Amazon SCS-C01 Dumps

We at Dumpssure certify that our platform is one of the most authentic websites for Amazon SCS-C01 exam questions and their correct answers. Pass your Amazon SCS-C01 exam with flying colours, and with little effort. With the purchase of this pack, you will also get free demo question dumps. We ensure your 100% success in the SCS-C01 exam with the help of our provided material.

DumpsSure offers a unique Online Test Engine where you can fully practice your SCS-C01 exam questions. This is a one-of-a-kind feature that our competitors won't provide. Candidates can practice the way they would want to attempt questions at the real examination.

Dumpssure also offers an exclusive 'Exam Mode' where you can attempt 50 random questions related to your SCS-C01 exam. This mode is exactly the same as the real SCS-C01 certification exam. Attempt all the questions within a limited time and test your knowledge on the spot. This mode will definitely give you an edge in the real exam.

Our success rate over the past 6 years is above 96%, which is quite impressive and we're proud of it. Our customers are able to build their career in any field they wish. Let's dive right in and make the best decision of your life right now. Choose the plan you want, download the SCS-C01 exam dumps and start your preparation for a successful profession.

Why is Dumpssure the best for preparing for the Amazon SCS-C01 exam?

Dumpssure provides free Amazon SCS-C01 question answers for your practice; to avail of this facility you just need to sign up for a free account on Dumpssure. Thousands of customers from around the world are using our SCS-C01 dumps. You can get high grades by using these dumps, with a money back guarantee on the SCS-C01 dumps PDF.

A vital tool to help you pass your Amazon SCS-C01 exam

Our production experts have been preparing material that can help you succeed in the Amazon SCS-C01 exam in one day. They are so logical and knowledgeable about the questions and their answers that you can get good marks in the Amazon SCS-C01 exam. So DUMPSSURE is offering you the chance to get excellent marks.

Easy access on your mobile

The basic aim of Dumpssure is to provide the most important and most accurate material for our users. You just need to remain connected to the internet to get updates, even on your mobile. After purchasing, you can download the Amazon SCS-C01 study material in PDF format and read it easily wherever you want to study.

Amazon SCS-C01 Questions and Answers are available instantly

Our provided material is regularly updated with new questions and answers for Amazon exam dumps, so that you can easily check the behaviour of the questions and their answers and succeed in your first attempt.

Amazon SCS-C01 Dumps are verified by diligent experts

We are keen to provide our users with questions that are verified by Amazon professionals, who are extremely skilled and have spent many years in this field.

Money Back Guarantee

Dumpssure is so devoted to its customers that we provide the most important and latest questions to help you pass the Amazon SCS-C01 exam. If you have purchased the complete SCS-C01 dumps PDF file and have not received the promised facilities for the Amazon exams, you can either replace your exam or claim under the money back policy, which is simple; for more detail visit the Guarantee page.

Amazon SCS-C01 Sample Questions

Question # 1

A company wants to monitor the deletion of customer managed CMKs. A security engineer must create an alarm that will notify the company before a CMK is deleted. The security engineer has configured the integration of AWS CloudTrail with Amazon CloudWatch. What should the security engineer do next to meet this requirement?

Within AWS Key Management Service (AWS KMS) specify the deletion time of the key material during CMK creation. AWS KMS will automatically create a CloudWatch.
Create an Amazon EventBridge (Amazon CloudWatch Events) rule to look for API calls of DeleteAlias. Create an AWS Lambda function to send Amazon Simple Notification Service (Amazon SNS) messages to the company. Add the Lambda function as the target of the EventBridge (CloudWatch Events) rule.
Create an Amazon EventBridge (Amazon CloudWatch Events) rule to look for API calls of DisableKey and ScheduleKeyDeletion. Create an AWS Lambda function to generate the alarm and send the notification to the company. Add the Lambda function as the target of the SNS policy.

A. Use inbound rule 100 to allow traffic on TCP port 443. Use inbound rule 200 to deny traffic on TCP port 3306. Use outbound rule 100 to allow traffic on TCP port 443.
B. Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port range 1024-65535. Use outbound rule 100 to allow traffic on TCP port 443.
C. Use inbound rule 100 to allow traffic on TCP port range 1024-65535. Use inbound rule 200 to deny traffic on TCP port 3306. Use outbound rule 100 to allow traffic on TCP port 443.
D. Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port 443. Use outbound rule 100 to allow traffic on TCP port 443.



Question # 2

A company's on-premises networks are connected to VPCs using an AWS Direct Connect gateway. The company's on-premises application needs to stream data using an existing Amazon Kinesis Data Firehose delivery stream. The company's security policy requires that data be encrypted in transit using a private network. How should the company meet these requirements?

A. Create a VPC endpoint for Kinesis Data Firehose. Configure the application to connect to the VPC endpoint.
B. Configure an IAM policy to restrict access to Kinesis Data Firehose using a source IP condition. Configure the application to connect to the existing Firehose delivery stream.
C. Create a new TLS certificate in AWS Certificate Manager (ACM). Create a public-facing Network Load Balancer (NLB) and select the newly created TLS certificate. Configure the NLB to forward all traffic to Kinesis Data Firehose. Configure the application to connect to the NLB.
D. Peer the on-premises network with the Kinesis Data Firehose VPC using Direct Connect. Configure the application to connect to the existing Firehose delivery stream.



Question # 3

A Network Load Balancer (NLB) target instance is not entering the InService state. A security engineer determines that health checks are failing. Which factors could cause the health check failures? (Select THREE.)

A. The target instance's security group does not allow traffic from the NLB.
B. The target instance's security group is not attached to the NLB.
C. The NLB's security group is not attached to the target instance.
D. The target instance's subnet network ACL does not allow traffic from the NLB.
E. The target instance's security group is not using IP addresses to allow traffic from the NLB.
F. The target network ACL is not attached to the NLB.



Question # 4

A company's security engineer has been tasked with restricting a contractor's IAM account access to the company's Amazon EC2 console without providing access to any other AWS services. The contractor's IAM account must not be able to gain access to any other AWS service, even if the IAM account is assigned additional permissions based on IAM group membership. What should the security engineer do to meet these requirements?

A. Create an inline IAM user policy that allows Amazon EC2 access for the contractor's IAM user.
B. Create an IAM permissions boundary policy that allows Amazon EC2 access. Associate the contractor's IAM account with the IAM permissions boundary policy.
C. Create an IAM group with an attached policy that allows Amazon EC2 access. Associate the contractor's IAM account with the IAM group.
D. Create an IAM role that allows EC2 and explicitly denies all other services. Instruct the contractor to always assume this role.



Question # 5

A security engineer receives an AWS abuse email message. According to the message, an Amazon EC2 instance that is running in the security engineer's AWS account is sending phishing email messages. The EC2 instance is part of an application that is deployed in production. The application runs on many EC2 instances behind an Application Load Balancer. The instances run in an Amazon EC2 Auto Scaling group across multiple subnets and multiple Availability Zones. The instances normally communicate only over the HTTP, HTTPS, and MySQL protocols. Upon investigation, the security engineer discovers that email messages are being sent over port 587. All other traffic is normal. The security engineer must create a solution that contains the compromised EC2 instance, preserves forensic evidence for analysis, and minimizes application downtime. Which combination of steps must the security engineer take to meet these requirements? (Select THREE.)

A. Add an outbound rule to the security group that is attached to the compromised EC2 instance to deny traffic to 0.0.0.0/0 and port 587.
B. Add an outbound rule to the network ACL for the subnet that contains the compromised EC2 instance to deny traffic to 0.0.0.0/0 and port 587.
C. Gather volatile memory from the compromised EC2 instance. Suspend the compromised EC2 instance from the Auto Scaling group. Then take a snapshot of the compromised EC2 instance.
D. Take a snapshot of the compromised EC2 instance. Suspend the compromised EC2 instance from the Auto Scaling group. Then gather volatile memory from the compromised EC2 instance.
E. Move the compromised EC2 instance to an isolated subnet that has a network ACL that has no inbound rules or outbound rules.
F. Replace the existing security group that is attached to the compromised EC2 instance with a new security group that has no inbound rules or outbound rules.



Question # 6

A company is implementing a new application in a new AWS account. A VPC and subnets have been created for the application. The application has been peered to an existing VPC in another account in the same AWS Region for database access. Amazon EC2 instances will regularly be created and terminated in the application VPC, but only some of them will need access to the databases in the peered VPC over TCP port 1521. A security engineer must ensure that only the EC2 instances that need access to the databases can access them through the network. How can the security engineer implement this solution?

A. Create a new security group in the database VPC and create an inbound rule that allows all traffic from the IP address range of the application VPC. Add a new network ACL rule on the database subnets. Configure the rule to TCP port 1521 from the IP address range of the application VPC. Attach the new security group to the database instances that the application instances need to access.
B. Create a new security group in the application VPC with an inbound rule that allows the IP address range of the database VPC over TCP port 1521. Create a new security group in the database VPC with an inbound rule that allows the IP address range of the application VPC over port 1521. Attach the new security group to the database instances and the application instances that need database access.
C. Create a new security group in the application VPC with no inbound rules. Create a new security group in the database VPC with an inbound rule that allows TCP port 1521 from the new application security group in the application VPC. Attach the application security group to the application instances that need database access, and attach the database security group to the database instances.
D. Create a new security group in the application VPC with an inbound rule that allows the IP address range of the database VPC over TCP port 1521. Add a new network ACL rule on the database subnets. Configure the rule to allow all traffic from the IP address range of the application VPC. Attach the new security group to the application instances that need database access.



Question # 7

A company deployed AWS Organizations to help manage its increasing number of AWS accounts. A security engineer wants to ensure only principals in the Organization structure can access a specific Amazon S3 bucket. The solution must also minimize operational overhead. Which solution will meet these requirements?

A. Put all users into an IAM group with an access policy granting access to the bucket.
B. Have the account creation trigger an AWS Lambda function that manages the bucket policy, allowing access to accounts listed in the policy only.
C. Add an SCP to the Organizations master account, allowing all principals access to the bucket.
D. Specify the organization ID in the global key condition element of a bucket policy, allowing all principals access.



Question # 8

A company has implemented AWS WAF and Amazon CloudFront for an application. The application runs on Amazon EC2 instances that are part of an Auto Scaling group. The Auto Scaling group is behind an Application Load Balancer (ALB). The AWS WAF web ACL uses an AWS Managed Rules rule group and is associated with the CloudFront distribution. CloudFront receives the request from AWS WAF and then uses the ALB as the distribution's origin. During a security review, a security engineer discovers that the infrastructure is susceptible to a large, layer 7 DDoS attack. How can the security engineer improve the security at the edge of the solution to defend against this type of attack?

A. Configure the CloudFront distribution to use the Lambda@Edge feature. Create an AWS Lambda function that imposes a rate limit on CloudFront viewer requests. Block the request if the rate limit is exceeded.
B. Configure the AWS WAF web ACL so that the web ACL has more capacity units to process all AWS WAF rules faster.
C. Configure AWS WAF with a rate-based rule that imposes a rate limit that automatically blocks requests when the rate limit is exceeded.
D. Configure the CloudFront distribution to use AWS WAF as its origin instead of the ALB.



Question # 9

A company is planning to use Amazon Elastic File System (Amazon EFS) with its on-premises servers. The company has an existing AWS Direct Connect connection established between its on-premises data center and an AWS Region. Security policy states that the company's on-premises firewall should only have specific IP addresses added to the allow list and not a CIDR range. The company also wants to restrict access so that only certain data center-based servers have access to Amazon EFS. How should a security engineer implement this solution?

A. Add the file-system-id.efs.aws-region.amazonaws.com URL to the allow list for the data center firewall. Install the AWS CLI on the data center-based servers to mount the EFS file system. In the EFS security group, add the data center IP range to the allow list. Mount the EFS using the EFS file system name.
B. Assign an Elastic IP address to Amazon EFS and add the Elastic IP address to the allow list for the data center firewall. Install the AWS CLI on the data center-based servers to mount the EFS file system. In the EFS security group, add the IP addresses of the data center servers to the allow list. Mount the EFS using the Elastic IP address.
C. Add the EFS file system mount target IP addresses to the allow list for the data center firewall. In the EFS security group, add the data center server IP addresses to the allow list. Use the Linux terminal to mount the EFS file system using the IP address of one of the mount targets.
D. Assign a static range of IP addresses for the EFS file system by contacting AWS Support. In the EFS security group, add the data center server IP addresses to the allow list. Use the Linux terminal to mount the EFS file system using one of the static IP addresses.



Question # 10

A developer is building a serverless application hosted on AWS that uses Amazon Redshift as a data store. The application has separate modules for read/write and read-only functionality. The modules need their own database users for compliance reasons. Which combination of steps should a security engineer implement to grant appropriate access? (Select TWO.)

A. Configure cluster security groups for each application module to control access to database users that are required for read-only and read/write.
B. Configure a VPC endpoint for Amazon Redshift. Configure an endpoint policy that maps database users to each application module, and allow access to the tables that are required for read-only and read/write.
C. Configure an IAM policy for each module. Specify the ARN of an Amazon Redshift database user that allows the GetClusterCredentials API call.
D. Create local database users for each module.
E. Configure an IAM policy for each module. Specify the ARN of an IAM user that allows the GetClusterCredentials API call.



Question # 11

A company is running an application in the eu-west-1 Region. The application uses an AWS Key Management Service (AWS KMS) CMK to encrypt sensitive data. The company plans to deploy the application in the eu-north-1 Region. A security engineer needs to implement a key management solution for the application deployment in the new Region. The security engineer must minimize changes to the application code. Which change should the security engineer make to the AWS KMS configuration to meet these requirements?

A. Update the key policies in eu-west-1. Point the application in eu-north-1 to use the same CMK as the application in eu-west-1.
B. Allocate a new CMK to eu-north-1 to be used by the application that is deployed in that Region.
C. Allocate a new CMK to eu-north-1. Create the same alias name for both keys. Configure the application deployment to use the key alias.
D. Allocate a new CMK to eu-north-1. Create an alias for eu-'-1. Change the application code to point to the alias for eu-'-1.



Question # 12

A company is hosting a static website on Amazon S3. The company has configured an Amazon CloudFront distribution to serve the website contents. The company has associated an AWS WAF web ACL with the CloudFront distribution. The web ACL ensures that requests originate from the United States to address compliance restrictions. The company is worried that the S3 URL might still be accessible directly and that requests can bypass the CloudFront distribution. Which combination of steps should the company take to remove direct access to the S3 URL? (Select TWO.)

A. Select "Restrict Bucket Access" in the origin settings of the CloudFront distribution.
B. Create an origin access identity (OAI) for the S3 origin.
C. Update the S3 bucket policy to allow s3:GetObject with a condition that the aws:Referer key matches the secret value. Deny all other requests.
D. Configure the S3 bucket policy so that only the origin access identity (OAI) has read permission for objects in the bucket.
E. Add an origin custom header that has the name Referer to the CloudFront distribution. Give the header a secret value.



Question # 13

A company has two teams, and each team needs to access its respective Amazon S3 buckets. The company anticipates adding more teams that also will have their own S3 buckets. When the company adds these teams, team members will need the ability to be assigned to multiple teams. Team members also will need the ability to change teams. Additional S3 buckets can be created or deleted. An IAM administrator must design a solution to accomplish these goals. The solution also must be scalable and must require the least possible operational overhead. Which solution meets these requirements?

A. Add users to groups that represent the teams. Create a policy for each team that allows the team to access its respective S3 buckets only. Attach the policy to the corresponding group.
B. Create an IAM role for each team. Create a policy for each team that allows the team to access its respective S3 buckets only. Attach the policy to the corresponding role.
C. Create IAM roles that are labeled with an access tag value of a team. Create one policy that allows dynamic access to S3 buckets with the same tag. Attach the policy to the IAM roles. Tag the S3 buckets accordingly.
D. Implement a role-based access control (RBAC) authorization model. Create the corresponding policies, and attach them to the IAM users.



Question # 14

A company is hosting multiple applications within a single VPC in its AWS account. The applications are running behind an Application Load Balancer that is associated with an AWS WAF web ACL. The company's security team has identified that multiple port scans are originating from a specific range of IP addresses on the internet. A security engineer needs to deny access from the offending IP addresses. Which solution will meet these requirements?

A. Modify the AWS WAF web ACL with an IP set match rule statement to deny incoming requests from the IP address range.
B. Add a rule to all security groups to deny the incoming requests from the IP address range.
C. Modify the AWS WAF web ACL with a rate-based rule statement to deny the incoming requests from the IP address range.
D. Configure the AWS WAF web ACL with regex match conditions. Specify a pattern set to deny the incoming requests based on the match condition.



Question # 15

A company wants to ensure that its AWS resources can be launched only in the us-east-1 and us-west-2 Regions. What is the MOST operationally efficient solution that will prevent developers from launching Amazon EC2 instances in other Regions?

A. Enable Amazon GuardDuty in all Regions. Create alerts to detect unauthorized activity outside us-east-1 and us-west-2.
B. Use an organization in AWS Organizations. Attach an SCP that allows all actions when the aws:RequestedRegion condition key is either us-east-1 or us-west-2. Delete the FullAWSAccess policy.
C. Provision EC2 resources by using AWS CloudFormation templates through AWS CodePipeline. Allow only the values of us-east-1 and us-west-2 in the AWS CloudFormation template's parameters.
D. Create an AWS Config rule to prevent unauthorized activity outside us-east-1 and us-west-2.



Question # 16

Your CTO thinks your AWS account was hacked. What is the only way to know for certain if there was unauthorized access and what they did, assuming your hackers are very sophisticated AWS engineers and doing everything they can to cover their tracks? Please select:

A. Use CloudTrail Log File Integrity Validation.
B. Use AWS Config SNS Subscriptions and process events in real time.
C. Use CloudTrail backed up to AWS S3 and Glacier.
D. Use AWS Config Timeline forensics.



Question # 17

A company stores images for a website in an Amazon S3 bucket. The company is using Amazon CloudFront to serve the images to end users. The company recently discovered that the images are being accessed from countries where the company does not have a distribution license. Which actions should the company take to secure the images to limit their distribution? (Select TWO.)

A. Update the S3 bucket policy to restrict access to a CloudFront origin access identity (OAI).
B. Update the website DNS record to use an Amazon Route 53 geolocation record deny list of countries where the company lacks a license.
C. Add a CloudFront geo restriction deny list of countries where the company lacks a license.
D. Update the S3 bucket policy with a deny list of countries where the company lacks a license.
E. Enable the Restrict Viewer Access option in CloudFront to create a deny list of countries where the company lacks a license.



Question # 18

A company's engineering team is developing a new application that creates AWS Key Management Service (AWS KMS) CMK grants for users. Immediately after a grant is created, users must be able to use the CMK to encrypt a 512-byte payload. During load testing, a bug appears intermittently where AccessDeniedExceptions are occasionally triggered when a user first attempts to encrypt using the CMK. Which solution should the company's security specialist recommend?

A. Instruct users to implement a retry mechanism every 2 minutes until the call succeeds.
B. Instruct the engineering team to consume a random grant token from users, and to call the CreateGrant operation, passing it the grant token. Instruct users to use that grant token in their call to encrypt.
C. Instruct the engineering team to create a random name for the grant when calling the CreateGrant operation. Return the name to the users and instruct them to provide the name as the grant token in the call to encrypt.
D. Instruct the engineering team to pass the grant token returned in the CreateGrant response to users. Instruct users to use that grant token in their call to encrypt.



Question # 19

A company has an application that uses an Amazon RDS PostgreSQL database. The company is developing an application feature that will store sensitive information for an individual in the database. During a security review of the environment, the company discovers that the RDS DB instance is not encrypting data at rest. The company needs a solution that will provide encryption at rest for all the existing data and for any new data that is entered for an individual. Which combination of options can the company use to meet these requirements? (Select TWO.)

A. Create a snapshot of the DB instance. Copy the snapshot to a new snapshot, and enable encryption for the copy process. Use the new snapshot to restore the DB instance.
B. Modify the configuration of the DB instance by enabling encryption. Create a snapshot of the DB instance. Use the snapshot to restore the DB instance.
C. Use AWS Key Management Service (AWS KMS) to create a new default AWS managed aws/rds key. Select this key as the encryption key for operations with Amazon RDS.
D. Use AWS Key Management Service (AWS KMS) to create a new CMK. Select this key as the encryption key for operations with Amazon RDS.
E. Create a snapshot of the DB instance. Enable encryption on the snapshot. Use the snapshot to restore the DB instance.



Question # 20

An audit determined that a company's Amazon EC2 instance security group violated company policy by allowing unrestricted incoming SSH traffic. A security engineer must implement a near-real-time monitoring and alerting solution that will notify administrators of such violations. Which solution meets these requirements with the MOST operational efficiency?

A. Create a recurring Amazon Inspector assessment run that runs every day and uses the Network Reachability package. Create an Amazon CloudWatch rule that invokes an AWS Lambda function when an assessment run starts. Configure the Lambda function to retrieve and evaluate the assessment run report when it completes. Configure the Lambda function also to publish an Amazon Simple Notification Service (Amazon SNS) notification if there are any violations for unrestricted incoming SSH traffic.
B. Use the restricted-ssh AWS Config managed rule that is invoked by security group configuration changes that are not compliant. Use the AWS Config remediation feature to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic.
C. Configure VPC Flow Logs for the VPC, and specify an Amazon CloudWatch Logs group. Subscribe the CloudWatch Logs group to an AWS Lambda function that parses new log entries, detects successful connections on port 22, and publishes a notification through Amazon Simple Notification Service (Amazon SNS).
D. Create a recurring Amazon Inspector assessment run that runs every day and uses the Security Best Practices package. Create an Amazon CloudWatch rule that invokes an AWS Lambda function when an assessment run starts. Configure the Lambda function to retrieve and evaluate the assessment run report when it completes. Configure the Lambda function also to publish an Amazon Simple Notification Service (Amazon SNS) notification if there are any violations for unrestricted incoming SSH traffic.



Question # 21

A company uses Amazon RDS for MySQL as a database engine for its applications. A recent security audit revealed an RDS instance that is not compliant with company policy for encrypting data at rest. A security engineer at the company needs to ensure that all existing RDS databases are encrypted using server-side encryption and that any future deviations from the policy are detected. Which combination of steps should the security engineer take to accomplish this? (Select TWO.)

A. Create an AWS Config rule to detect the creation of unencrypted RDS databases. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to trigger on the AWS Config rule's compliance state change and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.
B. Use AWS Systems Manager State Manager to detect RDS database encryption configuration drift. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to track state changes and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.
C. Create a read replica for the existing unencrypted RDS database and enable replica encryption in the process. Once the replica becomes active, promote it into a standalone database instance and terminate the unencrypted database instance.
D. Take a snapshot of the unencrypted RDS database. Copy the snapshot and enable snapshot encryption in the process. Restore the database instance from the newly created encrypted snapshot. Terminate the unencrypted database instance.
E. Enable encryption for the identified unencrypted RDS instance by changing the configuration of the existing database.



Question # 22

A company is building an application on AWS that will store sensitive information. The company has a support team with access to the IT infrastructure, including databases. The company's security engineer must introduce measures to protect the sensitive data against any data breach while minimizing management overhead. The credentials must be regularly rotated. What should the security engineer recommend?

A. Enable Amazon RDS encryption to encrypt the database and snapshots. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instances. Include the database credential in the EC2 user data field. Use an AWS Lambda function to rotate database credentials. Set up TLS for the connection to the database.
B. Install a database on an Amazon EC2 instance. Enable third-party disk encryption to encrypt the Amazon Elastic Block Store (Amazon EBS) volume. Store the database credentials in AWS CloudHSM with automatic rotation. Set up TLS for the connection to the database.
C. Enable Amazon RDS encryption to encrypt the database and snapshots. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instances. Store the database credentials in AWS Secrets Manager with automatic rotation. Set up TLS for the connection to the RDS hosted database.
D. Set up an AWS CloudHSM cluster with AWS Key Management Service (AWS KMS) to store KMS keys. Set up Amazon RDS encryption using AWS KMS to encrypt the database. Store database credentials in the AWS Systems Manager Parameter Store with automatic rotation. Set up TLS for the connection to the RDS hosted database.



Question # 23

A web application runs in a VPC on EC2 instances behind an ELB Application Load Balancer. The application stores data in an RDS MySQL DB instance. A Linux bastion host is used to apply schema updates to the database - administrators connect to the host via SSH from a corporate workstation. The following security groups are applied to the infrastructure- * sgLB - associated with the ELB * sgWeb - associated with the EC2 instances. * sgDB - associated with the database * sgBastion - associated with the bastion host Which security group configuration will allow the application to be secure and functional? Please select: 

A. sgLB: allow port 80 and 443 traffic from 0.0.0.0/0; sgWeb: allow port 80 and 443 traffic from 0.0.0.0/0; sgDB: allow port 3306 traffic from sgWeb and sgBastion; sgBastion: allow port 22 traffic from the corporate IP address range
B. sgLB: allow port 80 and 443 traffic from 0.0.0.0/0; sgWeb: allow port 80 and 443 traffic from sgLB; sgDB: allow port 3306 traffic from sgWeb and sgLB; sgBastion: allow port 22 traffic from the VPC IP address range
C. sgLB: allow port 80 and 443 traffic from 0.0.0.0/0; sgWeb: allow port 80 and 443 traffic from sgLB; sgDB: allow port 3306 traffic from sgWeb and sgBastion; sgBastion: allow port 22 traffic from the VPC IP address range
D. sgLB: allow port 80 and 443 traffic from 0.0.0.0/0; sgWeb: allow port 80 and 443 traffic from sgLB; sgDB: allow port 3306 traffic from sgWeb and sgBastion; sgBastion: allow port 22 traffic from the corporate IP address range



Question # 24

A security engineer needs to build a solution to turn AWS CloudTrail back on in multiple AWS Regions in case it is ever turned off. What is the MOST efficient way to implement this solution?

A. Use AWS Config with a managed rule to trigger the AWS-EnableCloudTrail remediation.
B. Create an Amazon EventBridge (Amazon CloudWatch Events) event with a cloudtrail.amazonaws.com event source and a StartLogging event name to trigger an AWS Lambda function to call the StartLogging API.
C. Create an Amazon CloudWatch alarm with a cloudtrail.amazonaws.com event source and a StopLogging event name to trigger an AWS Lambda function to call the StartLogging API.
D. Monitor AWS Trusted Advisor to ensure CloudTrail logging is enabled.



Question # 25

A security engineer creates an Amazon S3 bucket policy that denies access to all users. A few days later, the security engineer adds an additional statement to the bucket policy to allow read-only access to one other employee. Even after updating the policy, the employee still receives an access denied message. What is the likely cause of this access denial?

A security engineer is working with a company to design an ecommerce application. The application will run on Amazon EC2 instances that run in an Auto Scaling group behind an Application Load Balancer (ALB). The application will use an Amazon RDS DB instance for its database. The only required connectivity from the internet is for HTTP and HTTPS traffic to the application. The application must communicate with an external payment provider that allows traffic only from a preconfigured allow list of IP addresses. The company must ensure that communications with the external payment provider are not interrupted as the environment scales. Which combination of actions should the security engineer recommend to meet these requirements? (Select THREE.)

A. Deploy a NAT gateway in each private subnet for every Availability Zone that is in use.
B. Place the DB instance in a public subnet.
C. Place the DB instance in a private subnet.
D. Configure the Auto Scaling group to place the EC2 instances in a public subnet.
E. Configure the Auto Scaling group to place the EC2 instances in a private subnet.
F. Deploy the ALB in a private subnet.



Question # 26

A company uses an external identity provider to allow federation into different AWS accounts. A security engineer for the company needs to identify the federated user that terminated a production Amazon EC2 instance a week ago. What is the FASTEST way for the security engineer to identify the federated user?

A. Review the AWS CloudTrail event history logs in an Amazon S3 bucket and look for the TerminateInstances event to identify the federated user from the role session name.
B. Filter the AWS CloudTrail event history for the TerminateInstances event and identify the assumed IAM role. Review the AssumeRoleWithSAML event call in CloudTrail to identify the corresponding username.
C. Search the AWS CloudTrail logs for the TerminateInstances event and note the event time. Review the IAM Access Advisor tab for all federated roles. The last accessed time should match the time when the instance was terminated.
D. Use Amazon Athena to run a SQL query on the AWS CloudTrail logs stored in an Amazon S3 bucket and filter on the TerminateInstances event. Identify the corresponding role and run another query to filter the AssumeRoleWithWebIdentity event for the user name.



Question # 27

A development team is using an AWS Key Management Service (AWS KMS) CMK to try to encrypt and decrypt a secure string parameter from AWS Systems Manager Parameter Store. However, the development team receives an error message on each attempt. Which issues that are related to the CMK could be reasons for the error? (Select TWO.)

A. The CMK that is used in the attempt does not exist.
B. The CMK that is used in the attempt needs to be rotated.
C. The CMK that is used in the attempt is using the CMK's key ID instead of the CMK ARN.
D. The CMK that is used in the attempt is not enabled.
E. The CMK that is used in the attempt is using an alias.



Question # 28

When managing permissions for API Gateway, what can be used to ensure that the right level of permissions is given to developers, IT admins and users? These permissions should be easily managed. Please select:

A. Use the secure token service to manage the permissions for the different users
B. Use IAM Policies to create different policies for the different types of users.
C. Use the AWS Config tool to manage the permissions for the different users
D. Use IAM Access Keys to create sets of keys for the different types of users.



Question # 29

A company is using AWS Organizations to develop a multi-account secure networking strategy. The company plans to use separate centrally managed accounts for shared services, auditing, and security inspection. The company plans to provide dozens of additional accounts to application owners for production and development environments. Company security policy requires that all internet traffic be routed through a centrally managed security inspection layer in the security inspection account. A security engineer must recommend a solution that minimizes administrative overhead and complexity. Which solution meets these requirements?

A. Use AWS Control Tower. Modify the default Account Factory networking template to automatically associate new accounts with a centrally managed VPC through a VPC peering connection and to create a default route to the VPC peer in the default route table. Create an SCP that denies the CreateInternetGateway action. Attach the SCP to all accounts except the security inspection account.
B. Create a centrally managed VPC in the security inspection account. Establish VPC peering connections between the security inspection account and other accounts. Instruct account owners to create default routes in their account route tables that point to the VPC peer. Create an SCP that denies the AttachInternetGateway action. Attach the SCP to all accounts except the security inspection account.
C. Use AWS Control Tower. Modify the default Account Factory networking template to automatically associate new accounts with a centrally managed transit gateway and to create a default route to the transit gateway in the default route table. Create an SCP that denies the AttachInternetGateway action. Attach the SCP to all accounts except the security inspection account.
D. Enable AWS Resource Access Manager (AWS RAM) for AWS Organizations. Create a shared transit gateway, and make it available by using an AWS RAM resource share. Create an SCP that denies the CreateInternetGateway action. Attach the SCP to all accounts except the security inspection account. Create routes in the route tables of all accounts that point to the shared transit gateway.



Question # 30

A security engineer has enabled AWS Security Hub in their AWS account, and has enabled the Center for Internet Security (CIS) AWS Foundations compliance standard. No evaluation results on compliance are returned in the Security Hub console after several hours. The engineer wants to ensure that Security Hub can evaluate their resources for CIS AWS Foundations compliance. Which steps should the security engineer take to meet these requirements?

A. Add full Amazon Inspector IAM permissions to the Security Hub service role to allow it to perform the CIS compliance evaluation
B. Ensure that AWS Trusted Advisor is enabled in the account and that the Security Hub service role has permissions to retrieve the Trusted Advisor security-related recommended actions
C. Ensure that AWS Config is enabled in the account, and that the required AWS Config rules have been created for the CIS compliance evaluation
D. Ensure that the correct trail in AWS CloudTrail has been configured for monitoring by Security Hub and that the Security Hub service role has permissions to perform the GetObject operation on CloudTrail's Amazon S3 bucket



Question # 31

Your company has been using AWS for the past 2 years. They have separate S3 buckets for logging the various AWS services that have been used. They have hired an external vendor for analyzing their log files. The vendor has its own AWS account. What is the best way to ensure that the partner account can access the log files in the company account for analysis? Choose 2 answers from the options given below. Please select:

A. Create an IAM user in the company account
B. Create an IAM Role in the company account
C. Ensure the IAM user has access for read-only to the S3 buckets
D. Ensure the IAM Role has access for read-only to the S3 buckets



Question # 32

A company deployed Amazon GuardDuty in the us-east-1 Region. The company wants all DNS logs that relate to the company's Amazon EC2 instances to be inspected. What should a security engineer do to ensure that the EC2 instances are logged?

A. Use IPv6 addresses that are configured for hostnames.
B. Configure external DNS resolvers as internal resolvers that are visible only to AWS.
C. Use AWS DNS resolvers for all EC2 instances.
D. Configure a third-party DNS resolver with logging for all EC2 instances.



Question # 33

A company deploys a distributed web application on a fleet of Amazon EC2 instances. The fleet is behind an Application Load Balancer (ALB) that will be configured to terminate the TLS connection. All TLS traffic to the ALB must stay secure, even if the certificate private key is compromised. How can a security engineer meet this requirement?

A. Create an HTTPS listener that uses a certificate that is managed by AWS Certificate Manager (ACM).
B. Create an HTTPS listener that uses a security policy that uses a cipher suite with perfect forward secrecy (PFS).
C. Create an HTTPS listener that uses the Server Order Preference security feature.
D. Create a TCP listener that uses a custom security policy that allows only cipher suites with perfect forward secrecy (PFS).



Question # 34

A company's policy requires that all API keys be encrypted and stored separately from source code in a centralized security account. This security account is managed by the company's security team. However, an audit revealed that an API key is stored with the source code of an AWS Lambda function in an AWS CodeCommit repository in the DevOps account. How should the security team securely store the API key?

A. Create a CodeCommit repository in the security account using AWS Key Management Service (AWS KMS) for encryption. Require the development team to migrate the Lambda source code to this repository.
B. Store the API key in an Amazon S3 bucket in the security account using server-side encryption with Amazon S3 managed encryption keys (SSE-S3) to encrypt the key. Create a presigned URL for the S3 key, and specify the URL in a Lambda environment variable in the AWS CloudFormation template. Update the Lambda function code to retrieve the key using the URL and call the API.
C. Create a secret in AWS Secrets Manager in the security account to store the API key using AWS Key Management Service (AWS KMS) for encryption. Grant access to the IAM role used by the Lambda function so that the function can retrieve the key from Secrets Manager and call the API.
D. Create an encrypted environment variable for the Lambda function to store the API key using AWS Key Management Service (AWS KMS) for encryption. Grant access to the IAM role used by the Lambda function so that the function can decrypt the key at runtime.



Question # 35

A company hosts an application on Amazon EC2 that is subject to specific rules for regulatory compliance. One rule states that traffic to and from the workload must be inspected for network-level attacks. This involves inspecting the whole packet. To comply with this regulatory rule, a security engineer must install intrusion detection software on a c5n.4xlarge EC2 instance. The engineer must then configure the software to monitor traffic to and from the application instances. What should the security engineer do next?

A. Place the network interface in promiscuous mode to capture the traffic.
B. Configure VPC Flow Logs to send traffic to the monitoring EC2 instance using a Network Load Balancer.
C. Configure VPC traffic mirroring to send traffic to the monitoring EC2 instance using a Network Load Balancer.
D. Use Amazon Inspector to detect network-level attacks and trigger an AWS Lambda function to send the suspicious packets to the EC2 instance.



Question # 36

You have a requirement to serve up private content using the keys available with CloudFront. How can this be achieved? Please select:

A. Add the keys to the backend distribution.
B. Add the keys to the S3 bucket
C. Create pre-signed URLs
D. Use AWS Access keys



Question # 37

A company's application team wants to replace an internal application with a new AWS architecture that consists of Amazon EC2 instances, an AWS Lambda function, and an Amazon S3 bucket in a single AWS Region. After an architecture review, the security team mandates that no application network traffic can traverse the public internet at any point. The security team already has an SCP in place for the company's organization in AWS Organizations to restrict the creation of internet gateways, NAT gateways, and egress-only gateways. Which combination of steps should the application team take to meet these requirements? (Select THREE.)

A. Create an S3 endpoint that has a full-access policy for the application's VPC.
B. Create an S3 access point for the S3 bucket. Include a policy that restricts the network origin to VPCs.
C. Launch the Lambda function. Enable the block public access configuration.
D. Create a security group that has an outbound rule over port 443 with a destination of the S3 endpoint. Associate the security group with the EC2 instances.
E. Create a security group that has an outbound rule over port 443 with a destination of the S3 access point. Associate the security group with the EC2 instances.
F. Launch the Lambda function in a VPC.



Question # 38

Amazon GuardDuty has detected communications to a known command and control endpoint from a company's Amazon EC2 instance. The instance was found to be running a vulnerable version of a common web framework. The company's security operations team wants to quickly identify other compute resources with the specific version of that framework installed. Which approach should the team take to accomplish this task?

A. Scan all the EC2 instances for noncompliance with AWS Config. Use Amazon Athena to query AWS CloudTrail logs for the framework installation
B. Scan all the EC2 instances with the Amazon Inspector Network Reachability rules package to identify instances running a web server with RecognizedPortWithListener findings
C. Scan all the EC2 instances with AWS Systems Manager to identify the vulnerable version of the web framework
D. Scan all the EC2 instances with AWS Resource Access Manager to identify the vulnerable version of the web framework



Question # 39

A developer at a company uses an SSH key to access multiple Amazon EC2 instances. The company discovers that the SSH key has been posted on a public GitHub repository. A security engineer verifies that the key has not been used recently. How should the security engineer prevent unauthorized access to the EC2 instances?

A. Delete the key pair from the EC2 console. Create a new key pair.
B. Use the ModifyInstanceAttribute API operation to change the key on any EC2 instance that is using the key.
C. Restrict SSH access in the security group to only known corporate IP addresses.
D. Update the key pair in any AMI that is used to launch the EC2 instances. Restart the EC2 instances.



Question # 40

A company plans to create individual child accounts within an existing organization in AWS Organizations for each of its DevOps teams. AWS CloudTrail has been enabled and configured on all accounts to write audit logs to an Amazon S3 bucket in a centralized AWS account. A security engineer needs to ensure that DevOps team members are unable to modify or disable this configuration. How can the security engineer meet these requirements?

A. Create an IAM policy that prohibits changes to the specific CloudTrail trail and apply the policy to the AWS account root user.
B. Create an S3 bucket policy in the specified destination account for the CloudTrail trail that prohibits configuration changes from the AWS account root user in the source account.
C. Create an SCP that prohibits changes to the specific CloudTrail trail and apply the SCP to the appropriate organizational unit or account in Organizations.
D. Create an IAM policy that prohibits changes to the specific CloudTrail trail and apply the policy to a new IAM group. Have team members use individual IAM accounts that are members of the new IAM group.



Question # 41

A company manages multiple AWS accounts using AWS Organizations. The company's security team notices that some member accounts are not sending AWS CloudTrail logs to a centralized Amazon S3 logging bucket. The security team wants to ensure there is at least one trail configured for all existing accounts and for any account that is created in the future. Which set of actions should the security team implement to accomplish this?

A. Create a new trail and configure it to send CloudTrail logs to Amazon S3. Use Amazon EventBridge (Amazon CloudWatch Events) to send notification if a trail is deleted or stopped.
B. Deploy an AWS Lambda function in every account to check if there is an existing trail and create a new trail, if needed.
C. Edit the existing trail in the Organizations master account and apply it to the organization.
D. Create an SCP to deny the cloudtrail:Delete* and cloudtrail:Stop* actions. Apply the SCP to all accounts.


