EMT Practice Test

1. Question Content...


Question List

Question1: An organization has a system in AWS that allows a large number of remote workers to submit data files.
File sizes vary from a few kilobytes to several megabytes. A recent audit highlighted a concern that data
files are not encrypted while in transit over untrusted networks.
Which solution would remediate the audit finding while minimizing the effort required?

Question2: An organization wants to be alerted when an unauthorized Amazon EC2 instance in its VPC performs a
network port scan against other instances in the VPC. When the Security team performs its own internal
tests in a separate account by using pre-approved third-party scanners from the AWS Marketplace, the
Security team also then receives multiple Amazon GuardDuty events from Amazon CloudWatch alerting
on its test activities.
How can the Security team suppress alerts about authorized security tests while still receiving alerts about
the unauthorized activity?

Question3: A Security Engineer has been asked to create an automated process to disable IAM user access keys that
are more than three months old.
Which of the following options should the Security Engineer use?

Question4: A Security Engineer must enforce the use of only Amazon EC2, Amazon S3, Amazon RDS, Amazon
DynamoDB, and AWS STS in specific accounts.
What is a scalable and efficient approach to meet this requirement?

Question5: A company has complex connectivity rules governing ingress, egress, and communications between
Amazon EC2 instances. The rules are so complex that they cannot be implemented within the limits of the
maximum number of security groups and network access control lists (network ACLs).
What mechanism will allow the company to implement all required network rules without incurring
additional cost?

Question6: A water utility company uses a number of Amazon EC2 instances to manage updates to a fleet of 2,000
Internet of Things (IoT) field devices that monitor water quality. These devices each have unique access
credentials.
An operational safety policy requires that access to specific credentials is independently auditable.
What is the MOST cost-effective way to manage the storage of credentials?

Question7: A company's database developer has just migrated an Amazon RDS database credential to be stored and
managed by AWS Secrets Manager. The developer has also enabled rotation of the credential within the
Secrets Manager console and set the rotation to change every 30 days.
After a short period of time, a number of existing applications have failed with authentication errors.
What is the MOST likely cause of the authentication errors?

Question8: Which of the following minimizes the potential attack surface for applications?

Question9: A Developer's laptop was stolen. The laptop was not encrypted, and it contained the SSH key used to
access multiple Amazon EC2 instances. A Security Engineer has verified that the key has not been used,
and has blocked port 22 to all EC2 instances while developing a response plan.
How can the Security Engineer further protect currently running instances?

Question10: A Security Engineer is trying to determine whether the encryption keys used in an AWS service are in
compliance with certain regulatory standards.
Which of the following actions should the Engineer perform to get further guidance?

Question11: An organization has tens of applications deployed on thousands of Amazon EC2 instances. During testing,
the Application team needs information to let them know whether the network access control lists (network
ACLs) and security groups are working as expected.
How can the Application team's requirements be met?

Question12: A threat assessment has identified a risk whereby an internal employee could exfiltrate sensitive data from
production host running inside AWS (Account 1). The threat was documented as follows:
Threat description: A malicious actor could upload sensitive data from Server X by configuring credentials
for an AWS account (Account 2) they control and uploading data to an Amazon S3 bucket within their
control.
Server X has outbound internet access configured via a proxy server. Legitimate access to S3 is required
so that the application can upload encrypted files to an S3 bucket. Server X is currently using an IAM
instance role. The proxy server is not able to inspect any of the server communication due to TLS
encryption.
Which of the following options will mitigate the threat? (Choose two.)

Question13: An application has been written that publishes custom metrics to Amazon CloudWatch. Recently, IAM
change have been made on the account and the metrics are no longer being reported.
Which of the following is the LEAST permissive solution that will allow the metrics to be delivered?

Question14: A Security Engineer must design a solution that enables the incident Response team to audit for changes
to a user's IAM permissions in the case of a security incident.
How can this be accomplished?

Question15: An application outputs logs to a text file. The logs must be continuously monitored for security incidents.
Which design will meet the requirements with MINIMUM effort?

Question16: The Development team receives an error message each time the team members attempt to encrypt or
decrypt a Secure String parameter from the SSM Parameter Store by using an AWS KMS customer
managed key (CMK).
Which CMK-related issues could be responsible? (Choose two.)

Question17: An IAM user with fill EC2 permissions could bot start an Amazon EC2 instance after it was stopped for a
maintenance task. Upon starting the instance, the instance state would change to "Pending", but after a
few seconds, it would switch back to "Stopped".
An inspection revealed that the instance has attached Amazon EBS volumes that were encrypted by using
a Customer Master Key (CMK). When these encrypted volumes were detached, the IAM user was able to
start the EC2 instances.
The IAM user policy is as follows:

What additional items need to be added to the IAM user policy? (Choose two.)

Question18: What is the function of the following AWS Key Management Service (KMS) key policy attached to a
customer master key (CMK)?

Question19: The Information Technology department has stopped using Classic Load Balancers and switched to
Application Load Balancers to save costs. After the switch, some users on older devices are no longer able
to connect to the website.
What is causing this situation?

Question20: A Security Administrator has a website hosted in Amazon S3. The Administrator has been given the
following requirements:
Users may access the website by using an Amazon CloudFront distribution.

Users may not access the website directly by using an Amazon S3 URL.

Which configurations will support these requirements? (Choose two.)

Question21: An organization policy states that all encryption keys must be automatically rotated every 12 months.
Which AWS Key Management Service (KMS) key type should be used to meet this requirement?

Question22: A company has a customer master key (CMK) with imported key materials. Company policy requires that
all encryption keys must be rotated every year.
What can be done to implement the above policy?

Question23: A security team is responsible for reviewing AWS API call activity in the cloud environment for security
violations. These events must be recorded and retained in a centralized location for both current and future
AWS regions.
What is the SIMPLEST way to meet these requirements?

Question24: A distributed web application is installed across several EC2 instances in public subnets residing in two
Availability Zones. Apache logs show several intermittent brute-force attacks from hundreds of IP
addresses at the layer 7 level over the past six months.
What would be the BEST way to reduce the potential impact of these attacks in the future?

Question25: A company requires that IP packet data be inspected for invalid or malicious content.
Which of the following approaches achieve this requirement? (Choose two.)

Question26: Which approach will generate automated security alerts should too many unauthorized AWS API requests
be identified?

Question27: Amazon CloudWatch Logs agent is successfully delivering logs to the CloudWatch Logs service. However,
logs stop being delivered after the associated log stream has been active for a specific number of hours.
What steps are necessary to identify the cause of this phenomenon? (Choose two.)

Question28: An application is currently secured using network access control lists and security groups. Web servers are
located in public subnets behind an Application Load Balancer (ALB); application servers are located in
private subnets.
How can edge security be enhanced to safeguard the Amazon EC2 instances against attack? (Choose
two.)

Question29: The Security Engineer is managing a web application that processes highly sensitive personal information.
The application runs on Amazon EC2. The application has strict compliance requirements, which instruct
that all incoming traffic to the application is protected from common web exploits and that all outgoing
traffic from the EC2 instances is restricted to specific whitelisted URLs.
Which architecture should the Security Engineer use to meet these requirements?

Question30: Compliance requirements state that all communications between company on-premises hosts and EC2
instances be encrypted in transit. Hosts use custom proprietary protocols for their communication, and
EC2 instances need to be fronted by a load balancer for increased availability.
Which of the following solutions will meet these requirements?

Question31: A Solutions Architect is designing a web application that uses Amazon CloudFront, an Elastic Load
Balancing Application Load Balancer, and an Auto Scaling group of Amazon EC2 instances. The load
balancer and EC2 instances are in the US West (Oregon) region. It has been decided that encryption in
transit is necessary by using a customer-branded domain name from the client to CloudFront and from
CloudFront to the load balancer.
Assuming that AWS Certificate Manager is used, how many certificates will need to be generated?

Question32: The Security Engineer implemented a new vault lock policy for 10TB of data and called initiate-
vault-lock12 hours ago. The Audit team identified a typo that is allowing incorrect access to the vault.
What is the MOST cost-effective way to correct this?