A water utility company uses a number of Amazon EC2 instances to manage updates to a fleet of 2,000 Internet of Things (IoT) field devices that monitor water quality.These devices each have unique access credentials.An operational safety policy requires that access to specific credentials is independently auditable.What is the MOST cost-effective way to manage the storage of credentials?Read More →
A company’s database developer has just migrated an Amazon RDS database credential to be stored and managed by AWS Secrets Manager.The developer has also enabled rotation of the credential within the Secrets Manager console and set the rotation to change every 30 days.After a short period of time, a number of existing applications have failed with authentication errors.What is the MOST likely cause of the authentication errors?Read More →
A Security Engineer is working with the development team to design a supply chain application that stores sensitive inventory data in an Amazon S3 bucket.The application will use an AWS KMS customer master key (CMK) to encrypt the data on Amazon S3.The inventory data on Amazon S3 will be shared of vendors.All vendors will use AWS principals from their own AWS accounts to access the data on Amazon S3.The vendor list may change weekly, and the solution must support cross-account access.What is the MOST efficient way to manage access control for the KMS CMK7?Read More →
A company stores data on an Amazon EBS volume attached to an Amazon EC2 instance.The data is asynchronously replicated to an Amazon S3 bucket.Both the EBS volume and the S3 bucket are encrypted with the same AWS KMS Customer Master Key (CMK).A former employee scheduled a deletion of that CMK before leaving the company.The company’s Developer Operations department learns about this only after the CMK has been deleted.Which steps must be taken to address this situation?Read More →
An application makes calls to AWS services using the AWS SDK.The application runs on Amazon EC2 instances with an associated IAM role.When the application attempts to access an object within an Amazon S3 bucket; the Administrator receives the following error message: HTTP 403: Access Denied.Which combination of steps should the Administrator take to troubleshoot this issue? (Choose three.)Read More →
A company is running its workloads in a single AWS Region and uses AWS Organizations.A security engineer must implement a solution to prevent users from launching resources in other Regions.Which solution will meet these requirements with the LEAST operational overhead?Read More →
An organization wants to deploy a three-tier web application whereby the application servers run on Amazon EC2 instances.These EC2 instances need access to credentials that they will use to authenticate their SQL connections to an Amazon RDS DB instance.Also, AWS Lambda functions must issue queries to the RDS database by using the same database credentials.The credentials must be stored so that the EC2 instances and the Lambda functions can access them.No other access is allowed.The access logs must record when the credentials were accessed and by whom.What should the Security Engineer do to meet these requirements?Read More →
A company has several production AWS accounts and a central security AWS account.The security account is used for centralized monitoring and has IAM privileges to all resources in every corporate account.All of the company’s Amazon S3 buckets are tagged with a value denoting the data classification of their contents.A Security Engineer is deploying a monitoring solution in the security account that will enforce bucket policy compliance.The system must monitor S3 buckets in all production accounts and confirm that any policy change is in accordance with the bucket’s data classification.If any change is out of compliance, the Security team must be notified quickly.Which combination of actions would build the required solution? (Choose three.)Read More →
A company plans to use AWS CodeDeploy to deploy code to multiple Amazon EC2 instances in a VPC at the same time.The company needs to allow the CodeDeploy service to communicate with the instances in the VPC without going through the public internet for CodeDeploy API operations.What should a security engineer do to meet this requirement?Read More →
A company is using Amazon Elastic Container Service (Amazon ECS) to run its container-based application on AWS.The company needs to ensure that the container images contain no severe vulnerabilities.The company also must ensure that only specific IAM roles and specific AWS accounts can access the container images.Which solution will meet these requirements with the LEAST management overhead?Read More →
© 2025. Tip2Cloud doesn't offer any real exam questions. All questions & answers were supported by AI.