Security Specialty (Page 27)

A company needs to implement DNS Security Extensions (DNSSEC) for a specific subdomain.The subdomain is already registered with Amazon Route 53.A security engineer has enabled DNSSEC signing and has created a key-signing key (KSK).When the security engineer tries to test the configuration, the security engineer receives an error for a broken trust chain.What should the security engineer do to resolve this error?Read More →

A company uses Amazon Route 53 to create a public DNS zone for the domain example.com in Account A.The company creates another public DNS zone for the subdomain dev.example.com in Account B.A security engineer creates a wildcard certificate (*.dev.example.com) with DNS validation by using AWS Certificate Manager (ACM).The security engineer validates that the corresponding CNAME records have been created in the zone for dev.example.com in Account B.After all these operations are completed, the certificate status is still pending validation.What should the security engineer do to resolve this issue?Read More →

A company uses AWS Organizations to manage 20 AWS accounts.The company has a new requirement to enforce IAM access key rotation every 90 days.Currently, the company uses the access keys to connect to Amazon EC2 instances.The company uses the organization’s management account to manage the IAM users of all the accounts.A security administrator needs to develop a solution for the key rotation.Which solution will meet these requirements?Read More →

A company wants to store all objects that contain sensitive data in an Amazon S3 bucket.The company will use server-side encryption to encrypt the S3 bucket.The company’s operations team manages access to the company’s S3 buckets.The company’s security team manages access to encryption keys.The company wants to separate the duties of the two teams to ensure that configuration errors by only one of these teams will not compromise the data by granting unauthorized access to plaintext data.Which solution will meet this requirement?Read More →

A company’s security administrator receives an AWS Abuse notification that an IAM user’s access key might be compromised.A legacy application uses the IAM user.The security administrator must remediate the potential compromise with the least possible downtime to the application.Which solution will meet these requirements?Read More →

A company has an encrypted Amazon Aurora DB cluster in the us-east-1 Region.The DB cluster is encrypted with an AWS Key Management Service (AWS KMS) customer managed key.To meet compliance requirements, the company needs to copy a DB snapshot to the us-west-1 Region.However, when the company tries to copy the snapshot to us-west-1, the company cannot access the key that was used to encrypt the original database.What should the company do to set up the snapshot in us-west-1 with proper encryption?Read More →

A security engineer receives a notice from the AWS Abuse team about suspicious activity from a Linux-based Amazon EC2 instance that uses Amazon Elastic Block Store (Amazon EBS)-based storage.The instance is making connections to known malicious addresses.The instance is in a development account within a VPC that is in the us-east-1 Region.The VPC contains an internet gateway and has a subnet in us-east-1a and us-east-1 b.Each subnet is associate with a route table that uses the internet gateway as a default route.Each subnet also uses the default network ACL.The suspicious EC2 instance runs within the us-east-1 b subnet.During an initial investigation, a security engineer discovers that the suspicious instance is the only instance that runs in the subnet.Which response will immediately mitigate the attack and help investigate the root cause?Read More →

A systems engineer deployed containers from several custom-built images that an application team provided through a QA workflow.The systems engineer used Amazon Elastic Container Service (Amazon ECS) with the Fargate launch type as the target platform.The system engineer now needs to collect logs from all containers into an existing Amazon CloudWatch log group.Which solution will meet this requirement?Read More →

A company runs an application on Amazon EC2 instances that run on Amazon Linux 2.The application outputs important information to a custom log file.To support troubleshooting and incident response, new events in the log files must be available to the company’s operations staff within 30 minutes.The operations staff needs a solution to retrieve the latest custom log information without using interactive sessions to connect to the instances.Which solutions will meet these requirements? (Choose two.)Read More →

A security administrator is setting up a new AWS account.The security administrator wants to secure the data that a company stores in an Amazon S3 bucket.The security administrator also wants to reduce the chance of unintended data exposure and the potential for misconfiguration of objects that are in the S3 bucket.Which solution will meet these requirements with the LEAST operational overhead?Read More →