Summer Sale - Special Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: dpt65

SCS-C01 Questions and Answers

Note! Following SCS-C01 Exam is Retired now. Please select the alternative replacement for your Exam Certification. The new exam code is SCS-C02

SCS-C01 Questions and Answers

Question # 6

A developer has created an AWS Lambda function in a company's development account. The Lambda function requires the use of an AWS Key Management Service (AWS KMS) customer managed key that exists in a security account that the company's security team controls. The developer obtains the ARN of the KMS key from a previous Lambda function in the development account. The previous Lambda function had been working properly with the KMS key.

When the developer uses the ARN and tests the new Lambda function an error message states that access is denied to the KMS key in the security account. The developer tests the previous Lambda function that uses the same KMS key and discovers that the previous Lambda function still can encrypt data as expected.

A security engineer must resolve the problem so that the new Lambda function in the development account can use the KMS key from the security account.

Which combination of steps should the security engineer take to meet these requirements? (Select TWO.)

A.

In the security account configure an IAM role for the new Lambda function. Attach an IAM policy that allows access to the KMS key in the security account.

B.

In the development account configure an IAM role for the new Lambda function. Attach a key policy that allows access to the KMS key in the security account.

C.

In the development account configure an IAM role for the new Lambda function. Attach an IAM policy that allows access to the KMS key in the security account.

D.

Configure a key policy for the KMS key m the security account to allow access to the IAM role of the new Lambda function in the security account.

E.

Configure a key policy for the KMS key in the security account to allow access to the IAM role of the new Lambda function in the development account.

Full Access
Question # 7

A company is running its workloads in a single AWS Region and uses AWS Organizations. A security engineer must implement a solution to prevent users from launching resources in other Regions.

Which solution will meet these requirements with the LEAST operational overhead?

A.

Create an IAM policy that has an aws RequestedRegion condition that allows actions only in the designated Region Attach the policy to all users.

B.

Create an I AM policy that has an aws RequestedRegion condition that denies actions that are not in the designated Region Attach the policy to the AWS account in AWS Organizations.

C.

Create an IAM policy that has an aws RequestedRegion condition that allows the desired actions Attach the policy only to the users who are in the designated Region.

D.

Create an SCP that has an aws RequestedRegion condition that denies actions that are not in the designated Region. Attach the SCP to the AWS account in AWS Organizations.

Full Access
Question # 8

A company is building a data processing application that uses AWS Lambda functions The application's Lambda functions need to communicate with an Amazon RDS OB instance that is deployed within a VPC in the same AWS account

Which solution meets these requirements in the MOST secure way?

A.

Configure the DB instance to allow public access Update the DB instance security group to allow access from the Lambda public address space for the AWS Region

B.

Deploy the Lambda functions inside the VPC Attach a network ACL to the Lambda subnet Provide outbound rule access to the VPC CIDR range only Update the DB instance security group to allow traffic from 0 0 0 0/0

C.

Deploy the Lambda functions inside the VPC Attach a security group to the Lambda functions Provide outbound rule access to the VPC CIDR range only Update the DB instance security group to allow traffic from the Lambda security group

D.

Peer the Lambda default VPC with the VPC that hosts the DB instance to allow direct network access without the need for security groups

Full Access
Question # 9

A Development team has built an experimental environment to test a simple stale web application It has built an isolated VPC with a private and a public subnet. The public subnet holds only an Application Load Balancer a NAT gateway, and an internet gateway. The private subnet holds ail of the Amazon EC2 instances

There are 3 different types of servers Each server type has its own Security Group that limits access lo only required connectivity. The Security Groups nave both inbound and outbound rules applied Each subnet has both inbound and outbound network ACls applied to limit access to only required connectivity

Which of the following should the team check if a server cannot establish an outbound connection to the internet? (Select THREE.)

A.

The route tables and the outbound rules on the appropriate private subnet security group

B.

The outbound network ACL rules on the private subnet and the Inbound network ACL rules on the public subnet

C.

The outbound network ACL rules on the private subnet and both the inbound and outbound rules on the public subnet

D.

The rules on any host-based firewall that may be applied on the Amazon EC2 instances

E.

The Security Group applied to the Application Load Balancer and NAT gateway

F.

That the 0.0.0./0 route in the private subnet route table points to the internet gateway in the public subnet

Full Access
Question # 10

A company is deploying an Amazon EC2-based application. The application will include a custom health-checking component that produces health status data in JSON format. A Security Engineer must implement a secure solution to monitor application availability in near-real time by analyzing the hearth status data.

Which approach should the Security Engineer use?

A.

Use Amazon CloudWatch monitoring to capture Amazon EC2 and networking metrics Visualize metrics using Amazon CloudWatch dashboards.

B.

Run the Amazon Kinesis Agent to write the status data to Amazon Kinesis Data Firehose Store the streaming data from Kinesis Data Firehose in Amazon Redshift. (hen run a script on the pool data and analyze the data in Amazon Redshift

C.

Write the status data directly to a public Amazon S3 bucket from the health-checking component Configure S3 events to invoke an IAM Lambda function that analyzes the data

D.

Generate events from the health-checking component and send them to Amazon CloudWatch Events. Include the status data as event payloads. Use CloudWatch Events rules to invoke an IAM Lambda function that analyzes the data.

Full Access
Question # 11

A security team is developing an application on an Amazon EC2 instance to get objects from an Amazon S3 bucket. All objects in the S3 bucket are encrypted with an AWS Key Management Service (AWS KMS) customer managed key. All network traffic for requests that are made within the VPC is restricted to the AWS infrastructure. This traffic does not traverse the public internet.

The security team is unable to get objects from the S3 bucket

Which factors could cause this issue? (Select THREE.)

A.

The IAM instance profile that is attached to the EC2 instance does not allow the s3 ListBucket action to the S3: bucket in the AWS accounts.

B.

The I AM instance profile that is attached to the EC2 instance does not allow the s3 ListParts action to the S3; bucket in the AWS accounts.

C.

The KMS key policy that encrypts the object in the S3 bucket does not allow the kms; ListKeys action to the EC2 instance profile ARN.

D.

The KMS key policy that encrypts the object in the S3 bucket does not allow the kms Decrypt action to the EC2 instance profile ARN.

E.

The security group that is attached to the EC2 instance is missing an outbound rule to the S3 managed prefix list over port 443.

F.

The security group that is attached to the EC2 instance is missing an inbound rule from the S3 managed prefix list over port 443.

Full Access
Question # 12

A company is building a data processing application mat uses AWS Lambda functions. The application's Lambda functions need to communicate with an Amazon RDS OB instance that is deployed within a VPC in the same AWS account

Which solution meets these requirements in the MOST secure way?

A.

Configure the DB instance to allow public access Update the DB instance security group to allow access from the Lambda public address space for the AWS Region

B.

Deploy the Lambda functions inside the VPC Attach a network ACL to the Lambda subnet Provide outbound rule access to the VPC CIDR range only Update the DB instance security group to allow traffic from 0.0.0.0/0

C.

Deploy the Lambda functions inside the VPC Attach a security group to the Lambda functions Provide outbound rule access to the VPC CIDR range only Update the DB instance security group to allow traffic from the Lambda security group

D.

Peer the Lambda default VPC with the VPC that hosts the DB instance to allow direct network access without the need for security groups

Full Access
Question # 13

A company's security team is building a solution for logging and visualization. The solution will assist the company with the large variety and velocity of data that it receives from IAM across multiple accounts. The security team has enabled IAM CloudTrail and VPC Flow Logs in all of its accounts. In addition, the company has an organization in IAM Organizations and has an IAM Security Hub master account.

The security team wants to use Amazon Detective However the security team cannot enable Detective and is unsure why

What must the security team do to enable Detective?

A.

Enable Amazon Macie so that Secunty H jb will allow Detective to process findings from Macie.

B.

Disable IAM Key Management Service (IAM KMS) encryption on CtoudTrail logs in every member account of the organization

C.

Enable Amazon GuardDuty on all member accounts Try to enable Detective in 48 hours

D.

Ensure that the principal that launches Detective has the organizations ListAccounts permission

Full Access
Question # 14

A company has implemented IAM WAF and Amazon CloudFront for an application. The application runs on Amazon EC2 instances that are part of an Auto Scaling group. The Auto Scaling group is behind an Application Load Balancer (ALB).

The IAM WAF web ACL uses an IAM Managed Rules rule group and is associated with the CloudFront distribution. CloudFront receives the request from IAM WAF and then uses the ALB as the distribution's origin.

During a security review, a security engineer discovers that the infrastructure is susceptible to a large, layer 7 DDoS attack.

How can the security engineer improve the security at the edge of the solution to defend against this type of attack?

A.

Configure the CloudFront distribution to use the Lambda@Edge feature. Create an IAM Lambda function that imposes a rate limit on CloudFront viewer requests. Block the request if the rate limit is exceeded.

B.

Configure the IAM WAF web ACL so that the web ACL has more capacity units to process all IAM WAF rules faster.

C.

Configure IAM WAF with a rate-based rule that imposes a rate limit that automatically blocks requests when the rate limit is exceeded.

D.

Configure the CloudFront distribution to use IAM WAF as its origin instead of the ALB.

Full Access
Question # 15

A company's IAM account consists of approximately 300 IAM users. Now there is a mandate that an access change is required for 100 IAM users to have unlimited privileges to S3.As a system administrator, how can you implement this effectively so that there is no need to apply the policy at the individual user level?

Please select:

A.

Create a new role and add each user to the IAM role

B.

Use the IAM groups and add users, based upon their role, to different groups and apply the policy to group

C.

Create a policy and apply it to multiple users using a JSON script

D.

Create an S3 bucket policy with unlimited access which includes each user's IAM account ID

Full Access
Question # 16

Auditors for a health care company have mandated that all data volumes be encrypted at rest Infrastructure is deployed mainly via IAM CloudFormation however third-party frameworks and manual deployment are required on some legacy systems

What is the BEST way to monitor, on a recurring basis, whether all EBS volumes are encrypted?

A.

On a recurring basis, update an IAM user policies to require that EC2 instances are created with an encrypted volume

B.

Configure an IAM Config rule lo run on a recurring basis 'or volume encryption

C.

Set up Amazon Inspector rules tor volume encryption to run on a recurring schedule

D.

Use CloudWatch Logs to determine whether instances were created with an encrypted volume

Full Access
Question # 17

An Application team has requested a new IAM KMS master key for use with Amazon S3, but the organizational security policy requires separate master keys for different IAM services to limit blast radius.

How can an IAM KMS customer master key (CMK) be constrained to work with only Amazon S3?

A.

Configure the CMK key policy to allow only the Amazon S3 service to use the kms Encrypt action

B.

Configure the CMK key policy to allow IAM KMS actions only when the kms ViaService condition matches the Amazon S3 service name.

C.

Configure the IAM user's policy lo allow KMS to pass a rote lo Amazon S3

D.

Configure the IAM user's policy to allow only Amazon S3 operations when they are combined with the CMK

Full Access
Question # 18

Example.com is hosted on Amazon EC2 instances behind an Application Load Balancer (ALB). Third-party host intrusion detection system (HIDS) agents that capture the traffic of the EC2 instance are running on each host. The company must ensure they are using privacy enhancing technologies for users, without losing the assurance the third-party solution offers.

What is the MOST secure way to meet these requirements?

A.

Enable TLS pass through on the ALB, and handle decryption at the server using Elliptic Curve Diffie-Hellman (ECDHE) cipher suites.

B.

Create a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie-Hellman (ECDHE) cipher suites, and pass the traffic in the clear to the server.

C.

Create a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie-Hellman (ECDHE) cipher suites, and use encrypted connections to the servers that do not enable Perfect Forward Secrecy (PFS).

D.

Create a listener on the ALB that does not enable Perfect Forward Secrecy (PFS) cipher suites, and use encrypted connections to the servers using Elliptic Curve Diffie-Hellman (ECDHE) cipher suites.

Full Access
Question # 19

A company has multiple departments. Each department has its own IAM account. All these accounts belong to the same organization in IAM Organizations.

A large .csv file is stored in an Amazon S3 bucket in the sales department's IAM account. The company wants to allow users from the other accounts to access the .csv file's content through the combination of IAM Glue and Amazon Athena. However, the company does not want to allow users from the other accounts to access other files in the same folder.

Which solution will meet these requirements?

A.

Apply a user policy in the other accounts to allow IAM Glue and Athena lo access the .csv We.

B.

Use S3 Select to restrict access to the .csv lie. In IAM Glue Data Catalog, use S3 Select as the source of the IAM Glue database.

C.

Define an IAM Glue Data Catalog resource policy in IAM Glue to grant cross-account S3 object access to the .csv file.

D.

Grant IAM Glue access to Amazon S3 in a resource-based policy that specifies the organization as the principal.

Full Access
Question # 20

An application running on EC2 instances in a VPC must call an external web service via TLS (port 443). The instances run in public subnets.

Which configurations below allow the application to function and minimize the exposure of the instances? Select 2 answers from the options given below

Please select:

A.

A network ACL with a rule that allows outgoing traffic on port 443.

B.

A network ACL with rules that allow outgoing traffic on port 443 and incoming traffic on ephemeral ports

C.

A network ACL with rules that allow outgoing traffic on port 443 and incoming traffic on port 443.

D.

A security group with a rule that allows outgoing traffic on port 443

E.

A security group with rules that allow outgoing traffic on port 443 and incoming traffic on ephemeral ports.

F.

A security group with rules that allow outgoing traffic on port 443 and incoming traffic on port 443.

Full Access
Question # 21

You need to establish a secure backup and archiving solution for your company, using IAM. Documents should be immediately accessible for three months and available for five years for compliance reasons. Which IAM service fulfills these requirements in the most cost-effective way? Choose the correct answer:

Please select:

A.

Upload data to S3 and use lifecycle policies to move the data into Glacier for long-term archiving.

B.

Upload the data on EBS, use lifecycle policies to move EBS snapshots into S3 and later into Glacier for long-term archiving.

C.

Use Direct Connect to upload data to S3 and use IAM policies to move the data into Glacier for long-term archiving.

D.

Use Storage Gateway to store data to S3 and use lifecycle policies to move the data into Redshift for long-term archiving.

Full Access
Question # 22

Your company has a requirement to work with a DynamoDB table. There is a security mandate that all data should be encrypted at rest. What is the easiest way to accomplish this for DynamoDB.

Please select:

A.

Use the IAM SDK to encrypt the data before sending it to the DynamoDB table

B.

Encrypt the DynamoDB table using KMS during its creation

C.

Encrypt the table using IAM KMS after it is created

D.

Use S3 buckets to encrypt the data before sending it to DynamoDB

Full Access
Question # 23

You have a set of Customer keys created using the IAM KMS service. These keys have been used for around 6 months. You are now trying to use the new KMS features for the existing set of key's but are not able to do so. What could be the reason for this.

Please select:

A.

You have not explicitly given access via the key policy

B.

You have not explicitly given access via the IAM policy

C.

You have not given access via the IAM roles

D.

You have not explicitly given access via IAM users

Full Access
Question # 24

You have a requirement to serve up private content using the keys available with Cloudfront. How can this be achieved?

Please select:

A.

Add the keys to the backend distribution.

B.

Add the keys to the S3 bucket

C.

Create pre-signed URL's

D.

Use IAM Access keys

Full Access
Question # 25

You currently have an S3 bucket hosted in an IAM Account. It holds information that needs be accessed by a partner account. Which is the MOST secure way to allow the partner account to access the S3 bucket in your account? Select 3 options.

Please select:

A.

Ensure an IAM role is created which can be assumed by the partner account.

B.

Ensure an IAM user is created which can be assumed by the partner account.

C.

Ensure the partner uses an external id when making the request

D.

Provide the ARN for the role to the partner account

E.

Provide the Account Id to the partner account

F.

Provide access keys for your account to the partner account

Full Access
Question # 26

Your company is planning on developing an application in IAM. This is a web based application. The application user will use their facebook or google identities for authentication. You want to have the ability to manage user profiles without having to add extra coding to manage this. Which of the below would assist in this.

Please select:

A.

Create an OlDC identity provider in IAM

B.

Create a SAML provider in IAM

C.

Use IAM Cognito to manage the user profiles

D.

Use IAM users to manage the user profiles

Full Access
Question # 27

Your company currently has a set of EC2 Instances hosted in a VPC. The IT Security department is suspecting a possible DDos attack on the instances. What can you do to zero in on the IP addresses which are receiving a flurry of requests.

Please select:

A.

Use VPC Flow logs to get the IP addresses accessing the EC2 Instances

B.

Use IAM Cloud trail to get the IP addresses accessing the EC2 Instances

C.

Use IAM Config to get the IP addresses accessing the EC2 Instances

D.

Use IAM Trusted Advisor to get the IP addresses accessing the EC2 Instances

Full Access
Question # 28

You are responsible to deploying a critical application onto IAM. Part of the requirements for this application is to ensure that the controls set for this application met PCI compliance. Also there is a need to monitor web application logs to identify any malicious activity. Which of the following services can be used to fulfil this requirement. Choose 2 answers from the options given below

Please select:

A.

Amazon Cloudwatch Logs

B.

Amazon VPC Flow Logs

C.

Amazon IAM Config

D.

Amazon Cloudtrail

Full Access
Question # 29

An EC2 Instance hosts a Java based application that access a DynamoDB table. This EC2 Instance is currently serving production based users. Which of the following is a secure way of ensuring that the EC2 Instance access the Dynamo table

Please select:

A.

Use IAM Roles with permissions to interact with DynamoDB and assign it to the EC2 Instance

B.

Use KMS keys with the right permissions to interact with DynamoDB and assign it to the EC2 Instance

C.

Use IAM Access Keys with the right permissions to interact with DynamoDB and assign it to the EC2 Instance

D.

Use IAM Access Groups with the right permissions to interact with DynamoDB and assign it to the EC2 Instance

Full Access
Question # 30

An application running on EC2 instances in a VPC must access sensitive data in the data center. The access must be encrypted in transit and have consistent low latency. Which hybrid architecture will meet these requirements?

Please select:

A.

Expose the data with a public HTTPS endpoint.

B.

A VPN between the VPC and the data center over a Direct Connect connection

C.

A VPN between the VPC and the data center.

D.

A Direct Connect connection between the VPC and data center

Full Access
Question # 31

A company is hosting a static website on Amazon S3 The company has configured an Amazon CloudFront distribution to serve the website contents The company has associated an IAM WAF web ACL with the CloudFront distribution. The web ACL ensures that requests originate from the United States to address compliance restrictions.

THE company is worried that the S3 URL might still be accessible directly and that requests can bypass the CloudFront distribution

Which combination of steps should the company take to remove direct access to the S3 URL? (Select TWO. )

A.

Select "Restrict Bucket Access" in the origin settings of the CloudFront distribution

B.

Create an origin access identity (OAI) for the S3 origin

C.

Update the S3 bucket policy to allow s3 GetObject with a condition that the IAM Referer key matches the secret value Deny all other requests

D.

Configure the S3 bucket poky so that only the origin access identity (OAI) has read permission for objects in the bucket

E.

Add an origin custom header that has the name Referer to the CloudFront distribution Give the header a secret value.

Full Access
Question # 32

A company is planning on using IAM EC2 and IAM Cloudfrontfor their web application. For which one of the below attacks is usage of Cloudfront most suited for?

Please select:

A.

Cross side scripting

B.

SQL injection

C.

DDoS attacks

D.

Malware attacks

Full Access
Question # 33

Development teams in your organization use S3 buckets to store the log files for various applications hosted ir development environments in IAM. The developers want to keep the logs for one month for troubleshooting purposes, and then purge the logs. What feature will enable this requirement?

Please select:

A.

Adding a bucket policy on the S3 bucket.

B.

Configuring lifecycle configuration rules on the S3 bucket.

C.

Creating an IAM policy for the S3 bucket.

D.

Enabling CORS on the S3 bucket.

Full Access
Question # 34

Your company has the following setup in IAM

a. A set of EC2 Instances hosting a web application

b. An application load balancer placed in front of the EC2 Instances

There seems to be a set of malicious requests coming from a set of IP addresses. Which of the following can be used to protect against these requests?

Please select:

A.

Use Security Groups to block the IP addresses

B.

Use VPC Flow Logs to block the IP addresses

C.

Use IAM inspector to block the IP addresses

D.

Use IAM WAF to block the IP addresses

Full Access
Question # 35

A company wishes to enable Single Sign On (SSO) so its employees can login to the management console using their corporate directory identity. Which steps below are required as part of the process? Select 2 answers from the options given below.

Please select:

A.

Create a Direct Connect connection between on-premise network and IAM. Use an AD connector for connecting IAM with on-premise active directory.

B.

Create IAM policies that can be mapped to group memberships in the corporate directory.

C.

Create a Lambda function to assign IAM roles to the temporary security tokens provided to the users.

D.

Create IAM users that can be mapped to the employees' corporate identities

E.

Create an IAM role that establishes a trust relationship between IAM and the corporate directory identity provider (IdP)

Full Access
Question # 36

A customer has an instance hosted in the IAM Public Cloud. The VPC and subnet used to host the Instance have been created with the default settings for the Network Access Control Lists. They need to provide an IT Administrator secure access to the underlying instance. How can this be accomplished.

Please select:

A.

Ensure the Network Access Control Lists allow Inbound SSH traffic from the IT Administrator's Workstation

B.

Ensure the Network Access Control Lists allow Outbound SSH traffic from the IT Administrator's Workstation

C.

Ensure that the security group allows Inbound SSH traffic from the IT Administrator's Workstation

D.

Ensure that the security group allows Outbound SSH traffic from the IT Administrator's Workstation

Full Access
Question # 37

A company had developed an incident response plan 18 months ago. Regular implementations of the response plan are carried out. No changes have been made to the response plan have been made since its creation. Which of the following is a right statement with regards to the plan?

Please select:

A.

It places too much emphasis on already implemented security controls.

B.

The response plan is not implemented on a regular basis

C.

The response plan does not cater to new services

D.

The response plan is complete in its entirety

Full Access
Question # 38

Your company has confidential documents stored in the simple storage service. Due to compliance requirements, you have to ensure that the data in the S3 bucket is available in a different geographical location. As an architect what is the change you would make to comply with this requirement.

Please select:

A.

Apply Multi-AZ for the underlying 53 bucket

B.

Copy the data to an EBS Volume in another Region

C.

Create a snapshot of the S3 bucket and copy it to another region

D.

Enable Cross region replication for the S3 bucket

Full Access
Question # 39

Your developer is using the KMS service and an assigned key in their Java program. They get the below error when

running the code

arn:IAM:iam::113745388712:user/UserB is not authorized to perform: kms:DescribeKey

Which of the following could help resolve the issue?

Please select:

A.

Ensure that UserB is given the right IAM role to access the key

B.

Ensure that UserB is given the right permissions in the IAM policy

C.

Ensure that UserB is given the right permissions in the Key policy

D.

Ensure that UserB is given the right permissions in the Bucket policy

Full Access
Question # 40

A company has several Customer Master Keys (CMK), some of which have imported key material. Each CMK must be

rotated annually.

What two methods can the security team use to rotate each key? Select 2 answers from the options given below

Please select:

A.

Enable automatic key rotation for a CMK

B.

Import new key material to an existing CMK

C.

Use the CLI or console to explicitly rotate an existing CMK

D.

Import new key material to a new CMK; Point the key alias to the new CMK.

E.

Delete an existing CMK and a new default CMK will be created.

Full Access
Question # 41

Your company hosts a large section of EC2 instances in IAM. There are strict security rules governing the EC2 Instances. During a potential security breach , you need to ensure quick investigation of the underlying EC2 Instance. Which of the following service can help you quickly provision a test environment to look into the breached instance.

Please select:

A.

IAM Cloudwatch

B.

IAM Cloudformation

C.

IAM Cloudtrail

D.

IAM Config

Full Access
Question # 42

A company hosts critical data in an S3 bucket. Even though they have assigned the appropriate permissions to the bucket, they are still worried about data deletion. What measures can be taken to restrict the risk of data deletion on the bucket. Choose 2 answers from the options given below

Please select:

A.

Enable versioning on the S3 bucket

B.

Enable data at rest for the objects in the bucket

C.

Enable MFA Delete in the bucket policy

D.

Enable data in transit for the objects in the bucket

Full Access
Question # 43

Your company manages thousands of EC2 Instances. There is a mandate to ensure that all servers don't have any critical security flIAM. Which of the following can be done to ensure this? Choose 2 answers from the options given below.

Please select:

A.

Use IAM Config to ensure that the servers have no critical flIAM.

B.

Use IAM inspector to ensure that the servers have no critical flIAM.

C.

Use IAM inspector to patch the servers

D.

Use IAM SSM to patch the servers

Full Access
Question # 44

Your company has been using IAM for the past 2 years. They have separate S3 buckets for logging the various IAM services that have been used. They have hired an external vendor for analyzing their log files. They have their own IAM account. What is the best way to ensure that the partner account can access the log files in the company account for analysis. Choose 2 answers from the options given below

Please select:

A.

Create an IAM user in the company account

B.

Create an IAM Role in the company account

C.

Ensure the IAM user has access for read-only to the S3 buckets

D.

Ensure the IAM Role has access for read-only to the S3 buckets

Full Access
Question # 45

You have been given a new brief from your supervisor for a client who needs a web application set up on IAM. The a most important requirement is that MySQL must be used as the database, and this database must not be hosted in t« public cloud, but rather at the client's data center due to security risks. Which of the following solutions would be the ^ best to assure that the client's requirements are met? Choose the correct answer from the options below

Please select:

A.

Build the application server on a public subnet and the database at the client's data center. Connect them with a VPN connection which uses IPsec.

B.

Use the public subnet for the application server and use RDS with a storage gateway to access and synchronize the data securely from the local data center.

C.

Build the application server on a public subnet and the database on a private subnet with a NAT instance between them.

D.

Build the application server on a public subnet and build the database in a private subnet with a secure ssh connection to the private subnet from the client's data center.

Full Access
Question # 46

Your current setup in IAM consists of the following architecture. 2 public subnets, one subnet which has the web servers accessed by users across the internet and the other subnet for the database server. Which of the following changes to the architecture would add a better security boundary to the resources hosted in your setup

Please select:

A.

Consider moving the web server to a private subnet

B.

Consider moving the database server to a private subnet

C.

Consider moving both the web and database server to a private subnet

D.

Consider creating a private subnet and adding a NAT instance to that subnet

Full Access
Question # 47

You are building a system to distribute confidential training videos to employees. Using CloudFront, what method could be used to serve content that is stored in S3, but not publicly accessible from S3 directly?

Please select:

A.

Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAl.

B.

Add the CloudFront account security group "amazon-cf/amazon-cf-sg" to the appropriate S3 bucket policy.

C.

Create an Identity and Access Management (IAM) User for CloudFront and grant access to the objects in your S3 bucket to that IAM User.

D.

Create a S3 bucket policy that lists the CloudFront distribution ID as the Principal and the target bucket as the Amazon Resource Name (ARN).

Full Access
Question # 48

You need to create a Linux EC2 instance in IAM. Which of the following steps is used to ensure secure authentication the EC2 instance from a windows machine. Choose 2 answers from the options given below.

Please select:

A.

Ensure to create a strong password for logging into the EC2 Instance

B.

Create a key pair using putty

C.

Use the private key to log into the instance

D.

Ensure the password is passed securely using SSL

Full Access
Question # 49

A company is planning on using IAM for hosting their applications. They want complete separation and isolation of their production , testing and development environments. Which of the following is an ideal way to design such a setup?

Please select:

A.

Use separate VPCs for each of the environments

B.

Use separate IAM Roles for each of the environments

C.

Use separate IAM Policies for each of the environments

D.

Use separate IAM accounts for each of the environments

Full Access
Question # 50

You want to track access requests for a particular S3 bucket. How can you achieve this in the easiest possible way?

Please select:

A.

Enable server access logging for the bucket

B.

Enable Cloudwatch metrics for the bucket

C.

Enable Cloudwatch logs for the bucket

D.

Enable IAM Config for the S3 bucket

Full Access
Question # 51

You have just developed a new mobile application that handles analytics workloads on large scale datasets that are stored on Amazon Redshift. Consequently, the application needs to access Amazon Redshift tables. Which of the belov methods would be the best both practically and security-wise, to access the tables? Choose the correct answer from the options below

Please select:

A.

Create an IAM user and generate encryption keys for that user. Create a policy for Redshift read-only access. Embed th keys in the application.

B.

Create an HSM client certificate in Redshift and authenticate using this certificate.

C.

Create a Redshift read-only access policy in IAM and embed those credentials in the application.

D.

Use roles that allow a web identity federated user to assume a role that allows access to the Redshift table by providing temporary credentials.

Full Access
Question # 52

Which of the following is the correct sequence of how KMS manages the keys when used along with the Redshift cluster service

Please select:

A.

The master keys encrypts the cluster key. The cluster key encrypts the database key. The database key encrypts the data encryption keys.

B.

The master keys encrypts the database key. The database key encrypts the data encryption keys.

C.

The master keys encrypts the data encryption keys. The data encryption keys encrypts the database key

D.

The master keys encrypts the cluster key, database key and data encryption keys

Full Access
Question # 53

Your IT Security team has identified a number of vulnerabilities across critical EC2 Instances in the company's IAM Account. Which would be the easiest way to ensure these vulnerabilities are remediated?

Please select:

A.

Create IAM Lambda functions to download the updates and patch the servers.

B.

Use IAM CLI commands to download the updates and patch the servers.

C.

Use IAM inspector to patch the servers

D.

Use IAM Systems Manager to patch the servers

Full Access
Question # 54

You need to inspect the running processes on an EC2 Instance that may have a security issue. How can you achieve this in the easiest way possible. Also you need to ensure that the process does not interfere with the continuous running of the instance.

Please select:

A.

Use IAM Cloudtrail to record the processes running on the server to an S3 bucket.

B.

Use IAM Cloudwatch to record the processes running on the server

C.

Use the SSM Run command to send the list of running processes information to an S3 bucket.

D.

Use IAM Config to see the changed process information on the server

Full Access
Question # 55

Your company has many IAM accounts defined and all are managed via IAM Organizations. One IAM account has a S3 bucket that has critical data. How can we ensure that all the users in the IAM organisation have access to this bucket?

Please select:

A.

Ensure the bucket policy has a condition which involves IAM:PrincipalOrglD

B.

Ensure the bucket policy has a condition which involves IAM:AccountNumber

C.

Ensure the bucket policy has a condition which involves IAM:PrincipaliD

D.

Ensure the bucket policy has a condition which involves IAM:OrglD

Full Access
Question # 56

You have an Amazon VPC that has a private subnet and a public subnet in which you have a NAT instance server. You

have created a group of EC2 instances that configure themselves at startup by downloading a bootstrapping script

from S3 that deploys an application via GIT.

Which one of the following setups would give us the highest level of security?

Choose the correct answer from the options given below.

Please select:

A.

EC2 instances in our public subnet, no EIPs, route outgoing traffic via the IGW

B.

EC2 instances in our public subnet, assigned EIPs, and route outgoing traffic via the NAT

C.

EC2 instance in our private subnet, assigned EIPs, and route our outgoing traffic via our IGW

D.

EC2 instances in our private subnet, no EIPs, route outgoing traffic via the NAT

Full Access
Question # 57

A user has enabled versioning on an S3 bucket. The user is using server side encryption for data at Rest. If the user is supplying his own keys for encryption SSE-C, which of the below mentioned statements is true?

Please select:

A.

The user should use the same encryption key for all versions of the same object

B.

It is possible to have different encryption keys for different versions of the same object

C.

IAM S3 does not allow the user to upload his own keys for server side encryption

D.

The SSE-C does not work when versioning is enabled

Full Access
Question # 58

You are building a large-scale confidential documentation web server on IAMand all of the documentation for it will be stored on S3. One of the requirements is that it cannot be publicly accessible from S3 directly, and you will need to use Cloud Front to accomplish this. Which of the methods listed below would satisfy the requirements as outlined? Choose an answer from the options below

Please select:

A.

Create an Identity and Access Management (IAM) user for CloudFront and grant access to the objects in your S3 bucket to that IAM User.

B.

Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAl.

C.

Create individual policies for each bucket the documents are stored in and in that policy grant access to only CloudFront.

D.

Create an S3 bucket policy that lists the CloudFront distribution ID as the Principal and the target bucket as the Amazon Resource Name (ARN).

Full Access
Question # 59

Your company is planning on using IAM EC2 and ELB for deployment for their web applications. The security policy mandates that all traffic should be encrypted. Which of the following options will ensure that this requirement is met. Choose 2 answers from the options below.

Please select:

A.

Ensure the load balancer listens on port 80

B.

Ensure the load balancer listens on port 443

C.

Ensure the HTTPS listener sends requests to the instances on port 443

D.

Ensure the HTTPS listener sends requests to the instances on port 80

Full Access
Question # 60

A company has a legacy application that outputs all logs to a local text file. Logs from all applications running on IAM

must be continually monitored for security related messages.

What can be done to allow the company to deploy the legacy application on Amazon EC2 and still meet the monitoring

requirement?

Please select:

A.

Create a Lambda function that mounts the EBS volume with the logs and scans the logs for security incidents. Trigger the function every 5 minutes with a scheduled Cloudwatch event.

B.

Send the local text log files to CloudWatch Logs and configure a CloudWatch metric filter. Trigger cloudwatch alarms based on the metrics.

C.

Install the Amazon inspector agent on any EC2 instance running the legacy application. Generate CloudWatch alerts a based on any Amazon inspector findings.

D.

Export the local text log files to CloudTrail. Create a Lambda function that queries the CloudTrail logs for security ' incidents using Athena.

Full Access
Question # 61

A company has been using the IAM KMS service for managing its keys. They are planning on carrying out housekeeping activities and deleting keys which are no longer in use. What are the ways that can be incorporated to see which keys are in use? Choose 2 answers from the options given below

Please select:

A.

Determine the age of the master key

B.

See who is assigned permissions to the master key

C.

See Cloudtrail for usage of the key

D.

Use IAM cloudwatch events for events generated for the key

Full Access
Question # 62

You are planning on hosting a web application on IAM. You create an EC2 Instance in a public subnet. This instance needs to connect to an EC2 Instance that will host an Oracle database. Which of the following steps should be followed to ensure a secure setup is in place? Select 2 answers.

Please select:

A.

Place the EC2 Instance with the Oracle database in the same public subnet as the Web server for faster communication

B.

Place the EC2 Instance with the Oracle database in a separate private subnet

C.

Create a database security group and ensure the web security group to allowed incoming access

D.

Ensure the database security group allows incoming traffic from 0.0.0.0/0

Full Access
Question # 63

A company continually generates sensitive records that it stores in an S3 bucket. All objects in the bucket are encrypted using SSE-KMS using one of the company's CMKs. Company compliance policies require that no more than one month of data be encrypted using the same encryption key. What solution below will meet the company's requirements?

Please select:

A.

Trigger a Lambda function with a monthly CloudWatch event that creates a new CMK and updates the S3 bucket to use the new CMK.

B.

Configure the CMK to rotate the key material every month.

C.

Trigger a Lambda function with a monthly CloudWatch event that creates a new CMK, updates the S3 bucket to use thfl new CMK, and deletes the old CMK.

D.

Trigger a Lambda function with a monthly CloudWatch event that rotates the key material in the CMK.

Full Access
Question # 64

You are trying to use the IAM Systems Manager run command on a set of Instances. The run command on a set of Instances. What can you do to diagnose the issue? Choose 2 answers from the options given

Please select:

A.

Ensure that the SSM agent is running on the target machine

B.

Check the /var/log/amazon/ssm/errors.log file

C.

Ensure the right AMI is used for the Instance

D.

Ensure the security groups allow outbound communication for the instance

Full Access
Question # 65

A company is running an application in The eu-west-1 Region. The application uses an IAM Key Management Service (IAM KMS) CMK to encrypt sensitive data. The company plans to deploy the application in the eu-north-1 Region.

A security engineer needs to implement a key management solution for the application deployment in the new Region. The security engineer must minimize changes to the application code.

Which change should the security engineer make to the IAM KMS configuration to meet these requirements?

A.

Update the key policies in eu-west-1. Point the application in eu-north-1 to use the same CMK as the application in eu-west-1.

B.

Allocate a new CMK to eu-north-1 to be used by the application that is deployed in that Region.

C.

Allocate a new CMK to eu-north-1. Create the same alias name for both keys. Configure the application deployment to use the key alias.

D.

Allocate a new CMK to eu-north-1. Create an alias for eu-'-1. Change the application code to point to the alias for eu-'-1.

Full Access
Question # 66

A company wants to monitor the deletion of customer managed CMKs A security engineer must create an alarm that will notify the company before a CMK is deleted The security engineer has configured the integration of IAM CloudTrail with Amazon CloudWatch

What should the security engineer do next to meet this requirement?

A.

Use inbound rule 100 to allow traffic on TCP port 443 Use inbound rule 200 to deny traffic on TCP port 3306 Use outbound rule 100 to allow traffic on TCP port 443

B.

Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port range 1024-65535. Use outbound rule 100 to allow traffic on TCP port 443

C.

Use inbound rule 100 to allow traffic on TCP port range 1024-65535 Use inbound rule 200 to deny traffic on TCP port 3306 Use outbound rule 100 to allow traffic on TCP port 443

D.

Use inbound rule 100 to deny traffic on TCP port 3306 Use inbound rule 200 to allow traffic on TCP port 443 Use outbound rule 100 to allow traffic on TCP port 443

Full Access
Question # 67

A company wants to prevent SSH access through the use of SSH key pairs for any Amazon Linux 2 Amazon EC2 instances in its AWS account. However, a system administrator occasionally will need to access these EC2 instances through SSH in an emergency. For auditing purposes, the company needs to record any commands that a user runs in an EC2 instance.

What should a security engineer do to configure access to these EC2 instances to meet these requirements?

A.

Use the EC2 serial console Configure the EC2 serial console to save all commands that are entered to an Amazon S3 bucket. Provide the EC2 instances with an IAM role that allows the EC2 serial console to access Amazon S3. Configure an IAM account for the system administrator. Provide an IAM policy that allows the IAM account to use the EC2 serial console.

B.

Use EC2 Instance Connect Configure EC2 Instance Connect to save all commands that are entered to Amazon CloudWatch Logs. Provide the EC2 instances with an IAM role that allows the EC2 instances to access CloudWatch Logs Configure an IAM account for the system administrator. Provide an IAM policy that allows the IAM account to use EC2 Instance Connect.

C.

Use an EC2 key pair with an EC2 instance that needs SSH access Access the EC2 instance with this key pair by using SSH. Configure the EC2 instance to save all commands that are entered to Amazon CloudWatch Logs. Provide the EC2 instance with an IAM role that allows the EC2 instance to access Amazon S3 and CloudWatch Logs.

D.

Use AWS Systems Manager Session Manager Configure Session Manager to save all commands that are entered in a session to an Amazon S3 bucket. Provide the EC2 instances with an IAM role that allows Systems Manager to manage the EC2 instances. Configure an IAM account for the system administrator Provide an IAM policy that allows the IAM account to use Session Manager.

Full Access
Question # 68

A company's Security Auditor discovers that users are able to assume roles without using multi-factor authentication (MFA). An example of a current policy being applied to these users is as follows:

The Security Auditor finds that the users who are able to assume roles without MFA are alt coming from the IAM CLI. These users are using long-term IAM credentials. Which changes should a Security Engineer implement to resolve this security issue? (Select TWO.)

A)

B)

C)

D)

E)

A.

Option A

B.

Option B

C.

Option C

D.

Option D

E.

Option E

Full Access
Question # 69

A company has two IAM accounts within IAM Organizations. In Account-1. Amazon EC2 Auto Scaling is launched using a service-linked role. In Account-2. Amazon EBS volumes are encrypted with an IAM KMS key A Security Engineer needs to ensure that the service-linked role can launch instances with these encrypted volumes

Which combination of steps should the Security Engineer take in both accounts? (Select TWO.)

A.

Allow Account-1 to access the KMS key in Account-2 using a key policy

B.

Attach an IAM policy to the service-linked role in Account-1 that allows these actions CreateGrant. DescnbeKey, Encrypt, GenerateDataKey, Decrypt, and ReEncrypt

C.

Create a KMS grant for the service-linked role with these actions CreateGrant, DescnbeKey Encrypt GenerateDataKey Decrypt, and ReEncrypt

D.

Attach an IAM policy to the role attached to the EC2 instances with KMS actions and then allow Account-1 in the KMS key policy.

E.

Attach an IAM policy to the user who is launching EC2 instances and allow the user to access the KMS key policy of Account-2.

Full Access
Question # 70

A company is running workloads in a single IAM account on Amazon EC2 instances and Amazon EMR clusters a recent security audit revealed that multiple Amazon Elastic Block Store (Amazon EBS) volumes and snapshots are not encrypted

The company's security engineer is working on a solution that will allow users to deploy EC2 Instances and EMR clusters while ensuring that all new EBS volumes and EBS snapshots are encrypted at rest. The solution must also minimize operational overhead

Which steps should the security engineer take to meet these requirements?

A.

Create an Amazon Event Bridge (Amazon Cloud watch Events) event with an EC2 instance as the source and create volume as the event trigger. When the event is triggered invoke an IAM Lambda function to evaluate and notify the security engineer if the EBS volume that was created is not encrypted.

B.

Use a customer managed IAM policy that will verify that the encryption flag of the Createvolume context is set to true. Apply this rule to all users.

C.

Create an IAM Config rule to evaluate the configuration of each EC2 instance on creation or modification. Have the IAM Config rule trigger an IAM Lambdafunction to alert the security team and terminate the instance it the EBS volume is not encrypted. 5

D.

Use the IAM Management Console or IAM CLi to enable encryption by default for EBS volumes in each IAM Region where the company operates.

Full Access
Question # 71

A company has two teams, and each team needs to access its respective Amazon S3 buckets. The company anticipates adding more teams that also will have their own S3 buckets. When the company adds these teams, team members will need the ability to be assigned to multiple teams. Team members also will need the ability to change teams. Additional S3 buckets can be created or deleted.

An IAM administrator must design a solution to accomplish these goals. The solution also must be scalable and must require the least possible operational overhead.

Which solution meets these requirements?

A.

Add users to groups that represent the teams. Create a policy for each team that allows the team to access its respective S3 buckets only. Attach the policy to the corresponding group.

B.

Create an IAM role for each team. Create a policy for each team that allows the team to access its respective S3 buckets only. Attach the policy to the corresponding role.

C.

Create IAM roles that are labeled with an access tag value of a team. Create one policy that allows dynamic access to S3 buckets with the same tag. Attach the policy to the IAM roles. Tag the S3 buckets accordingly.

D.

Implement a role-based access control (RBAC) authorization model. Create the corresponding policies, and attach them to the IAM users.

Full Access
Question # 72

A company hosts business-critical applications on Amazon EC2 instances in a VPC. The VPC uses default DHCP options sets. A security engineer needs to log all DNS queries that internal resources make in the VPC. The security engineer also must create a list of the most common DNS queries over time.

Which solution will meet these requirements?

A.

Install the Amazon CloudWatch agent on each EC2 instance in the VPC. Use the CloudWatch agent to stream the DNS query logs to an Amazon CloudWatch Logs log group. Use CloudWatch metric filters to automatically generate metrics that list the most common ONS queries.

B.

Install a BIND DNS server in the VPC. Create a bash script to list the DNS request number of common DNS queries from the BIND logs.

C.

Create VPC flow logs for all subnets in the VPC. Stream the flow logs to an Amazon CloudWatch Logs log group. Use CloudWatch Logs Insights to list the most common DNS queries for the log group in a custom dashboard.

D.

Configure Amazon Route 53 Resolver query logging. Add an Amazon CloudWatch Logs log group as the destination. Use Amazon CloudWatch Contributor Insights to analyze the data and create time series that display the most common DNS queries.

Full Access
Question # 73

A company uses an external identity provider to allow federation into different IAM accounts. A security engineer for the company needs to identify the federated user that terminated a production Amazon EC2 instance a week ago.

What is the FASTEST way for the security engineer to identify the federated user?

A.

Review the IAM CloudTrail event history logs in an Amazon S3 bucket and look for the Terminatelnstances event to identify the federated user from the role session name.

B.

Filter the IAM CloudTrail event history for the Terminatelnstances event and identify the assumed IAM role. Review the AssumeRoleWithSAML event call in CloudTrail to identify the corresponding username.

C.

Search the IAM CloudTrail logs for the Terminatelnstances event and note the event time. Review the IAM Access Advisor tab for all federated roles. The last accessed time should match the time when the instance was terminated.

D.

Use Amazon Athena to run a SQL query on the IAM CloudTrail logs stored in an Amazon S3 bucket and filter on the Terminatelnstances event. Identify the corresponding role and run another query to filter the AssumeRoleWithWebldentity event for the user name.

Full Access
Question # 74

Your CTO thinks your IAM account was hacked. What is the only way to know for certain if there was unauthorized access and what they did, assuming your hackers are very sophisticated IAM engineers and doing everything they can to cover their tracks?

Please select:

A.

Use CloudTrail Log File Integrity Validation.

B.

Use IAM Config SNS Subscriptions and process events in real time.

C.

Use CloudTrail backed up to IAM S3 and Glacier.

D.

Use IAM Config Timeline forensics.

Full Access
Question # 75

A company manages three separate IAM accounts for its production, development, and test environments, Each Developer is assigned a unique IAM user under the development account. A new application hosted on an Amazon EC2 instance in the developer account requires read access to the archived documents stored in an Amazon S3 bucket in the production account.

How should access be granted?

A.

Create an IAM role in the production account and allow EC2 instances in the development account to assume that role using the trust policy. Provide read access for the required S3 bucket to this role.

B.

Use a custom identity broker to allow Developer IAM users to temporarily access the S3 bucket.

C.

Create a temporary IAM user for the application to use in the production account.

D.

Create a temporary IAM user in the production account and provide read access to Amazon S3. Generate the temporary IAM user's access key and secret key and store these on the EC2 instance used by the application in the development account.

Full Access
Question # 76

A company hosts an end user application on AWS Currently the company deploys the application on Amazon EC2 instances behind an Elastic Load Balancer The company wants to configure end-to-end encryption between the Elastic Load Balancer and the EC2 instances.

Which solution will meet this requirement with the LEAST operational effort?

A.

Use Amazon issued AWS Certificate Manager (ACM) certificates on the EC2 instances and the Elastic Load Balancer to configure end-to-end encryption

B.

Import a third-party SSL certificate to AWS Certificate Manager (ACM) Install the third-party certificate on the EC2 instances Associate the ACM imported third-party certificate with the Elastic Load Balancer

C.

Deploy AWS CloudHSM Import a third-party certificate Configure the EC2 instances and the Elastic Load Balancer to use the CloudHSM imported certificate

D.

Import a third-party certificate bundle to AWS Certificate Manager (ACM) Install the third-party certificate on the EC2 instances Associate the ACM imported third-party certificate with the Elastic Load Balancer.

Full Access
Question # 77

A company uses AWS Organizations to manage a small number of AWS accounts. However, the company plans to add 1 000 more accounts soon. The company allows only a centralized security team to create IAM roles for all AWS accounts and teams. Application teams submit requests for IAM roles to the security team. The security team has a backlog of IAM role requests and cannot review and provision the IAM roles quickly.

The security team must create a process that will allow application teams to provision their own IAM roles. The process must also limit the scope of IAM roles and prevent privilege escalation.

Which solution will meet these requirements with the LEAST operational overhead?

A.

Create an IAM group for each application team. Associate policies with each IAM group. Provision IAM users for each application team member. Add the new IAM users to the appropriate IAM group by using role-based access control (RBAC).

B.

Delegate application team leads to provision IAM rotes for each team. Conduct a quarterly review of the IAM rotes the team leads have provisioned. Ensure that the application team leads have the appropriate training to review IAM roles.

C.

Put each AWS account in its own OU. Add an SCP to each OU to grant access to only the AWS services that the teams plan to use. Include conditions tn the AWS account of each team.

D.

Create an SCP and a permissions boundary for IAM roles. Add the SCP to the root OU so that only roles that have the permissions boundary attached can create any new IAM roles.

Full Access
Question # 78

A company has an encrypted Amazon Aurora DB cluster in the us-east-1 Region. The DB cluster is encrypted with an AWS Key Management Service (AWS KMS) customer managed key. To meet compliance requirements, the company needs to copy a DB snapshot to the us-west-1 Region. However, when the company tries to copy the snapshot to us-west-1 the company cannot access the key that was used to encrypt the original database.

What should the company do to set up the snapshot in us-west-1 with proper encryption?

A.

Use AWS Secrets Manager to store the customer managed key in us-west-1 as a secret Use this secret to encrypt the snapshot in us-west-1.

B.

Create a new customer managed key in us-west-1. Use this new key to encrypt the snapshot in us-west-1.

C.

Create an IAM policy that allows access to the customer managed key in us-east-1. Specify am aws kms us-west-1 " as the principal.

D.

Create an IAM policy that allows access to the customer managed key in us-east-1. Specify arn aws rds us-west-1. * as the principal.

Full Access
Question # 79

An application team wants to use IAM Certificate Manager (ACM) to request public certificates to ensure that data is secured in transit. The domains that are being used are not currently hosted on Amazon Route 53

The application team wants to use an IAM managed distribution and caching solution to optimize requests to its systems and provide better points of presence to customers The distribution solution will use a primary domain name that is customized The distribution solution also will use several alternative domain names The certificates must renew automatically over an indefinite period of time

Which combination of steps should the application team take to deploy this architecture? (Select THREE.)

A.

Request a certificate (torn ACM in the us-west-2 Region Add the domain names that the certificate will secure

B.

Send an email message to the domain administrators to request vacation of the domains for ACM

C.

Request validation of the domains for ACM through DNS Insert CNAME records into each domain's DNS zone

D.

Create an Application Load Balancer for me caching solution Select the newly requested certificate from ACM to be used for secure connections

E.

Create an Amazon CloudFront distribution for the caching solution Enter the main CNAME record as the Origin Name Enter the subdomain names or alternate names in the Alternate Domain Names Distribution Settings Select the newly requested certificate from ACM to be used for secure connections

F.

Request a certificate from ACM in the us-east-1 Region Add the domain names that the certificate wil secure

Full Access
Question # 80

A company that uses AWS Organizations wants to see AWS Security Hub findings for many AWS accounts and AWS Regions. Some of the accounts are in the company's organization, and some accounts are in organizations that the company manages for customers. Although the company can see findings in the Security Hub administrator account for accounts in the company's organization, there are no findings from accounts in other organizations.

Which combination of steps should the company take to see findings from accounts that are outside the organization that includes the Security Hub administrator account? (Select TWO.)

A.

Use a designated administration account to automatically set up member accounts.

B.

Create the AWS Service Role ForSecurrty Hub service-linked rote for Security Hub.

C.

Send an administration request from the member accounts.

D.

Enable Security Hub for all member accounts.

E.

Send invitations to accounts that are outside the company's organization from the Security Hub administrator account.

Full Access
Question # 81

A company is using an AWS Key Management Service (AWS KMS) AWS owned key in its application to encrypt files in an AWS account The company's security team wants the ability to change to new key material for new files whenever a potential key breach occurs A security engineer must implement a solution that gives the security team the ability to change the key whenever the team wants to do so

Which solution will meet these requirements?

A.

Create a new customer managed key Add a key rotation schedule to the key Invoke the key rotation schedule every time the security team requests a key change

B.

Create a new AWS managed key Add a key rotation schedule to the key Invoke the key rotation schedule every time the security team requests a key change

C.

Create a key alias Create a new customer managed key every time the security team requests a key change Associate the alias with the new key

D.

Create a key alias Create a new AWS managed key every time the security team requests a key change Associate the alias with the new key

Full Access
Question # 82

A company wants to remove all SSH keys permanently from a specific subset of its Amazon Linux 2 Amazon EC2 instances that are using the same 1AM instance profile However three individuals who have IAM user accounts will need to access these instances by using an SSH session to perform critical duties

How can a security engineer provide the access to meet these requirements'?

A.

Assign an 1AM policy to the instance profile to allow the EC2 instances to be managed by AWS Systems Manager Provide the 1AM user accounts with permission to use Systems Manager Remove the SSH keys from the EC2 instances Use Systems Manager Inventory to select the EC2 instance and connect

B.

Assign an 1AM policy to the 1AM user accounts to provide permission to use AWS Systems Manager Run Command Remove the SSH keys from the EC2 instances Use Run Command to open an SSH connection to the EC2 instance

C.

Assign an 1AM policy to the instance profile to allow the EC2 instances to be managed by AWS Systems Manager Provide the 1AM user accounts with permission to use Systems Manager Remove the SSH keys from the EC2 instances Use Systems Manager Session Manager to select the EC2 instance and connect

D.

Assign an 1AM policy to the 1AM user accounts to provide permission to use the EC2 service in the AWS Management Console Remove the SSH keys from the EC2 instances Connect to the EC2 instance as the ec2-user through the AWS Management Console's EC2 SSH client method

Full Access
Question # 83

A developer at a company uses an SSH key to access multiple Amazon EC2 instances. The company discovers that the SSH key has been posted on a public GitHub repository. A security engineer verifies that the key has not been used recently.

How should the security engineer prevent unauthorized access to the EC2 instances?

A.

Delete the key pair from the EC2 console. Create a new key pair.

B.

Use the ModifylnstanceAttribute API operation to change the key on any EC2 instance that is using the key.

C.

Restrict SSH access in the security group to only known corporate IP addresses.

D.

Update the key pair in any AMI that is used to launch the EC2 instances. Restart the EC2 instances.

Full Access
Question # 84

A security engineer is defining the controls required to protect the IAM account root user credentials in an IAM Organizations hierarchy. The controls should also limit the impact in case these credentials have been compromised.

Which combination of controls should the security engineer propose? (Select THREE.)

A)

B)

C) Enable multi-factor authentication (MFA) for the root user.

D) Set a strong randomized password and store it in a secure location.

E) Create an access key ID and secret access key, and store them in a secure location.

F) Apply the following permissions boundary to the toot user:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

E.

Option E

F.

Option F

Full Access
Question # 85

Which of the following bucket policies will ensure that objects being uploaded to a bucket called 'demo' are encrypted.

Please select:

A.

C:\Users\wk\Desktop\mudassar\Untitled.jpg

B.

C:\Users\wk\Desktop\mudassar\Untitled.jpg

C.

C:\Users\wk\Desktop\mudassar\Untitled.jpg

D.

C:\Users\wk\Desktop\mudassar\Untitled.jpg

Full Access
Question # 86

An ecommerce company is developing new architecture for an application release. The company needs to implement TLS for incoming traffic to the application. Traffic for the application will originate from the internet TLS does not have to be implemented in an end-to-end configuration because the company is concerned about impacts on performance. The incoming traffic types will be HTTP and HTTPS The application uses ports 80 and 443.

What should a security engineer do to meet these requirements?

A.

Create a public Application Load Balancer. Create two listeners one listener on port 80 and one listener on port 443. Create one target group. Create a rule to forward traffic from port 80 to the listener on port 443 Provision a public TLS certificate in AWS Certificate Manager (ACM). Attach the certificate to the listener on port 443.

B.

Create a public Application Load Balancer. Create two listeners one listener on port 80 and one listener on port 443. Create one target group. Create a rule to forward traffic from port 80 to the listener on port 443 Provision a public TLS certificate in AWS Certificate Manager (ACM). Attach the certificate to the listener on port 80.

C.

Create a public Network Load Balancer. Create two listeners one listener on port 80 and one listener on port 443. Create one target group. Create a rule to forward traffic from port 80 to the listener on port 443. Set the protocol for the listener on port 443 to TLS.

D.

Create a public Network Load Balancer. Create a listener on port 443. Create one target group. Create a rule to forward traffic from port 443 to the target group. Set the protocol for the listener on port 443 to TLS.

Full Access
Question # 87

A company has a set of EC2 Instances hosted in IAM. The EC2 Instances have EBS volumes which is used to store critical information. There is a business continuity requirement to ensure high availability for the EBS volumes. How can you achieve this?

A.

Use lifecycle policies for the EBS volumes

B.

Use EBS Snapshots

C.

Use EBS volume replication

D.

Use EBS volume encryption

Full Access
Question # 88

A developer 15 building a serverless application hosted on IAM that uses Amazon Redshift in a data store. The application has separate modules for read/write and read-only functionality. The modules need their own database users tor compliance reasons.

Which combination of steps should a security engineer implement to grant appropriate access' (Select TWO )

A.

Configure cluster security groups for each application module to control access to database users that are required for read-only and read/write.

B.

Configure a VPC endpoint for Amazon Redshift Configure an endpoint policy that maps database users to each application module, and allow access to the tables that are required for read-only and read/write

C.

Configure an IAM poky for each module Specify the ARN of an Amazon Redshift database user that allows the GetClusterCredentials API call

D.

Create focal database users for each module

E.

Configure an IAM policy for each module Specify the ARN of an IAM user that allows the GetClusterCredentials API call

Full Access
Question # 89

A security alert has been raised for an Amazon EC2 instance in a customer account that is exhibiting strange behavior. The Security Engineer must first isolate the EC2 instance and then use tools for further investigation.

What should the Security Engineer use to isolate and research this event? (Choose three.)

A.

IAM CloudTrail

B.

Amazon Athena

C.

IAM Key Management Service (IAM KMS)

D.

VPC Flow Logs

E.

IAM Firewall Manager

F.

Security groups

Full Access
Question # 90

An organization receives an alert that indicates that an EC2 instance behind an ELB Classic Load Balancer has been compromised.

What techniques will limit lateral movement and allow evidence gathering?

A.

Remove the instance from the load balancer and terminate it.

B.

Remove the instance from the load balancer, and shut down access to the instance by tightening the security group.

C.

Reboot the instance and check for any Amazon CloudWatch alarms.

D.

Stop the instance and make a snapshot of the root EBS volume.

Full Access
Question # 91

A Security Engineer must add additional protection to a legacy web application by adding the following HTTP security headers:

-Content Security-Policy

-X-Frame-Options

-X-XSS-Protection

The Engineer does not have access to the source code of the legacy web application.

Which of the following approaches would meet this requirement?

A.

Configure an Amazon Route 53 routing policy to send all web traffic that does not include the required headers to a black hole.

B.

Implement an IAM Lambda@Edge origin response function that inserts the required headers.

C.

Migrate the legacy application to an Amazon S3 static website and front it with an Amazon CloudFront distribution.

D.

Construct an IAM WAF rule to replace existing HTTP headers with the required security headers by using regular expressions.

Full Access
Question # 92

You have just recently set up a web and database tier in a VPC and hosted the application. When testing the app , you are not able to reach the home page for the app. You have verified the security groups. What can help you diagnose the issue.

Please select:

A.

Use the IAM Trusted Advisor to see what can be done.

B.

Use VPC Flow logs to diagnose the traffic

C.

Use IAM WAF to analyze the traffic

D.

Use IAM Guard Duty to analyze the traffic

Full Access
Question # 93

A Software Engineer is trying to figure out why network connectivity to an Amazon EC2 instance does not appear to be working correctly. Its security group allows inbound HTTP traffic from 0.0.0.0/0, and the outbound rules have not been modified from the default. A custom network ACL associated with its subnet allows inbound HTTP traffic from 0.0.0.0/0 and has no outbound rules.

What would resolve the connectivity issue?

A.

The outbound rules on the security group do not allow the response to be sent to the client on the ephemeral port range.

B.

The outbound rules on the security group do not allow the response to be sent to the client on the HTTP port.

C.

An outbound rule must be added to the network ACL to allow the response to be sent to the client on the ephemeral port range.

D.

An outbound rule must be added to the network ACL to allow the response to be sent to the client on the HTTP port.

Full Access
Question # 94

A company plans to migrate a sensitive dataset to Amazon S3. A Security Engineer must ensure that the data is encrypted at rest. The encryption solution must enable the company to generate its own keys without needing to manage key storage or the encryption process.

What should the Security Engineer use to accomplish this?

A.

Server-side encryption with Amazon S3-managed keys (SSE-S3)

B.

Server-side encryption with IAM KMS-managed keys (SSE-KMS)

C.

Server-side encryption with customer-provided keys (SSE-C)

D.

Client-side encryption with an IAM KMS-managed CMK

Full Access
Question # 95

IAM CloudTrail is being used to monitor API calls in an organization. An audit revealed that CloudTrail is failing to deliver events to Amazon S3 as expected.

What initial actions should be taken to allow delivery of CloudTrail events to S3? (Select two.)

A.

Verify that the S3 bucket policy allow CloudTrail to write objects.

B.

Verify that the IAM role used by CloudTrail has access to write to Amazon CloudWatch Logs.

C.

Remove any lifecycle policies on the S3 bucket that are archiving objects to Amazon Glacier.

D.

Verify that the S3 bucket defined in CloudTrail exists.

E.

Verify that the log file prefix defined in CloudTrail exists in the S3 bucket.

Full Access
Question # 96

During a security event, it is discovered that some Amazon EC2 instances have not been sending Amazon CloudWatch logs.

Which steps can the Security Engineer take to troubleshoot this issue? (Select two.)

A.

Connect to the EC2 instances that are not sending the appropriate logs and verify that the CloudWatch Logs agent is running.

B.

Log in to the IAM account and select CloudWatch Logs. Check for any monitored EC2 instances that are in the “Alerting” state and restart them using the EC2 console.

C.

Verify that the EC2 instances have a route to the public IAM API endpoints.

D.

Connect to the EC2 instances that are not sending logs. Use the command prompt to verify that the right permissions have been set for the Amazon SNS topic.

E.

Verify that the network access control lists and security groups of the EC2 instances have the access to send logs over SNMP.

Full Access
Question # 97

A company has two IAM accounts, each containing one VPC. The first VPC has a VPN connection with its corporate network. The second VPC, without a VPN, hosts an Amazon Aurora database cluster in private subnets. Developers manage the Aurora database from a bastion host in a public subnet as shown in the image.

A security review has flagged this architecture as vulnerable, and a Security Engineer has been asked to make this design more secure. The company has a short deadline and a second VPN connection to the Aurora account is not possible.

How can a Security Engineer securely set up the bastion host?

A.

Move the bastion host to the VPC with VPN connectivity. Create a VPC peering relationship between the bastion host VPC and Aurora VPC.

B.

Create a SSH port forwarding tunnel on the Developer’s workstation to the bastion host to ensure that only authorized SSH clients can access the bastion host.

C.

Move the bastion host to the VPC with VPN connectivity. Create a cross-account trust relationship between the bastion VPC and Aurora VPC, and update the Aurora security group for the relationship.

D.

Create an IAM Direct Connect connection between the corporate network and the Aurora account, and adjust the Aurora security group for this connection.

Full Access
Question # 98

A Developer who is following IAM best practices for secure code development requires an application to encrypt sensitive data to be stored at rest, locally in the application, using IAM KMS. What is the simplest and MOST secure way to decrypt this data when required?

A.

Request KMS to provide the stored unencrypted data key and then use the retrieved data key to decrypt the data.

B.

Keep the plaintext data key stored in Amazon DynamoDB protected with IAM policies. Query DynamoDB to retrieve the data key to decrypt the data

C.

Use the Encrypt API to store an encrypted version of the data key with another customer managed key. Decrypt the data key and use it to decrypt the data when required.

D.

Store the encrypted data key alongside the encrypted data. Use the Decrypt API to retrieve the data key to decrypt the data when required.

Full Access
Question # 99

An organization is using Amazon CloudWatch Logs with agents deployed on its Linux Amazon EC2 instances. The agent configuration files have been checked and the application log files to be pushed are configured correctly. A review has identified that logging from specific instances is missing.

Which steps should be taken to troubleshoot the issue? (Choose two.)

A.

Use an EC2 run command to confirm that the “IAMlogs” service is running on all instances.

B.

Verify that the permissions used by the agent allow creation of log groups/streams and to put log events.

C.

Check whether any application log entries were rejected because of invalid time stamps by reviewing /var/cwlogs/rejects.log.

D.

Check that the trust relationship grants the service “cwlogs.amazonIAM.com” permission to write objects to the Amazon S3 staging bucket.

E.

Verify that the time zone on the application servers is in UTC.

Full Access
Question # 100

You have a 2 tier application hosted in IAM. It consists of a web server and database server (SQL Server) hosted on separate EC2 Instances. You are devising the security groups for these EC2 Instances. The Web tier needs to be accessed by users across the Internet. You have created a web security group(wg-123) and database security group(db-345). Which combination of the following security group rules will allow the application to be secure and functional. Choose 2 answers from the options given below.

Please select:

A.

wg-123 -Allow ports 80 and 443 from 0.0.0.0/0

B.

db-345 - Allow port 1433 from wg-123

C.

wg-123 - Allow port 1433 from wg-123

D.

db-345 -Allow ports 1433 from 0.0.0.0/0

Full Access
Question # 101

What are the MOST secure ways to protect the IAM account root user of a recently opened IAM account? (Choose two.)

A.

Use the IAM account root user access keys instead of the IAM Management Console

B.

Enable multi-factor authentication for the IAM IAM users with the AdministratorAccess managed policy attached to them

C.

Enable multi-factor authentication for the IAM account root user

D.

Use IAM KMS to encrypt all IAM account root user and IAM IAM access keys and set automatic rotation to 30 days

E.

Do not create access keys for the IAM account root user; instead, create IAM IAM users

Full Access
Question # 102

Which option for the use of the IAM Key Management Service (KMS) supports key management best practices that focus on minimizing the potential scope of data exposed by a possible future key compromise?

A.

Use KMS automatic key rotation to replace the master key, and use this new master key for future encryption operations without re-encrypting previously encrypted data.

B.

Generate a new Customer Master Key (CMK), re-encrypt all existing data with the new CMK, and use it for all future encryption operations.

C.

Change the CMK alias every 90 days, and update key-calling applications with the new key alias.

D.

Change the CMK permissions to ensure that individuals who can provision keys are not the same individuals who can use the keys.

Full Access
Question # 103

An organization is using IAM CloudTrail, Amazon CloudWatch Logs, and Amazon CloudWatch to send alerts when new access keys are created. However, the alerts are no longer appearing in the Security Operations mail box.

Which of the following actions would resolve this issue?

A.

In CloudTrail, verify that the trail logging bucket has a log prefix configured.

B.

In Amazon SNS, determine whether the “Account spend limit” has been reached for this alert.

C.

In SNS, ensure that the subscription used by these alerts has not been deleted.

D.

In CloudWatch, verify that the alarm threshold “consecutive periods” value is equal to, or greater than 1.

Full Access
Question # 104

An IAM Lambda function was misused to alter data, and a Security Engineer must identify who invoked the function and what output was produced. The Engineer cannot find any logs created by the Lambda function in Amazon CloudWatch Logs.

Which of the following explains why the logs are not available?

A.

The execution role for the Lambda function did not grant permissions to write log data to CloudWatch Logs.

B.

The Lambda function was executed by using Amazon API Gateway, so the logs are not stored in CloudWatch Logs.

C.

The execution role for the Lambda function did not grant permissions to write to the Amazon S3 bucket where CloudWatch Logs stores the logs.

D.

The version of the Lambda function that was executed was not current.

Full Access
Question # 105

A Lambda function reads metadata from an S3 object and stores the metadata in a DynamoDB table. The function is

triggered whenever an object is stored within the S3 bucket.

How should the Lambda function be given access to the DynamoDB table?

Please select:

A.

Create a VPC endpoint for DynamoDB within a VPC. Configure the Lambda function to access resources in the VPC.

B.

Create a resource policy that grants the Lambda function permissions to write to the DynamoDB table. Attach the poll to the DynamoDB table.

C.

Create an IAM user with permissions to write to the DynamoDB table. Store an access key for that user in the Lambda environment variables.

D.

Create an IAM service role with permissions to write to the DynamoDB table. Associate that role with the Lambda function.

Full Access
Question # 106

A company uses IAM Organization to manage 50 IAM accounts. The finance staff members log in as IAM IAM users in the FinanceDept IAM account. The staff members need to read the consolidated billing information in the MasterPayer IAM account. They should not be able to view any other resources in the MasterPayer IAM account. IAM access to billing has been enabled in the MasterPayer account.

Which of the following approaches grants the finance staff the permissions they require without granting any unnecessary permissions?

A.

Create an IAM group for the finance users in the FinanceDept account, then attach the IAM managed ReadOnlyAccess IAM policy to the group.

B.

Create an IAM group for the finance users in the MasterPayer account, then attach the IAM managed ReadOnlyAccess IAM policy to the group.

C.

Create an IAM IAM role in the FinanceDept account with the ViewBilling permission, then grant the finance users in the MasterPayer account the permission to assume that role.

D.

Create an IAM IAM role in the MasterPayer account with the ViewBilling permission, then grant the finance users in the FinanceDept account the permission to assume that role.

Full Access
Question # 107

A Security Administrator is performing a log analysis as a result of a suspected IAM account compromise. The Administrator wants to analyze suspicious IAM CloudTrail log files but is overwhelmed by the volume of audit logs being generated.

What approach enables the Administrator to search through the logs MOST efficiently?

A.

Implement a “write-only” CloudTrail event filter to detect any modifications to the IAM account resources.

B.

Configure Amazon Macie to classify and discover sensitive data in the Amazon S3 bucket that contains the CloudTrail audit logs.

C.

Configure Amazon Athena to read from the CloudTrail S3 bucket and query the logs to examine account activities.

D.

Enable Amazon S3 event notifications to trigger an IAM Lambda function that sends an email alarm when there are new CloudTrail API entries.

Full Access
Question # 108

A company uses identity federation to authenticate users into an identity account (987654321987) where the users assume an IAM role named IdentityRole. The users then assume an IAM role named JobFunctionRole in the target IAM account (123456789123) to perform their job functions.

A user is unable to assume the IAM role in the target account. The policy attached to the role in the identity account is:

What should be done to enable the user to assume the appropriate role in the target account?

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Full Access
Question # 109

The Security Engineer has discovered that a new application that deals with highly sensitive data is storing Amazon S3 objects with the following key pattern, which itself contains highly sensitive data.

Pattern:

"randomID_datestamp_PII.csv"

Example:

"1234567_12302017_000-00-0000 csv"

The bucket where these objects are being stored is using server-side encryption (SSE).

Which solution is the most secure and cost-effective option to protect the sensitive data?

A.

Remove the sensitive data from the object name, and store the sensitive data using S3 user-defined metadata.

B.

Add an S3 bucket policy that denies the action s3:GetObject

C.

Use a random and unique S3 object key, and create an S3 metadata index in Amazon DynamoDB using client-side encrypted attributes.

D.

Store all sensitive objects in Binary Large Objects (BLOBS) in an encrypted Amazon RDS instance.

Full Access
Question # 110

You want to get a list of vulnerabilities for an EC2 Instance as per the guidelines set by the Center of Internet Security. How can you go about doing this?

Please select:

A.

Enable IAM Guard Duty for the Instance

B.

Use IAM Trusted Advisor

C.

Use IAM inspector

D.

UseIAMMacie

Full Access
Question # 111

The IAM Systems Manager Parameter Store is being used to store database passwords used by an IAM Lambda function. Because this is sensitive data, the parameters are stored as type SecureString and protected by an IAM KMS key that allows access through IAM. When the function executes, this parameter cannot be retrieved as the result of an access denied error.

Which of the following actions will resolve the access denied error?

A.

Update the ssm.amazonIAM.com principal in the KMS key policy to allow kms: Decrypt.

B.

Update the Lambda configuration to launch the function in a VPC.

C.

Add a policy to the role that the Lambda function uses, allowing kms: Decrypt for the KMS key.

D.

Add lambda.amazonIAM.com as a trusted entity on the IAM role that the Lambda function uses.

Full Access
Question # 112

You have just received an email from IAM Support stating that your IAM account might have been compromised. Which of the following steps would you look to carry out immediately. Choose 3 answers from the options below.

Please select:

A.

Change the root account password.

B.

Rotate all IAM access keys

C.

Keep all resources running to avoid disruption

D.

Change the password for all IAM users.

Full Access
Question # 113

The Security Engineer implemented a new vault lock policy for 10TB of data and called initiate-vault-lock 12 hours ago. The Audit team identified a typo that is allowing incorrect access to the vault.

What is the MOST cost-effective way to correct this?

A.

Call the abort-vault-lock operation, fix the typo, and call the initiate-vault-lock again.

B.

Copy the vault data to Amazon S3, delete the vault, and create a new vault with the data.

C.

Update the policy, keeping the vault lock in place.

D.

Update the policy and call initiate-vault-lock again to apply the new policy.

Full Access
Question # 114

The Security Engineer for a mobile game has to implement a method to authenticate users so that they can save their progress. Because most of the users are part of the same OpenID-Connect compatible social media website, the Security Engineer would like to use that as the identity provider.

Which solution is the SIMPLEST way to allow the authentication of users using their social media identities?

A.

Amazon Cognito

B.

AssumeRoleWithWebIdentity API

C.

Amazon Cloud Directory

D.

Active Directory (AD) Connector

Full Access
Question # 115

A company has deployed a custom DNS server in IAM. The Security Engineer wants to ensure that Amazon EC2 instances cannot use the Amazon-provided DNS.

How can the Security Engineer block access to the Amazon-provided DNS in the VPC?

A.

Deny access to the Amazon DNS IP within all security groups.

B.

Add a rule to all network access control lists that deny access to the Amazon DNS IP.

C.

Add a route to all route tables that black holes traffic to the Amazon DNS IP.

D.

Disable DNS resolution within the VPC configuration.

Full Access
Question # 116

Which of the following minimizes the potential attack surface for applications?

A.

Use security groups to provide stateful firewalls for Amazon EC2 instances at the hypervisor level.

B.

Use network ACLs to provide stateful firewalls at the VPC level to prevent access to any specific IAM resource.

C.

Use IAM Direct Connect for secure trusted connections between EC2 instances within private subnets.

D.

Design network security in a single layer within the perimeter network (also known as DMZ, demilitarized zone, and screened subnet) to facilitate quicker responses to threats.

Full Access
Question # 117

A security team is creating a response plan in the event an employee executes unauthorized actions on IAM infrastructure. They want to include steps to determine if the employee's IAM permissions changed as part of the incident.

What steps should the team document in the plan?

Please select:

A.

Use IAM Config to examine the employee's IAM permissions prior to the incident and compare them to the employee's current IAM permissions.

B.

Use Made to examine the employee's IAM permissions prior to the incident and compare them to the employee's A current IAM permissions.

C.

Use CloudTrail to examine the employee's IAM permissions prior to the incident and compare them to the employee's current IAM permissions.

D.

Use Trusted Advisor to examine the employee's IAM permissions prior to the incident and compare them to the employee's current IAM permissions.

Full Access
Question # 118

An organization has tens of applications deployed on thousands of Amazon EC2 instances. During testing, the Application team needs information to let them know whether the network access control lists (network ACLs) and security groups are working as expected.

How can the Application team’s requirements be met?

A.

Turn on VPC Flow Logs, send the logs to Amazon S3, and use Amazon Athena to query the logs.

B.

Install an Amazon Inspector agent on each EC2 instance, send the logs to Amazon S3, and use Amazon EMR to query the logs.

C.

Create an IAM Config rule for each network ACL and security group configuration, send the logs to Amazon S3, and use Amazon Athena to query the logs.

D.

Turn on IAM CloudTrail, send the trails to Amazon S3, and use IAM Lambda to query the trails.

Full Access
Question # 119

A corporate cloud security policy states that communications between the company's VPC and KMS must travel entirely within the IAM network and not use public service endpoints.

Which combination of the following actions MOST satisfies this requirement? (Choose two.)

A.

Add the IAM:sourceVpce condition to the IAM KMS key policy referencing the company's VPC endpoint ID.

B.

Remove the VPC internet gateway from the VPC and add a virtual private gateway to the VPC to prevent direct, public internet connectivity.

C.

Create a VPC endpoint for IAM KMS with private DNS enabled.

D.

Use the KMS Import Key feature to securely transfer the IAM KMS key over a VPN.

E.

Add the following condition to the IAM KMS key policy: "IAM:SourceIp": "10.0.0.0/16".

Full Access
Question # 120

An Amazon EC2 instance is part of an EC2 Auto Scaling group that is behind an Application Load Balancer (ALB). It is suspected that the EC2 instance has been compromised.

Which steps should be taken to investigate the suspected compromise? (Choose three.)

A.

Detach the elastic network interface from the EC2 instance.

B.

Initiate an Amazon Elastic Block Store volume snapshot of all volumes on the EC2 instance.

C.

Disable any Amazon Route 53 health checks associated with the EC2 instance.

D.

De-register the EC2 instance from the ALB and detach it from the Auto Scaling group.

E.

Attach a security group that has restrictive ingress and egress rules to the EC2 instance.

F.

Add a rule to an IAM WAF to block access to the EC2 instance.

Full Access
Question # 121

Your IT Security team has advised to carry out a penetration test on the resources in their company's IAM Account. This is as part of their capability to analyze the security of the Infrastructure. What should be done first in this regard?

Please select:

A.

Turn on Cloud trail and carry out the penetration test

B.

Turn on VPC Flow Logs and carry out the penetration test

C.

Submit a request to IAM Support

D.

Use a custom IAM Marketplace solution for conducting the penetration test

Full Access
Question # 122

A Software Engineer wrote a customized reporting service that will run on a fleet of Amazon EC2 instances. The company security policy states that application logs for the reporting service must be centrally collected.

What is the MOST efficient way to meet these requirements?

A.

Write an IAM Lambda function that logs into the EC2 instance to pull the application logs from the EC2 instance and persists them into an Amazon S3 bucket.

B.

Enable IAM CloudTrail logging for the IAM account, create a new Amazon S3 bucket, and then configure Amazon CloudWatch Logs to receive the application logs from CloudTrail.

C.

Create a simple cron job on the EC2 instances that synchronizes the application logs to an Amazon S3 bucket by using rsync.

D.

Install the Amazon CloudWatch Logs Agent on the EC2 instances, and configure it to send the application logs to CloudWatch Logs.

Full Access
Question # 123

A Security Analyst attempted to troubleshoot the monitoring of suspicious security group changes. The Analyst was told that there is an Amazon CloudWatch alarm in place for these IAM CloudTrail log events. The Analyst tested the monitoring setup by making a configuration change to the security group but did not receive any alerts.

Which of the following troubleshooting steps should the Analyst perform?

A.

Ensure that CloudTrail and S3 bucket access logging is enabled for the Analyst's IAM account.

B.

Verify that a metric filter was created and then mapped to an alarm. Check the alarm notification action.

C.

Check the CloudWatch dashboards to ensure that there is a metric configured with an appropriate dimension for security group changes.

D.

Verify that the Analyst's account is mapped to an IAM policy that includes permissions for cloudwatch: GetMetricStatistics and Cloudwatch: ListMetrics.

Full Access
Question # 124

In response to the past DDoS attack experiences, a Security Engineer has set up an Amazon CloudFront distribution for an Amazon S3 bucket. There is concern that some users may bypass the CloudFront distribution and access the S3 bucket directly.

What must be done to prevent users from accessing the S3 objects directly by using URLs?

A.

Change the S3 bucket/object permission so that only the bucket owner has access.

B.

Set up a CloudFront origin access identity (OAI), and change the S3 bucket/object permission so that only the OAI has access.

C.

Create IAM roles for CloudFront, and change the S3 bucket/object permission so that only the IAM role has access.

D.

Redirect S3 bucket access to the corresponding CloudFront distribution.

Full Access
Question # 125

Compliance requirements state that all communications between company on-premises hosts and EC2 instances be encrypted in transit. Hosts use custom proprietary protocols for their communication, and EC2 instances need to be fronted by a load balancer for increased availability.

Which of the following solutions will meet these requirements?

A.

Offload SSL termination onto an SSL listener on a Classic Load Balancer, and use a TCP connection between the load balancer and the EC2 instances.

B.

Route all traffic through a TCP listener on a Classic Load Balancer, and terminate the TLS connection on the EC2 instances.

C.

Create an HTTPS listener using an Application Load Balancer, and route all of the communication through that load balancer.

D.

Offload SSL termination onto an SSL listener using an Application Load Balancer, and re-spawn and SSL connection between the load balancer and the EC2 instances.

Full Access
Question # 126

You have an S3 bucket hosted in IAM. This is used to host promotional videos uploaded by yourself. You need to provide access to users for a limited duration of time. How can this be achieved?

Please select:

A.

Use versioning and enable a timestamp for each version

B.

Use Pre-signed URL's

C.

Use IAM Roles with a timestamp to limit the access

D.

Use IAM policies with a timestamp to limit the access

Full Access
Question # 127

A company wants to have a secure way of generating, storing and managing cryptographic exclusive access for the keys. Which of the following can be used for this purpose?

Please select:

A.

Use KMS and the normal KMS encryption keys

B.

Use KMS and use an external key material

C.

Use S3 Server Side encryption

D.

Use Cloud HSM

Full Access
Question # 128

A Security Engineer is working with a Product team building a web application on IAM. The application uses Amazon S3 to host the static content, Amazon API Gateway to provide RESTful services; and Amazon DynamoDB as the backend data store. The users already exist in a directory that is exposed through a SAML identity provider.

Which combination of the following actions should the Engineer take to enable users to be authenticated into the web application and call APIs? (Choose three.)

A.

Create a custom authorization service using IAM Lambda.

B.

Configure a SAML identity provider in Amazon Cognito to map attributes to the Amazon Cognito user pool attributes.

C.

Configure the SAML identity provider to add the Amazon Cognito user pool as a relying party.

D.

Configure an Amazon Cognito identity pool to integrate with social login providers.

E.

Update DynamoDB to store the user email addresses and passwords.

F.

Update API Gateway to use a COGNITO_USER_POOLS authorizer.

Full Access
Question # 129

A Systems Administrator has written the following Amazon S3 bucket policy designed to allow access to an S3 bucket for only an authorized IAM IAM user from the IP address range 10.10.10.0/24:

When trying to download an object from the S3 bucket from 10.10.10.40, the IAM user receives an access denied message.

What does the Administrator need to change to grant access to the user?

A.

Change the “Resource” from “arn: IAM:s3:::Bucket” to “arn:IAM:s3:::Bucket/*”.

B.

Change the “Principal” from “*” to {IAM:”arn:IAM:iam: : account-number: user/username”}

C.

Change the “Version” from “2012-10-17” to the last revised date of the policy

D.

Change the “Action” from [“s3:*”] to [“s3:GetObject”, “s3:ListBucket”]

Full Access
Question # 130

Which of the following are valid event sources that are associated with web access control lists that trigger IAM WAF rules? (Choose two.)

A.

Amazon S3 static web hosting

B.

Amazon CloudFront distribution

C.

Application Load Balancer

D.

Amazon Route 53

E.

VPC Flow Logs

Full Access
Question # 131

The InfoSec team has mandated that in the future only approved Amazon Machine Images (AMIs) can be used.

How can the InfoSec team ensure compliance with this mandate?

A.

Terminate all Amazon EC2 instances and relaunch them with approved AMIs.

B.

Patch all running instances by using IAM Systems Manager.

C.

Deploy IAM Config rules and check all running instances for compliance.

D.

Define a metric filter in Amazon CloudWatch Logs to verify compliance.

Full Access
Question # 132

An organization is moving non-business-critical applications to IAM while maintaining a mission-critical application in an on-premises data center. An on-premises application must share limited confidential information with the applications in IAM. The internet performance is unpredictable.

Which configuration will ensure continued connectivity between sites MOST securely?

A.

VPN and a cached storage gateway

B.

IAM Snowball Edge

C.

VPN Gateway over IAM Direct Connect

D.

IAM Direct Connect

Full Access
Question # 133

Two Amazon EC2 instances in different subnets should be able to connect to each other but cannot. It has been confirmed that other hosts in the same subnets are able to communicate successfully, and that security groups have valid ALLOW rules in place to permit this traffic.

Which of the following troubleshooting steps should be performed?

A.

Check inbound and outbound security groups, looking for DENY rules.

B.

Check inbound and outbound Network ACL rules, looking for DENY rules.

C.

Review the rejected packet reason codes in the VPC Flow Logs.

D.

Use IAM X-Ray to trace the end-to-end application flow

Full Access
Question # 134

A Developer signed in to a new account within an IAM Organizations organizations unit (OU) containing multiple accounts. Access to the Amazon S3 service is restricted with the following SCP:

How can the Security Engineer provide the Developer with Amazon S3 access without affecting other accounts?

A.

Move the SCP to the root OU of Organizations to remove the restriction to access Amazon S3.

B.

Add an IAM policy for the Developer, which grants S3 access.

C.

Create a new OU without applying the SCP restricting S3 access. Move the Developer account to this new OU.

D.

Add an allow list for the Developer account for the S3 service.

Full Access
Question # 135

A company has hundreds of IAM accounts, and a centralized Amazon S3 bucket used to collect IAM CloudTrail for all of these accounts. A security engineer wants to create a solution that will enable the company to run ad hoc queues against its CloudTrail logs dating back 3 years from when the trails were first enabled in the company’s IAM account.

How should the company accomplish this with the least amount of administrative overhead?

A.

Run an Amazon EMP cluster that uses a MapReduce job to be examine the CloudTrail trails.

B.

Use the events history/feature of the CloudTrail console to query the CloudTrail trails.

C.

Write an IAM Lambda function to query the CloudTrail trails Configure the Lambda function to be executed whenever a new file is created in the CloudTrail S3 bucket.

D.

Create an Amazon Athena table that tools at the S3 bucket the CloudTrail trails are being written to Use Athena to run queries against the trails.

Full Access
Question # 136

A Developer is building a serverless application that uses Amazon API Gateway as the front end. The application will not be publicly accessible. Other legacy applications running on Amazon EC2 will make calls to the application A Security Engineer Has been asked to review the security controls for authentication and authorization of the application

Which combination of actions would provide the MOST secure solution? (Select TWO )

A.

Configure an IAM policy that allows the least permissive actions to communicate with the API Gateway Attach the policy to the role used by the legacy EC2 instances

B.

Enable IAM WAF for API Gateway Configure rules to explicitly allow connections from the legacy EC2 instances

C.

Create a VPC endpoint for API Gateway Attach an IAM resource policy that allows the role of the legacy EC2 instances to call specific APIs

D.

Create a usage plan Generate a set of API keys for each application that needs to call the API.

E.

Configure cross-origin resource sharing (CORS) in each API Share the CORS information with the applications that call the API.

Full Access
Question # 137

A company is developing a new mobile app for social media sharing. The company's development team has decided to use Amazon S3 to store at media files generated by mobile app users The company wants to allow users to control whether their own tiles are public, private, of shared with other users in their social network

what should the development team do to implement the type of access control with the LEAST administrative effort?

A.

Use individual ACLs on each S3 object.

B.

Use IAM groups tor sharing files between application social network users

C.

Store each user's files in a separate S3 bucket and apery a bucket policy based on the user's sharing settings

D.

Generate presigned UPLs for each file access

Full Access
Question # 138

A Security Engineer has several thousand Amazon EC2 instances split across production and development environments. Each instance is tagged with its environment. The Engineer needs to analyze and patch all the development EC2 instances to ensure they are not currently exposed to any common vulnerabilities or exposures (CVEs)

Which combination of steps is the MOST efficient way for the Engineer to meet these requirements? (Select TWO.)

A.

Log on to each EC2 instance, check and export the different software versions installed, and verify this against a list of current CVEs.

B.

Install the Amazon Inspector agent on all development instances Build a custom rule package, and configure Inspector to perform a scan using this custom rule on all instances tagged as being in the development environment.

C.

Install the Amazon Inspector agent on all development instances Configure Inspector to perform a scan using the CVE rule package on all instances tagged as being in the development environment.

D.

Install the Amazon EC2 System Manager agent on all development instances Issue the Run command to EC2 System Manager to update all instances

E.

Use IAM Trusted Advisor to check that all EC2 instances have been patched to the most recent version of operating system and installed software.

Full Access
Question # 139

A company's on-premises data center forwards DNS logs to a third-party security incident events management (SIEM) solution that alerts on suspicious behavior. The company wants to introduce a similar capability to its IAM accounts that includes automatic remediation. The company expects to double in size within the next few months.

Which solution meets the company's current and future logging requirements?

A.

Enable Amazon GuardDuty and IAM Security Hub in all Regions and all accounts. Designate a master security account to receive all alerts from the child accounts. Set up specific rules within Amazon Even;Bridge to trigger an IAM Lambda function for remediation steps.

B.

Ingest all IAM CloudTrail logs, VPC Flow Logs, and DNS logs into a single Amazon S3 bucket in a designated security account. Use the current on-premises SIEM to monitor the logs and send a notification to an Amazon SNS topic to alert the security team of remediation steps.

C.

Ingest all IAM CloudTrail logs, VPC Flow Logs, and DNS logs into a single Amazon S3 bucket in a designated security account. Launch an Amazon EC2 instance and install the current SIEM to monitor the logs and send a notification to an Amazon SNS topic to alert the security team of remediation steps.

D.

Enable Amazon GuardDuty and IAM Security Hub in all Regions and all accounts. Designate a master security account to receive all alerts from the child accounts. Create an IAM Organizations SCP that denies access to certain API calls that are on an ignore list.

Full Access
Question # 140

A Security Engineer has launched multiple Amazon EC2 instances from a private AMI using an IAM CloudFormation template. The Engineer notices instances terminating right after they are launched.

What could be causing these terminations?

A.

The IAM user launching those instances is missing ec2:Runinstances permission.

B.

The AMI used as encrypted and the IAM does not have the required IAM KMS permissions.

C.

The instance profile used with the EC2 instances in unable to query instance metadata.

D.

IAM currently does not have sufficient capacity in the Region.

Full Access
Question # 141

Unapproved changes were previously made to a company's Amazon S3 bucket. A security engineer configured IAM Config to record configuration changes made to the company's S3 buckets. The engineer discovers there are S3 configuration changes being made, but no Amazon SNS notifications are being sent. The engineer has already checked the configuration of the SNS topic and has confirmed the configuration is valid.

Which combination of steps should the security engineer take to resolve the issue? (Select TWO.)

A.

Configure the S3 bucket ACLs to allow IAM Config to record changes to the buckets.

B.

Configure policies attached to S3 buckets to allow IAM Config to record changes to the buckets.

C.

Attach the AmazonS3ReadOnryAccess managed policy to the IAM user.

D.

Verify the security engineer's IAM user has an attached policy that allows all IAM Config actions.

E.

Assign the IAMConfigRole managed policy to the IAM Config role

Full Access
Question # 142

An employee accidentally exposed an IAM access key and secret access key during a public presentation. The company Security Engineer immediately disabled the key.

How can the Engineer assess the impact of the key exposure and ensure that the credentials were not misused? (Choose two.)

A.

Analyze IAM CloudTrail for activity.

B.

Analyze Amazon CloudWatch Logs for activity.

C.

Download and analyze the IAM Use report from IAM Trusted Advisor.

D.

Analyze the resource inventory in IAM Config for IAM user activity.

E.

Download and analyze a credential report from IAM.

Full Access
Question # 143

A company’s security engineer is configuring Amazon S3 permissions to ban all current and future public buckets However, the company hosts several websites directly off S3 buckets with public access enabled

The engineer needs to bock me pubic S3 buckets without causing any outages on me easting websites The engineer has set up an Amazon CloudFrom distribution (or each website

Which set or steps should the security engineer implement next?

A.

Configure an S3 bucket as the origin an origin access identity (OAI) for the CloudFront distribution Switch the DNS records from websites to point to the CloudFront distribution Enable Nock public access settings at the account level

B.

Configure an S3 bucket as the origin with an origin access identity (OAI) for the CloudFront distribution Switch the ONS records tor the websites to point to the CloudFront disinfection Then, tor each S3 bucket enable block public access settings

C.

Configure an S3 bucket as the origin with an origin access identity (OAI) for the CloudFront distribution Enable block public access settings at the account level

D.

Configure an S3 bucket as the origin for me CloudFront distribution Configure the S3 bucket policy to accept connections from the CloudFront points of presence only Switch the DNS records for the websites to point to the CloudFront distribution Enable block public access settings at me account level

Full Access
Question # 144

A company is configuring three Amazon EC2 instances with each instance in a separate Availability Zone. The EC2 instances wilt be used as transparent proxies for outbound internet traffic for ports 80 and 443 so the proxies can block traffic to certain internet destinations as required by the company's security policies. A Security Engineer completed the following:

• Set up the proxy software on the EC2 instances.

• Modified the route tables on the private subnets to use the proxy EC2 instances as the default route.

• Created a security group rule opening inbound port 80 and 443 TCP protocols on the proxy EC2 instance security group.

However, the proxy EC2 instances are not successfully forwarding traffic to the internet.

What should the Security Engineer do to make the proxy EC2 instances route traffic to the internet?

A.

Put all the proxy EC2 instances in a cluster placement group.

B.

Disable source and destination checks on the proxy EC2 instances.

C.

Open all inbound ports on the proxy EC2 instance security group.

D.

Change the VPC's DHCP domain-name-server’s options set to the IP addresses of proxy EC2 instances.

Full Access
Question # 145

A company is running an application on Amazon EC2 instances in an Auto Scaling group. The application stores logs locally A security engineer noticed that logs were lost after a scale-in event. The security engineer needs to recommend a solution to ensure the durability and availability of log data All logs must be kept for a minimum of 1 year for auditing purposes

What should the security engineer recommend?

A.

Within the Auto Scaling lifecycle, add a hook to create and attach an Amazon Elastic Block Store (Amazon EBS) log volume each time an EC2 instance is created. When the instance is terminated, the EBS volume can be reattached to another instance for log review.

B.

Create an Amazon Elastic File System (Amazon EFS) file system and add a command in the user data section of the Auto Scaling launch template to mount the EFS file system during EC2 instance creation Configure a process on the instance to copy the logs once a day from an instance Amazon Elastic Block Store (Amazon EBS) volume to a directory in the EFS file system.

C.

Build the Amazon CloudWatch agent into the AMI used in the Auto Scaling group. Configure the CloudWatch agent to send the logs to Amazon CloudWatch Logs for review.

D.

Within the Auto Scaling lifecycle, add a lifecycle hook at the terminating state transition and alert the engineering team by using a lifecycle notification to Amazon Simple Notification Service (Amazon SNS). Configure the hook to remain in the Terminating:Wait state for 1 hour to allow manual review of the security logs prior to instance termination.

Full Access
Question # 146

To meet regulatory requirements, a Security Engineer needs to implement an IAM policy that restricts the use of IAM services to the us-east-1 Region.

What policy should the Engineer implement?

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Full Access
Question # 147

A developer is creating an IAM Lambda function that requires environment variables to store connection information and logging settings. The developer is required to use an IAM KMS Customer Master Key (CMK> supplied by the information security department in order to adhere to company standards for securing Lambda environment variables.

Which of the following are required for this configuration to work? (Select TWO.)

A.

The developer must configure Lambda access to the VPC using the --vpc-config parameter.

B.

The Lambda function execution role must have the kms:Decrypt- permission added in the IAM IAM policy.

C.

The KMS key policy must allow permissions for the developer to use the KMS key.

D.

The IAM IAM policy assigned to the developer must have the kmseGcnerate-DataKcy permission added.

E.

The Lambda execution role must have the kms:Encrypt permission added in the IAM IAM policy.

Full Access
Question # 148

A company has a VPC with several Amazon EC2 instances behind a NAT gateway. The company's security policy states that all network traffic must be logged and must include the original source and destination IP addresses. The existing VPC Flow Logs do not include this information. A security engineer needs to recommend a solution.

Which combination of steps should the security engineer recommend? (Select TWO )

A.

Edit the existing VPC Flow Logs. Change the log format of the VPC Flow Logs from the Amazon default format to a custom format.

B.

Delete and recreate the existing VPC Flow Logs. Change the log format of the VPC Flow Logs from the Amazon default format to a custom format.

C.

Change the destination to Amazon CloudWatch Logs.

D.

Include the pkt-srcaddr and pkt-dstaddr fields in the log format.

E.

Include the subnet-id and instance-id fields in the log format.

Full Access
Question # 149

A company hosts a web-based application that captures and stores sensitive data in an Amazon DynamoDB table. A security audit reveals that the application does not provide end-to-end data protection or the ability to detect unauthorized data changes The software engineering team needs to make changes that will address the audit findings.

Which set of steps should the software engineering team take?

A.

Use an IAM Key Management Service (IAM KMS) CMK. Encrypt the data at rest.

B.

Use IAM Certificate Manager (ACM) Private Certificate Authority Encrypt the data in transit.

C.

Use a DynamoDB encryption client. Use client-side encryption and sign the table items

D.

Use the IAM Encryption SDK. Use client-side encryption and sign the table items.

Full Access
Question # 150

A company is using IAM Organizations to manage multiple IAM member accounts. All of these accounts have Amazon GuardDuty enabled in all Regions. The company's IAM Security Operations Center has a centralized security account for logging and monitoring. One of the member accounts has received an excessively high bill A security engineer discovers that a compromised Amazon EC2 instance is being used to mine crypto currency. The Security Operations Center did not receive a GuardDuty finding in the central security account.

but there was a GuardDuty finding in the account containing the compromised EC2 instance. The security engineer needs to ensure an GuardDuty finding are available in the security account.

What should the security engineer do to resolve this issue?

A.

Set up an Amazon CloudWatch Event rule to forward ail GuardDuty findings to the security account Use an IAM Lambda function as a target to raise findings

B.

Set up an Amazon CloudWatch Events rule to forward all GuardDuty findings to the security account Use an IAM Lambda function as a target to raise findings in IAM Security Hub

C.

Check that GuardDuty in the security account is able to assume a role in the compromised account using the GuardDuty fast findings permission Schedule an Amazon CloudWatch Events rule and an IAM Lambda function to periodically check for GuardDuty findings

D.

Use the IAM GuardDuty get-members IAM CLI command m the security account to see if the account is listed Send an invitation from GuardDuty m the security account to GuardDuty in the compromised account Accept the invitation to forward all future GuardDuty findings

Full Access
Question # 151

A Security Engineer is setting up an IAM CloudTrail trail for all regions in an IAM account. For added security, the logs are stored using server-side encryption with IAM KMS-managed keys (SSE-KMS) and have log integrity validation enabled.

While testing the solution, the Security Engineer discovers that the digest files are readable, but the log files are not. What is the MOST likely cause?

A.

The log files fail integrity validation and automatically are marked as unavailable.

B.

The KMS key policy does not grant the Security Engineer's IAM user or role permissions to decrypt with it.

C.

The bucket is set up to use server-side encryption with Amazon S3-managed keys (SSE-S3) as the default and does not allow SSE-KMS-encrypted files.

D.

An IAM policy applicable to the Security Engineer’s IAM user or role denies access to the "CloudTrail/" prefix in the Amazon S3 bucket

Full Access
Question # 152

A Security Engineer accidentally deleted the imported key material in an IAM KMS CMK. What should the Security Engineer do to restore the deleted key material?

A.

Create a new CMK. Download a new wrapping key and a new import token to import the original key material

B.

Create a new CMK Use the original wrapping key and import token to import the original key material.

C.

Download a new wrapping key and a new import token Import the original key material into the existing CMK.

D.

Use the original wrapping key and import token Import the original key material into the existing CMK

Full Access
Question # 153

A Security Engineer discovered a vulnerability in an application running on Amazon ECS. The vulnerability allowed attackers to install malicious code. Analysis of the code shows it exfiltrates data on port 5353 in batches at random time intervals.

While the code of the containers is being patched, how can Engineers quickly identify all compromised hosts and stop the egress of data on port 5353?

A.

Enable IAM Shield Advanced and IAM WAF. Configure an IAM WAF custom filter for egress traffic on port 5353

B.

Enable Amazon Inspector on Amazon ECS and configure a custom assessment to evaluate containers that have port 5353 open. Update the NACLs to block port 5353 outbound.

C.

Create an Amazon CloudWatch custom metric on the VPC Flow Logs identifying egress traffic on port 5353. Update the NACLs to block port 5353 outbound.

D.

Use Amazon Athena to query IAM CloudTrail logs in Amazon S3 and look for any traffic on port 5353. Update the security groups to block port 5353 outbound.

Full Access
Question # 154

A company has recently recovered from a security incident that required the restoration of Amazon EC2 instances from snapshots.

After performing a gap analysis of its disaster recovery procedures and backup strategies, the company is concerned that, next time, it will not be able to recover the EC2 instances if the IAM account was compromised and Amazon EBS snapshots were deleted.

All EBS snapshots are encrypted using an IAM KMS CMK.

Which solution would solve this problem?

A.

Create a new Amazon S3 bucket Use EBS lifecycle policies to move EBS snapshots to the new S3 bucket. Move snapshots to Amazon S3 Glacier using lifecycle policies, and apply Glacier Vault Lock policies to prevent deletion

B.

Use IAM Systems Manager to distribute a configuration that performs local backups of all attached disks to Amazon S3.

C.

Create a new IAM account with limited privileges. Allow the new account to access the IAM KMS key used to encrypt the EBS snapshots, and copy the encrypted snapshots to the new account on a recuning basis

D.

Use IAM Backup to copy EBS snapshots to Amazon S3.

Full Access
Question # 155

A company has several production IAM accounts and a central security IAM account. The security account is used for centralized monitoring and has IAM privileges to all resources in every corporate account. All of the company's Amazon S3 buckets are tagged with a value denoting the data classification of their contents.

A Security Engineer is deploying a monitoring solution in the security account that will enforce bucket policy compliance. The system must monitor S3 buckets in all production accounts and confirm that any policy change is in accordance with the bucket's data classification. If any change is out of compliance; the Security team must be notified quickly.

Which combination of actions would build the required solution? (Choose three.)

A.

Configure Amazon CloudWatch Events in the production accounts to send all S3 events to the security account event bus.

B.

Enable Amazon GuardDuty in the security account. and join the production accounts as members.

C.

Configure an Amazon CloudWatch Events rule in the security account to detect S3 bucket creation or modification events.

D.

Enable IAM Trusted Advisor and activate email notifications for an email address assigned to the security contact.

E.

Invoke an IAM Lambda function in the security account to analyze S3 bucket settings in response to S3 events, and send non-compliance notifications to the Security team.

F.

Configure event notifications on S3 buckets for PUT; POST, and DELETE events.

Full Access
Question # 156

A company's application runs on Amazon EC2 and stores data in an Amazon S3 bucket The company wants additional security controls in place to limit the likelihood of accidental exposure of data to external parties

Which combination of actions will meet this requirement? (Select THREE.)

A.

Encrypt the data in Amazon S3 using server-side encryption with Amazon S3 managed encryption keys (SSE-S3)

B.

Encrypt the data in Amazon S3 using server-side encryption with IAM KMS managed encryption keys (SSE-KMS)

C.

Create a new Amazon S3 VPC endpoint and modify the VPC's routing tables to use the new endpoint

D.

Use the Amazon S3 Block Public Access feature.

E.

Configure the bucket policy to allow access from the application instances only

F.

Use a NACL to filter traffic to Amazon S3

Full Access
Question # 157

A company's Director of information Security wants a daily email report from IAM that contains recommendations for each company account to meet IAM Security best practices.

Which solution would meet these requirements?

A.

in every IAM account, configure IAM Lambda to query me IAM Support API tor IAM Trusted Advisor security checks Send the results from Lambda to an Amazon SNS topic to send reports.

B.

Configure Amazon GuardDuty in a master account and invite all other accounts to be managed by the master account Use GuardDuty's integration with Amazon SNS to report on findings

C.

Use Amazon Athena and Amazon QuickSight to build reports off of IAM CloudTrail Create a daily Amazon CloudWatch trigger to run the report dally and email It using Amazon SNS

D.

Use IAM Artifact's prebuilt reports and subscriptions Subscribe the Director of Information Security to the reports by adding the Director as the security alternate contact tor each account

Full Access
Question # 158

A company wants to encrypt the private network between its orvpremises environment and IAM. The company also wants a consistent network experience for its employees.

What should the company do to meet these requirements?

A.

Establish an IAM Direct Connect connection with IAM and set up a Direct Connect gateway. In the Direct Connect gateway configuration, enable IPsec and BGP, and then leverage native IAM network encryption between Availability Zones and Regions,

B.

Establish an IAM Direct Connect connection with IAM and set up a Direct Connect gateway. Using the Direct Connect gateway, create a private virtual interface and advertise the customer gateway private IP addresses. Create a VPN connection using the customer gateway and the virtual private gateway

C.

Establish a VPN connection with the IAM virtual private cloud over the internet

D.

Establish an IAM Direct Connect connection with IAM and establish a public virtual interface. For prefixes that need to be advertised, enter the customer gateway public IP addresses. Create a VPN connection over Direct Connect using the customer gateway and the virtual private gateway.

Full Access
Question # 159

A company is using IAM Organizations to manage multiple IAM accounts. The company has an application that allows users to assume the AppUser IAM role to download files from an Amazon S3 bucket that is encrypted with an IAM KMS CMK However when users try to access the files in the S3 bucket they get an access denied error.

What should a Security Engineer do to troubleshoot this error? (Select THREE )

A.

Ensure the KMS policy allows the AppUser role to have permission to decrypt for the CMK

B.

Ensure the S3 bucket policy allows the AppUser role to have permission to get objects for the S3 bucket

C.

Ensure the CMK was created before the S3 bucket.

D.

Ensure the S3 block public access feature is enabled for the S3 bucket.

E.

Ensure that automatic key rotation is disabled for the CMK

F.

Ensure the SCPs within Organizations allow access to the S3 bucket.

Full Access
Question # 160

A company uses HTTP Live Streaming (HLS) to stream live video content to paying subscribers by using Amazon CloudFront. HLS splits the video content into chunks so that the user can request the right chunk based on different conditions Because the video events last for several hours, the total video is made up of thousands of chunks

The origin URL is not disclosed and every user is forced to access the CloudFront URL The company has a web application that authenticates the paying users against an internal repository and a CloudFront key pair that is already issued.

What is the simplest and MOST effective way to protect the content?

A.

Develop the application to use the CloudFront key pair to create signed URLs that users will use to access the content.

B.

Develop the application to use the CloudFront key pair to set the signed cookies that users will use to access the content.

C.

Develop the application to issue a security token that Lambda@Edge will receive to authenticate and authorize access to the content

D.

Keep the CloudFront URL encrypted inside the application, and use IAM KMS to resolve the URL on-the-fly after the user is authenticated.

Full Access
Question # 161

A Security Administrator at a university is configuring a fleet of Amazon EC2 instances. The EC2 instances are shared among students, and non-root SSH access is allowed. The Administrator is concerned about students attacking other IAM account resources by using the EC2 instance metadata service.

What can the Administrator do to protect against this potential attack?

A.

Disable the EC2 instance metadata service.

B.

Log all student SSH interactive session activity.

C.

Implement ip tables-based restrictions on the instances.

D.

Install the Amazon Inspector agent on the instances.

Full Access
Question # 162

A company wants to encrypt data locally while meeting regulatory requirements related to key exhaustion. The encryption key can be no more than 10 days old or encrypt more than 2" 16 objects Any encryption key must be generated on a FlPS-validated hardware security module (HSM). The company is cost-conscious, as plans to upload an average of 100 objects to Amazon S3 each second for sustained operations across 5 data producers

When approach MOST efficiently meets the company's needs?

A.

Use the IAM Encryption SDK and set the maximum age to 10 days and the minimum number of messages encrypted to 3" 16. Use IAM Key Management Service (IAM KMS) to generate the master key and data key Use data key caching with the Encryption SDk during the encryption process.

B.

Use IAM Key Management Service (IAM KMS) to generate an IAM managed CMK. Then use Amazon S3 client-side encryption configured to automatically rotate with every object

C.

Use IAM CloudHSM to generate the master key and data keys. Then use Boto 3 and Python to locally encrypt data before uploading the object Rotate the data key every 10 days or after 2" 16 objects have been Uploaded to Amazon 33

D.

Use server-side encryption with Amazon S3 managed encryption keys (SSE-S3) and set the master key to automatically rotate.

Full Access
Question # 163

A company uses multiple IAM accounts managed with IAM Organizations Security engineers have created a standard set of security groups for all these accounts. The security policy requires that these security groups be used for all applications and delegates modification authority to the security team only.

A recent security audit found that the security groups are inconsistency implemented across accounts and that unauthorized changes have been made to the security groups. A security engineer needs to recommend a solution to improve consistency and to prevent unauthorized changes in the individual accounts in the future.

Which solution should the security engineer recommend?

A.

Use IAM Resource Access Manager to create shared resources for each requited security group and apply an IAM policy that permits read-only access to the security groups only.

B.

Create an IAM CloudFormation template that creates the required security groups Execute the template as part of configuring new accounts Enable Amazon Simple Notification Service (Amazon SNS) notifications when changes occur

C.

Use IAM Firewall Manager to create a security group policy, enable the policy feature to identify and revert local changes, and enable automatic remediation

D.

Use IAM Control Tower to edit the account factory template to enable the snare security groups option Apply an SCP to the OU or individual accounts that prohibits security group modifications from local account users

Full Access
Question # 164

A company Is trying to replace its on-premises bastion hosts used to access on-premises Linux servers with IAM Systems Manager Session Manager. A security engineer has installed the Systems Manager Agent on all servers. The security engineer verifies that the agent is running on all the servers, but Session Manager cannot connect to them. The security engineer needs to perform verification steps before Session Manager will work on the servers.

Which combination of steps should the security engineer perform? (Select THREE.)

A.

Open inbound port 22 to 0 0.0.0/0 on all Linux servers.

B.

Enable the advanced-instances tier in Systems Manager.

C.

Create a managed-instance activation for the on-premises servers.

D.

Reconfigure the Systems Manager Agent with the activation code and ID.

E.

Assign an IAM role to all of the on-premises servers.

F.

Initiate an inventory collection with Systems Manager on the on-premises servers

Full Access
Question # 165

A Security Engineer has been asked to troubleshoot inbound connectivity to a web server. This single web server is not receiving inbound connections from the internet, whereas all other web servers are functioning properly.

The architecture includes network ACLs, security groups, and a virtual security appliance. In addition, the Development team has implemented Application Load Balancers (ALBs) to distribute the load across all web servers. It is a requirement that traffic between the web servers and the internet flow through the virtual security appliance.

The Security Engineer has verified the following:

1. The rule set in the Security Groups is correct

2. The rule set in the network ACLs is correct

3. The rule set in the virtual appliance is correct

Which of the following are other valid items to troubleshoot in this scenario? (Choose two.)

A.

Verify that the 0.0.0.0/0 route in the route table for the web server subnet points to a NAT gateway.

B.

Verify which Security Group is applied to the particular web server’s elastic network interface (ENI).

C.

Verify that the 0.0.0.0/0 route in the route table for the web server subnet points to the virtual security appliance.

D.

Verify the registered targets in the ALB.

E.

Verify that the 0.0.0.0/0 route in the public subnet points to a NAT gateway.

Full Access
Question # 166

A Security Engineer noticed an anomaly within a company EC2 instance as shown in the image. The Engineer must now investigate what e causing the anomaly. What are the MOST effective steps to take lo ensure that the instance is not further manipulated while allowing the Engineer to understand what happened?

A.

Remove the instance from the Auto Scaling group Place the instance within an isolation security group, detach the EBS volume launch an EC2 instance with a forensic toolkit and attach the E8S volume to investigate

B.

Remove the instance from the Auto Scaling group and the Elastic Load Balancer Place the instance within an isolation security group, launch an EC2 instance with a forensic toolkit, and allow the forensic toolkit image to connect to the suspicious Instance to perform the Investigation.

C.

Remove the instance from the Auto Scaling group Place the Instance within an isolation security group, launch an EC2 Instance with a forensic toolkit and use the forensic toolkit imago to deploy an ENI as a network span port to inspect all traffic coming from the suspicious instance.

D.

Remove the instance from the Auto Scaling group and the Elastic Load Balancer Place the instance within an isolation security group, make a copy of the EBS volume from a new snapshot, launch an EC2 Instance with a forensic toolkit and attach the copy of the EBS volume to investigate.

Full Access
Question # 167

A company has an IAM account and allows a third-party contractor who uses another IAM account, to assume certain IAM roles. The company wants to ensure that IAM roles can be assumed by the contractor only if the contractor has multi-factor authentication enabled on their IAM user accounts

What should the company do to accomplish this?

A)

B)

C)

D)

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Full Access
Question # 168

A Security Engineer creates an Amazon S3 bucket policy that denies access to all users. A few days later, the Security Engineer adds an additional statement to the bucket policy to allow read-only access to one other employee Even after updating the policy the employee still receives an access denied message.

What is the likely cause of this access denial?

A.

The ACL in the bucket needs to be updated.

B.

The IAM policy does not allow the user to access the bucket

C.

It takes a few minutes for a bucket policy to take effect

D.

The allow permission is being overridden by the deny.

Full Access
Question # 169

A company requires that SSH commands used to access its IAM instance be traceable to the user who executed each command.

How should a Security Engineer accomplish this?

A.

Allow inbound access on port 22 at the security group attached to the instance Use IAM Systems Manager Session Manager for shell access to Amazon EC2 instances with the user tag defined Enable Amazon CloudWatch togging tor Systems Manager sessions

B.

Use Amazon S3 to securely store one Privacy Enhanced Mail Certificate (PEM file) for each user Allow Amazon EC2 to read from Amazon S3 and import every user that wants to use SSH to access EC2 instances Allow inbound access on port 22 at the security group attached to the instance Install the Amazon CloudWatch agent on the EC2 instance and configure it to ingest audit logs for the instance

C.

Deny inbound access on port 22 at the security group attached to the instance Use IAM Systems Manager Session Manager tor shell access to Amazon EC2 instances with the user tag defined Enable Amazon CloudWatch togging for Systems Manager sessions

D.

Use Amazon S3 to securely store one Privacy Enhanced Mall Certificate (PEM fie) for each team or group Allow Amazon EC2 to read from Amazon S3 and import every user that wants to use SSH to access EC2 instances Allow inbound access on pod 22 at the security group attached to the instance Install the Amazon CloudWatch agent on the EC2 instance and configure it to ingest audit logs for the instance

Full Access
Question # 170

A security engineer is responsible for providing secure access to IAM resources for thousands of developer in a company’s corporate identity provider (idp). The developers access a set of IAM services from the corporate premises using IAM credential. Due to the velum of require for provisioning new IAM users, it is taking a long time to grant access permissions. The security engineer receives reports that developer are sharing their IAM credentials with others to avoid provisioning delays. The causes concern about overall security for the security engineer.

Which actions will meet the program requirements that address security?

A.

Create an Amazon CloudWatch alarm for IAM CloudTrail Events Create a metric filter to send a notification when me same set of IAM credentials is used by multiple developer

B.

Create a federation between IAM and the existing corporate IdP Leverage IAM roles to provide federated access to IAM resources

C.

Create a VPN tunnel between the corporate premises and the VPC Allow permissions to all IAM services only if it originates from corporate premises.

D.

Create multiple IAM rotes for each IAM user Ensure that users who use the same IAM credentials cannot assume the same IAM role at the same time.

Full Access
Question # 171

A company has a website with an Amazon CloudFront HTTPS distribution, an Application Load Balancer (ALB) with multiple web instances for dynamic website content, and an Amazon S3 bucket for static website content. The company's security engineer recently updated the website security requirements:

• HTTPS needs to be enforced for all data in transit with specific ciphers.

• The CloudFront distribution needs to be accessible from the internet only.

Which solution will meet these requirements?

A.

Set up an S3 bucket policy with the IAMsecuretransport key Configure the CloudFront origin access identity (OAI) with the S3 bucket Configure CloudFront to use specific ciphers. Enforce the ALB with an HTTPS listener only and select the appropriate security policy for the ciphers Link the ALB with IAM WAF to allow access from the CloudFront IP ranges.

B.

Set up an S3 bucket policy with the IAM:securetransport key. Configure the CloudFront origin access identity (OAI) with the S3 bucket. Enforce the ALB with an HTTPS listener only and select the appropriate security policy for the ciphers.

C.

Modify the CloudFront distribution to use IAM WAF. Force HTTPS on the S3 bucket with specific ciphers in the bucket policy. Configure an HTTPS listener only for the ALB. Set up a security group to limit access to the ALB from the CloudFront IP ranges

D.

Modify the CloudFront distribution to use the ALB as the origin. Enforce an HTTPS listener on the ALB. Create a path-based routing rule on the ALB with proxies that connect lo Amazon S3. Create a bucket policy to allow access from these proxies only.

Full Access
Question # 172

An company is using IAM Secrets Manager to store secrets that are encrypted using a CMK and are stored in the security account 111122223333. One of the company's production accounts. 444455556666, must to retrieve the secret values from the security account 111122223333. A security engineer needs to apply a policy to the secret in the security account based on least privilege access so the production account can retrieve the secret value only.

Which policy should the security engineer apply?

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Full Access
Question # 173

A company recently performed an annual security assessment of its IAM environment. The assessment showed that audit logs are not available beyond 90 days and that unauthorized changes to IAM policies are made without detection.

How should a security engineer resolve these issues?

A.

Create an Amazon S3 lifecycle policy that archives IAM CloudTrail trail logs to Amazon S3 Glacier after 90 days. Configure Amazon Inspector to provide a notification when a policy change is made to resources.

B.

Configure IAM Artifact to archive IAM CloudTrail logs Configure IAM Trusted Advisor to provide a notification when a policy change is made to resources.

C.

Configure Amazon CloudWatch to export log groups to Amazon S3. Configure IAM CloudTrail to provide a notification when a policy change is made to resources.

D.

Create an IAM CloudTrail trail that stores audit logs in Amazon S3. Configure an IAM Config rule to provide a notification when a policy change is made to resources.

Full Access
Question # 174

Users report intermittent availability of a web application hosted on IAM. Monitoring systems report an excess of abnormal network traffic followed by high CPU utilization on the application web tier. Which of the following techniques will improve the availability of the application? (Select TWO.)

A.

Deploy IAM WAF to block all unsecured web applications from accessing the internet.

B.

Deploy an Intrusion Detection/Prevention System (IDS/IPS) to monitor or block unusual incoming network traffic.

C.

Configure security groups to allow outgoing network traffic only from hosts that are protected with up-to-date antivirus software.

D.

Create Amazon CloudFront distribution and configure IAM WAF rules to protect the web applications from malicious traffic.

E.

Use the default Amazon VPC for externakfacing systems to allow IAM to actively block malicious network traffic affecting Amazon EC2 instances.

Full Access
Question # 175

A Security Engineer manages IAM Organizations for a company. The Engineer would like to restrict IAM usage to allow Amazon S3 only in one of the organizational units (OUs). The Engineer adds the following SCP to the OU:

The next day. API calls to IAM IAM appear in IAM CloudTrail logs In an account under that OU. How should the Security Engineer resolve this issue?

A.

Move the account to a new OU and deny IAM:* permissions.

B.

Add a Deny policy for all non-S3 services at the account level.

C.

Change the policy to:

{

“Version”: “2012-10-17”,

“Statement”: [

{

“Sid”: “AllowS3”,

"Effect": "Allow",

"Action": "s3:*",

"Resource": "*/*»

}

]

}

D.

Detach the default FullIAMAccess SCP

Full Access
Question # 176

A company's security information events management (SIEM) tool receives new IAM CloudTrail logs from an Amazon S3 bucket that is configured to send all object created event notification to an Amazon SNS topic An Amazon SQS queue is subscribed to this SNS topic. The company's SEM tool then ports this SQS queue for new messages using an IAM role and fetches new log events from the S3 bucket based on the SQS messages.

After a recent security review that resulted m restricted permissions, the SEM tool has stopped receiving new CloudTral logs

Which of the following are possible causes of this issue? (Select THREE)

A.

The SOS queue does not allow the SQS SendMessage action from the SNS topic

B.

The SNS topic does not allow the SNS Publish action from Amazon S3

C.

The SNS topic is not delivering raw messages to the SQS queue

D.

The S3 bucket policy does not allow CloudTrail to perform the PutObject action

E.

The IAM role used by the 5EM tool does not have permission to subscribe to the SNS topic

F.

The IAM role used by the SEM tool does not allow the SQS DeleteMessage action.

Full Access