Amazon SCS-C02 Sample Questions

Question # 121

A company is planning to use Amazon Elastic File System (Amazon EFS) with its on-premises servers. The company has an existing AWS Direct Connect connection established between its on-premises data center and an AWS Region. Security policy states that the company's on-premises firewall should only have specific IP addresses added to the allow list and not a CIDR range. The company also wants to restrict access so that only certain data center-based servers have access to Amazon EFS. How should a security engineer implement this solution?

A. Add the file-system-id.efs.aws-region.amazonaws.com URL to the allow list for the data center firewall. Install the AWS CLI on the data center-based servers to mount the EFS file system. In the EFS security group, add the data center IP range to the allow list. Mount the EFS using the EFS file system name.
B. Assign an Elastic IP address to Amazon EFS and add the Elastic IP address to the allow list for the data center firewall. Install the AWS CLI on the data center-based servers to mount the EFS file system. In the EFS security group, add the IP addresses of the data center servers to the allow list. Mount the EFS using the Elastic IP address.
C. Add the EFS file system mount target IP addresses to the allow list for the data center firewall. In the EFS security group, add the data center server IP addresses to the allow list. Use the Linux terminal to mount the EFS file system using the IP address of one of the mount targets.
D. Assign a static range of IP addresses for the EFS file system by contacting AWS Support. In the EFS security group, add the data center server IP addresses to the allow list. Use the Linux terminal to mount the EFS file system using one of the static IP addresses.


Question # 122

A Network Load Balancer (NLB) target instance is not entering the InService state. A security engineer determines that health checks are failing. Which factors could cause the health check failures? (Select THREE.) 
 

A. The target instance's security group does not allow traffic from the NLB.
B. The target instance's security group is not attached to the NLB.
C. The NLB's security group is not attached to the target instance.
D. The target instance's subnet network ACL does not allow traffic from the NLB.
E. The target instance's security group is not using IP addresses to allow traffic from the NLB.
F. The target network ACL is not attached to the NLB.


Question # 123

A security engineer recently rotated the host keys for an Amazon EC2 instance. The security engineer is trying to access the EC2 instance by using the EC2 Instance Connect feature. However, the security engineer receives an error for failed host key validation. Before the rotation of the host keys, EC2 Instance Connect worked correctly with this EC2 instance. What should the security engineer do to resolve this error?

A. Import the key material into AWS Key Management Service (AWS KMS).
B. Manually upload the new host key to the AWS trusted host keys database.
C. Ensure that the AmazonSSMManagedInstanceCore policy is attached to the EC2 instance profile.
D. Create a new SSH key pair for the EC2 instance.


Question # 124

A Security Engineer receives alerts that an Amazon EC2 instance on a public subnet is under an SFTP brute force attack from a specific IP address, which is a known malicious bot. What should the Security Engineer do to block the malicious bot? 
 

A. Add a deny rule to the public VPC security group to block the malicious IP
B. Add the malicious IP to AWS WAF blacklisted IPs
C. Configure Linux iptables or Windows Firewall to block any traffic from the malicious IP
D. Modify the hosted zone in Amazon Route 53 and create a DNS sinkhole for the malicious IP


Question # 125

You work at a company that makes use of AWS resources. One of the key security policies is to ensure that all data is encrypted both at rest and in transit. Which of the following is one of the right ways to implement this?
 

A. Use S3 SSE and use SSL for data in transit
B. SSL termination on the ELB
C. Enabling Proxy Protocol
D. Enabling sticky sessions on your load balancer


Question # 126

A company discovers a billing anomaly in its AWS account. A security consultant investigates the anomaly and discovers that an employee who left the company 30 days ago still has access to the account. The company has not monitored account activity in the past. The security consultant needs to determine which resources have been deployed or reconfigured by the employee as quickly as possible. Which solution will meet these requirements? 

A. In AWS Cost Explorer, filter chart data to display results from the past 30 days. Export the results to a data table. Group the data table by resource.
B. Use AWS Cost Anomaly Detection to create a cost monitor. Access the detection history. Set the time frame to Last 30 days. In the search area, choose the service category.
C. In AWS CloudTrail, filter the event history to display results from the past 30 days. Create an Amazon Athena table that contains the data. Partition the table by event source.
D. Use AWS Audit Manager to create an assessment for the past 30 days. Apply a usage-based framework to the assessment. Configure the assessment to assess by resource.


Question # 127

While securing the connection between a company's VPC and its on-premises data center, a Security Engineer sent a ping command from an on-premises host (IP address 203.0.113.12) to an Amazon EC2 instance (IP address 172.31.16.139). The ping command did not return a response. The flow log in the VPC showed the following:

2 123456789010 eni-1235b8ca 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK
2 123456789010 eni-1235b8ca 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK

What action should be performed to allow the ping to work?
 

A. In the security group of the EC2 instance, allow inbound ICMP traffic.
B. In the security group of the EC2 instance, allow outbound ICMP traffic.
C. In the VPC's NACL, allow inbound ICMP traffic.
D. In the VPC's NACL, allow outbound ICMP traffic.


Question # 128

A company has deployed Amazon GuardDuty and now wants to implement automation for potential threats. The company has decided to start with RDP brute force attacks that come from Amazon EC2 instances in the company’s AWS environment. A security engineer needs to implement a solution that blocks the detected communication from a suspicious instance until investigation and potential remediation can occur. Which solution will meet these requirements? 

A. Configure GuardDuty to send the event to an Amazon Kinesis data stream. Process the event with an Amazon Kinesis Data Analytics for Apache Flink application that sends a notification to the company through Amazon Simple Notification Service (Amazon SNS). Add rules to the network ACL to block traffic to and from the suspicious instance.
B. Configure GuardDuty to send the event to Amazon EventBridge (Amazon CloudWatch Events). Deploy an AWS WAF web ACL. Process the event with an AWS Lambda function that sends a notification to the company through Amazon Simple Notification Service (Amazon SNS) and adds a web ACL rule to block traffic to and from the suspicious instance.
C. Enable AWS Security Hub to ingest GuardDuty findings and send the event to Amazon EventBridge (Amazon CloudWatch Events). Deploy AWS Network Firewall. Process the event with an AWS Lambda function that adds a rule to a Network Firewall firewall policy to block traffic to and from the suspicious instance.
D. Enable AWS Security Hub to ingest GuardDuty findings. Configure an Amazon Kinesis data stream as an event destination for Security Hub. Process the event with an AWS Lambda function that replaces the security group of the suspicious instance with a security group that does not allow any connections.


Question # 129

A security engineer needs to set up an Amazon CloudFront distribution for an Amazon S3 bucket that hosts a static website. The security engineer must allow only specified IP addresses to access the website. The security engineer also must prevent users from accessing the website directly by using S3 URLs. Which solution will meet these requirements?
 

A. Generate an S3 bucket policy. Specify cloudfront.amazonaws.com as the principal. Use the aws:SourceIp condition key to allow access only if the request comes from the specified IP addresses.
B. Create a CloudFront origin access identity (OAI). Create the S3 bucket policy so that only the OAI has access. Create an AWS WAF web ACL and add an IP set rule. Associate the web ACL with the CloudFront distribution.
C. Implement security groups to allow only the specified IP addresses access and to restrict S3 bucket access by using the CloudFront distribution.
D. Create an S3 bucket access point to allow access from only the CloudFront distribution. Create an AWS WAF web ACL and add an IP set rule. Associate the web ACL with the CloudFront distribution.


Question # 130

A company needs to follow security best practices to deploy resources from an AWS CloudFormation template. The CloudFormation template must be able to configure sensitive database credentials. The company already uses AWS Key Management Service (AWS KMS) and AWS Secrets Manager. Which solution will meet the requirements? 

A. Use a dynamic reference in the CloudFormation template to reference the database credentials in Secrets Manager.
B. Use a parameter in the CloudFormation template to reference the database credentials. Encrypt the CloudFormation template by using AWS KMS.
C. Use a SecureString parameter in the CloudFormation template to reference the database credentials in Secrets Manager.
D. Use a SecureString parameter in the CloudFormation template to reference an encrypted value in AWS KMS.

