A company has a large fleet of Linux Amazon EC2 instances and Windows EC2 instances that run in private subnets. The company wants all remote administration to be performed as securely as possible in the AWS Cloud. Which solution will meet these requirements?
A. Do not use SSH-RSA private keys during the launch of new instances. Implement AWS Systems Manager Session Manager.
B. Generate new SSH-RSA private keys for existing instances. Implement AWS Systems Manager Session Manager.
C. Do not use SSH-RSA private keys during the launch of new instances. Configure EC2 Instance Connect.
D. Generate new SSH-RSA private keys for existing instances. Configure EC2 Instance Connect.
A security engineer must troubleshoot an administrator's inability to make an existing Amazon S3 bucket public in an account that is part of an organization in AWS Organizations. The administrator switched the role from the master account to a member account and then attempted to make one S3 bucket public. This action was immediately denied. Which actions should the security engineer take to troubleshoot the permissions issue? (Select TWO.)
A. Review the cross-account role permissions and the S3 bucket policy. Verify that the Amazon S3 block public access option in the member account is deactivated.
B. Review the role permissions in the master account and ensure it has sufficient privileges to perform S3 operations.
C. Filter AWS CloudTrail logs for the master account to find the original deny event and update the cross-account role in the member account accordingly. Verify that the Amazon S3 block public access option in the master account is deactivated.
D. Evaluate the SCPs covering the member account and the permissions boundary of the role in the member account for missing permissions and explicit denies.
E. Ensure the S3 bucket policy explicitly allows the s3:PutBucketPublicAccess action for the role in the member account.
A team is using AWS Secrets Manager to store an application database password. Only a limited number of IAM principals within the account can have access to the secret. The principals who require access to the secret change frequently. A security engineer must create a solution that maximizes flexibility and scalability. Which solution will meet these requirements?
A. Use a role-based approach by creating an IAM role with an inline permissions policy that allows access to the secret. Update the IAM principals in the role trust policy as required.
B. Deploy a VPC endpoint for Secrets Manager. Create and attach an endpoint policy that specifies the IAM principals that are allowed to access the secret. Update the list of IAM principals as required.
C. Use a tag-based approach by attaching a resource policy to the secret. Apply tags to the secret and the IAM principals. Use the aws:PrincipalTag and aws:ResourceTag IAM condition keys to control access.
D. Use a deny-by-default approach by using IAM policies to deny access to the secret explicitly. Attach the policies to an IAM group. Add all IAM principals to the IAM group. Remove principals from the group when they need access. Add the principals to the group again when access is no longer allowed.
A company has several workloads running on AWS. Employees are required to authenticate using on-premises ADFS and SSO to access the AWS Management Console. Developers migrated an existing legacy web application to an Amazon EC2 instance. Employees need to access this application from anywhere on the internet, but currently, there is no authentication system built into the application. How should the Security Engineer implement employee-only access to this system without changing the application?
A. Place the application behind an Application Load Balancer (ALB). Use Amazon Cognito as authentication for the ALB. Define a SAML-based Amazon Cognito user pool and connect it to ADFS.
B. Implement AWS SSO in the master account and link it to ADFS as an identity provider. Define the EC2 instance as a managed resource, then apply an IAM policy on the resource.
C. Define an Amazon Cognito identity pool, then install the connector on the Active Directory server. Use the Amazon Cognito SDK on the application instance to authenticate the employees using their Active Directory user names and passwords.
D. Create an AWS Lambda custom authorizer as the authenticator for a reverse proxy on Amazon EC2. Ensure the security group on Amazon EC2 only allows access from the Lambda function.
An AWS account that is used for development projects has a VPC that contains two subnets. The first subnet is named public-subnet-1 and has the CIDR block 192.168.1.0/24 assigned. The other subnet is named private-subnet-2 and has the CIDR block 192.168.2.0/24 assigned. Each subnet contains Amazon EC2 instances. Each subnet is currently using the VPC's default network ACL. The security groups that the EC2 instances in these subnets use have rules that allow traffic between each instance where required. Currently, all network traffic flow is working as expected between the EC2 instances that are using these subnets. A security engineer creates a new network ACL that is named subnet-2-NACL with default entries. The security engineer immediately configures private-subnet-2 to use the new network ACL and makes no other changes to the infrastructure. The security engineer starts to receive reports that the EC2 instances in public-subnet-1 and public-subnet-2 cannot communicate with each other. Which combination of steps should the security engineer take to allow the EC2 instances that are running in these two subnets to communicate again? (Select TWO.)
A. Add an outbound allow rule for 192.168.2.0/24 in the VPC's default network ACL.
B. Add an inbound allow rule for 192.168.2.0/24 in the VPC's default network ACL.
C. Add an outbound allow rule for 192.168.2.0/24 in subnet-2-NACL.
D. Add an inbound allow rule for 192.168.1.0/24 in subnet-2-NACL.
E. Add an outbound allow rule for 192.168.1.0/24 in subnet-2-NACL.
A Security Engineer has been tasked with enabling AWS Security Hub to monitor Amazon EC2 instances for CVEs in a single AWS account. The Engineer has already enabled AWS Security Hub and Amazon Inspector in the AWS Management Console and has installed the Amazon Inspector agent on the EC2 instances that need to be monitored. Which additional steps should the Security Engineer take to meet this requirement?
A. Configure the Amazon Inspector agent to use the CVE rule package.
B. Configure the Amazon Inspector agent to use the CVE rule package. Configure Security Hub to ingest from Amazon Inspector by writing a custom resource policy.
C. Configure the Security Hub agent to use the CVE rule package. Configure Amazon Inspector to ingest from Security Hub by writing a custom resource policy.
D. Configure the Amazon Inspector agent to use the CVE rule package. Install an additional integration library. Allow the Amazon Inspector agent to communicate with Security Hub.
An ecommerce company has a web application architecture that runs primarily on containers. The application containers are deployed on Amazon Elastic Container Service (Amazon ECS). The container images for the application are stored in Amazon Elastic Container Registry (Amazon ECR). The company's security team is performing an audit of components of the application architecture. The security team identifies issues with some container images that are stored in the container repositories. The security team wants to address these issues by implementing continual scanning and on-push scanning of the container images. The security team needs to implement a solution that makes any findings from these scans visible in a centralized dashboard. The security team plans to use the dashboard to view these findings along with other security-related findings that they intend to generate in the future. There are specific repositories that the security team needs to exclude from the scanning process. Which solution will meet these requirements?
A. Use Amazon Inspector. Create inclusion rules in Amazon ECR to match repositories that need to be scanned. Push Amazon Inspector findings to AWS Security Hub.
B. Use ECR basic scanning of container images. Create inclusion rules in Amazon ECR to match repositories that need to be scanned. Push findings to AWS Security Hub.
C. Use ECR basic scanning of container images. Create inclusion rules in Amazon ECR to match repositories that need to be scanned. Push findings to Amazon Inspector.
D. Use Amazon Inspector. Create inclusion rules in Amazon Inspector to match repositories that need to be scanned. Push Amazon Inspector findings to AWS Config.
A company uses AWS Organizations and has production workloads across multiple AWS accounts. A security engineer needs to design a solution that will proactively monitor for suspicious behavior across all the accounts that contain production workloads. The solution must automate remediation of incidents across the production accounts. The solution also must publish a notification to an Amazon Simple Notification Service (Amazon SNS) topic when a critical security finding is detected. In addition, the solution must send all security incident logs to a dedicated account. Which solution will meet these requirements?
A. Activate Amazon GuardDuty in each production account. In a dedicated logging account, aggregate all GuardDuty logs from each production account. Remediate incidents by configuring GuardDuty to directly invoke an AWS Lambda function. Configure the Lambda function to also publish notifications to the SNS topic.
B. Activate AWS Security Hub in each production account. In a dedicated logging account, aggregate all Security Hub findings from each production account. Remediate incidents by using AWS Config and AWS Systems Manager. Configure Systems Manager to also publish notifications to the SNS topic.
C. Activate Amazon GuardDuty in each production account. In a dedicated logging account, aggregate all GuardDuty logs from each production account. Remediate incidents by using Amazon EventBridge to invoke a custom AWS Lambda function from the GuardDuty findings. Configure the Lambda function to also publish notifications to the SNS topic.
D. Activate AWS Security Hub in each production account. In a dedicated logging account, aggregate all Security Hub findings from each production account. Remediate incidents by using Amazon EventBridge to invoke a custom AWS Lambda function from the Security Hub findings. Configure the Lambda function to also publish notifications to the SNS topic.
A security engineer is defining the controls required to protect the AWS account root user credentials in an AWS Organizations hierarchy. The controls should also limit the impact in case these credentials have been compromised. Which combination of controls should the security engineer propose? (Select THREE.)
A. Option A
B. Option B
C. Option C
D. Option D
E. Option E
F. Option F
A company's security engineer has been tasked with restricting a contractor's IAM account access to the company's Amazon EC2 console without providing access to any other AWS services. The contractor's IAM account must not be able to gain access to any other AWS service, even if the IAM account is assigned additional permissions based on IAM group membership. What should the security engineer do to meet these requirements?
A. Create an inline IAM user policy that allows for Amazon EC2 access for the contractor's IAM user.
B. Create an IAM permissions boundary policy that allows Amazon EC2 access. Associate the contractor's IAM account with the IAM permissions boundary policy.
C. Create an IAM group with an attached policy that allows for Amazon EC2 access. Associate the contractor's IAM account with the IAM group.
D. Create an IAM role that allows for EC2 and explicitly denies all other services. Instruct the contractor to always assume this role.