
AWS SCS-C02 Exam Questions for Effective Preparation | AWS Certified Security - Specialty

SPOTO's AWS SCS-C02 Exam Questions provide you with a vast collection of test questions that accurately simulate the real exam environment, allowing you to familiarize yourself with the exam format and question types. These study materials are expertly designed by industry professionals, ensuring their relevance and accuracy. Furthermore, SPOTO offers mock exams that closely mimic the actual certification exam, enabling you to gauge your readiness and identify areas that require further attention. By leveraging these exam resources, you can effectively prepare and increase your chances of passing the AWS Certified Security - Specialty exam successfully on your first attempt, validating your expertise in creating and implementing secure AWS Cloud solutions.

Question #1
A development team is attempting to encrypt and decrypt a secure string parameter from the AWS Systems Manager Parameter Store using an AWS Key Management Service (AWS KMS) CMK. However, each attempt results in an error message being sent to the development team. Which CMK-related problems possibly account for the error? (Select two.)
A. However, the company does not want to allow users from the other accounts to access other files in the same folder
B. Apply a user policy in the other accounts to allow AWS Glue and Athena to access the
C. Use S3 Select to restrict access to the
D. Define an AWS Glue Data Catalog resource policy in AWS Glue to grant cross-account S3 object access to the
E. Grant AWS Glue access to Amazon S3 in a resource-based policy that specifies the organization as the principal
Correct Answer: AD
Question #2
A company needs to encrypt all of its data stored in Amazon S3. The company wants to use AWS Key Management Service (AWS KMS) to create and manage its encryption keys. The company's security policies require the ability to import the company's own key material for the keys, set an expiration date on the keys, and delete keys immediately, if needed. How should a security engineer set up AWS KMS to meet these requirements?
A. Configure AWS KMS and use a custom key store
B. Configure AWS KMS and use the default key store. Create an AWS managed CMK with no key material. Import the company's key material into the CMK
C. Configure AWS KMS and use the default key store. Create a customer managed CMK with no key material. Import the company's key material into the CMK
D. Configure AWS KMS and use a custom key store
Correct Answer: C
Only a customer managed CMK created without key material in the default key store accepts imported key material; the imported material can be given an expiration date and can be deleted immediately, which makes the CMK unusable at once. AWS managed keys and keys in a custom key store do not support imported key material.
Question #3
A company needs a security engineer to implement a scalable solution for multi-account authentication and authorization. The solution should not introduce additional user-managed architectural components. Native AWS features should be used as much as possible. The security engineer has set up AWS Organizations with all features activated and AWS SSO enabled. Which additional steps should the security engineer take to complete the task?
A. Use AD Connector to create users and groups for all employees that require access to AWS accounts
B. Use an AWS SSO default directory to create users and groups for all employees that require access to AWS accounts
C. Use an AWS SSO default directory to create users and groups for all employees that require access to AWS accounts
D. Use AWS Directory Service for Microsoft Active Directory to create users and groups for all employees that require access to AWS accounts. Enable AWS Management Console access in the created directory and specify AWS SSO as a source of information for integrated accounts and permission sets
Correct Answer: B
Question #4
A company is planning to use Amazon Elastic File System (Amazon EFS) with its on-premises servers. The company has an existing AWS Direct Connect connection established between its on-premises data center and an AWS Region. Security policy states that the company's on-premises firewall should only have specific IP addresses added to the allow list and not a CIDR range. The company also wants to restrict access so that only certain data center-based servers have access to Amazon EFS. How should a security engin
A. Add the file-system-id.efs.aws-region.amazonaws.com URL to the allow list for the data center firewall. Install the AWS CLI on the data center-based servers to mount the EFS file system. In the EFS security group, add the data center IP range to the allow list. Mount the EFS using the EFS file system name
B. Assign an Elastic IP address to Amazon EFS and add the Elastic IP address to the allow list for the data center firewall. Install the AWS CLI on the data center-based servers to mount the EFS file system. In the EFS security group, add the IP addresses of the data center servers to the allow list. Mount the EFS using the Elastic IP address
C. Add the EFS file system mount target IP addresses to the allow list for the data center firewall. In the EFS security group, add the data center server IP addresses to the allow list. Use the Linux terminal to mount the EFS file system using the IP address of one of the mount targets
D. Assign a static range of IP addresses for the EFS file system by contacting AWS Support. In the EFS security group, add the data center server IP addresses to the allow list. Use the Linux terminal to mount the EFS file system using one of the static IP addresses
Correct Answer: C
An EFS file system cannot be given an Elastic IP address or a static range, and its DNS name does not resolve from on premises without additional resolver setup. Each mount target has a fixed private IP address in its subnet; those addresses go on the firewall allow list and into the on-premises mount command, and the mount target security group then limits which data center servers may connect.
Question #5
A company is building a data processing application that uses AWS Lambda functions. The application's Lambda functions need to communicate with an Amazon RDS DB instance that is deployed within a VPC in the same AWS account. Which solution meets these requirements in the MOST secure way?
A. Configure the DB instance to allow public access. Update the DB instance security group to allow access from the Lambda public address space for the AWS Region
B. Deploy the Lambda functions inside the VPC. Attach a network ACL to the Lambda subnet. Provide outbound rule access to the VPC CIDR range only. Update the DB instance security group to allow traffic from 0.0.0.0/0
C. Deploy the Lambda functions inside the VPC. Attach a security group to the Lambda functions. Provide outbound rule access to the VPC CIDR range only. Update the DB instance security group to allow traffic from the Lambda security group
D. Peer the Lambda default VPC with the VPC that hosts the DB instance to allow direct network access without the need for security groups
Correct Answer: C
Question #6
You have an S3 bucket defined in AWS. You want to ensure that you encrypt the data before sending it across the wire. What is the best way to achieve this?
A. Enable server side encryption for the S3 bucket
B. Use the AWS Encryption CLI to encrypt the data first
C. Use a Lambda function to encrypt the data before sending it to the S3 bucket
D. Enable client encryption for the bucket
Correct Answer: B
Question #7
A corporation is preparing to acquire several companies. A Security Engineer must design a solution to ensure that newly acquired AWS accounts follow the corporation's security best practices. The solution should monitor each Amazon S3 bucket for unrestricted public write access and use AWS managed services. What should the Security Engineer do to meet these requirements?
A. Configure Amazon Macie to continuously check the configuration of all S3 buckets
B. Enable AWS Config to check the configuration of each S3 bucket
C. Set up AWS Systems Manager to monitor S3 bucket policies for public write access
D. Configure an Amazon EC2 instance to have an IAM role and a cron job that checks the status of all S3 buckets
Correct Answer: B
AWS Config evaluates every bucket continuously with the managed rule s3-bucket-public-write-prohibited, and the rule can be rolled out to newly joined accounts through an organization conformance pack. Systems Manager has no check for bucket policies, and an EC2 cron job is neither a managed service nor scalable across acquisitions.
Question #8
A company stores images for a website in an Amazon S3 bucket. The company is using Amazon CloudFront to serve the images to end users. The company recently discovered that the images are being accessed from countries where the company does not have a distribution license. Which actions should the company take to secure the images to limit their distribution? (Select TWO.)
A. Analyze an AWS Identity and Access Management (IAM) use report from AWS Trusted Advisor to see when the access key was last used
B. Analyze Amazon CloudWatch Logs for activity by searching for the access key
C. Analyze VPC flow logs for activity by searching for the access key
D. Analyze a credential report in AWS Identity and Access Management (IAM) to see when the access key was last used
Correct Answer: AC
Question #9
A company's application team needs to host a MySQL database on AWS. According to the company's security policy, all data that is stored on AWS must be encrypted at rest. In addition, all cryptographic material must be compliant with FIPS 140-2 Level 3 validation. The application team needs a solution that satisfies the company's security requirements and minimizes operational overhead. Which solution will meet these requirements?
A. Host the database on Amazon RDS
B. Host the database on Amazon RDS
C. Host the database on an Amazon EC2 instance
D. Host the database on an Amazon EC2 instance
Correct Answer: B
Question #10
A company's Security Team received an email notification from the Amazon EC2 Abuse team that one or more of the company's Amazon EC2 instances may have been compromised. Which combination of actions should the Security team take to respond to the current incident? (Select TWO.)
A. Use Amazon CloudWatch monitoring to capture Amazon EC2 and networking metrics. Visualize metrics using Amazon CloudWatch dashboards
B. Run the Amazon Kinesis Agent to write the status data to Amazon Kinesis Data Firehose. Store the streaming data from Kinesis Data Firehose in Amazon Redshift
C. Write the status data directly to a public Amazon S3 bucket from the health-checking component. Configure S3 events to invoke an AWS Lambda function that analyzes the data
D. Generate events from the health-checking component and send them to Amazon CloudWatch Events
Correct Answer: DE
Question #11
An audit determined that a company's Amazon EC2 instance security group violated company policy by allowing unrestricted incoming SSH traffic. A security engineer must implement a near-real-time monitoring and alerting solution that will notify administrators of such violations. Which solution meets these requirements with the MOST operational efficiency?
A. Create a recurring Amazon Inspector assessment run that runs every day and uses the Network Reachability package
B. Use the restricted-ssh AWS Config managed rule that is invoked by security group configuration changes that are not compliant
C. Configure VPC Flow Logs for the VPC and specify an Amazon CloudWatch Logs group
D. Create a recurring Amazon Inspector assessment run that runs every day and uses the Security Best Practices package
Correct Answer: B
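The restricted-ssh rule in the answer to Question #11 reduces to one check over each security group's inbound rules. The Python below is an added example, not AWS's rule implementation and not code from this page: it applies that check to a constructed describe-security-groups style payload (the group IDs and CIDRs are placeholders) and returns COMPLIANT or NON_COMPLIANT the way the managed rule does, including the two cases a quick hand-written check tends to miss, an all-protocols (-1) rule and a port range that happens to contain 22.

```python
"""What the AWS Config managed rule restricted-ssh checks (Question #11),
as a stand-alone function. Added example, not AWS's rule code and not from
the page. SAMPLE_GROUPS is a constructed subset of the JSON that
`aws ec2 describe-security-groups` returns; group IDs and CIDRs are
placeholders."""

import ipaddress

SSH_PORT = 22

SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaaaaaaaaaaaaaa1", "GroupName": "bastion-open",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbbbbbbbbbbbbbb2", "GroupName": "bastion-corp-only",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ccccccccccccccc3", "GroupName": "all-traffic-ipv6",
     "IpPermissions": [{"IpProtocol": "-1",
                        "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0ddddddddddddddd4", "GroupName": "wide-port-range",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0eeeeeeeeeeeeeee5", "GroupName": "udp-only",
     "IpPermissions": [{"IpProtocol": "udp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]


def rule_covers_port(perm, port):
    """IpProtocol -1 means every protocol and port; otherwise TCP within the range."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def rule_is_world_open(perm):
    """True when any source CIDR has prefix length 0 (0.0.0.0/0 or ::/0)."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])] + \
            [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)


def evaluate_group(group):
    """Same verdict restricted-ssh gives: NON_COMPLIANT if the world can reach port 22."""
    for perm in group.get("IpPermissions", []):
        if rule_covers_port(perm, SSH_PORT) and rule_is_world_open(perm):
            return "NON_COMPLIANT"
    return "COMPLIANT"


def evaluate_all(groups):
    return {g["GroupId"]: evaluate_group(g) for g in groups}


if __name__ == "__main__":
    for gid, verdict in evaluate_all(SAMPLE_GROUPS).items():
        print(gid, verdict)
```

In the account, the managed rule runs this evaluation whenever a security group's configuration changes; pairing it with an EventBridge rule on Config compliance-change events that targets an SNS topic gives the near-real-time notification the question asks for, with no code to maintain.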
Question #12
A company is hosting a static website on Amazon S3. The company has configured an Amazon CloudFront distribution to serve the website contents. The company has associated an AWS WAF web ACL with the CloudFront distribution. The web ACL ensures that requests originate from the United States to address compliance restrictions. The company is worried that the S3 URL might still be accessible directly and that requests can bypass the CloudFront distribution. Which combination of steps should the company take to rem
A. Enable Amazon Macie so that Security Hub will allow Detective to process findings from Macie
B. Disable AWS Key Management Service (AWS KMS) encryption on CloudTrail logs in every member account of the organization
C. Enable Amazon GuardDuty on all member accounts. Try to enable Detective in 48 hours
D. Ensure that the principal that launches Detective has the organizations:ListAccounts permission
Correct Answer: AD
Question #14
A company uses an external identity provider to allow federation into different AWS accounts. A security engineer for the company needs to identify the federated user that terminated a production Amazon EC2 instance a week ago. What is the FASTEST way for the security engineer to identify the federated user?
A. Review the AWS CloudTrail event history logs in an Amazon S3 bucket and look for the TerminateInstances event to identify the federated user from the role session name
B. Filter the AWS CloudTrail event history for the TerminateInstances event and identify the assumed IAM role
C. Search the AWS CloudTrail logs for the TerminateInstances event and note the event time
D. Use Amazon Athena to run a SQL query on the AWS CloudTrail logs stored in an Amazon S3 bucket and filter on the TerminateInstances event
Correct Answer: B
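Whichever way the TerminateInstances event is retrieved for Question #14, the person behind it has to be read out of the record's userIdentity block, and for a federated session that means the role session name, not just the role. The Python below is an added example (not from the page, not AWS code) that does that attribution over a constructed set of CloudTrail records; the account ID, ARNs, instance ID and user names are placeholders.

```python
"""Find who terminated an instance from CloudTrail records, resolving a
federated user from the role session name. Added example (not from the page,
not AWS code). SAMPLE_TRAIL is constructed: account IDs, ARNs, instance IDs
and user names are placeholders, not real data."""

import json

SAMPLE_TRAIL = {"Records": [
    {   # federated user alice, via AssumeRoleWithSAML, terminates an instance
        "eventTime": "2023-05-02T14:03:11Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "TerminateInstances",
        "awsRegion": "us-east-1",
        "userIdentity": {
            "type": "AssumedRole",
            "principalId": "AROAEXAMPLE123456789:alice@example.com",
            "arn": "arn:aws:sts::111122223333:assumed-role/ProdOpsFederated/alice@example.com",
            "accountId": "111122223333",
            "sessionContext": {
                "sessionIssuer": {
                    "type": "Role",
                    "arn": "arn:aws:iam::111122223333:role/ProdOpsFederated",
                    "userName": "ProdOpsFederated"},
                "attributes": {"creationDate": "2023-05-02T13:40:00Z",
                               "mfaAuthenticated": "false"}}},
        "requestParameters": {"instancesSet": {"items": [
            {"instanceId": "i-0abc1234def567890"}]}},
    },
    {   # same role, another federated user, harmless read call
        "eventTime": "2023-05-02T14:05:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances",
        "awsRegion": "us-east-1",
        "userIdentity": {
            "type": "AssumedRole",
            "principalId": "AROAEXAMPLE123456789:bob@example.com",
            "arn": "arn:aws:sts::111122223333:assumed-role/ProdOpsFederated/bob@example.com",
            "accountId": "111122223333"},
        "requestParameters": {},
    },
    {   # an ordinary IAM user stopping (not terminating) the same instance
        "eventTime": "2023-05-02T15:00:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "StopInstances",
        "awsRegion": "us-east-1",
        "userIdentity": {
            "type": "IAMUser",
            "userName": "deploy-bot",
            "arn": "arn:aws:iam::111122223333:user/deploy-bot",
            "accountId": "111122223333"},
        "requestParameters": {"instancesSet": {"items": [
            {"instanceId": "i-0abc1234def567890"}]}},
    },
]}


def actor(identity):
    """Return (who, role_name) for a CloudTrail userIdentity block.

    For type AssumedRole the ARN is
    arn:aws:sts::<account>:assumed-role/<RoleName>/<RoleSessionName>.
    With SAML or OIDC federation the RoleSessionName is set from the IdP
    assertion (the user's name or email), so it identifies the person; the
    role name alone is shared by everyone who federates into that role."""
    kind = identity.get("type")
    if kind == "AssumedRole":
        role_name, _, session_name = identity["arn"].rpartition("assumed-role/")[2].partition("/")
        return session_name, role_name
    if kind == "IAMUser":
        return identity.get("userName"), None
    return identity.get("arn", "unknown"), None


def find_events(trail, event_name="TerminateInstances"):
    """Filter records by eventName and attribute each one to a person."""
    hits = []
    for rec in trail["Records"]:
        if rec.get("eventName") != event_name:
            continue
        who, role = actor(rec["userIdentity"])
        items = rec.get("requestParameters", {}).get("instancesSet", {}).get("items", [])
        mfa = rec["userIdentity"].get("sessionContext", {}).get("attributes", {}).get("mfaAuthenticated")
        hits.append({"time": rec["eventTime"], "user": who, "role": role,
                     "instances": [i["instanceId"] for i in items],
                     "mfa": mfa})
    return hits


if __name__ == "__main__":
    print(json.dumps(find_events(SAMPLE_TRAIL), indent=2))
```

For an event one week old the CloudTrail event history (90 days) is enough: `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=TerminateInstances` returns the same record shape, and the session name is what to read. Only events older than 90 days require the S3 trail and Athena. Two caveats: the session name is only as trustworthy as the identity provider that set it, and if the role allows callers to pick their own RoleSessionName (a sts:RoleSessionName condition is what prevents that), the value is an assertion, not proof.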
Question #15
A company deployed Amazon GuardDuty in the us-east-1 Region. The company wants all DNS logs that relate to the company's Amazon EC2 instances to be inspected. What should a security engineer do to ensure that the EC2 instances are logged?
A. Use IPv6 addresses that are configured for hostnames
B. Configure external DNS resolvers as internal resolvers that are visible only to AWS
C. Use AWS DNS resolvers for all EC2 instances
D. Configure a third-party DNS resolver with logging for all EC2 instances
Correct Answer: C
Question #16
A company is using an AWS Key Management Service (AWS KMS) AWS owned key in its application to encrypt files in an AWS account. The company's security team wants the ability to change to new key material for new files whenever a potential key breach occurs. A security engineer must implement a solution that gives the security team the ability to change the key whenever the team wants to do so. Which solution will meet these requirements?
A. Create a new customer managed key. Add a key rotation schedule to the key. Invoke the key rotation schedule every time the security team requests a key change
B. Create a new AWS managed key. Add a key rotation schedule to the key. Invoke the key rotation schedule every time the security team requests a key change
C. Create a key alias. Create a new customer managed key every time the security team requests a key change. Associate the alias with the new key
D. Create a key alias. Create a new AWS managed key every time the security team requests a key change. Associate the alias with the new key
Correct Answer: A
Question #17
A company has implemented AWS WAF and Amazon CloudFront for an application. The application runs on Amazon EC2 instances that are part of an Auto Scaling group. The Auto Scaling group is behind an Application Load Balancer (ALB). The AWS WAF web ACL uses an AWS Managed Rules rule group and is associated with the CloudFront distribution. CloudFront receives the request from AWS WAF and then uses the ALB as the distribution's origin. During a security review, a security engineer discovers that the infrastructur
A. Configure the CloudFront distribution to use the Lambda@Edge feature
B. Configure the AWS WAF web ACL so that the web ACL has more capacity units to process all AWS WAF rules faster
C. Configure AWS WAF with a rate-based rule that imposes a rate limit that automatically blocks requests when the rate limit is exceeded
D. Configure the CloudFront distribution to use AWS WAF as its origin instead of the ALB
Correct Answer: C
Question #18
A company has developed a new Amazon RDS database application. The company must secure the RDS database credentials for encryption in transit and encryption at rest. The company also must rotate the credentials automatically on a regular basis. Which solution meets these requirements?
A. Use AWS Systems Manager Parameter Store to store the database credentials
B. Use AWS Secrets Manager to store the database credentials
C. Store the database credentials in an Amazon S3 bucket that is configured with server-side encryption with S3 managed encryption keys (SSE-S3). Rotate the credentials with IAM database authentication
D. Store the database credentials in Amazon S3 Glacier, and use S3 Glacier Vault Lock. Configure an AWS Lambda function to rotate the credentials on a scheduled basis
Correct Answer: B
Secrets Manager encrypts secrets with AWS KMS, serves them only over TLS, and has built-in scheduled rotation for Amazon RDS credentials. Parameter Store SecureString parameters are also KMS-encrypted but have no native rotation, so option A does not meet the automatic-rotation requirement.
Question #19
A company's security engineer wants to receive an email alert whenever Amazon GuardDuty, AWS Identity and Access Management Access Analyzer, or Amazon Macie generate a high-severity security finding. The company uses AWS Control Tower to govern all of its accounts. The company also uses AWS Security Hub with all of the AWS service integrations turned on. Which solution will meet these requirements with the LEAST operational overhead?
A. Set up separate AWS Lambda functions for GuardDuty, IAM Access Analyzer, and Macie to call each service's public API to retrieve high-severity findings
B. Create an Amazon EventBridge rule with a pattern that matches Security Hub findings events with high severity
C. Create an Amazon EventBridge rule with a pattern that matches AWS Control Tower events with high severity
D. Host an application on Amazon EC2 to call the GuardDuty, IAM Access Analyzer, and Macie APIs
Correct Answer: B
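The work in the answer to Question #19 is writing the event pattern. The Python below is an added example, not AWS code and not from the page: it holds the pattern an engineer would pass to `aws events put-rule --event-pattern`, and implements just enough of the EventBridge matching rules (exact values, nested objects, arrays where any element may match) to run it against constructed Security Hub finding events. The ProductName strings are the values Security Hub uses for these three services and the finding IDs are placeholders; confirm both against a real finding in your account before relying on them.

```python
"""EventBridge-style pattern matching for Security Hub findings (Question #19).
Added example, not AWS code: the matcher implements only the subset of the
EventBridge pattern language needed here (exact values, nested objects, and
arrays where any element may match). The events are constructed ASFF findings
with placeholder finding IDs."""

import json

# The rule pattern you would give to `aws events put-rule --event-pattern`.
# Security Hub delivers findings in detail.findings (an array). Matching on
# Severity.Label avoids depending on product-specific numeric scores, and
# RecordState/Workflow keep re-imported, already-handled findings quiet.
PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {"findings": {
        "ProductName": ["GuardDuty", "IAM Access Analyzer", "Macie"],
        "Severity": {"Label": ["HIGH", "CRITICAL"]},
        "RecordState": ["ACTIVE"],
        "Workflow": {"Status": ["NEW"]},
    }},
}


def _finding(product, label, state="ACTIVE", status="NEW", fid="f-1"):
    """Build a constructed Security Hub event carrying one ASFF finding."""
    return {"source": "aws.securityhub",
            "detail-type": "Security Hub Findings - Imported",
            "detail": {"findings": [{
                "Id": fid, "ProductName": product,
                "Severity": {"Label": label, "Normalized": 70},
                "RecordState": state, "Workflow": {"Status": status}}]}}


EVENTS = [
    _finding("GuardDuty", "HIGH", fid="gd-high"),                      # should match
    _finding("Macie", "LOW", fid="macie-low"),                         # severity too low
    _finding("Inspector", "CRITICAL", fid="insp-crit"),                # product not in scope
    _finding("IAM Access Analyzer", "CRITICAL", fid="aa-crit"),        # should match
    _finding("GuardDuty", "HIGH", status="RESOLVED", fid="gd-done"),   # already handled
]


def matches(pattern, event):
    """True when every key in pattern is satisfied by event.

    A list in the pattern is the set of acceptable values; a dict is matched
    recursively. When the event value is itself a list (detail.findings),
    the pattern matches if any element does, as EventBridge does."""
    for key, want in pattern.items():
        if key not in event:
            return False
        got = event[key]
        candidates = got if isinstance(got, list) else [got]
        if isinstance(want, dict):
            if not any(isinstance(c, dict) and matches(want, c) for c in candidates):
                return False
        elif not any(c in want for c in candidates):
            return False
    return True


def select(pattern, events):
    """Return the finding IDs of events the rule would forward to its target."""
    return [e["detail"]["findings"][0]["Id"] for e in events if matches(pattern, e)]


if __name__ == "__main__":
    print(json.dumps(PATTERN, indent=2))
    print(select(PATTERN, EVENTS))   # ['gd-high', 'aa-crit']
```

Point the rule at an SNS topic with an email subscription. With Control Tower in use, the Security Hub delegated administrator (normally the audit account) sees findings from every member, so that is the one place the rule needs to exist; the Workflow.Status filter is what stops a second email every time Security Hub re-imports a finding someone is already working on.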
Question #21
A company stores sensitive documents in Amazon S3 by using server-side encryption with an AWS Key Management Service (AWS KMS) CMK. A new requirement mandates that the CMK that is used for these documents can be used only for S3 actions. Which statement should the company add to the key policy to meet this requirement?
A.
B.
Correct Answer: A
Question #22
A company created an AWS account for its developers to use for testing and learning purposes. Because this account will be shared among multiple teams of developers, the company wants to restrict the ability to stop and terminate Amazon EC2 instances so that a team can perform these actions only on the instances it owns. Developers were instructed to tag all their instances with a Team tag key and use the team name in the tag value. One of the first teams to use this account is Business Intelligence. A security en
A. For each team, create an IAM policy similar to the one that follows. Populate the ec2:ResourceTag/Team condition key with a proper team name. Attach the resulting policies to the corresponding IAM roles
B. For each team, create an IAM policy similar to the one that follows. Populate the aws:TagKeys/Team condition key with a proper team name
C. Tag each IAM role with a Team tag key
D. Tag each IAM role with the Team key, and use the team name in the tag value
Correct Answer: A
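Question #21 (restrict a KMS key to S3 with kms:ViaService) and Question #22 (restrict stop/terminate to a team's own instances with ec2:ResourceTag/Team) are both condition-key problems, and the policy text for neither survives on this page. The Python below is an added example, not AWS code and not the page's missing figures: a small IAM-style evaluator (explicit deny wins, then allow, otherwise implicit deny; String operators only; principal matching skipped) run over policies written here to show how each condition behaves, including the case that catches people out, a negated operator on a context key that is absent from the request. The account ID, key ARN, instance ARN and team names are placeholders. The ABAC variant at the end goes beyond the question's per-team answer.

```python
"""Tiny IAM policy evaluator (added example, not AWS code) used to show two
condition-key patterns: kms:ViaService in a KMS key policy (Question #21)
and ec2:ResourceTag/Team in an identity policy (Question #22).

Simplifications, stated up front: principal matching is skipped (assume the
caller already matched the Principal element), only the String*/Bool
operators are implemented, and an unresolvable ${...} policy variable
becomes an empty string. ARNs, account IDs and team names are placeholders."""

import fnmatch
import re

KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
INSTANCE = "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"

# Question #21: let the account use the key, but deny the cryptographic
# operations unless the request arrives through S3. The same condition could
# be written as StringEquals on the Allow instead; the Deny form shown here
# also covers direct callers, because StringNotEquals matches when
# kms:ViaService is absent. Key administration (e.g. ScheduleKeyDeletion) is
# deliberately left out of the Deny so admins can still manage the key.
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AccountAdmin", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "OnlyViaS3", "Effect": "Deny", "Principal": "*",
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*"],
     "Resource": "*",
     "Condition": {"StringNotEquals": {
         "kms:ViaService": "s3.us-east-1.amazonaws.com"}}},
]}


def team_policy(team):
    """Question #22, answer A: one policy per team, team name baked in."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
         "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"StringEquals": {"ec2:ResourceTag/Team": team}}}]}


# Generalisation (beyond the question): tag the role too and compare tags,
# so one policy serves every team.
ABAC_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
     "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringEquals": {
         "ec2:ResourceTag/Team": "${aws:PrincipalTag/Team}"}}}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _subst(value, ctx):
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), ""), value)


def _condition_holds(cond, ctx):
    for op, pairs in cond.items():
        negated = op in ("StringNotEquals", "StringNotLike")
        like = op in ("StringLike", "StringNotLike")
        for key, wanted in pairs.items():
            actual = ctx.get(key)
            if actual is None:        # key absent from the request context
                if negated:
                    continue          # negated operators treat absence as "not equal"
                return False
            hit = any(fnmatch.fnmatchcase(actual, _subst(w, ctx)) if like
                      else actual == _subst(w, ctx) for w in _as_list(wanted))
            if hit == negated:
                return False
    return True


def evaluate(policies, action, resource, ctx):
    """Return "ExplicitDeny", "Allow" or "ImplicitDeny" (IAM's precedence)."""
    decision = "ImplicitDeny"
    for pol in policies:
        for st in pol["Statement"]:
            if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
                       for a in _as_list(st["Action"])):
                continue
            if not any(fnmatch.fnmatchcase(resource, r)
                       for r in _as_list(st["Resource"])):
                continue
            if not _condition_holds(st.get("Condition", {}), ctx):
                continue
            if st["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision


if __name__ == "__main__":
    via_s3 = {"kms:ViaService": "s3.us-east-1.amazonaws.com"}
    print(evaluate([KEY_POLICY], "kms:Decrypt", KEY_ARN, via_s3))          # Allow
    print(evaluate([KEY_POLICY], "kms:Decrypt", KEY_ARN, {}))              # ExplicitDeny
    print(evaluate([KEY_POLICY], "kms:ScheduleKeyDeletion", KEY_ARN, {}))  # Allow
    bi = team_policy("BusinessIntelligence")
    print(evaluate([bi], "ec2:TerminateInstances", INSTANCE,
                   {"ec2:ResourceTag/Team": "BusinessIntelligence"}))       # Allow
    print(evaluate([bi], "ec2:TerminateInstances", INSTANCE,
                   {"ec2:ResourceTag/Team": "Marketing"}))                  # ImplicitDeny
```

Two practical caveats the runs make visible. For the key policy, kms:ViaService is only set on calls an integrated service makes on a principal's behalf, so the Deny also blocks someone decrypting with the key directly from the CLI or console, which is what the requirement asks for; list every Region's S3 endpoint if the key is used from more than one. For the tag-based policy, it is only as strong as the tags: the same teams must not be able to retag instances, so ec2:CreateTags and ec2:DeleteTags on instances need their own restrictions, and an untagged instance is unstoppable by everyone under this policy, which is the safe default.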
Question #23
Your company is planning on using bastion hosts for administering the servers in AWS. Which of the following is the best description of a bastion host from a security perspective?
A. A bastion host should be on a private subnet and never a public subnet due to security concerns
B. A bastion host sits on the outside of an internal network and is used as a gateway into the private network and is considered the critical strong point of the network
C. Bastion hosts allow users to log in using RDP or SSH and use that session to SSH into the internal network to access private subnet resources
D. A bastion host should maintain extremely tight security and monitoring as it is available to the public
Correct Answer: C
Question #24
Your company has a set of EC2 instances defined in AWS. These EC2 instances have strict security groups attached to them. You need to ensure that changes to the security groups are noted and acted on accordingly. How can you achieve this?
A. Use CloudWatch Logs to monitor the activity on the security groups
B. Use CloudWatch metrics to monitor the activity on the security groups
C. Use Amazon Inspector to monitor the activity on the security groups
D. Use CloudWatch Events to be triggered for any changes to the security groups
Correct Answer: D
Question #25
A company manages multiple AWS accounts using AWS Organizations. The company's security team notices that some member accounts are not sending AWS CloudTrail logs to a centralized Amazon S3 logging bucket. The security team wants to ensure there is at least one trail configured for all existing accounts and for any account that is created in the future. Which set of actions should the security team implement to accomplish this?
A. Create a new trail and configure it to send CloudTrail logs to Amazon S3
B. Deploy an AWS Lambda function in every account to check if there is an existing trail and create a new trail, if needed
C. Edit the existing trail in the Organizations master account and apply it to the organization
D. Create an SCP to deny the cloudtrail:Delete* and cloudtrail:Stop* actions
Correct Answer: C
Question #26
A company needs to use HTTPS when connecting to its web applications to meet compliance requirements. These web applications run in Amazon VPC on Amazon EC2 instances behind an Application Load Balancer (ALB). A security engineer wants to ensure that the load balancer will only accept connections over port 443, even if the ALB is mistakenly configured with an HTTP listener. Which configuration steps should the security engineer take to accomplish this task?
A. Create a security group with a rule that denies inbound connections from 0
B. Create a network ACL that denies inbound connections from 0 0
C. Create a network ACL that allows outbound connections to the VPC IP range on port 443 only
D. Create a security group with a single inbound rule that allows connections from 0
Correct Answer: D
Question #27
A recent security audit found that AWS CloudTrail logs are insufficiently protected from tampering and unauthorized access. Which actions must the Security Engineer take to address these audit findings? (Select THREE.)
A. Update the AWS WAF rules in the affected account and use AWS Firewall Manager to push updated AWS WAF rules across all other accounts
B. Use GuardDuty centralized logging and Amazon SNS to set up alerts to notify all application teams of security incidents
C. Use GuardDuty alerts to write an AWS Lambda function that updates all accounts by adding additional NACLs on the Amazon EC2 instances to block known malicious IP addresses
D. Use AWS Shield Advanced to identify threats in each individual account and then apply the account-based protections to all other accounts through Organizations
Correct Answer: ADE
Question #28
A security engineer needs to build a solution to turn AWS CloudTrail back on in multiple AWS Regions in case it is ever turned off. What is the MOST efficient way to implement this solution?
A. Use AWS Config with a managed rule to trigger the AWS-EnableCloudTrail remediation
B. Create an Amazon EventBridge (Amazon CloudWatch Events) event with a cloudtrail
C. Create an Amazon CloudWatch alarm with a cloudtrail
D. Monitor AWS Trusted Advisor to ensure CloudTrail logging is enabled
Correct Answer: B
Question #29
A company plans to use AWS Key Management Service (AWS KMS) to implement an encryption strategy to protect data at rest. The company requires client-side encryption for company projects. The company is currently conducting multiple projects to test the company's use of AWS KMS. These tests have led to a sudden increase in the company's AWS resource consumption. The test projects include applications that issue multiple requests each second to KMS endpoints for encryption activities. The company needs to deve
A. Use keyrings with the AWS Encryption SDK
B. Use data key caching
C. Use KMS key rotation
D. Use keyrings with the AWS Encryption SDK
Correct Answer: B
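Data key caching, the answer to Question #29, trades one GenerateDataKey call per message for one per cache entry, and the security question is how long and how far one cached key is allowed to travel. The Python below is an added example, not the AWS Encryption SDK and not AWS code: a stub in place of KMS counts the calls, a cache enforces the SDK's three limits (maximum age, messages and bytes per data key), and a toy HMAC-SHA256 keystream stands in for the AES-GCM the real SDK uses, so the cipher is for illustration only. Key IDs and message contents are placeholders.

```python
"""Data key caching (Question #29): one GenerateDataKey call serves many
messages until a cache limit trips. Added example, not the AWS Encryption
SDK and not AWS code. StubKMS stands in for AWS KMS and only counts calls;
the per-message cipher is a toy HMAC-SHA256 keystream standing in for the
AES-GCM the real SDK uses, so it illustrates envelope encryption but must
not be used as a cipher. The three limits mirror the SDK's cache settings
(max age, max messages encrypted, max bytes encrypted)."""

import hashlib
import hmac
import os
import time


class StubKMS:
    """Counts GenerateDataKey calls; each real call costs money and counts
    against the account's KMS request quota."""
    def __init__(self):
        self.calls = 0
        self._unwrap = {}

    def generate_data_key(self, key_id):
        self.calls += 1
        plaintext = os.urandom(32)
        wrapped = key_id.encode() + b":" + os.urandom(16)   # opaque blob, as KMS returns
        self._unwrap[wrapped] = plaintext
        return plaintext, wrapped

    def decrypt_data_key(self, wrapped):
        return self._unwrap[wrapped]


class DataKeyCache:
    def __init__(self, kms, key_id, max_age_s=60.0, max_messages=1000, max_bytes=2**20):
        self.kms, self.key_id = kms, key_id
        self.max_age_s, self.max_messages, self.max_bytes = max_age_s, max_messages, max_bytes
        self._entry = None

    def get(self, message_len, now=None):
        """Return (plaintext_key, wrapped_key), reusing the cached key only
        while all three limits hold; a key that has hit a limit is dropped,
        never extended."""
        now = time.monotonic() if now is None else now
        e = self._entry
        if e is not None and (now - e["created"] > self.max_age_s
                              or e["messages"] + 1 > self.max_messages
                              or e["bytes"] + message_len > self.max_bytes):
            e = None
        if e is None:
            pt, wrapped = self.kms.generate_data_key(self.key_id)
            e = self._entry = {"pt": pt, "wrapped": wrapped, "created": now,
                               "messages": 0, "bytes": 0}
        e["messages"] += 1
        e["bytes"] += message_len
        return e["pt"], e["wrapped"]


def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt(cache, plaintext, now=None):
    """Envelope-encrypt one message: (wrapped_data_key, nonce, ciphertext).
    A fresh nonce per message is what makes reusing one data key acceptable."""
    key, wrapped = cache.get(len(plaintext), now)
    nonce = os.urandom(16)
    return wrapped, nonce, bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def decrypt(kms, wrapped, nonce, ciphertext):
    key = kms.decrypt_data_key(wrapped)       # the one KMS call a reader needs
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


def kms_calls_for(n_messages, max_messages, size=100):
    """How many GenerateDataKey calls n_messages cost under a given message limit."""
    kms = StubKMS()
    cache = DataKeyCache(kms, "alias/app-key", max_messages=max_messages)
    for _ in range(n_messages):
        encrypt(cache, b"x" * size, now=0.0)
    return kms.calls


def roundtrip(message=b"customer record 42"):
    kms = StubKMS()
    cache = DataKeyCache(kms, "alias/app-key")
    wrapped, nonce, ct = encrypt(cache, message)
    return decrypt(kms, wrapped, nonce, ct) == message


if __name__ == "__main__":
    print(kms_calls_for(1000, max_messages=1))     # 1000: no reuse at all
    print(kms_calls_for(1000, max_messages=100))   # 10
    print(kms_calls_for(1000, max_messages=1000))  # 1
    print(roundtrip())                             # True
```

The limits are the security control, not a tuning knob: they bound how many messages a single plaintext data key, which sits in process memory while cached, can ever protect, so keep the age to minutes and size the message and byte caps to the real workload. Caching is off in the SDK unless configured, and it only changes the encrypt side; each reader still unwraps a data key with one KMS Decrypt call per distinct wrapped key.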
Question #30
A company deploys a set of standard IAM roles in AWS accounts. The IAM roles are based on job functions within the company. To balance operational efficiency and security, a security engineer implemented AWS Organizations SCPs to restrict access to critical security services in all company accounts. All of the company's accounts and OUs within AWS Organizations have a default FullAWSAccess SCP that is attached. The security engineer needs to ensure that no one can disable Amazon GuardDuty and AWS Security Hu
A. Option A
B. Option B
C. Option C
D. Option D
Correct Answer: A
Question #31
A company is using AWS Organizations to develop a multi-account secure networking strategy. The company plans to use separate centrally managed accounts for shared services, auditing, and security inspection. The company plans to provide dozens of additional accounts to application owners for production and development environments. Company security policy requires that all internet traffic be routed through a centrally managed security inspection layer in the security inspection account. A security engineer
A. Create an IAM policy that prohibits changes to the specific CloudTrail trail and apply the policy to the AWS account root user
B. Create an S3 bucket policy in the specified destination account for the CloudTrail trail that prohibits configuration changes from the AWS account root user in the source account
C. Create an SCP that prohibits changes to the specific CloudTrail trail and apply the SCP to the appropriate organizational unit or account in Organizations
D. Create an IAM policy that prohibits changes to the specific CloudTrail trail and apply the policy to a new IAM group
Correct Answer: C
Question #32
A company's AWS account consists of approximately 300 IAM users. Now there is a mandate that an access change is required for 100 IAM users to have unlimited privileges to S3. As a system administrator, how can you implement this effectively so that there is no need to apply the policy at the individual user level?
A. Create a new role and add each user to the IAM role
B. Use IAM groups and add users, based upon their role, to different groups and apply the policy to the group
C. Create a policy and apply it to multiple users using a JSON script
D. Create an S3 bucket policy with unlimited access which includes each user's IAM account ID
Correct Answer: B
Question #34
A Security Engineer has been tasked with enabling AWS Security Hub to monitor Amazon EC2 instances for CVEs in a single AWS account. The Engineer has already enabled AWS Security Hub and Amazon Inspector in the AWS Management Console and has installed the Amazon Inspector agent on the EC2 instances that need to be monitored. Which additional steps should the Security Engineer take to meet this requirement?
A. Configure the Amazon Inspector agent to use the CVE rule package
B. Configure the Amazon Inspector agent to use the CVE rule package. Configure Security Hub to ingest from Amazon Inspector by writing a custom resource policy
C. Configure the Security Hub agent to use the CVE rule package. Configure Amazon Inspector to ingest from Security Hub by writing a custom resource policy
D. Configure the Amazon Inspector agent to use the CVE rule package. Install an additional integration library. Allow the Amazon Inspector agent to communicate with Security Hub
Correct Answer: A
Once Security Hub and Amazon Inspector are both enabled in the account, the Inspector integration is on by default and Inspector findings flow into Security Hub automatically. Only the assessment needs the Common Vulnerabilities and Exposures rules package; there is no integration library, agent-to-Security-Hub channel or custom resource policy to configure.
Question #35
Your CTO is very worried about the security of your AWS account. How best can you prevent hackers from completely hijacking your account?
A. Use a short but complex password on the root account and any administrators
B. Use AWS IAM Geo-Lock and disallow anyone from logging in except for in your city
C. Use MFA on all users and accounts, especially on the root account
D. Don't write down or remember the root account password after creating the AWS account
Correct Answer: C
Question #37
A security administrator is setting up a new AWS account. The security administrator wants to secure the data that a company stores in an Amazon S3 bucket. The security administrator also wants to reduce the chance of unintended data exposure and the potential for misconfiguration of objects that are in the S3 bucket. Which solution will meet these requirements with the LEAST operational overhead?
A. Configure S3 server-side encryption
B. Configure S3 server-side encryption
C. Configure S3 Versioning
D. Set up S3 Event Notifications and use S3 server-side encryption
Correct Answer: D
Question #38
A security engineer is checking an AWS CloudFormation template for vulnerabilities. The security engineer finds a parameter that has a default value that exposes an application's API key in plaintext. The parameter is referenced several times throughout the template. The security engineer must replace the parameter while maintaining the ability to reference the value in the template. Which solution will meet these requirements in the MOST secure way?
A. Store the API key value as a SecureString parameter in AWS Systems Manager Parameter Store
B. Store the API key value in AWS Secrets Manager
C. Store the API key value in Amazon DynamoDB
D. Store the API key value in a new Amazon S3 bucket
View answer
Correct Answer: B
Question #39
An organization must establish the ability to delete an AWS KMS Customer Master Key (CMK) within a 24-hour timeframe to keep it from being used for encrypt or decrypt operations. Which of the following actions will address this requirement?
A. Manually rotate a key within KMS to create a new CMK immediately
B. Use the KMS import key functionality to execute a delete key operation
C. Use the schedule key deletion function within KMS to specify the minimum wait period for deletion
D. Change the KMS CMK alias to immediately prevent any services from using the CMK
View answer
Correct Answer: C
Question #40
An application team wants to use AWS Certificate Manager (ACM) to request public certificates to ensure that data is secured in transit. The domains that are being used are not currently hosted on Amazon Route 53. The application team wants to use an AWS managed distribution and caching solution to optimize requests to its systems and provide better points of presence to customers. The distribution solution will use a primary domain name that is customized. The distribution solution also will use several altern
A.
B.
C.
View answer
Correct Answer: CDF
Question #41
A company has two VPCs in the same AWS Region and in the same AWS account. Each VPC uses a CIDR block that does not overlap with the CIDR block of the other VPC. One VPC contains AWS Lambda functions that run inside a subnet that accesses the internet through a NAT gateway. The Lambda functions require access to a publicly accessible Amazon Aurora MySQL database that is running in the other VPC. A security engineer determines that the Aurora database uses a security group rule that allows connections from the N
A. Move the Aurora database into a private subnet that has no internet access routes in the database's current VPC. Configure the Lambda functions to use the Aurora database's new private IP address to access the database. Configure the Aurora database's security group to allow access from the private IP addresses of the Lambda functions
B. Establish a VPC endpoint between the two VPCs. In the Aurora database's VPC, configure a service VPC endpoint for Amazon RDS. In the Lambda functions' VPC
C. Establish an AWS Direct Connect interface between the VPCs. Configure the Lambda functions to use a new route table that accesses the Aurora database through the Direct Connect interface. Configure the Aurora database's security group to allow access from the Direct Connect interface IP address
D. Move the Lambda functions into a public subnet in their VPC. Move the Aurora database into a private subnet in its VPC. Configure the Lambda functions to use the Aurora database's new private IP address to access the database. Configure the Aurora database to allow access from the public IP addresses of the Lambda functions
View answer
Correct Answer: B
Question #42
A System Administrator is unable to start an Amazon EC2 instance in the eu-west-1 Region using an IAM role. The same System Administrator is able to start an EC2 instance in the eu-west-2 and eu-west-3 Regions. The IAMSystemAdministrator access policy attached to the System Administrator IAM role allows unconditional access to all AWS services and resources within the account. Which configuration caused this issue?
A. An SCP is attached to the account with the following permission statement:
B. A permission boundary policy is attached to the System Administrator role with the following permission statement:
C. A permission boundary is attached to the System Administrator role with the following permission statement:
D. An SCP is attached to the account with the following statement:
View answer
Correct Answer: B
Question #43
A company deployed AWS Organizations to help manage its increasing number of AWS accounts. A security engineer wants to ensure that only principals in the Organization structure can access a specific Amazon S3 bucket. The solution must also minimize operational overhead. Which solution will meet these requirements?
A. Put all users into an IAM group with an access policy granting access to the S3 bucket
B. Have the account creation trigger an AWS Lambda function that manages the bucket policy, allowing access to accounts listed in the policy only
C. Add an SCP to the Organizations master account, allowing all principals access to the bucket
D. Specify the organization ID in the global key condition element of a bucket policy, allowing all principals access
View answer
Correct Answer: D
Question #44
A company stores images for a website in an Amazon S3 bucket. The company is using Amazon CloudFront to serve the images to end users. The company recently discovered that the images are being accessed from countries where the company does not have a distribution license. Which actions should the company take to secure the images to limit their distribution? (Select TWO.)
A. Analyze an AWS Identity and Access Management (IAM) use report from AWS Trusted Advisor to see when the access key was last used
B. Analyze Amazon CloudWatch Logs for activity by searching for the access key
C. Analyze VPC flow logs for activity by searching for the access key
D. Analyze a credential report in AWS Identity and Access Management (IAM) to see when the access key was last used
View answer
Correct Answer: AC
Question #45
Your CTO thinks your AWS account was hacked. What is the only way to know for certain if there was unauthorized access and what they did, assuming your hackers are very sophisticated AWS engineers and doing everything they can to cover their tracks?
A. Use CloudTrail Log File Integrity Validation
B. Use AWS Config SNS Subscriptions and process events in real time
C. Use CloudTrail backed up to Amazon S3 and Glacier
D. Use AWS Config Timeline forensics
View answer
Correct Answer: A
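Log file integrity validation works because every CloudTrail digest file records the SHA-256 hash of each log file it covers and the hash of the digest before it, so a modified, deleted or replaced log file breaks the chain. The script below is an added illustration written for this page (it is not CloudTrail code and not the exam's material): it rebuilds that hash chain over a few constructed log files and shows what the validator reports when an attacker edits a record. The real digests are also RSA-signed by CloudTrail with a key you fetch via `aws cloudtrail list-public-keys`; that signature is what stops an attacker with bucket write access from simply regenerating the digests, and it is not modelled here. Object keys, record contents and the digest JSON layout are constructed for the example.

```python
"""Offline model of CloudTrail log file integrity validation (added example)."""
import hashlib
import json
from typing import Dict, List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_digest(log_files: Dict[str, bytes], previous_digest_hash: Optional[str]) -> dict:
    """Construct a digest covering `log_files` ({s3 object key: raw bytes}):
    one hashValue per log file plus the hash of the preceding digest."""
    return {
        "logFiles": [
            {"s3Object": key, "hashValue": sha256_hex(body)}
            for key, body in sorted(log_files.items())
        ],
        "previousDigestHashValue": previous_digest_hash,
    }


def digest_hash(digest: dict) -> str:
    """Hash of the digest's canonical JSON; the next digest chains to this value."""
    return sha256_hex(json.dumps(digest, sort_keys=True).encode())


def validate_chain(digests: List[dict], store: Dict[str, bytes]) -> List[str]:
    """Walk digests oldest to newest. Returns findings; an empty list means every
    covered log file is unmodified and no digest was dropped from the chain."""
    findings: List[str] = []
    expected_prev: Optional[str] = None
    for i, digest in enumerate(digests):
        if digest["previousDigestHashValue"] != expected_prev:
            findings.append(f"digest {i}: chain break, previous digest hash does not match")
        for entry in digest["logFiles"]:
            body = store.get(entry["s3Object"])
            if body is None:
                findings.append(f"digest {i}: log file {entry['s3Object']} is missing")
            elif sha256_hex(body) != entry["hashValue"]:
                findings.append(f"digest {i}: log file {entry['s3Object']} was modified")
        expected_prev = digest_hash(digest)
    return findings


# Constructed sample: two hourly log files and the two digests that cover them
LOG_1 = b'{"Records":[{"eventName":"ConsoleLogin","userIdentity":{"userName":"alice"}}]}'
LOG_2 = b'{"Records":[{"eventName":"DeleteTrail","userIdentity":{"userName":"mallory"}}]}'
KEY_1 = "logs/2024/01/01/log-0100.json"
KEY_2 = "logs/2024/01/01/log-0200.json"
STORE = {KEY_1: LOG_1, KEY_2: LOG_2}
DIGEST_1 = build_digest({KEY_1: LOG_1}, None)
DIGEST_2 = build_digest({KEY_2: LOG_2}, digest_hash(DIGEST_1))
CHAIN = [DIGEST_1, DIGEST_2]


def demo_tamper():
    """Return (findings on the clean store, findings after an attacker rewrites
    the DeleteTrail record to blame a different user)."""
    clean = validate_chain(CHAIN, STORE)
    tampered = dict(STORE)
    tampered[KEY_2] = LOG_2.replace(b"mallory", b"alice")
    return clean, validate_chain(CHAIN, tampered)


if __name__ == "__main__":
    print(demo_tamper())
    print(validate_chain(CHAIN[1:], STORE))  # dropping the first digest is detected too
```

Run against a real trail you would use `aws cloudtrail validate-logs --trail-arn ... --start-time ...`, which performs these hash checks and additionally verifies each digest's signature; the point of the model is to show why a plain backup of the log files (option C) is not enough, since a copy tells you nothing about whether the original records were altered before they were copied.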
Question #46
A company is using an AWS Key Management Service (AWS KMS) AWS owned key in its application to encrypt files in an AWS account. The company's security team wants the ability to change to new key material for new files whenever a potential key breach occurs. A security engineer must implement a solution that gives the security team the ability to change the key whenever the team wants to do so. Which solution will meet these requirements?
A. Create a new customer managed key. Add a key rotation schedule to the key. Invoke the key rotation schedule every time the security team requests a key change
B. Create a new AWS managed key. Add a key rotation schedule to the key. Invoke the key rotation schedule every time the security team requests a key change
C. Create a key alias. Create a new customer managed key every time the security team requests a key change. Associate the alias with the new key
D. Create a key alias. Create a new AWS managed key every time the security team requests a key change. Associate the alias with the new key
View answer
Correct Answer: A
Question #47
A security engineer has enabled AWS Security Hub in their AWS account, and has enabled the Center for Internet Security (CIS) AWS Foundations compliance standard. No evaluation results on compliance are returned in the Security Hub console after several hours. The engineer wants to ensure that Security Hub can evaluate their resources for CIS AWS Foundations compliance. Which steps should the security engineer take to meet these requirements?
A. Add full Amazon Inspector IAM permissions to the Security Hub service role to allow it to perform the CIS compliance evaluation
B. Ensure that AWS Trusted Advisor is enabled in the account and that the Security Hub service role has permissions to retrieve the Trusted Advisor security-related recommended actions
C. Ensure that AWS Config
D. Ensure that the correct trail in AWS CloudTrail has been configured for monitoring by Security Hub and that the Security Hub service role has permissions to perform the GetObject operation on CloudTrail's Amazon S3 bucket
View answer
Correct Answer: C
Question #48
A company wants to remove all SSH keys permanently from a specific subset of its Amazon Linux 2 Amazon EC2 instances that are using the same IAM instance profile. However, three individuals who have IAM user accounts will need to access these instances by using an SSH session to perform critical duties. How can a security engineer provide the access to meet these requirements?
A. Assign an IAM policy to the instance profile to allow the EC2 instances to be managed by AWS Systems Manager. Provide the IAM user accounts with permission to use Systems Manager. Remove the SSH keys from the EC2 instances. Use Systems Manager Inventory to select the EC2 instance and connect
B. Assign an IAM policy to the IAM user accounts to provide permission to use AWS Systems Manager Run Command. Remove the SSH keys from the EC2 instances. Use Run Command to open an SSH connection to the EC2 instance
C. Assign an IAM policy to the instance profile to allow the EC2 instances to be managed by AWS Systems Manager. Provide the IAM user accounts with permission to use Systems Manager. Remove the SSH keys from the EC2 instances. Use Systems Manager Session Manager to select the EC2 instance and connect
D. Assign an IAM policy to the IAM user accounts to provide permission to use the EC2 service in the AWS Management Console. Remove the SSH keys from the EC2 instances. Connect to the EC2 instance as the ec2-user through the AWS Management Console's EC2 SSH client method
View answer
Correct Answer: C
Question #49
An Application team has requested a new AWS KMS master key for use with Amazon S3, but the organizational security policy requires separate master keys for different AWS services to limit blast radius. How can an AWS KMS customer master key (CMK) be constrained to work with only Amazon S3?
A. Configure the CMK key policy to allow only the Amazon S3 service to use the kms:Encrypt action
B. Configure the CMK key policy to allow AWS KMS actions only when the kms:ViaService condition matches the Amazon S3 service name
C. Configure the IAM user's policy to allow KMS to pass a role to Amazon S3
D. Configure the IAM user's policy to allow only Amazon S3 operations when they are combined with the CMK
View answer
Correct Answer: B
Question #50
A company is running workloads in a single AWS account on Amazon EC2 instances and Amazon EMR clusters. A recent security audit revealed that multiple Amazon Elastic Block Store (Amazon EBS) volumes and snapshots are not encrypted. The company's security engineer is working on a solution that will allow users to deploy EC2 instances and EMR clusters while ensuring that all new EBS volumes and EBS snapshots are encrypted at rest. The solution must also minimize operational overhead. Which steps should the secur
A. Create an Amazon EventBridge (Amazon CloudWatch Events) event with an EC2 instance as the source and create volume as the event trigger
B. Use a customer managed IAM policy that will verify that the encryption flag of the CreateVolume context is set to true
C. Create an AWS Config rule to evaluate the configuration of each EC2 instance on creation or modification
D. Use the AWS Management Console or AWS CLI to enable encryption by default for EBS volumes in each AWS Region where the company operates
View answer
Correct Answer: D
Question #51
A company has two teams, and each team needs to access its respective Amazon S3 buckets. The company anticipates adding more teams that also will have their own S3 buckets. When the company adds these teams, team members will need the ability to be assigned to multiple teams. Team members also will need the ability to change teams. Additional S3 buckets can be created or deleted. An IAM administrator must design a solution to accomplish these goals. The solution also must be scalable and must require the leas
A. Add users to groups that represent the teams
B. Create an IAM role for each team
C. Create IAM roles that are labeled with an access tag value of a team
D. Implement a role-based access control (RBAC) authorization model
View answer
Correct Answer: A
Question #52
A development team is using an AWS Key Management Service (AWS KMS) CMK to try to encrypt and decrypt a secure string parameter from AWS Systems Manager Parameter Store. However, the development team receives an error message on each attempt. Which issues that are related to the CMK could be reasons for the error? (Select TWO.)
A. Enable Amazon GuardDuty in all Regions
B. Use an organization in AWS Organizations
C. Provision EC2 resources by using AWS CloudFormation templates through AWS CodePipeline
D. Create an AWS Config rule to prevent unauthorized activity outside us-east-1 and us-west-2
View answer
Correct Answer: AD
Question #53
A company's AWS account consists of approximately 300 IAM users. Now there is a mandate that an access change is required for 100 IAM users to have unlimited privileges to S3. As a system administrator, how can you implement this effectively so that there is no need to apply the policy at the individual user level?
A. Create a new role and add each user to the IAM role
B. Use IAM groups and add users, based upon their role, to different groups and apply the policy to the group
C. Create a policy and apply it to multiple users using a JSON script
D. Create an S3 bucket policy with unlimited access which includes each user's IAM account ID
View answer
Correct Answer: B
Question #54
A company's security engineer has been tasked with restricting a contractor's IAM account access to the company's Amazon EC2 console without providing access to any other AWS services. The contractor's IAM account must not be able to gain access to any other AWS service, even if the IAM account is assigned additional permissions based on IAM group membership. What should the security engineer do to meet these requirements?
A. Create an inline IAM user policy that allows for Amazon EC2 access for the contractor's IAM user
B. Create an IAM permissions boundary policy that allows Amazon EC2 access. Associate the contractor's IAM account with the IAM permissions boundary policy
C. Create an IAM group with an attached policy that allows for Amazon EC2 access. Associate the contractor's IAM account with the IAM group
D. Create an IAM role that allows for EC2 and explicitly denies all other services. Instruct the contractor to always assume this role
View answer
Correct Answer: B
Question #55
A security administrator is setting up a new AWS account. The security administrator wants to secure the data that a company stores in an Amazon S3 bucket. The security administrator also wants to reduce the chance of unintended data exposure and the potential for misconfiguration of objects that are in the S3 bucket. Which solution will meet these requirements with the LEAST operational overhead?
A. Configure S3 server-side encryption
B. Configure S3 server-side encryption
C. Configure S3 Versioning
D. Set up S3 Event Notifications and use S3 server-side encryption
View answer
Correct Answer: D
Question #56
You need to create a policy and apply it to just an individual user. How could you accomplish this in the right way?
A. Add an IAM managed policy for the user
B. Add a service policy for the user
C. Add an IAM role for the user
D. Add an inline policy for the user
View answer
Correct Answer: D
Question #57
A company hosts an end user application on AWS. Currently the company deploys the application on Amazon EC2 instances behind an Elastic Load Balancer. The company wants to configure end-to-end encryption between the Elastic Load Balancer and the EC2 instances. Which solution will meet this requirement with the LEAST operational effort?
A. Use Amazon-issued AWS Certificate Manager (ACM) certificates on the EC2 instances and the Elastic Load Balancer to configure end-to-end encryption
B. Import a third-party SSL certificate to AWS Certificate Manager (ACM). Install the third-party certificate on the EC2 instances. Associate the ACM imported third-party certificate with the Elastic Load Balancer
C. Deploy AWS CloudHSM. Import a third-party certificate. Configure the EC2 instances and the Elastic Load Balancer to use the CloudHSM imported certificate
D. Import a third-party certificate bundle to AWS Certificate Manager (ACM). Install the third-party certificate on the EC2 instances. Associate the ACM imported third-party certificate with the Elastic Load Balancer
View answer
Correct Answer: A
Question #58
Your development team is using access keys to develop an application that has access to S3 and DynamoDB. A new security policy has outlined that the credentials should not be older than 2 months and should be rotated. How can you achieve this?
A. Use the application to rotate the keys every 2 months via the SDK
B. Use a script to query the creation date of the keys
C. Delete the user associated with the keys after every 2 months
D. Delete the IAM Role associated with the keys after every 2 months
View answer
Correct Answer: B
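The script answer B describes is straightforward to write because IAM exposes `CreateDate` and `Status` for every access key. The example below is added for this page (it is not part of the exam material or an AWS tool): `find_stale_keys` applies the age threshold to key metadata in the shape `iam.list_access_keys` returns, and `rotation_plan` works out the next step per user, which matters because IAM caps each user at two access keys, so a user who already holds two cannot be issued a replacement until one is removed. `fetch_key_metadata` shows the boto3 calls that would feed real data in; it is only invoked when the script runs with credentials. The user names, key IDs and dates are constructed, and 60 days stands in for "2 months".

```python
"""Find IAM access keys that have outlived a rotation policy (added example)."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

ROTATION_DAYS = 60      # stands in for "2 months"
MAX_KEYS_PER_USER = 2   # IAM allows at most two access keys per user


def find_stale_keys(key_metadata: List[dict], now: Optional[datetime] = None,
                    max_age_days: int = ROTATION_DAYS) -> List[Tuple[str, str, int]]:
    """Return (user, key id, age in days) for every Active key older than the limit.
    Inactive keys cannot authenticate, so they are reported by rotation_plan
    only as slots to free up."""
    now = now or datetime.now(timezone.utc)
    stale = []
    for key in key_metadata:
        if key["Status"] != "Active":
            continue
        age = now - key["CreateDate"]
        if age > timedelta(days=max_age_days):
            stale.append((key["UserName"], key["AccessKeyId"], age.days))
    return stale


def rotation_plan(key_metadata: List[dict], now: Optional[datetime] = None,
                  max_age_days: int = ROTATION_DAYS) -> Dict[str, str]:
    """One recommended action per user who holds a stale active key."""
    stale = find_stale_keys(key_metadata, now, max_age_days)
    by_user: Dict[str, List[dict]] = {}
    for key in key_metadata:
        by_user.setdefault(key["UserName"], []).append(key)
    plan: Dict[str, str] = {}
    for user, key_id, _age in stale:
        if user in plan:
            continue  # one action per user
        keys = by_user[user]
        stale_ids = {kid for u, kid, _ in stale if u == user}
        fresh = [k for k in keys if k["Status"] == "Active" and k["AccessKeyId"] not in stale_ids]
        inactive = [k for k in keys if k["Status"] != "Active"]
        if fresh:
            plan[user] = (f"newer active key {fresh[0]['AccessKeyId']} exists: confirm the "
                          f"workload uses it, then deactivate and delete {key_id}")
        elif len(keys) < MAX_KEYS_PER_USER:
            plan[user] = f"create a replacement key, move the workload to it, then deactivate and delete {key_id}"
        elif inactive:
            plan[user] = (f"both key slots used: delete inactive key {inactive[0]['AccessKeyId']}, "
                          f"then create a replacement for {key_id}")
        else:
            plan[user] = f"both key slots used and active: deactivate and delete {key_id}, then create a replacement"
    return plan


def fetch_key_metadata() -> List[dict]:
    """Collect every user's keys with boto3 (needs iam:ListUsers and iam:ListAccessKeys)."""
    import boto3
    iam = boto3.client("iam")
    out: List[dict] = []
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            out.extend(iam.list_access_keys(UserName=user["UserName"])["AccessKeyMetadata"])
    return out


# Constructed sample in the AccessKeyMetadata shape; IDs and dates are made up
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"UserName": "app-deploy", "AccessKeyId": "AKIA0EXAMPLE0000001", "Status": "Active", "CreateDate": NOW - timedelta(days=95)},
    {"UserName": "app-deploy", "AccessKeyId": "AKIA0EXAMPLE0000002", "Status": "Active", "CreateDate": NOW - timedelta(days=10)},
    {"UserName": "ci-runner", "AccessKeyId": "AKIA0EXAMPLE0000003", "Status": "Inactive", "CreateDate": NOW - timedelta(days=400)},
    {"UserName": "batch-etl", "AccessKeyId": "AKIA0EXAMPLE0000004", "Status": "Active", "CreateDate": NOW - timedelta(days=120)},
    {"UserName": "batch-etl", "AccessKeyId": "AKIA0EXAMPLE0000005", "Status": "Inactive", "CreateDate": NOW - timedelta(days=200)},
    {"UserName": "reports", "AccessKeyId": "AKIA0EXAMPLE0000006", "Status": "Active", "CreateDate": NOW - timedelta(days=70)},
]

if __name__ == "__main__":
    for line in rotation_plan(SAMPLE_KEYS, now=NOW).items():
        print(*line, sep=": ")
```

Deactivate before you delete: a key set to Inactive can be turned back on if something still depends on it, whereas a deleted key is gone. Run the check from a scheduled job and you have answer B; the same scan, fed by `fetch_key_metadata`, is also what the IAM credential report gives you for free if you prefer not to page through users yourself.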
Question #59
A company stores sensitive documents in Amazon S3 by using server-side encryption with an AWS Key Management Service (AWS KMS) CMK. A new requirement mandates that the CMK that is used for these documents can be used only for S3 actions. Which statement should the company add to the key policy to meet this requirement?
A.
B.
View answer
Correct Answer: A
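Question #43, Question #49 and this question all come down to one IAM mechanism: a condition key that describes the request context rather than the caller's identity. `aws:PrincipalOrgID` fences a bucket to principals from one organization, and `kms:ViaService` fences a key to calls that arrive through a named service. The block below is an added example for this page, not AWS code or the exam's answer text: it builds both policy documents and runs them through a deliberately small evaluator that models only `StringEquals`/`StringNotEquals` and action wildcards, enough to show why an anonymous request or a direct `kms:Decrypt` call fails. The organization ID, bucket name, account ID and region are placeholders, and the evaluator is not a substitute for the IAM policy simulator (it ignores Deny statements, resource matching and identity-based policies).

```python
"""Fencing a bucket by organization and a KMS key by calling service (added example)."""
import json
from fnmatch import fnmatchcase
from typing import Dict

ORG_ID = "o-exampleorgid"           # placeholder organization ID
BUCKET = "example-org-shared-docs"  # placeholder bucket name
ACCOUNT = "111122223333"            # placeholder account ID
REGION = "us-west-2"


def org_bucket_policy(bucket: str, org_id: str) -> dict:
    """Answer D of Question #43: any principal may read, but only when the request
    carries a PrincipalOrgID equal to ours. Anonymous requests have no
    PrincipalOrgID at all, so StringEquals fails closed for them."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowOrgPrincipalsOnly",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}},
        }],
    }


def s3_only_key_statement(account: str, region: str) -> dict:
    """Key policy statement for Questions #49 and #59: account principals may use
    the key only when S3 in this region makes the KMS call on their behalf."""
    return {
        "Sid": "AllowUseOnlyViaS3",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account}:root"},
        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:DescribeKey"],
        "Resource": "*",
        "Condition": {"StringEquals": {"kms:ViaService": f"s3.{region}.amazonaws.com"}},
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _conditions_hold(condition: dict, ctx: Dict[str, str]) -> bool:
    """Toy condition evaluation: a StringEquals on a key absent from the request
    context is false, matching IAM's behaviour for single-valued keys."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in _as_list(expected):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} is not modelled")
    return True


def statement_allows(statement: dict, action: str, ctx: Dict[str, str]) -> bool:
    """Does this single Allow statement grant `action` for a request with context `ctx`?"""
    if statement["Effect"] != "Allow":
        return False
    if not any(fnmatchcase(action, pattern) for pattern in _as_list(statement["Action"])):
        return False
    return _conditions_hold(statement.get("Condition", {}), ctx)


def demo() -> Dict[str, bool]:
    bucket_stmt = org_bucket_policy(BUCKET, ORG_ID)["Statement"][0]
    key_stmt = s3_only_key_statement(ACCOUNT, REGION)
    via_s3 = {"kms:ViaService": f"s3.{REGION}.amazonaws.com"}
    via_ec2 = {"kms:ViaService": f"ec2.{REGION}.amazonaws.com"}
    return {
        "org member GetObject": statement_allows(bucket_stmt, "s3:GetObject", {"aws:PrincipalOrgID": ORG_ID}),
        "other org GetObject": statement_allows(bucket_stmt, "s3:GetObject", {"aws:PrincipalOrgID": "o-someoneelse"}),
        "anonymous GetObject": statement_allows(bucket_stmt, "s3:GetObject", {}),
        "S3 calls Decrypt": statement_allows(key_stmt, "kms:Decrypt", via_s3),
        "direct Decrypt call": statement_allows(key_stmt, "kms:Decrypt", {}),
        "EBS calls GenerateDataKeyWithoutPlaintext": statement_allows(key_stmt, "kms:GenerateDataKeyWithoutPlaintext", via_ec2),
    }


if __name__ == "__main__":
    print(json.dumps(org_bucket_policy(BUCKET, ORG_ID), indent=2))
    print(json.dumps(s3_only_key_statement(ACCOUNT, REGION), indent=2))
    print(demo())
```

Two practical cautions. Principals inside the organization still need an identity-based policy that grants the S3 actions; the bucket policy only widens the door to them, it does not hand out permissions by itself. And a key policy consisting solely of the `ViaService` statement would lock the key's administrators out, because `kms:ScheduleKeyDeletion`, `kms:PutKeyPolicy` and the other administrative calls never arrive via S3; keep a separate administrator statement without that condition.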
Question #60
A company deploys a distributed web application on a fleet of Amazon EC2 instances. The fleet is behind an Application Load Balancer (ALB) that will be configured to terminate the TLS connection. All TLS traffic to the ALB must stay secure, even if the certificate private key is compromised. How can a security engineer meet this requirement?
A. Create an HTTPS listener that uses a certificate that is managed by AWS Certificate Manager (ACM)
B. Create an HTTPS listener that uses a security policy that uses a cipher suite with perfect forward secrecy (PFS)
C. Create an HTTPS listener that uses the Server Order Preference security feature
D. Create a TCP listener that uses a custom security policy that allows only cipher suites with perfect forward secrecy (PFS)
View answer
Correct Answer: A
Question #61
A company has a set of EC2 instances hosted in AWS. The EC2 instances have EBS volumes which are used to store critical information. There is a business continuity requirement to ensure high availability for the EBS volumes. How can you achieve this?
A. Use lifecycle policies for the EBS volumes
B. Use EBS Snapshots
C. Use EBS volume replication
D. Use EBS volume encryption
View answer
Correct Answer: B
Question #62
A company uses an external identity provider to allow federation into different AWS accounts. A security engineer for the company needs to identify the federated user that terminated a production Amazon EC2 instance a week ago. What is the FASTEST way for the security engineer to identify the federated user?
A. Review the AWS CloudTrail event history logs in an Amazon S3 bucket and look for the TerminateInstances event to identify the federated user from the role session name
B. Filter the AWS CloudTrail event history for the TerminateInstances event and identify the assumed IAM role
C. Search the AWS CloudTrail logs for the TerminateInstances event and note the event time
D. Use Amazon Athena to run a SQL query on the AWS CloudTrail logs stored in an Amazon S3 bucket and filter on the TerminateInstances event
View answer
Correct Answer: B
Question #63
A company has an organization in AWS Organizations. The company wants to use AWS CloudFormation StackSets in the organization to deploy various AWS design patterns into environments. These patterns consist of Amazon EC2 instances, Elastic Load Balancing (ELB) load balancers, Amazon RDS databases, and Amazon Elastic Kubernetes Service (Amazon EKS) clusters or Amazon Elastic Container Service (Amazon ECS) clusters. Currently, the company's developers can create their own CloudFormation stacks to increase the o
A. Create an Amazon Simple Notification Service (Amazon SNS) topic
B. Create an Amazon Simple Notification Service (Amazon SNS) topic
C. Create an Amazon Simple Notification Service (Amazon SNS) topic and an Amazon Simple Queue Service (Amazon SQS) queue
D. Create a centralized CloudFormation stack set that includes a standard set of resources that the developers can deploy in each AWS account
View answer
Correct Answer: A
Question #64
A company has multiple Amazon S3 buckets encrypted with customer managed CMKs. Due to regulatory requirements the keys must be rotated every year. The company's Security Engineer has enabled automatic key rotation for the CMKs; however, the company wants to verify that the rotation has occurred. What should the Security Engineer do to accomplish this?
A. Filter AWS CloudTrail logs for KeyRotation events
B. Monitor Amazon CloudWatch Events for any AWS KMS CMK rotation events
C. Using the AWS CLI
D. Use Amazon Athena to query AWS CloudTrail logs saved in an S3 bucket to filter GenerateNewKey events
View answer
Correct Answer: C
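Question #62 and this question are both answered by reading CloudTrail records, so one added example serves both; it is written for this page and is neither AWS code nor part of the exam. For a federated caller CloudTrail records `userIdentity.type` as `AssumedRole`, the role in `sessionContext.sessionIssuer`, and the role session name as the last path element of the STS ARN; with SAML or OIDC federation that session name is the identifier the identity provider supplied, which is what Question #62 asks for. For rotation, KMS writes a `RotateKey` event with the key ARN in `resources`, which tells you a rotation actually happened rather than merely that rotation is enabled (the `aws kms get-key-rotation-status` call in answer C reports the latter). The records below are constructed in the CloudTrail record layout; account IDs, ARNs, names and times are made up.

```python
"""Who terminated an instance, and when did KMS last rotate a key (added example)."""
import json
from typing import List, Optional

KEY_ARN = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

# Constructed records: real CloudTrail field names, fictional identifiers
SAMPLE_RECORDS: List[dict] = json.loads("""
{"Records": [
 {"eventVersion": "1.08", "eventTime": "2024-02-20T08:00:00Z",
  "eventSource": "kms.amazonaws.com", "eventName": "RotateKey",
  "userIdentity": {"accountId": "111122223333", "invokedBy": "AWS Internal"},
  "resources": [{"ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
                 "accountId": "111122223333", "type": "AWS::KMS::Key"}]},
 {"eventVersion": "1.08", "eventTime": "2024-02-22T10:15:00Z",
  "eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances",
  "userIdentity": {"type": "AssumedRole",
     "principalId": "AROAEXAMPLEID:jane.doe@corp.example",
     "arn": "arn:aws:sts::111122223333:assumed-role/DevOpsFederated/jane.doe@corp.example",
     "accountId": "111122223333",
     "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "DevOpsFederated",
                                          "arn": "arn:aws:iam::111122223333:role/DevOpsFederated"},
                        "attributes": {"mfaAuthenticated": "false"}}},
  "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0abc1234def567890"}]}}},
 {"eventVersion": "1.08", "eventTime": "2024-02-23T11:00:00Z",
  "eventSource": "ec2.amazonaws.com", "eventName": "StopInstances",
  "userIdentity": {"type": "IAMUser", "userName": "ops-bot"},
  "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0abc1234def567890"}]}}}
]}
""")["Records"]


def who_terminated(records: List[dict], instance_id: str) -> Optional[dict]:
    """Role and role session name behind the TerminateInstances call for instance_id.
    Returns None if no such call is in the records."""
    for record in records:
        if record.get("eventSource") != "ec2.amazonaws.com" or record.get("eventName") != "TerminateInstances":
            continue
        items = (record.get("requestParameters") or {}).get("instancesSet", {}).get("items", [])
        if instance_id not in {item["instanceId"] for item in items}:
            continue
        ident = record["userIdentity"]
        if ident.get("type") == "AssumedRole":
            session = ident["sessionContext"]
            return {
                "eventTime": record["eventTime"],
                "role": session["sessionIssuer"]["userName"],
                "sessionName": ident["arn"].rsplit("/", 1)[-1],  # what the IdP asserted
                "mfa": session["attributes"].get("mfaAuthenticated") == "true",
            }
        # Non-federated caller (IAM user or root): there is no session name to report
        return {"eventTime": record["eventTime"], "role": None,
                "sessionName": ident.get("userName"), "mfa": None}
    return None


def last_rotation(records: List[dict], key_arn: str) -> Optional[str]:
    """Most recent RotateKey event KMS emitted for key_arn, or None."""
    times = [
        record["eventTime"] for record in records
        if record.get("eventSource") == "kms.amazonaws.com"
        and record.get("eventName") == "RotateKey"
        and any(res.get("ARN") == key_arn for res in record.get("resources", []))
    ]
    return max(times) if times else None  # ISO-8601 Zulu strings sort chronologically


if __name__ == "__main__":
    print(who_terminated(SAMPLE_RECORDS, "i-0abc1234def567890"))
    print(last_rotation(SAMPLE_RECORDS, KEY_ARN))
```

Two caveats when you run this for real. The event history in the console and `aws cloudtrail lookup-events` cover only the last 90 days, so for older events you query the trail's S3 bucket (Athena, answer D in Question #62, is the usual route). And the session name is only as trustworthy as the identity provider's RoleSessionName mapping; if users can pick their own session name, corroborate the result with the provider's own sign-in logs.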
Question #65
There is a requirement for a company to transfer large amounts of data between AWS and an on-premises location. There is an additional requirement for low latency and high consistency traffic to AWS. Given these requirements, how would you design a hybrid architecture? Choose the correct answer from the options below.
A. Provision a Direct Connect connection to an AWS Region using a Direct Connect partner
B. Create a VPN tunnel for private connectivity, which increases network consistency and reduces latency
C. Create an IPsec tunnel for private connectivity, which increases network consistency and reduces latency
D. Create a VPC peering connection between AWS and the customer gateway
View answer
Correct Answer: A
Question #66
A company has implemented AWS WAF and Amazon CloudFront for an application. The application runs on Amazon EC2 instances that are part of an Auto Scaling group. The Auto Scaling group is behind an Application Load Balancer (ALB). The AWS WAF web ACL uses an AWS Managed Rules rule group and is associated with the CloudFront distribution. CloudFront receives the request from AWS WAF and then uses the ALB as the distribution's origin. During a security review, a security engineer discovers that the infrastructur
A. Configure the CloudFront distribution to use the Lambda@Edge feature
B. Configure the AWS WAF web ACL so that the web ACL has more capacity units to process all AWS WAF rules faster
C. Configure AWS WAF with a rate-based rule that imposes a rate limit that automatically blocks requests when the rate limit is exceeded
D. Configure the CloudFront distribution to use AWS WAF as its origin instead of the ALB
View answer
Correct Answer: C
Question #67
A company has two VPCs in the same AWS Region and in the same AWS account. Each VPC uses a CIDR block that does not overlap with the CIDR block of the other VPC. One VPC contains AWS Lambda functions that run inside a subnet that accesses the internet through a NAT gateway. The Lambda functions require access to a publicly accessible Amazon Aurora MySQL database that is running in the other VPC. A security engineer determines that the Aurora database uses a security group rule that allows connections from the N
A. Move the Aurora database into a private subnet that has no internet access routes in the database's current VPC. Configure the Lambda functions to use the Aurora database's new private IP address to access the database. Configure the Aurora database's security group to allow access from the private IP addresses of the Lambda functions
B. Establish a VPC endpoint between the two VPCs. In the Aurora database's VPC, configure a service VPC endpoint for Amazon RDS. In the Lambda functions' VPC
C. Establish an AWS Direct Connect interface between the VPCs. Configure the Lambda functions to use a new route table that accesses the Aurora database through the Direct Connect interface. Configure the Aurora database's security group to allow access from the Direct Connect interface IP address
D. Move the Lambda functions into a public subnet in their VPC. Move the Aurora database into a private subnet in its VPC. Configure the Lambda functions to use the Aurora database's new private IP address to access the database. Configure the Aurora database to allow access from the public IP addresses of the Lambda functions
View answer
Correct Answer: B
Question #68
An organization must establish the ability to delete an AWS KMS Customer Master Key (CMK) within a 24-hour timeframe to keep it from being used for encrypt or decrypt operations. Which of the following actions will address this requirement?
A. Manually rotate a key within KMS to create a new CMK immediately
B. Use the KMS import key functionality to execute a delete key operation
C. Use the schedule key deletion function within KMS to specify the minimum wait period for deletion
D. Change the KMS CMK alias to immediately prevent any services from using the CMK
View answer
Correct Answer: C
Question #69
A security engineer needs to create an AWS Key Management Service
A. Remove the existing NAT gateway
B. Configure the DB instance's inbound network ACL to deny traffic from the security group ID of the NAT gateway
C. Modify the route tables of the DB instance subnets to remove the default route to the NAT gateway
D. Configure the route table of the NAT gateway to deny connections to the DB instance subnets
View answer
Correct Answer: A
Question #70
A company needs to use HTTPS when connecting to its web applications to meet compliance requirements. These web applications run in Amazon VPC on Amazon EC2 instances behind an Application Load Balancer (ALB). A security engineer wants to ensure that the load balancer will only accept connections over port 443, even if the ALB is mistakenly configured with an HTTP listener. Which configuration steps should the security engineer take to accomplish this task?
A. Create a security group with a rule that denies inbound connections from 0
B. Create a network ACL that denies inbound connections from 0 0
C. Create a network ACL that allows outbound connections to the VPC IP range on port 443 only
D. Create a security group with a single inbound rule that allows connections from 0
View answer
Correct Answer: D
Question #71
A company is developing a highly resilient application to be hosted on multiple Amazon EC2 instances. The application will store highly sensitive user data in Amazon RDS tables. The application must:
- Include migration to a different AWS Region in the application disaster recovery plan.
- Provide a full audit trail of encryption key administration events.
- Allow only company administrators to administer keys.
- Protect data at rest using application layer encryption.
A Security Engineer is evaluating options f
A. The key administration event logging generated by CloudHSM is significantly more extensive than AWS KMS
B. CloudHSM ensures that only company support staff can administer encryption keys, whereas AWS KMS allows AWS staff to administer keys
C. The ciphertext produced by CloudHSM provides more robust protection against brute force decryption attacks than the ciphertext produced by AWS KMS
D. CloudHSM provides the ability to copy keys to a different Region, whereas AWS KMS does not
View answer
Correct Answer: B
Question #72
A company has retail stores. The company is designing a solution to store scanned copies of customer receipts on Amazon S3. Files will be between 100 KB and 5 MB in PDF format. Each retail store must have a unique encryption key. Each object must be encrypted with a unique key. Which solution will meet these requirements?
A. Create a dedicated AWS Key Management Service (AWS KMS) customer managed key for each retail store. Use the S3 Put operation to upload the objects to Amazon S3. Specify server-side encryption with AWS KMS keys (SSE-KMS) and the key ID of the store's key
B. Create a new AWS Key Management Service (AWS KMS) customer managed key every day for each retail store. Use the KMS Encrypt operation to encrypt objects. Then upload the objects to Amazon S3
C. Run the AWS Key Management Service (AWS KMS) GenerateDataKey operation every day for each retail store. Use the data key and client-side encryption to encrypt the objects. Then upload the objects to Amazon S3
D. Use the AWS Key Management Service (AWS KMS) ImportKeyMaterial operation to import new key material to AWS KMS every day for each retail store. Use a customer managed key and the KMS Encrypt operation to encrypt the objects. Then upload the objects to Amazon S3
View answer
Correct Answer: A
Question #73
A company deployed AWS Organizations to help manage its increasing number of AWS accounts. A security engineer wants to ensure that only principals in the Organization structure can access a specific Amazon S3 bucket. The solution must also minimize operational overhead. Which solution will meet these requirements?
A. Put all users into an IAM group with an access policy granting access to the S3 bucket
B. Have the account creation trigger an AWS Lambda function that manages the bucket policy, allowing access to accounts listed in the policy only
C. Add an SCP to the Organizations master account, allowing all principals access to the bucket
D. Specify the organization ID in the global key condition element of a bucket policy, allowing all principals access
View answer
Correct Answer: D
Question #74
A Security Engineer is troubleshooting an issue with a company's custom logging application. The application logs are written to an Amazon S3 bucket with event notifications enabled to send events to an Amazon SNS topic. All logs are encrypted at rest using an AWS KMS CMK. The SNS topic is subscribed to an encrypted Amazon SQS queue. The logging application polls the queue for new messages that contain metadata about the S3 object. The application then reads the content of the object from the S3 bucket for
A. Add the following statement to the AWS managed CMKs:
B. Add the following statement to the CMK key policy:
C. Add the following statement to the CMK key policy:
D. Add the following statement to the CMK key policy:
View answer
Correct Answer: D
Question #75
A company is using Amazon Elastic Container Service (Amazon ECS) to run its container-based application on AWS. The company needs to ensure that the container images contain no severe vulnerabilities. The company also must ensure that only specific IAM roles and specific AWS accounts can access the container images. Which solution will meet these requirements with the LEAST management overhead?
A. Pull images from the public container registry
B. Pull images from the public container registry
C. Pull images from the public container registry
D. Pull images from the public container registry
View answer
Correct Answer: C
Question #76
A recent security audit found that AWS CloudTrail logs are insufficiently protected from tampering and unauthorized access. Which actions must the Security Engineer take to address these audit findings? (Select THREE.)
A. Update the AWS WAF rules in the affected account and use AWS Firewall Manager to push updated AWS WAF rules across all other accounts
B. Use GuardDuty centralized logging and Amazon SNS to set up alerts to notify all application teams of security incidents
C. Use GuardDuty alerts to write an AWS Lambda function that updates all accounts by adding additional NACLs on the Amazon EC2 instances to block known malicious IP addresses
D. Use AWS Shield Advanced to identify threats in each individual account and then apply the account-based protections to all other accounts through Organizations
View answer
Correct Answer: ADE
Question #77
A company is using Amazon Elastic Container Service (Amazon ECS) to deploy an application that deals with sensitive data. During a recent security audit, the company identified a security issue in which Amazon RDS credentials were stored with the application code in the company's source code repository. A security engineer needs to develop a solution to ensure that database credentials are stored securely and rotated periodically. The credentials should be accessible to the application only. The engineer also
A. Use the IAM Systems Manager Parameter Store to generate database credentials
B. Use IAM Secrets Manager to store database credentials
C. Use the IAM Systems Manager Parameter Store to store database credentials
D. Use IAM Secrets Manager to store database credentials
View answer
Correct Answer: D
Question #78
For compliance reasons, a Security Engineer must produce a weekly report that lists any instance that does not have the latest approved patches applied. The Engineer must also ensure that no system goes more than 30 days without the latest approved updates being applied. What would be the MOST efficient way to achieve these goals?
A. Use Amazon Inspector to determine which systems do not have the latest patches applied, and after 30 days, redeploy those instances with the latest AMI version
B. Configure Amazon EC2 Systems Manager to report on instance patch compliance and enforce updates during the defined maintenance windows
C. Examine IAM CloudTrail logs to determine whether any instances have not restarted in the last 30 days, and redeploy those instances
D. Update the AMIs with the latest approved patches and redeploy each instance during the defined maintenance window
View answer
Correct Answer: B
Question #79
A company needs to retain log data archives for several years to be compliant with regulations. The log data is no longer used, but it must be retained. What is the MOST secure and cost-effective solution to meet these requirements?
A. Archive the data to Amazon S3 and apply a restrictive bucket policy to deny the s3:DeleteObject API
B. Archive the data to Amazon S3 Glacier and apply a Vault Lock policy
C. Archive the data to Amazon S3 and replicate it to a second bucket in a second IAM Region. Choose the S3 Standard-Infrequent Access (S3 Standard-IA) storage class and apply a restrictive bucket policy to deny the s3:DeleteObject API
D. Migrate the log data to a 16 TB Amazon Elastic Block Store (Amazon EBS) volume. Create a snapshot of the EBS volume
View answer
Correct Answer: B
Question #80
A company is building an application on IAM that will store sensitive information. The company has a support team with access to the IT infrastructure, including databases. The company's security engineer must introduce measures to protect the sensitive data against any data breach while minimizing management overhead. The credentials must be regularly rotated. What should the security engineer recommend?
A. Enable Amazon RDS encryption to encrypt the database and snapshots
B. Install a database on an Amazon EC2 instance
C. Enable Amazon RDS encryption to encrypt the database and snapshots
D. Set up an IAM CloudHSM cluster with IAM Key Management Service (IAM KMS) to store KMS keys
View answer
Correct Answer: C
Question #81
A developer is building a serverless application hosted on AWS that uses Amazon Redshift as a data store. The application has separate modules for read/write and read-only functionality. The modules need their own database users for compliance reasons. Which combination of steps should a security engineer implement to grant appropriate access? (Select TWO.)
A. Configure cluster security groups for each application module to control access to database users that are required for read-only and read/write
B. Configure a VPC endpoint for Amazon Redshift. Configure an endpoint policy that maps database users to each application module, and allow access to the tables that are required for read-only and read/write
C. Configure an IAM policy for each module. Specify the ARN of an Amazon Redshift database user that allows the GetClusterCredentials API call
D. Create local database users for each module
E. Configure an IAM policy for each module. Specify the ARN of an IAM user that allows the GetClusterCredentials API call
View answer
Correct Answer: A
Question #82
A company's security engineer wants to receive an email alert whenever Amazon GuardDuty, AWS Identity and Access Management Access Analyzer, or Amazon Macie generates a high-severity security finding. The company uses AWS Control Tower to govern all of its accounts. The company also uses AWS Security Hub with all of the AWS service integrations turned on. Which solution will meet these requirements with the LEAST operational overhead?
A. Set up separate AWS Lambda functions for GuardDuty, IAM Access Analyzer, and Macie to call each service's public API to retrieve high-severity findings
B. Create an Amazon EventBridge rule with a pattern that matches Security Hub findings events with high severity
C. Create an Amazon EventBridge rule with a pattern that matches AWS Control Tower events with high severity
D. Host an application on Amazon EC2 to call the GuardDuty, IAM Access Analyzer, and Macie APIs
View answer
Correct Answer: B
Question #83
A company is planning to use Amazon Elastic File System (Amazon EFS) with its on-premises servers. The company has an existing IAM Direct Connect connection established between its on-premises data center and an IAM Region. Security policy states that the company's on-premises firewall should only have specific IP addresses added to the allow list and not a CIDR range. The company also wants to restrict access so that only certain data center-based servers have access to Amazon EFS. How should a security engin
A. Add the file-system-id efs IAM-region amazonIAM com URL to the allow list for the data center firewall. Install the IAM CLI on the data center-based servers to mount the EFS file system. In the EFS security group, add the data center IP range to the allow list. Mount the EFS using the EFS file system name
B. Assign an Elastic IP address to Amazon EFS and add the Elastic IP address to the allow list for the data center firewall. Install the IAM CLI on the data center-based servers to mount the EFS file system. In the EFS security group, add the IP addresses of the data center servers to the allow list. Mount the EFS using the Elastic IP address
C. Add the EFS file system mount target IP addresses to the allow list for the data center firewall. In the EFS security group, add the data center server IP addresses to the allow list. Use the Linux terminal to mount the EFS file system using the IP address of one of the mount targets
D. Assign a static range of IP addresses for the EFS file system by contacting IAM Support. In the EFS security group, add the data center server IP addresses to the allow list. Use the Linux terminal to mount the EFS file system using one of the static IP addresses
View answer
Correct Answer: B
Question #84
A company needs to store multiple years of financial records. The company wants to use Amazon S3 to store copies of these documents. The company must implement a solution to prevent the documents from being edited, replaced, or deleted for 7 years after the documents are stored in Amazon S3. The solution must also encrypt the documents at rest. A security engineer creates a new S3 bucket to store the documents. What should the security engineer do next to meet these requirements?
A. The company uses a serverless approach to microservices
B. Create a key policy that allows the kms:Decrypt action only for Amazon S3 and DynamoDB. Create an SCP that denies the creation of S3 buckets and DynamoDB tables that are not encrypted with the key
C. Create an IAM policy that denies the kms:Decrypt action for the key
D. Create a key policy that allows the kms:Decrypt action only for Amazon S3, DynamoDB, Lambda, and Amazon EKS
E. Create a key policy that allows the kms:Decrypt action only for Amazon S3, DynamoDB, Lambda, and Amazon EKS
View answer
Correct Answer: B
Question #85
A company has developed a new Amazon RDS database application. The company must secure the RDS database credentials for encryption in transit and encryption at rest. The company also must rotate the credentials automatically on a regular basis. Which solution meets these requirements?
A. Use IAM Systems Manager Parameter Store to store the database credentials
B. Use IAM Secrets Manager to store the database credentials
C. Store the database credentials in an Amazon S3 bucket that is configured with server-side encryption with S3 managed encryption keys (SSE-S3). Rotate the credentials with IAM database authentication
D. Store the database credentials in Amazon S3 Glacier, and use S3 Glacier Vault Lock. Configure an IAM Lambda function to rotate the credentials on a scheduled basis
View answer
Correct Answer: A
Question #86
A company wants to ensure that its IAM resources can be launched only in the us-east-1 and us-west-2 Regions. What is the MOST operationally efficient solution that will prevent developers from launching Amazon EC2 instances in other Regions?
A. Create a new security group in the database VPC and create an inbound rule that allows all traffic from the IP address range of the application VPC
B. Create a new security group in the application VPC with an inbound rule that allows the IP address range of the database VPC over TCP port 1521
C. Create a new security group in the application VPC with no inbound rules
D. Create a new security group in the application VPC with an inbound rule that allows the IP address range of the database VPC over TCP port 1521
View answer
Correct Answer: C
Question #87
A company's application team needs to host a MySQL database on IAM. According to the company's security policy, all data that is stored on IAM must be encrypted at rest. In addition, all cryptographic material must be compliant with FIPS 140-2 Level 3 validation. The application team needs a solution that satisfies the company's security requirements and minimizes operational overhead. Which solution will meet these requirements?
A. Host the database on Amazon RDS
B. Host the database on Amazon RDS
C. Host the database on an Amazon EC2 instance
D. Host the database on an Amazon EC2 instance
View answer
Correct Answer: B
Question #88
A System Administrator is unable to start an Amazon EC2 instance in the eu-west-1 Region using an IAM role. The same System Administrator is able to start an EC2 instance in the eu-west-2 and eu-west-3 Regions. The IAMSystemAdministrator access policy attached to the System Administrator IAM role allows unconditional access to all IAM services and resources within the account. Which configuration caused this issue?
A. An SCP is attached to the account with the following permission statement:
B. A permission boundary policy is attached to the System Administrator role with the following permission statement:
C. A permission boundary is attached to the System Administrator role with the following permission statement:
D. An SCP is attached to the account with the following statement:
View answer
Correct Answer: B
Question #89
A company is operating a website using Amazon CloudFront. CloudFront serves some content from Amazon S3 and other content from web servers running on EC2 instances behind an Application Load Balancer (ALB). Amazon DynamoDB is used as the data store. The company already uses IAM Certificate Manager (ACM) to store a public TLS certificate that can optionally secure connections between the website users and CloudFront. The company has a new requirement to enforce end-to-end encryption in transit. Which combination of st
A. Add an origin custom header. Set the viewer protocol policy to HTTP and HTTPS. Set the origin protocol policy to HTTPS only. Update the application to validate the CloudFront custom header
B. Add an origin custom header. Set the viewer protocol policy to HTTPS only. Set the origin protocol policy to match viewer. Update the application to validate the CloudFront custom header
C. Add an origin custom header. Set the viewer protocol policy to redirect HTTP to HTTPS. Set the origin protocol policy to HTTP only. Update the application to validate the CloudFront custom header
D. Add an origin custom header. Set the viewer protocol policy to redirect HTTP to HTTPS
View answer
Correct Answer: BCE
Question #90
Your company has just set up a new central server in a VPC. There is a requirement for other teams, who have their servers located in different VPCs in the same Region, to connect to the central server. Which of the below options is best suited to achieve this requirement?
A. Set up VPC peering between the central server VPC and each of the teams' VPCs
B. Set up IAM Direct Connect between the central server VPC and each of the teams' VPCs
C. Set up an IPsec tunnel between the central server VPC and each of the teams' VPCs
D. None of the above options will work
View answer
Correct Answer: A
Question #91
Example.com is hosted on Amazon EC2 instances behind an Application Load Balancer (ALB). Third-party host intrusion detection system (HIDS) agents that capture the traffic of the EC2 instance are running on each host. The company must ensure they are using privacy-enhancing technologies for users, without losing the assurance the third-party solution offers. What is the MOST secure way to meet these requirements?
A. Enable TLS pass-through on the ALB, and handle decryption at the server using Elliptic Curve Diffie-Hellman (ECDHE) cipher suites
B. Create a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie-Hellman (ECDHE) cipher suites, and pass the traffic in the clear to the server
C. Create a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie-Hellman (ECDHE) cipher suites, and use encrypted connections to the servers that do not enable Perfect Forward Secrecy (PFS)
D. Create a listener on the ALB that does not enable Perfect Forward Secrecy (PFS) cipher suites, and use encrypted connections to the servers using Elliptic Curve Diffie-Hellman (ECDHE) cipher suites
View answer
Correct Answer: D
Question #92
A Security Architect has been asked to review an existing security architecture and identify why the application servers cannot successfully initiate a connection to the database servers. The following summary describes the architecture:
1. An Application Load Balancer, an internet gateway, and a NAT gateway are configured in the public subnet.
2. Database, application, and web servers are configured on three different private subnets.
3. The VPC has two route tables: one for the public subnet and one for all ot
A. Add a deny rule to the public VPC security group to block the malicious IP
B. Add the malicious IP to IAM WAF blacklisted IPs
C. Configure Linux iptables or Windows Firewall to block any traffic from the malicious IP
D. Modify the hosted zone in Amazon Route 53 and create a DNS sinkhole for the malicious IP
View answer
Correct Answer: A
Question #93
A company uses an Amazon S3 bucket to store reports. Management has mandated that all new objects stored in this bucket must be encrypted at rest using server-side encryption with a client-specified IAM Key Management Service (IAM KMS) CMK owned by the same account as the S3 bucket. The IAM account number is 111122223333, and the bucket name is report bucket. The company's security specialist must write the S3 bucket policy to ensure the mandate can be implemented. Which statement should the security speciali
A. Create a CodeCommit repository in the security account using IAM Key Management Service (IAM KMS) for encryption. Require the development team to migrate the Lambda source code to this repository
B. Store the API key in an Amazon S3 bucket in the security account using server-side encryption with Amazon S3 managed encryption keys (SSE-S3) to encrypt the key. Create a presigned URL for the S3 key
C. Create a secret in IAM Secrets Manager in the security account to store the API key using IAM Key Management Service (IAM KMS) for encryption. Grant access to the IAM role used by the Lambda function so that the function can retrieve the key from Secrets Manager and call the API
D. Create an encrypted environment variable for the Lambda function to store the API key using IAM Key Management Service (IAM KMS) for encryption. Grant access to the IAM role used by the Lambda function so that the function can decrypt the key at runtime
View answer
Correct Answer: D
Question #94
A development team is using an IAM Key Management Service (IAM KMS) CMK to try to encrypt and decrypt a secure string parameter from IAM Systems Manager Parameter Store. However, the development team receives an error message on each attempt.Which issues that are related to the CMK could be reasons for the error? (Select TWO.)
A. Enable Amazon GuardDuty in all Regions
B. Use an organization in IAM Organizations
C. Provision EC2 resources by using IAM CloudFormation templates through IAM CodePipeline
D. Create an IAM Config rule to prevent unauthorized activity outside us-east-1 and us-west-2
View answer
Correct Answer: AD
Question #95
A company has a set of EC2 instances hosted in IAM. The EC2 instances have EBS volumes that are used to store critical information. There is a business continuity requirement to ensure high availability for the EBS volumes. How can you achieve this?
A. Use lifecycle policies for the EBS volumes
B. Use EBS snapshots
C. Use EBS volume replication
D. Use EBS volume encryption
View answer
Correct Answer: B
Question #96
There are currently multiple applications hosted in a VPC. During monitoring it has been noticed that multiple port scans are coming in from a specific IP address block. The internal security team has requested that all offending IP addresses be denied for the next 24 hours. Which of the following is the best method to quickly and temporarily deny access from the specified IP addresses?
A. Create an AD policy to modify the Windows Firewall settings on all hosts in the VPC to deny access from the IP address block
B. Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP address block
C. Add a rule to all of the VPC Security Groups to deny access from the IP address block
D. Modify the Windows Firewall settings on all AMIs that your organization uses in that VPC to deny access from the IP address block
View answer
Correct Answer: B
Question #97
A company deployed Amazon GuardDuty in the us-east-1 Region. The company wants all DNS logs that relate to the company's Amazon EC2 instances to be inspected. What should a security engineer do to ensure that the EC2 instances are logged?
A. Use IPv6 addresses that are configured for hostnames
B. Configure external DNS resolvers as internal resolvers that are visible only to IAM
C. Use IAM DNS resolvers for all EC2 instances
D. Configure a third-party DNS resolver with logging for all EC2 instances
View answer
Correct Answer: C
Question #99
A security engineer receives a notice from the AWS Abuse team about suspicious activity from a Linux-based Amazon EC2 instance that uses Amazon Elastic Block Store (Amazon EBS)-based storage. The instance is making connections to known malicious addresses. The instance is in a development account within a VPC that is in the us-east-1 Region. The VPC contains an internet gateway and has a subnet in us-east-1a and us-east-1b. Each subnet is associated with a route table that uses the internet gateway as a default ro
A. Log in to the suspicious instance and use the netstat command to identify remote connections. Use the IP addresses from these remote connections to create deny rules in the security group of the instance. Install diagnostic tools on the instance for investigation. Update the outbound network ACL for the subnet in us-east-1b to explicitly deny all connections as the first rule during the investigation of the instance
B. Update the outbound network ACL for the subnet in us-east-1b to explicitly deny all connections as the first rule. Replace the security group with a new security group that allows connections only from a diagnostics security group. Update the outbound network ACL for the us-east-1b subnet to remove the deny all rule. Launch a new EC2 instance that has diagnostic tools. Assign the new security group to the new EC2 instance. Use the new EC2 instance to investigate the suspicious instance
C. Ensure that the Amazon Elastic Block Store (Amazon EBS) volumes that are attached to the suspicious EC2 instance will not delete upon termination. Terminate the instance. Launch a new EC2 instance in us-east-1a that has diagnostic tools. Mount the EBS volumes from the terminated instance for investigation
D. Create an AWS WAF web ACL that denies traffic to and from the suspicious instance. Attach the AWS WAF web ACL to the instance to mitigate the attack. Log in to the instance and install diagnostic tools to investigate the instance
View answer
Correct Answer: B
Question #101
A large corporation is creating a multi-account strategy and needs to determine how its employees should access the IAM infrastructure. Which of the following solutions would provide the MOST scalable solution?
A. Create dedicated IAM users within each IAM account that employees can assume through federation based upon group membership in their existing identity provider
B. Use a centralized account with IAM roles that employees can assume through federation with their existing identity provider. Use cross-account roles to allow the federated users to assume their target role in the resource accounts
C. Configure the IAM Security Token Service to use Kerberos tokens so that users can use their existing corporate user names and passwords to access IAM resources directly
D. Configure the IAM trust policies within each account's role to set up a trust back to the corporation's existing identity provider, allowing users to assume the role based on their SAML token
View answer
Correct Answer: B