A security engineer is designing an incident response plan to address the risk of a compromised Amazon EC2 instance.The plan must recommend a solution to meet the following requirements:✑ A trusted forensic environment must be provisioned.✑ Automated response processes must be orchestrated.Which AWS services should be included in the plan? (Choose two.)Read More →
A company’s security information events management (SIEM) tool receives new AWS CloudTrail logs from an Amazon S3 bucket that is configured to send all object created event notifications to an Amazon SNS topic.An Amazon SQS queue is subscribed to this SNS topic.The company’s SIEM tool then polls this SQS queue for new messages using an IAM role and fetches new log events from the S3 bucket based on the SQS messages.After a recent security review that resulted in restricted permissions, the SIEM tool has stopped receiving new CloudTrail logs.Which of the following are possible causes of this issue? (Choose three.)Read More →
A company’s director of information security wants a daily email report from AWS that contains recommendations for each company account to meet AWSSecurity best practices.Which solution would meet these requirements?Read More →
A company is using AWS Organizations to manage multiple AWS accounts.The company has an application that allows users to assume the AppUser IAM role to download files from an Amazon S3 bucket that is encrypted with an AWS KMS CMK.However, when users try to access the files in the S3 bucket, they get an access denied error.What should a security engineer do to troubleshoot this error? (Choose three.)Read More →
A company is setting up products to deploy in AWS Service Catalog.Management is concerned that when users launch products, elevated IAM privileges will be required to create resources.How should the company mitigate this concern?Read More →
An organization receives an alert that indicates that an EC2 instance behind an ELB Classic Load Balancer has been compromised.What techniques will limit lateral movement and allow evidence gathering?Read More →
A company is running an application on Amazon EC2 instances in an Auto Scaling group.The application stores logs locally.A security engineer noticed that logs were lost after a scale-in event.The security engineer needs to recommend a solution to ensure the durability and availability of log data.All logs must be kept for a minimum of 1 year for auditing purposes.What should the security engineer recommend?Read More →
A security engineer is designing a solution that will provide end-to-end encryption between clients and Docker containers running in Amazon Elastic ContainerService (Amazon ECS).This solution will also handle volatile traffic patterns.Which solution would have the MOST scalability and LOWEST latency?Read More →
A large government organization is moving to the cloud and has specific encryption requirements.The first workload to move requires that a customer’s data be immediately destroyed when the customer makes that request.Management has asked the security team to provide a solution that will securely store the data, allow only authorized applications to perform encryption and decryption, and allow for immediate destruction of the data.Which solution will meet these requirements?Read More →
A company wants to encrypt data locally while meeting regulatory requirements related to key exhaustion.The encryption key can be no more than 10 days old or encrypt more than 2^16 objects.Any encryption key must be generated on a FIPS-validated hardware security module (HSM).The company is cost-conscious, as it plans to upload an average of 100 objects to Amazon S3 each second for sustained operations across 5 data producers.Which approach MOST efficiently meets the company’s needs?Read More →
© 2025. Tip2Cloud doesn't offer any real exam questions. All questions & answers were supported by AI.