QUESTION 141
A company has two AWS accounts. One account is for development workloads. The other account is for production workloads. For compliance reasons, the production account contains all the AWS Key Management Service (AWS KMS) keys that the company uses for encryption. The company applies an IAM role to an AWS Lambda function in the development account to allow secure access to AWS resources. The Lambda function must access a specific KMS customer managed key that exists in the production account to encrypt the Lambda function’s data. Which combination of steps should a security engineer take to meet these requirements? (Select TWO.)
A. Configure the key policy for the customer managed key in the production account to allow access to the Lambda service.
B. Configure the key policy for the customer managed key in the production account to allow access to the IAM role of the Lambda function in the development account.
C. Configure a new IAM policy in the production account with permissions to use the customer managed key. Apply the IAM policy to the IAM role that the Lambda function in the development account uses.
D. Configure a new key policy in the development account with permissions to use the customer managed key. Apply the key policy to the IAM role that the Lambda function in the development account uses.
E. Configure the IAM role for the Lambda function in the development account by attaching an IAM policy that allows access to the customer managed key in the production account.
Correct Answer: BE
QUESTION 142
A company receives a notification from the AWS Abuse team about an AWS account. The notification indicates that a resource in the account is compromised. The company determines that the compromised resource is an Amazon EC2 instance that hosts a web application. The compromised EC2 instance is part of an EC2 Auto Scaling group. The EC2 instance accesses Amazon S3 and Amazon DynamoDB resources by using an IAM access key and secret key. The IAM access key and secret key are stored inside the AMI that is specified in the Auto Scaling group’s launch configuration. The company is concerned that the credentials that are stored in the AMI might also have been exposed. The company must implement a solution that remediates the security concerns without causing downtime for the application. The solution must comply with security best practices. Which solution will meet these requirements?
A. Rotate the potentially compromised access key that the EC2 instance uses. Create a new AMI without the potentially compromised credentials. Perform an EC2 Auto Scaling instance refresh.
B. Delete or deactivate the potentially compromised access key. Create an EC2 Auto Scaling linked IAM role that includes a custom policy that matches the potentially compromised access key permission. Associate the new AM role with the Auto Scaling group. Perform an EC2 Auto Scaling instance refresh.
C. Delete or deactivate the potentially compromised access key. Create a new AMI without the potentially compromised credentials. Create an IAM role that includes the correct permissions. Create a launch template for the Auto Scaling group to reference the new AMI and IAM role. Perform an EC2 Auto Scaling instance refresh.
D. Rotate the potentially compromised access key. Create a new AMI without the potentially compromised access key. Use a user data script to supply the new access key as environmental variables in the Auto Scaling group’s launch configuration. Perform an EC2 Auto Scaling instance refresh.
Correct Answer: C
QUESTION 143
A company wants to know when users make changes to IAM roles in the company’s AWS account. The company uses Amazon CloudWatch and AWS CloudTrail in the account. The company has configured a CloudTrail trail to capture read and write API activity for management events. The company has an Amazon Simple Notification Service (Amazon SNS) topic for security notifications. A security engineer must implement a solution that provides a notification when an IAM role is edited. Which solution will meet this requirement?
A. Enable Amazon Detective. Run a Detective investigation for changes to IAM roles. Create an Amazon EventBridge rule that monitors the results of the Detective investigation. Set the SNS topic as the target of the EventBridge rule.
B. Create an Amazon EventBridge rule that monitors AWS API calls from CloudTrail. Scope the event pattern to monitor changes to IAM roles from the iam.amazonaws.com event source. Set the SNS topic as the target of the EventBridge rule.
C. Create a new CloudWatch log group. Configure the CloudTrail trail to send events to the new log group. Set up a CloudWatch metric to monitor changes to IAM roles from the iam.amazonaws.com event source. Create a subscription filter for the log group. Set the SNS topic as the target of the subscription filter.
D. Create a new CloudWatch log group. Configure the CloudTrail trail to send events to the new log group. Create a subscription filter that includes an event pattern to monitor changes to IAM roles from the iam.amazonaws.com event source. Set the SNS topic as the target of the subscription filter.
Correct Answer: B
QUESTION 144
A company uses an external identity provider to allow federation into different AWS accounts. A security engineer for the company needs to identify the federated user that terminated a production Amazon EC2 instance a week ago. What is the FASTEST way for the security engineer to identify the federated user?
A. Review the AWS CloudTrail event history logs in an Amazon S3 bucket and look for the Terminatelnstances event to identify the federated user from the role session name.
B. Filter the AWS CloudTrail event history for the Terminatelnstances event and identify the assumed IAM role. Review the AssumeRoleWithSAML event call in CloudTrail to identify the corresponding username.
C. Search the AWS CloudTrail logs for the Terminatelnstances event and note the event time. Review the IAM Access Advisor tab for all federated roles. The last accessed time should match the time when the instance was terminated.
D. Use Amazon Athena to run a SQL query on the AWS CloudTrail logs stored in an Amazon S3 bucket and filter on the Terminatelnstances event. Identify the corresponding role and run another query to filter the AssumeRoleWithWebldentity event for the user name.
Correct Answer: B
QUESTION 145
A company is building a secure solution that relies on an AWS Key Management Service (AWS KMS) customer managed key. The company wants to allow AWS Lambda to use the KMS key. However, the company wants to prevent Amazon EC2 from using the key. Which solution will meet these requirements?
A. Create an IAM policy that explicitly denies permission to the key. Attach the policy to all EC2 instance profiles. Create an IAM policy that explicitly allows permission to the key. Attach the policy to all Lambda function roles.
B. Create a custom key policy for the key. Use the kms: ViaService condition key to deny access to requests from Amazon EC2 and to allow access to requests from Lambda. Use the Lambda IAM role as the principal.
C. Create a custom key policy for the key. Use the aws:Sourcelp condition key to deny access to requests from Amazon EC2. Use the aws: AuthorizedService condition key to allow access to requests from Lambda. Use the Lambda IAM role as the principal.
D. Create an SCP that explicitly denies permission to the key for Amazon EC2 and explicitly allows permission to the key for Lambda. Attach the SCP to the AWS account.
Correct Answer: B
QUESTION 146
A company is using AWS Organizations with nested OUs to manage AWS accounts. The company has a custom compliance monitoring service for the accounts. The monitoring service runs as an AWS Lambda function and is invoked by Amazon EventBridge Scheduler. The company needs to deploy the monitoring service in all existing and future accounts in the organization. The company must avoid using the organization’s management account when the management account is not required. Which solution will meet these requirements?
A. Create an AWS CloudFormation template for the Lambda function and for the EventBridge Scheduler schedule. Create a CloudFormation stack set in the organization’s management account. Specify all the existing accounts as the deployment targets. Add new accounts as a stack to the existing stack set when new accounts are created.
B. Configure an Organizations delegated administrator account for AWS CloudFormation. Create a CloudFormation template for the Lambda function and for the EventBridge Scheduler schedule. Create a CloudFormation stack set in the delegated administrator account. Specify the root of the organization as the deployment target. Activate automatic deployment for the stack set.
C. Enable AWS Systems Manager operations management capabilities. Configure a delegated administrator account for Systems Manager. Create a Systems Manager Automation custom runbook in the delegated administrator account. Use the runbook to deploy the Lambda function and the EventBridge Scheduler schedule. Specify the root of the organization as the target for Systems Manager Automation.
D. Create an AWS Systems Manager Automation custom runbook in the organization’s management account. Use the runbook to deploy the Lambda function and the EventBridge Scheduler schedule. Share the runbook with target accounts. Specify all the existing accounts as targets for Systems Manager Automation. Add new accounts as targets when new accounts are created.
Correct Answer: B
QUESTION 147
A security engineer is troubleshooting a connectivity issue between a web server that is writing log files to the logging server in another VPC. The engineer has confirmed that a peering relationship exists between the two VPCs. VPC flow logs show that requests sent from the web server are accepted by the logging server, but the web server never receives a reply. Which of the following actions could fix this issue?
A. Add an inbound rule to the security group associated with the logging server that allows requests from the web server.
B. Add an outbound rule to the security group associated with the web server that allows requests to the logging server.
C. Add a route to the route table associated with the subnet that hosts the logging server that targets the peering connection.
D. Add a route to the route table associated with the subnet that hosts the web server that targets the peering connection.
Correct Answer: C
QUESTION 148
A company uses Amazon GuardDuty. The company’s security engineer needs to receive an email notification for every GuardDuty finding that is a High severity level. Which solution will meet this requirement?
A. Create a verified identity for the email address in Amazon Simple Email Service (Amazon SES). Create an Amazon EventBridge rule that has the SES verified identity as the target. Specify GuardDuty as the event source. Configure the EventBridge event pattern to match High severity findings.
B. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the email address to the SNS topic. Create an Amazon EventBridge rule that has the SNS topic as the target. Specify GuardDuty as the event source. Configure the EventBridge event pattern to match High severity findings.
C. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the email address to the SNS topic. Enable AWS Security Hub. Integrate Security Hub with GuardDuty. Use Security Hub automation rules to publish High severity GuardDuty findings to the SNS topic.
D. Enable AWS Security Hub. Integrate Security Hub with GuardDuty. Use Security Hub automation rules to create a custom rule. Configure the custom rule to detect High severity GuardDuty findings and to send a notification to the email address.
Correct Answer: B
QUESTION 149
A company has an application that processes personally identifiable information (PII). The application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The company’s security policies require that data is encrypted in transit at all times to avoid the possibility of exposing any PII in plaintext. Which solutions could a security engineer use to meet these requirements? (Select TWO.)
A. Terminate SSL from clients on the existing ALB. Use HTTPS to connect from the ALB to the EC2 instances.
B. Replace the existing ALB with a Network Load Balancer (NLB). On the NLB, configure an SSL listener and TCP passthrough to receive client connections. Terminate HTTPS traffic from the NLB on the EC2 instances.
C. Replace the existing ALB with a Network Load Balancer (NLB). On the LB, configure TCP passthrough to receive client connections. Terminate SSL from the NLB on the EC2 instances
D. Configure a Network Load Balancer (NLB) with TCP passthrough to receive client connections. Terminate SSL on the existing ALB.
E. Configure a Network Load Balancer (NLB) with a TLS listener to receive client connections. Configure TCP passthrough on the existing ALB so that the NLB can reach the EC2 instances. Terminate SSL from the ALB on the EC2 instances.
Correct Answer: BE
QUESTION 150
A company wants to deploy a continuous security threat-detection service at scale to automatically analyze all the company’s member accounts in AWS Organizations within the ap-east-1 Region. The company’s organization includes a management account, a security account, and many member accounts. When the company creates a new member account, the threat-detection service should automatically analyze the new account so that the company can review any findings from the security account. Which solution uses AWS security best practices and meets these requirements with the LEAST effort?
A. Activate Amazon GuardDuty in ap-east-1. Designate the security account as the GuardDuty delegated administrator by using the console.
B. Activate Amazon GuardDuty in ap-east-1 with trusted access to AWS Organizations. Designate the management account as the GuardDuty organization administrator.
C. Activate AWS Security Hub in ap-east-1. Designate the management account as the Security Hub delegated administrator by using the console.
D. Activate AWS Control Tower in ap-east-1 with trusted access to AWS Organizations. Designate the security account as the organization administrator.
Correct Answer: B
QUESTION 151
A security engineer is configuring AWS Config for an AWS account that uses a new IAM entity. When the security engineer tries to configure AWS Config rules and automatic remediation options, errors occur. In the AWS CloudTrail logs, the security engineer sees the following error message: “Insufficient delivery policy to s3 bucket: DOC-EXAMPLE-BUCKET, unable to write to bucket, provided s3 key prefix is ‘null’.” Which combination of steps should the security engineer take to remediate this issue? (Select TWO.)
A. Check the Amazon S3 bucket policy. Verify that the policy allows the config amazonaws.com service to write to the target bucket.
B. Verify that the IAM entity has the permissions necessary to perform the s3:GetBucketAcl and s3:PutObject* operations to write to the target bucket.
C. Verify that the Amazon S3 bucket policy has the permissions necessary to perform the s3:GetBucketAcl and s3:PutObject* operations to write to the target bucket.
D. Check the policy that is associated with the IAM entity. Verify that the policy allows the config. amazonaws.com service to write to the target bucket.
E. Verify that the AWS Config service role has permissions to invoke the BatchGetResourceConfig action instead of the GetResourceConfigHistory action and s3:PutObject* operation.
Correct Answer: AB
QUESTION 152
A company has AWS accounts in an organization in AWS Organizations. The company must prevent IAM principals from outside the organization from performing any actions on the organization’s Amazon S3 buckets. Which solution will meet this requirement?
A. Make sure that all S3 bucket policies contain a statement that includes the aws: PrincipalOrgiD condition key.
B. Make sure that all S3 bucket policies contain a statement that includes the aws.SourceArn condition key.
C. Create an SCP that includes the aws:PrincipalOrgID condition key. Attach the SCP to the root OU.
D. Create an SCP that includes the aws: ResourceOrgID condition key. Attach the SCP to the root OU.
Correct Answer: A
QUESTION 153
A company runs an application outside of AWS. The external application authenticates to AWS as an IAM user. A security engineer needs to migrate the external application to use an IAM role. The company’s human users already use IAM roles with AWS IAM Identity Center. Which solution will give the external application the ability to use an IAM role?
A. Set up the external application as a managed application in IAM Identity Center. Create a new account assignment to generate an AM role for the external application to use.
B. Create an AWS Verified Access instance. Set up a trust provider for the external application. Create a Verified Access policy to allow the external application to assume an IAM role.
C. Use AWS IAM Roles Anywhere. Create a trust anchor and profile on AWS. Set up the credential helper tool in the external application. Configure an IAM role to trust IAM Roles Anywhere.
D. Enable federation with IAM. Configure SAML2.0 federation by adding a relying party trust between the external application and AWS. Set up an IAM role for the external application to assume.
Correct Answer: C
QUESTION 154
A company is using an organization with all features enabled in AWS Organizations. The organization contains OUs. The company has configured a delegated administrator account for AWS IAM Identity Center. In this delegated administrator account, the company has deployed an AWS CloudFormation stack that contains permission sets. A security engineer must implement a solution to prevent the deletion of the CloudFormation stack. Which solution will meet this requirement?
A. Enable termination protection for the CloudFormation stack. Create an SCP that denies the cloudformation: Update Termination Protection action for the stack’s ARN. Apply the SCP to the root of the organization.
B. Enable termination protection for the CloudFormation stack. Create an SCP that denies the cloudformation:DeleteStack action for the stack’s ARN. Apply the SCP to all OUs except the OU that contains the delegated administrator account.
C. Set the DeletionPolicy attribute to Retain for all resources in the CloudFormation stack. Create an IAM policy that denies the cloudformation:Delete Stack action for the stack’s ARN. Attach the IAM policy to all IAM users and roles in the organization’s management account.
D. Assign a stack policy to deny updates to stack resources. Create an SCP that denies the cloudformation:UpdateStack action for the stack’s ARN. Apply the SCP to all OUs and the organization’s management account.
Correct Answer: B
QUESTION 155
A security engineer is an IAM administrator at a company that uses AWS Organizations with multiple accounts and OUs. The security engineer needs to give developers the permission to create their own IAM roles in the Sandbox OU and in the Workload OU. The security engineer must define a maximum set of permissions that developers can apply to the IAM roles. The permissions must be based on the OU in which the account resides. Which solution will meet these requirements?
A. Create a single SCP. Include conditions in the SCP to reference the OU of the account and to deny access that is not included in the maximum allowed permissions. Attach the SCP to the root OU.
B. Create two distinct SCPs: one SCP for the Sandbox OU and another SCP for the Workload OU. In each SCP, deny all permissions except the maximum allowed permissions. Attach each SCP to its respective OU.
C. Create a single permissions policy that contains the maximum allowed permissions across all OUs. Add a condition in the developers’ IAM permissions to allow the creation of an IAM role only when this permissions policy is attached as a permissions boundary.
D. Create two distinct permissions policies: one policy for the Sandbox OU and another policy for the Workload OU. In each policy, define the maximum allowed permissions for that OU. Add a condition in the developers’ IAM permissions to allow creation of an IAM role only if the appropriate OU’s permissions policy is attached as a permissions boundary.
Correct Answer: B
QUESTION 156
A company has AWS accounts in an organization in AWS Organizations. The organization includes a development OU and a production OU. The company launches Amazon EC2 instances by using AWS CloudFormation templates. A security engineer must implement a restriction in which the development OU can launch instances from only the T4g instance family. Which solution will meet this requirement?
A. Use EC2 Image Builder to restrict the available instance types to T4g instances when the requesting IAM principal is in the development OU.
B. Create an SCP that uses the aws PrincipalOrg Paths condition key to restrict instances to the T4g type. Attach the SCP to the development OU.
C. Set up CloudFormation Guard. Write a CloudFormation Guard rule to restrict instances to the T4g type. Associate the rule with the development OU.
D. Define a product in AWS Service Catalog. Include a policy in the template to restrict the available instance types to T4g instances when the requesting IAM principal is in the development OU.
Correct Answer: C
QUESTION 157
A company must create annual snapshots of Amazon Elastic Block Store (Amazon EBS) volumes. The company must retain the snapshots for 10 years. The company will use AWS Key Management Service (AWS KMS) to encrypt the EBS volumes and snapshots. The encryption keys must be rotated automatically every year. Snapshots that were created in previous years must be readable after rotation of the encryption keys. Which type of KMS keys should the company use for encryption to meet these requirements?
A. Asymmetric AWS managed KMS keys with key material created by AWS KMS
B. Symmetric customer managed KMS keys with key material created by AWS KMS
C. Symmetric customer managed KMS keys with custom imported key material
D. Asymmetric AWS managed KMS keys with custom imported key material
Correct Answer: B
QUESTION 158
An audit reveals that a company has multiple applications that are susceptible to SQL injection attacks. The company wants a formal penetration testing program as soon as possible to identify future risks in applications that are deployed on AWS. The company’s legal department is concerned that such testing might create AWS abuse notifications and violate the AWS Acceptable Use policy. The company must ensure compliance in these areas. Which testing procedures are allowed on AWS as part of a penetration testing strategy? (Select TWO.)
A. Port scanning inside the company’s VPC.
B. Brute force test of the Amazon S3 bucket namespace.
C. Use of a SQL injection tool on the company’s web application against an Amazon RDS for PostgreSQL DB instance.
D. Packet flooding of the company’s web application.
E. DNS zone walking through Amazon Route 53 hosted zones.
Correct Answer: AC
QUESTION 159
A company uses Amazon EC2 Linux instances in the AWS Cloud. A member of the company’s security team recently received a report about common vulnerability identifiers on the instances. A security engineer needs to verify patching and perform remediation if the instances do not have the correct patches installed. The security engineer must determine which EC2 instances are at risk and must implement a solution to automatically update those instances with the applicable patches. What should the security engineer do to meet these requirements?
A. Use AWS Systems Manager Patch Manager to view vulnerability identifiers for missing patches on the instances. Use Patch Manager also to automate the patching process.
B. Use AWS Shield Advanced to view vulnerability identifiers for missing patches on the instances. Use AWS Systems Manager Patch Manager to automate the patching process.
C. Use Amazon GuardDuty to view vulnerability identifiers for missing patches on the instances. Use Amazon Inspector to automate the patching process.
D. Use Amazon Inspector to view vulnerability identifiers for missing patches on the instances. Use Amazon Inspector also to automate the patching process.
Correct Answer: D
QUESTION 160
A company uses infrastructure as code (IaC) to create AS infrastructure. The company writes the code as AWS CloudFormation templates to deploy the infrastructure. The company has an existing CI/CD pipeline that the company can use to deploy these templates. After a recent security audit, the company decides to adopt a policy-as-code approach to improve the company’s security posture on AWS. The company must prevent the deployment of any infrastructure that would violate a security policy, such as an unencrypted Amazon Elastic Block Store (Amazon EBS) volume. Which solution will meet these requirements?
A. Turn on AWS Trusted Advisor. Configure security notifications as webhooks in the preferences section of the CI/CD pipeline.
B. Turn on AWS Config. Use the prebuilt rules or customized rules. Subscribe the CI/CD pipeline to an Amazon Simple Notification Service (Amazon SNS) topic that receives notifications from AWS Config.
C. Create rule sets in AWS CloudFormation Guard. Run validation checks for CloudFormation templates as a phase of the CI/CD process.
D. Create rule sets as SCPs. Integrate the SCs as a part of validation control in a phase of the CI/CD process.
Correct Answer: C
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.