Security Specialty (Page 17)

A company is hosting a web application on Amazon EC2 instances behind an Application Load Balancer (ALB).The application has become the target of a DoS attack.Application logging shows that requests are coming from small number of client IP addresses, but the addresses change regularly.The company needs to block the malicious traffic with a solution that requires the least amount of ongoing effort.Which solution meets these requirements?Read More →

A company’s security engineer has been asked to monitor and report all AWS account root user activities.Which of the following would enable the security engineer to monitor and report all root user activities? (Choose two.)Read More →

A public subnet contains two Amazon EC2 instances.The subnet has a custom network ACL.A security engineer is designing a solution to improve the subnet security.The solution must allow outbound traffic to an internet service that uses TLS through port 443.The solution also must deny inbound traffic that is destined forMySQL port 3306.Which network ACL rule set meets these requirements?Read More →

A company wants to protect its website from man-in-the-middle attacks by using Amazon CloudFront.Which solution will meet these requirements with the LEAST operational overhead?Read More →

A company’s application uses Amazon DynamoDB to store data.The company’s security policy requires all data to be encrypted at rest.The security policy also requires the company to use an on-premises hardware security module (HSM) to generate and manage the company’s encryption keys.A security engineer uses the on-premises HSM to generate an encryption key.What should the security engineer do next to meet these requirements?Read More →

A web application gives users the ability to log in, verify their membership’s validity, and browse artifacts that are stored in an Amazon S3 bucket.When a user attempts to download an object, the application must verify the permission to access the object and allow the user to download the object from a custom domain name such as example.com.What is the MOST secure way for a security engineer to implement this functionality?Read More →

An application team is developing an internal application in its AWS account.Employees will use the application to access their employee benefits information.The application has an Amazon S3 bucket that is encrypted with an AWS Key Management Service (AWS KMS) customer managed key.The application team has configured an S3 gateway VPC endpoint for the application to use.During testing, an IAM user is unable to download objects from the S3 bucket by using the AWS Management Console.However, other IAM users in the same AWS account can download objects from the S3 bucket.Which policies or ACL should a security engineer review and modify to resolve this issue? (Choose three.)Read More →

A company’s development team is designing an application using AWS Lambda and Amazon Elastic Container Service (Amazon ECS).The development team needs to create IAM roles to support these systems.The company’s security team wants to allow the developers to build IAM roles directly, but the security team wants to retain control over the permissions the developers can delegate to those roles.The development team needs access to more permissions than those required for application’s AWS services.The solution must minimize management overhead.How should the security team prevent privilege escalation for both teams?Read More →

A security engineer has enabled AWS Security Hub in their AWS account, and has enabled the Center for Internet Security (CIS) AWS Foundations compliance standard.No evaluation results on compliance are returned in the Security Hub console after several hours.The engineer wants to ensure that Security Hub can evaluate their resources for CIS AWS Foundations compliance.Which steps should the security engineer take to meet these requirements?Read More →

A company has two AWS accounts: Account A and Account B.Account A has an IAM role that IAM users in Account B assume when they need to upload sensitive documents to Amazon S3 buckets in Account A.A new requirement mandates that users can assume the role only if they are authenticated with multi-factor authentication (MFA).A security engineer must recommend a solution that meets this requirement with minimum risk and effort.Which solution should the security engineer recommend?Read More →