The Security team believes that a former employee may have gained unauthorized access to AWS resources sometime in the past 3 months by using an identified access key.What approach would enable the Security team to find out what the former employee may have done within AWS?Read More →
A company has contracted with a third party to audit several AWS accounts.To enable the audit, cross-account IAM roles have been created in each account targeted for audit.The Auditor is having trouble accessing some of the accounts.Which of the following may be causing this problem? (Choose three.)Read More →
A threat assessment has identified a risk whereby an internal employee could exfiltrate sensitive data from production host running inside AWS (Account 1).The threat was documented as follows:Threat description: A malicious actor could upload sensitive data from Server X by configuring credentials for an AWS account (Account 2) they control and uploading data to an Amazon S3 bucket within their control.Server X has outbound internet access configured via a proxy server.Legitimate access to S3 is required so that the application can upload encrypted files to anS3 bucket.Server X is currently using an IAM instance role.The proxy server is not able to inspect any of the server communication due to TLS encryption.Which of the following options will mitigate the threat? (Choose two.)Read More →
A company’s security engineer receives an alert that indicates that an unexpected principal is accessing a company-owned Amazon Simple Queue Service (Amazon SQS) queue.All the company’s accounts are within an organization in AWS Organizations.The security engineer must implement a mitigation solution that minimizes compliance violations and investment in tools that are outside of AWS.What should the security engineer do to meet these requirements?Read More →
A company has deployed workloads in multiple AWS accounts that are all within a single organization in AWS Organizations.The company is using Amazon CloudWatch Logs to implement a new logging solution.The company runs a workload on Amazon EC2 instances that are in an account within the organization.The company has installed the CloudWatch agent on each workload instance and has configured the agent identically on each instance.The configuration specifies that application logs will be forwarded to CloudWatch Logs.The workload VPC has both public and private subnet tiers.The EC2 instances that are in the public subnets have the frontend-instance-role IAM role attached.The EC2 instances that are in the private subnets have the backend-instance-role IAM role attached.The workload uses VPC endpoints to communicate with various AWS services.Recently, log records from instances that use the frontend-instance-role role stopped appearing in CloudWatch Logs.CloudWatch Logs still receives log files from instances that use the backend-instance-role role.Which reason explains why the EC2 instances that use the frontend-instance-role stopped sending logs to CloudWatch Logs?Read More →
A company uses AWS Organizations to manage several AWs accounts.The company processes a large volume of sensitive data.The company uses a serverless approach to microservices.The company stores all the data in either Amazon S3 or Amazon DynamoDB.The company reads the data by using either AWS Lambda functions or container-based services that the company hosts on Amazon Elastic Kubernetes Service (Amazon EKS) on AWS Fargate.The company must implement a solution to encrypt all the data at rest and enforce least privilege data access controls.The company creates an AWS Key Management Service (AWS KMS) customer managed key.What should the company do next to meet these requirements?Read More →
An international company has established a new business entity in South Korea.The company also has established a new AWS account to contain the workload for the South Korean region.The company has set up the workload in the new account in the ap-northeast-2 Region.The workload consists of three Auto Scaling groups of Amazon EC2 instances.All workloads that operate in this Region must keep system logs and application logs for 7 years.A security engineer must implement a solution to ensure that no logging data is lost for each instance during scaling activities.The solution also must keep the logs for only the required period of 7 years.Which combination of steps should the security engineer take to meet these requirements? (Choose three.)Read More →
A Security Administrator is performing a log analysis as a result of a suspected AWS account compromise.The Administrator wants to analyze suspicious AWSCloudTrail log files but is overwhelmed by the volume of audit logs being generated.What approach enables the Administrator to search through the logs MOST efficiently?Read More →
A company is migrating one of its legacy systems from an on-premises data center to AWS.The application server will run on AWS, but the database must remain in the on-premises data center for compliance reasons.The database is sensitive to network latency.Additionally, the data that travels between the on-premises data center and AWS must have IPsec encryption.Which combination of AWS solutions will meet these requirements? (Choose two.)Read More →
A company has an IAM group.All of the IAM users in the group have been assigned a multi-factor authentication (MFA) device and have full access to AmazonS3.The company needs to ensure that users in the group can perform S3 actions only after the users authenticate with MFA.A security engineer must design a solution that accomplishes this goal with the least maintenance overhead.Which combination of actions will meet these requirements? (Choose two.)Read More →
© 2025. Tip2Cloud doesn't offer any real exam questions. All questions & answers were supported by AI.