MoreExam
1. Question Content...
EXPLANATION
Answer: X - EXPLANATION Content.
Question1: An organization has a system in AWS that allows a large number of remote workers to submit data files.File sizes vary from a few kilobytes to several megabytes. A recent audit highlighted a concern that datafiles are not encrypted while in transit over untrusted networks.Which solution would remediate the audit finding while minimizing the effort required?
Question2: An organization wants to be alerted when an unauthorized Amazon EC2 instance in its VPC performs anetwork port scan against other instances in the VPC. When the Security team performs its own internaltests in a separate account by using pre-approved third-party scanners from the AWS Marketplace, theSecurity team also then receives multiple Amazon GuardDuty events from Amazon CloudWatch alertingon its test activities.How can the Security team suppress alerts about authorized security tests while still receiving alerts aboutthe unauthorized activity?
Question3: A Security Engineer has been asked to create an automated process to disable IAM user access keys thatare more than three months old.Which of the following options should the Security Engineer use?
Question4: A Security Engineer must enforce the use of only Amazon EC2, Amazon S3, Amazon RDS, AmazonDynamoDB, and AWS STS in specific accounts.What is a scalable and efficient approach to meet this requirement?
Question5: A company has complex connectivity rules governing ingress, egress, and communications betweenAmazon EC2 instances. The rules are so complex that they cannot be implemented within the limits of themaximum number of security groups and network access control lists (network ACLs).What mechanism will allow the company to implement all required network rules without incurringadditional cost?
Question6: A water utility company uses a number of Amazon EC2 instances to manage updates to a fleet of 2,000Internet of Things (IoT) field devices that monitor water quality. These devices each have unique accesscredentials.An operational safety policy requires that access to specific credentials is independently auditable.What is the MOST cost-effective way to manage the storage of credentials?
Question7: A company's database developer has just migrated an Amazon RDS database credential to be stored andmanaged by AWS Secrets Manager. The developer has also enabled rotation of the credential within theSecrets Manager console and set the rotation to change every 30 days.After a short period of time, a number of existing applications have failed with authentication errors.What is the MOST likely cause of the authentication errors?
Question8: Which of the following minimizes the potential attack surface for applications?
Question9: A Developer's laptop was stolen. The laptop was not encrypted, and it contained the SSH key used toaccess multiple Amazon EC2 instances. A Security Engineer has verified that the key has not been used,and has blocked port 22 to all EC2 instances while developing a response plan.How can the Security Engineer further protect currently running instances?
Question10: A Security Engineer is trying to determine whether the encryption keys used in an AWS service are incompliance with certain regulatory standards.Which of the following actions should the Engineer perform to get further guidance?
Question11: An organization has tens of applications deployed on thousands of Amazon EC2 instances. During testing,the Application team needs information to let them know whether the network access control lists (networkACLs) and security groups are working as expected.How can the Application team's requirements be met?
Question12: A threat assessment has identified a risk whereby an internal employee could exfiltrate sensitive data fromproduction host running inside AWS (Account 1). The threat was documented as follows:Threat description: A malicious actor could upload sensitive data from Server X by configuring credentialsfor an AWS account (Account 2) they control and uploading data to an Amazon S3 bucket within theircontrol.Server X has outbound internet access configured via a proxy server. Legitimate access to S3 is requiredso that the application can upload encrypted files to an S3 bucket. Server X is currently using an IAMinstance role. The proxy server is not able to inspect any of the server communication due to TLSencryption.Which of the following options will mitigate the threat? (Choose two.)
Question13: An application has been written that publishes custom metrics to Amazon CloudWatch. Recently, IAMchange have been made on the account and the metrics are no longer being reported.Which of the following is the LEAST permissive solution that will allow the metrics to be delivered?
Question14: A Security Engineer must design a solution that enables the incident Response team to audit for changesto a user's IAM permissions in the case of a security incident.How can this be accomplished?
Question15: An application outputs logs to a text file. The logs must be continuously monitored for security incidents.Which design will meet the requirements with MINIMUM effort?
Question16: The Development team receives an error message each time the team members attempt to encrypt ordecrypt a Secure String parameter from the SSM Parameter Store by using an AWS KMS customermanaged key (CMK).Which CMK-related issues could be responsible? (Choose two.)
Question17: An IAM user with fill EC2 permissions could bot start an Amazon EC2 instance after it was stopped for amaintenance task. Upon starting the instance, the instance state would change to "Pending", but after afew seconds, it would switch back to "Stopped".An inspection revealed that the instance has attached Amazon EBS volumes that were encrypted by usinga Customer Master Key (CMK). When these encrypted volumes were detached, the IAM user was able tostart the EC2 instances.The IAM user policy is as follows:What additional items need to be added to the IAM user policy? (Choose two.)
Question18: What is the function of the following AWS Key Management Service (KMS) key policy attached to acustomer master key (CMK)?
Question19: The Information Technology department has stopped using Classic Load Balancers and switched toApplication Load Balancers to save costs. After the switch, some users on older devices are no longer ableto connect to the website.What is causing this situation?
Question20: A Security Administrator has a website hosted in Amazon S3. The Administrator has been given thefollowing requirements:Users may access the website by using an Amazon CloudFront distribution.Users may not access the website directly by using an Amazon S3 URL.Which configurations will support these requirements? (Choose two.)
Question21: An organization policy states that all encryption keys must be automatically rotated every 12 months.Which AWS Key Management Service (KMS) key type should be used to meet this requirement?
Question22: A company has a customer master key (CMK) with imported key materials. Company policy requires thatall encryption keys must be rotated every year.What can be done to implement the above policy?
Question23: A security team is responsible for reviewing AWS API call activity in the cloud environment for securityviolations. These events must be recorded and retained in a centralized location for both current and futureAWS regions.What is the SIMPLEST way to meet these requirements?
Question24: A distributed web application is installed across several EC2 instances in public subnets residing in twoAvailability Zones. Apache logs show several intermittent brute-force attacks from hundreds of IPaddresses at the layer 7 level over the past six months.What would be the BEST way to reduce the potential impact of these attacks in the future?
Question25: A company requires that IP packet data be inspected for invalid or malicious content.Which of the following approaches achieve this requirement? (Choose two.)
Question26: Which approach will generate automated security alerts should too many unauthorized AWS API requestsbe identified?
Question27: Amazon CloudWatch Logs agent is successfully delivering logs to the CloudWatch Logs service. However,logs stop being delivered after the associated log stream has been active for a specific number of hours.What steps are necessary to identify the cause of this phenomenon? (Choose two.)
Question28: An application is currently secured using network access control lists and security groups. Web servers arelocated in public subnets behind an Application Load Balancer (ALB); application servers are located inprivate subnets.How can edge security be enhanced to safeguard the Amazon EC2 instances against attack? (Choosetwo.)
Question29: The Security Engineer is managing a web application that processes highly sensitive personal information.The application runs on Amazon EC2. The application has strict compliance requirements, which instructthat all incoming traffic to the application is protected from common web exploits and that all outgoingtraffic from the EC2 instances is restricted to specific whitelisted URLs.Which architecture should the Security Engineer use to meet these requirements?
Question30: Compliance requirements state that all communications between company on-premises hosts and EC2instances be encrypted in transit. Hosts use custom proprietary protocols for their communication, andEC2 instances need to be fronted by a load balancer for increased availability.Which of the following solutions will meet these requirements?
Question31: A Solutions Architect is designing a web application that uses Amazon CloudFront, an Elastic LoadBalancing Application Load Balancer, and an Auto Scaling group of Amazon EC2 instances. The loadbalancer and EC2 instances are in the US West (Oregon) region. It has been decided that encryption intransit is necessary by using a customer-branded domain name from the client to CloudFront and fromCloudFront to the load balancer.Assuming that AWS Certificate Manager is used, how many certificates will need to be generated?
Question32: The Security Engineer implemented a new vault lock policy for 10TB of data and called initiate-vault-lock12 hours ago. The Audit team identified a typo that is allowing incorrect access to the vault.What is the MOST cost-effective way to correct this?