Security Specialty (Page 10)

A company has deployed servers on Amazon EC2 instances in a VPC.External vendors access these servers over the internet.Recently, the company deployed a new application on EC2 instances in a new CIDR range.The company needs to make the application available to the vendors.A security engineer verified that the associated security groups and network ACLs are allowing the required ports in the inbound diction.However, the vendors cannot connect to the application.Which solution will provide the vendors access to the application?Read More →

A global company must mitigate and respond to DDoS attacks at Layers 3, 4 and 7.All of the company’s AWS applications are serverless with static content hosted on Amazon S3 using Amazon CloudFront and Amazon Route 53.Which solution will meet these requirements?Read More →

A recent security audit found that AWS CloudTrail logs are insufficiently protected from tampering and unauthorized access.Which actions must the Security Engineer take to access these audit findings? (Choose three.)Read More →

A company has a VPC that contains a publicly accessible subnet and a privately accessible subnet.Both subnets send network traffic that is destined for the company’s data center through the public internet.The public subnet uses Route Table A, which has a default route for network traffic to travel through the internet gateway of the VPC.The private subnet uses Route Table B, which has a default route for network traffic to travel through a NAT gateway within the VPC.Recently, the company created an AWS Site-to-Site VPN connection to the VPC from one of is data centers.The tunnel s active and is working property between the customer gateway and the virtual private gateway.The CIDR blocks of the VPC and the data center do not overlap.According to a new security policy, all network traffic that originates from the VPC and travels to the data center must not travel across the public internet.A security engineer determines that resources in the public subnet and private subnet are still sending traffic across the public internet to the data center.Which combination of steps will ensure that all network traffic that originates from the VPC will not use the public internet to communicate with the data cantor? (Choose two.)Read More →

A Security Architect has been asked to review an existing security architecture and identity why the application servers cannot successfully initiate a connection to the database servers.The following summary describes the architecture:1.An Application Load Balancer, an internet gateway and a NAT gateway are configured in the pubic subnet.2.Database, application, and web servers are configured on three different private subnets.3.The VPC has two route tables: one for the public subnet and one for all other subnets.The route table for the public subnet has a 0.0.0.0/0 route to the internet gateway.The route table for all other subnets has a 0.0.0.0/0 route to the NAT gateway.All private subnets can route to each other.4.Each subnet has a network ACL implemented that limits all inbound and outbound connectivity to only the required ports and protocols.5.There are 3 Security Groups (SGs): database, application, and web.Each group limits all inbound and outbound connectivity to the minimum required.Which of the following accurately reflects the access control mechanisms the Architect should verify?Read More →

A company has public certificates that are managed by AWS Certificate Manager (ACM).The certificates are either imported certificates or managed certificates from ACM with mixed validation methods.A security engineer needs to design a monitoring solution to provide alerts by email when a certificate is approaching its expiration date.What is the MOST operationally efficient way to meet this requirement?Read More →

A company became aware that one of its access keys was exposed on a code sharing website 11 days ago.A Security Engineer must review all use of the exposed keys to determine the extent of the exposure.The company enabled AWS CloudTrail in all regions when it opened the account.Which of the following will allow the Security Engineer to complete the task?Read More →

Example.com is hosted on Amazon EC2 instance behind an Application Load Balancer (ALB).Third-party host intrusion detection system (HIDS) agents that capture the traffic of the EC2 instance are running on each host.The company must ensure they are using privacy enhancing technologies for users, without losing the assurance the third-party solution offers.What is the MOST secure way to meet these requirements?Read More →

A Website currently runs on Amazon EC2, with mostly static content on the site.Recently, the site was subjected to a DDoS attack, and a Security Engineer was tasked with redesigning the edge security to help mitigate this risk in the future.What are some ways the Engineer could achieve this? (Choose three.)Read More →

A company requires that SSH commands used to access its AWS instance be traceable to the user who executed each command.How should a Security Engineer accomplish this?Read More →