AWS Certified Security - Specialty
Page 22 out of 44 pages Questions 211-220 out of 434 questions
Question#211

A company stores images for a website in an Amazon S3 bucket. The company is using Amazon CloudFront to serve the images to the end users. The company recently discovered that the images are being accessed from countries where the company does not have a distribution license.
Which actions should the company take to secure the images to limit their distribution? (Choose two.)

  • A. Update the S3 bucket policy to restrict access to a CloudFront origin access identity (OAI).
  • B. Update the website DNS record to use an Amazon Route 53 geolocation record deny list of countries where the company lacks a license.
  • C. Add a CloudFront geo restriction deny list of countries where the company lacks a license.
  • D. Update the S3 bucket policy with a deny list of countries where the company lacks a license.
  • E. Enable the Restrict Viewer Access option in CloudFront to create a deny list of countries where the company lacks a license.
Answer: AC
A CloudFront geo restriction deny list (C) blocks viewers in the listed countries, and a bucket policy that grants access only to the distribution's origin access identity (A) stops viewers from bypassing CloudFront by fetching the objects directly from S3. Route 53 geolocation routing (B) only steers DNS answers and is trivially bypassed, an S3 bucket policy has no country condition (D), and the CloudFront Restrict Viewer Access setting (E) turns on signed URLs and signed cookies, not geographic blocking.

Question#212

An audit determined that a company's Amazon EC2 instance security group violated company policy by allowing unrestricted incoming SSH traffic. A security engineer must implement a near-real-time monitoring and alerting solution that will notify administrators of such violations.
Which solution meets these requirements with the MOST operational efficiency?

  • A. Create a recurring Amazon Inspector assessment run that runs every day and uses the Network Reachability package. Create an Amazon CloudWatch rule that invokes an AWS Lambda function when an assessment run starts. Configure the Lambda function to retrieve and evaluate the assessment run report when it completes. Configure the Lambda function also to publish an Amazon Simple Notification Service (Amazon SNS) notification if there are any violations for unrestricted incoming SSH traffic.
  • B. Use the restricted-ssh AWS Config managed rule that is invoked by security group configuration changes that are not compliant. Use the AWS Config remediation feature to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic.
  • C. Configure VPC Flow Logs for the VPC, and specify an Amazon CloudWatch Logs group. Subscribe the CloudWatch Logs group to an AWS Lambda function that parses new log entries, detects successful connections on port 22, and publishes a notification through Amazon Simple Notification Service (Amazon SNS).
  • D. Create a recurring Amazon Inspector assessment run that runs every day and uses the Security Best Practices package. Create an Amazon CloudWatch rule that invokes an AWS Lambda function when an assessment run starts. Configure the Lambda function to retrieve and evaluate the assessment run report when it completes. Configure the Lambda function also to publish an Amazon Simple Notification Service (Amazon SNS) notification if there are any violations for unrestricted incoming SSH traffic.
Answer: B
The AWS Config managed rule restricted-ssh (rule identifier INCOMING_SSH_DISABLED) is evaluated whenever a security group changes, so a violation is reported within minutes and without any custom evaluation code, and a Config remediation action (the AWS-PublishSNSNotification Systems Manager Automation document) publishes the alert. Inspector assessment runs (A, D) are scheduled scans, so a daily run is neither near-real-time nor operationally efficient, and VPC Flow Logs (C) show connections that already happened rather than the misconfigured rule itself.
Reference:
https://docs.aws.amazon.com/config/latest/developerguide/restricted-ssh.html
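The restricted-ssh evaluation from option B, written out as the logic a custom AWS Config rule would run if the managed rule were not available. This is an added example, not code from the page or from AWS: the security groups and the Config event it evaluates are constructed, and the handler returns the evaluation instead of calling put_evaluations so that it runs offline.

```python
"""Re-implementation of the check behind the AWS Config managed rule restricted-ssh
(rule identifier INCOMING_SSH_DISABLED), shaped as the Lambda handler of a custom Config rule.
Added example: the security groups and the Config event below are constructed, not taken
from a real account."""
import ipaddress
import json

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ANY_V6 = ipaddress.ip_network("::/0")
SSH_PORT = 22


def _get(d, *keys, default=None):
    """Field lookup under several spellings: the EC2 DescribeSecurityGroups API uses PascalCase
    (IpPermissions, FromPort) while the configuration item that AWS Config hands to a rule
    uses camelCase (ipPermissions, fromPort)."""
    for key in keys:
        if key in d and d[key] is not None:
            return d[key]
    return default


def _source_networks(perm):
    """All CIDR sources of one inbound rule as ip_network objects. Security-group and
    prefix-list sources are not CIDRs and can never be 'the internet', so they are skipped."""
    nets = set()
    for key in ("IpRanges", "ipRanges", "ipv4Ranges", "Ipv6Ranges", "ipv6Ranges"):
        for entry in perm.get(key) or []:
            cidr = entry if isinstance(entry, str) else _get(entry, "CidrIp", "cidrIp", "CidrIpv6", "cidrIpv6")
            if cidr:
                nets.add(ipaddress.ip_network(cidr, strict=False))
    return nets


def _covers_port(perm, port):
    """True if the rule's protocol and port range include TCP `port` ('-1' means all traffic)."""
    proto = str(_get(perm, "IpProtocol", "ipProtocol", default="")).lower()
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    low = _get(perm, "FromPort", "fromPort", default=0)
    high = _get(perm, "ToPort", "toPort", default=65535)
    return low <= port <= high


def unrestricted_rules(sg, port=SSH_PORT):
    """Inbound rules of a security group that expose `port` to 0.0.0.0/0 or ::/0. Like the
    managed rule, only the two any-address CIDRs count; a /8 would pass."""
    perms = _get(sg, "IpPermissions", "ipPermissions", default=[])
    return [p for p in perms if _covers_port(p, port) and (_source_networks(p) & {ANY_V4, ANY_V6})]


def evaluate_security_group(sg, port=SSH_PORT):
    hits = unrestricted_rules(sg, port)
    if hits:
        return "NON_COMPLIANT", f"{len(hits)} inbound rule(s) allow TCP/{port} from 0.0.0.0/0 or ::/0"
    return "COMPLIANT", f"no inbound rule allows TCP/{port} from the internet"


def lambda_handler(event, context):
    """Entry point of a change-triggered custom rule scoped to AWS::EC2::SecurityGroup. Returns the
    evaluation it would report; in Lambda the last step would be
    boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        compliance, note = "NOT_APPLICABLE", "not a security group"
    elif item["configurationItemStatus"] in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        compliance, note = "NOT_APPLICABLE", "security group was deleted"
    else:
        compliance, note = evaluate_security_group(item["configuration"])
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],  # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


# Constructed samples. OPEN_SG exposes SSH to the world; PEERED_SG only allows SSH from another
# security group and a corporate /16, which the managed rule accepts.
OPEN_SG = {"GroupId": "sg-0aaa", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
OPEN_V6_ALL_TRAFFIC_SG = {"GroupId": "sg-0bbb", "IpPermissions": [
    {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}
PEERED_SG = {"GroupId": "sg-0ccc", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.20.0.0/16"}],
     "UserIdGroupPairs": [{"GroupId": "sg-0bastion"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
SAMPLE_EVENT = {"resultToken": "constructed-token", "invokingEvent": json.dumps({
    "messageType": "ConfigurationItemChangeNotification",
    "configurationItem": {
        "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0aaa",
        "configurationItemStatus": "OK", "configurationItemCaptureTime": "2024-02-14T03:41:09.000Z",
        "configuration": {"groupId": "sg-0aaa", "ipPermissions": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["0.0.0.0/0"],
             "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": [], "userIdGroupPairs": []}]}}})}

if __name__ == "__main__":
    for sg in (OPEN_SG, OPEN_V6_ALL_TRAFFIC_SG, PEERED_SG):
        print(sg["GroupId"], *evaluate_security_group(sg))
    print(json.dumps(lambda_handler(SAMPLE_EVENT, None), indent=2))
```

The same evaluator flags port 443 open to the world on PEERED_SG when called with port=443, which is how you would generalise the rule to other ports; the managed rule itself is fixed to SSH.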

Question#213

A large company has hundreds of AWS accounts. The company needs to provide its employees with access to these accounts. The solution must maximize scalability and operational efficiency.
Which solution meets these requirements?

  • A. With each AWS account, create dedicated IAM users that employees can assume through federation based upon group membership in their existing identity provider.
  • B. Use a centralized account with IAM roles that employees can assume through federation with their existing identity provider. Create a custom authorizer by using AWS SDK to give federated users the ability to assume their target role in the resource accounts.
  • C. Implement AWS Control Tower for multi-account management by integrating AWS Single Sign-On with the company's existing identity provider. Create IAM roles for the identity provider to assume.
  • D. Configure the IAM trust policies within each account's role to set up a trust back to the company's existing identity provider. Allow users to assume the role based on their SAML token.
Answer: C
AWS Control Tower sets up the multi-account landing zone, and AWS Single Sign-On (now IAM Identity Center) federates with the existing identity provider once and maps its groups to permission sets, which become roles in every account; adding an account requires no new users or trust policies. Per-account IAM users (A), a bespoke SDK authorizer (B) and per-account SAML trust policies (D) all grow in effort with the number of accounts.

Question#214

A company's security team suspects that an insider threat is present. The security team is basing its suspicion on activity that occurred in one of the company's AWS accounts. The activity was performed with the AWS account root user credentials. The root user has no access keys. The company uses AWS Organizations, and the account where the activity occurred is in an OU.
A security engineer needs to take away the root user's ability to make any updates to the account. The root user password cannot be changed to accomplish this goal.
Which solution will meet these requirements?

  • A. Attach the following SCP to the account:
  • B. Attach the following SCP to the account:
  • C. Attach the following SCP to the account:
  • D. Attach the following inline IAM policy to the root user:
Answer: C

Question#215

A user is implementing a third-party web application on an Amazon EC2 instance. All client communications must be over HTTPS, and traffic must be terminated before it reaches the instance. Communication to the instance must be over port 80. Company policy requires that workloads reside in private subnets.
Which solution meets these requirements?

  • A. Create an Application Load Balancer. Add an HTTP listener for port 80 to redirect traffic to HTTPS on port 443. Add another listener with an AWS Certificate Manager (ACM) certificate for termination and a rule that forwards to the target instance through port 80.
  • B. Allocate an Elastic IP address that has SSL termination activated. Associate the Elastic IP address with the instance on port 80.
  • C. Create a Gateway Load Balancer. Add an HTTP listener for port 80 to redirect traffic to HTTPS on port 443. Add another listener with an AWS Certificate Manager (ACM) certificate for termination and a rule that forwards to the target instance through port 80.
  • D. Implement a Network Load Balancer. Add an HTTP listener for port 80 to redirect traffic to HTTPS on port 443. Add another listener with an AWS Certificate Manager (ACM) certificate for termination and a rule that forwards to the target instance through port 80.
Answer: A
Only an Application Load Balancer has HTTP and HTTPS listeners, so it can redirect port 80 to 443, terminate TLS with an ACM certificate and forward to the instance in a private subnet on port 80. A Network Load Balancer (D) offers TCP, TLS, UDP and TCP_UDP listeners and has no HTTP redirect rules; a Gateway Load Balancer (C) hands GENEVE-encapsulated traffic to security appliances; an Elastic IP address (B) has no TLS termination feature.

Question#216

A company uses AWS CodePipeline for its software builds. Company policy mandates that code must be deployed to the staging environment before it is deployed to the production environment. The company needs to implement monitoring and alerting to detect when a CodePipeline pipeline is used to deploy code to production without the code first being deployed to staging.
What should a security engineer do to meet these requirements?

  • A. Enable Amazon GuardDuty to monitor AWS CloudTrail for CodePipeline. Configure findings through AWS Security Hub, and create a custom action in Security Hub to send to Amazon Simple Notification Service (Amazon SNS).
  • B. Use the AWS Cloud Development Kit (AWS CDK) to model reference-architecture CodePipeline pipeline that deploys application code through the staging environment and then the production environment.
  • C. Turn on AWS Config recording. Use a custom AWS Config rule to examine each CodePipeline pipeline for compliance. Configure an Amazon Simple Notification Service (Amazon SNS) notification on any change that is not in compliance with the rule. Add the desired receiver of the notification as a subscriber to the SNS topic.
  • D. Use Amazon Inspector to conduct an assessment of the CodePipeline pipelines and send a notification upon the discovery of a pipeline that is not in compliance. Add the desired receiver of the notification as a subscriber to the Amazon Simple Notification Service (Amazon SNS) topic.
Answer: C
AWS Config records AWS::CodePipeline::Pipeline resources, so a custom rule triggered by configuration changes can inspect each pipeline's stage order and mark a pipeline that reaches production without a staging deploy as non-compliant, with SNS delivering the alert. GuardDuty (A) produces threat findings, not pipeline-structure checks; a CDK reference architecture (B) is preventive and detects nothing; Amazon Inspector (D) assesses EC2, ECR and Lambda workloads, not pipelines.
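The custom Config rule from option C needs a compliance function over each pipeline definition. The one below is an added example rather than anything from the page: it reads the pipeline as returned by codepipeline:GetPipeline, recognises staging and production stages by an assumed naming convention (the two regexes at the top, which the question does not specify), and counts only stages that contain a Deploy action, so a "Staging" stage that merely runs tests does not satisfy the policy. The pipelines it evaluates are constructed; in the rule's Lambda handler the returned pair goes into put_evaluations.

```python
"""Compliance logic for a custom AWS Config rule over AWS::CodePipeline::Pipeline resources:
a pipeline that deploys to production must deploy to staging in an earlier stage.
Added example; the pipeline definitions are constructed, and recognising environments by
stage name is an assumed naming convention that the question itself does not specify."""
import re

# Assumed convention: the environment is encoded in the stage name. Adapt to the real one,
# or match on the deploy action's configuration (target stack, cluster or account) instead.
STAGING_NAME = re.compile(r"stag(e|ing)", re.IGNORECASE)
PRODUCTION_NAME = re.compile(r"prod", re.IGNORECASE)


def _is_deploy_stage(stage):
    """A stage deploys only if one of its actions has category Deploy (not Build, Test or Approval)."""
    return any(action.get("actionTypeId", {}).get("category") == "Deploy"
               for action in stage.get("actions", []))


def _deploy_stage_indexes(stages, name_pattern):
    """Positions of the stages whose name matches the pattern and that actually deploy."""
    return [i for i, stage in enumerate(stages)
            if name_pattern.search(stage.get("name", "")) and _is_deploy_stage(stage)]


def evaluate_pipeline(pipeline):
    """Return (ComplianceType, Annotation) for one pipeline definition, i.e. the "pipeline"
    object from codepipeline:GetPipeline with its ordered "stages" list."""
    stages = pipeline.get("stages", [])
    prod = _deploy_stage_indexes(stages, PRODUCTION_NAME)
    if not prod:
        return "NOT_APPLICABLE", "pipeline does not deploy to production"
    staging = _deploy_stage_indexes(stages, STAGING_NAME)
    first_prod = stages[prod[0]]["name"]
    if not staging:
        return "NON_COMPLIANT", f"stage '{first_prod}' deploys to production but no stage deploys to staging"
    first_staging = stages[staging[0]]["name"]
    if staging[0] > prod[0]:
        return "NON_COMPLIANT", f"staging deploy '{first_staging}' runs after production deploy '{first_prod}'"
    return "COMPLIANT", f"staging deploy '{first_staging}' precedes production deploy '{first_prod}'"


def _stage(name, category, provider):
    """Constructed stage in the GetPipeline shape with a single action."""
    return {"name": name, "actions": [{"name": name, "runOrder": 1, "actionTypeId": {
        "category": category, "owner": "AWS", "provider": provider, "version": "1"}}]}


# Constructed pipelines covering the policy's cases.
COMPLIANT_PIPELINE = {"name": "web-app", "stages": [
    _stage("Source", "Source", "CodeCommit"), _stage("Build", "Build", "CodeBuild"),
    _stage("Deploy-Staging", "Deploy", "CloudFormation"), _stage("Approve-Prod", "Approval", "Manual"),
    _stage("Deploy-Prod", "Deploy", "CloudFormation")]}
SKIPS_STAGING = {"name": "hotfix", "stages": [
    _stage("Source", "Source", "CodeCommit"), _stage("Build", "Build", "CodeBuild"),
    _stage("Deploy-Prod", "Deploy", "CloudFormation")]}
REVERSED = {"name": "reversed", "stages": [
    _stage("Source", "Source", "CodeCommit"), _stage("Deploy-Prod", "Deploy", "CloudFormation"),
    _stage("Deploy-Staging", "Deploy", "CloudFormation")]}
TESTS_ONLY_IN_STAGING = {"name": "tests-only", "stages": [  # "Staging" runs tests, deploys nothing
    _stage("Source", "Source", "CodeCommit"), _stage("Build", "Build", "CodeBuild"),
    _stage("Staging", "Test", "CodeBuild"), _stage("Deploy-Prod", "Deploy", "CloudFormation")]}
NO_PROD = {"name": "dev-only", "stages": [
    _stage("Source", "Source", "CodeCommit"), _stage("Deploy-Staging", "Deploy", "CloudFormation")]}

if __name__ == "__main__":
    for p in (COMPLIANT_PIPELINE, SKIPS_STAGING, REVERSED, TESTS_ONLY_IN_STAGING, NO_PROD):
        print(f"{p['name']:12} {evaluate_pipeline(p)[0]:15} {evaluate_pipeline(p)[1]}")
```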

Question#217

An application is running on an Amazon EC2 instance that has an IAM role attached. The IAM role provides access to an AWS Key Management Service (AWS KMS) customer managed key and an Amazon S3 bucket.
A security engineer discovers a potential vulnerability on the EC2 instance that could result in the compromise of the sensitive data. Due to other critical operations, the security engineer cannot immediately shut down the EC2 instance for vulnerability patching.
What is the FASTEST way to prevent the sensitive data from being exposed?

  • A. Download the data from the existing S3 bucket to a new EC2 instance. Then delete the data from the S3 bucket. Re-encrypt the data with a client-based key. Upload the data to a new S3 bucket.
  • B. Block access to the public range of S3 endpoint IP addresses by using a host-based firewall. Ensure that internet-bound traffic from the affected EC2 instance is routed through the host-based firewall.
  • C. Revoke the IAM role's active session permissions. Update the S3 bucket policy to deny access to the IAM role. Remove the IAM role from the EC2 instance profile.
  • D. Disable the current key. Create a new KMS key that the IAM role does not have access to, and re-encrypt all the data with the new key. Schedule the compromised key for deletion.
Answer: C
Revoking the role's active sessions (an inline policy that denies every request whose credentials were issued before the revocation time), denying the role in the bucket policy, and removing the role from the instance profile cut off the instance's access within minutes without touching the instance. Moving and re-encrypting the data (A, D) takes far longer, and disabling the KMS key would also break the other critical operations; a host-based firewall on the suspect host (B) can be switched off by whoever controls it.
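The three steps of option C, as the policy documents and API calls involved. This is an added example, not from the page: the role ARN, bucket name and existing bucket policy are constructed placeholders, and apply_containment, the only part that talks to AWS, is not run here. Two details matter in practice. The revocation policy denies requests whose credentials were issued before the revocation time, so the instance profile must also be detached (step 3) or the instance simply fetches fresh credentials. And the bucket-policy deny keys on aws:PrincipalArn for both the role and its assumed-role sessions, which keeps working even if the role is later deleted and recreated with the same name, whereas a Principal element is stored as the role's unique ID and would stop matching.

```python
"""Containment of a compromised EC2 instance role: (1) revoke all current sessions,
(2) deny the role in the bucket policy, (3) detach the instance profile.
Added example; ARNs, names and the existing bucket policy are constructed placeholders."""
import json
import re
from datetime import datetime, timezone

DENY_SID = "DenyCompromisedRole"


def revoke_sessions_policy(issued_before):
    """Document the IAM console attaches as the inline policy AWSRevokeOlderSessions: deny every
    action to credentials issued before `issued_before` (timezone-aware datetime)."""
    stamp = issued_before.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"DateLessThan": {"aws:TokenIssueTime": stamp}}}]}


def assumed_role_arn_pattern(role_arn):
    """arn:PARTITION:iam::ACCOUNT:role[/path]/Name -> arn:PARTITION:sts::ACCOUNT:assumed-role/Name/*
    (the path is not part of an assumed-role ARN)."""
    match = re.fullmatch(r"arn:(aws[\w-]*):iam::(\d{12}):role/(?:.*/)?([\w+=,.@-]+)", role_arn)
    if not match:
        raise ValueError(f"not an IAM role ARN: {role_arn}")
    partition, account, name = match.groups()
    return f"arn:{partition}:sts::{account}:assumed-role/{name}/*"


def deny_role_statement(bucket, role_arn):
    """Deny all S3 actions on the bucket to the role and to every session assumed from it."""
    partition = role_arn.split(":")[1]
    return {"Sid": DENY_SID, "Effect": "Deny", "Principal": "*", "Action": "s3:*",
            "Resource": [f"arn:{partition}:s3:::{bucket}", f"arn:{partition}:s3:::{bucket}/*"],
            "Condition": {"ArnLike": {"aws:PrincipalArn": [role_arn, assumed_role_arn_pattern(role_arn)]}}}


def add_deny_to_bucket_policy(existing, bucket, role_arn):
    """Merge the deny into an existing bucket policy (dict, JSON string or None). Re-running
    replaces the earlier deny with the same Sid instead of stacking duplicates."""
    if existing is None:
        policy = {"Version": "2012-10-17", "Statement": []}
    else:
        policy = existing if isinstance(existing, dict) else json.loads(existing)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a policy may carry a single statement object
        statements = [statements]
    statements = [s for s in statements if s.get("Sid") != DENY_SID]
    statements.append(deny_role_statement(bucket, role_arn))
    return {**policy, "Statement": statements}


def apply_containment(role_name, role_arn, bucket, instance_id):
    """Run the three steps against a real account with boto3 (not executed in this example)."""
    import boto3  # imported here so the document builders above stay dependency-free
    iam, s3, ec2 = boto3.client("iam"), boto3.client("s3"), boto3.client("ec2")
    iam.put_role_policy(RoleName=role_name, PolicyName="AWSRevokeOlderSessions",
                        PolicyDocument=json.dumps(revoke_sessions_policy(datetime.now(timezone.utc))))
    try:
        current = s3.get_bucket_policy(Bucket=bucket)["Policy"]
    except s3.exceptions.ClientError as err:
        if err.response["Error"]["Code"] != "NoSuchBucketPolicy":
            raise
        current = None
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(add_deny_to_bucket_policy(current, bucket, role_arn)))
    associations = ec2.describe_iam_instance_profile_associations(
        Filters=[{"Name": "instance-id", "Values": [instance_id]}])["IamInstanceProfileAssociations"]
    for assoc in associations:
        ec2.disassociate_iam_instance_profile(AssociationId=assoc["AssociationId"])


# Constructed placeholders for the walk-through below.
ROLE_ARN = "arn:aws:iam::123456789012:role/AppRole"
REVOKE_AT = datetime(2024, 2, 14, 3, 0, 0, tzinfo=timezone.utc)
EXISTING_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRead", "Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::images-bucket/*"}]})

if __name__ == "__main__":
    print(json.dumps(revoke_sessions_policy(REVOKE_AT), indent=2))
    print(json.dumps(add_deny_to_bucket_policy(EXISTING_POLICY, "images-bucket", ROLE_ARN), indent=2))
```

An explicit Deny in the bucket policy wins over the AppRead Allow that remains in place, so the existing grant can be cleaned up later, once the instance has been patched, without racing the containment.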

Question#218

A company stores sensitive documents in Amazon S3 by using server-side encryption with an AWS Key Management Service (AWS KMS) CMK. A new requirement mandates that the CMK that is used for these documents can be used only for S3 actions.
Which statement should the company add to the key policy to meet this requirement?
A.

B.

C.

D.

Answer: B

Question#219

A company needs to use HTTPS when connecting to its web applications to meet compliance requirements. These web applications run in Amazon VPC on Amazon EC2 instances behind an Application Load Balancer (ALB). A security engineer wants to ensure that the load balancer will only accept connections over port 443, even if the ALB is mistakenly configured with an HTTP listener.
Which configuration steps should the security engineer take to accomplish this task?

  • A. Create a security group with a rule that denies inbound connections from 0.0.0.0/0 on port 80. Attach this security group to the ALB to overwrite more permissive rules from the ALB's default security group.
  • B. Create a network ACL that denies inbound connections from 0.0.0.0/0 on port 80. Associate the network ACL with the VPC's internet gateway.
  • C. Create a network ACL that allows outbound connections to the VPC IP range on port 443 only. Associate the network ACL with the VPC's internet gateway.
  • D. Create a security group with a single inbound rule that allows connections from 0.0.0.0/0 on port 443. Ensure this security group is the only one associated with the ALB.
Answer: D
Security groups hold only allow rules, so a deny rule (A) cannot be written, and network ACLs are associated with subnets, not with an internet gateway (B, C). A security group whose single inbound rule allows 0.0.0.0/0 on port 443, attached as the ALB's only security group, leaves port 80 unreachable even if an HTTP listener is created by mistake.

Question#220

A company maintains an open-source application that is hosted on a public GitHub repository. While creating a new commit to the repository, an engineer uploaded their AWS access key and secret access key. The engineer reported the mistake to a manager, and the manager immediately disabled the access key.
The company needs to assess the impact of the exposed access key. A security engineer must recommend a solution that requires the least possible managerial overhead.
Which solution meets these requirements?

  • A. Analyze an AWS Identity and Access Management (IAM) use report from AWS Trusted Advisor to see when the access key was last used.
  • B. Analyze Amazon CloudWatch Logs for activity by searching for the access key.
  • C. Analyze VPC flow logs for activity by searching for the access key.
  • D. Analyze a credential report in AWS Identity and Access Management (IAM) to see when the access key was last used.
Answer: D
The IAM credential report lists, for every user, whether each access key is active and when, from which Region and through which service it was last used, which is enough to tell whether the exposed key was used after the commit. Trusted Advisor (A) checks key age, not usage, and neither CloudWatch Logs (B) nor VPC flow logs (C) record access key IDs. The report keeps only the most recent use per key, so to enumerate what the key actually did, search CloudTrail for the access key ID.
Reference:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html
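Triage of the exposed key from the credential report, as an added example that is not part of the page. The CSV is constructed in the report's column layout (the real one comes from generate-credential-report followed by get-credential-report, whose Content field is bytes in boto3 and base64 text in the CLI). The report names keys by slot (1 or 2), never by access key ID, so find_slot matches the key's CreateDate from list-access-keys against access_key_N_last_rotated. Usernames, timestamps and the exposure time are made up.

```python
"""Triage of an exposed IAM access key using the IAM credential report.
Added example; SAMPLE_REPORT is constructed in the report's column layout and is not real data."""
import csv
import io
from datetime import datetime, timezone

# Constructed sample. Real reports come from iam:GenerateCredentialReport followed by
# iam:GetCredentialReport (Content is bytes in boto3, base64 text in the CLI).
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2019-03-01T10:00:00+00:00,not_supported,2024-01-05T08:12:33+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
build-bot,arn:aws:iam::123456789012:user/build-bot,2022-06-10T09:30:00+00:00,false,N/A,N/A,N/A,false,false,2023-11-02T14:20:11+00:00,2024-02-14T03:41:09+00:00,us-east-1,s3,true,2024-01-20T11:00:00+00:00,2024-02-12T22:05:40+00:00,eu-west-1,sts,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-01-15T12:00:00+00:00,true,2024-02-12T16:45:00+00:00,2023-12-01T09:00:00+00:00,2024-03-01T09:00:00+00:00,true,true,2023-12-01T09:05:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""
# Constructed: when the commit containing the key was pushed (the key was disabled after this).
SAMPLE_EXPOSED_AT = datetime(2024, 2, 13, 18, 0, 0, tzinfo=timezone.utc)

# Placeholders the report uses where no value exists.
NO_VALUE = {"N/A", "no_information", "not_supported", ""}


def parse_credential_report(text):
    """One dict per principal; the root user appears as <root_account>."""
    return list(csv.DictReader(io.StringIO(text)))


def _time(value):
    """Report timestamps are ISO 8601 with a +00:00 offset; placeholders become None."""
    if isinstance(value, datetime):
        return value.astimezone(timezone.utc)
    if value in NO_VALUE:
        return None
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def _text(value):
    return None if value in NO_VALUE else value


def _row(rows, user):
    for row in rows:
        if row["user"] == user:
            return row
    raise KeyError(f"{user!r} not in credential report")


def key_usage(rows, user, slot):
    """Status and last-use record of access key slot 1 or 2 for `user`."""
    if slot not in (1, 2):
        raise ValueError("slot must be 1 or 2")
    row, prefix = _row(rows, user), f"access_key_{slot}_"
    return {
        "active": row[prefix + "active"] == "true",
        "created": _time(row[prefix + "last_rotated"]),  # creation (or last rotation) time of the key
        "last_used": _time(row[prefix + "last_used_date"]),
        "region": _text(row[prefix + "last_used_region"]),
        "service": _text(row[prefix + "last_used_service"]),
    }


def find_slot(rows, user, created):
    """Which slot holds the key with this CreateDate (from iam:ListAccessKeys)? The report never
    shows access key IDs, so the creation timestamp is the join key. Returns 1, 2 or None."""
    created = _time(created)
    for slot in (1, 2):
        if key_usage(rows, user, slot)["created"] == created:
            return slot
    return None


def used_after(rows, user, slot, exposed_at):
    """True if the key's most recent use is after the exposure, False if it is before, None if the
    report records no use at all. Only the most recent use is kept, so True means "at least
    once"; the individual API calls then have to come from CloudTrail, keyed on the access key ID."""
    last_used = key_usage(rows, user, slot)["last_used"]
    if last_used is None:
        return None
    return last_used > _time(exposed_at)


if __name__ == "__main__":
    rows = parse_credential_report(SAMPLE_REPORT)
    slot = find_slot(rows, "build-bot", "2023-11-02T14:20:11+00:00")
    print("exposed key is slot", slot, key_usage(rows, "build-bot", slot))
    print("used after exposure:", used_after(rows, "build-bot", slot, SAMPLE_EXPOSED_AT))
```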
