Are you tired of looking for a source that will keep you updated on the AWS Certified Security - Specialty exam, one that also has a collection of affordable, high-quality, and easy-to-use Amazon SCS-C02 Practice Questions? Then you are in luck, because Salesforcexamdumps.com has just updated them. Get ready to become AWS Certified Security - Specialty certified.
Available formats: Test Engine; PDF + Test Engine.
Here are the Amazon SCS-C02 PDF features:
327 questions with answers
Update date: 08 Nov, 2024
1 day of study required to pass the exam
100% passing assurance
100% money back guarantee
Free updates for 3 months
Amazon SCS-C02 is the certification exam you need to pass to get certified. The certification rewards the deserving candidate with perfect results, and the AWS Certified Specialty certification validates a candidate's expertise in working with Amazon. In this fast-paced world, a certification is the quickest way to gain your employer's approval. Try your luck at passing the AWS Certified Security - Specialty exam and become a certified professional today. Salesforcexamdumps.com is always eager to extend a helping hand by providing approved and accepted Amazon SCS-C02 Practice Questions. Passing AWS Certified Security - Specialty will be your ticket to a better future!
Contrary to the belief that certification exams are generally hard to get through, passing AWS Certified Security - Specialty is incredibly easy, provided you have access to a reliable resource such as the Salesforcexamdumps.com Amazon SCS-C02 PDF. We have been in this business long enough to understand where most other resources went wrong. Passing the Amazon AWS Certified Specialty certification is all about having the right information, so we filled our Amazon SCS-C02 Dumps with all the data you need to pass. These carefully curated sets of AWS Certified Security - Specialty Practice Questions target the most frequently repeated exam questions, so you know they are essential and can ensure passing results. Stop wasting your time waiting around and order your set of Amazon SCS-C02 Braindumps now!
We aim to provide all AWS Certified Specialty certification exam candidates with the best resources at minimum rates. You can check out our free demo before you download, to make sure the Amazon SCS-C02 Practice Questions are what you wanted. And do not forget about the discount: we always give our customers a little extra.
Unlike other websites, Salesforcexamdumps.com prioritizes the needs of AWS Certified Security - Specialty candidates. Not every Amazon exam candidate has full-time access to the internet, and it is hard to sit in front of a computer screen for too many hours. Are you one of them? We understand, and that is why we are here with AWS Certified Specialty solutions. The Amazon SCS-C02 Question Answers come in two formats: PDF and Online Test Engine. One is for customers who like an online platform with realistic exam simulation; the other is for those who prefer keeping their material close at hand. You can download or print the Amazon SCS-C02 Dumps with ease.
If you still have any queries, our team of experts is in service 24/7 to answer your questions. Just leave us a quick message in the chat box below or email us at [email protected].
A security team is responsible for reviewing AWS API call activity in the cloud environment for security violations. These events must be recorded and retained in a centralized location for both current and future AWS regions. What is the SIMPLEST way to meet these requirements?
A. Enable AWS Trusted Advisor security checks in the AWS Console, and report all security incidents for all regions.
B. Enable AWS CloudTrail by creating individual trails for each region, and specify a single Amazon S3 bucket to receive log files for later analysis.
C. Enable AWS CloudTrail by creating a new trail and applying the trail to all regions. Specify a single Amazon S3 bucket as the storage location.
D. Enable Amazon CloudWatch logging for all AWS services across all regions, and aggregate them to a single Amazon S3 bucket for later analysis.
A company has a guideline that mandates the encryption of all Amazon S3 bucket data in transit. A security engineer must implement an S3 bucket policy that denies any S3 operations if data is not encrypted. Which S3 bucket policy will meet this requirement?
A. Option A
B. Option B
C. Option C
D. Option D
An IAM user receives an Access Denied message when the user attempts to access objects in an Amazon S3 bucket. The user and the S3 bucket are in the same AWS account. The S3 bucket is configured to use server-side encryption with AWS KMS keys (SSE-KMS) to encrypt all of its objects at rest by using a customer managed key from the same AWS account. The S3 bucket has no bucket policy defined. The IAM user has been granted permissions through an IAM policy that allows the kms:Decrypt permission to the customer managed key. The IAM policy also allows the s3:List* and s3:Get* permissions for the S3 bucket and its objects. Which of the following is a possible reason that the IAM user cannot access the objects in the S3 bucket?
A. The IAM policy needs to allow the kms:DescribeKey permission.
B. The S3 bucket has been changed to use the AWS managed key to encrypt objects at rest.
C. An S3 bucket policy needs to be added to allow the IAM user to access the objects.
D. The KMS key policy has been edited to remove the ability for the AWS account to have full access to the key.
A company is storing data in Amazon S3 Glacier. A security engineer implemented a new vault lock policy for 10 TB of data and called the initiate-vault-lock operation 12 hours ago. The audit team identified a typo in the policy that is allowing unintended access to the vault. What is the MOST cost-effective way to correct this error?
A. Call the abort-vault-lock operation. Update the policy. Call the initiate-vault-lock operation again.
B. Copy the vault data to a new S3 bucket. Delete the vault. Create a new vault with the data.
C. Update the policy to keep the vault lock in place.
D. Update the policy. Call the initiate-vault-lock operation again to apply the new policy.
A company wants to implement host-based security for Amazon EC2 instances and containers in Amazon Elastic Container Registry (Amazon ECR). The company has deployed AWS Systems Manager Agent (SSM Agent) on the EC2 instances. All the company's AWS accounts are in one organization in AWS Organizations. The company will analyze the workloads for software vulnerabilities and unintended network exposure. The company will push any findings to AWS Security Hub, which the company has configured for the organization. The company must deploy the solution to all member accounts, including new accounts, automatically. When new workloads come online, the solution must scan the workloads. Which solution will meet these requirements?
A. B. Configure a delegated administrator for Amazon GuardDuty for the organization. Create an Amazon EventBridge rule to initiate analysis of ECR containers.
B. Configure a delegated administrator for Amazon Inspector for the organization. Configure automatic scanning for new member accounts.
C. D. Configure a delegated administrator for Amazon Inspector for the organization. Create an AWS Config rule to initiate analysis of ECR containers.
A company that operates in a hybrid cloud environment must meet strict compliance requirements. The company wants to create a report that includes evidence from on-premises workloads alongside evidence from AWS resources. A security engineer must implement a solution to collect, review, and manage the evidence to demonstrate compliance with company policy. Which solution will meet these requirements?
A. Create an assessment in AWS Audit Manager from a prebuilt framework or a custom framework. Upload manual evidence from the on-premises workloads. Add the evidence to the assessment. Generate an assessment report after Audit Manager collects the necessary evidence from the AWS resources.
B. Install the Amazon CloudWatch agent on the on-premises workloads. Use AWS Config to deploy a conformance pack from a sample conformance pack template or a custom YAML template. Generate an assessment report after AWS Config identifies noncompliant workloads and resources.
C. Set up the appropriate security standard in AWS Security Hub. Upload manual evidence from the on-premises workloads. Wait for Security Hub to collect the evidence from the AWS resources. Download the list of controls as a .csv file.
D. Install the Amazon CloudWatch agent on the on-premises workloads. Create a CloudWatch dashboard to monitor the on-premises workloads and the AWS resources. Run a query on the workloads and resources. Download the results.
An Amazon API Gateway API invokes an AWS Lambda function that needs to interact with a software-as-a-service (SaaS) platform. A unique client token is generated in the SaaS platform to grant access to the Lambda function. A security engineer needs to design a solution to encrypt the access token at rest and pass the token to the Lambda function at runtime. Which solution will meet these requirements MOST cost-effectively?
A. Store the client token as a secret in AWS Secrets Manager. Use the AWS SDK to retrieve the secret in the Lambda function.
B. Configure a token-based Lambda authorizer in API Gateway.
C. Store the client token as a SecureString parameter in AWS Systems Manager Parameter Store. Use the AWS SDK to retrieve the value of the SecureString parameter in the Lambda function.
D. Use AWS Key Management Service (AWS KMS) to encrypt the client token. Pass the token to the Lambda function at runtime through an environment variable.
A company has two AWS accounts: Account A and Account B. Each account has a VPC. An application that runs in the VPC in Account A needs to write to an Amazon S3 bucket in Account B. The application in Account A already has permission to write to the S3 bucket in Account B. The application and the S3 bucket are in the same AWS Region. The company cannot send network traffic over the public internet. Which solution will meet these requirements?
A. In both accounts, create a transit gateway and VPC attachments in a subnet in each Availability Zone. Update the VPC route tables.
B. Deploy a software VPN appliance in Account A. Create a VPN connection between the software VPN appliance and a virtual private gateway in Account B.
C. Create a VPC peering connection between the VPC in Account A and the VPC in Account B. Update the VPC route tables, network ACLs, and security groups to allow network traffic between the peered IP ranges.
D. In Account A, create a gateway VPC endpoint for Amazon S3. Update the VPC route table in Account A.
The Security Engineer is managing a traditional three-tier web application that is running on Amazon EC2 instances. The application has become the target of increasing numbers of malicious attacks from the Internet. What steps should the Security Engineer take to check for known vulnerabilities and limit the attack surface? (Choose two.)
A. Use AWS Certificate Manager to encrypt all traffic between the client and application servers.
B. Review the application security groups to ensure that only the necessary ports are open.
C. Use Elastic Load Balancing to offload Secure Sockets Layer encryption.
D. Use Amazon Inspector to periodically scan the backend instances.
E. Use AWS Key Management Service to encrypt all the traffic between the client and application servers.
A company is evaluating the use of AWS Systems Manager Session Manager to gain access to the company's Amazon EC2 instances. However, until the company implements the change, the company must protect the key file for the EC2 instances from read and write operations by any other users. When a security administrator tries to connect to a critical EC2 Linux instance during an emergency, the security administrator receives the following error: "Error: Unprotected private key file - Permissions for '.ssh/my_private_key.pem' are too open". Which command should the security administrator use to modify the private key file permissions to resolve this error?
A. chmod 0040 .ssh/my_private_key.pem
B. chmod 0400 .ssh/my_private_key.pem
C. chmod 0004 .ssh/my_private_key.pem
D. chmod 0777 .ssh/my_private_key.pem
A company's data scientists want to create artificial intelligence and machine learning (AI/ML) training models by using Amazon SageMaker. The training models will use large datasets in an Amazon S3 bucket. The datasets contain sensitive information. On average, the data scientists need 30 days to train models. The S3 bucket has been secured appropriately. The company's data retention policy states that all data that is older than 45 days must be removed from the S3 bucket. Which action should a security engineer take to enforce this data retention policy?
A. Configure an S3 Lifecycle rule on the S3 bucket to delete objects after 45 days.
B. Create an AWS Lambda function to check the last-modified date of the S3 objects and delete objects that are older than 45 days. Create an S3 event notification to invoke the Lambda function for each PutObject operation.
C. Create an AWS Lambda function to check the last-modified date of the S3 objects and delete objects that are older than 45 days. Create an Amazon EventBridge rule to invoke the Lambda function each month.
D. Configure S3 Intelligent-Tiering on the S3 bucket to automatically transition objects to another storage class.
A company uses Amazon EC2 instances to host frontend services behind an Application Load Balancer. Amazon Elastic Block Store (Amazon EBS) volumes are attached to the EC2 instances. The company uses Amazon S3 buckets to store large files for images and music. The company has implemented a security architecture on AWS to prevent, identify, and isolate potential ransomware attacks. The company now wants to further reduce risk. A security engineer must develop a disaster recovery solution that can recover to normal operations if an attacker bypasses preventive and detective controls. The solution must meet an RPO of 1 hour. Which solution will meet these requirements?
A. Use AWS Backup to create backups of the EC2 instances and S3 buckets every hour. Create AWS CloudFormation templates that replicate existing architecture components. Use AWS CodeCommit to store the CloudFormation templates alongside application configuration code.
B. Use AWS Backup to create backups of the EBS volumes and S3 objects every day. Use Amazon Security Lake to create a centralized data lake for AWS CloudTrail logs and VPC flow logs. Use the logs for automated response.
C. Use Amazon Security Lake to create a centralized data lake for AWS CloudTrail logs and VPC flow logs. Use the logs for automated response. Enable AWS Security Hub to establish a single location for recovery procedures. Create AWS CloudFormation templates that replicate existing architecture components. Use AWS CodeCommit to store the CloudFormation templates alongside application configuration code.
D. Create EBS snapshots every 4 hours. Enable Amazon GuardDuty Malware Protection. Create automation to immediately restore the most recent snapshot for any EC2 instances that produce an Execution:EC2/MaliciousFile finding in GuardDuty.
AWS CloudTrail is being used to monitor API calls in an organization. An audit revealed that CloudTrail is failing to deliver events to Amazon S3 as expected. What initial actions should be taken to allow delivery of CloudTrail events to S3? (Select TWO.)
A. Verify that the S3 bucket policy allows CloudTrail to write objects.
B. Verify that the IAM role used by CloudTrail has access to write to Amazon CloudWatch Logs.
C. Remove any lifecycle policies on the S3 bucket that are archiving objects to S3 Glacier Flexible Retrieval.
D. Verify that the S3 bucket defined in CloudTrail exists.
E. Verify that the log file prefix defined in CloudTrail exists in the S3 bucket.
A company deployed an Amazon EC2 instance to a VPC on AWS. A recent alert indicates that the EC2 instance is receiving a suspicious number of requests over an open TCP port from an external source. The TCP port remains open for long periods of time. The company's security team needs to stop all activity to this port from the external source to ensure that the EC2 instance is not being compromised. The application must remain available to other users. Which solution will meet these requirements?
A. Update the network ACL that is attached to the subnet that is associated with the EC2 instance. Add a Deny statement for the port and the source IP addresses.
B. Update the elastic network interface security group that is attached to the EC2 instance to remove the port from the inbound rule list.
C. Update the elastic network interface security group that is attached to the EC2 instance by adding a Deny entry in the inbound list for the port and the source IP addresses.
D. Create a new network ACL for the subnet. Deny all traffic from the EC2 instance to prevent data from being removed.
A company is running an application on Amazon EC2 instances in an Auto Scaling group. The application stores logs locally. A security engineer noticed that logs were lost after a scale-in event. The security engineer needs to recommend a solution to ensure the durability and availability of log data. All logs must be kept for a minimum of 1 year for auditing purposes. What should the security engineer recommend?
A. Within the Auto Scaling lifecycle, add a hook to create and attach an Amazon Elastic Block Store (Amazon EBS) log volume each time an EC2 instance is created. When the instance is terminated, the EBS volume can be reattached to another instance for log review.
B. Create an Amazon Elastic File System (Amazon EFS) file system and add a command in the user data section of the Auto Scaling launch template to mount the EFS file system during EC2 instance creation. Configure a process on the instance to copy the logs once a day from an instance Amazon Elastic Block Store (Amazon EBS) volume to a directory in the EFS file system.
C. Add an Amazon CloudWatch agent into the AMI used in the Auto Scaling group. Configure the CloudWatch agent to send the logs to Amazon CloudWatch Logs for review.
D. Within the Auto Scaling lifecycle, add a lifecycle hook at the terminating state transition and alert the engineering team by using a lifecycle notification to Amazon Simple Notification Service (Amazon SNS). Configure the hook to remain in the Terminating:Wait state for 1 hour to allow manual review of the security logs prior to instance termination.
A company has AWS accounts in an organization in AWS Organizations. The company needs to install a corporate software package on all Amazon EC2 instances for all the accounts in the organization. A central account provides base AMIs for the EC2 instances. The company uses AWS Systems Manager for software inventory and patching operations. A security engineer must implement a solution that detects EC2 instances that do not have the required software. The solution also must automatically install the software if the software is not present. Which solution will meet these requirements?
A. Provide new AMIs that have the required software pre-installed. Apply a tag to the AMIs to indicate that the AMIs have the required software. Configure an SCP that allows new EC2 instances to be launched only if the instances have the tagged AMIs. Tag all existing EC2 instances.
B. Configure a custom patch baseline in Systems Manager Patch Manager. Add the package name for the required software to the approved packages list. Associate the new patch baseline with all EC2 instances. Set up a maintenance window for software deployment.
C. Centrally enable AWS Config. Set up the ec2-managedinstance-applications-required AWS Config rule for all accounts. Create an Amazon EventBridge rule that reacts to AWS Config events. Configure the EventBridge rule to invoke an AWS Lambda function that uses Systems Manager Run Command to install the required software.
D. Create a new Systems Manager Distributor package for the required software. Specify the download location. Select all EC2 instances in the different accounts. Install the software by using Systems Manager Run Command.
A company uses HTTP Live Streaming (HLS) to stream live video content to paying subscribers by using Amazon CloudFront. HLS splits the video content into chunks so that the user can request the right chunk based on different conditions. Because the video events last for several hours, the total video is made up of thousands of chunks. The origin URL is not disclosed, and every user is forced to access the CloudFront URL. The company has a web application that authenticates the paying users against an internal repository and a CloudFront key pair that is already issued. What is the simplest and MOST effective way to protect the content?
A. Develop the application to use the CloudFront key pair to set the signed cookies that users will use to access the content.
B. Develop the application to issue a security token that Lambda@Edge will receive to authenticate and authorize access to the content.
C. Keep the CloudFront URL encrypted inside the application, and use AWS KMS to resolve the URL on-the-fly after the user is authenticated.
A company hosts an application on Amazon EC2 instances. The application also uses Amazon S3 and Amazon Simple Queue Service (Amazon SQS). The application is behind an Application Load Balancer (ALB) and scales with AWS Auto Scaling. The company’s security policy requires the use of least privilege access, which has been applied to all existing AWS resources. A security engineer needs to implement private connectivity to AWS services. Which combination of steps should the security engineer take to meet this requirement? (Select THREE.)
A. Use an interface VPC endpoint for Amazon SQS.
B. Configure a connection to Amazon S3 through AWS Transit Gateway.
C. Use a gateway VPC endpoint for Amazon S3.
D. Modify the IAM role applied to the EC2 instances in the Auto Scaling group to allow outbound traffic to the interface endpoints.
E. Modify the endpoint policies on all VPC endpoints. Specify the SQS and S3 resources that the application uses.
F. Configure a connection to Amazon S3 through AWS Firewall Manager.
A company operates a web application that runs on Amazon EC2 instances. The application listens on port 80 and port 443. The company uses an Application Load Balancer (ALB) with AWS WAF to terminate SSL and to forward traffic to the application instances only on port 80. The ALB is in public subnets that are associated with a network ACL that is named NACL1. The application instances are in dedicated private subnets that are associated with a network ACL that is named NACL2. An Amazon RDS for PostgreSQL DB instance that uses port 5432 is in a dedicated private subnet that is associated with a network ACL that is named NACL3. All the network ACLs currently allow all inbound and outbound traffic. Which set of network ACL changes will increase the security of the application while ensuring functionality?
A. Make the following changes to NACL3:
• Add a rule that allows inbound traffic on port 5432 from NACL2.
• Add a rule that allows outbound traffic on ports 1024-65536 to NACL2.
• Remove the default rules that allow all inbound and outbound traffic.
B. Make the following changes to NACL3:
• Add a rule that allows inbound traffic on port 5432 from the CIDR blocks of the application instance subnets.
• Add a rule that allows outbound traffic on ports 1024-65536 to the application instance subnets.
• Remove the default rules that allow all inbound and outbound traffic.
C. Make the following changes to NACL2:
• Add a rule that allows outbound traffic on port 5432 to the CIDR blocks of the RDS subnets.
• Remove the default rules that allow all inbound and outbound traffic.
D. Make the following changes to NACL2:
• Add a rule that allows inbound traffic on port 5432 from the CIDR blocks of the RDS subnets.
• Add a rule that allows outbound traffic on port 5432 to the RDS subnets.
An AWS Lambda function was misused to alter data, and a security engineer must identify who invoked the function and what output was produced. The engineer cannot find any logs created by the Lambda function in Amazon CloudWatch Logs. Which of the following explains why the logs are not available?
A. The execution role for the Lambda function did not grant permissions to write log data to CloudWatch Logs.
B. The Lambda function was invoked by using Amazon API Gateway, so the logs are not stored in CloudWatch Logs.
C. The execution role for the Lambda function did not grant permissions to write to the Amazon S3 bucket where CloudWatch Logs stores the logs.
D. The version of the Lambda function that was invoked was not current.
A company that uses AWS Organizations is using AWS IAM Identity Center (AWS Single Sign-On) to administer access to AWS accounts. A security engineer is creating a custom permission set in IAM Identity Center. The company will use the permission set across multiple accounts. An AWS managed policy and a customer managed policy are attached to the permission set. The security engineer has full administrative permissions and is operating in the management account. When the security engineer attempts to assign the permission set to an IAM Identity Center user who has access to multiple accounts, the assignment fails. What should the security engineer do to resolve this failure?
A. Create the customer managed policy in every account where the permission set is assigned. Give the customer managed policy the same name and same permissions in each account.
B. Remove either the AWS managed policy or the customer managed policy from the permission set. Create a second permission set that includes the removed policy. Apply the permission sets separately to the user.
C. Evaluate the logic of the AWS managed policy and the customer managed policy. Resolve any policy conflicts in the permission set before deployment.
D. Do not add the new permission set to the user. Instead, edit the user's existing permission set to include the AWS managed policy and the customer managed policy.
A company suspects that an attacker has exploited an overly permissive role to export credentials from Amazon EC2 instance metadata. The company uses Amazon GuardDuty and AWS Audit Manager. The company has enabled AWS CloudTrail logging and Amazon CloudWatch logging for all of its AWS accounts. A security engineer must determine if the credentials were used to access the company's resources from an external account. Which solution will provide this information?
A. Review GuardDuty findings to find InstanceCredentialExfiltration events.
B. Review assessment reports in the Audit Manager console to find InstanceCredentialExfiltration events.
C. Review CloudTrail logs for GetSessionToken API calls to AWS Security Token Service (AWS STS) that come from an account ID from outside the company.
D. Review CloudWatch logs for GetSessionToken API calls to AWS Security Token Service (AWS STS) that come from an account ID from outside the company.
A security team is working on a solution that will use Amazon EventBridge (Amazon CloudWatch Events) to monitor new Amazon S3 objects. The solution will monitor for public access and for changes to any S3 bucket policy or setting that result in public access. The security team configures EventBridge to watch for specific API calls that are logged from AWS CloudTrail. EventBridge has an action to send an email notification through Amazon Simple Notification Service (Amazon SNS) to the security team immediately with details of the API call. Specifically, the security team wants EventBridge to watch for the s3:PutObjectAcl, s3:DeleteBucketPolicy, and s3:PutBucketPolicy API invocation logs from CloudTrail. While developing the solution in a single account, the security team discovers that the s3:PutObjectAcl API call does not invoke an EventBridge event. However, the s3:DeleteBucketPolicy API call and the s3:PutBucketPolicy API call do invoke an event. The security team has enabled CloudTrail for AWS management events with a basic configuration in the AWS Region in which EventBridge is being tested. Verification of the EventBridge event pattern indicates that the pattern is set up correctly. The security team must implement a solution so that the s3:PutObjectAcl API call will invoke an EventBridge event. The solution must not generate false notifications. Which solution will meet these requirements?
A. Modify the EventBridge event pattern by selecting Amazon S3. Select All Events as the event type.
B. Modify the EventBridge event pattern by selecting Amazon S3. Select Bucket Level Operations as the event type.
C. Enable CloudTrail Insights to identify unusual API activity.
D. Enable CloudTrail to monitor data events for read and write operations to S3 buckets.
A company runs an online game on AWS. When players sign up for the game, their username and password credentials are stored in an Amazon Aurora database. The number of users has grown to hundreds of thousands of players. The number of requests for password resets and login assistance has become a burden for the company’s customer service team. The company needs to implement a solution to give players another way to log in to the game. The solution must remove the burden of password resets and login assistance while securely protecting each player's credentials. Which solution will meet these requirements?
A. When a new player signs up, use an AWS Lambda function to automatically create an IAM access key and a secret access key. Program the Lambda function to store the credentials on the player's device. Create IAM keys for existing players.
B. Migrate the player credentials from the Aurora database to AWS Secrets Manager. When a new player signs up, create a key-value pair in Secrets Manager for the player's user ID and password.
C. Configure Amazon Cognito user pools to federate access to the game with third-party identity providers (IdPs), such as social IdPs. Migrate the game's authentication mechanism to Cognito.
D. Instead of using usernames and passwords for authentication, issue API keys to new and existing players. Create an Amazon API Gateway API to give the game client access to the game's functionality.
A company wants to receive automated email notifications when AWS access keys from developer AWS accounts are detected on code repository sites. Which solution will provide the required email notifications?
A. Create an Amazon EventBridge rule to send Amazon Simple Notification Service (Amazon SNS) email notifications for Amazon GuardDuty UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS findings.
B. Change the AWS account contact information for the Operations type to a separate email address. Periodically poll this email address for notifications.
C. Create an Amazon EventBridge rule that reacts to AWS Health events that have a value of Risk for the service category. Configure email notifications by using Amazon Simple Notification Service (Amazon SNS).
D. Implement new anomaly detection software. Ingest AWS CloudTrail logs. Configure monitoring for ConsoleLogin events in the AWS Management Console. Configure email notifications from the anomaly detection software.
A company’s security team needs to receive a notification whenever an AWS access key has not been rotated in 90 or more days. A security engineer must develop a solution that provides these notifications automatically. Which solution will meet these requirements with the LEAST amount of effort?
A. Deploy an AWS Config managed rule to run on a periodic basis of 24 hours. Select the access-keys-rotated managed rule, and set the maxAccessKeyAge parameter to 90 days. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with an event pattern that matches the compliance type of NON_COMPLIANT from AWS Config for the managed rule. Configure EventBridge (CloudWatch Events) to send an Amazon Simple Notification Service (Amazon SNS) notification to the security team.
B. Create a script to export a .csv file from the AWS Trusted Advisor check for IAM access key rotation. Load the script into an AWS Lambda function that will upload the .csv file to an Amazon S3 bucket. Create an Amazon Athena table query that runs when the .csv file is uploaded to the S3 bucket. Publish the results for any keys older than 90 days by using an invocation of an Amazon Simple Notification Service (Amazon SNS) notification to the security team.
C. Create a script to download the IAM credentials report on a periodic basis. Load the script into an AWS Lambda function that will run on a schedule through Amazon EventBridge (Amazon CloudWatch Events). Configure the Lambda script to load the report into memory and to filter the report for records in which the key was last rotated at least 90 days ago. If any records are detected, send an Amazon Simple Notification Service (Amazon SNS) notification to the security team.
D. Create an AWS Lambda function that queries the IAM API to list all the users. Iterate through the users by using the ListAccessKeys operation. Verify that the value in the CreateDate field is not at least 90 days old. Send an Amazon Simple Notification Service (Amazon SNS) notification to the security team if the value is at least 90 days old. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to schedule the Lambda function to run each day.
A company has an application that runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an Amazon EC2 Auto Scaling group and are attached to Amazon Elastic Block Store (Amazon EBS) volumes. A security engineer needs to preserve all forensic evidence from one of the instances. Which order of steps should the security engineer use to meet this requirement?
A. Take an EBS volume snapshot of the instance and store the snapshot in an Amazon S3 bucket. Take a memory snapshot of the instance and store the snapshot in an S3 bucket. Detach the instance from the Auto Scaling group. Deregister the instance from the ALB. Stop the instance.
B. Take a memory snapshot of the instance and store the snapshot in an Amazon S3 bucket. Stop the instance. Take an EBS volume snapshot of the instance and store the snapshot in an S3 bucket. Detach the instance from the Auto Scaling group. Deregister the instance from the ALB.
C. Detach the instance from the Auto Scaling group. Deregister the instance from the ALB. Take an EBS volume snapshot of the instance and store the snapshot in an Amazon S3 bucket. Take a memory snapshot of the instance and store the snapshot in an S3 bucket. Stop the instance.
D. Detach the instance from the Auto Scaling group. Deregister the instance from the ALB. Stop the instance. Take a memory snapshot of the instance and store the snapshot in an Amazon S3 bucket. Take an EBS volume snapshot of the instance and store the snapshot in an S3 bucket.
A company manages multiple AWS accounts using AWS Organizations. The company's security team notices that some member accounts are not sending AWS CloudTrail logs to a centralized Amazon S3 logging bucket. The security team wants to ensure there is at least one trail configured for all existing accounts and for any account that is created in the future. Which set of actions should the security team implement to accomplish this?
A. Create a new trail and configure it to send CloudTrail logs to Amazon S3. Use Amazon EventBridge to send notification if a trail is deleted or stopped.
B. Deploy an AWS Lambda function in every account to check if there is an existing trail and create a new trail, if needed.
C. Edit the existing trail in the Organizations management account and apply it to the organization.
D. Create an SCP to deny the cloudtrail:Delete* and cloudtrail:Stop* actions. Apply the SCP to all accounts.
A security engineer is implementing a solution to allow users to seamlessly encrypt Amazon S3 objects without having to touch the keys directly. The solution must be highly scalable without requiring continual management. Additionally, the organization must be able to immediately delete the encryption keys. Which solution meets these requirements?
A. Use AWS KMS with AWS managed keys and the ScheduleKeyDeletion API with a PendingWindowInDays set to 0 to remove the keys if necessary.
B. Use KMS with AWS imported key material and then use the DeleteImportedKeyMaterial API to remove the key material if necessary.
C. Use AWS CloudHSM to store the keys and then use the CloudHSM API or the PKCS11 library to delete the keys if necessary.
D. Use the Systems Manager Parameter Store to store the keys and then use the service API operations to delete the keys if necessary.
A company needs to implement DNS Security Extensions (DNSSEC) for a specific subdomain. The subdomain is already registered with Amazon Route 53. A security engineer has enabled DNSSEC signing and has created a key-signing key (KSK). When the security engineer tries to test the configuration, the security engineer receives an error for a broken trust chain. What should the security engineer do to resolve this error?
A. Replace the KSK with a zone-signing key (ZSK).
B. Deactivate and then activate the KSK.
C. Create a Delegation Signer (DS) record in the parent hosted zone.
D. Create a Delegation Signer (DS) record in the subdomain.
A security analyst attempted to troubleshoot the monitoring of suspicious security group changes. The analyst was told that there is an Amazon CloudWatch alarm in place for these AWS CloudTrail log events. The analyst tested the monitoring setup by making a configuration change to the security group but did not receive any alerts. Which of the following troubleshooting steps should the analyst perform?
A. Ensure that CloudTrail and S3 bucket access logging is enabled for the analyst's AWS account.
B. Verify that a metric filter was created and then mapped to an alarm. Check the alarm notification action.
C. Check the CloudWatch dashboards to ensure that there is a metric configured with an appropriate dimension for security group changes.
D. Verify that the analyst's account is mapped to an IAM policy that includes permissions for cloudwatch:GetMetricStatistics and cloudwatch:ListMetrics.
A company has public certificates that are managed by AWS Certificate Manager (ACM). The certificates are either imported certificates or managed certificates from ACM with mixed validation methods. A security engineer needs to design a monitoring solution to provide alerts by email when a certificate is approaching its expiration date. What is the MOST operationally efficient way to meet this requirement?
A. Create an AWS Lambda function to list all certificates and to go through each certificate to describe the certificate by using the AWS SDK. Filter on the NotAfter attribute and send an email notification. Use an Amazon EventBridge rate expression to schedule the Lambda function to run daily.
B. Create an Amazon CloudWatch alarm. Add all the certificate ARNs in the AWS/CertificateManager namespace to the DaysToExpiry metric. Configure the alarm to publish a notification to an Amazon Simple Notification Service (Amazon SNS) topic when the value for the DaysToExpiry metric is less than or equal to 31.
C. Set up AWS Security Hub. Turn on the AWS Foundational Security Best Practices standard with integrated ACM to send findings. Configure and use a custom action by creating a rule to match the pattern from the ACM findings on the NotBefore attribute as the event source. Create an Amazon Simple Notification Service (Amazon SNS) topic as the target.
D. Create an Amazon EventBridge rule by using a predefined pattern for ACM. Choose the metric in the ACM Certificate Approaching Expiration event as the event pattern. Create an Amazon Simple Notification Service (Amazon SNS) topic as the target.
A company runs workloads in the us-east-1 Region. The company has never deployed resources to other AWS Regions and does not have any multi-Region resources. The company needs to replicate its workloads and infrastructure to the us-west-1 Region. A security engineer must implement a solution that uses AWS Secrets Manager to store secrets in both Regions. The solution must use AWS Key Management Service (AWS KMS) to encrypt the secrets. The solution must minimize latency and must be able to work if only one Region is available. The security engineer uses Secrets Manager to create the secrets in us-east-1. What should the security engineer do next to meet the requirements?
A. Encrypt the secrets in us-east-1 by using an AWS managed KMS key. Replicate the secrets to us-west-1. Encrypt the secrets in us-west-1 by using a new AWS managed KMS key in us-west-1.
B. Encrypt the secrets in us-east-1 by using an AWS managed KMS key. Configure resources in us-west-1 to call the Secrets Manager endpoint in us-east-1.
C. Encrypt the secrets in us-east-1 by using a customer managed KMS key. Configure resources in us-west-1 to call the Secrets Manager endpoint in us-east-1.
D. Encrypt the secrets in us-east-1 by using a customer managed KMS key. Replicate the secrets to us-west-1. Encrypt the secrets in us-west-1 by using the customer managed KMS key from us-east-1.
A company used AWS Organizations to set up an environment with multiple AWS accounts. The company's organization currently has two AWS accounts, and the company expects to add more than 50 AWS accounts during the next 12 months. The company will require all existing and future AWS accounts to use Amazon GuardDuty. Each existing AWS account has GuardDuty active. The company reviews GuardDuty findings by logging into each AWS account individually. The company wants a centralized view of the GuardDuty findings for the existing AWS accounts and any future AWS accounts. The company also must ensure that any new AWS account has GuardDuty automatically turned on. Which solution will meet these requirements?
A. Create a new AWS account in the organization. Enable GuardDuty in the new account. Designate the new account as the delegated administrator account for GuardDuty. Configure GuardDuty to add existing accounts as member accounts. Select the option to automatically add new AWS accounts to the organization.
B. Create a new AWS account in the organization. Enable GuardDuty in the new account. Enable AWS Security Hub in each account. Select the option to automatically add new AWS accounts to the organization.
C. Enable AWS Security Hub in the organization's management account. Designate the management account as the delegated administrator account for Security Hub. Add existing accounts as member accounts. Select the option to automatically add new AWS accounts to the organization. Send all Security Hub findings to the organization's GuardDuty account.
A company has AWS accounts that are in an organization in AWS Organizations. A security engineer needs to set up AWS Security Hub in a dedicated account for security monitoring. The security engineer must ensure that Security Hub automatically manages all existing accounts and all new accounts that are added to the organization. Security Hub also must receive findings from all AWS Regions. Which combination of actions will meet these requirements with the LEAST operational overhead? (Select TWO.)
A. Create an AWS Lambda function that routes events from other Regions to the dedicated Security Hub account. Create an Amazon EventBridge rule to invoke the Lambda function.
B. Turn on the option to automatically enable accounts for Security Hub.
C. Create an SCP that denies the securityhub:DisableSecurityHub permission. Attach the SCP to the organization's root account.
D. Configure services in other Regions to write events to an AWS CloudTrail organization trail. Configure Security Hub to read events from the trail.
A security engineer is creating an AWS Lambda function. The Lambda function needs to use a role that is named LambdaAuditRole to assume a role that is named AcmeAuditFactoryRole in a different AWS account. When the code is processed, the following error message appears: "An error occurred (AccessDenied) when calling the AssumeRole operation." Which combination of steps should the security engineer take to resolve this error? (Select TWO.)
A. Ensure that LambdaAuditRole has the sts:AssumeRole permission for AcmeAuditFactoryRole.
B. Ensure that LambdaAuditRole has the AWSLambdaBasicExecutionRole managed policy attached.
C. Ensure that the trust policy for AcmeAuditFactoryRole allows the sts:AssumeRole action from LambdaAuditRole.
D. Ensure that the trust policy for LambdaAuditRole allows the sts:AssumeRole action from the lambda.amazonaws.com service.
E. Ensure that the sts:AssumeRole API call is being issued to the us-east-1 Region endpoint.
A systems engineer deployed containers from several custom-built images that an application team provided through a QA workflow. The systems engineer used Amazon Elastic Container Service (Amazon ECS) with the Fargate launch type as the target platform. The systems engineer now needs to collect logs from all containers into an existing Amazon CloudWatch log group. Which solution will meet this requirement?
A. Turn on the awslogs log driver by specifying parameters for awslogs-group and awslogs-region in the LogConfiguration property.
B. Download and configure the CloudWatch agent on the container instances.
C. Set up Fluent Bit and Fluentd as a DaemonSet to send logs to Amazon CloudWatch Logs.
D. Configure an IAM policy that includes the logs:CreateLogGroup action. Assign the policy to the container instances.
An Amazon EC2 Auto Scaling group launches Amazon Linux EC2 instances and installs the Amazon CloudWatch agent to publish logs to Amazon CloudWatch Logs. The EC2 instances launch with an IAM role that has an IAM policy attached. The policy provides access to publish custom metrics to CloudWatch. The EC2 instances run in a private subnet inside a VPC. The VPC provides access to the internet for private subnets through a NAT gateway. A security engineer notices that no logs are being published to CloudWatch Logs for the EC2 instances that the Auto Scaling group launches. The security engineer validates that the CloudWatch Logs agent is running and is configured properly on the EC2 instances. In addition, the security engineer validates that network communications are working properly to AWS services. What can the security engineer do to ensure that the logs are published to CloudWatch Logs?
A. Configure the IAM policy in use by the IAM role to have access to the required cloudwatch: API actions that will publish logs.
B. Adjust the Amazon EC2 Auto Scaling service-linked role to have permissions to write to CloudWatch Logs.
C. Configure the IAM policy in use by the IAM role to have access to the required AWS logs: API actions that will publish logs.
D. Add an interface VPC endpoint to provide a route to CloudWatch Logs.
A company has secured the AWS account root user for its AWS account by following AWS best practices. The company also has enabled AWS CloudTrail, which is sending its logs to Amazon S3. A security engineer wants to receive notification in near-real time if a user uses the AWS account root user credentials to sign in to the AWS Management Console. Which solutions will provide this notification? (Select TWO.)
A. Use AWS Trusted Advisor and its security evaluations for the root account. Configure an Amazon EventBridge event rule that is invoked by the Trusted Advisor API. Configure the rule to target an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe any required endpoints to the SNS topic so that these endpoints can receive notification.
B. Use AWS IAM Access Analyzer. Create an Amazon CloudWatch Logs metric filter to evaluate log entries from Access Analyzer that detect a successful root account login. Create an Amazon CloudWatch alarm that monitors whether a root login has occurred. Configure the CloudWatch alarm to notify an Amazon Simple Notification Service (Amazon SNS) topic when the alarm enters the ALARM state. Subscribe any required endpoints to this SNS topic so that these endpoints can receive notification.
C. Configure AWS CloudTrail to send its logs to Amazon CloudWatch Logs. Configure a metric filter on the CloudWatch Logs log group used by CloudTrail to evaluate log entries for successful root account logins. Create an Amazon CloudWatch alarm that monitors whether a root login has occurred. Configure the CloudWatch alarm to notify an Amazon Simple Notification Service (Amazon SNS) topic when the alarm enters the ALARM state. Subscribe any required endpoints to this SNS topic so that these endpoints can receive notification.
D. Configure AWS CloudTrail to send log notifications to an Amazon Simple Notification Service (Amazon SNS) topic. Create an AWS Lambda function that parses the CloudTrail notification for root login activity and notifies a separate SNS topic that contains the endpoints that should receive notification. Subscribe the Lambda function to the SNS topic that is receiving log notifications from CloudTrail.
E. Configure an Amazon EventBridge event rule that runs when Amazon CloudWatch API calls are recorded for a successful root login. Configure the rule to target an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe any required endpoints to the SNS topic so that these endpoints can receive notification.
A company needs to create a centralized solution to analyze log files. The company uses an organization in AWS Organizations to manage its AWS accounts. The solution must aggregate and normalize events from the following sources:
• The entire organization in Organizations
• All AWS Marketplace offerings that run in the company's AWS accounts
• The company's on-premises systems
Which solution will meet these requirements?
A. Configure log streams in Amazon CloudWatch Logs for the sources that need monitoring. Create log subscription filters for each log stream. Forward the messages to Amazon OpenSearch Service for analysis.
B. Set up a delegated Amazon Security Lake administrator account in Organizations. Enable and configure Security Lake for the organization. Add the accounts that need monitoring. Use Amazon Athena to query the log data.
C. Apply an SCP to configure all member accounts and services to deliver log files to a centralized Amazon S3 bucket. Use Amazon OpenSearch Service to query the centralized S3 bucket for log entries.
A company has a VPC that has no internet access and has the private DNS hostnames option enabled. An Amazon Aurora database is running inside the VPC. A security engineer wants to use AWS Secrets Manager to automatically rotate the credentials for the Aurora database. The security engineer configures the Secrets Manager default AWS Lambda rotation function to run inside the same VPC that the Aurora database uses. However, the security engineer determines that the password cannot be rotated properly because the Lambda function cannot communicate with the Secrets Manager endpoint. What is the MOST secure way that the security engineer can give the Lambda function the ability to communicate with the Secrets Manager endpoint?
A. Add a NAT gateway to the VPC to allow access to the Secrets Manager endpoint.
B. Add a gateway VPC endpoint to the VPC to allow access to the Secrets Manager endpoint.
C. Add an interface VPC endpoint to the VPC to allow access to the Secrets Manager endpoint.
D. Add an internet gateway for the VPC to allow access to the Secrets Manager endpoint.
A company is evaluating the use of AWS Systems Manager Session Manager to gain access to the company's Amazon EC2 instances. However, until the company implements the change, the company must protect the key file for the EC2 instances from read and write operations by any other users. When a security administrator tries to connect to a critical EC2 Linux instance during an emergency, the security administrator receives the following error: "Error: Unprotected private key file - Permissions for '.ssh/my_private_key.pem' are too open". Which command should the security administrator use to modify the private key file permissions to resolve this error?
A. chmod 0040 .ssh/my_private_key.pem
B. chmod 0400 .ssh/my_private_key.pem
C. chmod 0004 .ssh/my_private_key.pem
D. chmod 0777 .ssh/my_private_key.pem
A company has deployed servers on Amazon EC2 instances in a VPC. External vendors access these servers over the internet. Recently, the company deployed a new application on EC2 instances in a new CIDR range. The company needs to make the application available to the vendors. A security engineer verified that the associated security groups and network ACLs are allowing the required ports in the inbound direction. However, the vendors cannot connect to the application. Which solution will provide the vendors access to the application?
A. Modify the security group that is associated with the EC2 instances to have the same outbound rules as inbound rules.
B. Modify the network ACL that is associated with the CIDR range to allow outbound traffic to ephemeral ports.
C. Modify the inbound rules on the internet gateway to allow the required ports.
D. Modify the network ACL that is associated with the CIDR range to have the same outbound rules as inbound rules.
A company uses AWS Signer with all of the company’s AWS Lambda functions. A developer recently stopped working for the company. The company wants to ensure that all the code that the developer wrote can no longer be deployed to the Lambda functions. Which solution will meet this requirement?
A. Revoke all versions of the signing profile assigned to the developer.
B. Examine the developer’s IAM roles. Remove all permissions that grant access to Signer.
C. Re-encrypt all source code with a new AWS Key Management Service (AWS KMS) key.
D. Use Amazon CodeGuru to profile all the code that the Lambda functions use.
A Network Load Balancer (NLB) target instance is not entering the InService state. A security engineer determines that health checks are failing. Which factors could cause the health check failures? (Select THREE.)
A security engineer recently rotated all IAM access keys in an AWS account. The security engineer then configured AWS Config and enabled the following AWS Config managed rules: mfa-enabled-for-iam-console-access, iam-user-mfa-enabled, access-key-rotated, and iam-user-unused-credentials-check. The security engineer notices that all resources are displaying as noncompliant after the IAM GenerateCredentialReport API operation is invoked. What could be the reason for the noncompliant status?
A. The IAM credential report was generated within the past 4 hours.
B. The security engineer does not have the GenerateCredentialReport permission.
C. The security engineer does not have the GetCredentialReport permission.
D. The AWS Config rules have a MaximumExecutionFrequency value of 24 hours.
A Systems Engineer is troubleshooting the connectivity of a test environment that includes a virtual security appliance deployed inline. In addition to using the virtual security appliance, the Development team wants to use security groups and network ACLs to accomplish various security requirements in the environment. What configuration is necessary to allow the virtual security appliance to route the traffic?
A. Disable network ACLs.
B. Configure the security appliance's elastic network interface for promiscuous mode.
C. Disable the Network Source/Destination check on the security appliance's elastic network interface.
D. Place the security appliance in the public subnet with the internet gateway.
A Security Engineer is building a Java application that is running on Amazon EC2. The application communicates with an Amazon RDS instance and authenticates with a user name and password. Which combination of steps can the Engineer take to protect the credentials and minimize downtime when the credentials are rotated? (Choose two.)
A. Have a Database Administrator encrypt the credentials and store the ciphertext in Amazon S3. Grant permission to the instance role associated with the EC2 instance to read the object and decrypt the ciphertext.
B. Configure a scheduled job that updates the credential in AWS Systems Manager Parameter Store and notifies the Engineer that the application needs to be restarted.
C. Configure automatic rotation of credentials in AWS Secrets Manager.
D. Store the credential in an encrypted string parameter in AWS Systems Manager Parameter Store. Grant permission to the instance role associated with the EC2 instance to access the parameter and the AWS KMS key that is used to encrypt it.
E. Configure the Java application to catch a connection failure and make a call to AWS Secrets Manager to retrieve updated credentials when the password is rotated. Grant permission to the instance role associated with the EC2 instance to access Secrets Manager.
A company has a group of Amazon EC2 instances in a single private subnet of a VPC with no internet gateway attached. A security engineer has installed the Amazon CloudWatch agent on all instances in that subnet to capture logs from a specific application. To ensure that the logs flow securely, the company's networking team has created VPC endpoints for CloudWatch monitoring and CloudWatch logs. The networking team has attached the endpoints to the VPC. The application is generating logs. However, when the security engineer queries CloudWatch, the logs do not appear. Which combination of steps should the security engineer take to troubleshoot this issue? (Choose three.)
A. Ensure that the EC2 instance profile that is attached to the EC2 instances has permissions to create log streams and write logs.
B. Create a metric filter on the logs so that they can be viewed in the AWS Management Console.
C. Check the CloudWatch agent configuration file on each EC2 instance to make sure that the CloudWatch agent is collecting the proper log files.
D. Check the VPC endpoint policies of both VPC endpoints to ensure that the EC2 instances have permissions to use them.
E. Create a NAT gateway in the subnet so that the EC2 instances can communicate with CloudWatch.
F. Ensure that the security groups allow all the EC2 instances to communicate with each other to aggregate logs before sending.
An AWS account administrator created an IAM group and applied the following managed policy to require that each individual user authenticate using multi-factor authentication:
After implementing the policy, the administrator receives reports that users are unable to perform Amazon EC2 commands using the AWS CLI. What should the administrator do to resolve this problem while still enforcing multi-factor authentication?
A. Change the value of aws:MultiFactorAuthPresent to true.
B. Instruct users to run the aws sts get-session-token CLI command and pass the multi-factor authentication --serial-number and --token-code parameters. Use these resulting values to make API/CLI calls.
C. Implement federated API/CLI access using SAML 2.0, then configure the identity provider to enforce multi-factor authentication.
D. Create a role and enforce multi-factor authentication in the role trust policy. Instruct users to run the sts assume-role CLI command and pass --serial-number and --token-code parameters. Store the resulting values in environment variables. Add sts:AssumeRole to NotAction in the policy.
A company uses SAML federation to grant users access to AWS accounts. A company workload that is in an isolated AWS account runs on immutable infrastructure with no human access to Amazon EC2. The company requires a specialized user known as a break glass user to have access to the workload AWS account and instances in the case of SAML errors. A recent audit discovered that the company did not create the break glass user for the AWS account that contains the workload. The company must create the break glass user. The company must log any activities of the break glass user and send the logs to a security team. Which combination of solutions will meet these requirements? (Select TWO.)
A. Create a local individual break glass IAM user for the security team. Create a trail in AWS CloudTrail that has Amazon CloudWatch Logs turned on. Use Amazon EventBridge to monitor local user activities.
B. Create a break glass EC2 key pair for the AWS account. Provide the key pair to the security team. Use AWS CloudTrail to monitor key pair activity. Send notifications to the security team by using Amazon Simple Notification Service (Amazon SNS).
C. Create a break glass IAM role for the account. Allow security team members to perform the AssumeRoleWithSAML operation. Create an AWS CloudTrail trail that has Amazon CloudWatch Logs turned on. Use Amazon EventBridge to monitor security team activities.
D. Create a local individual break glass IAM user on the operating system level of each workload instance. Configure unrestricted security groups on the instances to grant access to the break glass IAM users.
E. Configure AWS Systems Manager Session Manager for Amazon EC2. Configure an AWS CloudTrail filter based on Session Manager. Send the results to an Amazon Simple Notification Service (Amazon SNS) topic.
A security engineer must use AWS Key Management Service (AWS KMS) to design a key management solution for a set of Amazon Elastic Block Store (Amazon EBS) volumes that contain sensitive data. The solution needs to ensure that the key material automatically expires in 90 days. Which solution meets these criteria?
A. A customer managed CMK that uses customer provided key material
B. A customer managed CMK that uses AWS provided key material
C. An AWS managed CMK
D. Operating system-native encryption that uses GnuPG
A security engineer is trying to use Amazon EC2 Image Builder to create an image of an EC2 instance. The security engineer has configured the pipeline to send logs to an Amazon S3 bucket. When the security engineer runs the pipeline, the build fails with the following error: “AccessDenied: Access Denied status code: 403”. The security engineer must resolve the error by implementing a solution that complies with best practices for least privilege access. Which combination of steps will meet these requirements? (Choose two.)
A. Ensure that the following policies are attached to the IAM role that the security engineer is using: EC2InstanceProfileForImageBuilder, EC2InstanceProfileForImageBuilderECRContainerBuilds, and AmazonSSMManagedInstanceCore.
B. Ensure that the following policies are attached to the instance profile for the EC2 instance: EC2InstanceProfileForImageBuilder, EC2InstanceProfileForImageBuilderECRContainerBuilds, and AmazonSSMManagedInstanceCore.
C. Ensure that the AWSImageBuilderFullAccess policy is attached to the instance profile for the EC2 instance.
D. Ensure that the security engineer’s IAM role has the s3:PutObject permission for the S3 bucket.
E. Ensure that the instance profile for the EC2 instance has the s3:PutObject permission for the S3 bucket.
A company has contracted with a third party to audit several AWS accounts. To enable the audit, cross-account IAM roles have been created in each account targeted for audit. The Auditor is having trouble accessing some of the accounts. Which of the following may be causing this problem? (Choose three.)
A. The external ID used by the Auditor is missing or incorrect.
B. The Auditor is using the incorrect password.
C. The Auditor has not been granted sts:AssumeRole for the role in the destination account.
D. The Amazon EC2 role used by the Auditor must be set to the destination account role.
E. The secret key used by the Auditor is missing or incorrect.
F. The role ARN used by the Auditor is missing or incorrect.
A Security Engineer is working with a Product team building a web application on AWS. The application uses Amazon S3 to host the static content, Amazon API Gateway to provide RESTful services, and Amazon DynamoDB as the backend data store. The users already exist in a directory that is exposed through a SAML identity provider. Which combination of the following actions should the Engineer take to enable users to be authenticated into the web application and call APIs? (Choose three.)
A. Create a custom authorization service using AWS Lambda.
B. Configure a SAML identity provider in Amazon Cognito to map attributes to the Amazon Cognito user pool attributes.
C. Configure the SAML identity provider to add the Amazon Cognito user pool as a relying party.
D. Configure an Amazon Cognito identity pool to integrate with social login providers.
E. Update DynamoDB to store the user email addresses and passwords.
F. Update API Gateway to use a COGNITO_USER_POOLS authorizer.
A company has an organization with SCPs in AWS Organizations. The root SCP for the organization is as follows:
The company's developers are members of a group that has an IAM policy that allows access to Amazon Simple Email Service (Amazon SES) by allowing ses:* actions. The account is a child of an OU that has an SCP that allows Amazon SES. The developers are receiving a not-authorized error when they try to access Amazon SES through the AWS Management Console. Which change must a security engineer implement so that the developers can access Amazon SES?
A. Add a resource policy that allows each member of the group to access Amazon SES.
B. Add a resource policy that allows "Principal": {"AWS": "arn:aws:iam::accountnumber:group/Dev"}.
C. Remove the AWS Control Tower control (guardrail) that restricts access to Amazon SES.
D. Remove Amazon SES from the root SCP.
A company is evaluating its security posture. In the past, the company has observed issues with specific hosts and host header combinations that affected the company's business. The company has configured AWS WAF web ACLs as an initial step to mitigate these issues. The company must create a log analysis solution for the AWS WAF web ACLs to monitor problematic activity. The company wants to process all the AWS WAF logs in a central location. The company must have the ability to filter out requests based on specific hosts. A security engineer starts to enable access logging for the AWS WAF web ACLs. What should the security engineer do next to meet these requirements with the MOST operational efficiency?
A. Specify Amazon Redshift as the destination for the access logs. Deploy the Amazon Athena Redshift connector. Use Athena to query the data from Amazon Redshift and to filter the logs by host.
B. Specify Amazon CloudWatch as the destination for the access logs. Use Amazon CloudWatch Logs Insights to design a query to filter the logs by host.
C. Specify Amazon CloudWatch as the destination for the access logs. Export the CloudWatch logs to an Amazon S3 bucket. Use Amazon Athena to query the logs and to filter the logs by host.
D. Specify Amazon CloudWatch as the destination for the access logs. Use Amazon Redshift Spectrum to query the logs and to filter the logs by host.
A company uses AWS Organizations. The company wants to implement short-term credentials for third-party AWS accounts to use to access accounts within the company's organization. Access is for the AWS Management Console and third-party software-as-a-service (SaaS) applications. Trust must be enhanced to prevent two external accounts from using the same credentials. The solution must require the least possible operational effort. Which solution will meet these requirements?
A. Use bearer token authentication with OAuth or SAML to manage and share a central Amazon Cognito user pool across multiple Amazon API Gateway APIs.
B. Implement AWS IAM Identity Center (AWS Single Sign-On), and use an identity source of choice. Grant access to users and groups from other accounts by using permission sets that are assigned by account.
C. Create a unique IAM role for each external account. Create a trust policy. Use AWS Secrets Manager to create a random external key.
D. Create a unique IAM role for each external account. Create a trust policy that includes a condition that uses the sts:ExternalId condition key.
A company uses AWS Organizations to manage several AWS accounts. The company processes a large volume of sensitive data. The company uses a serverless approach to microservices. The company stores all the data in either Amazon S3 or Amazon DynamoDB. The company reads the data by using either AWS Lambda functions or container-based services that the company hosts on Amazon Elastic Kubernetes Service (Amazon EKS) on AWS Fargate. The company must implement a solution to encrypt all the data at rest and enforce least privilege data access controls. The company creates an AWS Key Management Service (AWS KMS) customer managed key. What should the company do next to meet these requirements?
A. Create a key policy that allows the kms:Decrypt action only for Amazon S3 and DynamoDB. Create an SCP that denies the creation of S3 buckets and DynamoDB tables that are not encrypted with the key.
B. Create an IAM policy that denies the kms:Decrypt action for the key. Create a Lambda function that runs on a schedule to attach the policy to any new roles. Create an AWS Config rule to send alerts for resources that are not encrypted with the key.
C. Create a key policy that allows the kms:Decrypt action only for Amazon S3, DynamoDB, Lambda, and Amazon EKS. Create an SCP that denies the creation of S3 buckets and DynamoDB tables that are not encrypted with the key.
D. Create a key policy that allows the kms:Decrypt action only for Amazon S3, DynamoDB, Lambda, and Amazon EKS. Create an AWS Config rule to send alerts for resources that are not encrypted with the key.
A security engineer is creating an AWS Lambda function. The Lambda function needs to use a role that is named LambdaAuditRole to assume a role that is named AcmeAuditFactoryRole in a different AWS account. When the code is processed, the following error message appears: "An error occurred (AccessDenied) when calling the AssumeRole operation." Which combination of steps should the security engineer take to resolve this error? (Select TWO.)
A. Ensure that LambdaAuditRole has the sts:AssumeRole permission for AcmeAuditFactoryRole.
B. Ensure that LambdaAuditRole has the AWSLambdaBasicExecutionRole managed policy attached.
C. Ensure that the trust policy for AcmeAuditFactoryRole allows the sts:AssumeRole action from LambdaAuditRole.
D. Ensure that the trust policy for LambdaAuditRole allows the sts:AssumeRole action from the lambda.amazonaws.com service.
E. Ensure that the sts:AssumeRole API call is being issued to the us-east-1 Region endpoint.
A company hosts a public website on an Amazon EC2 instance. HTTPS traffic must be able to access the website. The company uses SSH for management of the web server. The website is on the subnet 10.0.1.0/24. The management subnet is 192.168.100.0/24. A security engineer must create a security group for the EC2 instance. Which combination of steps should the security engineer take to meet these requirements in the MOST secure manner? (Select TWO.)
A. Allow port 22 from source 0.0.0.0/0.
B. Allow port 443 from source 0.0.0.0/0.
C. Allow port 22 from 192.168.100.0/24.
D. Allow port 22 from 10.0.1.0/24.
E. Allow port 443 from 10.0.1.0/24.
A security engineer is configuring a mechanism to send an alert when three or more failed sign-in attempts to the AWS Management Console occur during a 5-minute period. The security engineer creates a trail in AWS CloudTrail to assist in this work. Which solution will meet these requirements?
A. In CloudTrail, turn on Insights events on the trail. Configure an alarm on the insight with eventName matching ConsoleLogin and errorMessage matching “Failed authentication”. Configure a threshold of 3 and a period of 5 minutes.
B. Configure CloudTrail to send events to Amazon CloudWatch Logs. Create a metric filter for the relevant log group. Create a filter pattern with eventName matching ConsoleLogin and errorMessage matching “Failed authentication”. Create a CloudWatch alarm with a threshold of 3 and a period of 5 minutes.
C. Create an Amazon Athena table from the CloudTrail events. Run a query for eventName matching ConsoleLogin and for errorMessage matching “Failed authentication”. Create a notification action from the query to send an Amazon Simple Notification Service (Amazon SNS) notification when the count equals 3 within a period of 5 minutes.
D. In AWS Identity and Access Management Access Analyzer, create a new analyzer. Configure the analyzer to send an Amazon Simple Notification Service (Amazon SNS) notification when a failed sign-in event occurs 3 times for any IAM user within a period of 5 minutes.
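As an added example (not part of the original page), here is the metric-filter logic from the question above run in Python over a handful of constructed CloudTrail records, counted in the same fixed 5-minute periods a CloudWatch alarm evaluates. The user names, IP address and timestamps are made up. A second predicate keyed on responseElements.ConsoleLogin is included to show what an exact match on the errorMessage text misses.

```python
"""Failed-console-sign-in detection: the predicate a CloudWatch Logs metric
filter applies to CloudTrail records, plus the fixed-period counting a
CloudWatch alarm performs on the resulting metric.  Added illustration;
the records below are constructed, not real CloudTrail output."""
import json
from datetime import datetime, timezone

# Metric filter pattern equivalent to is_failed_authentication() below.
METRIC_FILTER_PATTERN = (
    '{ ($.eventName = "ConsoleLogin") && ($.errorMessage = "Failed authentication") }'
)


def _record(time, user, outcome, error=None):
    """One CloudTrail ConsoleLogin record as a JSON log line (constructed,
    trimmed to the fields used here)."""
    rec = {"eventTime": time, "eventName": "ConsoleLogin",
           "userIdentity": {"type": "IAMUser", "userName": user},
           "sourceIPAddress": "203.0.113.10",
           "responseElements": {"ConsoleLogin": outcome}}
    if error:
        rec["errorMessage"] = error
    return json.dumps(rec)


SAMPLE_LOG_LINES = [
    _record("2024-11-08T10:00:05Z", "alice", "Failure", "Failed authentication"),
    _record("2024-11-08T10:01:10Z", "alice", "Failure", "Failed authentication"),
    _record("2024-11-08T10:02:30Z", "bob", "Success"),
    _record("2024-11-08T10:03:40Z", "bob", "Failure", "Failed authentication"),
    # a sign-in attempt for a user that does not exist fails with another message
    _record("2024-11-08T10:04:59Z", "mallory", "Failure", "No username found in supplied account"),
    _record("2024-11-08T10:07:15Z", "alice", "Failure", "Failed authentication"),
    json.dumps({"eventTime": "2024-11-08T10:08:00Z", "eventName": "AssumeRole"}),
]


def is_failed_authentication(event):
    """Exactly what the metric filter pattern matches."""
    return (event.get("eventName") == "ConsoleLogin"
            and event.get("errorMessage") == "Failed authentication")


def is_console_login_failure(event):
    """Broader: any ConsoleLogin whose response records a failure."""
    return (event.get("eventName") == "ConsoleLogin"
            and event.get("responseElements", {}).get("ConsoleLogin") == "Failure")


def _period_start(event_time, period_seconds):
    """Floor an ISO-8601 CloudTrail timestamp to the start of its period."""
    ts = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    epoch = int(ts.timestamp())
    start = datetime.fromtimestamp(epoch - epoch % period_seconds, tz=timezone.utc)
    return start.strftime("%Y-%m-%dT%H:%M:%SZ")


def count_by_period(log_lines, predicate=is_failed_authentication, period_seconds=300):
    """Metric value per fixed period: how many records matched the filter."""
    counts = {}
    for line in log_lines:
        event = json.loads(line)
        if predicate(event):
            start = _period_start(event["eventTime"], period_seconds)
            counts[start] = counts.get(start, 0) + 1
    return counts


def alarm_periods(log_lines, threshold=3, predicate=is_failed_authentication,
                  period_seconds=300):
    """Period starts in which the alarm would go to ALARM (count >= threshold)."""
    counts = count_by_period(log_lines, predicate, period_seconds)
    return sorted(start for start, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(count_by_period(SAMPLE_LOG_LINES))
    print(alarm_periods(SAMPLE_LOG_LINES))
```

Note that the metric filter counts across the whole account, not per user, so three different users each failing once in one period also trips the alarm; if that is not wanted, the filter needs a dimension on userIdentity.userName.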
A company is using AWS Organizations to implement a multi-account strategy. The company does not have on-premises infrastructure. All workloads run on AWS. The company currently has eight member accounts. The company anticipates that it will have no more than 20 AWS accounts total at any time. The company issues a new security policy that contains the following requirements: • No AWS account should use a VPC within the AWS account for workloads. • The company should use a centrally managed VPC that all AWS accounts can access to launch workloads in subnets. • No AWS account should be able to modify another AWS account's application resources within the centrally managed VPC. • The centrally managed VPC should reside in an existing AWS account that is named Account-A within an organization. The company uses an AWS CloudFormation template to create a VPC that contains multiple subnets in Account-A. This template exports the subnet IDs through the CloudFormation Outputs section. Which solution will complete the security setup to meet these requirements?
A. Use a CloudFormation template in the member accounts to launch workloads. Configure the template to use the Fn::ImportValue function to obtain the subnet ID values.
B. Use a transit gateway in the VPC within Account-A. Configure the member accounts to use the transit gateway to access the subnets in Account-A to launch workloads.
C. Use AWS Resource Access Manager (AWS RAM) to share Account-A's VPC subnets with the remaining member accounts. Configure the member accounts to use the shared subnets to launch workloads.
D. Create a peering connection between Account-A and the remaining member accounts. Configure the member accounts to use the subnets in Account-A through the VPC peering connection to launch workloads.
A Security Engineer is asked to update an AWS CloudTrail log file prefix for an existing trail. When attempting to save the change in the CloudTrail console, the Security Engineer receives the following error message: `There is a problem with the bucket policy.` What will enable the Security Engineer to save the change?
A. Create a new trail with the updated log file prefix, and then delete the original trail. Update the existing bucket policy in the Amazon S3 console with the new log file prefix, and then update the log file prefix in the CloudTrail console.
B. Update the existing bucket policy in the Amazon S3 console to allow the Security Engineer's Principal to perform PutBucketPolicy, and then update the log file prefix in the CloudTrail console.
C. Update the existing bucket policy in the Amazon S3 console with the new log file prefix, and then update the log file prefix in the CloudTrail console.
D. Update the existing bucket policy in the Amazon S3 console to allow the Security Engineer's Principal to perform GetBucketPolicy, and then update the log file prefix in the CloudTrail console.
A company needs complete encryption of the traffic between external users and an application. The company hosts the application on a fleet of Amazon EC2 instances that run in an Auto Scaling group behind an Application Load Balancer (ALB). How can a security engineer meet these requirements?
A. Create a new Amazon-issued certificate in AWS Secrets Manager. Export the certificate from Secrets Manager. Import the certificate into the ALB and the EC2 instances.
B. Create a new Amazon-issued certificate in AWS Certificate Manager (ACM). Associate the certificate with the ALB. Export the certificate from ACM. Install the certificate on the EC2 instances.
C. Import a new third-party certificate into AWS Identity and Access Management (IAM). Export the certificate from IAM. Associate the certificate with the ALB and the EC2 instances.
D. Import a new third-party certificate into AWS Certificate Manager (ACM). Associate the certificate with the ALB. Install the certificate on the EC2 instances.
A company is using Amazon Elastic Container Service (Amazon ECS) to run its container-based application on AWS. The company needs to ensure that the container images contain no severe vulnerabilities. The company also must ensure that only specific IAM roles and specific AWS accounts can access the container images. Which solution will meet these requirements with the LEAST management overhead?
A. Pull images from the public container registry. Publish the images to Amazon Elastic Container Registry (Amazon ECR) repositories with scan on push configured in a centralized AWS account. Use a CI/CD pipeline to deploy the images to different AWS accounts. Use identity-based policies to restrict access to which IAM principals can access the images.
B. Pull images from the public container registry. Publish the images to a private container registry that is hosted on Amazon EC2 instances in a centralized AWS account. Deploy host-based container scanning tools to EC2 instances that run Amazon ECS. Restrict access to the container images by using basic authentication over HTTPS.
C. Pull images from the public container registry. Publish the images to Amazon Elastic Container Registry (Amazon ECR) repositories with scan on push configured in a centralized AWS account. Use a CI/CD pipeline to deploy the images to different AWS accounts. Use repository policies and identity-based policies to restrict access to which IAM principals and accounts can access the images.
D. Pull images from the public container registry. Publish the images to AWS CodeArtifact repositories in a centralized AWS account. Use a CI/CD pipeline to deploy the images to different AWS accounts. Use repository policies and identity-based policies to restrict access to which IAM principals and accounts can access the images.
A company uses infrastructure as code (IaC) to create AWS infrastructure. The company writes the code as AWS CloudFormation templates to deploy the infrastructure. The company has an existing CI/CD pipeline that the company can use to deploy these templates. After a recent security audit, the company decides to adopt a policy-as-code approach to improve the company's security posture on AWS. The company must prevent the deployment of any infrastructure that would violate a security policy, such as an unencrypted Amazon Elastic Block Store (Amazon EBS) volume. Which solution will meet these requirements?
A. Turn on AWS Trusted Advisor. Configure security notifications as webhooks in the preferences section of the CI/CD pipeline.
B. Turn on AWS Config. Use the prebuilt rules or customized rules. Subscribe the CI/CD pipeline to an Amazon Simple Notification Service (Amazon SNS) topic that receives notifications from AWS Config.
C. Create rule sets in AWS CloudFormation Guard. Run validation checks for CloudFormation templates as a phase of the CI/CD process.
D. Create rule sets as SCPs. Integrate the SCPs as a part of validation control in a phase of the CI/CD process.
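The policy-as-code gate the question above describes is a check that runs against the template before anything is deployed, rather than a detective control that fires after the unencrypted volume already exists. The following is an added illustration, not code from the page: a Guard rule for the unencrypted-EBS example, next to an equivalent Python check that a pipeline stage can run. The template it inspects is constructed here.

```python
"""Policy-as-code gate for CloudFormation templates, the kind of check that
AWS CloudFormation Guard runs as a CI/CD stage.  Added illustration: the
Guard rule text, the equivalent Python check and the sample template are
constructed here and are not from the original page."""
import sys

# Guard rule (Guard 2.x syntax) expressing the same control as unencrypted_ebs().
GUARD_RULE = """
let ebs_volumes = Resources.*[ Type == 'AWS::EC2::Volume' ]

rule ebs_volumes_encrypted when %ebs_volumes !empty {
    %ebs_volumes.Properties.Encrypted == true
        <<Every AWS::EC2::Volume must set Encrypted: true>>
}
"""

SAMPLE_TEMPLATE = {  # constructed: one compliant volume, two violations, one unrelated resource
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "LogVolume": {"Type": "AWS::EC2::Volume",
                      "Properties": {"Size": 100, "AvailabilityZone": "us-east-1a",
                                     "Encrypted": True}},
        "DataVolume": {"Type": "AWS::EC2::Volume",
                       "Properties": {"Size": 500, "AvailabilityZone": "us-east-1a"}},
        "WebLaunchTemplate": {"Type": "AWS::EC2::LaunchTemplate",
                              "Properties": {"LaunchTemplateData": {"BlockDeviceMappings": [
                                  {"DeviceName": "/dev/xvda",
                                   "Ebs": {"VolumeSize": 20, "Encrypted": False}}]}}},
        "ReportsBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    },
}


def _is_true(value):
    # JSON templates carry booleans; YAML templates may carry the string "true".
    return value is True or (isinstance(value, str) and value.lower() == "true")


def _block_device_mappings(rtype, props):
    """Where instances and launch templates declare their EBS root/data devices."""
    if rtype == "AWS::EC2::Instance":
        return props.get("BlockDeviceMappings") or []
    if rtype == "AWS::EC2::LaunchTemplate":
        return props.get("LaunchTemplateData", {}).get("BlockDeviceMappings") or []
    return []


def unencrypted_ebs(template):
    """Logical IDs of resources that would create an EBS volume without Encrypted: true.
    Conservative on purpose: a volume restored from an encrypted snapshot would be
    encrypted anyway, but the template should say so explicitly."""
    violations = []
    for logical_id, resource in template.get("Resources", {}).items():
        rtype = resource.get("Type")
        props = resource.get("Properties", {})
        if rtype == "AWS::EC2::Volume":
            if not _is_true(props.get("Encrypted")):
                violations.append(logical_id)
            continue
        for mapping in _block_device_mappings(rtype, props):
            ebs = mapping.get("Ebs")
            if ebs is not None and not _is_true(ebs.get("Encrypted")):
                violations.append(logical_id)
                break
    return violations


def gate(template):
    """Return (passed, messages); the pipeline stage fails when passed is False."""
    violations = unencrypted_ebs(template)
    messages = [f"{lid}: EBS volume is not encrypted" for lid in violations]
    return (not violations), messages


if __name__ == "__main__":
    passed, messages = gate(SAMPLE_TEMPLATE)
    for message in messages:
        print("FAIL", message)
    sys.exit(0 if passed else 1)
```

In a pipeline this runs as its own stage before the deploy step; the Guard form of the rule runs with `cfn-guard validate --rules <rules file> --data <template>` and exits non-zero on a failed rule, which is what stops the deployment.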
A company is using Amazon Route 53 Resolver for its hybrid DNS infrastructure. The company has set up Route 53 Resolver forwarding rules for authoritative domains that are hosted on on-premises DNS servers. A new security mandate requires the company to implement a solution to log and query DNS traffic that goes to the on-premises DNS servers. The logs must show details of the source IP address of the instance from which the query originated. The logs also must show the DNS name that was requested in Route 53 Resolver. Which solution will meet these requirements?
A. Use VPC Traffic Mirroring. Configure all relevant elastic network interfaces as the traffic source, include amazon-dns in the mirror filter, and set Amazon CloudWatch Logs as the mirror target. Use CloudWatch Insights on the mirror session logs to run queries on the source IP address and DNS name.
B. Configure VPC flow logs on all relevant VPCs. Send the logs to an Amazon S3 bucket. Use Amazon Athena to run SQL queries on the source IP address and DNS name.
C. Configure Route 53 Resolver query logging on all relevant VPCs. Send the logs to Amazon CloudWatch Logs. Use CloudWatch Insights to run queries on the source IP address and DNS name.
D. Modify the Route 53 Resolver rules on the authoritative domains that forward to the on-premises DNS servers. Send the logs to an Amazon S3 bucket. Use Amazon Athena to run SQL queries on the source IP address and DNS name.
A security engineer is troubleshooting an AWS Lambda function that is named MyLambdaFunction. The function is encountering an error when the function attempts to read the objects in an Amazon S3 bucket that is named DOC-EXAMPLE-BUCKET. The S3 bucket has the following bucket policy:
Which change should the security engineer make to the policy to ensure that the Lambda function can read the bucket objects?
A. Remove the Condition element. Change the Principal element to the following: {"AWS": "arn:aws:lambda:::function:MyLambdaFunction"}
B. Change the Action element to the following: "s3:GetObject*", "s3:GetBucket*"
C. Change the Resource element to "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*".
D. Change the Resource element to "arn:aws:lambda:::function:MyLambdaFunction". Change the Principal element to the following: {"Service": "s3.amazonaws.com"}
A security engineer wants to forward custom application-security logs from an Amazon EC2 instance to Amazon CloudWatch. The security engineer installs the CloudWatch agent on the EC2 instance and adds the path of the logs to the CloudWatch configuration file. However, CloudWatch does not receive the logs. The security engineer verifies that the awslogs service is running on the EC2 instance. What should the security engineer do next to resolve the issue?
A. Add AWS CloudTrail to the trust policy of the EC2 instance. Send the custom logs to CloudTrail instead of CloudWatch.
B. Add Amazon S3 to the trust policy of the EC2 instance. Configure the application to write the custom logs to an S3 bucket that CloudWatch can use to ingest the logs.
C. Add Amazon Inspector to the trust policy of the EC2 instance. Use Amazon Inspector instead of the CloudWatch agent to collect the custom logs.
D. Attach the CloudWatchAgentServerPolicy AWS managed policy to the EC2 instance role.
A company is running an Amazon RDS for MySQL DB instance in a VPC. The VPC must not send or receive network traffic through the internet. A security engineer wants to use AWS Secrets Manager to rotate the DB instance credentials automatically. Because of a security policy, the security engineer cannot use the standard AWS Lambda function that Secrets Manager provides to rotate the credentials. The security engineer deploys a custom Lambda function in the VPC. The custom Lambda function will be responsible for rotating the secret in Secrets Manager. The security engineer edits the DB instance's security group to allow connections from this function. When the function is invoked, the function cannot communicate with Secrets Manager to rotate the secret properly. What should the security engineer do so that the function can rotate the secret?
A. Add an egress-only internet gateway to the VPC. Allow only the Lambda function's subnet to route traffic through the egress-only internet gateway.
B. Add a NAT gateway to the VPC. Configure only the Lambda function's subnet with a default route through the NAT gateway.
C. Configure a VPC peering connection to the default VPC for Secrets Manager. Configure the Lambda function's subnet to use the peering connection for routes.
D. Configure a Secrets Manager interface VPC endpoint. Include the Lambda function's private subnet during the configuration process.
A security engineer needs to configure an Amazon S3 bucket policy to restrict access to an S3 bucket that is named DOC-EXAMPLE-BUCKET. The policy must allow access to only DOC-EXAMPLE-BUCKET from only the following endpoint: vpce-1a2b3c4d. The policy must deny all access to DOC-EXAMPLE-BUCKET if the specified endpoint is not used. Which bucket policy statement meets these requirements?
A. Option A
B. Option B
C. Option C
D. Option D
A company plans to use AWS Key Management Service (AWS KMS) to implement an encryption strategy to protect data at rest. The company requires client-side encryption for company projects. The company is currently conducting multiple projects to test the company's use of AWS KMS. These tests have led to a sudden increase in the company's AWS resource consumption. The test projects include applications that issue multiple requests each second to KMS endpoints for encryption activities. The company needs to develop a solution that does not throttle the company's ability to use AWS KMS. The solution must improve key usage for client-side encryption and must be cost optimized. Which solution will meet these requirements?
A. Use keyrings with the AWS Encryption SDK. Use each keyring individually or combine keyrings into a multi-keyring. Decrypt the data by using a keyring that has the primary key in the multi-keyring.
B. Use data key caching. Use the local cache that the AWS Encryption SDK provides with a caching cryptographic materials manager.
C. Use KMS key rotation. Use a local cache in the AWS Encryption SDK with a caching cryptographic materials manager.
D. Use keyrings with the AWS Encryption SDK. Use each keyring individually or combine keyrings into a multi-keyring. Use any of the wrapping keys in the multi-keyring to decrypt the data.
A company has hundreds of AWS accounts in an organization in AWS Organizations. The company operates out of a single AWS Region. The company has a dedicated security tooling AWS account in the organization. The security tooling account is configured as the organization's delegated administrator for Amazon GuardDuty and AWS Security Hub. The company has configured the environment to automatically enable GuardDuty and Security Hub for existing AWS accounts and new AWS accounts. The company is performing control tests on specific GuardDuty findings to make sure that the company's security team can detect and respond to security events. The security team launched an Amazon EC2 instance and attempted to run DNS requests against a test domain, example.com, to generate a DNS finding. However, the GuardDuty finding was never created in the Security Hub delegated administrator account. Why was the finding not created in the Security Hub delegated administrator account?
A. VPC flow logs were not turned on for the VPC where the EC2 instance was launched.
B. The VPC where the EC2 instance was launched had the DHCP option configured for a custom OpenDNS resolver.
C. The GuardDuty integration with Security Hub was never activated in the AWS account where the finding was generated.
D. Cross-Region aggregation in Security Hub was not configured.
A security engineer is checking an AWS CloudFormation template for vulnerabilities. The security engineer finds a parameter that has a default value that exposes an application's API key in plaintext. The parameter is referenced several times throughout the template. The security engineer must replace the parameter while maintaining the ability to reference the value in the template. Which solution will meet these requirements in the MOST secure way?
A. Store the API key value as a SecureString parameter in AWS Systems Manager Parameter Store. In the template, replace all references to the value with {{resolve:ssm:MySSMParameterName:1}}.
B. Store the API key value in AWS Secrets Manager. In the template, replace all references to the value with {{resolve:secretsmanager:MySecretId:SecretString}}.
C. Store the API key value in Amazon DynamoDB. In the template, replace all references to the value with {{resolve:dynamodb:MyTableName:MyPrimaryKey}}.
D. Store the API key value in a new Amazon S3 bucket. In the template, replace all references to the value with {{resolve:s3:MyBucketName:MyObjectName}}.
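The mechanical part of the fix in the question above is a template rewrite: find the parameter whose Default carries the plaintext secret, delete the parameter, and replace every `{"Ref": ...}` to it with a dynamic reference that CloudFormation resolves at deployment. The Python below does that and doubles as a linter for templates that still carry plaintext secret defaults. It is an added illustration, not code from the page; the template, the parameter name and the secret ID in the dynamic reference are made up.

```python
"""Finding and removing plaintext secrets from CloudFormation parameter
defaults, replacing the parameter with a dynamic reference so the template
keeps one way to reference the value.  Added illustration, not code from
the page; the template, parameter name and secret ID are made up."""
import re

# {{resolve:SERVICE:REFERENCE}} where SERVICE is ssm, ssm-secure or secretsmanager.
DYNAMIC_REF = re.compile(r"\{\{resolve:(ssm|ssm-secure|secretsmanager):([^}]+)\}\}")
# Parameter names that usually carry a secret; a heuristic, tune it to your naming.
SECRET_LIKE = re.compile(r"key|secret|password|passwd|token|credential", re.I)

SECRET_REF = "{{resolve:secretsmanager:app/api-key:SecretString:apiKey}}"  # assumed secret ID

SAMPLE_TEMPLATE = {  # constructed
    "AWSTemplateFormatVersion": "2010-09-09",
    "Parameters": {
        # NoEcho hides the value in the console, but the Default is still in the template file.
        "ApiKey": {"Type": "String", "NoEcho": True, "Default": "EXAMPLE-API-KEY-0123456789"},
        "StageName": {"Type": "String", "Default": "prod"},
    },
    "Resources": {
        "PrimaryApiKey": {"Type": "AWS::ApiGateway::ApiKey",
                          "Properties": {"Enabled": True, "Value": {"Ref": "ApiKey"}}},
        "CanaryApiKey": {"Type": "AWS::ApiGateway::ApiKey",
                         "Properties": {"Enabled": True, "Value": {"Ref": "ApiKey"}}},
    },
}


def find_plaintext_secret_defaults(template):
    """Names of secret-looking parameters whose Default is a literal value
    rather than a dynamic reference."""
    findings = []
    for name, param in template.get("Parameters", {}).items():
        default = param.get("Default")
        if (SECRET_LIKE.search(name) and isinstance(default, str) and default
                and not DYNAMIC_REF.fullmatch(default)):
            findings.append(name)
    return findings


def count_refs(node, param_name):
    """How many {"Ref": param_name} occurrences the template still contains.
    Fn::Sub "${param_name}" forms are not handled here."""
    if isinstance(node, dict):
        if node == {"Ref": param_name}:
            return 1
        return sum(count_refs(v, param_name) for v in node.values())
    if isinstance(node, list):
        return sum(count_refs(v, param_name) for v in node)
    return 0


def _replace_refs(node, param_name, reference):
    """Rebuild the tree with every {"Ref": param_name} swapped for the reference string."""
    if isinstance(node, dict):
        if node == {"Ref": param_name}:
            return reference
        return {k: _replace_refs(v, param_name, reference) for k, v in node.items()}
    if isinstance(node, list):
        return [_replace_refs(v, param_name, reference) for v in node]
    return node


def replace_parameter_with_dynamic_reference(template, param_name, reference):
    """Return a new template without the parameter; the original is left untouched."""
    if not DYNAMIC_REF.fullmatch(reference):
        raise ValueError("not a dynamic reference: " + reference)
    rewritten = _replace_refs(template, param_name, reference)
    rewritten["Parameters"].pop(param_name, None)
    return rewritten


def dynamic_references(template):
    """Every (service, reference) pair used anywhere in the template."""
    found = []

    def walk(node):
        if isinstance(node, dict):
            for v in node.values():
                walk(v)
        elif isinstance(node, list):
            for v in node:
                walk(v)
        elif isinstance(node, str):
            found.extend((m.group(1), m.group(2)) for m in DYNAMIC_REF.finditer(node))

    walk(template)
    return found


if __name__ == "__main__":
    print("plaintext secret defaults:", find_plaintext_secret_defaults(SAMPLE_TEMPLATE))
    fixed = replace_parameter_with_dynamic_reference(SAMPLE_TEMPLATE, "ApiKey", SECRET_REF)
    print("after rewrite:", find_plaintext_secret_defaults(fixed), dynamic_references(fixed))
```

Two caveats worth knowing when choosing the reference form: `resolve:ssm` is for String and StringList parameters, while a SecureString has to be referenced with `resolve:ssm-secure`, which CloudFormation accepts only in a documented set of resource properties; and CloudFormation resolves a dynamic reference during stack operations, so a rotated secret does not reach the resource until the stack is updated again.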
There is a requirement for a company to transfer large amounts of data between AWS and an on-premises location. There is an additional requirement for low latency and high consistency traffic to AWS. Given these requirements, how would you design a hybrid architecture? Choose the correct answer from the options below.
A. Provision a Direct Connect connection to an AWS Region using a Direct Connect partner.
B. Create a VPN tunnel for private connectivity, which increases network consistency and reduces latency.
C. Create an IPsec tunnel for private connectivity, which increases network consistency and reduces latency.
D. Create a VPC peering connection between AWS and the customer gateway.
A company has AWS accounts in an organization in AWS Organizations. The organization includes a dedicated security account. All AWS account activity across all member accounts must be logged and reported to the dedicated security account. The company must retain all the activity logs in a secure storage location within the dedicated security account for 2 years. No changes or deletions of the logs are allowed. Which combination of steps will meet these requirements with the LEAST operational overhead? (Select TWO.)
A. In the dedicated security account, create an Amazon S3 bucket. Configure S3 Object Lock in compliance mode and a retention period of 2 years on the S3 bucket. Set the bucket policy to allow the organization's management account to write to the S3 bucket.
B. In the dedicated security account, create an Amazon S3 bucket. Configure S3 Object Lock in compliance mode and a retention period of 2 years on the S3 bucket. Set the bucket policy to allow the organization's member accounts to write to the S3 bucket.
C. In the dedicated security account, create an Amazon S3 bucket that has an S3 Lifecycle configuration that expires objects after 2 years. Set the bucket policy to allow the organization's member accounts to write to the S3 bucket.
D. Create an AWS CloudTrail trail for the organization. Configure logs to be delivered to the logging Amazon S3 bucket in the dedicated security account.
E. Turn on AWS CloudTrail in each account. Configure logs to be delivered to an Amazon S3 bucket that is created in the organization's management account. Forward the logs to the S3 bucket in the dedicated security account by using AWS Lambda and Amazon Kinesis Data Firehose.
A company wants to monitor the deletion of customer managed CMKs. A security engineer must create an alarm that will notify the company before a CMK is deleted. The security engineer has configured the integration of AWS CloudTrail with Amazon CloudWatch. What should the security engineer do next to meet this requirement?
A. Use inbound rule 100 to allow traffic on TCP port 443. Use inbound rule 200 to deny traffic on TCP port 3306. Use outbound rule 100 to allow traffic on TCP port 443.
B. Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port range 1024-65535. Use outbound rule 100 to allow traffic on TCP port 443.
C. Use inbound rule 100 to allow traffic on TCP port range 1024-65535. Use inbound rule 200 to deny traffic on TCP port 3306. Use outbound rule 100 to allow traffic on TCP port 443.
D. Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port 443. Use outbound rule 100 to allow traffic on TCP port 443.
A company has implemented AWS WAF and Amazon CloudFront for an application. The application runs on Amazon EC2 instances that are part of an Auto Scaling group. The Auto Scaling group is behind an Application Load Balancer (ALB). The AWS WAF web ACL uses an AWS Managed Rules rule group and is associated with the CloudFront distribution. CloudFront receives the request from AWS WAF and then uses the ALB as the distribution's origin. During a security review, a security engineer discovers that the infrastructure is susceptible to a large, layer 7 DDoS attack. How can the security engineer improve the security at the edge of the solution to defend against this type of attack?
A. Configure the CloudFront distribution to use the Lambda@Edge feature. Create an AWS Lambda function that imposes a rate limit on CloudFront viewer requests. Block the request if the rate limit is exceeded.
B. Configure the AWS WAF web ACL so that the web ACL has more capacity units to process all AWS WAF rules faster.
C. Configure AWS WAF with a rate-based rule that imposes a rate limit that automatically blocks requests when the rate limit is exceeded.
D. Configure the CloudFront distribution to use AWS WAF as its origin instead of the ALB.
An IT department currently has a Java web application deployed on Apache Tomcat running on Amazon EC2 instances. All traffic to the EC2 instances is sent through an internet-facing Application Load Balancer (ALB). The Security team has noticed during the past two days thousands of unusual read requests coming from hundreds of IP addresses. This is causing the Tomcat server to run out of threads and reject new connections. Which is the SIMPLEST change that would address this server issue?
A. Create an Amazon CloudFront distribution and configure the ALB as the origin.
B. Block the malicious IPs with a network access control list (NACL).
C. Create an AWS Web Application Firewall (WAF) web ACL, and attach it to the ALB.
D. Map the application domain name to use Route 53.
A company recently had a security audit in which the auditors identified multiple potential threats. These potential threats can cause usage pattern changes such as DNS access peak, abnormal instance traffic, abnormal network interface traffic, and unusual Amazon S3 API calls. The threats can come from different sources and can occur at any time. The company needs to implement a solution to continuously monitor its system and identify all these incoming threats in near-real time. Which solution will meet these requirements?
A. Enable AWS CloudTrail logs, VPC flow logs, and DNS logs. Use Amazon CloudWatch Logs to manage these logs from a centralized account.
B. Enable AWS CloudTrail logs, VPC flow logs, and DNS logs. Use Amazon Macie to monitor these logs from a centralized account.
C. Enable Amazon GuardDuty from a centralized account. Use GuardDuty to manage AWS CloudTrail logs, VPC flow logs, and DNS logs.
D. Enable Amazon Inspector from a centralized account. Use Amazon Inspector to manage AWS CloudTrail logs, VPC flow logs, and DNS logs.
A company has multiple Amazon S3 buckets encrypted with customer managed CMKs. Due to regulatory requirements, the keys must be rotated every year. The company's Security Engineer has enabled automatic key rotation for the CMKs; however, the company wants to verify that the rotation has occurred. What should the Security Engineer do to accomplish this?
A. Filter AWS CloudTrail logs for KeyRotation events.
B. Monitor Amazon CloudWatch Events for any AWS KMS CMK rotation events.
C. Using the AWS CLI, run the aws kms get-key-rotation-status operation with the --key-id parameter to check the CMK rotation date.
D. Use Amazon Athena to query AWS CloudTrail logs saved in an S3 bucket to filter Generate New Key events.
A company uses an Amazon S3 bucket to store reports Management has mandated that all new objects stored in this bucket must be encrypted at rest using server-side encryption with a client-specified IAM Key Management Service (IAM KMS) CMK owned by the same account as the S3 bucket. The IAM account number is 111122223333, and the bucket name Is report bucket. The company's security specialist must write the S3 bucket policy to ensure the mandate can be Implemented Which statement should the security specialist include in the policy?
A. Option A
B. Option B
C. Option C
D. Option D
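The answer options for the question above are images that did not survive extraction, so here is the policy shape the mandate calls for, as an added Python example that is not from the page: two explicit Deny statements on s3:PutObject, one keyed on s3:x-amz-server-side-encryption and one on s3:x-amz-server-side-encryption-aws-kms-key-id, plus a small evaluator of those conditions so the statements can be tried against sample requests offline. The account number and bucket name are the question's; the key ID inside KEY_ARN is hypothetical.

```python
"""S3 bucket policy that forces every PutObject to use SSE-KMS with one specific
customer managed key, plus an evaluator of the policy's Deny conditions so the
statements can be checked against sample requests offline.  Added example, not
from the page; the key ID in KEY_ARN is hypothetical, the account number and
bucket name come from the question."""
import json

ACCOUNT_ID = "111122223333"
BUCKET = "reportbucket"
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/1234abcd-12ab-34cd-56ef-1234567890ab"

SSE_KEY = "s3:x-amz-server-side-encryption"
KMS_ID_KEY = "s3:x-amz-server-side-encryption-aws-kms-key-id"


def require_sse_kms_policy(bucket, key_arn):
    """Two explicit denies: one for a missing or non-KMS algorithm header, one for
    a KMS key other than key_arn.  An explicit Deny beats any Allow, so the
    mandate holds regardless of what the writers' identity policies grant."""
    objects = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyNonKmsPutObject",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects,
                "Condition": {"StringNotEquals": {SSE_KEY: "aws:kms"}},
            },
            {
                "Sid": "DenyWrongKmsKey",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects,
                "Condition": {"StringNotEquals": {KMS_ID_KEY: key_arn}},
            },
        ],
    }


def _string_not_equals(expected, actual):
    # IAM semantics: a negated operator matches when the key is absent from the request.
    return actual is None or actual != expected


def evaluate_put(policy, request_context):
    """request_context maps condition keys to the values S3 derives from the
    PutObject headers.  Returns "ALLOW" (no Deny matched; some Allow is assumed
    to exist elsewhere) or "DENY:<Sid>" for the first matching Deny statement."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        conds = stmt["Condition"]["StringNotEquals"]
        if all(_string_not_equals(v, request_context.get(k)) for k, v in conds.items()):
            return f"DENY:{stmt['Sid']}"
    return "ALLOW"


if __name__ == "__main__":
    print(json.dumps(require_sse_kms_policy(BUCKET, KEY_ARN), indent=2))
```

Two consequences worth knowing before deploying this: the key-ID condition compares the header value as sent, so clients must put the full key ARN in x-amz-server-side-encryption-aws-kms-key-id, and a PutObject that omits the headers and relies on bucket default encryption is denied by the second statement (the absent key matches StringNotEquals). If the bucket's default encryption is already set to this key and you want header-less uploads to pass, drop the second statement or guard it with a Null condition.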
A security engineer needs to build a solution to turn AWS CloudTrail back on in multiple AWS Regions in case it is ever turned off. What is the MOST efficient way to implement this solution?
A. Use AWS Config with a managed rule to trigger the AWS-EnableCloudTrail remediation.
B. Create an Amazon EventBridge (Amazon CloudWatch Events) event with a cloudtrail.amazonaws.com event source and a StartLogging event name to trigger an AWS Lambda function to call the StartLogging API.
C. Create an Amazon CloudWatch alarm with a cloudtrail.amazonaws.com event source and a StopLogging event name to trigger an AWS Lambda function to call the StartLogging API.
D. Monitor AWS Trusted Advisor to ensure CloudTrail logging is enabled.
An application is running on an Amazon EC2 instance that has an IAM role attached. The IAM role provides access to an AWS Key Management Service (AWS KMS) customer managed key and an Amazon S3 bucket. The key is used to access 2 TB of sensitive data that is stored in the S3 bucket. A security engineer discovers a potential vulnerability on the EC2 instance that could result in the compromise of the sensitive data. Due to other critical operations, the security engineer cannot immediately shut down the EC2 instance for vulnerability patching. What is the FASTEST way to prevent the sensitive data from being exposed?
A. Download the data from the existing S3 bucket to a new EC2 instance. Then delete the data from the S3 bucket. Re-encrypt the data with a client-based key. Upload the data to a new S3 bucket.
B. Block access to the public range of S3 endpoint IP addresses by using a host-based firewall. Ensure that internet-bound traffic from the affected EC2 instance is routed through the host-based firewall.
C. Revoke the IAM role's active session permissions. Update the S3 bucket policy to deny access to the IAM role. Remove the IAM role from the EC2 instance profile.
D. Disable the current key. Create a new KMS key that the IAM role does not have access to, and re-encrypt all the data with the new key. Schedule the compromised key for deletion.
A company uses Amazon API Gateway to present REST APIs to users. An API developer wants to analyze API access patterns without the need to parse the log files. Which combination of steps will meet these requirements with the LEAST effort? (Select TWO.)
A. Configure access logging for the required API stage.
B. Configure an AWS CloudTrail trail destination for API Gateway events. Configure filters on the userIdentity, userAgent, and sourceIPAddress fields.
C. Configure an Amazon S3 destination for API Gateway logs. Run Amazon Athena queries to analyze API access information.
D. Use Amazon CloudWatch Logs Insights to analyze API access information.
E. Select the Enable Detailed CloudWatch Metrics option on the required API stage.
A company has an application that uses dozens of Amazon DynamoDB tables to store data. Auditors find that the tables do not comply with the company's data protection policy. The company's retention policy states that all data must be backed up twice each month: once at midnight on the 15th day of the month and again at midnight on the 25th day of the month. The company must retain the backups for 3 months. Which combination of steps should a security engineer take to meet these requirements? (Select TWO.)
A. Use the DynamoDB on-demand backup capability to create a backup plan. Configure a lifecycle policy to expire backups after 3 months.
B. Use AWS DataSync to create a backup plan. Add a backup rule that includes a retention period of 3 months.
C. Use AWS Backup to create a backup plan. Add a backup rule that includes a retention period of 3 months.
D. Set the backup frequency by using a cron schedule expression. Assign each DynamoDB table to the backup plan.
E. Set the backup frequency by using a rate schedule expression. Assign each DynamoDB table to the backup plan.
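The retention rule in the question above is exactly the kind of schedule that should be checked before it goes into a backup plan. The following Python example is added here and is not from the page or from AWS: it builds the CreateBackupPlan and CreateBackupSelection inputs for "midnight on the 15th and 25th, keep 3 months", and includes a small evaluator for the cron expression so you can see which days it actually fires on. It assumes 3 months is encoded as 90 days, and the vault name and role ARN are hypothetical.

```python
"""AWS Backup plan for the DynamoDB retention rule in the question (midnight on the
15th and 25th, keep 90 days), plus a small evaluator of the cron expression so the
schedule can be checked before deployment.  Added example, not from the page.
Assumptions: '3 months' is encoded as 90 days; vault name and role ARN are hypothetical."""
from datetime import datetime, timedelta


def dynamodb_backup_plan(vault="dynamodb-vault",
                         role_arn="arn:aws:iam::111122223333:role/service-role/AWSBackupDefaultServiceRole"):
    """Inputs for backup.create_backup_plan and backup.create_backup_selection.

    A cron expression is required: rate(...) can only say "every N days" and
    drifts, it cannot pin the 15th and 25th of the month.  Field order is
    minutes hours day-of-month month day-of-week year, and exactly one of
    day-of-month / day-of-week must be '?'.
    """
    plan = {
        "BackupPlanName": "dynamodb-twice-monthly",
        "Rules": [{
            "RuleName": "midnight-15th-25th",
            "TargetBackupVaultName": vault,
            "ScheduleExpression": "cron(0 0 15,25 * ? *)",
            "ScheduleExpressionTimezone": "Etc/UTC",  # 'midnight' is meaningless without a zone
            "StartWindowMinutes": 60,
            "Lifecycle": {"DeleteAfterDays": 90},
        }],
    }
    selection = {
        "SelectionName": "all-dynamodb-tables",
        "IamRoleArn": role_arn,
        # A wildcard ARN also covers tables created after the plan exists.
        "Resources": ["arn:aws:dynamodb:*:*:table/*"],
    }
    return plan, selection


def cron_fire_times(expression, start_iso, end_iso):
    """Enumerate fire times of an AWS Backup/EventBridge cron between two ISO dates
    (inclusive).  Supports the subset used above: numeric minute and hour, a
    comma list or '*' for day-of-month, '*' month, '?' day-of-week, '*' year.
    Anything else raises rather than silently guessing."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    if not (expression.startswith("cron(") and expression.endswith(")")):
        raise ValueError("expected cron(...)")
    minute, hour, dom, month, dow, year = expression[5:-1].split()
    if month != "*" or dow != "?" or year != "*":
        raise ValueError("only '* ? *' for month/day-of-week/year is supported here")
    days = None if dom == "*" else {int(d) for d in dom.split(",")}
    fires = []
    day = start.replace(hour=int(hour), minute=int(minute), second=0, microsecond=0)
    while day <= end:
        if day >= start and (days is None or day.day in days):
            fires.append(day)
        day += timedelta(days=1)
    return fires


if __name__ == "__main__":
    plan, selection = dynamodb_backup_plan()
    for t in cron_fire_times(plan["Rules"][0]["ScheduleExpression"], "2024-01-01", "2024-03-31"):
        print(t.isoformat())
```

Note that the plan alone does not stop a deletion: the recovery points live in the vault named in TargetBackupVaultName, and a vault access policy or AWS Backup Vault Lock is what keeps them for the full 90 days against an administrator's mistake.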
A company has multiple departments. Each department has its own AWS account. All these accounts belong to the same organization in AWS Organizations. A large .csv file is stored in an Amazon S3 bucket in the sales department's AWS account. The company wants to allow users from the other accounts to access the .csv file's content through the combination of AWS Glue and Amazon Athena. However, the company does not want to allow users from the other accounts to access other files in the same folder. Which solution will meet these requirements?
A. Apply a user policy in the other accounts to allow AWS Glue and Athena to access the .csv file.
B. Use S3 Select to restrict access to the .csv file. In the AWS Glue Data Catalog, use S3 Select as the source of the AWS Glue database.
C. Define an AWS Glue Data Catalog resource policy in AWS Glue to grant cross-account S3 object access to the .csv file.
D. Grant AWS Glue access to Amazon S3 in a resource-based policy that specifies the organization as the principal.
A development team is attempting to encrypt and decrypt a SecureString parameter from the AWS Systems Manager Parameter Store using an AWS Key Management Service (AWS KMS) CMK. However, each attempt results in an error message being sent to the development team. Which CMK-related problems could account for the error? (Select TWO.)
A. The CMK used in the attempt does not exist.
B. The CMK used in the attempt needs to be rotated.
C. The attempt is using the CMK's key ID instead of the CMK ARN.
D. The CMK used in the attempt is not enabled.
E. The attempt is using a CMK alias.
A company in France uses Amazon Cognito with the Cognito Hosted UI as an identity broker for sign-in and sign-up processes. The company is marketing an application and expects that all the application's users will come from France. When the company launches the application, the company's security team observes fraudulent sign-ups for the application. Most of the fraudulent registrations are from users outside of France. The security team needs a solution to perform custom validation at sign-up. Based on the results of the validation, the solution must accept or deny the registration request. Which combination of steps will meet these requirements? (Select TWO.)
A. Create a pre sign-up AWS Lambda trigger. Associate the function with the Amazon Cognito user pool.
B. Use a geographic match rule statement to configure an AWS WAF web ACL. Associate the web ACL with the Amazon Cognito user pool.
C. Configure an app client for the application's Amazon Cognito user pool. Use the app client ID to validate the requests in the hosted UI.
D. Update the application's Amazon Cognito user pool to configure a geographic restriction setting.
E. Use Amazon Cognito to configure a social identity provider (IdP) to validate the requests on the hosted UI.
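Two of the mechanisms named in the options above do real work here, and they check different things: an AWS WAF web ACL on the user pool sees the client's source country, while a pre sign-up Lambda trigger sees the submitted attributes but no source IP. The following Python example is added here and is not from the page or from AWS; it builds the WAF rule that blocks non-French traffic and implements the trigger, which rejects a registration by raising (Cognito returns the message to the Hosted UI). It assumes phone_number is a required attribute and uses the French E.164 prefix +33 as the attribute-level check; the user pool ID and event contents are constructed.

```python
"""The two layers for the sign-up question: an AWS WAF rule that blocks sign-up
traffic not originating in France, and a Cognito pre sign-up Lambda trigger that
validates the registration and rejects it by raising.  Added example, not from the
page.  Assumptions: phone_number is a required user-pool attribute and a French
number (E.164 prefix +33) is the attribute-level check; the trigger sees no source
IP, so geography is enforced in WAF, not in the trigger."""
import re

E164_FRANCE = re.compile(r"^\+33[1-9]\d{8}$")   # +33 followed by 9 digits, first non-zero


def block_non_france_rule(priority=0):
    """AWS WAF rule for a web ACL associated with the user pool: block every
    request whose source country is not FR (GeoMatch inside a NotStatement)."""
    return {
        "Name": "BlockNonFrance",
        "Priority": priority,
        "Statement": {"NotStatement": {"Statement": {"GeoMatchStatement": {"CountryCodes": ["FR"]}}}},
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": "BlockNonFrance",
        },
    }


class SignUpRejected(Exception):
    """Raising from a pre sign-up trigger makes Cognito fail the registration and
    surface this message to the Hosted UI."""


def pre_sign_up(event, context=None):
    """Lambda handler for the PreSignUp trigger."""
    if event.get("triggerSource") != "PreSignUp_SignUp":
        # Admin-created and federated users are vetted elsewhere; pass through (design choice).
        return event
    attrs = event.get("request", {}).get("userAttributes", {})
    phone = attrs.get("phone_number", "")
    if not E164_FRANCE.match(phone):
        raise SignUpRejected("Registration is available only with a French (+33) mobile number.")
    # Never base this decision on request.clientMetadata: the caller supplies it.
    event.setdefault("response", {})
    event["response"]["autoConfirmUser"] = False   # keep the verification step
    return event


def signup_event(phone, source="PreSignUp_SignUp"):
    """Constructed Cognito pre sign-up event (shape follows the Cognito trigger docs)."""
    return {
        "version": "1", "triggerSource": source, "region": "eu-west-3",
        "userPoolId": "eu-west-3_EXAMPLE", "userName": "user@example.com",
        "request": {"userAttributes": {"email": "user@example.com", "phone_number": phone},
                    "validationData": None},
        "response": {"autoConfirmUser": False, "autoVerifyEmail": False, "autoVerifyPhone": False},
    }
```

The trigger's check is only as strong as the attribute it inspects; a +33 number can be typed from anywhere, which is why the WAF geo rule sits in front of it. Conversely, WAF cannot see the registration data, so attribute-level validation (disposable-email domains, velocity per phone number) belongs in the trigger.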
A company's AWS account contains approximately 300 IAM users. A mandate now requires an access change so that 100 of these IAM users have unlimited privileges to S3. As a system administrator, how can you implement this effectively so that there is no need to apply the policy at the individual user level?
A. Create a new role and add each user to the IAM role
B. Use IAM groups and add users, based upon their role, to different groups, and apply the policy to the group
C. Create a policy and apply it to multiple users using a JSON script
D. Create an S3 bucket policy with unlimited access which includes each user's IAM account ID
A company needs to encrypt all of its data stored in Amazon S3. The company wants to use AWS Key Management Service (AWS KMS) to create and manage its encryption keys. The company's security policies require the ability to import the company's own key material for the keys, set an expiration date on the keys, and delete keys immediately, if needed. How should a security engineer set up AWS KMS to meet these requirements?
A. Configure AWS KMS and use a custom key store. Create a customer managed CMK with no key material. Import the company's keys and key material into the CMK.
B. Configure AWS KMS and use the default key store. Create an AWS managed CMK with no key material. Import the company's key material into the CMK.
C. Configure AWS KMS and use the default key store. Create a customer managed CMK with no key material. Import the company's key material into the CMK.
D. Configure AWS KMS and use a custom key store. Create an AWS managed CMK with no key material. Import the company's key material into the CMK.
A company has an organization in AWS Organizations. The company wants to use AWS CloudFormation StackSets in the organization to deploy various AWS design patterns into environments. These patterns consist of Amazon EC2 instances, Elastic Load Balancing (ELB) load balancers, Amazon RDS databases, and Amazon Elastic Kubernetes Service (Amazon EKS) clusters or Amazon Elastic Container Service (Amazon ECS) clusters. Currently, the company's developers can create their own CloudFormation stacks to increase the overall speed of delivery. A centralized CI/CD pipeline in a shared services AWS account deploys each CloudFormation stack. The company's security team has already provided requirements for each service in accordance with internal standards. If there are any resources that do not comply with the internal standards, the security team must receive notification to take appropriate action. The security team must implement a notification solution that gives developers the ability to maintain the same overall delivery speed that they currently have. Which solution will meet these requirements in the MOST operationally efficient way?
A. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team's email addresses to the SNS topic. Create a custom AWS Lambda function that will run the aws cloudformation validate-template AWS CLI command on all CloudFormation templates before the build stage in the CI/CD pipeline. Configure the CI/CD pipeline to publish a notification to the SNS topic if any issues are found.
B. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team's email addresses to the SNS topic. Create custom rules in CloudFormation Guard for each resource configuration. In the CI/CD pipeline, before the build stage, configure a Docker image to run the cfn-guard command on the CloudFormation template. Configure the CI/CD pipeline to publish a notification to the SNS topic if any issues are found.
C. Create an Amazon Simple Notification Service (Amazon SNS) topic and an Amazon Simple Queue Service (Amazon SQS) queue. Subscribe the security team's email addresses to the SNS topic. Create an Amazon S3 bucket in the shared services AWS account. Include an event notification to publish to the SQS queue when new objects are added to the S3 bucket. Require the developers to put their CloudFormation templates in the S3 bucket. Launch EC2 instances that automatically scale based on the SQS queue depth. Configure the EC2 instances to use CloudFormation Guard to scan the templates and deploy the templates if there are no issues. Configure the CI/CD pipeline to publish a notification to the SNS topic if any issues are found.
D. Create a centralized CloudFormation stack set that includes a standard set of resources that the developers can deploy in each AWS account. Configure each CloudFormation template to meet the security requirements. For any new resources or configurations, update the CloudFormation template and send the template to the security team for review. When the review is completed, add the new CloudFormation stack to the repository for the developers to use.
A company's policy requires that all API keys be encrypted and stored separately from source code in a centralized security account. This security account is managed by the company's security team. However, an audit revealed that an API key is stored with the source code of an AWS Lambda function in an AWS CodeCommit repository in the DevOps account. How should the security team securely store the API key?
A. Create a CodeCommit repository in the security account using AWS Key Management Service (AWS KMS) for encryption. Require the development team to migrate the Lambda source code to this repository.
B. Store the API key in an Amazon S3 bucket in the security account using server-side encryption with Amazon S3 managed encryption keys (SSE-S3) to encrypt the key. Create a presigned URL for the S3 key, and specify the URL in a Lambda environment variable in the AWS CloudFormation template. Update the Lambda function code to retrieve the key using the URL and call the API.
C. Create a secret in AWS Secrets Manager in the security account to store the API key using AWS Key Management Service (AWS KMS) for encryption. Grant access to the IAM role used by the Lambda function so that the function can retrieve the key from Secrets Manager and call the API.
D. Create an encrypted environment variable for the Lambda function to store the API key using AWS Key Management Service (AWS KMS) for encryption. Grant access to the IAM role used by the Lambda function so that the function can decrypt the key at runtime.
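Keeping the secret in another account, as the question above requires, means three policies have to agree: the secret's resource policy, the customer managed KMS key's policy, and the Lambda role's identity policy. The following Python example is added here and is not from the page or from AWS: it generates those three documents and shows the function-side retrieval with a cache that survives across warm invocations. Account IDs, the region, the role name and the ARNs are hypothetical, and the Secrets Manager client is injected so it runs offline against the constructed fake.

```python
"""Moving an API key out of CodeCommit into Secrets Manager in the security account:
the three policies that must agree for a Lambda function in the DevOps account to
read it, and the function-side retrieval with a warm-container cache.  Added
example, not from the page.  Account IDs, region, ARNs and role names are hypothetical."""
import json

REGION = "us-east-1"
SECURITY_ACCOUNT = "111111111111"
DEVOPS_ACCOUNT = "222222222222"
LAMBDA_ROLE_ARN = f"arn:aws:iam::{DEVOPS_ACCOUNT}:role/orders-api-lambda-role"
SECRET_ARN = f"arn:aws:secretsmanager:{REGION}:{SECURITY_ACCOUNT}:secret:prod/orders/api-key-AbCdEf"
KEY_ARN = f"arn:aws:kms:{REGION}:{SECURITY_ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"


def secret_resource_policy():
    """Attached to the secret (PutResourcePolicy): only the Lambda role may read it."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowDevOpsLambdaRead",
        "Effect": "Allow",
        "Principal": {"AWS": LAMBDA_ROLE_ARN},
        "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
        "Resource": "*",   # a secret's own policy applies only to that secret
    }]}


def kms_key_policy_statement():
    """Added to the customer managed key's policy: cross-account decrypt, but only
    when Secrets Manager makes the call on the role's behalf (kms:ViaService).
    The AWS managed key aws/secretsmanager cannot be shared across accounts."""
    return {
        "Sid": "AllowDevOpsLambdaDecryptViaSecretsManager",
        "Effect": "Allow",
        "Principal": {"AWS": LAMBDA_ROLE_ARN},
        "Action": ["kms:Decrypt", "kms:DescribeKey"],
        "Resource": "*",
        "Condition": {"StringEquals": {"kms:ViaService": f"secretsmanager.{REGION}.amazonaws.com"}},
    }


def lambda_role_policy():
    """Identity policy in the DevOps account; cross-account access needs both sides
    and must name the secret by its full ARN."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": SECRET_ARN},
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY_ARN},
    ]}


SECRET_CACHE = {}


def get_api_key(client, secret_arn=SECRET_ARN):
    """Fetch once per execution environment so a hot function does not call
    Secrets Manager on every invocation."""
    if secret_arn not in SECRET_CACHE:
        resp = client.get_secret_value(SecretId=secret_arn)
        SECRET_CACHE[secret_arn] = json.loads(resp["SecretString"])["api_key"]
    return SECRET_CACHE[secret_arn]


def handler(event, context=None, client=None):
    if client is None:  # real Lambda runtime
        import boto3
        client = boto3.client("secretsmanager", region_name=REGION)
    api_key = get_api_key(client)
    # ... call the third-party API with api_key; never log it or return it.
    return {"statusCode": 200, "key_loaded": bool(api_key)}


class FakeSecretsManager:
    """Constructed stand-in for the boto3 client; counts calls to show the cache works."""

    def __init__(self, api_key):
        self.api_key, self.calls = api_key, 0

    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"ARN": SecretId, "SecretString": json.dumps({"api_key": self.api_key})}
```

One step the storage change does not cover: the key found in the repository has to be treated as exposed and rotated with the third party, because removing it from the current revision leaves it in the CodeCommit history.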
Example.com is hosted on Amazon EC2 instances behind an Application Load Balancer (ALB). Third-party host intrusion detection system (HIDS) agents that capture the traffic of the EC2 instance are running on each host. The company must ensure they are using privacy enhancing technologies for users, without losing the assurance the third-party solution offers. What is the MOST secure way to meet these requirements?
A. Enable TLS passthrough on the ALB, and handle decryption at the server using Elliptic Curve Diffie-Hellman (ECDHE) cipher suites.
B. Create a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie-Hellman (ECDHE) cipher suites, and pass the traffic in the clear to the server.
C. Create a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie-Hellman (ECDHE) cipher suites, and use encrypted connections to the servers that do not enable Perfect Forward Secrecy (PFS).
D. Create a listener on the ALB that does not enable Perfect Forward Secrecy (PFS) cipher suites, and use encrypted connections to the servers using Elliptic Curve Diffie-Hellman (ECDHE) cipher suites.
A company wants to receive an email notification about critical findings in AWS Security Hub. The company does not have an existing architecture that supports this functionality. Which solution will meet the requirement?
A. Create an AWS Lambda function to identify critical Security Hub findings. Create an Amazon Simple Notification Service (Amazon SNS) topic as the target of the Lambda function. Subscribe an email endpoint to the SNS topic to receive published messages.
B. Create an Amazon Kinesis Data Firehose delivery stream. Integrate the delivery stream with Amazon EventBridge. Create an EventBridge rule that has a filter to detect critical Security Hub findings. Configure the delivery stream to send the findings to an email address.
C. Create an Amazon EventBridge rule to detect critical Security Hub findings. Create an Amazon Simple Notification Service (Amazon SNS) topic as the target of the EventBridge rule. Subscribe an email endpoint to the SNS topic to receive published messages.
D. Create an Amazon EventBridge rule to detect critical Security Hub findings. Create an Amazon Simple Email Service (Amazon SES) topic as the target of the EventBridge rule. Use the Amazon SES API to format the message. Choose an email address to be the recipient of the message.
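For the question above, the part that is easy to get wrong is the EventBridge pattern: "critical" alone will also page on archived or already-resolved findings. The following Python example is added here and is not from the page or from AWS. It gives the pattern with the RecordState and Workflow filters a practitioner wants, a small matcher implementing the subset of EventBridge pattern semantics that rule uses so the pattern can be tested against sample events, and the subject/body the SNS email should carry. The finding is constructed in ASFF shape and the SNS topic ARN is hypothetical.

```python
"""Critical Security Hub findings to email: the EventBridge rule pattern, a matcher
for the subset of EventBridge pattern semantics the rule uses, and the message an
SNS email subscriber receives.  Added example, not from the page.  The finding is
constructed in ASFF shape; the SNS topic ARN is hypothetical."""
import json

CRITICAL_FINDINGS_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {"findings": {
        "Severity": {"Label": ["CRITICAL"]},
        "RecordState": ["ACTIVE"],                      # drop archived findings
        "Workflow": {"Status": ["NEW", "NOTIFIED"]},    # drop resolved/suppressed ones
    }},
}
SNS_TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:security-critical"


def matches(pattern, event):
    """EventBridge-style matching for the subset used above: a list in the pattern
    means 'any of these values'; a dict recurses; when the event value is an array
    of objects the pattern matches if any element matches.  (EventBridge itself
    flattens arrays, which is equivalent while each event carries one finding.)"""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            candidates = actual if isinstance(actual, list) else [actual]
            if not any(isinstance(c, dict) and matches(expected, c) for c in candidates):
                return False
        else:  # list of literal values
            actual_values = actual if isinstance(actual, list) else [actual]
            if not any(v in expected for v in actual_values):
                return False
    return True


def sns_message(event):
    """Subject/body for sns.publish.  Email subscribers see the subject verbatim,
    so keep it short (SNS caps it at 100 characters) and put detail in the body."""
    f = event["detail"]["findings"][0]
    resources = ", ".join(r["Id"] for r in f.get("Resources", []))
    subject = f"[{f['Severity']['Label']}] {f['Title']}"[:100]
    body = "\n".join([
        f"Account:  {f['AwsAccountId']}",
        f"Region:   {f.get('Region', 'n/a')}",
        f"Resource: {resources}",
        f"Status:   {f['Workflow']['Status']} / {f['RecordState']}",
        "",
        f.get("Description", ""),
    ])
    return {"TopicArn": SNS_TOPIC_ARN, "Subject": subject, "Message": body}


def securityhub_event(severity="CRITICAL", workflow="NEW", record_state="ACTIVE"):
    """Constructed 'Security Hub Findings - Imported' event with one ASFF finding."""
    finding = {
        "SchemaVersion": "2018-10-08",
        "Id": "arn:aws:securityhub:us-east-1:111122223333:subscription/example/finding/0001",
        "AwsAccountId": "111122223333", "Region": "us-east-1",
        "Title": "S3 bucket has a policy granting public write access",
        "Description": "Constructed finding text for the example.",
        "Severity": {"Label": severity, "Normalized": 90},
        "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::reportbucket"}],
        "Workflow": {"Status": workflow}, "RecordState": record_state,
    }
    return {"source": "aws.securityhub", "detail-type": "Security Hub Findings - Imported",
            "detail": {"findings": [finding]}}


if __name__ == "__main__":
    ev = securityhub_event()
    if matches(CRITICAL_FINDINGS_PATTERN, ev):
        print(json.dumps(sns_message(ev), indent=2))
```

With SNS as a direct EventBridge target the email body is the raw event JSON; sns_message is the shape to reproduce with the rule's input transformer, or with a Lambda target if you need more than field substitution.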
A company has recently recovered from a security incident that required the restoration of Amazon EC2 instances from snapshots. After performing a gap analysis of its disaster recovery procedures and backup strategies, the company is concerned that, next time, it will not be able to recover the EC2 instances if the AWS account was compromised and Amazon EBS snapshots were deleted. All EBS snapshots are encrypted using an AWS KMS CMK. Which solution would solve this problem?
A. Create a new Amazon S3 bucket. Use EBS lifecycle policies to move EBS snapshots to the new S3 bucket. Move snapshots to Amazon S3 Glacier using lifecycle policies, and apply Glacier Vault Lock policies to prevent deletion.
B. Use AWS Systems Manager to distribute a configuration that performs local backups ofall attached disks to Amazon S3.
C. Create a new AWS account with limited privileges. Allow the new account to access the AWS KMS key used to encrypt the EBS snapshots, and copy the encrypted snapshots to the new account on a recurring basis.
D. Use AWS Backup to copy EBS snapshots to Amazon S3.
A company uses AWS Organizations to manage a multi-account AWS environment in a single AWS Region. The organization's management account is named management-01. The company has turned on AWS Config in all accounts in the organization. The company has designated an account named security-01 as the delegated administrator for AWS Config. All accounts report the compliance status of each account's rules to the AWS Config delegated administrator account by using an AWS Config aggregator. Each account administrator can configure and manage the account's own AWS Config rules to handle each account's unique compliance requirements. A security engineer needs to implement a solution to automatically deploy a set of 10 AWS Config rules to all existing and future AWS accounts in the organization. The solution must turn on AWS Config automatically during account creation. Which combination of steps will meet these requirements? (Select TWO.)
A. Create an AWS CloudFormation template that contains the 10 required AWS Config rules. Deploy the template by using CloudFormation StackSets in the security-01 account.
B. Create a conformance pack that contains the 10 required AWS Config rules. Deploy the conformance pack from the security-01 account.
C. Create a conformance pack that contains the 10 required AWS Config rules. Deploy the conformance pack from the management-01 account.
D. Create an AWS CloudFormation template that will activate AWS Config. Deploy the template by using CloudFormation StackSets in the security-01 account.
E. Create an AWS CloudFormation template that will activate AWS Config. Deploy the template by using CloudFormation StackSets in the management-01 account.
Navigate your SCS-C02 question-and-answer training for the AWS Certified Security - Specialty certification exam. The exam is best suited to those in security-related job roles. It checks and certifies the candidate's ability to secure the AWS platform.
The certification offered by Amazon Web Services (AWS) is a tough nut to crack. Learn to tackle the SCS-C02 real exam questions with a simulation that replicates your exam. Salesforcexamdumps is here to help you out with the best SCS-C02 practice test at your disposal!
To prove your knowledge, you must know all the nooks and crannies of the exam, which evaluates expertise in designing and implementing secure applications on Amazon Web Services. It spans six domains:
The exam consists of 65 SCS-C02 real exam questions, and you have 170 minutes to complete them. You can take it in person or online in 9 languages. The exam costs $300.
Knowing the exam, learning the topics, and assessing your readiness helps you prepare better. Try the SCS-C02 practice test at Salesforcexamdumps. They provide many versions of SCS-C02 real exam questions. Learn more about them in the upcoming paragraph.
SCS-C02 question-and-answer preparation is a crucial process that leads to success. Salesforcexamdumps' authentic resources are here to help you get ready. Here's what you get using our resources.
Our experts make sure our materials are clear, user-friendly, and accessible to all. Our PDF files are a creative alternative to SCS-C02 practice tests, created with the same careful planning and design as the SCS-C02 question-and-answer resources. This format helps you keep track of the SCS-C02 dumps information and ideas while studying.
SCS-C02 braindumps are a great way to strengthen your AWS question-and-answer training. Regular SCS-C02 dumps feedback helps you tell learned topics from areas needing work. Practice with SCS-C02 real exam questions to get accustomed to test-taking. The simulated atmosphere hardens your memory, and you'll pace yourself to feel comfortable sitting down for the exam.
Relying on SCS-C02 practice tests alone isn't enough. To enhance your preparation, you must:
All the best in your exam preparation!