QUESTION 161
A company hosts business-critical applications on Amazon EC2 instances in a VPC. The VPC uses default DHCP options sets. A security engineer needs to log all DNS queries that internal resources make in the VPC. The security engineer also must create a list of the most common DNS queries over time. Which solution will meet these requirements?
A. Install the Amazon CloudWatch agent on each EC2 instance in the VPC. Use the CloudWatch agent to stream the DNS query logs to an Amazon CloudWatch Logs log group. Use CloudWatch metric filters to automatically generate metrics that list the most common DNS queries.
B. Install a BIND DNS server in the VPC. Create a bash script to list the DNS request number of common DNS queries from the BIND logs.
C. Create VPC flow logs for all subnets in the VPC. Stream the flow logs to an Amazon CloudWatch Logs log group. Use CloudWatch Logs Insights to list the most common DNS queries for the log group in a custom dashboard.
D. Configure Amazon Route 53 Resolver query logging. Add an Amazon CloudWatch Logs log group as the destination. Use Amazon CloudWatch Contributor Insights to analyze the data and create time series that display the most common DNS queries.
Correct Answer: D
QUESTION 162
An ecommerce company is developing new architecture for an application release. The company needs to implement TLS for incoming traffic to the application. Traffic for the application will originate from the internet. TLS does not have to be implemented in an end-to-end configuration because the company is concerned about impacts on performance. The incoming traffic types will be HTTP and HTTPS. The application uses ports 80 and 443. What should a security engineer do to meet these requirements?
A. Create a public Application Load Balancer. Create two listeners: one listener on port 80 and one listener on port 443. Create one target group. Create a rule to forward traffic from port 80 to the listener on port 443. Provision a public TLS certificate in AWS Certificate Manager (ACM). Attach the certificate to the listener on port 443.
B. Create a public Application Load Balancer. Create two listeners: one listener on port 80 and one listener on port 443. Create one target group. Create a rule to forward traffic from port 80 to the listener on port 443. Provision a public TLS certificate in AWS Certificate Manager (ACM). Attach the certificate to the listener on port 80.
C. Create a public Network Load Balancer. Create two listeners: one listener on port 80 and one listener on port A3. Create one target group. Create a rule to forward traffic from port 80 to the listener on port 443. Set the protocol for the listener on port 443 to TLS.
D. Create a public Network Load Balancer. Create a listener on port 443. Create one target group. Create a rule to forward traffic from port 443 to the target group. Set the protocol for the listener on port 443 to TLS.
Correct Answer: A
QUESTION 163
A company has AWS accounts in an organization in AWS Organizations. The company requires a specific software application to be installed on all new and existing Amazon EC2 instances in the organization. AWS Systems Manager Agent (SSM Agent) is installed and active on all the instances. How can the company continuously monitor the deployment status of the software application on all the instances?
A. Enable AWS Config for the entire organization. For all accounts, set up the ec2-managedinstance-applications-required AWS Config managed rule and specify the application name
B. Enable AWS Config for the entire organization. Provide new AMIs that have the required software application pre-installed. Set up the approved-amis-by-id AWS Config managed rule for all accounts.
C. Create a Systems Manager Distributor package for the required software application for the entire organization. Install the Distributor package by using Systems Manager Run Command. Review the output.
D. Configure Systems Manager Application Manager to collect a current list of installed software applications in the entire organization. Filter for the required application by software status.
Correct Answer: D
QUESTION 164
A company uses an organization in AWS Organizations to help separate its Amazon EC2 instances and VPCs. The company has separate OUs for development workloads and production workloads. A security engineer must ensure that only AWS accounts in the production OU can write VPC flow logs to an Amazon S3 bucket. The security engineer is configuring the S3 bucket policy with a Condition element to allow the s3:PutObject action for VPC flow logs. How should the security engineer configure the Condition element to meet these requirements?
A. Set the value of the aws:SourceOrgID condition key to be the organization ID
B. Set the value of the aws:SourceOrgPaths condition key to be the Organizations entity path of the production OU.
C. Set the value of the aws: ResourceOrgID condition key to be the organization ID.
D. Set the value of the aws:ResourceOrgPaths condition key to be the Organizations entity path of the production OU.
Correct Answer: B
QUESTION 165
A company runs an application on Amazon EC2 instances. A security engineer must extract application logs from the instances and must identify abnormal findings in the logs. Which solution will meet these requirements?
A. Install the Amazon CloudWatch agent on the instances. Enable log anomaly detection on the log group in CloudWatch Logs.
B. Install the Amazon CloudWatch agent on the instances. Use Amazon GuardDuty to monitor CloudWatch Logs for anomalous findings.
C. Install AWS Systems Manager Agent (SSM Agent) on the instances. Enable Amazon Inspector. Configure agent-based scanning for anomalous findings.
D. Enable Amazon Inspector. Configure hybrid scanning mode and use agentless scans. Search the Amazon Inspector report for anomalous findings.
Correct Answer: A
QUESTION 166
A company uses AWS Organizations to manage a small number of AWS accounts. However, the company plans to add 1,000 more accounts soon. The company allows only a centralized security team to create IAM roles for all AWS accounts and teams. Application teams submit requests for IAM roles to the security team. The security team has a backlog of IAM role requests and cannot review and provision the IAM roles quickly. The security team must create a process that will allow application teams to provision their own IAM roles. The process must also limit the scope of IAM roles and prevent privilege escalation. Which solution will meet these requirements with the LEAST operational overhead?
A. Create an IAM group for each application team. Associate policies with each IAM group. Provision IAM users for each application team member. Add the new IAM users to the appropriate IAM group by using role-based access control (RBAC).
B. Delegate application team leads to provision IAM roles for each team. Conduct a quarterly review of the IAM roles the team leads have provisioned. Ensure that the application team leads have the appropriate training to review IAM roles.
C. Put each AWS account in its own OU. Add an SCP to each OU to grant access to only the AWS services that the teams plan to use. Include conditions in the AWS account of each team.
D. Create an SCP and a permissions boundary for IAM roles. Add the SCP to the root OU so that only roles that have the permissions boundary attached can create any new IAM roles.
Correct Answer: D
QUESTION 167
A company uses AWS Config rules to identify Amazon S3 buckets that are not compliant with the company’s data protection policy. The S3 buckets are hosted in several AWS Regions and several AWS accounts. The accounts are in an organization in AWS Organizations. The company needs a solution to remediate the organization’s existing noncompliant S3 buckets and any noncompliant S3 buckets that are created in the future. Which solution will meet these requirements?
A. Deploy an AWS Config aggregator with organization-wide resource data aggregation. Create an AWS Lambda function that responds to AWS Config findings of noncompliant S3 buckets by deleting or reconfiguring the S3 buckets.
B. Deploy an AWS Config aggregator with organization-wide resource data aggregation. Create an SCP that contains a Deny statement that prevents the creation of new noncompliant S3 buckets. Apply the SCP to all OUs in the organization.
C. Deploy an AWS Config aggregator that scopes only the accounts and Regions that the company currently uses. Create an AWS Lambda function that responds to AWS Config findings of noncompliant S3 buckets by deleting or reconfiguring the S3 buckets.
D. Deploy an AWS Config aggregator that scopes only the accounts and Regions that the company currently uses. Create an SCP that contains a Deny statement that prevents the creation of new noncompliant S3 buckets. Apply the SCP to all OUs in the organization.
Correct Answer: A
QUESTION 168
A company’s security engineer has been asked to monitor and report all AWS account root user activities. Which of the following would enable the security engineer to monitor and report all root user activities? (Select TWO.)
A. Configuring AWS Organizations to monitor root user API calls on the paying account
B. Creating an Amazon EventBridge rule that will run when any API call from the root user is reported
C. Configuring Amazon Inspector to scan the AWS account for any root user activity
D. Configuring AWS Trusted Advisor to send an email to the security team when the root user logs in to the console
E. Using Amazon SNS to notify the target group
Correct Answer: BD
QUESTION 169
A company is migrating its Amazon EC2 based applications to use Instance Metadata Service Version 2 (MDSv2). A security engineer needs to determine whether any of the EC2 instances are still using Instance Metadata Service Version (IMDSV1). What should the security engineer do to confirm that the IMDSv1 endpoint is no longer being used?
A. Configure logging on the Amazon Cloud Watch agent for IMDSv1 as part of EC2 instance startup. Create a metric filter and a CloudWatch dashboard. Track the metric in the dashboard.
B. Create an Amazon CloudWatch dashboard. Verify that the EC2:MetadataNo Token metric is zero across all S EC2 instances. Monitor the dashboard.
C. Create a security group that blocks access to HTTP for the IMDSv1 endpoint. Attach the security group to all EC2 instances.
D. Configure user data scripts for all EC2 instances to send logging information to AWS Cloud Trail when IMDSv1 is used Create a metric filter and an Amazon CloudWatch dashboard Track the metric in the dashboard.
Correct Answer: B
QUESTION 170
A company has an organization in AWs Organizations. The organization consists of multiple OUs. The company must prevent IAM principals from outside the organization from accessing the organization’s Amazon S3 buckets. The solution must not affect the existing access that the OUs have to the S3 buckets. Which solution will meet these requirements?
A. Configure S3 Block Public Access for all S3 buckets.
B. Configure S3 Block Public Access for all AWS accounts.
C. Deploy an SCP that includes the “aws.ResourceOrgPaths”: “${aws: PrincipalOrgPaths}” condition.
D. Deploy an SCP that includes the “aws.ResourceOrgID”: “${aws:PrincipalOrgID}” condition.
Correct Answer: D
QUESTION 171
A company runs workloads on Amazon EC2 instances. The company needs to continually scan the EC2 instances for software vulnerabilities and unintended network exposure. Which solution will meet these requirements?
A. Use Amazon Inspector. Set the scan mode to hybrid scanning.
B. Use Amazon GuardDuty. Enable the Malware Protection feature.
C. Use Amazon Inspector. Enable the Malware Protection feature.
D. Use Amazon GuardDuty. Enable the Runtime Monitoring feature.
Correct Answer: A
QUESTION 172
A company hosts its public website on Amazon EC2 instances behind an Application Load Balancer (ALB). The website is experiencing a global DDoS attack by a specific IoT device brand that has a unique user agent. A security engineer is creating an AWS WAF web ACL and will associate the web ACL with the ALB. The security engineer must implement a rule statement as part of the web ACL to block the requests. The rule statement must mitigate the current attack and future attacks from these IoT devices without blocking requests from customers. Which rule statement will meet these requirements?
A. Use an IP set match rule statement that includes the IP address for IoT devices from the user agent.
B. Use a geographic match rule statement. Configure the statement to block countries that the IoT devices are located in.
C. Use a rate-based rule statement. Set a rate limit that is equal to the number of requests that are coming from the IoT devices.
D. Use a string match rule statement that includes details of the IoT device brand from the user agent.
Correct Answer: D
QUESTION 173
A company has a large fleet of Amazon Linux 2 Amazon EC2 instances that run an application. The application processes sensitive data and has the following compliance requirements:
1. No remote access management ports to the EC2 instances can be exposed internally or externally.
2. All remote session activity must be recorded in an audit log.
3. All remote access to the EC2 instances must be authenticated and authorized by AWS IAM Identity Center.
The company’s DevOps team occasionally needs to connect to one of the EC2 instances to troubleshoot issues. Which solution will provide remote access to the EC2 instances while meeting the compliance requirements?
A. Grant access to the EC2 serial console at the account level. Create an IAM policy that allows an IAM role of the DevOps team to access the EC2 serial console.
B. Enable EC2 Instance Connect on the AMI of the EC2 instances. Configure the appropriate security group rules. Grant EC2 console access to the DevOps team for access to EC2 Instance Connect.
C. Assign an EC2 instance role that allows access to AWS Systems Manager. Create an IAM policy that grants access to Systems Manager Session Manager. Assign the policy to an IAM role of the DevOps team.
D. Use AWS Systems Manager Automation runbooks to open remote access ports to the EC2 instances. Attach a role to the EC2 instances to allow the runbooks to run
Correct Answer: C
QUESTION 174
A company wants to create a log analytics solution for logs generated from its on-premises devices. The logs are collected from the devices onto a server on premises. The company wants to use AWS services to perform near real-time log analysis. The company also wants to store these logs for 365 days for pattern matching and substring search capabilities later. Which solution will meet these requirements with the LEAST development overhead?
A. Install Amazon Kinesis Agent on the on-premises server to send the logs to Amazon DynamoDB. Configure an AWS Lambda trigger on DynamoDB streams to perform near real-time log analysis. Export the DynamoDB data to Amazon S3 periodically. Run Amazon Athena queries for pattern matching and substring search. Set up S3 Lifecycle policies to delete the log data after 365 days.
B. Install Amazon Managed Streaming for Apache Kafka (Amazon MSK) on the on-premises server. Create an MSK cluster to collect the streaming data and analyze the data in real time. Set the data retention period to 365 days to store the logs persistently for pattern matching and substring search.
C. Install Amazon Kinesis Agent on the on-premises server to send the logs to Amazon Data Firehose. Configure Amazon Managed Service for Apache Flink (previously known as Amazon Kinesis Data Analytics) as the destination for real-time processing. Store the logs in Amazon OpenSearch Service for pattern matching and substring search. Configure an OpenSearch Service Index State Management (ISM) policy to delete the data after 365 days.
D. Use Amazon API Gateway and AWs Lambda to write the logs from the on-premises server to Amazon DynamoDB. Configure Lambda trigger on DynamoDB streams to perform near real-time log analysis. Run Amazon Athena federated queries on DynamoDB data for pattern matching and substring search. Set up TTL to delete data after 365 days.
Correct Answer: C
QUESTION 175
A company uses AWS Organizations to manage an organization that consists of three workload OUs: Production, Development, and Testing. The company uses AWS CloudFormation templates to define and deploy workload infrastructure in AWS accounts that are associated with the OUs. Different SCPs are attached to each workload OU. The company successfully deployed a CloudFormation stack update to workloads in the Development OU and the Testing OU. When the company uses the same CloudFormation template to deploy the stack update in an account in the Production OU, the update fails. The error message reports insufficient IAM permissions. What is the FIRST step that a security engineer should take to troubleshoot this issue?
A. Review the AWS Cloud Trail logs in the account in the Production OU. Search for any failed API calls from CloudFormation during the deployment attempt.
B. Remove all the SCPs that are attached to the Production OU. Rerun the CloudFormation stack update to determine if the SCPs were preventing the CloudFormation API calls.
C. Confirm that the role used by CloudFormation has sufficient permissions to create, update, and delete the resources that are referenced in the CloudFormation template.
D. Make all the SCPs that are attached to the Production OU the same as the SCPs that are attached to the Testing OU.
Correct Answer: A
QUESTION 176
A company finds that one of its Amazon EC2 instances suddenly has a high a CPU usage. The company does not know whether the EC2 instance is compromised or whether the operating system is performing background cleanup. Which combination of steps should a security engineer take before investigating the issue? (Select THREE.)
A. Disable termination protection for the EC2 instance if termination protection has not been disabled.
B. Enable termination protection for the EC2 instance if termination protection has not been enabled.
C. Take of snapshots of the Amazon Elastic Block Store (Amazon EBS) data volumes that are attached to the EC2 instance.
D. Remove all snapshots of the Amazon Elastic Block Store (Amazon EBS) data volumes that are attached to the EC2 instance.
E. Capture the EC2 instance metadata, and then tag the EC2 instance as under quarantine.
F. Immediately remove any entries in the EC2 instance metadata that contain sensitive information.
Correct Answer: BCE
QUESTION 177
A company is planning to deploy a new log analysis environment. The company needs to implement a solution to analyze logs from multiple AWS services in near real time. The solution must provide the ability to search the logs. The solution also must send alerts to an existing Amazon Simple Notification Service (Amazon SNS) topic when specific logs match detection rules. Which solution will meet these requirements?
A. Analyze the logs by using Amazon OpenSearch Service. Search the logs from the OpenSearch API. Use OpenSearch Service Security Analytics to match logs with detection rules and to send alerts to the SNS topic.
B. Analyze the logs by using AWS Security Hub. Search the logs from the Findings page in Security Hub. Create custom actions to match logs with detection rules and to send alerts to the SNS topic.
C. Analyze the logs by using Amazon CloudWatch Logs. Use a subscription filter to match logs with detection rules and to send alerts to the SNS topic. Search the logs manually by using CloudWatch Logs Insights.
D. Analyze the logs by using Amazon QuickSight. Search the logs by listing the query results in a dashboard. Run queries to match logs with detection rules and to send alerts to the SNS topic.
Correct Answer: A
QUESTION 178
Amazon CloudWatch Logs IS agent is successfully delivering logs to the CloudWatch Logs service. However, logs stop being delivered after the associated log stream has been active for a specific number of hours. What steps are necessary to identify the cause of this phenomenon? (Select TWO.)
A. Ensure that file permissions for monitored files that allow the CloudWatch Logs agent to read the file have not been modified
B. Verify that the OS Log rotation rules are compatible with the configuration requirements for agent streaming.
C. Configure an Amazon Kinesis producer to first put the logs into Amazon Kinesis Streams.
D. Create a CloudWatch Logs metric to isolate a value that changes at least once during the period before logging stops.
E. Use AWS CloudFormation to dynamically create and maintain the configuration file for the CloudWatch Logs agent.
Correct Answer: AB
QUESTION 179
A healthcare company has multiple AWS accounts in an organization in AWS Organizations. The company uses Amazon S3 buckets to store sensitive information of patients. The company needs to restrict users from deleting any S3 bucket across the organization. What is the MOST scalable solution that meets these requirements?
A. Permissions boundaries in AWS Identity and Access Management (IAM)
B. S3 bucket policies
C. Tag policies
D. SCPs
Correct Answer: D
QUESTION 180
A company’s engineering team is developing a new application that creates AWs Key Management Service (AWS KMS) customer managed key grants for users. Immediately after a grant is created, users must be able to use the KMS key to encrypt a 512-byte payload. During load testing, AccessDeniedException errors occur occasionally when a user first attempts to use the key to encrypt. Which solution should the company’s security specialist recommend to eliminate these AccessDeniedException errors?
A. Instruct users to implement a retry mechanism every 2 minutes until the call succeeds.
B. Instruct the engineering team to consume random grant token from users and to call the CreateGrant operation by passing the grant token to the operation. Instruct users to use that grant token in their call to encrypt.
C. Instruct the engineering team to create a random name for the grant when calling the CreateGrant operation. Return the name to the users and instruct them to provide the to name as the grant token in the call to encrypt.
D. Instruct the engineering team to pass the grant token returned in the CreateGrant response to users. Instruct users to use that grant token in their call to encrypt.
Correct Answer: D
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.