Tip 2 Cloud

Free study guides, practice tests, sample questions

Security Specialty (Page 20)

Which combination of actions should the company take to prevent this threat?

2025-10-08
By: study aws cloud
In: SCS-C01
With: 1 Comment

A company allows users to download its mobile app onto their phones. The app is MQTT based and connects to AWS IoT Core to subscribe to specific client-related topics. Recently, the company discovered that some malicious attackers have been trying to get a Trojan horse onto legitimate mobile phones. The Trojan horse poses as the authentic application and uses a client ID with injected special characters to gain access to topics outside the client’s privilege scope. Which combination of actions should the company take to prevent this threat? (Choose two.)

The company is currently using two identity providers: AWS IAM federated with on-premises Active Directory, and Amazon Cognito user pools for accessing an AWS Cloud application developed by the company. Which combination of actions should the security engineer take to solve this issue?

2025-10-08
By: study aws cloud
In: SCS-C01
With: 1 Comment

An external auditor finds that a company’s user passwords have no minimum length. The company is currently using two identity providers:

  • AWS IAM federated with on-premises Active Directory
  • Amazon Cognito user pools for accessing an AWS Cloud application developed by the company

Which combination of actions should the security engineer take to solve this issue? (Choose two.)

Which combination of steps should the security engineer take to accomplish this?

2025-10-08
By: study aws cloud
In: SCS-C01
With: 1 Comment

A company uses Amazon RDS for MySQL as a database engine for its applications. A recent security audit revealed an RDS instance that is not compliant with company policy for encrypting data at rest. A security engineer at the company needs to ensure that all existing RDS databases are encrypted using server-side encryption and that any future deviations from the policy are detected. Which combination of steps should the security engineer take to accomplish this? (Choose two.)

Which of the following approaches would meet this requirement?

2025-10-08
By: study aws cloud
In: SCS-C01
With: 1 Comment

A Security Engineer must add additional protection to a legacy web application by adding the following HTTP security headers:

  • Content-Security-Policy
  • X-Frame-Options
  • X-XSS-Protection

The Engineer does not have access to the source code of the legacy web application. Which of the following approaches would meet this requirement?

Which solution will meet this requirement with the LEAST effort?

2025-10-08
By: study aws cloud
In: SCS-C01
With: 1 Comment

A company’s public website consists of an Application Load Balancer (ALB), a set of Amazon EC2 instances that run a stateless application behind the ALB, and an Amazon DynamoDB table from which the application reads data. The company is concerned about malicious scanning and DDoS attacks. The company wants to impose a restriction in which each client IP address can read the data only 3 times in any 5-minute period. Which solution will meet this requirement with the LEAST effort?

Which of the following is a valid option for storing SSL/TLS certificates?

2025-10-08
By: study aws cloud
In: SCS-C01
With: 1 Comment

A security engineer is configuring a new website that is named example.com. The security engineer wants to secure communications with the website by requiring users to connect to example.com through HTTPS. Which of the following is a valid option for storing SSL/TLS certificates?

What could be the reason for the noncompliant status?

2025-10-08
By: study aws cloud
In: SCS-C01
With: 1 Comment

A security engineer recently rotated all IAM access keys in an AWS account. The security engineer then configured AWS Config and enabled the following AWS Config managed rules: mfa-enabled-for-iam-console-access, iam-user-mfa-enabled, access-key-rotated, and iam-user-unused-credentials-check. The security engineer notices that all resources are displaying as noncompliant after the IAM GenerateCredentialReport API operation is invoked. What could be the reason for the noncompliant status?

Which solution will meet this requirement with the LEAST administrative overhead?

2025-10-08
By: study aws cloud
In: SCS-C01
With: 1 Comment

A company is using AWS Secrets Manager to manage database credentials that an application uses to access Amazon DocumentDB (with MongoDB compatibility). The company needs to implement automated password rotation. Which solution will meet this requirement with the LEAST administrative overhead?

What is the MOST operationally efficient solution that meets these requirements?

2025-10-08
By: study aws cloud
In: SCS-C01
With: 1 Comment

A company has two applications: Application A and Application B. The applications run in different VPCs in the same account. The account is not part of an organization in AWS Organizations. The company’s development team manages both applications by using AWS CloudFormation. The development team splits into two teams. Now, Team A manages Application A. Team B manages Application B. AWS CloudTrail logs in the account are sent to an Amazon S3 bucket. The company needs to prevent faults in one application from affecting the other application, ensure that teams can access only their own workloads, and send CloudTrail logs to a central S3 bucket. In addition, the company needs granular billing for each application. What is the MOST operationally efficient solution that meets these requirements?

Which policies should the Security Engineer review and modify to resolve this issue?

2025-10-08
By: study aws cloud
In: SCS-C01
With: 1 Comment

An Amazon S3 bucket is encrypted using an AWS KMS CMK. An IAM user is unable to download objects from the S3 bucket using the AWS Management Console; however, other users can download objects from the S3 bucket. Which policies should the Security Engineer review and modify to resolve this issue? (Choose three.)


© 2025. Tip2Cloud doesn't offer any real exam questions. All questions & answers were supported by AI.