MoreExam
1. Question Content...
EXPLANATION
Answer: X - EXPLANATION Content.
Question1: A Security Engineer who was reviewing AWS Key Management Service (AWS KMS) key policies foundthis statement in each key policy in the company AWS account.What does the statement allow?
Question2: A Security Administrator is performing a log analysis as a result of a suspected AWS account compromise.The Administrator wants to analyze suspicious AWS CloudTrail log files but is overwhelmed by the volumeof audit logs being generated.What approach enables the Administrator to search through the logs MOST efficiently?
Question3: A company wants to control access to its AWS resources by using identities and groups that are defined inits existing Microsoft Active Directory.What must the company create in its AWS account to map permissions for AWS services to ActiveDirectory user attributes?
Question4: A company requires that IP packet data be inspected for invalid or malicious content.Which of the following approaches achieve this requirement? (Choose two.)
Question5: During a recent security audit, it was discovered that multiple teams in a large organization have placedrestricted data in multiple Amazon S3 buckets, and the data may have been exposed. The auditor hasrequested that the organization identify all possible objects that contain personally identifiable information(PII) and then determine whether this information has been accessed.What solution will allow the Security team to complete this request?
Question6: The Security team believes that a former employee may have gained unauthorized access to AWSresources sometime in the past 3 months by using an identified access key.What approach would enable the Security team to find out what the former employee may have donewithin AWS?
Question7: A company has complex connectivity rules governing ingress, egress, and communications betweenAmazon EC2 instances. The rules are so complex that they cannot be implemented within the limits of themaximum number of security groups and network access control lists (network ACLs).What mechanism will allow the company to implement all required network rules without incurringadditional cost?
Question8: The InfoSec team has mandated that in the future only approved Amazon Machine Images (AMIs) can beused.How can the InfoSec team ensure compliance with this mandate?
Question9: A Software Engineer wrote a customized reporting service that will run on a fleet of Amazon EC2instances. The company security policy states that application logs for the reporting service must becentrally collected.What is the MOST efficient way to meet these requirements?
Question10: An organization wants to be alerted when an unauthorized Amazon EC2 instance in its VPC performs anetwork port scan against other instances in the VPC. When the Security team performs its own internaltests in a separate account by using pre-approved third-party scanners from the AWS Marketplace, theSecurity team also then receives multiple Amazon GuardDuty events from Amazon CloudWatch alertingon its test activities.How can the Security team suppress alerts about authorized security tests while still receiving alerts aboutthe unauthorized activity?
Question11: Amazon CloudWatch Logs agent is successfully delivering logs to the CloudWatch Logs service. However,logs stop being delivered after the associated log stream has been active for a specific number of hours.What steps are necessary to identify the cause of this phenomenon? (Choose two.)
Question12: A company's database developer has just migrated an Amazon RDS database credential to be stored andmanaged by AWS Secrets Manager. The developer has also enabled rotation of the credential within theSecrets Manager console and set the rotation to change every 30 days.After a short period of time, a number of existing applications have failed with authentication errors.What is the MOST likely cause of the authentication errors?
Question13: The Development team receives an error message each time the team members attempt to encrypt ordecrypt a Secure String parameter from the SSM Parameter Store by using an AWS KMS customermanaged key (CMK).Which CMK-related issues could be responsible? (Choose two.)
Question14: A Systems Engineer has been tasked with configuring outbound mail through Simple Email Service (SES)and requires compliance with current TLS standards.The mail application should be configured to connect to which of the following endpoints andcorresponding ports?
Question15: The Security Engineer for a mobile game has to implement a method to authenticate users so that theycan save their progress. Because most of the users are part of the same OpenID-Connect compatiblesocial media website, the Security Engineer would like to use that as the identity provider.Which solution is the SIMPLEST way to allow the authentication of users using their social mediaidentities?
Question16: Which option for the use of the AWS Key Management Service (KMS) supports key management bestpractices that focus on minimizing the potential scope of data exposed by a possible future keycompromise?
Question17: An organization has a system in AWS that allows a large number of remote workers to submit data files.File sizes vary from a few kilobytes to several megabytes. A recent audit highlighted a concern that datafiles are not encrypted while in transit over untrusted networks.Which solution would remediate the audit finding while minimizing the effort required?
Question18: A Software Engineer is trying to figure out why network connectivity to an Amazon EC2 instance does notappear to be working correctly. Its security group allows inbound HTTP traffic from 0.0.0.0/0, and theoutbound rules have not been modified from the default. A custom network ACL associated with its subnetallows inbound HTTP traffic from 0.0.0.0/0 and has no outbound rules.What would resolve the connectivity issue?
Question19: A company has a customer master key (CMK) with imported key materials. Company policy requires thatall encryption keys must be rotated every year.What can be done to implement the above policy?
Question20: The Security Engineer is managing a web application that processes highly sensitive personal information.The application runs on Amazon EC2. The application has strict compliance requirements, which instructthat all incoming traffic to the application is protected from common web exploits and that all outgoingtraffic from the EC2 instances is restricted to specific whitelisted URLs.Which architecture should the Security Engineer use to meet these requirements?
Question21: A Security Administrator is restricting the capabilities of company root user accounts. The company usesAWS Organizations and has enabled it for all feature sets, including consolidates billing. The top-levelaccount is used for billing and administrative purposes, not for operational AWS resource purposes.How can the Administrator restrict usage of member root user accounts across the organization?
Question22: An organization is using Amazon CloudWatch Logs with agents deployed on its Linux Amazon EC2instances. The agent configuration files have been checked and the application log files to be pushed areconfigured correctly. A review has identified that logging from specific instances is missing.Which steps should be taken to troubleshoot the issue? (Choose two.)
Question23: A company will store sensitive documents in three Amazon S3 buckets based on a data classificationscheme of "Sensitive," "Confidential," and "Restricted." The security solution must meet all of the followingrequirements:Each object must be encrypted using a unique key.Items that are stored in the "Restricted" bucket require two-factor authentication for decryption.AWS KMS must automatically rotate encryption keys annually.Which of the following meets these requirements?
Question24: An employee accidentally exposed an AWS access key and secret access key during a publicpresentation. The company Security Engineer immediately disabled the key.How can the Engineer assess the impact of the key exposure and ensure that the credentials were notmisused? (Choose two.)
Question25: An application outputs logs to a text file. The logs must be continuously monitored for security incidents.Which design will meet the requirements with MINIMUM effort?
Question26: An application has a requirement to be resilient across not only Availability Zones within the application'sprimary region but also be available within another region altogether.Which of the following supports this requirement for AWS resources that are encrypted by AWS KMS?
Question27: A company uses AWS Organization to manage 50 AWS accounts. The finance staff members logs in asAWS IAM users in the FinanceDept AWS account. The staff members need to read the consolidates billinginformation in the MasterPayer AWS account. They should not be able to view any other resources in theMasterPayer AWS account. IAM access to billing has been enabled in the MasterPayer account.Which of the following approaches grants the finance staff the permissions they require without grantingany unnecessary permissions?
Question28: A Security Engineer has created an Amazon CloudWatch event that invokes an AWS Lambda functiondaily. The Lambda function runs an Amazon Athena query that checks AWS CloudTrail logs in Amazon S3to detect whether any IAM user accounts or credentials have been created in the past 30 days. The resultsof the Athena query are created in the same S3 bucket. The Engineer runs a test execution of the Lambdafunction via the AWS Console, and the function runs successfully.After several minutes, the Engineer finds that his Athena query has failed with the error message:"Insufficient Permissions". The IAM permissions of the Security Engineer and the Lambda function areshown below:Security EngineerLambda function execution roleWhat is causing the error?
Question29: An IAM user with fill EC2 permissions could bot start an Amazon EC2 instance after it was stopped for amaintenance task. Upon starting the instance, the instance state would change to "Pending", but after afew seconds, it would switch back to "Stopped".An inspection revealed that the instance has attached Amazon EBS volumes that were encrypted by usinga Customer Master Key (CMK). When these encrypted volumes were detached, the IAM user was able tostart the EC2 instances.The IAM user policy is as follows:What additional items need to be added to the IAM user policy? (Choose two.)kms:GenerateDataKey
Question30: An organization policy states that all encryption keys must be automatically rotated every 12 months.Which AWS Key Management Service (KMS) key type should be used to meet this requirement?
Question31: A financial institution has the following security requirements:Cloud-based users must be contained in a separate authentication domain.Cloud-based users cannot access on-premises systems.As part of standing up a cloud environment, the financial institution is creating a number of Amazonmanaged databases and Amazon EC2 instances. An Active Directory service exists on-premises that hasall the administrator accounts, and these must be able to access the databases and instances.How would the organization manage its resources in the MOST secure manner? (Choose two.)