

Test title:
test prueba 5

Description:
251-300

Author:
LDN

Creation date:
22/05/2022

Category:
Other

Number of questions: 48
Content:
251.The Security team suspects that a former employee may have acquired unauthorized access to AWS resources using a recognized access key anytime in the last three months. How would the Security team go about determining what the former employee may have done inside AWS? A. Use the AWS CloudTrail console to search for user activity. B. Use the Amazon CloudWatch Logs console to filter CloudTrail data by user. C. Use AWS Config to see what actions were taken by the user. D. Use Amazon Athena to query CloudTrail logs stored in Amazon S3.
252.A Security Engineer logged in as an IAM user to the AWS Management Console and assumed the security role IAM role. To undertake a maintenance operation, the Security Engineer must switch to the maintainer IAM role, which adds the security role to its list of trusted entities. The Security Engineer makes an unsuccessful attempt to switch to the maintainer role. Which of the following is the most probable reason for the failure? A. The security role and the maintainer role are not assigned to the IAM user that the Security Engineer used to sign in to the account. B. The Security Engineer should have logged in as the AWS account root user, which is allowed to assume any role directly. C. The maintainer role does not include the IAM user as a trusted entity. D. The security role does not include a statement in its policy to allow an sts:AssumeRole action.
253.A security engineer is developing a solution that would encrypt communication end to end between clients and Docker containers running on Amazon Elastic Container Service (Amazon ECS). Additionally, this solution must handle variable traffic patterns. Which solution is the MOST scalable and has the LOWEST latency? A. Configure a Network Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers. B. Configure an Application Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers. C. Configure a Network Load Balancer with a TCP listener to pass through TLS traffic to the containers. D. Configure Amazon Route to use multivalue answer routing to send traffic to the containers.
254.A Security Engineer erased imported key material in an AWS KMS CMK by mistake. What is the Security Engineer to do in order to recover the lost key material? A. Create a new CMK. Download a new wrapping key and a new import token to import the original key material. B. Create a new CMK. Use the original wrapping key and import token to import the original key material. C. Download a new wrapping key and a new import token. Import the original key material into the existing CMK. D. Use the original wrapping key and import token. Import the original key material into the existing CMK.
255.A business uses an external identity provider to enable federation across many AWS accounts. A security engineer at the firm wants to determine which federated user terminated a production Amazon EC2 instance a week ago. What is the SECURITY ENGINEER'S FASTEST method of identifying the federated user? A. Review the AWS CloudTrail event history logs in an Amazon S3 bucket and look for the TerminateInstances event to identify the federated user from the role session name. B. Filter the AWS CloudTrail event history for the TerminateInstances event and identify the assumed IAM role. Review the AssumeRoleWithSAML event call in CloudTrail to identify the corresponding username. C. Search the AWS CloudTrail logs for the TerminateInstances event and note the event time. Review the IAM Access Advisor tab for all federated roles. The last accessed time should match the time when the instance was terminated. D. Use Amazon Athena to run a SQL query on the AWS CloudTrail logs stored in an Amazon S3 bucket and filter on the TerminateInstances event. Identify the corresponding role and run another query to filter the AssumeRoleWithWebIdentity event for the user name.
256.Three distinct AWS accounts are used by a business to manage its production, development, and test environments. Each developer is given their own IAM user under the development account. A new application deployed on an Amazon EC2 instance in the development account needs read access to archived documents in the production account's Amazon S3 bucket. Access should be provided in the following manner: A. Create an IAM role in the production account and allow EC2 instance in the development account to assume that role using the trust policy. Provide read access for the required S3 bucket to this role. B. Use a custom identity broker to allow Developer IAM users to temporarily access the S3 bucket. C. Create a temporary IAM user for the application to use in the production account. D. Create a temporary IAM user in the production account and provide read access to Amazon S3. Generate the temporary IAM user's access key and secret key and store these keys on the EC2 instance used by the application in the development account.
257.The business is migrating a multi-petabyte workload to Amazon S3, but the CISO is worried about cryptographic wear-out and the blast radius associated with a key breach. How can the CISO be certain that AWS KMS and Amazon S3 are adequately addressing the issues? (Select two.) A. There is no API operation to retrieve an S3 object in its encrypted form. B. Encryption of S3 objects is performed within the secure boundary of the KMS service. C. S3 uses KMS to generate a unique data key for each individual object. D. Using a single master key to encrypt all data includes having a single place to perform audits and usage validation. E. The KMS encryption envelope digitally signs the master key during encryption to prevent cryptographic wear-out.
258.The Security Engineer for a mobile game is responsible for implementing a means for players to authenticate themselves in order to store their progress. Because the majority of users are members of the same OpenID-compatible social networking website, the Security Engineer wants to use that website as the identity provider. Which option is the SIMPLEST method of allowing users to authenticate using their social network identities? A. Amazon Cognito B. AssumeRoleWithWebIdentity API C. Amazon Cloud Directory D. Active Directory (AD) Connector.
260.Log files are generated by applications running on Amazon EC2 instances and are stored in a subdirectory on the Linux file system. The instances disable console access and file transfer applications such as Secure Copy Protocol (SCP) and Secure File Transfer Protocol (SFTP). The Application Support team wants to monitor the application log files automatically in order to provide alerts in the future. A security engineer is responsible for developing a solution that satisfies the following requirements: ✑ Provide access to the log files through an AWS managed service. ✑ Allow for automated log monitoring. ✑ Provide a graphical user interface for examining log files. ✑ Reduce effort. Which technique satisfies these criteria? A. Modify the application to use the AWS SDK. Write the application logs to an Amazon S3 bucket. B. Install the unified Amazon CloudWatch agent on the instances. Configure the agent to collect the application log files on the EC2 file system and send them to Amazon CloudWatch Logs. C. Install AWS Systems Manager Agent on the instances. Configure an automation document to copy the application log files to AWS DeepLens. D. Install Amazon Kinesis Agent on the instances. Stream the application log files to Amazon Kinesis Data Firehose and set the destination to Amazon Elasticsearch Service.
261.A corporation uses AWS to host a serverless application for internal users. AWS Lambda is used to power the application's front end and business logic. The Lambda function connects to an Amazon RDS database that is contained inside a VPC. The business stores database credentials in AWS Systems Manager Parameter Store. A recent security audit brought to light the following concerns: ✑ The Lambda function has internet access. ✑ The relational database is publicly accessible. ✑ The database credentials are not stored in an encrypted state. Which combination of measures should be taken by the organization to address these security concerns? (Select three.) A. Disable public access to the RDS database inside the VPC. B. Move all the Lambda functions inside the VPC. C. Edit the IAM role used by Lambda to restrict internet access. D. Create a VPC endpoint for Systems Manager. Store the credentials as a string parameter. Change the parameter type to an advanced parameter. E. Edit the IAM role used by RDS to restrict internet access. F. Create a VPC endpoint for Systems Manager. Store the credentials as a SecureString parameter.
262.A multinational corporation must protect itself from and react to DDoS assaults at Layers 3, 4, and 7. The company's whole AWS infrastructure is serverless, with static content stored on Amazon S3 through Amazon CloudFront and Amazon Route 53. Which solution will satisfy these criteria? A. Use AWS WAF with an upgrade to the AWS Business support plan. B. Use AWS Certificate Manager with an Application Load Balancer configured with an origin access identity. C. Use AWS Shield Advanced. D. Use AWS WAF to protect AWS Lambda functions encrypted with AWS KMS, and a NACL restricting all ingress traffic.
263.A Solutions Architect is developing a web application that will make use of Amazon CloudFront, an Elastic Load Balancing Application Load Balancer, and an Auto Scaling group of Amazon EC2 instances. The load balancer and EC2 instances are located in the US West (Oregon) region. It has been determined that encryption in transit is required between the client and CloudFront, as well as between CloudFront and the load balancer. How many certificates would need to be created if AWS Certificate Manager is used? A. One in the US West (Oregon) region and one in the US East (Virginia) region. B. Two in the US West (Oregon) region and none in the US East (Virginia) region. C. One in the US West (Oregon) region and none in the US East (Virginia) region. D. Two in the US East (Virginia) region and none in the US West (Oregon) region.
264.A business currently uses Microsoft Active Directory to control access to on-premises resources and wants to employ the same mechanism for AWS accounts. Additionally, the Development team intends to develop a public-facing application for which a distinct authentication solution is required. Which of the following combinations would meet these requirements? (Select two.) A. Set up domain controllers on Amazon EC2 to extend the on-premises directory to AWS. B. Establish network connectivity between on-premises and the user's VPC. C. Use Amazon Cognito user pools for application authentication. D. Use AD Connector for application authentication. E. Set up federated sign-in to AWS through ADFS and SAML.
265.A business requires the migration of multiple apps to AWS. This will need the storage of over 5,000 credentials. To ensure compliance, the organization will continue to utilize its current password management system for key rotation, auditing, and interaction with third-party secrets containers. The business operates on a shoestring budget and is looking for the most cost-effective option that is also secure. How should the business go about doing this at the LOWEST possible cost? A. Configure the company's key management solution to integrate with AWS Systems Manager Parameter Store. B. Configure the company's key management solution to integrate with AWS Secrets Manager. C. Use an Amazon S3 encrypted bucket to store the secrets and configure the applications with the appropriate roles to access the secrets. D. Configure the company's key management solution to integrate with AWS CloudHSM.
266.A software engineer created a bespoke reporting service that would be deployed across a fleet of Amazon EC2 machines. According to the company's security policy, application logs for the reporting service must be gathered centrally. Which method is the MOST EFFECTIVE in meeting these requirements? A. Write an AWS Lambda function that logs into the EC2 instance to pull the application logs from the EC2 instance and persists them into an Amazon S3 bucket. B. Enable AWS CloudTrail logging for the AWS account, create a new Amazon S3 bucket, and then configure Amazon CloudWatch Logs to receive the application logs from CloudTrail. C. Create a simple cron job on the EC2 instances that synchronizes the application logs to an Amazon S3 bucket by using rsync. D. Install the Amazon CloudWatch Logs Agent on the EC2 instances, and configure it to send the application logs to CloudWatch Logs.
267.A business has many AWS production accounts and a central AWS security account. The security account is used for centralized monitoring and has IAM access to all resources associated with each corporate account. All of the company's Amazon S3 buckets are labeled with a value indicating their contents' data categorization. In the security account, a security engineer is installing a monitoring system that will ensure bucket policy compliance. The system must monitor S3 buckets across all production accounts and ensure that any policy changes are consistent with the data categorization of the bucket. If there is a modification that violates compliance, the Security team must be informed immediately. Which action combination would result in the needed solution? (Select three.) A. Configure Amazon CloudWatch Events in the production accounts to send all S3 events to the security account event bus. B. Enable Amazon GuardDuty in the security account, and join the production accounts as members. C. Configure an Amazon CloudWatch Events rule in the security account to detect S3 bucket creation or modification events. D. Enable AWS Trusted Advisor and activate email notifications for an email address assigned to the security contact. E. Invoke an AWS Lambda function in the security account to analyze S3 bucket settings in response to S3 events, and send non-compliance notifications to the Security team. F. Configure event notifications on S3 buckets for PUT, POST, and DELETE events.
268.A security engineer is collaborating with a product team on the development of a web application hosted on AWS. The application makes use of Amazon S3 for static content storage, Amazon API Gateway for RESTful service provisioning, and Amazon DynamoDB for backend data storage. Users are already stored in a directory that is accessible through a SAML identity provider. Which of the following tasks should the Engineer do in order to allow users to log into the web application and use APIs? (Select three.) A. Create a custom authorization service using AWS Lambda. B. Configure a SAML identity provider in Amazon Cognito to map attributes to the Amazon Cognito user pool attributes. C. Configure the SAML identity provider to add the Amazon Cognito user pool as a relying party. D. Configure an Amazon Cognito identity pool to integrate with social login providers. E. Update DynamoDB to store the user email addresses and passwords. F. Update API Gateway to use a COGNITO_USER_POOLS authorizer.
269.A business collects AWS CloudTrail log data from several AWS accounts by maintaining separate trails inside each account and transmitting log data to a centralized Amazon S3 bucket located in a log archive account. Following the addition of support for AWS Organizations trails by CloudTrail, the organization chose to centralize administration and automate deployment of the CloudTrail logging capabilities across all of its AWS accounts. The security engineer for the organization created an AWS Organizations trail in the master account, enabled server-side encryption for the log files using AWS KMS managed keys (SSE-KMS), and designated the same bucket as the storage location. The engineer noted, however, that the new trail was not delivering logs to the bucket. Which things might contribute to this problem? (Select two.) A. The CMK key policy does not allow CloudTrail to make encrypt and decrypt API calls against the key. B. The CMK key policy does not allow CloudTrail to make GenerateDatakey API calls against the key. C. The IAM role used by the CloudTrail trail does not have permissions to make PutObject API calls against a folder created for the Organizations trail. D. The S3 bucket policy does not allow CloudTrail to make PutObject API calls against a folder created for the Organizations trail. E. The CMK key policy does not allow the IAM role used by the CloudTrail trail to use the key for cryptographical operations.
270.A business intends to move a confidential dataset to Amazon S3. A Security Engineer is responsible for ensuring that data is encrypted at rest. The encryption solution must allow the business to create its own keys without requiring management of key storage or encryption. What tools and techniques should the Security Engineer use to do this? A. Server-side encryption with Amazon S3-managed keys (SSE-S3) B. Server-side encryption with AWS KMS-managed keys (SSE-KMS) C. Server-side encryption with customer-provided keys (SSE-C) D. Client-side encryption with an AWS KMS-managed CMK.
271.At the moment, an application is protected by network access control lists and security groups. Web servers are situated behind an Application Load Balancer (ALB) on public subnets, whereas application servers are located in private subnets. How can edge security be improved in order to protect Amazon EC2 instances from attack? (Select two.) A. Configure the application's EC2 instances to use NAT gateways for all inbound traffic. B. Move the web servers to private subnets without public IP addresses. C. Configure AWS WAF to provide DDoS attack protection for the ALB. D. Require all inbound network traffic to route through a bastion host in the private subnet. E. Require all inbound and outbound network traffic to route through an AWS Direct Connect connection.
272.A Security Engineer has been tasked with the responsibility of developing an automated mechanism for deactivating IAM user access credentials that are more than three months old. Which of the following choices is appropriate for the Security Engineer? A. In the AWS Console, choose the IAM service and select Users. Review the Access Key Age column. B. Define an IAM policy that denies access if the key age is more than three months and apply to all users. C. Write a script that uses the GenerateCredentialReport, GetCredentialReport, and UpdateAccessKey APIs. D. Create an Amazon CloudWatch alarm to detect aged access keys and use an AWS Lambda function to disable the keys older than 90 days.
273.A security engineer saw an abnormally large volume of traffic emanating from a single IP address. This was determined via an examination of the Application Load Balancer's access logs. How can a security engineer restrict the amount of requests coming from a certain IP address without banning it? A. Add a rule to the Application Load Balancer to route the traffic originating from the IP address in question and show a static webpage. B. Implement a rate-based rule with AWS WAF. C. Use AWS Shield to limit the originating traffic hit rate. D. Implement the GeoLocation feature in Amazon Route 53.
274.An Amazon EC2 instance is denied access to a newly created AWS KMS CMK when it attempts decrypt operations. The environment is configured as follows: ✑ The instance is allowed the kms:Decrypt action in its IAM role for all resources. ✑ The AWS KMS CMK status is set to enabled. ✑ The instance can communicate with the KMS API using a configured VPC endpoint. What is the source of the problem? A. The kms:GenerateDataKey permission is missing from the EC2 instance's IAM role B. The ARN tag on the CMK contains the EC2 instance's ID instead of the instance's ARN C. The kms:Encrypt permission is missing from the EC2 IAM role D. The KMS CMK key policy that enables IAM user permissions is missing.
275.A recent internal investigation showed that all API logging had been deactivated on a production account, and the root user had produced fresh API keys that seemed to have been used several times. What might have been done to prevent the situation from occurring in the first place? A. Using Amazon Inspector, review all of the API calls and configure the inspector agent to leverage SNS topics to notify security of the change to AWS CloudTrail, and revoke the new API keys for the root user. B. Using AWS Config, create a config rule that detects when AWS CloudTrail is disabled, as well as any calls to the root user create-api-key. Then use a Lambda function to re-enable CloudTrail logs and deactivate the root API keys. C. Using Amazon CloudWatch, create a CloudWatch event that detects AWS CloudTrail deactivation and a separate Amazon Trusted Advisor check to automatically detect the creation of root API keys. Then use a Lambda function to enable AWS CloudTrail and deactivate the root API keys. D. Using Amazon CloudTrail, create a new CloudTrail event that detects the deactivation of CloudTrail logs, and a separate CloudTrail event that detects the creation of root API keys. Then use a Lambda function to enable CloudTrail and deactivate the root API keys.
276.A security engineer has constructed an Amazon CloudWatch event that triggers the execution of an AWS Lambda function on a regular basis. The Lambda function runs an Amazon Athena query that searches AWS CloudTrail logs in Amazon S3 for the creation of any IAM user accounts or credentials in the last 30 days. The Athena query returns results to the same S3 bucket. The Engineer tests the Lambda function through the AWS Console and confirms that it works correctly. After a few moments, the Engineer discovers that his Athena query has failed with the following error message: "Insufficient Permissions". The Security Engineer's and Lambda function's IAM permissions are indicated below: What is the source of the error? A. The Lambda function does not have permissions to start the Athena query execution. B. The Security Engineer does not have permissions to start the Athena query execution. C. The Athena service does not support invocation through Lambda. D. The Lambda function does not have permissions to access the CloudTrail S3 bucket.
277.The application team has requested a new AWS KMS master key for use with Amazon S3; however, the corporate security policy mandates that master keys for different AWS services be kept separate to limit blast radius. How can an AWS KMS customer master key (CMK) be restricted to function solely with Amazon S3? A. Configure the CMK key policy to allow only the Amazon S3 service to use the kms:Encrypt action. B. Configure the CMK key policy to allow AWS KMS actions only when the kms:ViaService condition matches the Amazon S3 service name. C. Configure the IAM user's policy to allow KMS to pass a role to Amazon S3. D. Configure the IAM user's policy to allow only Amazon S3 operations when they are combined with the CMK.
278.The Security Engineer is responsible for the administration of a web application that handles extremely sensitive personal data. Amazon EC2 is used to host the application. The application is subject to stringent compliance requirements, which include the need that all incoming traffic to the application be secured against common web vulnerabilities and that all outbound traffic from the EC2 instances be limited to particular whitelisted URLs. Which architecture should the Security Engineer choose in order to satisfy these requirements? A. Use AWS Shield to scan inbound traffic for web exploits. Use VPC Flow Logs and AWS Lambda to restrict egress traffic to specific whitelisted URLs. B. Use AWS Shield to scan inbound traffic for web exploits. Use a third-party AWS Marketplace solution to restrict egress traffic to specific whitelisted URLs. C. Use AWS WAF to scan inbound traffic for web exploits. Use VPC Flow Logs and AWS Lambda to restrict egress traffic to specific whitelisted URLs. D. Use AWS WAF to scan inbound traffic for web exploits. Use a third-party AWS Marketplace solution to restrict egress traffic to specific whitelisted URLs.
279.A business wishes to manage access to its AWS resources via the use of identities and groups specified in its current Microsoft Active Directory. What must the organization construct in its AWS account in order to match AWS service permissions to Active Directory user attributes? A. AWS IAM groups B. AWS IAM users C. AWS IAM roles D. AWS IAM access keys.
280.The on-premises networks of a business are linked to VPCs using an AWS Direct Connect gateway. The on-premises application of the business requires data streaming over an existing Amazon Kinesis Data Firehose delivery stream. According to the company's security policy, data must be encrypted during transit through a private network. How should the business go about meeting these requirements? A. Create a VPC endpoint for Kinesis Data Firehose. Configure the application to connect to the VPC endpoint. B. Configure an IAM policy to restrict access to Kinesis Data Firehose using a source IP condition. Configure the application to connect to the existing Firehose delivery stream. C. Create a new TLS certificate in AWS Certificate Manager (ACM). Create a public-facing Network Load Balancer (NLB) and select the newly created TLS certificate. Configure the NLB to forward all traffic to Kinesis Data Firehose. Configure the application to connect to the NLB. D. Peer the on-premises network with the Kinesis Data Firehose VPC using Direct Connect. Configure the application to connect to the existing Firehose delivery stream.
281.AWS Organizations is being used by a business to manage several AWS accounts. The organization offers an application that enables users to assume the AppUser IAM role in order to retrieve files from an Amazon S3 bucket that has been encrypted using an AWS KMS CMK. When users attempt to access the files in the S3 bucket, they get an access denied error. What actions should a security engineer take to resolve this error? (Select three.) A. Ensure the KMS policy allows the AppUser role to have permission to decrypt for the CMK. B. Ensure the S3 bucket policy allows the AppUser role to have permission to get objects for the S3 bucket. C. Ensure the CMK was created before the S3 bucket. D. Ensure the S3 block public access feature is enabled for the S3 bucket. E. Ensure that automatic key rotation is disabled for the CMK. F. Ensure the SCPs within Organizations allow access to the S3 bucket.
282.During a recent security assessment, it was revealed that various teams within a big corporation had stored restricted data in multiple Amazon S3 buckets, which may have exposed the data. The auditor has demanded that the company identify all potentially compromised items containing personally identifiable information (PII) and then assess if this information has been accessed. Which solution enables the Security team to successfully accomplish this request? A. Using Amazon Athena, query the impacted S3 buckets by using the PII query identifier function. Then, create a new Amazon CloudWatch metric for Amazon S3 object access to alert when the objects are accessed. B. Enable Amazon Macie on the S3 buckets that were impacted, then perform data classification. For identified objects that contain PII, use the research function for auditing AWS CloudTrail logs and S3 bucket logs for GET operations. C. Enable Amazon GuardDuty and enable the PII rule set on the S3 buckets that were impacted, then perform data classification. Using the PII findings report from GuardDuty, query the S3 bucket logs by using Athena for GET operations. D. Enable Amazon Inspector on the S3 buckets that were impacted, then perform data classification. For identified objects that contain PII, query the S3 bucket logs by using Athena for GET operations.
283.A developer who adheres to AWS's best practices for secure code development requires that an application encrypt sensitive data held at rest, locally inside the application, using AWS KMS. What is the easiest and MOST SECURE method of decrypting this data in the event that it is required? A. Request KMS to provide the stored unencrypted data key and then use the retrieved data key to decrypt the data. B. Keep the plaintext data key stored in Amazon DynamoDB protected with IAM policies. Query DynamoDB to retrieve the data key to decrypt the data C. Use the Encrypt API to store an encrypted version of the data key with another customer managed key. Decrypt the data key and use it to decrypt the data when required. D. Store the encrypted data key alongside the encrypted data. Use the Decrypt API to retrieve the data key to decrypt the data when required.
284.An incident response plan is being developed by a security engineer to mitigate the risk of a compromised Amazon EC2 instance. The plan must provide a recommendation for a solution that satisfies the following requirements: ✑ A trusted forensic environment must be provisioned. ✑ Automated response processes must be orchestrated. Which Amazon Web Services (AWS) services should be included in the plan? (Select two.) A. AWS CloudFormation B. Amazon GuardDuty C. Amazon Inspector D. Amazon Macie E. AWS Step Functions.
285.A business intends to migrate the majority of its IT infrastructure to AWS. They want to use their current on-premises Active Directory as the identity provider for AWS. Which combination of steps should a Security Engineer take to federate the organization's on-premises Active Directory with AWS? (Select two.) A. Create IAM roles with permissions corresponding to each Active Directory group. B. Create IAM groups with permissions corresponding to each Active Directory group. C. Configure Amazon Cloud Directory to support a SAML provider. D. Configure Active Directory to add relying party trust between Active Directory and AWS. E. Configure Amazon Cognito to add relying party trust between Active Directory and AWS.
286.Developers at a corporation want to transition on-premises apps to Amazon EC2 instances using Amazon Linux AMIs. A set of partner firms has access to the apps. For these situations, the Security Engineer must apply the following host-based security measures: ✑ Block traffic from documented known bad IP addresses. ✑ Detect known software vulnerabilities and CIS Benchmarks compliance. Which solution satisfies these criteria? A. Launch the EC2 instances with an IAM role attached. Include a user data script that uses the AWS CLI to retrieve the list of bad IP addresses from AWS Secrets Manager, and uploads it as a threat list in Amazon GuardDuty. Use Amazon Inspector to scan the instances for known software vulnerabilities and CIS Benchmarks compliance. B. Launch the EC2 instances with an IAM role attached. Include a user data script that uses the AWS CLI to create NACLs blocking ingress traffic from the known bad IP addresses in the EC2 instance's subnets. Use AWS Systems Manager to scan the instances for known software vulnerabilities, and AWS Trusted Advisor to check instances for CIS Benchmarks compliance. C. Launch the EC2 instances with an IAM role attached. Include a user data script that uses the AWS CLI to create and attach security groups that only allow an allow listed source IP address range inbound. Use Amazon Inspector to scan the instances for known software vulnerabilities, and AWS Trusted Advisor to check instances for CIS Benchmarks compliance. D. Launch the EC2 instances with an IAM role attached. Include a user data script that creates a cron job to periodically retrieve the list of bad IP addresses from Amazon S3, and configures iptables on the instances blocking the list of bad IP addresses. Use Amazon Inspector to scan the instances for known software vulnerabilities and CIS Benchmarks compliance.
287.A company's Security Engineer has been tasked with restricting a contractor's IAM account to the company's Amazon EC2 console without granting access to any other AWS service. The contractor's IAM account must not be able to gain access to any other AWS service, even if the account is granted additional permissions through IAM group membership. What should the Security Engineer do to meet these requirements? A. Create an inline IAM user policy that allows Amazon EC2 access for the contractor's IAM user. B. Create an IAM permissions boundary policy that allows Amazon EC2 access. Associate the contractor's IAM account with the IAM permissions boundary policy. C. Create an IAM group with an attached policy that allows Amazon EC2 access. Associate the contractor's IAM account with the IAM group. D. Create an IAM role that allows EC2 and explicitly denies all other services. Instruct the contractor to always assume this role.
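The requirement in question 287 hinges on how a permissions boundary interacts with the identity-based policies a user picks up from groups: the boundary never grants anything by itself, it only caps what the user's other policies can grant. The following is an added example, not part of the quiz, that models this in a toy evaluator. The policy documents (an inline EC2 policy, a constructed "devops" group policy that adds S3 permissions, and an EC2-only boundary) are constructed for illustration. The model is deliberately simplified: it evaluates action names only and ignores resource ARNs, conditions, NotAction, resource-based policies and SCPs.

```python
"""Toy IAM evaluator: identity policies ANDed with a permissions boundary.

Simplified model (assumption, not the full IAM logic): a request is allowed
only if at least one identity-based policy allows the action, the boundary
(if any) also allows it, and no policy explicitly denies it.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _decision(policy, action):
    """Return "Deny", "Allow" or None for one policy document."""
    result = None
    for stmt in _as_list(policy["Statement"]):
        patterns = _as_list(stmt.get("Action", []))
        # IAM matches action names case-insensitively; * and ? are wildcards.
        if not any(fnmatchcase(action.lower(), p.lower()) for p in patterns):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny in any policy always wins
        result = "Allow"
    return result


def is_allowed(action, identity_policies, boundary=None):
    decisions = [_decision(p, action) for p in identity_policies]
    if "Deny" in decisions:
        return False
    if "Allow" not in decisions:
        return False  # implicit deny: nothing granted the action
    if boundary is None:
        return True
    # The boundary cannot grant; it only has to agree with the grant above.
    return _decision(boundary, action) == "Allow"


# Constructed policies for the contractor scenario (not from the quiz).
CONTRACTOR_INLINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}
# A group the contractor is later added to; it hands out S3 and PassRole.
DEVOPS_GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:*", "iam:PassRole"], "Resource": "*"}],
}
# The permissions boundary attached to the contractor's IAM user.
EC2_ONLY_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}


def contractor_can(action, with_boundary=True):
    """Effective decision for the contractor, with or without the boundary."""
    return is_allowed(
        action,
        [CONTRACTOR_INLINE_POLICY, DEVOPS_GROUP_POLICY],
        EC2_ONLY_BOUNDARY if with_boundary else None,
    )


if __name__ == "__main__":
    for act in ("ec2:DescribeInstances", "s3:GetObject", "iam:PassRole"):
        print(f"{act:25} boundary={contractor_can(act)!s:5} "
              f"no boundary={contractor_can(act, with_boundary=False)}")
```

With the boundary in place, group membership that adds `s3:*` changes nothing for the contractor; remove the boundary and the same group membership immediately grants S3 access, which is the gap options A and C leave open. Option D does not help either, because a role the contractor may choose to assume does not constrain what the IAM user itself can do with its group-granted permissions.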
288.A security engineer manages several thousand Amazon EC2 instances, divided between production and development environments. Each instance is tagged with its environment. The Engineer must analyze and patch all development EC2 instances to ensure they are not currently vulnerable to any common vulnerabilities and exposures (CVEs). Which combination of steps provides the Engineer with the MOST EFFECTIVE way to meet these requirements? (Select two.) A. Log on to each EC2 instance, check and export the different software versions installed, and verify this against a list of current CVEs. B. Install the Amazon Inspector agent on all development instances. Build a custom rule package, and configure Inspector to perform a scan using this custom rule package on all instances tagged as being in the development environment. C. Install the Amazon Inspector agent on all development instances. Configure Inspector to perform a scan using the CVE rule package on all instances tagged as being in the development environment. D. Install the AWS Systems Manager Agent on all development instances. Use Systems Manager Run Command to update all instances. E. Use AWS Trusted Advisor to check that all EC2 instances have been patched to the most recent version of the operating system and installed software.
289.A company has multiple AWS accounts that are managed with AWS Organizations. The company's security team wants to ensure that even administrators with full access to the company's AWS accounts are unable to access the company's Amazon S3 buckets. How can this be achieved? A. Use SCPs. B. Add a permissions boundary to deny access to Amazon S3 and attach it to all roles. C. Use an S3 bucket policy. D. Create a VPC endpoint for Amazon S3 and deny statements for access to Amazon S3.
290.A company's security engineer is centralizing all application logs in consolidated Amazon S3 buckets. Currently, each application in the organization runs in its own AWS account, and its logs are stored in S3 buckets associated with that account. Each account will have an AWS Lambda function that uploads the required log files to the centralized S3 bucket. The Security Engineer is unable to view log data stored in the centralized S3 bucket. The Engineer's IAM user policy, defined in the centralized account, is as follows: What is preventing the Security Engineer from gaining access to the log files? A. The S3 bucket policy does not explicitly allow the Security Engineer access to the objects in the bucket. B. The object ACLs are not being updated to allow the users within the centralized account to access the objects. C. The Security Engineer's IAM policy does not grant permissions to read objects in the S3 bucket. D. The s3:PutObject and s3:PutObjectAcl permissions should be applied at the S3 bucket level.
291.A company is required by regulation to rotate its encryption keys annually. A security engineer needs a process for rotating AWS KMS customer master keys (CMKs) created from imported key material. How can the Engineer carry out the key rotation? A. Create a new CMK, and redirect the existing key alias to the new CMK. B. Select the option to auto-rotate the key. C. Upload new key material into the existing CMK. D. Create a new CMK, and change the application to point to the new CMK.
292.While securing the connection between a company's VPC and its on-premises data center, a Security Engineer issued a ping command from an on-premises server (IP address 203.0.113.12) to an Amazon EC2 instance (IP address 172.31.16.139). The ping command returned no response. The VPC's flow log contained the following records: 2 123456789010 eni-1235b8ca 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK 2 123456789010 eni-1235b8ca 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK What needs to be done to enable the ping to work? A. In the security group of the EC2 instance, allow inbound ICMP traffic. B. In the security group of the EC2 instance, allow outbound ICMP traffic. C. In the VPC's NACL, allow inbound ICMP traffic. D. In the VPC's NACL, allow outbound ICMP traffic.
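Question 292 is really a flow-log reading exercise, and the reasoning is worth encoding: security groups are stateful, so once the inbound ICMP request is ACCEPTed its reply is permitted by the security group regardless of outbound rules, whereas network ACLs are stateless and evaluate the reply as a separate outbound flow. A REJECT on the reply leg after an ACCEPT on the request leg can therefore only come from the NACL's outbound rules. The following is an added example, not part of the quiz, that parses the two records quoted in the question and applies that logic. It assumes the default VPC flow log format (version 2, fourteen space-separated fields in the order listed in the code); the records themselves are the constructed exam data from the question, not real traffic.

```python
"""Parse VPC flow log records and explain a one-way ICMP failure.

Field order is the default version-2 flow log format (assumption; custom
formats reorder or drop fields). Protocol numbers follow IANA: 1 = ICMP.
"""
from dataclasses import dataclass

FIELD_NAMES = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
               "srcport", "dstport", "protocol", "packets", "bytes",
               "start", "end", "action", "log_status")
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# The two records quoted in question 292 (constructed exam data).
FLOW_LOG_SAMPLE = (
    "2 123456789010 eni-1235b8ca 203.0.113.12 172.31.16.139 0 0 1 4 336 "
    "1432917027 1432917142 ACCEPT OK\n"
    "2 123456789010 eni-1235b8ca 172.31.16.139 203.0.113.12 0 0 1 4 336 "
    "1432917094 1432917142 REJECT OK\n"
)


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    protocol: int
    action: str

    @property
    def protocol_name(self):
        return PROTOCOL_NAMES.get(self.protocol, str(self.protocol))


def parse_flow_log(text):
    """Return FlowRecords for every record whose log-status is OK."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != len(FIELD_NAMES):
            raise ValueError(f"unexpected field count in record: {line!r}")
        f = dict(zip(FIELD_NAMES, parts))
        if f["log_status"] != "OK":  # NODATA / SKIPDATA carry no verdict
            continue
        records.append(FlowRecord(f["interface_id"], f["srcaddr"],
                                  f["dstaddr"], int(f["protocol"]),
                                  f["action"]))
    return records


def diagnose(records, instance_ip, peer_ip, protocol=1):
    """Name the control that most likely dropped peer<->instance traffic."""
    inbound = [r for r in records if r.dstaddr == instance_ip
               and r.srcaddr == peer_ip and r.protocol == protocol]
    outbound = [r for r in records if r.srcaddr == instance_ip
                and r.dstaddr == peer_ip and r.protocol == protocol]
    if not inbound:
        return "no_inbound_record"
    if any(r.action == "REJECT" for r in inbound):
        # Flow logs do not distinguish a security-group drop from a NACL drop
        # on the request leg; both are needed to admit the request.
        return "inbound_blocked_by_security_group_or_nacl"
    if any(r.action == "REJECT" for r in outbound):
        # Request was accepted, so the stateful security group already allows
        # the reply; only the stateless NACL evaluates the reply separately.
        return "nacl_outbound"
    return "ok" if outbound else "no_reply_seen"


if __name__ == "__main__":
    recs = parse_flow_log(FLOW_LOG_SAMPLE)
    for r in recs:
        print(f"{r.srcaddr} -> {r.dstaddr} {r.protocol_name} {r.action}")
    print(diagnose(recs, instance_ip="172.31.16.139", peer_ip="203.0.113.12"))
```

Two practical caveats when applying this to a real investigation: the default format does not record ICMP type and code (the two zeros are the port fields), so it cannot tell an echo request from its reply except by direction; and a drop by a host firewall such as iptables never appears as REJECT at all, since the packet is never handed to the ENI.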
293.A company has hundreds of AWS accounts and a centralized Amazon S3 bucket used to collect AWS CloudTrail logs for all of these accounts. A security engineer wants to build a solution that will allow the company to run ad hoc queries against its CloudTrail logs going back three years, to the time the trails were first enabled in the company's AWS accounts. How can the company achieve this with the least administrative overhead? A. Run an Amazon EMR cluster that uses a MapReduce job to examine the CloudTrail trails. B. Use the event history feature of the CloudTrail console to query the CloudTrail trails. C. Write an AWS Lambda function to query the CloudTrail trails. Configure the Lambda function to be executed whenever a new file is created in the CloudTrail S3 bucket. D. Create an Amazon Athena table that points at the S3 bucket the CloudTrail trails are being written to. Use Athena to run queries against the trails.
294.A company wants to be notified when a rogue Amazon EC2 instance running in its VPC performs a network port scan against other instances in the VPC. When the Security team conducts internal testing from a separate account using pre-approved third-party scanners from the AWS Marketplace, the Security team also receives multiple Amazon GuardDuty findings, forwarded through Amazon CloudWatch, alerting on the Security team's own test activity. How can the security team suppress notifications for permitted security testing while still receiving alerts for unauthorized activity? A. Use a filter in AWS CloudTrail to exclude the IP addresses of the Security team's EC2 instances. B. Add the Elastic IP addresses of the Security team's EC2 instances to a trusted IP list in Amazon GuardDuty. C. Install the Amazon Inspector agent on the EC2 instances that the Security team uses. D. Grant the Security team's EC2 instances a role with permissions to call Amazon GuardDuty API operations.
295.An AWS Lambda function was misused to modify data, and a Security Engineer must determine who invoked the function and what output was produced. The Engineer cannot find any logs for the Lambda function in Amazon CloudWatch Logs. Which of the following best explains the absence of logs? A. The execution role for the Lambda function did not grant permissions to write log data to CloudWatch Logs. B. The Lambda function was executed by using Amazon API Gateway, so the logs are not stored in CloudWatch Logs. C. The execution role for the Lambda function did not grant permissions to write to the Amazon S3 bucket where CloudWatch Logs stores the logs. D. The version of the Lambda function that was executed was not current.
296.A company has a strict policy against the use of root credentials. The company's security team wants to be notified immediately if root credentials are used to sign in to the AWS Management Console. How should the security team accomplish this? A. Use AWS Lambda to periodically query AWS CloudTrail for console login events and send alerts using Amazon Simple Notification Service (Amazon SNS). B. Use Amazon EventBridge (Amazon CloudWatch Events) to monitor console logins and direct them to Amazon Simple Notification Service (Amazon SNS). C. Use Amazon Athena to query AWS SSO logs and send alerts using Amazon Simple Notification Service (Amazon SNS) for root login events. D. Configure AWS Resource Access Manager to review the access logs and send alerts using Amazon Simple Notification Service (Amazon SNS).
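Whatever the delivery mechanism, the detection in question 296 comes down to an event pattern that singles out a CloudTrail console sign-in by the root user. The following is an added example, not part of the quiz, that writes that pattern down and checks it against constructed sign-in events with a minimal matcher. The matcher implements only EventBridge's exact-match semantics (a leaf value must equal one of the listed values, nested objects recurse, fields absent from the pattern are ignored); prefix, numeric and anything-but matching are not implemented. The sample events are constructed and trimmed to the fields the pattern examines; real CloudTrail events carry many more fields.

```python
"""EventBridge-style pattern for root console sign-ins, with a toy matcher.

The pattern uses the field names CloudTrail emits for console sign-ins:
detail-type "AWS Console Sign In via CloudTrail", eventSource
signin.amazonaws.com, eventName ConsoleLogin, userIdentity.type Root.
"""

ROOT_CONSOLE_LOGIN_PATTERN = {
    "detail-type": ["AWS Console Sign In via CloudTrail"],
    "detail": {
        "eventSource": ["signin.amazonaws.com"],
        "eventName": ["ConsoleLogin"],
        "userIdentity": {"type": ["Root"]},
    },
}


def matches(pattern, event):
    """Subset of EventBridge matching: exact leaf values, recursive objects."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif isinstance(actual, list):
            # An event array matches if any element equals a listed value.
            if not any(a in expected for a in actual):
                return False
        elif actual not in expected:
            return False
    return True


# Constructed events (not real CloudTrail output), trimmed to relevant fields.
ROOT_LOGIN_EVENT = {
    "source": "aws.signin",
    "detail-type": "AWS Console Sign In via CloudTrail",
    "detail": {
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "Root", "accountId": "123456789012"},
        "responseElements": {"ConsoleLogin": "Success"},
        "sourceIPAddress": "203.0.113.12",
    },
}
IAM_USER_LOGIN_EVENT = {
    "source": "aws.signin",
    "detail-type": "AWS Console Sign In via CloudTrail",
    "detail": {
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
}
ROOT_API_CALL_EVENT = {
    "source": "aws.iam",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateUser",
        "userIdentity": {"type": "Root"},
    },
}


def root_console_logins(events):
    """Return the events that would fire the SNS target."""
    return [e for e in events if matches(ROOT_CONSOLE_LOGIN_PATTERN, e)]


if __name__ == "__main__":
    hits = root_console_logins([ROOT_LOGIN_EVENT, IAM_USER_LOGIN_EVENT,
                                ROOT_API_CALL_EVENT])
    for e in hits:
        print("ALERT root console login from", e["detail"]["sourceIPAddress"])
```

Two things to check before relying on this in an account: console sign-in events are global service events, so the EventBridge rule must live in the Region where CloudTrail delivers them (us-east-1 for standard commercial accounts), and the pattern as written also fires on failed root sign-in attempts, which is normally what you want; add `"responseElements": {"ConsoleLogin": ["Success"]}` under `detail` if only successful logins should page someone. The pattern dictionary is what goes into `aws events put-rule --event-pattern` once serialized to JSON.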
297.The Security Engineer is given the following requirements for an application that will run on Amazon EC2 and be managed through AWS CloudFormation templates and EC2 Auto Scaling groups: -Ensure that the EC2 instances are launched and configured to connect to a backend database. -Ensure that database credentials are managed securely. -Ensure that all retrievals of database credentials are logged. Which of the following approaches is the MOST EFFECTIVE for meeting these requirements? A. Pass database credentials to EC2 by using CloudFormation stack parameters with the property set to true. Ensure that the instance is configured to log to Amazon CloudWatch Logs. B. Store database passwords in AWS Systems Manager Parameter Store by using SecureString parameters. Set the IAM role for the EC2 instance profile to allow access to the parameters. C. Create an AWS Lambda function that ingests the database password and persists it to Amazon S3 with server-side encryption. Have the EC2 instances retrieve the S3 object on startup, and log all script invocations to syslog. D. Write a script that is passed in as UserData so that it is executed upon launch of the EC2 instance. Ensure that the instance is configured to log to Amazon CloudWatch Logs.
298.A development team has asked for help configuring IAM roles and policies in a newly created AWS account. The team using the account expects to have hundreds of master keys and does not want to manage access control for customer master keys (CMKs) in individual key policies. Which of the following will enable the team to manage AWS KMS permissions in IAM without modifying individual key policies? A. The account's CMK key policy must allow the account's IAM roles to perform KMS EnableKey. B. Newly created CMKs must have a key policy that allows the root principal to perform all actions. C. Newly created CMKs must allow the root principal to perform the kms:CreateGrant API operation. D. Newly created CMKs must mirror the IAM policy of the KMS key administrator.
300.A security engineer is setting up a new Amazon Web Services (AWS) account. The engineer has been tasked with continuously monitoring the company's AWS account using automated compliance checks based on AWS best practices and the Center for Internet Security (CIS) AWS Foundations Benchmark. How can the security engineer accomplish this using AWS services? A. Enable AWS Config and set it to record all resources in all Regions and global resources. Then enable AWS Security Hub and confirm that the CIS AWS Foundations compliance standard is enabled. B. Enable Amazon Inspector and configure it to scan all Regions for the CIS AWS Foundations Benchmarks. Then enable AWS Security Hub and configure it to ingest the Amazon Inspector findings. C. Enable Amazon Inspector and configure it to scan all Regions for the CIS AWS Foundations Benchmarks. Then enable AWS Shield in all Regions to protect the account from DDoS attacks. D. Enable AWS Config and set it to record all resources in all Regions and global resources. Then enable Amazon Inspector and configure it to enforce CIS AWS Foundations Benchmarks using AWS Config rules.