Security Specialty (Page 30)

A company’s on-premises networks are connected to VPCs using an AWS Direct Connect gateway.The company’s on-premises application needs to stream data using an existing Amazon Kinesis Data Firehose delivery stream.The company’s security policy requires that data be encrypted in transit using a private network.How should the company meet these requirements?Read More →

The security engineer implemented a new vault stock policy for 10TB of data and called initiate-vault-lock 12 hours ago.The audit team identified a typo that is allowing incorrect access to the vault.What is the MOST cost-effective way to correct this?Read More →

A company has implemented AWS WAF and Amazon CloudFront for an application.The application runs on Amazon EC2 instances that are part of an AutoScaling group.The Auto Scaling group is behind an Application Load Balancer (ALB).The AWS WAF web ACL uses an AWS Managed Rules rule group and is associated with the CloudFront distribution.CloudFront receives the request from AWSWAF and the uses the ALB as the distribution’s origin.During a security review, a security engineer discovers that the infrastructure is susceptible to a large, layer 7 DDoS attack.How can the security engineer improve the security at the edge of the solution to defend against this type of attack?Read More →

The Development team receives an error message each time the team members attempt to encrypt or decrypt a Secure String parameter from the SSMParameter Store by using an AWS KMS customer managed key (CMK).Which CMK-related issues could be responsible? (Choose two.)Read More →

A development team is using an AWS Key Management Service (AWS KMS) CMK to try to encrypt and decrypt a secure string parameter from AWS SystemsManager Parameter Store.However, the development team receives an error message on each attempt.Which issues that are related to the CMK could be reasons for the error? (Choose two.)Read More →

A company stores images for a website in an Amazon S3 bucket.The company is using Amazon CloudFront to serve the images to the end users.The company recently discovered that the images are being accessed form countries where the company does not have a distribution license.Which actions should the company take to secure the images to limit their distribution? (Choose two.)Read More →

A company wants to monitor the deletion of customer managed CMKs.A security engineer must create an alarm that will notify the company before a CM׀ is deleted.The security engineer has configured the integration of AWS CloudTrail with Amazon CloudWatch.What should the security engineer do next to meet this requirement?Read More →

A company runs a global ecommerce website that is hosted on AWS.The company uses Amazon CloudFront to serve content to its user base.The company wants to block inbound traffic from a specific set of countries to comply with recent data regulation policies.Which solution will meet these requirements MOST cost-effectively?Read More →

An audit determined that a company’s Amazon EC2 instance security group violated company policy by allowing unrestricted incoming SSH traffic.A security engineer must implement a near-real-time monitoring and alerting solution that will notify administrators of such violations.Which solution meets these requirements with the MOST operational efficiency?Read More →

A security engineer receives an AWS abuse email message.According to the message, an Amazon EC2 instance that is running in the security engineer’s AWS account is sending phishing email messages.The EC2 instance is part of an application that is deployed in production.The application runs on many EC2 instances behind an Application Load Balancer.The instances run in an Amazon EC2 Auto Scaling group across multiple subnets and multiple Availability Zones.The instances normally communicate only over the HTTP, HTTPS, and MySQL protocols.Upon investigation, the security engineer discovers that email messages are being sent over port 587.All other traffic is normal.The security engineer must create a solution that contains the compromised EC2 instance, preserves forensic evidence for analysis, and minimizes application downtime.Which combination of steps must the security engineer take to meet these requirements? (Choose three.)Read More →