An organizational must establish the ability to delete an AWS KMS Customer Master Key (CMK) within a 24-hour timeframe to keep it from being used for encrypt or decrypt operations.Which of the following actions will address this requirement?Read More →
A company finds that one of its Amazon EC2 instances suddenly has a high CPU usage.The company does not know whether the EC2 instance is compromised or whether the operating system is performing background cleanup.Which combination of steps should a security engineer take before investigating the issue? (Choose three.)Read More →
A company is observing frequent bursts of unusual traffic to its corporate website.The IP address ranges that inflate the requests keep changing, and the volumes of traffic are increasing.A security engineer needs to implement a solution to protect the website from a potential DDoS attack.The solution must rack the rate of requests from IP addresses.When the requests from a particular IP address exceed a specific rate, the solution must limit the amount of traffic that can reach the website from that IP address.Which solution will meet these requirements?Read More →
A company’s security engineer has configured a client account to capture AWS CloudTrail logs that are then sent to an Amazon S3 bucket.The S3 bucket that stores these CloudTrail logs has always been configured to use AWS Key Management Service (AWS KMS) with the default KMS key (aws/s3) for encryption.Recently, the company changed the key on the S3 bucket to a new KMS key.Since the modification of the bucket key, the security engineer cannot retrieve new CloudTrail log files that are written to the S3 bucket.The security engineer receives the following error message: “An error occurred (AccessDenied) when calling the GetObject operation: Access Denied”.Log files that were written to the S3 bucket before the bucket key was changed are still accessible.The company used the new KMS key to encrypt other S3 buckets, and the same error is occurring with those S3 buckets.What is the MOST likely cause of this error?Read More →
A company’s public Application Load Balancer (ALB) recently experienced a DDoS attack.To mitigate this issue.the company deployed Amazon CloudFront in front of the ALB so that users would not directly access the Amazon EC2 instances behind the ALB.The company discovers that some traffic is still coming directly into the ALB and is still being handled by the EC2 instances.Which combination of steps should the company take to ensure that the EC2 instances will receive traffic only from CloudFront? (Choose two.)Read More →
A company’s security team needs to receive a notification whenever an AWS access key has not been rotated in 90 or more days.A security engineer must develop a solution that provides these notifications automatically.Which solution will meet these requirements with the LEAST amount of effort?Read More →
A company is using Amazon Macie, AWS Firewall Manager, Amazon Inspector, and AWS Shield Advanced in its AWS account.The company wants to receive alerts if a DDoS attack occurs against the account.Which solution will meet this requirement?Read More →
A company recently adopted new compliance standards that require all user actions in AWS to be logged.The user actions must be logged for all accounts that belong to an organization in AWS Organizations.The company needs to set alarms that respond when specified actions occur.The alarms must forward alerts to an email distribution list.The alerts must occur in as close to real time as possible.Which solution will meet these requirements?Read More →
A company wants to use AWS Systems Manager Patch Manager to patch Amazon EC2 instances that run Amazon Linux 2.The EC2 instances are running in a single AWS account.No internet connectivity is allowed from any EC2 instances in the account.A security engineer has configured the relevant settings in Patch Manager.The security engineer now needs to ensure that the EC2 instances can connect to the Systems Manager endpoint.Which combination of steps must the security engineer take to meet these requirements? (Choose three.)Read More →
A company is attempting to conduct forensic analysis on an Amazon EC2 instance, but the company is unable to connect to the instance by using AWS Systems Manager Session Manager.The company has installed AWS Systems Manager Agent (SSM Agent) on the EC2 instance.The EC2 instance is in a subnet in a VPC that does not have an internet gateway attached.The company has associated a security group with the EC2 instance.The security group does not have inbound or outbound rules.The subnet’s network ACL allows all inbound and outbound traffic.Which combination of actions will allow the company to conduct forensic analysis on the EC2 instance without compromising forensic data? (Choose three.)Read More →
© 2025. Tip2Cloud doesn't offer any real exam questions. All questions & answers were supported by AI.