazon S3 managed encryption keys (SSE-S3)

Encrypt the data in Amazon S3 using server-side encryption with IAM KMS managed encryption keys (SSE-KMS)

Create a new Amazon S3 VPC endpoint and modify the VPC's routing tables to use the new endpoint

Use the Amazon S3 Block Public Access feature.

Configure the bucket policy to allow access from the application instances only

Use a NACL to filter traffic to Amazon S3

Question 5

A Security Engineer noticed an anomaly within a company EC2 instance as shown in the image. The Engineer must now investigate what e causing the anomaly. What are the MOST effective steps to take lo ensure that the instance is not further manipulated while allowing the Engineer to understand what happened?

Options:

Remove the instance from the Auto Scaling group Place the instance within an isolation security group, detach the EBS volume launch an EC2 instance with a forensic toolkit and attach the E8S volume to investigate

Remove the instance from the Auto Scaling group and the Elastic Load Balancer Place the instance within an isolation security group, launch an EC2 instance with a forensic toolkit, and allow the forensic toolkit image to connect to the suspicious Instance to perform the Investigation.

Remove the instance from the Auto Scaling group Place the Instance within an isolation security group, launch an EC2 Instance with a forensic toolkit and use the forensic toolkit imago to deploy an ENI as a network span port to inspect all traffic coming from the suspicious instance.

Remove the instance from the Auto Scaling group and the Elastic Load Balancer Place the instance within an isolation security group, make a copy of the EBS volume from a new snapshot, launch an EC2 Instance with a forensic toolkit and attach the copy of the EBS volume to investigate.

Question 6

A company’s security engineer is configuring Amazon S3 permissions to ban all current and future public buckets However, the company hosts several websites directly off S3 buckets with public access enabled

The engineer needs to bock me pubic S3 buckets without causing any outages on me easting websites The engineer has set up an Amazon CloudFrom distribution (or each website

Which set or steps should the security engineer implement next?

Options:

Configure an S3 bucket as the origin an origin access identity (OAI) for the CloudFront distribution Switch the DNS records from websites to point to the CloudFront distribution Enable Nock public access settings at the account level

Configure an S3 bucket as the origin with an origin access identity (OAI) for the CloudFront distribution Switch the ONS records tor the websites to point to the CloudFront disinfection Then, tor each S3 bucket enable block public access settings

Configure an S3 bucket as the origin with an origin access identity (OAI) for the CloudFront distribution Enable block public access settings at the account level

Configure an S3 bucket as the origin for me CloudFront distribution Configure the S3 bucket policy to accept connections from the CloudFront points of presence only Switch the DNS records for the websites to point to the CloudFront distribution Enable block public access settings at me account level

Question 7

A security engineer need to ensure their company’s uses of IAM meets IAM security best practices. As part of this, the IAM account root user must not be used for daily work. The root user must be monitored for use, and the Security team must be alerted as quickly as possible if the root user is used.

Which solution meets these requirements?

Options:

Set up an Amazon CloudWatch Events rule that triggers an Amazon SNS notification.

Set up an Amazon CloudWatch Events rule that triggers an Amazon SNS notification logs from S3 and generate notifications using Amazon SNS.

Set up a rule in IAM config to trigger root user events. Trigger an IAM Lambda function and generate notifications using Amazon SNS.

Use Amazon Inspector to monitor the usage of the root user and generate notifications using Amazon SNS

Question 8

A company is using IAM Organizations to manage multiple IAM accounts. The company has an application that allows users to assume the AppUser IAM role to download files from an Amazon S3 bucket that is encrypted with an IAM KMS CMK However when users try to access the files in the S3 bucket they get an access denied error.

What should a Security Engineer do to troubleshoot this error? (Select THREE )

Options:

Ensure the KMS policy allows the AppUser role to have permission to decrypt for the CMK

Ensure the S3 bucket policy allows the AppUser role to have permission to get objects for the S3 bucket

Ensure the CMK was created before the S3 bucket.

Ensure the S3 block public access feature is enabled for the S3 bucket.

Ensure that automatic key rotation is disabled for the CMK

Ensure the SCPs within Organizations allow access to the S3 bucket.

Question 9

A company has decided to migrate sensitive documents from on-premises data centers to Amazon S3. Currently, the hard drives are encrypted to meet a compliance requirement regarding data encryption. The CISO wants to improve security by encrypting each file using a different key instead of a single key. Using a different key would limit the security impact of a single exposed key.

Which of the following requires the LEAST amount of configuration when implementing this approach?

Options:

Place each file into a different S3 bucket. Set the default encryption of each bucket to use a different IAM KMS customer managed key.

Put all the files in the same S3 bucket. Using S3 events as a trigger, write an IAM Lambda function to encrypt each file as it is added using different IAM KMS data keys.

Use the S3 encryption client to encrypt each file individually using S3-generated data keys

Place all the files in the same S3 bucket. Use server-side encryption with IAM KMS-managed keys (SSE-KMS) to encrypt the data

Question 10

A company has several critical applications running on a large fleet of Amazon EC2 instances. As part of a security operations review, the company needs to apply a critical operating system patch to EC2 instances within 24 hours of the patch becoming available from the operating system vendor. The company does not have a patching solution deployed on IAM, but does have IAM Systems Manager configured. The solution must also minimize administrative overhead.

What should a security engineer recommend to meet these requirements?

Options:

Create an IAM Config rule defining the patch as a required configuration for EC2 instances.

Use the IAM Systems Manager Run Command to patch affected instances.

Use an IAM Systems Manager Patch Manager predefined baseline to patch affected instances.

Use IAM Systems Manager Session Manager to log in to each affected instance and apply the patch.

Question 11

A company uses a third-party identity provider and SAML-based SSO for its IAM accounts After the third-party identity provider renewed an expired signing certificate users saw the following message when trying to log in:

A security engineer needs to provide a solution that corrects the error and minimizes operational overhead Which solution meets these requirements?

Options:

Upload the third-party signing certificate's new private key to the IAM identity provider entity defined in IAM identity and Access Management (IAM) by using the IAM Management Console

Sign the identity provider's metadata file with the new public key Upload the signature to the IAM identity provider entity defined in IAM Identity and Access Management (IAM) by using the IAM CLI.

Download the updated SAML metadata tile from the identity service provider Update the file in the IAM identity provider entity defined in IAM Identity and Access Management (IAM) by using the IAM CLI

Configure the IAM identity provider entity defined in IAM Identity and Access Management (IAM) to synchronously fetch the new public key by using the IAM Management Console.

Question 12

A Developer is building a serverless application that uses Amazon API Gateway as the front end. The application will not be publicly accessible. Other legacy applications running on Amazon EC2 will make calls to the application A Security Engineer Has been asked to review the security controls for authentication and authorization of the application

Which combination of actions would provide the MOST secure solution? (Select TWO )

Options:

Configure an IAM policy that allows the least permissive actions to communicate with the API Gateway Attach the policy to the role used by the legacy EC2 instances

Enable IAM WAF for API Gateway Configure rules to explicitly allow connections from the legacy EC2 instances

Create a VPC endpoint for API Gateway Attach an IAM resource policy that allows the role of the legacy EC2 instances to call specific APIs

Create a usage plan Generate a set of API keys for each application that needs to call the API.

Configure cross-origin resource sharing (CORS) in each API Share the CORS information with the applications that call the API.

Question 13

A company Is trying to replace its on-premises bastion hosts used to access on-premises Linux servers with IAM Systems Manager Session Manager. A security engineer has installed the Systems Manager Agent on all servers. The security engineer verifies that the agent is running on all the servers, but Session Manager cannot connect to them. The security engineer needs to perform verification steps before Session Manager will work on the servers.

Which combination of steps should the security engineer perform? (Select THREE.)

Options:

Open inbound port 22 to 0 0.0.0/0 on all Linux servers.

Enable the advanced-instances tier in Systems Manager.

Create a managed-instance activation for the on-premises servers.

Reconfigure the Systems Manager Agent with the activation code and ID.

Assign an IAM role to all of the on-premises servers.

Initiate an inventory collection with Systems Manager on the on-premises servers

Question 14

A company has several workloads running on IAM. Employees are required to authenticate using on-premises ADFS and SSO to access the IAM Management

Console. Developers migrated an existing legacy web application to an Amazon EC2 instance. Employees need to access this application from anywhere on the internet, but currently, there is no authentication system built into the application.

How should the Security Engineer implement employee-only access to this system without changing the application?

Options:

Place the application behind an Application Load Balancer (ALB). Use Amazon Cognito as authentication for the ALB. Define a SAML-based Amazon Cognito user pool and connect it to ADFS.

Implement IAM SSO in the master account and link it to ADFS as an identity provider. Define the EC2 instance as a managed resource, then apply an IAM policy on the resource.

Define an Amazon Cognito identity pool, then install the connector on the Active Directory server. Use the Amazon Cognito SDK on the application instance to authenticate the employees using their Active Directory user names and passwords.

Create an IAM Lambda custom authorizer as the authenticator for a reverse proxy on Amazon EC2. Ensure the security group on Amazon EC2 only allows access from the Lambda function.

Question 15

A financial institution has the following security requirements:

Cloud-based users must be contained in a separate authentication domain.
Cloud-based users cannot access on-premises systems.

As part of standing up a cloud environment, the financial institution is creating a number of Amazon managed databases and Amazon EC2 instances. An Active Directory service exists on-premises that has all the administrator accounts, and these must be able to access the databases and instances.

How would the organization manage its resources in the MOST secure manner? (Choose two.)

Options:

Configure an IAM Managed Microsoft AD to manage the cloud resources.

Configure an additional on-premises Active Directory service to manage the cloud resources.

Establish a one-way trust relationship from the existing Active Directory to the new Active Directory service.

Establish a one-way trust relationship from the new Active Directory to the existing Active Directory service.

Establish a two-way trust between the new and existing Active Directory services.

Question 16

An application is currently secured using network access control lists and security groups. Web servers are located in public subnets behind an Application Load Balancer (ALB); application servers are located in private subnets.

How can edge security be enhanced to safeguard the Amazon EC2 instances against attack? (Choose two.)

Options:

Configure the application’s EC2 instances to use NAT gateways for all inbound traffic.

Move the web servers to private subnets without public IP addresses.

Configure IAM WAF to provide DDoS attack protection for the ALB.

Require all inbound network traffic to route through a bastion host in the private subnet.

Require all inbound and outbound network traffic to route through an IAM Direct Connect connection.

Question 17

A Developer reported that IAM CloudTrail was disabled on their account. A Security Engineer investigated the account and discovered the event was undetected by the current security solution. The Security Engineer must recommend a solution that will detect future changes to the CloudTrail configuration and send alerts when changes occur.

What should the Security Engineer do to meet these requirements?

Options:

Use IAM Resource Access Manager (IAM RAM) to monitor the IAM CloudTrail configuration. Send notifications using Amazon SNS.

Create an Amazon CloudWatch Events rule to monitor Amazon GuardDuty findings. Send email notifications using Amazon SNS.

Update security contact details in IAM account settings for IAM Support to send alerts when suspicious activity is detected.

Use Amazon Inspector to automatically detect security issues. Send alerts using Amazon SNS.

Question 18

A developer is creating an IAM Lambda function that requires environment variables to store connection information and logging settings. The developer is required to use an IAM KMS Customer Master Key (CMK> supplied by the information security department in order to adhere to company standards for securing Lambda environment variables.

Which of the following are required for this configuration to work? (Select TWO.)

Options:

The developer must configure Lambda access to the VPC using the --vpc-config parameter.

The Lambda function execution role must have the kms:Decrypt- permission added in the IAM IAM policy.

The KMS key policy must allow permissions for the developer to use the KMS key.

The IAM IAM policy assigned to the developer must have the kmseGcnerate-DataKcy permission added.

The Lambda execution role must have the kms:Encrypt permission added in the IAM IAM policy.

Question 19

A company has a VPC with several Amazon EC2 instances behind a NAT gateway. The company's security policy states that all network traffic must be logged and must include the original source and destination IP addresses. The existing VPC Flow Logs do not include this information. A security engineer needs to recommend a solution.

Which combination of steps should the security engineer recommend? (Select TWO )

Options:

Edit the existing VPC Flow Logs. Change the log format of the VPC Flow Logs from the Amazon default format to a custom format.

Delete and recreate the existing VPC Flow Logs. Change the log format of the VPC Flow Logs from the Amazon default format to a custom format.

Change the destination to Amazon CloudWatch Logs.

Include the pkt-srcaddr and pkt-dstaddr fields in the log format.

Include the subnet-id and instance-id fields in the log format.

Question 20

A security engineer has created an Amazon Cognito user pool. The engineer needs to manually verify the ID and access token sent by the application for troubleshooting purposes

What is the MOST secure way to accomplish this?

Options:

Extract the subject (sub), audience (aud), and cognito:username from the ID token payload Manually check the subject and audience for the user name In the user pool

Search for the public key with a key ID that matches the key ID In the header of the token. Then use a JSON Web Token (JWT) library to validate the signature of the token and extract values, such as the expiry date

Verify that the token is not expired. Then use the token_use claim function In Amazon Cognito to validate the key IDs

Copy the JSON Web Token (JWT) as a JSON document Obtain the public JSON Web Key (JWK) and convert It to a pem file. Then use the file to validate the original JWT.

Question 21

A website currently runs on Amazon EC2 with mostly static content on the site. Recently, the site was subjected to a DDoS attack, and a Security Engineer was tasked with redesigning the edge security to help mitigate this risk in the future

What are some ways the Engineer could achieve this? (Select THREE )

Options:

Use IAM X-Ray to inspect the traffic going 10 the EC2 instances

Move the state content to Amazon S3 and font this with an Amazon CloudFront distribution

Change the security group configuration to block the source of the attack traffic

Use IAM WAF security rules to inspect the inbound traffic

Use Amazon inspector assessment templates to inspect the inbound traffic

Use Amazon Route 53 to distribute traffic

Question 22

A company hosts its public website on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an EC2 Auto Scaling group across multiple Availability Zones. The website is under a DDoS attack by a specific loT device brand that is visible in the user agent A security engineer needs to mitigate the attack without impacting the availability of the public website.

What should the security engineer do to accomplish this?

Options:

Configure a web ACL rule for IAM WAF to block requests with a string match condition for the user agent of the loT device. Associate the v/eb ACL with the ALB.

Configure an Amazon CloudFront distribution to use the ALB as an origin. Configure a web ACL rule for IAM WAF to block requests with a string match condition for the user agent of the loT device. Associate the web ACL with the ALB Change the public DNS entry of the website to point to the CloudFront distribution.

Configure an Amazon CloudFront distribution to use a new ALB as an origin. Configure a web ACL rule for IAM WAF to block requests with a string match condition for the user agent of the loT device. Change the ALB security group to alow access from CloudFront IP address ranges only Change the public DNS entry of the website to point to the CloudFront distribution.

Activate IAM Shield Advanced to enable DDoS protection. Apply an IAM WAF ACL to the ALB. and configure a listener rule on the ALB to block loT devices based on the user agent.

Question 23

A security engineer is designing an incident response plan to address the risk of a compromised Amazon EC2 instance. The plan must recommend a solution to meet the following requirements:

• A trusted forensic environment must be provisioned

• Automated response processes must be orchestrated

Which IAM services should be included in the plan? {Select TWO)

Options:

IAM CloudFormation

Amazon GuardDuty

Amazon Inspector

Amazon Macie

IAM Step Functions

Question 24

A company is running an application on Amazon EC2 instances in an Auto Scaling group. The application stores logs locally A security engineer noticed that logs were lost after a scale-in event. The security engineer needs to recommend a solution to ensure the durability and availability of log data All logs must be kept for a minimum of 1 year for auditing purposes

What should the security engineer recommend?

Options:

Within the Auto Scaling lifecycle, add a hook to create and attach an Amazon Elastic Block Store (Amazon EBS) log volume each time an EC2 instance is created. When the instance is terminated, the EBS volume can be reattached to another instance for log review.

Create an Amazon Elastic File System (Amazon EFS) file system and add a command in the user data section of the Auto Scaling launch template to mount the EFS file system during EC2 instance creation Configure a process on the instance to copy the logs once a day from an instance Amazon Elastic Block Store (Amazon EBS) volume to a directory in the EFS file system.

Build the Amazon CloudWatch agent into the AMI used in the Auto Scaling group. Configure the CloudWatch agent to send the logs to Amazon CloudWatch Logs for review.

Within the Auto Scaling lifecycle, add a lifecycle hook at the terminating state transition and alert the engineering team by using a lifecycle notification to Amazon Simple Notification Service (Amazon SNS). Configure the hook to remain in the Terminating:Wait state for 1 hour to allow manual review of the security logs prior to instance termination.

Question 25

A company has a serverless application for internal users deployed on IAM. The application uses IAM Lambda for the front end and for business logic. The Lambda function accesses an Amazon RDS database inside a VPC The company uses IAM Systems Manager Parameter Store for storing database credentials. A recent security review highlighted the following issues

The Lambda function has internet access.
The relational database is publicly accessible.
The database credentials are not stored in an encrypted state.

Which combination of steps should the company take to resolve these security issues? (Select THREE)

Options:

Disable public access to the RDS database inside the VPC

Move all the Lambda functions inside the VPC.

Edit the IAM role used by Lambda to restrict internet access.

Create a VPC endpoint for Systems Manager. Store the credentials as a string parameter. Change the parameter type to an advanced parameter.

Edit the IAM role used by RDS to restrict internet access.

Create a VPC endpoint for Systems Manager. Store the credentials as a SecureString parameter.

Question 26

A convoys data lake uses Amazon S3 and Amazon Athena. The company's security engineer has been asked to design an encryption solution that meets the company's data protection requirements. The encryption solution must work with Amazon S3 and keys managed by the company. The encryption solution must be protected in a hardware security module that is validated id Federal information Processing Standards (FPS) 140-2 Level 3.

Which solution meets these requirements?

Options:

Use client-side encryption with an IAM KMS customer-managed key implemented with the IAM Encryption SDK

Use IAM CloudHSM to store the keys and perform cryptographic operations Save the encrypted text in Amazon S3

Use an IAM KMS customer-managed key that is backed by a custom key store using IAM CloudHSM

Use an IAM KMS customer-managed key with the bring your own key (BYOK) feature to import a key stored in IAM CloudHSM

Question 27

A Security Engineer manages IAM Organizations for a company. The Engineer would like to restrict IAM usage to allow Amazon S3 only in one of the organizational units (OUs). The Engineer adds the following SCP to the OU:

The next day. API calls to IAM IAM appear in IAM CloudTrail logs In an account under that OU. How should the Security Engineer resolve this issue?

Options:

Move the account to a new OU and deny IAM:* permissions.

Add a Deny policy for all non-S3 services at the account level.

Change the policy to:

{

“Version”: “2012-10-17”,

“Statement”: [

{

“Sid”: “AllowS3”,

"Effect": "Allow",

"Action": "s3:*",

"Resource": "*/*»

}

]

}

Detach the default FullIAMAccess SCP

Question 28

A company has multiple production IAM accounts. Each account has IAM CloudTrail configured to log to a single Amazon S3 bucket in a central account. Two of the production accounts have trails that are not logging anything to the S3 bucket.

Which steps should be taken to troubleshoot the issue? (Choose three.)

Options:

Verify that the log file prefix is set to the name of the S3 bucket where the logs should go.

Verify that the S3 bucket policy allows access for CloudTrail from the production IAM account IDs.

Create a new CloudTrail configuration in the account, and configure it to log to the account’s S3 bucket.

Confirm in the CloudTrail Console that each trail is active and healthy.

Open the global CloudTrail configuration in the master account, and verify that the storage location is set to the correct S3 bucket.

Confirm in the CloudTrail Console that the S3 bucket name is set correctly.

Question 29

A security engineer has noticed that VPC Flow Logs are getting a lot REJECT traffic originating from a single Amazon EC2 instance in an Auto Scaling group. The security engineer is concerned that this EC2 instance may be compromised.

What immediate action should the security engineer take?

Options:

Remove me instance from the Auto Seating group Close me security group mm ingress only from a single forensic P address to perform an analysis.

Remove me instance from the Auto Seating group Change me network ACL rules to allow traffic only from a single forensic IP address to perform en analysis Add a rule to deny all other traffic.

Remove the instance from the Auto Scaling group Enable Amazon GuardDuty in that IAM account Install the Amazon Inspector agent cm the suspicious EC 2 instance to perform a scan.

Take a snapshot of the suspicious EC2 instance. Create a new EC2 instance from me snapshot in a closed security group with ingress only from a single forensic IP address to perform an analysis

Question 30

The Security Engineer is managing a traditional three-tier web application that is running on Amazon EC2 instances. The application has become the target of increasing numbers of malicious attacks from the Internet.

What steps should the Security Engineer take to check for known vulnerabilities and limit the attack surface? (Choose two.)

Options:

Use IAM Certificate Manager to encrypt all traffic between the client and application servers.

Review the application security groups to ensure that only the necessary ports are open.

Use Elastic Load Balancing to offload Secure Sockets Layer encryption.

Use Amazon Inspector to periodically scan the backend instances.

Use IAM Key Management Services to encrypt all the traffic between the client and application servers.

Question 31

A company has a VPC with an IPv6 address range and a public subnet with an IPv6 address block. The VPC currently hosts some public Amazon EC2 instances but a Security Engineer needs to migrate a second application into the VPC that also requires IPv6 connectivity.

This new application will occasionally make API requests to an external, internet-accessible endpoint to receive updates However, the Security team does not want the application's EC2 instance exposed directly to the internet The Security Engineer intends to create a private subnet with a custom route table and to associate the route table with the private subnet

What else does the Security Engineer need to do to ensure the application will not be exposed directly to the internet, but can still communicate as required''

Options:

Launch a NAT instance in the public subnet Update the custom route table with a new route to the NAT instance

Remove the internet gateway, and add IAM PrivateLink to the VPC Then update the custom route table with a new route to IAM PrivateLink

Add a managed NAT gateway to the VPC Update the custom route table with a new route to the gateway

Add an egress-only internet gateway to the VPC. Update the custom route table with a new route to the gateway

Question 32

Authorized Administrators are unable to connect to an Amazon EC2 Linux bastion host using SSH over the internet. The connection either fails to respond or generates the following error message:

Network error: Connection timed out.

What could be responsible for the connection failure? (Select THREE )

Options:

The NAT gateway in the subnet where the EC2 instance is deployed has been misconfigured

The internet gateway of the VPC has been reconfigured

The security group denies outbound traffic on ephemeral ports

The route table is missing a route to the internet gateway

The NACL denies outbound traffic on ephemeral ports

The host-based firewall is denying SSH traffic

Question 33

Unapproved changes were previously made to a company's Amazon S3 bucket. A security engineer configured IAM Config to record configuration changes made to the company's S3 buckets. The engineer discovers there are S3 configuration changes being made, but no Amazon SNS notifications are being sent. The engineer has already checked the configuration of the SNS topic and has confirmed the configuration is valid.

Which combination of steps should the security engineer take to resolve the issue? (Select TWO.)

Options:

Configure the S3 bucket ACLs to allow IAM Config to record changes to the buckets.

Configure policies attached to S3 buckets to allow IAM Config to record changes to the buckets.

Attach the AmazonS3ReadOnryAccess managed policy to the IAM user.

Verify the security engineer's IAM user has an attached policy that allows all IAM Config actions.

Assign the IAMConfigRole managed policy to the IAM Config role

Question 34

A company has several production IAM accounts and a central security IAM account. The security account is used for centralized monitoring and has IAM privileges to all resources in every corporate account. All of the company's Amazon S3 buckets are tagged with a value denoting the data classification of their contents.

A Security Engineer is deploying a monitoring solution in the security account that will enforce bucket policy compliance. The system must monitor S3 buckets in all production accounts and confirm that any policy change is in accordance with the bucket's data classification. If any change is out of compliance; the Security team must be notified quickly.

Which combination of actions would build the required solution? (Choose three.)

Options:

Configure Amazon CloudWatch Events in the production accounts to send all S3 events to the security account event bus.

Enable Amazon GuardDuty in the security account. and join the production accounts as members.

Configure an Amazon CloudWatch Events rule in the security account to detect S3 bucket creation or modification events.

Enable IAM Trusted Advisor and activate email notifications for an email address assigned to the security contact.

Invoke an IAM Lambda function in the security account to analyze S3 bucket settings in response to S3 events, and send non-compliance notifications to the Security team.

Configure event notifications on S3 buckets for PUT; POST, and DELETE events.

Question 35

A security engineer needs to configure monitoring and auditing for IAM Lambda.

Which combination of actions using IAM services should the security engineer take to accomplish this goal? (Select TWO.)

Options:

Use IAM Config to track configuration changes to Lambda functions, runtime environments, tags, handler names, code sizes, memory allocation, timeout settings, and concurrency settings, along with Lambda IAM execution role, subnet, and security group associations.

Use IAM CloudTrail to implement governance, compliance, operational, and risk auditing for Lambda.

Use Amazon Inspector to automatically monitor for vulnerabilities and perform governance, compliance, operational, and risk auditing for Lambda.

Use IAM Resource Access Manager to track configuration changes to Lambda functions, runtime environments, tags, handler names, code sizes, memory allocation, timeout settings, and concurrency settings, along with Lambda IAM execution role, subnet, and security group associations.

Use Amazon Macie to discover, classify, and protect sensitive data being executed inside the Lambda function.

Question 36

A company recently performed an annual security assessment of its IAM environment. The assessment showed that audit logs are not available beyond 90 days and that unauthorized changes to IAM policies are made without detection.

How should a security engineer resolve these issues?

Options:

Create an Amazon S3 lifecycle policy that archives IAM CloudTrail trail logs to Amazon S3 Glacier after 90 days. Configure Amazon Inspector to provide a notification when a policy change is made to resources.

Configure IAM Artifact to archive IAM CloudTrail logs Configure IAM Trusted Advisor to provide a notification when a policy change is made to resources.

Configure Amazon CloudWatch to export log groups to Amazon S3. Configure IAM CloudTrail to provide a notification when a policy change is made to resources.

Create an IAM CloudTrail trail that stores audit logs in Amazon S3. Configure an IAM Config rule to provide a notification when a policy change is made to resources.

Question 37

A security engineer must develop an encryption tool for a company. The company requires a cryptographic solution that supports the ability to perform cryptographic erasure on all resources protected by the key material in 15 minutes or less

Which IAM Key Management Service (IAM KMS) key solution will allow the security engineer to meet these requirements?

Options:

Use Imported key material with CMK

Use an IAM KMS CMK

Use an IAM managed CMK.

Use an IAM KMS customer managed CMK

Question 38

A company wants to encrypt data locally while meeting regulatory requirements related to key exhaustion. The encryption key can be no more than 10 days old or encrypt more than 2" 16 objects Any encryption key must be generated on a FlPS-validated hardware security module (HSM). The company is cost-conscious, as plans to upload an average of 100 objects to Amazon S3 each second for sustained operations across 5 data producers

When approach MOST efficiently meets the company's needs?

Options:

Use the IAM Encryption SDK and set the maximum age to 10 days and the minimum number of messages encrypted to 3" 16. Use IAM Key Management Service (IAM KMS) to generate the master key and data key Use data key caching with the Encryption SDk during the encryption process.

Use IAM Key Management Service (IAM KMS) to generate an IAM managed CMK. Then use Amazon S3 client-side encryption configured to automatically rotate with every object

Use IAM CloudHSM to generate the master key and data keys. Then use Boto 3 and Python to locally encrypt data before uploading the object Rotate the data key every 10 days or after 2" 16 objects have been Uploaded to Amazon 33

Use server-side encryption with Amazon S3 managed encryption keys (SSE-S3) and set the master key to automatically rotate.

Question 39

A company is collecting IAM CloudTrail log data from multiple IAM accounts by managing individual trails in each account and forwarding log data to a centralized Amazon S3 bucket residing in a log archive account. After CloudTrail introduced support for IAM Organizations trails, the company decided to further centralize management and automate deployment of the CloudTrail logging capability across all of its IAM accounts.

The company's security engineer created an IAM Organizations trail in the master account, enabled server-side encryption with IAM KMS managed keys (SSE-KMS) for the log files, and specified the same bucket as the storage location. However, the engineer noticed that logs recorded by the new trail were not delivered to the bucket.

Which factors could cause this issue? (Select TWO.)

Options:

The CMK key policy does not allow CloudTrail to make encrypt and decrypt API calls against the key.

The CMK key policy does not allow CloudTrail to make GenerateDataKey API calls against the key.

The IAM role used by the CloudTrail trail does not have permissions to make PutObject API calls against a folder created for the Organizations trail.

The S3 bucket policy does not allow CloudTrail to make PutObject API calls against a folder created for the Organizations trail.

The CMK key policy does not allow the IAM role used by the CloudTrail trail to use the key for crypto graphicaI operations.

Question 40

A company's security information events management (SIEM) tool receives new IAM CloudTrail logs from an Amazon S3 bucket that is configured to send all object created event notification to an Amazon SNS topic An Amazon SQS queue is subscribed to this SNS topic. The company's SEM tool then ports this SQS queue for new messages using an IAM role and fetches new log events from the S3 bucket based on the SQS messages.

After a recent security review that resulted m restricted permissions, the SEM tool has stopped receiving new CloudTral logs

Which of the following are possible causes of this issue? (Select THREE)

Options:

The SOS queue does not allow the SQS SendMessage action from the SNS topic

The SNS topic does not allow the SNS Publish action from Amazon S3

The SNS topic is not delivering raw messages to the SQS queue

The S3 bucket policy does not allow CloudTrail to perform the PutObject action

The IAM role used by the 5EM tool does not have permission to subscribe to the SNS topic

The IAM role used by the SEM tool does not allow the SQS DeleteMessage action.

Question 41

An company is using IAM Secrets Manager to store secrets that are encrypted using a CMK and are stored in the security account 111122223333. One of the company's production accounts. 444455556666, must to retrieve the secret values from the security account 111122223333. A security engineer needs to apply a policy to the secret in the security account based on least privilege access so the production account can retrieve the secret value only.

Which policy should the security engineer apply?

Options:

Option A

Option B

Option C

Option D

Question 42

A recent security audit identified that a company's application team injects database credentials into the environment variables of an IAM Fargate task. The company's security policy mandates that all sensitive data be encrypted at rest and in transit.

When combination of actions should the security team take to make the application compliant within the security policy? (Select THREE)

Options:

Store the credentials securely in a file in an Amazon S3 bucket with restricted access to the application team IAM role Ask the application team to read the credentials from the S3 object instead

Create an IAM Secrets Manager secret and specify the key/value pairs to be stored in this secret

Modify the application to pull credentials from the IAM Secrets Manager secret instead of the environment variables.

Add the following statement to the container instance IAM role policy

Add the following statement to the execution role policy.

Log in to the IAM Fargate instance, create a script to read the secret value from IAM Secret Manager, and inject the environment variables. Ask the application team to redeploy the application.

Question 43

A company's information security team want to do near-real-time anomaly detection on Amazon EC2 performance and usage statistics. Log aggregation is the responsibility of a security engineer. To do the study, the Engineer needs gather logs from all of the company's IAM accounts in a single place.

How should the Security Engineer go about doing this?

Options:

Log in to each account four times a day and filter the IAM CloudTrail log data, then copy and paste the logs in to the Amazon S3 bucket in the destination account.

Set up Amazon CloudWatch to stream data to an Amazon S3 bucket in each source account. Set up bucket replication for each source account into a centralized bucket owned by the Security Engineer.

Set up an IAM Config aggregator to collect IAM configuration data from multiple sources.

Set up Amazon CloudWatch cross-account log data sharing with subscriptions in each account. Send the logs to Amazon Kinesis Data Firehose in the Security Engineer's account.

Question 44

Users report intermittent availability of a web application hosted on IAM. Monitoring systems report an excess of abnormal network traffic followed by high CPU utilization on the application web tier. Which of the following techniques will improve the availability of the application? (Select TWO.)

Options:

Deploy IAM WAF to block all unsecured web applications from accessing the internet.

Deploy an Intrusion Detection/Prevention System (IDS/IPS) to monitor or block unusual incoming network traffic.

Configure security groups to allow outgoing network traffic only from hosts that are protected with up-to-date antivirus software.

Create Amazon CloudFront distribution and configure IAM WAF rules to protect the web applications from malicious traffic.

Use the default Amazon VPC for externakfacing systems to allow IAM to actively block malicious network traffic affecting Amazon EC2 instances.

Question 45

A distributed web application is installed across several EC2 instances in public subnets residing in two Availability Zones. Apache logs show several intermittent brute-force attacks from hundreds of IP addresses at the layer 7 level over the past six months.

What would be the BEST way to reduce the potential impact of these attacks in the future?

Options:

Use custom route tables to prevent malicious traffic from routing to the instances.

Update security groups to deny traffic from the originating source IP addresses.

Use network ACLs.

Install intrusion prevention software (IPS) on each instance.

Question 46

A company has complex connectivity rules governing ingress, egress, and communications between Amazon EC2 instances. The rules are so complex that they cannot be implemented within the limits of the maximum number of security groups and network access control lists (network ACLs).

What mechanism will allow the company to implement all required network rules without incurring additional cost?

Options:

Configure IAM WAF rules to implement the required rules.

Use the operating system built-in, host-based firewall to implement the required rules.

Use a NAT gateway to control ingress and egress according to the requirements.

Launch an EC2-based firewall product from the IAM Marketplace, and implement the required rules in that product.

Question 47

A company plans to migrate a sensitive dataset to Amazon S3. A Security Engineer must ensure that the data is encrypted at rest. The encryption solution must enable the company to generate its own keys without needing to manage key storage or the encryption process.

What should the Security Engineer use to accomplish this?

Options:

Server-side encryption with Amazon S3-managed keys (SSE-S3)

Server-side encryption with IAM KMS-managed keys (SSE-KMS)

Server-side encryption with customer-provided keys (SSE-C)

Client-side encryption with an IAM KMS-managed CMK

Question 48

A Security Engineer must implement mutually authenticated TLS connections between containers that communicate inside a VPC.

Which solution would be MOST secure and easy to maintain?

Options:

Use IAM Certificate Manager to generate certificates from a public certificate authority and deploy them to all the containers.

Create a self-signed certificate in one container and use IAM Secrets Manager to distribute the certificate to the other containers to establish trust.

Use IAM Certificate Manager Private Certificate Authority (ACM PCA) to create a subordinate certificate authority, then create the private keys in the containers and sign them using the ACM PCA API.

Use IAM Certificate Manager Private Certificate Authority (ACM PCA) to create a subordinate certificate authority, then use IAM Certificate Manager to generate the private certificates and deploy them to all the containers.

Question 49

A company is using CloudTrail to log all IAM API activity for all regions in all of its accounts. The CISO has asked that additional steps be taken to protect the integrity of the log files.

What combination of steps will protect the log files from intentional or unintentional alteration? Choose 2 answers from the options given below

Please select:

Options:

Create an S3 bucket in a dedicated log account and grant the other accounts write only access. Deliver all log files from every account to this S3 bucket.

Write a Lambda function that queries the Trusted Advisor Cloud Trail checks. Run the function every 10 minutes.

Enable CloudTrail log file integrity validation

Use Systems Manager Configuration Compliance to continually monitor the access policies of S3 buckets containing Cloud Trail logs.

Create a Security Group that blocks all traffic except calls from the CloudTrail service. Associate the security group with) all the Cloud Trail destination S3 buckets.

Question 50

Your company has a set of resources defined in the IAM Cloud. Their IT audit department has requested to get a list of resources that have been defined across the account. How can this be achieved in the easiest manner?

Please select:

Options:

Create a powershell script using the IAM CLI. Query for all resources with the tag of production.

Create a bash shell script with the IAM CLI. Query for all resources in all regions. Store the results in an S3 bucket.

Use Cloud Trail to get the list of all resources

Use IAM Config to get the list of all resources

Question 51

IAM CloudTrail is being used to monitor API calls in an organization. An audit revealed that CloudTrail is failing to deliver events to Amazon S3 as expected.

What initial actions should be taken to allow delivery of CloudTrail events to S3? (Select two.)

Options:

Verify that the S3 bucket policy allow CloudTrail to write objects.

Verify that the IAM role used by CloudTrail has access to write to Amazon CloudWatch Logs.

Remove any lifecycle policies on the S3 bucket that are archiving objects to Amazon Glacier.

Verify that the S3 bucket defined in CloudTrail exists.

Verify that the log file prefix defined in CloudTrail exists in the S3 bucket.

Question 52

The Security Engineer implemented a new vault lock policy for 10TB of data and called initiate-vault-lock 12 hours ago. The Audit team identified a typo that is allowing incorrect access to the vault.

What is the MOST cost-effective way to correct this?

Options:

Call the abort-vault-lock operation, fix the typo, and call the initiate-vault-lock again.

Copy the vault data to Amazon S3, delete the vault, and create a new vault with the data.

Update the policy, keeping the vault lock in place.

Update the policy and call initiate-vault-lock again to apply the new policy.

Question 53

Which of the following is not a best practice for carrying out a security audit?

Please select:

Options:

Conduct an audit on a yearly basis

Conduct an audit if application instances have been added to your account

Conduct an audit if you ever suspect that an unauthorized person might have accessed your account

Whenever there are changes in your organization

Question 54

Compliance requirements state that all communications between company on-premises hosts and EC2 instances be encrypted in transit. Hosts use custom proprietary protocols for their communication, and EC2 instances need to be fronted by a load balancer for increased availability.

Which of the following solutions will meet these requirements?

Options:

Offload SSL termination onto an SSL listener on a Classic Load Balancer, and use a TCP connection between the load balancer and the EC2 instances.

Route all traffic through a TCP listener on a Classic Load Balancer, and terminate the TLS connection on the EC2 instances.

Create an HTTPS listener using an Application Load Balancer, and route all of the communication through that load balancer.

Offload SSL termination onto an SSL listener using an Application Load Balancer, and re-spawn and SSL connection between the load balancer and the EC2 instances.

Question 55

A company hosts a critical web application on the IAM Cloud. This is a key revenue generating application for the company. The IT Security team is worried about potential DDos attacks against the web site. The senior management has also specified that immediate action needs to be taken in case of a potential DDos attack. What should be done in this regard?

Please select:

Options:

Consider using the IAM Shield Service

Consider using VPC Flow logs to monitor traffic for DDos attack and quickly take actions on a trigger of a potential attack.

Consider using the IAM Shield Advanced Service

Consider using Cloudwatch logs to monitor traffic for DDos attack and quickly take actions on a trigger of a potential attack.

Question 56

You have a vendor that needs access to an IAM resource. You create an IAM user account. You want to restrict access to the resource using a policy for just that user over a brief period. Which of the following would be an ideal policy to use?

Please select:

Options:

An IAM Managed Policy

An Inline Policy

A Bucket Policy

A bucket ACL

Question 57

A Security Engineer has been asked to create an automated process to disable IAM user access keys that are more than three months old.

Which of the following options should the Security Engineer use?

Options:

In the IAM Console, choose the IAM service and select “Users”. Review the “Access Key Age” column.

Define an IAM policy that denies access if the key age is more than three months and apply to all users.

Write a script that uses the GenerateCredentialReport, GetCredentialReport, and UpdateAccessKey APIs.

Create an Amazon CloudWatch alarm to detect aged access keys and use an IAM Lambda function to disable the keys older than 90 days.

Question 58

A Lambda function reads metadata from an S3 object and stores the metadata in a DynamoDB table. The function is

triggered whenever an object is stored within the S3 bucket.

How should the Lambda function be given access to the DynamoDB table?

Please select:

Options:

Create a VPC endpoint for DynamoDB within a VPC. Configure the Lambda function to access resources in the VPC.

Create a resource policy that grants the Lambda function permissions to write to the DynamoDB table. Attach the poll to the DynamoDB table.

Create an IAM user with permissions to write to the DynamoDB table. Store an access key for that user in the Lambda environment variables.

Create an IAM service role with permissions to write to the DynamoDB table. Associate that role with the Lambda function.

Question 59

A Security Engineer received an IAM Abuse Notice listing EC2 instance IDs that are reportedly abusing other hosts.

Which action should the Engineer take based on this situation? (Choose three.)

Options:

Use IAM Artifact to capture an exact image of the state of each instance.

Create EBS Snapshots of each of the volumes attached to the compromised instances.

Capture a memory dump.

Revoke all network ingress and egress except for to/from a forensics workstation.

Run Auto Recovery for Amazon EC2.

Question 60

A company’s database developer has just migrated an Amazon RDS database credential to be stored and managed by IAM Secrets Manager. The developer has also enabled rotation of the credential within the Secrets Manager console and set the rotation to change every 30 days.

After a short period of time, a number of existing applications have failed with authentication errors.

What is the MOST likely cause of the authentication errors?

Options:

Migrating the credential to RDS requires that all access come through requests to the Secrets Manager.

Enabling rotation in Secrets Manager causes the secret to rotate immediately, and the applications are using the earlier credential.

The Secrets Manager IAM policy does not allow access to the RDS database.

The Secrets Manager IAM policy does not allow access for the applications.

Question 61

Your company has defined a number of EC2 Instances over a period of 6 months. They want to know if any of the security groups allow unrestricted access to a resource. What is the best option to accomplish this requirement?

Please select:

Options:

Use IAM Inspector to inspect all the security Groups

Use the IAM Trusted Advisor to see which security groups have compromised access.

Use IAM Config to see which security groups have compromised access.

Use the IAM CLI to query the security groups and then filter for the rules which have unrestricted accessd

Question 62

The Security Engineer has discovered that a new application that deals with highly sensitive data is storing Amazon S3 objects with the following key pattern, which itself contains highly sensitive data.

Pattern:

"randomID_datestamp_PII.csv"

Example:

"1234567_12302017_000-00-0000 csv"

The bucket where these objects are being stored is using server-side encryption (SSE).

Which solution is the most secure and cost-effective option to protect the sensitive data?

Options:

Remove the sensitive data from the object name, and store the sensitive data using S3 user-defined metadata.

Add an S3 bucket policy that denies the action s3:GetObject

Use a random and unique S3 object key, and create an S3 metadata index in Amazon DynamoDB using client-side encrypted attributes.

Store all sensitive objects in Binary Large Objects (BLOBS) in an encrypted Amazon RDS instance.

Question 63

Example.com hosts its internal document repository on Amazon EC2 instances. The application runs on EC2 instances and previously stored the documents on encrypted Amazon EBS volumes. To optimize the application for scale, example.com has moved the files to Amazon S3. The security team has mandated that all the files are securely deleted from the EBS volume, and it must certify that the data is unreadable before releasing the underlying disks.

Which of the following methods will ensure that the data is unreadable by anyone else?

Options:

Change the volume encryption on the EBS volume to use a different encryption mechanism. Then, release the EBS volumes back to IAM.

Release the volumes back to IAM. IAM immediately wipes the disk after it is deprovisioned.

Delete the encryption key used to encrypt the EBS volume. Then, release the EBS volumes back to IAM.

Delete the data by using the operating system delete commands. Run Quick Format on the drive and then release the EBS volumes back to IAM.

Question 64

A Security Engineer is working with a Product team building a web application on IAM. The application uses Amazon S3 to host the static content, Amazon API Gateway to provide RESTful services; and Amazon DynamoDB as the backend data store. The users already exist in a directory that is exposed through a SAML identity provider.

Which combination of the following actions should the Engineer take to enable users to be authenticated into the web application and call APIs? (Choose three.)

Options:

Create a custom authorization service using IAM Lambda.

Configure a SAML identity provider in Amazon Cognito to map attributes to the Amazon Cognito user pool attributes.

Configure the SAML identity provider to add the Amazon Cognito user pool as a relying party.

Configure an Amazon Cognito identity pool to integrate with social login providers.

Update DynamoDB to store the user email addresses and passwords.

Update API Gateway to use a COGNITO_USER_POOLS authorizer.

Question 65

A Security Engineer is defining the logging solution for a newly developed product. Systems Administrators and Developers need to have appropriate access to event log files in IAM CloudTrail to support and troubleshoot the product.

Which combination of controls should be used to protect against tampering with and unauthorized access to log files? (Choose two.)

Options:

Ensure that the log file integrity validation mechanism is enabled.

Ensure that all log files are written to at least two separate Amazon S3 buckets in the same account.

Ensure that Systems Administrators and Developers can edit log files, but prevent any other access.

Ensure that Systems Administrators and Developers with job-related need-to-know requirements only are capable of viewing—but not modifying—the log files.

Ensure that all log files are stored on Amazon EC2 instances that allow SSH access from the internal corporate network only.

Question 66

An application outputs logs to a text file. The logs must be continuously monitored for security incidents.

Which design will meet the requirements with MINIMUM effort?

Options:

Create a scheduled process to copy the component’s logs into Amazon S3. Use S3 events to trigger a Lambda function that updates Amazon CloudWatch metrics with the log data. Set up CloudWatch alerts based on the metrics.

Install and configure the Amazon CloudWatch Logs agent on the application’s EC2 instance. Create a CloudWatch metric filter to monitor the application logs. Set up CloudWatch alerts based on the metrics.

Create a scheduled process to copy the application log files to IAM CloudTrail. Use S3 events to trigger Lambda functions that update CloudWatch metrics with the log data. Set up CloudWatch alerts based on the metrics.

Create a file watcher that copies data to Amazon Kinesis when the application writes to the log file. Have Kinesis trigger a Lambda function to update Amazon CloudWatch metrics with the log data. Set up CloudWatch alerts based on the metrics.

Question 67

A company has contracted with a third party to audit several IAM accounts. To enable the audit, cross-account IAM roles have been created in each account targeted for audit. The Auditor is having trouble accessing some of the accounts.

Which of the following may be causing this problem? (Choose three.)

Options:

The external ID used by the Auditor is missing or incorrect.

The Auditor is using the incorrect password.

The Auditor has not been granted sts:AssumeRole for the role in the destination account.

The Amazon EC2 role used by the Auditor must be set to the destination account role.

The secret key used by the Auditor is missing or incorrect.

The role ARN used by the Auditor is missing or incorrect.

Question 68

A company requires that IP packet data be inspected for invalid or malicious content.

Which of the following approaches achieve this requirement? (Choose two.)

Options:

Configure a proxy solution on Amazon EC2 and route all outbound VPC traffic through it. Perform inspection within proxy software on the EC2 instance.

Configure the host-based agent on each EC2 instance within the VPC. Perform inspection within the host-based agent.

Enable VPC Flow Logs for all subnets in the VPC. Perform inspection from the Flow Log data within Amazon CloudWatch Logs.

Configure Elastic Load Balancing (ELB) access logs. Perform inspection from the log data within the ELB access log files.

Configure the CloudWatch Logs agent on each EC2 instance within the VPC. Perform inspection from the log data within CloudWatch Logs.

Question 69

A Security Engineer is building a Java application that is running on Amazon EC2. The application communicates with an Amazon RDS instance and authenticates with a user name and password.

Which combination of steps can the Engineer take to protect the credentials and minimize downtime when the credentials are rotated? (Choose two.)

Options:

Have a Database Administrator encrypt the credentials and store the ciphertext in Amazon S3. Grant permission to the instance role associated with the EC2 instance to read the object and decrypt the ciphertext.

Configure a scheduled job that updates the credential in IAM Systems Manager Parameter Store and notifies the Engineer that the application needs to be restarted.

Configure automatic rotation of credentials in IAM Secrets Manager.

Store the credential in an encrypted string parameter in IAM Systems Manager Parameter Store. Grant permission to the instance role associated with the EC2 instance to access the parameter and the IAM KMS key that is used to encrypt it.

Configure the Java application to catch a connection failure and make a call to IAM Secrets Manager to retrieve updated credentials when the password is rotated. Grant permission to the instance role associated with the EC2 instance to access Secrets Manager.

Question 70

A Security Engineer must design a system that can detect whether a file on an Amazon EC2 host has been modified. The system must then alert the Security Engineer of the modification.

What is the MOST efficient way to meet these requirements?

Options:

Install antivirus software and ensure that signatures are up-to-date. Configure Amazon CloudWatch alarms to send alerts for security events.

Install host-based IDS software to check for file integrity. Export the logs to Amazon CloudWatch Logs for monitoring and alerting.

Export system log files to Amazon S3. Parse the log files using an IAM Lambda function that will send alerts of any unauthorized system login attempts through Amazon SNS.

Use Amazon CloudWatch Logs to detect file system changes. If a change is detected, automatically terminate and recreate the instance from the most recent AMI. Use Amazon SNS to send notification of the event.

Question 71

An organization wants to deploy a three-tier web application whereby the application servers run on Amazon EC2 instances. These EC2 instances need access to credentials that they will use to authenticate their SQL connections to an Amazon RDS DB instance. Also, IAM Lambda functions must issue queries to the RDS database by using the same database credentials.

The credentials must be stored so that the EC2 instances and the Lambda functions can access them. No other access is allowed. The access logs must record when the credentials were accessed and by whom.

What should the Security Engineer do to meet these requirements?

Options:

Store the database credentials in IAM Key Management Service (IAM KMS). Create an IAM role with access to IAM KMS by using the EC2 and Lambda service principals in the role’s trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances. Set up Lambda to use the new role for execution.

Store the database credentials in IAM KMS. Create an IAM role with access to KMS by using the EC2 and Lambda service principals in the role’s trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances and the Lambda function.

Store the database credentials in IAM Secrets Manager. Create an IAM role with access to Secrets Manager by using the EC2 and Lambda service principals in the role’s trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances and the Lambda function.

Question 72

A company has multiple VPCs in their account that are peered, as shown in the diagram. A Security Engineer wants to perform penetration tests of the Amazon EC2 instances in all three VPCs.

How can this be accomplished? (Choose two.)

Options:

Deploy a pre-authorized scanning engine from the IAM Marketplace into VPC B, and use it to scan instances in all three VPCs. Do not complete the penetration test request form.

Deploy a pre-authorized scanning engine from the Marketplace into each VPC, and scan instances in each VPC from the scanning engine in that VPC. Do not complete the penetration test request form.

Create a VPN connection from the data center to VPC A. Use an on-premises scanning engine to scan the instances in all three VPCs. Complete the penetration test request form for all three VPCs.

Create a VPN connection from the data center to each of the three VPCs. Use an on-premises scanning engine to scan the instances in each VPC. Do not complete the penetration test request form.

Create a VPN connection from the data center to each of the three VPCs. Use an on-premises scanning engine to scan the instances in each VPC. Complete the penetration test request form for all three VPCs.

Question 73

The Security Engineer created a new IAM Key Management Service (IAM KMS) key with the following key policy:

What are the effects of the key policy? (Choose two.)

Options:

The policy allows access for the IAM account 111122223333 to manage key access though IAM policies.

The policy allows all IAM users in account 111122223333 to have full access to the KMS key.

The policy allows the root user in account 111122223333 to have full access to the KMS key.

The policy allows the KMS service-linked role in account 111122223333 to have full access to the KMS key.

The policy allows all IAM roles in account 111122223333 to have full access to the KMS key.

Question 74

A Systems Engineer has been tasked with configuring outbound mail through Simple Email Service (SES) and requires compliance with current TLS standards.

The mail application should be configured to connect to which of the following endpoints and corresponding ports?

Options:

email.us-east-1.amazonIAM.com over port 8080

email-pop3.us-east-1.amazonIAM.com over port 995

email-smtp.us-east-1.amazonIAM.com over port 587

email-imap.us-east-1.amazonIAM.com over port 993

Question 75

A company stores data on an Amazon EBS volume attached to an Amazon EC2 instance. The data is asynchronously replicated to an Amazon S3 bucket. Both the EBS volume and the S3 bucket are encrypted with the same IAM KMS Customer Master Key (CMK). A former employee scheduled a deletion of that CMK before leaving the company.

The company’s Developer Operations department learns about this only after the CMK has been deleted.

Which steps must be taken to address this situation?

Options:

Copy the data directly from the EBS encrypted volume before the volume is detached from the EC2 instance.

Recover the data from the EBS encrypted volume using an earlier version of the KMS backing key.

Make a request to IAM Support to recover the S3 encrypted data.

Make a request to IAM Support to restore the deleted CMK, and use it to recover the data.

Question 76

A company runs an application on IAM that needs to be accessed only by employees. Most employees work from the office, but others work remotely or travel.

How can the Security Engineer protect this workload so that only employees can access it?

Options:

Add each employee’s home IP address to the security group for the application so that only those users can access the workload.

Create a virtual gateway for VPN connectivity for each employee, and restrict access to the workload from within the VPC.

Use a VPN appliance from the IAM Marketplace for users to connect to, and restrict workload access to traffic from that appliance.

Route all traffic to the workload through IAM WAF. Add each employee’s home IP address into an IAM WAF rule, and block all other traffic.

Question 77

You have just recently set up a web and database tier in a VPC and hosted the application. When testing the app , you are not able to reach the home page for the app. You have verified the security groups. What can help you diagnose the issue.

Please select:

Options:

Use the IAM Trusted Advisor to see what can be done.

Use VPC Flow logs to diagnose the traffic

Use IAM WAF to analyze the traffic

Use IAM Guard Duty to analyze the traffic

Question 78

Your company is planning on hosting an internal network in IAM. They want machines in the VPC to authenticate using private certificates. They want to minimize the work and maintenance in working with certificates. What is the ideal way to fulfil this requirement.

Please select:

Options:

Consider using Windows Server 2016 Certificate Manager

Consider using IAM Certificate Manager

Consider using IAM Access keys to generate the certificates

Consider using IAM Trusted Advisor for managing the certificates

Question 79

A Systems Administrator has written the following Amazon S3 bucket policy designed to allow access to an S3 bucket for only an authorized IAM IAM user from the IP address range 10.10.10.0/24:

When trying to download an object from the S3 bucket from 10.10.10.40, the IAM user receives an access denied message.

What does the Administrator need to change to grant access to the user?

Options:

Change the “Resource” from “arn: IAM:s3:::Bucket” to “arn:IAM:s3:::Bucket/*”.

Change the “Principal” from “*” to {IAM:”arn:IAM:iam: : account-number: user/username”}

Change the “Version” from “2012-10-17” to the last revised date of the policy

Change the “Action” from [“s3:*”] to [“s3:GetObject”, “s3:ListBucket”]

Question 80

Your company has a requirement to monitor all root user activity by notification. How can this best be achieved? Choose 2 answers from the options given below. Each answer forms part of the solution

Please select:

Options:

Create a Cloudwatch Events Rule s

Create a Cloudwatch Logs Rule

Use a Lambda function

Use Cloudtrail API call

Question 81

A company’s security policy requires that VPC Flow Logs are enabled on all VPCs. A Security Engineer is looking to automate the process of auditing the VPC resources for compliance.

What combination of actions should the Engineer take? (Choose two.)

Options:

Create an IAM Lambda function that determines whether Flow Logs are enabled for a given VPC.

Create an IAM Config configuration item for each VPC in the company IAM account.

Create an IAM Config managed rule with a resource type of IAM:: Lambda:: Function.

Create an Amazon CloudWatch Event rule that triggers on events emitted by IAM Config.

Create an IAM Config custom rule, and associate it with an IAM Lambda function that contains the evaluating logic.

Question 82

A company uses user data scripts that contain sensitive information to bootstrap Amazon EC2 instances. A Security Engineer discovers that this sensitive information is viewable by people who should not have access to it.

What is the MOST secure way to protect the sensitive information used to bootstrap the instances?

Options:

Store the scripts in the AMI and encrypt the sensitive data using IAM KMS Use the instance role profile to control access to the KMS keys needed to decrypt the data.

Store the sensitive data in IAM Systems Manager Parameter Store using the encrypted string parameter and assign the GetParameters permission to the EC2 instance role.

Externalize the bootstrap scripts in Amazon S3 and encrypt them using IAM KMS. Remove the scripts from the instance and clear the logs after the instance is configured.

Block user access of the EC2 instance's metadata service using IAM policies. Remove all scripts and clear the logs after execution.

Question 83

A company uses IAM Organization to manage 50 IAM accounts. The finance staff members log in as IAM IAM users in the FinanceDept IAM account. The staff members need to read the consolidated billing information in the MasterPayer IAM account. They should not be able to view any other resources in the MasterPayer IAM account. IAM access to billing has been enabled in the MasterPayer account.

Which of the following approaches grants the finance staff the permissions they require without granting any unnecessary permissions?

Options:

Create an IAM group for the finance users in the FinanceDept account, then attach the IAM managed ReadOnlyAccess IAM policy to the group.

Create an IAM group for the finance users in the MasterPayer account, then attach the IAM managed ReadOnlyAccess IAM policy to the group.

Create an IAM IAM role in the FinanceDept account with the ViewBilling permission, then grant the finance users in the MasterPayer account the permission to assume that role.

Create an IAM IAM role in the MasterPayer account with the ViewBilling permission, then grant the finance users in the FinanceDept account the permission to assume that role.

Question 84

A company has five IAM accounts and wants to use IAM CloudTrail to log API calls. The log files must be stored in an Amazon S3 bucket that resides in a new account specifically built for centralized services with a unique top-level prefix for each trail. The configuration must also enable detection of any modification to the logs.

Which of the following steps will implement these requirements? (Choose three.)

Options:

Create a new S3 bucket in a separate IAM account for centralized storage of CloudTrail logs, and enable “Log File Validation” on all trails.

Use an existing S3 bucket in one of the accounts, apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the "s3: PutObject" action and the "s3 GetBucketACL" action, and specify the appropriate resource ARNs for the CloudTrail trails.

Apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the "s3 PutObject" action and the "s3 GelBucketACL" action, and specify the appropriate resource ARNs for the CloudTrail trails.

Use unique log file prefixes for trails in each IAM account.

Configure CloudTrail in the centralized account to log all accounts to the new centralized S3 bucket.

Enable encryption of the log files by using IAM Key Management Service

Question 85

You have a 2 tier application hosted in IAM. It consists of a web server and database server (SQL Server) hosted on separate EC2 Instances. You are devising the security groups for these EC2 Instances. The Web tier needs to be accessed by users across the Internet. You have created a web security group(wg-123) and database security group(db-345). Which combination of the following security group rules will allow the application to be secure and functional. Choose 2 answers from the options given below.

Please select:

Options:

wg-123 -Allow ports 80 and 443 from 0.0.0.0/0

db-345 - Allow port 1433 from wg-123

wg-123 - Allow port 1433 from wg-123

db-345 -Allow ports 1433 from 0.0.0.0/0

Question 86

An organization operates a web application that serves users globally. The application runs on Amazon EC2 instances behind an Application Load Balancer. There is an Amazon CloudFront distribution in front of the load balancer, and the organization uses IAM WAF. The application is currently experiencing a volumetric attack whereby the attacker is exploiting a bug in a popular mobile game.

The application is being flooded with HTTP requests from all over the world with the User-Agent set to the following string: Mozilla/5.0 (compatible; ExampleCorp; ExampleGame/1.22; Mobile/1.0)

What mitigation can be applied to block attacks resulting from this bug while continuing to service legitimate requests?

Options:

Create a rule in IAM WAF rules with conditions that block requests based on the presence of ExampleGame/1.22 in the User-Agent header

Create a geographic restriction on the CloudFront distribution to prevent access to the application from most geographic regions

Create a rate-based rule in IAM WAF to limit the total number of requests that the web application services.

Create an IP-based blacklist in IAM WAF to block the IP addresses that are originating from requests that contain ExampleGame/1.22 in the User-Agent header.

Question 87

A Security Engineer who was reviewing IAM Key Management Service (IAM KMS) key policies found this statement in each key policy in the company IAM account.

What does the statement allow?

Options:

All principals from all IAM accounts to use the key.

Only the root user from account 111122223333 to use the key.

All principals from account 111122223333 to use the key but only on Amazon S3.

Only principals from account 111122223333 that have an IAM policy applied that grants access to this key to use the key.

Question 88

An organization receives an alert that indicates that an EC2 instance behind an ELB Classic Load Balancer has been compromised.

What techniques will limit lateral movement and allow evidence gathering?

Options:

Remove the instance from the load balancer and terminate it.

Remove the instance from the load balancer, and shut down access to the instance by tightening the security group.

Reboot the instance and check for any Amazon CloudWatch alarms.

Stop the instance and make a snapshot of the root EBS volume.

Question 89

Your company has just set up a new central server in a VPC. There is a requirement for other teams who have their servers located in different VPC's in the same region to connect to the central server. Which of the below options is best suited to achieve this requirement.

Please select:

Options:

Set up VPC peering between the central server VPC and each of the teams VPCs.

Set up IAM DirectConnect between the central server VPC and each of the teams VPCs.

Set up an IPSec Tunnel between the central server VPC and each of the teams VPCs.

None of the above options will work.

Question 90

A company wants to remove all SSH keys permanently from a specific subset of its Amazon Linux 2 Amazon EC2 instances that are using the same 1AM instance profile However three individuals who have IAM user accounts will need to access these instances by using an SSH session to perform critical duties

How can a security engineer provide the access to meet these requirements'?

Options:

Assign an 1AM policy to the instance profile to allow the EC2 instances to be managed by AWS Systems Manager Provide the 1AM user accounts with permission to use Systems Manager Remove the SSH keys from the EC2 instances Use Systems Manager Inventory to select the EC2 instance and connect

Assign an 1AM policy to the 1AM user accounts to provide permission to use AWS Systems Manager Run Command Remove the SSH keys from the EC2 instances Use Run Command to open an SSH connection to the EC2 instance

Assign an 1AM policy to the 1AM user accounts to provide permission to use the EC2 service in the AWS Management Console Remove the SSH keys from the EC2 instances Connect to the EC2 instance as the ec2-user through the AWS Management Console's EC2 SSH client method

Question 91

A company has a relational database workload that runs on Amazon Aurora MySQL. According to new compliance standards the company must rotate all database credentials every 30 days. The company needs a solution that maximizes security and minimizes development effort.

Which solution will meet these requirements?

Options:

Store the database credentials in AWS Secrets Manager. Configure automatic credential rotation tor every 30 days.

Store the database credentials in AWS Systems Manager Parameter Store. Create an AWS Lambda function to rotate the credentials every 30 days.

Store the database credentials in an environment file or in a configuration file. Modify the credentials every 30 days.

Store the database credentials in an environment file or in a configuration file. Create an AWS Lambda function to rotate the credentials every 30 days.

Question 92

A company's application team needs to host a MySQL database on IAM. According to the company's security policy, all data that is stored on IAM must be encrypted at rest. In addition, all cryptographic material must be compliant with FIPS 140-2 Level 3 validation.

The application team needs a solution that satisfies the company's security requirements and minimizes operational overhead.

Which solution will meet these requirements?

Options:

Host the database on Amazon RDS. Use Amazon Elastic Block Store (Amazon EBS) for encryption. Use an IAM Key Management Service (IAM KMS) custom key store that is backed by IAM CloudHSM for key management.

Host the database on Amazon RDS. Use Amazon Elastic Block Store (Amazon EBS) for encryption. Use an IAM managed CMK in IAM Key Management Service (IAM KMS) for key management.

Host the database on an Amazon EC2 instance. Use Amazon Elastic Block Store (Amazon EBS) for encryption. Use a customer managed CMK in IAM Key Management Service (IAM KMS) for key management.

Host the database on an Amazon EC2 instance. Use Transparent Data Encryption (TDE) for encryption and key management.

Question 93

A company maintains an open-source application that is hosted on a public GitHub repository. While creating a new commit to the repository, an engineer uploaded their IAM access key and secret access key. The engineer reported the mistake to a manager, and the manager immediately disabled the access key.

The company needs to assess the impact of the exposed access key. A security engineer must recommend a solution that requires the least possible managerial overhead.

Which solution meets these requirements?

Options:

Analyze an IAM Identity and Access Management (IAM) use report from IAM Trusted Advisor to see when the access key was last used.

Analyze Amazon CloudWatch Logs for activity by searching for the access key.

Analyze VPC flow logs for activity by searching for the access key

Analyze a credential report in IAM Identity and Access Management (IAM) to see when the access key was last used.

Question 94

A company hosts multiple externally facing applications, each isolated in its own IAM account The company'B Security team has enabled IAM WAF. IAM Config. and Amazon GuardDuty on all accounts. The company's Operations team has also joined all of the accounts to IAM Organizations and established centralized logging for CloudTrail. IAM Config, and GuardDuty. The company wants the Security team to take a reactive remediation in one account, and automate implementing this remediation as proactive prevention in all the other accounts.

How should the Security team accomplish this?

Options:

Update the IAM WAF rules in the affected account and use IAM Firewall Manager to push updated IAM WAF rules across all other accounts.

Use GuardDuty centralized logging and Amazon SNS to set up alerts to notify all application teams of security incidents.

Use GuardDuty alerts to write an IAM Lambda function that updates all accounts by adding additional NACLs on the Amazon EC2 instances to block known malicious IP addresses.

Use IAM Shield Advanced to identify threats in each individual account and then apply the account-based protections to all other accounts through Organizations.

Question 95

A company has an organization in AWS Organizations that includes dedicated accounts for each of its business units. The company is collecting all AWS CloudTrail logs from the accounts in a single Amazon S3 bucket in the top-level account. The company's IT governance team has access to the top-level account. A security engineer needs to allow each business unit to access its own CloudTrail logs.

The security engineer creates an IAM role in the top-level account for each of the other accounts. For each role the security engineer creates an IAM policy to allow read-only permissions to objects in the S3 bucket with the prefix of the respective logs.

Which action must the security engineer take in each business unit account to allow an IAM user in that account to read the logs?

Options:

Attach a policy to the IAM user to allow the user to assume the role that was created in the top-level account. Specify the role's ARN in the policy.

Create an SCP that grants permissions to the top-level account.

Use the root account of the business unit account to assume the role that was created in the top-level account. Specify the role's ARN in the policy.

Forward the credentials of the IAM role in the top-level account to the IAM user in the business unit account.

Question 96

Which of the following are valid configurations for using SSL certificates with Amazon CloudFront? (Select THREE )

Options:

Default AWS Certificate Manager certificate

Custom SSL certificate stored in AWS KMS

Default CloudFront certificate

Custom SSL certificate stored in AWS Certificate Manager

Default SSL certificate stored in AWS Secrets Manager

Custom SSL certificate stored in AWS IAM

Question 97

A company wants to protect its website from man in-the-middle attacks by using Amazon CloudFront. Which solution will meet these requirements with the LEAST operational overhead?

Options:

Use the SimpleCORS managed response headers policy.

Use a Lambda@Edge function to add the Strict-Transport-Security response header.

Use the SecurityHeadersPolicy managed response headers policy.

Include the X-XSS-Protection header in a custom response headers policy.

Question 98

A security engineer must troubleshoot an administrator's inability to make an existing Amazon S3 bucket public in an account that is part of an organization n IAM Organizations. The administrator switched the role from the master account to a member account and then attempted to make one S3 bucket public. This action was immediately denied

Which actions should the security engineer take to troubleshoot the permissions issue? (Select TWO.)

Options:

Review the cross-account role permissions and the S3 bucket policy Verify that the Amazon S3 block public access option in the member account is deactivated.

Review the role permissions m the master account and ensure it has sufficient privileges to perform S3 operations

Filter IAM CloudTrail logs for the master account to find the original deny event and update the cross-account role m the member account accordingly Verify that the Amazon S3 block public access option in the master account is deactivated.

Evaluate the SCPs covering the member account and the permissions boundary of the role in the member account for missing permissions and explicit denies.

Ensure the S3 bucket policy explicitly allows the s3 PutBucketPublicAccess action for the role m the member account

Question 99

A company's Chief Security Officer has requested that a Security Analyst review and improve the security posture of each company IAM account The Security Analyst decides to do this by Improving IAM account root user security.

Which actions should the Security Analyst take to meet these requirements? (Select THREE.)

Options:

Delete the access keys for the account root user in every account.

Create an admin IAM user with administrative privileges and delete the account root user in every account.

Implement a strong password to help protect account-level access to the IAM Management Console by the account root user.

Enable multi-factor authentication (MFA) on every account root user in all accounts.

Create a custom IAM policy to limit permissions to required actions for the account root user and attach the policy to the account root user.

Attach an IAM role to the account root user to make use of the automated credential rotation in IAM STS.

Question 100

A company is building a data processing application mat uses AWS Lambda functions. The application's Lambda functions need to communicate with an Amazon RDS OB instance that is deployed within a VPC in the same AWS account

Which solution meets these requirements in the MOST secure way?

Options:

Configure the DB instance to allow public access Update the DB instance security group to allow access from the Lambda public address space for the AWS Region

Deploy the Lambda functions inside the VPC Attach a network ACL to the Lambda subnet Provide outbound rule access to the VPC CIDR range only Update the DB instance security group to allow traffic from 0.0.0.0/0

Deploy the Lambda functions inside the VPC Attach a security group to the Lambda functions Provide outbound rule access to the VPC CIDR range only Update the DB instance security group to allow traffic from the Lambda security group

Peer the Lambda default VPC with the VPC that hosts the DB instance to allow direct network access without the need for security groups

Question 101

There is a requirement for a company to transfer large amounts of data between IAM and an on-premise location. There is an additional requirement for low latency and high consistency traffic to IAM. Given these requirements how would you design a hybrid architecture? Choose the correct answer from the options below

Please select:

Options:

Provision a Direct Connect connection to an IAM region using a Direct Connect partner.

Create a VPN tunnel for private connectivity, which increases network consistency and reduces latency.

Create an iPSec tunnel for private connectivity, which increases network consistency and reduces latency.

Create a VPC peering connection between IAM and the Customer gateway.

Question 102

Your company is planning on using bastion hosts for administering the servers in IAM. Which of the following is the best description of a bastion host from a security perspective?

Please select:

Options:

A Bastion host should be on a private subnet and never a public subnet due to security concerns

A Bastion host sits on the outside of an internal network and is used as a gateway into the private network and is considered the critical strong point of the network

Bastion hosts allow users to log in using RDP or SSH and use that session to S5H into internal network to access private subnet resources.

A Bastion host should maintain extremely tight security and monitoring as it is available to the public

Question 103

Your CTO thinks your IAM account was hacked. What is the only way to know for certain if there was unauthorized access and what they did, assuming your hackers are very sophisticated IAM engineers and doing everything they can to cover their tracks?

Please select:

Options:

Use CloudTrail Log File Integrity Validation.

Use IAM Config SNS Subscriptions and process events in real time.

Use CloudTrail backed up to IAM S3 and Glacier.

Use IAM Config Timeline forensics.

Question 104

A company has multiple departments. Each department has its own IAM account. All these accounts belong to the same organization in IAM Organizations.

A large .csv file is stored in an Amazon S3 bucket in the sales department's IAM account. The company wants to allow users from the other accounts to access the .csv file's content through the combination of IAM Glue and Amazon Athena. However, the company does not want to allow users from the other accounts to access other files in the same folder.

Which solution will meet these requirements?

Options:

Apply a user policy in the other accounts to allow IAM Glue and Athena lo access the .csv We.

Use S3 Select to restrict access to the .csv lie. In IAM Glue Data Catalog, use S3 Select as the source of the IAM Glue database.

Define an IAM Glue Data Catalog resource policy in IAM Glue to grant cross-account S3 object access to the .csv file.

Grant IAM Glue access to Amazon S3 in a resource-based policy that specifies the organization as the principal.

Question 105

A business stores website images in an Amazon S3 bucket. The firm serves the photos to end users through Amazon CloudFront. The firm learned lately that the photographs are being accessible from nations in which it does not have a distribution license.

Which steps should the business take to safeguard the photographs and restrict their distribution? (Select two.)

Options:

Update the S3 bucket policy to restrict access to a CloudFront origin access identity (OAI).

Update the website DNS record to use an Amazon Route 53 geolocation record deny list of countries where the company lacks a license.

Add a CloudFront geo restriction deny list of countries where the company lacks a license.

Update the S3 bucket policy with a deny list of countries where the company lacks a license.

Enable the Restrict Viewer Access option in CloudFront to create a deny list of countries where the company lacks a license.

Question 106

A developer 15 building a serverless application hosted on IAM that uses Amazon Redshift in a data store. The application has separate modules for read/write and read-only functionality. The modules need their own database users tor compliance reasons.

Which combination of steps should a security engineer implement to grant appropriate access' (Select TWO )

Options:

Configure cluster security groups for each application module to control access to database users that are required for read-only and read/write.

Configure a VPC endpoint for Amazon Redshift Configure an endpoint policy that maps database users to each application module, and allow access to the tables that are required for read-only and read/write

Configure an IAM poky for each module Specify the ARN of an Amazon Redshift database user that allows the GetClusterCredentials API call

Create focal database users for each module

Configure an IAM policy for each module Specify the ARN of an IAM user that allows the GetClusterCredentials API call

Question 107

A company hosts an end user application on AWS Currently the company deploys the application on Amazon EC2 instances behind an Elastic Load Balancer The company wants to configure end-to-end encryption between the Elastic Load Balancer and the EC2 instances.

Which solution will meet this requirement with the LEAST operational effort?

Options:

Use Amazon issued AWS Certificate Manager (ACM) certificates on the EC2 instances and the Elastic Load Balancer to configure end-to-end encryption

Import a third-party SSL certificate to AWS Certificate Manager (ACM) Install the third-party certificate on the EC2 instances Associate the ACM imported third-party certificate with the Elastic Load Balancer

Deploy AWS CloudHSM Import a third-party certificate Configure the EC2 instances and the Elastic Load Balancer to use the CloudHSM imported certificate

Import a third-party certificate bundle to AWS Certificate Manager (ACM) Install the third-party certificate on the EC2 instances Associate the ACM imported third-party certificate with the Elastic Load Balancer.

Question 108

A company has a large fleet of Linux Amazon EC2 instances and Windows EC2 instances that run in private subnets. The company wants all remote administration to be performed as securely as possible in the AWS Cloud.

Which solution will meet these requirements?

Options:

Do not use SSH-RSA private keys during the launch of new instances. Implement AWS Systems Manager Session Manager.

Generate new SSH-RSA private keys for existing instances. Implement AWS Systems Manager Session Manager.

Do not use SSH-RSA private keys during the launch of new instances. Configure EC2 Instance Connect.

Generate new SSH-RSA private keys for existing instances. Configure EC2 Instance Connect.

Question 109

You need to create a policy and apply it for just an individual user. How could you accomplish this in the right way?

Please select:

Options:

Add an IAM managed policy for the user

Add a service policy for the user

Add an IAM role for the user

Add an inline policy for the user

Question 110

A company hosts business-critical applications on Amazon EC2 instances in a VPC. The VPC uses default DHCP options sets. A security engineer needs to log all DNS queries that internal resources make in the VPC. The security engineer also must create a list of the most common DNS queries over time.

Which solution will meet these requirements?

Options:

Install the Amazon CloudWatch agent on each EC2 instance in the VPC. Use the CloudWatch agent to stream the DNS query logs to an Amazon CloudWatch Logs log group. Use CloudWatch metric filters to automatically generate metrics that list the most common ONS queries.

Install a BIND DNS server in the VPC. Create a bash script to list the DNS request number of common DNS queries from the BIND logs.

Create VPC flow logs for all subnets in the VPC. Stream the flow logs to an Amazon CloudWatch Logs log group. Use CloudWatch Logs Insights to list the most common DNS queries for the log group in a custom dashboard.

Configure Amazon Route 53 Resolver query logging. Add an Amazon CloudWatch Logs log group as the destination. Use Amazon CloudWatch Contributor Insights to analyze the data and create time series that display the most common DNS queries.

Question 111

Your company has a set of EC2 Instances defined in IAM. These Ec2 Instances have strict security groups attached to them. You need to ensure that changes to the Security groups are noted and acted on accordingly. How can you achieve this?

Please select:

Options:

Use Cloudwatch logs to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS for the notification.

Use Cloudwatch metrics to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS for the notification.

Use IAM inspector to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS f the notification.

Use Cloudwatch events to be triggered for any changes to the Security Groups. Configure the Lambda function for email notification as well.

Question 112

An Incident Response team is investigating an IAM access key leak that resulted in Amazon EC2 instances being launched. The company did not discover the incident until many months later The Director of Information Security wants to implement new controls that will alert when similar incidents happen in the future

Which controls should the company implement to achieve this? {Select TWO.)

Options:

Enable VPC Flow Logs in all VPCs Create a scheduled IAM Lambda function that downloads and parses the logs, and sends an Amazon SNS notification for violations.

Use IAM CloudTrail to make a trail, and apply it to all Regions Specify an Amazon S3 bucket to receive all the CloudTrail log files

Add the following bucket policy to the company's IAM CloudTrail bucket to prevent log tampering

{

"Version": "2012-10-17-,

"Statement": {

"Effect": "Deny",

"Action": "s3:PutObject",

"Principal": "-",

"Resource": "arn:IAM:s3:::cloudtrail/IAMLogs/111122223333/*"

}

Create an Amazon S3 data event for an PutObject attempts, which sends notifications to an Amazon SNS topic.

Create a Security Auditor role with permissions to access Amazon CloudWatch Logs m all Regions Ship the logs to an Amazon S3 bucket and make a lifecycle policy to ship the logs to Amazon S3 Glacier.

Verify that Amazon GuardDuty is enabled in all Regions, and create an Amazon CloudWatch Events rule for Amazon GuardDuty findings Add an Amazon SNS topic as the rule's target

Question 113

A company is deploying an Amazon EC2-based application. The application will include a custom health-checking component that produces health status data in JSON format. A Security Engineer must implement a secure solution to monitor application availability in near-real time by analyzing the hearth status data.

Which approach should the Security Engineer use?

Options:

Use Amazon CloudWatch monitoring to capture Amazon EC2 and networking metrics Visualize metrics using Amazon CloudWatch dashboards.

Run the Amazon Kinesis Agent to write the status data to Amazon Kinesis Data Firehose Store the streaming data from Kinesis Data Firehose in Amazon Redshift. (hen run a script on the pool data and analyze the data in Amazon Redshift

Write the status data directly to a public Amazon S3 bucket from the health-checking component Configure S3 events to invoke an IAM Lambda function that analyzes the data

Generate events from the health-checking component and send them to Amazon CloudWatch Events. Include the status data as event payloads. Use CloudWatch Events rules to invoke an IAM Lambda function that analyzes the data.

Question 114

A System Administrator is unable to start an Amazon EC2 instance in the eu-west-1 Region using an IAM role The same System Administrator is able to start an EC2 instance in the eu-west-2 and eu-west-3 Regions. The IAMSystemAdministrator access policy attached to the System Administrator IAM role allows unconditional access to all IAM services and resources within the account

Which configuration caused this issue?

A) An SCP is attached to the account with the following permission statement:

A permission boundary policy is attached to the System Administrator role with the following permission statement:

A permission boundary is attached to the System Administrator role with the following permission statement:

An SCP is attached to the account with the following statement:

Options:

Option A

Option B

Option C

Option D

Question 115

A company has multiple accounts in the AWS Cloud. Users in the developer account need to have access to specific resources in the production account.

What is the MOST secure way to provide this access?

Options:

Create one IAM user in the production account. Grant the appropriate permissions to the resources that are needed. Share the password only with the users that need access.

Create cross-account access with an IAM role in the developer account. Grant the appropriate permissions to this role. Allow users in the developer account to assume this role to access the production resources.

Create cross-account access with an IAM user account in the production account. Grant the appropriate permissions to this user account. Allow users in the developer account to use this user account to access the production resources.

Create cross-account access with an IAM role in the production account. Grant the appropriate permissions to this role. Allow users in the developer account to assume this role to access the production resources.

Question 116

A security engineer creates an Amazon S3 bucket policy that denies access to all users. A few days later, the security engineer adds an additional statement to the bucket policy to allow read-only access to one other employee. Even after updating the policy, the employee still receives an access denied message.

What is the likely cause of this access denial?

A security engineer is working with a company to design an ecommerce application. The application will run on Amazon EC2 instances that run in an Auto Scaling group behind an Application Load Balancer (ALB). The application will use an Amazon RDS DB instance for its database.

The only required connectivity from the internet is for HTTP and HTTPS traffic to the application. The application must communicate with an external payment provider that allows traffic only from a preconfigured allow list of IP addresses. The company must ensure that communications with the external payment provider are not interrupted as the environment scales.

Which combination of actions should the security engineer recommend to meet these requirements? (Select THREE.)

Options:

Deploy a NAT gateway in each private subnet for every Availability Zone that is in use.

Place the DB instance in a public subnet.

Place the DB instance in a private subnet.

Configure the Auto Scaling group to place the EC2 instances in a public subnet.

Configure the Auto Scaling group to place the EC2 instances in a private subnet.

Deploy the ALB in a private subnet.

Question 117

A developer is building a serverless application hosted on AWS that uses Amazon Redshift as a data store The application has separate modules for readwrite and read-only functionality The modules need their own database users for compliance reasons

Which combination of steps should a security engineer implement to grant appropriate access? (Select TWO.)

Options:

Configure cluster security groups for each application module to control access to database users that are required for read-only and readwrite

Configure an 1AM policy for each module Specify the ARN of an Amazon Redshift database user that allows the GetClusterCredentials API call

Create local database users for each module

Configure an 1AM policy for each module Specify the ARN of an 1AM user that allows the GetClusterCredentials API call

Question 118

A company's on-premises networks are connected to VPCs using an IAM Direct Connect gateway. The company's on-premises application needs to stream data using an existing Amazon Kinesis Data Firehose delivery stream. The company's security policy requires that data be encrypted in transit using a private network.

How should the company meet these requirements?

Options:

Create a VPC endpoint tor Kinesis Data Firehose. Configure the application to connect to the VPC endpoint.

Configure an IAM policy to restrict access to Kinesis Data Firehose using a source IP condition. Configure the application to connect to the existing Firehose delivery stream.

Create a new TLS certificate in IAM Certificate Manager (ACM). Create a public-facing Network Load Balancer (NLB) and select the newly created TLS certificate. Configure the NLB to forward all traffic to Kinesis Data Firehose. Configure the application to connect to the NLB.

Peer the on-premises network with the Kinesis Data Firehose VPC using Direct Connect. Configure the application to connect to the existing Firehose delivery stream.

Question 119

A company is running its workloads in a single AWS Region and uses AWS Organizations. A security engineer must implement a solution to prevent users from launching resources in other Regions.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

Create an IAM policy that has an aws RequestedRegion condition that allows actions only in the designated Region Attach the policy to all users.

Create an I AM policy that has an aws RequestedRegion condition that denies actions that are not in the designated Region Attach the policy to the AWS account in AWS Organizations.

Create an IAM policy that has an aws RequestedRegion condition that allows the desired actions Attach the policy only to the users who are in the designated Region.

Create an SCP that has an aws RequestedRegion condition that denies actions that are not in the designated Region. Attach the SCP to the AWS account in AWS Organizations.

Question 120

A company is implementing new compliance requirements to meet customer needs. According to the new requirements the company must not use any Amazon RDS DB instances or DB clusters that lack encryption of the underlying storage. The company needs a solution that will generate an email alert when an unencrypted DB instance or DB cluster is created. The solution also must terminate the unencrypted DB instance or DB cluster.

Which solution will meet these requirements in the MOST operationally efficient manner?

Options:

Create an AWS Config managed rule to detect unencrypted ROS storage. Configure an automatic remediation action to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic that includes an AWS Lambda function and an email delivery target as subscribers. Configure the Lambda function to delete the unencrypted resource.

Create an AWS Config managed rule to detect unencrypted RDS storage. Configure a manual remediation action to invoke an AWS Lambda function. Configure the Lambda function to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic and to delete the unencrypted resource.

Create an Amazon EventBridge rule that evaluates RDS event patterns and is initiated by the creation of DB instances or DB clusters Configure the rule to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic that includes an AWS Lambda function and an email delivery target as subscribers. Configure the Lambda function to delete the unencrypted resource.

Create an Amazon EventBridge rule that evaluates RDS event patterns and is initiated by the creation of DB instances or DB clusters. Configure the rule to invoke an AWS Lambda function. Configure the Lambda function to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic and to delete the unencrypted resource.

Question 121

A company is building an application on IAM that will store sensitive Information. The company has a support team with access to the IT infrastructure, including databases. The company's security engineer must introduce measures to protect the sensitive data against any data breach while minimizing management overhead. The credentials must be regularly rotated.

What should the security engineer recommend?

Options:

Enable Amazon RDS encryption to encrypt the database and snapshots. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instances. Include the database credential in the EC2 user data field. Use an IAM Lambda function to rotate database credentials. Set up TLS for the connection to the database.

Install a database on an Amazon EC2 Instance. Enable third-party disk encryption to encrypt the Amazon Elastic Block Store (Amazon EBS) volume. Store the database credentials in IAM CloudHSM with automatic rotation. Set up TLS for the connection to the database.

Enable Amazon RDS encryption to encrypt the database and snapshots. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instances. Store the database credentials in IAM Secrets Manager with automatic rotation. Set up TLS for the connection to the RDS hosted database.

Set up an IAM CloudHSM cluster with IAM Key Management Service (IAM KMS) to store KMS keys. Set up Amazon RDS encryption using IAM KMS to encrypt the database. Store database credentials in the IAM Systems Manager Parameter Store with automatic rotation. Set up TLS for the connection to the RDS hosted database.

Question 122

A developer has created an AWS Lambda function in a company's development account. The Lambda function requires the use of an AWS Key Management Service (AWS KMS) customer managed key that exists in a security account that the company's security team controls. The developer obtains the ARN of the KMS key from a previous Lambda function in the development account. The previous Lambda function had been working properly with the KMS key.

When the developer uses the ARN and tests the new Lambda function an error message states that access is denied to the KMS key in the security account. The developer tests the previous Lambda function that uses the same KMS key and discovers that the previous Lambda function still can encrypt data as expected.

A security engineer must resolve the problem so that the new Lambda function in the development account can use the KMS key from the security account.

Which combination of steps should the security engineer take to meet these requirements? (Select TWO.)

Options:

In the security account configure an IAM role for the new Lambda function. Attach an IAM policy that allows access to the KMS key in the security account.

In the development account configure an IAM role for the new Lambda function. Attach a key policy that allows access to the KMS key in the security account.

In the development account configure an IAM role for the new Lambda function. Attach an IAM policy that allows access to the KMS key in the security account.

Configure a key policy for the KMS key m the security account to allow access to the IAM role of the new Lambda function in the security account.

Configure a key policy for the KMS key in the security account to allow access to the IAM role of the new Lambda function in the development account.

Question 123

A Security Engineer has been tasked with enabling IAM Security Hub to monitor Amazon EC2 instances fix CVE in a single IAM account The Engineer has already enabled IAM Security Hub and Amazon Inspector m the IAM Management Console and has installed me Amazon Inspector agent on an EC2 instances that need to be monitored.

Which additional steps should the Security Engineer lake 10 meet this requirement?

Options:

Configure the Amazon inspector agent to use the CVE rule package

Configure the Amazon Inspector agent to use the CVE rule package Configure Security Hub to ingest from IAM inspector by writing a custom resource policy

Configure the Security Hub agent to use the CVE rule package Configure IAM Inspector lo ingest from Security Hub by writing a custom resource policy

Configure the Amazon Inspector agent to use the CVE rule package Install an additional Integration library Allow the Amazon Inspector agent to communicate with Security Hub

Question 124

A company wants to migrate its static primary domain website to AWS. The company hosts the website and DNS servers internally. The company wants the website to enforce SSL/TLS encryption block IP addresses from outside the United States (US), and take advantage of managed services whenever possible.

Which solution will meet these requirements?

Options:

Migrate the website to Amazon S3 Import a public SSL certificate to an Application Load. Balancer with rules to block traffic from outside the US Migrate DNS to Amazon Route 53.

Migrate the website to Amazon EC2 Import a public SSL certificate that is created by AWS Certificate Manager (ACM) to an Application Load Balancer with rules to block traffic from outside the US Update DNS accordingly.

Migrate the website to Amazon S3. Import a public SSL certificate to Amazon CloudFront Use AWS WAF rules to block traffic from outside the US Update DNS.

accordingly

Migrate the website to Amazon S3 Import a public SSL certificate that is created by AWS Certificate Manager (ACM) to Amazon. CloudFront Configure CloudFront to block traffic from outside the US. Migrate DNS to Amazon Route 53.

Answer:

Explanation:

To migrate the static website to AWS and meet the requirements, the following steps are required:

Migrate the website to Amazon S3, which is a highly scalable and durable object storage service that can host static websites. To do this, create an S3 bucket with the same name as the domain name of the website, enable static website hosting for the bucket, upload the website files to the bucket, and configure the bucket policy to allow public read access to the objects. For more information, see Hosting a static website on Amazon S3.
Import a public SSL certificate that is created by AWS Certificate Manager (ACM) to Amazon CloudFront, which is a global content delivery network (CDN) service that can improve the performance and security of web applications. To do this, request or import a public SSL certificate for the domain name of the website using ACM, create a CloudFront distribution with the S3 bucket as the origin, and associate the SSL certificate with the distribution. For more information, see Using alternate domain names and HTTPS.
Configure CloudFront to block traffic from outside the US, which is one of the requirements. To do this, create a CloudFront web ACL using AWS WAF, which is a web application firewall service that lets you control access to your web applications. In the web ACL, create a rule that uses a geo match condition to block requests that originate from countries other than the US. Associate the web ACL with the CloudFront distribution. For more information, see How AWS WAF works with Amazon CloudFront features.
Migrate DNS to Amazon Route 53, which is a highly available and scalable cloud DNS service that can route traffic to various AWS services. To do this, register or transfer your domain name to Route 53, create a hosted zone for your domain name, and create an alias record that points your domain name to your CloudFront distribution. For more information, see Routing traffic to an Amazon CloudFront web distribution by using your domain name.

The other options are incorrect because they either do not implement SSL/TLS encryption for the website (A), do not use managed services whenever possible (B), or do not block IP addresses from outside the US ©.

Verified References:

https://docs.aws.amazon.com/AmazonS3/latest/userguide/HostingWebsiteOnS3Setup.html
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-alternate-domain-names.html
https://docs.aws.amazon.com/waf/latest/developerguide/waf-cloudfront.html
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-cloudfront-distribution.html

Question 125

A company has a set of EC2 Instances hosted in IAM. The EC2 Instances have EBS volumes which is used to store critical information. There is a business continuity requirement to ensure high availability for the EBS volumes. How can you achieve this?

Options:

Use lifecycle policies for the EBS volumes

Use EBS Snapshots

Use EBS volume replication

Use EBS volume encryption

Question 126

A company's security engineer wants to receive an email alert whenever Amazon GuardDuty, AWS Identity and Access Management Access Analyzer, or Amazon Made generate a high-severity security finding. The company uses AWS Control Tower to govern all of its accounts. The company also uses AWS Security Hub with all of the AWS service integrations turned on.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

Set up separate AWS Lambda functions for GuardDuty, 1AM Access Analyzer, and Macie to call each service's public API to retrieve high-severity findings. Use Amazon Simple Notification Service (Amazon SNS) to send the email alerts. Create an Amazon EventBridge rule to invoke the functions on a schedule.

Create an Amazon EventBridge rule with a pattern that matches Security Hub findings events with high severity. Configure the rule to send the findings to a target Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the desired email addresses to the SNS topic.

Create an Amazon EventBridge rule with a pattern that matches AWS Control Tower events with high severity. Configure the rule to send the findings to a target Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the desired email addresses to the SNS topic.

Host an application on Amazon EC2 to call the GuardDuty, 1AM Access Analyzer, and Macie APIs. Within the application, use the Amazon Simple Notification Service (Amazon SNS) API to retrieve high-severity findings and to send the findings to an SNS topic. Subscribe the desired email addresses to the SNS topic.

Question 127

A company has retail stores The company is designing a solution to store scanned copies of customer receipts on Amazon S3 Files will be between 100 KB and 5 MB in PDF format Each retail store must have a unique encryption key Each object must be encrypted with a unique key

Which solution will meet these requirements?

Options:

Create a dedicated AWS Key Management Service (AWS KMS) customer managed key for each retail store Use the S3 Put operation to upload the objects to Amazon S3 Specify server-side encryption with AWS KMS keys (SSE-KMS) and the key ID of the store's key

Create a new AWS Key Management Service (AWS KMS) customer managed key every day for each retail store Use the KMS Encrypt operation to encrypt objects Then upload the objects to Amazon S3

Run the AWS Key Management Service (AWS KMS) GenerateDataKey operation every day for each retail store Use the data key and client-side encryption to encrypt the objects Then upload the objects to Amazon S3

Use the AWS Key Management Service (AWS KMS) ImportKeyMaterial operation to import new key material to AWS KMS every day for each retail store Use a customer managed key and the KMS Encrypt operation to encrypt the objects Then upload the objects to Amazon S3

Question 128

During a manual review of system logs from an Amazon Linux EC2 instance, a Security Engineer noticed that there are sudo commands that were never properly alerted or reported on the Amazon CloudWatch Logs agent

Why were there no alerts on the sudo commands?

Options:

There is a security group blocking outbound port 80 traffic that is preventing the agent from sending the logs

The IAM instance profile on the EC2 instance was not properly configured to allow the CloudWatch Logs agent to push the logs to CloudWatch

CloudWatch Logs status is set to ON versus SECURE, which prevents it from pulling in OS security event logs

The VPC requires that all traffic go through a proxy, and the CloudWatch Logs agent does not support a proxy configuration.

Question 129

A company is using an AWS Key Management Service (AWS KMS) AWS owned key in its application to encrypt files in an AWS account The company's security team wants the ability to change to new key material for new files whenever a potential key breach occurs A security engineer must implement a solution that gives the security team the ability to change the key whenever the team wants to do so

Which solution will meet these requirements?

Options:

Create a new customer managed key Add a key rotation schedule to the key Invoke the key rotation schedule every time the security team requests a key change

Create a new AWS managed key Add a key rotation schedule to the key Invoke the key rotation schedule every time the security team requests a key change

Create a key alias Create a new customer managed key every time the security team requests a key change Associate the alias with the new key

Create a key alias Create a new AWS managed key every time the security team requests a key change Associate the alias with the new key

Question 130

An IT department currently has a Java web application deployed on Apache Tomcat running on Amazon EC2 instances. All traffic to the EC2 instances is sent through an internet-facing Application Load Balancer (ALB) The Security team has noticed during the past two days thousands of unusual read requests coming from hundreds of IP addresses. This is causing the Tomcat server to run out of threads and reject new connections

Which the SIMPLEST change that would address this server issue?

Options:

Create an Amazon CloudFront distribution and configure the ALB as the origin

Block the malicious IPs with a network access list (NACL).

Create an IAM Web Application Firewall (WAF). and attach it to the ALB

Map the application domain name to use Route 53

Question 131

A company wants to ensure that its IAM resources can be launched only in the us-east-1 and us-west-2 Regions.

What is the MOST operationally efficient solution that will prevent developers from launching Amazon EC2 instances in other Regions?

Options:

Enable Amazon GuardDuty in all Regions. Create alerts to detect unauthorized activity outside us-east-1 and us-west-2.

Use an organization in IAM Organizations. Attach an SCP that allows all actions when the IAM: Requested Region condition key is either us-east-1 or us-west-2. Delete the FullIAMAccess policy.

Provision EC2 resources by using IAM Cloud Formation templates through IAM CodePipeline. Allow only the values of us-east-1 and us-west-2 in the IAM CloudFormation template's parameters.

Create an IAM Config rule to prevent unauthorized activity outside us-east-1 and us-west-2.

Question 132

You have a set of Keys defined using the IAM KMS service. You want to stop using a couple of keys , but are not sure of which services are currently using the keys. Which of the following would be a safe option to stop using the keys from further usage.

Please select:

Options:

Delete the keys since anyway there is a 7 day waiting period before deletion

Disable the keys

Set an alias for the key

Change the key material for the key

Question 133

You currently operate a web application In the IAM US-East region. The application runs on an auto-scaled layer of EC2 instances and an RDS Multi-AZ database. Your IT security compliance officer has tasked you to develop a reliable and durable logging solution to track changes made to your EC2.IAM and RDS resources. The solution must ensure the integrity and confidentiality of your log data. Which of these solutions would you recommend?

Please select:

Options:

Create a new CloudTrail trail with one new S3 bucket to store the logs and with the global services option selected. Use IAM roles S3 bucket policies and Mufti Factor Authentication (MFA) Delete on the S3 bucket that stores your logs.

Create a new CloudTrail with one new S3 bucket to store the logs. Configure SNS to send log file delivery notifications to your management system. Use IAM roles and S3 bucket policies on the S3 bucket that stores your logs.

Create a new CloudTrail trail with an existing S3 bucket to store the logs and with the global services option selected. Use S3 ACLsand Multi Factor Authentication (MFA) Delete on the S3 bucket that stores your logs.

Create three new CloudTrail trails with three new S3 buckets to store the logs one for the IAM Management console, one for IAM SDKs and one for command line tools. Use IAM roles and S3 bucket policies on the S3 buckets that store your logs.

Question 134

A company requires that data stored in IAM be encrypted at rest. Which of the following approaches achieve this requirement? Select 2 answers from the options given below.

Please select:

Options:

When storing data in Amazon EBS, use only EBS-optimized Amazon EC2 instances.

When storing data in EBS, encrypt the volume by using IAM KMS.

When storing data in Amazon S3, use object versioning and MFA Delete.

When storing data in Amazon EC2 Instance Store, encrypt the volume by using KMS.

When storing data in S3, enable server-side encryption.

Question 135

A company has resources hosted in their IAM Account. There is a requirement to monitor all API activity for all regions. The audit needs to be applied for future regions as well. Which of the following can be used to fulfil this requirement.

Please select:

Options:

Ensure Cloudtrail for each region. Then enable for each future region.

Ensure one Cloudtrail trail is enabled for all regions.

Create a Cloudtrail for each region. Use Cloudformation to enable the trail for all future regions.

Create a Cloudtrail for each region. Use IAM Config to enable the trail for all future regions.

Question 136

A large organization is planning on IAM to host their resources. They have a number of autonomous departments that wish to use IAM. What could be the strategy to adopt for managing the accounts.

Please select:

Options:

Use multiple VPCs in the account each VPC for each department

Use multiple IAM groups, each group for each department

Use multiple IAM roles, each group for each department

Use multiple IAM accounts, each account for each department

Question 137

You are responsible to deploying a critical application onto IAM. Part of the requirements for this application is to ensure that the controls set for this application met PCI compliance. Also there is a need to monitor web application logs to identify any malicious activity. Which of the following services can be used to fulfil this requirement. Choose 2 answers from the options given below

Please select:

Options:

Amazon Cloudwatch Logs

Amazon VPC Flow Logs

Amazon IAM Config

Amazon Cloudtrail

Question 138

A company wishes to enable Single Sign On (SSO) so its employees can login to the management console using their corporate directory identity. Which steps below are required as part of the process? Select 2 answers from the options given below.

Please select:

Options:

Create a Direct Connect connection between on-premise network and IAM. Use an AD connector for connecting IAM with on-premise active directory.

Create IAM policies that can be mapped to group memberships in the corporate directory.

Create a Lambda function to assign IAM roles to the temporary security tokens provided to the users.

Create IAM users that can be mapped to the employees' corporate identities

Create an IAM role that establishes a trust relationship between IAM and the corporate directory identity provider (IdP)

Answer:

A, E

Explanation:

Create a Direct Connect connection so that corporate users can access the IAM account

Option B is incorrect because IAM policies are not directly mapped to group memberships in the corporate directory. It is IAM roles which are mapped.

Option C is incorrect because Lambda functions is an incorrect option to assign roles.

Option D is incorrect because IAM users are not directly mapped to employees' corporate identities.

For more information on Direct Connect, please refer to below URL:

' https://IAM.amazon.com/directconnect/

From the IAM Documentation, for federated access, you also need to ensure the right policy permissions are in place

Configure permissions in IAM for your federated users

The next step is to create an IAM role that establishes a trust relationship between IAM and your organization's IdP that identifies your IdP as a principal (trusted entity) for purposes of federation. The role also defines what users authenticated your organization's IdP are allowed to do in IAM. You can use the IAM console to create this role. When you create the trust policy that indicates who can assume the role, you specify the SAML provider that you created earlier in IAM along with one or more SAML attributes that a user must match to be allowed to assume the role. For example, you can specify that only users whose SAML eduPersonOrgDN value is ExampleOrg are allowed to sign in. The role wizard automatically adds a condition to test the saml:aud attribute to make sure that the role is assumed only for sign-in to the IAM Management Console. The trust policy for the role might look like this:

C:\Users\wk\Desktop\mudassar\Untitled.jpg

For more information on SAML federation, please refer to below URL:

https://docs.IAM.amazon.com/IAM/latest/UserGuide/id_roles_providers_enabli

Note:

What directories can I use with IAM SSO?

You can connect IAM SSO to Microsoft Active Directory, running either on-premises or in the IAM Cloud. IAM SSO supports IAM Directory Service for Microsoft Active Directory, also known as IAM Managed Microsoft AD, and AD Connector. IAM SSO does not support Simple AD. See IAM Directory Service Getting Started to learn more.

To connect to your on-premises directory with AD Connector, you need the following:

VPC

Set up a VPC with the following:

• At least two subnets. Each of the subnets must be in a different Availability Zone.

• The VPC must be connected to your on-premises network through a virtual private network (VPN) connection or IAM Direct

Connect.

• The VPC must have default hardware tenancy.

• https://IAM.amazon.com/single-sign-on/

• https://IAM.amazon.com/single-sign-on/faqs/

• https://IAM.amazon.com/bloj using-corporate-credentials/

• https://docs.IAM.amazon.com/directoryservice/latest/admin-

The correct answers are: Create a Direct Connect connection between on-premise network and IAM. Use an AD connector connecting IAM with on-premise active directory.. Create an IAM role that establishes a trust relationship between IAM and corporate directory identity provider (IdP)

Submit your Feedback/Queries to our Experts

Question 139

A company is planning on extending their on-premise IAM Infrastructure to the IAM Cloud. They need to have a solution that would give core benefits of traffic encryption and ensure latency is kept to a minimum. Which of the following would help fulfil this requirement? Choose 2 answers from the options given below

Please select:

Options:

IAM VPN

IAM VPC Peering

IAM NAT gateways

IAM Direct Connect

Question 140

You are designing a connectivity solution between on-premises infrastructure and Amazon VPC. Your server's on-premises will be communicating with your VPC instances. You will be establishing IPSec tunnels over the internet. Yo will be using VPN gateways and terminating the IPsec tunnels on IAM-supported customer gateways. Which of the following objectives would you achieve by implementing an IPSec tunnel as outlined above? Choose 4 answers form the options below

Please select:

Options:

End-to-end protection of data in transit

End-to-end Identity authentication

Data encryption across the internet

Protection of data in transit over the Internet

Peer identity authentication between VPN gateway and customer gateway

Data integrity protection across the Internet

Question 141

Your company has a set of EBS volumes defined in IAM. The security mandate is that all EBS volumes are encrypted. What can be done to notify the IT admin staff if there are any unencrypted volumes in the account.

Please select:

Options:

Use IAM Inspector to inspect all the EBS volumes

Use IAM Config to check for unencrypted EBS volumes

Use IAM Guard duty to check for the unencrypted EBS volumes

Use IAM Lambda to check for the unencrypted EBS volumes

Question 142

Your company has a set of 1000 EC2 Instances defined in an IAM Account. They want to effectively automate several administrative tasks on these instances. Which of the following would be an effective way to achieve this?

Please select:

Options:

Use the IAM Systems Manager Parameter Store

Use the IAM Systems Manager Run Command

Use the IAM Inspector

Use IAM Config

Question 143

Your team is experimenting with the API gateway service for an application. There is a need to implement a custom module which can be used for authentication/authorization for calls made to the API gateway. How can this be achieved?

Please select:

Options:

Use the request parameters for authorization

Use a Lambda authorizer

Use the gateway authorizer

Use CORS on the API gateway

Question 144

A company is planning to run a number of Admin related scripts using the IAM Lambda service. There is a need to understand if there are any errors encountered when the script run. How can this be accomplished in the most effective manner.

Please select:

Options:

Use Cloudwatch metrics and logs to watch for errors

Use Cloudtrail to monitor for errors

Use the IAM Config service to monitor for errors

Use the IAM inspector service to monitor for errors

Question 145

The CFO of a company wants to allow one of his employees to view only the IAM usage report page. Which of the below mentioned IAM policy statements allows the user to have access to the IAM usage report page?

Please select:

Options:

"Effect": "Allow". "Action": ["Describe"], "Resource": "Billing"

"Effect": "Allow", "Action": ["AccountUsage], "Resource": "*"

"Effect': "Allow", "Action": ["IAM-portal:ViewUsage"," IAM-portal:ViewBilling"], "Resource": "*"

"Effect": "Allow", "Action": ["IAM-portal: ViewBilling"], "Resource": "*"

Question 146

You have a bucket and a VPC defined in IAM. You need to ensure that the bucket can only be accessed by the VPC endpoint. How can you accomplish this?

Please select:

Options:

Modify the security groups for the VPC to allow access to the 53 bucket

Modify the route tables to allow access for the VPC endpoint

Modify the IAM Policy for the bucket to allow access for the VPC endpoint

Modify the bucket Policy for the bucket to allow access for the VPC endpoint

Question 147

Your company manages thousands of EC2 Instances. There is a mandate to ensure that all servers don't have any critical security flIAM. Which of the following can be done to ensure this? Choose 2 answers from the options given below.

Please select:

Options:

Use IAM Config to ensure that the servers have no critical flIAM.

Use IAM inspector to ensure that the servers have no critical flIAM.

Use IAM inspector to patch the servers

Use IAM SSM to patch the servers

Question 148

An employee keeps terminating EC2 instances on the production environment. You've determined the best way to ensure this doesn't happen is to add an extra layer of defense against terminating the instances. What is the best method to ensure the employee does not terminate the production instances? Choose the 2 correct answers from the options below

Please select:

Options:

Tag the instance with a production-identifying tag and add resource-level permissions to the employee user with an explicit deny on the terminate API call to instances with the production tag. <

Tag the instance with a production-identifying tag and modify the employees group to allow only start stop, and reboot API calls and not the terminate instance call.

Modify the IAM policy on the user to require MFA before deleting EC2 instances and disable MFA access to the employee

Modify the IAM policy on the user to require MFA before deleting EC2 instances

Question 149

A company is hosting sensitive data in an IAM S3 bucket. It needs to be ensured that the bucket always remains private. How can this be ensured continually? Choose 2 answers from the options given below

Please select:

Options:

Use IAM Config to monitor changes to the IAM Bucket

Use IAM Lambda function to change the bucket policy

Use IAM Trusted Advisor API to monitor the changes to the IAM Bucket

Use IAM Lambda function to change the bucket ACL

Question 150

Your company is planning on developing an application in IAM. This is a web based application. The application users will use their facebook or google identities for authentication. You want to have the ability to manage user profiles without having to add extra coding to manage this. Which of the below would assist in this.

Please select:

Options:

Create an OlDC identity provider in IAM

Create a SAML provider in IAM

Use IAM Cognito to manage the user profiles

Use IAM users to manage the user profiles

Question 151

Your company is planning on using IAM EC2 and ELB for deployment for their web applications. The security policy mandates that all traffic should be encrypted. Which of the following options will ensure that this requirement is met. Choose 2 answers from the options below.

Please select:

Options:

Ensure the load balancer listens on port 80

Ensure the load balancer listens on port 443

Ensure the HTTPS listener sends requests to the instances on port 443

Ensure the HTTPS listener sends requests to the instances on port 80

Question 152

You have private video content in S3 that you want to serve to subscribed users on the Internet. User IDs, credentials, and subscriptions are stored in an Amazon RDS database. Which configuration will allow you to securely serve private content to your users?

Please select:

Options:

Generate pre-signed URLs for each user as they request access to protected S3 content

Create an IAM user for each subscribed user and assign the GetObject permission to each IAM user

Create an S3 bucket policy that limits access to your private content to only your subscribed users'credentials

Crpafp a Cloud Front Clriein Identity user for vnur suhsrrihprl users and assign the GptOhiprt oprmissinn to this user

Question 153

A company is using a Redshift cluster to store their data warehouse. There is a requirement from the Internal IT Security team to ensure that data gets encrypted for the Redshift database. How can this be achieved?

Please select:

Options:

Encrypt the EBS volumes of the underlying EC2 Instances

Use IAM KMS Customer Default master key

Use SSL/TLS for encrypting the data

Use S3 Encryption

Question 154

Your company looks at the gaming domain and hosts several Ec2 Instances as game servers. The servers each experience user loads in the thousands. There is a concern of DDos attacks on the EC2 Instances which could cause a huge revenue loss to the company. Which of the following can help mitigate this security concern and also ensure minimum downtime for the servers.

Please select:

Options:

Use VPC Flow logs to monitor the VPC and then implement NACL's to mitigate attacks

Use IAM Shield Advanced to protect the EC2 Instances

Use IAM Inspector to protect the EC2 Instances

Use IAM Trusted Advisor to protect the EC2 Instances

Question 155

A web application runs in a VPC on EC2 instances behind an ELB Application Load Balancer. The application stores data in an RDS MySQL DB instance. A Linux bastion host is used to apply schema updates to the database - administrators connect to the host via SSH from a corporate workstation. The following security groups are applied to the infrastructure-

* sgLB - associated with the ELB

* sgWeb - associated with the EC2 instances.

* sgDB - associated with the database

* sgBastion - associated with the bastion host Which security group configuration will allow the application to be secure and functional?

Please select:

Options:

sgLB :allow port 80 and 443 traffic from 0.0.0.0/0

sgWeb :allow port 80 and 443 traffic from 0.0.0.0/0

sgDB :allow port 3306 traffic from sgWeb and sgBastion

sgBastion: allow port 22 traffic from the corporate IP address range

sgLB :aIlow port 80 and 443 traffic from 0.0.0.0/0

sgWeb :allow port 80 and 443 traffic from sgLB

sgDB :allow port 3306 traffic from sgWeb and sgLB

sgBastion: allow port 22 traffic from the VPC IP address range

sgLB :allow port 80 and 443 traffic from 0.0.0.0/0

sgWeb :allow port 80 and 443 traffic from sgLB

sgDB :allow port 3306 traffic from sgWeb and sgBastion

sgBastion: allow port 22 traffic from the VPC IP address range

sgLB :allow port 80 and 443 traffic from 0.0.0.0/0

sgWeb :allow port 80 and 443 traffic from sgLB

sgDB :allow port 3306 traffic from sgWeb and sgBastion

sgBastion: allow port 22 traffic from the corporate IP address range

Question 156

You have just developed a new mobile application that handles analytics workloads on large scale datasets that are stored on Amazon Redshift. Consequently, the application needs to access Amazon Redshift tables. Which of the belov methods would be the best both practically and security-wise, to access the tables? Choose the correct answer from the options below

Please select:

Options:

Create an IAM user and generate encryption keys for that user. Create a policy for Redshift read-only access. Embed th keys in the application.

Create an HSM client certificate in Redshift and authenticate using this certificate.

Create a Redshift read-only access policy in IAM and embed those credentials in the application.

Use roles that allow a web identity federated user to assume a role that allows access to the Redshift table by providing temporary credentials.

Question 157

Your company has an EC2 Instance hosted in IAM. This EC2 Instance hosts an application. Currently this application is experiencing a number of issues. You need to inspect the network packets to see what the type of error that is occurring? Which one of the below steps can help address this issue?

Please select:

Options:

Use the VPC Flow Logs.

Use a network monitoring tool provided by an IAM partner.

Use another instance. Setup a port to "promiscuous mode" and sniff the traffic to analyze the packets. -

Use Cloudwatch metric

Question 158

An EC2 Instance hosts a Java based application that access a DynamoDB table. This EC2 Instance is currently serving production based users. Which of the following is a secure way of ensuring that the EC2 Instance access the Dynamo table

Please select:

Options:

Use IAM Roles with permissions to interact with DynamoDB and assign it to the EC2 Instance

Use KMS keys with the right permissions to interact with DynamoDB and assign it to the EC2 Instance

Use IAM Access Keys with the right permissions to interact with DynamoDB and assign it to the EC2 Instance

Use IAM Access Groups with the right permissions to interact with DynamoDB and assign it to the EC2 Instance

Question 159

You have a requirement to serve up private content using the keys available with Cloudfront. How can this be achieved?

Please select:

Options:

Add the keys to the backend distribution.

Add the keys to the S3 bucket

Create pre-signed URL's

Use IAM Access keys

Question 160

Which of the following is the responsibility of the customer? Choose 2 answers from the options given below.

Please select:

Options:

Management of the Edge locations

Encryption of data at rest

Protection of data in transit

Decommissioning of old storage devices

Question 161

Your company is hosting a set of EC2 Instances in IAM. They want to have the ability to detect if any port scans occur on their IAM EC2 Instances. Which of the following can help in this regard?

Please select:

Options:

Use IAM inspector to consciously inspect the instances for port scans

Use IAM Trusted Advisor to notify of any malicious port scans

Use IAM Config to notify of any malicious port scans

Use IAM Guard Duty to monitor any malicious port scans

Question 162

A company is planning on using IAM EC2 and IAM Cloudfrontfor their web application. For which one of the below attacks is usage of Cloudfront most suited for?

Please select:

Options:

Cross side scripting

SQL injection

DDoS attacks

Malware attacks

Question 163

An application running on EC2 instances in a VPC must call an external web service via TLS (port 443). The instances run in public subnets.

Which configurations below allow the application to function and minimize the exposure of the instances? Select 2 answers from the options given below

Please select:

Options:

A network ACL with a rule that allows outgoing traffic on port 443.

A network ACL with rules that allow outgoing traffic on port 443 and incoming traffic on ephemeral ports

A network ACL with rules that allow outgoing traffic on port 443 and incoming traffic on port 443.

A security group with a rule that allows outgoing traffic on port 443

A security group with rules that allow outgoing traffic on port 443 and incoming traffic on ephemeral ports.

A security group with rules that allow outgoing traffic on port 443 and incoming traffic on port 443.

Question 164

When managing permissions for the API gateway, what can be used to ensure that the right level of permissions are given to developers, IT admins and users? These permissions should be easily managed.

Please select:

Options:

Use the secure token service to manage the permissions for the different users

Use IAM Policies to create different policies for the different types of users.

Use the IAM Config tool to manage the permissions for the different users

Use IAM Access Keys to create sets of keys for the different types of users.

Question 165

Your company has confidential documents stored in the simple storage service. Due to compliance requirements, you have to ensure that the data in the S3 bucket is available in a different geographical location. As an architect what is the change you would make to comply with this requirement.

Please select:

Options:

Apply Multi-AZ for the underlying 53 bucket

Copy the data to an EBS Volume in another Region

Create a snapshot of the S3 bucket and copy it to another region

Enable Cross region replication for the S3 bucket

Question 166

You need to have a cloud security device which would allow to generate encryption keys based on FIPS 140-2 Level 3. Which of the following can be used for this purpose.

Please select:

Options:

IAM KMS

IAM Customer Keys

IAM managed keys

IAM Cloud HSM

Answer:

A, D

Explanation:

IAM Key Management Service (KMS) now uses FIPS 140-2 validated hardware security modules (HSM) and supports FIPS 140-2 validated endpoints, which provide independent assurances about the confidentiality and integrity of your keys.

All master keys in IAM KMS regardless of their creation date or origin are automatically protected using FIPS 140-2 validated

HSMs. defines four levels of security, simply named "Level 1'' to "Level 4". It does not specify in detail what level of security is required by any particular application.

• FIPS 140-2 Level 1 the lowest, imposes very limited requirements; loosely, all components must be "production-grade" anc various egregious kinds of insecurity must be absent

• FIPS 140-2 Level 2 adds requirements for physical tamper-evidence and role-based authentication.

• FIPS 140-2 Level 3 adds requirements for physical tamper-resistance (making it difficult for attackers to gain access to sensitive information contained in the module) and identity-based authentication, and for a physical or logical separation between the interfaces by which "critical security parameters" enter and leave the module, and its other interfaces.

• FIPS 140-2 Level 4 makes the physical security requirements more stringent and requires robustness against environmental attacks.

IAMCIoudHSM provides you with a FIPS 140-2 Level 3 validated single-tenant HSM cluster in your Amazon Virtual Private Cloud (VPQ to store and use your keys. You have exclusive control over how your keys are used via an authentication mechanism independent from IAM. You interact with keys in your IAM CloudHSM cluster similar to the way you interact with your applications running in Amazon EC2.

IAM KMS allows you to create and control the encryption keys used by your applications and supported IAM services in multiple regions around the world from a single console. The service uses a FIPS 140-2 validated HSM to protect the security of your keys. Centralized management of all your keys in IAM KMS lets you enforce who can use your keys under which conditions, when they get rotated, and who can manage them.

IAM KMS HSMs are validated at level 2 overall and at level 3 in the following areas:

• Cryptographic Module Specification

• Roles, Services, and Authentication

• Physical Security

• Design Assurance

So I think that we can have 2 answers for this question. Both A & D.

• https://IAM.amazon.com/blo15s/security/IAM-key-management-service- now-ffers-flps-140-2-validated-cryptographic-m < enabling-easier-adoption-of-the-service-for-regulated-workloads/

• https://a ws.amazon.com/cloudhsm/faqs/

• https://IAM.amazon.com/kms/faqs/

• https://en.wikipedia.org/wiki/RPS

The IAM Documentation mentions the following

IAM CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the IAM Cloud. With CloudHSM, you can manage your own encryption keys using FIPS 140-2 Level 3 validated HSMs. CloudHSM offers you the flexibility to integrate with your applications using industry-standard APIs, such as PKCS#11, Java Cryptography Extensions ()CE). and Microsoft CryptoNG (CNG) libraries. CloudHSM is also standards-compliant and enables you to export all of your keys to most other commercially-available HSMs. It is a fully-managed service that automates time-consuming administrative tasks for you, such as hardware provisioning, software patching, high-availability, and backups. CloudHSM also enables you to scale quickly by adding and removing HSM capacity on-demand, with no up-front costs.

All other options are invalid since IAM Cloud HSM is the prime service that offers FIPS 140-2 Level 3 compliance

For more information on CloudHSM, please visit the following url

https://IAM.amazon.com/cloudhsm;

The correct answers are: IAM KMS, IAM Cloud HSM Submit your Feedback/Queries to our Experts

Question 167

A company continually generates sensitive records that it stores in an S3 bucket. All objects in the bucket are encrypted using SSE-KMS using one of the company's CMKs. Company compliance policies require that no more than one month of data be encrypted using the same encryption key. What solution below will meet the company's requirements?

Please select:

Options:

Trigger a Lambda function with a monthly CloudWatch event that creates a new CMK and updates the S3 bucket to use the new CMK.

Configure the CMK to rotate the key material every month.

Trigger a Lambda function with a monthly CloudWatch event that creates a new CMK, updates the S3 bucket to use thfl new CMK, and deletes the old CMK.

Trigger a Lambda function with a monthly CloudWatch event that rotates the key material in the CMK.

Question 168

You have a requirement to conduct penetration testing on the IAM Cloud for a couple of EC2 Instances. How could you go about doing this? Choose 2 right answers from the options given below.

Please select:

Options:

Get prior approval from IAM for conducting the test

Use a pre-approved penetration testing tool.

Work with an IAM partner and no need for prior approval request from IAM

Choose any of the IAM instance type

Question 169

You currently have an S3 bucket hosted in an IAM Account. It holds information that needs be accessed by a partner account. Which is the MOST secure way to allow the partner account to access the S3 bucket in your account? Select 3 options.

Please select:

Options:

Ensure an IAM role is created which can be assumed by the partner account.

Ensure an IAM user is created which can be assumed by the partner account.

Ensure the partner uses an external id when making the request

Provide the ARN for the role to the partner account

Provide the Account Id to the partner account

Provide access keys for your account to the partner account

Question 170

You are creating a Lambda function which will be triggered by a Cloudwatch Event. The data from these events needs to be stored in a DynamoDB table. How should the Lambda function be given access to the DynamoDB table?

Please select:

Options:

Put the IAM Access keys in the Lambda function since the Lambda function by default is secure

Use an IAM role which has permissions to the DynamoDB table and attach it to the Lambda function.

Use the IAM Access keys which has access to DynamoDB and then place it in an S3 bucket.

Create a VPC endpoint for the DynamoDB table. Access the VPC endpoint from the Lambda function.

Question 171

A company has an existing IAM account and a set of critical resources hosted in that account. The employee who was in-charge of the root account has left the company. What must be now done to secure the account. Choose 3 answers from the options given below.

Please select:

Options:

Change the access keys for all IAM users.

Delete all custom created IAM policies

Delete the access keys for the root account

Confirm MFAtoa secure device

Change the password for the root account

Change the password for all IAM users

Question 172

You have a set of application , database and web servers hosted in IAM. The web servers are placed behind an ELB. There are separate security groups for the application, database and web servers. The network security groups have been defined accordingly. There is an issue with the communication between the application and database servers. In order to troubleshoot the issue between just the application and database server, what is the ideal set of MINIMAL steps you would take?

Please select:

Options:

Check the Inbound security rules for the database security group Check the Outbound security rules for the application security group

Check the Outbound security rules for the database security group I Check the inbound security rules for the application security group

Check the both the Inbound and Outbound security rules for the database security group Check the inbound security rules for the application security group

Check the Outbound security rules for the database security group

Check the both the Inbound and Outbound security rules for the application security group

Question 173

You have an EC2 instance with the following security configured:

a. ICMP inbound allowed on Security Group

b. ICMP outbound not configured on Security Group

c. ICMP inbound allowed on Network ACL

d. ICMP outbound denied on Network ACL

If Flow logs is enabled for the instance, which of the following flow records will be recorded? Choose 3 answers from the options give below

Please select:

Options:

An ACCEPT record for the request based on the Security Group

An ACCEPT record for the request based on the NACL

A REJECT record for the response based on the Security Group

A REJECT record for the response based on the NACL

Question 174

Your company has been using IAM for hosting EC2 Instances for their web and database applications. They want to have a compliance check to see the following

Whether any ports are left open other than admin ones like SSH and RDP

Whether any ports to the database server other than ones from the web server security group are open Which of the following can help achieve this in the easiest way possible. You don't want to carry out an extra configuration changes?

Please select:

Options:

IAM Config

IAM Trusted Advisor

IAM Inspector D.IAMGuardDuty

Question 175

Company policy requires that all insecure server protocols, such as FTP, Telnet, HTTP, etc be disabled on all servers. The security team would like to regularly check all servers to ensure compliance with this requirement by using a scheduled CloudWatch event to trigger a review of the current infrastructure. What process will check compliance of the company's EC2 instances?

Please select:

Options:

Trigger an IAM Config Rules evaluation of the restricted-common-ports rule against every EC2 instance.

Query the Trusted Advisor API for all best practice security checks and check for "action recommened" status.

Enable a GuardDuty threat detection analysis targeting the port configuration on every EC2 instance.

Run an Amazon inspector assessment using the Runtime Behavior Analysis rules package against every EC2 instance.

Load More SCS-C01 Questions

Summer Special Flat 65% Limited Time Discount offer - Ends in 0d 00h 00m 00s - Coupon code: suredis

Amazon Web Services SCS-C01 AWS Certified Security - Specialty Exam Practice Test

AWS Certified Security - Specialty Questions and Answers

Options:

Answer:

Options:

Answer:

Explanation:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Explanation:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Explanation:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer: