MoreExam
1. Question Content...
EXPLANATION
Answer: X - EXPLANATION Content.
Question1: A Software Engineer is trying to figure out why network connectivity to an Amazon EC2 instance does not appear to be working correctly. Its security group allows inbound HTTP traffic from 0.0.0.0/0, and the outbound rules have not been modified from the default. A custom network ACL associated with its subnet allows inbound HTTP traffic from 0.0.0.0/0 and has no outbound rules.What would resolve the connectivity issue?
Question2: You are planning on hosting a web application on AWS. You create an EC2 Instance in a public subnet. This instance needs to connect to an EC2 Instance that will host an Oracle database. Which of the following steps should be followed to ensure a secure setup is in place? Select 2 answers.Please select:
Question3: There is a set of Ec2 Instances in a private subnet. The application hosted on these EC2 Instances need to access a DynamoDB table. It needs to be ensured that traffic does not flow out to the internet. How can this be achieved?Please select:
Question4: A security team is creating a response plan in the event an employee executes unauthorized actions on AWS infrastructure. They want to include steps to determine if the employee's 1AM permissions changed as part of the incident.What steps should the team document in the plan?Please select:
Question5: Your company has many AWS accounts defined and all are managed via AWS Organizations. One AWS account has a S3 bucket that has critical data. How can we ensure that all the users in the AWS organisation have access to this bucket?Please select:
Question6: You have several S3 buckets defined in your AWS account. You need to give access to external AWS accounts to these S3 buckets. Which of the following can allow you to define the permissions for the external accounts? Choose 2 answers from the options given below Please select:
Question7: An application has been built with Amazon EC2 instances that retrieve messages from Amazon SQS.Recently, IAM changes were made and the instances can no longer retrieve messages.What actions should be taken to troubleshoot the issue while maintaining least privilege. (Select two.)
Question8: Which technique can be used to integrate AWS 1AM (Identity and Access Management) with an on-premise LDAP (Lightweight Directory Access Protocol) directory service?Please select:
Question9: A customer has an instance hosted in the AWS Public Cloud. The VPC and subnet used to host the Instance have been created with the default settings for the Network Access Control Lists. They need to provide an IT Administrator secure access to the underlying instance. How can this be accomplished.Please select:
Question10: An application is currently secured using network access control lists and security groups. Web servers are located in public subnets behind an Application Load Balancer (ALB); application servers are located in private subnets.How can edge security be enhanced to safeguard the Amazon EC2 instances against attack? (Choose two.)
Question11: You have private video content in S3 that you want to serve to subscribed users on the Internet. User IDs, credentials, and subscriptions are stored in an Amazon RDS database. Which configuration will allow you to securely serve private content to your users?Please select:
Question12: Your company has just set up a new central server in a VPC. There is a requirement for other teams who have their servers located in different VPC's in the same region to connect to the central server. Which of the below options is best suited to achieve this requirement.Please select:
Question13: A new application will be deployed on EC2 instances in private subnets. The application will transfer sensitive data to and from an S3 bucket. Compliance requirements state that the data must not traverse the public internet. Which solution meets the compliance requirement?Please select:
Question14: You need to create a policy and apply it for just an individual user. How could you accomplish this in the right way?Please select:
Question15: A Security Engineer has discovered that, although encryption was enabled on the Amazon S3 bucket examplebucket, anyone who has access to the bucket has the ability to retrieve the files. The Engineer wants to limit access to each IAM user can access an assigned folder only.What should the Security Engineer do to achieve this?
Question16: A Security Architect is evaluating managed solutions for storage of encryption keys. The requirements are:-Storage is accessible by using only VPCs.-Service has tamper-evident controls.-Access logging is enabled.-Storage has high availability.Which of the following services meets these requirements?
Question17: Your CTO is very worried about the security of your AWS account. How best can you prevent hackers from completely hijacking your account?Please select:
Question18: What is the result of the following bucket policy?Choose the correct answer:Please select:
Question19: An organization has tens of applications deployed on thousands of Amazon EC2 instances. During testing, the Application team needs information to let them know whether the network access control lists (network ACLs) and security groups are working as expected.How can the Application team's requirements be met?
Question20: You are building a large-scale confidential documentation web server on AWSand all of the documentation for it will be stored on S3. One of the requirements is that it cannot be publicly accessible from S3 directly, and you will need to use Cloud Front to accomplish this. Which of the methods listed below would satisfy the requirements as outlined? Choose an answer from the options below Please select:
Question21: An application running on EC2 instances in a VPC must access sensitive data in the data center. The access must be encrypted in transit and have consistent low latency. Which hybrid architecture will meet these requirements?Please select:
Question22: A Security Analyst attempted to troubleshoot the monitoring of suspicious security group changes. The Analyst was told that there is an Amazon CloudWatch alarm in place for these AWS CloudTrail log events.The Analyst tested the monitoring setup by making a configuration change to the security group but did not receive any alerts.Which of the following troubleshooting steps should the Analyst perform?
Question23: Your company has an EC2 Instance hosted in AWS. This EC2 Instance hosts an application. Currently this application is experiencing a number of issues. You need to inspect the network packets to see what the type of error that is occurring? Which one of the below steps can help address this issue?Please select:
Question24: Compliance requirements state that all communications between company on-premises hosts and EC2 instances be encrypted in transit. Hosts use custom proprietary protocols for their communication, and EC2 instances need to be fronted by a load balancer for increased availability.Which of the following solutions will meet these requirements?
Question25: What is the function of the following AWS Key Management Service (KMS) key policy attached to a customer master key (CMK)?
Question26: A company uses identity federation to authenticate users into an identity account (987654321987) where the users assume an IAM role named IdentityRole. The users then assume an IAM role named JobFunctionRole in the target AWS account (123456789123) to perform their job functions.A user is unable to assume the IAM role in the target account. The policy attached to the role in the identity account is:What should be done to enable the user to assume the appropriate role in the target account?
Question27: A threat assessment has identified a risk whereby an internal employee could exfiltrate sensitive data from production host running inside AWS (Account 1). The threat was documented as follows:Threat description: A malicious actor could upload sensitive data from Server X by configuring credentials for an AWS account (Account 2) they control and uploading data to an Amazon S3 bucket within their control.Server X has outbound internet access configured via a proxy server. Legitimate access to S3 is required so that the application can upload encrypted files to an S3 bucket. Server X is currently using an IAM instance role. The proxy server is not able to inspect any of the server communication due to TLS encryption.Which of the following options will mitigate the threat? (Choose two.)
Question28: You have a web site that is sitting behind AWS Cloudfront. You need to protect the web site against threats such as SQL injection and Cross site scripting attacks. Which of the following service can help in such a scenario Please select:
Question29: The Security Engineer created a new AWS Key Management Service (AWS KMS) key with the following key policy:What are the effects of the key policy? (Choose two.)
Question30: A Solutions Architect is designing a web application that uses Amazon CloudFront, an Elastic Load Balancing Application Load Balancer, and an Auto Scaling group of Amazon EC2 instances. The load balancer and EC2 instances are in the US West (Oregon) region. It has been decided that encryption in transit is necessary by using a customer-branded domain name from the client to CloudFront and from CloudFront to the load balancer.Assuming that AWS Certificate Manager is used, how many certificates will need to be generated?
Question31: Your IT Security department has mandated that all data on EBS volumes created for underlying EC2 Instances need to be encrypted. Which of the following can help achieve this?Please select:
Question32: Your developer is using the KMS service and an assigned key in their Java program. They get the below error when running the code arn:aws:iam::113745388712:user/UserB is not authorized to perform: kms:DescribeKey Which of the following could help resolve the issue?Please select:
Question33: A company runs an application on AWS that needs to be accessed only by employees. Most employees work from the office, but others work remotely or travel.How can the Security Engineer protect this workload so that only employees can access it?
Question34: A company has several Customer Master Keys (CMK), some of which have imported key material. Each CMK must be rotated annually.What two methods can the security team use to rotate each key? Select 2 answers from the options given below Please select:
Question35: Your company has a set of EC2 Instances that are placed behind an ELB. Some of the applications hosted on these instances communicate via a legacy protocol. There is a security mandate that all traffic between the client and the EC2 Instances need to be secure. How would you accomplish this?Please select:
Question36: A company maintains sensitive data in an Amazon S3 bucket that must be protected using an AWS KMS CMK. The company requires that keys be rotated automatically every year.How should the bucket be configured?
Question37: Your company use AWS KMS for management of its customer keys. From time to time, there is a requirement to delete existing keys as part of housekeeping activities. What can be done during the deletion process to verify that the key is no longer being used.Please select:
Question38: An organization is moving non-business-critical applications to AWS while maintaining a mission-critical application in an on-premises data center. An on-premises application must share limited confidential information with the applications in AWS. The internet performance is unpredictable.Which configuration will ensure continued connectivity between sites MOST securely?
Question39: You are planning to use AWS Configto check the configuration of the resources in your AWS account. You are planning on using an existing 1AM role and using it for the AWS Config resource. Which of the following is required to ensure the AWS config service can work as required?Please select:
Question40: A company has a large set of keys defined in AWS KMS. Their developers frequently use the keys for the applications being developed. What is one of the ways that can be used to reduce the cost of accessing the keys in the AWS KMS service.Please select:
Question41: Which of the following bucket policies will ensure that objects being uploaded to a bucket called 'demo' are encrypted.Please select:
Question42: You are designing a custom 1AM policy that would allow uses to list buckets in S3 only if they are MFA authenticated. Which of the following would best match this requirement?
Question43: A distributed web application is installed across several EC2 instances in public subnets residing in two Availability Zones. Apache logs show several intermittent brute-force attacks from hundreds of IP addresses at the layer 7 level over the past six months.What would be the BEST way to reduce the potential impact of these attacks in the future?
Question44: Which option for the use of the AWS Key Management Service (KMS) supports key management best practices that focus on minimizing the potential scope of data exposed by a possible future key compromise?
Question45: A company has deployed a custom DNS server in AWS. The Security Engineer wants to ensure that Amazon EC2 instances cannot use the Amazon-provided DNS.How can the Security Engineer block access to the Amazon-provided DNS in the VPC?
Question46: You have a set of application , database and web servers hosted in AWS. The web servers are placed behind an ELB. There are separate security groups for the application, database and web servers. The network security groups have been defined accordingly. There is an issue with the communication between the application and database servers. In order to troubleshoot the issue between just the application and database server, what is the ideal set of MINIMAL steps you would take?Please select:
Question47: Your company has a set of 1000 EC2 Instances defined in an AWS Account. They want to effectively automate several administrative tasks on these instances. Which of the following would be an effective way to achieve this?Please select:
Question48: A Systems Engineer has been tasked with configuring outbound mail through Simple Email Service (SES) and requires compliance with current TLS standards.The mail application should be configured to connect to which of the following endpoints and corresponding ports?
Question49: A company wants to have an Intrusion detection system available for their VPC in AWS. They want to have complete control over the system. Which of the following would be ideal to implement?Please select:
Question50: A Security Engineer must design a system that can detect whether a file on an Amazon EC2 host has been modified. The system must then alert the Security Engineer of the modification.What is the MOST efficient way to meet these requirements?
Question51: Which of the below services can be integrated with the AWS Web application firewall service. Choose 2 answers from the options given below Please select:
Question52: Your development team has started using AWS resources for development purposes. The AWS account has just been created. Your IT Security team is worried about possible leakage of AWS keys. What is the first level of measure that should be taken to protect the AWS account.Please select:
Question53: Which of the following is the responsibility of the customer? Choose 2 answers from the options given below.Please select:
Question54: A company will store sensitive documents in three Amazon S3 buckets based on a data classification scheme of "Sensitive," "Confidential," and "Restricted." The security solution must meet all of the following requirements:* Each object must be encrypted using a unique key.* Items that are stored in the "Restricted" bucket require two-factor authentication for decryption.* AWS KMS must automatically rotate encryption keys annually.Which of the following meets these requirements?
Question55: You have a bucket and a VPC defined in AWS. You need to ensure that the bucket can only be accessed by the VPC endpoint. How can you accomplish this?Please select:
Question56: A company stores critical data in an S3 bucket. There is a requirement to ensure that an extra level of security is added to the S3 bucket. In addition , it should be ensured that objects are available in a secondary region if the primary one goes down. Which of the following can help fulfil these requirements? Choose 2 answers from the options given below Please select:
Question57: Amazon CloudWatch Logs agent is successfully delivering logs to the CloudWatch Logs service. However, logs stop being delivered after the associated log stream has been active for a specific number of hours.What steps are necessary to identify the cause of this phenomenon? (Choose two.)
Question58: A company has complex connectivity rules governing ingress, egress, and communications between Amazon EC2 instances. The rules are so complex that they cannot be implemented within the limits of the maximum number of security groups and network access control lists (network ACLs).What mechanism will allow the company to implement all required network rules without incurring additional cost?
Question59: An organization has launched 5 instances: 2 for production and 3 for testing. The organization wants that one particular group of 1AM users should only access the test instances and not the production ones. How can the organization set that as a part of the policy?Please select:
Question60: You have a set of Customer keys created using the AWS KMS service. These keys have been used for around6 months. You are now trying to use the new KMS features for the existing set of key's but are not able to do so. What could be the reason for this.Please select:
Question61: Your CTO thinks your AWS account was hacked. What is the only way to know for certain if there was unauthorized access and what they did, assuming your hackers are very sophisticated AWS engineers and doing everything they can to cover their tracks?Please select:
Question62: For compliance reasons, an organization limits the use of resources to three specific AWS regions. It wants to be alerted when any resources are launched in unapproved regions.Which of the following approaches will provide alerts on any resources launched in an unapproved region?
Question63: A company wants to have a secure way of generating, storing and managing cryptographic exclusive access for the keys. Which of the following can be used for this purpose?Please select:
Question64: A Security Engineer has created an Amazon CloudWatch event that invokes an AWS Lambda function daily.The Lambda function runs an Amazon Athena query that checks AWS CloudTrail logs in Amazon S3 to detect whether any IAM user accounts or credentials have been created in the past 30 days. The results of the Athena query are created in the same S3 bucket. The Engineer runs a test execution of the Lambda function via the AWS Console, and the function runs successfully.After several minutes, the Engineer finds that his Athena query has failed with the error message: "Insufficient Permissions". The IAM permissions of the Security Engineer and the Lambda function are shown below:Security EngineerLambda function execution roleWhat is causing the error?
Question65: An IAM user with fill EC2 permissions could bot start an Amazon EC2 instance after it was stopped for a maintenance task. Upon starting the instance, the instance state would change to "Pending", but after a few seconds, it would switch back to "Stopped".An inspection revealed that the instance has attached Amazon EBS volumes that were encrypted by using a Customer Master Key (CMK). When these encrypted volumes were detached, the IAM user was able to start the EC2 instances.The IAM user policy is as follows:What additional items need to be added to the IAM user policy? (Choose two.)
Question66: A company hosts data in S3. There is now a mandate that going forward all data in the S3 bucket needs to encrypt at rest. How can this be achieved?Please select:
Question67: A Web Administrator for the website example.com has created an Amazon CloudFront distribution for dev.example.com, with a requirement to configure HTTPS using a custom TLS certificate imported to AWS Certificate Manager.Which combination of steps is required to ensure availability of the certificate in the CloudFront console?(Choose two.)
Question68: A company has a set of EC2 instances hosted in AWS. These instances have EBS volumes for storing critical information. There is a business continuity requirement and in order to boost the agility of the business and to ensure data durability which of the following options are not required.Please select:
Question69: Your company has confidential documents stored in the simple storage service. Due to compliance requirements, you have to ensure that the data in the S3 bucket is available in a different geographical location.As an architect what is the change you would make to comply with this requirement.Please select:
Question70: An organization policy states that all encryption keys must be automatically rotated every 12 months.Which AWS Key Management Service (KMS) key type should be used to meet this requirement?
Question71: You work as an administrator for a company. The company hosts a number of resources using AWS. There is an incident of a suspicious API activity which occurred 11 days ago. The Security Admin has asked to get the API activity from that point in time. How can this be achieved?Please select:
Question72: A Security Engineer launches two Amazon EC2 instances in the same Amazon VPC but in separate Availability Zones. Each instance has a public IP address and is able to connect to external hosts on the internet. The two instances are able to communicate with each other by using their private IP addresses, but they are not able to communicate with each other when using their public IP addresses.Which action should the Security Engineer take to allow communication over the public IP addresses?
Question73: A company plans to move most of its IT infrastructure to AWS. They want to leverage their existing on-premises Active Directory as an identity provider for AWS.Which combination of steps should a Security Engineer take to federate the company's on-premises Active Directory with AWS? (Choose two.)
Question74: Your company has a requirement to monitor all root user activity by notification. How can this best be achieved? Choose 2 answers from the options given below. Each answer forms part of the solution Please select:
Question75: A Systems Engineer is troubleshooting the connectivity of a test environment that includes a virtual security appliance deployed inline. In addition to using the virtual security appliance, the Development team wants to use security groups and network ACLs to accomplish various security requirements in the environment.What configuration is necessary to allow the virtual security appliance to route the traffic?
Question76: A company has hired a third-party security auditor, and the auditor needs read-only access to all AWS resources and logs of all VPC records and events that have occurred on AWS. How can the company meet the auditor's requirements without comprising security in the AWS environment? Choose the correct answer from the options below Please select:
Question77: An application outputs logs to a text file. The logs must be continuously monitored for security incidents.Which design will meet the requirements with MINIMUM effort?
Question78: You have a vendor that needs access to an AWS resource. You create an AWS user account. You want to restrict access to the resource using a policy for just that user over a brief period. Which of the following would be an ideal policy to use?Please select:
Question79: A Security Engineer must enforce the use of only Amazon EC2, Amazon S3, Amazon RDS, Amazon DynamoDB, and AWS STS in specific accounts.What is a scalable and efficient approach to meet this requirement?
Question80: A Software Engineer wrote a customized reporting service that will run on a fleet of Amazon EC2 instances.The company security policy states that application logs for the reporting service must be centrally collected.What is the MOST efficient way to meet these requirements?
Question81: When you enable automatic key rotation for an existing CMK key where the backing key is managed by AWS, after how long is the key rotated?Please select:
Question82: An application has a requirement to be resilient across not only Availability Zones within the application's primary region but also be available within another region altogether.Which of the following supports this requirement for AWS resources that are encrypted by AWS KMS?
Question83: A windows machine in one VPC needs to join the AD domain in another VPC. VPC Peering has been established. But the domain join is not working. What is the other step that needs to be followed to ensure that the AD domain join can work as intended Please select:
Question84: You have an EBS volume attached to an EC2 Instance which uses KMS for Encryption. Someone has now gone ahead and deleted the Customer Key which was used for the EBS encryption. What should be done to ensure the data can be decrypted.Please select:
Question85: A user has created a VPC with the public and private subnets using the VPC wizard. The VPC has CIDR20.0.0.0/16. The public subnet uses CIDR 20.0.1.0/24. The user is planning to host a web server in the public subnet with port 80 and a Database server in the private subnet with port 3306. The user is configuring a security group for the public subnet (WebSecGrp) and the private subnet (DBSecGrp). which of the below mentioned entries is required in the private subnet database security group DBSecGrp?Please select:
Question86: An employee accidentally exposed an AWS access key and secret access key during a public presentation. The company Security Engineer immediately disabled the key.How can the Engineer assess the impact of the key exposure and ensure that the credentials were not misused?(Choose two.)
Question87: Your company currently has a set of EC2 Instances hosted in a VPC. The IT Security department is suspecting a possible DDos attack on the instances. What can you do to zero in on the IP addresses which are receiving a flurry of requests.Please select:
Question88: A company is hosting a website that must be accessible to users for HTTPS traffic. Also port 22 should be open for administrative purposes. The administrator's workstation has a static IP address of 203.0.113.1/32.Which of the following security group configurations are the MOST secure but still functional to support these requirements? Choose 2 answers from the options given below Please select:
Question89: Which approach will generate automated security alerts should too many unauthorized AWS API requests be identified?
Question90: In response to the past DDoS attack experiences, a Security Engineer has set up an Amazon CloudFront distribution for an Amazon S3 bucket. There is concern that some users may bypass the CloudFront distribution and access the S3 bucket directly.What must be done to prevent users from accessing the S3 objects directly by using URLs?
Question91: A company wishes to enable Single Sign On (SSO) so its employees can login to the management console using their corporate directory identity. Which steps below are required as part of the process? Select 2 answers from the options given below.Please select:
Question92: An Amazon S3 bucket is encrypted using an AWS KMS CMK. An IAM user is unable to download objects from the S3 bucket using the AWS Management Console; however, other users can download objects from the S3 bucket.Which policies should the Security Engineer review and modify to resolve this issue? (Select three.)
Question93: A company has two AWS accounts, each containing one VPC. The first VPC has a VPN connection with its corporate network. The second VPC, without a VPN, hosts an Amazon Aurora database cluster in private subnets. Developers manage the Aurora database from a bastion host in a public subnet as shown in the image.A security review has flagged this architecture as vulnerable, and a Security Engineer has been asked to make this design more secure. The company has a short deadline and a second VPN connection to the Aurora account is not possible.How can a Security Engineer securely set up the bastion host?
Question94: During a security event, it is discovered that some Amazon EC2 instances have not been sending Amazon CloudWatch logs.Which steps can the Security Engineer take to troubleshoot this issue? (Select two.)
Question95: An enterprise wants to use a third-party SaaS application. The SaaS application needs to have access to issue several API commands to discover Amazon EC2 resources running within the enterprise's account. The enterprise has internal security policies that require any outside access to their environment must conform to the principles of least privilege and there must be controls in place to ensure that the credentials used by the SaaS vendor cannot be used by any other third party. Which of the following would meet all of these conditions?Please select:
Question96: How can you ensure that instance in an VPC does not use AWS DNS for routing DNS requests. You want to use your own managed DNS instance. How can this be achieved?Please select:
Question97: An organization wants to deploy a three-tier web application whereby the application servers run on Amazon EC2 instances. These EC2 instances need access to credentials that they will use to authenticate their SQL connections to an Amazon RDS DB instance. Also, AWS Lambda functions must issue queries to the RDS database by using the same database credentials.The credentials must be stored so that the EC2 instances and the Lambda functions can access them. No other access is allowed. The access logs must record when the credentials were accessed and by whom.What should the Security Engineer do to meet these requirements?
Question98: AWS CloudTrail is being used to monitor API calls in an organization. An audit revealed that CloudTrail is failing to deliver events to Amazon S3 as expected.What initial actions should be taken to allow delivery of CloudTrail events to S3? (Select two.)
Question99: What are the MOST secure ways to protect the AWS account root user of a recently opened AWS account?(Choose two.)
Question100: A Security Engineer who was reviewing AWS Key Management Service (AWS KMS) key policies found this statement in each key policy in the company AWS account.What does the statement allow?
Question101: A Security Administrator at a university is configuring a fleet of Amazon EC2 instances. The EC2 instances are shared among students, and non-root SSH access is allowed. The Administrator is concerned about students attacking other AWS account resources by using the EC2 instance metadata service.What can the Administrator do to protect against this potential attack?
Question102: A company has set up the following structure to ensure that their S3 buckets always have logging enabledIf there are any changes to the configuration to an S3 bucket, a config rule gets checked. If logging is disabled, then Lambda function is invoked. This Lambda function will again enable logging on the S3 bucket. Now there is an issue being encoutered with the entire flow. You have verified that the Lambda function is being invoked. But when logging is disabled for the bucket, the lambda function does not enable it again. Which of the following could be an issue Please select:
Question103: The Security team believes that a former employee may have gained unauthorized access to AWS resources sometime in the past 3 months by using an identified access key.What approach would enable the Security team to find out what the former employee may have done within AWS?
Question104: Your company is planning on using AWS EC2 and ELB for deployment for their web applications. The security policy mandates that all traffic should be encrypted. Which of the following options will ensure that this requirement is met. Choose 2 answers from the options below.Please select:
Question105: You need to establish a secure backup and archiving solution for your company, using AWS. Documents should be immediately accessible for three months and available for five years for compliance reasons. Which AWS service fulfills these requirements in the most cost-effective way? Choose the correct answer:Please select:
Question106: A company is using a Redshift cluster to store their data warehouse. There is a requirement from the Internal IT Security team to ensure that data gets encrypted for the Redshift database. How can this be achieved?Please select:
Question107: Some highly sensitive analytics workloads are to be moved to Amazon EC2 hosts. Threat modeling has found that a risk exists where a subnet could be maliciously or accidentally exposed to the internet.Which of the following mitigations should be recommended?
Question108: Your development team is using access keys to develop an application that has access to S3 and DynamoDB.A new security policy has outlined that the credentials should not be older than 2 months, and should be rotated. How can you achieve this?Please select:
Question109: Your company looks at the gaming domain and hosts several Ec2 Instances as game servers. The servers each experience user loads in the thousands. There is a concern of DDos attacks on the EC2 Instances which could cause a huge revenue loss to the company. Which of the following can help mitigate this security concern and also ensure minimum downtime for the servers.Please select:
Question110: You are trying to use the Systems Manager to patch a set of EC2 systems. Some of the systems are not getting covered in the patching process. Which of the following can be used to troubleshoot the issue? Choose 3 answers from the options given below.Please select:
Question111: A company hosts a critical web application on the AWS Cloud. This is a key revenue generating application for the company. The IT Security team is worried about potential DDos attacks against the web site. The senior management has also specified that immediate action needs to be taken in case of a potential DDos attack. What should be done in this regard?Please select:
Question112: A Security Engineer is building a Java application that is running on Amazon EC2. The application communicates with an Amazon RDS instance and authenticates with a user name and password.Which combination of steps can the Engineer take to protect the credentials and minimize downtime when the credentials are rotated? (Choose two.)
Question113: The Development team receives an error message each time the team members attempt to encrypt or decrypt a Secure String parameter from the SSM Parameter Store by using an AWS KMS customer managed key (CMK).Which CMK-related issues could be responsible? (Choose two.)
Question114: You have a requirement to serve up private content using the keys available with Cloudfront. How can this be achieved?Please select:
Question115: Your application currently uses customer keys which are generated via AWS KMS in the US east region. You now want to use the same set of keys from the EU-Central region. How can this be accomplished?Please select:
Question116: Due to new compliance requirements, a Security Engineer must enable encryption with customer-provided keys on corporate data that is stored in DynamoDB. The company wants to retain full control of the encryption keys.Which DynamoDB feature should the Engineer use to achieve compliance'?