A security engineer is designing an incident response plan to address the risk of a compromised Amazon EC2 instance.The plan must recommend a solution to meet the following requirements:✑ A trusted forensic environment must be provisioned.✑ Automated response processes must be orchestrated.Which AWS services should be included in the plan? (Choose two.)Read More →
An application uses Amazon Cognito to manage end users’ permissions when directly accessing AWS resources, including Amazon DynamoDB.A new feature request reads as follows:Provide a mechanism to mark customers as suspended pending investigation or suspended permanently.Customers should still be able to log in when suspended, but should not be able to make changes.The priorities are to reduce complexity and avoid potential for future security issues.Which approach will meet these requirements and priorities?Read More →
A company has five AWS accounts and wants to use AWS CloudTrail to log API calls.The log files must be stored in an Amazon S3 bucket that resides in a new account specifically built for centralized services with a unique top-level prefix for each trail.The configuration must also enable detection of any modification to the logs.Which of the following steps will implement these requirements? (Choose three.)Read More →
An Amazon EC2 instance is part of an EC2 Auto Scaling group that is behind an Application Load Balancer (ALB).It is suspected that the EC2 instance has been compromised.Which steps should be taken to investigate the suspected compromise? (Choose three.)Read More →
A Developer who is following AWS best practices for secure code development requires an application to encrypt sensitive data to be stored at rest, locally in the application, using AWS KMS.What is the simplest and MOST secure way to decrypt this data when required?Read More →
Some highly sensitive analytics workloads are to be moved to Amazon EC2 hosts.Threat modeling has found that a risk exists where a subnet could be maliciously or accidentally exposed to the internet.Which of the following mitigations should be recommended?Read More →
An organization has three applications running on AWS, each accessing the same data on Amazon S3.The data on Amazon S3 is server-side encrypted by using an AWS KMS Customer Master Key (CMK).What is the recommended method to ensure that each application has its own programmatic access control permissions on the KMS CMK?Read More →
A Systems Engineer is troubleshooting the connectivity of a test environment that includes a virtual security appliance deployed inline.In addition to using the virtual security appliance, the Development team wants to use security groups and network ACLs to accomplish various security requirements in the environment.What configuration is necessary to allow the virtual security appliance to route the traffic?Read More →
A company runs an application on AWS that needs to be accessed only by employees.Most employees work from the office, but others work remotely or travel.How can the Security Engineer protect this workload so that only employees can access it?Read More →
For compliance reasons, an organization limits the use of resources to three specific AWS regions.It wants to be alerted when any resources are launched in unapproved regions.Which of the following approaches will provide alerts on any resources launched in an unapproved region?Read More →
© 2026. Tip2Cloud doesn't offer any real exam questions. All questions & answers were supported by AI.