Security Specialty (Page 22)

A security engineer is responsible for providing secure access to AWS resources for thousands of developers in a company’s corporate identity provider (IdP).The developers access a set of AWS services from their corporate premises using IAM credentials.Due to the volume of requests for provisioning new IAM users, it is taking a long time to grant access permissions.The security engineer receives reports that developers are sharing their IAM credentials with others to avoid provisioning delays.This causes concern about overall security for the security engineer.Which actions will meet the program requirements that address security?Read More →

A security engineer must develop an encryption tool for a company.The company requires a cryptographic solution that supports the ability to perform cryptographic erasure on all resources protected by the key material in 15 minutes or less.Which Aws Key Management Service (AWS KMS) key solution will allow the security engineer to meet these requirements?Read More →

A company provides an AWS account for each of its teams.Members of each team authenticate with AWS by using user accounts in their own team’s account.The company created a project-specific AWS account for collaboration by three or more teams.The company also created a new Amazon S3 bucket inside this new account.There is no S3 bucket policy or S3 ACL.A security engineer must implement a secure solution so that all teams can read objects and write to objects that are stored in the S3 bucket.What should the security engineer do to meet these requirements?Read More →

A company’s security engineer is investigating an Amazon GuardDuty finding for unusual activity for an IAM role.The AWS account has AWS Single Sign-On configured with federation with the company’s on-premises Active Directory domain controller.The security engineer determines that the root cause of the finding is a compromised Active Directory identity on premises.Multiple production workloads are using the IAM role on AWS.The security engineer must mitigate the unauthorized use of the IAM role while minimizing production workload downtime on AWS.Which combination of actions should the security engineer take to meet these requirements? (Choose two.)Read More →

A company wants to prevent SSH access through the use of SSH key pairs for any Amazon Linux 2 Amazon EC2 instances in its AWS account.However, a system administrator occasionally will need to access these EC2 instances through SSH in an emergency.For auditing purposes, the company needs to record any commands that a user runs in an EC2 instance.What should a security engineer do to configure access to these EC2 instances to meet these requirements?Read More →

A company has a web server in the AWS Cloud.The company will store the content for the web server in an Amazon S3 bucket.A security engineer must use an Amazon CloudFront distribution to speed up delivery of the content.None of the files can be publicly accessible from the S3 bucket direct.Which solution will meet these requirements?Read More →

An Amazon API Gateway API invokes an AWS Lambda function that needs to interact with a software-as-a-service (SaaS) platform.A unique client token is generated in the SaaS platform to grant access to the Lambda function.A security engineer needs to design a solution to encrypt the access token at rest and pass the token to the Lambda function at runtime.Which solution will meet these requirements MOST cost-effectively?Read More →

A company has multiple accounts in the AWS Cloud.Users in the developer account need to have access to specific resources in the production account.What is the MOST secure way to provide this access?Read More →

A company has a requirement that no Amazon EC2 security group can allow SSH access from the CIDR block 0.0.0.0/0.The company wants to monitor compliance with this requirement at all times and wants to receive a near-real-time notification if any security group is noncompliant.A security engineer has configured AWS Config and will use the restricted-ssh managed rule to monitor the security groups.What should the security engineer do next to meet these requirements?Read More →

A company plans to move most of its IT infrastructure to AWS.They want to leverage their existing on-premises Active Directory as an identity provider for AWS.Which combination of steps should a Security Engineer take to federate the company’s on-premises Active Directory with AWS? (Choose two.)Read More →