A security engineer for a company wants to maintain all IAM users and roles according to the principle of least privilege.The security engineer plans to audit the IAM permissions once every 365 days.The security engineer must view the permissions that each IAM identity used in the last 365 days and must remove any unused permissions.Which solution will meet these requirements?Read More →
A security engineer is trying to use Amazon EC2 Image Builder to create an image of an EC2 instance.The security engineer has configured the pipeline to send logs to an Amazon S3 bucket.When the security engineer runs the pipeline, the build fails with the following error: “AccessDenied: Access Denied status code: 403”.The security engineer must resolve the error by implementing a solution that complies with best practices for least privilege access.Which combination of steps will meet these requirements? (Choose two.)Read More →
An organization wants to be alerted when an unauthorized Amazon EC2 instance in its VPC performs a network port scan against other instances in the VPC.When the Security team performs its own internal tests in a separate account by using pre-approved third-party scanners from the AWS Marketplace, the Security team also then receives multiple Amazon GuardDuty events from Amazon CloudWatch alerting on its test activities.How can the Security team suppress alerts about authorized security tests while still receiving alerts about the unauthorized activity?Read More →
A large company has hundreds of AWS accounts.The company needs to provide its employees with access to these accounts.The solution must maximize scalability and operational efficiency.Which solution meets these requirements?Read More →
A company needs to provide digital evidence to a security engineer for analysis.The evidence must be encrypted and the immutability of the source data must be maintained.What is the MOST secure solution that meets these requirements?Read More →
A user is implementing a third-party web application on an Amazon EC2 instance.All client communications must be over HTTPS, and traffic must be terminated before it reaches the instance.Communication to the instance must be over port 80.Company policy requires that workloads reside in private subnets.Which solution meets these requirements?Read More →
A company uses AWS CodePipeline for its software builds.Company policy mandates that code must be deployed to the staging environment before it is deployed to the production environment.The company needs to implement monitoring and alerting to detect when a CodePipeline pipeline is used to deploy code to production without the code first being deployed to staging.What should a security engineer do to meet these requirements?Read More →
A company is running an Amazon RDS for MySQL DB instance in a VPC.The VPC must not send or receive network traffic through the internet.A security engineer wants to use AWS Secrets Manager to rotate the DB instance credentials automatically.Because of a security policy, the security engineer cannot use the standard AWS Lambda function that Secrets Manager provides to rotate the credentials.The security engineer deploys a custom Lambda function in the VPC.The custom Lambda function will be responsible for rotating the secret in Secrets Manager.The security engineer edits the DB instance’s security group to allow connections from this function.When the function is invoked, the function cannot communicate with Secrets Manager to rotate the secret properly.What should the security engineer do so that the function can rotate the secret?Read More →
An application is running on an Amazon EC2 instance that has an IAM role attached.The IAM role provides access to an AWS Key Management Service (AWSKMS) customer managed key and an Amazon S3 bucket.A security engineer discovers a potential vulnerability on the EC2 instance that could result in the compromise of the sensitive data.Due to other critical operations, the security engineer cannot immediately shut down the EC2 instance for vulnerability patching.What is the FASTEST way to prevent the sensitive data from being exposed?Read More →
A company runs a cron job on an Amazon EC2 instance on a predefined schedule.The cron job calls a bash script that encrypts a 2 KB file.A security engineer creates an AWS Key Management Service (AWS KMS) CMK with a key policy.The key policy and the EC2 instance role have the necessary configuration for this job.Which process should the bash script use to encrypt the file?Read More →
© 2025. Tip2Cloud doesn't offer any real exam questions. All questions & answers were supported by AI.