QUESTION 21
A company uses AWS IAM Identity Center to manage access to its AWS accounts. The accounts are in an organization in AWS Organizations. A security engineer needs to set up delegated administration of IAM Identity Center in the organization’s management account. Which combination of steps should the security engineer perform in IAM Identity Center before configuring delegated administration? (Select THREE.)
A. Grant least privilege access to the organization’s management account.
B. Create a new IAM Identity Center directory in the organization’s management account.
C. Set up a second AWS Region in the organization’s management account.
D. Create permission sets for use only in the organization’s management account.
E. Create IAM users for use only in the organization’s management account.
F. Create user assignments only in the organization’s management account.
Correct Answer: ABD
QUESTION 22
A company runs container-based workloads outside of AWS. The company wants the workloads to obtain temporary security credentials to securely access the company’s AWS account. The company currently uses AWS IAM Identity Center to manage user access to the company’s AWS resources. Which solution will meet this requirement?
A. Use AWS Identity and Access Management (IAM) Roles Anywhere to create a trust anchor. Configure an IAM role to trust the IAM Roles Anywhere service principal.
B. Use AWS Identity and Access Management (IAM) federation and create a trust anchor. Configure an IAM role to trust the IAM service principal.
C. Set up an AWS managed application in AWS IAM Identity Center for the workload. Assign the AWS managed application to a group of users.
D. Set up a customer managed application in AWS IAM Identity Center for the workload. Assign the customer managed application to a group of users.
Correct Answer: A
QUESTION 23
A company allows users to download its mobile app onto their phones. The app is MQTT based and connects to AWS IoT Core to subscribe to specific client-related topics. Recently, the company discovered that some malicious attackers have been trying to get a Trojan horse onto legitimate mobile phones. The Trojan horse poses as the authentic application and uses a client ID with injected special characters to gain access to topics outside the client’s privilege scope. Which combination of actions should the company take to prevent this threat? (Select TWO.)
A. In the application, use an IoT thing name as the client ID to connect the device to AWS IoT Core.
B. In the application, add a client ID check. Disconnect from the server if any special character is detected.
C. Apply an AWS IoT Core policy that allows “AWSIoTWirelessDataAccess” with the principal set to “client/${iot:Connection. Thing. ThingName}”.
D. Apply an AWS IoT Core policy to the device to allow “iot: Connect” with the resource set to “client/${iot Clientid}”.
E. Apply an AWS IoT Core policy to the device to allow “iot: Connect” with the resource set to “client/${iot Connection. Thing. ThingName}”.
Correct Answer: AD
QUESTION 24
A security team manages a company’s AWS Key Management Service (AWS KMS) customer managed keys. Only members of the security team can administer the KMS keys. The company’s application team has a software process that needs temporary access to the keys occasionally. The security team needs to provide the application team’s software process with access to the keys. Which solution will meet these requirements with the LEAST operational overhead?
A. Export the KMS key material to an on-premises hardware security module (HSM). Give the application team access to the key material.
B. Edit the key policy that grants the security team access to the KMS keys by adding the application team as principals. Revert this change when the application team no longer needs access.
C. Create a key grant to allow the application team to use the KMS keys. Revoke the grant when the application team no longer needs access.
D. Create a new KMS key by generating key material on premises. Import the key material to AWS KMS whenever the application team needs access. Grant the application team permissions to use the key.
Correct Answer: C
QUESTION 25
A security administrator is setting up a new AWS account. The security administrator wants to secure the data that a company stores in an Amazon S3 bucket. The security administrator also wants to reduce the chance of unintended data exposure and the potential for misconfiguration of objects that are in the S3 bucket. Which solution will meet these requirements with the LEAST operational overhead?
A. Configure the S3 Block Public Access feature for the AWS account.
B. Configure the S3 Block Public Access feature for all objects that are in the bucket.
C. Deactivate ACLs for objects that are in the bucket.
D. Use AWS PrivateLink for Amazon S3 to access the bucket.
Correct Answer: A
QUESTION 26
A company uses AWS Organizations to manage its AWS accounts. The company has a development account and a production account. An auditor has requested evidence that the production account workloads are resilient to disruption. The company needs a solution that improves the resilience of each production account workload. Which solution will meet these requirements?
A. Use AWS Audit Manager to create a new assessment based on AWS Operational Best Practices in the production account. After the assessments are finished, provide the auditor with direct access to the reports.
B. Review the architecture by using the AWS Well-Architected Tool. Use the Well-Architected Framework and focus on the Operational Excellence, Security, and Reliability pillars. Document and implement mitigations for the identified risks. Provide the documentation to the auditor.
C. Use Amazon Inspector with a multi-account environment to assess the production account workloads for vulnerabilities. Create a CIS scan in Amazon Inspector. Configure the CIS scan as a one time scan with Benchmark Level 2. After the scan is finished, download the PDF report and provide the report to the auditor.
D. Use the AWS Fault Injection Service to create experiments in the development account for each workload. Adjust the configuration and architecture of the workloads to improve resilience. Run the experiments again. Download the PDF reports and provide the reports to the auditor.
Correct Answer: B
QUESTION 27
A company uses an organization in AWS Organizations to manage multiple AWS accounts. The company wants to centrally give users the ability to access Amazon @ Developer. Which solution will meet this requirement?
A. Enable AWS IAM Identity Center and set up Amazon @ Developer as an AWS managed application.
B. Enable Amazon Cognito and create a new identity pool for Amazon @ Developer.
C. Enable Amazon Cognito and set up Amazon @ Developer as an AWS managed application.
D. Enable AWS IAM Identity Center and create a new identity pool for Amazon @ Developer.
Correct Answer: A
QUESTION 28
A company creates AWS Lambda functions from container images that are stored in Amazon Elastic Container Registry (Amazon ECR). The company needs to identify any software vulnerabilities in the container images and any code vulnerabilities in the Lambda functions. Which solution will meet these requirements?
A. Enable Amazon GuardDuty. Configure Amazon ECR scanning and Lambda code scanning in GuardDuty.
B. Enable Amazon GuardDuty. Configure Runtime Monitoring and Lambda Protection in GuardDuty.
C. Enable Amazon Inspector. Configure Amazon ECR enhanced scanning and Lambda code scanning in Amazon Inspector.
D. Enable AWS Security Hub. Configure Runtime Monitoring and Lambda Protection in Security Hub.
Correct Answer: C
QUESTION 29
A company’s security engineer receives an abuse notification from AWS. The notification indicates that someone is hosting malware from the company’s AWS account. After investigation, the security engineer finds a new Amazon S3 bucket that an IAM user created without authorization. Which combination of steps should the security engineer take to MINIMIZE the consequences of this compromise? (Select THREE.)
A. Encrypt all AWS CloudTrail logs.
B. Turn on Amazon GuardDuty.
C. Change the password for all IAM users.
D. Rotate or delete all AWS access keys.
E. Take snapshots of all Amazon Elastic Block Store (Amazon EBS) volumes.
F. Delete any resources that are unrecognized or unauthorized.
Correct Answer: BDF
QUESTION 30
A company runs an application on a fleet of Amazon EC2 instances. The company can remove instances from the fleet without risk to the application. All EC2 instances use the same security group named ProdFleet. Amazon GuardDuty and AWS Config are active in the company’s AWS account. A security engineer needs to provide a solution that will prevent an EC2 instance from sending outbound traffic if GuardDuty generates a cryptocurrency finding event. The security engineer creates a new security group named Isolate that contains no outbound rules. The security engineer configures an AWS Lambda function to remove an EC2 instance from the ProdFleet security group and add it to the Isolate security group. Which additional step will meet this requirement?
A. Configure GuardDuty to directly invoke the Lambda function if GuardDuty generates a CryptoCurrency:EC2/* finding event.
B. Configure an AWS Config rule that invokes the Lambda function if a CryptoCurrency: EC2/* configuration change event occurs for an EC2 instance.
C. Configure an Amazon EventBridge rule that invokes the Lambda function if GuardDuty generates a CryptoCurrency: EC2/* finding event.
D. Configure an Amazon EventBridge rule that invokes the Lambda function if AWS Config detects a CryptoCurrency: EC2/* configuration change event for an EC2 instance.
Correct Answer: C
QUESTION 31
A company’s application team needs a new AWS Key Management Service (AWS KMS) customer managed key to use with Amazon S3. The company’s security policy requires separate keys for different AWS services to limit security exposure. How can a security engineer limit the KMS customer managed key to work with only Amazon S3?
A. Configure the key policy to allow only Amazon S3 to perform the kms: Encrypt action.
B. Configure the key policy to allow KMS actions only when the value for the kms:ViaService condition key matches the Amazon S3 service name.
C. Configure the application’s IAM role policy to allow Amazon S3 to perform the iam:PassRole action.
D. Configure the application’s IAM role policy to allow only S3 operations when the operations are combined with the KMS customer managed key.
Correct Answer: B
QUESTION 32
A company is attempting to conduct forensic analysis on an Amazon EC2 instance, but the company is unable to connect to the instance by using AWS Systems Manager Session Manager. The company has installed AWS Systems Manager Agent (SSM Agent) on the EC2 instance. The EC2 instance is in a subnet in a VPC that does not have an internet gateway attached. The company has associated a security group with the EC2 instance. The security group does not have inbound or outbound rules. The subnet’s network ACL allows all inbound and outbound traffic. Which combination of actions will allow the company to conduct forensic analysis on the EC2 instance without compromising forensic data? (Select THREE.)
A. Update the EC2 instance security group to add a rule that allows outbound traffic on port 443 for 0.0.0.0/0
B. Update the EC2 instance security group to add a rule that allows inbound traffic on port 443 to the VPC’s CIDR range.
C. Create an EC2 key pair. Associate the key pair with the EC2 instance.
D. Create a VPC interface endpoint for Systems Manager in the VPC where the EC2 instance is located
E. Attach a security group to the VPC interface endpoint. Allow inbound traffic on port 443 to the VPC’s CIDR range.
F. Create a VPC interface endpoint for the EC2 instance in the VPC where the EC2 instance is located.
Correct Answer: ADE
QUESTION 33
A company has a PHP-based web application that uses Amazon S3 as an object store for user files. The S3 bucket that stores the files is configured for server-side encryption with Amazon S3 managed encryption keys (SSE-S3). According to new security requirements, the company must control all encryption keys. Additionally, all objects in the S3 bucket must be encrypted by a key that the company controls. Which combination of steps must a security engineer take to meet these requirements? (Select THREE.)
A. Create a new customer managed key in AWS Key Management Service (AWS KMS).
B. Change the SSE-S3 configuration on the S3 bucket to server-side encryption with customer-provided encryption keys (SSE-C).
C. Configure the PHP SDK to use the SSE-S3 key to encrypt the data before the data is uploaded to Amazon S3.
D. Create an AWS managed key for Amazon S3 in AWS Key Management Service (AWS KMS).
E. Change the SSE-S3 configuration on the S3 bucket to server-side encryption with AWS KMS managed encryption keys (SSE-KMS).
F. Change all the S3 objects in the bucket to use the new encryption key.
Correct Answer: AEF
QUESTION 34
A security engineer is responding to an incident that is affecting an AWS account. The ID of the account is 123456789012. The attack created workloads that are distributed across multiple AWS Regions. The security engineer contains the attack. The security engineer removes all compute and storage resources from all affected Regions. However, the attacker also created an AWS KMS key. The key policy on the KMS key explicitly allows IAM principal kms:* permissions. The key was scheduled to be deleted the previous day. However, the key is still enabled and usable. The key has an ARN of arn:aws:kms:us-east-2:123456789012:key/mrk-0bb0212cd9864fdea0dcamzo26efb5670. The security engineer must delete the key as quickly as possible. Which solution will meet this requirement?
A. Log in to the account by using the account root user credentials. Re-issue the deletion request for the KMS key with a waiting period of 7 days.
B. Identify the other Regions where the KMS key ID is present and schedule the key for deletion in 7 days.
C. Update the IAM principal to allow kms:* permissions on the KMS key ARN. Re-issue the deletion request for the KMS key with a waiting period of 7 days.
D. Disable the KMS key. Re-issue the deletion request for the KMS key in 30 days.
Correct Answer: A
QUESTION 35
A company’s security engineer receives an alert that indicates that an unexpected principal is accessing a company-owned Amazon Simple Queue Service (Amazon SQS) queue. All the company’s accounts are within an organization in AWS Organizations. The security engineer must implement a mitigation solution that minimizes compliance violations and investment in tools that are outside of AWS. What should the security engineer do to meet these requirements?
A. Create security groups that only accept inbound traffic from the CIDR blocks of all the VPCs in the organization. Attach the security groups to all the SQS queues in all the VPCs in the organization.
B. In all the VPCs in the organization, adjust the network ACLs to only accept inbound traffic from the CIDR blocks of all the VPCs in the organization. Attach the network ACLs to all the subnets in all the VPCs in the organization.
C. Create interface VPC endpoints for Amazon SQS in all the VPCs in the organization. Set the aws: SourceVpce condition to the VPC endpoint identifier on the SQS policy. Add the aws:PrincipalOrgld condition to the VPC endpoint policy.
D. Use a cloud access security broker (CASB) to maintain a list of managed resources. Configure the CASB to check the API and console access against that list on a web proxy.
Correct Answer: C
QUESTION 36
A company is running an application in the eu-west-1 Region. The application uses an AWS Key Management Service (AWS KMS) customer managed key to encrypt sensitive data. The company plans to deploy the application in the eu-north-1 Region. A security engineer needs to implement a key management solution for the application deployment in the new Region. The security engineer must minimize changes to the application code. Which change should the security engineer make to the AWS KMS configuration to meet these requirements?
A. Update the key policies in eu-west-1. Point the application in eu-north-1 to use the same customer managed key as the application in eu-west-1.
B. Allocate a new customer managed key to eu-north-1 to be used by the application that is deployed in that Region.
C. Allocate a new customer managed key to eu-north-1. Create the same alias name for both keys. Configure the application deployment to use the key alias.
D. Allocate a new customer managed key to eu-north-1. Create an alias for eu-*-1. Change the application code to point to the alias for eu-*-1.
Correct Answer: C
QUESTION 37
A company has decided to move its fleet of Linux-based web server instances to an Amazon EC2 Auto Scaling group. Currently, the instances are static and are launched manually. When an administrator needs to view log files, the administrator uses SSH to establish a connection to the instances and retrieves the logs manually. The company often needs to query the logs to produce results about application sessions and user issues. The company does not want its new automatically scaling architecture to result in the loss of any log files when instances are scaled in. Which combination of steps should a security engineer take to meet these requirements MOST cost-effectively? (Select TWO.)
A. Configure a cron job on the instances to forward the log files to Amazon S3 periodically.
B. Configure AWS Glue and Amazon Athena to query the log files.
C. Configure the Amazon CloudWatch agent on the instances to forward the logs to Amazon CloudWatch Logs.
D. Configure Amazon CloudWatch Logs Insights to query the log files.
E. Configure the instances to write the logs to an Amazon Elastic File System (Amazon EFS) volume.
Correct Answer: CD
QUESTION 38
A company needs to develop a code-signing application that will use a certificate authority (CA) to sign a code-signing certificate. The solution must use an AWS Key Management Service (AWS KMS) asymmetric key. The solution needs to collect and store immutable evidence about the creation, origin, and use of the KMS key for compliance purposes. This information must be made available to internal auditors. Which solution meets these requirements?
A. Create an Amazon S3 bucket with S3 Object Lock enabled. Create an AWS CloudTrail trail with an event selector and log file validation enabled for all kms.amazonaws.com CreateKey events. Configure the event selector to send the CreateKey events to the S3 bucket. Create the KMS key. Update the event selector to filter for API calls that reference the KMS key ARN. Provide the auditors with access to the S3 bucket.
B. Implement logging for application operations that reference the KMS key. Ensure that the logs contain all associated metadata. Store the logs in an Amazon CloudWatch Logs log group. Configure an automated export of the log group. Send the export to the auditors.
C. Create an Amazon DynamoDB table that the auditors can access. Create an AWS Lambda function that an Amazon EventBridge rule invokes. Configure the EventBridge rule to monitor KMS API calls. Configure the EventBridge rule to filter for all API calls that reference the KMS key ARN. Configure the Lambda function to store the contents of the API calls in the DynamoDB table.
D. Set up Amazon CloudWatch Logs Insights with a custom metric to track KMS key usage. Visualize the metrics by using a CloudWatch dashboard with real-time monitoring. Configure CloudWatch alarms. Use a subscription filter to replicate the data to a separate account for the auditors to review.
Correct Answer: A
QUESTION 39
A company recently experienced a malicious attack on its cloud-based environment. The company successfully contained and eradicated the attack. A security engineer is performing incident response work. The security engineer needs to recover an Amazon RDS database cluster to the last known good version. The database cluster is configured to generate automated backups with a retention period of 14 days. The initial attack occurred 5 days ago at exactly 3:15 PM. Which solution will meet this requirement?
A. Identity the Regional cluster ARN for the database. Use the ARN to restore the Regional cluster by using the Restore to point in time feature. Set a target time 5 days ago at 3:14 PM.
B. Identify the Regional cluster ARN for the database. List snapshots that have been taken of the cluster. Restore the database by using the snapshot that has a creation time that is closest to 5 days ago at 3:14 PM.
C. List all snapshots that have been taken of all the company’s RDS databases. Identify the snapshot that was taken closest to 5 days ago at 3:14 PM and restore it.
D. Identify the Regional cluster ARN for the database. Use the ARN to restore the Regional cluster by using the Restore to point in time feature. Set a target time 14 days ago.
Correct Answer: A
QUESTION 40
A company uses AWS Organizations with all features enabled. The company has enabled AWS Security Hub in all member accounts and in all AWS Regions. The company has created a VPC in the eu-central-1 Region in a member AWS account. A security engineer has verified that no security group rules in the VPC allow inbound traffic from all IP addresses on TCP port 22. The security engineer needs an automated system. The system must prevent the creation of security group rules in the VPC that allow traffic from all IP addresses on TCP port 22. Which solution will meet these requirements?
A. Enable an AWS Cloud Trail organization trail that logs to an Amazon CloudWatch Logs log group. Create a CloudWatch alarm based on a log group metric filter. Configure the alarm to publish to an Amazon Simple Notification Service (Amazon SNS) topic when a security group rule is added that allows inbound traffic from all IP addresses Subscribe the security engineer’s email address to the SNS topic.
B. Create an Amazon EventBridge rule that filters for Security Hub findings about security group rules that allow inbound traffic from all IP addresses on TCP port 22. Configure the EventBridge rule to target an AWS Lambda function that removes the unwanted security group rule.
C. Create an SCP that prevents the creation or modification of security group rules that allow inbound traffic from all IP addresses on TCP port 22.
D. Deploy AWS Network Firewall with a rule that inspects all inbound traffic and prevents incoming traffic on TCP port 22.
Correct Answer: C
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.