Notes: Hi all, AWS Certified Security Specialty Practice Exam (SCS-C01) Part 5 will familiarize you with types of questions you may encounter on the certification exam and help you determine your readiness or if you need more preparation and/or experience. Successful completion of the practice exam does not guarantee you will pass the certification exam as the actual exam is longer and covers a wider range of topics. We highly recommend you should take AWS Certified Security Specialty Actual Exam Version  because it include real questions and highlighted answers are collected in our exam. It will help you pass exam in easier way.

160. Example.com is hosted on Amazon EC2 instance behind an Application Load Balancer (ALB). Third-party host intrusion detection system (HIDS) agents that capture the traffic of the EC2 instance are running on each host. The company must ensure they are using privacy enhancing technologies for users, without losing the assurance the third-party solution offers. What is the MOST secure way to meet these requirements?

A. Enable TLS pass through on the ALB, and handle decryption at the server using Elliptic Curve Diffie-Hellman (ECDHE) cipher suites.
B. Create a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie-Hellman (ECDHE) cipher suites, and pass the traffic in the clear to the server.
C. Create a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie-Hellman (ECDHE) cipher suites, and use encrypted connections to the servers that do not enable Perfect Forward Security (PRS).
D. Create a listener on the ALB that does not enable Perfect Forward Security (PFS) cipher suites, and use encrypted connections to the server using Elliptic Curve Diffie-Hellman (ECDHE) cipher suites.

161. A Website currently runs on Amazon EC2 with mostly static content on the site. Recently, the site was subjected to a DDoS attack, and a Security Engineer was tasked with redesigning the edge security to help mitigate this risk in the future. What are some ways the Engineer could archive this? (Choose three.)

A. Use AWS X-Ray to inspect the traffic going to the EC2 instances.
B. Move the static content to Amazon S3, and front this with Amazon CloudFront distribution. C. Change the security group configuration to block the source of the attack traffic.
D. Use AWS WAF security rules to inspect the inbound traffic.
E. Use Amazon Inspector assessment templates to inspect the inbound traffic.
F. Use Amazon Route 53 to distribute traffic.

162. A company manages three separate AWS accounts for its production, development, and test environments. Each Developer is assigned a unique IAM user under the development account. A new application hosted on an Amazon EC2 instance in the development account requires read access to the archived documents stored in an Amazon S3 bucket in the production account. How should access be granted?

A. Create an IAM role in the production account and allow EC2 instances in the development account to assume that role using the trust policy. Provide read access for the required S3 bucket to this role.
B. Use a custom identity broker to allow Developer IAM users to temporarily access the S3 bucket.
C. Create a temporary IAM user for the application to use in the production account.
D. Create a temporary IAM user in the production account and provide read access to Amazon S3. Generate the temporary IAM user’s access key and secret key and store these keys on the EC2 instance used by the application in the development account.

163. A company requires that SSH commands used to access its AWS instance be traceable to the user who executed each command. How should a Security Engineer accomplish this?

A. Allow inbound access on port 22 at the security group attached to the instance. Use AWS Systems Manager Session Manager for shell access to Amazon EC2 instances with the user tag defined. Enable Amazon CloudWatch logging for Systems Manager sessions.
B. Use Amazon S3 to securely store one Privacy Enhanced Mail Certificate (PEM file) for each user. Allow Amazon EC2 to read from Amazon S3 and import every user that wants to use SSH to access EC2 instance. Allow inbound access on port 22 at the security group attached to the instance. Install the Amazon CloudWatch agent on the EC2 instance and configure it to ingest audit logs for the instance.
C. Deny inbound access on port 22 at the security group attached to the instance. Use AWS Systems Manager Session Manager for shell access to Amazon EC2 instances with the user tag defined. Enable Amazon CloudWatch logging for Systems Manager sessions.
D. Use Amazon S3 to securely store one Privacy Enhanced Mail Certificate (PEM file) for each team or group. Allow Amazon EC2 to read from Amazon S3 and import every user that wants to use SSH to access EC2 instance. Allow inbound access on port 22 at the security group attached to the instance. Install the Amazon CloudWatch agent on the EC2 instance and configure it to ingest audit logs for the instance.

164. An organization must establish the ability to delete an AWS KMS Customer Master Key (CMK) within a 24-hour timeframe to keep it from being used for encrypt or decrypt operations. Which of the following actions will address this requirement?

A. Manually rotate a key within KMS to create a new CMK immediately.
B. Use the KMS import key functionality to execute a delete key operation.
C. Use the schedule key deletion function within KMS to specify the minimum wait period for deletion.
D. Change the KMS CMK alias to immediately prevent any services from using the CMK.

165. A company uses Microsoft Active Directory for access management for on-premises resources, and wants to use the same mechanism for accessing its AWS accounts. Additionally, the Development team plans to launch a public facing application for which they need a separate authentication solution. Which combination of the following would satisfy these requirements? (Choose two.)

A. Set up domain controllers on Amazon EC2 to extend the on-premises directory to AWS. B. Establish network connectivity between on-premises and the user’s VPC.
C. Use Amazon Cognito user pools for application authentication.
D. Use AD Connector for application authentication.
E. Set up federated sign-in to AWS through ADFS and SAML.

166. A company wants to encrypt the private network between its on-premises environment and AWS. The company also wants a consistent network experience for its employees. What should the company do to meet these requirements?

A. Establish an AWS Direct Connect connection with AWS and set up a Direct Connect gateway. In the Direct Connect gateway configuration, enable IPsec and BGP, and then leverage native AWS network encryption between Availability Zones and Regions.
B. Establish an AWS Direct Connect connection with AWS and set up a Direct Connect gateway. Using the Direct Connect gateway, create a private virtual interface and advertise the customer gateway private IP addresses. Create a VPN connection using the customer gateway and the virtual private gateway.
C. Establish a VPN connection with the AWS virtual private cloud over the Internet.
D. Establish an AWS Direct Connect connection with AWS and establish a public virtual interface. For prefixes that need to be advertised, enter the customer gateway public IP addresses. Create a VPN connection over Direct Connect using the customer gateway and the virtual private gateway.

167. A company’s Security Engineer has been tasked with restricting a contractor’s IAM account access to the company’s Amazon EC2 console without providing access to any other AWS services. The contractor’s IAM account must not be able to gain access to any other AWS service, even if the IAM account is assigned additional permissions based on IAM group membership. What should the Security Engineer do to meet these requirements?

A. Create an Inline IAM user policy that allows for Amazon EC2 access for the contractor’s IAM user.
B. Create an IAM permissions boundary policy that allows Amazon EC2 access. Associate the contractor’s IAM account with the IAM permissions boundary policy.
C. Create an IAM group with an attached policy that allows for Amazon EC2 access. Associate the contractor’s IAM account with the IAM group.
D. Create an IAM role that allows for EC2 and explicitly denies all other services. Instruct the contractor to always assume this role.

168. A company recently performed an annual security assessment of its AWS environment. The assessment showed the audit logs are not available beyond 90 days and that unauthorized changes to IAM policies are made without detection. How should a Security Engineer resolve these issues?

A. Create an Amazon S3 lifecycle policy that archives AWS CloudTrail trail logs to Amazon S3 Glacier after 90 days. Configure Amazon Inspector to provide a notification when a policy change is made to resources.
B. Configure AWS Artifact to archive AWS CloudTrail logs. Configure AWS Trusted Advisor to provide a notification when a policy change is made to resources.
C. Configure Amazon CloudWatch to export log groups to Amazon S3. Configure AWS CloudTrail to provide a notification when a policy change is made to resources.
D. Create an AWS CloudTrail trail that stores audit logs in Amazon S3. Configure an AWS Config rule to provide a notification when a policy change is made to resources.

169. A Security Engineer is asked to update an AWS CloudTrail log file prefix for an existing trail. When attempting to save the change in the CloudTrail console, the Security Engineer receives the following error message: “There is a problem with the bucket policy.” What will enable the Security Engineer to save the change?

A. Create a new trail with the updated log file prefix, and then delete the original trail. Update the existing bucket policy in the Amazon S3 console with the new log file prefix, and then update the log file prefix in the CloudTrail console.
B. Update the existing bucket policy in the Amazon S3 console to allow the Security Engineer’s Principal to perform PutBucketPolicy, and then update the log file prefix in the CloudTrail console.
C. Update the existing bucket policy in the Amazon S3 console with the new log file prefix, and then update the log file prefix in the CloudTrail console.
D. Update the existing bucket policy in the Amazon S3 console to allow the Security Engineer’s Principal to perform GetBucketPolicy, and then update the log file prefix in the CloudTrail console.

170. A company needs a forensic-logging solution for hundreds of applications running in Docker on Amazon EC2. The solution must perform real-time analytics on the logs, must support the replay of messages, and must persist the logs. Which AWS services should be used to meet these requirements? (Choose two.)

A. Amazon Athena
B. Amazon Kinesis
C. Amazon SQS
D. Amazon Elasticsearch
E. Amazon EMR

171. A company’s architecture requires that its three Amazon EC2 instances run behind an Application Load Balancer (ALB). The EC2 instances transmit sensitive data between each other. Developers use SSL certificates to encrypt the traffic between the public users and the ALB. However, the Developers are unsure of how to encrypt the data in transit between the ALB and the EC2 instances and the traffic between the EC2 instances. Which combination of activities must the company implement to meet its encryption requirements? (Choose two.)

A. Configure SSL/TLS on the EC2 instances and configure the ALB target group to use HTTPS.
B. Ensure that all resources are in the same VPC so the default encryption provided by the VPC is used to encrypt the traffic between the EC2 instances.
C. In the ALB, select the default encryption to encrypt the traffic between the ALB and the EC2 instances.
D. In the code for the application, include a cryptography library and encrypt the data before sending it between the EC2 instances.
E. Configure AWS Direct Connect to provide an encrypted tunnel between the EC2 instances.

172. A Security Engineer has launched multiple Amazon EC2 instances from a private AMI using an AWS CloudFormation template. The Engineer notices instances terminating right after they are launched. What could be causing these terminations?

A. The IAM user launching those instances is missing ec2:RunInstances permissions.
B. The AMI used was encrypted and the IAM user does not have the required AWS KMS permissions.
C. The instance profile used with the EC2 instances is unable to query instance metadata.
D. AWS currently does not have sufficient capacity in the Region.

173. Authorized Administrators are unable to connect to an Amazon EC2 Linux bastion host using SSH over the Internet. The connection either fails to respond or generates the following error message: Network error: Connection timed out. What could be responsible for the connection failure? (Choose three.)

A. The NAT gateway in the subnet where the EC2 instance is deployed has been misconfigured.
B. The internet gateway of the VPC has been misconfigured.
C. The security group denies outbound traffic on ephemeral ports.
D. The route table is missing a route to the internet gateway.
E. The NACL denies outbound traffic on ephemeral ports.
F. The host-based firewall is denying SSH traffic.

174. After multiple compromises of its Amazon EC2 instances, a company’s Security Officer is mandating that memory dumps of compromised instances be captured for further analysis. A Security Engineer just received an EC2 abuse notification report from AWS stating that an EC2 instance running the most recent Windows Server 2019 Base AMI is compromised. How should the Security Engineer collect a memory dump of the EC2 instance for forensic analysis?

A. Give consent to the AWS Security team to dump the memory core on the compromised instance and provide it to AWS Support for analysis.
B. Review memory dump data that the AWS Systems Manager Agent sent to Amazon CloudWatch Logs.
C. Download and run the EC2Rescue for Windows Server utility from AWS.
D. Reboot the EC2 Windows Server, enter safe mode, and select memory dump

175. A company’s Information Security team wants to analyze Amazon EC2 performance and utilization data in near-real time for anomalies. A Security Engineer is responsible for log aggregation. The Engineer must collect logs from all of the company’s AWS accounts in a centralized location to perform the analysis.
How should the Security Engineer do this?

A. Log in to each account four times a day and filter the AWS CloudTrail log data, then copy and paste the logs into the Amazon S3 bucket in the destination account.
B. Set up Amazon CloudWatch to stream data to an Amazon S3 bucket in each source account. Set up bucket replication for each source account into a centralized bucket owned by the Security Engineer.
C. Set up an AWS Config aggregator to collect AWS configuration data from multiple sources.
D. Set up Amazon CloudWatch cross-account log data sharing with subscriptions in each account. Send the logs to Amazon Kinesis Data Firehose in the Security Engineer’s account.

176. Two Amazon EC2 instances in different subnets should be able to connect to each other but cannot. It has been confirmed that other hosts in the same subnets are able to communicate successfully, and that security groups have valid ALLOW rules in place to permit this traffic. Which of the following troubleshooting steps should be performed?

A. Check inbound and outbound security groups, looking for DENY rules
B. Check inbound and outbound Network ACL rules, looking for DENY rules
C. Review the rejected packet reason codes in the VPC Flow Logs
D. Use AWS X-Ray to trace the end-to-end application flow

177. A Security Engineer creates an Amazon S3 bucket policy that denies access to all users. A few days later, the Security Engineer adds an additional statement to the bucket policy to allow read only access to one other employee. Even after updating the policy, the employee still receives an access denied message. What is the likely cause of this access denial?

A. The ACL in the bucket needs to be updated
B. The IAM policy does not allow the user to access the bucket
C. It takes a few minutes for a bucket policy to take effect
D. The allow permission is being overridden by the deny

178. A company plans to use custom AMIs to launch Amazon EC2 instances across multiple AWS accounts in a single Region to perform security monitoring and analytics tasks. The EC2 instances are launched in EC2 Auto Scaling groups. To increase the security of the solution, a Security Engineer will manage the lifecycle of the custom AMIs in a centralized account and will encrypt them with a centrally managed AWS KMS CMK. The Security Engineer configured the KMS key policy to allow cross-account access. However, the EC2 instances are still not being properly launched by the EC2 Auto Scaling groups. Which combination of configuration steps should the Security Engineer take to ensure the EC2 Auto Scaling groups have been granted the proper permissions to execute tasks?

A. Create a customer-managed CMK in the centralized account. Allow other applicable accounts to use that key for cryptographical operations by applying proper cross-account permissions in the key policy. Create an IAM role in all applicable accounts and configure its access policy to allow the use of the centrally managed CMK for cryptographical operations. Configure EC2 Auto Scaling groups within each applicable account to use the created IAM role to launch EC2 instances.
B. Create a customer-managed CMK in the centralized account. Allow other applicable accounts to use that key for cryptographical operations by applying proper cross-account permissions in the key policy. Create an IAM role in all applicable accounts and configure its access policy with permissions to create grants for the centrally managed CMK. Use this IAM role to create a grant for the centrally managed CMK with permissions to perform cryptographical operations and with the EC2 Auto Scaling service-linked role defined as the grantee principal.
C. Create a customer-managed CMK or an AWS managed CMK in the centralized account. Allow other applicable accounts to use that key for cryptographical operations by applying proper cross account permissions in the key policy. Use the CMK administrator to create a CMK grant that includes permissions to perform cryptographical operations that define EC2 Auto Scaling service linked roles from all other accounts as the grantee principal.
D. Create a customer-managed CMK or an AWS managed CMK in the centralized account. Allow other applicable accounts to use that key for cryptographical operations by applying proper cross account permissions in the key policy. Modify the access policy for the EC2 Auto Scaling roles to perform cryptographical operations against the centrally managed CMK.

179. An organization wants to log all AWS API calls made within all of its AWS accounts, and must have a central place to analyze these logs. What steps should be taken to meet these requirements in the MOST secure manner? (Choose two.)

A. Turn on AWS CloudTrail in each AWS account.
B. Turn on CloudTrail in only the account that will be storing the logs.
C. Update the bucket ACL of the bucket in the account that will be storing the logs so that other accounts can log to it.
D. Create a service-based role for CloudTrail and associate it with CloudTrail in each account.
E. Update the bucket policy of the bucket in the account that will be storing the logs so that other accounts can log to it.

180. A company uses HTTP Live Streaming (HLS) to stream live video content to paying subscribers by using Amazon CloudFront. HLS splits the video content into chunks so that the user can request the right chunk based on different conditions. Because the video events last for several hours, the total video is made up of thousands of chunks. The origin URL is not disclosed, and every user is forced to access the CloudFront URL. The company has a web application that authenticates the paying users against an internal repository and a CloudFront key pair that is already issued. What is the simplest and MOST effective way to protect the content?

A. Develop the application to use the CloudFront key pair to create signed URLs that users will use to access the content.
B. Develop the application to use the CloudFront key pair to set the signed cookies that users will use to access the content.
C. Develop the application to issue a security token that Lambda@Edge will receive to authenticate and authorize access to the content.
D. Keep the CloudFront URL encrypted inside the application, and use AWS KMS to resolve the URL on-the-fly after the user is authenticated.

181. A company’s web application is hosted on Amazon EC2 instances running behind an Application Load Balancer (ALB) in an Auto Scaling group. An AWS WAF web ACL is associated with the ALB. AWS CloudTrail is enabled, and stores logs in Amazon S3 and Amazon CloudWatch Logs. The Operations team has observed some EC2 instances reboot at random. After rebooting, all access logs on the instances have been deleted. During an investigation, the Operations team found that each reboot happened just after a PHP error occurred on the new-user-creation.php file. The Operations team needs to view log information to determine if the company is being attacked. Which set of actions will identify the suspect attacker’s IP address for future occurrences?

A. Configure VPC Flow Logs on the subnet where the ALB is located, and stream the data CloudWatch. Search for the new-user-creation.php occurrences in CloudWatch.
B. Configure the CloudWatch agent on the ALB. Configure the agent to send application logs to CloudWatch. Update the instance role to allow CloudWatch Logs access. Export the logs to CloudWatch. Search for the new-user-creation.php occurrences in CloudWatch.
C. Configure the ALB to export access logs to an Amazon Elasticsearch Service cluster, and use the service to search for the new-user-creation.php occurrences.
D. Configure the web ACL to send logs to Amazon Kinesis Data Firehose, which delivers the logs to an S3 bucket. Use Amazon Athena to query the logs and find the new-user-creation.php occurrences.

182. A company has hundreds of AWS accounts, and a centralized Amazon S3 bucket used to collect AWS CloudTrail logs for all of these accounts. A Security Engineer wants to create a solution that will enable the company to run ad hoc queries against its CloudTrail logs dating back 3 years from when the trails were first enabled in the company’s AWS account. How should the company accomplish this with the least amount of administrative overhead?

A. Run an Amazon EMR cluster that uses a MapReduce job to examine the CloudTrail trails. B. Use the events history feature of the CloudTrail console to query the CloudTrail trails.
C. Write an AWS Lambda function to query the CloudTrail trails. Configure the Lambda function to be executed whenever a new file is created in the CloudTrail S3 bucket.
D. Create an Amazon Athena table that looks at the S3 bucket the CloudTrail trails are being written to. Use Athena to run queries against the trails.

183. A Security Engineer is troubleshooting a connectivity issue between a web server that is writing log files to the logging server in another VPC. The Engineer has confirmed that a peering relationship exists between the two VPCs. VPC flow logs show that requests sent from the web server are accepted by the logging server, but the web server never receives a reply. Which of the following actions could fix this issue?

A. Add an inbound rule to the security group associated with the logging server that allows requests from the web server.
B. Add an outbound rule to the security group associated with the web server that allows requests to the logging server.
C. Add a route to the route table associated with the subnet that hosts the logging server that targets the peering connection.
D. Add a route to the route table associated with the subnet that hosts the web server that targets the peering connection.

184. A Security Engineer accidentally deleted the imported key material in an AWS KMS CMK. What should the Security Engineer do to restore the deleted key material?

A. Create a new CMK. Download a new wrapping key and a new import token to import the original key material.
B. Create a new CMK. Use the original wrapping key and import token to import the original key material.
C. Download a new wrapping key and a new import token. Import the original key material into the existing CMK.
D. Use the original wrapping key and import token. Import the original key material into the existing CMK.

185. A company’s Security Engineer is copying all application logs to centralized Amazon S3 buckets. Currently, each of the company’s applications is in its own AWS account, and logs are pushed into S3 buckets associated with each account. The Engineer will deploy an AWS Lambda function into each account that copies the relevant log files to the centralized S3 bucket. The Security Engineer is unable to access the log files in the centralized S3 bucket. The Engineer’s IAM user policy from the centralized account looks like this:

The centralized S3 bucket policy looks like this:

Why is the Security Engineer unable to access the log files?

A. The S3 bucket policy does not explicitly allow the Security Engineer access to the objects in the bucket.
B. The object ACLs are not being updated to allow the users within the centralized account to access the objects.
C. The Security Engineer’s IAM policy does not grant permissions to read objects in the S3 bucket.
D. The s3:PutObject and s3:PutObjectAcl permissions should be applied at the S3 bucket level.

186. An application running on Amazon EC2 instances generates log files in a folder on a Linux file system. The instances block access to the console and file transfer utilities, such as Secure Copy Protocol (SCP) and Secure File Transfer Protocol (SFTP). The Application Support team wants to automatically monitor the application log files so the team can set up notifications in the future. A Security Engineer must design a solution that meets the following requirements:
Make the log files available through an AWS managed service.
Allow for automatic monitoring of the logs.
Provide an interface for analyzing logs.
Minimize effort.
Which approach meets these requirements?

A. Modify the application to use the AWS SDK. Write the application logs to an Amazon S3 bucket.
B. Install the unified Amazon CloudWatch agent on the instances. Configure the agent to collect the application log files on the EC2 file system and send them to Amazon CloudWatch Logs.
C. Install AWS Systems Manager Agent on the instances. Configure an automation document to copy the application log files to AWS DeepLens.
D. Install Amazon Kinesis Agent on the instances. Stream the application log files to Amazon Kinesis Data Firehose and set the destination to Amazon Elasticsearch Service.

187. A company has multiple AWS accounts that are part of AWS Organizations. The company’s Security team wants to ensure that even those Administrators with full access to the company’s AWS accounts are unable to access the company’s Amazon S3 buckets. How should this be accomplished?

A. Use SCPs.
B. Add a permissions boundary to deny access to Amazon S3 and attach it to all roles.
C. Use an S3 bucket policy.
D. Create a VPC endpoint for Amazon S3 and deny statements for access to Amazon S3.

188. A Security Engineer has several thousand Amazon EC2 instances split across production and development environments. Each instance is tagged with its environment. The Engineer needs to analyze and patch all the development EC2 instances to ensure they are not currently exposed to any common vulnerabilities or exposures (CVEs). Which combination of steps is the MOST efficient way for the Engineer to meet these requirements? (Choose two.)

A. Log on to each EC2 instance, check and export the different software versions installed, and verify this against a list of current CVEs.
B. Install the Amazon Inspector agent on all development instances. Build a custom rule package, and configure Inspector to perform a scan using this custom rule on all instances tagged as being in the development environment.
C. Install the Amazon Inspector agent on all development instances. Configure Inspector to perform a scan using this CVE rule package on all instances tagged as being in the development environment.
D. Install the Amazon EC2 System Manager agent on all development instances. Issue the Run command to EC2 System Manager to update all instances.
E. Use AWS Trusted Advisor to check that all EC2 instances have been patched to the most recent version of operating system and installed software.

189. A company has decided to use encryption in its AWS account to secure the objects in Amazon S3 using server-side encryption. Object sizes range from 16,000 B to 5 MB. The requirements are as follows: The key material must be generated and stored in a certified Federal Information Processing Standard (FIPS) 140-2 Level 3 machine. The key material must be available in multiple Regions. Which option meets these requirements?

A. Use an AWS KMS customer managed key and store the key material in AWS with replication across Regions.
B. Use an AWS customer managed key, import the key material into AWS KMS using in-house AWS CloudHSM, and store the key material securely in Amazon S3.
C. Use an AWS KMS custom key store backed by AWS CloudHSM clusters, and copy backups across Regions.
D. Use AWS CloudHSM to generate the key material and backup keys across Regions. Use the Java Cryptography Extension (JCE) and Public Key Cryptography Standards #11 (PKCS #11) encryption libraries to encrypt and decrypt the data.

190. An organization has a multi-petabyte workload that it is moving to Amazon S3, but the CISO is concerned about cryptographic wear-out and the blast radius if a key is compromised. How can the CISO be assured that AWS KMS and Amazon S3 are addressing the concerns? (Choose two.)

A. There is no API operation to retrieve an S3 object in its encrypted form.
B. Encryption of S3 objects is performed within the secure boundary of the KMS service.
C. S3 uses KMS to generate a unique data key for each individual object.
D. Using a single master key to encrypt all data includes having a single place to perform audits and usage validation.
E. The KMS encryption envelope digitally signs the master key during encryption to prevent cryptographic wear-out.

191. A company has a compliance requirement to rotate its encryption keys on an annual basis. A Security Engineer needs a process to rotate the KMS Customer Master Keys (CMKs) that were created using imported key material. How can the Engineer perform the key rotation process MOST efficiently?

A. Create a new CMK, and redirect the existing Key Alias to the new CMK.
B. Select the option to auto-rotate the key.
C. Upload new key material into the existing CMK.
D. Create a new CMK, and change the application to point to the new CMK.

192. A company’s Chief Security Officer has requested that a Security Analyst review and improve the security posture of each company AWS account. The Security Analyst decides to do this by improving AWS account root user security. Which actions should the Security Analyst take to meet these requirements? (Choose three.)

A. Delete the access keys for the account root user in every account.
B. Create an admin IAM user with administrative privileges and delete the account root user in every account.
C. Implement a strong password to help protect account-level access to the AWS Management Console by the account root user.
D. Enable multi-factor authentication (MFA) on every account root user in all accounts.
E. Create a custom IAM policy to limit permissions to required actions for the account root user and attach the policy to the account root user.
F. Attach an IAM role to the account root user to make use of the automated credential rotation in AWS STS.

193. A large company wants its Compliance team to audit its Amazon S3 buckets to identify if personally identifiable information (PII) is stored in them. The company has hundreds of S3 buckets and has asked the Security Engineers to scan every bucket. How can this task be accomplished?

A. Configure Amazon CloudWatch Events to trigger Amazon Inspector to scan the S3 buckets daily for PII. Configure Amazon Inspector to publish Amazon SNS notifications to the Compliance team if PII is detected.
B. Configure Amazon Macie to classify data in the S3 buckets and check the dashboard for PII findings. Configure Amazon CloudWatch Events to capture Macie alerts and target an Amazon SNS topic to be notified if PII is detected.
C. Check the AWS Trusted Advisor data loss prevention page in the AWS Management Console. Download the Amazon S3 data confidentiality report and send it to the Compliance team. Configure Amazon CloudWatch Events to capture Trusted Advisor alerts and target an Amazon SNS topic to be notified if PII is detected.
D. Enable Amazon GuardDuty in multiple Regions to scan the S3 buckets. Configure Amazon CloudWatch Events to capture GuardDuty alerts and target an Amazon SNS topic to be notified if PII is detected.

194. During a manual review of system logs from an Amazon Linux EC2 instance, a Security Engineer noticed that there are sudo commands that were never properly alerted or reported on the Amazon CloudWatch Logs agent. Why were there no alerts on the sudo commands?

A. There is a security group blocking outbound port 80 traffic that is preventing the agent from sending the logs.
B. The IAM instance profile on the EC2 instance was not properly configured to allow the CloudWatch Logs agent to push the logs to CloudWatch.
C. CloudWatch Logs status is set to ON versus SECURE, which prevents if from pulling in OS security event logs.
D. The VPC requires that all traffic go through a proxy, and the CloudWatch Logs agent does not support a proxy configuration.

195. A company has an AWS account and allows a third-party contractor, who uses another AWS account, to assume certain IAM roles. The company wants to ensure that IAM roles can be assumed by the contractor only if the contractor has multi-factor authentication enabled on their IAM user accounts. What should the company do to accomplish this?

A. Add the following condition to the IAM policy attached to all IAM roles:
“Effect”: “Deny”,
“Condition” : { “BoolItExists” : { “aws:MultiFactorAuthPresent” : false } }
B. Add the following condition to the IAM policy attached to all IAM roles:
“Effect”: “Deny”,
“Condition” : { “Bool” : { “aws:MultiFactorAuthPresent” : false } }
C. Add the following condition to the IAM policy attached to all IAM roles:
“Effect”: “Allow”,
“Condition” : { “Null” : { “aws:MultiFactorAuthPresent” : false } }
D. Add the following condition to the IAM policy attached to all IAM roles:
“Effect”: “Allow”,
“Condition” : { “BoolItExists” : { “aws:MultiFactorAuthPresent” : false } }

196. A large corporation is creating a multi-account strategy and needs to determine how its employees should access the AWS Infrastructure. Which of the following solutions would provide the MOST scalable solution?

A. Create dedicated IAM users within each AWS account that employees can assume though federation based upon group membership in their existing identity provider.
B. Use a centralized account with IAM roles that employees can assume through federation with their existing identity provider. Use cross-account roles to allow the federated users to assume their target role in the resource accounts.
C. Configure the AWS Security Token Service to use Kerberos tokens so that users can use their existing corporate usernames and passwords to access AWS resources directly.
D. Configure the IAM trust policies within each account’s role to set up a trust back to the corporation’s existing identity provider, allowing users to assume the role based on their SAML token.

197. A company wants to deploy a distributed web application on a fleet of EC2 instances. The fleet will be fronted by a Classic Load Balancer that will be configured to terminate the TLS connection. The company wants to make sure that all past and current TLS traffic to the Classic Load Balancer stays secure, even if the certificate private key is leaked. To ensure the company meets these requirements, a Security Engineer can configure a Classic Load Balancer with:

A. An HTTPS listener that uses a certificate that is managed by Amazon Certification Manager.
B. An HTTPS listener that uses a custom security policy that allows only perfect forward secrecy cipher suites.
C. An HTTPS listener that uses the latest AWS predefined ELBSecurityPolicy-TLS-1-2-2017-01 security policy.
D. A TCP listener that uses a custom security policy that allows only perfect forward secrecy cipher suite

198. Users report intermittent availability of a web application hosted on AWS. Monitoring systems report an excess of abnormal network traffic followed by high CPU utilization on the application web tier. Which of the following techniques will improve the availability of the application? (Choose two.)

A. Deploy AWS WAF to block all unsecured web applications from accessing the internet.
B. Deploy an Intrusion Detection/Prevention Systems (IDS/IPS) to monitor or block unusual incoming network traffic.
C. Configure security groups to allow outgoing network traffic only from hosts that are protected with up-to-date antivirus software.
D. Create Amazon CloudFront distribution and configure AWS WAF rules to protect the web applications from malicious traffic.
E. Use the default Amazon VPC for external-facing systems to allow AWS to actively block malicious network traffic affecting Amazon EC2 instances.

199. A company has an application hosted in an Amazon EC2 instance and wants the application to access secure strings stored in AWS Systems Manager Parameter Store. When the application tries to access the secure string key value, it fails. Which factors could be the cause of this failure? (Choose two.)

A. The EC2 instance role does not have decrypt permissions on the AWS Key Management Service (AWS KMS) key used to encrypt the secret.
B. The EC2 instance role does not have read permissions to read the parameters in Parameter Store.
C. Parameter Store does not have permission to use AWS Key Management Service (AWS KMS) to decrypt the parameter.
D. The EC2 instance role does not have encrypt permissions on the AWS Key Management Service (AWS KMS) key associated with the secret.
E. The EC2 instance does not have any tags associated.

200. A security engineer received an Amazon GuardDuty alert indicating a finding involving the Amazon EC2 instance that hosts the company’s primary website. The GuardDuty finding received read:
UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.
The security engineer confirmed that a malicious actor used API access keys intended for the EC2 instance from a country where the company does not operate. The security engineer needs to deny access to the malicious actor. What is the first step the security engineer should take?

A. Open the EC2 console and remove any security groups that allow inbound traffic from 0.0.0.0/0.
B. Install the AWS Systems Manager Agent on the EC2 instance and run an inventory report.
C. Install the Amazon Inspector agent on the host and run an assessment with the CVE rules package.
D. Open the IAM console and revoke all IAM sessions that are associated with the instance profile.