A company is undergoing a layer 3 and layer 4 DDoS attack on its web servers running on AWS.Which combination of AWS services and features will provide protection in this scenario? (Choose three.)Read More →
A company plans to create individual child accounts within an existing organization in AWS Organizations for each of its DevOps teams.AWS CloudTrail has been enabled and configured on all accounts to write audit logs to an Amazon S3 bucket in a centralized AWS account.A security engineer needs to ensure thatDevOps team members are unable to modify or disable this configuration.How can the security engineers meet these requirements?Read More →
A company has an application on Amazon EC2 instances that store confidential customer data.The company must restrict access to customer data.A security engineer requires secure access to the instances that host the application.According to company policy, users must not open any inbound ports, maintain bastion hosts, or manage SSH keys for the EC2 instances.The security engineer wants to monitor, store, and access all session activity logs.The logs must be encrypted.Which solution will meet these requirements?Read More →
A company maintains an open-source application that is hosted on a public GitHub repository.While creating a new commit to the repository, an engineer uploaded their AWS access key and secret access keys.The engineer reported the mistake to a manager, and the manager immediately disabled the access key.The company needs to assess the impact of the exposed access key.A security engineer must recommend a solution that requires the least possible managerial overhead.Which solution meets these requirements?Read More →
A company recently deployed a new AWS account and wants to be notified immediately if a specific number of unauthorized AWS API requests are detected.A security engineer has turned on AWS CloudTrail for the account and is sending CloudTrail logs to Amazon CloudWatch.Which other action must the security engineer perform to receive automated alerts about unauthorized AWS API calls?Read More →
A company is using Amazon GuardDuty in its AWS environment.The company asks a security engineer to suspend GuardDuty.Which combination of steps must the security engineer perform to meet this requirement? (Choose two.)Read More →
A company is operating a website using Amazon CloudFront.CloudFront serves some content from Amazon S3 and other content from web servers running onAmazon EC2 instances behind an Application Load Balancer (ALB).Amazon DynamoDB is used as the data store.The company already uses AWS CertificateManager (ACM) to store a public TLS certificate that can optionally secure connections between the website users and CloudFront.The company has a new requirement to enforce end-to-end encryption in transit.Which combination of steps should the company take to meet this requirement? (Choose three.)Read More →
A security engineer configures Amazon S3 Cross-Region Replication (CRR) for all objects that are in an S3 bucket in the us-east-1 Region.Some objects in this S3 bucket use server-side encryption with AWS KMS keys (SSE-KMS) for encryption at rest.The security engineer creates a destination S3 bucket in the us-west-2 Region.The destination S3 bucket is in the same AWS account as the source S3 bucket.The security engineer also creates a customer managed key in us-west-2 to encrypt objects at rest in the destination S3 bucket.The replication configuration is set to use the key in us-west-2 to encrypt objects in the destination S3 bucket.The security engineer has provided the S3 replication configuration with an IAM role to perform the replication in Amazon S3.After a day, the security engineer notices that no encrypted objects from the source S3 bucket are replicated to the destination S3 bucket.However, all the unencrypted objects are replicated.Which combination of steps should the security engineer take to remediate this issue? (Choose three.)Read More →
A company has a single AWS account and uses an Amazon EC2 instance to test application code.The company recently discovered that the instance was compromised.The instance was serving up malware.The analysis of the instance showed that the instance was compromised 35 days ago.A security engineer must implement a continuous monitoring solution that automatically notifies the company’s security team about compromised instances through an email distribution list for high severity findings.The security engineer must implement the solution as soon as possible.Which combination of steps should the security engineer take to meet these requirements? (Choose three.)Read More →
A large company organizes hundreds of AWS accounts in AWS Organizations in Developer, Test, and Production OUs.Developers who have full administrative privileges in their respective accounts use the accounts in the Developer OU.The company wants to allow only certain Amazon EC2 instance types to be used within the Developer OU.How can the company prevent developer accounts from launching unapproved EC2 instance types?Read More →
© 2025. Tip2Cloud doesn't offer any real exam questions. All questions & answers were supported by AI.