QUESTION 101
A company has a strict policy against using root credentials. The company’s security team wants to be alerted as soon as possible when root credentials are used to sign in to the AWS Management Console. How should the security team achieve this goal?
A. Use AWS Lambda to periodically query AWS CloudTrail for console login events and send alerts using Amazon Simple Notification Service (Amazon SNS).
B. Use Amazon EventBridge to monitor console logins and direct them to Amazon Simple Notification Service (Amazon SNS).
C. Use Amazon Athena to query AWS IAM Identity Center logs and send alerts using Amazon Simple Notification Service (Amazon SNS) for root login events.
D. Configure AWS Resource Access Manager to review the access logs and send alerts using Amazon Simple Notification Service (Amazon SNS).
Correct Answer: B
QUESTION 102
A security engineer has noticed an unusually high amount of traffic coming from a single IP address. This was discovered by analyzing the Application Load Balancer’s access logs. How can the security engineer limit the number of requests from a specific IP address without blocking the IP address?
A. Add a rule to the Application Load Balancer to route the traffic originating from the IP address in question and show a static webpage.
B. Implement a rate-based rule with AWS WAF.
C. Use AWS Shield to limit the originating traffic hit rate.
D. Implement the GeoLocation feature in Amazon Route 53.
Correct Answer: B
QUESTION 103
A company’s security policy requires all Amazon EC2 instances to use the Amazon Time Sync Service. AWS CloudTrail trails are enabled in all of the company’s AWS accounts. VPC flow logs are enabled for all VPCs. A security engineer must identify any EC2 instances that attempt to use Network Time Protocol (NTP) servers on the internet. Which solution will meet these requirements?
A. Monitor CloudTrail logs for API calls to non-standard time servers.
B. Monitor CloudTrail logs for API calls to the Amazon Time Sync Service.
C. Monitor VPC flow logs for traffic to non-standard time servers.
D. Monitor VPC flow logs for traffic to the Amazon Time Sync Service.
Correct Answer: C
QUESTION 104
A security engineer has been asked to troubleshoot inbound connectivity to a web server. This single web server is not receiving inbound connections from the internet, whereas all other web servers are functioning properly. The architecture includes network ACLs, security groups, and a virtual security appliance. In addition, the development team has implemented Application Load Balancers (ALBs) to distribute the load across all web servers. It is a requirement that traffic between the web servers and the internet flow through the virtual security appliance. The security engineer has verified the following:
1. The rule set in the security groups is correct.
2. The rule set in the network ACLs is correct.
3. The rule set in the virtual appliance is correct.
Which of the following are other valid items to troubleshoot in this scenario? (Select TWO.)
A. Verify that the 0.0.0.0/0 route in the route table for the web server subnet points to a NAT gateway.
B. Verify which security group is applied to the particular web server’s elastic network interface (ENI).
C. Verify that the 0.0.0.0/0 route in the route table for the web server subnet points to the virtual security appliance.
D. Verify the registered targets in the ALB
E. Verify that the 0.0.0.0/0 route in the public subnet points to a NAT gateway.
Correct Answer: BD
QUESTION 105
A company needs to prevent Amazon S3 objects from being shared with IAM identities outside of the company’s organization in AWS Organizations. A security engineer is creating and deploying an SCP to accomplish this goal. The company has enabled the S3 Block Public Access feature on all of its S3 buckets. What should the SCP do to meet these requirements?
A. Deny the S3:* action with a Condition element that comprises an operator of StringNotEquals, a key of aws:ResourceOrgID, and a value of ${aws: PrincipalOrgID).
B. Deny the S3:PutAccountPublicAccessBlock action with a Condition element that comprises an operator of String Like, a key of aws: PrincipalArn, and the values of the external IAM principals.
C. Allow the S3:* action with a Condition element that comprises an operator of StringNotEquals, a key of aws: PrincipalOrgID, and a value of ${aws:PrincipalOrgID).
D. Deny the S3:* action with a Condition element that comprises an operator of StringLike, a key of aws: PrincipalArn, and the values of the external IAM principals.
Correct Answer: A
QUESTION 106
A company must retain backup copies of Amazon RDS DB instances and Amazon Elastic Block Store (Amazon EBS) volumes. The company must retain the backup copies in data centers that are several hundred miles apart. Which solution will meet these requirements with the LEAST operational overhead?
A. Configure AWS Backup to create the backups according to the needed schedule. In the backup plan, specify multiple Availability Zones as backup destinations.
B. Configure Amazon Data Lifecycle Manager to create the backups. Configure the Amazon Data Lifecycle Manager policy to copy the backups to an Amazon S3 bucket. Enable replication on the S3 bucket.
C. Configure AWS Backup to create the backups according to the needed schedule. Create a destination backup vault in a different AWS Region. Configure AWS Backup to copy the backups to the destination backup vault.
D. Configure Amazon Data Lifecycle Manager to create the backups. Create an AWS Lambda function to copy the backups to a different AWS Region. Use Amazon EventBridge to invoke the Lambda function on a schedule.
Correct Answer: C
QUESTION 107
A company needs to retain data that is stored in Amazon CloudWatch Logs log groups. The company must retain this data for 90 days. The company must receive notification in AWS Security Hub when log group retention is not compliant with this requirement. Which solution will provide the appropriate notification?
A. Create a Security Hub custom action to assess the log group retention period.
B. Create a data protection policy in CloudWatch Logs to assess the log group retention period.
C. Create a Security Hub automation rule. Configure the automation rule to assess the log group retention period.
D. Use the AWS Config managed rule that assesses the log group retention period. Ensure that AWS Config integration is enabled in Security Hub.
Correct Answer: D
QUESTION 108
A security engineer is designing a solution that will provide end-to-end encryption between clients and Docker containers running in Amazon Elastic Container Service (Amazon ECS). This solution will also handle volatile traffic patterns. Which solution would have the MOST scalability and LOWEST latency?
A. Configure a Network Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers.
B. Configure an Application Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers.
C. Configure a Network Load Balancer with a TCP listener to pass through TLS traffic to the containers.
D. Configure Amazon Route 53 to use multivalue answer routing to send traffic to the containers.
Correct Answer: C
QUESTION 109
A company hosts a web-based application that captures and stores sensitive data in an Amazon DynamoDB table. The company needs to implement a solution that provides end-to-end data protection and the ability to detect unauthorized data changes. Which solution will meet these requirements?
A. Use an AWS Key Management Service (AWS KMS) customer managed key. Encrypt the data at rest.
B. Use AWS Private Certificate Authority. Encrypt the data in transit.
C. Use the DynamoDB Encryption Client. Use client-side encryption. Sign the table items.
D. Use the AWS Encryption SDK. Use client-side encryption. Sign the table items.
Correct Answer: C
QUESTION 110
A security engineer wants to evaluate configuration changes to a specific AWS resource to ensure that the resource meets compliance standards. However, the security engineer is concerned about a situation in which several configuration changes are made to the resource in quick succession. The security engineer wants to record only the latest configuration of that resource to indicate the cumulative impact of the set of changes. Which solution will meet this requirement in the MOST operationally efficient way?
A. Use AWS CloudTrail to detect the configuration changes by filtering API calls to monitor the changes. Use the most recent API call to indicate the cumulative impact of multiple calls.
B. Use AWS Config to detect the configuration changes and to record the latest configuration in case of multiple configuration changes.
C. Use Amazon CloudWatch to detect the configuration changes by filtering API calls to monitor the changes. Use the most recent API call to indicate the cumulative impact of multiple calls.
D. Use AWS Cloud Map to detect the configuration changes. Generate a report of configuration changes from AWS Cloud Map to track the latest state by using a sliding time window.
Correct Answer: B
QUESTION 111
A company runs its microservices architecture in Kubernetes containers on AWS by using Amazon Elastic Kubernetes Service (Amazon EKS) and Amazon Aurora. The company has an organization in AWS Organizations to manage hundreds of AWS accounts that host different microservices. The company needs to implement a monitoring solution for logs from all AWS resources across all accounts. The solution must include automatic detection of security-related issues. Which solution will meet these requirements with the LEAST operational effort?
A. Designate an Amazon GuardDuty administrator account in the organization’s management account. Enable GuardDuty for all accounts. Enable EKS Protection and RDS Protection in the GuardDuty administrator account.
B. Designate a monitoring account. Share Amazon CloudWatch logs from all accounts with the monitoring account. Configure Aurora to publish all logs to CloudWatch. Use Amazon Inspector in the monitoring account to evaluate the CloudWatch logs.
C. Create a central Amazon S3 bucket in the organization’s management account. Configure AWS CloudTrail in all AWS accounts to deliver CloudTrail logs to the S3 bucket. Configure Aurora to publish all logs to CloudTrail. Use Amazon Athena to query the CloudTrail logs in the S3 bucket for security issues.
D. Designate a monitoring account. Share Amazon CloudWatch logs from all accounts with the monitoring account. Subscribe an Amazon Kinesis data stream to the CloudWatch logs. Create AWS Lambda functions to process log records in the data stream to detect security issues.
Correct Answer: B
QUESTION 112
A security engineer is working with a development team to design a supply chain application that stores sensitive inventory data in an Amazon S3 bucket. The application will use an AWS Key Management Service (AWS KMS) customer managed key to encrypt the data in Amazon S3. The inventory data in Amazon S3 will be shared with hundreds of vendors. All vendors will use AWS principals from their own AWS accounts to access the data in Amazon S3. The vendor list might change weekly. The security engineer needs to find a solution that supports cross-account access. Which solution is the MOST operationally efficient way to manage access control for the customer managed key?
A. Use KMS grants to manage key access. Programmatically create and revoke grants to manage vendor access.
B. Use an IAM role to manage key access. Programmatically update the IAM role policies to manage vendor access.
C. Use KMS key policies to manage key access. Programmatically update the KMS key policies to manage vendor access
D. Use delegated access across AWS accounts by using IAM roles to manage key access. Programmatically update the IAM trust policy to manage cross-account vendor access
Correct Answer: A
QUESTION 113
A consultant agency needs to perform a security audit for a company’s production AWS account. Several consultants need access to the account. The consultant agency already has its own AWS account. The company requires multi-factor authentication (MFA) for all access to its production account. The company also forbids the use of long-term credentials. Which solution will provide the consultant agency with access that meets these requirements?
A. Create an IAM group. Create an IAM user for each consultant. Add each user to the group. Turn on MFA for each consultant.
B. Configure Amazon Cognito on the company’s production account to authenticate against the consultant agency’s identity provider (IdP). Add MFA to a Cognito user pool.
C. Create an IAM role in the consultant agency’s AWS account. Define a trust policy that requires MFA. In the trust policy, specify the company’s production account as the principal. Attach the trust policy to the role.
D. Create an IAM role in the company’s production account. Define a trust policy that requires MFA. In the trust policy, specify the consultant agency’s AWS account as the principal. Attach the trust policy to the role.
Correct Answer: D
QUESTION 114
A company is planning to create an organization by using AWS Organizations. The company needs to integrate user management with the company’s external identity provider (IdP). The company also needs to centrally manage access to all of its AWS accounts and applications from the organization’s management account. Which solution will meet these requirements?
A. Configure AWS Directory Service with the external IdP. Create IAM policies and associate them with users from the external IdP.
B. Enable AWS IAM Identity Center and use the external IdP as the identity source. Create permission sets and account assignments by using IAM Identity Center.
C. Configure AWS Identity and Access Management (IAM) to use the external IdP as an IdP. Create IAM policies and associate them with users from the external IdP.
D. Enable Amazon Cognito in the organization’s management account. Create an identity pool and associate it with the external Id. Create IAM roles and associate them with the identity pool.
Correct Answer: B
QUESTION 115
A company needs to use HTTPS when connecting to its web applications to meet compliance requirements. These web applications run in Amazon VPC on Amazon EC2 instances behind an Application Load Balancer (ALB). A security engineer wants to ensure that the load balancer will only accept connections over port 443, even if the ALB is mistakenly configured with an HTTP listener. Which configuration steps should the security engineer take to accomplish this task?
A. Create a security group with a rule that denies inbound connections from 0.0.0.0/0 on port 80. Attach this security group to the ALB to overwrite more permissive rules from the ALB’s default security group.
B. Create a network ACL that denies inbound connections from 0.0.0.0/0 on port 80. Associate the network ACL with the VPC’s internet gateway.
C. Create a network ACL that allows outbound connections to the VPC IP range on port 443 only. Associate the network ACL with the VPC’s internet gateway.
D. Create a security group with a single inbound rule that allows connections from 0.0.0.0/0 on port 443. Ensure this security group is the only one associated with the ALB.
Correct Answer: B
QUESTION 116
A company uses an organization in AWS Organizations to manage hundreds of AWS accounts. Some of the accounts provide access to external AWS principals through cross-account IAM roles and Amazon S3 bucket policies. The company needs to identify which external principals have access to which accounts. Which solution will provide this information?
A. Enable AWS Identity and Access Management Access Analyzer for the organization. Configure the organization as a zone of trust. Filter findings by AWS account ID.
B. Create a custom AWS Config rule to monitor IAM roles in each account. Deploy an AWS Config aggregator to a central account. Filter findings by AWS account ID.
C. Activate Amazon Inspector. Integrate Amazon Inspector with AWS Security Hub. Filter findings by AWS account ID for the IAM role resource type and the S3 bucket policy resource type.
D. Configure the organization to use Amazon GuardDuty. Filter findings by AWS account ID for the Discovery:IAMUser/Anomalous Behavior finding type.
Correct Answer: A
QUESTION 117
A development team is creating an open source toolset to manage a company’s software as a service (SaaS) application. The company stores the code in a public repository so that anyone can view and download the toolset’s code. The company discovers that the code contains an IAM access key and secret key that provide access to internal resources in the company’s AWS environment. A security engineer must implement a solution to identify whether unauthorized usage of the exposed credentials has occurred. The solution also must prevent any additional usage of the exposed credentials. Which combination of steps will meet these requirements? (Select TWO.)
A. Use AWS Identity and Access Management Access Analyzer to determine which resources the exposed credentials accessed and who used them.
B. Deactivate the exposed IAM access key from the user’s IAM account.
C. Create a rule in Amazon GuardDuty to block the access key in the source code from being used.
D. Create a new IAM access key and secret key for the user whose credentials were exposed.
E. Generate an IAM credential report. Check the report to determine when the user that owns the access key last logged in.
Correct Answer: AB
QUESTION 118
A company runs a web application on a fleet of Amazon EC2 instances that are in an Auto Scaling group. The EC2 instances are in the same VPC subnet as other workloads. A security engineer deploys an Amazon GuardDuty detector in the same AWS Region as the EC2 instances. The security engineer also sets up an AWS Security Hub integration with GuardDuty. The security engineer needs to implement an automated solution to detect and appropriately respond to anomalous traffic patterns for the web application. The solution must comply with AWS best practices for initial response to security incidents and must minimize disruption to the web application. Which solution will meet these requirements?
A. Create an Amazon EventBridge rule that detects the Behavior: EC2/TrafficVolumeUnusual GuardDuty finding. Configure the rule to invoke an AWS Lambda function to disable the EC2 instance profile access keys.
B. Create an Amazon EventBridge rule that invokes an AWS Lambda function when GuardDuty detects anomalous traffic. Program the Lambda function to disassociate the identified instance from the Auto Scaling group and to isolate the instance by using a new restricted security group.
C. Create a Security Hub automated response that updates the network ACL that is associated with the subnet of the EC2 instances. Configure the response to update the network ACL to deny traffic from the source of detected anomalous traffic.
D. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security engineer’s email address to the SNS topic. Configure GuardDuty to send all findings to the SNS topic.
Correct Answer: B
QUESTION 119
A company has an organization in AWS Organizations that includes dedicated accounts for each of its business units. The company is collecting all AWS CloudTrail logs from the accounts in a single Amazon S3 bucket in the top-level account. The company’s IT governance team has access to the top-level account. A security engineer needs to allow each business unit to access its own CloudTrail logs. The security engineer creates an IAM role in the top-level account for each of the other accounts. For each role, the security engineer creates an IAM policy to allow read-only permissions to objects in the S3 bucket with the prefix of the respective logs. Which action must the security engineer take in each business unit account to allow an IAM user in that account to read the logs?
A. Attach a policy to the IAM user to allow the user to assume the role that was created in the top-level account. Specify the role’s ARN in the policy.
B. Create an SCP that grants permissions to the top-level account.
C. Use the root account of the business unit account to assume the role that was created in the top-level account. Specify the role’s ARN in the policy.
D. Forward the credentials of the IAM role in the top-level account to the IAM user in the business unit account.
Correct Answer: A
QUESTION 120
A company needs to detect unauthenticated access to its Amazon Elastic Kubernetes Service (Amazon EKS) clusters. The company needs a solution that requires no additional configuration of the existing EKS deployment. Which solution will meet these requirements with the LEAST operational effort?
A. Install an Amazon EKS add-on from a security vendor.
B. Enable AWS Security Hub. Monitor the Kubernetes findings.
C. Monitor Amazon CloudWatch Container Insights metrics for Amazon EKS.
D. Enable Amazon GuardDuty. Use EKS Audit Log Monitoring.
Correct Answer: D
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.