QUESTION 81
A security engineer needs to automate the management of data that is stored in several Amazon S3 buckets. The data is rarely used after 90 days. When the data is accessed, the data must be available within a few hours. The data must be deleted after 2 years. Which solution will meet these requirements?
A. Create an Amazon Data Lifecycle Manager custom policy. Specify for objects to move to S3 Glacier Flexible Retrieval after 90 days and for objects to be deleted after 2 years.
B. Create an Amazon Data Lifecycle Manager default policy. Specify for objects to move to S3 Glacier Deep Archive after 90 days. Specify the deletion of noncurrent object versions after 2 years.
C. Create an S3 Lifecycle configuration for each S3 bucket. Add a rule to transition objects to S3 Glacier Flexible Retrieval after 90 days. Add another rule to expire objects after 2 years.
D. Create an S3 Lifecycle configuration for each S3 bucket. Add a rule to transition objects to S3 Glacier Deep Archive after 90 days. Add another rule to expire noncurrent object versions after 2 years.
Correct Answer: D
QUESTION 82
A company has an organization in AWS Organizations and uses a centralized security account. The company needs to deploy a set of detective controls to monitor configuration for Amazon S3, Amazon EC2,and Amazon RDS across the organization. The controls must map to the latest Center for Internet Security (CIS) Benchmarks. The controls must be deployed across all the accounts in the organization automatically and must apply to all the AWS Regions that the organization uses. Which solution will meet these requirements?
A. Enable AWS Config. Create an AWS CloudFormation template that contains AWS Config rules that map to the latest CIS Benchmarks. Deploy the rules to the security account. Create an AWS Config aggregator to aggregate all accounts and Regions across the organization into the security account.
B. Enable Amazon GuardDuty for each Region that the organization uses. Configure the security account as the delegated administrator. Aggregate findings from all the organization’s accounts into the security account.
C. Enable Amazon Inspector. Configure the security account as the delegated administrator. Use Amazon Inspector to create a recurring CIS scan for each Region. Include all the organization’s accounts in the scan. View the scan results to determine the configuration of the AWS resources.
D. Enable AWS Security Hub. Configure the security account as the delegated administrator. From the security account, deploy a Security Hub central configuration policy that aggregates Regions,includes all accounts, and enables the latest CIS AWS Foundations Benchmark.
Correct Answer: D
QUESTION 83
A company needs to detect malicious activity in its workloads. The company’s infrastructure includes Amazon EC2 instances that are managed by AWS Systems Manager. The infrastructure also includes Amazon Elastic Container Service (Amazon ECS) clusters that run on AWS Fargate. Which solution will detect malicious activity in all of these workloads?
A. Enable Amazon Inspector. Activate the deep inspection setting for EC2 and Fargate.
B. Enable Amazon GuardDuty. Configure GuardDuty Runtime Monitoring for EC2 and Fargate.
C. Enable AWS Config. Create an AWS Config custom rule that uses Guard. Specify the malicious activities to report for EC2 and Fargate.
D. Enable Amazon Detective. Configure an IAM role that allows Detective to analyze suspicious behaviors from EC2 and Fargate.
Correct Answer: B
QUESTION 84
A company needs the ability to identify the root cause of security findings in an AWS account. The company has enabled VPC Flow Logs and Amazon GuardDuty. The company also has created an AWS CloudTrail trail. The company must investigate any IAM roles that are involved in the security findings and must visualize the findings. Which solution will meet these requirements?
A. Use Amazon Detective to run investigations on the IAM roles and to visualize the findings.
B. Use Amazon Inspector to run investigations on the IAM roles. Use Amazon CloudWatch dashboards to visualize the findings.
C. Use GuardDuty to run investigations on the IAM roles. Export the findings to Amazon S3. Use queries in Amazon Athena to visualize the findings.
D. Enable AWS Security Hub. Use custom actions in Security Hub to run investigations on the IAM roles. Visualize the findings in Security Hub.
Correct Answer: A
QUESTION 85
A company is running its application on AWS. The company has a multi-environment setup, and each environment is isolated in a separate AWS account. The company has an organization in AWS Organizations to manage the accounts. There is a single dedicated security account for the organization. The company must create an inventory of all sensitive data that is stored in Amazon S3 buckets across the organization’s accounts. The findings must be visible from a single location. Which solution will meet these requirements?
A. Set the security account as the delegated administrator for Amazon Macie and AWS Security Hub. Enable and configure Macie to publish sensitive data findings to Security Hub.
B. Set the security account as the delegated administrator for AWS Security Hub. In each account, configure Amazon Inspector to scan the S3 buckets for sensitive data. Publish sensitive data findings to Security Hub.
C. In each account, configure Amazon Inspector to scan the S3 buckets for sensitive data. Enable Amazon Inspector integration with AWS Trusted Advisor. Publish sensitive data findings to Trusted Advisor.
D. In each account, enable and configure Amazon Macie to detect sensitive data. Enable Macie integration with AWS Trusted Advisor. Publish sensitive data findings to Trusted Advisor.
Correct Answer: A
QUESTION 86
A company has enabled AWS Config for its organization in AWS Organizations. The company has deployed hundreds of Amazon S3 buckets across the organization. A security engineer needs to identify any S3 buckets that are not encrypted with AWS Key Management Service (AWS KMS). The security engineer also must prevent objects that are not encrypted with AWS KMS from being uploaded to the S3 buckets. Which solution will meet these requirements?
A. Use the s3-default-encryption-kms AWS Config managed rule to identify unencrypted S3 buckets. Create an SCP to allow the s3:PutObject action only when the object is encrypted with AwS KMS.
B. Use the s3-default-encryption-kms AWS Config managed rule to identify unencrypted S3 buckets. Create bucket policies for each S3 bucket to deny the s3:PutObject action only when the object has server-side encryption with S3 managed keys (SSE-S3).
C. Use the s3-bucket-ssl-requests-only AWS Config managed rule to identify unencrypted S3 buckets. Create an SCP to allow the s3:PutObject action only when the object is encrypted with AWS KMS.
D. Use the s3-bucket-ssl-requests-only AWS Config managed rule to identify unencrypted S3 buckets. Create bucket policies for each S3 bucket to allow the s3:PutObject action only when the object is encrypted with AWS KMS.
Correct Answer: B
QUESTION 87
A company that uses GitHub Actions needs to use a workfiow to deploy AWS services. A security engineer must set up authentication between the GitHub Actions workflow and the company’s AWS account.The solution must involve no static credentials and no long-lived credentials for access to AWs. Additionally, the workflow must be able to run without requiring any manual changes. Which solution will meet these requirements?
A. Create an IAM user. Attach an IAM policy to the IAM user. Use the AWS CLI to generate temporary credentials for the IAM user. Use the access key, secret key, and session token to authenticate to AWS from the workflow.
B. Enable AWS IAM Identity Center and configure it to use a local directory. Create a new service user in the IAM Identity Center directory. Use the AWS CLI to generate temporary credentials for the service user. Use the user ID and session token to authenticate to AWS from the workflow.
C. Create an OpenID Connect (OIDC) identity provider (IdP) in IAM. Use GitHub as the provider. Create an IAM role. Attach the role to a trust policy that contains condition keys to restrict the GitHub repositories that will run the workflow. Use the role ARN to authenticate to AWS from the workflow.
D. Configure Amazon Cognito and create an identity pool. Configure the identity pool for a SAML identity provider (IdP). Use GitHub as the provider. Create an IAM role. Attach the role to a trust policy that allows the sts:AssumeRole action for Cognito. Configure the workflow in GitHub to authenticate against the SAML IdP.
Correct Answer: C
QUESTION 88
A company stores images for a website in an Amazon S3 bucket. The company is using Amazon CloudFront to serve the images to end users. The company recently discovered that the images are being accessed from countries where the company does not have a distribution license. Which actions should the company take to secure the images to limit their distribution? (Select TWO.)
A. Update the S3 bucket policy to restrict access to a CloudFront origin access control (OAC).
B. Update the website DNS record to use an Amazon Route 53 geolocation record deny list of countries where the company lacks a license.
C. Add a CloudFront geo restriction deny list of countries where the company lacks a license.
D. Update the S3 bucket policy with a deny list of countries where the company lacks a license.
E. Enable the Restrict Viewer Access option in CloudFront to create a deny list of countries where the company lacks a license.
Correct Answer: AC
QUESTION 89
A company has an Amazon RDS database. The database contains sensitive data that is shared across teams in the company. The company needs a solution to detect anomalous logins to the database. The solution must notify an existing Amazon Simple Notification Service (Amazon SNS) topic when anomalous logins occur. Which solution will meet these requirements?
A. Use AWS Trusted Advisor security checks for Amazon RDS. Create an Amazon EventBridge rule to monitor the security checks for status changes. Configure the EventBridge rule to invoke an AWS Lambda function to publish a message to the SNS topic
B. Enable AWS AppFabric. Connect AWS AppFabric to the RDS DB instance. Create an Amazon Data Firehose stream as the destination for the AWS AppFabric findings. Create an AWS Lambda function that is invoked by the Firehose stream to publish a message to the SNS topic.
C. Enable Amazon GuardDuty and configure GuardDuty RDS Protection. Create an Amazon EventBridge rule to monitor GuardDuty findings of anomalous logins. Configure the SNS topic as the target of the EventBridge rule.
D. Enable Amazon Inspector. Create an Amazon EventBridge rule to monitor Amazon Inspector findings of anomalous logins. Configure the SNS topic as the target of the EventBridge rule.
Correct Answer: C
QUESTION 90
A company is using AWS CloudTrail and Amazon CloudWatch to monitor resources in an AWS account. The company’s developers have been using an IAM role in the account for the last 3 months. A security engineer needs to refine the customer managed IAM policy attached to the role to ensure that the role provides least privilege access. Which solution will meet this requirement with the LEAST effort?
A. Implement AWS IAM Access Analyzer policy generation on the role.
B. Implement AWS IAM Access Analyzer policy validation on the role.
C. Search CloudWatch logs to determine the actions the role invoked and to evaluate the permissions.
D. Use AWS Trusted Advisor to compare the policies assigned to the role against AWS best practices.
Correct Answer: A
QUESTION 91
A company has a compliance requirement to encrypt all data in transit. The company recently discovered an Amazon Aurora cluster that does not meet this requirement. How can the company enforce encryption for all connections to the Aurora cluster?
A. In the Aurora cluster configuration, set the require_secure_transport DB cluster parameter to ON.
B. Use AWS Directory Service for Microsoft Active Directory to create a user directory and to enforce Kerberos authentication with Aurora.
C. Configure the Aurora cluster to use AWS Certificate Manager (ACM) to provide encryption certificates.
D. Create an Amazon RDS proxy. Connect the proxy to the Aurora cluster to enable encryption.
Correct Answer: A
QUESTION 92
A company uses AWS Organizations to control its AWS accounts. A security engineer must configure permissions for an IAM role so that the role can call AWS services in only the us-east-1 Region. Which solution will meet these requirements?
A. Deploy an SCP that has a Deny statement that allows only principals in us-east-1 to assume the role.
B. Deploy an SCP that has an Allow statement for all actions and resources when the request comes from us-east-1.
C. Edit the trust policy for the role to include a Deny statement that allows only principals in us east-1 to assume the role.
D. Edit the IAM policy for the role to include a Deny statement for all actions and resources unless the request comes from us-east-1.
Correct Answer: D
QUESTION 93
A company uses AWS to run a web application that manages ticket sales in several countries. The company recently migrated the application to an architecture that includes Amazon API Gateway, AWS Lambda, and Amazon Aurora Serverless. The company needs the application to comply with Payment Card Industry Data Security Standard (PCI DSS) v4.0. A security engineer must generate a report that shows the effectiveness of the PCI DSS v4.0 controls that apply to the application. The company’s compliance team must be able to add manual evidence to the report. Which solution will meet these requirements?
A. Enable AWS Trusted Advisor. Configure all the Trusted Advisor checks. Manually map the checks against the PCI DSS v4.0 standard to generate the report.
B. Enable and configure AWS Config. Deploy the Operational Best Practices for PCI DSS conformance pack in AWS Config. Use AWS Config to generate the report.
C. Enable AWS Security Hub. Enable the Security Hub PCI DSS security standard. Use the AWS Management Console to download the report from the security standard.
D. Create an AWS Audit Manager assessment that uses the AWS managed PCI DSS v4.0 standard framework. Add all evidence to the assessment. Generate the report in Audit Manager for download.
Correct Answer: D
QUESTION 94
A company needs complete encryption of the traffic between external users and an application. The company hosts the application on a fleet of Amazon EC2 instances that run in an Auto Scaling group behind an Application Load Balancer (ALB). How can a security engineer meet these requirements?
A. Create a new Amazon-issued certificate in AWS Secrets Manager. Export the certificate from Secrets Manager. Import the certificate into the ALB and the EC2 instances.
B. Create a new Amazon-issued certificate in AWS Certificate Manager (ACM). Associate the certificate with the ALB. Export the certificate from ACM. Install the certificate on the EC2 instances.
C. Import a new third-party certificate into AWS Identity and Access Management (IAM). Export the certificate from IAM. Associate the certificate with the ALB and the EC2 instances.
D. Import a new third-party certificate into AWS Certificate Manager (ACM). Associate the certificate with the ALB. Install the certificate on the EC2 instances:
Correct Answer: B
QUESTION 95
A company is operating an open-source software platform that is internet facing. The legacy software platform no longer receives security updates. The software platform operates using Amazon Route 53 weighted load balancing to send traffic to two Amazon EC2 instances that connect to an Amazon RDS cluster. A recent report suggests this software platform is vulnerable to SQL injection attacks, with samples of attacks provided. The company’s security engineer must secure this system against SQL injection attacks within 24 hours. The security engineer’s solution must involve the least amount of effort and maintain normal operations during implementation. What should the security engineer do to meet these requirements?
A. Create an Application Load Balancer with the existing EC2 instances as a target group. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the ALB. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to the ALB. Update security groups on the EC2 instances to prevent direct access from the internet.
B. Create an Amazon CloudFront distribution specifying one EC2 instance as an origin. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the distribution. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to CloudFront.
C. Obtain the latest source code for the platform and make the necessary updates. Test the updated code to ensure that the vulnerability has been mitigated, then deploy the patched version of the platform to the EC2 instances.
D. Update the security group that is attached to the EC2 instances, removing access from the internet to the TCP port used by the SQL database. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the EC2 instances. Test to ensure the vulnerability has been mitigated, then restore the security group to the original setting.
Correct Answer: D
QUESTION 96
A company is implementing new compliance requirements to meet customer needs. According to the new requirements, the company must not use any Amazon RDS DB instances or DB clusters that lack encryption of the underlying storage. The company needs a solution that will generate an email alert when an unencrypted DB instance or DB cluster is created. The solution also must terminate the unencrypted DB instance or DB cluster. Which solution will meet these requirements in the MOST operationally efficient manner?
A. Create an AWS Config managed rule to detect unencrypted RDS storage. Configure an automatic remediation action to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic that includes an AWS Lambda function and an email delivery target as subscribers. Configure the Lambda function to delete the unencrypted resource.
B. Create an AWS Config managed rule to detect unencrypted RDS storage. Configure a manual remediation action to invoke an AWS Lambda function. Configure the Lambda function to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic and to delete the unencrypted resource.
C. Create an Amazon EventBridge rule that evaluates RDS event patterns and is initiated by the creation of DB instances or DB clusters. Configure the rule to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic that includes an AWS Lambda function and an email delivery target as subscribers. Configure the Lambda function to delete the unencrypted resource.
D. Create an Amazon EventBridge rule that evaluates RDS event patterns and is initiated by the creation of DB instances or DB clusters. Configure the rule to invoke an AWS Lambda function. Configure the Lambda function to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic and to delete the unencrypted resource.
Correct Answer: A
QUESTION 97
A company uses an organization in AWS Organizations to manage its AWS accounts. The company has implemented an SCP in the root account to prevent resources from being shared with external accounts. The company now needs to allow applications in its marketing team’s AWS account to share resources with external accounts. The company must continue to prevent all the other accounts in the organization from sharing resources with external accounts. All the accounts in the organization are members of the same OU. Which solution will meet these requirements?
A. Create a new SCP in the marketing team’s account. Configure the SCP to explicitly allow resource sharing.
B. Edit the existing SCP to add a Condition statement that excludes the marketing team’s account.
C. Edit the existing SCP to include an Allow statement that specifies the marketing team’s account.
D. Create an IAM permissions boundary policy to explicitly allow resource sharing. Attach the policy to IAM users in the marketing team’s account.
Correct Answer: B
QUESTION 98
A company needs a forensic-logging solution for hundreds of applications running in Docker on Amazon EC2. The solution must perform real-time analytics on the logs, must support the replay of messages, and must persist the logs. Which AWS services should be used to meet these requirements? (Select TWO.)
A. Amazon Athena
B. Amazon Kinesis
C. Amazon SQS
D. Amazon OpenSearch Service
E. Amazon EMR
Correct Answer: BD
QUESTION 99
A security engineer has created an Amazon GuardDuty detector in several AWS accounts. The accounts are in an organization in AWS Organizations. The security engineer needs centralized visibility of the security findings from the detectors. Which solution will meet this requirement?
A. Configure Amazon CloudWatch Logs Insights.
B. Create an Amazon CloudWatch dashboard.
C. Configure AWS Security Hub integrations.
D. Query the findings by using Amazon Athena
Correct Answer: C
QUESTION 100
A public subnet contains two Amazon EC2 instances. The subnet has a custom network ACL. A security engineer is designing a solution to improve the subnet security. The solution must allow outbound traffic to an internet service that uses TLS through port 443. The solution also must deny inbound traffic that is destined for MySQL port 3306. Which network ACL rule set meets these requirements?
A. Use inbound rule 100 to allow traffic on TCP port 443. Use inbound rule 200 to deny traffic on TCP port 3306. Use outbound rule 100 to allow traffic on TCP port 443.
B. Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port range 1024-65535. Use outbound rule 100 to allow traffic on TCP port 443.
C. Use inbound rule 100 to allow traffic on TCP port range 1024-65535. Use inbound rule 200 to deny traffic on TCP port 3306. Use outbound rule 100 to allow traffic on TCP port 443.
D. Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port 443. Use outbound rule 100 to allow traffic on TCP port 443.
Correct Answer: B
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.