Welcome to PassExamHub's comprehensive study guide for the AWS Certified Security - Specialty exam. Our SCS-C02 dumps are designed to equip you with the knowledge and resources you need to confidently prepare for and succeed in the SCS-C02 certification exam.
PassExamHub's SCS-C02 dumps PDF is carefully crafted to provide you with a comprehensive and effective learning experience. Our study material includes:
In-depth Content: Our study guide covers all the key concepts, topics, and skills you need to master for the SCS-C02 exam. Each topic is explained in a clear and concise manner, making it easy to understand even the most complex concepts.
Online Test Engine: Test your knowledge and build your confidence with a wide range of practice questions that simulate the actual exam format. Our test engine covers every exam objective and provides detailed explanations for both correct and incorrect answers.
Exam Strategies: Get valuable insights into exam-taking strategies, time management, and how to approach different types of questions.
Real-world Scenarios: Gain practical insights into applying your knowledge in real-world scenarios, ensuring you're well-prepared to tackle challenges in your professional career.
Expertise: Our SCS-C02 exam questions and answers are developed by experienced Amazon certified professionals who have a deep understanding of the exam objectives and industry best practices.
Comprehensive Coverage: We leave no stone unturned in covering every topic and skill that could appear on the SCS-C02 exam, ensuring you're fully prepared.
Engaging Learning: Our content is presented in a user-friendly and engaging format, making your study sessions enjoyable and effective.
Proven Success: Countless students have used our study materials to achieve their SCS-C02 certifications and advance their careers.
Start Your Journey Today!
Embark on your journey to AWS Certified Security - Specialty success with PassExamHub. Our study material is your trusted companion in preparing for the SCS-C02 exam and unlocking exciting career opportunities.
A company has AWS accounts in an organization in AWS Organizations. The organization includes a dedicated security account. All AWS account activity across all member accounts must be logged and reported to the dedicated security account. The company must retain all the activity logs in a secure storage location within the dedicated security account for 2 years. No changes or deletions of the logs are allowed. Which combination of steps will meet these requirements with the LEAST operational overhead? (Select TWO.)
A. In the dedicated security account, create an Amazon S3 bucket. Configure S3 Object Lock in compliance mode and a retention period of 2 years on the S3 bucket. Set the bucket policy to allow the organization's management account to write to the S3 bucket.
B. In the dedicated security account, create an Amazon S3 bucket. Configure S3 Object Lock in compliance mode and a retention period of 2 years on the S3 bucket. Set the bucket policy to allow the organization's member accounts to write to the S3 bucket.
C. In the dedicated security account, create an Amazon S3 bucket that has an S3 Lifecycle configuration that expires objects after 2 years. Set the bucket policy to allow the organization's member accounts to write to the S3 bucket.
D. Create an AWS CloudTrail trail for the organization. Configure logs to be delivered to the logging Amazon S3 bucket in the dedicated security account.
E. Turn on AWS CloudTrail in each account. Configure logs to be delivered to an Amazon S3 bucket that is created in the organization's management account. Forward the logs to the S3 bucket in the dedicated security account by using AWS Lambda and Amazon Kinesis Data Firehose.
A company wants to monitor the deletion of customer managed CMKs. A security engineer must create an alarm that will notify the company before a CMK is deleted. The security engineer has configured the integration of AWS CloudTrail with Amazon CloudWatch. What should the security engineer do next to meet this requirement?
A. Use inbound rule 100 to allow traffic on TCP port 443. Use inbound rule 200 to deny traffic on TCP port 3306. Use outbound rule 100 to allow traffic on TCP port 443.
B. Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port range 1024-65535. Use outbound rule 100 to allow traffic on TCP port 443.
C. Use inbound rule 100 to allow traffic on TCP port range 1024-65535. Use inbound rule 200 to deny traffic on TCP port 3306. Use outbound rule 100 to allow traffic on TCP port 443.
D. Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port 443. Use outbound rule 100 to allow traffic on TCP port 443.
A company has implemented AWS WAF and Amazon CloudFront for an application. The application runs on Amazon EC2 instances that are part of an Auto Scaling group. The Auto Scaling group is behind an Application Load Balancer (ALB). The AWS WAF web ACL uses an AWS Managed Rules rule group and is associated with the CloudFront distribution. CloudFront receives the request from AWS WAF and then uses the ALB as the distribution's origin. During a security review, a security engineer discovers that the infrastructure is susceptible to a large, layer 7 DDoS attack. How can the security engineer improve the security at the edge of the solution to defend against this type of attack?
A. Configure the CloudFront distribution to use the Lambda@Edge feature. Create an AWS Lambda function that imposes a rate limit on CloudFront viewer requests. Block the request if the rate limit is exceeded.
B. Configure the AWS WAF web ACL so that the web ACL has more capacity units to process all AWS WAF rules faster.
C. Configure AWS WAF with a rate-based rule that imposes a rate limit that automatically blocks requests when the rate limit is exceeded.
D. Configure the CloudFront distribution to use AWS WAF as its origin instead of the ALB.
An IT department currently has a Java web application deployed on Apache Tomcat running on Amazon EC2 instances. All traffic to the EC2 instances is sent through an internet-facing Application Load Balancer (ALB). The Security team has noticed during the past two days thousands of unusual read requests coming from hundreds of IP addresses. This is causing the Tomcat server to run out of threads and reject new connections. Which is the SIMPLEST change that would address this server issue?
A. Create an Amazon CloudFront distribution and configure the ALB as the origin.
B. Block the malicious IPs with a network access control list (NACL).
C. Create an AWS Web Application Firewall (WAF) and attach it to the ALB.
D. Map the application domain name to use Route 53.
A company recently had a security audit in which the auditors identified multiple potential threats. These potential threats can cause usage pattern changes such as DNS access peaks, abnormal instance traffic, abnormal network interface traffic, and unusual Amazon S3 API calls. The threats can come from different sources and can occur at any time. The company needs to implement a solution to continuously monitor its system and identify all these incoming threats in near-real time. Which solution will meet these requirements?
A. Enable AWS CloudTrail logs, VPC flow logs, and DNS logs. Use Amazon CloudWatch Logs to manage these logs from a centralized account.
B. Enable AWS CloudTrail logs, VPC flow logs, and DNS logs. Use Amazon Macie to monitor these logs from a centralized account.
C. Enable Amazon GuardDuty from a centralized account. Use GuardDuty to manage AWS CloudTrail logs, VPC flow logs, and DNS logs.
D. Enable Amazon Inspector from a centralized account. Use Amazon Inspector to manage AWS CloudTrail logs, VPC flow logs, and DNS logs.
A company has multiple Amazon S3 buckets encrypted with customer-managed CMKs. Due to regulatory requirements, the keys must be rotated every year. The company's Security Engineer has enabled automatic key rotation for the CMKs; however, the company wants to verify that the rotation has occurred. What should the Security Engineer do to accomplish this?
A. Filter AWS CloudTrail logs for KeyRotation events.
B. Monitor Amazon CloudWatch Events for any AWS KMS CMK rotation events.
C. Using the AWS CLI, run the aws kms get-key-rotation-status operation with the --key-id parameter to check the CMK rotation date.
D. Use Amazon Athena to query AWS CloudTrail logs saved in an S3 bucket to filter GenerateNewKey events.
A security engineer needs to build a solution to turn AWS CloudTrail back on in multiple AWS Regions in case it is ever turned off. What is the MOST efficient way to implement this solution?
A. Use AWS Config with a managed rule to trigger the AWS-EnableCloudTrail remediation.
B. Create an Amazon EventBridge (Amazon CloudWatch Events) event with a cloudtrail.amazonaws.com event source and a StartLogging event name to trigger an AWS Lambda function to call the StartLogging API.
C. Create an Amazon CloudWatch alarm with a cloudtrail.amazonaws.com event source and a StopLogging event name to trigger an AWS Lambda function to call the StartLogging API.
D. Monitor AWS Trusted Advisor to ensure CloudTrail logging is enabled.
An application is running on an Amazon EC2 instance that has an IAM role attached. The IAM role provides access to an AWS Key Management Service (AWS KMS) customer managed key and an Amazon S3 bucket. The key is used to access 2 TB of sensitive data that is stored in the S3 bucket. A security engineer discovers a potential vulnerability on the EC2 instance that could result in the compromise of the sensitive data. Due to other critical operations, the security engineer cannot immediately shut down the EC2 instance for vulnerability patching. What is the FASTEST way to prevent the sensitive data from being exposed?
A. Download the data from the existing S3 bucket to a new EC2 instance. Then delete the data from the S3 bucket. Re-encrypt the data with a client-based key. Upload the data to a new S3 bucket.
B. Block access to the public range of S3 endpoint IP addresses by using a host-based firewall. Ensure that internet-bound traffic from the affected EC2 instance is routed through the host-based firewall.
C. Revoke the IAM role's active session permissions. Update the S3 bucket policy to deny access to the IAM role. Remove the IAM role from the EC2 instance profile.
D. Disable the current key. Create a new KMS key that the IAM role does not have access to, and re-encrypt all the data with the new key. Schedule the compromised key for deletion.
A company uses Amazon API Gateway to present REST APIs to users. An API developer wants to analyze API access patterns without the need to parse the log files. Which combination of steps will meet these requirements with the LEAST effort? (Select TWO.)
A. Configure access logging for the required API stage.
B. Configure an AWS CloudTrail trail destination for API Gateway events. Configure filters on the userIdentity, userAgent, and sourceIPAddress fields.
C. Configure an Amazon S3 destination for API Gateway logs. Run Amazon Athena queries to analyze API access information.
D. Use Amazon CloudWatch Logs Insights to analyze API access information.
E. Select the Enable Detailed CloudWatch Metrics option on the required API stage.
A company has an application that uses dozens of Amazon DynamoDB tables to store data. Auditors find that the tables do not comply with the company's data protection policy. The company's retention policy states that all data must be backed up twice each month: once at midnight on the 15th day of the month and again at midnight on the 25th day of the month. The company must retain the backups for 3 months. Which combination of steps should a security engineer take to meet these requirements? (Select TWO.)
A. Use the DynamoDB on-demand backup capability to create a backup plan. Configure a lifecycle policy to expire backups after 3 months.
B. Use AWS DataSync to create a backup plan. Add a backup rule that includes a retention period of 3 months.
C. Use AWS Backup to create a backup plan. Add a backup rule that includes a retention period of 3 months.
D. Set the backup frequency by using a cron schedule expression. Assign each DynamoDB table to the backup plan.
E. Set the backup frequency by using a rate schedule expression. Assign each DynamoDB table to the backup plan.
A company has multiple departments. Each department has its own AWS account. All these accounts belong to the same organization in AWS Organizations. A large .csv file is stored in an Amazon S3 bucket in the sales department's AWS account. The company wants to allow users from the other accounts to access the .csv file's content through the combination of AWS Glue and Amazon Athena. However, the company does not want to allow users from the other accounts to access other files in the same folder. Which solution will meet these requirements?
A. Apply a user policy in the other accounts to allow AWS Glue and Athena to access the .csv file.
B. Use S3 Select to restrict access to the .csv file. In the AWS Glue Data Catalog, use S3 Select as the source of the AWS Glue database.
C. Define an AWS Glue Data Catalog resource policy in AWS Glue to grant cross-account S3 object access to the .csv file.
D. Grant AWS Glue access to Amazon S3 in a resource-based policy that specifies the organization as the principal.
A development team is attempting to encrypt and decode a secure string parameter from the AWS Systems Manager Parameter Store using an AWS Key Management Service (AWS KMS) CMK. However, each attempt results in an error message being sent to the development team. Which CMK-related problems possibly account for the error? (Select two.)
A. The CMK used in the attempt does not exist.
B. The CMK used in the attempt needs to be rotated.
C. The CMK used in the attempt is using the CMK's key ID instead of the CMK ARN.
D. The CMK used in the attempt is not enabled.
E. The CMK used in the attempt is using an alias.
A company in France uses Amazon Cognito with the Cognito Hosted UI as an identity broker for sign-in and sign-up processes. The company is marketing an application and expects that all the application's users will come from France. When the company launches the application, the company's security team observes fraudulent sign-ups for the application. Most of the fraudulent registrations are from users outside of France. The security team needs a solution to perform custom validation at sign-up. Based on the results of the validation, the solution must accept or deny the registration request. Which combination of steps will meet these requirements? (Select TWO.)
A. Create a pre sign-up AWS Lambda trigger. Associate the Amazon Cognito function with the Amazon Cognito user pool.
B. Use a geographic match rule statement to configure an AWS WAF web ACL. Associate the web ACL with the Amazon Cognito user pool.
C. Configure an app client for the application's Amazon Cognito user pool. Use the app client ID to validate the requests in the hosted UI.
D. Update the application's Amazon Cognito user pool to configure a geographic restriction setting.
E. Use Amazon Cognito to configure a social identity provider (IdP) to validate the requests on the hosted UI.
A company's AWS account consists of approximately 300 IAM users. Now there is a mandate that an access change is required for 100 IAM users to have unlimited privileges to S3. As a system administrator, how can you implement this effectively so that there is no need to apply the policy at the individual user level?
A. Create a new role and add each user to the IAM role.
B. Use IAM groups and add users, based upon their role, to different groups and apply the policy to the group.
C. Create a policy and apply it to multiple users using a JSON script.
D. Create an S3 bucket policy with unlimited access which includes each user's IAM account ID.
A company needs to encrypt all of its data stored in Amazon S3. The company wants to use AWS Key Management Service (AWS KMS) to create and manage its encryption keys. The company's security policies require the ability to import the company's own key material for the keys, set an expiration date on the keys, and delete keys immediately, if needed. How should a security engineer set up AWS KMS to meet these requirements?
A. Configure AWS KMS and use a custom key store. Create a customer managed CMK with no key material. Import the company's keys and key material into the CMK.
B. Configure AWS KMS and use the default key store. Create an AWS managed CMK with no key material. Import the company's key material into the CMK.
C. Configure AWS KMS and use the default key store. Create a customer managed CMK with no key material. Import the company's key material into the CMK.
D. Configure AWS KMS and use a custom key store. Create an AWS managed CMK with no key material. Import the company's key material into the CMK.
A company has an organization in AWS Organizations. The company wants to use AWS CloudFormation StackSets in the organization to deploy various AWS design patterns into environments. These patterns consist of Amazon EC2 instances, Elastic Load Balancing (ELB) load balancers, Amazon RDS databases, and Amazon Elastic Kubernetes Service (Amazon EKS) clusters or Amazon Elastic Container Service (Amazon ECS) clusters. Currently, the company's developers can create their own CloudFormation stacks to increase the overall speed of delivery. A centralized CI/CD pipeline in a shared services AWS account deploys each CloudFormation stack. The company's security team has already provided requirements for each service in accordance with internal standards. If there are any resources that do not comply with the internal standards, the security team must receive notification to take appropriate action. The security team must implement a notification solution that gives developers the ability to maintain the same overall delivery speed that they currently have. Which solution will meet these requirements in the MOST operationally efficient way?
A. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team's email addresses to the SNS topic. Create a custom AWS Lambda function that will run the aws cloudformation validate-template AWS CLI command on all CloudFormation templates before the build stage in the CI/CD pipeline. Configure the CI/CD pipeline to publish a notification to the SNS topic if any issues are found.
B. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team's email addresses to the SNS topic. Create custom rules in CloudFormation Guard for each resource configuration. In the CI/CD pipeline, before the build stage, configure a Docker image to run the cfn-guard command on the CloudFormation template. Configure the CI/CD pipeline to publish a notification to the SNS topic if any issues are found.
C. Create an Amazon Simple Notification Service (Amazon SNS) topic and an Amazon Simple Queue Service (Amazon SQS) queue. Subscribe the security team's email addresses to the SNS topic. Create an Amazon S3 bucket in the shared services AWS account. Include an event notification to publish to the SQS queue when new objects are added to the S3 bucket. Require the developers to put their CloudFormation templates in the S3 bucket. Launch EC2 instances that automatically scale based on the SQS queue depth. Configure the EC2 instances to use CloudFormation Guard to scan the templates and deploy the templates if there are no issues. Configure the CI/CD pipeline to publish a notification to the SNS topic if any issues are found.
D. Create a centralized CloudFormation stack set that includes a standard set of resources that the developers can deploy in each AWS account. Configure each CloudFormation template to meet the security requirements. For any new resources or configurations, update the CloudFormation template and send the template to the security team for review. When the review is completed, add the new CloudFormation stack to the repository for the developers to use.
A company's policy requires that all API keys be encrypted and stored separately from source code in a centralized security account. This security account is managed by the company's security team. However, an audit revealed that an API key is stored with the source code of an AWS Lambda function in an AWS CodeCommit repository in the DevOps account. How should the security team securely store the API key?
A. Create a CodeCommit repository in the security account using AWS Key Management Service (AWS KMS) for encryption. Require the development team to migrate the Lambda source code to this repository.
B. Store the API key in an Amazon S3 bucket in the security account using server-side encryption with Amazon S3 managed encryption keys (SSE-S3) to encrypt the key. Create a presigned URL for the S3 key, and specify the URL in a Lambda environment variable in the AWS CloudFormation template. Update the Lambda function code to retrieve the key using the URL and call the API.
C. Create a secret in AWS Secrets Manager in the security account to store the API key using AWS Key Management Service (AWS KMS) for encryption. Grant access to the IAM role used by the Lambda function so that the function can retrieve the key from Secrets Manager and call the API.
D. Create an encrypted environment variable for the Lambda function to store the API key using AWS Key Management Service (AWS KMS) for encryption. Grant access to the IAM role used by the Lambda function so that the function can decrypt the key at runtime.
Example.com is hosted on Amazon EC2 instances behind an Application Load Balancer (ALB). Third-party host intrusion detection system (HIDS) agents that capture the traffic of the EC2 instance are running on each host. The company must ensure they are using privacy enhancing technologies for users, without losing the assurance the third-party solution offers. What is the MOST secure way to meet these requirements?
A. Enable TLS pass-through on the ALB, and handle decryption at the server using Elliptic Curve Diffie-Hellman (ECDHE) cipher suites.
B. Create a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie-Hellman (ECDHE) cipher suites, and pass the traffic in the clear to the server.
C. Create a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie-Hellman (ECDHE) cipher suites, and use encrypted connections to the servers that do not enable Perfect Forward Secrecy (PFS).
D. Create a listener on the ALB that does not enable Perfect Forward Secrecy (PFS) cipher suites, and use encrypted connections to the servers using Elliptic Curve Diffie-Hellman (ECDHE) cipher suites.
A company wants to receive an email notification about critical findings in AWS Security Hub. The company does not have an existing architecture that supports this functionality. Which solution will meet the requirement?
A. Create an AWS Lambda function to identify critical Security Hub findings. Create an Amazon Simple Notification Service (Amazon SNS) topic as the target of the Lambda function. Subscribe an email endpoint to the SNS topic to receive published messages.
B. Create an Amazon Kinesis Data Firehose delivery stream. Integrate the delivery stream with Amazon EventBridge. Create an EventBridge rule that has a filter to detect critical Security Hub findings. Configure the delivery stream to send the findings to an email address.
C. Create an Amazon EventBridge rule to detect critical Security Hub findings. Create an Amazon Simple Notification Service (Amazon SNS) topic as the target of the EventBridge rule. Subscribe an email endpoint to the SNS topic to receive published messages.
D. Create an Amazon EventBridge rule to detect critical Security Hub findings. Create an Amazon Simple Email Service (Amazon SES) topic as the target of the EventBridge rule. Use the Amazon SES API to format the message. Choose an email address to be the recipient of the message.
A company has recently recovered from a security incident that required the restoration of Amazon EC2 instances from snapshots. After performing a gap analysis of its disaster recovery procedures and backup strategies, the company is concerned that, next time, it will not be able to recover the EC2 instances if the AWS account was compromised and Amazon EBS snapshots were deleted. All EBS snapshots are encrypted using an AWS KMS CMK. Which solution would solve this problem?
A. Create a new Amazon S3 bucket. Use EBS lifecycle policies to move EBS snapshots to the new S3 bucket. Move snapshots to Amazon S3 Glacier using lifecycle policies, and apply Glacier Vault Lock policies to prevent deletion.
B. Use AWS Systems Manager to distribute a configuration that performs local backups of all attached disks to Amazon S3.
C. Create a new AWS account with limited privileges. Allow the new account to access the AWS KMS key used to encrypt the EBS snapshots, and copy the encrypted snapshots to the new account on a recurring basis.
D. Use AWS Backup to copy EBS snapshots to Amazon S3.
A company uses AWS Organizations to manage a multi-account AWS environment in a single AWS Region. The organization's management account is named management-01. The company has turned on AWS Config in all accounts in the organization. The company has designated an account named security-01 as the delegated administrator for AWS Config. All accounts report the compliance status of each account's rules to the AWS Config delegated administrator account by using an AWS Config aggregator. Each account administrator can configure and manage the account's own AWS Config rules to handle each account's unique compliance requirements. A security engineer needs to implement a solution to automatically deploy a set of 10 AWS Config rules to all existing and future AWS accounts in the organization. The solution must turn on AWS Config automatically during account creation. Which combination of steps will meet these requirements? (Select TWO.)
A. Create an AWS CloudFormation template that contains the 10 required AWS Config rules. Deploy the template by using CloudFormation StackSets in the security-01 account.
B. Create a conformance pack that contains the 10 required AWS Config rules. Deploy the conformance pack from the security-01 account.
C. Create a conformance pack that contains the 10 required AWS Config rules. Deploy the conformance pack from the management-01 account.
D. Create an AWS CloudFormation template that will activate AWS Config. Deploy the template by using CloudFormation StackSets in the security-01 account.
E. Create an AWS CloudFormation template that will activate AWS Config. Deploy the template by using CloudFormation StackSets in the management-01 account.
A company uses an external identity provider to allow federation into different AWS accounts. A security engineer for the company needs to identify the federated user that terminated a production Amazon EC2 instance a week ago. What is the FASTEST way for the security engineer to identify the federated user?
A. Review the AWS CloudTrail event history logs in an Amazon S3 bucket and look for the TerminateInstances event to identify the federated user from the role session name.
B. Filter the AWS CloudTrail event history for the TerminateInstances event and identify the assumed IAM role. Review the AssumeRoleWithSAML event call in CloudTrail to identify the corresponding username.
C. Search the AWS CloudTrail logs for the TerminateInstances event and note the event time. Review the IAM Access Advisor tab for all federated roles. The last accessed time should match the time when the instance was terminated.
D. Use Amazon Athena to run a SQL query on the AWS CloudTrail logs stored in an Amazon S3 bucket and filter on the TerminateInstances event. Identify the corresponding role and run another query to filter the AssumeRoleWithWebIdentity event for the username.
A company is using an AWS Key Management Service (AWS KMS) AWS owned key in its application to encrypt files in an AWS account. The company's security team wants the ability to change to new key material for new files whenever a potential key breach occurs. A security engineer must implement a solution that gives the security team the ability to change the key whenever the team wants to do so. Which solution will meet these requirements?
A. Create a new customer managed key. Add a key rotation schedule to the key. Invoke the key rotation schedule every time the security team requests a key change.
B. Create a new AWS managed key. Add a key rotation schedule to the key. Invoke the key rotation schedule every time the security team requests a key change.
C. Create a key alias. Create a new customer managed key every time the security team requests a key change. Associate the alias with the new key.
D. Create a key alias. Create a new AWS managed key every time the security team requests a key change. Associate the alias with the new key.
A company has two VPCs in the same AWS Region and in the same AWS account. Each VPC uses a CIDR block that does not overlap with the CIDR block of the other VPC. One VPC contains AWS Lambda functions that run inside a subnet that accesses the internet through a NAT gateway. The Lambda functions require access to a publicly accessible Amazon Aurora MySQL database that is running in the other VPC. A security engineer determines that the Aurora database uses a security group rule that allows connections from the NAT gateway IP address that the Lambda functions use. The company's security policy states that no database should be publicly accessible. What is the MOST secure way that the security engineer can provide the Lambda functions with access to the Aurora database?
A. Move the Aurora database into a private subnet that has no internet access routes in the database's current VPC. Configure the Lambda functions to use the Aurora database's new private IP address to access the database. Configure the Aurora database's security group to allow access from the private IP addresses of the Lambda functions.
B. Establish a VPC endpoint between the two VPCs. In the Aurora database's VPC, configure a service VPC endpoint for Amazon RDS. In the Lambda functions' VPC, configure an interface VPC endpoint that uses the service endpoint in the Aurora database's VPC. Configure the service endpoint to allow connections from the Lambda functions.
C. Establish an AWS Direct Connect interface between the VPCs. Configure the Lambda functions to use a new route table that accesses the Aurora database through the Direct Connect interface. Configure the Aurora database's security group to allow access from the Direct Connect interface IP address.
D. Move the Lambda functions into a public subnet in their VPC. Move the Aurora database into a private subnet in its VPC. Configure the Lambda functions to use the Aurora database's new private IP address to access the database. Configure the Aurora database to allow access from the public IP addresses of the Lambda functions.
An Incident Response team is investigating an IAM access key leak that resulted in Amazon EC2 instances being launched. The company did not discover the incident until many months later. The Director of Information Security wants to implement new controls that will alert when similar incidents happen in the future. Which controls should the company implement to achieve this? (Select TWO.)
A. Enable VPC Flow Logs in all VPCs. Create a scheduled AWS Lambda function that downloads and parses the logs, and sends an Amazon SNS notification for violations.
B. Use AWS CloudTrail to make a trail, and apply it to all Regions. Specify an Amazon S3 bucket to receive all the CloudTrail log files.
C. Add the following bucket policy to the company's AWS CloudTrail bucket to prevent log tampering: {"Version": "2012-10-17", "Statement": {"Effect": "Deny", "Action": "s3:PutObject", "Principal": "*", "Resource": "arn:aws:s3:::cloudtrail/AWSLogs/111122223333/*"}} Create an Amazon S3 data event for any PutObject attempts, which sends notifications to an Amazon SNS topic.
D. Create a Security Auditor role with permissions to access Amazon CloudWatch Logs in all Regions. Ship the logs to an Amazon S3 bucket and make a lifecycle policy to ship the logs to Amazon S3 Glacier.
E. Verify that Amazon GuardDuty is enabled in all Regions, and create an Amazon CloudWatch Events rule for Amazon GuardDuty findings. Add an Amazon SNS topic as the rule's target.
A company that uses AWS Organizations wants to see AWS Security Hub findings for many AWS accounts and AWS Regions. Some of the accounts are in the company's organization, and some accounts are in organizations that the company manages for customers. Although the company can see findings in the Security Hub administrator account for accounts in the company's organization, there are no findings from accounts in other organizations. Which combination of steps should the company take to see findings from accounts that are outside the organization that includes the Security Hub administrator account? (Select TWO.)
A. Use a designated administration account to automatically set up member accounts.
B. Create the AWSServiceRoleForSecurityHub service-linked role for Security Hub.
C. Send an administration request from the member accounts.
D. Enable Security Hub for all member accounts.
E. Send invitations to accounts that are outside the company's organization from the Security Hub administrator account.
A company is running workloads in a single AWS account on Amazon EC2 instances and Amazon EMR clusters. A recent security audit revealed that multiple Amazon Elastic Block Store (Amazon EBS) volumes and snapshots are not encrypted. The company's security engineer is working on a solution that will allow users to deploy EC2 instances and EMR clusters while ensuring that all new EBS volumes and EBS snapshots are encrypted at rest. The solution must also minimize operational overhead. Which steps should the security engineer take to meet these requirements?
A. Create an Amazon EventBridge (Amazon CloudWatch Events) event with an EC2 instance as the source and CreateVolume as the event trigger. When the event is triggered, invoke an AWS Lambda function to evaluate and notify the security engineer if the EBS volume that was created is not encrypted.
B. Use a customer managed IAM policy that will verify that the encryption flag of the CreateVolume context is set to true. Apply this rule to all users.
C. Create an AWS Config rule to evaluate the configuration of each EC2 instance on creation or modification. Have the AWS Config rule trigger an AWS Lambda function to alert the security team and terminate the instance if the EBS volume is not encrypted.
D. Use the AWS Management Console or AWS CLI to enable encryption by default for EBS volumes in each AWS Region where the company operates.
A security engineer needs to implement a solution to create and control the keys that a company uses for cryptographic operations. The security engineer must create symmetric keys in which the key material is generated and used within a custom key store that is backed by an AWS CloudHSM cluster. The security engineer will use symmetric and asymmetric data key pairs for local use within applications. The security engineer also must audit the use of the keys. How can the security engineer meet these requirements?
A. To create the keys, use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluster. For auditing, use Amazon Athena.
B. To create the keys, use Amazon S3 and the custom key stores with the CloudHSM cluster. For auditing, use AWS CloudTrail.
C. To create the keys, use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluster. For auditing, use Amazon GuardDuty.
D. To create the keys, use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluster. For auditing, use AWS CloudTrail.
A security engineer receives an AWS abuse email message. According to the message, an Amazon EC2 instance that is running in the security engineer's AWS account is sending phishing email messages. The EC2 instance is part of an application that is deployed in production. The application runs on many EC2 instances behind an Application Load Balancer. The instances run in an Amazon EC2 Auto Scaling group across multiple subnets and multiple Availability Zones. The instances normally communicate only over the HTTP, HTTPS, and MySQL protocols. Upon investigation, the security engineer discovers that email messages are being sent over port 587. All other traffic is normal. The security engineer must create a solution that contains the compromised EC2 instance, preserves forensic evidence for analysis, and minimizes application downtime. Which combination of steps must the security engineer take to meet these requirements? (Select THREE.)
A. Add an outbound rule to the security group that is attached to the compromised EC2 instance to deny traffic to 0.0.0.0/0 and port 587.
B. Add an outbound rule to the network ACL for the subnet that contains the compromised EC2 instance to deny traffic to 0.0.0.0/0 and port 587.
C. Gather volatile memory from the compromised EC2 instance. Suspend the compromised EC2 instance from the Auto Scaling group. Then take a snapshot of the compromised EC2 instance.
D. Take a snapshot of the compromised EC2 instance. Suspend the compromised EC2 instance from the Auto Scaling group. Then gather volatile memory from the compromised EC2 instance.
E. Move the compromised EC2 instance to an isolated subnet that has a network ACL that has no inbound rules or outbound rules.
F. Replace the existing security group that is attached to the compromised EC2 instance with a new security group that has no inbound rules or outbound rules.
A company's on-premises networks are connected to VPCs using an AWS Direct Connect gateway. The company's on-premises application needs to stream data using an existing Amazon Kinesis Data Firehose delivery stream. The company's security policy requires that data be encrypted in transit using a private network. How should the company meet these requirements?
A. Create a VPC endpoint for Kinesis Data Firehose. Configure the application to connect to the VPC endpoint.
B. Configure an IAM policy to restrict access to Kinesis Data Firehose using a source IP condition. Configure the application to connect to the existing Firehose delivery stream.
C. Create a new TLS certificate in AWS Certificate Manager (ACM). Create a public-facing Network Load Balancer (NLB) and select the newly created TLS certificate. Configure the NLB to forward all traffic to Kinesis Data Firehose. Configure the application to connect to the NLB.
D. Peer the on-premises network with the Kinesis Data Firehose VPC using Direct Connect. Configure the application to connect to the existing Firehose delivery stream.
A company hosts a web application on an Apache web server. The application runs on Amazon EC2 instances that are in an Auto Scaling group. The company configured the EC2 instances to send the Apache web server logs to an Amazon CloudWatch Logs group that the company has configured to expire after 1 year. Recently, the company discovered in the Apache web server logs that a specific IP address is sending suspicious requests to the web application. A security engineer wants to analyze the past week of Apache web server logs to determine how many requests the IP address sent and the corresponding URLs that the IP address requested. What should the security engineer do to meet these requirements with the LEAST effort?
A. Export the CloudWatch Logs group data to Amazon S3. Use Amazon Macie to query the logs for the specific IP address and the requested URLs.
B. Configure a CloudWatch Logs subscription to stream the log group to an Amazon OpenSearch Service cluster. Use OpenSearch Service to analyze the logs for the specific IP address and the requested URLs.
C. Use CloudWatch Logs Insights and a custom query syntax to analyze the CloudWatch logs for the specific IP address and the requested URLs.
D. Export the CloudWatch Logs group data to Amazon S3. Use AWS Glue to crawl the S3 bucket for only the log entries that contain the specific IP address. Use AWS Glue to view the results.
A company has a set of EC2 instances hosted in AWS. The EC2 instances have EBS volumes which are used to store critical information. There is a business continuity requirement to ensure high availability for the EBS volumes. How can you achieve this?
A. Use lifecycle policies for the EBS volumes
B. Use EBS Snapshots
C. Use EBS volume replication
D. Use EBS volume encryption
A company has a large fleet of Linux Amazon EC2 instances and Windows EC2 instances that run in private subnets. The company wants all remote administration to be performed as securely as possible in the AWS Cloud. Which solution will meet these requirements?
A. Do not use SSH-RSA private keys during the launch of new instances. Implement AWS Systems Manager Session Manager.
B. Generate new SSH-RSA private keys for existing instances. Implement AWS Systems Manager Session Manager.
C. Do not use SSH-RSA private keys during the launch of new instances. Configure EC2 Instance Connect.
D. Generate new SSH-RSA private keys for existing instances. Configure EC2 Instance Connect.
A security engineer must troubleshoot an administrator's inability to make an existing Amazon S3 bucket public in an account that is part of an organization in AWS Organizations. The administrator switched the role from the master account to a member account and then attempted to make one S3 bucket public. This action was immediately denied. Which actions should the security engineer take to troubleshoot the permissions issue? (Select TWO.)
A. Review the cross-account role permissions and the S3 bucket policy. Verify that the Amazon S3 block public access option in the member account is deactivated.
B. Review the role permissions in the master account and ensure it has sufficient privileges to perform S3 operations.
C. Filter AWS CloudTrail logs for the master account to find the original deny event and update the cross-account role in the member account accordingly. Verify that the Amazon S3 block public access option in the master account is deactivated.
D. Evaluate the SCPs covering the member account and the permissions boundary of the role in the member account for missing permissions and explicit denies.
E. Ensure the S3 bucket policy explicitly allows the s3:PutBucketPublicAccess action for the role in the member account.
A team is using AWS Secrets Manager to store an application database password. Only a limited number of IAM principals within the account can have access to the secret. The principals who require access to the secret change frequently. A security engineer must create a solution that maximizes flexibility and scalability. Which solution will meet these requirements?
A. Use a role-based approach by creating an IAM role with an inline permissions policy that allows access to the secret. Update the IAM principals in the role trust policy as required.
B. Deploy a VPC endpoint for Secrets Manager. Create and attach an endpoint policy that specifies the IAM principals that are allowed to access the secret. Update the list of IAM principals as required.
C. Use a tag-based approach by attaching a resource policy to the secret. Apply tags to the secret and the IAM principals. Use the aws:PrincipalTag and aws:ResourceTag IAM condition keys to control access.
D. Use a deny-by-default approach by using IAM policies to deny access to the secret explicitly. Attach the policies to an IAM group. Add all IAM principals to the IAM group. Remove principals from the group when they need access. Add the principals to the group again when access is no longer allowed.
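The tag-based option above works because the secret's resource policy compares a tag on the caller with a tag on the secret, so onboarding a new principal means tagging it rather than editing the policy. The following is an added example, not part of the question bank: the policy is written in real IAM condition-key syntax, but condition_allows is a simplified model of only the StringEquals operator and policy-variable substitution (real IAM also evaluates identity policies, SCPs and the Principal element), and every ARN and tag value is constructed.

```python
"""
Tag-based (ABAC) access to a Secrets Manager secret, modelled on the
aws:PrincipalTag / aws:ResourceTag condition keys. Added example; the
evaluator covers only the StringEquals operator with ${aws:PrincipalTag/...}
substitution. Account ID, ARNs and tag values are constructed samples.
"""
import json
import re

_VARIABLE = re.compile(r"\$\{aws:PrincipalTag/([^}]+)\}")

# Resource policy attached to the secret. Access is granted when the caller's
# "team" principal tag equals the secret's "team" resource tag, so the policy
# itself never has to list individual principals.
SECRET_RESOURCE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowMatchingTeamTag",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "secretsmanager:GetSecretValue",
    "Resource": "*",
    "Condition": {
      "StringEquals": {"aws:ResourceTag/team": "${aws:PrincipalTag/team}"}
    }
  }]
}
""")


def resolve_variables(value, principal_tags):
    """Substitute ${aws:PrincipalTag/<key>} with the caller's tag value.
    Returns None when the caller lacks the tag, so the condition cannot match
    (the conservative outcome for an untagged principal)."""
    missing = False

    def repl(match):
        nonlocal missing
        tag = principal_tags.get(match.group(1))
        if tag is None:
            missing = True
            return ""
        return tag

    resolved = _VARIABLE.sub(repl, value)
    return None if missing else resolved


def condition_allows(condition, principal_tags, resource_tags):
    """Model of StringEquals: every aws:ResourceTag/<key> pair must hold.
    Keys outside the modelled subset are treated as not matching."""
    prefix = "aws:ResourceTag/"
    for key, expected in condition.get("StringEquals", {}).items():
        if not key.startswith(prefix):
            return False
        actual = resource_tags.get(key[len(prefix):])
        wanted = resolve_variables(expected, principal_tags)
        if actual is None or wanted is None or actual != wanted:
            return False
    return True


def statement_allows(statement, action, principal_tags, resource_tags):
    """True when an Allow statement names the action and its condition holds."""
    actions = statement["Action"]
    if not isinstance(actions, list):
        actions = [actions]
    if statement["Effect"] != "Allow" or action not in actions:
        return False
    return condition_allows(statement.get("Condition", {}),
                            principal_tags, resource_tags)


def can_read_secret(principal_tags, resource_tags,
                    action="secretsmanager:GetSecretValue"):
    """Evaluate the secret's resource policy for one caller and one secret."""
    return any(statement_allows(s, action, principal_tags, resource_tags)
               for s in SECRET_RESOURCE_POLICY["Statement"])


if __name__ == "__main__":
    secret_tags = {"team": "payments"}
    print("payments role:", can_read_secret({"team": "payments"}, secret_tags))
    print("billing role:", can_read_secret({"team": "billing"}, secret_tags))
    print("untagged role:", can_read_secret({}, secret_tags))
```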
A company has several workloads running on AWS. Employees are required to authenticate using on-premises ADFS and SSO to access the AWS Management Console. Developers migrated an existing legacy web application to an Amazon EC2 instance. Employees need to access this application from anywhere on the internet, but currently, there is no authentication system built into the application. How should the Security Engineer implement employee-only access to this system without changing the application?
A. Place the application behind an Application Load Balancer (ALB). Use Amazon Cognito as authentication for the ALB. Define a SAML-based Amazon Cognito user pool and connect it to ADFS.
B. Implement AWS SSO in the master account and link it to ADFS as an identity provider. Define the EC2 instance as a managed resource, then apply an IAM policy on the resource.
C. Define an Amazon Cognito identity pool, then install the connector on the Active Directory server. Use the Amazon Cognito SDK on the application instance to authenticate the employees using their Active Directory user names and passwords.
D. Create an AWS Lambda custom authorizer as the authenticator for a reverse proxy on Amazon EC2. Ensure the security group on Amazon EC2 only allows access from the Lambda function.
An AWS account that is used for development projects has a VPC that contains two subnets. The first subnet is named public-subnet-1 and has the CIDR block 192.168.1.0/24 assigned. The other subnet is named private-subnet-2 and has the CIDR block 192.168.2.0/24 assigned. Each subnet contains Amazon EC2 instances. Each subnet is currently using the VPC's default network ACL. The security groups that the EC2 instances in these subnets use have rules that allow traffic between each instance where required. Currently, all network traffic flow is working as expected between the EC2 instances that are using these subnets. A security engineer creates a new network ACL that is named subnet-2-NACL with default entries. The security engineer immediately configures private-subnet-2 to use the new network ACL and makes no other changes to the infrastructure. The security engineer starts to receive reports that the EC2 instances in public-subnet-1 and public-subnet-2 cannot communicate with each other. Which combination of steps should the security engineer take to allow the EC2 instances that are running in these two subnets to communicate again? (Select TWO.)
A. Add an outbound allow rule for 192.168.2.0/24 in the VPC's default network ACL.
B. Add an inbound allow rule for 192.168.2.0/24 in the VPC's default network ACL.
C. Add an outbound allow rule for 192.168.2.0/24 in subnet-2-NACL.
D. Add an inbound allow rule for 192.168.1.0/24 in subnet-2-NACL.
E. Add an outbound allow rule for 192.168.1.0/24 in subnet-2-NACL.
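A network ACL is stateless and ordered, which is why a freshly created custom NACL (only the catch-all deny in each direction) breaks traffic that the VPC's default NACL allowed, and why both an inbound and an outbound rule are needed to restore it. The following is an added example, not part of the question bank: a small model of that evaluation using the two CIDRs from the question; rule numbers, the sample client address and the ephemeral port are constructed.

```python
"""
Model of stateless network ACL evaluation for the subnet-2-NACL scenario.
Added example, not part of the question bank. The ordering and catch-all
semantics follow how VPC network ACLs are documented to behave; the rule
numbers, client address and ephemeral port below are constructed samples.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    number: int            # rules are evaluated from the lowest number upward
    cidr: str              # source CIDR for inbound rules, destination for outbound
    action: str            # "allow" or "deny"
    protocol: str = "-1"   # "-1" means every protocol
    port_from: int = 0
    port_to: int = 65535


def evaluate(rules, remote_ip, port, protocol="tcp"):
    """Decide one direction of one packet.

    The first matching rule (lowest number) wins. A newly created custom NACL
    has no numbered rules, so everything falls through to the catch-all deny.
    """
    ip = ipaddress.ip_address(remote_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if ip not in ipaddress.ip_network(rule.cidr):
            continue
        if rule.protocol not in ("-1", protocol):
            continue
        if not rule.port_from <= port <= rule.port_to:
            continue
        return rule.action
    return "deny"  # the implicit '*' rule


def connection_allowed(inbound, outbound, client_ip, server_port,
                       client_port, protocol="tcp"):
    """A NACL keeps no connection state, so a TCP exchange with an instance in
    the subnet needs two independent decisions: the request arriving on
    server_port, and the reply leaving towards the client's ephemeral port."""
    request = evaluate(inbound, client_ip, server_port, protocol)
    reply = evaluate(outbound, client_ip, client_port, protocol)
    return request == "allow" and reply == "allow"


# The VPC's default network ACL already allows all traffic both ways, which is
# why adding further allow rules to it (options A and B) changes nothing.
DEFAULT_NACL_IN = [NaclRule(100, "0.0.0.0/0", "allow")]
DEFAULT_NACL_OUT = [NaclRule(100, "0.0.0.0/0", "allow")]

# subnet-2-NACL as created: only the catch-all deny in each direction.
SUBNET_2_NACL_IN = []
SUBNET_2_NACL_OUT = []

# The repair: allow requests from 192.168.1.0/24 and replies back to it (the
# outbound rule is narrowed to TCP ephemeral ports as an illustration).
FIXED_SUBNET_2_NACL_IN = [NaclRule(100, "192.168.1.0/24", "allow")]
FIXED_SUBNET_2_NACL_OUT = [NaclRule(100, "192.168.1.0/24", "allow",
                                    "tcp", 1024, 65535)]

CLIENT_IN_SUBNET_1 = "192.168.1.10"   # constructed sample address


def subnet_1_can_reach_subnet_2(inbound, outbound, server_port=443):
    """Check for a client in public-subnet-1 using ephemeral port 40000."""
    return connection_allowed(inbound, outbound, CLIENT_IN_SUBNET_1,
                              server_port, 40000)


if __name__ == "__main__":
    print("default NACL:", subnet_1_can_reach_subnet_2(DEFAULT_NACL_IN, DEFAULT_NACL_OUT))
    print("new subnet-2-NACL:", subnet_1_can_reach_subnet_2(SUBNET_2_NACL_IN, SUBNET_2_NACL_OUT))
    print("inbound rule only:", subnet_1_can_reach_subnet_2(FIXED_SUBNET_2_NACL_IN, SUBNET_2_NACL_OUT))
    print("inbound and outbound:", subnet_1_can_reach_subnet_2(FIXED_SUBNET_2_NACL_IN, FIXED_SUBNET_2_NACL_OUT))
```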
A Security Engineer has been tasked with enabling AWS Security Hub to monitor Amazon EC2 instances for CVEs in a single AWS account. The Engineer has already enabled AWS Security Hub and Amazon Inspector in the AWS Management Console and has installed the Amazon Inspector agent on the EC2 instances that need to be monitored. Which additional steps should the Security Engineer take to meet this requirement?
A. Configure the Amazon Inspector agent to use the CVE rule package.
B. Configure the Amazon Inspector agent to use the CVE rule package. Configure Security Hub to ingest from Amazon Inspector by writing a custom resource policy.
C. Configure the Security Hub agent to use the CVE rule package. Configure Amazon Inspector to ingest from Security Hub by writing a custom resource policy.
D. Configure the Amazon Inspector agent to use the CVE rule package. Install an additional integration library. Allow the Amazon Inspector agent to communicate with Security Hub.
An ecommerce company has a web application architecture that runs primarily on containers. The application containers are deployed on Amazon Elastic Container Service (Amazon ECS). The container images for the application are stored in Amazon Elastic Container Registry (Amazon ECR). The company's security team is performing an audit of components of the application architecture. The security team identifies issues with some container images that are stored in the container repositories. The security team wants to address these issues by implementing continual scanning and on-push scanning of the container images. The security team needs to implement a solution that makes any findings from these scans visible in a centralized dashboard. The security team plans to use the dashboard to view these findings along with other security-related findings that they intend to generate in the future. There are specific repositories that the security team needs to exclude from the scanning process. Which solution will meet these requirements?
A. Use Amazon Inspector. Create inclusion rules in Amazon ECR to match repositories that need to be scanned. Push Amazon Inspector findings to AWS Security Hub.
B. Use ECR basic scanning of container images. Create inclusion rules in Amazon ECR to match repositories that need to be scanned. Push findings to AWS Security Hub.
C. Use ECR basic scanning of container images. Create inclusion rules in Amazon ECR to match repositories that need to be scanned. Push findings to Amazon Inspector.
D. Use Amazon Inspector. Create inclusion rules in Amazon Inspector to match repositories that need to be scanned. Push Amazon Inspector findings to AWS Config.
A company uses AWS Organizations and has production workloads across multiple AWS accounts. A security engineer needs to design a solution that will proactively monitor for suspicious behavior across all the accounts that contain production workloads. The solution must automate remediation of incidents across the production accounts. The solution also must publish a notification to an Amazon Simple Notification Service (Amazon SNS) topic when a critical security finding is detected. In addition, the solution must send all security incident logs to a dedicated account. Which solution will meet these requirements?
A. Activate Amazon GuardDuty in each production account. In a dedicated logging account, aggregate all GuardDuty logs from each production account. Remediate incidents by configuring GuardDuty to directly invoke an AWS Lambda function. Configure the Lambda function to also publish notifications to the SNS topic.
B. Activate AWS Security Hub in each production account. In a dedicated logging account, aggregate all Security Hub findings from each production account. Remediate incidents by using AWS Config and AWS Systems Manager. Configure Systems Manager to also publish notifications to the SNS topic.
C. Activate Amazon GuardDuty in each production account. In a dedicated logging account, aggregate all GuardDuty logs from each production account. Remediate incidents by using Amazon EventBridge to invoke a custom AWS Lambda function from the GuardDuty findings. Configure the Lambda function to also publish notifications to the SNS topic.
D. Activate AWS Security Hub in each production account. In a dedicated logging account, aggregate all Security Hub findings from each production account. Remediate incidents by using Amazon EventBridge to invoke a custom AWS Lambda function from the Security Hub findings. Configure the Lambda function to also publish notifications to the SNS topic.
A company's security engineer has been tasked with restricting a contractor's IAM account access to the company's Amazon EC2 console without providing access to any other AWS services. The contractor's IAM account must not be able to gain access to any other AWS service, even if the IAM account is assigned additional permissions based on IAM group membership. What should the security engineer do to meet these requirements?
A. Create an inline IAM user policy that allows for Amazon EC2 access for the contractor's IAM user.
B. Create an IAM permissions boundary policy that allows Amazon EC2 access. Associate the contractor's IAM account with the IAM permissions boundary policy.
C. Create an IAM group with an attached policy that allows for Amazon EC2 access. Associate the contractor's IAM account with the IAM group.
D. Create an IAM role that allows for EC2 and explicitly denies all other services. Instruct the contractor to always assume this role.
A company is planning to use Amazon Elastic File System (Amazon EFS) with its on-premises servers. The company has an existing AWS Direct Connect connection established between its on-premises data center and an AWS Region. Security policy states that the company's on-premises firewall should only have specific IP addresses added to the allow list and not a CIDR range. The company also wants to restrict access so that only certain data center-based servers have access to Amazon EFS. How should a security engineer implement this solution?
A. Add the file-system-id.efs.aws-region.amazonaws.com URL to the allow list for the data center firewall. Install the AWS CLI on the data center-based servers to mount the EFS file system. In the EFS security group, add the data center IP range to the allow list. Mount the EFS using the EFS file system name.
B. Assign an Elastic IP address to Amazon EFS and add the Elastic IP address to the allow list for the data center firewall. Install the AWS CLI on the data center-based servers to mount the EFS file system. In the EFS security group, add the IP addresses of the data center servers to the allow list. Mount the EFS using the Elastic IP address.
C. Add the EFS file system mount target IP addresses to the allow list for the data center firewall. In the EFS security group, add the data center server IP addresses to the allow list. Use the Linux terminal to mount the EFS file system using the IP address of one of the mount targets.
D. Assign a static range of IP addresses for the EFS file system by contacting AWS Support. In the EFS security group, add the data center server IP addresses to the allow list. Use the Linux terminal to mount the EFS file system using one of the static IP addresses.
A Network Load Balancer (NLB) target instance is not entering the InService state. A security engineer determines that health checks are failing. Which factors could cause the health check failures? (Select THREE.)
A. The target instance's security group does not allow traffic from the NLB.
B. The target instance's security group is not attached to the NLB.
C. The NLB's security group is not attached to the target instance.
D. The target instance's subnet network ACL does not allow traffic from the NLB.
E. The target instance's security group is not using IP addresses to allow traffic from the NLB.
F. The target network ACL is not attached to the NLB.
A security engineer recently rotated the host keys for an Amazon EC2 instance. The security engineer is trying to access the EC2 instance by using the EC2 Instance Connect feature. However, the security engineer receives an error for failed host key validation. Before the rotation of the host keys, EC2 Instance Connect worked correctly with this EC2 instance. What should the security engineer do to resolve this error?
A. Import the key material into AWS Key Management Service (AWS KMS).
B. Manually upload the new host key to the AWS trusted host keys database.
C. Ensure that the AmazonSSMManagedInstanceCore policy is attached to the EC2 instance profile.
D. Create a new SSH key pair for the EC2 instance.
A Security Engineer receives alerts that an Amazon EC2 instance on a public subnet is under an SFTP brute force attack from a specific IP address, which is a known malicious bot. What should the Security Engineer do to block the malicious bot?
A. Add a deny rule to the public VPC security group to block the malicious IP.
B. Add the malicious IP to AWS WAF blacklisted IPs.
C. Configure Linux iptables or Windows Firewall to block any traffic from the malicious IP.
D. Modify the hosted zone in Amazon Route 53 and create a DNS sinkhole for the malicious IP.
You work at a company that makes use of AWS resources. One of the key security policies is to ensure that all data is encrypted both at rest and in transit. Which of the following is one of the right ways to implement this? Please select:
A. Use S3 SSE and use SSL for data in transit
B. SSL termination on the ELB
C. Enabling Proxy Protocol
D. Enabling sticky sessions on your load balancer
A company discovers a billing anomaly in its AWS account. A security consultant investigates the anomaly and discovers that an employee who left the company 30 days ago still has access to the account. The company has not monitored account activity in the past. The security consultant needs to determine which resources have been deployed or reconfigured by the employee as quickly as possible. Which solution will meet these requirements?
A. In AWS Cost Explorer, filter chart data to display results from the past 30 days. Export the results to a data table. Group the data table by resource.
B. Use AWS Cost Anomaly Detection to create a cost monitor. Access the detection history. Set the time frame to Last 30 days. In the search area, choose the service category.
C. In AWS CloudTrail, filter the event history to display results from the past 30 days. Create an Amazon Athena table that contains the data. Partition the table by event source.
D. Use AWS Audit Manager to create an assessment for the past 30 days. Apply a usage-based framework to the assessment. Configure the assessment to assess by resource.