AWS Certified Security - Specialty
Questions 91-100 of 434
Question#91

A company's architecture requires that its three Amazon EC2 instances run behind an Application Load Balancer (ALB). The EC2 instances transmit sensitive data between each other. Developers use SSL certificates to encrypt the traffic between the public users and the ALB. However, the Developers are unsure of how to encrypt the data in transit between the ALB and the EC2 instances and the traffic between the EC2 instances.
Which combination of activities must the company implement to meet its encryption requirements? (Choose two.)

  • A. Configure SSL/TLS on the EC2 instances and configure the ALB target group to use HTTPS.
  • B. Ensure that all resources are in the same VPC so the default encryption provided by the VPC is used to encrypt the traffic between the EC2 instances.
  • C. In the ALB, select the default encryption to encrypt the traffic between the ALB and the EC2 instances.
  • D. In the code for the application, include a cryptography library and encrypt the data before sending it between the EC2 instances.
  • E. Configure AWS Direct Connect to provide an encrypted tunnel between the EC2 instances.
Answer: AD
The ALB-to-instance leg is encrypted by terminating TLS on the instances and pointing the target group at HTTPS (A); traffic between the instances themselves must be encrypted by the application (D). There is no "default encryption" setting on a VPC or an ALB, and Direct Connect links an on-premises network to AWS rather than one instance to another, so B, C and E are wrong.

Question#92

A Security Engineer has launched multiple Amazon EC2 instances from a private AMI using an AWS CloudFormation template. The Engineer notices instances terminating right after they are launched.
What could be causing these terminations?

  • A. The IAM user launching those instances is missing ec2:RunInstances permissions
  • B. The AMI used was encrypted and the IAM user does not have the required AWS KMS permissions
  • C. The instance profile used with the EC2 instances is unable to query instance metadata
  • D. AWS currently does not have sufficient capacity in the Region
Answer: B
An instance whose root volume comes from an encrypted AMI terminates immediately after launch (Client.InternalError) when the launching principal cannot use the KMS key that protects the snapshot. A missing ec2:RunInstances permission or insufficient capacity fails the RunInstances call itself rather than terminating a running instance, and instance metadata access does not affect launch.
Reference:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/troubleshooting-launch.html

Question#93

Authorized Administrators are unable to connect to an Amazon EC2 Linux bastion host using SSH over the Internet. The connection either fails to respond or generates the following error message:
Network error: Connection timed out.
What could be responsible for the connection failure? (Choose three.)

  • A. The NAT gateway in the subnet where the EC2 instance is deployed has been misconfigured.
  • B. The internet gateway of the VPC has been misconfigured.
  • C. The security group denies outbound traffic on ephemeral ports.
  • D. The route table is missing a route to the internet gateway.
  • E. The NACL denies outbound traffic on ephemeral ports.
  • F. The host-based firewall is denying SSH traffic.
Answer: BDF
Inbound SSH from the Internet to a bastion in a public subnet needs a working internet gateway (B), a route to it in the subnet's route table (D), and a host firewall that accepts port 22 (F). A NAT gateway is not on the inbound path, and security groups are stateful, so their outbound rules never affect replies. E would also produce this symptom because NACLs are stateless; the key accepted for the exam is nevertheless B, D and F.
Reference:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/TroubleshootingInstancesConnecting.html

Question#94

After multiple compromises of its Amazon EC2 instances, a company's Security Officer is mandating that memory dumps of compromised instances be captured for further analysis. A Security Engineer just received an EC2 abuse notification report from AWS stating that an EC2 instance running the most recent Windows Server 2019 Base AMI is compromised.
How should the Security Engineer collect a memory dump of the EC2 instance for forensic analysis?

  • A. Give consent to the AWS Security team to dump the memory core on the compromised instance and provide it to AWS Support for analysis.
  • B. Review memory dump data that the AWS Systems Manager Agent sent to Amazon CloudWatch Logs.
  • C. Download and run the EC2Rescue for Windows Server utility from AWS.
  • D. Reboot the EC2 Windows Server, enter safe mode, and select memory dump.
Answer: C
EC2Rescue for Windows Server can capture a memory dump from the running instance, together with system logs, for offline analysis. The SSM Agent does not send memory dumps to CloudWatch Logs, AWS Support does not dump customer instance memory on request, and rebooting into safe mode destroys the volatile evidence the investigation needs.
Reference:
https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/Windows-Server-EC2Rescue.html

Question#95

A company's Information Security team wants to analyze Amazon EC2 performance and utilization data in near-real time for anomalies. A Security Engineer is responsible for log aggregation. The Engineer must collect logs from all of the company's AWS accounts in a centralized location to perform the analysis.
How should the Security Engineer do this?

  • A. Log in to each account four times a day and filter the AWS CloudTrail log data, then copy and paste the logs in to the Amazon S3 bucket in the destination account.
  • B. Set up Amazon CloudWatch to stream data to an Amazon S3 bucket in each source account. Set up bucket replication for each source account into a centralized bucket owned by the Security Engineer.
  • C. Set up an AWS Config aggregator to collect AWS configuration data from multiple sources.
  • D. Set up Amazon CloudWatch cross-account log data sharing with subscriptions in each account. Send the logs to Amazon Kinesis Data Firehose in the Security Engineer's account.
Answer: D
CloudWatch Logs cross-account subscriptions in each source account, delivered to a Kinesis Data Firehose stream in the central account, give near-real-time aggregation of the performance and utilization logs. An AWS Config aggregator collects resource configuration data, not performance logs; CloudTrail records API calls, not utilization; and replicating S3 buckets adds delay.
Reference:
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CrossAccountSubscriptions.html

Question#96

Two Amazon EC2 instances in different subnets should be able to connect to each other but cannot. It has been confirmed that other hosts in the same subnets are able to communicate successfully, and that security groups have valid ALLOW rules in place to permit this traffic.
Which of the following troubleshooting steps should be performed?

  • A. Check inbound and outbound security groups, looking for DENY rules
  • B. Check inbound and outbound Network ACL rules, looking for DENY rules
  • C. Review the rejected packet reason codes in the VPC Flow Logs
  • D. Use AWS X-Ray to trace the end-to-end application flow
Answer: B
Security groups have no DENY rules and are stateful, so option A cannot find anything. Network ACLs are stateless, support explicit DENY rules and are evaluated per subnet, so a NACL in either subnet (including a missing ephemeral-port rule for return traffic) is the next thing to check. VPC Flow Logs record ACCEPT or REJECT but carry no reason code, and X-Ray traces application requests, not network paths.
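
Worked example (added here, not part of the exam page): VPC Flow Logs carry no rejected-packet reason code, but the ACCEPT/REJECT pattern per direction still tells you which layer to look at, because security groups are stateful and NACLs are not. The parser assumes the default version-2 record format; the account id, ENI ids, addresses and log lines are constructed.

```python
"""Triage VPC Flow Log records for a pair of instances that cannot talk.

Added example (not from the exam page). Assumes the default version-2 flow
log format. Account id, ENI ids, addresses and the log lines are constructed.
"""
from collections import Counter
from dataclasses import dataclass

# Default flow log record layout (version 2).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    action: str  # ACCEPT or REJECT; flow logs carry no reason code


def parse_flow_log(text):
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] != "2":
            continue  # blank line, header, or a custom format
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # NODATA / SKIPDATA records have '-' in the address fields
        records.append(FlowRecord(
            rec["interface_id"], rec["srcaddr"], rec["dstaddr"],
            int(rec["srcport"]), int(rec["dstport"]), int(rec["protocol"]),
            rec["action"]))
    return records


def triage_pair(records, a, b, service_port):
    """Count ACCEPT/REJECT per direction for a -> b:service_port.

    'forward' = a's request to the service port, 'return' = b's reply from it.
    """
    counts = Counter()
    for r in records:
        if {r.srcaddr, r.dstaddr} != {a, b}:
            continue
        if r.srcaddr == a and r.dstport == service_port:
            direction = "forward"
        elif r.srcaddr == b and r.srcport == service_port:
            direction = "return"
        else:
            continue
        counts[(direction, r.action)] += 1
    return counts


def diagnose(counts):
    """Map the pattern to the layer to check next. An accepted request with a
    rejected reply can only come from a stateless NACL, never a security group."""
    if counts[("forward", "REJECT")]:
        return "request rejected: check the NACL inbound rule on the destination subnet and outbound on the source subnet"
    if counts[("forward", "ACCEPT")] and counts[("return", "REJECT")]:
        return "reply rejected: a stateless NACL is missing an ephemeral-port rule"
    if counts[("forward", "ACCEPT")] and counts[("return", "ACCEPT")]:
        return "VPC layer passes both directions: check the host firewall or the application"
    return "no matching records: confirm the flow log covers both ENIs"


# Constructed sample: 10.0.1.10 (eni-0aaaa) connects to 10.0.2.20:443 (eni-0bbbb).
SAMPLE_LOG = """\
2 123456789012 eni-0aaaa 10.0.1.10 10.0.2.20 49152 443 6 3 180 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0bbbb 10.0.1.10 10.0.2.20 49152 443 6 3 180 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0bbbb 10.0.2.20 10.0.1.10 443 49152 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0cccc 10.0.1.55 10.0.2.20 50000 443 6 10 900 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0bbbb - - - - - - - 1700000000 1700000060 - NODATA
"""

if __name__ == "__main__":
    result = triage_pair(parse_flow_log(SAMPLE_LOG), "10.0.1.10", "10.0.2.20", 443)
    print(dict(result))
    print(diagnose(result))
```

Run against the constructed sample, the request is accepted on both ENIs and the reply from port 443 is rejected on the destination ENI, which is exactly the signature of a NACL on the destination subnet that lacks an outbound ephemeral-port rule.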

Question#97

A Security Engineer creates an Amazon S3 bucket policy that denies access to all users. A few days later, the Security Engineer adds an additional statement to the bucket policy to allow read-only access to one other employee. Even after updating the policy, the employee still receives an access denied message.
What is the likely cause of this access denial?

  • A. The ACL in the bucket needs to be updated
  • B. The IAM policy does not allow the user to access the bucket
  • C. It takes a few minutes for a bucket policy to take effect
  • D. The allow permission is being overridden by the deny
Answer: D
An explicit Deny always wins over an Allow, whatever the order of the statements, so the bucket-wide Deny still blocks the employee; the Deny has to be narrowed (for example with NotPrincipal or a Condition) rather than out-voted by an Allow. Bucket policy changes take effect almost immediately, so C is not the cause.
Reference:
https://aws.amazon.com/premiumsupport/knowledge-center/s3-access-denied-bucket-policy/
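
To see why the added Allow changes nothing, here is a reduced model of the evaluation logic (an added example, not AWS code and not part of the exam page): an explicit Deny that matches the request is final regardless of statement order. The account id, user name and bucket name are constructed, and the evaluator handles only Principal/NotPrincipal, Action and Resource (no Conditions, no identity policies).

```python
"""Why an Allow added after a bucket-wide Deny still denies.

Added example, not from the exam page: a deliberately reduced model of
policy evaluation (explicit Deny beats Allow, which beats the implicit deny)
that handles only Principal/NotPrincipal, Action and Resource. Account id,
user name and bucket name are constructed.
"""
import fnmatch

ACCOUNT = "123456789012"
ANALYST = f"arn:aws:iam::{ACCOUNT}:user/analyst"
BUCKET = "arn:aws:s3:::audit-evidence"


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _match_any(patterns, value):
    # IAM wildcards '*' and '?'; fnmatchcase keeps the comparison case-sensitive.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principals(spec):
    """'*' (or {'AWS': '*'}) means everyone; otherwise a list of IAM ARNs."""
    return ["*"] if spec == "*" else _as_list(spec.get("AWS", []))


def statement_applies(stmt, principal, action, resource):
    if "Principal" in stmt and not _match_any(_principals(stmt["Principal"]), principal):
        return False
    if "NotPrincipal" in stmt and _match_any(_principals(stmt["NotPrincipal"]), principal):
        return False
    return _match_any(stmt["Action"], action) and _match_any(stmt["Resource"], resource)


def evaluate(policy, principal, action, resource):
    """'Deny' if any Deny statement matches, else 'Allow' if any Allow matches,
    else 'ImplicitDeny'. Statement order never matters."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not statement_applies(stmt, principal, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny is final
        decision = "Allow"
    return decision


READ_ONLY = ["s3:GetObject", "s3:ListBucket"]
BUCKET_AND_OBJECTS = [BUCKET, BUCKET + "/*"]

# The policy from the question: deny everyone, then bolt on an Allow for one user.
BROKEN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": BUCKET_AND_OBJECTS},
    {"Effect": "Allow", "Principal": {"AWS": ANALYST}, "Action": READ_ONLY,
     "Resource": BUCKET_AND_OBJECTS},
]}

# Fixed: carve the analyst (and the account root, which AWS recommends listing
# next to any user in NotPrincipal) out of the Deny instead of trying to
# out-vote it with an Allow.
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny",
     "NotPrincipal": {"AWS": [ANALYST, f"arn:aws:iam::{ACCOUNT}:root"]},
     "Action": "s3:*", "Resource": BUCKET_AND_OBJECTS},
    {"Effect": "Allow", "Principal": {"AWS": ANALYST}, "Action": READ_ONLY,
     "Resource": BUCKET_AND_OBJECTS},
]}

if __name__ == "__main__":
    obj = BUCKET + "/2024/report.csv"
    intern = f"arn:aws:iam::{ACCOUNT}:user/intern"
    for name, policy in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        print(name, "analyst GetObject:", evaluate(policy, ANALYST, "s3:GetObject", obj))
        print(name, "analyst PutObject:", evaluate(policy, ANALYST, "s3:PutObject", obj))
        print(name, "intern GetObject:", evaluate(policy, intern, "s3:GetObject", obj))
```

For an IAM user in the same account as the bucket, the Allow in the bucket policy is sufficient on its own; a principal from another account would additionally need an identity policy that allows s3:GetObject.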

Question#98

A company plans to use custom AMIs to launch Amazon EC2 instances across multiple AWS accounts in a single Region to perform security monitoring and analytics tasks. The EC2 instances are launched in EC2 Auto Scaling groups. To increase the security of the solution, a Security Engineer will manage the lifecycle of the custom AMIs in a centralized account and will encrypt them with a centrally managed AWS KMS CMK. The Security Engineer configured the KMS key policy to allow cross-account access. However, the EC2 instances are still not being properly launched by the EC2 Auto Scaling groups.
Which combination of configuration steps should the Security Engineer take to ensure the EC2 Auto Scaling groups have been granted the proper permissions to execute tasks?

  • A. Create a customer-managed CMK in the centralized account. Allow other applicable accounts to use that key for cryptographical operations by applying proper cross-account permissions in the key policy. Create an IAM role in all applicable accounts and configure its access policy to allow the use of the centrally managed CMK for cryptographical operations. Configure EC2 Auto Scaling groups within each applicable account to use the created IAM role to launch EC2 instances.
  • B. Create a customer-managed CMK in the centralized account. Allow other applicable accounts to use that key for cryptographical operations by applying proper cross-account permissions in the key policy. Create an IAM role in all applicable accounts and configure its access policy with permissions to create grants for the centrally managed CMK. Use this IAM role to create a grant for the centrally managed CMK with permissions to perform cryptographical operations and with the EC2 Auto Scaling service-linked role defined as the grantee principal.
  • C. Create a customer-managed CMK or an AWS managed CMK in the centralized account. Allow other applicable accounts to use that key for cryptographical operations by applying proper cross-account permissions in the key policy. Use the CMK administrator to create a CMK grant that includes permissions to perform cryptographical operations that define EC2 Auto Scaling service-linked roles from all other accounts as the grantee principal.
  • D. Create a customer-managed CMK or an AWS managed CMK in the centralized account. Allow other applicable accounts to use that key for cryptographical operations by applying proper cross-account permissions in the key policy. Modify the access policy for the EC2 Auto Scaling roles to perform cryptographical operations against the centrally managed CMK.
Answer: B
EC2 Auto Scaling launches instances through its service-linked role, and that role must be able to use the key that protects the AMI's encrypted snapshots. The key policy in the central account allows the external account; a principal in that account then creates a grant on the key with its AWSServiceRoleForAutoScaling as the grantee principal. Editing the Auto Scaling role's IAM policy (D) cannot confer permissions on a key owned by another account, and AWS managed keys cannot be used across accounts at all.
Reference:
https://docs.aws.amazon.com/autoscaling/ec2/userguide/key-policy-requirements-EBS-encryption.html
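
The two configuration pieces a cross-account Auto Scaling launch needs, as an added example (not the exam page's or AWS's own code): the key policy statements in the key-owning account and the grant created for the workload account's service-linked role. The account ids, key ARN and grant name are constructed; the live call at the bottom needs boto3 and credentials for the workload account.

```python
"""Let another account's Auto Scaling group use a centrally managed KMS key.

Added example, not from the exam page or AWS's own code. Account ids and the
key ARN are constructed. Two pieces are needed: key policy statements in the
key's account that let the workload account use the key and manage grants on
it, and a grant whose grantee is the workload account's Auto Scaling
service-linked role (the principal that decrypts the AMI's volume at launch).
"""
KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/1234abcd-12ab-34cd-56ef-1234567890ab"
WORKLOAD_ACCOUNT = "222222222222"

# Operations Auto Scaling needs on a key that protects encrypted snapshots/volumes.
GRANT_OPERATIONS = ["Encrypt", "Decrypt", "ReEncryptFrom", "ReEncryptTo",
                    "GenerateDataKey", "GenerateDataKeyWithoutPlaintext",
                    "DescribeKey", "CreateGrant"]


def autoscaling_slr_arn(account_id):
    """Service-linked role that EC2 Auto Scaling assumes in the given account."""
    return (f"arn:aws:iam::{account_id}:role/aws-service-role/"
            "autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling")


def key_policy_statements(external_account_id):
    """Statements to add to the key policy in the key-owning account.

    Allowing the external account's root delegates to that account; which of
    its principals may actually use the key is then decided by IAM policies
    and grants inside that account.
    """
    root = f"arn:aws:iam::{external_account_id}:root"
    return [
        {"Sid": "AllowUseOfTheKey", "Effect": "Allow",
         "Principal": {"AWS": root},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
        # No kms:GrantIsForAWSResource condition here: that condition is only
        # true when an AWS service calls CreateGrant on the caller's behalf, so
        # it would block the manual CreateGrant made by an IAM principal below.
        {"Sid": "AllowAttachmentOfPersistentResources", "Effect": "Allow",
         "Principal": {"AWS": root},
         "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
         "Resource": "*"},
    ]


def grant_params(key_arn, workload_account_id):
    return {"KeyId": key_arn,
            "GranteePrincipal": autoscaling_slr_arn(workload_account_id),
            "Operations": list(GRANT_OPERATIONS),
            "Name": "autoscaling-encrypted-volumes"}  # constructed friendly name


def create_autoscaling_grant(kms_client, key_arn, workload_account_id):
    """Create the grant and return its id. AWS's Auto Scaling guide runs this
    from the workload account; a key administrator in the key account could
    create the same grant, naming the other account's role as grantee."""
    response = kms_client.create_grant(**grant_params(key_arn, workload_account_id))
    return response["GrantId"]


if __name__ == "__main__":
    import json
    import boto3  # only needed for the live call
    print(json.dumps(key_policy_statements(WORKLOAD_ACCOUNT), indent=2))
    kms = boto3.client("kms", region_name="us-east-1")
    print("grant id:", create_autoscaling_grant(kms, KEY_ARN, WORKLOAD_ACCOUNT))
```

The grant is what distinguishes this from simply editing an IAM policy in the workload account: IAM policies there can only restrict what the key policy already allows, while the grant delegates key use to the service-linked role that Auto Scaling actually launches with.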

Question#99

An organization wants to log all AWS API calls made within all of its AWS accounts, and must have a central place to analyze these logs.
What steps should be taken to meet these requirements in the MOST secure manner? (Choose two.)

  • A. Turn on AWS CloudTrail in each AWS account.
  • B. Turn on CloudTrail in only the account that will be storing the logs.
  • C. Update the bucket ACL of the bucket in the account that will be storing the logs so that other accounts can log to it.
  • D. Create a service-based role for CloudTrail and associate it with CloudTrail in each account.
  • E. Update the bucket policy of the bucket in the account that will be storing the logs so that other accounts can log to it.
Answer: AE
CloudTrail has to be turned on in every account to capture that account's API calls, and the central bucket's policy must allow the cloudtrail.amazonaws.com service principal to write each source account's logs (scoped to the account-specific prefix and, ideally, the trail ARN via aws:SourceArn). A bucket ACL is the legacy mechanism and cannot be scoped by condition, and CloudTrail writes to S3 as a service principal, not through a customer-created role.

Question#100

A company uses HTTP Live Streaming (HLS) to stream live video content to paying subscribers by using Amazon CloudFront. HLS splits the video content into chunks so that the user can request the right chunk based on different conditions. Because the video events last for several hours, the total video is made up of thousands of chunks.
The origin URL is not disclosed, and every user is forced to access the CloudFront URL. The company has a web application that authenticates the paying users against an internal repository and a CloudFront key pair that is already issued.
What is the simplest and MOST effective way to protect the content?

  • A. Develop the application to use the CloudFront key pair to create signed URLs that users will use to access the content.
  • B. Develop the application to use the CloudFront key pair to set the signed cookies that users will use to access the content.
  • C. Develop the application to issue a security token that Lambda@Edge will receive to authenticate and authorize access to the content.
  • D. Keep the CloudFront URL encrypted inside the application, and use AWS KMS to resolve the URL on-the-fly after the user is authenticated.
Answer: B
With thousands of chunks, one set of signed cookies carrying a custom policy with a wildcard Resource (for example /live/*) authorizes every chunk for the session, whereas signed URLs would require the player to obtain a freshly signed URL for each chunk. Lambda@Edge token checks add custom code for something CloudFront already provides, and encrypting the CloudFront URL does not restrict access to the content once the URL is known.
Reference:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-urls.html
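
Added example (not from the exam page or the AWS SDK) of the signed-cookie approach: the custom policy is written once with a wildcard Resource, signed with the CloudFront key pair's private key, and delivered as three cookies that the player sends with every chunk request. The distribution domain (an alternate domain name under example.com), key pair id, path, expiry and client range are constructed; the RSA helper assumes the cryptography package.

```python
"""Signed cookies for an HLS distribution: one policy covers every chunk.

Added example, not from the exam page or the AWS SDK. Distribution domain,
key pair id, path, expiry and client range are constructed. The wire-format
rules (compact JSON policy, CloudFront's base64 variant, RSA-SHA1 over the
policy bytes, the three cookie names) follow the CloudFront private-content
documentation; the RSA helper needs the 'cryptography' package.
"""
import base64
import json

_ENCODE = str.maketrans("+=/", "-_~")
_DECODE = str.maketrans("-_~", "+=/")


def cloudfront_b64(data):
    """CloudFront's URL-safe base64: '+' -> '-', '=' -> '_', '/' -> '~'."""
    return base64.b64encode(data).decode("ascii").translate(_ENCODE)


def cloudfront_b64_decode(text):
    """Inverse; useful when inspecting a captured cookie or URL."""
    return base64.b64decode(text.translate(_DECODE))


def custom_policy(resource, expires_epoch, source_ip=None):
    """Custom policy: a wildcard Resource lets one policy cover all chunks."""
    condition = {"DateLessThan": {"AWS:EpochTime": expires_epoch}}
    if source_ip:
        condition["IpAddress"] = {"AWS:SourceIp": source_ip}
    policy = {"Statement": [{"Resource": resource, "Condition": condition}]}
    # CloudFront requires the policy with no whitespace; sign exactly these bytes.
    return json.dumps(policy, separators=(",", ":"))


def rsa_sha1_signer(private_key_pem):
    """Return sign(message) -> bytes using the CloudFront key pair's private key.
    CloudFront verifies RSA PKCS#1 v1.5 over SHA-1 for signed URLs and cookies."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda message: key.sign(message, padding.PKCS1v15(), hashes.SHA1())


def signed_cookie_values(policy, key_pair_id, sign):
    policy_bytes = policy.encode("utf-8")
    return {
        "CloudFront-Policy": cloudfront_b64(policy_bytes),
        "CloudFront-Signature": cloudfront_b64(sign(policy_bytes)),
        "CloudFront-Key-Pair-Id": key_pair_id,
    }


def set_cookie_headers(values, domain, path="/"):
    """Secure + HttpOnly: the cookies are bearer credentials for the stream."""
    return [f"{name}={value}; Domain={domain}; Path={path}; Secure; HttpOnly"
            for name, value in values.items()]


if __name__ == "__main__":
    import time
    from cryptography.hazmat.primitives import serialization
    from cryptography.hazmat.primitives.asymmetric import rsa
    # Throwaway key for the demo; in production load the CloudFront key pair's
    # private key from a secret store.
    pem = rsa.generate_private_key(public_exponent=65537, key_size=2048).private_bytes(
        serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption())
    policy = custom_policy("https://video.example.com/live/*",
                           int(time.time()) + 4 * 3600, "203.0.113.0/24")
    cookies = signed_cookie_values(policy, "K2JCJMDEHXQW5F", rsa_sha1_signer(pem))
    for header in set_cookie_headers(cookies, "example.com"):
        print("Set-Cookie:", header)
```

The application that authenticates subscribers sets these cookies, so it must share a parent domain with the distribution (here example.com, with the distribution reachable as video.example.com); a browser will not accept cookies set by app.example.com for a raw *.cloudfront.net hostname. The expiry in the policy bounds how long a leaked cookie set is useful.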
