AWS Security Specialty Practice Exam Questions Free

AWS Certified Security - Specialty Exam Dumps

Domain	Weightage%
Domain 1: Threat Detection and Incident Response	14%
Domain 2: Security Logging and Monitoring	18%
Domain 3: Infrastructure Security	20%
Domain 4: Identity and Access Management	16%
Domain 5: Data Protection	18%
Domain 6: Management and Security Governance	14%

1 / 65

1. As a Security Specialist, you've been notified by a log analyzer regarding an alarming surge in traffic directed towards your application's login page, suggesting a potential brute force or credential-stuffing attack. The targeted application is shielded behind a Web Application Firewall (WAF) utilizing Amazon CloudFront and Amazon S3.

What is the primary course of action in response to this suspected attack?

A) Create a URI-specific rate-based WAF rule to prevent a single source IP address from connecting to the login page more than a defined threshold number of times, over a given period

B) Create a Blanket rate-based WAF rule to prevent a single source IP address from connecting to the application more than a defined threshold number of times, over a given period

C) Create an IP reputation rate-based WAF rule and completely block all web requests from the four open-source threat intelligence lists that AWS WAF Security Automations solution provides

D) Create a TCP-packet rate-based WAF rule to prevent a single source IP address from connecting to the login page more than a defined threshold number of times, over a given period

2 / 65

2. A big-data analytics company utilizes Amazon GuardDuty to detect potentially unauthorized, unforeseen, and malicious activities within its AWS environment. The security team seeks to automate the creation of tickets in a third-party ticketing system via email integration for all Low to Critical Severity findings.

As an AWS Certified Security Specialist, what solution would you recommend as the most optimal?

A) Create an Amazon EventBridge rule that includes an event pattern that matches Medium/High severity GuardDuty findings. Set up an Amazon Simple Notification Service (Amazon SNS) topic. Configure the third-party ticketing email system as a subscriber to the SNS topic. Set the SNS topic as the target for the EventBridge rule

B) Leverage the GuardDuty CreateFilter API operation to set up a filter in GuardDuty to monitor for Medium/High severity findings. Set up an SES endpoint as the target for the GuardDuty CreateFilter API so that SES can send out an email to the third-party ticketing email system

C) Leverage the GuardDuty CreateFilter API operation to set up a filter in GuardDuty to monitor for Medium/High severity findings. Set up an Amazon Simple Notification Service (Amazon SNS) topic. Configure the third-party ticketing email system as a subscriber to the SNS topic. Set the SNS topic as the target for the GuardDuty CreateFilter API

D) Create an Amazon EventBridge rule that includes an event pattern that matches Medium/High severity GuardDuty findings. Set up an SES endpoint as the target for the EventBridge rule so that SES can send out an email to the third-party ticketing email system

3 / 65

3. An organisation needs to showcase a report of changes made to the security group(s) for an Amazon Virtual Private Cloud (Amazon VPC) for auditing purposes,

What are the different ways to review security group changes in an AWS account? (Select three)

A) Use AWS CloudTrail Event history to review security group changes in your AWS account

B) Use the AWS AppConfig capability of AWS Systems Manager, to create, manage, and quickly deploy application configurations and track changes in them

C) Use CloudTrail Lake to create trails that aggregate information from multiple AWS accounts across regions

D) Configure CloudTrail with CloudWatch Logs to monitor your trail logs and be notified when security group changes occur. CloudTrail supports sending only data events to CloudWatch Logs. Configure Amazon EventBridge to monitor management events

E) Create an AWS CloudTrail trail configured to log to an Amazon Simple Storage Service (Amazon S3) bucket. Use Athena to query CloudTrail Logs over the last 30-45 days

F) Use AWS Config to view configuration history for security groups. You must have the AWS Config configuration recorder turned on

4 / 65

4. An application team is designing a solution with two applications. The security team wants the applications' logs to be captured in two different places, because one of the applications produces logs with sensitive data. What solution meets the requirement with the LEAST risk and effort?

A) Use Amazon CloudWatch logs to capture all logs, write an AWS Lambda function that parses the log file, and move sensitive data to a different log.

B) Use Amazon CloudWatch logs with two log groups, one for each application, and use an AWS IAM policy to control access to the log groups as required.

C) Aggregate logs into one file, then use Amazon CloudWatch Logs, and then design two CloudWatch metric filters to filter sensitive data from the logs.

D) Add logic to the application that saves sensitive data logs on the Amazon EC2 instances' local storage, and write a batch script that logs into the EC2 instances and moves sensitive logs to a secure location.

5 / 65

5. A company's AWS CloudTrail logs indicate unauthorized API calls made by an IAM user with elevated privileges. What should be the immediate action to mitigate the risk of further unauthorized access?

A) Disable the IAM user account associated with the unauthorized API calls.

B) Change the IAM user's password to prevent further access.

C) Ignore the unauthorized API calls as they may be false positives.

D) Increase the logging level of AWS CloudTrail to capture more details.

6 / 65

6. A Security Engineer has meticulously adhered to best practices in establishing a trusted IP address list for Amazon GuardDuty. Despite this, GuardDuty continues to generate alert findings for the designated trusted IP addresses.

To rectify the issue and ensure GuardDuty functions as intended, which of the following measures would you undertake? (Select two)

A) Ensure that multiple trusted IP lists per AWS account per Region have been configured

B) Ensure that IP addresses added in the trusted IP list are publicly routable IPv4 addresses

C) Ensure that the trusted IP lists are uploaded in the same AWS Region as your GuardDuty findings

D) Ensure that in multi-account environments, GuardDuty generates findings for member accounts based on activity that involves IP addresses from the administrator's trusted IP lists

E) Ensure that the same IP is not enlisted on both a trusted IP list as well as a threat list, as it will be processed by the threat list on priority, thereby resulting in a finding

7 / 65

7. A security team is creating a response plan in the event an employee performs unauthorized actions on the AWS infrastructure. The security team wants to include steps to determine if an employee's IAM permissions changed as part of the incident.

Which steps should the security team document in the plan?

A) Use AWS Config to examine what the employee's IAM permissions were before the incident. Compare those permissions to the employee's current IAM permissions.

B) Use Amazon Macie to configure the IAM policies as a custom-defined sensitive data type.

C) Use AWS IAM Access Analyzer to examine the employee's IAM permissions prior to the incident. Compare them to the employee's current IAM permissions.

D) Use AWS Trusted Advisor to examine what the employee's IAM permissions were before the incident. Compare those permissions to the employee's current IAM permissions.

8 / 65

8. An university employs Amazon EC2 instances (fronted by an Application Load Balancer) alongside Amazon RDS MySQL as the database. Presently, the university aims to store sensitive student data, necessitating adherence to stringent security and compliance standards. Data must be securely encrypted both in-transit and at-rest. The university seeks a solution that can enforce rigorous security measures while minimizing costs and operational complexities.

Which combination of actions will satisfy all the requirements? (Select three)

A) Use TLS certificates from AWS Certificate Manager (ACM) with an Application Load Balancer. Deploy self-signed certificates on the EC2 instances

B) Use AWS CloudHSM to generate TLS certificates for the Amazon EC2 instances. Install the TLS certificates on the Amazon EC2 instances

C) Ensure that the database client software uses a TLS connection to Amazon RDS. Enable encryption of the Amazon RDS DB instance

D) Use Amazon CloudFront with AWS Web Application Firewall (AWS WAF). Send HTTP connections to the origin Amazon EC2 instances

E) Enable encryption on the Amazon Elastic Block Store (Amazon EBS) volumes that support the Amazon EC2 instances

F) Use TLS certificates from a third-party vendor with an Application Load Balancer. Configure the same certificates on the Amazon EC2 instances

9 / 65

A procurement application integrates with the Amazon API Gateway REST API to fulfill its core functionality requirements. The development team aims to limit access to only designated public IP address ranges associated with the company's chosen vendor systems, ensuring exclusive access to the public API Gateway REST API.

What configuration adjustments are necessary to enforce access restrictions on the API Gateway REST API?

A) Create a resource policy for your REST API that denies access to any IP address that isn't specifically allowed. In the resource policy, for the aws:VpcSourceIp value, enter the specific public IP address ranges that you want to grant access to

B) Amazon API Gateway REST API does not support resource policies. Offer the REST API as HTTP API and create a resource policy for your HTTP API that denies access to any IP address that isn't specifically allowed. In the resource policy, for aws:SourceIp, give the value of the specific public IP addresses that you want to grant access to

C) Create a resource policy for your REST API that denies access to any IP address that isn't specifically allowed. In the resource policy, for aws:SourceIp, give the value of the specific public IP address ranges that you want to grant access to

D) Use a VPC endpoint policy along with an API Gateway resource policy. The resource policy is used to specify which principals can access the API. The endpoint policy specifies which private APIs can be called via the VPC endpoint

10 / 65

10. A company must ensure compliance that enforces data retention. The company stores critical data with a restriction that locks the data against future changes for 1 year. The company data is currently stored in Amazon S3 Standard. The company rarely accesses the data. The company plans to move the data to an archival storage solution.

How should the company move the data MOST efficiently?

A) Use lifecycle policies and move the data directly to Amazon S3 Glacier. Use an Amazon S3 Glacier Vault Lock policy to enforce the data retention compliance. Complete the lock process for the Amazon S3 Glacier Vault Lock policy in less than 48 hours.

B) Use lifecycle policies and move the data to Amazon S3 Infrequent Access, and then to Amazon S3 Glacier. Use an Amazon S3 Glacier Vault Lock policy to enforce the data retention compliance. Complete the lock process for the Amazon S3 Glacier Vault Lock policy in less than 24 hours.

C) Use lifecycle policies and move the data directly to Amazon S3 Glacier. Use an Amazon S3 Glacier Vault Lock policy to enforce the data retention compliance. Complete the lock process for the Amazon S3 Glacier Vault Lock policy in less than 24 hours.

D) Use lifecycle policies and move the data to Amazon S3 Infrequent Access, and then to Amazon S3 Glacier. Use an Amazon S3 Glacier Vault Lock policy to enforce the data retention compliance. Complete the lock process for the Amazon S3 Glacier Vault Lock policy in less than 48 hours.

11 / 65

11. The CTO at startup needs to analyze the AWS Web Application Firewall (AWS WAF) logs quickly and it wants to build multiple dashboards using a serverless architecture. The logging process should be automated so that the log data for dashboards is available on a real-time or near-real-time basis.

Which of the following represents the most optimal solution for this requirement?

A) Configure AWS Web Application Firewall (AWS WAF) to send logs to CloudWatch Logs. Use CloudWatch Logs Insights to interactively search and analyze your log data. Publish logs data to Amazon QuickSight dashboards through direct CloudWatch integration with QuickSight

B) Configure AWS Web Application Firewall (AWS WAF) to feed logs to Amazon S3 bucket via Amazon Kinesis Data Streams. Set up an AWS Glue crawler job and an Amazon Athena table to query for required data and create visualizations using Amazon QuickSight dashboards

C) Configure AWS Web Application Firewall (AWS WAF) to send your web ACL traffic logs to the Amazon S3 bucket. Use Amazon Redshift Spectrum to query data directly from files on Amazon S3. Using the existing integration of RedShift Spectrum with Amazon QuickSight, generate visualizations to be used in manager dashboards

D) Configure AWS Web Application Firewall (AWS WAF) to feed logs to Amazon S3 bucket via Amazon Kinesis Data Firehose. Set up an AWS Glue crawler job and an Amazon Athena table to query for required data and create visualizations using Amazon QuickSight dashboards

12 / 65

12. An Accounting services firm oversees its IT infrastructure on AWS. The company's security team has been assigned the responsibility of monitoring and documenting all root user activities within the AWS account.

Which combination of options would constitute a suitable solution for the security team to fulfill these requirements? (Select two)

A) Set up AWS Trusted Advisor to monitor root user API calls on the company's AWS account and trigger a downstream event to SNS

B) Set up an AWS Config rule that triggers a downstream event to SNS on all API calls from the root user

C) Set up a CloudWatch Events rule that is triggered on any API call from the root user

D) Using Amazon SNS as a target of the trigger that further notifies the security team

E) Set up AWS Inspector to monitor root user API calls on the company's AWS account and trigger a downstream event to SNS

13 / 65

13. An Europe company has a three-tier web application with separate subnets for Web, Application, and Database tiers. The DevSecOps at the company wants to monitor any malicious activity targeting the web application running on EC2 instances. You have been tasked with developing a solution to notify the security team in case the network exposure of EC2 instances on specific ports violates the security policies of the company.

Which AWS Services would you use to build an automated notification system to meet these requirements with the least development effort? (Select two)

A) Amazon SNS

B) WAF

C) AWS Shield

D) Amazon Inspector

E) Cloudwatch

14 / 65

14. A DevSecOps Engineer noticed that an application layer DDoS attack is underway on one of the crucial systems.

What should the immediate response of the devsecops engineer be to control the damage? (Select two)

A) Create your own AWS WAF rules in your web ACL to mitigate the attack

B) Enable Amazon GuardDuty to automatically monitor for malicious activity and block unauthorized access

C) Monitor the CloudWatch metrics: The maximum size of the Auto Scaling group, Amazon EC2 instance's CPUUtilization, and NetworkIn parameters to detect a DDoS attack and send an SNS notification to the security team

D) You can contact the AWS Support Center to get help with mitigations if you're a Shield Advanced customer

E) Define an AWS Systems Manager document (SSM document) to block all vulnerable ports, lock public access to Amazon S3 buckets and stop internet traffic to affected EC2 instances. Run the SSM using AWS Systems Manager CLI

15 / 65

15. A company has a legacy application that outputs all logs to a local text file. Logs from all applications that run on AWS must be continually monitored for security related messages.

What should the company do to deploy the legacy application on Amazon EC2 and still meet the monitoring requirement?

A) Create an AWS Lambda function that mounts the Amazon Elastic Block Store (Amazon EBS) volume with the logs and scans the logs for security incidents. Invoke the function to run every 5 minutes with a scheduled Amazon EventBridge event.

B) Send the local text log files to Amazon CloudWatch Logs, and configure a CloudWatch metric filter. Set CloudWatch alarms based on the metrics.

C) Install the Amazon Inspector agent on any EC2 instance that runs the legacy application. Generate Amazon CloudWatch alerts based on any Amazon Inspector findings.

D) Export the local text log files to AWS CloudTrail. Create an AWS Lambda function that queries the CloudTrail logs for security incidents by using Amazon Athena.

16 / 65

16. While conducting routine maintenance, the application support team detected unusual activity on an Amazon EC2 instance equipped with an EBS volume. Promptly, they notified a Security Engineer about the anomaly. The instance is integrated into an Auto Scaling Group and is accessed through an Elastic Load Balancer.

What immediate measures should the Security Engineer implement to thwart further attacks, secure the interconnected systems, and ascertain the underlying cause?

A) Remove the instance from the Auto Scaling group and deregister the instance from the Elastic Load Balancer. Place the instance within an isolation security group. Launch a new EC2 instance with a forensic toolkit, and allow the forensic toolkit image to connect to the suspicious instance to perform the investigation

B) Remove the instance from the Auto Scaling group and deregister the instance from the Elastic Load Balancer. Place the instance within an isolation security group and snapshot the Amazon EBS data volumes that are attached to the EC2 instance. Launch an EC2 instance with a forensic toolkit and attach an EBS volume created from the snapshot of the suspicious EBS volume

C) Remove the instance from the Auto Scaling group. Place the instance within an isolation security group. Launch an EC2 instance with a forensic toolkit, and use the forensic toolkit image to deploy another ENI to inspect all traffic coming from the suspicious instance

D) Detach the instance from the Auto Scaling group and place it within an isolation security group. Detach the suspicious EBS volume. Launch an EC2 instance with a forensic toolkit and attach the detached EBS volume to investigate

17 / 65

17. A user is attempting to upload a large file to an Amazon S3 bucket within a specific AWS account. The upload request includes encryption details utilizing an AWS Key Management Service (AWS KMS) key, which is also available in the same account. However, the user encounters an Access Denied error during the upload process. Interestingly, when the user attempts to upload a smaller file with encryption information, the upload is successful.

As a Security analyst, what steps would you take to address this issue?

A) Verify that kms:Decrypt permissions are specified in the key policy, otherwise they need to be added to the policy

B) Verify that the requester has kms:GenerateDataKey permissions. This permission is needed for multipart upload to work successfully

C) Verify that kms:Decrypt permissions are specified in both the key policy as well as the IAM policy of the user

D) Verify that kms:Encrypt permissions are specified in the key policy, otherwise, they need to be added to the policy

18 / 65

18. An organization has decided to enable AWS Security Hub to help assess its company growing AWS environment against security industry standards and best practices.

Which of the following represents true statements for the AWS Security Hub service? (Select two)

A) AWS Config must be enabled as a pre-requisite for using Security Hub

B) Amazon GuardDuty must be enabled as a pre-requisite for using Security Hub. GuardDuty immediately begins to send findings to Security Hub

C) Tracking an underutilized Amazon Redshift instance or an over-utilized Amazon EC2 instance is a classic example of AWS Security Hub use cases

D) When you enable both GuardDuty and Security Hub, the mutual integration is enabled automatically. GuardDuty immediately begins to send findings to Security Hub

E) Security Hub uses resource-linked roles to perform security checks for most controls from AWS Config

19 / 65

19. The decision was made to place database hosts in their own VPC, and to set up VPC peering to different VPCs containing the application and web tiers. The application servers are unable to connect to the database. Which network troubleshooting steps should be taken to resolve the issue? (Select TWO.)

A) Check to see if the application servers are in a private subnet or public subnet.

B) Check the route tables for the application server subnets for routes to the VPC peering connection

C) Check the network access control lists for the database subnets for rules that allow traffic from the Internet.

D) Check the database security groups for rules that allow traffic from the application servers.

E) Check to see if the database VPC has an Internet gateway

20 / 65

20. An Ed-tech company utilizes AWS CloudFormation templates to deploy all its AWS infrastructure resources. Within one of these templates, there's a requirement to furnish username and password credentials for the newly provisioned Amazon Redshift database.

What is the best approach to configure the database credentials during stack creation without exposing or compromising these credentials?

A) First create a secret with a password generated by Secrets Manager. Use a dynamic reference for the secret in resource metadata such as AWS::CloudFormation::Init for the new database created

B) First create a secret with a password generated by Secrets Manager. Then use a dynamic reference in the CloudFormation template to retrieve the username and password from the secret to use as credentials for the new database created

C) Create a separate CloudFormation template for the database resources. The database template should be created with the credentials of the database encrypted into the template. Use this template to create database resources

D) First create a secret with a password generated by Secrets Manager. Then use a dynamic reference in the CloudFormation template using a backslash as the final value. The backslash will be replaced with the credentials during the new database creation

21 / 65

21. A social media platform aims to restrict access to its application from certain countries while still permitting its remote development team, which operates from one of the restricted countries, to access the application. The application runs on EC2 instances managed by an Application Load Balancer (ALB) with AWS Web Application Firewall (WAF) integration.

As an AWS Certified Security Specialist, which combination of solutions would you employ to meet the specified requirements? (Select two)

A) Create a deny rule for the blocked countries in the NACL associated to each of the EC2 instances

B) Use WAF geo match statement listing the countries that you want to block

C) Use WAF IP set statement that specifies the IP addresses that you want to allow through

D) Use ALB IP set statement that specifies the IP addresses that you want to allow through

E) Use ALB geo match statement listing the countries that you want to block

22 / 65

22.

The devsecops team at a health services company has reported that an AWS access key belonging to a user has been discovered on the internet. As an engineer, it is imperative to promptly deactivate the access key and assess the user's activities for any indications of a potential breach.

What actions should be taken to address the aforementioned requirements?

A) Delete or rotate the user’s key. Review the AWS CloudTrail logs in all AWS regions and delete any unauthorized resources created or updated

B) Delete the IAM user and all the resources created by the user. Create fresh user credentials and relaunch the resources from this user

C) Call on the user to remove the access credentials from the internet. Rotate the user's key and re-deploy all the resources with the new credentials

D) Call on the user to remove the access credentials from the internet. Report abuse to AWS Trust & Safety team

23 / 65

23. You have an EBS volume connected to a running EC2 Instance utilizing KMS for encryption. However, the Customer Key associated with the EBS encryption has been deleted. Which of the following options is required for the EC2 instance to continue using the EBS volume?

A) Create a new Customer Key using KMS and attach it to the existing volume.

B) Nothing is needed as the key deletion has no immediate effect on the EC2 instance or the EBS volume.

C) Request AWS Support to recover the key.

D) Use AWS Config to recover the key.

24 / 65

24. An organization is hosting a web application on AWS and is using an S3 bucket to store images. Users should have the ability to read objects in the bucket. A Security Engineer has written the following bucket policy to grant public read access:

{

"ID":"Policy1502987489630",
"Version":"2012-10-17",
"Statement":[
{
"Sid":"Stmt1502987487640",
"Action":[
"s3:GetObject",
"s3:GetObjectVersion"
],
"Effect":"Allow",
"Resource":"arn:aws:s3:::appbucket",
"Principal":"*"
}
]
}

Attempts to read an object, however, receive the error: "Action does not apply to any resource(s) in statement.”

What should the Engineer do to fix the error?

A) Change the IAM permissions by applying PutBucketPolicy permissions.

B) Verify that the policy has the same name as the bucket name. If not, make it the same.

C) Change the Resource section to "arn:aws:s3:::appbucket/*".

D) Add an action s3:ListBucket.

25 / 65

25. In response to a threat alert issued by the security team, the company requires content inspection of the traffic flowing through an outbound endpoint of Amazon Route 53 resolver.

As a Security Specialist, how would you devise a solution to fulfill this requirement?

A) Turn on Route 53 public query logging in each public-hosted zone. Amazon Route 53 publishes the logs to Amazon CloudWatch Logs for further analysis and troubleshooting

B) Enable VPC Flow Logs to capture all network traffic information passing through Route 53 resolver endpoints. Use the Athena integration feature in the Amazon VPC Console to create Athena tables for direct querying

C) To view traffic passing through Route 53 resolver endpoints, configure Amazon Virtual Private Cloud (Amazon VPC) Traffic Mirroring

D) Create a trail in AWS CloudTrail for continuous tracking of all Route 53 events. Deliver the log files to an Amazon S3 bucket and use Athena to query the log data for user patterns and troubleshooting

26 / 65

26. A company is building a data lake on Amazon S3. The data consists of millions of small files containing sensitive information. The security team has the following requirements for the architecture:
• Data must be encrypted in transit.
• Data must be encrypted at rest.
• The bucket must be private, but if the bucket is accidentally made public, the data must remain confidential.
What combination of steps would meet the requirements? (Select TWO.)

A) Enable AES-256 (SSE-S3) encryption on the S3 bucket.

B) Enable default encryption with AWS KMS-managed keys (SSE-KMS) on the S3 bucket

C) Add a bucket policy that includes a deny if PutObject request does not include aws:SecureTransport.

D) Add a bucket policy with aws:SourceIp to only allow uploads and downloads from the corporate intranet.

E) Enable Amazon Macie to monitor and act on changes to the data lake's S3 bucket.

27 / 65

27. Every application in a company's portfolio has a separate AWS account for development and production. These accounts are centrally managed and governed within AWS Organizations. The security team wants to make sure all IAM users in the production accounts are not allowed to manually modify or update the AWS Key Management Service (AWS KMS) encryption keys.

How can the security team control this functionality?

A) Create an SCP that denies access to the services. Assemble all production accounts in an OU. Apply the policy to that OU.

B) Create an SCP that denies access to the services. Apply the policy to the root OU.

C) Create an IAM policy that denies access to the services. Associate the policy with an IAM group. Add all users and the root users to this group.

D) Create an IAM policy that denies access to the services. Use an AWS Config managed rule that checks that all users have the policy assigned. Invoke an AWS Lambda function that adds the policy when the policy is missing.

28 / 65

28. In order to fulfill the requirement that all requests made to the origin of an Amazon CloudFront distribution include the Authorization header, it is necessary for the CloudFront distribution to forward the Authorization headers to the origin.

As a Security Analyst, what configuration steps would you take to meet this use case?

A) Configure the CloudFront origin request policy to forward the Authorization header to the origins

B) Create a cache policy. Then, associate the cache policy with the cache behavior that must forward the Authorization header

C) For Amazon Simple Storage Service (Amazon S3) origins, caching based on the Authorization header is supported only when the OPTIONS responses are cached. Hence, choose the options for default cache behavior settings that enable caching for OPTIONS responses

D) Configure the CloudFront viewer request policy to forward the Authorization header to the origin

29 / 65

29. A startup working on a video processing application employs an AWS Lambda function to generate image thumbnails from larger images. This Lambda function requires both read and write permissions to an Amazon S3 bucket set up within the same AWS account.

What is the most effective approach to grant the essential access permissions to the AWS Lambda function?

A) Create an AWS Identity and Access Management (IAM) role for the Lambda function that also grants access to the S3 bucket. Grant the required permissions on the S3 bucket policy. Verify that the S3 bucket policy doesn't explicitly deny access to your Lambda function or its execution role

B) Create a security group. Attach the security group to the Lambda function. Attach a bucket policy that allows access to the Amazon S3 bucket through the security group ID

C) Generate an Amazon EC2 key pair. Store the private key in AWS Secrets Manager. Modify the AWS Lambda function to retrieve the private key from Secrets Manager and to use the private key during any communication with the S3 bucket

D) Create an AWS Identity and Access Management (IAM) role for the Lambda function that also grants access to the S3 bucket. Configure the IAM role as the Lambda functions execution role. Verify that the S3 bucket policy doesn't explicitly deny access to your Lambda function or its execution role

30 / 65

30. A security engineer must ensure that all infrastructure that is launched in the company AWS account is monitored for changes from the compliance rules. All Amazon EC2 instances must be launched from one of a specified list of Amazon Machine Images (AMIs), and all attached Amazon Elastic Block Storage (Amazon EBS) volumes must be encrypted. Instances that are not in compliance must be terminated.

Which combination of steps should the security engineer implement to meet these requirements? (Select TWO.)

A) Monitor compliance with AWS Config rules.

B) Set up an Amazon EventBridge event based on AWS Trusted Advisor metrics.

C) Create a custom remediation action by using AWS Systems Manager Automation runbooks.

D) Set up an Amazon EventBridge event based on Amazon Inspector findings.

E) Invoke an AWS CLI command from an Amazon EventBridge event that terminates the infrastructure.

31 / 65

31. A corporate cloud security policy states that communication between the company's VPC and KMS must travel entirely within the AWS network and not use the public service endpoints. What combination of the following actions satisfies that requirement? (Select TWO.)

A) Add the aws:sourceVpce condition to the KMS key policy referencing the company's Amazon VPC endpoint ID.

B) Remove the VPC internet gateway from the VPC and add a virtual private gateway to the VPC to prevent direct, public internet connectivity.

C) Create a VPC endpoint for AWS KMS with private DNS enabled.

D) Use the KMS Import Key feature to securely transfer the AWS KMS key over a VPN.

E) Add the following condition to the AWS KMS key policy: "aws:SourceIp": "10.0.0.0/16".

32 / 65

32. A company wants to enable SSO so that its employees can sign in to the AWS Management Console by using the company's SAML provider.

Which combination of steps are required as part of the process? (Select TWO.)

A) Create an AWS Direct Connect connection between the corporate network and the AWS Region with the company's infrastructure.

B) Create IAM policies that can be mapped to group memberships in the corporate directory.

C) Create an AWS Lambda function to assign IAM roles to the temporary security tokens provided to the users.

D) Create IAM users that can be mapped to the employees' corporate identities.

E) Create an IAM role that establishes a trust relationship between IAM and the corporate SAML identity provider (IdP).

33 / 65

33. A company has been using an unencrypted Amazon Elastic File System (Amazon EFS) file system that contains many files. The company must encrypt all existing files and any future files that are stored in the EFS file system. The files must be encrypted with a key that is regularly rotated.

Which solution will meet these requirements?

A) Create an AWS Key Management Service (AWS KMS) customer managed encryption key. Configure automatic rotation for the AWS KMS key. Modify the existing EFS file system and turn on encryption by using the AWS KMS key. Use an AWS Lambda function to copy the existing files in place to encrypt them.

B) Modify the existing EFS file system and turn on encryption by using the default AWS Key Management Service (AWS KMS) service key for Amazon EFS. Configure automatic rotation for the AWS KMS key. Create an AWS Lambda function to copy the existing files in place to encrypt them.

C) Create an AWS Key Management Service (AWS KMS) customer managed encryption key. Configure automatic rotation for the AWS KMS key. Create a new EFS file system and turn on encryption by using the AWS KMS key. Use AWS DataSync to transfer the existing files to the new encrypted file system.

D) Create a new EFS file system and turn on encryption by using the default AWS Key Management Service (AWS KMS) service key for Amazon EFS. Configure automatic rotation for the AWS KMS key. Use AWS DataSync to transfer the existing files to the new encrypted file system.

34 / 65

34. A company plans to use an AWS CloudFormation template to deploy a stack of production resources. A security requirement states that users should not be able to make changes to a resource that the template creates that would remove the resource from the stack or modify the resource's physical ID. Only an IAM administrative user should be able to make changes to the resource.

Which combination of solutions will meet these security requirements? (Select TWO.)

A) Configure a stack policy on the production stack that allows only the administrative user to update the stack.

B) Configure a CloudFormation service role to manage the resources and associate the role with the production stack.

C) Configure a stack policy to deny all update actions on the production stack.

D) Configure termination protection on the production stack.

E) Configure a stack policy to deny update:replace and update:delete actions on the production stack.

35 / 65

35.

A company will deploy a new application on Amazon EC2 instances in private subnets. The application will transfer sensitive data to and from an Amazon S3 bucket. According to compliance requirements, the data must not traverse the public internet.

Which solution meets the compliance requirement?

A) Access the S3 bucket through a proxy server.

B) Access the S3 bucket through a NAT gateway.

C) Access the S3 bucket through a VPC endpoint for S3.

D) Access the S3 bucket through the SSL-protected S3 endpoint.

36 / 65

36. A trading service company is evaluating storage options on Amazon S3 standard storage to meet regulatory guidelines. The data should be stored in such a way on S3 that it cannot be deleted until the regulatory period has expired.

As an AWS Certified Security Specialist, which of the following would you recommend for the given requirement?

A) Use S3 Glacier Vault Lock

B) Use S3 Object Lock

C) Activate MFA delete on the S3 bucket

D) Use S3 cross-Region Replication

37 / 65

37. A company wants to make available an Amazon S3 bucket to a vendor so that the vendor can analyze the log files in the S3 bucket. The company has created an IAM role that grants access to the S3 bucket. The company also has to set up a trust policy that specifies the vendor account.

Which pieces of information are required as arguments in the API calls to access the S3 bucket? (Select TWO.)

A) A temporary access key from the IAM role in the company's account

B) The Amazon Resource Name (ARN) of the trust policy in the company's account

C) The Amazon Resource Name (ARN) of the IAM role in the company's account

D) An external ID originally provided by the vendor to the company

E) The name of the bucket policy on the S3 bucket in the company's account

38 / 65

38. A company's security team presents a daily briefing that includes a report on which of the company's Amazon EC2 instances and on-premises servers are missing the latest security patches. All of the servers and instances have the agents installed for Amazon CloudWatch, AWS Systems Manager, and Amazon Inspector. All of the servers and instances must be brought into compliance within 24 hours so that they do not show up on the next report.

How can the security team meet these requirements?

A) Use Amazon QuickSight and AWS CloudTrail to generate the report of all noncompliant servers and instances. Redeploy all noncompliant instances and servers by using an Amazon Machine Image (AMI) with the latest patches.

B) Use AWS Systems Manager Patch Manager to generate the report of all noncompliant servers and instances. Use Patch Manager to install the missing patches.

C) Use AWS Systems Manager Patch Manager to generate the report of all noncompliant servers and instances. Redeploy all noncompliant instances and servers by using an Amazon Machine Image (AMI) with the latest patches.

D) Use AWS Trusted Advisor to generate the report of all noncompliant servers and instances. Use AWS Systems Manager Patch Manager to install the missing patches.

39 / 65

39. A hardware company relies on Amazon S3 buckets to store its sensitive business data. However, a customer lacks support for TLS versions 1.2 or higher, leading to an inability to access content stored within Amazon S3 buckets.

As a DevSecOps Engineer, what approach would you implement to enable customers to access content in the Amazon S3 buckets using TLS 1.0 or 1.1 while ensuring the security of the communication channel?

A) Configure a CloudFront distribution with an Amazon S3 bucket as the custom origin. CloudFront supports anonymous and public requests to S3 buckets for undisrupted user access

B) The wildcard domain name feature of AWS Certificate Manager (ACM) can be used to work around the TLS version limitations

C) Create a bucket policy that allows secure data access via TLS 1.0 or 1.1

D) Make your S3 bucket private and configure access through Amazon CloudFront only by using signed requests to access the S3 bucket

40 / 65

40. An AWS service hosted within AWS Account 1 is accessible to AWS Account 2 via VPC private link. The Network Load Balancer (NLB) in Account 1 has been properly configured and has acknowledged the connection. Despite data being observed leaving from the NLB, the client side within Account 2 is not receiving the transmitted data.

What troubleshooting steps should be pursued to address this issue?

A) Enable VPC Flow Logs to capture detailed information about the traffic going to and from network interfaces to the NLB

B) Configure Gateway Endpoint instead of VPC private link to access the AWS service across AWS accounts

C) Ensure that the Security Groups and Network Access Control Lists (NACLs) in both VPCs allow traffic

D) Use AWS CloudTrail to capture detailed information about the calls made to the Amazon VPC API. You can use the generated CloudTrail logs to determine which calls were made and the source IP address where the call came from

41 / 65

41. An AWS customer performs DDoS testing with a large simulated attack on its web application, which is running on Amazon EC2 instances. Later, AWS contacts the customer and informs the customer that the testing violated the AWS Customer Agreement.

How can the customer perform future testing without violating the agreement?

A) Deploy the instances that generate the simulation within the same VPC as the application.

B) Run the simulation against EC2 instances with Amazon Inspector installed.

C) Work with an AWS Partner Network (APN) Partner to perform the simulation.

D) Exclude port 80 (HTTP) and port 443 (HTTPS) from the DDoS simulation.

42 / 65

42. A company is using an Amazon S3 Glacier vault. After an archive is more than 2 years old, an archive administrator can delete the archive. However, the company must retain archives related to regulatory reviews until the review has been completed. The regulatory review sometimes takes longer than 2 years to complete. These archives have a resource tag named RegReq that is set to a value of true.

Recently the company discovered that several documents needed for an ongoing review were missing. After a quick investigation, the company determined that the archives were about 3 years old and had been accidentally deleted due to an updated policy. The company wants to prevent accidental deletion of archives in the future.

Which solution will meet these requirements?

A) Create an S3 Glacier vault access policy for the vault with three statements. The first statement denies the deletion of archives with a value of true for the tag RegReq. The second statement denies the deletion of an archive that is less than 2 years old. The third statement allows an archive administrator to delete an archive that is more than 2 years old.

B) Create an S3 Glacier Vault Lock policy for the vault with three statements. The first statement denies the deletion of archives with a value of true for the tag RegReq. The second statement denies the deletion of an archive that is less than 2 years old. The third statement allows an archive administrator to delete an archive that is more than 2 years old.

C) Create an S3 Glacier vault access policy for the vault with two statements. The first statement denies the deletion of an archive that is less than 2 years old. The second statement allows an archive administrator to delete an archive that is more than 2 years old. Create an S3 Glacier Vault Lock policy that denies the deletion of archives with a value of true for the tag RegReq.

D) Create an S3 Glacier Vault Lock policy for the vault with two statements. The first statement denies the deletion of an archive that is less than 2 years old. The second statement allows an archive administrator to delete an archive that is more than 2 years old. Create an S3 Glacier vault access policy that denies the deletion of archives with a value of true for the tag RegReq.

43 / 65

43. A Security Engineer must set up security group rules for a three-tier application:

Presentation Tier - Accessed by users over the web, protected by the security group, presentation-sg
Logic Tier - RESTful API accessed from the Presentation Tier via https, protected by the security group, logic-sg
Data Tier - SQL Server database accessed over port 1433 from the Logic Tier, protected by the security group, data-sg

What combination of the following security group rules will allow the application to be secure and functional? (Select THREE.)

A) presentation-sg: Allow ports 80 and 443 from 0.0.0.0/0

B) data-sg: Allow port 1433 from presentation-sg

C) data-sg: Allow port 1433 from logic-sg

D) presentation-sg: Allow port 1433 from data-sg

E) logic-sg: Allow port 443 from presentation-sg

F) logic-sg: Allow port 443 from 0.0.0.0/0

44 / 65

44.

An animation studio relies on Amazon S3 to store artifacts that should exclusively be accessible to EC2 instances operating within a private VPC. The security engineering team at the studio is concerned about a potential attack vector whereby any team member with access to such an instance could also establish an EC2 instance in a different VPC to gain access to these artifacts.

As an AWS Certified Security Specialist, which solution would you suggest to mitigate the risk of unauthorized access to the artifacts stored in S3?

A) Set up an IAM role that allows access to the artifacts in S3 and then create an S3 bucket policy to allow access only from this role attached to the instance profile

B) Configure an S3 VPC endpoint and create an S3 bucket policy to allow access only from this VPC endpoint

C) Attach an Elastic IP to the EC2 instance and create an S3 bucket policy to allow access only from this Elastic IP

D) Set up a highly restricted Security Group for the EC2 instance and create an S3 bucket policy to allow access only from this Security Group

45 / 65

45. As a Security Engineer, your assignment involves automating the identification and resolution of threats targeting your AWS environments using Amazon GuardDuty findings.

Which actions will you undertake to implement this solution most effectively? (Select two)

A) Configure CloudWatch Event to filter GuardDuty findings when a malicious activity is suspected. Configure the CloudWatch Event to invoke a Lambda function to parse the GuardDuty finding and store it in the Amazon DynamoDB table, if required

B) After checking the existing entries in the Amazon DynamoDB table, AWS Lambda function creates a Rule inside AWS WAF and in a VPC NAC, and a notification email is sent via Amazon Simple Notification Service (SNS)

C) Configure GuardDuty to export its findings to an Amazon S3 bucket. Configure a Lambda function to be triggered every time an object is added to the Amazon S3 bucket

D) Configure GuardDuty to trigger an AWS Lambda function every time a finding is generated. Configure an Amazon DynamoDB table to store the data received by Lambda from GuarDuty integration

E) Configure AWS Lambda function to create a Rule inside AWS WAF and in a VPC NAC for every GuardDuty finding and trigger an email notification via Amazon Simple Notification Service (SNS)

46 / 65

46. A company has multiple Amazon S3 buckets in an account. Some buckets are accessible through the internet. A security administrator wants to implement a solution that detects whether any private bucket becomes internet accessible. The administrator turns on Amazon GuardDuty and activates S3 Protection.

Which GuardDuty finding type should the administrator search for that meet these requirements?

A) Policy:S3/AccountBlockPublicAccessDisabled

B) Policy:S3/BucketPublicAccessGranted

C) Policy:S3/BucketBlockPublicAccessDisabled

D) Policy:S3/BucketAnonymousAccessGranted

47 / 65

47.

A company has several AWS Key Management Service (AWS KMS) customer managed keys. Some of the keys have imported key material. The company's security team must rotate each key annually.

Which methods can the security team use to rotate each key? (Select TWO.)

A) Enable automatic key rotation for a key.

B) Import new key material to an existing key.

C) Use the AWS CLI or the AWS Management Console to explicitly rotate an existing key.

D) Import new key material to a new key. Point the key alias to reference the new key.

E) Delete an existing key, and a new default key will be created.

48 / 65

48. A web application runs in a VPC on Amazon EC2 instances behind an Application Load Balancer (ALB). The application stores data in an Amazon RDS for MySQL DB instance. A Linux bastion host applies the schema updates to the database. Administrators connect to the bastion host by using SSH from a corporate workstation. The following security groups are applied to the infrastructure:

sgLB: Associated with the ALB
sgWeb: Associated with the EC2 instances
sgDB: Associated with the database
sgBastion: Associated with the bastion host

Which security group configuration allows the application to be secure and functional?

A) ➊ sgLB: Allow port 80 and 443 traffic from 0.0.0.0/0. ➋ sgWeb: Allow port 80 and 443 traffic from 0.0.0.0/0. ➌ sgDB: Allow port 3306 traffic from sgWeb and sgBastion. ➍ sgBastion: Allow port 22 traffic from the corporate IP address range.

B) ➊ sgLB: Allow port 80 and 443 traffic from 0.0.0.0/0. ➋ sgWeb: Allow port 80 and 443 traffic from sgLB. ➌ sgDB: Allow port 3306 traffic from sgWeb and sgLB. ➍ sgBastion: Allow port 22 traffic from the VPC IP address range.

C) ➊ sgLB: Allow port 80 and 443 traffic from 0.0.0.0/0. ➋ sgWeb: Allow port 80 and 443 traffic from sgLB. ➌ sgDB: Allow port 3306 traffic from sgWeb and sgBastion. ➍ sgBastion: Allow traffic from port 22 and from the VPC IP address range.

D) ➊ sgLB: Allow port 80 and 443 traffic from 0.0.0.0/0. ➋ sgWeb: Allow port 80 and 443 traffic from sgLB. ➌ sgDB: Allow port 3306 traffic from sgWeb and sgBastion. ➍ sgBastion: Allow port 22 traffic from the corporate IP address range.

49 / 65

49. A health organisation is designing a multi-account structure for its IT and Accounting teams using AWS Organizations and AWS Single Sign-On (AWS SSO). The teams should only be able to access specific AWS services in the designated AWS Regions.

Which solution will implement these requirements with the LEAST operational overhead?

A) Create Service control policies (SCPs) that deny access to any operations outside of the designated AWS Regions. Apart from the Condition and Resource elements, configure the NotAction element to allow access to the required AWS services

B) Create a Service control policy (SCP) that mandates multi-factor authentication (MFA) for access to the required services in the designated AWS Regions. Share the MFA credentials with only the AWS users that need access

C) Create a Service control policy (SCP) with a deny list policy strategy to deny access to users for certain AWS services and AWS Regions. Exclude administrators of the member accounts from this SCP

D) Create a Service control policy (SCP) that allows access to users for certain AWS services in the designated AWS Regions

50 / 65

50. A corporation runs a worldwide data analytics platform hosted on AWS. Utilizing Amazon CloudFront, the platform distributes content to its users. With the advent of new data regulations, the company must block incoming traffic from certain countries. It seeks a solution to adhere to the regulations without compromising the cost efficiency of its infrastructure.

What suggestions do you propose?

A) Leverage an AWS WAF web ACL with an IP match condition to deny traffic from a specific set of countries. Configure the CloudFront distribution to use the web ACL

B) Leverage an AWS WAF web ACL with a geo match condition to deny traffic from a specific set of countries. Configure the CloudFront distribution to use the web ACL

C) Leverage geolocation routing policies in CloudFront to deny traffic from a specific set of countries

D) Leverage geographic restrictions in CloudFront to deny traffic from a specific set of countries

51 / 65

51. A hybrid AWS network is configured to route internet traffic such that it egresses from an on-premises gateway rather than from a VPC Internet Gateway (IGW). Since enabling Amazon GuardDuty, an error has been repeatedly seen in the GuardDuty findings: UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS. This finding informs you that a host outside of AWS has attempted to run AWS API operations using temporary AWS credentials that were created on an EC2 instance in your AWS environment. The listed EC2 instance might be compromised, and the temporary credentials from this instance might have been exfiltrated to a remote host outside of AWS.

As a Security engineer, what steps would you take to address this issue, so that the VPC's internet traffic that egresses from an on-premises gateway does not trigger the given error? (Select two)

A) Use suppression rules and create a rule that consists of two filter criteria. The first criterion is finding type, which should be UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS

B) The second filter criterion is API caller IPv4 address with the IP address or CIDR range of the on-premises internet gateway

C) Use suppression rules and create a rule that consists of two filter criteria. The first criterion is finding type, which should be UnauthorizedAccess:EC2/SSHBruteForce

D) Create a finding filter from the GuardDuty console for two different criteria. The first criterion is finding type, which should be UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration

E) The second filter criterion is Trusted IP list to which you add the IP address or CIDR range of the on-premises internet gateway

52 / 65

52. A Security Engineer is working with a product team building a web application on AWS. The application uses Amazon S3 to host HTML pages and other static content, API Gateway and AWS Lambda to provide RESTful services, and Amazon DynamoDB to store state and other data. The users already exist in a directory that is exposed via a SAML identity provider (IDP).
What should the Security Engineer do to enable users to be authenticated into the web application and call APIs? (Select THREE).

A) Create a custom authorization service using AWS Lambda.

B) Configure a SAML Identity Provider in Amazon Cognito to map attributes to the Cognito User Pool attributes.

C) Configure the identity provider to add the Amazon Cognito User Pool as a relying party.

D) Configure an Amazon Cognito Identity Pool to integrate with social login providers.

E) Update DynamoDB to store the user email addresses and passwords.

F) Update API Gateway to use an Amazon Cognito User Pools authorizer.

53 / 65

53. A security architect wants to assess and maintain AWS resource compliance. To achieve this compliance, the security architect must confirm that subnets in the Amazon VPC are not assigned a public IP address before the subnets are provisioned. The security architect also wants to configure a solution to automatically detect and centralize a list of security findings.

What should the security architect do to meet the requirements with the FEWEST configuration steps?

A) Use AWS Config and implement AWS managed rules with detective evaluation. Configure the rule to evaluate the Amazon VPC when configuration changes trigger the Amazon VPC. Use AWS Lambda to send AWS Config rule evaluations to AWS Security Hub.

B) Use AWS Config and implement AWS managed rules with detective evaluation. Configure the rule to evaluate the Amazon VPC periodically. Use Amazon EventBridge to send AWS Config rule evaluations to AWS Security Hub.

C) Write code in AWS Lambda to invoke when an Amazon VPC is launched. Use AWS Step Functions to coordinate that AWS Config rule evaluations are sent to AWS Security Hub.

D) Use AWS Config and implement AWS managed rules with proactive evaluation. Use AWS Security Hub to view managed and custom rule evaluation results from AWS Config.

54 / 65

54. An organization wants to analyze their website's access logs and gain insights into user behavior and traffic patterns. Which AWS service can help them achieve this?

A) AWS CloudTrail Insights

B) AWS Cloudwatch

C) AWS Cloudfront

D) AWS Config

55 / 65

55. A company has enhanced its AWS Cloud security framework significantly, incorporating AWS Firewall Manager, Amazon Inspector, and AWS Shield Advanced services across its AWS accounts to meet its security needs. Recently, the company has integrated the Amazon Macie data security service to identify and safeguard sensitive data. Now, the company aims to deploy a solution leveraging data from these security services to trigger alerts in case of a DDoS attack on its AWS resources.

What solution would best fulfill this requirement?

A) Create an Amazon CloudWatch alarm that monitors AWS Shield Advanced CloudWatch metrics for an active DDoS event

B) Create an Amazon CloudWatch alarm that monitors AWS Firewall Manager CloudWatch metrics for an active DDoS event

C) Create an Amazon CloudWatch alarm that monitors Amazon Inspector logs for vulnerabilities related to an active DDoS event

D) Create an Amazon CloudWatch alarm that monitors AWS Web Application Firewall (AWS WAF) for an active DDoS event

56 / 65

56. The security team of an e-commerce startup requires notifications when an AWS access key remains unchanged for 30 days or longer. As an AWS Certified Security Specialist, you've been tasked with devising an automated solution to fulfill this need.

What solution would you suggest with minimal effort?

A) Enable the AWS Config access-keys-rotated managed rule and configure the maxAccessKeyAge parameter to 30 days. Have AWS Config apply remediation using an AWS Lambda function for every non-compliant resource. The Lambda function, in turn, publishes a customized message to an SNS topic

B) Enable the AWS Config access-keys-rotated managed rule and configure the maxAccessKeyAge parameter to 30 days. Create an Amazon EventBridge rule that runs on a daily schedule to trigger an AWS Lambda function that executes the AWS Config managed rule. Publish a customized message to an SNS topic when the Lambda function detects non-compliance

C) Enable the AWS Config access-keys-rotated managed rule and configure the maxAccessKeyAge parameter to 30 days. Have AWS Config apply remediation using the AWS Systems Manager Automation document for every non-compliant resource. The Automation document, in turn, publishes a customized message to an SNS topic

D) Configure AWS Trusted Advisor to apply remediation using an AWS Lambda function for every non-compliant AWS access key. The Lambda function, in turn, publishes a customized message to an SNS topic

57 / 65

57. The IT team at Real state Corporation has identified a security vulnerability that could potentially lead to unauthorized access to confidential data. To address this issue and safeguard the company's information, the team aims to implement a mechanism to delete an AWS KMS Customer Master Key (CMK) within a 24-hour window. This action would render the key unusable for encryption or decryption operations, bolstering data security.

Which of the following solutions would best fulfill the specified use case?

A) Use the manual key rotation feature within KMS to instantly create a new CMK

B) Utilize the scheduled key deletion feature in KMS to set the minimum wait time for deletion

C) Alter the KMS CMK alias to immediately stop any services from utilizing the CMK

D) Implement the KMS import key function to perform an immediate delete operation

58 / 65

58. A mid-sized company has recently integrated Amazon GuardDuty to surveil their AWS infrastructure for potential security risks. Upon observing a significant influx of RDP brute force attacks stemming from an Amazon EC2 instance, the security team resolved to intervene to forestall any potential complications. The company's security engineer was entrusted with devising an automated remedy to temporarily block the suspicious instance until further investigation and remediation could take place.

Which solution should the security engineer prioritize for implementation?

A) Have Security Hub ingest GuardDuty findings and send events to Kinesis Data Streams via EventBridge. Configure a Lambda function to process the data stream and block traffic to/from the suspicious instance by updating the security group so that it has no inbound and outbound rules

B) Have Security Hub ingest GuardDuty findings and send events to EventBridge that triggers a Lambda function to block traffic to/from the suspicious instance by updating the WAF web ACL

C) Have Security Hub ingest GuardDuty findings and send events to EventBridge that triggers a Lambda function to block traffic to/from the suspicious instance by updating the network ACL rules

D) Have Security Hub ingest GuardDuty findings and send events to Kinesis Data Streams via EventBridge. Configure Kinesis Data Analytics to process the data stream and block traffic to/from the suspicious instance by updating the security group so that it has no inbound and outbound rules

59 / 65

59. An application that runs on Amazon EC2 instances in a VPC must call an external web service by using TLS (port 443). The EC2 instances run in public subnets.

Which configurations allow the application to function and minimize the exposure of the instances? (Select TWO.)

A) A network ACL with a rule that allows outgoing traffic on port 443

B) A network ACL with rules that allow outgoing traffic on port 443 and incoming traffic on the ephemeral ports

C) A security group with a rule that allows outgoing traffic on port 443

D) A security group with rules that allow outgoing traffic on port 443 and incoming traffic on the ephemeral ports

E) A security group with rules that allow outgoing traffic on port 443 and incoming traffic on port 443

60 / 65

60. A company is deploying a new web application on Amazon EC2 instances. Based on its other web applications, the company anticipates that it will be the target of frequent DDoS attacks.

Which solutions can the company use to protect its application? (Select TWO.)

A) Associate the EC2 instances with a security group that blocks traffic from malicious IP addresses.

B) Use an Elastic Load Balancing (ELB) Application Load Balancer and Auto Scaling group to scale to absorb application layer traffic.

C) Use Amazon Inspector on the EC2 instances to examine incoming traffic and discard malicious traffic.

D) Use Amazon CloudFront and AWS WAF to prevent malicious traffic from reaching the application.

E) Enable Amazon GuardDuty to block malicious traffic from reaching the application.

61 / 65

61. A corporation manages distinct AWS accounts for its diverse business divisions. Each account is set up with Amazon GuardDuty to identify potential threats and malicious behavior. Quarterly, a partner security firm produces a comprehensive threat list which it disseminates to all business units.

As a Security Analyst, what strategies would you employ to configure the threat list across all AWS accounts with minimal effort? (Select two)

A) Upload the threat list to an Amazon S3 bucket and share the access with the administrator account

B) Specify an administrator account in GuardDuty and then use the administrator account to invite other AWS accounts to become member accounts. Add the threat list to the administrator account by referencing the S3 object that contains the threat list

C) Upload the threat list to an Amazon S3 bucket and share the access with the organization's delegated administrator for GuardDuty

D) Configure all AWS accounts to be part of AWS Organizations and add the threat list to all members of the organization using AWS Resource Access Manager (RAM)

E) Upload the threat list to an Amazon S3 bucket and trigger an Amazon EventBridge event every time a new threat list is added to the bucket. Define Amazon GuardDuty as a target to EventBridge to automatically configure the threat list to the administrator account in GuardDuty

62 / 65

62. A Security Engineer has been informed that a user’s access key has been found on GitHub. The Engineer must ensure that this access key cannot continue to be used, and must assess whether the access key was used to perform any unauthorized activities. What steps must be taken to perform these tasks?

A) Review the user's IAM permissions and delete any unrecognized or unauthorized resources.

B) Delete the user, review the Amazon CloudWatch logs in all regions, and report the abuse.

C) Delete or rotate the user’s key, review the CloudTrail logs in all regions, and delete any unrecognized or unauthorized resources.

D) Instruct the user to remove the key from the GitHub submission, rotate keys, and re-deploy any instances that were launched.

63 / 65

63. A financial firm is introducing its latest business segments and actively promoting them to partner organizations. These flagship applications are hosted on Amazon EC2 instances. The partner organizations' technology teams require access to these instances to gain firsthand insight into the applications. Access to the EC2 instances will be shared, and non-root SSH access is necessary for the teams.

As a Security Engineer, what steps would you take to prevent an assault on other AWS account resources by blocking access to the EC2 instance metadata service for this specific use case?

A) Configure the instance metadata service on each instance so that users must use Instance Metadata Service Version 2 (IMDSv2). The session-oriented methods will not respond to usual request/response queries

B) Disable the instance metadata service on all the instances

C) Implement local firewall rules using iptables based restrictions on the instances

D) Install intrusion prevention software (IPS) on each instance to disable access to instance metadata

64 / 65

64.

A company is using AWS CloudTrail to log all AWS API activity for all AWS Regions in all of its accounts. The company wants to protect the integrity of the log files in a central location.

Which combination of steps will protect the log files from alteration? (Select TWO.)

A) Create a central Amazon S3 bucket in a dedicated log account. In the member accounts, grant CloudTrail access to write logs to this bucket.

B) Enable AWS Organizations for all AWS accounts. Create an SCP to enable CloudTrail in each member account with logs directed to the central Amazon S3 bucket.

C) Enable server access logging on Amazon S3 buckets.

D) Use AWS Systems Manager Compliance to continually monitor the access policies of Amazon S3 buckets containing CloudTrail logs.

E) Enable AWS Organizations for all AWS accounts. Enable CloudTrail with log file integrity validation while creating an organization trail. Direct logs from this trail to a central Amazon S3 bucket.

65 / 65

65. A Security Engineer must ensure that all API calls are collected across all company accounts, and that they are preserved online and are instantly available for analysis for 90 days. For compliance reasons, this data must be restorable for 7 years. Which steps must be taken to meet the retention needs in a scalable, cost-effective way?

A) Enable AWS CloudTrail logging across all accounts to a centralized Amazon S3 bucket with versioning enabled. Set a lifecycle policy to move the data to Amazon Glacier daily, and expire the data after 90 days.

B) Enable AWS CloudTrail logging across all accounts to S3 buckets. Set a lifecycle policy to expire the data in each bucket after 7 years.

C) Enable AWS CloudTrail logging across all accounts to Glacier. Set a lifecycle policy to expire the data after 7 years.

D) Enable AWS CloudTrail logging across all accounts to a centralized Amazon S3 bucket. Set a lifecycle policy to move the data to Glacier after 90 days, and expire the data after 7 years.

Your score is

The average score is 4%

Exit