Security Specialty (Page 35)

An Amazon EC2 instance is denied access to a newly created AWS KMS CMK used for decrypt actions.The environment has the following configuration:✑ The instance is allowed the kms:Decrypt action in its IAM role for all resources✑ The AWS KMS CMK status is set to enabled✑ The instance can communicate with the KMS API using a configured VPC endpointWhat is causing the issue?Read More →

A company has enabled Amazon GuardDuty in all Regions as part of its security monitoring strategy.In one of the VPCs, the company hosts an Amazon EC2 instance working as an FTP server that is contacted by a high number of clients from multiple locations.This is identified by GuardDuty as a brute force attack due to the high number of connections that happen every hour.The finding has been flagged as a false positive.However, GuardDuty keeps raising the issue.A Security Engineer has been asked to improve the signal-to-noise ratio.The Engineer needs to ensure that changes do not compromise the visibility of potential anomalous behavior.How can the Security Engineer address the issue?Read More →

What are the MOST secure ways to protect the AWS account root user of a recently opened AWS account? (Choose two.)Read More →

A company has a requirement that none of its Amazon RDS resources can be publicly accessible.A security engineer needs to set up monitoring for this requirement and must receive a near-real-time notification if any RDS resource is noncompliant.Which combination of steps should the security engineer take to meet these requirements? (Choose three.)Read More →

A company is developing a mobile shopping web app.The company needs an environment that is configured to encrypt all resources in transit and at rest.A security engineer must develop a solution that will encrypt traffic in transit to the company’s Application Load Balancer and Amazon API Gateway resources.The solution also must encrypt traffic at rest for Amazon S3 storage.What should the security engineer do to meet these requirements?Read More →

While analyzing a company’s security solution, a Security Engineer wants to secure the AWS account root user.What should the Security Engineer do to provide the highest level of security for the account?Read More →

A security engineer is configuring a mechanism to send an alert when three or more failed sign-in attempts to the AWS Management Console occur during a 5-minute period.The security engineer creates a trail in AWS CloudTrail to assist in this work.Which solution will meet these requirements?Read More →

A Security Engineer is building a Java application that is running on Amazon EC2.The application communicates with an Amazon RDS instance and authenticates with a user name and password.Which combination of steps can the Engineer take to protect the credentials and minimize downtime when the credentials are rotated? (Choose two.)Read More →

A company hosts an end user application on AWS.Currently, the company deploys the application on Amazon EC2 instances behind an Elastic Load Balancer.The company wants to configure end-to-end encryption between the Elastic Load Balancer and the EC2 instances.Which solution will meet this requirement with the LEAST operational effort?Read More →

For compliance reasons, a Security Engineer must produce a weekly report that lists any instance that does not have the latest approved patches applied.TheEngineer must also ensure that no system goes more than 30 days without the latest approved updates being applied.What would be the MOST efficient way to achieve these goals?Read More →