A company is building an application on AWS that will store sensitive information.The company has a support team with access to the IT infrastructure, including databases.The company’s security engineer must introduce measures to protect the sensitive data against any data breach while minimizing management overhead.The credentials must be regularly rotated.What should the security engineer recommend?Read More →
A Security Engineer creates an Amazon S3 bucket policy that denies access to all users.A few days later, the Security Engineer adds an additional statement to the bucket policy to allow read-only access to one other employee.Even after updating the policy, the employee still receives an access denied message.What is the likely cause of this access denial?Read More →
A company is using an organization in AWS Organizations that contains 100 accounts.The company has configured trusted access for Amazon GuardDuty to AWS Organizations within the management account.The company has designated a member account to be the GuardDuty administrator for the organization.GuardDuty is working properly and reports findings for the organization in the GaurdDuty console.The company wants a SecOps team to receive real-time email alerts from any GuardDuty finding within the organization that is high severity according the GuardDuty severity levels.Which solution will meet these requirements?Read More →
A security engineer has been tasked with implementing a solution that allows the company’s development team to have interactive command line access toAmazon EC2 Linux instances using the AWS Management Console.Which steps should the security engineer take to satisfy this requirement maintaining least privilege?Read More →
A company needs its Amazon Elastic Block Store (Amazon EBS) volumes to be encrypted at all times.During a security incident, EBS snapshots of suspicious instances are shared to a forensics account for analysis.A security engineer attempting to share a suspicious EBS snapshot to the forensics account receives the following error:`Unable to share snapshot.An error occurred (OperationNotPermitted) when calling the ModifySnapshotAttribute operation: Encrypted snapshots with EBS default key cannot be shared`Which combination of steps should the security engineer take in the incident account to complete the sharing operation? (Choose three.)Read More →
A company needs its Amazon Elastic Block Store (Amazon EBS) volumes to be encrypted at all times.During a security incident, a security engineer attempts to share a snapshot of a suspicious EBS volume to the company’s forensics account for analysis.The security engineer receives the following error:”Unable to share snapshot: An error occurred (OperationNotPermitted) when calling the ModifySnapshotAttribute operation: Encrypted snapshots with EBS default key cannot be shared.”Which combination of steps should the security engineer take in the incident account to complete the sharing operation? (Choose three.)Read More →
A company has a large number of Amazon S3 buckets and a large number of objects in each S3 bucket.The company’s security team wants to analyze the access patterns for the objects and buckets.These patterns include the most frequently accessed buckets and objects, the largest 100 objects downloaded, and the objects with the longest download time from public IP addresses.The security team wants to view this information in a dashboard that is based on predetermined simple SQL queries.Which combination of AWS services and features should a security engineer use to provide and display the information to the security team? (Choose three.)Read More →
A Security Engineer is defining the logging solution for a newly developed product.Systems Administrators and Developers need to have appropriate access to event log files in AWS CloudTrail to support and troubleshoot the product.Which combination of controls should be used to protect against tampering with and unauthorized access to log files? (Choose two.)Read More →
A Security Architect is evaluating managed solutions for storage of encryption keys.The requirements are:-Storage is accessible by using only VPCs.-Service has tamper-evident controls.-Access logging is enabled.-Storage has high availability.Which of the following services meets these requirements?Read More →
In response to the past DDoS attack experiences, a Security Engineer has set up an Amazon CloudFront distribution for an Amazon S3 bucket.There is concern that some users may bypass the CloudFront distribution and access the S3 bucket directly.What must be done to prevent users from accessing the S3 objects directly by using URLs?Read More →
© 2025. Tip2Cloud doesn't offer any real exam questions. All questions & answers were supported by AI.