A company hosts a web-based application that captures and stores sensitive data in an Amazon DynamoDB table.A security audit reveals that the application does not provide end-to-end data protection or the ability to detect unauthorized data changes.The software engineering team needs to make changes that will address the audit findings.Which set of steps should the software engineering team take?Read More →
A company has a strict policy against using root credentials.The company’s security team wants to be alerted as soon as possible when root credentials are used to sign in to the AWS Management Console.How should the security team achieve this goal?Read More →
A team is using AWS Secrets Manager to store an application database password.Only a limited number of IAM principals within the account can have access to the secret.The principals who require access to the secret change frequently.A security engineer must create a solution that maximizes flexibility and scalability.Which solution will meet these requirements?Read More →
A company wants to gain better control of its large number of AWS accounts by establishing a centralized location where the accounts can be managed.The company also wants to prevent any users outside the company-owned AWS accounts from accessing a company Amazon S3 bucket.Which solution meets these requirements with the LEAST amount of operational overhead?Read More →
A company uses AWS Organizations to manage a small number of AWS accounts.However, the company plans to add 1,000 more accounts soon.The company allows only a centralized security team to create IAM roles for all AWS accounts and teams.Application teams submit requests for IAM roles to the security team.The security team has a backlog of IAM role requests and cannot review and provision the IAM roles quickly.The security team must create a process that will allow application teams to provision their own IAM roles.The process must also limit the scope of IAM roles and prevent privilege escalation.Which solution will meet these requirements with the LEAST operational overhead?Read More →
A company’s engineering team is developing a new application that creates AWS Key Management Service (AWS KMS) CMK grants for users.Immediately after a grant is created, users must be able to use the CMK to encrypt a 512-byte payload.During load testing, a bug appears intermittently whereAccessDeniedExceptions are occasionally triggered when a user first attempts to encrypt using the CMK.Which solution should the company’s security specialist recommend?Read More →
A company uses Amazon GuardDuty to detect threats and malicious activities in AWS accounts.The company has subscribed to a third-party threat intelligence list uploaded to an Amazon S3 bucket.How should the security engineer efficiently use the threat list across all company AWS accounts?Read More →
A security team is working on a solution that will use Amazon EventBridge (Amazon CloudWatch Events) to monitor new Amazon S3 objects.The solution will monitor for public access and for changes to any S3 bucket policy or setting that result in public access.The security team configures EventBridge to watch for specific API calls that are logged from AWS CloudTrail.EventBridge has an action to send an email notification through Amazon Simple Notification Service (Amazon SNS) to the security team immediately with details of the API call.Specifically, the security team wants EventBridge to watch for the s3:PutObjectAcl, s3:DeleteBucketPolicy, and s3:PutBucketPolicy API invocation logs from CloudTrail.While developing the solution in a single account, the security team discovers that the s3:PutObjectAcl API call does not invoke an EventBridge event.However, the s3:DeleteBucketPolicy API call and the s3:PutBucketPolicy API call do invoke an event.The security team has enabled CloudTrail for AWS management events with a basic configuration in the AWS Region in which EventBridge is being tested.Verification of the EventBridge event pattern indicates that the pattern is set up correctly.The security team must implement a solution so that the s3:PutObjectAcl API call will invoke an EventBridge event.The solution must not generate false notifications.Which solution will meet these requirements?Read More →
A company is running batch workloads that use containers on Amazon Elastic Container Service (Amazon ECS).The company needs a secure solution for storing API keys that are required for integration with external services.The company’s security policy states that API keys must not be stored or transmitted in plaintext.The company’s IT team currently rotates the API keys manually.A security engineer must recommend a solution that meets the security requirements and automates the rotation of the API keysWhich solution should the security engineer recommend?Read More →
A company recently set up Amazon GuardDuty and is receiving a high number of findings from IP addresses within the company.A security engineer has verified that these IP addresses are trusted and allowed.Which combination of steps should the security engineer take to configure GuardDuty so that it does not produce findings for these IP addresses? (Choose two.)Read More →
© 2025. Tip2Cloud doesn't offer any real exam questions. All questions & answers were supported by AI.