Security Specialty (Page 4)

A security engineer is creating a new Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster.The cluster will act as a data warehouse.A separate fleet of application servers will extract records from the data warehouse and will transform these records into reports that will be uploaded to Amazon S3 buckets.The security engineer must securely configure the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster so that only the application servers can access it.Which solution meets these requirements?Read More →

A company has implemented centralized logging and monitoring of AWS CloudTrail logs from all Regions in an Amazon S3 bucket.The log files are encrypted using AWS KMS.A security engineer is attempting to review the log files using a third-party tool hosted on an Amazon EC2 instance.The security engineer is unable to access the logs in the S3 bucket and receives an access denied error message.What should the security engineer do to fix this issue?Read More →

A security engineer is analyzing Amazon GuardDuty findings.The security engineer observes an Impact value for ThreatPurpose in a GuardDuty finding.What does this value indicate?Read More →

A company needs a cloud-based, managed desktop solution for its workforce of remote employees.The company wants to ensure that the employees can access the desktops only by using company-provided devices.A security engineer must design a solution that will minimize cost and management overhead.Which solution will meet these requirements?Read More →

A company uses AWS Certificate Manager (ACM) to automate the renewal of SSL/TLS certificates that the company’s Elastic Load Balancers use.The company recently noticed that ACM was unable to automatically renew some certificates.These certificates have a status of “pending validation” in the ACM console.A security engineer configured the certificates by using DNS validation.The security engineer has verified that the existing certificates have not expired.What should the security engineer do to correct this issue?Read More →

A company has recently recovered from a security incident that required the restoration of Amazon EC2 instances from snapshots.After performing a gap analysis of its disaster recovery procedures and backup strategies, the company is concerned that, next time, it will not be able to recover the EC2 instances if the AWS account was compromised and Amazon EBS snapshots were deleted.All EBS snapshots are encrypted using an AWS KMS CMK.Which solution would solve this problem?Read More →

A software-as-a-service (SaaS) company hosts an application on AWS in a VPC.External customers will use the application on their own Amazon EC2 instances.To access the application, the customers need to install a client application on an EC2 instance in a VPC in their AWS accounts.A security engineer is designing a solution to allow communication between the client software and the SaaS application.The solution must maximize scalability and security.Which combination of actions will meet these requirements? (Choose two.)Read More →

A company is using Amazon Elastic Container Service (Amazon ECS) to deploy an application that deals with sensitive data.During a recent security audit, the company identified a security issue in which Amazon RDS credentials were stored with the application code in the company’s source code repository.A security engineer needs to develop a solution to ensure that database credentials are stored securely and rotated periodically.The credentials should be accessible to the application only.The engineer also needs to prevent database administrators from sharing database credentials as plaintext with other teammates.The solution must also minimize administrative overhead.Which solution meets these requirements?Read More →

A company is outsourcing its operational support to an external company.The company’s security officer must implement an access solution for delegating operational support that minimizes overhead.Which approach should the security officer take to meet these requirements?Read More →

A company’s policy requires that all API keys be encrypted and stored separately from source code in a centralized security account.This security account is managed by the company’s security team.However, an audit revealed that an API key is stored with the source code of an AWS Lambda function in an AWSCodeCommit repository in the DevOps account.How should the security team securely store the API key?Read More →