Security Specialty (Page 5)

Unapproved changes were previously made to a company’s Amazon S3 bucket.A security engineer configured AWS Config to record configuration changes made to the company’s S3 buckets.The engineer discovers there are S3 configuration changes being made, but no Amazon SNS notifications are being sent.The engineer has already checked the configuration of the SNS topic and has confirmed the configuration is valid.Which combination of steps should the security engineer take to resolve the issue? (Choose two.)Read More →

A company is developing an ecommerce application.The application uses Amazon EC2 instances and an Amazon RDS MySQL database.For compliance reasons, data must be secured in transit and at rest.The company needs a solution that minimizes operational overhead and minimizes cost.Which solution meets these requirements?Read More →

A company is operating an open-source software platform that is internet facing.The legacy software platform no longer receives security updates.The software platform operates using Amazon Route 53 weighted load balancing to send traffic to two Amazon EC2 instances that connect to an Amazon RDS cluster.A recent report suggests this software platform is vulnerable to SQL injection attacks, with samples of attacks provided.The company’s Security Engineer must secure this system against SQL injection attacks within 24 hours.The Security Engineer’s solution must involve the least amount of effort and maintain normal operations during implementation.What should the Security Engineer do to meet these requirements?Read More →

A company’s Developers plan to migrate their on-premises applications to Amazon EC2 instances running Amazon Linux AMIs.The applications are accessed by a group of partner companies.The Security Engineer needs to implement the following host-based security measures for these instances:✑ Block traffic from documented known bad IP addresses.✑ Detect known software vulnerabilities and CIS Benchmarks compliance.Which solution addresses these requirements?Read More →

Auditors for a health care company have mandated that all data volumes be encrypted at rest.Infrastructure is deployed mainly via AWS CloudFormation; however, third-party frameworks and manual deployment are required on some legacy systems.What is the BEST way to monitor, on a recurring basis, whether all EBS volumes are encrypted?Read More →

A Development team has built an experimental environment to test a simple static web application.It has built an isolated VPC with a private and a public subnet.The public subnet holds only an Application Load Balancer, a NAT gateway, and an internet gateway.The private subnet holds all of the Amazon EC2 instances.There are 3 different types of servers.Each server type has its own Security Group that limits access to only required connectivity.The Security Groups have both inbound and outbound rules applied.Each subnet has both inbound and outbound network ACLs applied to limit access to only required connectivity.Which of the following should the team check if a server cannot establish an outbound connection to the internet? (Choose three.)Read More →

A company wants to encrypt the private network between its on-premises environment and AWS.The company also wants a consistent network experience for its employees.What should the company do to meet these requirements?Read More →

A company plans to use custom AMIs to launch Amazon EC2 instances across multiple AWS accounts in a single Region to perform security monitoring and analytics tasks.The EC2 instances are launched in EC2 Auto Scaling groups.To increase the security of the solution, a Security Engineer will manage the lifecycle of the custom AMIs in a centralized account and will encrypt them with a centrally managed AWS KMS CMK.The Security Engineer configured the KMS key policy to allow cross-account access.However, the EC2 instances are still not being properly launched by the EC2 Auto Scaling groups.Which combination of configuration steps should the Security Engineer take to ensure the EC2 Auto Scaling groups have been granted the proper permissions to execute tasks?Read More →

An organization wants to log all AWS API calls made within all of its AWS accounts, and must have a central place to analyze these logs.What steps should be taken to meet these requirements in the MOST secure manner? (Choose two.)Read More →

A company has multiple AWS accounts that are part of AWS Organizations.The company’s Security team wants to ensure that even those Administrators with full access to the company’s AWS accounts are unable to access the company’s Amazon S3 buckets.How should this be accomplished?Read More →