Security Specialty (Page 15)

A city is implementing an election results reporting website that will use Amazon CloudFront.The website runs on a fleet of Amazon EC2 instances behind anApplication Load Balancer (ALB) in an Auto Scaling group.Election results are updated hourly and are stored as .pdf files in an Amazon S3 bucket.A security engineer needs to ensure that all external access to the website goes through CloudFront.Which solution meets these requirements?Read More →

A company has a web-based application using Amazon CloudFront and running on Amazon Elastic Container Service (Amazon ECS) behind an Application LoadBalancer (ALB).The ALB is terminating TLS and balancing load across ECS service tasks.A security engineer needs to design a solution to ensure that application content is accessible only through CloudFront and that it is never accessible directly.How should the security engineer build the MOST secure solution?Read More →

A company will store sensitive documents in three Amazon S3 buckets based on a data classification scheme of `Sensitive,` `Confidential,` and `Restricted.` The security solution must meet all of the following requirements:✑ Each object must be encrypted using a unique key.✑ Items that are stored in the `Restricted` bucket require two-factor authentication for decryption.✑ AWS KMS must automatically rotate encryption keys annually.Which of the following meets these requirements?Read More →

A company has a customer master key (CMK) with imported key materials.Company policy requires that all encryption keys must be rotated every year.What can be done to implement the above policy?Read More →

The Security Engineer is managing a web application that processes highly sensitive personal information.The application runs on Amazon EC2.The application has strict compliance requirements, which instruct that all incoming traffic to the application is protected from common web exploits and that all outgoing traffic from the EC2 instances is restricted to specific whitelisted URLs.Which architecture should the Security Engineer use to meet these requirements?Read More →

A security team is responsible for reviewing AWS API call activity in the cloud environment for security violations.These events must be recorded and retained in a centralized location for both current and future AWS regions.What is the SIMPLEST way to meet these requirements?Read More →

A Security Engineer received an AWS Abuse Notice listing EC2 instance IDs that are reportedly abusing other hosts.Which action should the Engineer take based on this situation? (Choose three.)Read More →

An application has been written that publishes custom metrics to Amazon CloudWatch.Recently, IAM changes have been made on the account and the metrics are no longer being reported.Which of the following is the LEAST permissive solution that will allow the metrics to be delivered?Read More →

An application outputs logs to a text file.The logs must be continuously monitored for security incidents.Which design will meet the requirements with MINIMUM effort?Read More →

Developers in an organization have moved from a standard application deployment to containers.The Security Engineer is tasked with ensuring that containers are secure.Which strategies will reduce the attack surface and enhance the security of the containers? (Choose two.)Read More →