QUESTION 181
A developer operations team uses AWS Identity and Access Management (IAM) to manage user permissions. The team created an Amazon EC2 instance profile role that uses an AWS managed ReadOnlyAccess policy. When an application that is running on Amazon EC2 tries to read a file from an encrypted Amazon S3 bucket, the application receives an AccessDenied error. The team administrator has verified that the S3 bucket policy allows everyone in the account to access the S3 bucket. There is no object ACL that is attached to the file. What should the administrator do to fix the IAM access issue?
A. Edit the ReadOnlyAccess policy to add kms: Decrypt actions.
B. Add the EC2 IAM role as the authorized Principal to the S3 bucket policy.
C. Attach an inline policy with kms:Decrypt permissions to the IAM role.
D. Attach an inline policy with S3.* permissions to the IAM role.
Correct Answer: C
QUESTION 182
A security engineer has designed a VPC to segment private traffic from public traffic. The VPC includes two Availability Zones. The security engineer has provisioned each Availability Zone with one private subnet and one public subnet. The security engineer has created three route tables for use with the environment. One route table is for the public subnets, and two route tables are for the private subnets (one route table for the private subnet in each Availability Zone). The security engineer discovers that all four subnets are attempting to route traffic out through the internet gateway that is attached to the VPC. Which combination of steps should the security engineer take to remediate this scenario? (Select TWO.)
A. Verify that a NAT a gateway has been provisioned in the public subnet in each Availability Zone.
B. Verify that a NAT gateway has been provisioned in the private subnet in each Availability Zone.
C. Modify the route tables that are associated with each of the public subnets. Create a new route for local destinations to the VPC CIDR range.
D. Modify the route tables that are associated with each of the private subnets. Create a new route for the destination 0.0.0.0/0. Specify the NAT gateway in the public subnet of the same Availability Zone as the target of the route.
E. Modify the route tables that are associated with each of the private subnets. a Create a new route for the destination 0.0.0.0/0. Specify the internet gateway in the public subnet of the same Availability Zone as the target of the route.
Correct Answer: AD
QUESTION 183
A company has a new web-based account management system for an online game. Players create a unique username and password to log in to the system. The company has implemented an AWS WAF web ACL for the system. The web ACL includes the core rule set (CRS) AWS managed rule group on the Application Load Balancer that serves the system. The company’s security team finds that the system was the target of a credential stuffing attack. Credentials that were exposed in other breaches were used to try to log in to the system. The security team must implement a solution to reduce the chance of a successful credential stuffing attack in the future. The solution also must minimize impact on legitimate users of the system. Which combination of actions will meet these requirements? (Select Two.)
A. Create an Amazon CloudWatch custom metric to analyze the number of successful login responses from a single IP address.
B. Add the account takeover prevention (ATP) AWS managed rule group to the web ACL. Configure the rule group to inspect login requests to the system. Block any requests that have the awswaf.managed aws.atp:signal:credential_compromised label.
C. Configure a default web ACL action that requires all users to solve a CAPTCHA puzzle when they log in.
D. Implement IP-based match rules in the web ACL for any IP addresses that generate many successful login responses. Block any IP addresses that generate many successful logins.
E. Create a custom block response that redirects users to a secure workflow to reset their password inside the system.
Correct Answer: BE
QUESTION 184
A company has an application on Amazon EC2 instances that store confidential customer data. The company must restrict access to customer data. A security engineer requires secure access to the instances that host the application. According to company policy, users must not open any inbound ports, maintain bastion hosts, or manage SSH keys for the EC2 instances. The security engineer wants to monitor, store, and access all session activity logs. The logs must be encrypted. Which solution will meet these requirements?
A. Use AWS Control Tower to connect to the EC2 instances. Configure Amazon CloudWatch logging for the sessions. Select the upload session logs option and allow only encrypted CloudWatch Logs log groups.
B. Use AWS Security Hub to connect to the EC2 instances. Configure Amazon CloudWatch logging for the sessions. Select the upload session logs option and allow only encrypted CloudWatch Logs log groups.
C. Use AWS Systems Manager Session Manager to connect to the EC2 instances. Configure Amazon CloudWatch monitoring to record the sessions. Select the store session logs option for the desired CloudWatch Logs log groups.
D. Use AWS Systems Manager Session Manager to connect to the to EC2 instances. Configure Amazon CloudWatch logging. Select the upload session logs option and allow only encrypted CloudWatch Logs log groups.
Correct Answer: D
QUESTION 185
A company has a requirement that no Amazon EC2 security group can allow SSH access from the CIDR block 0.0.0.0/0. The company wants to monitor compliance with this requirement at all times and wants to receive a near-real-time notification if any security group is noncompliant. A security engineer has configured AWS Config and will use the restricted-ssh managed rule to monitor the security groups. What should the security engineer do next to meet these requirements?
A. Configure AWS Config to send its configuration snapshots to an Amazon S3 bucket. Create an AWS Lambda function to run on a PutEvent to the S3 bucket. Configure the Lambda function to parse the snapshot for a compliance change to the restricted-ssh managed rule. Configure the Lambda function to send a notification to an Amazon Simple Notification Service (Amazon SNS) topic if a change is discovered.
B. Configure an Amazon EventBridge event rule that is invoked by a compliance change event from AWS Config for the restricted-ssh managed rule. Configure the event rule to target an Amazon Simple Notification Service (Amazon SNS) topic that will provide a notification.
C. Configure AWS Config to push all its compliance notifications to Amazon CloudWatch Logs. Configure a CloudWatch Logs metric filter on the AWS Config log group to look for a compliance notification change on the restricted-ssh managed rule. Create an Amazon CloudWatch alarm on the metric filter to send a notification to an Amazon Simple Notification Service (Amazon SNS) topic if the alarm is in the ALARM state.
D. Configure an Amazon CloudWatch alarm on the CloudWatch metric for the restricted-ssh managed rule. Configure the CloudWatch alarm to send a notification to an Amazon Simple Notification Service (Amazon SNS) topic if the alarm is in the ALARM state.
Correct Answer: B
QUESTION 186
A company uses AWS Organizations to a manage a small number of AWS accounts. However, the company plans to add 1,000 more accounts soon. The company allows only centralized security team to create IAM roles for all AWS accounts and teams. Application teams submit requests for IAM roles to the security team. The security team has a backlog of IAM role requests and cannot review and provision the IAM roles quickly. The security team must create a process that will allow application teams to provision their own IAM roles. The process must also limit the scope of IAM roles and prevent privilege escalation. Which solution will meet these requirements with the LEAST operational overhead?
A. Create an IAM group for each application team. Associate policies with each IAM group. Provision IAM users for each application team member. Add the new IAM users to the appropriate IAM group by using role-based access control (RBAC).
B. Delegate application team leads to provision IAM roles for each team. Conduct a quarterly review of the IAM roles the team leads have provisioned. Ensure that the application team leads have the appropriate training to review IAM roles.
C. Put each AWS account in its own OU Add an SCP to each OU to grant access to only the AWS services that the teams plan to use. Include conditions in the AWS account of each team.
D. Create an SCP and a permissions boundary for IAM roles. Add the SCP to the root OU so that only roles that have the permissions boundary attached can create any new IAM roles.
Correct Answer: D
QUESTION 187
A company needs to securely deploy resources and workloads across AWs accounts The accounts are in an organization in AWS Organizations. The company needs to use AWS CloudFormation for infrastructure as code (IaC) management of approved architectural patterns. The company also must enforce tagging requirements and specific guidelines for resource and workload configuration and creation. Which solution will meet these requirements?
A. Use CloudFormation stack policies to prevent the creation of resources that do not meet the tagging or configuration requirements. Use Amazon EventBridge rules to detect API calls that attempt to create resources outside of CloudFormation.
B. B Use an AWS CodePipeline pipeline to test and deploy IaC defined workloads through CloudFormation into the accounts. Use AWS Config rules to enforce the tagging requirements. Apply an SCP to prevent the creation of misconfigured resources in all OUs.
C. Create an IAM permissions boundary to prevent the creation of misconfigured resources through CloudFormation and to enforce the tagging requirements. Apply the permissions boundary to all account roles. Use AWS Config rules to identify existing resources that are in a misconfigured state.
D. Use AWS Service Catalog with CloudFormation to manage access to approved architecture configurations. Provision Service Catalog portfolios to the accounts across the organization. Use AWS Config rules to enforce the tagging requirements and other resource configuration policies across accounts.
Correct Answer: D
QUESTION 188
A company uses Aws Key Management Service (AWS KMS). During an attempt to attach an encrypted Amazon Elastic Block Store (Amazon EBS) volume to an Amazon EC2 instance, the attachment fails. The company discovers that a customer managed key has become unusable because the key material for the key was deleted. The company needs the data that is on the EBS volume. A security engineer must recommend a solution to decrypt the EBS volume’s encrypted data key. The solution must also attach the volume to the EC2 instance. Which solution will meet these requirements?
A. Import new key material into the key. Attach the EBS volume.
B. Restore the EBS volume from a snapshot that was taken before the deletion of the key material.
C. Reimport the same key material that originally was imported into the key. Attach the EBS volume.
D. Create a new key. Import new key material. Attach the EBS volume.
Correct Answer: C
QUESTION 189
A company stores sensitive data in an Amazon S3 bucket. The company encrypts the data at rest by using server-side encryption with Amazon S3 managed keys (SSE-$3) A security engineer must prevent any modifications to the data in the S3 bucket. Which solution will meet this requirement?
A. Configure S3 bucket policies to deny DELETE and PUT object permissions.
B. Configure S3 Object Lock in compliance mode with S3 bucket versioning enabled.
C. Change the encryption on the S3 bucket to use Aws Key Management Service (AWS KMS) customer managed keys.
D. Configure the S3 bucket with multi-factor authentication (MFA) delete protection.
Correct Answer: B
QUESTION 190
A company hired an external consultant who needs to use a laptop to access the company’s VPCs. Specifically, the consultant needs access to two VPCs that are peered together in the same Aws Region. The company wants to provide the consultant with access to these VPCs without also providing any unnecessary access to other network resources. Which solution will meet these requirements?
A. Create an AWS Site-to-Site VPN endpoint in the same Region as the VPCs. Configure access through an appropriate subnet and authorization rule.
B. Create an AWS account. Use the VPC sharing feature through AWS Resource Access Manager to allow the consultant to access the VPCs.
C. Create an AWS Client VPN endpoint in the same Region as the VPCs. Configure access through an appropriate subnet and authorization rule.
D. Create a gateway VPC endpoint in the same Region as the VPCs. Configure access through an appropriate subnet and authorization rule.
Correct Answer: C
QUESTION 191
A company needs to analyze access logs for an Application Load Balancer (ALB). The ALB directs traffic to the company’s online login portal The company needs to use visualizations to identify login attempts by bots from a list of known IP sources. Which solution will meet these requirements?
A. Configure the ALB to send logs directly to Amazon CloudWatch Logs. Analyze and visualize the logs by using CloudWatch Logs Insights.
B. Configure the ALB to send logs directly to Amazon Redshift Analyze the logs by using SQL queries Visualize the logs by using custom reports.
C. Configure the ALB to send logs directly to Amazon OpenSearch Service. Analyze the logs by using OpenSearch dashboards. Visualize the logs by using custom OpenSearch dashboards.
D. Configure the ALB to send logs directly to an Amazon S3 bucket Analyze the logs by using Amazon Athena. Visualize the logs by using Amazon QuickSight
Correct Answer: C
QUESTION 192
A security engineer for a large company is managing a data processing application used by 1,500 subsidiary companies. The parent and subsidiary companies all use AWS. The application uses TCP port 443 and runs on Amazon EC2 behind a Network Load Balancer (NLB). For compliance reasons, the application should only be accessible to the subsidiaries and should not be available on the public internet. To meet the compliance requirements for restricted access, the engineer has received the public and private CIDR block ranges for each subsidiary. What solution should the engineer use to implement the appropriate access restrictions for the application?
A. Create a NACL to allow access on TCP port 443 from the 1.500 subsidiary CIDR block ranges. Associate the NACL to both the NLB and EC2 instances.
B. Create an AWS security group to allow access on TCP port 443 from the 1.500 subsidiary CIDR block ranges. Associate the security group to the NLB. Create a second security group for EC2 instances with access on TCP port 443 from the NLB security group.
C. Create an AWS PrivateLink endpoint service in the parent company account attached to the NLB Create an AWS security group for the instances to allow access on TCP port 443 from the AWS PrivateLink endpoint. Use AWS PrivateLink interface endpoints in the 1,500 subsidiary AWS accounts to connect to the data processing application.
D. Create an AWS security group to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges. Associate the security group with EC2 instances.
Correct Answer: C
QUESTION 193
A company uses Amazon Elastic Kubernetes Service (Amazon EKS) clusters to run its Kubernetes-based applications. The company uses Amazon GuardDuty to protect the applications. EKS Protection is enabled in GuardDuty. However, the corresponding GuardDuty feature is not monitoring the Kubernetes-based applications. Which solution will cause GuardDuty to monitor the Kubernetes-based applications?
A. Enable VPC flow logs for the VPC that hosts the EKS clusters.
B. Assign the CloudWatchEventsFullAccess AWS managed policy to the EKS clusters.
C. Ensure that the AmazonGuardDutyFullAccess AWS managed policy is attached to the GuardDuty service role
D. Enable the control plane logs in Amazon EKS. Ensure that the logs are ingested into Amazon CloudWatch.
Correct Answer: D
QUESTION 194
A company has created a set of AWS Lambda functions to automate incident response steps for incidents that occur on Amazon EC2 instances. The Lambda functions need to collect relevant artifacts, such as instance ID and security group configuration. The Lambda functions must then write a summary to an Amazon S3 bucket. The company runs its workloads in a VPC that uses public subnets and private subnets. The public subnets use an internet gateway to access the internet. The private subnets use a NAT gateway to access the internet. All network traffic to Amazon S3 that is related to the incident response process must use the AWS network. This traffic must not travel across the internet. Which solution will meet these requirements?
A. Deploy the Lambda functions to a private subnet in the VPC. Configure the Lambda functions to access the S3 service through the NAT gateway.
B. Deploy the Lambda functions to a private subnet in the VPC. Create an S3 gateway endpoint to access the S3 service.
C. Deploy the S3 bucket and the Lambda functions in the same private subnet. Configure the Lambda functions to use the default endpoint for the S3 service.
D. Deploy an Amazon Simple Queue Service (Amazon SQS) queue and the Lambda functions in the same private subnet. Configure the Lambda functions to send data to the SQS queue. Configure the SQS queue to send data to the S3 bucket.
Correct Answer: B
QUESTION 195
A security engineer is trying to access Amazon S3 buckets in two AWS accounts at the same time. The security engineer accesses the S3 bucket in the first account by using the AWS CLI with the default credentials stored in the local .aws/credentials file. When the security engineer tries to access the S3 bucket in the second account, the security engineer receives an Access Denied authentication error. The security engineer must access the S3 bucket in the second account without losing access to the S3 bucket in the first account. Which solution will meet these requirements?
A. Obtain new credentials that allow access to the S3 bucket in the second account. Run the aws configure AWS CLI command. Input the new credentials by following the prompts. Reference the credential profile during calls to the second account.
B. Create a trust policy and assign it to an IAM role in the first account. In the trust policy, add the S3 bucket in the second account as a principal. Reference the default credentials to assume the role.
C. Create a resource policy and assign it to an IAM role in the first account. In the resource policy, add permissions to access the S3 bucket in the second account. Reference the default credentials to assume the role.
D. Obtain new credentials that allow access to the S3 bucket in the second account. Add the credentials to the .aws/credentials file under a new profile name. Reference the new profile name during calls to the second account.
Correct Answer: D
QUESTION 196
A company plans to create Amazon S3 buckets to store log data. All the S3 buckets will have versioning enabled and will use the S3 Standard storage class. A security engineer needs to implement a solution that protects objects in the S3 buckets from deletion for 90 days. The solution must ensure that no object can be deleted during this time period, even by an administrator or the AWS account root user. Which solution will meet these requirements?
A. Enable S3 Object Lock in governance mode. Set a legal hold of 90 days.
B. Enable S3 Object Lock in governance mode. Set a retention period of 90 days.
C. Enable S3 Object Lock in compliance mode. Set a retention period of 90 days.
D. Create an S3 Glacier Vault Lock policy that prevents deletion for 90 days.
Correct Answer: C
QUESTION 197
A company has configured an organization in AWS Organizations for its AWS accounts. AWS CloudTrail is enabled in all AWS Regions. A security engineer must implement a solution to prevent Cloud Trail from being disabled. Which solution will meet this requirement?
A. Enable CloudTrail log file integrity validation from the organization’s management account.
B. Enable server-side encryption with AWS KMS keys (SSE-KMS) for CloudTrail logs. Create a KMS key. Attach a policy to the key to prevent decryption of the logs.
C. Create an SCP that includes an explicit Deny rule for the StopLogging action and the Delete Trail action. Attach the SCP to the root OU.
D. Create IAM policies for all the company’s users to prevent the users from performing the Describe Trails action and the GetTrailStatus action.
Correct Answer: C
QUESTION 198
A company is investigating actions that an IAM role performed. The company must find out when the role last accessed AWS Security Hub and when the role last used the DeleteInsight action in Security Hub. Which solution will provide this information?
A. Use the checks for the security category in AWS Trusted Advisor. Search for the role and examine the actions taken.
B. Use the Access Advisor tab in AWS Identity and Access Management (IAM). Search for Security Hub and the actions taken.
C. Use AWS Identity and Access Management (IAM) to generate a credential report. Search the report for Security Hub activity.
D. Create an analyzer in AWS Identity and Access Management Access Analyzer. Examine the findings for the role’s actions in Security Hub.
Correct Answer: B
QUESTION 199
A security engineer is designing security controls for a fleet of Amazon EC2 instances that run sensitive workloads in a VPC. The security engineer needs to implement a solution to detect and mitigate software vulnerabilities on the EC2 instances. Which solution will meet this requirement?
A. Scan the EC2 instances by using Amazon Inspector. Apply security patches and updates by using AWS Systems Manager Patch Manager.
B. Install host-based firewall and antivirus software on each EC2 instance. Use AWS Systems Manager Run Command to update the firewall and antivirus software.
C. Install the Amazon CloudWatch agent on the EC2 instances. Enable detailed logging. Use Amazon EventBridge to review the software logs for anomalies.
D. Scan the EC2 instances by using Amazon GuardDuty Malware Protection. Apply security patches and updates by using AWS Systems Manager Patch Manager.
Correct Answer: A
QUESTION 200
A security engineer is implementing authentication for a multi-account environment by using federated access with SAML 2.0. The security engineer has configured AWS IAM Identity. Center as an identity provider (IdP). The security engineer also has created IAM roles to grant access to the AWS accounts. A federated user reports an authentication failure when the user attempts to authenticate with the new system. What should the security engineer do to troubleshoot this issue in the MOST operationally efficient way?
A. Review the SAML IdP logs to identify errors. Check AWS CloudTrail to verify the API calls that the user made
B. Review the SAML IdP logs to identify errors. Use the IAM policy simulator to validate access to the IAM roles
C. Use IAM access advisor to review recent service access. Use the IAM policy simulator to validate access to the IAM roles
D. Recreate the SAML IdP in a separate account to confirm the behavior that the user is experiencing
Correct Answer: B
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.