QUESTION 61
A company has implemented AWS WAF and Amazon CloudFront for an application. The application runs on Amazon EC2 instances that are part of an Auto Scaling group. The Auto Scaling group is behind an Application Load Balancer (ALB). The AWS WAF web ACL uses an AWS Managed Rules rule group and is associated with the CloudFront distribution. CloudFront receives the request from AWS WAF and then uses the ALB as the distribution’s origin. During a security review, a security engineer discovers that the infrastructure is susceptible to a large, layer 7 DDoS attack. How can the security engineer improve the security at the edge of the solution to defend against this type of attack?
A. Configure the CloudFront distribution to use the Lambda@Edge feature. Create an AWS Lambda function that imposes a rate limit on CloudFront viewer requests. Block the request if the rate limit is exceeded.
B. Configure the AWS WAF web ACL so that the web ACL has more capacity units to process all AWS WAF rules faster.
C. Configure AWS WAF with a rate-based rule that imposes a rate limit that automatically blocks requests when the rate limit is exceeded.
D. Configure the CloudFront distribution to use AWS WAF as its origin instead of the ALB.
Correct Answer: C
QUESTION 62
A company uses Amazon Route 53 to create a public DNS zone for the domain example.com in Account A. The company creates another public DNS zone for the subdomain dev.example.com in Account B. A security engineer creates a wildcard certificate (*.dev.example.com) with DNS validation by using AWS Certificate Manager (ACM). The security engineer validates that the corresponding CAME records have been created in the zone for dev.example.com in Account B. After all these operations are completed, the certificate status is still pending validation. What should the security engineer do to resolve this issue?
A. Purchase a valid wildcard certificate authority (CA) certificate that supports managed renewal. Import this certificate into ACM in Account B.
B. Add NS records for the subdomain dev.example. com to the Route 53 parent zone example.com in Account A.
C. Use AWS Private Certificate Authority to create a subordinate certificate authority (CA). Use ACM to generate a private certificate that supports managed renewal.
D. Resend the email message that requests ownership validation of dev.example.com.
Correct Answer: B
QUESTION 63
A company is running a new workload across accounts that are in an organization in AWS Organizations. All running resources must have a tag of CostCenter, and the tag must have one of three approved values. The company must enforce this policy and must prevent any changes of the CostCenter tag to a non-approved value. Which solution will meet these requirements?
A. Create an AWS Config Custom Policy rule by using AWS CloudFormation Guard. Include the tag key of CostCenter and the approved values. Create an SCP that denies the creation of resources when the value of the aws:Request Tag/CostCenter condition key is not one of the three approved values.
B. Create an AWS CloudTrail trail. Create an Amazon EventBridge rule that includes a rule statement that matches the creation of new resources. Configure the EventBridge rule to invoke an AWS Lambda function that checks for the CostCenter tag. Program the Lambda function to block creation in case of a noncompliant value.
C. Enable tag policies for the organization. Create a tag policy that specifies a tag key of CostCenter and the approved values. Configure the policy to enforce noncompliant operations. Create an SCP that denies the creation of resources when the aws: RequestTag/CostCenter condition key has a null value.
D. Enable tag policies for the organization. Create a tag policy that specifies a tag key of CostCenter and the approved values. Create an Amazon EventBridge rule that invokes an AWS Lambda function when a noncompliant tag is created. Program the Lambda function to block changes to the tag.
Correct Answer: C
QUESTION 64
A company runs a web application on a fleet of Amazon EC2 instances behind an Application Load Balancer (ALB). The ALB is associated with an AWS WAF web ACL that includes several AWS managed rules in Block mode. The ALB and the web ACL are configured to send logs to Amazon S3. Additionally, the web application sends requests to a log group in Amazon CloudWatch Logs. The web ACL is blocking a specific request to the web application. A security engineer must determine which web ACL rule is blocking the request. Which solution will provide this information?
A. Use Amazon Athena to query the ALB logs by the request ID of the blocked request.
B. Use Amazon Athena to query the web ACL logs by the request ID of the blocked request.
C. Use CloudWatch Logs Insights to query the application logs by the request ID of the blocked request.
D. Use CloudWatch Logs Insights to query the web ACL logs by the request ID of the blocked request.
Correct Answer: D
QUESTION 65
A company that builds document management systems recently performed a security review of its application on AWS. The review showed that uploads of documents through signed URLs into Amazon S3 could occur in the application without encryption in transit. A security engineer must implement a solution that prevents uploads that are not encrypted in transit. Which solution will meet this requirement?
A. Ensure that all client implementations are using HTTPS to upload documents into the application.
B. Configure the s3-bucket-ssl-requests-only managed rule in AWS Config.
C. Add an S3 bucket policy that denies all S3 actions for condition “aws:secure Transport”: “false”.
D. Add an S3 bucket ACL with a grantee of AllUsers, a permission of WRITE, and a condition of secure Transport.
Correct Answer: C
QUESTION 66
A company is running a container-based workload on AWS. The workload runs on an Amazon Elastic Container Service (Amazon ECS) cluster and uses container images from an Amazon Elastic Container Registry (Amazon ECR) repository. The company recently experienced a security incident that involved a container image that included critical vulnerabilities. A CI/CD pipeline that was running outside AWS uploaded the image to the ECR repository and deployed the image to the ECS cluster. Which solution will prevent images that have vulnerabilities from being pushed to the ECR repository?
A. Configure the private ECR registry to use enhanced scanning with the scan on push option. Create an Amazon EventBridge rule that invokes an AWS Lambda function when a critical vulnerability is found. Program the Lambda function to block the image push.
B. Configure Amazon Inspector. Invoke the Amazon Inspector Scan API operation from the CI/CD pipeline. Create an Amazon EventBridge rule that invokes an AWS Lambda function when a critical vulnerability is found. Program the Lambda function to return a failed result to Amazon Inspector.
C. Create an Amazon Inspector custom CI/CD integration. Install and configure the Amazon Inspector Software Bill of Materials (SBOM) Generator (Sbomgen) binary. Generate an SBOM. Invoke the Amazon Inspector Scan API operation. In case of critical vulnerabilities, fail the CI/CD pipeline.
D. Enable ECR image scanning on the ECR repository. Configure the continuous scanning option. Set the scanning configuration setting for the private registry to basic scanning. In case of critical vulnerabilities, fail the CI/CD pipeline.
Correct Answer: A
QUESTION 67
A security engineer is creating a new Amazon Open Search Service cluster. The cluster will act as a data warehouse. A separate fleet of application servers will extract records from the data warehouse and will transform these records into reports that will be uploaded to Amazon S3 buckets. The security engineer must securely configure the OpenSearch Service cluster so that only the application servers can access it. Which solution meets these requirements?
A. Configure network ACLs on the subnets that host the OpenSearch Service instances to allow access from the application servers only.
B. Configure a VPC peering connection between the VPC that contains the application servers and the VPC that contains the OpenSearch Service cluster.
C. Monitor the VPC flow logs for traffic that is destined for the OpenSearch Service cluster. Use the flow logs to detect traffic that did not originate from the application servers.
D. Configure the OpenSearch Service cluster for VPC access only. Use a security group to allow access to the OpenSearch Service cluster from the application servers only.
Correct Answer: D
QUESTION 68
A company has multiple accounts in the AWS Cloud. Users in the developer account need to have access to specific resources in the production account. What is the MOST secure way to provide this access?
A. Create one IAM user in the production account. Grant the appropriate permissions to the resources that are needed. Share the password only with the users that need access.
B. Create cross-account access with an IAM role in the developer account. Grant the appropriate permissions to this role. Allow users in the developer account to assume this role to access the production resources.
C. Create cross-account access with an IAM user account in the production account. Grant the appropriate permissions to this user account. Allow users in the developer account to use this user account to access the production resources.
D. Create cross-account access with an IAM role in the production account. Grant the appropriate permissions to this role. Allow users in the developer account to assume this role to access the production resources.
Correct Answer: D
QUESTION 69
A company is concerned about the overuse of an IAM role. The company needs to restrict access to the role so that only users from a specific public IP address can assume the role. Which solution will meet this requirement?
A. Edit the trust policy of the role to include the aws:Sourcelp condition key. Set the value to the IP address.
B. Edit the trust policy of the role to include the sts:AssumeRole action. Set the resource to the IP address.
C. Edit the IAM policy that is attached to the role to include the aws:CalledVia condition key. Set the value to the IP address.
D. Edit the IAM policy that is attached to the role to include the sts:AssumeRole action. Set the resource to the IP address.
Correct Answer: A
QUESTION 70
A company uses AWS Key Management Service (AWS KMS) for an application that requires encryption operations for sensitive data. Because of new compliance rules, the company needs a solution to fulfill the following requirements:
1. The company’s security team must be able to create, delete, and manage key material.
2. The solution must not store the customer’s key material in a shared environment.
3. The solution must maintain existing access control policies and KMS service integration.
4. The application must be able to use existing AWS KMS APIs, the AWS CLI, or the AWS Encryption SDK.
5. The solution must reside in the AWS Cloud.
6. The solution must be highly available.
Which solution will meet these requirements?
A. Deploy an AWS CloudHSM cluster into the application VPC. Add a single hardware security module (HSM). Create a CloudHSM user. Create a custom key store entry in AWS KMS. Connect AWS KMS to the CloudHSM cluster. Create a KMS key that has CloudHSM as the key material source.
B. Create a custom key store in AWS KMS. Upload key material from an open-source key management solution that runs on a hardened Amazon EC2 instance that runs Amazon Linux 2.
C. Create two Hash-based Message Authentication Code (HMAC) KMS keys in AWS KMS. Update the KMS policy to allow the security team to import custom key materials into the HMAC keys.
D. Deploy an AWS CloudHSM cluster into the application VPC. Add two hardware security modules (HSMs). Create a CloudHSM user. Create a custom key store entry in AWS KMS. Connect AWS KMS to the CloudHSM cluster. Create a KMS key that has CloudHSM as the key material source.
Correct Answer: D
QUESTION 71
A security team is using Amazon EC2 Image Builder to build a hardened AMI with forensic capabilities. An AWS Key Management Service (AWS KMS) key will encrypt the forensic AMI. EC2 Image Builder successfully installs the required patches and packages in the security team’s AWS account. The security team uses a federated IAM role in the same AWS account to sign in to the AWS Management Console and attempts to launch the forensic AMI. The EC2 instance launches and immediately terminates. What should the security team do to launch the EC2 instance successfully?
A. Update the policy that is associated with the federated IAM role to allow the ec2:Describelmages action for the forensic AMI.
B. Update the policy that is associated with the federated IAM role to allow the ec2:Startinstances action in the security team’s AWS account.
C. Update the policy that is associated with the KMS key that is used to encrypt the forensic AMI. Configure the policy to allow the kms:Encrypt and kms:Decrypt actions for the federated IAM role.
D. Update the policy that is associated with the federated IAM role to allow the kms: DescribeKey action for the KMS key that is used to encrypt the forensic AMI
Correct Answer: C
QUESTION 72
A company needs to log object-level activity in its Amazon S3 buckets. The company also needs to validate the integrity of the log file by using a digital signature. Which solution will meet these requirements?
A. Create an AWS CloudTrail trail with log file validation enabled. Enable data events. Specify Amazon S3 as the data event type.
B. Create a new S3 bucket for S3 server access logs. Configure the existing S3 buckets to send their S3 server access logs to the new S3 bucket.
C. Create an Amazon CloudWatch Logs log group. Configure the existing S3 buckets to send their S3 server access logs to the log group.
D. Create a new S3 bucket for S3 server access logs with log file validation enabled. Enable data events. Specify Amazon S3 as the data event type.
Correct Answer: A
QUESTION 73
A company is migrating a legacy application that will run on an Amazon EC2 instance with the latest version of the Windows Server operating system. The application contains sensitive information. The EC2 instance must not be directly accessible from the internet. Additionally, the company’s operations staff must be able to connect to the EC2 instance by using RDP. The operations staff’s session must be traced back to an individual. Which combination of steps will meet these requirements with the LEAST exposure of credentials or keys? (Select THREE.)
A. Place the EC2 instance in a public subnet. Configure the EC2 instance’s security group to allow port 3389 from IP addresses within the company’s network.
B. Place the EC2 instance in a private subnet. Launch a bastion EC2 instance in a public subnet. Configure the security group for the bastion EC2 instance to allow port 3389 from IP addresses of the company’s network.
C. Place the EC2 instance in a private subnet. Install AWS Systems Manager Agent on the EC2 instance.
D. Instruct the operations staff to install the AWS Systems Manager plugin for the AWS CLI on their workstations.
E. Instruct the operations staff to connect to the company’s network and use RDP to connect to the application EC2 instance through the bastion EC2 instance.
F. Open a port forwarding session to the EC2 instance by using the AWS Systems Manager start-session command. Use RDP to connect to the EC2 instance.
Correct Answer: CDF
QUESTION 74
A company wants to gain better control of its large number of AWS accounts by establishing a centralized location where the accounts can be managed. The company also wants to prevent any users outside the company-owned AWS accounts from accessing a company Amazon S3 bucket. Which solution meets these requirements with the LEAST amount of operational overhead?
A. Implement an organization in AWS Organizations. Build a detective control by monitoring AWS CloudTrail logs for attempts to access the S3 bucket from IP addresses outside the company.
B. Deploy an AWS Control Tower landing zone, and migrate the accounts. Create an S3 bucket policy that restricts access to only a principal list of accounts that have been manually entered.
C. Create an organization in AWS Organizations. Invite the AWS accounts to join the organization. Create a resource policy that includes a PrincipalOrgID condition key for the S3 bucket.
D. Invite all of the company’s AWS accounts into AWS Control Tower. Use AWS Control Tower’s automatic protection for the AWS accounts to deny access from external users.
Correct Answer: C
QUESTION 75
A company uses Amazon CloudWatch to monitor application metrics. A security engineer needs to centralize the metrics from several AWS accounts. The security engineer also must create a dashboard to securely share the metrics with customers. Which solution will meet these requirements?
A. Set up a designated monitoring account. Configure the necessary permissions in CloudWatch for source accounts to send metrics to the monitoring account Create a CloudWatch dashboard that includes the metrics. Share the dashboard by using SSO. Configure Amazon Cognito as the SSO provider.
B. Set up a designated monitoring account. Configure the necessary permissions for a CloudWatch wizard to query the metrics from source accounts. Create a CloudWatch dashboard that includes the metrics. Share the dashboard by using SSO. Configure AWS IAM Identity Center as the SSO provider.
C. Use AWS Resource Access Manager (AWS RAM) to share CloudWatch metrics between the accounts. Set up a designated monitoring account. Create a CloudWatch dashboard that includes the metrics. Share the dashboard by using SSO. Configure AWS IAM Identity Center as the SSO provider.
D. Use AWS Resource Access Manager (AWS RAM) to share CloudWatch metrics between the accounts. Set up a designated monitoring account. Create a CloudWatch dashboard that includes the metrics. Share the dashboard. Specify the email addresses of users who can use a password to view the dashboard.
Correct Answer: C
QUESTION 76
A company is running a containerized application on an Amazon Elastic Container Service (Amazon ECS) cluster that uses AWS Fargate. The application runs as several ECS services. The ECS services are in individual target groups for an internet-facing Application Load Balancer (ALB). The ALB is the origin for an Amazon CloudFront distribution. An AWS WAF web ACL is associated with the CloudFront distribution. Web clients access the ECS services through the CloudFront distribution. The company learns that the web clients can bypass the web ACL and can access the ALB directly. Which solution will prevent the web clients from directly accessing the ALB?
A. Create an AWS PrivateLink endpoint. Specify the existing ALB as the target. Update the CloudFront distribution by setting the PrivateLink endpoint as the origin.
B. Create a new internal ALB. Move all the ECS services to the internal ALB. Delete the internet-facing ALB. Update the CloudFront distribution by setting the internal ALB as the origin.
C. Modify the listener rules for the existing ALB. Add a condition to forward only the requests that come from IP addresses in the CloudFront origin prefix list.
D. Update the CloudFront distribution by adding the X-Shared-Secret custom header for the origin. Modify the listener rules for the existing ALB to forward only the requests in which the X-Shared-Secret header has the correct value.
Correct Answer: D
QUESTION 77
A security engineer suspects that an attacker has exploited an overly permissive IAM role in a company’s AWS account during the past 24 hours. The security engineer removes all permissions from the role. The company has enabled AWS Security Hub, Amazon GuardDuty, AWS Audit Manager, and AWS CloudTrail. The company also has an existing Amazon Simple Notification Service (Amazon SNS) topic. The security engineer must receive an alert through the SNS topic if there are any attempts to use the role again. Which solution will provide this alert?
A. Configure a Security Hub custom action that includes a resource of the role ARN. Configure the action to run if the role is used. Configure the action to notify the SNS topic.
B. Create a GuardDuty custom finding to detect that the role has been used. Create an Amazon EventBridge rule that runs when the finding occurs in GuardDuty. Configure the SNS topic as the target of the EventBridge rule.
C. Configure Audit Manager to run assessment reports every 24 hours. Create an Amazon EventBridge rule that runs when the assessment report is created. Configure the SNS topic as the target of the EventBridge rule.
D. Configure CloudTrail to send logs to a log group in Amazon CloudWatch Logs. Create a metric filter for the log group. Include a filter pattern to match the role name. Create a CloudWatch alarm for the metric filter. Configure the alarm to notify the SNS topic.
Correct Answer: A
QUESTION 78
A security engineer receives an abuse report email message from the AWS Trust and Safety team. The abuse report identifies a resource that appears to be compromised. The abuse report indicates that the resource is an IAM access key that belongs to a DevOps engineer in the security engineer’s company. The access key is used in a deployment system that uses AWS Lambda functions to launch AWS CloudFormation stacks. The security engineer must address the abuse report, prevent any further use of the exposed access key, and implement security best practices. Which solution will meet these requirements?
A. Locate the compromised IAM access key and deactivate or delete the key. Generate new access keys for the Lambda deployment process. Apply the new keys to the deployment system. In the account that contained the compromised key, create a new support case in AWS Support to detail these remediation steps.
B. Delete or deactivate the compromised IAM access key. Discontinue the use of IAM access keys. Create a new IAM role for the Lambda deployment process. Apply the IAM role to the deployment system Lambda functions. Respond directly to the abuse report message to detail these remediation steps.
C. Locate the compromised IAM access key. Delete the IAM user that is associated with the access key. Generate a new access key. Store the new key as an AWS Secrets Manager secret. Encrypt the secret with an AWS Key Management Service (AWS KMS) customer managed key. Update the Lambda functions to retrieve the access key from AWS Secrets Manager at runtime. In the account that contained the compromised key, create a new support case in AWS Support to detail these remediation steps.
D. Delete or deactivate the compromised IAM access key. Generate and store a new access key as an environmental variable within the configuration of the deployment system’s Lambda functions. Respond directly to the abuse report message to detail these remediation steps.
Correct Answer: D
QUESTION 79
A company has an AWS account that includes an Amazon S3 bucket. The S3 bucket uses server-side encryption with AWS KMS keys (SSE-KMS) to encrypt all the objects at rest by using a customer managed key. The S3 bucket does not have a bucket policy. An IAM role in the same account has an IAM policy that allows s3:List* and s3:Get* permissions for the S3 bucket. When the IAM role attempts to access an object in the S3 bucket, the role receives an access denied message. Why does the IAM role not have access to the objects that are in the S3 bucket?
A. The IAM role does not have permission to use the KMS CreateKey operation.
B. The S3 bucket lacks a policy that allows access to the customer managed key that encrypts the objects.
C. The IAM role does not have permission to use the customer managed key that encrypts the objects that are in the S3 bucket.
D. The ACL of the S3 objects does not allow read access for the objects when the objects are encrypted at rest.
Correct Answer: C
QUESTION 80
A company has many member accounts in an organization in AWS Organizations. The company is concerned about the potential for misuse of the AWS account root user credentials for member accounts in the organization. To address this potential misuse, the company wants to ensure that even if the account root user credentials are compromised, the account is still protected. Which solution will meet this requirement?
A. Block service access by using SCPs for the root user.
B. Remove the password for the root user.
C. Delete access keys for the root user.
D. Create an Amazon EventBridge rule to detect any AWS account root user API events.
Correct Answer: C
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.