For compliance reasons, a Security Engineer must produce a weekly report that lists any instance that does not have the latest approved patches applied. The
Engineer must also ensure that no system goes more than 30 days without the latest approved updates being applied.
What would be the MOST efficient way to achieve these goals?
D
A company is operating an open-source software platform that is internet facing. The legacy software platform no longer receives security updates. The software platform operates using Amazon Route 53 weighted load balancing to send traffic to two Amazon EC2 instances that connect to an Amazon RDS cluster. A recent report suggests this software platform is vulnerable to SQL injection attacks, with samples of attacks provided. The company's Security Engineer must secure this system against SQL injection attacks within 24 hours. The Security Engineer's solution must involve the least amount of effort and maintain normal operations during implementation.
What should the Security Engineer do to meet these requirements?
A
A recent security audit found that AWS CloudTrail logs are insufficiently protected from tampering and unauthorized access.
Which actions must the Security Engineer take to access these audit findings? (Choose three.)
ABF
Reference:
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html
A company's Developers plan to migrate their on-premises applications to Amazon EC2 instances running Amazon Linux AMIs. The applications are accessed by a group of partner companies. The Security Engineer needs to implement the following host-based security measures for these instances:
✑ Block traffic from documented known bad IP addresses.
✑ Detect known software vulnerabilities and CIS Benchmarks compliance.
Which solution addresses these requirements?
C
A Security Architect has been asked to review an existing security architecture and identity why the application servers cannot successfully initiate a connection to the database servers. The following summary describes the architecture:
1. An Application Load Balancer, an internet gateway and a NAT gateway are configured in the pubic subnet.
2. Database, application, and web servers are configured on three different private subnets.
3. The VPC has two route tables: one for the public subnet and one for all other subnets. The route table for the public subnet has a 0.0.0.0/0 route to the internet gateway. The route table for all other subnets has a 0.0.0.0/0 route to the NAT gateway. All private subnets can route to each other.
4. Each subnet has a network ACL implemented that limits all inbound and outbound connectivity to only the required ports and protocols.
5. There are 3 Security Groups (SGs): database, application, and web. Each group limits all inbound and outbound connectivity to the minimum required.
Which of the following accurately reflects the access control mechanisms the Architect should verify?
C
Developers in an organization have moved from a standard application deployment to containers. The Security Engineer is tasked with ensuring that containers are secure.
Which strategies will reduce the attack surface and enhance the security of the containers? (Choose two.)
BD
Auditors for a health care company have mandated that all data volumes be encrypted at rest. Infrastructure is deployed mainly via AWS CloudFormation; however, third-party frameworks and manual deployment are required on some legacy systems.
What is the BEST way to monitor, on a recurring basis, whether all EBS volumes are encrypted?
B
Using AWS Config Rules, you can run continuous assessment checks on your resources to verify that they comply with your own security policies, industry best practices, and compliance regimes such as PCI/HIPAA. For example, AWS Config provides a managed AWS Config Rules to ensure that encryption is turned on for all EBS volumes in your account. You can also write a custom AWS Config Rule to essentially ג€codifyג€ your own corporate security policies. AWS Config alerts you in real time when a resource is misconfigured, or when a resource violates a particular security policy.
Reference:
https://d1.awsstatic.com/whitepapers/aws-security-whitepaper.pdf
A company became aware that one of its access keys was exposed on a code sharing website 11 days ago. A Security Engineer must review all use of the exposed keys to determine the extent of the exposure. The company enabled AWS CloudTrail in all regions when it opened the account.
Which of the following will allow the Security Engineer to complete the task?
A
Reference:
https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-for-activity/
A Development team has built an experimental environment to test a simple static web application. It has built an isolated VPC with a private and a public subnet.
The public subnet holds only an Application Load Balancer, a NAT gateway, and an internet gateway. The private subnet holds all of the Amazon EC2 instances.
There are 3 different types of servers. Each server type has its own Security Group that limits access to only required connectivity. The Security Groups have both inbound and outbound rules applied. Each subnet has both inbound and outbound network ACLs applied to limit access to only required connectivity.
Which of the following should the team check if a server cannot establish an outbound connection to the internet? (Choose three.)
CDE
Example.com is hosted on Amazon EC2 instance behind an Application Load Balancer (ALB). Third-party host intrusion detection system (HIDS) agents that capture the traffic of the EC2 instance are running on each host. The company must ensure they are using privacy enhancing technologies for users, without losing the assurance the third-party solution offers.
What is the MOST secure way to meet these requirements?
C