Security Specialty (Page 36)

A Security Engineer has several thousand Amazon EC2 instances split across production and development environments.Each instance is tagged with its environment.The Engineer needs to analyze and patch all the development EC2 instances to ensure they are not currently exposed to any common vulnerabilities or exposures (CVEs).Which combination of steps is the MOST efficient way for the Engineer to meet these requirements? (Choose two.)Read More →

A security engineer is working for a parent company that provides hosting and services to client companies.The parent company maintains an organization in AWS Organizations for all client company accounts.The parent company adds any new accounts to the organization when the new accounts are created.The parent company currently uses IAM users to administer the client company accounts.As more client accounts are added, the administration of the IAM accounts takes more time.The security engineer must design a solution to reduce the amount of time that the parent company spends on administration and access provisioning for client accounts.Which combination of steps should the security engineer take to meet these requirements? (Choose two.)Read More →

A company has a legacy application that runs on a single Amazon EC2 instance.A security audit shows that the application has been using an IAM access key within its code to access an Amazon S3 bucket that is named DOC-EXAMPLE-BUCKET1 in the same AWS account.This access key pair has the s3:GetObject permission to all objects in only this S3 bucket.The company takes the application offline because the application is not compliant with the company’s security policies for accessing other AWS resources from Amazon EC2.A security engineer validates that AWS CloudTrail is turned on in all AWS Regions.CloudTrail is sending logs to an S3 bucket that is named DOC-EXAMPLE-BUCKET2.This S3 bucket is in the same AWS account as DOC-EXAMPLE-BUCKET1.However, CloudTrail has not been configured to send logs to Amazon CloudWatch Logs.The company wants to know if any objects in DOC-EXAMPLE-BUCKET1 were accessed with the IAM access key in the past 60 days.If any objects were accessed, the company wants to know if any of the objects that are text files (.txt extension) contained personally identifiable information (PII).Which combination of steps should the security engineer take to gather this information? (Choose two.)Read More →

A company is implementing new compliance requirements to meet customer needs.According to the new requirements, the company must not use any Amazon RDS DB instances or DB clusters that lack encryption of the underlying storage.The company needs a solution that will generate an email alert when an unencrypted DB instance or DB cluster is created.The solution also must terminate the unencrypted DB instance or DB cluster.Which solution will meet these requirements in the MOST operationally efficient manner?Read More →

A company’s Security Engineer has been tasked with restricting a contractor’s IAM account access to the company’s Amazon EC2 console without providing access to any other AWS services.The contractor’s IAM account must not be able to gain access to any other AWS service, even if the IAM account is assigned additional permissions based on IAM group membership.What should the Security Engineer do to meet these requirements?Read More →

A company uses an external identity provider to allow federation into different AWS accounts.A security engineer for the company needs to identify the federated user that terminated a production Amazon EC2 instance a week ago.What is the FASTEST way for the security engineer to identify the federated user?Read More →

A company’s application team needs to host a MySQL database on AWS.According to the company’s security policy, all data that is stored on AWS must be encrypted at rest.In addition, all cryptographic material must be compliant with FIPS 140-2 Level 3 validation.The application team needs a solution that satisfies the company’s security requirements and minimizes operational overhead.Which solution will meet these requirements?Read More →

A company wants to control access to its AWS resources by using identities and groups that are defined in its existing Microsoft Active Directory.What must the company create in its AWS account to map permissions for AWS services to Active Directory user attributes?Read More →

An application is currently secured using network access control lists and security groups.Web servers are located in public subnets behind an Application LoadBalancer (ALB); application servers are located in private subnets.How can edge security be enhanced to safeguard the Amazon EC2 instances against attack? (Choose two.)Read More →

A company is storing data in Amazon S3 Glacier.The security engineer implemented a new vault lock policy for 10TB of data and called initiate-vault-lock operation 12 hours ago.The audit team identified a typo in the policy that is allowing unintended access to the vault.What is the MOST cost-effective way to correct this?Read More →