Tip 2 Cloud

Learn & move to cloud

SCS-C01 (Page 31)

Which solution will meet these requirements?

2025-01-08
By: study aws cloud
On: January 8, 2025
In: SCS-C01
With: 0 Comments

A team is using AWS Secrets Manager to store an application database password. Only a limited number of IAM principals within the account can have access to the secret. The principals who require access to the secret change frequently. A security engineer must create a solution that maximizes flexibility and scalability. Which solution will meet these requirements?

How should the security team achieve this goal?

2025-01-08
By: study aws cloud
On: January 8, 2025
In: SCS-C01
With: 0 Comments

A company has a strict policy against using root credentials. The company’s security team wants to be alerted as soon as possible when root credentials are used to sign in to the AWS Management Console. How should the security team achieve this goal?

Which set of steps should the software engineering team take?

2025-01-08
By: study aws cloud
On: January 8, 2025
In: SCS-C01
With: 0 Comments

A company hosts a web-based application that captures and stores sensitive data in an Amazon DynamoDB table. A security audit reveals that the application does not provide end-to-end data protection or the ability to detect unauthorized data changes. The software engineering team needs to make changes that will address the audit findings. Which set of steps should the software engineering team take?

How should a Security Engineer accomplish this?

2025-01-08
By: study aws cloud
On: January 8, 2025
In: SCS-C01
With: 0 Comments

A company requires that SSH commands used to access its AWS instance be traceable to the user who executed each command. How should a Security Engineer accomplish this?

What are some ways the Engineer could achieve this?

2025-01-08
By: study aws cloud
On: January 8, 2025
In: SCS-C01
With: 0 Comments

A website currently runs on Amazon EC2, with mostly static content on the site. Recently, the site was subjected to a DDoS attack, and a Security Engineer was tasked with redesigning the edge security to help mitigate this risk in the future. What are some ways the Engineer could achieve this? (Choose three.)

What is the MOST secure way to meet these requirements?

2025-01-08
By: study aws cloud
On: January 8, 2025
In: SCS-C01
With: 0 Comments

Example.com is hosted on Amazon EC2 instances behind an Application Load Balancer (ALB). Third-party host intrusion detection system (HIDS) agents that capture the traffic of the EC2 instance are running on each host. The company must ensure they are using privacy-enhancing technologies for users, without losing the assurance the third-party solution offers. What is the MOST secure way to meet these requirements?

Which of the following will allow the Security Engineer to complete the task?

2025-01-08
By: study aws cloud
On: January 8, 2025
In: SCS-C01
With: 0 Comments

A company became aware that one of its access keys was exposed on a code sharing website 11 days ago. A Security Engineer must review all use of the exposed keys to determine the extent of the exposure. The company enabled AWS CloudTrail in all regions when it opened the account. Which of the following will allow the Security Engineer to complete the task?

What is the MOST operationally efficient way to meet this requirement?

2025-01-08
By: study aws cloud
On: January 8, 2025
In: SCS-C01
With: 0 Comments

A company has public certificates that are managed by AWS Certificate Manager (ACM). The certificates are either imported certificates or managed certificates from ACM with mixed validation methods. A security engineer needs to design a monitoring solution to provide alerts by email when a certificate is approaching its expiration date. What is the MOST operationally efficient way to meet this requirement?

Which of the following accurately reflects the access control mechanisms the Architect should verify?

2025-01-08
By: study aws cloud
On: January 8, 2025
In: SCS-C01
With: 0 Comments

A Security Architect has been asked to review an existing security architecture and identify why the application servers cannot successfully initiate a connection to the database servers. The following summary describes the architecture:

1. An Application Load Balancer, an internet gateway and a NAT gateway are configured in the public subnet.
2. Database, application, and web servers are configured on three different private subnets.
3. The VPC has two route tables: one for the public subnet and one for all other subnets. The route table for the public subnet has a 0.0.0.0/0 route to the internet gateway. The route table for all other subnets has a 0.0.0.0/0 route to the NAT gateway. All private subnets can route to each other.
4. Each subnet has a network ACL implemented that limits all inbound and outbound connectivity to only the required ports and protocols.
5. There are 3 Security Groups (SGs): database, application, and web. Each group limits all inbound and outbound connectivity to the minimum required.

Which of the following accurately reflects the access control mechanisms the Architect should verify?

Which combination of steps will ensure that all network traffic that originates from the VPC will not use the public internet to communicate with the data center?

2025-01-08
By: study aws cloud
On: January 8, 2025
In: SCS-C01
With: 0 Comments

A company has a VPC that contains a publicly accessible subnet and a privately accessible subnet. Both subnets send network traffic that is destined for the company’s data center through the public internet. The public subnet uses Route Table A, which has a default route for network traffic to travel through the internet gateway of the VPC. The private subnet uses Route Table B, which has a default route for network traffic to travel through a NAT gateway within the VPC. Recently, the company created an AWS Site-to-Site VPN connection to the VPC from one of its data centers. The tunnel is active and is working properly between the customer gateway and the virtual private gateway. The CIDR blocks of the VPC and the data center do not overlap. According to a new security policy, all network traffic that originates from the VPC and travels to the data center must not travel across the public internet. A security engineer determines that resources in the public subnet and private subnet are still sending traffic across the public internet to the data center. Which combination of steps will ensure that all network traffic that originates from the VPC will not use the public internet to communicate with the data center? (Choose two.)


© 2025. Tip2Cloud doesn't offer any real exam questions. All questions & answers were supported by AI.