Month End Sale Special - 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70dumps

SCS-C01 Questions and Answers

Question # 6

A security engineer is defining the controls required to protect the IAM account root user credentials in an IAM Organizations hierarchy. The controls should also limit the impact in case these credentials have been compromised.

Which combination of controls should the security engineer propose? (Select THREE.)

A)

B)

C) Enable multi-factor authentication (MFA) for the root user.

D) Set a strong randomized password and store it in a secure location.

E) Create an access key ID and secret access key, and store them in a secure location.

F) Apply the following permissions boundary to the toot user:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

E.

Option E

F.

Option F

Full Access
Question # 7

A company had developed an incident response plan 18 months ago. Regular implementations of the response plan are carried out. No changes have been made to the response plan have been made since its creation. Which of the following is a right statement with regards to the plan?

Please select:

A.

It places too much emphasis on already implemented security controls.

B.

The response plan is not implemented on a regular basis

C.

The response plan does not cater to new services

D.

The response plan is complete in its entirety

Full Access
Question # 8

An Incident Response team is investigating an IAM access key leak that resulted in Amazon EC2 instances being launched. The company did not discover the incident until many months later The Director of Information Security wants to implement new controls that will alert when similar incidents happen in the future

Which controls should the company implement to achieve this? {Select TWO.)

A.

Enable VPC Flow Logs in all VPCs Create a scheduled IAM Lambda function that downloads and parses the logs, and sends an Amazon SNS notification for violations.

B.

Use IAM CloudTrail to make a trail, and apply it to all Regions Specify an Amazon S3 bucket to receive all the CloudTrail log files

C.

Add the following bucket policy to the company's IAM CloudTrail bucket to prevent log tampering

{

"Version": "2012-10-17-,

"Statement": {

"Effect": "Deny",

"Action": "s3:PutObject",

"Principal": "-",

"Resource": "arn:IAM:s3:::cloudtrail/IAMLogs/111122223333/*"

}

}

Create an Amazon S3 data event for an PutObject attempts, which sends notifications to an Amazon SNS topic.

D.

Create a Security Auditor role with permissions to access Amazon CloudWatch Logs m all Regions Ship the logs to an Amazon S3 bucket and make a lifecycle policy to ship the logs to Amazon S3 Glacier.

E.

Verify that Amazon GuardDuty is enabled in all Regions, and create an Amazon CloudWatch Events rule for Amazon GuardDuty findings Add an Amazon SNS topic as the rule's target

Full Access
Question # 9

A company uses a third-party application to store encrypted data in Amazon S3. The company uses another third-party application trial decrypts the data from Amazon S3 to ensure separation of duties Between the applications A Security Engineer warns to separate the permissions using IAM roles attached to Amazon EC2 instances. The company prefers to use native IAM services.

Which encryption method will meet these requirements?

A.

Use encrypted Amazon EBS volumes with Amazon default keys (IAM EBS)

B.

Use server-side encryption with customer-provided keys (SSE-C)

C.

Use server-side encryption with IAM KMS managed keys (SSE-KMS)

D.

Use server-side encryption with Amazon S3 managed keys (SSE-S3)

Full Access
Question # 10

A Security Architect has been asked to review an existing security architecture and identify why the application servers cannot successfully initiate a connection to the database servers. The following summary describes the architecture:

1 An Application Load Balancer, an internet gateway, and a NAT gateway are configured in the public subnet 2. Database, application, and web servers are configured on three different private subnets.

3 The VPC has two route tables: one for the public subnet and one for all other subnets The route table for the public subnet has a 0 0 0 0/0 route to the internet gateway The route table for all other subnets has a 0 0.0.0/0 route to the NAT gateway. All private subnets can route to each other

4 Each subnet has a network ACL implemented that limits all inbound and outbound connectivity to only the required ports and protocols

5 There are 3 Security Groups (SGs) database application and web Each group limits all inbound and outbound connectivity to the minimum required

Which of the following accurately reflects the access control mechanisms the Architect should verify1?

A.

Outbound SG configuration on database servers Inbound SG configuration on application servers inbound and outbound network ACL configuration on the database subnet Inbound and outbound network ACL configuration on the application server subnet

B.

Inbound SG configuration on database servers

Outbound SG configuration on application servers

Inbound and outbound network ACL configuration on the database subnet

Inbound and outbound network ACL configuration on the application server subnet

C.

Inbound and outbound SG configuration on database servers Inbound and outbound SG configuration on application servers Inbound network ACL configuration on the database subnet Outbound network ACL configuration on the application server subnet

D.

Inbound SG configuration on database servers Outbound SG configuration on application servers Inbound network ACL configuration on the database subnet Outbound network ACL configuration on the application server subnet.

Full Access
Question # 11

A company has two VPCs in the same AWS Region and in the same AWS account Each VPC uses a CIDR block that does not overlap with the CIDR block of the other VPC One VPC contains AWS Lambda functions that run inside a subnet that accesses the internet through a NAT gateway. The Lambda functions require access to a publicly accessible Amazon Aurora MySQL database that is running in the other VPC

A security engineer determines that the Aurora database uses a security group rule that allows connections from the NAT gateway IP address that the Lambda functions use. The company's security policy states that no database should be publicly accessible.

What is the MOST secure way that the security engineer can provide the Lambda functions with access to the Aurora database?

A.

Move the Aurora database into a private subnet that has no internet access routes in the database's current VPC Configure the Lambda functions to use the Aurora

database's new private IP address to access the database Configure the Aurora databases security group to allow access from the private IP addresses of the Lambda functions

B.

Establish a VPC endpoint between the two VPCs in the Aurora database's VPC configure a service VPC endpoint for Amazon RDS In the Lambda functions' VPC.

configure an interface VPC endpoint that uses the service endpoint in the Aurora database's VPC Configure the service endpoint to allow connections from the Lambda functions.

C.

Establish an AWS Direct Connect interface between the VPCs Configure the Lambda functions to use a new route table that accesses the Aurora database through the Direct Connect interface Configure the Aurora database's security group to allow access from the Direct Connect interface IP address

D.

Move the Lambda functions into a public subnet in their VPC Move the Aurora database into a private subnet in its VPC Configure the Lambda functions to use the Aurora database's new private IP address to access the database Configure the Aurora database to allow access from the public IP addresses of the Lambda functions

Full Access
Question # 12

You have an EBS volume attached to an EC2 Instance which uses KMS for Encryption. Someone has now gone ahead and deleted the Customer Key which was used for the EBS encryption. What should be done to ensure the data can be decrypted.

Please select:

A.

Create a new Customer Key using KMS and attach it to the existing volume

B.

You cannot decrypt the data that was encrypted under the CMK, and the data is not recoverable.

C.

Request IAM Support to recover the key

D.

Use IAM Config to recover the key

Full Access
Question # 13

A corporation is preparing to acquire several companies. A Security Engineer must design a solution to ensure that newly acquired IAM accounts follow the corporation's security best practices. The solution should monitor each Amazon S3 bucket for unrestricted public write access and use IAM managed services.

What should the Security Engineer do to meet these requirements?

A.

Configure Amazon Macie to continuously check the configuration of all S3 buckets.

B.

Enable IAM Config to check the configuration of each S3 bucket.

C.

Set up IAM Systems Manager to monitor S3 bucket policies for public write access.

D.

Configure an Amazon EC2 instance to have an IAM role and a cron job that checks the status of all S3 buckets.

Full Access
Question # 14

A company is hosting sensitive data in an IAM S3 bucket. It needs to be ensured that the bucket always remains private. How can this be ensured continually? Choose 2 answers from the options given below

Please select:

A.

Use IAM Config to monitor changes to the IAM Bucket

B.

Use IAM Lambda function to change the bucket policy

C.

Use IAM Trusted Advisor API to monitor the changes to the IAM Bucket

D.

Use IAM Lambda function to change the bucket ACL

Full Access
Question # 15

A company wants to establish separate IAM Key Management Service (IAM KMS) keys to use for different IAM services. The company's security engineer created the following key policy lo allow the infrastructure deployment team to create encrypted Amazon Elastic Block Store (Amazon EBS) volumes by assuming the InfrastructureDeployment IAM role:

The security engineer recently discovered that IAM roles other than the InfrastructureDeployment role used this key (or other services. Which change to the policy should the security engineer make to resolve these issues?

A.

In the statement block that contains the Sid "Allow use of the key", under the "Condition" block, change StringEquals to StringLike.

B.

In the policy document, remove the statement Dlock that contains the Sid "Enable IAM User Permissions". Add key management policies to the KMS policy.

C.

In the statement block that contains the Sid "Allow use of the Key", under the "Condition" block, change the Kms:ViaService value to ec2.us-east-1 .amazonIAM com.

D.

In the policy document, add a new statement block that grants the kms:Disable' permission to the security engineer's IAM role.

Full Access
Question # 16

A company has resources hosted in their IAM Account. There is a requirement to monitor all API activity for all regions. The audit needs to be applied for future regions as well. Which of the following can be used to fulfil this requirement.

Please select:

A.

Ensure Cloudtrail for each region. Then enable for each future region.

B.

Ensure one Cloudtrail trail is enabled for all regions.

C.

Create a Cloudtrail for each region. Use Cloudformation to enable the trail for all future regions.

D.

Create a Cloudtrail for each region. Use IAM Config to enable the trail for all future regions.

Full Access
Question # 17

A security engineer has enabled IAM Security Hub in their IAM account, and has enabled the Center for internet Security (CIS) IAM Foundations compliance standard. No evaluation results on compliance are returned in the Security Hub console after several hours. The engineer wants to ensure that Security Hub can evaluate their resources for CIS IAM Foundations compliance.

Which steps should the security engineer take to meet these requirements?

A.

Add full Amazon Inspector IAM permissions to the Security Hub service role to allow it to perform the CIS compliance evaluation

B.

Ensure that IAM Trusted Advisor Is enabled in the account and that the Security Hub service role has permissions to retrieve the Trusted Advisor security-related recommended actions

C.

Ensure that IAM Config. is enabled in the account, and that the required IAM Config rules have been created for the CIS compliance evaluation

D.

Ensure that the correct trail in IAM CloudTrail has been configured for monitoring by Security Hub and that the Security Hub service role has permissions to perform the GetObject operation on CloudTrails Amazon S3 bucket

Full Access
Question # 18

A development team is using an IAM Key Management Service (IAM KMS) CMK to try to encrypt and decrypt a secure string parameter from IAM Systems Manager Parameter Store. However, the development team receives an error message on each attempt.

Which issues that are related to the CMK could be reasons for the error? (Select TWO.)

A.

The CMK that is used in the attempt does not exist.

B.

The CMK that is used in the attempt needs to be rotated.

C.

The CMK that is used in the attempt is using the CMK's key ID instead of the CMK ARN.

D.

The CMK that is used in the attempt is not enabled.

E.

The CMK that is used in the attempt is using an alias.

Full Access
Question # 19

A company needs to store multiple years of financial records. The company wants to use Amazon S3 to store copies of these documents. The company must implement a solution to prevent the documents from being edited, replaced, or deleted for 7 years after the documents are stored in Amazon S3. The solution must also encrypt the documents at rest.

A security engineer creates a new S3 bucket to store the documents.

What should the security engineer do next to meet these requirements?

A.

Configure S3 server-side encryption. Create an S3 bucket policy that has an explicit deny rule for all users for s3:DeleteObject and s3:PutObject API calls. Configure S3 Object Lock to use governance mode with a retention period of 7 years.

B.

Configure S3 server-side encryption. Configure S3 Versioning on the S3 bucket. Configure S3 Object Lock to use compliance mode with a retention period of 7 years.

C.

Configure S3 Versioning. Configure S3 Intelligent-Tiering on the S3 bucket to move the documents to S3 Glacier Deep Archive storage. Use S3 server-side encryption immediately. Expire the objects after 7 years.

D.

Set up S3 Event Notifications and use S3 server-side encryption. Configure S3 Event Notifications to target an AWS Lambda function that will review any S3 API call to the S3 bucket and deny the s3:DeleteObject and s3:PutObject API calls. Remove the S3 event notification after 7 years.

Full Access
Question # 20

A company maintains an open-source application that is hosted on a public GitHub repository. While creating a new commit to the repository, an engineer uploaded their IAM access key and secret access key. The engineer reported the mistake to a manager, and the manager immediately disabled the access key.

The company needs to assess the impact of the exposed access key. A security engineer must recommend a solution that requires the least possible managerial overhead.

Which solution meets these requirements?

A.

Analyze an IAM Identity and Access Management (IAM) use report from IAM Trusted Advisor to see when the access key was last used.

B.

Analyze Amazon CloudWatch Logs for activity by searching for the access key.

C.

Analyze VPC flow logs for activity by searching for the access key

D.

Analyze a credential report in IAM Identity and Access Management (IAM) to see when the access key was last used.

Full Access
Question # 21

An ecommerce website was down for 1 hour following a DDoS attack Users were unable to connect to the website during the attack period. The ecommerce company's security team is worried about future potential attacks and wants to prepare for such events The company needs to minimize downtime in its response to similar attacks in the future.

Which steps would help achieve this9 (Select TWO )

A.

Enable Amazon GuardDuty to automatically monitor for malicious activity and block unauthorized access.

B.

Subscribe to IAM Shield Advanced and reach out to IAM Support in the event of an attack.

C.

Use VPC Flow Logs to monitor network: traffic and an IAM Lambda function to automatically block an attacker's IP using security groups.

D.

Set up an Amazon CloudWatch Events rule to monitor the IAM CloudTrail events in real time use IAM Config rules to audit the configuration, and use IAM Systems Manager for remediation.

E.

Use IAM WAF to create rules to respond to such attacks

Full Access
Question # 22

A company hosts data in S3. There is a requirement to control access to the S3 buckets. Which are the 2 ways in which this can be achieved?

Please select:

A.

Use Bucket policies

B.

Use the Secure Token service

C.

Use IAM user policies

D.

Use IAM Access Keys

Full Access
Question # 23

A developer signed in to a new account within an IAM Organization organizational unit (OU) containing multiple accounts. Access to the Amazon $3 service is restricted with the following SCP.

How can the security engineer provide the developer with Amazon $3 access without affecting other account?

A.

Move the SCP to the root OU of organization to remove the restriction to access Amazon $3.

B.

Add an IAM policy for the developer, which grants $3 access.

C.

Create a new OU without applying the SCP restricting $3 access. Move the developer account to this new OU.

D.

Add an allow list for the developer account for the $3 service.

Full Access
Question # 24

A Security Administrator is configuring an Amazon S3 bucket and must meet the following security requirements:

  • Encryption in transit
  • Encryption at rest
  • Logging of all object retrievals in IAM CloudTrail

Which of the following meet these security requirements? (Choose three.)

A.

Specify “IAM:SecureTransport”: “true” within a condition in the S3 bucket policy.

B.

Enable a security group for the S3 bucket that allows port 443, but not port 80.

C.

Set up default encryption for the S3 bucket.

D.

Enable Amazon CloudWatch Logs for the IAM account.

E.

Enable API logging of data events for all S3 objects.

F.

Enable S3 object versioning for the S3 bucket.

Full Access
Question # 25

Your IT Security team has advised to carry out a penetration test on the resources in their company's IAM Account. This is as part of their capability to analyze the security of the Infrastructure. What should be done first in this regard?

Please select:

A.

Turn on Cloud trail and carry out the penetration test

B.

Turn on VPC Flow Logs and carry out the penetration test

C.

Submit a request to IAM Support

D.

Use a custom IAM Marketplace solution for conducting the penetration test

Full Access
Question # 26

A company has contracted with a third party to audit several IAM accounts. To enable the audit, cross-account IAM roles have been created in each account targeted for audit. The Auditor is having trouble accessing some of the accounts.

Which of the following may be causing this problem? (Choose three.)

A.

The external ID used by the Auditor is missing or incorrect.

B.

The Auditor is using the incorrect password.

C.

The Auditor has not been granted sts:AssumeRole for the role in the destination account.

D.

The Amazon EC2 role used by the Auditor must be set to the destination account role.

E.

The secret key used by the Auditor is missing or incorrect.

F.

The role ARN used by the Auditor is missing or incorrect.

Full Access
Question # 27

A Security Engineer has been asked to create an automated process to disable IAM user access keys that are more than three months old.

Which of the following options should the Security Engineer use?

A.

In the IAM Console, choose the IAM service and select “Users”. Review the “Access Key Age” column.

B.

Define an IAM policy that denies access if the key age is more than three months and apply to all users.

C.

Write a script that uses the GenerateCredentialReport, GetCredentialReport, and UpdateAccessKey APIs.

D.

Create an Amazon CloudWatch alarm to detect aged access keys and use an IAM Lambda function to disable the keys older than 90 days.

Full Access
Question # 28

Which of the following is used as a secure way to log into an EC2 Linux Instance?

Please select:

A.

IAM User name and password

B.

Key pairs

C.

IAM Access keys

D.

IAM SDK keys

Full Access
Question # 29

A Security Engineer must add additional protection to a legacy web application by adding the following HTTP security headers:

-Content Security-Policy

-X-Frame-Options

-X-XSS-Protection

The Engineer does not have access to the source code of the legacy web application.

Which of the following approaches would meet this requirement?

A.

Configure an Amazon Route 53 routing policy to send all web traffic that does not include the required headers to a black hole.

B.

Implement an IAM Lambda@Edge origin response function that inserts the required headers.

C.

Migrate the legacy application to an Amazon S3 static website and front it with an Amazon CloudFront distribution.

D.

Construct an IAM WAF rule to replace existing HTTP headers with the required security headers by using regular expressions.

Full Access
Question # 30

An Amazon EC2 instance is part of an EC2 Auto Scaling group that is behind an Application Load Balancer (ALB). It is suspected that the EC2 instance has been compromised.

Which steps should be taken to investigate the suspected compromise? (Choose three.)

A.

Detach the elastic network interface from the EC2 instance.

B.

Initiate an Amazon Elastic Block Store volume snapshot of all volumes on the EC2 instance.

C.

Disable any Amazon Route 53 health checks associated with the EC2 instance.

D.

De-register the EC2 instance from the ALB and detach it from the Auto Scaling group.

E.

Attach a security group that has restrictive ingress and egress rules to the EC2 instance.

F.

Add a rule to an IAM WAF to block access to the EC2 instance.

Full Access
Question # 31

A company plans to migrate a sensitive dataset to Amazon S3. A Security Engineer must ensure that the data is encrypted at rest. The encryption solution must enable the company to generate its own keys without needing to manage key storage or the encryption process.

What should the Security Engineer use to accomplish this?

A.

Server-side encryption with Amazon S3-managed keys (SSE-S3)

B.

Server-side encryption with IAM KMS-managed keys (SSE-KMS)

C.

Server-side encryption with customer-provided keys (SSE-C)

D.

Client-side encryption with an IAM KMS-managed CMK

Full Access
Question # 32

An organization has three applications running on IAM, each accessing the same data on Amazon S3. The data on Amazon S3 is server-side encrypted by using an IAM KMS Customer Master Key (CMK).

What is the recommended method to ensure that each application has its own programmatic access control permissions on the KMS CMK?

A.

Change the key policy permissions associated with the KMS CMK for each application when it must access the data in Amazon S3.

B.

Have each application assume an IAM role that provides permissions to use the IAM Certificate Manager CMK.

C.

Have each application use a grant on the KMS CMK to add or remove specific access controls on the KMS CMK.

D.

Have each application use an IAM policy in a user context to have specific access permissions on the KMS CMK.

Full Access
Question # 33

Which option for the use of the IAM Key Management Service (KMS) supports key management best practices that focus on minimizing the potential scope of data exposed by a possible future key compromise?

A.

Use KMS automatic key rotation to replace the master key, and use this new master key for future encryption operations without re-encrypting previously encrypted data.

B.

Generate a new Customer Master Key (CMK), re-encrypt all existing data with the new CMK, and use it for all future encryption operations.

C.

Change the CMK alias every 90 days, and update key-calling applications with the new key alias.

D.

Change the CMK permissions to ensure that individuals who can provision keys are not the same individuals who can use the keys.

Full Access
Question # 34

You have an Ec2 Instance in a private subnet which needs to access the KMS service. Which of the following methods can help fulfil this requirement, keeping security in perspective

Please select:

A.

Use a VPC endpoint

B.

Attach an Internet gateway to the subnet

C.

Attach a VPN connection to the VPC

D.

Use VPC Peering

Full Access
Question # 35

Some highly sensitive analytics workloads are to be moved to Amazon EC2 hosts. Threat modeling has found that a risk exists where a subnet could be maliciously or accidentally exposed to the internet.

Which of the following mitigations should be recommended?

A.

Use IAM Config to detect whether an Internet Gateway is added and use an IAM Lambda function to provide auto-remediation.

B.

Within the Amazon VPC configuration, mark the VPC as private and disable Elastic IP addresses.

C.

Use IPv6 addressing exclusively on the EC2 hosts, as this prevents the hosts from being accessed from the internet.

D.

Move the workload to a Dedicated Host, as this provides additional network security controls and monitoring.

Full Access
Question # 36

The Security Engineer created a new IAM Key Management Service (IAM KMS) key with the following key policy:

What are the effects of the key policy? (Choose two.)

A.

The policy allows access for the IAM account 111122223333 to manage key access though IAM policies.

B.

The policy allows all IAM users in account 111122223333 to have full access to the KMS key.

C.

The policy allows the root user in account 111122223333 to have full access to the KMS key.

D.

The policy allows the KMS service-linked role in account 111122223333 to have full access to the KMS key.

E.

The policy allows all IAM roles in account 111122223333 to have full access to the KMS key.

Full Access
Question # 37

You have an instance setup in a test environment in IAM. You installed the required application and the promoted the server to a production environment. Your IT Security team has advised that there maybe traffic flowing in from an unknown IP address to port 22. How can this be mitigated immediately?

Please select:

A.

Shutdown the instance

B.

Remove the rule for incoming traffic on port 22 for the Security Group

C.

Change the AMI for the instance

D.

Change the Instance type for the instance

Full Access
Question # 38

A company requires that IP packet data be inspected for invalid or malicious content.

Which of the following approaches achieve this requirement? (Choose two.)

A.

Configure a proxy solution on Amazon EC2 and route all outbound VPC traffic through it. Perform inspection within proxy software on the EC2 instance.

B.

Configure the host-based agent on each EC2 instance within the VPC. Perform inspection within the host-based agent.

C.

Enable VPC Flow Logs for all subnets in the VPC. Perform inspection from the Flow Log data within Amazon CloudWatch Logs.

D.

Configure Elastic Load Balancing (ELB) access logs. Perform inspection from the log data within the ELB access log files.

E.

Configure the CloudWatch Logs agent on each EC2 instance within the VPC. Perform inspection from the log data within CloudWatch Logs.

Full Access
Question # 39

A water utility company uses a number of Amazon EC2 instances to manage updates to a fleet of 2,000 Internet of Things (IoT) field devices that monitor water quality. These devices each have unique access credentials.

An operational safety policy requires that access to specific credentials is independently auditable.

What is the MOST cost-effective way to manage the storage of credentials?

A.

Use IAM Systems Manager to store the credentials as Secure Strings Parameters. Secure by using an IAM KMS key.

B.

Use IAM Key Management System to store a master key, which is used to encrypt the credentials. The encrypted credentials are stored in an Amazon RDS instance.

C.

Use IAM Secrets Manager to store the credentials.

D.

Store the credentials in a JSON file on Amazon S3 with server-side encryption.

Full Access
Question # 40

A Security Engineer has several thousand Amazon EC2 instances split across production and development environments. Each instance is tagged with its environment. The Engineer needs to analyze and patch all the development EC2 instances to ensure they are not currently exposed to any common vulnerabilities or exposures (CVEs)

Which combination of steps is the MOST efficient way for the Engineer to meet these requirements? (Select TWO.)

A.

Log on to each EC2 instance, check and export the different software versions installed, and verify this against a list of current CVEs.

B.

Install the Amazon Inspector agent on all development instances Build a custom rule package, and configure Inspector to perform a scan using this custom rule on all instances tagged as being in the development environment.

C.

Install the Amazon Inspector agent on all development instances Configure Inspector to perform a scan using the CVE rule package on all instances tagged as being in the development environment.

D.

Install the Amazon EC2 System Manager agent on all development instances Issue the Run command to EC2 System Manager to update all instances

E.

Use IAM Trusted Advisor to check that all EC2 instances have been patched to the most recent version of operating system and installed software.

Full Access
Question # 41

Example.com hosts its internal document repository on Amazon EC2 instances. The application runs on EC2 instances and previously stored the documents on encrypted Amazon EBS volumes. To optimize the application for scale, example.com has moved the files to Amazon S3. The security team has mandated that all the files are securely deleted from the EBS volume, and it must certify that the data is unreadable before releasing the underlying disks.

Which of the following methods will ensure that the data is unreadable by anyone else?

A.

Change the volume encryption on the EBS volume to use a different encryption mechanism. Then, release the EBS volumes back to IAM.

B.

Release the volumes back to IAM. IAM immediately wipes the disk after it is deprovisioned.

C.

Delete the encryption key used to encrypt the EBS volume. Then, release the EBS volumes back to IAM.

D.

Delete the data by using the operating system delete commands. Run Quick Format on the drive and then release the EBS volumes back to IAM.

Full Access
Question # 42

A corporate cloud security policy states that communications between the company's VPC and KMS must travel entirely within the IAM network and not use public service endpoints.

Which combination of the following actions MOST satisfies this requirement? (Choose two.)

A.

Add the IAM:sourceVpce condition to the IAM KMS key policy referencing the company's VPC endpoint ID.

B.

Remove the VPC internet gateway from the VPC and add a virtual private gateway to the VPC to prevent direct, public internet connectivity.

C.

Create a VPC endpoint for IAM KMS with private DNS enabled.

D.

Use the KMS Import Key feature to securely transfer the IAM KMS key over a VPN.

E.

Add the following condition to the IAM KMS key policy: "IAM:SourceIp": "10.0.0.0/16".

Full Access
Question # 43

An application makes calls to IAM services using the IAM SDK. The application runs on Amazon EC2 instances with an associated IAM role. When the application attempts to access an object within an Amazon S3 bucket; the Administrator receives the following error message: HTTP 403: Access Denied.

Which combination of steps should the Administrator take to troubleshoot this issue? (Select three.)

A.

Confirm that the EC2 instance's security group authorizes S3 access.

B.

Verify that the KMS key policy allows decrypt access for the KMS key for this IAM principle.

C.

Check the S3 bucket policy for statements that deny access to objects.

D.

Confirm that the EC2 instance is using the correct key pair.

E.

Confirm that the IAM role associated with the EC2 instance has the proper privileges.

F.

Confirm that the instance and the S3 bucket are in the same Region.

Full Access
Question # 44

A Security Engineer is trying to determine whether the encryption keys used in an IAM service are in compliance with certain regulatory standards.

Which of the following actions should the Engineer perform to get further guidance?

A.

Read the IAM Customer Agreement.

B.

Use IAM Artifact to access IAM compliance reports.

C.

Post the question on the IAM Discussion Forums.

D.

Run IAM Config and evaluate the configuration outputs.

Full Access
Question # 45

A company is using CloudTrail to log all IAM API activity for all regions in all of its accounts. The CISO has asked that additional steps be taken to protect the integrity of the log files.

What combination of steps will protect the log files from intentional or unintentional alteration? Choose 2 answers from the options given below

Please select:

A.

Create an S3 bucket in a dedicated log account and grant the other accounts write only access. Deliver all log files from every account to this S3 bucket.

B.

Write a Lambda function that queries the Trusted Advisor Cloud Trail checks. Run the function every 10 minutes.

C.

Enable CloudTrail log file integrity validation

D.

Use Systems Manager Configuration Compliance to continually monitor the access policies of S3 buckets containing Cloud Trail logs.

E.

Create a Security Group that blocks all traffic except calls from the CloudTrail service. Associate the security group with) all the Cloud Trail destination S3 buckets.

Full Access
Question # 46

A company runs an application on IAM that needs to be accessed only by employees. Most employees work from the office, but others work remotely or travel.

How can the Security Engineer protect this workload so that only employees can access it?

A.

Add each employee’s home IP address to the security group for the application so that only those users can access the workload.

B.

Create a virtual gateway for VPN connectivity for each employee, and restrict access to the workload from within the VPC.

C.

Use a VPN appliance from the IAM Marketplace for users to connect to, and restrict workload access to traffic from that appliance.

D.

Route all traffic to the workload through IAM WAF. Add each employee’s home IP address into an IAM WAF rule, and block all other traffic.

Full Access
Question # 47

A company is planning to run a number of Admin related scripts using the IAM Lambda service. There is a need to understand if there are any errors encountered when the script run. How can this be accomplished in the most effective manner.

Please select:

A.

Use Cloudwatch metrics and logs to watch for errors

B.

Use Cloudtrail to monitor for errors

C.

Use the IAM Config service to monitor for errors

D.

Use the IAM inspector service to monitor for errors

Full Access
Question # 48

A company's Security Engineer is copying all application logs to centralized Amazon S3 buckets. Currently, each of the company's applications is in its own IAM account, and logs are pushed into S3 buckets associated with each account. The Engineer will deploy an IAM Lambda function into each account that copies the relevant log files to the centralized S3 bucket.

The Security Engineer is unable to access the log files in the centralized S3 bucket. The Engineer's IAM user policy from the centralized account looks like this:

The centralized S3 bucket policy looks like this:

Why is the Security Engineer unable to access the log files?

A.

The S3 bucket policy does not explicitly allow the Security Engineer access to the objects in the bucket.

B.

The object ACLs are not being updated to allow the users within the centralized account to access the objects

C.

The Security Engineers IAM policy does not grant permissions to read objects in the S3 bucket

D.

The s3:PutObject and s3:PutObjectAcl permissions should be applied at the S3 bucket level

Full Access
Question # 49

You have a 2 tier application hosted in IAM. It consists of a web server and database server (SQL Server) hosted on separate EC2 Instances. You are devising the security groups for these EC2 Instances. The Web tier needs to be accessed by users across the Internet. You have created a web security group(wg-123) and database security group(db-345). Which combination of the following security group rules will allow the application to be secure and functional. Choose 2 answers from the options given below.

Please select:

A.

wg-123 -Allow ports 80 and 443 from 0.0.0.0/0

B.

db-345 - Allow port 1433 from wg-123

C.

wg-123 - Allow port 1433 from wg-123

D.

db-345 -Allow ports 1433 from 0.0.0.0/0

Full Access
Question # 50

A Security Engineer who was reviewing IAM Key Management Service (IAM KMS) key policies found this statement in each key policy in the company IAM account.

What does the statement allow?

A.

All principals from all IAM accounts to use the key.

B.

Only the root user from account 111122223333 to use the key.

C.

All principals from account 111122223333 to use the key but only on Amazon S3.

D.

Only principals from account 111122223333 that have an IAM policy applied that grants access to this key to use the key.

Full Access
Question # 51

An organization has a system in IAM that allows a large number of remote workers to submit data files. File sizes vary from a few kilobytes to several megabytes. A recent audit highlighted a concern that data files are not encrypted while in transit over untrusted networks.

Which solution would remediate the audit finding while minimizing the effort required?

A.

Upload an SSL certificate to IAM, and configure Amazon CloudFront with the passphrase for the private key.

B.

Call KMS.Encrypt() in the client, passing in the data file contents, and call KMS.Decrypt() server-side.

C.

Use IAM Certificate Manager to provision a certificate on an Elastic Load Balancing in front of the web service’s servers.

D.

Create a new VPC with an Amazon VPC VPN endpoint, and update the web service’s DNS record.

Full Access
Question # 52

A security team is responsible for reviewing IAM API call activity in the cloud environment for security violations. These events must be recorded and retained in a centralized location for both current and future IAM regions.

What is the SIMPLEST way to meet these requirements?

A.

Enable IAM Trusted Advisor security checks in the IAM Console, and report all security incidents for all regions.

B.

Enable IAM CloudTrail by creating individual trails for each region, and specify a single Amazon S3 bucket to receive log files for later analysis.

C.

Enable IAM CloudTrail by creating a new trail and applying the trail to all regions. Specify a single Amazon S3 bucket as the storage location.

D.

Enable Amazon CloudWatch logging for all IAM services across all regions, and aggregate them to a single Amazon S3 bucket for later analysis.

Full Access
Question # 53

You have a vendor that needs access to an IAM resource. You create an IAM user account. You want to restrict access to the resource using a policy for just that user over a brief period. Which of the following would be an ideal policy to use?

Please select:

A.

An IAM Managed Policy

B.

An Inline Policy

C.

A Bucket Policy

D.

A bucket ACL

Full Access
Question # 54

Which of the following are valid event sources that are associated with web access control lists that trigger IAM WAF rules? (Choose two.)

A.

Amazon S3 static web hosting

B.

Amazon CloudFront distribution

C.

Application Load Balancer

D.

Amazon Route 53

E.

VPC Flow Logs

Full Access
Question # 55

An organization policy states that all encryption keys must be automatically rotated every 12 months.

Which IAM Key Management Service (KMS) key type should be used to meet this requirement?

A.

IAM managed Customer Master Key (CMK)

B.

Customer managed CMK with IAM generated key material

C.

Customer managed CMK with imported key material

D.

IAM managed data key

Full Access
Question # 56

While securing the connection between a company's VPC and its on-premises data center, a Security Engineer sent a ping command from an on-premises host (IP address 203.0.113.12) to an Amazon EC2 instance (IP address 172.31.16.139). The ping command did not return a response. The flow log in the VPC showed the following:

2 123456789010 eni-1235b8ca 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK

2 123456789010 eni-1235b8ca 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK

What action should be performed to allow the ping to work?

A.

In the security group of the EC2 instance, allow inbound ICMP traffic.

B.

In the security group of the EC2 instance, allow outbound ICMP traffic.

C.

In the VPC's NACL, allow inbound ICMP traffic.

D.

In the VPC's NACL, allow outbound ICMP traffic.

Full Access
Question # 57

A Developer is building a serverless application that uses Amazon API Gateway as the front end. The application will not be publicly accessible. Other legacy applications running on Amazon EC2 will make calls to the application A Security Engineer Has been asked to review the security controls for authentication and authorization of the application

Which combination of actions would provide the MOST secure solution? (Select TWO )

A.

Configure an IAM policy that allows the least permissive actions to communicate with the API Gateway Attach the policy to the role used by the legacy EC2 instances

B.

Enable IAM WAF for API Gateway Configure rules to explicitly allow connections from the legacy EC2 instances

C.

Create a VPC endpoint for API Gateway Attach an IAM resource policy that allows the role of the legacy EC2 instances to call specific APIs

D.

Create a usage plan Generate a set of API keys for each application that needs to call the API.

E.

Configure cross-origin resource sharing (CORS) in each API Share the CORS information with the applications that call the API.

Full Access
Question # 58

A Security Engineer is troubleshooting a connectivity issue between a web server that is writing log files to the logging server in another VPC. The Engineer has confirmed that a peering relationship exists between the two VPCs. VPC flow logs show that requests sent from the web server are accepted by the togging server but the web server never receives a reply

Which of the following actions could fix this issue1?

A.

Add an inbound rule to the security group associated with the logging server that allows requests from the web server

B.

Add an outbound rule to the security group associated with the web server that allows requests to the logging server.

C.

Add a route to the route table associated with the subnet that hosts the logging server that targets the peering connection

D.

Add a route to the route table associated with the subnet that hosts the web server that targets the peering connection

Full Access
Question # 59

A company's Security Officer is concerned about the risk of IAM account root user logins and has assigned a Security Engineer to implement a notification solution for near-real-time alerts upon account root user logins.

How should the Security Engineer meet these requirements?

A.

Create a cron job that runs a script lo download the IAM IAM security credentials We. parse the file for account root user logins and email the Security team's distribution 1st

B.

Run IAM CloudTrail logs through Amazon CloudWatch Events to detect account roo4 user logins and trigger an IAM Lambda function to send an Amazon SNS notification to the Security team's distribution list.

C.

Save IAM CloudTrail logs to an Amazon S3 bucket in the Security team's account Process the CloudTrail logs with the Security Engineer's logging solution for account root user logins Send an Amazon SNS notification to the Security team upon encountering the account root user login events

D.

Save VPC Plow Logs to an Amazon S3 bucket in the Security team's account and process the VPC Flow Logs with their logging solutions for account root user logins Send an Amazon SNS notification to the Security team upon encountering the account root user login events

Full Access
Question # 60

A company recently performed an annual security assessment of its IAM environment. The assessment showed that audit logs are not available beyond 90 days and that unauthorized changes to IAM policies are made without detection.

How should a security engineer resolve these issues?

A.

Create an Amazon S3 lifecycle policy that archives IAM CloudTrail trail logs to Amazon S3 Glacier after 90 days. Configure Amazon Inspector to provide a notification when a policy change is made to resources.

B.

Configure IAM Artifact to archive IAM CloudTrail logs Configure IAM Trusted Advisor to provide a notification when a policy change is made to resources.

C.

Configure Amazon CloudWatch to export log groups to Amazon S3. Configure IAM CloudTrail to provide a notification when a policy change is made to resources.

D.

Create an IAM CloudTrail trail that stores audit logs in Amazon S3. Configure an IAM Config rule to provide a notification when a policy change is made to resources.

Full Access
Question # 61

A company has a website with an Amazon CloudFront HTTPS distribution, an Application Load Balancer (ALB) with multiple web instances for dynamic website content, and an Amazon S3 bucket for static website content. The company's security engineer recently updated the website security requirements:

• HTTPS needs to be enforced for all data in transit with specific ciphers.

• The CloudFront distribution needs to be accessible from the internet only.

Which solution will meet these requirements?

A.

Set up an S3 bucket policy with the IAMsecuretransport key Configure the CloudFront origin access identity (OAI) with the S3 bucket Configure CloudFront to use specific ciphers. Enforce the ALB with an HTTPS listener only and select the appropriate security policy for the ciphers Link the ALB with IAM WAF to allow access from the CloudFront IP ranges.

B.

Set up an S3 bucket policy with the IAM:securetransport key. Configure the CloudFront origin access identity (OAI) with the S3 bucket. Enforce the ALB with an HTTPS listener only and select the appropriate security policy for the ciphers.

C.

Modify the CloudFront distribution to use IAM WAF. Force HTTPS on the S3 bucket with specific ciphers in the bucket policy. Configure an HTTPS listener only for the ALB. Set up a security group to limit access to the ALB from the CloudFront IP ranges

D.

Modify the CloudFront distribution to use the ALB as the origin. Enforce an HTTPS listener on the ALB. Create a path-based routing rule on the ALB with proxies that connect lo Amazon S3. Create a bucket policy to allow access from these proxies only.

Full Access
Question # 62

The Development team receives an error message each time the team members attempt to encrypt or decrypt a Secure String parameter from the SSM Parameter Store by using an IAM KMS customer managed key (CMK).

Which CMK-related issues could be responsible? (Choose two.)

A.

The CMK specified in the application does not exist.

B.

The CMK specified in the application is currently in use.

C.

The CMK specified in the application is using the CMK KeyID instead of CMK Amazon Resource Name.

D.

The CMK specified in the application is not enabled.

E.

The CMK specified in the application is using an alias.

Full Access
Question # 63

A company's security information events management (SIEM) tool receives new IAM CloudTrail logs from an Amazon S3 bucket that is configured to send all object created event notification to an Amazon SNS topic An Amazon SQS queue is subscribed to this SNS topic. The company's SEM tool then ports this SQS queue for new messages using an IAM role and fetches new log events from the S3 bucket based on the SQS messages.

After a recent security review that resulted m restricted permissions, the SEM tool has stopped receiving new CloudTral logs

Which of the following are possible causes of this issue? (Select THREE)

A.

The SOS queue does not allow the SQS SendMessage action from the SNS topic

B.

The SNS topic does not allow the SNS Publish action from Amazon S3

C.

The SNS topic is not delivering raw messages to the SQS queue

D.

The S3 bucket policy does not allow CloudTrail to perform the PutObject action

E.

The IAM role used by the 5EM tool does not have permission to subscribe to the SNS topic

F.

The IAM role used by the SEM tool does not allow the SQS DeleteMessage action.

Full Access
Question # 64

An application developer is using an IAM Lambda function that must use IAM KMS to perform encrypt and decrypt operations for API keys that are less than 2 KB Which key policy would allow the application to do this while granting least privilege?

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Full Access
Question # 65

A company has an encrypted Amazon S3 bucket. An Application Developer has an IAM policy that allows access to the S3 bucket, but the Application Developer is unable to access objects within the bucket.

What is a possible cause of the issue?

A.

The S3 ACL for the S3 bucket fails to explicitly grant access to the Application Developer

B.

The IAM KMS key for the S3 bucket fails to list the Application Developer as an administrator

C.

The S3 bucket policy fails to explicitly grant access to the Application Developer

D.

The S3 bucket policy explicitly denies access to the Application Developer

Full Access
Question # 66

A company has several critical applications running on a large fleet of Amazon EC2 instances. As part of a security operations review, the company needs to apply a critical operating system patch to EC2 instances within 24 hours of the patch becoming available from the operating system vendor. The company does not have a patching solution deployed on IAM, but does have IAM Systems Manager configured. The solution must also minimize administrative overhead.

What should a security engineer recommend to meet these requirements?

A.

Create an IAM Config rule defining the patch as a required configuration for EC2 instances.

B.

Use the IAM Systems Manager Run Command to patch affected instances.

C.

Use an IAM Systems Manager Patch Manager predefined baseline to patch affected instances.

D.

Use IAM Systems Manager Session Manager to log in to each affected instance and apply the patch.

Full Access
Question # 67

A Developer reported that IAM CloudTrail was disabled on their account. A Security Engineer investigated the account and discovered the event was undetected by the current security solution. The Security Engineer must recommend a solution that will detect future changes to the CloudTrail configuration and send alerts when changes occur.

What should the Security Engineer do to meet these requirements?

A.

Use IAM Resource Access Manager (IAM RAM) to monitor the IAM CloudTrail configuration. Send notifications using Amazon SNS.

B.

Create an Amazon CloudWatch Events rule to monitor Amazon GuardDuty findings. Send email notifications using Amazon SNS.

C.

Update security contact details in IAM account settings for IAM Support to send alerts when suspicious activity is detected.

D.

Use Amazon Inspector to automatically detect security issues. Send alerts using Amazon SNS.

Full Access
Question # 68

A Security Administrator at a university is configuring a fleet of Amazon EC2 instances. The EC2 instances are shared among students, and non-root SSH access is allowed. The Administrator is concerned about students attacking other IAM account resources by using the EC2 instance metadata service.

What can the Administrator do to protect against this potential attack?

A.

Disable the EC2 instance metadata service.

B.

Log all student SSH interactive session activity.

C.

Implement ip tables-based restrictions on the instances.

D.

Install the Amazon Inspector agent on the instances.

Full Access
Question # 69

A Security Engineer noticed an anomaly within a company EC2 instance as shown in the image. The Engineer must now investigate what e causing the anomaly. What are the MOST effective steps to take lo ensure that the instance is not further manipulated while allowing the Engineer to understand what happened?

A.

Remove the instance from the Auto Scaling group Place the instance within an isolation security group, detach the EBS volume launch an EC2 instance with a forensic toolkit and attach the E8S volume to investigate

B.

Remove the instance from the Auto Scaling group and the Elastic Load Balancer Place the instance within an isolation security group, launch an EC2 instance with a forensic toolkit, and allow the forensic toolkit image to connect to the suspicious Instance to perform the Investigation.

C.

Remove the instance from the Auto Scaling group Place the Instance within an isolation security group, launch an EC2 Instance with a forensic toolkit and use the forensic toolkit imago to deploy an ENI as a network span port to inspect all traffic coming from the suspicious instance.

D.

Remove the instance from the Auto Scaling group and the Elastic Load Balancer Place the instance within an isolation security group, make a copy of the EBS volume from a new snapshot, launch an EC2 Instance with a forensic toolkit and attach the copy of the EBS volume to investigate.

Full Access
Question # 70

A company has multiple production IAM accounts. Each account has IAM CloudTrail configured to log to a single Amazon S3 bucket in a central account. Two of the production accounts have trails that are not logging anything to the S3 bucket.

Which steps should be taken to troubleshoot the issue? (Choose three.)

A.

Verify that the log file prefix is set to the name of the S3 bucket where the logs should go.

B.

Verify that the S3 bucket policy allows access for CloudTrail from the production IAM account IDs.

C.

Create a new CloudTrail configuration in the account, and configure it to log to the account’s S3 bucket.

D.

Confirm in the CloudTrail Console that each trail is active and healthy.

E.

Open the global CloudTrail configuration in the master account, and verify that the storage location is set to the correct S3 bucket.

F.

Confirm in the CloudTrail Console that the S3 bucket name is set correctly.

Full Access
Question # 71

A Solutions Architect is designing a web application that uses Amazon CloudFront, an Elastic Load Balancing Application Load Balancer, and an Auto Scaling group of Amazon EC2 instances. The load balancer and EC2 instances are in the US West (Oregon) region. It has been decided that encryption in transit is necessary by using a customer-branded domain name from the client to CloudFront and from CloudFront to the load balancer.

Assuming that IAM Certificate Manager is used, how many certificates will need to be generated?

A.

One in the US West (Oregon) region and one in the US East (Virginia) region.

B.

Two in the US West (Oregon) region and none in the US East (Virginia) region.

C.

One in the US West (Oregon) region and none in the US East (Virginia) region.

D.

Two in the US East (Virginia) region and none in the US West (Oregon) region.

Full Access
Question # 72

A company's architecture requires that its three Amazon EC2 instances run behind an Application Load Balancer (ALB). The EC2 instances transmit sensitive data between each other Developers use SSL certificates to encrypt the traffic between the public users and the ALB However the Developers are unsure of how to encrypt the data in transit between the ALB and the EC2 instances and the traffic between the EC2 instances

Which combination of activities must the company implement to meet its encryption requirements'? (Select TWO )

A.

Configure SSLTLS on the EC2 instances and configure the ALB target group to use HTTPS

B.

Ensure that all resources are in the same VPC so the default encryption provided by the VPC is used to encrypt the traffic between the EC2 instances.

C.

In the ALB. select the default encryption to encrypt the traffic between the ALB and the EC2 instances

D.

In the code for the application, include a cryptography library and encrypt the data before sending it between the EC2 instances

E.

Configure IAM Direct Connect to provide an encrypted tunnel between the EC2 instances

Full Access
Question # 73

A Developer signed in to a new account within an IAM Organizations organizations unit (OU) containing multiple accounts. Access to the Amazon S3 service is restricted with the following SCP:

How can the Security Engineer provide the Developer with Amazon S3 access without affecting other accounts?

A.

Move the SCP to the root OU of Organizations to remove the restriction to access Amazon S3.

B.

Add an IAM policy for the Developer, which grants S3 access.

C.

Create a new OU without applying the SCP restricting S3 access. Move the Developer account to this new OU.

D.

Add an allow list for the Developer account for the S3 service.

Full Access
Question # 74

A large government organization is moving to the cloud and has specific encryption requirements. The first workload to move requires that a customer's data be immediately destroyed when the customer makes that request.

Management has asked the security team to provide a solution that will securely store the data, allow only authorized applications to perform encryption and decryption and allow for immediate destruction of the data

Which solution will meet these requirements?

A.

Use IAM Secrets Manager and an IAM SDK to create a unique secret for the customer-specific data

B.

Use IAM Key Management Service (IAM KMS) and the IAM Encryption SDK to generate and store a data encryption key for each customer.

C.

Use IAM Key Management Service (IAM KMS) with service-managed keys to generate and store customer-specific data encryption keys

D.

Use IAM Key Management Service (IAM KMS) and create an IAM CloudHSM custom key store Use CloudHSM to generate and store a new CMK for each customer.

Full Access
Question # 75

A company has a VPC with several Amazon EC2 instances behind a NAT gateway. The company's security policy states that all network traffic must be logged and must include the original source and destination IP addresses. The existing VPC Flow Logs do not include this information. A security engineer needs to recommend a solution.

Which combination of steps should the security engineer recommend? (Select TWO )

A.

Edit the existing VPC Flow Logs. Change the log format of the VPC Flow Logs from the Amazon default format to a custom format.

B.

Delete and recreate the existing VPC Flow Logs. Change the log format of the VPC Flow Logs from the Amazon default format to a custom format.

C.

Change the destination to Amazon CloudWatch Logs.

D.

Include the pkt-srcaddr and pkt-dstaddr fields in the log format.

E.

Include the subnet-id and instance-id fields in the log format.

Full Access
Question # 76

A company has hundreds of IAM accounts, and a centralized Amazon S3 bucket used to collect IAM CloudTrail for all of these accounts. A security engineer wants to create a solution that will enable the company to run ad hoc queues against its CloudTrail logs dating back 3 years from when the trails were first enabled in the company’s IAM account.

How should the company accomplish this with the least amount of administrative overhead?

A.

Run an Amazon EMP cluster that uses a MapReduce job to be examine the CloudTrail trails.

B.

Use the events history/feature of the CloudTrail console to query the CloudTrail trails.

C.

Write an IAM Lambda function to query the CloudTrail trails Configure the Lambda function to be executed whenever a new file is created in the CloudTrail S3 bucket.

D.

Create an Amazon Athena table that tools at the S3 bucket the CloudTrail trails are being written to Use Athena to run queries against the trails.

Full Access
Question # 77

A company has multiple IAM accounts that are part of IAM Organizations. The company's Security team wants to ensure that even those Administrators with full access to the company's IAM accounts are unable to access the company's Amazon S3 buckets

How should this be accomplished?

A.

UseSCPs

B.

Add a permissions boundary to deny access to Amazon S3 and attach it to all roles

C.

Use an S3 bucket policy

D.

Create a VPC endpoint for Amazon S3 and deny statements for access to Amazon S3

Full Access
Question # 78

A company's Developers plan to migrate their on-premises applications to Amazon EC2 instances running Amazon Linux AMIs. The applications are accessed by a group of partner companies The Security Engineer needs to implement the following host-based security measures for these instances:

• Block traffic from documented known bad IP addresses

• Detect known software vulnerabilities and CIS Benchmarks compliance.

Which solution addresses these requirements?

A.

Launch the EC2 instances with an IAM role attached. Include a user data script that uses the IAM CLI to retrieve the list of bad IP addresses from IAM Secrets Manager and uploads it as a threat list in Amazon GuardDuty Use Amazon Inspector to scan the instances for known software vulnerabilities and CIS Benchmarks compliance

B.

Launch the EC2 instances with an IAM role attached Include a user data script that uses the IAM CLl to create NACLs blocking ingress traffic from the known bad IP addresses in the EC2 instance's subnets Use IAM Systems Manager to scan the instances for known software vulnerabilities, and IAM Trusted Advisor to check instances for CIS Benchmarks compliance

C.

Launch the EC2 instances with an IAM role attached Include a user data script that uses the IAM CLl to create and attach security groups that only allow an allow listed source IP address range inbound. Use Amazon Inspector to scan the instances for known software vulnerabilities, and IAM Trusted Advisor to check instances for CIS Benchmarks compliance

D.

Launch the EC2 instances with an IAM role attached Include a user data script that creates a cron job to periodically retrieve the list of bad IP addresses from Amazon S3, and configures iptabies on the instances blocking the list of bad IP addresses Use Amazon inspector to scan the instances for known software vulnerabilities and CIS Benchmarks compliance.

Full Access
Question # 79

A Security Engineer accidentally deleted the imported key material in an IAM KMS CMK. What should the Security Engineer do to restore the deleted key material?

A.

Create a new CMK. Download a new wrapping key and a new import token to import the original key material

B.

Create a new CMK Use the original wrapping key and import token to import the original key material.

C.

Download a new wrapping key and a new import token Import the original key material into the existing CMK.

D.

Use the original wrapping key and import token Import the original key material into the existing CMK

Full Access
Question # 80

A global company must mitigate and respond to DDoS attacks at Layers 3, 4 and 7 All of the company's IAM applications are serverless with static content hosted on Amazon S3 using Amazon CloudFront and Amazon Route 53

Which solution will meet these requirements?

A.

Use IAM WAF with an upgrade to the IAM Business support plan

B.

Use IAM Certificate Manager with an Application Load Balancer configured with an origin access identity

C.

Use IAM Shield Advanced

D.

Use IAM WAF to protect IAM Lambda functions encrypted with IAM KMS and a NACL restricting all Ingress traffic

Full Access
Question # 81

A company has a web-based application using Amazon CloudFront and running on Amazon Elastic Container Service (Amazon ECS) behind an Application Load Balancer (ALB). The ALB is terminating TLS and balancing load across ECS service tasks A security engineer needs to design a solution to ensure that application content is accessible only through CloudFront and that I is never accessible directly.

How should the security engineer build the MOST secure solution?

A.

Add an origin custom header Set the viewer protocol policy to HTTP and HTTPS Set the origin protocol pokey to HTTPS only Update the application to validate the CloudFront custom header

B.

Add an origin custom header Set the viewer protocol policy to HTTPS only Set the origin protocol policy to match viewer Update the application to validate the CloudFront custom header.

C.

Add an origin custom header Set the viewer protocol policy to redirect HTTP to HTTPS Set the origin protocol policy to HTTP only Update the application to validate the CloudFront custom header.

D.

Add an origin custom header Set the viewer protocol policy to redirect HTTP to HTTPS. Set the origin protocol policy to HTTPS only Update the application to validate the CloudFront custom header

Full Access
Question # 82

You want to track access requests for a particular S3 bucket. How can you achieve this in the easiest possible way?

Please select:

A.

Enable server access logging for the bucket

B.

Enable Cloudwatch metrics for the bucket

C.

Enable Cloudwatch logs for the bucket

D.

Enable IAM Config for the S3 bucket

Full Access