EMT Practice Test

1. Question Content...


Question List

Question1: A Security Engineer who was reviewing AWS Key Management Service (AWS KMS) key policies found
this statement in each key policy in the company AWS account.

What does the statement allow?

Question2: A Security Administrator is performing a log analysis as a result of a suspected AWS account compromise.
The Administrator wants to analyze suspicious AWS CloudTrail log files but is overwhelmed by the volume
of audit logs being generated.
What approach enables the Administrator to search through the logs MOST efficiently?

Question3: A company wants to control access to its AWS resources by using identities and groups that are defined in
its existing Microsoft Active Directory.
What must the company create in its AWS account to map permissions for AWS services to Active
Directory user attributes?

Question4: A company requires that IP packet data be inspected for invalid or malicious content.
Which of the following approaches achieve this requirement? (Choose two.)

Question5: During a recent security audit, it was discovered that multiple teams in a large organization have placed
restricted data in multiple Amazon S3 buckets, and the data may have been exposed. The auditor has
requested that the organization identify all possible objects that contain personally identifiable information
(PII) and then determine whether this information has been accessed.
What solution will allow the Security team to complete this request?

Question6: The Security team believes that a former employee may have gained unauthorized access to AWS
resources sometime in the past 3 months by using an identified access key.
What approach would enable the Security team to find out what the former employee may have done
within AWS?

Question7: A company has complex connectivity rules governing ingress, egress, and communications between
Amazon EC2 instances. The rules are so complex that they cannot be implemented within the limits of the
maximum number of security groups and network access control lists (network ACLs).
What mechanism will allow the company to implement all required network rules without incurring
additional cost?

Question8: The InfoSec team has mandated that in the future only approved Amazon Machine Images (AMIs) can be
used.
How can the InfoSec team ensure compliance with this mandate?

Question9: A Software Engineer wrote a customized reporting service that will run on a fleet of Amazon EC2
instances. The company security policy states that application logs for the reporting service must be
centrally collected.
What is the MOST efficient way to meet these requirements?

Question10: An organization wants to be alerted when an unauthorized Amazon EC2 instance in its VPC performs a
network port scan against other instances in the VPC. When the Security team performs its own internal
tests in a separate account by using pre-approved third-party scanners from the AWS Marketplace, the
Security team also then receives multiple Amazon GuardDuty events from Amazon CloudWatch alerting
on its test activities.
How can the Security team suppress alerts about authorized security tests while still receiving alerts about
the unauthorized activity?

Question11: Amazon CloudWatch Logs agent is successfully delivering logs to the CloudWatch Logs service. However,
logs stop being delivered after the associated log stream has been active for a specific number of hours.
What steps are necessary to identify the cause of this phenomenon? (Choose two.)

Question12: A company's database developer has just migrated an Amazon RDS database credential to be stored and
managed by AWS Secrets Manager. The developer has also enabled rotation of the credential within the
Secrets Manager console and set the rotation to change every 30 days.
After a short period of time, a number of existing applications have failed with authentication errors.
What is the MOST likely cause of the authentication errors?

Question13: The Development team receives an error message each time the team members attempt to encrypt or
decrypt a Secure String parameter from the SSM Parameter Store by using an AWS KMS customer
managed key (CMK).
Which CMK-related issues could be responsible? (Choose two.)

Question14: A Systems Engineer has been tasked with configuring outbound mail through Simple Email Service (SES)
and requires compliance with current TLS standards.
The mail application should be configured to connect to which of the following endpoints and
corresponding ports?

Question15: The Security Engineer for a mobile game has to implement a method to authenticate users so that they
can save their progress. Because most of the users are part of the same OpenID-Connect compatible
social media website, the Security Engineer would like to use that as the identity provider.
Which solution is the SIMPLEST way to allow the authentication of users using their social media
identities?

Question16: Which option for the use of the AWS Key Management Service (KMS) supports key management best
practices that focus on minimizing the potential scope of data exposed by a possible future key
compromise?

Question17: An organization has a system in AWS that allows a large number of remote workers to submit data files.
File sizes vary from a few kilobytes to several megabytes. A recent audit highlighted a concern that data
files are not encrypted while in transit over untrusted networks.
Which solution would remediate the audit finding while minimizing the effort required?

Question18: A Software Engineer is trying to figure out why network connectivity to an Amazon EC2 instance does not
appear to be working correctly. Its security group allows inbound HTTP traffic from 0.0.0.0/0, and the
outbound rules have not been modified from the default. A custom network ACL associated with its subnet
allows inbound HTTP traffic from 0.0.0.0/0 and has no outbound rules.
What would resolve the connectivity issue?

Question19: A company has a customer master key (CMK) with imported key materials. Company policy requires that
all encryption keys must be rotated every year.
What can be done to implement the above policy?

Question20: The Security Engineer is managing a web application that processes highly sensitive personal information.
The application runs on Amazon EC2. The application has strict compliance requirements, which instruct
that all incoming traffic to the application is protected from common web exploits and that all outgoing
traffic from the EC2 instances is restricted to specific whitelisted URLs.
Which architecture should the Security Engineer use to meet these requirements?

Question21: A Security Administrator is restricting the capabilities of company root user accounts. The company uses
AWS Organizations and has enabled it for all feature sets, including consolidates billing. The top-level
account is used for billing and administrative purposes, not for operational AWS resource purposes.
How can the Administrator restrict usage of member root user accounts across the organization?

Question22: An organization is using Amazon CloudWatch Logs with agents deployed on its Linux Amazon EC2
instances. The agent configuration files have been checked and the application log files to be pushed are
configured correctly. A review has identified that logging from specific instances is missing.
Which steps should be taken to troubleshoot the issue? (Choose two.)

Question23: A company will store sensitive documents in three Amazon S3 buckets based on a data classification
scheme of "Sensitive," "Confidential," and "Restricted." The security solution must meet all of the following
requirements:
Each object must be encrypted using a unique key.

Items that are stored in the "Restricted" bucket require two-factor authentication for decryption.

AWS KMS must automatically rotate encryption keys annually.

Which of the following meets these requirements?

Question24: An employee accidentally exposed an AWS access key and secret access key during a public
presentation. The company Security Engineer immediately disabled the key.
How can the Engineer assess the impact of the key exposure and ensure that the credentials were not
misused? (Choose two.)

Question25: An application outputs logs to a text file. The logs must be continuously monitored for security incidents.
Which design will meet the requirements with MINIMUM effort?

Question26: An application has a requirement to be resilient across not only Availability Zones within the application's
primary region but also be available within another region altogether.
Which of the following supports this requirement for AWS resources that are encrypted by AWS KMS?

Question27: A company uses AWS Organization to manage 50 AWS accounts. The finance staff members logs in as
AWS IAM users in the FinanceDept AWS account. The staff members need to read the consolidates billing
information in the MasterPayer AWS account. They should not be able to view any other resources in the
MasterPayer AWS account. IAM access to billing has been enabled in the MasterPayer account.
Which of the following approaches grants the finance staff the permissions they require without granting
any unnecessary permissions?

Question28: A Security Engineer has created an Amazon CloudWatch event that invokes an AWS Lambda function
daily. The Lambda function runs an Amazon Athena query that checks AWS CloudTrail logs in Amazon S3
to detect whether any IAM user accounts or credentials have been created in the past 30 days. The results
of the Athena query are created in the same S3 bucket. The Engineer runs a test execution of the Lambda
function via the AWS Console, and the function runs successfully.
After several minutes, the Engineer finds that his Athena query has failed with the error message:
"Insufficient Permissions". The IAM permissions of the Security Engineer and the Lambda function are
shown below:
Security Engineer

Lambda function execution role

What is causing the error?

Question29: An IAM user with fill EC2 permissions could bot start an Amazon EC2 instance after it was stopped for a
maintenance task. Upon starting the instance, the instance state would change to "Pending", but after a
few seconds, it would switch back to "Stopped".
An inspection revealed that the instance has attached Amazon EBS volumes that were encrypted by using
a Customer Master Key (CMK). When these encrypted volumes were detached, the IAM user was able to
start the EC2 instances.
The IAM user policy is as follows:

What additional items need to be added to the IAM user policy? (Choose two.)
kms:GenerateDataKey

Question30: An organization policy states that all encryption keys must be automatically rotated every 12 months.
Which AWS Key Management Service (KMS) key type should be used to meet this requirement?

Question31: A financial institution has the following security requirements:
Cloud-based users must be contained in a separate authentication domain.

Cloud-based users cannot access on-premises systems.

As part of standing up a cloud environment, the financial institution is creating a number of Amazon
managed databases and Amazon EC2 instances. An Active Directory service exists on-premises that has
all the administrator accounts, and these must be able to access the databases and instances.
How would the organization manage its resources in the MOST secure manner? (Choose two.)