A company has two AWS accounts, each containing one VPC. The first VPC has a VPN connection with its corporate network. The second VPC, without a VPN, hosts an Amazon Aurora database cluster in private subnets. Developers manage the Aurora database from a bastion host in a public subnet as shown in the image. A security review has flagged this architecture as vulnerable, and a Security Engineer has been asked to make this design more secure. The company has a short deadline and a second VPN connection to the Aurora account is not possible. How can a Security Engineer securely set up the bastion host?

Move the bastion host to the VPC with VPN connectivity. Create a VPC peering relationship between the bastion host VPC and Aurora VPC.

Create a SSH port forwarding tunnel on the Developer’s workstation to the bastion host to ensure that only authorized SSH clients can access the bastion host.

Move the bastion host to the VPC with VPN connectivity. Create a cross-account trust relationship between the bastion VPC and Aurora VPC, and update the Aurora security group for the relationship.

Create an AWS Direct Connect connection between the corporate network and the Aurora account, and adjust the Aurora security group for this connection.

An organization operates a web application that serves users globally. The application runs on Amazon EC2 instances behind an Application Load Balancer. There is an Amazon CloudFront distribution in front of the load balancer, and the organization uses AWS WAF. The application is currently experiencing a volumetric attack whereby the attacker is exploiting a bug in a popular mobile game. The application is being flooded with HTTP requests from all over the world with the User-Agent setto the following string: Mozilla/5.0 (compatible; ExampleCorp; ExampleGame/1.22; Mobile/1.0)What mitigation can be applied to block attacks resulting from this bug while continuing to servicelegitimate requests?

Create a rule in AWS WAF rules with conditions that block requests based on the presence of ExampleGame/1.22 in the User-Agent header

Create a geographic restriction on the CloudFront distribution to prevent access to the application from most geographic regions

Create a rate-based rule in AWS WAF to limit the total number of requests that the web application services.

Create an IP-based blacklist in AWS WAF to block the IP addresses that are originating from requests that contain ExampleGame/1.22 in the User-Agent header.

Some highly sensitive analytics workloads are to be moved to Amazon EC2 hosts. Threat modeling has found that a risk exists where a subnet could be maliciously or accidentally exposed to the internet. Which of the following mitigations should be recommended?

Use AWS Config to detect whether an Internet Gateway is added and use an AWS Lambda function to provide auto-remediation.

Within the Amazon VPC configuration, mark the VPC as private and disable Elastic IP addresses.

Use IPv6 addressing exclusively on the EC2 hosts, as this prevents the hosts from being accessed from the internet.

Move the workload to a Dedicated Host, as this provides additional network security controls and monitoring.

A Developer who is following AWS best practices for secure code development requires an application to encrypt sensitive data to be stored at rest, locally in the application, using AWS KMS. What is the simplest and MOST secure way to decrypt this data when required?

Store the encrypted data key alongside the encrypted data. Use the Decrypt API to retrieve the data key to decrypt the data when required.

Request KMS to provide the stored unencrypted data key and then use the retrieved data key to decrypt the data.

Keep the plaintext data key stored in Amazon DynamoDB protected with IAM policies. Query DynamoDB to retrieve the data key to decrypt the data

Use the Encrypt API to store an encrypted version of the data key with another customer managed key. Decrypt the data key and use it to decrypt the data when required.

Store the encrypted data key alongside the encrypted data. Use the Decrypt API to retrieve the data key to decrypt the data when required.

An organization receives an alert that indicates that an EC2 instance behind an ELB Classic Load Balancer has been compromised. What techniques will limit lateral movement and allow evidence gathering?

Remove the instance from the load balancer, and shut down access to the instance by tightening the security group.

Remove the instance from the load balancer and terminate it.

Remove the instance from the load balancer, and shut down access to the instance by tightening the security group.

Reboot the instance and check for any Amazon CloudWatch alarms.

Stop the instance and make a snapshot of the root EBS volume.

A Development team has asked for help configuring the IAM roles and policies in a new AWS account. The team using the account expects to have hundreds of master keys and therefore does not want to manage access control for customer master keys (CMKs).Which of the following will allow the team to manage AWS KMS permissions in IAM without the complexity of editing individual key policies?

Newly created CMKs must have a key policy that allows the root principal to perform all actions.

The account’s CMK key policy must allow the account’s IAM roles to perform KMS EnableKey.

Newly created CMKs must have a key policy that allows the root principal to perform all actions.

Newly created CMKs must allow the root principal to perform the kms CreateGrant API operation.

Newly created CMKs must mirror the IAM policy of the KMS key administrator.

An Amazon EC2 instance is part of an EC2 Auto Scaling group that is behind an Application Load Balancer (ALB). It is suspected that the EC2 instance has been compromised. Which steps should be taken to investigate the suspected compromise? (Choose three.)

Initiate an Amazon Elastic Block Store volume snapshot of all volumes on the EC2 instance.

De-register the EC2 instance from the ALB and detach it from the Auto Scaling group.

Attach a security group that has restrictive ingress and egress rules to the EC2 instance.

Detach the elastic network interface from the EC2 instance.

Initiate an Amazon Elastic Block Store volume snapshot of all volumes on the EC2 instance.

Disable any Amazon Route 53 health checks associated with the EC2 instance.

De-register the EC2 instance from the ALB and detach it from the Auto Scaling group.

Attach a security group that has restrictive ingress and egress rules to the EC2 instance.

Add a rule to an AWS WAF to block access to the EC2 instance.

A company has five AWS accounts and wants to use AWS CloudTrail to log API calls. The log files must be stored in an Amazon S3 bucket that resides in a new account specifically built for centralized services with a unique top-level prefix for each trail. The configuration must also enable detection of any modification to the logs.Which of the following steps will implement these requirements? (Choose three.)

Create a new S3 bucket in a separate AWS account for centralized storage of CloudTrail logs, and enable “Log File Validation” on all trails.

Apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the "s3 PutObject" action and the "s3 GelBucketACL" action, and specify the appropriate resource ARNs for the CloudTrail trails.

Configure CloudTrail in the centralized account to log all accounts to the new centralized S3 bucket.

Create a new S3 bucket in a separate AWS account for centralized storage of CloudTrail logs, and enable “Log File Validation” on all trails.

Use an existing S3 bucket in one of the accounts, apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the "s3: PutObject" action and the "s3 GetBucketACL" action, and specify the appropriate resource ARNs for the CloudTrail trails.

Apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the "s3 PutObject" action and the "s3 GelBucketACL" action, and specify the appropriate resource ARNs for the CloudTrail trails.

Use unique log file prefixes for trails in each AWS account.

Configure CloudTrail in the centralized account to log all accounts to the new centralized S3 bucket.

Enable encryption of the log files by using AWS Key Management Service

A Security Engineer is implementing a solution to allow users to seamlessly encrypt Amazon S3 objects without having to touch the keys directly. The solution must be highly scalable without requiring continual management. Additionally, the organization must be able to immediately delete the encryption keys.Which solution meets these requirements?

Use KMS with AWS imported key material and then use the DeletelmportedKeyMaterial API to remove the key material if necessary.

Use AWS KMS with AWS managed keys and the ScheduleKeyDeletion API with a PendingWindowInDays set to 0 to remove the keys if necessary.

Use KMS with AWS imported key material and then use the DeletelmportedKeyMaterial API to remove the key material if necessary.

Use AWS CloudHSM to store the keys and then use the CloudHSM API or the PKCS11 library to delete the keys if necessary.

Use the Systems Manager Parameter Store to store the keys and then use the service API operations to delete the key if necessary.

An application uses Amazon Cognito to manage end users’ permissions when directly accessing AWS resources, including Amazon DynamoDB. A new feature request reads as follows:Provide a mechanism to mark customers as suspended pending investigation or suspended permanently. Customers should still be able to log in when suspended, but should not be able to make changes. The priorities are to reduce complexity and avoid potential for future security issues.Which approach will meet these requirements and priorities?

Move suspended customers to a second Cognito group and define an appropriate IAM access policy for the group.

Create a new database field “suspended_status” and modify the application logic to validate that field when processing requests.

Add suspended customers to second Cognito user pool and update the application login flow to check both user pools.

Use Amazon Cognito Sync to push out a “suspension_status” parameter and split the lAM policy into normal users and suspended users.

Move suspended customers to a second Cognito group and define an appropriate IAM access policy for the group.

A company stores data on an Amazon EBS volume attached to an Amazon EC2 instance. The data is asynchronously replicated to an Amazon S3 bucket. Both the EBS volume and the S3 bucket are encrypted with the same AWS KMSCustomer Master Key (CMK). A former employee scheduled a deletion of that CMK before leaving the company.The company’s Developer Operations department learns about this only after the CMK has been deleted.Which steps must be taken to address this situation?

Copy the data directly from the EBS encrypted volume before the volume is detached from the EC2 instance.

Recover the data from the EBS encrypted volume using an earlier version of the KMS backing key.

Make a request to AWS Support to recover the S3 encrypted data.

Make a request to AWS Support to restore the deleted CMK, and use it to recover the data.

An AWS Lambda function was misused to alter data, and a Security Engineer must identify who invoked the function and what output was produced. The Engineer cannot find any logs created by the Lambda function in Amazon CloudWatch Logs.Which of the following explains why the logs are not available?

The execution role for the Lambda function did not grant permissions to write log data to CloudWatch Logs.

The Lambda function was executed by using Amazon API Gateway, so the logs are not stored in CloudWatch Logs.

The execution role for the Lambda function did not grant permissions to write to the Amazon S3 bucket where CloudWatch Logs stores the logs.

The version of the Lambda function that was executed was not current.

A company has Windows Amazon EC2 instances in a VPC that are joined to on-premises Active Directory servers for domain services. The security team has enabled Amazon GuardDuty on the AWS account to alert on issues with the instances.During a weekly audit of network traffic, the Security Engineer notices that one of the EC2 instances is attempting to communicate with a known command-and-control server but failing. This alert does not show up in GuardDuty. Why did GuardDuty fail to alert to this behavior?

GuardDuty does not see these DNS requests.

GuardDuty did not have the appropriate alerts activated.

GuardDuty does not see these DNS requests.

GuardDuty only monitors active network traffic flow for command-and-control activity.

GuardDuty does not report on command-and-control activity.

The AWS Systems Manager Parameter Store is being used to store database passwords used by an AWS Lambda function. Because this is sensitive data, the parameters are stored as type SecureString and protected by an AWS KMS key that allows access through IAM. When the function executes, this parameter cannot be retrieved as the result of an access denied error. Which of the following actions will resolve the access denied error?

Add a policy to the role that the Lambda function uses, allowing kms: Decrypt for the KMS key.

Update the ssm.amazonaws.com principal in the KMS key policy to allow kms: Decrypt.

Update the Lambda configuration to launch the function in a VPC.

Add a policy to the role that the Lambda function uses, allowing kms: Decrypt for the KMS key.

Add lambda.amazonaws.com as a trusted entity on the IAM role that the Lambda function uses.

A company’s security policy requires that VPC Flow Logs are enabled on all VPCs. A Security Engineer is looking to automate the process of auditing the VPC resources for compliance. What combination of actions should the Engineer take? (Choose two.)

Create an AWS Lambda function that determines whether Flow Logs are enabled for a given VPC.

Create an AWS Config custom rule, and associate it with an AWS Lambda function that contains the evaluating logic.

Create an AWS Lambda function that determines whether Flow Logs are enabled for a given VPC.

Create an AWS Config configuration item for each VPC in the company AWS account.

Create an AWS Config managed rule with a resource type of AWS:: Lambda:: Function.

Create an Amazon CloudWatch Event rule that triggers on events emitted by AWS Config.

Create an AWS Config custom rule, and associate it with an AWS Lambda function that contains the evaluating logic.

An application makes calls to AWS services using the AWS SDK. The application runs on Amazon EC2 instances with an associated IAM role. When the application attempts to access an object within an Amazon S3 bucket; the Administrator receives the following error message: HTTP 403: Access Denied.Which combination of steps should the Administrator take to troubleshoot this issue? (Select three.)

Verify that the KMS key policy allows decrypt access for the KMS key for this IAM principle.

Check the S3 bucket policy for statements that deny access to objects.

Confirm that the IAM role associated with the EC2 instance has the proper privileges.

Confirm that the EC2 instance's security group authorizes S3 access.

Verify that the KMS key policy allows decrypt access for the KMS key for this IAM principle.

Check the S3 bucket policy for statements that deny access to objects.

Confirm that the EC2 instance is using the correct key pair.

Confirm that the IAM role associated with the EC2 instance has the proper privileges.

Confirm that the instance and the S3 bucket are in the same Region.

A Security Engineer must implement mutually authenticated TLS connections between containers that communicate inside a VPC. Which solution would be MOST secure and easy to maintain?

Use AWS Certificate Manager Private Certificate Authority (ACM PCA) to create a subordinate certificate authority, then use AWS Certificate Manager to generate the private certificates and deploy them to all the containers.

Use AWS Certificate Manager to generate certificates from a public certificate authority and deploy them to all the containers.

Create a self-signed certificate in one container and use AWS Secrets Manager to distribute the certificate to the other containers to establish trust.

Use AWS Certificate Manager Private Certificate Authority (ACM PCA) to create a subordinate certificate authority, then create the private keys in the containers and sign them using the ACM PCA API.

Use AWS Certificate Manager Private Certificate Authority (ACM PCA) to create a subordinate certificate authority, then use AWS Certificate Manager to generate the private certificates and deploy them to all the containers.

The Accounting department at Example Corp. has made a decision to hire a third-party firm, AnyCompany, to monitor Example Corp.'s AWS account to help optimize costs. The Security Engineer for Example Corp. has been tasked with providing AnyCompany with access to the required Example Corp. AWS resources. The Engineer has created an IAM role and granted permission to AnyCompany's AWS account to assume this role.When customers contact AnyCompany, they provide their role ARN for validation. The Engineer is concerned that one of AnyCompany's other customers might deduce Example Corp.'s role ARN and potentially compromise the company's account.What steps should the Engineer perform to prevent this outcome?

Request an external ID from AnyCompany and add a condition with sts:Externald to the role's trust policy.

Create an IAM user and generate a set of long-term credentials. Provide the credentials to AnyCompany. Monitor access in IAM access advisor and plan to rotate credentials on a recurring basis.

Request an external ID from AnyCompany and add a condition with sts:Externald to the role's trust policy.

Require two-factor authentication by adding a condition to the role's trust policy with aws:MultiFactorAuthPresent.

Request an IP range from AnyCompany and add a condition with aws:SourceIp to the role's trust policy.

A company maintains sensitive data in an Amazon S3 bucket that must be protected using an AWS KMS CMK. The company requires that keys be rotated automatically every year. How should the bucket be configured?

Select Amazon S3-AWS KMS managed encryption keys (S3-KMS) and select a customer-managed CMK with key rotation enabled.

Select server-side encryption with Amazon S3-managed keys (SSE-S3) and select an AWS-managed CMK.

Select Amazon S3-AWS KMS managed encryption keys (S3-KMS) and select a customer-managed CMK with key rotation enabled.

Select server-side encryption with Amazon S3-managed keys (SSE-S3) and select a customermanaged CMK that has imported key material.

Select server-side encryption with AWS KMS-managed keys (SSE-KMS) and select an alias to an AWS-managed CMK.

While analyzing a company's security solution, a Security Engineer wants to secure the AWS account root user. What should the Security Engineer do to provide the highest level of security for the account?

Create a new IAM user that has administrator permissions in the AWS account. Enable multifactor authentication for the AWS account root user.

Create a new IAM user that has administrator permissions in the AWS account. Delete the password for the AWS account root user.

Create a new IAM user that has administrator permissions in the AWS account. Modify the permissions for the existing IAM users.

Replace the access key for the AWS account root user. Delete the password for the AWS account root user.

Create a new IAM user that has administrator permissions in the AWS account. Enable multifactor authentication for the AWS account root user.

A Security Engineer is working with a Product team building a web application on AWS. The application uses Amazon S3 to host the static content, Amazon API Gateway to provide RESTful services; and Amazon DynamoDB as the backend data store. The users already exist in a directory that is exposed through a SAML identity provider.Which combination of the following actions should the Engineer take to enable users to be authenticated into the web application and call APIs? (Choose three.)

Configure a SAML identity provider in Amazon Cognito to map attributes to the Amazon Cognito user pool attributes.

Configure an Amazon Cognito identity pool to integrate with social login providers.

Update DynamoDB to store the user email addresses and passwords.

Create a custom authorization service using AWS Lambda.

Configure a SAML identity provider in Amazon Cognito to map attributes to the Amazon Cognito user pool attributes.

Configure the SAML identity provider to add the Amazon Cognito user pool as a relying party.

Configure an Amazon Cognito identity pool to integrate with social login providers.

Update DynamoDB to store the user email addresses and passwords.

Update API Gateway to use a COGNITO_USER_POOLS authorizer.

A Security Engineer is building a Java application that is running on Amazon EC2. The application communicates with an Amazon RDS instance and authenticates with a user name and password. Which combination of steps can the Engineer take to protect the credentials and minimize downtime when the credentials are rotated? (Choose two.)

Configure automatic rotation of credentials in AWS Secrets Manager.

Configure the Java application to catch a connection failure and make a call to AWS Secrets Manager to retrieve updated credentials when the password is rotated. Grant permission to the instance role associated with the EC2 instance to access Secrets Manager.

Have a Database Administrator encrypt the credentials and store the ciphertext in Amazon S3.Grant permission to the instance role associated with the EC2 instance to read the object and decrypt the ciphertext.

Configure a scheduled job that updates the credential in AWS Systems Manager Parameter Store and notifies the Engineer that the application needs to be restarted.

Configure automatic rotation of credentials in AWS Secrets Manager.

Store the credential in an encrypted string parameter in AWS Systems Manager Parameter Store.Grant permission to the instance role associated with the EC2 instance to access the parameter and the AWS KMS key that is used to encrypt it.

Configure the Java application to catch a connection failure and make a call to AWS Secrets Manager to retrieve updated credentials when the password is rotated. Grant permission to the instance role associated with the EC2 instance to access Secrets Manager.

A company plans to migrate a sensitive dataset to Amazon S3. A Security Engineer must ensure that the data is encrypted at rest. The encryption solution must enable the company to generate its own keys without needing to manage key storage or the encryption process.What should the Security Engineer use to accomplish this?

Server-side encryption with AWS KMS-managed keys (SSE-KMS)

Server-side encryption with Amazon S3-managed keys (SSE-S3)

Server-side encryption with AWS KMS-managed keys (SSE-KMS)

Server-side encryption with customer-provided keys (SSE-C)

Client-side encryption with an AWS KMS-managed CMK

A Security Engineer is defining the logging solution for a newly developed product. Systems Administrators and Developers need to have appropriate access to event log files in AWS CloudTrail to support and troubleshoot the product. Which combination of controls should be used to protect against tampering with and unauthorized access to log files? (Choose two.)

Ensure that the log file integrity validation mechanism is enabled.

Ensure that Systems Administrators and Developers with job-related need-to-know requirements only are capable of viewing—but not modifying—the log files.

Ensure that the log file integrity validation mechanism is enabled.

Ensure that all log files are written to at least two separate Amazon S3 buckets in the same account.

Ensure that Systems Administrators and Developers can edit log files, but prevent any other access.

Ensure that Systems Administrators and Developers with job-related need-to-know requirements only are capable of viewing—but not modifying—the log files.

Ensure that all log files are stored on Amazon EC2 instances that allow SSH access from the internal corporate network only.

A company has a few dozen application servers in private subnets behind an Elastic Load Balancer(ELB) in an AWS Auto Scaling group. The application is accessed from the web over HTTPS. The datamust always be encrypted in transit. The Security Engineer is worried about potential key exposuredue to vulnerabilities in the application software.Which approach will meet these requirements while protecting the external certificate during a breach?

Generate an internal self-signed certificate and apply it to the instances. Use AWS Certificate Manager to generate a new external certificate for the ELB. Have the ELB decrypt traffic, and route and re-encrypt with the internal certificate.

Use a Network Load Balancer (NLB) to pass through traffic on port 443 from the internet to port 443 on the instances.

Purchase an external certificate, and upload it to the AWS Certificate Manager (for use with the ELB) and to the instances. Have the ELB decrypt traffic, and route and re-encrypt with the same certificate.

Generate an internal self-signed certificate and apply it to the instances. Use AWS Certificate Manager to generate a new external certificate for the ELB. Have the ELB decrypt traffic, and route and re-encrypt with the internal certificate.

Upload a new external certificate to the load balancer. Have the ELB decrypt the traffic and forward it on port 80 to the instances.

A Security Engineer is working with the development team to design a supply chain application that stores sensitive inventory data in an Amazon S3 bucket. The application will use an AWS KMS customer master key (CMK) to encrypt the data on Amazon S3. The inventory data on Amazon S3 will be shared of vendors. All vendors will use AWS principals from their own AWS accounts to access the data on Amazon S3. The vendor list may change weekly, and the solution must support cross-account access.What is the MOST efficient way to manage access control for the KMS CMK7?

Use KMS grants to manage key access. Programmatically create and revoke grants to manage vendor access.

Use an IAM role to manage key access. Programmatically update the IAM role policies to manage vendor access.

Use KMS key policies to manage key access. Programmatically update the KMS key policies to manage vendor access.

Use delegated access across AWS accounts by using IAM roles to manage key access.Programmatically update the IAM trust policy to manage cross-account vendor access.

A corporate cloud security policy states that communications between the company's VPC and KMS must travel entirely within the AWS network and not use public service endpoints. Which combination of the following actions MOST satisfies this requirement? (Choose two.)

Add the aws:sourceVpce condition to the AWS KMS key policy referencing the company's VPC endpoint ID.

Create a VPC endpoint for AWS KMS with private DNS enabled.

Add the aws:sourceVpce condition to the AWS KMS key policy referencing the company's VPC endpoint ID.

Remove the VPC internet gateway from the VPC and add a virtual private gateway to the VPC to prevent direct, public internet connectivity.

Create a VPC endpoint for AWS KMS with private DNS enabled.

Use the KMS Import Key feature to securely transfer the AWS KMS key over a VPN.

Add the following condition to the AWS KMS key policy: "aws:SourceIp": "10.0.0.0/16".

A company uses user data scripts that contain sensitive information to bootstrap Amazon EC2 instances. A Security Engineer discovers that this sensitive information is viewable by people who should not have access to it. What is the MOST secure way to protect the sensitive information used to bootstrap the instances?

Store the sensitive data in AWS Systems Manager Parameter Store using the encrypted string parameter and assign the GetParameters permission to the EC2 instance role.

Store the scripts in the AMI and encrypt the sensitive data using AWS KMS Use the instance role profile to control access to the KMS keys needed to decrypt the data.

Store the sensitive data in AWS Systems Manager Parameter Store using the encrypted string parameter and assign the GetParameters permission to the EC2 instance role.

Externalize the bootstrap scripts in Amazon S3 and encrypt them using AWS KMS. Remove the scripts from the instance and clear the logs after the instance is configured.

Block user access of the EC2 instance's metadata service using IAM policies. Remove all scripts and clear the logs after execution.

An Amazon EC2 instance is denied access to a newly created AWS KMS CMK used for decrypt actions.The environment has the following configuration:The instance is allowed the kms:Decrypt action in its IAM role for all resources The AWS KMS CMK status is set to enabled The instance can communicate with the KMS API using a configured VPC endpoint What is causing the issue?

The KMS CMK key policy that enables IAM user permissions is missing

The kms:GenerateDataKey permission is missing from the EC2 instance’s IAM role

The ARN tag on the CMK contains the EC2 instance’s ID instead of the instance’s ARN

The kms:Encrypt permission is missing from the EC2 IAM role

The KMS CMK key policy that enables IAM user permissions is missing

A company has enabled Amazon GuardDuty in all Regions as part of its security monitoring strategy.In one of the VPCs, the company hosts an Amazon EC2 instance working as an FTP server that is contacted by a high number of clients from multiple locations. This is identified by GuardDuty as a brute force attack due to the high number of connections that happen every hour.The finding has been flagged as a false positive. However, GuardDuty keeps raising the issue. A Security Engineer has been asked to improve the signal-to-noise ratio. The Engineer needs to ensure that changes do not compromise the visibility of potential anomalous behavior.How can the Security Engineer address the issue?

Add the FTP server to a trusted IP list and deploy it to GuardDuty to stop receiving the notifications

Disable the FTP rule in GuardDuty in the Region where the FTP server is deployed

Add the FTP server to a trusted IP list and deploy it to GuardDuty to stop receiving the notifications

Use GuardDuty filters with auto archiving enabled to close the findings

Create an AWS Lambda function that closes the finding whenever a new occurrence is reported

What are the MOST secure ways to protect the AWS account root user of a recently opened AWS account? (Choose two.)

Enable multi-factor authentication for the AWS account root user

Do not create access keys for the AWS account root user; instead, create AWS IAM users

Use the AWS account root user access keys instead of the AWS Management Console

Enable multi-factor authentication for the AWS IAM users with the AdministratorAccess managed policy attached to them

Enable multi-factor authentication for the AWS account root user

Use AWS KMS to encrypt all AWS account root user and AWS IAM access keys and set automatic rotation to 30 days

Do not create access keys for the AWS account root user; instead, create AWS IAM users

A company hosts a popular web application that connects to an Amazon RDS MySQL DB instance running in a private VPC subnet that was created with default ACL settings. The IT Security department has a suspicion that a DDos attack is coming from a suspecting IP. How can you protect the subnets from this attack?Please select:

Change the Inbound NACL to deny access from the suspecting IP

Change the Inbound Security Groups to deny access from the suspecting IP

Change the Outbound Security Groups to deny access from the suspecting IP

Change the Inbound NACL to deny access from the suspecting IP

Change the Outbound NACL to deny access from the suspecting IP

You are hosting a web site via website hosting on an S3 bucket - http://demo.s3-website-us-east-l.amazonaws.com. You have some web pages that use Javascript that access resources in anotherbucket which has web site hosting also enabled. But when users access the web pages , they aregetting a blocked Javascript error. How can you rectify this? Please select:

Enable versioning for the bucket

Your company has a requirement to monitor all root user activity by notification. How can this best be achieved? Choose 2 answers from the options given below. Each answer forms part of the solution Please select:

Create a Cloudwatch Events Rule s

A company wants to have a secure way of generating, storing and managing cryptographic exclusive access for the keys. Which of the following can be used for this purpose?Please select:

Use KMS and the normal KMS encryption keys

Use KMS and use an external key material

Amazon SCS-C01 Practice Test 6 - Free Online Exam Prep & Questions

A company has two AWS accounts, each containing one VPC. The first VPC has a VPN connection with its corporate network. The second VPC, without a VPN, hosts an Amazon Aurora database cluster in private subnets. Developers manage the Aurora database from a bastion host in a public subnet as shown in the image.

Amazon SCS-C01 image Question 201 7319 09162024005923000000

A security review has flagged this architecture as vulnerable, and a Security Engineer has been asked to make this design more secure. The company has a short deadline and a second VPN connection to the Aurora account is not possible. How can a Security Engineer securely set up the bastion host?

Become a Premium Member for full access

Unlock Premium Member

Amazon SCS-C01 Practice Test 6

Question

Amazon SCS-C01 Practice Tests

Practice Tests