Security Specialty (Page 40)

A company needs to use HTTPS when connecting to its web applications to meet compliance requirements.These web applications run in Amazon VPC onAmazon EC2 instances behind an Application Load Balancer (ALB).A security engineer wants to ensure that the load balancer will only accept connections over port 443, even if the ALB is mistakenly configured with an HTTP listener.Which configuration steps should the security engineer take to accomplish this task?Read More →

A security engineer must use AWS Key Management Service (AWS KMS) to design a key management solution for a set of Amazon Elastic Block Store (AmazonEBS) volumes that contain sensitive data.The solution needs to ensure that the key material automatically expires in 90 days.Which solution meets these criteria?Read More →

A company is running an Amazon RDS Multi-AZ DB instance inside a VPC.The DB instance is using two subnets that provide a default route to the internet through a NAT gateway.The company also has application servers that run on Amazon EC2 instances that use the RDS database.The company has deployed these EC2 instances into two other private subnets within the same VPC.These EC2 instances use a default route to access the internet through the same NAT gateway.Each subnet in the VPC uses its own unique route table.After a recent security audit, the company added a new security requirement.The DB instance must never be able to connect to the internet.A security engineer must make this change immediately without disrupting the application servers’ network traffic.How can the security engineer meet these requirements?Read More →

A Security Engineer is troubleshooting a connectivity issue between a web server that is writing log files to the logging server in another VPC.The Engineer has confirmed that a peering relationship exists between the two VPCs.VPC flow logs show that requests sent from the web server are accepted by the logging server, but the web server never receives a reply.Which of the following actions could fix this issue?Read More →

A Security Engineer accidentally deleted the imported key material in an AWS KMS CMK.What should the Security Engineer do to restore the deleted key material?Read More →

An organization has a multi-petabyte workload that it is moving to Amazon S3, but the CISO is concerned about cryptographic wear-out and the blast radius if a key is compromised.How can the CISO be assured that AWS KMS and Amazon S3 are addressing the concerns? (Choose two.)Read More →

A company’s Chief Security Officer has requested that a Security Analyst review and improve the security posture of each company AWS account.The SecurityAnalyst decides to do this by improving AWS account root user security.Which actions should the Security Analyst take to meet these requirements? (Choose three.)Read More →

A large company wants its Compliance team to audit its Amazon S3 buckets to identify if personally identifiable information (PII) is stored in them.The company has hundreds of S3 buckets and has asked the Security Engineers to scan every bucket.How can this task be accomplished?Read More →

During a manual review of system logs from an Amazon Linux EC2 instance, a Security Engineer noticed that there are sudo commands that were never properly alerted or reported on the Amazon CloudWatch Logs agent.Why were there no alerts on the sudo commands?Read More →

A company has an AWS account and allows a third-party contractor, who uses another AWS account, to assume certain IAM roles.The company wants to ensure that IAM roles can be assumed by the contractor only if the contractor has multi-factor authentication enabled on their IAM user accounts.What should the company do to accomplish this?Read More →