QUESTION 41
A company uses an organization in AWS Organizations to manage multiple AWS accounts. The company uses AWS IAM Identity Center to manage access to the accounts. The company uses AWS Directory Service as an identity source. Employees access the AS console and specific AWS accounts and permissions through the AWS access portal. A security engineer creates a new permissions set in IAM Identity Center and assigns the permissions set to one of the member accounts in the organization. The security engineer assigns the permissions set to a user group for developers named DevOps in the member account. The security engineer expects all the developers to see the new permissions set listed for the member account in the AWS access portal. All the developers except for one can see the permissions set. The security engineer must ensure that the remaining developer can see the permissions set in the AWS access portal. Which solution will meet this requirement?
A. Add the remaining developer to the DevOps group in Directory Service
B. Remove and then re-add the permissions set in the member account.
C. Add the service-linked role for organization to the member account.
D. Update the permissions set to allow console access for the remaining developer.
Correct Answer: A
QUESTION 42
A company’s web application is hosted on Amazon EC2 instances running behind an Application Load Balancer (ALB) in an Auto Scaling group. An AWS WAF web ACL is associated with the ALB. AWS CloudTrail is enabled, and stores logs in Amazon S3 and Amazon CloudWatch Logs. The operations team has observed some EC2 instances reboot at random. After rebooting, all access logs on the instances have been deleted. During an investigation, the operations team found that each reboot happened just after a PHP error occurred on the new-user-creation.php file. The operations team needs to view log information to determine if the company is being attacked. Which set of actions will identify the suspect attacker’s IP address for future occurrences?
A. Configure VPC Flow Logs on the subnet where the ALB is located, and stream the data CloudWatch. Search for the new-user-creation.php occurrences in CloudWatch.
B. Configure the CloudWatch agent on the ALB. Configure the agent to send application logs to CloudWatch. Update the instance role to allow CloudWatch Logs access. Export the logs to CloudWatch. Search for the new-user-creation.php occurrences in CloudWatch.
C. Configure the ALB to export access logs to an Amazon OpenSearch Service cluster, and use the service to search for the new-user-creation.php occurrences.
D. Configure the web ACL to send logs to Amazon Data Firehose, which delivers the logs to an S3 bucket. Use Amazon Athena to query the logs and find the new-user-creation.php occurrences.
Correct Answer: D
QUESTION 43
A company needs a cloud-based, managed desktop solution for its workforce of remote employees. The company wants to ensure that the employees can access the desktops only by using company-provided devices. A security engineer must design a solution that will minimize cost and management overhead. Which solution will meet these requirements?
A. Deploy a custom virtual desktop infrastructure (VDI) solution with a restriction policy to allow access only from corporate devices.
B. Deploy a fleet of Amazon EC2 instances. Assign an instance to each employee with certificate-based device authentication that uses Windows Active Directory.
C. Deploy Amazon WorkSpaces. Set up a trusted device policy with IP blocking on the authentication gateway by using AWS Identity and Access Management (IAM).
D. Deploy Amazon WorkSpaces. Create client certificates, and deploy them to trusted devices. Enable restricted access at the directory level.
Correct Answer: D
QUESTION 44
A company uses an organization in AWS Organizations to manage its 250 member accounts. The company also uses AWS IAM Identity Center with a SAML external identity provider (IdP). IAM Identity Center has been delegated to a member account. The company’s security team has access to the delegated account. The security team has been investigating a malicious internal user who might be accessing sensitive accounts. The security team needs to know when the user logged into the organization during the last 7 days. Which solution will quickly identify the access attempts?
A. In the delegated account, use Amazon CloudWatch Logs to search for events that match the user details for all successful attempts.
B. In each member account, use the IAM Identity Center console to search for events that match the user details for all attempts.
C. In the external IdP, use Amazon EventBridge to search for events that match the user details for all attempts.
D. In the organization’s management account, use AWS CloudTrail to search for events that match the user details for all successful attempts.
Correct Answer: D
QUESTION 45
A security engineer receives a notice about suspicious activity from a Linux-based Amazon EC2 instance that uses Amazon Elastic Block Store (Amazon EBS)-based storage. The instance is making connections to known malicious addresses. The instance is in a development account within a VPC that is in the us-east-1 Region. The VPC contains an internet gateway and has a subnet in us-east-1a and us-east-1b. Each subnet is associated with a route table that uses the internet gateway as a default route. Each subnet also uses the default network ACL. The suspicious EC2 instance runs within the us-east-1b subnet. During an initial investigation, a security engineer discovers that the suspicious instance is the only instance that runs in the subnet. Which response will immediately mitigate the attack and help investigate the root cause?
A. Log in to the suspicious instance and use the netstat command to identify remote connections. Use the IP addresses from these remote connections to create deny rules in the security group of the instance. Install diagnostic tools on the instance for investigation. Update the outbound network ACL for the subnet in us-east-1b to explicitly deny all connections as the first rule during the investigation of the instance.
B. Update the outbound network ACL for the subnet in us-east-1b to explicitly deny all connections as the first rule. Replace the security group with a new security group that allows connections only from a diagnostics security group. Update the outbound network ACL for the us-east-1b subnet to remove the deny all rule. Launch a new EC2 instance that has diagnostic tools. Assign the new security group to the new EC2 instance. Use the new EC2 instance to investigate the suspicious instance.
C. Ensure that the Amazon Elastic Block Store (Amazon EBS) volumes that are attached to the suspicious EC2 instance will not delete upon termination. Terminate the instance. Launch a new EC2 instance in us-east-1a that has diagnostic tools. Mount the EBS volumes from the terminated instance for investigation.
D. Create an AWS WAF web ACL that denies traffic to and from the suspicious instance. Attach the AWS WAF web ACL to the instance to mitigate the attack. Log in to the instance and install diagnostic tools to investigate the instance.
Correct Answer: C
QUESTION 46
A company’s security team wants to receive email notification from AWS about any abuse reports regarding DoS attacks. A security engineer needs to implement a solution that will provide a near-real-time alert for any abuse reports that AWS sends for the account. The security engineer already has created an Amazon Simple Notification Service (Amazon SNS) topic and has subscribed the security team’s email address to the topic. What should the security engineer do next to meet these requirements?
A. Use the AWS Trusted Advisor API to detect an AWS abuse report notification type of AWS_ABUSE_DOS_REPORT. Create an AWS Lambda function that uses the Trusted Advisor API to check for the notification. Create an Amazon EventBridge rule to run the Lambda function every minute. Configure the Lambda function to publish a message to the SNS topic if a notification is discovered.
B. Create an Amazon EventBridge rule that uses AWS Health and identifies a specific event for AWS_ABUSE_DOS_REPORT. Configure the rule action to publish a message to the SNS topic.
C. Use the AWS Support API to detect an AWS abuse report case with the subject of AWS_ABUSE_DOS_REPORT. Create an AWS Lambda function that uses the AWS Support API to check for a support case. Create an Amazon EventBridge rule to run the Lambda function every minute. Configure the Lambda function to publish a message to the SNS topic if a case is discovered.
D. Configure AWS CloudTrail to send logs to Amazon CloudWatch Logs. Create a CloudWatch Logs metric fitter for any AWS_ABUSE_DOS_REPORT event that is detected Configure an Amazon CloudWatch alarm to publish a message to the SNS topic if the metric filter threshold is reached.
Correct Answer: B
QUESTION 47
A security engineer needs to control access to data that is encrypted with an AWS Key Management Service (AWS KMS) customer managed key. The security engineer also needs to use additional authenticated data (AAD) to prevent tampering with ciphertext. Which solution will meet these requirements?
A. Pass the key alias to AWS KMS when calling the Encrypt and Decrypt API actions.
B. Use IAM policies to restrict access to the Encrypt and Decrypt API actions.
C. Use the kms: EncryptionContext condition key when defining IAM policies for the customer managed key.
D. Use key policies to restrict access to the appropriate IAM groups.
Correct Answer: C
QUESTION 48
A company has an encrypted Amazon Aurora DB cluster in the us-east-1 Region. The DB cluster is encrypted with an AWS Key Management Service (AWS KMS) customer managed key. To meet compliance requirements, the company needs to copy a DB snapshot to the us-west-1 Region. However, when the company tries to copy the snapshot to us-west-1, the company cannot access the key that was used to encrypt the original database. What should the company do to set up the snapshot in us-west-1 with proper encryption?
A. Use AWS Secrets Manager to store the customer managed key in us-west-1 as a secret. Use this secret to encrypt the snapshot in us-west-1.
B. Create a new customer managed key in us-west-1. Use this new key to encrypt the snapshot in us-west-1.
C. Create an IAM policy that allows access to the customer managed key in us-east-1. Specify arn.aws:kms.us-west-1:* as the principal.
D. Create an IAM policy that allows access to the customer managed key in us-east-1. Specify arn.aws.rds us-west-1:* as the principal.
Correct Answer: B
QUESTION 49
A company has the following security policy for its Amazon Aurora MySQL databases for a single AWS account:
1. Database storage must be encrypted at rest.
2. Deletion protection must be enabled
3. Databases must not be publicly accessible.
4. Database audit logs must be published to Amazon CloudWatch Logs.
A security engineer must implement a solution that continuously monitors all Aurora MySQL resources for continuous compliance with this policy. The solution must be able to display a database’s compliance state for each part of the policy at any time. Which solution will meet these requirements?
A. Enable AWS Audit Manager. Configure Audit Manager to use a custom framework that matches the security requirements. Create an assessment report to view the compliance state.
B. Enable AWS Config. Implement AWS Config managed rules that monitor all Aurora MySQL resources for the security requirements. View the compliance state in the AWS Config dashboard.
C. Enable AWS Security Hub. Create a configuration policy that includes the security requirements. Apply the configuration policy to all Aurora MySQL resources. View the compliance state in Security Hub.
D. Create an Amazon EventBridge rule that runs when an Aurora MySQL resource is created or modified. Create an AWS Lambda function to verify the security requirements and to send the compliance state to a CloudWatch custom metric.
Correct Answer: B
QUESTION 50
A company has a web application that reads from and writes to an Amazon S3 bucket. The company needs to use AWS credentials to authenticate all S3 API calls to the S3 bucket. Which solution will provide the application with AWS credentials to make S3 API calls?
A. Integrate the application with Amazon Cognito identity pools. Use the Getld API operation to obtain AWS credentials to make authenticated calls to the S3 API.
B. Integrate the application with Amazon Cognito identity pools. Use the AssumeRoleWithWebIdentity API operation to obtain AWS credentials to make authenticated calls to the S3 API.
C. Integrate the application with Amazon Cognito user pools. Use the ID token to obtain AWS credentials to make authenticated calls to the S3 API.
D. Integrate the application with Amazon Cognito user pools. Use the access token to obtain AWS credentials to make authenticated calls to the S3 API.
Correct Answer: A
QUESTION 51
A security engineer needs to centralize logging from VPC Flow Logs and AWS CloudTrail. The security engineer also needs to query the log data after an incident occurs. Which solution will meet these requirements?
A. Configure VPC Flow Logs and CloudTrail to send the log data directly to Amazon CloudWatch Logs. Query the log data by using a metric filter.
B. Configure VP Flow Logs and CloudTrail to send the log data directly to Amazon CloudWatch Logs. Query the log data by using a subscription filter.
C. Configure VPC Flow Logs and CloudTrail to send the log data directly to Amazon DynamoDB. Use the DynamoDB Query API operation to query items based on their primary key values.
D. Configure VPC Flow Logs and CloudTrail to send the log data directly to an Amazon S3 bucket. Use Amazon Athena to query the log data.
Correct Answer: C
QUESTION 52
A company has an organization in AWS Organizations. The company has created an Amazon Simple Queue Service (Amazon SQS) queue to receive messages from applications in the company’s AWS accounts. The SQS access policy currently allows all AM principals to perform any SQS action on the queue. The company must prevent all principals except member accounts in the organization from sending and receiving messages. The company needs this restriction to apply to any new accounts that are added to the organization. Which solution will meet these requirements?
A. Create an SCP that denies Amazon SQS actions for accounts that are not in the organization. Apply the SCP to the root OU of the organization.
B. Create an SCP that explicitly allows Amazon SQS actions for accounts that are in the organization. Apply the SCP to the root OU of the organization.
C. Edit the Amazon SQS access policy. In the existing statement that allows all IAM principals, replace the principals to allow only specific account IDs for accounts in the organization.
D. Edit the Amazon SQS access policy. In the existing statement that allows all IAM principals, add the aws: PrincipalOrgID condition key and specify the organization ID.
Correct Answer: D
QUESTION 53
A company has a device that collects low volumes of data from a weather station in a remote location. The device has access to the internet. The software that sends the data must use Secure Copy Protocol to transfer the data to a Linux-based Amazon EC2 instance every 24 hours. After a migration, the instance now runs in a private subnet in a VPC. The VPC has no internet gateway, no public subnets, and no VPC endpoints. The company must transfer the data to the instance without allowing any direct public access to the instance. Which solution will meet these requirements?
A. Configure AWS Systems Manager Session Manager to connect to the instance in the private subnet. Use the AWS CLI to open an SSH session to the instance to upload the data over Secure Copy Protocol.
B. Configure an EC2 Instance Connect endpoint in the private subnet. Use the Secure Copy Protocol ProxyCommand to open an EC2 Instance Connect tunnel to the instance to upload the data.
C. Set up an AWS Network Firewall firewall with a Gateway Load Balancer endpoint in the private subnet. Create a rule that allows access to the instance over SSH. Use the firewall endpoint IP address to upload the data to the instance over Secure Copy Protocol.
D. Create an Amazon S3 File Gateway and connect it to the device. Create an S3 bucket to upload the data through the S3 File Gateway over Secure Copy Protocol. Remotely log in to the instance to download the data directly from the S3 bucket.
Correct Answer: A
QUESTION 54
A company has several Amazon S3 buckets that do not enforce encryption in transit. A security engineer must implement a solution that enforces encryption in transit for all the company’s existing and future S3 buckets. Which solution will meet these requirements?
A. Enable AWS Config. Create a proactive AWS Config Custom Policy rule. Create a Guard clause to evaluate the S3 bucket policies to check for a value of True for the aws: SecureTransport condition key. If the AWS Config rule evaluates to NON_COMPLIANT, block resource creation.
B. Enable AWS Config. Configure the s3-bucket-ssl-requests-only AWS Config managed rule and set the rule trigger type to Hybrid. Create an AWS Systems Manager Automation runbook that applies a bucket policy to deny requests when the value of the aws: Secure Transport condition key is False. Configure automatic remediation. Set the runbook as the target of the rule.
C. Enable Amazon Inspector. Create a custom AWS Lambda rule. Create a Lambda function that applies a bucket policy to deny requests when the value of the aws: SecureTransport condition key is False. Set the Lambda function as the target of the rule.
D. Create an AWS Cloud Trail trail. Enable S3 data events on the trail. Create an AWS Lambda function that applies a bucket policy to deny requests when the value of the aws:Secure Transport condition key is False. Configure the Cloud Trail trail to invoke the Lambda function.
Correct Answer: B
QUESTION 55
A company stores signed legal contracts for loans in an Amazon S3 bucket that has versioning enabled. Each contract must be stored until the loan is paid back or for 10 years if the loan is not paid back. The company needs a solution that allows only users with special permissions to delete or modify the contracts before the 10 years pass. After 10 years, the contracts must be deleted automatically. Which solution will meet these requirements?
A. Configure S3 Object Lock on the bucket with a retention period of 10 years. Specify governance mode as the retention mode. Create an S3 Lifecycle policy that will expire objects after 10 years.
B. Configure S3 Object Lock on the bucket with a retention period of 10 years. Specify compliance mode as the retention mode. Create an S3 Lifecycle policy that will expire objects after 10 years.
C. Configure S3 Object Lock on the bucket with a retention period of 10 years. Place a legal hold on the objects. Create an S3 Lifecycle policy that will remove versioning for the objects and expire objects after 10 years.
D. Configure S3 Object Lock on the bucket. Specify compliance mode as the retention mode. Place a legal hold on the objects. Create an S3 Lifecycle policy that will expire the objects after 10 years.
Correct Answer: B
QUESTION 56
A company uses AWS Organizations. The company has teams that use an AWS CloudHSM hardware security module (HSM) that is hosted in a central AWS account. One of the teams creates its own new dedicated AWS account and wants to use the HSM that is hosted in the central account. How should a security engineer share the HSM that is hosted in the central account with the new dedicated account?
A. Use AWS Resource Access Manager (AWS RAM) to share the VPC subnet ID of the HSM that is hosted in the central account with the new dedicated account. Configure the CloudHSM security group to accept inbound traffic from the private IP addresses of client instances in the new dedicated account.
B. Use AWS Identity and Access Management (IAM) to create a cross-account role to access the CloudHSM cluster that is in the central account. Create a new IAM user in the new dedicated account. Assign the cross-account role to the new IAM user.
C. Use AWS IAM Identity Center to create an AWS Security Token Service (AWS STS) token to authenticate from the new dedicated account to the central account. Use the cross-account permissions that are assigned to the STS token to invoke an operation on the HSM in the central account.
D. Use AWS Resource Access Manager (AWS RAM) to share the ID of the HSM that is hosted in the central account with the new dedicated account. Configure the CloudHSM security group to accept inbound traffic from the private IP addresses of client instances in the new dedicated account.
Correct Answer: A
QUESTION 57
A company wants to migrate its static primary domain website to AWS. The company hosts the website and DNS servers internally. The company wants the website to enforce SSL/TLS encryption, block IP addresses from outside the United States (US), and take advantage of managed services whenever possible. Which solution will meet these requirements?
A. Migrate the website to Amazon S3. Import a public SSL certificate to an Application Load Balancer with rules to block traffic from outside the US. Migrate DNS to Amazon Route 53.
B. Migrate the website to Amazon EC2. Import a public SSL certificate that is created by AWS Certificate Manager (ACM) to an Application Load Balancer with rules to block traffic from outside the US. Update DNS accordingly.
C. Migrate the website to Amazon S3. Import a public SSL certificate to Amazon CloudFront. Use AWS WAF rules to block traffic from outside the US. Update DNS accordingly.
D. Migrate the website to Amazon S3. Import a public SSL certificate that is created by AWS Certificate Manager (ACM) to Amazon CloudFront. Configure CloudFront to block traffic from outside the US. Migrate DNS to Amazon Route 53.
Correct Answer: D
QUESTION 58
A security engineer needs to analyze Apache web server access logs that are stored in an Amazon S3 bucket. Amazon EC2 instance web servers generated the logs. The EC2 instances have the Amazon CloudWatch agent installed and configured to report their access logs. The security engineer needs to use a query in Amazon Athena to analyze the logs. The query must identify IP addresses that have attempted and failed to access restricted web server content held at the /admin URL path. The query also must identify the URLs that the IP addresses attempted to access. Which query will meet these requirements?
A. SELECT client_ip, client_request FROM logs WHERE client_request LIKE ‘%/admin%’ AND server_status = ‘403’
B. SELECT client_ip FROM logs WHERE client_request CONTAINS ‘%/admin%’. AND server_status = ‘401’ GROUP BY client_ip
C. SELECT DISTINCT (client_ip), client_request, client_id FROM logs WHERE server_status =’403′ LIMIT 1000
D. SELECT DISTINCT (client_ip), client_request FROM logs WHERE user_id ‘admin’ AND server_status = ‘401’
Correct Answer: A
QUESTION 59
A company uses AWS Organizations to manage its AWS accounts. The company needs to enforce server-side encryption with AWS KMS keys (SSE-KMS) on its Amazon S3 buckets. Which solution will meet this requirement?
A. Edit the S3 bucket policies to require requests to include the s3:x-amz-server-side-encryption header.
B. Edit the S3 bucket policies to require requests to include the s3:x-amz-server-side-encryption-aws-kms-key-id header.
C. Create an SCP that requires requests to include the s3:x-amz-server-side-encryption header. Attach the SCP to the root OU.
D. Create an SCP that requires requests to include the s3:x-amz-server-side-encryption-customer-algorithm header. Attach the SCP to the root OU
Correct Answer: B
QUESTION 60
A company uses AWS CodePipeline for its software builds. Company policy mandates that code must be deployed to the staging environment before it is deployed to the production environment. The company needs to implement monitoring and alerting to detect when a CodePipeline pipeline is used to deploy code to production without the code first being deployed to staging. What should a security engineer do to meet these requirements?
A. Enable Amazon GuardDuty to monitor AWS CloudTrail for CodePipeline. Configure findings through AWS Security Hub, and create a custom action in Security Hub to send to Amazon Simple Notification Service (Amazon SNS).
B. Use the AWS Cloud Development Kit (AWS CDK) to model a reference-architecture CodePipeline pipeline that deploys application code through the staging environment and then the production environment.
C. Turn on AWS Config recording. Use a custom AWS Config rule to examine each CodePipeline pipeline for compliance. Configure an Amazon Simple Notification Service (Amazon SNS) notification on any change that is not in compliance with the rule. Add the desired receiver of the notification as a subscriber to the SNS topic.
D. Use Amazon Inspector to conduct an assessment of the CodePipeline pipelines and send a notification upon the discovery of a pipeline that is not in compliance. Add the desired receiver of the notification as a subscriber to the Amazon Simple Notification Service (Amazon SNS) topic.
Correct Answer: C
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.