DON'T WANT TO MISS A THING?

Certification Exam Passing Tips

Latest exam news and discount info

Curated and up-to-date by our experts

Yes, send me the newsletter

Pass the AWS Exam Easily with Updated SCS-C02 Practice Questions

Accessing our exam preparation resources and study materials provides a deep understanding of professional data classification, AWS data protection mechanisms, data encryption methods, and the AWS mechanisms that implement these methods. Our mock exams simulate the actual exam environment, allowing you to practice under exam conditions and refine your strategies for success. Preparing for the SPOTO AWS SCS-C02 exam comes with significant advantages for individuals seeking AWS Certified Security - Specialty certification. Our comprehensive exam questions and answers are meticulously designed to cover key topics, ensuring that certified individuals can confidently create and implement security solutions in the AWS Cloud.
Take other online exams

Question #1
A company is using IAM Organizations to develop a multi-account secure networking strategy. The company plans to use separate centrally managed accounts for shared services, auditing, and security inspection. The company plans to provide dozens of additional accounts to application owners for production and development environments.Company security policy requires that all internet traffic be routed through a centrally managed security inspection layer in the security inspection account. A security engineer
A. reate an IAM policy that prohibits changes to the specific CloudTrail trail and apply the policy to the IAM account root user
B. reate an S3 bucket policy in the specified destination account for the CloudTrail trail that prohibits configuration changes from the IAM account root user in the source account
C. reate an SCP that prohibits changes to the specific CloudTrail trail and apply the SCP to the appropriate organizational unit or account in Organizations
D. reate an IAM policy that prohibits changes to the specific CloudTrail trail and apply the policy to a new IAM group
View answer
Correct Answer: C

View The Updated SCS-C02 Exam Questions

SPOTO Provides 100% Real SCS-C02 Exam Questions for You to Pass Your SCS-C02 Exam!

Question #2
A Security Architect has been asked to review an existing security architecture and identify why the application servers cannot successfully initiate a connection to the database servers. The following summary describes the architecture:1 An Application Load Balancer, an internet gateway, and a NAT gateway are configured in the public subnet 2. Database, application, and web servers are configured on three different private subnets.3 The VPC has two route tables: one for the public subnet and one for all ot
A. dd a deny rule to the public VPC security group to block the malicious IP
B. dd the malicious IP to IAM WAF backhsted IPs
C. onfigure Linux iptables or Windows Firewall to block any traffic from the malicious IP
D. odify the hosted zone in Amazon Route 53 and create a DNS sinkhole for the malicious IP
View answer
Correct Answer: A
Question #3
A company receives a notification from the AWS Abuse team about an AWS account The notification indicates that a resource in the account is compromised The company determines that the compromised resource is an Amazon EC2 instance that hosts a web application The compromised EC2 instance is part of an EC2 Auto Scaling group.The EC2 instance accesses Amazon S3 and Amazon DynamoDB resources by using an 1AM access key and secret key The 1AM access key and secret key are stored inside the AMI that is specified
A. otate the potentially compromised access key that the EC2 instance uses Create a new AM I without the potentially compromised credentials Perform an EC2 Auto Scaling instance refresh
B. elete or deactivate the potentially compromised access key Create an EC2 Auto Scaling linked 1AM role that includes a custom policy that matches the potentially compromised access key permission Associate the new 1AM role with the Auto Scaling group Perform an EC2 Auto Scaling instance refresh
C. elete or deactivate the potentially compromised access key Create a new AMI without the potentially compromised credentials Create an 1AM role that includes the correct permissions Create a launch template for the Auto Scaling group to reference the new AMI and 1AM role Perform an EC2 Auto Scaling instance refresh
D. otate the potentially compromised access key Create a new AMI without the potentially compromised access key Use a user data script to supply the new access key as environmental variables in the Auto Scaling group's launch configuration Perform an EC2 Auto Scaling instance refresh
View answer
Correct Answer: C
Question #4
Your CTO is very worried about the security of your IAM account. How best can you prevent hackers from completely hijacking your account?
A. se short but complex password on the root account and any administrators
B. se IAM IAM Geo-Lock and disallow anyone from logging in except for in your city
C. se MFA on all users and accounts, especially on the root account
D. on't write down or remember the root account password after creating the IAM account
View answer
Correct Answer: C
Question #5
A company's cloud operations team is responsible for building effective security for IAM cross- account access. The team asks a security engineer to help troubleshoot why some developers in the developer account (123456789012) in the developers group are not able to assume a cross-account role (ReadS3) into a production account (999999999999) to read the contents of an Amazon S3 bucket (productionapp). The two account policies are as follows:Which recommendations should the security engineer make to resolve
A. se IAM Control Tower
B. reate a centrally managed VPC in the security inspection account
C. se IAM Control Tower
D. nable IAM Resource Access Manager (IAM RAM) for IAM Organizations
View answer
Correct Answer: AD
Question #6
For compliance reasons a Security Engineer must produce a weekly report that lists any instance that does not have the latest approved patches applied. The Engineer must also ensure that no system goes more than 30 days without the latest approved updates being applied.What would the MOST efficient way to achieve these goals?
A. se Amazon inspector to determine which systems do not have the latest patches applied, and after 30 days, redeploy those instances with the latest AMI version
B. onfigure Amazon EC2 Systems Manager to report on instance patch compliance and enforce updates during the defined maintenance windows
C. xamine IAM CloudTrail togs to determine whether any instances have not restarted in the last 30 days, and redeploy those instances
D. pdate the AMls with the latest approved patches and redeploy each instance during the defined maintenance window
View answer
Correct Answer: B
Question #7
During a manual review of system logs from an Amazon Linux EC2 instance, a Security Engineer noticed that there are sudo commands that were never properly alerted or reported on the Amazon CloudWatch Logs agent.Why were there no alerts on the sudo commands?
A. here is a security group blocking outbound port 80 traffic that is preventing the agent from sending the logs
B. he IAM instance profile on the EC2 instance was not properly configured to allow the CloudWatch Logs agent to push the logs to CloudWatch
C. loudWatch Logs status is set to ON versus SECURE, which prevents it from pulling in OS security event logs
D. he VPC requires that all traffic go through a proxy, and the CloudWatch Logs agent does not support a proxy configuration
View answer
Correct Answer: B
Question #8
A company uses Amazon API Gateway to present REST APIs to users. An API developer wants to analyze API access patterns without the need to parse the log files.Which combination of steps will meet these requirements with the LEAST effort? (Select TWO.)
A. onfigure the S3 Block Public Access feature for the AWS account
B. onfigure the S3 Block Public Access feature for all objects that are in the bucket
C. eactivate ACLs for objects that are in the bucket
D. se AWS PrivateLink for Amazon S3 to access the bucket
View answer
Correct Answer: CD
Question #9
A Development team has built an experimental environment to test a simple stale web application It has built an isolated VPC with a private and a public subnet. The public subnet holds only an Application Load Balancer a NAT gateway, and an internet gateway. The private subnet holds ail of the Amazon EC2 instances.There are 3 different types of servers Each server type has its own Security Group that limits access lo only required connectivity. The Security Groups nave both inbound and outbound rules applie
A. se encrypted Amazon EBS volumes with Amazon default keys (IAM EBS)
B. se server-side encryption with customer-provided keys (SSE-C)
C. se server-side encryption with IAM KMS managed keys (SSE-KMS)
D. se server-side encryption with Amazon S3 managed keys (SSE-S3)
View answer
Correct Answer: CEF
Question #10
A company is running an application in The eu-west-1 Region. The application uses an IAM Key Management Service (IAM KMS) CMK to encrypt sensitive dat.
A. he company plans to deploy the application in the eu-north-1 Region
B. pdate the key policies in eu-west-1
C. llocate a new CMK to eu-north-1 to be used by the application that is deployed in that Region
D. llocate a new CMK to eu-north-1
E. llocate a new CMK to eu-north-1
View answer
Correct Answer: B
Question #11
Auditors for a health care company have mandated that all data volumes be encrypted at rest Infrastructure is deployed mainly via IAM CloudFormation however third-party frameworks and manual deployment are required on some legacy systems.What is the BEST way to monitor, on a recurring basis, whether all EBS volumes are encrypted?
A. ilter the event history on the exposed access key in the CloudTrail console Examine the data from the past 11 days
B. se the IAM CLI lo generate an IAM credential report Extract all the data from the past 11 days
C. se Amazon Athena to query the CloudTrail logs from Amazon S3 Retrieve the rows for the exposed access key tor the past 11 days
D. se the Access Advisor tab in the IAM console to view all of the access key activity for the past 11 days
View answer
Correct Answer: B
Question #12
A company has retail stores The company is designing a solution to store scanned copies of customer receipts on Amazon S3 Files will be between 100 KB and 5 MB in PDF format Each retail store must have a unique encryption key Each object must be encrypted with a unique key.Which solution will meet these requirements?
A. reate a dedicated AWS Key Management Service (AWS KMS) customer managed key for each retail store Use the S3 Put operation to upload the objects to Amazon S3 Specify server-side encryption with AWS KMS keys (SSE-KMS) and the key ID of the store's key
B. reate a new AWS Key Management Service (AWS KMS) customer managed key every day for each retail store Use the KMS Encrypt operation to encrypt objects Then upload the objects to Amazon S3
C. un the AWS Key Management Service (AWS KMS) GenerateDataKey operation every day for each retail store Use the data key and client-side encryption to encrypt the objects Then upload the objects to Amazon S3
D. se the AWS Key Management Service (AWS KMS) ImportKeyMaterial operation to import new key material to AWS KMS every day for each retail store Use a customer managed key and the KMS Encrypt operation to encrypt the objects Then upload the objects to Amazon S3
View answer
Correct Answer: A
Question #13
A company has an AWS Lambda function that creates image thumbnails from larger images. The Lambda function needs read and write access to an Amazon S3 bucket in the same AWS account.Which solutions will provide the Lambda function this access? (Choose two.)
A. reate an IAM user that has only programmatic access
B. enerate an Amazon EC2 key pair
C. reate an IAM role for the Lambda function
D. reate an IAM role for the Lambda function
E. reate a security group
View answer
Correct Answer: BE
Question #14
A company is building a data processing application mat uses AWS Lambda functions. The application's Lambda functions need to communicate with an Amazon RDS OB instance that is deployed within a VPC in the same AWS account.Which solution meets these requirements in the MOST secure way?
A. onfigure the DB instance to allow public access Update the DB instance security group to allow access from the Lambda public address space for the AWS Region
B. eploy the Lambda functions inside the VPC Attach a network ACL to the Lambda subnet Provide outbound rule access to the VPC CIDR range only Update the DB instance security group to allow traffic from 0
C. eploy the Lambda functions inside the VPC Attach a security group to the Lambda functions Provide outbound rule access to the VPC CIDR range only Update the DB instance security group to allow traffic from the Lambda security group
D. eer the Lambda default VPC with the VPC that hosts the DB instance to allow direct network access without the need for security groups
View answer
Correct Answer: C
Question #15
A developer signed in to a new account within an IAM Organization organizational unit (OU) containing multiple accounts. Access to the Amazon $3 service is restricted with the following SCP.How can the security engineer provide the developer with Amazon $3 access without affecting other account?
A. ove the SCP to the root OU of organization to remove the restriction to access Amazon $3
B. dd an IAM policy for the developer, which grants $3 access
C. reate a new OU without applying the SCP restricting $3 access
D. dd an allow list for the developer account for the $3 service
View answer
Correct Answer: C
Question #16
A company has a group of Amazon EC2 instances in a single private subnet of a VPC with no internet gateway attached. A security engineer has installed the Amazon CloudWatch agent on all instances in that subnet to capture logs from a specific application. To ensure that the logs flow securely, the company's networking team has created VPC endpoints for CloudWatch monitoring and CloudWatch logs. The networking team has attached the endpoints to the VPC.The application is generating logs. However, when the se
A. nsure that the EC2 instance profile that is attached to the EC2 instances has permissions to create log streams and write logs
B. reate a metric filter on the logs so that they can be viewed in the AWS Management Console
C. heck the CloudWatch agent configuration file on each EC2 instance to make sure that the CloudWatch agent is collecting the proper log files
D. heck the VPC endpoint policies of both VPC endpoints to ensure that the EC2 instances have permissions to use them
E. reate a NAT gateway in the subnet so that the EC2 instances can communicate with CloudWatch
View answer
Correct Answer: ACD
Question #17
Amazon GuardDuty has detected communications to a known command and control endpoint from a company's Amazon EC2 instance. The instance was found to be running a vulnerable version of a common web framework. The company's security operations team wants to quickly identity other compute resources with the specific version of that framework installed.Which approach should the team take to accomplish this task?
A. can all the EC2 instances for noncompliance with IAM Config
B. can all the EC2 instances with the Amazon Inspector Network Reachability rules package to identity instances running a web server with RecognizedPortWithListener findings
C. can all the EC2 instances with IAM Systems Manager to identify the vulnerable version of the web framework
D. can an the EC2 instances with IAM Resource Access Manager to identify the vulnerable version of the web framework
View answer
Correct Answer: C
Question #18
You have an S3 bucket defined in IAM. You want to ensure that you encrypt the data before sending it across the wire.What is the best way to achieve this.
A. nable server side encryption for the S3 bucket
B. se the IAM Encryption CLI to encrypt the data first
C. se a Lambda function to encrypt the data before sending it to the S3 bucket
D. nable client encryption for the bucket
View answer
Correct Answer: B
Question #19
A company's security engineer has been tasked with restricting a contractor's IAM account access to the company's Amazon EC2 console without providing access to any other IAM services The contractors IAM account must not be able to gain access to any other IAM service, even it the IAMaccount rs assigned additional permissions based on IAM group membership.What should the security engineer do to meet these requirements''
A. reate an mime IAM user policy that allows for Amazon EC2 access for the contractor's IAM user
B. reate an IAM permissions boundary policy that allows Amazon EC2 access Associate the contractor's IAM account with the IAM permissions boundary policy
C. reate an IAM group with an attached policy that allows for Amazon EC2 access Associate the contractor's IAM account with the IAM group
D. reate a IAM role that allows for EC2 and explicitly denies all other services Instruct the contractor to always assume this role
View answer
Correct Answer: B
Question #20
Your company uses IAM to host its resources. They have the following requirements.1) Record all API calls and Transitions.2) Help in understanding what resources are there in the account.3) Facility to allow auditing credentials and logins Which services would suffice the above requirements.
A. AM Inspector, CloudTrail, IAM Credential Reports
B. loudTrail
C. loudTrail, IAM Config, IAM Credential Reports
D. AM SQS, IAM Credential Reports, CloudTrail
View answer
Correct Answer: C
Question #21
A company's on-premises networks are connected to VPCs using an IAM Direct Connect gateway. The company's on-premises application needs to stream data using an existing Amazon Kinesis Data Firehose delivery stream. The company's security policy requires that data be encrypted in transit using a private network.How should the company meet these requirements?
A. reate a VPC endpoint tor Kinesis Data Firehose
B. onfigure an IAM policy to restrict access to Kinesis Data Firehose using a source IP condition
C. reate a new TLS certificate in IAM Certificate Manager (ACM)
D. eer the on-premises network with the Kinesis Data Firehose VPC using Direct Connect
View answer
Correct Answer: A
Question #22
A company deploys a distributed web application on a fleet of Amazon EC2 instances. The fleet is behind an Application Load Balancer (ALB) that will be configured to terminate the TLS connection. All TLS traffic to the ALB must stay secure, even if the certificate private key is compromised.How can a security engineer meet this requirement?
A. reate an HTTPS listener that uses a certificate that is managed by IAM Certificate Manager (ACM)
B. reate an HTTPS listener that uses a security policy that uses a cipher suite with perfect toward secrecy (PFS)
C. reate an HTTPS listener that uses the Server Order Preference security feature
D. reate a TCP listener that uses a custom security policy that allows only cipher suites with perfect forward secrecy (PFS)
View answer
Correct Answer: A
Question #23
A company uses an Amazon S3 bucket to store reports Management has mandated that all new objects stored in this bucket must be encrypted at rest using server-side encryption with a client-specified IAM Key Management Service (IAM KMS) CMK owned by the same account as the S3 bucket. The IAM account number is 111122223333, and the bucket name Is report bucket. The company's security specialist must write the S3 bucket policy to ensure the mandate can be Implemented.Which statement should the security speciali
A. reate a CodeCommit repository in the security account using IAM Key Management Service (IAM KMS) tor encryption Require the development team to migrate the Lambda source code to this repository
B. tore the API key in an Amazon S3 bucket in the security account using server-side encryption with Amazon S3 managed encryption keys (SSE-S3) to encrypt the key Create a resigned URL tor the S3 key
C. reate a secret in IAM Secrets Manager in the security account to store the API key using IAM Key Management Service (IAM KMS) tor encryption Grant access to the IAM role used by the Lambda function so that the function can retrieve the key from Secrets Manager and call the API
D. reate an encrypted environment variable for the Lambda function to store the API key using IAM Key Management Service (IAM KMS) tor encryption Grant access to the IAM role used by the Lambda function so that the function can decrypt the key at runtime
View answer
Correct Answer: D
Question #24
An application team wants to use IAM Certificate Manager (ACM) to request public certificates to ensure that data is secured in transit. The domains that are being used are not currently hosted on Amazon Route 53The application team wants to use an IAM managed distribution and caching solution to optimize requests to its systems and provide better points of presence to customers The distribution solution will use a primary domain name that is customized The distribution solution also will use several altern
A.
B.
C.
View answer
Correct Answer: CDF
Question #25
A company needs to retain tog data archives for several years to be compliant with regulations. The tog data is no longer used but It must be retained.What Is the MOST secure and cost-effective solution to meet these requirements?
A. rchive the data to Amazon S3 and apply a restrictive bucket policy to deny the s3 DeleteOotect API
B. rchive the data to Amazon S3 Glacier and apply a Vault Lock policy
C. rchive the data to Amazon S3 and replicate it to a second bucket in a second IAM Region Choose the S3 Standard-Infrequent Access (S3 Standard-1A) storage class and apply a restrictive bucket policy to deny the s3 DeleteObject API
D. igrate the log data to a 16 T8 Amazon Elastic Block Store (Amazon EBS) volume Create a snapshot of the EBS volume
View answer
Correct Answer: B
Question #26
A company wants to ensure that its IAM resources can be launched only in the us-east-1 and us-west- 2 Regions.What is the MOST operationally efficient solution that will prevent developers from launching Amazon EC2 instances in other Regions?
A. reate a new security group in the database VPC and create an inbound rule that allows all traffic from the IP address range of the application VPC
B. reate a new security group in the application VPC with an inbound rule that allows the IP address range of the database VPC over TCP port 1521
C. reate a new security group in the application VPC with no inbound rules
D. reate a new security group in the application VPC with an inbound rule that allows the IP address range of the database VPC over TCP port 1521
View answer
Correct Answer: C
Question #27
A company is running an application in The eu-west-1 Region. The application uses an IAM Key Management Service (IAM KMS) CMK to encrypt sensitive dat.
A. he company plans to deploy the application in the eu-north-1 Region
B. pdate the key policies in eu-west-1
C. llocate a new CMK to eu-north-1 to be used by the application that is deployed in that Region
D. llocate a new CMK to eu-north-1
E. llocate a new CMK to eu-north-1
View answer
Correct Answer: B
Question #28
A company's Security Team received an email notification from the Amazon EC2 Abuse team that one or more of the company's Amazon EC2 instances may have been compromised.Which combination of actions should the Security team take to respond to (be current modem? (Select TWO.)
A. se Amazon CloudWatch monitoring to capture Amazon EC2 and networking metrics Visualize metrics using Amazon CloudWatch dashboards
B. un the Amazon Kinesis Agent to write the status data to Amazon Kinesis Data Firehose Store the streaming data from Kinesis Data Firehose in Amazon Redshift
C. rite the status data directly to a public Amazon S3 bucket from the health-checking component Configure S3 events to invoke an IAM Lambda function that analyzes the data
D. enerate events from the health-checking component and send them to Amazon CloudWatch Events
View answer
Correct Answer: DE
Question #29
A company receives a notification from the AWS Abuse team about an AWS account The notification indicates that a resource in the account is compromised The company determines that the compromised resource is an Amazon EC2 instance that hosts a web application The compromised EC2 instance is part of an EC2 Auto Scaling group.The EC2 instance accesses Amazon S3 and Amazon DynamoDB resources by using an 1AM access key and secret key The 1AM access key and secret key are stored inside the AMI that is specified
A. otate the potentially compromised access key that the EC2 instance uses Create a new AM I without the potentially compromised credentials Perform an EC2 Auto Scaling instance refresh
B. elete or deactivate the potentially compromised access key Create an EC2 Auto Scaling linked 1AM role that includes a custom policy that matches the potentially compromised access key permission Associate the new 1AM role with the Auto Scaling group Perform an EC2 Auto Scaling instance refresh
C. elete or deactivate the potentially compromised access key Create a new AMI without the potentially compromised credentials Create an 1AM role that includes the correct permissions Create a launch template for the Auto Scaling group to reference the new AMI and 1AM role Perform an EC2 Auto Scaling instance refresh
D. otate the potentially compromised access key Create a new AMI without the potentially compromised access key Use a user data script to supply the new access key as environmental variables in the Auto Scaling group's launch configuration Perform an EC2 Auto Scaling instance refresh
View answer
Correct Answer: C
Question #30
A company is using Amazon Elastic Container Service (Amazon ECS) to deploy an application that deals with sensitive data During a recent security audit, the company identified a security issue in which Amazon RDS credentials were stored with the application code In the company's source code repository.A security engineer needs to develop a solution to ensure that database credentials are stored securely and rotated periodically. The credentials should be accessible to the application only The engineer also
A. se the IAM Systems Manager Parameter Store to generate database credentials
B. se IAM Secrets Manager to store database credentials
C. se the IAM Systems Manager Parameter Store to store database credentials
D. se IAM Secrets Manager to store database credentials
View answer
Correct Answer: D
Question #31
A company's Chief Security Officer has requested that a Security Analyst review and improve the security posture of each company IAM account The Security Analyst decides to do this by Improving IAM account root user security.Which actions should the Security Analyst take to meet these requirements? (Select THREE.)
A. utbound SG configuration on database servers Inbound SG configuration on application servers inbound and outbound network ACL configuration on the database subnet Inbound and outbound network ACL configuration on the application server subnet
B. nbound SG configuration on database servers
C. nbound and outbound SG configuration on database servers Inbound and outbound SG configuration on application servers Inbound network ACL configuration on the database subnet Outbound network ACL configuration on the application server subnet
D. nbound SG configuration on database servers Outbound SG configuration on application servers Inbound network ACL configuration on the database subnet Outbound network ACL configuration on the application server subnet
View answer
Correct Answer: ADE
Question #32
A company deploys a set of standard IAM roles in AWS accounts. The IAM roles are based on job functions within the company. To balance operational efficiency and security, a security engineer implemented AWS Organizations SCPs to restrict access to critical security services in all company accounts.All of the company's accounts and OUs within AWS Organizations have a default FullAWSAccess SCP that is attached. The security engineer needs to ensure that no one can disable Amazon GuardDuty and AWS Security Hu
A. ption
B. ption
C. ption
D. ption D
View answer
Correct Answer: A
Question #33
Your company has just set up a new central server in a VPC. There is a requirement for other teams who have their servers located in different VPC's in the same region to connect to the central server.Which of the below options is best suited to achieve this requirement.
A. et up VPC peering between the central server VPC and each of the teams VPCs
B. et up IAM DirectConnect between the central server VPC and each of the teams VPCs
C. et up an IPSec Tunnel between the central server VPC and each of the teams VPCs
D. one of the above options will work
View answer
Correct Answer: A
Question #34
A company wants to establish separate IAM Key Management Service (IAM KMS) keys to use for different IAM services. The company's security engineer created the following key policy lo allow the infrastructure deployment team to create encrypted Amazon Elastic Block Store (Amazon EBS) volumes by assuming the InfrastructureDeployment IAM role:The security engineer recently discovered that IAM roles other than the InfrastructureDeployment role used this key (or other services.Which change to the policy should t
A. n the statement block that contains the Sid "Allow use of the key", under the "Condition" block, change StringEquals to StringLike
B. n the policy document, remove the statement Dlock that contains the Sid "Enable IAM User Permissions"
C. n the statement block that contains the Sid "Allow use of the Key", under the "Condition" block, change the Kms:ViaService value to ec2
D. n the policy document, add a new statement block that grants the kms:Disable' permission to the security engineer's IAM role
View answer
Correct Answer: C
Question #35
A company is hosting multiple applications within a single VPC in its IAM account. The applications are running behind an Application Load Balancer that is associated with an IAM WAF web ACL. The company's security team has identified that multiple port scans are originating from a specific range of IP addresses on the internet.A security engineer needs to deny access from the offending IP addresses.Which solution will meet these requirements?
A. odify the IAM WAF web ACL with an IP set match rule statement to deny incoming requests from the IP address range
B. dd a rule to all security groups to deny the incoming requests from the IP address range
C. odify the IAM WAF web ACL with a rate-based rule statement to deny the incoming requests from the IP address range
D. onfigure the IAM WAF web ACL with regex match conditions
View answer
Correct Answer: A
Question #36
Amazon GuardDuty has detected communications to a known command and control endpoint from a company's Amazon EC2 instance. The instance was found to be running a vulnerable version of a common web framework. The company's security operations team wants to quickly identity other compute resources with the specific version of that framework installed.Which approach should the team take to accomplish this task?
A. can all the EC2 instances for noncompliance with IAM Config
B. can all the EC2 instances with the Amazon Inspector Network Reachability rules package to identity instances running a web server with RecognizedPortWithListener findings
C. can all the EC2 instances with IAM Systems Manager to identify the vulnerable version of the web framework
D. can an the EC2 instances with IAM Resource Access Manager to identify the vulnerable version of the web framework
View answer
Correct Answer: C
Question #37
A company is hosting multiple applications within a single VPC in its IAM account. The applications are running behind an Application Load Balancer that is associated with an IAM WAF web ACL. The company's security team has identified that multiple port scans are originating from a specific range of IP addresses on the internet.A security engineer needs to deny access from the offending IP addresses.Which solution will meet these requirements?
A. odify the IAM WAF web ACL with an IP set match rule statement to deny incoming requests from the IP address range
B. dd a rule to all security groups to deny the incoming requests from the IP address range
C. odify the IAM WAF web ACL with a rate-based rule statement to deny the incoming requests from the IP address range
D. onfigure the IAM WAF web ACL with regex match conditions
View answer
Correct Answer: A
Question #38
A company has an AWS Key Management Service (AWS KMS) customer managed key with imported key material Company policy requires all encryption keys to be rotated every year.What should a security engineer do to meet this requirement for this customer managed key?
A. nable automatic key rotation annually for the existing customer managed key
B. se the AWS CLI to create an AWS Lambda function to rotate the existing customer managed key annually
C. mport new key material to the existing customer managed key Manually rotate the key
D. reate a new customer managed key Import new key material to the new key Point the key alias to the new key
View answer
Correct Answer: A
Question #39
Your development team is using access keys to develop an application that has access to S3 and DynamoDB. A new security policy has outlined that the credentials should not be older than 2 months, and should be rotated. How can you achieve this?
A. se the application to rotate the keys in every 2 months via the SDK
B. se a script to query the creation date of the keys
C. elete the user associated with the keys after every 2 months
D. elete the IAM Role associated with the keys after every 2 months
View answer
Correct Answer: B
Question #40
A developer at a company uses an SSH key to access multiple Amazon EC2 instances. The company discovers that the SSH key has been posted on a public GitHub repository. A security engineer verifies that the key has not been used recently.How should the security engineer prevent unauthorized access to the EC2 instances?
A. elete the key pair from the EC2 console
B. se the ModifylnstanceAttribute API operation to change the key on any EC2 instance that is using the key
C. estrict SSH access in the security group to only known corporate IP addresses
D. pdate the key pair in any AMI that is used to launch the EC2 instances
View answer
Correct Answer: C
Question #41
A company hosts an application on Amazon EC2 that is subject to specific rules for regulatory compliance. One rule states that traffic to and from the workload must be inspected for network- level attacks. This involves inspecting the whole packet.To comply with this regulatory rule, a security engineer must install intrusion detection software on a c5n.4xlarge EC2 instance. The engineer must then configure the software to monitor traffic to and from the application instances.What should the security engine
A. lace the network interface in promiscuous mode to capture the traffic
B. onfigure VPC Flow Logs to send traffic to the monitoring EC2 instance using a Network Load Balancer
C. onfigure VPC traffic mirroring to send traffic to the monitoring EC2 instance using a Network Load Balancer
D. se Amazon Inspector to detect network-level attacks and trigger an IAM Lambda function to send the suspicious packets to the EC2 instance
View answer
Correct Answer: D
Question #42
You work at a company that makes use of IAM resources. One of the key security policies is to ensure that all data i encrypted both at rest and in transit.Which of the following is one of the right ways to implement this.
A. se S3 SSE and use SSL for data in transit
B. SL termination on the ELB
C. nabling Proxy Protocol
D. nabling sticky sessions on your load balancer
View answer
Correct Answer: A
Question #43
A company has launched an Amazon EC2 instance with an Amazon Elastic Block Store (Amazon EBS) volume in the us-east-1 Region The volume is encrypted with an AWS Key Management Service (AWS KMS) customer managed key that the company's security team created The security team has created an 1AM key policy and has assigned the policy to the key The security team has also created an 1AM instance profile and has assigned the profile to the instance.The EC2 instance will not start and transitions from the pending
A. onfigure trusted access for AWS System Manager in Organizations Configure a bastion host from the management account Replace SSH and RDP by using Systems Manager Session Manager from the management account Configure Session Manager logging to Amazon CloudWatch Logs
B. eplace SSH and RDP with AWS Systems Manager Session Manager Install Systems Manager Agent (SSM Agent) on the instances Attach the
C. mazonSSMManagedlnstanceCore role to the instances Configure session data streaming to Amazon CloudWatch Logs Create a separate logging account that has appropriate cross-account permissions to audit the log data
D. nstall a bastion host in the management account Reconfigure all SSH and RDP to allow access only from the bastion host Install AWS Systems Manager Agent (SSM Agent) on the bastion host Attach the AmazonSSMManagedlnstanceCore role to the bastion host Configure session data streaming to Amazon CloudWatch Logs in a separate logging account to audit log data
E. eplace SSH and RDP with AWS Systems Manager State Manager Install Systems Manager Agent (SSM Agent) on the instances Attach the
View answer
Correct Answer: CD
Question #44
Your company uses IAM to host its resources. They have the following requirements.1) Record all API calls and Transitions.2) Help in understanding what resources are there in the account.3) Facility to allow auditing credentials and logins Which services would suffice the above requirements.
A. AM Inspector, CloudTrail, IAM Credential Reports
B. loudTrail
C. loudTrail, IAM Config, IAM Credential Reports
D. AM SQS, IAM Credential Reports, CloudTrail
View answer
Correct Answer: C
Question #45
An Application team has requested a new IAM KMS master key for use with Amazon S3, but the organizational security policy requires separate master keys for different IAM services to limit blast radius.How can an IAM KMS customer master key (CMK) be constrained to work with only Amazon S3?
A. onfigure the CMK key policy to allow only the Amazon S3 service to use the kms Encrypt action
B. onfigure the CMK key policy to allow IAM KMS actions only when the kms ViaService condition matches the Amazon S3 service name
C. onfigure the IAM user's policy lo allow KMS to pass a rote lo Amazon S3
D. onfigure the IAM user's policy to allow only Amazon S3 operations when they are combined with the CMK
View answer
Correct Answer: B
Question #46
A company needs a security engineer to implement a scalable solution for multi-account authentication and authorization. The solution should not introduce additional user-managed architectural components. Native IAM features should be used as much as possible The security engineer has set up IAM Organizations w1th all features activated and IAM SSO enabled.Which additional steps should the security engineer take to complete the task?
A. se AD Connector to create users and groups for all employees that require access to IAM accounts
B. se an IAM SSO default directory to create users and groups for all employees that require access to IAM accounts
C. se an IAM SSO default directory to create users and groups for all employees that require access to IAM accounts
D. se IAM Directory Service tor Microsoft Active Directory to create users and groups for all employees that require access to IAM accounts Enable IAM Management Console access in the created directory and specify IAM SSO as a source cl information tor integrated accounts and permission sets
View answer
Correct Answer: B
Question #47
Auditors for a health care company have mandated that all data volumes be encrypted at rest Infrastructure is deployed mainly via IAM CloudFormation however third-party frameworks and manual deployment are required on some legacy systems.What is the BEST way to monitor, on a recurring basis, whether all EBS volumes are encrypted?
A. ilter the event history on the exposed access key in the CloudTrail console Examine the data from the past 11 days
B. se the IAM CLI lo generate an IAM credential report Extract all the data from the past 11 days
C. se Amazon Athena to query the CloudTrail logs from Amazon S3 Retrieve the rows for the exposed access key tor the past 11 days
D. se the Access Advisor tab in the IAM console to view all of the access key activity for the past 11 days
View answer
Correct Answer: B
Question #48
A large corporation is creating a multi-account strategy and needs to determine how its employees should access the IAM infrastructure.Which of the following solutions would provide the MOST scalable solution?
A. reate dedicated IAM users within each IAM account that employees can assume through federation based upon group membership in their existing identity provider
B. se a centralized account with IAM roles that employees can assume through federation with their existing identity provider Use cross-account roles to allow the federated users to assume their target role in the resource accounts
C. onfigure the IAM Security Token Service to use Kerberos tokens so that users can use their existing corporate user names and passwords to access IAM resources directly
D. onfigure the IAM trust policies within each account's role to set up a trust back to the corporation's existing identity provider allowing users to assume the role based off their SAML token
View answer
Correct Answer: B
Question #49
A company has two teams, and each team needs to access its respective Amazon S3 buckets. The company anticipates adding more teams that also will have their own S3 buckets.When the company adds these teams, team members will need the ability to be assigned to multiple teams. Team members also will need the ability to change teams. Additional S3 buckets can be created or deleted.An IAM administrator must design a solution to accomplish these goals. The solution also must be scalable and must require the leas
A. dd users to groups that represent the teams
B. reate an IAM role for each team
C. reate IAM roles that are labeled with an access tag value of a team
D. mplement a role-based access control (RBAC) authorization model
View answer
Correct Answer: A
Question #50
An organization has a multi-petabyte workload that it is moving to Amazon S3, but the CISO is concerned about cryptographic wear-out and the blast radius if a key is compromised. How can the CISO be assured that IAM KMS and Amazon S3 are addressing the concerns? (Select TWO )
A. n HTTPS listener that uses a certificate that is managed by Amazon Certification Manager
B. n HTTPS listener that uses a custom security policy that allows only perfect forward secrecy cipher suites
C. n HTTPS listener that uses the latest IAM predefined ELBSecuntyPolicy-TLS-1 -2-2017-01 security policy
D. TCP listener that uses a custom security policy that allows only perfect forward secrecy cipher suites
View answer
Correct Answer: CE
Question #51
A company has an organization with SCPs in AWS Organizations. The root SCP for the organization is as follows.The company's developers are members of a group that has an IAM policy that allows access to Amazon Simple Email Service (Amazon SES) by allowing ses.* actions. The account is a child to an OU that has an SCP that allows Amazon SES. The developers are receiving a not-authorized error when they try to access Amazon SES through the AWS Management Console.Which change must a security engineer implement
A. dd a resource policy that allows each member of the group to access Amazon SES
B. dd a resource policy that allows 'Principal'
C. emove the AWS Control Tower control (guardrail) that restricts access to Amazon SES
D. emove Amazon SES from the root SCP
View answer
Correct Answer: D
Question #52
An Incident Response team is investigating an IAM access key leak that resulted in Amazon EC2 instances being launched. The company did not discover the incident until many months later The Director of Information Security wants to implement new controls that will alert when similar incidents happen in the future.Which controls should the company implement to achieve this? {Select TWO.)
A. he S3 bucket policy does not explicitly allow the Security Engineer access to the objects in the bucket
B. he object ACLs are not being updated to allow the users within the centralized account to access the objects
C. he Security Engineers IAM policy does not grant permissions to read objects in the S3 bucket
D. he s3:PutObject and s3:PutObjectAcl permissions should be applied at the S3 bucket level
View answer
Correct Answer: AE
Question #53
A Security Engineer is troubleshooting an issue with a company's custom logging application. The application logs are written to an Amazon S3 bucket with event notifications enabled to send events lo an Amazon SNS topic. All logs are encrypted at rest using an IAM KMS CMK. The SNS topic is subscribed to an encrypted Amazon SQS queue. The logging application polls the queue for new messages that contain metadata about the S3 object. The application then reads the content of the object from the S3 bucket for
A. dd the following statement to the IAM managed CMKs:
B. dd the following statement to the CMK key policy:
C. dd the following statement to the CMK key policy:
D. dd the following statement to the CMK key policy:
View answer
Correct Answer: D
Question #54
A company is running workloads in a single IAM account on Amazon EC2 instances and Amazon EMR clusters a recent security audit revealed that multiple Amazon Elastic Block Store (Amazon EBS) volumes and snapshots are not encrypted.The company's security engineer is working on a solution that will allow users to deploy EC2 Instances and EMR clusters while ensuring that all new EBS volumes and EBS snapshots are encrypted at rest. The solution must also minimize operational overhead.Which steps should the secur
A. reate an Amazon Event Bridge (Amazon Cloud watch Events) event with an EC2 instance as the source and create volume as the event trigger
B. se a customer managed IAM policy that will verify that the encryption flag of the Createvolume context is set to true
C. reate an IAM Config rule to evaluate the configuration of each EC2 instance on creation or modification
D. se the IAM Management Console or IAM CLi to enable encryption by default for EBS volumes in each IAM Region where the company operates
View answer
Correct Answer: D
Question #55
A company's on-premises networks are connected to VPCs using an IAM Direct Connect gateway. The company's on-premises application needs to stream data using an existing Amazon Kinesis Data Firehose delivery stream. The company's security policy requires that data be encrypted in transit using a private network.How should the company meet these requirements?
A. reate a VPC endpoint tor Kinesis Data Firehose
B. onfigure an IAM policy to restrict access to Kinesis Data Firehose using a source IP condition
C. reate a new TLS certificate in IAM Certificate Manager (ACM)
D. eer the on-premises network with the Kinesis Data Firehose VPC using Direct Connect
View answer
Correct Answer: A
Question #56
A company has multiple Amazon S3 buckets encrypted with customer-managed CMKs Due to regulatory requirements the keys must be rotated every year. The company's Security Engineer has enabled automatic key rotation for the CMKs; however the company wants to verity that the rotation has occurred.What should the Security Engineer do to accomplish this?
A. ilter IAM CloudTrail logs for KeyRotaton events
B. onitor Amazon CloudWatcn Events for any IAM KMS CMK rotation events
C. sing the IAM CLI
D. se Amazon Athena to query IAM CloudTrail logs saved in an S3 bucket to filter Generate New Key events
View answer
Correct Answer: C
Question #57
A company manages three separate IAM accounts for its production, development, and test environments, Each Developer is assigned a unique IAM user under the development account. A new application hosted on an Amazon EC2 instance in the developer account requires read access to the archived documents stored in an Amazon S3 bucket in the production account.How should access be granted?
A. reate an IAM role in the production account and allow EC2 instances in the development account to assume that role using the trust policy
B. se a custom identity broker to allow Developer IAM users to temporarily access the S3 bucket
C. reate a temporary IAM user for the application to use in the production account
D. reate a temporary IAM user in the production account and provide read access to Amazon S3
View answer
Correct Answer: A
Question #58
A company manages three separate IAM accounts for its production, development, and test environments, Each Developer is assigned a unique IAM user under the development account. A new application hosted on an Amazon EC2 instance in the developer account requires read access to the archived documents stored in an Amazon S3 bucket in the production account.How should access be granted?
A. reate an IAM role in the production account and allow EC2 instances in the development account to assume that role using the trust policy
B. se a custom identity broker to allow Developer IAM users to temporarily access the S3 bucket
C. reate a temporary IAM user for the application to use in the production account
D. reate a temporary IAM user in the production account and provide read access to Amazon S3
View answer
Correct Answer: A
Question #59
Example.com is hosted on Amazon EC2 instances behind an Application Load Balancer (ALB). Third- party host intrusion detection system (HIDS) agents that capture the traffic of the EC2 instance are running on each host. The company must ensure they are using privacy enhancing technologies for users, without losing the assurance the third-party solution offers.What is the MOST secure way to meet these requirements?
A. nable TLS pass through on the ALB, and handle decryption at the server using Elliptic Curve Diffie-Hellman (ECDHE) cipher suites
B. reate a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie-Hellman (ECDHE) cipher suites, and pass the traffic in the clear to the server
C. reate a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie-Hellman (ECDHE) cipher suites, and use encrypted connections to the servers that do not enable Perfect Forward Secrecy (PFS)
D. reate a listener on the ALB that does not enable Perfect Forward Secrecy (PFS) cipher suites, and use encrypted connections to the servers using Elliptic Curve Diffie-Hellman (ECDHE) cipher suites
View answer
Correct Answer: D
Question #60
A company is developing a highly resilient application to be hosted on multiple Amazon EC2 instances . The application will store highly sensitive user data in Amazon RDS tables.The application must.- Include migration to a different IAM Region in the application disaster recovery plan.- Provide a full audit trail of encryption key administration events.- Allow only company administrators to administer keys.- Protect data at rest using application layer encryption.A Security Engineer is evaluating options f
A. he key administration event logging generated by CloudHSM is significantly more extensive than IAM KMS
B. loudHSM ensures that only company support staff can administer encryption keys, whereas IAM KMS allows IAM staff to administer keys
C. he ciphertext produced by CloudHSM provides more robust protection against brute force decryption attacks than the ciphertext produced by IAM KMS
D. loudHSM provides the ability to copy keys to a different Region, whereas IAM KMS does not
View answer
Correct Answer: B
Question #61
A company wants to monitor the deletion of customer managed CMKs A security engineer must create an alarm that will notify the company before a CMK is deleted The security engineer has configured the integration of IAM CloudTrail with Amazon CloudWatch.What should the security engineer do next to meet this requirement?
A. se inbound rule 100 to allow traffic on TCP port 443 Use inbound rule 200 to deny traffic on TCP port 3306 Use outbound rule 100 to allow traffic on TCP port 443
B. se inbound rule 100 to deny traffic on TCP port 3306
C. se inbound rule 100 to allow traffic on TCP port range 1024-65535 Use inbound rule 200 to deny traffic on TCP port 3306 Use outbound rule 100 to allow traffic on TCP port 443
D. se inbound rule 100 to deny traffic on TCP port 3306 Use inbound rule 200 to allow traffic on TCP port 443 Use outbound rule 100 to allow traffic on TCP port 443
View answer
Correct Answer: A
Question #62
A company uses Amazon API Gateway to present REST APIs to users. An API developer wants to analyze API access patterns without the need to parse the log files.Which combination of steps will meet these requirements with the LEAST effort? (Select TWO.)
A. onfigure the S3 Block Public Access feature for the AWS account
B. onfigure the S3 Block Public Access feature for all objects that are in the bucket
C. eactivate ACLs for objects that are in the bucket
D. se AWS PrivateLink for Amazon S3 to access the bucket
View answer
Correct Answer: CD
Question #63
A company has launched an Amazon EC2 instance with an Amazon Elastic Block Store (Amazon EBS) volume in the us-east-1 Region The volume is encrypted with an AWS Key Management Service (AWS KMS) customer managed key that the company's security team created The security team has created an 1AM key policy and has assigned the policy to the key The security team has also created an 1AM instance profile and has assigned the profile to the instance.The EC2 instance will not start and transitions from the pending
A. onfigure trusted access for AWS System Manager in Organizations Configure a bastion host from the management account Replace SSH and RDP by using Systems Manager Session Manager from the management account Configure Session Manager logging to Amazon CloudWatch Logs
B. eplace SSH and RDP with AWS Systems Manager Session Manager Install Systems Manager Agent (SSM Agent) on the instances Attach the
C. mazonSSMManagedlnstanceCore role to the instances Configure session data streaming to Amazon CloudWatch Logs Create a separate logging account that has appropriate cross-account permissions to audit the log data
D. nstall a bastion host in the management account Reconfigure all SSH and RDP to allow access only from the bastion host Install AWS Systems Manager Agent (SSM Agent) on the bastion host Attach the AmazonSSMManagedlnstanceCore role to the bastion host Configure session data streaming to Amazon CloudWatch Logs in a separate logging account to audit log data
E. eplace SSH and RDP with AWS Systems Manager State Manager Install Systems Manager Agent (SSM Agent) on the instances Attach the
View answer
Correct Answer: CD
Question #64
You work at a company that makes use of IAM resources. One of the key security policies is to ensure that all data i encrypted both at rest and in transit.Which of the following is one of the right ways to implement this.
A. se S3 SSE and use SSL for data in transit
B. SL termination on the ELB
C. nabling Proxy Protocol
D. nabling sticky sessions on your load balancer
View answer
Correct Answer: A
Question #65
An organization has a multi-petabyte workload that it is moving to Amazon S3, but the CISO is concerned about cryptographic wear-out and the blast radius if a key is compromised. How can the CISO be assured that IAM KMS and Amazon S3 are addressing the concerns? (Select TWO )
A. n HTTPS listener that uses a certificate that is managed by Amazon Certification Manager
B. n HTTPS listener that uses a custom security policy that allows only perfect forward secrecy cipher suites
C. n HTTPS listener that uses the latest IAM predefined ELBSecuntyPolicy-TLS-1 -2-2017-01 security policy
D. TCP listener that uses a custom security policy that allows only perfect forward secrecy cipher suites
View answer
Correct Answer: CE
Question #66
A company's cloud operations team is responsible for building effective security for IAM cross- account access. The team asks a security engineer to help troubleshoot why some developers in the developer account (123456789012) in the developers group are not able to assume a cross-account role (ReadS3) into a production account (999999999999) to read the contents of an Amazon S3 bucket (productionapp). The two account policies are as follows:Which recommendations should the security engineer make to resolve
A. se IAM Control Tower
B. reate a centrally managed VPC in the security inspection account
C. se IAM Control Tower
D. nable IAM Resource Access Manager (IAM RAM) for IAM Organizations
View answer
Correct Answer: AD
Question #67
Your CTO thinks your IAM account was hacked.What is the only way to know for certain if there was unauthorized access and what they did, assuming your hackers are very sophisticated IAM engineers and doing everything they can to cover their tracks?
A. se CloudTrail Log File Integrity Validation
B. se IAM Config SNS Subscriptions and process events in real time
C. se CloudTrail backed up to IAM S3 and Glacier
D. se IAM Config Timeline forensics
View answer
Correct Answer: A
Question #68
A company needs a forensic-logging solution for hundreds of applications running in Docker on Amazon EC2 The solution must perform real-time analytics on the togs must support the replay of messages and must persist the logs.Which IAM services should be used to meet these requirements? (Select TWO)
A. n a recurring basis, update an IAM user policies to require that EC2 instances are created with an encrypted volume
B. onfigure an IAM Config rule lo run on a recurring basis 'or volume encryption
C. et up Amazon Inspector rules tor volume encryption to run on a recurring schedule
D. se CloudWatch Logs to determine whether instances were created with an encrypted volume
View answer
Correct Answer: BD
Question #69
A security engineer is configuring a new website that is named example.com. The security engineer wants to secure communications with the website by requiring users to connect to example.com through HTTPS.Which of the following is a valid option for storing SSL/TLS certificates?
A. ustom SSL certificate that is stored in AWS Key Management Service (AWS KMS)
B. efault SSL certificate that is stored in Amazon CloudFront
C. ustom SSL certificate that is stored in AWS Certificate Manager (ACM)
D. efault SSL certificate that is stored in Amazon S3
View answer
Correct Answer: C
Question #70
You need to create a policy and apply it for just an individual user. How could you accomplish this in the right way?
A. dd an IAM managed policy for the user
B. dd a service policy for the user
C. dd an IAM role for the user
D. dd an inline policy for the user
View answer
Correct Answer: D
Question #71
A company wants to monitor the deletion of customer managed CMKs A security engineer must create an alarm that will notify the company before a CMK is deleted The security engineer has configured the integration of IAM CloudTrail with Amazon CloudWatch.What should the security engineer do next to meet this requirement?
A. se inbound rule 100 to allow traffic on TCP port 443 Use inbound rule 200 to deny traffic on TCP port 3306 Use outbound rule 100 to allow traffic on TCP port 443
B. se inbound rule 100 to deny traffic on TCP port 3306
C. se inbound rule 100 to allow traffic on TCP port range 1024-65535 Use inbound rule 200 to deny traffic on TCP port 3306 Use outbound rule 100 to allow traffic on TCP port 443
D. se inbound rule 100 to deny traffic on TCP port 3306 Use inbound rule 200 to allow traffic on TCP port 443 Use outbound rule 100 to allow traffic on TCP port 443
View answer
Correct Answer: A
Question #72
A security engineer needs to develop a process to investigate and respond to potential security events on a company's Amazon EC2 instances. All the EC2 instances are backed by Amazon Elastic Block Store (Amazon EBS). The company uses AWS Systems Manager to manage all the EC2 instances and has installed Systems Manager Agent (SSM Agent) on all the EC2 instances.The process that the security engineer is developing must comply with AWS security best practices and must meet the following requirements:A compromi
A. ather any relevant metadata for the compromised EC2 instance
B. ather any relevant metadata for the compromised EC2 instance
C. se Systems Manager Run Command to invoke scripts that collect volatile data
D. stablish a Linux SSH or Windows Remote Desktop Protocol (RDP) session to the compromised EC2 instance to invoke scripts that collect volatile data
E. reate a snapshot of the compromised EC2 instance's EBS volume for follow-up investigations
F. reate a Systems Manager State Manager association to generate an EBS volume snapshot of the compromised EC2 instance
View answer
Correct Answer: BCE
Question #73
A Development team has built an experimental environment to test a simple stale web application It has built an isolated VPC with a private and a public subnet. The public subnet holds only an Application Load Balancer a NAT gateway, and an internet gateway. The private subnet holds ail of the Amazon EC2 instances.There are 3 different types of servers Each server type has its own Security Group that limits access lo only required connectivity. The Security Groups nave both inbound and outbound rules applie
A. se encrypted Amazon EBS volumes with Amazon default keys (IAM EBS)
B. se server-side encryption with customer-provided keys (SSE-C)
C. se server-side encryption with IAM KMS managed keys (SSE-KMS)
D. se server-side encryption with Amazon S3 managed keys (SSE-S3)
View answer
Correct Answer: CEF
Question #74
A corporation is preparing to acquire several companies. A Security Engineer must design a solution to ensure that newly acquired IAM accounts follow the corporation's security best practices. The solution should monitor each Amazon S3 bucket for unrestricted public write access and use IAM managed services.What should the Security Engineer do to meet these requirements?
A. onfigure Amazon Macie to continuously check the configuration of all S3 buckets
B. nable IAM Config to check the configuration of each S3 bucket
C. et up IAM Systems Manager to monitor S3 bucket policies for public write access
D. onfigure an Amazon EC2 instance to have an IAM role and a cron job that checks the status of all S3 buckets
View answer
Correct Answer: C
Question #75
A company is operating a website using Amazon CloudFornt. CloudFront servers some content from Amazon S3 and other from web servers running EC2 instances behind an Application. Load Balancer (ALB). Amazon DynamoDB is used as the data store. The company already uses IAM Certificate Manager (ACM) to store a public TLS certificate that can optionally secure connections between the website users and CloudFront. The company has a new requirement to enforce end-to-end encryption in transit.Which combination of st
A. dd an origin custom header Set the viewer protocol policy to HTTP and HTTPS Set the origin protocol pokey to HTTPS only Update the application to validate the CloudFront custom header
B. dd an origin custom header Set the viewer protocol policy to HTTPS only Set the origin protocol policy to match viewer Update the application to validate the CloudFront custom header
C. dd an origin custom header Set the viewer protocol policy to redirect HTTP to HTTPS Set the origin protocol policy to HTTP only Update the application to validate the CloudFront custom header
D. dd an origin custom header Set the viewer protocol policy to redirect HTTP to HTTPS
View answer
Correct Answer: BCE
Question #76
A company needs to store multiple years of financial records. The company wants to use Amazon S3 to store copies of these documents. The company must implement a solution to prevent the documents from being edited, replaced, or deleted for 7 years after the documents are stored in Amazon S3. The solution must also encrypt the documents at rest.A security engineer creates a new S3 bucket to store the documents.What should the security engineer do next to meet these requirements?
A. he company uses a serverless approach to microservices
B. reate a key policy that allows the kms:Decrypt action only for Amazon S3 and DynamoD Create an SCP that denies the creation of S3 buckets and DynamoDB tables that are not encrypted with the key
C. reate an 1AM policy that denies the kms:Decrypt action for the key
D. reate a key policy that allows the kms:Decrypt action only for Amazon S3, DynamoDB, Lambda, and Amazon EKS
E. reate a key policy that allows the kms:Decrypt action only for Amazon S3, DynamoDB, Lambda, and Amazon EKS
View answer
Correct Answer: B
Question #77
There are currently multiple applications hosted in a VPC. During monitoring it has been noticed that multiple port scans are coming in from a specific IP Address block. The internal security team has requested that all offending IP Addresses be denied for the next 24 hours.Which of the following is the best method to quickly and temporarily deny access from the specified IP Address's.
A. reate an AD policy to modify the Windows Firewall settings on all hosts in the VPC to deny access from the IP Address block
B. odify the Network ACLs associated with all public subnets in the VPC to deny access from the IP Address block
C. dd a rule to all of the VPC Security Groups to deny access from the IP Address block
D. odify the Windows Firewall settings on all AMI'S that your organization uses in that VPC to deny access from the IP address block
View answer
Correct Answer: B
Question #78
A security engineer has enabled IAM Security Hub in their IAM account, and has enabled the Center for internet Security (CIS) IAM Foundations compliance standard. No evaluation results on compliance are returned in the Security Hub console after several hours. The engineer wants to ensure that Security Hub can evaluate their resources for CIS IAM Foundations compliance.Which steps should the security engineer take to meet these requirements?
A. dd full Amazon Inspector IAM permissions to the Security Hub service role to allow it to perform the CIS compliance evaluation
B. nsure that IAM Trusted Advisor Is enabled in the account and that the Security Hub service role has permissions to retrieve the Trusted Advisor security-related recommended actions
C. nsure that IAM Config
D. nsure that the correct trail in IAM CloudTrail has been configured for monitoring by Security Hub and that the Security Hub service role has permissions to perform the GetObject operation on CloudTrails Amazon S3 bucket
View answer
Correct Answer: C
Question #79
An IT department currently has a Java web application deployed on Apache Tomcat running on Amazon EC2 instances. All traffic to the EC2 instances is sent through an internet-facing Application Load Balancer (ALB) The Security team has noticed during the past two days thousands of unusual read requests coming from hundreds of IP addresses. This is causing the Tomcat server to run out of threads and reject new connections.Which the SIMPLEST change that would address this server issue?
A. reate an Amazon CloudFront distribution and configure the ALB as the origin
B. lock the malicious IPs with a network access list (NACL)
C. reate an IAM Web Application Firewall (WAF)
D. ap the application domain name to use Route 53
View answer
Correct Answer: A
Question #80
A development team is attempting to encrypt and decode a secure string parameter from the IAM Systems Manager Parameter Store using an IAM Key Management Service (IAM KMS) CMK. However, each attempt results in an error message being sent to the development team.Which CMK-related problems possibly account for the error? (Select two.)
A. owever, the company does not want to allow users from the other accounts to access other files in the same folder
B. pply a user policy in the other accounts to allow IAM Glue and Athena lo access the
C. se S3 Select to restrict access to the
D. efine an IAM Glue Data Catalog resource policy in IAM Glue to grant cross-account S3 object access to the
E. rant IAM Glue access to Amazon S3 in a resource-based policy that specifies the organization as the principal
View answer
Correct Answer: AD
Question #81
A developer signed in to a new account within an IAM Organization organizational unit (OU) containing multiple accounts. Access to the Amazon $3 service is restricted with the following SCP.How can the security engineer provide the developer with Amazon $3 access without affecting other account?
A. ove the SCP to the root OU of organization to remove the restriction to access Amazon $3
B. dd an IAM policy for the developer, which grants $3 access
C. reate a new OU without applying the SCP restricting $3 access
D. dd an allow list for the developer account for the $3 service
View answer
Correct Answer: C
Question #82
During a manual review of system logs from an Amazon Linux EC2 instance, a Security Engineer noticed that there are sudo commands that were never properly alerted or reported on the Amazon CloudWatch Logs agent.Why were there no alerts on the sudo commands?
A. here is a security group blocking outbound port 80 traffic that is preventing the agent from sending the logs
B. he IAM instance profile on the EC2 instance was not properly configured to allow the CloudWatch Logs agent to push the logs to CloudWatch
C. loudWatch Logs status is set to ON versus SECURE, which prevents it from pulling in OS security event logs
D. he VPC requires that all traffic go through a proxy, and the CloudWatch Logs agent does not support a proxy configuration
View answer
Correct Answer: B
Question #83
An audit determined that a company's Amazon EC2 instance security group violated company policy by allowing unrestricted incoming SSH traffic. A security engineer must implement a near-real-time monitoring and alerting solution that will notify administrators of such violations.Which solution meets these requirements with the MOST operational efficiency?
A. reate a recurring Amazon Inspector assessment run that runs every day and uses the Network Reachability package
B. se the restricted-ssh IAM Config managed rule that is invoked by security group configuration changes that are not compliant
C. onfigure VPC Flow Logs for the VP and specify an Amazon CloudWatch Logs group
D. reate a recurring Amazon Inspector assessment run that runs every day and uses the Security Best Practices package
View answer
Correct Answer: B
Question #84
A company created an IAM account for its developers to use for testing and learning purposes Because MM account will be shared among multiple teams of developers, the company wants to restrict the ability to stop and terminate Amazon EC2 instances so that a team can perform these actions only on the instances it owns.Developers were Instructed to tag al their instances with a Team tag key and use the team name in the tag value One of the first teams to use this account is Business Intelligence A security en
A. or each team, create an AM policy similar to the one that fellows Populate the ec2:ResourceTag/Team condition key with a proper team name Attach resulting policies to the corresponding IAM roles
B. or each team create an IAM policy similar to the one that follows Populate the IAM TagKeys/Team condition key with a proper team name
C. ag each IAM role with a Team lag key
D. ag each IAM role with the Team key, and use the team name in the tag value
View answer
Correct Answer: A
Question #85
Your company has a set of EC2 Instances defined in IAM. These Ec2 Instances have strict security groups attached to them. You need to ensure that changes to the Security groups are noted and acted on accordingly. How can you achieve this?
A. se Cloudwatch logs to monitor the activity on the Security Groups
B. se Cloudwatch metrics to monitor the activity on the Security Groups
C. se IAM inspector to monitor the activity on the Security Groups
D. se Cloudwatch events to be triggered for any changes to the Security Groups
View answer
Correct Answer: D
Question #86
A company's engineering team is developing a new application that creates IAM Key Management Service (IAM KMS) CMK grants for users immediately after a grant IS created users must be able to use the CMK tu encrypt a 512-byte payload. During load testing, a bug appears |intermittently where AccessDeniedExceptions are occasionally triggered when a user first attempts to encrypt using the CMKWhich solution should the c0mpany`s security specialist recommend`?
A. nstruct users to implement a retry mechanism every 2 minutes until the call succeeds
B. nstruct the engineering team to consume a random grant token from users, and to call the CreateGrant operation, passing it the grant token
C. nstruct the engineering team to create a random name for the grant when calling the CreateGrant operation
D. nstruct the engineering team to pass the grant token returned in the CreateGrant response to users
View answer
Correct Answer: D
Question #87
A company needs to encrypt all of its data stored in Amazon S3. The company wants to use IAM Key Management Service (IAM KMS) to create and manage its encryption keys. The company's security policies require the ability to Import the company's own key material for the keys, set an expiration date on the keys, and delete keys immediately, if needed.How should a security engineer set up IAM KMS to meet these requirements?
A. onfigure IAM KMS and use a custom key store
B. onfigure IAM KMS and use the default Key store Create an IAM managed CMK with no key material Import the company's key material into the CMK
C. onfigure IAM KMS and use the default key store Create a customer managed CMK with no key material import the company's key material into the CMK
D. onfigure IAM KMS and use a custom key store
View answer
Correct Answer: A
Question #88
A systems engineer deployed containers from several custom-built images that an application team provided through a QA workflow The systems engineer used Amazon Elastic Container Service (Amazon ECS) with the Fargate launch type as the target platform The system engineer now needs to collect logs from all containers into an existing Amazon CloudWatch log group.Which solution will meet this requirement?
A. urn on the awslogs log driver by specifying parameters for awslogs-group and awslogs-region m the LogConfiguration property
B. ownload and configure the CloudWatch agent on the container instances
C. et up Fluent Bit and FluentO as a DaemonSet to send logs to Amazon CloudWatch Logs
D. onfigure an 1AM policy that includes the togs CreateLogGroup action Assign the policy to the container instances
View answer
Correct Answer: A
Question #89
A systems engineer deployed containers from several custom-built images that an application team provided through a QA workflow The systems engineer used Amazon Elastic Container Service (Amazon ECS) with the Fargate launch type as the target platform The system engineer now needs to collect logs from all containers into an existing Amazon CloudWatch log group.Which solution will meet this requirement?
A. urn on the awslogs log driver by specifying parameters for awslogs-group and awslogs-region m the LogConfiguration property
B. ownload and configure the CloudWatch agent on the container instances
C. et up Fluent Bit and FluentO as a DaemonSet to send logs to Amazon CloudWatch Logs
D. onfigure an 1AM policy that includes the togs CreateLogGroup action Assign the policy to the container instances
View answer
Correct Answer: A
Question #90
There is a requirement for a company to transfer large amounts of data between IAM and an on- premise location. There is an additional requirement for low latency and high consistency traffic to IAM. Given these requirements how would you design a hybrid architecture? Choose the correct answer from the options below.
A. rovision a Direct Connect connection to an IAM region using a Direct Connect partner
B. reate a VPN tunnel for private connectivity, which increases network consistency and reduces latency
C. reate an iPSec tunnel for private connectivity, which increases network consistency and reduces latency
D. reate a VPC peering connection between IAM and the Customer gateway
View answer
Correct Answer: A
Question #91
A company wants to remove all SSH keys permanently from a specific subset of its Amazon Linux 2 Amazon EC2 instances that are using the same 1AM instance profile However three individuals who have IAM user accounts will need to access these instances by using an SSH session to perform critical duties.How can a security engineer provide the access to meet these requirements'?
A. ssign an 1AM policy to the instance profile to allow the EC2 instances to be managed by AWS Systems Manager Provide the 1AM user accounts with permission to use Systems Manager Remove the SSH keys from the EC2 instances Use Systems Manager Inventory to select the EC2 instance and connect
B. ssign an 1AM policy to the 1AM user accounts to provide permission to use AWS Systems Manager Run Command Remove the SSH keys from the EC2 instances Use Run Command to open an SSH connection to the EC2 instance
C. ssign an 1AM policy to the instance profile to allow the EC2 instances to be managed by AWS Systems Manager Provide the 1AM user accounts with permission to use Systems Manager Remove the SSH keys from the EC2 instances Use Systems Manager Session Manager to select the EC2 instance and connect
D. ssign an 1AM policy to the 1AM user accounts to provide permission to use the EC2 service in the AWS Management Console Remove the SSH keys from the EC2 instances Connect to the EC2 instance as the ec2-user through the AWS Management Console's EC2 SSH client method
View answer
Correct Answer: C
Question #92
A company hosts an application on Amazon EC2 that is subject to specific rules for regulatory compliance. One rule states that traffic to and from the workload must be inspected for network- level attacks. This involves inspecting the whole packet.To comply with this regulatory rule, a security engineer must install intrusion detection software on a c5n.4xlarge EC2 instance. The engineer must then configure the software to monitor traffic to and from the application instances.What should the security engine
A. lace the network interface in promiscuous mode to capture the traffic
B. onfigure VPC Flow Logs to send traffic to the monitoring EC2 instance using a Network Load Balancer
C. onfigure VPC traffic mirroring to send traffic to the monitoring EC2 instance using a Network Load Balancer
D. se Amazon Inspector to detect network-level attacks and trigger an IAM Lambda function to send the suspicious packets to the EC2 instance
View answer
Correct Answer: D
Question #93
A security engineer needs to build a solution to turn IAM CloudTrail back on in multiple IAM Regions in case it is ever turned off.What is the MOST efficient way to implement this solution?
A. se IAM Config with a managed rule to trigger the IAM-EnableCloudTrail remediation
B. reate an Amazon EventBridge (Amazon CloudWatch Events) event with a cloudtrail
C. reate an Amazon CloudWatch alarm with a cloudtrail
D. onitor IAM Trusted Advisor to ensure CloudTrail logging is enabled
View answer
Correct Answer: B
Question #94
A company has an AWS Key Management Service (AWS KMS) customer managed key with imported key material Company policy requires all encryption keys to be rotated every year.What should a security engineer do to meet this requirement for this customer managed key?
A. nable automatic key rotation annually for the existing customer managed key
B. se the AWS CLI to create an AWS Lambda function to rotate the existing customer managed key annually
C. mport new key material to the existing customer managed key Manually rotate the key
D. reate a new customer managed key Import new key material to the new key Point the key alias to the new key
View answer
Correct Answer: A
Question #95
An Incident Response team is investigating an IAM access key leak that resulted in Amazon EC2 instances being launched. The company did not discover the incident until many months later The Director of Information Security wants to implement new controls that will alert when similar incidents happen in the future.Which controls should the company implement to achieve this? {Select TWO.)
A. he S3 bucket policy does not explicitly allow the Security Engineer access to the objects in the bucket
B. he object ACLs are not being updated to allow the users within the centralized account to access the objects
C. he Security Engineers IAM policy does not grant permissions to read objects in the S3 bucket
D. he s3:PutObject and s3:PutObjectAcl permissions should be applied at the S3 bucket level
View answer
Correct Answer: AE
Question #96
Your company is planning on using bastion hosts for administering the servers in IAM.Which of the following is the best description of a bastion host from a security perspective?
A. Bastion host should be on a private subnet and never a public subnet due to security concerns
B. Bastion host sits on the outside of an internal network and is used as a gateway into the private network and is considered the critical strong point of the network
C. astion hosts allow users to log in using RDP or SSH and use that session to S5H into internal network to access private subnet resources
D. Bastion host should maintain extremely tight security and monitoring as it is available to the public
View answer
Correct Answer: C
Question #97
An IT department currently has a Java web application deployed on Apache Tomcat running on Amazon EC2 instances. All traffic to the EC2 instances is sent through an internet-facing Application Load Balancer (ALB) The Security team has noticed during the past two days thousands of unusual read requests coming from hundreds of IP addresses. This is causing the Tomcat server to run out of threads and reject new connections.Which the SIMPLEST change that would address this server issue?
A. reate an Amazon CloudFront distribution and configure the ALB as the origin
B. lock the malicious IPs with a network access list (NACL)
C. reate an IAM Web Application Firewall (WAF)
D. ap the application domain name to use Route 53
View answer
Correct Answer: A
Question #98
A company is hosting a static website on Amazon S3 The company has configured an Amazon CloudFront distribution to serve the website contents The company has associated an IAM WAF web ACL with the CloudFront distribution. The web ACL ensures that requests originate from the United States to address compliance restrictions.THE company is worried that the S3 URL might still be accessible directly and that requests can bypass the CloudFront distribution.Which combination of steps should the company take to rem
A. nable Amazon Macie so that Secunty H jb will allow Detective to process findings from Macie
B. isable IAM Key Management Service (IAM KMS) encryption on CtoudTrail logs in every member account of the organization
C. nable Amazon GuardDuty on all member accounts Try to enable Detective in 48 hours
D. nsure that the principal that launches Detective has the organizations ListAccounts permission
View answer
Correct Answer: AD
Question #99
A company's engineering team is developing a new application that creates IAM Key Management Service (IAM KMS) CMK grants for users immediately after a grant IS created users must be able to use the CMK tu encrypt a 512-byte payload. During load testing, a bug appears |intermittently where AccessDeniedExceptions are occasionally triggered when a user first attempts to encrypt using the CMKWhich solution should the c0mpany`s security specialist recommend`?
A. nstruct users to implement a retry mechanism every 2 minutes until the call succeeds
B. nstruct the engineering team to consume a random grant token from users, and to call the CreateGrant operation, passing it the grant token
C. nstruct the engineering team to create a random name for the grant when calling the CreateGrant operation
D. nstruct the engineering team to pass the grant token returned in the CreateGrant response to users
View answer
Correct Answer: D
Question #100
A company needs a forensic-logging solution for hundreds of applications running in Docker on Amazon EC2 The solution must perform real-time analytics on the togs must support the replay of messages and must persist the logs.Which IAM services should be used to meet these requirements? (Select TWO)
A. n a recurring basis, update an IAM user policies to require that EC2 instances are created with an encrypted volume
B. onfigure an IAM Config rule lo run on a recurring basis 'or volume encryption
C. et up Amazon Inspector rules tor volume encryption to run on a recurring schedule
D. se CloudWatch Logs to determine whether instances were created with an encrypted volume
View answer
Correct Answer: BD
Question #101
A company wants to establish separate IAM Key Management Service (IAM KMS) keys to use for different IAM services. The company's security engineer created the following key policy lo allow the infrastructure deployment team to create encrypted Amazon Elastic Block Store (Amazon EBS) volumes by assuming the InfrastructureDeployment IAM role:The security engineer recently discovered that IAM roles other than the InfrastructureDeployment role used this key (or other services.Which change to the policy should t
A. n the statement block that contains the Sid "Allow use of the key", under the "Condition" block, change StringEquals to StringLike
B. n the policy document, remove the statement Dlock that contains the Sid "Enable IAM User Permissions"
C. n the statement block that contains the Sid "Allow use of the Key", under the "Condition" block, change the Kms:ViaService value to ec2
D. n the policy document, add a new statement block that grants the kms:Disable' permission to the security engineer's IAM role
View answer
Correct Answer: C
Question #102
A company's Chief Security Officer has requested that a Security Analyst review and improve the security posture of each company IAM account The Security Analyst decides to do this by Improving IAM account root user security.Which actions should the Security Analyst take to meet these requirements? (Select THREE.)
A. utbound SG configuration on database servers Inbound SG configuration on application servers inbound and outbound network ACL configuration on the database subnet Inbound and outbound network ACL configuration on the application server subnet
B. nbound SG configuration on database servers
C. nbound and outbound SG configuration on database servers Inbound and outbound SG configuration on application servers Inbound network ACL configuration on the database subnet Outbound network ACL configuration on the application server subnet
D. nbound SG configuration on database servers Outbound SG configuration on application servers Inbound network ACL configuration on the database subnet Outbound network ACL configuration on the application server subnet
View answer
Correct Answer: ADE
Question #103
A developer at a company uses an SSH key to access multiple Amazon EC2 instances. The company discovers that the SSH key has been posted on a public GitHub repository. A security engineer verifies that the key has not been used recently.How should the security engineer prevent unauthorized access to the EC2 instances?
A. elete the key pair from the EC2 console
B. se the ModifylnstanceAttribute API operation to change the key on any EC2 instance that is using the key
C. estrict SSH access in the security group to only known corporate IP addresses
D. pdate the key pair in any AMI that is used to launch the EC2 instances
View answer
Correct Answer: C
Question #104
A security engineer needs to create an IAM Key Management Service
A. emove the existing NAT gateway
B. onfigure the DB instance TMs inbound network ACL to deny traffic from the security group ID of the NAT gateway
C. odify the route tables of the DB instance subnets to remove the default route to the NAT gateway
D. onfigure the route table of the NAT gateway to deny connections to the DB instance subnets
View answer
Correct Answer: A
Question #105
A company hosts an end user application on AWS Currently the company deploys the application on Amazon EC2 instances behind an Elastic Load Balancer The company wants to configure end-to-end encryption between the Elastic Load Balancer and the EC2 instances.Which solution will meet this requirement with the LEAST operational effort?
A. se Amazon issued AWS Certificate Manager (ACM) certificates on the EC2 instances and the Elastic Load Balancer to configure end-to-end encryption
B. mport a third-party SSL certificate to AWS Certificate Manager (ACM) Install the third-party certificate on the EC2 instances Associate the ACM imported third-party certificate with the Elastic Load Balancer
C. eploy AWS CloudHSM Import a third-party certificate Configure the EC2 instances and the Elastic Load Balancer to use the CloudHSM imported certificate
D. mport a third-party certificate bundle to AWS Certificate Manager (ACM) Install the third-party certificate on the EC2 instances Associate the ACM imported third-party certificate with the Elastic Load Balancer
View answer
Correct Answer: A

View The Updated AWS Exam Questions

SPOTO Provides 100% Real AWS Exam Questions for You to Pass Your AWS Exam!

View Answers after Submission

Please submit your email and WhatsApp to get the answers of questions.

Note: Please make sure your email ID and Whatsapp are valid so that you can get the correct exam results.

Email:
Whatsapp/phone number: