
SCS-C01 Questions and Answers

Question # 6

An Incident Response team is investigating an IAM access key leak that resulted in Amazon EC2 instances being launched. The company did not discover the incident until many months later. The Director of Information Security wants to implement new controls that will alert when similar incidents happen in the future.

Which controls should the company implement to achieve this? (Select TWO.)

A.

Enable VPC Flow Logs in all VPCs. Create a scheduled AWS Lambda function that downloads and parses the logs, and sends an Amazon SNS notification for violations.

B.

Use AWS CloudTrail to create a trail, and apply it to all Regions. Specify an Amazon S3 bucket to receive all the CloudTrail log files.

C.

Add the following bucket policy to the company's AWS CloudTrail bucket to prevent log tampering:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Deny",
    "Action": "s3:PutObject",
    "Principal": "*",
    "Resource": "arn:aws:s3:::cloudtrail/AWSLogs/111122223333/*"
  }
}

Create an Amazon S3 data event for all PutObject attempts, which sends notifications to an Amazon SNS topic.

D.

Create a Security Auditor role with permissions to access Amazon CloudWatch Logs in all Regions. Ship the logs to an Amazon S3 bucket and create a lifecycle policy to ship the logs to Amazon S3 Glacier.

E.

Verify that Amazon GuardDuty is enabled in all Regions, and create an Amazon CloudWatch Events rule for Amazon GuardDuty findings. Add an Amazon SNS topic as the rule's target.

Question # 7

A company is undergoing a layer 3 and layer 4 DDoS attack on its web servers running on AWS.

Which combination of IAM services and features will provide protection in this scenario? (Select THREE).

A.

Amazon Route 53

B.

AWS Certificate Manager (ACM)

C.

Amazon S3

D.

AWS Shield

E.

Elastic Load Balancer

F.

Amazon GuardDuty

Question # 8

For compliance reasons, a Security Engineer must produce a weekly report that lists any instance that does not have the latest approved patches applied. The Engineer must also ensure that no system goes more than 30 days without the latest approved updates being applied.

What would be the MOST efficient way to achieve these goals?

A.

Use Amazon Inspector to determine which systems do not have the latest patches applied, and after 30 days, redeploy those instances with the latest AMI version.

B.

Configure Amazon EC2 Systems Manager to report on instance patch compliance and enforce updates during the defined maintenance windows

C.

Examine AWS CloudTrail logs to determine whether any instances have not restarted in the last 30 days, and redeploy those instances.

D.

Update the AMIs with the latest approved patches and redeploy each instance during the defined maintenance window.

Question # 9

Your application currently uses customer keys that were generated via AWS KMS in the US East Region. You now want to use the same set of keys from the EU-Central Region. How can this be accomplished?

Please select:

A.

Export the key from the US east region and import them into the EU-Central region

B.

Use key rotation and rotate the existing keys to the EU-Central region

C.

Use the backing key from the US east region and use it in the EU-Central region

D.

This is not possible since keys from KMS are region specific

Question # 10

How can you ensure that an instance in a VPC does not use AWS DNS for resolving DNS requests? You want to use your own managed DNS instance. How can this be achieved?

Please select:

A.

Change the existing DHCP options set

B.

Create a new DHCP options set and replace the existing one.

C.

Change the route table for the VPC

D.

Change the subnet configuration to allow DNS requests from the new DNS Server

Question # 11

A company hosts an application on Amazon EC2 that is subject to specific rules for regulatory compliance. One rule states that traffic to and from the workload must be inspected for network-level attacks. This involves inspecting the whole packet.

To comply with this regulatory rule, a security engineer must install intrusion detection software on a c5n.4xlarge EC2 instance. The engineer must then configure the software to monitor traffic to and from the application instances.

What should the security engineer do next?

A.

Place the network interface in promiscuous mode to capture the traffic.

B.

Configure VPC Flow Logs to send traffic to the monitoring EC2 instance using a Network Load Balancer.

C.

Configure VPC traffic mirroring to send traffic to the monitoring EC2 instance using a Network Load Balancer.

D.

Use Amazon Inspector to detect network-level attacks and trigger an AWS Lambda function to send the suspicious packets to the EC2 instance.

Question # 12

A company's cloud operations team is responsible for building effective security for AWS cross-account access. The team asks a security engineer to help troubleshoot why some developers in the developer account (123456789012) in the developers group are not able to assume a cross-account role (ReadS3) into a production account (999999999999) to read the contents of an Amazon S3 bucket (productionapp). The two account policies are as follows:

Which recommendations should the security engineer make to resolve this issue? (Select TWO.)

A.

Ask the developers to change their password and use a different web browser.

B.

Ensure that developers are using multi-factor authentication (MFA) when they log in to their developer account as the developer role.

C.

Modify the production account ReadS3 role policy to allow the PutBucketPolicy action on the productionapp S3 bucket.

D.

Update the trust relationship policy on the production account S3 role to allow the account number of the developer account.

E.

Update the developer group permissions in the developer account to allow access to the productionapp S3 bucket.

Question # 13

Your company manages thousands of EC2 Instances. There is a mandate to ensure that all servers don't have any critical security flaws. Which of the following can be done to ensure this? Choose 2 answers from the options given below.

Please select:

A.

Use AWS Config to ensure that the servers have no critical flaws.

B.

Use Amazon Inspector to ensure that the servers have no critical flaws.

C.

Use Amazon Inspector to patch the servers.

D.

Use AWS SSM to patch the servers.

Question # 14

A company is running an application in the eu-west-1 Region. The application uses an AWS Key Management Service (AWS KMS) CMK to encrypt sensitive data. The company plans to deploy the application in the eu-north-1 Region.

A security engineer needs to implement a key management solution for the application deployment in the new Region. The security engineer must minimize changes to the application code.

Which change should the security engineer make to the AWS KMS configuration to meet these requirements?

A.

Update the key policies in eu-west-1. Point the application in eu-north-1 to use the same CMK as the application in eu-west-1.

B.

Allocate a new CMK to eu-north-1 to be used by the application that is deployed in that Region.

C.

Allocate a new CMK to eu-north-1. Create the same alias name for both keys. Configure the application deployment to use the key alias.

D.

Allocate a new CMK to eu-north-1. Create an alias for eu-north-1. Change the application code to point to the alias for eu-north-1.

Question # 15

A company has several Customer Master Keys (CMK), some of which have imported key material. Each CMK must be rotated annually.

What two methods can the security team use to rotate each key? Select 2 answers from the options given below.

Please select:

A.

Enable automatic key rotation for a CMK

B.

Import new key material to an existing CMK

C.

Use the CLI or console to explicitly rotate an existing CMK

D.

Import new key material to a new CMK; Point the key alias to the new CMK.

E.

Delete an existing CMK and a new default CMK will be created.

Question # 16

A company's application team wants to replace an internal application with a new AWS architecture that consists of Amazon EC2 instances, an AWS Lambda function, and an Amazon S3 bucket in a single AWS Region. After an architecture review, the security team mandates that no application network traffic can traverse the public internet at any point. The security team already has an SCP in place for the company's organization in AWS Organizations to restrict the creation of internet gateways, NAT gateways, and egress-only gateways.

Which combination of steps should the application team take to meet these requirements? (Select THREE.)

A.

Create an S3 endpoint that has a full-access policy for the application's VPC.

B.

Create an S3 access point for the S3 bucket. Include a policy that restricts the network origin to VPCs.

C.

Launch the Lambda function. Enable the block public access configuration.

D.

Create a security group that has an outbound rule over port 443 with a destination of the S3 endpoint. Associate the security group with the EC2 instances.

E.

Create a security group that has an outbound rule over port 443 with a destination of the S3 access point. Associate the security group with the EC2 instances.

F.

Launch the Lambda function in a VPC.

Question # 17

An organization wants to log all AWS API calls made within all of its AWS accounts, and must have a central place to analyze these logs. What steps should be taken to meet these requirements in the MOST secure manner? (Select TWO.)

A.

Turn on AWS CloudTrail in each AWS account.

B.

Turn on CloudTrail in only the account that will be storing the logs

C.

Update the bucket ACL of the bucket in the account that will be storing the logs so that other accounts can log to it

D.

Create a service-based role for CloudTrail and associate it with CloudTrail in each account

E.

Update the bucket policy of the bucket in the account that will be storing the logs so that other accounts can log to it

Question # 18

A company has a legacy application that outputs all logs to a local text file. Logs from all applications running on AWS must be continually monitored for security-related messages.

What can be done to allow the company to deploy the legacy application on Amazon EC2 and still meet the monitoring requirement?

Please select:

A.

Create a Lambda function that mounts the EBS volume with the logs and scans the logs for security incidents. Trigger the function every 5 minutes with a scheduled CloudWatch event.

B.

Send the local text log files to CloudWatch Logs and configure a CloudWatch metric filter. Trigger CloudWatch alarms based on the metrics.

C.

Install the Amazon Inspector agent on any EC2 instance running the legacy application. Generate CloudWatch alerts based on any Amazon Inspector findings.

D.

Export the local text log files to CloudTrail. Create a Lambda function that queries the CloudTrail logs for security incidents using Athena.

Question # 19

A company is deploying an Amazon EC2-based application. The application will include a custom health-checking component that produces health status data in JSON format. A Security Engineer must implement a secure solution to monitor application availability in near-real time by analyzing the health status data.

Which approach should the Security Engineer use?

A.

Use Amazon CloudWatch monitoring to capture Amazon EC2 and networking metrics. Visualize metrics using Amazon CloudWatch dashboards.

B.

Run the Amazon Kinesis Agent to write the status data to Amazon Kinesis Data Firehose. Store the streaming data from Kinesis Data Firehose in Amazon Redshift. Then run a script on the pooled data and analyze the data in Amazon Redshift.

C.

Write the status data directly to a public Amazon S3 bucket from the health-checking component. Configure S3 events to invoke an AWS Lambda function that analyzes the data.

D.

Generate events from the health-checking component and send them to Amazon CloudWatch Events. Include the status data as event payloads. Use CloudWatch Events rules to invoke an AWS Lambda function that analyzes the data.

Question # 20

Your company is planning on developing an application in AWS. This is a web-based application. The application users will use their Facebook or Google identities for authentication. You want to have the ability to manage user profiles without having to add extra coding to manage this. Which of the below would assist in this?

Please select:

A.

Create an OIDC identity provider in IAM

B.

Create a SAML provider in IAM

C.

Use Amazon Cognito to manage the user profiles

D.

Use IAM users to manage the user profiles

Question # 21

An organization is using AWS CloudTrail, Amazon CloudWatch Logs, and Amazon CloudWatch to send alerts when new access keys are created. However, the alerts are no longer appearing in the Security Operations mailbox.

Which of the following actions would resolve this issue?

A.

In CloudTrail, verify that the trail logging bucket has a log prefix configured.

B.

In Amazon SNS, determine whether the “Account spend limit” has been reached for this alert.

C.

In SNS, ensure that the subscription used by these alerts has not been deleted.

D.

In CloudWatch, verify that the alarm threshold “consecutive periods” value is equal to, or greater than 1.

Question # 22

A customer has an instance hosted in the AWS Public Cloud. The VPC and subnet used to host the instance have been created with the default settings for the Network Access Control Lists. They need to provide an IT Administrator secure access to the underlying instance. How can this be accomplished?

Please select:

A.

Ensure the Network Access Control Lists allow Inbound SSH traffic from the IT Administrator's Workstation

B.

Ensure the Network Access Control Lists allow Outbound SSH traffic from the IT Administrator's Workstation

C.

Ensure that the security group allows Inbound SSH traffic from the IT Administrator's Workstation

D.

Ensure that the security group allows Outbound SSH traffic from the IT Administrator's Workstation

Question # 23

A corporate cloud security policy states that communications between the company's VPC and KMS must travel entirely within the AWS network and not use public service endpoints.

Which combination of the following actions MOST satisfies this requirement? (Choose two.)

A.

Add the aws:sourceVpce condition to the AWS KMS key policy referencing the company's VPC endpoint ID.

B.

Remove the VPC internet gateway from the VPC and add a virtual private gateway to the VPC to prevent direct, public internet connectivity.

C.

Create a VPC endpoint for AWS KMS with private DNS enabled.

D.

Use the KMS Import Key feature to securely transfer the AWS KMS key over a VPN.

E.

Add the following condition to the AWS KMS key policy: "aws:SourceIp": "10.0.0.0/16".

Question # 24

A company’s security policy requires that VPC Flow Logs are enabled on all VPCs. A Security Engineer is looking to automate the process of auditing the VPC resources for compliance.

What combination of actions should the Engineer take? (Choose two.)

A.

Create an AWS Lambda function that determines whether Flow Logs are enabled for a given VPC.

B.

Create an AWS Config configuration item for each VPC in the company AWS account.

C.

Create an AWS Config managed rule with a resource type of AWS::Lambda::Function.

D.

Create an Amazon CloudWatch Events rule that triggers on events emitted by AWS Config.

E.

Create an AWS Config custom rule, and associate it with an AWS Lambda function that contains the evaluating logic.

Question # 25

What is the function of the following AWS Key Management Service (KMS) key policy attached to a customer master key (CMK)?

A.

The Amazon WorkMail and Amazon SES services have delegated KMS encrypt and decrypt permissions to the ExampleUser principal in the 111122223333 account.

B.

The ExampleUser principal can transparently encrypt and decrypt email exchanges specifically between ExampleUser and AWS.

C.

The CMK is to be used for encrypting and decrypting only when the principal is ExampleUser and the request comes from WorkMail or SES in the specified region.

D.

The key policy allows WorkMail or SES to encrypt or decrypt on behalf of the user for any CMK in the account.

Question # 26

A Developer’s laptop was stolen. The laptop was not encrypted, and it contained the SSH key used to access multiple Amazon EC2 instances. A Security Engineer has verified that the key has not been used, and has blocked port 22 to all EC2 instances while developing a response plan.

How can the Security Engineer further protect currently running instances?

A.

Delete the key-pair key from the EC2 console, then create a new key pair.

B.

Use the modify-instance-attribute API to change the key on any EC2 instance that is using the key.

C.

Use the EC2 RunCommand to modify the authorized_keys file on any EC2 instance that is using the key.

D.

Update the key pair in any AMI used to launch the EC2 instances, then restart the EC2 instances.

Question # 27

An application has been written that publishes custom metrics to Amazon CloudWatch. Recently, IAM changes have been made on the account and the metrics are no longer being reported.

Which of the following is the LEAST permissive solution that will allow the metrics to be delivered?

A.

Add a statement to the IAM policy used by the application to allow logs:putLogEvents and logs:createLogStream

B.

Modify the IAM role used by the application by adding the CloudWatchFullAccess managed policy.

C.

Add a statement to the IAM policy used by the application to allow cloudwatch:putMetricData.

D.

Add a trust relationship to the IAM role used by the application for cloudwatch.amazonaws.com.

Question # 28

A Security Engineer is trying to determine whether the encryption keys used in an AWS service are in compliance with certain regulatory standards.

Which of the following actions should the Engineer perform to get further guidance?

A.

Read the AWS Customer Agreement.

B.

Use AWS Artifact to access AWS compliance reports.

C.

Post the question on the AWS Discussion Forums.

D.

Run AWS Config and evaluate the configuration outputs.

Question # 29

A Systems Administrator has written the following Amazon S3 bucket policy designed to allow access to an S3 bucket for only an authorized AWS IAM user from the IP address range 10.10.10.0/24:

When trying to download an object from the S3 bucket from 10.10.10.40, the IAM user receives an access denied message.

What does the Administrator need to change to grant access to the user?

A.

Change the "Resource" from "arn:aws:s3:::Bucket" to "arn:aws:s3:::Bucket/*".

B.

Change the "Principal" from "*" to {"AWS": "arn:aws:iam::account-number:user/username"}

C.

Change the “Version” from “2012-10-17” to the last revised date of the policy

D.

Change the “Action” from [“s3:*”] to [“s3:GetObject”, “s3:ListBucket”]

Question # 30

A company has five AWS accounts and wants to use AWS CloudTrail to log API calls. The log files must be stored in an Amazon S3 bucket that resides in a new account specifically built for centralized services with a unique top-level prefix for each trail. The configuration must also enable detection of any modification to the logs.

Which of the following steps will implement these requirements? (Choose three.)

A.

Create a new S3 bucket in a separate AWS account for centralized storage of CloudTrail logs, and enable "Log File Validation" on all trails.

B.

Use an existing S3 bucket in one of the accounts, apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the "s3:PutObject" action and the "s3:GetBucketAcl" action, and specify the appropriate resource ARNs for the CloudTrail trails.

C.

Apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the "s3:PutObject" action and the "s3:GetBucketAcl" action, and specify the appropriate resource ARNs for the CloudTrail trails.

D.

Use unique log file prefixes for trails in each AWS account.

E.

Configure CloudTrail in the centralized account to log all accounts to the new centralized S3 bucket.

F.

Enable encryption of the log files by using AWS Key Management Service.

Question # 31

A company recently experienced a DDoS attack that prevented its web server from serving content. The website is static and hosts only HTML, CSS, and PDF files that users download.

Based on the architecture shown in the image, what is the BEST way to protect the site against future attacks while minimizing the ongoing operational overhead?

A.

Move all the files to an Amazon S3 bucket. Have the web server serve the files from the S3 bucket.

B.

Launch a second Amazon EC2 instance in a new subnet. Launch an Application Load Balancer in front of both instances.

C.

Launch an Application Load Balancer in front of the EC2 instance. Create an Amazon CloudFront distribution in front of the Application Load Balancer.

D.

Move all the files to an Amazon S3 bucket. Create a CloudFront distribution in front of the bucket and terminate the web server.

Question # 32

A Security Engineer must enforce the use of only Amazon EC2, Amazon S3, Amazon RDS, Amazon DynamoDB, and AWS STS in specific accounts.

What is a scalable and efficient approach to meet this requirement?

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question # 33

You have a vendor that needs access to an AWS resource. You create an IAM user account. You want to restrict access to the resource using a policy for just that user over a brief period. Which of the following would be an ideal policy to use?

Please select:

A.

An IAM Managed Policy

B.

An Inline Policy

C.

A Bucket Policy

D.

A bucket ACL

Question # 34

Compliance requirements state that all communications between company on-premises hosts and EC2 instances be encrypted in transit. Hosts use custom proprietary protocols for their communication, and EC2 instances need to be fronted by a load balancer for increased availability.

Which of the following solutions will meet these requirements?

A.

Offload SSL termination onto an SSL listener on a Classic Load Balancer, and use a TCP connection between the load balancer and the EC2 instances.

B.

Route all traffic through a TCP listener on a Classic Load Balancer, and terminate the TLS connection on the EC2 instances.

C.

Create an HTTPS listener using an Application Load Balancer, and route all of the communication through that load balancer.

D.

Offload SSL termination onto an SSL listener using an Application Load Balancer, and re-spawn an SSL connection between the load balancer and the EC2 instances.

Question # 35

A Security Engineer is defining the logging solution for a newly developed product. Systems Administrators and Developers need to have appropriate access to event log files in AWS CloudTrail to support and troubleshoot the product.

Which combination of controls should be used to protect against tampering with and unauthorized access to log files? (Choose two.)

A.

Ensure that the log file integrity validation mechanism is enabled.

B.

Ensure that all log files are written to at least two separate Amazon S3 buckets in the same account.

C.

Ensure that Systems Administrators and Developers can edit log files, but prevent any other access.

D.

Ensure that Systems Administrators and Developers with job-related need-to-know requirements only are capable of viewing—but not modifying—the log files.

E.

Ensure that all log files are stored on Amazon EC2 instances that allow SSH access from the internal corporate network only.

Question # 36

An organization has a system in AWS that allows a large number of remote workers to submit data files. File sizes vary from a few kilobytes to several megabytes. A recent audit highlighted a concern that data files are not encrypted while in transit over untrusted networks.

Which solution would remediate the audit finding while minimizing the effort required?

A.

Upload an SSL certificate to AWS, and configure Amazon CloudFront with the passphrase for the private key.

B.

Call KMS.Encrypt() in the client, passing in the data file contents, and call KMS.Decrypt() server-side.

C.

Use AWS Certificate Manager to provision a certificate on an Elastic Load Balancer in front of the web service's servers.

D.

Create a new VPC with an Amazon VPC VPN endpoint, and update the web service’s DNS record.

Question # 37

A company will store sensitive documents in three Amazon S3 buckets based on a data classification scheme of “Sensitive,” “Confidential,” and “Restricted.” The security solution must meet all of the following requirements:

  • Each object must be encrypted using a unique key.
  • Items that are stored in the “Restricted” bucket require two-factor authentication for decryption.
  • AWS KMS must automatically rotate encryption keys annually.

Which of the following meets these requirements?

A.

Create a Customer Master Key (CMK) for each data classification type, and enable the rotation of it annually. For the “Restricted” CMK, define the MFA policy within the key policy. Use S3 SSE-KMS to encrypt the objects.

B.

Create a CMK grant for each data classification type with EnableKeyRotation and MultiFactorAuthPresent set to true. S3 can then use the grants to encrypt each object with a unique CMK.

C.

Create a CMK for each data classification type, and within the CMK policy, enable rotation of it annually, and define the MFA policy. S3 can then create DEK grants to uniquely encrypt each object within the S3 bucket.

D.

Create a CMK with unique imported key material for each data classification type, and rotate them annually. For the “Restricted” key material, define the MFA policy in the key policy. Use S3 SSE-KMS to encrypt the objects.

Question # 38

You have a 2-tier application hosted in AWS. It consists of a web server and a database server (SQL Server) hosted on separate EC2 Instances. You are devising the security groups for these EC2 Instances. The web tier needs to be accessed by users across the Internet. You have created a web security group (wg-123) and a database security group (db-345). Which combination of the following security group rules will allow the application to be secure and functional? Choose 2 answers from the options given below.

Please select:

A.

wg-123 - Allow ports 80 and 443 from 0.0.0.0/0

B.

db-345 - Allow port 1433 from wg-123

C.

wg-123 - Allow port 1433 from wg-123

D.

db-345 - Allow port 1433 from 0.0.0.0/0

Question # 39

A Software Engineer wrote a customized reporting service that will run on a fleet of Amazon EC2 instances. The company security policy states that application logs for the reporting service must be centrally collected.

What is the MOST efficient way to meet these requirements?

A.

Write an AWS Lambda function that logs into the EC2 instance to pull the application logs from the EC2 instance and persists them into an Amazon S3 bucket.

B.

Enable AWS CloudTrail logging for the AWS account, create a new Amazon S3 bucket, and then configure Amazon CloudWatch Logs to receive the application logs from CloudTrail.

C.

Create a simple cron job on the EC2 instances that synchronizes the application logs to an Amazon S3 bucket by using rsync.

D.

Install the Amazon CloudWatch Logs Agent on the EC2 instances, and configure it to send the application logs to CloudWatch Logs.

Question # 40

The Security Engineer for a mobile game has to implement a method to authenticate users so that they can save their progress. Because most of the users are part of the same OpenID-Connect compatible social media website, the Security Engineer would like to use that as the identity provider.

Which solution is the SIMPLEST way to allow the authentication of users using their social media identities?

A.

Amazon Cognito

B.

AssumeRoleWithWebIdentity API

C.

Amazon Cloud Directory

D.

Active Directory (AD) Connector

Question # 41

A financial institution has the following security requirements:

  • Cloud-based users must be contained in a separate authentication domain.
  • Cloud-based users cannot access on-premises systems.

As part of standing up a cloud environment, the financial institution is creating a number of Amazon managed databases and Amazon EC2 instances. An Active Directory service exists on-premises that has all the administrator accounts, and these must be able to access the databases and instances.

How would the organization manage its resources in the MOST secure manner? (Choose two.)

A.

Configure an AWS Managed Microsoft AD to manage the cloud resources.

B.

Configure an additional on-premises Active Directory service to manage the cloud resources.

C.

Establish a one-way trust relationship from the existing Active Directory to the new Active Directory service.

D.

Establish a one-way trust relationship from the new Active Directory to the existing Active Directory service.

E.

Establish a two-way trust between the new and existing Active Directory services.

Question # 42

A website currently runs on Amazon EC2 with mostly static content on the site. Recently, the site was subjected to a DDoS attack, and a Security Engineer was tasked with redesigning the edge security to help mitigate this risk in the future.

What are some ways the Engineer could achieve this? (Select THREE.)

A.

Use AWS X-Ray to inspect the traffic going to the EC2 instances.

B.

Move the static content to Amazon S3 and front this with an Amazon CloudFront distribution.

C.

Change the security group configuration to block the source of the attack traffic.

D.

Use AWS WAF security rules to inspect the inbound traffic.

E.

Use Amazon Inspector assessment templates to inspect the inbound traffic.

F.

Use Amazon Route 53 to distribute traffic

Question # 43

A Developer is building a serverless application that uses Amazon API Gateway as the front end. The application will not be publicly accessible. Other legacy applications running on Amazon EC2 will make calls to the application. A Security Engineer has been asked to review the security controls for authentication and authorization of the application.

Which combination of actions would provide the MOST secure solution? (Select TWO.)

A.

Configure an IAM policy that allows the least permissive actions to communicate with the API Gateway. Attach the policy to the role used by the legacy EC2 instances.

B.

Enable AWS WAF for API Gateway. Configure rules to explicitly allow connections from the legacy EC2 instances.

C.

Create a VPC endpoint for API Gateway. Attach an IAM resource policy that allows the role of the legacy EC2 instances to call specific APIs.

D.

Create a usage plan. Generate a set of API keys for each application that needs to call the API.

E.

Configure cross-origin resource sharing (CORS) in each API. Share the CORS information with the applications that call the API.

Question # 44

A Security Engineer for a large company is managing a data processing application used by 1,500 subsidiary companies. The parent and subsidiary companies all use IAM. The application uses TCP port 443 and runs on Amazon EC2 behind a Network Load Balancer (NLB). For compliance reasons, the application should only be accessible to the subsidiaries and should not be available on the public internet. To meet the compliance requirements for restricted access, the Engineer has received the public and private CIDR block ranges for each subsidiary

What solution should the Engineer use to implement the appropriate access restrictions for the application?

A.

Create a NACL to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges. Associate the NACL to both the NLB and EC2 instances.

B.

Create an IAM security group to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges. Associate the security group to the NLB. Create a second security group for EC2 instances with access on TCP port 443 from the NLB security group.

C.

Create an IAM PrivateLink endpoint service in the parent company account attached to the NLB. Create an IAM security group for the instances to allow access on TCP port 443 from the IAM PrivateLink endpoint. Use IAM PrivateLink interface endpoints in the 1,500 subsidiary IAM accounts to connect to the data processing application.

D.

Create an IAM security group to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges. Associate the security group with EC2 instances.

Question # 45

A company's Director of Information Security wants a daily email report from IAM that contains recommendations for each company account to meet IAM security best practices.

Which solution would meet these requirements?

A.

In every IAM account, configure IAM Lambda to query the IAM Support API for IAM Trusted Advisor security checks. Send the results from Lambda to an Amazon SNS topic to send reports.

B.

Configure Amazon GuardDuty in a master account and invite all other accounts to be managed by the master account. Use GuardDuty's integration with Amazon SNS to report on findings.

C.

Use Amazon Athena and Amazon QuickSight to build reports off of IAM CloudTrail. Create a daily Amazon CloudWatch trigger to run the report daily and email it using Amazon SNS.

D.

Use IAM Artifact's prebuilt reports and subscriptions. Subscribe the Director of Information Security to the reports by adding the Director as the security alternate contact for each account.

Question # 46

A Security Engineer has several thousand Amazon EC2 instances split across production and development environments. Each instance is tagged with its environment. The Engineer needs to analyze and patch all the development EC2 instances to ensure they are not currently exposed to any common vulnerabilities or exposures (CVEs).

Which combination of steps is the MOST efficient way for the Engineer to meet these requirements? (Select TWO.)

A.

Log on to each EC2 instance, check and export the different software versions installed, and verify this against a list of current CVEs.

B.

Install the Amazon Inspector agent on all development instances. Build a custom rule package, and configure Inspector to perform a scan using this custom rule on all instances tagged as being in the development environment.

C.

Install the Amazon Inspector agent on all development instances. Configure Inspector to perform a scan using the CVE rule package on all instances tagged as being in the development environment.

D.

Install the Amazon EC2 Systems Manager agent on all development instances. Issue the Run command to EC2 Systems Manager to update all instances.

E.

Use IAM Trusted Advisor to check that all EC2 instances have been patched to the most recent version of operating system and installed software.

Question # 47

A Web Administrator for the website example.com has created an Amazon CloudFront distribution for dev.example.com, with a requirement to configure HTTPS using a custom TLS certificate imported to IAM Certificate Manager.

Which combination of steps is required to ensure availability of the certificate in the CloudFront console? (Choose two.)

A.

Call UploadServerCertificate with /cloudfront/dev/ in the path parameter.

B.

Import the certificate with a 4,096-bit RSA public key.

C.

Ensure that the certificate, private key, and certificate chain are PKCS #12-encoded.

D.

Import the certificate in the us-east-1 (N. Virginia) Region.

E.

Ensure that the certificate, private key, and certificate chain are PEM-encoded.

Question # 48

An external Auditor finds that a company's user passwords have no minimum length. The company is currently using two identity providers:

• IAM IAM federated with on-premises Active Directory

• Amazon Cognito user pools for accessing an IAM Cloud application developed by the company

Which combination of actions should the Security Engineer take to solve this issue? (Select TWO.)

A.

Update the password length policy in the on-premises Active Directory configuration.

B.

Update the password length policy in the IAM configuration.

C.

Enforce an IAM policy in Amazon Cognito and IAM IAM with a minimum password length condition.

D.

Update the password length policy in the Amazon Cognito configuration.

E.

Create an SCP with IAM Organizations that enforces a minimum password length for IAM IAM and Amazon Cognito.

Question # 49

The Development team receives an error message each time the team members attempt to encrypt or decrypt a Secure String parameter from the SSM Parameter Store by using an IAM KMS customer managed key (CMK).

Which CMK-related issues could be responsible? (Choose two.)

A.

The CMK specified in the application does not exist.

B.

The CMK specified in the application is currently in use.

C.

The CMK specified in the application is using the CMK KeyID instead of CMK Amazon Resource Name.

D.

The CMK specified in the application is not enabled.

E.

The CMK specified in the application is using an alias.

Question # 50

A company's data lake uses Amazon S3 and Amazon Athena. The company's security engineer has been asked to design an encryption solution that meets the company's data protection requirements. The encryption solution must work with Amazon S3 and keys managed by the company. The encryption solution must be protected in a hardware security module that is validated in Federal Information Processing Standards (FIPS) 140-2 Level 3.

Which solution meets these requirements?

A.

Use client-side encryption with an IAM KMS customer-managed key implemented with the IAM Encryption SDK.

B.

Use IAM CloudHSM to store the keys and perform cryptographic operations. Save the encrypted text in Amazon S3.

C.

Use an IAM KMS customer-managed key that is backed by a custom key store using IAM CloudHSM.

D.

Use an IAM KMS customer-managed key with the bring your own key (BYOK) feature to import a key stored in IAM CloudHSM.

Question # 51

A company is collecting IAM CloudTrail log data from multiple IAM accounts by managing individual trails in each account and forwarding log data to a centralized Amazon S3 bucket residing in a log archive account. After CloudTrail introduced support for IAM Organizations trails, the company decided to further centralize management and automate deployment of the CloudTrail logging capability across all of its IAM accounts.

The company's security engineer created an IAM Organizations trail in the master account, enabled server-side encryption with IAM KMS managed keys (SSE-KMS) for the log files, and specified the same bucket as the storage location. However, the engineer noticed that logs recorded by the new trail were not delivered to the bucket.

Which factors could cause this issue? (Select TWO.)

A.

The CMK key policy does not allow CloudTrail to make encrypt and decrypt API calls against the key.

B.

The CMK key policy does not allow CloudTrail to make GenerateDataKey API calls against the key.

C.

The IAM role used by the CloudTrail trail does not have permissions to make PutObject API calls against a folder created for the Organizations trail.

D.

The S3 bucket policy does not allow CloudTrail to make PutObject API calls against a folder created for the Organizations trail.

E.

The CMK key policy does not allow the IAM role used by the CloudTrail trail to use the key for cryptographic operations.

Question # 52

Unapproved changes were previously made to a company's Amazon S3 bucket. A security engineer configured IAM Config to record configuration changes made to the company's S3 buckets. The engineer discovers there are S3 configuration changes being made, but no Amazon SNS notifications are being sent. The engineer has already checked the configuration of the SNS topic and has confirmed the configuration is valid.

Which combination of steps should the security engineer take to resolve the issue? (Select TWO.)

A.

Configure the S3 bucket ACLs to allow IAM Config to record changes to the buckets.

B.

Configure policies attached to S3 buckets to allow IAM Config to record changes to the buckets.

C.

Attach the AmazonS3ReadOnlyAccess managed policy to the IAM user.

D.

Verify the security engineer's IAM user has an attached policy that allows all IAM Config actions.

E.

Assign the IAMConfigRole managed policy to the IAM Config role.

Question # 53

A Solutions Architect is designing a web application that uses Amazon CloudFront, an Elastic Load Balancing Application Load Balancer, and an Auto Scaling group of Amazon EC2 instances. The load balancer and EC2 instances are in the US West (Oregon) region. It has been decided that encryption in transit is necessary by using a customer-branded domain name from the client to CloudFront and from CloudFront to the load balancer.

Assuming that IAM Certificate Manager is used, how many certificates will need to be generated?

A.

One in the US West (Oregon) region and one in the US East (Virginia) region.

B.

Two in the US West (Oregon) region and none in the US East (Virginia) region.

C.

One in the US West (Oregon) region and none in the US East (Virginia) region.

D.

Two in the US East (Virginia) region and none in the US West (Oregon) region.

Question # 54

A company's architecture requires that its three Amazon EC2 instances run behind an Application Load Balancer (ALB). The EC2 instances transmit sensitive data between each other. Developers use SSL certificates to encrypt the traffic between the public users and the ALB. However, the Developers are unsure of how to encrypt the data in transit between the ALB and the EC2 instances and the traffic between the EC2 instances.

Which combination of activities must the company implement to meet its encryption requirements? (Select TWO.)

A.

Configure SSL/TLS on the EC2 instances and configure the ALB target group to use HTTPS.

B.

Ensure that all resources are in the same VPC so the default encryption provided by the VPC is used to encrypt the traffic between the EC2 instances.

C.

In the ALB, select the default encryption to encrypt the traffic between the ALB and the EC2 instances.

D.

In the code for the application, include a cryptography library and encrypt the data before sending it between the EC2 instances.

E.

Configure IAM Direct Connect to provide an encrypted tunnel between the EC2 instances.

Question # 55

Due to new compliance requirements, a Security Engineer must enable encryption with customer-provided keys on corporate data that is stored in DynamoDB. The company wants to retain full control of the encryption keys.

Which DynamoDB feature should the Engineer use to achieve compliance?

A.

Use IAM Certificate Manager to request a certificate. Use that certificate to encrypt data prior to uploading it to DynamoDB.

B.

Enable S3 server-side encryption with the customer-provided keys. Upload the data to Amazon S3, and then use S3Copy to move all data to DynamoDB.

C.

Create a KMS master key. Generate per-record data keys and use them to encrypt data prior to uploading it to DynamoDB. Dispose of the cleartext and encrypted data keys after encryption without storing them.

D.

Use the DynamoDB Java encryption client to encrypt data prior to uploading it to DynamoDB.

Question # 56

A Security Engineer discovers that developers have been adding rules to security groups that allow SSH and RDP traffic from 0.0.0.0/0 instead of the organization firewall IP.

What is the most efficient way to remediate the risk of this activity?

A.

Delete the internet gateway associated with the VPC.

B.

Use network access control lists to block source IP addresses matching 0.0.0.0/0.

C.

Use a host-based firewall to prevent access from all but the organization’s firewall IP.

D.

Use IAM Config rules to detect 0.0.0.0/0 and invoke an IAM Lambda function to update the security group with the organization's firewall IP.

Question # 57

You want to get a list of vulnerabilities for an EC2 Instance as per the guidelines set by the Center for Internet Security. How can you go about doing this?

Please select:

A.

Enable IAM GuardDuty for the Instance

B.

Use IAM Trusted Advisor

C.

Use IAM Inspector

D.

Use IAM Macie

Question # 58

Which of the following minimizes the potential attack surface for applications?

A.

Use security groups to provide stateful firewalls for Amazon EC2 instances at the hypervisor level.

B.

Use network ACLs to provide stateful firewalls at the VPC level to prevent access to any specific IAM resource.

C.

Use IAM Direct Connect for secure trusted connections between EC2 instances within private subnets.

D.

Design network security in a single layer within the perimeter network (also known as DMZ, demilitarized zone, and screened subnet) to facilitate quicker responses to threats.

Question # 59

A company uses identity federation to authenticate users into an identity account (987654321987) where the users assume an IAM role named IdentityRole. The users then assume an IAM role named JobFunctionRole in the target IAM account (123456789123) to perform their job functions.

A user is unable to assume the IAM role in the target account. The policy attached to the role in the identity account is:

What should be done to enable the user to assume the appropriate role in the target account?

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question # 60

A Security Engineer received an IAM Abuse Notice listing EC2 instance IDs that are reportedly abusing other hosts.

Which action should the Engineer take based on this situation? (Choose three.)

A.

Use IAM Artifact to capture an exact image of the state of each instance.

B.

Create EBS Snapshots of each of the volumes attached to the compromised instances.

C.

Capture a memory dump.

D.

Log in to each instance with administrative credentials to restart the instance.

E.

Revoke all network ingress and egress except to/from a forensics workstation.

F.

Run Auto Recovery for Amazon EC2.

Question # 61

A Security Engineer is working with the development team to design a supply chain application that stores sensitive inventory data in an Amazon S3 bucket. The application will use an IAM KMS customer master key (CMK) to encrypt the data on Amazon S3. The inventory data on Amazon S3 will be shared with vendors. All vendors will use IAM principals from their own IAM accounts to access the data on Amazon S3. The vendor list may change weekly, and the solution must support cross-account access.

What is the MOST efficient way to manage access control for the KMS CMK?

A.

Use KMS grants to manage key access. Programmatically create and revoke grants to manage vendor access.

B.

Use an IAM role to manage key access. Programmatically update the IAM role policies to manage vendor access.

C.

Use KMS key policies to manage key access. Programmatically update the KMS key policies to manage vendor access.

D.

Use delegated access across IAM accounts by using IAM roles to manage key access. Programmatically update the IAM trust policy to manage cross-account vendor access.

Question # 62

You are devising a policy to allow users to have the ability to access objects in a bucket called appbucket. You define the below custom bucket policy.

But when you try to apply the policy you get the error "Action does not apply to any resource(s) in statement." What should be done to rectify the error?

Please select:

A.

Change the IAM permissions by applying PutBucketPolicy permissions.

B.

Verify that the policy has the same name as the bucket name. If not, make it the same.

C.

Change the Resource section to "arn:IAM:s3:::appbucket/*".

D.

Create the bucket "appbucket" and then apply the policy.

Question # 63

An Application team has requested a new IAM KMS master key for use with Amazon S3, but the organizational security policy requires separate master keys for different IAM services to limit blast radius.

How can an IAM KMS customer master key (CMK) be constrained to work with only Amazon S3?

A.

Configure the CMK key policy to allow only the Amazon S3 service to use the kms:Encrypt action.

B.

Configure the CMK key policy to allow IAM KMS actions only when the kms:ViaService condition matches the Amazon S3 service name.

C.

Configure the IAM user's policy to allow KMS to pass a role to Amazon S3.

D.

Configure the IAM user's policy to allow only Amazon S3 operations when they are combined with the CMK.

Question # 64

An application running on EC2 instances processes sensitive information stored on Amazon S3. The information is accessed over the Internet. The security team is concerned that the Internet connectivity to Amazon S3 is a security risk. Which solution will resolve the security concern?

Please select:

A.

Access the data through an Internet Gateway.

B.

Access the data through a VPN connection.

C.

Access the data through a NAT Gateway.

D.

Access the data through a VPC endpoint for Amazon S3.

Question # 65

An organization must establish the ability to delete an IAM KMS Customer Master Key (CMK) within a 24-hour timeframe to keep it from being used for encrypt or decrypt operations. Which of the following actions will address this requirement?

A.

Manually rotate a key within KMS to create a new CMK immediately.

B.

Use the KMS import key functionality to execute a delete key operation.

C.

Use the schedule key deletion function within KMS to specify the minimum wait period for deletion.

D.

Change the KMS CMK alias to immediately prevent any services from using the CMK.

Question # 66

An EC2 Instance hosts a Java-based application that accesses a DynamoDB table. This EC2 Instance is currently serving production users. Which of the following is a secure way of ensuring that the EC2 Instance can access the DynamoDB table?

Please select:

A.

Use IAM Roles with permissions to interact with DynamoDB and assign it to the EC2 Instance

B.

Use KMS keys with the right permissions to interact with DynamoDB and assign it to the EC2 Instance

C.

Use IAM Access Keys with the right permissions to interact with DynamoDB and assign it to the EC2 Instance

D.

Use IAM Access Groups with the right permissions to interact with DynamoDB and assign it to the EC2 Instance

Question # 67

A company has a large set of keys defined in IAM KMS. Their developers frequently use the keys for the applications being developed. What is one of the ways that can be used to reduce the cost of accessing the keys in the IAM KMS service?

Please select:

A.

Enable rotation of the keys

B.

Use Data key caching

C.

Create an alias of the key

D.

Use the right key policy

Question # 68

A company needs to retain log data archives for several years to be compliant with regulations. The log data is no longer used, but it must be retained.

What is the MOST secure and cost-effective solution to meet these requirements?

A.

Archive the data to Amazon S3 and apply a restrictive bucket policy to deny the s3:DeleteObject API.

B.

Archive the data to Amazon S3 Glacier and apply a Vault Lock policy.

C.

Archive the data to Amazon S3 and replicate it to a second bucket in a second IAM Region. Choose the S3 Standard-Infrequent Access (S3 Standard-IA) storage class and apply a restrictive bucket policy to deny the s3:DeleteObject API.

D.

Migrate the log data to a 16 TB Amazon Elastic Block Store (Amazon EBS) volume. Create a snapshot of the EBS volume.

Question # 69

A security engineer is designing an incident response plan to address the risk of a compromised Amazon EC2 instance. The plan must recommend a solution to meet the following requirements:

• A trusted forensic environment must be provisioned

• Automated response processes must be orchestrated

Which IAM services should be included in the plan? (Select TWO.)

A.

IAM CloudFormation

B.

Amazon GuardDuty

C.

Amazon Inspector

D.

Amazon Macie

E.

IAM Step Functions

Question # 70

A recent security audit identified that a company's application team injects database credentials into the environment variables of an IAM Fargate task. The company's security policy mandates that all sensitive data be encrypted at rest and in transit.

Which combination of actions should the security team take to make the application compliant with the security policy? (Select THREE.)

A.

Store the credentials securely in a file in an Amazon S3 bucket with restricted access to the application team IAM role. Ask the application team to read the credentials from the S3 object instead.

B.

Create an IAM Secrets Manager secret and specify the key/value pairs to be stored in this secret.

C.

Modify the application to pull credentials from the IAM Secrets Manager secret instead of the environment variables.

D.

Add the following statement to the container instance IAM role policy.

E.

Add the following statement to the execution role policy.

F.

Log in to the IAM Fargate instance, create a script to read the secret value from IAM Secrets Manager, and inject the environment variables. Ask the application team to redeploy the application.

Question # 71

A security engineer is responsible for providing secure access to IAM resources for thousands of developers in a company's corporate identity provider (IdP). The developers access a set of IAM services from the corporate premises using IAM credentials. Due to the volume of requests for provisioning new IAM users, it is taking a long time to grant access permissions. The security engineer receives reports that developers are sharing their IAM credentials with others to avoid provisioning delays. This causes concern about overall security for the security engineer.

Which actions will meet the program requirements that address security?

A.

Create an Amazon CloudWatch alarm for IAM CloudTrail Events. Create a metric filter to send a notification when the same set of IAM credentials is used by multiple developers.

B.

Create a federation between IAM and the existing corporate IdP. Leverage IAM roles to provide federated access to IAM resources.

C.

Create a VPN tunnel between the corporate premises and the VPC. Allow permissions to all IAM services only if the request originates from the corporate premises.

D.

Create multiple IAM roles for each IAM user. Ensure that users who use the same IAM credentials cannot assume the same IAM role at the same time.

Question # 72

A security engineer must develop an encryption tool for a company. The company requires a cryptographic solution that supports the ability to perform cryptographic erasure on all resources protected by the key material in 15 minutes or less.

Which IAM Key Management Service (IAM KMS) key solution will allow the security engineer to meet these requirements?

A.

Use imported key material with a CMK.

B.

Use an IAM KMS CMK.

C.

Use an IAM managed CMK.

D.

Use an IAM KMS customer managed CMK.

Question # 73

To meet regulatory requirements, a Security Engineer needs to implement an IAM policy that restricts the use of IAM services to the us-east-1 Region.

What policy should the Engineer implement?

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question # 74

While securing the connection between a company's VPC and its on-premises data center, a Security Engineer sent a ping command from an on-premises host (IP address 203.0.113.12) to an Amazon EC2 instance (IP address 172.31.16.139). The ping command did not return a response. The flow log in the VPC showed the following:

2 123456789010 eni-1235b8ca 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK

2 123456789010 eni-1235b8ca 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK

What action should be performed to allow the ping to work?

A.

In the security group of the EC2 instance, allow inbound ICMP traffic.

B.

In the security group of the EC2 instance, allow outbound ICMP traffic.

C.

In the VPC's NACL, allow inbound ICMP traffic.

D.

In the VPC's NACL, allow outbound ICMP traffic.

Question # 75

An application is currently secured using network access control lists and security groups. Web servers are located in public subnets behind an Application Load Balancer (ALB); application servers are located in private subnets.

How can edge security be enhanced to safeguard the Amazon EC2 instances against attack? (Choose two.)

A.

Configure the application’s EC2 instances to use NAT gateways for all inbound traffic.

B.

Move the web servers to private subnets without public IP addresses.

C.

Configure IAM WAF to provide DDoS attack protection for the ALB.

D.

Require all inbound network traffic to route through a bastion host in the private subnet.

E.

Require all inbound and outbound network traffic to route through an IAM Direct Connect connection.

Question # 76

A company requires that SSH commands used to access its IAM instance be traceable to the user who executed each command.

How should a Security Engineer accomplish this?

A.

Allow inbound access on port 22 at the security group attached to the instance. Use IAM Systems Manager Session Manager for shell access to Amazon EC2 instances with the user tag defined. Enable Amazon CloudWatch logging for Systems Manager sessions.

B.

Use Amazon S3 to securely store one Privacy Enhanced Mail Certificate (PEM file) for each user. Allow Amazon EC2 to read from Amazon S3 and import every user that wants to use SSH to access EC2 instances. Allow inbound access on port 22 at the security group attached to the instance. Install the Amazon CloudWatch agent on the EC2 instance and configure it to ingest audit logs for the instance.

C.

Deny inbound access on port 22 at the security group attached to the instance. Use IAM Systems Manager Session Manager for shell access to Amazon EC2 instances with the user tag defined. Enable Amazon CloudWatch logging for Systems Manager sessions.

D.

Use Amazon S3 to securely store one Privacy Enhanced Mail Certificate (PEM file) for each team or group. Allow Amazon EC2 to read from Amazon S3 and import every user that wants to use SSH to access EC2 instances. Allow inbound access on port 22 at the security group attached to the instance. Install the Amazon CloudWatch agent on the EC2 instance and configure it to ingest audit logs for the instance.

Question # 77

A company uses Microsoft Active Directory for access management for on-premises resources and wants to use the same mechanism for accessing its IAM accounts. Additionally, the development team plans to launch a public-facing application for which they need a separate authentication solution.

Which combination of the following would satisfy these requirements? (Select TWO.)

A.

Set up domain controllers on Amazon EC2 to extend the on-premises directory to IAM.

B.

Establish network connectivity between on-premises and the user's VPC.

C.

Use Amazon Cognito user pools for application authentication.

D.

Use AD Connector for application authentication.

E.

Set up federated sign-in to IAM through ADFS and SAML.

Question # 78

A company's development team is designing an application using IAM Lambda and Amazon Elastic Container Service (Amazon ECS). The development team needs to create IAM roles to support these systems. The company's security team wants to allow the developers to build IAM roles directly, but the security team wants to retain control over the permissions the developers can delegate to those roles. The development team needs access to more permissions than those required for the application's IAM services. The solution must minimize management overhead.

How should the security team prevent privilege escalation for both teams?

A.

Enable IAM CloudTrail. Create a Lambda function that monitors the event history for privilege escalation events and notifies the security team.

B.

Create a managed IAM policy for the permissions required. Reference the IAM policy as a permissions boundary within the development team's IAM role.

C.

Enable IAM Organizations. Create an SCP that allows the IAM CreateUser action but that has a condition that prevents API calls other than those required by the development team.

D.

Create an IAM policy with a deny on the IAMCreateUser action and assign the policy to the development team. Use a ticket system to allow the developers to request new IAM roles for their applications. The IAM roles will then be created by the security team.

Question # 79

A Security Engineer is troubleshooting a connectivity issue between a web server that is writing log files to the logging server in another VPC. The Engineer has confirmed that a peering relationship exists between the two VPCs. VPC flow logs show that requests sent from the web server are accepted by the logging server, but the web server never receives a reply.

Which of the following actions could fix this issue?

A.

Add an inbound rule to the security group associated with the logging server that allows requests from the web server.

B.

Add an outbound rule to the security group associated with the web server that allows requests to the logging server.

C.

Add a route to the route table associated with the subnet that hosts the logging server that targets the peering connection.

D.

Add a route to the route table associated with the subnet that hosts the web server that targets the peering connection.
