Security Specialty (Page 7)

A company is using an organization in AWS Organizations that contains 100 accounts.The company has configured trusted access for Amazon GuardDuty to AWS Organizations within the management account.The company has designated a member account to be the GuardDuty administrator for the organization.GuardDuty is working properly and reports findings for the organization in the GaurdDuty console.The company wants a SecOps team to receive real-time email alerts from any GuardDuty finding within the organization that is high severity according the GuardDuty severity levels.Which solution will meet these requirements?Read More →

A Security Engineer creates an Amazon S3 bucket policy that denies access to all users.A few days later, the Security Engineer adds an additional statement to the bucket policy to allow read-only access to one other employee.Even after updating the policy, the employee still receives an access denied message.What is the likely cause of this access denial?Read More →

A company is building an application on AWS that will store sensitive information.The company has a support team with access to the IT infrastructure, including databases.The company’s security engineer must introduce measures to protect the sensitive data against any data breach while minimizing management overhead.The credentials must be regularly rotated.What should the security engineer recommend?Read More →

A company decides to use AWS Key Management Service (AWS KMS) for data encryption operations.The company must create a KMS key and automate the rotation of the key.The company also needs the ability to deactivate the key and schedule the key for deletion.Which solution will meet these requirements?Read More →

A company is hosting multiple applications within a single VPC in its AWS account.The applications are running behind an Application Load Balancer that is associated with an AWS WAF web ACL.The company’s security team has identified that multiple port scans are originating from a specific range of IP addresses on the internet.A security engineer needs to deny access from the offending IP addresses.Which solution will meet these requirements?Read More →

A Solutions Architect is designing a web application that uses Amazon CloudFront, an Elastic Load Balancing Application Load Balancer, and an Auto Scaling group of Amazon EC2 instances.The load balancer and EC2 instances are in the US West (Oregon) region.It has been decided that encryption in transit is necessary by using a customer-branded domain name from the client to CloudFront and from CloudFront to the load balancer.Assuming that AWS Certificate Manager is used, how many certificates will need to be generated?Read More →

A company’s security engineer must record when specific AWS Lambda functions are invoked.The logs must include the AWS principal that invoked the function.External sources and the company’s developers deliver the Lambda function code by using a variety of languages such as Python, Node.js, and Golang.The security engineer has created an AWS CloudTrail trail with default configuration for the AWS account.Which solution will meet these requirements with the LEAST operational overhead?Read More →

An Application team has requested a new AWS KMS master key for use with Amazon S3, but the organizational security policy requires separate master keys for different AWS services to limit blast radius.How can an AWS KMS customer master key (CMK) be constrained to work with only Amazon S3?Read More →

A company hosts business-critical applications on Amazon EC2 instances in a VPC.The VPC uses default DHCP options sets.A security engineer needs to log all DNS queries that internal resources make in the VPC.The security engineer also must create a list of the most common DNS queries over time.Which solution will meet these requirements?Read More →

The InfoSec team has mandated that in the future only approved Amazon Machine Images (AMIs) can be used.How can the InfoSec team ensure compliance with this mandate?Read More →