Security Specialty (Page 34)

A Systems Engineer has been tasked with configuring outbound mail through Simple Email Service (SES) and requires compliance with current TLS standards.The mail application should be configured to connect to which of the following endpoints and corresponding ports?Read More →

A Security Administrator is restricting the capabilities of company root user accounts.The company uses AWS Organizations and has enabled it for all feature sets, including consolidated billing.The top-level account is used for billing and administrative purposes, not for operational AWS resource purposes.How can the Administrator restrict usage of member root user accounts across the organization?Read More →

After multiple compromises of its Amazon EC2 instances, a company’s Security Officer is mandating that memory dumps of compromised instances be captured for further analysis.A Security Engineer just received an EC2 abuse notification report from AWS stating that an EC2 instance running the most recent WindowsServer 2019 Base AMI is compromised.How should the Security Engineer collect a memory dump of the EC2 instance for forensic analysis?Read More →

The InfoSec team has mandated that in the future only approved Amazon Machine Images (AMIs) can be used.How can the InfoSec team ensure compliance with this mandate?Read More →

A company hosts business-critical applications on Amazon EC2 instances in a VPC.The VPC uses default DHCP options sets.A security engineer needs to log all DNS queries that internal resources make in the VPC.The security engineer also must create a list of the most common DNS queries over time.Which solution will meet these requirements?Read More →

An Application team has requested a new AWS KMS master key for use with Amazon S3, but the organizational security policy requires separate master keys for different AWS services to limit blast radius.How can an AWS KMS customer master key (CMK) be constrained to work with only Amazon S3?Read More →

A company’s security engineer must record when specific AWS Lambda functions are invoked.The logs must include the AWS principal that invoked the function.External sources and the company’s developers deliver the Lambda function code by using a variety of languages such as Python, Node.js, and Golang.The security engineer has created an AWS CloudTrail trail with default configuration for the AWS account.Which solution will meet these requirements with the LEAST operational overhead?Read More →

A Solutions Architect is designing a web application that uses Amazon CloudFront, an Elastic Load Balancing Application Load Balancer, and an Auto Scaling group of Amazon EC2 instances.The load balancer and EC2 instances are in the US West (Oregon) region.It has been decided that encryption in transit is necessary by using a customer-branded domain name from the client to CloudFront and from CloudFront to the load balancer.Assuming that AWS Certificate Manager is used, how many certificates will need to be generated?Read More →

A company is hosting multiple applications within a single VPC in its AWS account.The applications are running behind an Application Load Balancer that is associated with an AWS WAF web ACL.The company’s security team has identified that multiple port scans are originating from a specific range of IP addresses on the internet.A security engineer needs to deny access from the offending IP addresses.Which solution will meet these requirements?Read More →

A company decides to use AWS Key Management Service (AWS KMS) for data encryption operations.The company must create a KMS key and automate the rotation of the key.The company also needs the ability to deactivate the key and schedule the key for deletion.Which solution will meet these requirements?Read More →