A company’s director of information security wants a daily email report from AWS that contains recommendations for each company account to meet AWSSecurity best practices.Which solution would meet these requirements?Read More →
A company’s security information events management (SIEM) tool receives new AWS CloudTrail logs from an Amazon S3 bucket that is configured to send all object created event notifications to an Amazon SNS topic.An Amazon SQS queue is subscribed to this SNS topic.The company’s SIEM tool then polls this SQS queue for new messages using an IAM role and fetches new log events from the S3 bucket based on the SQS messages.After a recent security review that resulted in restricted permissions, the SIEM tool has stopped receiving new CloudTrail logs.Which of the following are possible causes of this issue? (Choose three.)Read More →
A security engineer is designing an incident response plan to address the risk of a compromised Amazon EC2 instance.The plan must recommend a solution to meet the following requirements:✑ A trusted forensic environment must be provisioned.✑ Automated response processes must be orchestrated.Which AWS services should be included in the plan? (Choose two.)Read More →
An application uses Amazon Cognito to manage end users’ permissions when directly accessing AWS resources, including Amazon DynamoDB.A new feature request reads as follows:Provide a mechanism to mark customers as suspended pending investigation or suspended permanently.Customers should still be able to log in when suspended, but should not be able to make changes.The priorities are to reduce complexity and avoid potential for future security issues.Which approach will meet these requirements and priorities?Read More →
A company has five AWS accounts and wants to use AWS CloudTrail to log API calls.The log files must be stored in an Amazon S3 bucket that resides in a new account specifically built for centralized services with a unique top-level prefix for each trail.The configuration must also enable detection of any modification to the logs.Which of the following steps will implement these requirements? (Choose three.)Read More →
An Amazon EC2 instance is part of an EC2 Auto Scaling group that is behind an Application Load Balancer (ALB).It is suspected that the EC2 instance has been compromised.Which steps should be taken to investigate the suspected compromise? (Choose three.)Read More →
A Developer who is following AWS best practices for secure code development requires an application to encrypt sensitive data to be stored at rest, locally in the application, using AWS KMS.What is the simplest and MOST secure way to decrypt this data when required?Read More →
Some highly sensitive analytics workloads are to be moved to Amazon EC2 hosts.Threat modeling has found that a risk exists where a subnet could be maliciously or accidentally exposed to the internet.Which of the following mitigations should be recommended?Read More →
An organization has three applications running on AWS, each accessing the same data on Amazon S3.The data on Amazon S3 is server-side encrypted by using an AWS KMS Customer Master Key (CMK).What is the recommended method to ensure that each application has its own programmatic access control permissions on the KMS CMK?Read More →
A Systems Engineer is troubleshooting the connectivity of a test environment that includes a virtual security appliance deployed inline.In addition to using the virtual security appliance, the Development team wants to use security groups and network ACLs to accomplish various security requirements in the environment.What configuration is necessary to allow the virtual security appliance to route the traffic?Read More →
© 2025. Tip2Cloud doesn't offer any real exam questions. All questions & answers were supported by AI.