Security Specialty (Page 3)

A company wants to implement host-based security for Amazon EC2 instances and containers in Amazon Elastic Container Registry (Amazon ECR).The company has deployed AWS Systems Manager Agent (SSM Agent) on the EC2 instances.All the company’s AWS accounts are in one organization in AWS Organizations.The company will analyze the workloads for software vulnerabilities and unintended network exposure.The company will push any findings to AWS Security Hub, which the company has configured for the organization.The company must deploy the solution to all member accounts, including new accounts, automatically.When new workloads come online, the solution must scan the workloads.Which solution will meet these requirements?Read More →

A company’s application uses standard tier secure string parameters from AWS Systems Manager Parameter Store.The application is receiving error messages when the company tries to update a parameter.The parameter uses an AWS Key Management Service (AWS KMS) customer managed key for encryption and decryption.What are the reasons for the error messages? (Choose two.)Read More →

A security engineer receives an abuse report email message from the AWS Trust and Safety team.The abuse report identifies a resource that appears to be compromised.The abuse report indicates that the resource is an IAM access key that belongs to a DevOps engineer in the security engineer’s company.The access key is used in a deployment system that uses AWS Lambda functions to launch AWS CloudFormation stacks.The security engineer must address the abuse report, prevent any further use of the exposed access key, and implement security best practices.Which solution will meet these requirements?Read More →

A security engineer is configuring AWS Config for an AWS account that uses a new 1AM entity.When the security engineer tries to configure AWS Config rules and automatic remediation options, errors occur.In the AWS CloudTrail logs, the security engineer sees the following error message: “Insufficient delivery policy to s3 bucket: DOC-EXAMPLE-BUCKET, unable to write to bucket, provided s3 key prefix is ‘null’.”Which combination of steps should the security engineer take to remediate this issue? (Choose two.)Read More →

A company has many member accounts in an organization in AWS Organizations.The company is concerned about the potential for misuse of the AWS account root user credentials for member accounts in the organization.To address this potential misuse, the company wants to ensure that even if the account root user credentials are compromised, the account is still protected.Which solution will meet this requirement?Read More →

A company wants to analyze Amazon EC2 performance and utilization data in near real time for anomalies.The information that the company needs to analyze is in application logs.All the EC2 instances currently send logs to Amazon CloudWatch Logs.A security engineer must set up the log aggregation.The security engineer must collect logs from all the company’s AWS accounts into a centralized location to facilitate analysis.Which solution will meet this requirement?Read More →

A company is running internal microservices on Amazon Elastic Container Service (Amazon ECS) with the Amazon EC2 launch type.The company is using Amazon Elastic Container Registry (Amazon ECR) private repositories.A security engineer needs to encrypt the private repositories by using AWS Key Management Service (AWS KMS).The security engineer also needs to analyze the container images for any common vulnerabilities and exposures (CVEs).Which solution will meet these requirements?Read More →

An organization has a system in AWS that allows a large number of remote workers to submit data files.File sizes vary from a few kilobytes to several megabytes.A recent audit highlighted a concern that data files are not encrypted while in transit over untrusted networks.Which solution would remediate the audit finding while minimizing the effort required?Read More →

A Security Administrator is configuring an Amazon S3 bucket and must meet the following security requirements:✑ Encryption in transit✑ Encryption at rest✑ Logging of all object retrievals in AWS CloudTrailWhich of the following meet these security requirements? (Choose three.)Read More →

A company has a VPC with an IPv6 address range and a public subnet with an IPv6 address block.The VPC currently hosts some public Amazon EC2 instances, but a security engineer needs to migrate a second application into the VPC that also requires IPv6 connectivity.This new application will occasionally make API requests to an external, internet-accessible endpoint to receive updates.However, the security team does not want the application’s EC2 instance exposed directly to the internet.The security engineer intends to create a private subnet with a custom route table and to associate the route table with the private subnet.What else does the security engineer need to do to ensure the application will not be exposed directly to the internet, but can still communicate as required?Read More →