Security Specialty (Page 38)

A Security Engineer has been asked to troubleshoot inbound connectivity to a web server.This single web server is not receiving inbound connections from the internet, whereas all other web servers are functioning properly.The architecture includes network ACLs, security groups, and a virtual security appliance.In addition, the Development team has implemented Application LoadBalancers (ALBs) to distribute the load across all web servers.It is a requirement that traffic between the web servers and the internet flow through the virtual security appliance.The Security Engineer has verified the following:1.The rule set in the Security Groups is correct2.The rule set in the network ACLs is correct3.The rule set in the virtual appliance is correctWhich of the following are other valid items to troubleshoot in this scenario? (Choose two.)Read More →

Company A has an AWS account that is named Account A.Company A recently acquired Company B, which has an AWS account that is named Account B.Company B stores its files in an Amazon S3 bucket.The administrators need to give a user from Account A full access to the S3 bucket in Account B.After the administrators adjust the IAM permissions for the user in Account A to access the S3 bucket in Account B, the user still cannot access any files in the S3 bucket.Which solution will resolve this issue?Read More →

During a recent security audit, it was discovered that multiple teams in a large organization have placed restricted data in multiple Amazon S3 buckets, and the data may have been exposed.The auditor has requested that the organization identify all possible objects that contain personally identifiable information (PII) and then determine whether this information has been accessed.What solution will allow the Security team to complete this request?Read More →

A company is designing a solution to serve content from an Amazon CloudFront distribution that will have an Amazon S3 bucket as the origin.A security engineer needs to encrypt S3 data at rest with an AWS Key Management Service (KMS) customer managed key rather than with an S3 managed key.The solution must minimize operational overhead.Which combination of steps should the security engineer take to meet these requirements? (Choose three.)Read More →

A company has a security team that manages its AWS Key Management Service (AWS KMS) CMKs.Members of the security team must be the only ones to administer the CMKs.The company’s application team has a software process that needs temporary access to the CMKS occasionally.The security team must provide the application team’s software process access to the CMKs.Which solution meets these requirements with the LEAST overhead?Read More →

A company operates a web application that runs on Amazon EC2 instances.The application listens on port 80 and port 443.The company uses an Application Load Balancer (ALB) with AWS WAF to terminate SSL and to forward traffic to the application instances only on port 80.The ALB is in public subnets that are associated with a network ACL that is named NACL.The application instances are in dedicated private subnets that are associated with a network ACL that is named NACL2.An Amazon RDS for PostgreSQL DB instance that uses port 5432 is in a dedicated private subnet that is associated with a network ACL that is named NACL3.All the network ACLs currently allow all inbound and outbound traffic.Which set of network ACL changes will increase the security of the application while ensuring functionality?Read More →

A company has deployed a custom DNS server in AWS.The Security Engineer wants to ensure that Amazon EC2 instances cannot use the Amazon-providedDNS.How can the Security Engineer block access to the Amazon-provided DNS in the VPC?Read More →

A Software Engineer wrote a customized reporting service that will run on a fleet of Amazon EC2 instances.The company security policy states that application logs for the reporting service must be centrally collected.What is the MOST efficient way to meet these requirements?Read More →

A Developer’s laptop was stolen.The laptop was not encrypted, and it contained the SSH key used to access multiple Amazon EC2 instances.A SecurityEngineer has verified that the key has not been used, and has blocked port 22 to all EC2 instances while developing a response plan.How can the Security Engineer further protect currently running instances?Read More →

A security engineer needs to ensure their company’s use of AWS meets AWS security best practices.As part of this, the AWS account root user must not be used for daily work.The root user must be monitored for use, and the security team must be alerted as quickly as possible if the root user is used.Which solution meets these requirements?Read More →