A company deployed Amazon GuardDuty in the us-east-1 Region.The company wants all DNS logs that relate to the company’s Amazon EC2 instances to be inspected.What should a security engineer do to ensure that the EC2 instances are logged?Read More →
A company that builds document management systems recently performed a security review of its application on AWS.The review showed that uploads of documents through signed URLs into Amazon S3 could occur in the application without encryption in transit.A security engineer must implement a solution that prevents uploads that are not encrypted in transit.Which solution will meet this requirement?Read More →
A company uses Amazon EC2 Linux instances in the AWS Cloud.A member of the company’s security team recently received a report about common vulnerability identifiers on the instances.A security engineer needs to verify patching and perform remediation if the instances do not have the correct patches installed.The security engineer must determine which EC2 instances are at risk and must implement a solution to automatically update those instances with the applicable patches.What should the security engineer do to meet these requirements?Read More →
A company is attempting to conduct forensic analysis on an Amazon EC2 instance, but the company is unable to connect to the instance by using AWS Systems Manager Session Manager.The company has installed AWS Systems Manager Agent (SSM Agent) on the EC2 instance.The EC2 instance is in a subnet in a VPC that does not have an internet gateway attached.The company has associated a security group with the EC2 instance.The security group does not have inbound or outbound rules.The subnet’s network ACL allows all inbound and outbound traffic.Which combination of actions will allow the company to conduct forensic analysis on the EC2 instance without compromising forensic data? (Choose three.)Read More →
A company wants to use AWS Systems Manager Patch Manager to patch Amazon EC2 instances that run Amazon Linux 2.The EC2 instances are running in a single AWS account.No internet connectivity is allowed from any EC2 instances in the account.A security engineer has configured the relevant settings in Patch Manager.The security engineer now needs to ensure that the EC2 instances can connect to the Systems Manager endpoint.Which combination of steps must the security engineer take to meet these requirements? (Choose three.)Read More →
A company recently adopted new compliance standards that require all user actions in AWS to be logged.The user actions must be logged for all accounts that belong to an organization in AWS Organizations.The company needs to set alarms that respond when specified actions occur.The alarms must forward alerts to an email distribution list.The alerts must occur in as close to real time as possible.Which solution will meet these requirements?Read More →
A company is using Amazon Macie, AWS Firewall Manager, Amazon Inspector, and AWS Shield Advanced in its AWS account.The company wants to receive alerts if a DDoS attack occurs against the account.Which solution will meet this requirement?Read More →
A company’s security team needs to receive a notification whenever an AWS access key has not been rotated in 90 or more days.A security engineer must develop a solution that provides these notifications automatically.Which solution will meet these requirements with the LEAST amount of effort?Read More →
A company’s public Application Load Balancer (ALB) recently experienced a DDoS attack.To mitigate this issue.the company deployed Amazon CloudFront in front of the ALB so that users would not directly access the Amazon EC2 instances behind the ALB.The company discovers that some traffic is still coming directly into the ALB and is still being handled by the EC2 instances.Which combination of steps should the company take to ensure that the EC2 instances will receive traffic only from CloudFront? (Choose two.)Read More →
A company’s security engineer has configured a client account to capture AWS CloudTrail logs that are then sent to an Amazon S3 bucket.The S3 bucket that stores these CloudTrail logs has always been configured to use AWS Key Management Service (AWS KMS) with the default KMS key (aws/s3) for encryption.Recently, the company changed the key on the S3 bucket to a new KMS key.Since the modification of the bucket key, the security engineer cannot retrieve new CloudTrail log files that are written to the S3 bucket.The security engineer receives the following error message: “An error occurred (AccessDenied) when calling the GetObject operation: Access Denied”.Log files that were written to the S3 bucket before the bucket key was changed are still accessible.The company used the new KMS key to encrypt other S3 buckets, and the same error is occurring with those S3 buckets.What is the MOST likely cause of this error?Read More →
© 2025. Tip2Cloud doesn't offer any real exam questions. All questions & answers were supported by AI.