What does this value indicate?
2025-01-07
A security engineer is analyzing Amazon GuardDuty findings.The security engineer observes an Impact value for ThreatPurpose in a GuardDuty finding.What does this value indicate?Read More →
What should the security engineer do to fix this issue?
2025-01-07
A company has implemented centralized logging and monitoring of AWS CloudTrail logs from all Regions in an Amazon S3 bucket.The log files are encrypted using AWS KMS.A security engineer is attempting to review the log files using a third-party tool hosted on an Amazon EC2 instance.The security engineer is unable to access the logs in the S3 bucket and receives an access denied error message.What should the security engineer do to fix this issue?Read More →
Which solution meets these requirements?
2025-01-07
A security engineer is creating a new Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster.The cluster will act as a data warehouse.A separate fleet of application servers will extract records from the data warehouse and will transform these records into reports that will be uploaded to Amazon S3 buckets.The security engineer must securely configure the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster so that only the application servers can access it.Which solution meets these requirements?Read More →
What else does the security engineer need to do to ensure the application will not be exposed directly to the internet, but can still communicate as required?
2025-01-07
A company has a VPC with an IPv6 address range and a public subnet with an IPv6 address block.The VPC currently hosts some public Amazon EC2 instances, but a security engineer needs to migrate a second application into the VPC that also requires IPv6 connectivity.This new application will occasionally make API requests to an external, internet-accessible endpoint to receive updates.However, the security team does not want the application’s EC2 instance exposed directly to the internet.The security engineer intends to create a private subnet with a custom route table and to associate the route table with the private subnet.What else does the security engineer need to do to ensure the application will not be exposed directly to the internet, but can still communicate as required?Read More →
A Security Administrator is configuring an Amazon S3 bucket and must meet the following security requirements:✑ Encryption in transit✑ Encryption at rest✑ Logging of all object retrievals in AWS CloudTrailWhich of the following meet these security requirements?
2025-01-07
A Security Administrator is configuring an Amazon S3 bucket and must meet the following security requirements:✑ Encryption in transit✑ Encryption at rest✑ Logging of all object retrievals in AWS CloudTrailWhich of the following meet these security requirements? (Choose three.)Read More →
Which solution would remediate the audit finding while minimizing the effort required?
2025-01-07
An organization has a system in AWS that allows a large number of remote workers to submit data files.File sizes vary from a few kilobytes to several megabytes.A recent audit highlighted a concern that data files are not encrypted while in transit over untrusted networks.Which solution would remediate the audit finding while minimizing the effort required?Read More →
Which solution will meet these requirements?
2025-01-07
A company is running internal microservices on Amazon Elastic Container Service (Amazon ECS) with the Amazon EC2 launch type.The company is using Amazon Elastic Container Registry (Amazon ECR) private repositories.A security engineer needs to encrypt the private repositories by using AWS Key Management Service (AWS KMS).The security engineer also needs to analyze the container images for any common vulnerabilities and exposures (CVEs).Which solution will meet these requirements?Read More →
Which solution will meet this requirement?
2025-01-07
A company wants to analyze Amazon EC2 performance and utilization data in near real time for anomalies.The information that the company needs to analyze is in application logs.All the EC2 instances currently send logs to Amazon CloudWatch Logs.A security engineer must set up the log aggregation.The security engineer must collect logs from all the company’s AWS accounts into a centralized location to facilitate analysis.Which solution will meet this requirement?Read More →
Which solution will meet this requirement?
2025-01-07
A company has many member accounts in an organization in AWS Organizations.The company is concerned about the potential for misuse of the AWS account root user credentials for member accounts in the organization.To address this potential misuse, the company wants to ensure that even if the account root user credentials are compromised, the account is still protected.Which solution will meet this requirement?Read More →
“Which combination of steps should the security engineer take to remediate this issue?
2025-01-07
A security engineer is configuring AWS Config for an AWS account that uses a new 1AM entity.When the security engineer tries to configure AWS Config rules and automatic remediation options, errors occur.In the AWS CloudTrail logs, the security engineer sees the following error message: “Insufficient delivery policy to s3 bucket: DOC-EXAMPLE-BUCKET, unable to write to bucket, provided s3 key prefix is ‘null’.”Which combination of steps should the security engineer take to remediate this issue? (Choose two.)Read More →