Tip 2 Cloud

Free study guides, practice tests, sample questions

Security Specialty (Page 21)

How should the Security Engineer do this?

2025-10-08
By: study aws cloud
In: SCS-C01
With: 1 Comment

A company’s Information Security team wants to analyze Amazon EC2 performance and utilization data in near-real time for anomalies. A Security Engineer is responsible for log aggregation. The Engineer must collect logs from all of the company’s AWS accounts in a centralized location to perform the analysis. How should the Security Engineer do this?

What is the simplest and MOST effective way to protect the content?

2025-10-08
By: study aws cloud
In: SCS-C01
With: 1 Comment

A company uses HTTP Live Streaming (HLS) to stream live video content to paying subscribers by using Amazon CloudFront. HLS splits the video content into chunks so that the user can request the right chunk based on different conditions. Because the video events last for several hours, the total video is made up of thousands of chunks. The origin URL is not disclosed, and every user is forced to access the CloudFront URL. The company has a web application that authenticates the paying users against an internal repository and a CloudFront key pair that is already issued. What is the simplest and MOST effective way to protect the content?

Which combination of steps should the security team take so that the automation can capture EC2 forensic evidence in all AWS accounts in the organization?

2025-10-08
By: study aws cloud
In: SCS-C01
With: 1 Comment

A company has an organization in AWS Organizations. The company’s security team is developing automation to capture Amazon EC2 forensic evidence within any AWS account in the organization. The company has encrypted the Amazon Elastic Block Store (Amazon EBS) volumes of all the EC2 instances in the organization by default by using the AWS managed key. The automation consists of AWS Lambda functions and AWS Step Functions state machines. The automation assumes an IAM role in the target AWS account. The automation takes snapshots of suspicious EC2 instances and assigns permissions to allow the security team’s account to copy the snapshots. The security team has an AWS Key Management Service (AWS KMS) key to encrypt the snapshots. During testing, the automation fails to copy the snapshots into the security team’s AWS account. Which combination of steps should the security team take so that the automation can capture EC2 forensic evidence in all AWS accounts in the organization? (Choose three.)

What is the MOST scalable solution that meets these requirements?

2025-10-08
By: study aws cloud
In: SCS-C01
With: 1 Comment

A healthcare company has multiple AWS accounts in an organization in AWS Organizations. The company uses Amazon S3 buckets to store sensitive information of patients. The company needs to restrict users from deleting any S3 bucket across the organization. What is the MOST scalable solution that meets these requirements?

Which solutions could a security engineer use to meet these requirements?

2025-10-08
By: study aws cloud
In: SCS-C01
With: 1 Comment

A company has an application that processes personally identifiable information (PII). The application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The company’s security policies require that data is encrypted in transit at all times to avoid the possibility of exposing any PII in plaintext. Which solutions could a security engineer use to meet these requirements? (Choose two.)

What should the security engineer do to view the Kubernetes events from Amazon CloudWatch?

2025-10-08
By: study aws cloud
In: SCS-C01
With: 1 Comment

A company uses AWS Organizations and has Amazon Elastic Kubernetes Service (Amazon EKS) clusters in many AWS accounts. A security engineer integrates Amazon EKS with AWS CloudTrail. The CloudTrail trails are stored in an Amazon S3 bucket in each account to monitor API calls. The security engineer observes that CloudTrail logs are not displaying Kubernetes pod creation events. What should the security engineer do to view the Kubernetes events from Amazon CloudWatch?

How should a security engineer share the HSM that is hosted in the central account with the new dedicated account?

2025-10-07
By: study aws cloud
In: SCS-C01
With: 1 Comment

A company uses AWS Organizations. The company has teams that use an AWS CloudHSM hardware security module (HSM) that is hosted in a central AWS account. One of the teams creates its own new dedicated AWS account and wants to use the HSM that is hosted in the central account. How should a security engineer share the HSM that is hosted in the central account with the new dedicated account?

What else should the security engineer check to determine why the request from the EC2 instance is failing?

2025-10-07
By: study aws cloud
In: SCS-C01
With: 1 Comment

A company has configured a gateway VPC endpoint in a VPC. Only Amazon EC2 instances that reside in a single subnet in the VPC can use the endpoint. The company has modified the route table for this single subnet to route traffic to Amazon S3 through the gateway VPC endpoint. The VPC provides internet access through an internet gateway. A security engineer attempts to use instance profile credentials from an EC2 instance to retrieve an object from the S3 bucket, but the attempt fails. The security engineer verifies that the EC2 instance has an IAM instance profile with the correct permissions to access the S3 bucket and to retrieve objects. The security engineer also verifies that the S3 bucket policy is allowing access properly. Additionally, the security engineer verifies that the EC2 instance’s security group and the subnet’s network ACLs allow the communication. What else should the security engineer check to determine why the request from the EC2 instance is failing?

Which solution will meet these requirements?

2025-10-07
By: study aws cloud
In: SCS-C01
With: 1 Comment

A company has a single-page application (SPA) that is served by Amazon CloudFront. An Amazon S3 bucket is the origin of the CloudFront distribution. The company is using Amazon Cognito for authentication. An external security review reveals that unauthenticated users can download the application source code from the SPA in index.html and view internal details of the SPA. A security engineer needs to implement a solution to avoid exposing the source code to unauthenticated users. Which solution will meet these requirements?

Which set of actions will identify the suspect attacker’s IP address for future occurrences?

2025-10-07
By: study aws cloud
In: SCS-C01
With: 1 Comment

A company’s web application is hosted on Amazon EC2 instances running behind an Application Load Balancer (ALB) in an Auto Scaling group. An AWS WAF web ACL is associated with the ALB. AWS CloudTrail is enabled, and stores logs in Amazon S3 and Amazon CloudWatch Logs. The Operations team has observed some EC2 instances reboot at random. After rebooting, all access logs on the instances have been deleted. During an investigation, the Operations team found that each reboot happened just after a PHP error occurred on the new-user-creation.php file. The Operations team needs to view log information to determine if the company is being attacked. Which set of actions will identify the suspect attacker’s IP address for future occurrences?

© 2025. Tip2Cloud doesn't offer any real exam questions. All questions & answers were supported by AI.