Security Specialty (Page 16)

A security engineer received an Amazon GuardDuty alert indicating a finding involving the Amazon EC2 instance that hosts the company’s primary website.TheGuardDuty finding received read:UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.The security engineer confirmed that a malicious actor used API access keys intended for the EC2 instance from a country where the company does not operate.The security engineer needs to deny access to the malicious actor.What is the first step the security engineer should take?Read More →

A company manages multiple AWS accounts using AWS Organizations.The company’s security team notices that some member accounts are not sending AWSCloudTrail logs to a centralized Amazon S3 logging bucket.The security team wants to ensure there is at least one trail configured for all existing accounts and for any account that is created in the future.Which set of actions should the security team implement to accomplish this?Read More →

A company has a VPC with several Amazon EC2 instances behind a NAT gateway.The company’s security policy states that all network traffic must be logged and must include the original source and destination IP addresses.The existing VPC Flow Logs do not include this information.A security engineer needs to recommend a solution.Which combination of steps should the security engineer recommend? (Choose two.)Read More →

An ecommerce website was down for 1 hour following a DDoS attack.Users were unable to connect to the website during the attack period.The ecommerce company’s security team is worried about future potential attacks and wants to prepare for such events.The company needs to minimize downtime in its response to similar attacks in the future.Which steps would help achieve this? (Choose two.)Read More →

A company’s on-premises data center forwards DNS logs to a third-party security incident events management (SIEM) solution that alerts on suspicious behavior.The company wants to introduce a similar capability to its AWS accounts that includes automatic remediation.The company expects to double in size within the next few months.Which solution meets the company’s current and future logging requirements?Read More →

A company has a serverless application for internal users deployed on AWS.The application uses AWS Lambda for the front end and for business logic.TheLambda function accesses an Amazon RDS database inside a VPC.The company uses AWS Systems Manager Parameter Store for storing database credentials.A recent security review highlighted the following issues:✑ The Lambda function has internet access.✑ The relational database is publicly accessible.✑ The database credentials are not stored in an encrypted state.Which combination of steps should the company take to resolve these security issues? (Choose three.)Read More →

A company uses multiple AWS accounts managed with AWS Organizations.Security engineers have created a standard set of security groups for all these.accounts.The security policy requires that these security groups be used for all applications and delegates modification authority to the security team only.A recent security audit found that the security groups are inconsistently implemented across accounts and that unauthorized changes have been made to the security groups.A security engineer needs to recommend a solution to improve consistency and to prevent unauthorized changes in the individual accounts in the future.Which solution should the security engineer recommend?Read More →

A company has multiple departments.Each department has its own AWS account.All these accounts belong to the same organization in AWS Organizations.A large .csv file is stored in an Amazon S3 bucket in the sales department’s AWS account.The company wants to allow users from the other accounts to access the .csv file’s content through the combination of AWS Glue and Amazon Athena.However, the company does not want to allow users from the other accounts to access other files in the same folder.Which solution will meet these requirements?Read More →

A developer reported that AWS CloudTrail was disabled on their account.A security engineer investigated the account and discovered the event was undetected by the current security solution.The security engineer must recommend a solution that will detect future changes to the CloudTrail configuration and send alerts when changes occur.What should the security engineer do to meet these requirements?Read More →

A company’s data lake uses Amazon S3 and Amazon Athena.The company’s security engineer has been asked to design an encryption solution that meets the company’s data protection requirements.The encryption solution must work with Amazon S3 and keys managed by the company.The encryption solution must be protected in a hardware security module that is validated to Federal Information Processing Standards (FIPS) 140-2 Level 3.Which solution meets these requirements?Read More →