Practice Exam Question:
Part 1: https://awslagi.com/aws-certified-security-specialty-scs-c02-exam-question-part-1
Part 2: https://awslagi.com/aws-certified-security-specialty-scs-c02-exam-question-part-2
Part 3: https://awslagi.com/aws-certified-security-specialty-scs-c02-exam-question-part-3
Part 4: https://awslagi.com/aws-certified-security-specialty-scs-c02-exam-question-part-4
Part 5: https://awslagi.com/aws-certified-security-specialty-scs-c02-exam-question-part-5
Part 6: https://awslagi.com/aws-certified-security-specialty-scs-c02-exam-question-part-6
Actual Exam Version:
251. A security engineer has noticed an unusually high amount of traffic coming from a single IP address. This was discovered by analyzing the Application Load Balancer’s access logs. How can the security engineer limit the number of requests from a specific IP address without blocking the IP address?
A. Add a rule to the Application Load Balancer to route the traffic originating from the IP address in question and show a static webpage.
B. Implement a rate-based rule with AWS WAF.
C. Use AWS Shield to limit the originating traffic hit rate.
D. Implement the GeoLocation feature in Amazon Route 53.
252. Unapproved changes were previously made to a company’s Amazon S3 bucket. A security engineer configured AWS Config to record configuration changes made to the company’s S3 buckets. The engineer discovers there are S3 configuration changes being made, but no Amazon SNS notifications are being sent. The engineer has already checked the configuration of the SNS topic and has confirmed the configuration is valid. Which combination of steps should the security engineer take to resolve the issue? (Choose two.)
A. Configure the S3 bucket ACLs to allow AWS Config to record changes to the buckets.
B. Configure policies attached to S3 buckets to allow AWS Config to record changes to the buckets.
C. Attach the AmazonS3ReadOnlyAccess managed policy to IAM User.
D. Verify the security engineer’s IAM user has an attached policy that allows all AWS Config actions.
E. Assign the AWSConfigRole managed policy to the AWS Config role.
253. A security engineer must develop an encryption tool for a company. The company requires a cryptographic solution that supports the ability to perform cryptographic erasure on all resources protected by the key material in 15 minutes or less. Which Aws Key Management Service (AWS KMS) key solution will allow the security engineer to meet these requirements?
A. Use imported key material with CMK.
B. Use an AWS KMS CMK.
C. Use an AWS managed CMK.
D. Use an AWS KMS customer managed CMK.
254. A company deployed an Amazon EC2 instance to a VPC on AWS. A recent alert indicates that the EC2 instance is receiving a suspicious number of requests over an open TCP port from an external source. The TCP port remains open for long periods of time. The company’s security team needs to stop all activity to this port from the external source to ensure that the EC2 instance is not being compromised. The application must remain available to other users. Which solution will meet these requirements?
A. Update the network ACL that is attached to the subnet that is associated with the EC2 instance. Add a Deny statement for the port and the source IP addresses.
B. Update the elastic network interface security group that is attached to the EC2 instance to remove the port from the inbound rule list.
C. Update the elastic network interface security group that is attached to the EC2 instance by adding a Deny entry in the inbound list for the port and the source IP addresses.
D. Create a new network ACL for the subnet. Deny all traffic from the EC2 instance to prevent data from being removed.
255. After a recent security audit involving Amazon S3, a company has asked for assistance reviewing its S3 buckets to determine whether the data is properly secured. The first S3 bucket on the list has the following bucket policy:
In this bucket policy sufficient to ensure that the data is not publicly accessible?
A. Yes, the bucket policy makes the whole bucket publicly accessible despite how the S3 bucket ACL or object ACLs are configured.
B. Yes, none of the data in the bucket is publicly accessible, regardless of how the S3 bucket ACL or object ACLs are configured.
C. No, the IAM user policy would need to be examined first to determine whether any data is publicly accessible.
D. No, the S3 bucket ACL and object ACLs need to be examined first to determine whether any data is publicly accessible.
256. A security engineer needs to build a solution to turn AWS CloudTrail back on in multiple AWS Regions in case it is ever turned off. What is the MOST efficient way to implement this solution?
A. Use AWS Config with a managed rule to trigger the AWS-EnableCloudTrail remediation.
B. Create an Amazon EventBridge (Amazon CloudWatch Events) event with a cloudtrail.amazonaws.com event source and a StartLogging event name to trigger an AWS Lambda function to call the StartLogging API.
C. Create an Amazon CloudWatch alarm with a cloudtrail.amazonaws.com event source and a StopLogging event name to trigger an AWS Lambda function to call the StartLogging API.
D. Monitor AWS Trusted Advisor to ensure CloudTrail logging is enabled.
257. A company needs to encrypt all of its data stored in Amazon S3. The company wants to use AWS Key Management Service (AWS KMS) to create and manage its encryption keys. The company’s security policies require the ability to import the company’s own key material for the keys, set an expiration date on the keys, and delete keys immediately, if needed. How should a security engineer set up AWS KMS to meet these requirements?
A. Configure AWS KMS and use a custom key store. Create a customer managed CMK with no key material. Import the company’s keys and key material into the CMK.
B. Configure AWS KMS and use the default key store. Create an AWS managed CMK with no key material. Import the company’s keys and key material into the CMK.
C. Configure AWS KMS and use the default key store. Create a customer managed CMK with no key material. Import the company’s keys and key material into the CMK.
D. Configure AWS KMS and use a custom key store. Create an AWS managed CMK with no key material. Import the company’s keys and key material into the CMK.
258. A company has an application that uses an Amazon RDS PostgreSQL database. The company is developing an application feature that will store sensitive information for an individual in the database. During a security review of the environment, the company discovers that the RDS DB instance is not encrypting data at rest. The company needs a solution that will provide encryption at rest for all the existing data and for any new data that is entered for an individual. Which combination of options can the company use to meet these requirements? (Choose two.)
A. Create a snapshot of the DB instance. Copy the snapshot to a new snapshot, and enable encryption for the copy process. Use the new snapshot to restore the DB instance.
B. Modify the configuration of the DB instance by enabling encryption. Create a snapshot of the DB instance. Use the snapshot to restore the DB instance.
C. Use AWS Key Management Service (AWS KMS) to create a new default AWS managed aws/rds key. Select this key as the encryption key for operations with Amazon RDS.
D. Use AWS Key Management Service (AWS KMS) to create a new CMK. Select this key as the encryption key for operations with Amazon RDS.
E. Create a snapshot of the DB instance. Enable encryption on the snapshot. Use the snapshot to restore the DB instance.
259. A security engineer needs to create an Amazon S3 bucket policy to grant least privilege read access to IAM user accounts that are named User1, User2 and User3. These IAM user accounts are members of the AuthorizedPeople IAM group. The security engineer drafts the following S3 bucket policy:
When the security engineer tries to add the policy to the S3 bucket, the following message appears: “Missing required field Principal.” The security engineer is adding a Principal element to the policy. The addition must provide read access to only User1, User2 and User3. Which solution meets these requirements?
A.
B.
C.
D.
260. A company is hosting a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application has become the target of a DoS attack. Application logging shows that requests are coming from a small number of client IP addresses, but the addresses change regularly. The company needs to block the malicious traffic with a solution that requires the least amount of ongoing effort. Which solution meets these requirements?
A. Create an AWS WAF rate-based rule, and attach it to the ALB.
B. Update the security group that is attached to the ALB to block the attacking IP addresses.
C. Update the ALB subnet’s network ACL to block the attacking client IP addresses. D. Create a AWS WAF rate-based rule, and attach it to the security group of the EC2 instances.
261. A public subnet contains two Amazon EC2 instances. The subnet has a custom network ACL. A security engineer is designing a solution to improve the subnet security. The solution must allow outbound traffic to an internet service that uses TLS through port 443. The solution also must deny inbound traffic that is destined for MySQL port 3306. Which network ACL rule set meets these requirements?
A. Use inbound rule 100 to allow traffic on TCP port 443. Use inbound rule 200 to deny traffic on TCP port 3306. Use outbound rule 100 to allow traffic on TCP port 443.
B. Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port range 1024-65535. Use outbound rule 100 to allow traffic on TCP port 443.
C. Use inbound rule 100 to allow traffic on TCP port range 1024-65535. Use inbound rule 200 to deny traffic on TCP port 3306. Use outbound rule 100 to allow traffic on TCP port 443.
D. Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port 443. Use outbound rule 100 to allow traffic on TCP port 443.
262. A company has developed a new Amazon RDS database application. The company must secure the RDS database credentials for encryption in transit and encryption at rest. The company also must rotate the credentials automatically on a regular basis. Which solution meets these requirements?
A. Use AWS Systems Manager Parameter Store to store the database credentials. Configure automatic rotation of the credentials.
B. Use AWS Secrets Manager to store the database credentials. Configure automatic rotation of the credentials.
C. Store the database credentials in an Amazon S3 bucket that is configured with server-side encryption with S3 managed encryption keys (SSE-S3). Rotate the credentials with IAM database authentication.
D. Store the database credentials in Amazon S3 Glacier, and use S3 Glacier Vault Lock. Configure an AWS Lambda function to rotate credentials on a scheduled basis.
263. A company’s development team is designing an application using AWS Lambda and Amazon Elastic Container Service (Amazon ECS). The development team needs to create IAM roles to support these systems. The company’s security team wants to allow the developers to build IAM roles directly, but the security team wants to retain control over the permissions the developers can delegate to those roles. The development team needs access to more permissions than those required for application’s AWS services. The solution must minimize management overhead. How should the security team prevent privilege escalation for both teams?
A. Enable AWS CloudTrail. Create a Lambda function that monitors the event history for privilege escalation events and notifies the security team.
B. Create a managed IAM policy for the permissions required. Reference the IAM policy as a permissions boundary within the development team’s IAM role.
C. Enable AWS Organizations. Create an SCP that allows the iam:CreateUser action but that has a condition that prevents API calls other than those required by the development team.
D. Create an IAM policy with a deny on the iam:CreateUser action and assign the policy to the development team. Use a ticket system to allow the developers to request new IAM roles for their applications. The IAM roles will then be created by the security team.
264. A security engineer has enabled AWS Security Hub in their AWS account, and has enabled the Center for Internet Security (CIS) AWS Foundations compliance standard. No evaluation results on compliance are returned in the Security Hub console after several hours. The engineer wants to ensure that Security Hub can evaluate their resources for CIS AWS Foundations compliance. Which steps should the security engineer take to meet these requirements?
A. Add full Amazon Inspector IAM permissions to the Security Hub service role to allow it to perform the CIS compliance evaluation.
B. Ensure that AWS Trusted Advisor is enabled in the account, and that the Security Hub service role has permissions to retrieve the Trusted Advisor security-related recommended actions.
C. Ensure that AWS Config is enabled in the account, and that the required AWS Config rules have been created for the CIS compliance evaluation.
D. Ensure that the correct trail in AWS CloudTrail has been configured for monitoring by Security Hub, and that the Security Hub service role has permissions to perform the GetObject operation on CloudTrail’s Amazon S3 bucket.
265. A company has two AWS accounts: Account A and Account B. Account A has an IAM role that IAM users in Account B assume when they need to upload sensitive documents to Amazon S3 buckets in Account A. A new requirement mandates that users can assume the role only if they are authenticated with multi-factor authentication (MFA). A security engineer must recommend a solution that meets this requirement with minimum risk and effort. Which solution should the security engineer recommend?
A. Add an aws:MultiFactorAuthPresent condition to the role’s permissions policy.
B. Add an aws:MultiFactorAuthPresent condition to the role’s trust policy.
C. Add an aws:MultiFactorAuthPresent condition to the session policy.
D. Add an aws:MultiFactorAuthPresent condition to the S3 bucket policies.
266. A company is developing an ecommerce application. The application uses Amazon EC2 instances and an Amazon RDS MySQL database. For compliance reasons, data must be secured in transit and at rest. The company needs a solution that minimizes operational overhead and minimizes cost. Which solution meets these requirements?
A. Use TLS certificates from AWS Certificate Manager (ACM) with an Application Load Balancer. Deploy self-signed certificates on the EC2 instances. Ensure that the database client software uses a TLS connection to Amazon RDS. Enable encryption of the RDS DB instance. Enable encryption on the Amazon Elastic Block Store (Amazon EBS) volumes that support the EC2 instances.
B. Use TLS certificates from a third-party vendor with an Application Load Balancer. Install the same certificates on the EC2 instances. Ensure that the database client software uses a TLS connection to Amazon RDS. Use AWS Secrets Manager for client-side encryption of application data.
C. Use AWS CloudHSM to generate TLS certificates for the EC2 instances. Install the TLS certificates on the EC2 instances. Ensure that the database client software uses a TLS connection to Amazon RDS. Use the encryption keys form CloudHSM for client-side encryption of application data.
D. Use Amazon CloudFront with AWS WAF. Send HTTP connections to the origin EC2 instances. Ensure that the database client software uses a TLS connection to Amazon RDS. Use AWS Key Management Service (AWS KMS) for client-side encryption of application data before the data is stored in the RDS database.
267. A company is undergoing a layer 3 and layer 4 DDoS attack on its web servers running on AWS. Which combination of AWS services and features will provide protection in this scenario? (Choose three.)
A. Amazon Route 53
B. AWS Certificate Manager (ACM)
C. Amazon S3
D. AWS Shield
E. Elastic Load Balancer F. Amazon GuardDuty
268. A user in account 111122223333 is receiving an access denied error message while calling the AWS Key Management Service (AWS KMS) GenerateDataKey API operation. The key policy contains the following statement:
Account 123456is not using AWS Organizations SCPs.
Which combination of steps should a security engineer take to ensure that KMSUser can perform the action on the key? (Choose two.)
A. Modify the key policy to include the key’s key ID in the Resource field.
B. Verify that KMSUser has no explicit denies for the GenerateDataKey action in its attached IAM policies.
C. Verify that KMSUser is allowed to perform the GenerateDataKey action in its attached IAM policies for the encryption context.
D. Ensure that KMSUser is including the encryption context key-value pair in its GenerateDataKey.
E. Revoke any KMS grants on the key that are denying the GenerateDataKey action for KMSUser.
269. A company is building an application on AWS that will store sensitive information. The company has a support team with access to the IT infrastructure, including databases. The company’s security engineer must introduce measures to protect the sensitive data against any data breach while minimizing management overhead. The credentials must be regularly rotated. What should the security engineer recommend?
A. Enable Amazon RDS encryption to encrypt the database and snapshots. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instances. Include the database credential in the EC2 user data field. Use an AWS Lambda function to rotate database credentials. Set up TLS for the connection to the database.
B. Install a database on an Amazon EC2 instance. Enable third-party disk encryption to encrypt Amazon Elastic Block Store (Amazon EBS) volume. Store the database credentials in AWS CloudHSM with automatic rotation. Set up TLS for the connection to the database.
C. Enable Amazon RDS encryption to encrypt the database and snapshots. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instances. Store the database credentials in AWS Secrets Manager with automatic rotation. Set up TLS for the connection to the RDS hosted database.
D. Set up an AWS CloudHSM cluster with AWS Key Management Service (AWS KMS) to store KMS keys. Set up Amazon RDS encryption using AWS KMS to encrypt the database. Store the database credentials in AWS Systems Manager Parameter Store with automatic rotation. Set up TLS for the connection to the RDS hosted database.
270. A company is developing a mobile shopping web app. The company needs an environment that is configured to encrypt all resources in transit and at rest. A security engineer must develop a solution that will encrypt traffic in transit to the company’s Application Load Balancer and Amazon API Gateway resources. The solution also must encrypt traffic at rest for Amazon S3 storage. What should the security engineer do to meet these requirements?
A. Use AWS Certificate Manager (ACM) for encryption in transit. Use AWS Key Management Service for encryption at rest.
B. Use AWS Certificate Manager (ACM) for encryption in transit and encryption at rest.
C. Use AWS Key Management Service for encryption in transit. Use AWS Certificate Manager (ACM) for encryption at rest.
D. Use AWS Key Management Service for encryption in transit and encryption at rest.
271. A security team is implementing a centralized logging solution to meet requirements for auditing. The solution must be able to aggregate logs from Amazon CloudWatch and AWS CloudTrail to an account that is controlled by the security team. This approach must be usable across the entire organization in AWS Organizations. Which solution meets these requirements in the MOST operationally efficient manner?
A. In each AWS account, create an Amazon Kinesis Data Firehose delivery stream that has a destination of Amazon S3 in the security team’s account. Create a subscription for each Amazon CloudWatch Logs log group in each AWS account to the Kinesis Data Firehose delivery stream in the same account. For the organization, create a CloudTrail trail that has a destination of Amazon S3.
B. In the security team’s account, create an Amazon Kinesis Data Firehose delivery stream that has a destination of Amazon S3 in the same account. Create a subscription for each Amazon CloudWatch Logs log group in each AWS account to the Kinesis Data Firehose delivery stream in the security team’s account. For each AWS account, create a CloudTrail trail that has a destination of Amazon S3.
C. In each AWS account, create an Amazon Kinesis data stream that has a destination of Amazon S3 in the security team’s account. Create a subscription for each Amazon CloudWatch Logs log group in each AWS account to the Kinesis data stream in the same account. For the organization, create a CloudTrail trail that has a destination of Amazon S3.
D. In the security team’s account, create an Amazon Kinesis data stream that has a destination of Amazon S3 in the same account. Create a subscription for each Amazon CloudWatch Logs log group in each AWS account to the Kinesis data stream in the security team’s account. For each AWS account, create a CloudTrail trail that has a destination of Amazon S3.
272. A company needs its Amazon Elastic Block Store (Amazon EBS) volumes to be encrypted at all times. During a security incident, EBS snapshots of suspicious instances are shared to a forensics account for analysis. A security engineer attempting to share a suspicious EBS snapshot to the forensics account receives the following error: “Unable to share snapshot. An error occurred (OperationNotPermitted) when calling the ModifySnapshotAttribute operation: Encrypted snapshots with EBS default key cannot be shared” Which combination of steps should the security engineer take in the incident account to complete the sharing operation? (Choose three.)
A. Create a customer managed CMK. Copy the EBS snapshot encrypting the destination snapshot using the new CMK.
B. Allow forensics accounting principals to use the CMK by modifying its policy.
C. Create an Amazon EC2 instance. Attach the encrypted and suspicious EBS volume. Copy data from the suspicious volume to an unencrypted volume. Snapshot the unencrypted volume.
D. Copy the EBS snapshot to the new decrypted snapshot.
E. Restore a volume from the suspicious EBS snapshot. Create an unencrypted EBS volume of the same size.
F. Share the target EBS snapshot with the forensics account.
273. A company is hosting multiple applications within a single VPC in its AWS account. The applications are running behind an Application Load Balancer that is associated with an AWS WAF web ACL. The company’s security team has identified that multiple port scans are originating from a specific range of IP addresses on the internet. A security engineer needs to deny access from the offending IP addresses. Which solution will meet these requirements?
A. Modify the AWS WAF web ACL with an IP set match rule statement to deny incoming requests from the IP address range.
B. Add a rule to all security groups to deny the incoming requests from the IP address range.
C. Modify the AWS WAF web ACL with a rate-based rule statement to deny incoming requests from the IP address range.
D. Configure the AWS WAF web ACL with regex match conditions. Specify a pattern set to deny the incoming requests based on the match condition.
274. A company plans to create individual child accounts within an existing organization in AWS Organizations for each of its DevOps teams. AWS CloudTrail has been enabled and configured on all accounts to write audit logs to an Amazon S3 bucket in a centralized AWS account. A security engineer needs to ensure that DevOps team members are unable to modify or disable this configuration. How can the security engineers meet these requirements?
A. Create an IAM policy that prohibits changes to the specific CloudTrail trail and apply the policy to the AWS account root user.
B. Create an S3 bucket policy in the specified destination account for the CloudTrail trail that prohibits configuration changes from the AWS account root user in the source account.
C. Create an SCP that prohibits changes to the specific CloudTrail trail and apply the SCP to the appropriate organizational unit or account in Organizations.
D. Create an IAM policy that prohibits changes to the specific CloudTrail trail and apply to a new IAM group. Have team members use individual IAM accounts that are members of the new IAM group.
275. A company has an IAM group. All of the IAM users in the group have been assigned a multi-factor authentication (MFA) device and have full access to Amazon S3. The company needs to ensure that users in the group can perform S3 actions only after the users authenticate with MFA. A security engineer must design a solution that accomplishes this goal with the least maintenance overhead. Which combination of actions will meet these requirements? (Choose two.)
A. Add a customer managed Deny policy to users in the group for s3:*actions.
B. Add a customer managed Deny policy to the group for s3:*actions.
C. Add a customer managed Allow policy to the group for s3:*actions.
D. Add a condition to the policy: “Condition” : { “BoolIfExists” : { “aws:MultiFactorAuthPresent” : false } }
E. Add a condition to the policy: “Condition” : { “Bool” : { “aws:MultiFactorAuthPresent” : false } }
276. A company uses Amazon RDS for MySQL as a database engine for its applications. A recent security audit revealed an RDS instance that is not compliant with company policy for encrypting data at rest. A security engineer at the company needs to ensure that all existing RDS databases are encrypted using server-side encryption and that any future deviations from the policy are detected. Which combination of steps should the security engineer take to accomplish this? (Choose two.)
A. Create an AWS Config rule to detect the creation of encrypted RDS databases. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to trigger on the AWS Config rules compliance state change and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.
B. Use AWS System Manager State Manager to detect RDS database encryption configuration drift. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to track state changes and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.
C. Create a read replica for the existing unencrypted RDS database and enable replica encryption in the process. Once the replica becomes active, promote it into a standalone database instance and terminate the unencrypted database instance.
D. Take a snapshot of the unencrypted RDS database. Copy the snapshot and enable snapshot encryption in the process. Restore the database instance from the newly created encrypted snapshot. Terminate the unencrypted database instance.
E. Enable encryption for the identified unencrypted RDS instance by changing the configurations of the existing database.
277. A security engineer has been tasked with implementing a solution that allows the company’s development team to have interactive command line access to Amazon EC2 Linux instances using the AWS Management Console. Which steps should the security engineer take to satisfy this requirement maintaining least privilege?
A. Enable AWS Systems Manager in the AWS Management Console and configure for access to EC2 instances using the default AmazonEC2RoleforSSM role. Install the Systems Manager Agent on all EC2 Linux instances that need interactive access. Configure IAM user policies to allow development team access to the Systems Manager Session Manager and attach to the team’s IAM users.
B. Enable console SSH access in the EC2 console. Configure IAM user policies to allow development team access to the AWS Systems Manager Session Manager and attach to the development team’s IAM users.
C. Enable AWS Systems Manager in the AWS Management Console and configure to access EC2 instances using the default AmazonEC2RoleforSSM role. Install the Systems Manager Agent on all EC2 Linux instances that need interactive access. Configure a security group that allows SSH port 22 from all published IP addresses. Configure IAM user policies to allow development team access to the AWS Systems Manager Session Manager and attach to the team’s IAM users.
D. Enable AWS Systems Manager in the AWS Management Console and configure to access EC2 instances using the default AmazonEC2RoleforSSM role. Install the Systems Manager Agent on all EC2 Linux instances that need interactive access. Configure IAM user policies to allow development team access to the EC2 console and attach to the team’s IAM users.
278. A company’s on-premises networks are connected to VPCs using an AWS Direct Connect gateway. The company’s on-premises application needs to stream data using an existing Amazon Kinesis Data Firehose delivery stream. The company’s security policy requires that data be encrypted in transit using a private network. How should the company meet these requirements?
A. Create a VPC endpoint for Kinesis Data Firehose. Configure the application to connect to the VPC endpoint.
B. Configure an IAM policy to restrict access to Kinesis Data Firehose using a source IP condition. Configure the application to connect to the existing Firehose delivery stream.
C. Create a new TLS certificate in AWS Certificate Manager (ACM). Create a public-facing Network Load Balancer (NLB) and select the newly created TLS certificate. Configure the NLB to forward all traffic to Kinesis Data Firehose. Configure the application to connect to the NLB.
D. Peer the on-premises network with the Kinesis Data Firehose VPC using Direct Connect. Configure the application to connect to the existing Firehose delivery stream.
279. A company has implemented AWS WAF and Amazon CloudFront for an application. The application runs on Amazon EC2 instances that are part of an Auto Scaling group. The Auto Scaling group is behind an Application Load Balancer (ALB). The AWS WAF web ACL uses an AWS Managed Rules rule group and is associated with the CloudFront distribution. CloudFront receives the request from AWS WAF and uses the ALB as the distribution’s origin. During a security review, a security engineer discovers that the infrastructure is susceptible to a large, layer 7 DDoS attack. How can the security engineer improve the security at the edge of the solution to defend against this type of attack?
A. Configure the CloudFront distribution to use the Lambda@Edge feature. Create an AWS Lambda function that imposes a rate limit on CloudFront viewer requests. Block the request if the rate limit is exceeded.
B. Configure the AWS WAF web ACL so that the web ACL has more capacity units to process all AWS WAF rules faster.
C. Configure AWS WAF with a rate-based rule that imposes a rate limit that automatically blocks requests when the rate limit is exceeded.
D. Configure the CloudFront distribution to use AWS WAF as its origin instead of the ALB.
280. A development team is using an AWS Key Management Service (AWS KMS) CMK to try to encrypt and decrypt a secure string parameter from AWS Systems Manager Parameter Store. However, the development team receives an error message on each attempt. Which issues that are related to the CMK could be reasons for the error? (Choose two.)
A. The CMK is used in the attempt does not exist.
B. The CMK is used in the attempt needs to be rotated.
C. The CMK is used in the attempt is using the CMK’s key ID instead of the CMK ARN.
D. The CMK is used in the attempt is not enabled.
E. The CMK is used in the attempt is using an alias.
281. A company uses AWS Config and AWS Organizations. One of the company’s account administrators recently turned off AWS Config recording, and a critical security incident was not logged properly. The company’s security engineer must create an SCP that will deny all users the ability to stop AWS Config. The SCP also must allow the ApprovedAdministrator role to edit AWS Config settings. Which SCP meets these requirements?
A.
B.
C.
D.
282. A company stores images for a website in an Amazon S3 bucket. The company is using Amazon CloudFront to serve the images to the end users. The company recently discovered that the images are being accessed from countries where the company does not have a distribution license. Which actions should the company take to secure the images to limit their distribution? (Choose two.)
A. Update the S3 bucket policy to restrict access to a CloudFront origin access identity (OAI).
B. Update the website DNS record to use an Amazon Route 53 geolocation record deny list of countries where the company lacks a license.
C. Add a CloudFront geo restriction deny list of countries where the company lacks a license.
D. Update the S3 bucket policy with a deny list of countries where the company lacks a license.
E. Enable the Restrict Viewer Access option in CloudFront to create a deny list of countries where the company lacks a license.
283. An audit determined that a company’s Amazon EC2 instance security group violated company policy by allowing unrestricted incoming SSH traffic. A security engineer must implement a near real-time monitoring and alerting solution that will notify administrators of such violations. Which solution meets these requirements with the MOST operational efficiency?
A. Create a recurring Amazon Inspector assessment run that runs every day and uses the Network Reachability package. Create an Amazon CloudWatch rule that invokes an AWS Lambda function when an assessment rum starts. Configure the Lambda function to retrieve and evaluate the assessment run report when it completes. Configure the Lambda function also to publish an Amazon Simple Notification Service (Amazon SNS) notification if there are any violations for unrestricted incoming SSH traffic.
B. Use the restricted-ssh AWS Config managed rule that is invoked by security group configuration changes that are not compliant. Use the AWS Config remediation feature to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic.
C. Configure VPC Flow Logs for the VPC, and specify an Amazon CloudWatch Logs group. Subscribe the CloudWatch Logs group to an AWS Lambda function that parses new log entries, detects successful connections on port 22, and publishes a notification through Amazon Simple Notification Service (Amazon SNS).
D. Create a recurring Amazon Inspector assessment run that runs every day and uses the Security Best Practices package. Create an Amazon CloudWatch rule that invokes an AWS Lambda function when an assessment rum starts. Configure the Lambda function to retrieve and evaluate the assessment run report when it completes. Configure the Lambda function also to publish an Amazon Simple Notification Service (Amazon SNS) notification if there are any violations for unrestricted incoming SSH traffic.
284. A large company has hundreds of AWS accounts. The company needs to provide its employees with access to these accounts. The solution must maximize scalability and operational efficiency. Which solution meets these requirements?
A. With each AWS account, create dedicated IAM users that employees can assume through federation based upon group membership in their existing identity provider. B. Use a centralized account with IAM roles that employees can assume through federation with their existing identity provider. Create a custom authorizer by using AWS SDK to give federated users the ability to assume their target role in the resource accounts.
C. Implement AWS Control Tower for multi-account management by integrating AWS Single Sign-On with the company’s existing identity provider. Create IAM roles for the identity provider to assume.
D. Configure the IAM trust policies within each account’s role to set up a trust back to the company’s existing identity provider. Allow users to assume the role based on their SAML token.
285. A user is implementing a third-party web application on an Amazon EC2 instance. All client communications must be over HTTPS, and traffic must be terminated before it reaches the instance. Communication to the instance must be over port 80. Company policy requires that workloads reside in private subnets. Which solution meets these requirements?
A. Create an Application Load Balancer. Add an HTTP listener for port 80 to redirect traffic to HTTPS on port 443. Add another listener with an AWS Certificate Manager (ACM) certificate for termination and a rule that forwards to the target instance through port 80.
B. Allocate an Elastic IP address that has SSL termination activated. Associate the Elastic IP address with the instance on port 80.
C. Create a Gateway Load Balancer. Add an HTTP listener for port 80 to redirect traffic to HTTPS on port 443. Add another listener with an AWS Certificate Manager (ACM) certificate for termination and a rule that forwards to the target instance through port 80.
D. Implement a Network Load Balancer. Add an HTTP listener for port 80 to redirect traffic to HTTPS on port 443. Add another listener with an AWS Certificate Manager (ACM) certificate for termination and a rule that forwards to the target instance through port 80.
286. A company uses AWS CodePipeline for its software builds. Company policy mandates that code must be deployed to the staging environment before it is deployed to the production environment. The company needs to implement monitoring and alerting to detect when a CodePipeline pipeline is used to deploy code to production without the code first being deployed to staging. What should a security engineer do to meet these requirements?
A. Enable Amazon GuardDuty to monitor AWS CloudTrail for CodePipeline. Configure findings through AWS Security Hub, and create a custom action in Security Hub to send to Amazon Simple Notification Service (Amazon SNS).
B. Use the AWS Cloud Development Kit (AWS CDK) to model reference-architecture CodePipeline pipeline that deploys application code through the staging environment and then the production environment.
C. Turn on AWS Config recording. Use a custom AWS Config rule to examine each CodePipeline pipeline for compliance. Configure an Amazon Simple Notification Service (Amazon SNS) notification on any change that is not in compliance with the rule. Add the desired receiver of the notification as a subscriber to the SNS topic.
D. Use Amazon Inspector to conduct an assessment of the CodePipeline pipelines and send a notification upon the discovery of a pipeline that is not in compliance. Add the desired receiver of the notification as a subscriber to the Amazon Simple Notification Service (Amazon SNS) topic.
287. An application is running on an Amazon EC2 instance that has an IAM role attached. The IAM role provides access to an AWS Key Management Service (AWS KMS) customer managed key and an Amazon S3 bucket. A security engineer discovers a potential vulnerability on the EC2 instance that could result in the compromise of the sensitive data. Due to other critical operations, the security engineer cannot immediately shut down the EC2 instance for vulnerability patching. What is the FASTEST way to prevent the sensitive data from being exposed?
A. Download the data from the existing S3 bucket to a new EC2 instance. Then delete the data from the S3 bucket. Re-encrypt the data with a client-based key. Upload the data to a new S3 bucket.
B. Block access to the public range of S3 endpoint IP addresses by using a host-based firewall. Ensure that internet-bound traffic from the affected EC2 instance is routed through the host-based firewall.
C. Revoke the IAM role’s active session permissions. Update the S3 bucket policy to deny access to the IAM role. Remove the IAM role from the EC2 instance profile.
D. Disable the current key. Create a new KMS key that the IAM role does not have access to, and re-encrypt all the data with the new key. Schedule the compromised key for deletion.
289. A company needs to use HTTPS when connecting to its web applications to meet compliance requirements. These web applications run in Amazon VPC on Amazon EC2 instances behind an Application Load Balancer (ALB). A security engineer wants to ensure that the load balancer will only accept connections over port 443, even if the ALB is mistakenly configured with an HTTP listener. Which configuration steps should the security engineer take to accomplish this task?
A. Create a security group with a rule that denies inbound connections from 0.0.0.0/0 on port 80. Attach this security group to the ALB to overwrite more permissive rules from the ALB’s default security group.
B. Create a network ACL that denies inbound connections from 0.0.0.0/0 on port 80. Associate the network ACL with the VPC’s internet gateway.
C. Create a network ACL that allows outbound connections to the VPC IP range on port 443 only. Associate the network ACL with the VPC’s internet gateway.
D. Create a security group with a single inbound rule that allows connections from 0.0.0.0/0 on port 443. Ensure this security group is the only one associated with the ALB.
290. A company maintains an open-source application that is hosted on a public GitHub repository. While creating a new commit to the repository, an engineer uploaded their AWS access key and secret access keys. The engineer reported the mistake to a manager, and the manager immediately disabled the access key. The company needs to assess the impact of the exposed access key. A security engineer must recommend a solution that requires the least possible managerial overhead. Which solution meets these requirements?
A. Analyze an AWS Identity and Access Management (IAM) use report from AWS Trusted Advisor to see when the access key was last used.
B. Analyze Amazon CloudWatch Logs for activity by searching for the access key.
C. Analyze VPC flow logs for activity by searching for the access key.
D. Analyze a credential report in AWS Identity and Access Management (IAM) to see when the access key was last used.
291. A security engineer must use AWS Key Management Service (AWS KMS) to design a key management solution for a set of Amazon Elastic Block Store (Amazon EBS) volumes that contain sensitive data. The solution needs to ensure that the key material automatically expires in 90 days. Which solution meets these criteria?
A. A customer managed CMK that uses customer provided key material
B. A customer managed CMK that uses AWS provided key material
C. An AWS managed CMK
D. Operation system-native encryption that uses GnuPG
292. A company uses a third-party identity provider and SAML-based SSO for its AWS accounts. After the third-party identity provider renewed an expired signing certificate, users saw the following message when trying to log in:
A security engineer needs to provide a solution that corrects the error and minimizes operational overhead. Which solution meets these requirements?
A. Upload the third-party signing certificate’s new private key to the AWS identity provider entity defined in AWS Identity and Access Management (IAM) by using the AWS Management Console.
B. Sign the identity provider’s metadata file with the new public key. Upload the signature to the AWS identity provider entity defined in AWS Identity and Access Management (IAM) by using the AWS CLI.
C. Download the updated SAML metadata file from the identity service provider. Update the file in the AWS identity provider entity defined in AWS Identity and Access Management (IAM) by using the AWS CLI.
D. Configure the AWS identity provider entity defined in AWS Identity and Access Management (IAM) to synchronously fetch the new public key by using the AWS Management Console.
293. A company recently deployed a new AWS account and wants to be notified immediately if a specific number of unauthorized AWS API requests are detected. A security engineer has turned on AWS CloudTrail for the account and is sending CloudTrail logs to Amazon CloudWatch. Which other action must the security engineer perform to receive automated alerts about unauthorized AWS API calls?
A. Create a CloudWatch metric filter that looks for API call error codes. Configure an alarm that is based on that metric’s rate to send an Amazon Simple Notification Service (Amazon SNS) notification when the threshold is exceeded.
B. Configure CloudTrail to stream event data to Amazon Kinesis Data Streams. Configure an AWS Lambda function on the stream to initiate an alarm when the threshold is exceeded.
C. Run an Amazon Athena SQL query against CloudTrail log files for unauthorized API requests. Use Amazon QuickSight to create an operational dashboard.
D. Use the AWS Personal Health Dashboard to monitor the account’s use of AWS services and to provide an alert if service error rates increase.
294. A company is running an Amazon RDS Multi-AZ DB instance inside a VPC. The DB instance is using two subnets that provide a default route to the internet through a NAT gateway. The company also has application servers that run on Amazon EC2 instances that use the RDS database. The company has deployed these EC2 instances into two other private subnets within the same VPC. These EC2 instances use a default route to access the internet through the same NAT gateway. Each subnet in the VPC uses its own unique route table. After a recent security audit, the company added a new security requirement. The DB instance must never be able to connect to the internet. A security engineer must make this change immediately without disrupting the application servers’ network traffic. How can the security engineer meet these requirements?
A. Remove the existing NAT gateway. Create a new NAT gateway that only the application server subnets can use.
B. Configure the DB instance’s inbound network ACL to deny traffic from the security group ID of the NAT gateway.
C. Modify the route tables of the DB instance subnets to remove the default route to the NAT gateway.
D. Configure the route table of the NAT gateway to deny connections to the DB instance subnets.
295. A company is using Amazon GuardDuty in its AWS environment. The company asks a security engineer to suspend GuardDuty. Which combination of steps must the security engineer perform to meet this requirement? (Choose two.)
A. Disable all optional data sources from all detectors in all regions.
B. Disassociate or delete all member accounts.
C. Disable all associated monitoring services.
D. Delete all existing findings.
E. Export all existing findings.
296. The security engineer implemented a new vault stock policy for 10TB of data and called initiate vault-lock 12 hours ago. The audit team identified a typo that is allowing incorrect access to the vault. What is the MOST cost-effective way to correct this?
A. Call the abort-vault-lock operation, fix the typo, and call the initiate-vault-lock again.
B. Copy the vault data to Amazon S3, delete the vault, and create a new vault with the data.
C. Update the policy, keeping the vault lock in place.
D. Update the policy, and call initiate-vault-lock again to apply the new policy.
297. A company has a PHP-based web application that uses Amazon S3 as an object store for user files. The S3 bucket that stores the files is configured for server-side encryption with S3 managed encryption keys (SSE-S3). According to new security requirements, the company must control all encryption keys. Additionally, all objects in the S3 bucket must be encrypted by a key that the company controls. Which combination of steps must a security engineer take to meet these requirements? (Choose three.)
A. Create a new-customer managed CMK in AWS Key Management Service (AWS KMS).
B. Change the SSE-S3 configuration on the S3 bucket to server-side encryption with customer provided encryption keys (SSE-C).
C. Configure the PHP SDK to use the SSE-S3 key to encrypt the data before the data is uploaded to Amazon S3.
D. Create an AWS managed CMK for Amazon S3 in AWS Key Management Service (AWS KMS).
E. Change the SSE-S3 configuration on the S3 bucket to server-side encryption with AWS KMS managed encryption keys (SSE-KMS). F. Change all the S3 objects in the bucket to use the new encryption key.
298. A company wants to establish separate AWS Key Management Service (AWS KMS) keys to use for different AWS services. The company’s security engineer created the following key policy to allow the infrastructure deployment team to create encrypted Amazon Elastic Block Store (Amazon EBS) volumes by assuming the Infrastructure Deployment IAM role:
The security engineer recently discovered that IAM roles other than the InfrastructureDeployment role used this key for other services. Which change to the policy should the security engineer make to resolve these issues?
A. In the statement block that contains the Sid “Allow use of the key”, under the “Condition” block, change StringEquals to StringLike.
B. In the policy document, remove the statement block that contains the Sid “Enable IAM User Permissions”. Add key management policies to the KMS policy.
C. In the statement block that contains the Sid “Allow use of the key”, under the “Condition” block, change the kms:ViaService value to ec2.us-east-1.amazonaws.com.
D. In the policy document, add a new statement block that grants the kms:Disable* permission to the security engineer’s IAM role.
299. A security engineer is working with a company to design an ecommerce application. The application will run on Amazon EC2 instances that run in an Auto Scaling group behind an Application Load Balancer (ALB). The application will use an Amazon RDS DB instance for its database. The only require connectivity from the internet is for HTTP and HTTPS traffic to the application. The application must communicate with an external payment provider that allows traffic only from a preconfigured list of IP addresses. The company must ensure that communicators with the external payment provider are not interrupted as the environment scales. Which combination of actions should the security engineer recommend to meet these requirements? (Choose three.)
A. Deploy a NAT gateway in each private subnet for every Availability Zone that is in use.
B. Place the DB instance in a public subnet.
C. Place the DB instance in a private subnet.
D. Configure the Auto Scaling group to place the EC2 instances in a public subnet.
E. Configure the Auto Scaling group to place the EC2 instances in a private subnet.
F. Deploy the ALB in a private subnet.
300. A company’s application team needs to host a MySQL database on AWS. According to the company’s security policy, all data that is stored on AWS must be encrypted at rest. In addition, all cryptographic material must be compliant with FIPS 140-2 Level 3 validation. The application team needs a solution that satisfies the company’s security requirements and minimizes operational overhead. Which solution will meet these requirements?
A. Host the database on Amazon RDS. Use Amazon Elastic Block Store (Amazon EBS) for encryption. Use an AWS Key Management Service (AWS KMS) custom key store that is backed by AWS CloudHSM for key management.
B. Host the database on Amazon RDS. Use Amazon Elastic Block Store (Amazon EBS) for encryption. Use an AWS managed CMK in AWS Key Management Service (AWS KMS) for key management.
C. Host the database on an Amazon EC2 instance. Use Amazon Elastic Block Store (Amazon EBS) for encryption. Use a customer managed CMK in AWS Key Management Service (AWS KMS) for key management.
D. Host the database on an Amazon EC2 instance. Use Transparent Data Encryption (TDE) for encryption and key management.
301. A company is operating a website using Amazon CloudFront. CloudFront serves some content from Amazon S3 and other content from web servers running on Amazon EC2 instances behind an Application Load Balancer (ALB). Amazon DynamoDB is used as the data store. The company already uses AWS Certificate Manager (ACM) to store a public TLS certificate that can optionally secure connections between the website users and CloudFront. The company has a new requirement to enforce end-to-end encryption in transit. Which combination of steps should the company take to meet this requirement? (Choose three.)
A. Update the CloudFront distribution, configuring it to optionally use HTTPS when connecting to origins on Amazon S3.
B. Update the web application configuration on the web servers to use HTTPS instead of HTTPS when connecting to DynamoDB.
C. Update the CloudFront distribution to redirect HTTP connections to HTTPS.
D. Configure the web servers on the EC2 instances to listen using HTTPS using the public ACM TLS certificate. Update the ALB to connect to the target group using HTTPS.
E. Update the ALB listener to listen using HTTPS using the public ACM TLS certificate. Update the CloudFront distribution to connect to the HTTPS listener.
F. Create a TLS certificate. Configure the web servers on the EC2 instances to use HTTPS only with that certificate. Update the ALB to connect to the target group using HTTPS.
302. A company has a new AWS account that does not have AWS CloudTrail configured. The account has an IAM access key that was issued by AWS Security Token Service (AWS STS). A security engineer discovers that the IAM access key has been compromised within the last 24 hours. The security engineer must stop the compromised IAM access key from being used. The security engineer also must determine which activities the key has been used for so far. What should the security engineer do to meet these requirements?
A. In the CloudTrail console, under CloudTrail event history, search by access key for the compromised key, with the correlated events, and identify which IAM user the key belongs to. In the IAM console, revoke all active sessions for that IAM user.
B. Create a new CloudTrail trail. In the CloudTrail console, under CloudTrail event history, search by access key for the compromised key, view the correlated events, and identify which IAM user the key belongs to. In the IAM console, revoke all active sessions for that IAM user.
C. Create a new CloudTrail trail. In the CloudTrail console, under CloudTrail event history, search by access key for the compromised key, view the correlated events, and identify which IAM role the key belongs to. In the IAM console, delete that IAM role.
D. In the CloudTrail console, under CloudTrail event history, search by access key for the compromised key, view the correlated events, and identify which IAM role the key belongs to. In the IAM console, revoke all active sessions for that IAM role.
303. A company has a website with an Amazon CloudFront HTTPS distribution an Application Load Balancer (ALB) with multiple web instances for dynamic website content, and an Amazon S3 bucket for static website content. The company’s security engineer recently updated the website security requirements:
HTTPS needs to be enforced for all data in transit with specific ciphers. The CloudFront distribution needs to be accessible from the internet only. Which solution will meet these requirements?
A. Set up an S3 bucket policy with the aws:securetransport key. Configure the CloudFront origin access identity (OAI) with the S3 bucket. Configure CloudFront to use specific ciphers. Enforce the ALB with an HTTPS listener only and select the appropriate security policy for the ciphers. Link the ALB with AWS WAF to allow access from the CloudFront IP ranges.
B. Set up an S3 bucket policy with the aws:securetransport key. Configure the CloudFront origin access identity (OAI) with the S3 bucket. Enforce the ALB with an HTTPS listener only and select the appropriate security policy for the ciphers.
C. Modify the CloudFront distribution to use AWS WAF. Force HTTPS on the S3 bucket with specific ciphers in the bucket policy. Configure an HTTPS listener only for the ALB. Set up a security group to limit access to the ALB from the CloudFront IP ranges.
D. Modify the CloudFront distribution to use the ALB as the origin. Enforce an HTTP listener on the ALB. Create a path-based routing rule on the ALB with proxies that connect to Amazon S3. Create a bucket policy to allow access from these proxies only.
304. A company hosts a web-based application that captures and stores sensitive data in an Amazon DynamoDB table. A security audit reveals that the application does not provide end-to-end data protection or the ability to detect unauthorized data changes. The software engineering team needs to make changes that will address the audit findings. Which set of steps should the software engineering team take?
A. Use an AWS Key Management Service (AWS CMK) CMK. Encrypt the data at rest.
B. Use AWS Certificate Manager (ACM) Private Certificate Authority. Encrypt the data in transit.
C. Use a DynamoDB encryption client. Use client-side encryption and sign the table items.
D. Use the AWS Encryption SDK. Use client-side encryption and sign the table items.
305. A company has a strict policy against using root credentials. The company’s security team wants to be alerted as soon as possible when root credentials are used to sign in to the AWS Management Console. How should the security team achieve this goal?
A. Use AWS Lambda to periodically query AWS CloudTrail for console login events and send alerts using Amazon Simple Notification Service (Amazon SNS).
B. Use Amazon EventBridge (Amazon CloudWatch Events) to monitor console logins and direct them to Amazon Simple Notification Service (Amazon SNS).
C. Use Amazon Athena to query AWS SSO logs and send alerts using Amazon Simple Notification Service (Amazon SNS) for root login events.
D. Configure AWS Resource Access Manager to review the access logs and send alerts using Amazon Simple Notification Service (Amazon SNS).
306. A security engineer recently rotated all IAM access keys in an AWS account. The security engineer then configured AWS Config and enabled the following AWS Config managed rules; mfa-enabled-for-iam-console-access, iam-user-mfa-enabled, access-key-rotated, and iam-user-unused-credentials-check. The security engineer notices that all resources are displaying as noncompliant after the IAM GenerateCredentialReport API operation is invoked. What could be the reason for the noncompliant status?
A. The IAM credential report was generated within the past 4 hours.
B. The security engineer does not have the GenerateCredentialReport permission.
C. The security engineer does not have the GetCredentialReport permission.
D. The AWS Config rules have a MaximumExecutionFrequency value of 24 hours.
307. A company wants to gain better control of its large number of AWS accounts by establishing a centralized location where the accounts can be managed. The company also wants to prevent any users outside the company-owned AWS accounts from accessing a company Amazon S3 bucket. Which solution meets these requirements with the LEAST amount of operational overhead?
A. Implement an organization in AWS Organizations. Build a detective control by monitoring AWS CloudTrail logs for attempts to access the S3 bucket from IP addresses outside the company.
B. Deploy an AWS Control Tower landing zone, and migrate the accounts. Create an S3 bucket policy that restricts access to only a principal list of accounts that have been manually entered.
C. Create an organization in AWS Organizations. Invite the AWS accounts to join the organization. Create a resource policy that includes a PrincipalOrgID condition key for the S3 bucket.
D. Invite all of the company’s AWS accounts into AWS Control Tower. Use AWS Control Tower’s automatic protection for the AWS accounts to deny access from external users.
308. A company’s engineering team is developing a new application that creates AWS Key Management Service (AWS KMS) CMK grants for users. Immediately after a grant is created, users must be able to use the CMK to encrypt a 512-byte payload. During load testing, a bug appears intermittently where AccessDeniedExceptions are occasionally triggered when a user first attempts to encrypt using the CMK. Which solution should the company’s security specialist recommend?
A. Instruct users to implement a retry mechanism every 2 minutes until the call succeeds.
B. Instruct the engineering team to consume a random grant token from users, and to call the CreateGrant operation, passing it the grant token. Instruct users to use that grant token in their call to encrypt.
C. Instruct the engineering team to create a random name for the grant when calling the CreateGrant operation. Return the name to the users and instruct them to provide the name as the grant token in the call to encrypt.
D. Instruct the engineering team to pass the grant token returned in the CreateGrant response to users. Instruct users to use that grant token in their call to encrypt.
309. A company uses Amazon GuardDuty to detect threats and malicious activities in AWS accounts. The company has subscribed to a third-party threat intelligence list uploaded to an Amazon S3 bucket. How should the security engineer efficiently use the threat list across all company AWS accounts?
A. Ensure the S3 bucket policy allows all company AWS accounts access to the threat list. Use an AWS Lambda function to automatically add the threat list to all company AWS accounts.
B. Ensure GuardDuty is in master-member configuration. Add the threat list to the master account referencing the S3 object that contains the threat list.
C. Ensure all accounts are part of the same organization in AWS Organizations. Add the threat list to any company account within AWS Organizations.
D. Ensure the threat list in the S3 bucket is publicly accessible. Use an Amazon CloudWatch Events event on GuardDuty findings to match IPs against the threat list.
310. A security engineer needs to create an AWS Key Management Service (AWS KMS) key that will be used to encrypt all data stored in a company’s Amazon S3 buckets in the us-west-1 Region. The key will use server-side encryption. Usage of the key must be limited to requests coming from Amazon S3 within the company’s account. Which statement in the KMS key policy will meet these requirements?
A.
B.
C.
D.
311. A company recently set up Amazon GuardDuty and is receiving a high number of findings from IP addresses within the company. A security engineer has verified that these IP addresses are trusted and allowed. Which combination of steps should the security engineer take to configure GuardDuty so that it does not produce findings for these IP addresses? (Choose two.)
A. Create a plaintext configuration file that contains the trusted IP addresses.
B. Create a JSON configuration file that contains the trusted IP addresses.
C. Upload the configuration file directly to GuardDuty.
D. Upload the configuration file to Amazon S3. Add a new trusted IP list to GuardDuty that points to the file.
E. Manually copy and paste the configuration file data into the trusted IP list in GuardDuty.
312. A company’s security engineer is configuring Amazon S3 permissions to ban all current and future public buckets. However, the company hosts several websites directly off S3 buckets with public access enabled. The engineer needs to block the public S3 buckets without causing any outages on the existing websites. The engineer has set up an Amazon CloudFront distribution for each website. Which set of steps should the security engineer implement next?
A. Configure an S3 bucket as the origin with an origin access identity (OAI) for the CloudFront distribution. Switch the DNS records for websites to point to the CloudFront distribution. Enable block public access settings at the account level.
B. Configure an S3 bucket as the origin with an origin access identity (OAI) for the CloudFront distribution. Switch the DNS records for the websites to point to the CloudFront distribution. Then, for each S3 bucket, enable block public access settings.
C. Configure an S3 bucket as the origin with an origin access identity (OAI) for the CloudFront distribution. Enable block public access settings at the account level.
D. Configure an S3 bucket as the origin for the CloudFront distribution. Configure the S3 bucket policy to accept connections from the CloudFront points of presence only. Switch the DNS records for the websites to point to the CloudFront distribution. Enable block public access settings at the account level.
313. A security engineer is analyzing Amazon GuardDuty findings. The security engineer observes an Impact value for ThreatPurpose in a GuardDuty finding. What does this value indicate?
A. An adversary has compromised an AWS resource so that the resource is capable of contacting its home command and control (C&C) server to receive further instructions for malicious activity.
B. GuardDuty is detecting activity or activity patterns that are different from the established baseline for a particular AWS resource.
C. GuardDuty is detecting activity or activity patterns that suggest that an adversary is attempting to manipulate, interrupt, or destroy the company’s systems and data.
D. GuardDuty is detecting activity or activity patterns that an adversary might use to expand its knowledge of the company’s systems and internal networks.
314. A company deployed Amazon GuardDuty in the us-east-1 Region. The company wants all DNS logs that relate to the company’s Amazon EC2 instances to be inspected. What should a security engineer do to ensure that the EC2 instances are logged?
A. Use IPv6 addresses that are configured for hostnames.
B. Configure external DNS resolvers as internal resolvers that are visible only to AWS.
C. Use AWS DNS resolvers for all EC2 instances.
D. Configure a third-party DNS resolver with logging for all EC2 instances.
315. A company has recently recovered from a security incident that required the restoration of Amazon EC2 instances from snapshots. After performing a gap analysis of its disaster recovery procedures and backup strategies, the company is concerned that, next time, it will not be able to recover the EC2 instances if the AWS account was compromised and Amazon EBS snapshots were deleted. All EBS snapshots are encrypted using an AWS KMS CMK. Which solution would solve this problem?
A. Create a new Amazon S3 bucket. Use EBS lifecycle policies to move EBS snapshots to the new S3 bucket. Move snapshots to Amazon S3 Glacier using lifecycle policies, and apply Glacier Vault Lock policies to prevent deletion.
B. Use AWS Systems Manager to distribute a configuration that performs local backups of all attached disks to Amazon S3.
C. Create a new AWS account with limited privileges. Allow the new account to access the AWS KMS key used to encrypt the EBS snapshots, and copy the encrypted snapshots to the new account on a recurring basis.
D. Use AWS Backup to copy EBS snapshots to Amazon S3.
316. A software-as-a-service (SaaS) company hosts an application on AWS in a VPC. External customers will use the application on their own Amazon EC2 instances. To access the application, the customers need to install a client application on an EC2 instance in a VPC in their AWS accounts. A security engineer is designing a solution to allow communication between the client software and the SaaS application. The solution must maximize scalability and security. Which combination of actions will meet these requirements? (Choose two.)
A. Create a Network Load Balancer (NLB) in the VPC in the SaaS company account. Use the NLB for TLS termination and load balancing. Use EC2 instances as targets for the NLB.
B. Create a Network Load Balancer (NLB) in the VPCs in the customer accounts. Use the NLB for TLS termination and load balancing. Use EC2 instances as targets for the NLB.
C. Create an AWS PrivateLink endpoint service in the VPCs in the customer accounts. Create a PrivateLink interface endpoint in the VPC in the SaaS company account.
D. Create an AWS PrivateLink endpoint service in the VPC in the SaaS company account. Create a PrivateLink interface endpoint in the VPCs in the customer accounts. E. Create a VPC peering connection between the VPC in the SaaS company account and the VPCs in the customer accounts. Create the required routes for a VPC peering connection.
317. A company is using Amazon Elastic Container Service (Amazon ECS) to deploy an application that deals with sensitive data. During a recent security audit, the company identified a security issue in which Amazon RDS credentials were stored with the application code in the company’s source code repository. A security engineer needs to develop a solution to ensure that database credentials are stored securely and rotated periodically. The credentials should be accessible to the application only. The engineer also needs to prevent database administrators from sharing database credentials as plaintext with other teammates. The solution must also minimize administrative overhead. Which solution meets these requirements?
A. Use the AWS Systems Manager Parameter Store to generate database credentials. Use an IAM profile for ECS tasks to restrict access to database credentials to specific containers only.
B. Use AWS Secrets Manager to store database credentials. Use an IAM inline policy for ECS tasks to restrict access to database credentials to specific containers only.
C. Use the AWS Systems Manager Parameter Store to store database credentials. Use IAM roles for ECS tasks to restrict access to database credentials to specific containers only.
D. Use AWS Secrets Manager to store database credentials. Use IAM roles for ECS tasks to restrict access to database credentials to specific containers only.
318. A company is outsourcing its operational support to an external company. The company’s security officer must implement an access solution for delegating operational support that minimizes overhead. Which approach should the security officer take to meet these requirements?
A. Implement Amazon Cognito identity pools with a role that uses a policy that denies the actions related to Amazon Cognito API management. Allow the external company to federate through its identity provider.
B. Federate AWS Identity and Access Management (IAM) with the external company’s identity provider. Create an IAM role and attach a policy with the necessary permissions.
C. Create an IAM group for the external company. Add a policy to the group that denies IAM modifications. Securely provide the credentials to the external company.
D. Use AWS SSO with the external company’s identity provider. Create an IAM group to map to the identity provider user group, and attach a policy with the necessary permissions.
319. A company’s policy requires that all API keys be encrypted and stored separately from source code in a centralized security account. This security account is managed by the company’s security team. However, an audit revealed that an API key is stored with the source code of an AWS Lambda function in an AWS CodeCommit repository in the DevOps account. How should the security team securely store the API key?
A. Create a CodeCommit repository in the security account using AWS Key Management Service (AWS KMS) for encryption. Require the development team to migrate the Lambda source code to this repository.
B. Store the API key in an Amazon S3 bucket in the security account using server-side encryption with Amazon S3 managed encryption keys (SSE-S3) to encrypt the key. Create a pre-signed URL for the S3 key, and specify the URL in a Lambda environmental variable in the AWS CloudFormation template. Update the Lambda function code to retrieve the key using the URL and call the API.
C. Create a secret in AWS Secrets Manager in the security account to store the API key using AWS Key Management Service (AWS KMS) for encryption. Grant access to the IAM role used by the Lambda function so that the function can retrieve the key from Secrets Manager and call the API.
D. Create an encrypted environment variable for the Lambda function to store the API key using AWS Key Management Service (AWS KMS) for encryption. Grant access to the IAM role used by the Lambda function so that the function can decrypt the key at runtime.
