Security Specialty (Page 23)

A company has a PHP-based web application that uses Amazon S3 as an object store for user files.The S3 bucket that stores the files is configured for server- side encryption with S3 managed encryption keys (SSE-S3).According to new security requirements, the company must control all encryption keys.Additionally, all objects in the S3 bucket must be encrypted by a key that the company controls.Which combination of steps must a security engineer take to meet these requirements? (Choose three.)Read More →

A company needs to encrypt all of its data stored in Amazon S3.The company wants to use AWS Key Management Service (AWS KMS) to create and manage its encryption keys.The company’s security policies require the ability to import the company’s own key material for the keys, set an expiration date on the keys, and delete keys immediately, if needed.How should a security engineer set up AWS KMS to meet these requirements?Read More →

A Network Load Balancer (NLB) target instance is not entering the InService state.A security engineer determines that health checks are failing.Which factors could cause the health check failures? (Choose three.)Read More →

A company has an application that uses an Amazon RDS PostgreSQL database.The company is developing an application feature that will store sensitive information for an individual in the database.During a security review of the environment, the company discovers that the RDS DB instance is not encrypting data at rest.The company needs a solution that will provide encryption at rest for all the existing data and for any new data that is entered for an individual.Which combination of options can the company use to meet these requirements? (Choose two.)Read More →

A company has thousands of AWS Lambda functions.While reviewing the Lambda functions, a security engineer discovers that sensitive information is being stored in environment variables and is viewable as plaintext in the Lambda console.The values of the sensitive information are only a few characters long.What is the MOST cost-effective way to address this security issue?Read More →

A company released a new software-as-a-service (SaaS) application that is receiving significant adoption by end users.The rds-storage-encrypted AWS Config managed rule generates an alert that notifies the company’s security team about a resource that is not compliant.The noncompliant resource is an Amazon RDS for MySQL database that was deployed as part of the newly released application.How can the security team resolve the noncompliance with the LEAST disruption of application availability for the end users?Read More →

A company has developed a new Amazon RDS database application.The company must secure the RDS database credentials for encryption in transit and encryption at rest.The company also must rotate the credentials automatically on a regular basis.Which solution meets these requirements?Read More →

A company is using Amazon Route 53 Resolver for its hybrid DNS infrastructure.The company has set up Route 53 Resolver forwarding rules for authoritative domains that are hosted on on-premises DNS servers.A new security mandate requires the company to implement a solution to log and query DNS traffic that goes to the on-premises DNS servers.The logs must show details of the source IP address of the instance from which the query originated.The logs also must show the DNS name that was requested in Route 53 Resolver.Which solution will meet these requirements?Read More →

A company has a new AWS account that does not have AWS CloudTrail configured.The account has an IAM access key that was issued by AWS Security TokenService (AWS STS).A security engineer discovers that the IAM access key has been compromised within the last 24 hours.The security engineer must stop the compromised IAM access key from being used.The security engineer also must determine which activities the key has been used for so far.What should the security engineer do to meet these requirements?Read More →

A company hosts a web-based application that captures and stores sensitive data in an Amazon DynamoDB table.The company needs to implement a solution that provides end-to-end data protection and the ability to detect unauthorized data changes.Which solution will meet these requirements?Read More →