AWS Certified Security Specialty SCS-C01 Exam Updated Dumps

1. For compliance rea s ons, an org a nization limits the use of r esources to three spe c ific A WS regions. I t wants to be alerted w h en any resources a r e launched in un a p p ro v ed regi ons .

Which of the following approaches will provide aler t s on any resources launched in an u n app r oved regio n ?

2. An appl ic ation has b een built w ith Amazon E C 2 instances t h a t retrieve messages from Amazon SQS. Recentl y , IAM changes were ma d e and the instances can no long e r retrieve messages.

What actions should be taken to troubleshoot the issue while maintaining lea s t privilege. ( S elect two.) A. Configure and assign an M F A de v ice to the role used by the i nstances.

B. V erify that the SQS resource policy does not explicitly deny a cce s s to the role used by the instances. C. V erify that the access key a ttached to the role used by the instances is active.

D. Attach the AmazonSQSFullAcce s s manag e d po l icy to the role u s ed by t h e instances.

E. V erify that the role attached to the instances c o ntains policies that allow a ccess to the que u e.

3. Auditors tor a health care compa n y have mandated mat all d a ta volumes be en c rypted at rest Infrastructure is deployed mainly via A WS CloudFormation h o wever third- p arty frameworks and manual deployment are re q uir e d on some legacy systems.

What is the BEST way to monito r , on a recurring basis, whether all EBS volumes are e nc rypted?

4. A compa n y uses HTTP Live Streaming (HLS) to stream live video content to paying subscribers by using Amazon CloudF r on t . HLS sp l its the video content into ch u nks so that the user can request the right chunk based on di f ferent conditions Because the video events l a st for several hours, the total video is made up of thou s ands of chunks

The origin U RL is not disclosed and every user is forced to access the CloudFront URL The compa n y h a s a web a pplication that authenticates the paying us e rs against an internal r e p os itory and a CloudF r ont key pair that is already issued.

What is the simplest and MOST e f fect i ve way to p r otect the content?

5. An appl ic ation runn in g on EC2 instances p rocesses sensitive information stored on Amazon S3. The information is accessed o v er the Internet. The se c urity team i s concerned t h at the Int e rnet connectivity to Amazon S3 is a s e curity r isk.

Which solut i on will resolve the security concern? A. Access t h e data thro u gh an Inter n et Gatewa y . B. Access t h e data thro u gh a VPN c o nnection.

C. Acc e ss the data thro u gh a N A T Gatewa y .

D. Acc e ss the data through a VPC endpoint for Amazon S3

6. An A WS account administrator created an IAM gro u p and a pplied the following man a ged policy to requi r e that each individ u al user auth e nticate u s ing multi-fac t or authentication:



















After implementing the p o lic y , t he administrator receives reports t hat users are unable to p e rform Amazon

EC2 commands using the A WS CLI.

What should the administrator do to r es olve this problem while still enforcing multi-f a ctor authentication? A. Change the value of aws Mu l tiFactorAuthPresent to true.

B. I n struct u s ers to run the aws s t s ge t -session-to k en CLI command and pa ss the multi-factor authentication ―serial-n u mber and ― t oken-code p arameters. Use these resulting values to make API/CLI c alls

C. Implement federated API/CLI ac c ess using SAML 2.0, then con f igure the i dentity provider to enforce multi-factor a uthentication.

D. Create a r ole and enf or ce mu l ti-factor authentic a tion in the role trust poli c y Instru c t use r s to run the s ts assume-role CLI command and pass --serial-num be r and ―token-code p a r a meters Store the resulting values in environment variables. Add s t s: A ssumeRole to NotAc tio n in the polic y .

7. Some h i ghly sensitive analyti c s workloads are to be moved t o Amazon EC2 hosts. T h reat modeli n g has found that a risk exists where a subnet could be malicious l y or accidentally expo s ed to the interne t . Which of the following mitigations should be recommende d ?

8. A comp a ny needs a forensic- l ogg i ng solution for hu n dreds of applications running in Docker on Amazon EC2. The solution must perform real-time analytics on the togs must support the replay of messages a nd must persist the logs.

Which A WS services should be u s ed to meet these requirements? ( Select T WO) A. Amazon Athena

B. Amazon Kinesis

C. Amazon SQS

D. Amazon Elasticsearch

E. Amazon EMR

9. Y our cu r rent setup in A WS con s ists of the following architecture. 2 public subnets, o n e subnet wh i ch has the web servers acc e ssed by u se r s across the internet and t he other subnet for the database serve r . Which of the following ch a nges to the architecture would add a b etter security boun d ary to the resourc e s hosted in your setup

10. A Security Administrator at a university is confi g uring a fleet of Amazon EC2 instances. The EC2 instances a r e shared a m ong studen t s, and non- ro ot SSH access is allowed. The Administrator is concerned a bout students att a ck i ng o ther A WS account resou r ces by using the EC2 instance metad a ta service.

What can the Administrator do to pro t ect against this potential attack? A. Disable t h e EC2 instance metadata service.

B. Log all student SSH interactive session activit y .

C. Implement ip tables-based r e stricti o ns on the in s tances. D. Install the Amazon Ins p e c tor agent on the instances.

11. Y ou ne e d to create a policy and apply it for just an individual use r . How could you accomplish this in the right way?

12. A security alert has b een raised f o r an Amazon EC2 instance in a cust o mer account that is exhibiting strange be hav io r . The Security Engineer must first isolate the EC2 instance and then u s e tools for further investigation.

What should the Security Engineer u s e to isolate a nd research this event? (Choose thr e e.) A. A WS Cloud T rail

B. Amazon Athena

C. A WS Key Managem e nt Service ( A W S KMS) D. VPC Flow Logs

E. A WS Fir e wall Manag e r F . Security groups

13. A Security Engineer creates an Amazon S3 bucket policy that denies access to all users. A few days late r , the Security Engineer adds an additional stat e ment to t h e bucket policy to allow read - only acc e ss to one other e mployee Even after upda ti ng the policy the employee still receiv e s an access denied message.

What is the likely cau s e of this a ccess denial? A. The ACL in the bucket needs to be updat e d.

B. The IAM p olicy does n o t allow the user to access the bucket

C. It takes a few minutes for a bucket policy to take e f fe c t D. The allow permission is being overr i dden by the den y .

14. An c ompany is using A WS Secrets Manager to store secrets t h at are e nc rypted using a CMK and a r e stored in the security account 11 1 12 22 233 3 3. One of the comp a n y 's production ac c ounts. 444 4 55 5 56 6 66, must to retrieve the secret va l ues from the security account 111 1 222 2 33 3 3. A security engineer n eeds to apply a policy to the sec r et in the security a ccount based on least privilege access so the pro d uction account can retrieve the secret value onl y .

Which policy should the security engineer a p ply?

15. The Security Engineer implemented a new vau l t lock policy for 10TB of data and called











initiate-vault-lock 12 hours ago. The Audit team identified a t ypo that is allowing incorrect access to the vault.

What is the MOST c ost - e f fect i v e way to correct th i s?

16. A compa n y's development team i s d esigning an application usi ng A WS L a mbda and A mazon Elastic Contain e r Service (Amaz o n E C S). The development team needs to create IAM roles to support these systems. T h e company's security te a m wants to a llow the developers to build IAM roles directl y , but the security team wants to r etain control over the pe r missions the develop e rs can dele g a t e to those roles. The develo p ment team needs access to more pe r missions than tho s e requ i red for the a pplication's A WS services. T h e solution must minimize managem e nt overhead.

How should t he security team prevent privilege escalation for b o th teams?

17. A Security Engineer must implement mutually authenticated T LS connections be t ween containe r s that communicate inside a VPC.

Which solution would b e MOST secure and easy to maintain?

18. Y ou ha v e an EC2 instance with t h e following security configur e d:

a) ICMP inbound allo w ed on Security Group

b) ICMP outbou n d not configured o n Security Gr o up c) ICMP inbound allo w ed on Netw o rk ACL

d) ICMP outbou n d deni e d on Netwo r k ACL

If Flow logs i s enabled for the i n stanc e , which of the following flow records will be recorded? Choo s e 3 answers from the op t ions give below

19. T opic 3, Exam Pool C





Y ou are trying to use the A WS Syst e ms Manager run comma n d on a set of Instances. The run command on a set of Instances.

What can you do to diag n ose the iss u e? Choose 2 answers from t h e options given

20. A Deve l opment team has bui l t an experimental environment to te s t a s i m ple stale web application It has built an isola t ed VPC with a priva t e and a publ i c subnet. The public subnet holds only an Application Load Balan c er a N A T gatewa y , and a n internet ga t ewa y . The private subnet holds ail of the Amazon EC2 instances.

There are 3 di f ferent types of s e rvers Each server type has i t s own Security Group that limits access l o only requir e d connectivit y . The Security Groups nave both inbound a n d out b ound r ules applied Each subnet has both inbou n d and outb o u n d network ACls applied to limit a ccess to only required con n ectivity Which of the following sh o uld the team check if a server cannot establish an outbou n d connection to t h e internet? (S e lect THREE.)

21. A global c ompany must m itigate a nd respo n d to DDoS attacks at Laye r s 3, 4 and 7 All of the company's A WS applications are serverless with static content h osted on Amazon S3 using Amazon CloudF r ont a nd Amazon Route 53

Which solution will meet these requirements?

22. Y ou are building a la r ge-scale confidential documentation web server on A WSand all of the documentation for it will b e st o red on S3. One of the require m ents is that it cannot be publicly accessible from S3 directl y , and you will need to use Cloud Front to acco m plish this.

Which of the methods listed below wo uld sa t isfy the requi r em e nts as outlined? C h oo s e an answer f r om the options below

23. Y ou want to get a l ist of vulnerabilities for an EC2 Instance as per the g u idelines set b y the Center of

Internet Securit y .

How can you go about do i ng this?

24. An application runni n g on Ama z on EC2 instances generates log fil e s in a folder on a Linux file syst e m. The instances block acc e ss to t he co n s ole and file transfer utilities, s u c h as Secure Copy Protocol (SCP) and Secure File T ransfer Protocol (SFTP). The Application Supp o rt team wants to au t omatically monitor the application log files so the team can set up notifications in t he future.

A Security Engine e r must design a solution that meets the follo w ing requ i re m ents:

• Make the l o g files avail a ble throu g h a n A WS managed service.

• Allow for automatic m onitoring of the logs.











• Provide an Interlace for analyzing lo gs .

• Minimize e f fort.

Which appr o ach meets t h ese require m ents^

25. A Software Engin e er is trying to f igure o ut why network c onnectivity to an Ama z on EC2 instance does not appe a r to be working correctl y . Its security group allows i n b ound HTTP tra f fic from 0.0.0.0/0, and the outbo u nd ru l es have not been m o dified from the d e fault. A cust o m network ACL associat e d with its subn e t allows inbo u nd HTTP tra f fic from 0.0. 0 .0/0 and has no outbo u nd rules.

What would r esolve the connectivity issue?

26. A website currently runs on Amazon EC2 w i th m ostly st a tic co ntent on the site. Recentl y , the site w a s subjected to a ODoS attack, and a Security Engin e er was task e d with redesigning the e d ge security to help mitigate this r i s k in t h e future

What are some ways the Engineer c o uld achieve this? (Select THREE) A. Use A WS X-Ray to in s pect the tra f fic going 10 the EC2 instances

B. Move the state content to Am a zon S3 and font this with an A m azon Clo u dFront distribution

C. Chan g e the security g roup con f igu r ation to block the source of the atta c k tra f fic

D. Use A WS W AF security rules to inspect the inbound tra f fic

E. Use Am a z on inspector asses s ment templates to inspect the inbo u nd tra f fic

F . Use A mazon Route 53 to distribute tra f fic

27. A security engine e r n e eds to c onfi g ure moniton n g and auditi n g for A WS L ambda.

Which combination of actions using A WS services should the sec u rity engineer take to accomplish this goal? (Select TWO.)

28. A comp a ny has com p lex connectivity rules governing i n gre s s, egress, and communications betw e en Amazon EC2 instances. The rules are so c omplex t hat they c a n not be implemented within the limits of the maximum number of security groups and netw o rk access control lists (network ACL s ).

What mechanism will all o w the c o mpany to implement all required netw o rk rules without incurring additional c os t?

29. A comp a ny hosts data in S3. There is now a mandate that g oing forw a rd all data in the S3 bucket needs to encrypt at rest.

How can this be achieved?

30. A company is u s ing A W S Organ i zations to manage multiple A WS accounts. The company has an application that allows users to a ssu m e the AppUser IAM role t o downl o ad files from an Amazon S3 bucket that is encrypted with an A WS KMS CMK However wh en users try t o access the files in the S 3 bucket they get an access denied err o r .

What should a Security Engine e r do to troubleshoot this error? (Select THREE)

31. Y ou ne e d to establish a secure backup and a r chiving solution for your compan y , using A WS. Documents should be immediately accessible for three months and availab l e for five y e a rs for c ompliance reasons.

Which A WS service fulfills the s e requirements in the most c ost - e f fective way? Choose the correct answer: A. Upload d a ta to S3 and use life c ycle policies to move the da t a into Glacier for long-t e rm archiving.

B. Upload the data on EBS, use lifecycle policies to move EBS snapshots into S3 and later into Glacier for long-term a rc hiving.

C. Use Direct Connect to upload d a ta to S3 and use IAM policies to move t h e data into Glacier for long-term a rc hiving.

D. Use Storage Gateway to store data to S3 and u s e lifecycle policies to mo v e the data into Redshift f o r long-term a rc hiving.

32. A comp a ny has seve r al Customer Master Keys (CMK), some of w hich have imported key material. Each CMK must be rotated an n uall y .

What two methods c an t h e security t e am use to rotate each key? Select 2 answers from the options given below

33. A comp a ny has been using the A W5 KMS service for managing i ts keys. They are planning o n carrying out housekeepi n g activities a nd de l eting keys which are no long e r in use.

What are the ways that c a n be incorpo r ated to see which keys are in use? Choose 2 answers from the options given below

34. Y ou need to have a require m ent to store objects in an S3 b u cket with a key that is automatically managed an d rotated.

Which of the following can be used for this purpose? A. A W S K M S

B. A W S S3 Server side encryption

C. A WS Customer Ke y s D. A WS Cloud HSM

35. After multiple compr o mises o f its Amazon EC2 instances, a company's Security O f ficer is mand a ting that memory dumps of c o mpromised instances be captured for fur t her anal y s is. A Security Engineer just received an EC2 abuse n otification report from A WS s tating that an EC2 instance runn i ng the most recent Windows S e rver 2019 B a se AMI is c o mpromised.

How should t he Security Engineer col l ect a memo r y dump of t h e E C2 instance for forensic analysis?

36. A compa n y uses multi p le A WS accounts manag e d with A WS Organ i zatio n s Security engineers have created a standa r d set of security groups for all th e s e accoun t s. The security policy requires that these security gro u ps be used for all applications and delegates mod i fication authority to the security team o nl y . A recent s ecurity audit found that the security gro u ps are inc o nsistency implemented across accounts and that unauth o rized c hang e s have been made to t he security group s . A s e curity engineer n eeds to recommend a solution to improve c onsistency and to prevent u n authorized chan g es in t h e individual accounts in the future.

Which solution should the security engineer r ecommend?

37. Y ou wo r k as an administrator for a compan y . The compa n y ho s ts a number of resources using A WS. There is an incident of a suspicious A PI activity which occurred 1 1 days ago. The S e curity Admin has asked to get the API activi t y from that p oint in time.

How can this be achieved?

38. Y ou are planni n g on using t he A WS KMS se r v ice for managing keys for your appl ic ation.

For which of the following can the KMS CMK k e ys b e used for e nc rypting? Choose 2 ans w ers from the options given below

39. A comp a ny needs to use HTTPS when con nec ting to its web applicati o ns to meet compliance requi r ements. These web applications run in A mazon VPC on Amazon EC2 instances behind an Application Load Balanc e r (ALB). A s e curity engineer wants to e nsure that the load bal anc er win only accept connections over port 443. even if the ALB i s m i s takenly configured w ith an HTTP listener Which configuration steps should the security engineer take to accomplish th i s ta s k ?

40. Y ou are creating a Lambda f unction which will be triggered by a Cloud W atch Event. The data fr o m these events needs to be stored in a DynamoDB table.

How should t he Lamb d a function be given acc e ss to the DynamoDB table?

41. Y ou cur r ently opera t e a web application In the A WS US-East region. The applica t ion r uns on an auto-scaled layer of EC2 instances and an RDS Multi-AZ database. Y our IT security compliance o f fic e r has tasked you to devel o p a rel i able a nd d u rab l e l o gging solut i o n to track changes ma d e to y our EC2.IAM and RDS re s ources. The solution must ensure the integrity and c onfidentiality of your log data.

Which of these solutions would you r e commend?

42. Y our c o mpany curr e n t ly has a s e t of EC2 I nstances hosted in a VPC. The IT Secu r ity department is suspecting a possible DDos attack on the instances.

What can you do to zero in on the IP a ddresses which are receiving a flurry of requests? A. Use VPC Flow logs to get the IP a d dresses accessing the EC2 Instances

B. Use A WS Cloud trail to get the IP addresses accessing the E C 2 Instances

C. Use A WS Config to get the IP addr e sses accessing the EC2 In s tances

D. Use A WS T rusted Adv i sor to get the IP addresses accessing t h e EC2 Instances

43. What are the MOST secure ways to protect the A WS account r o ot user of a recently ope n ed A WS

account? (Choose two.)

44. A compa n y has multiple pro d u c tion A WS accounts. Each account has A WS Cloud T rail configured to log to a s ingle Amazon S3 bucket in a c entral account. T wo of t he pro d uction accounts h ave trails that are not logging a nything to t h e S3 bucket.

Which steps should be taken to troubleshoot the i s sue? (Choose three.)

45. A comp a ny wants to have a s e cure way of ge n erating, storing and m a n a ging cryptog r aphic exclusive access for t h e key s .

Which of the following can be used for this purpose? A. Use KMS and the no r mal KMS encryption keys

B. Use KMS and use an ex ternal key material

C. Use S3 S erver Side encryption

D. Use Cloud HSM

46. A comp a ny had deve l oped an inc i dent resp o nse plan 18 m o nths ago. R e gular imple m entations of the response plan are carried o u t. No changes have been made to the response plan ha v e been made since its creation.

Which of the following is a right state m ent with regards to the plan?

47. An IAM user with fill EC2 permissions could bot start an A m azon EC2 instance after it was stopped for a maintenance task. Upon starting the instance, the instan c e state would chan g e to “Pending”, but after a few seconds, it w o uld switch back to “Stopped”.

An inspecti o n revealed t h at the insta n ce has attached Amazon E B S volumes that w ere encrypted by using a Customer Master Key (CMK). When these en c rypted volumes were detached, the IAM u s er was able to start the EC2 instances.

The IAM us e r policy i s as follows:









What additi o nal items n e ed to be ad d ed to the IAM user policy? (Choose two.) A. kms:GenerateDataKey

B. kms:Decrypt

C. kms:CreateGrant D. “ Condition”: { “Bool”: {

“kms: V iaService”: “ec2. u s -west-2.amazonaws.com”

}

}

E. “ Condition”: {











“Bool”: { “kms:Grant Is For A WSResource”: true

}

}

48. Y ou ha v e a set o f K e y s defined using the A W S KMS service. Y ou want to stop usi n g a couple of k eys, but are not sure of which services are currently using the keys.

Which of the following w o uld be a safe option to st o p using the keys from further usag e ? A. Delete the keys since anyway there is a 7 day w a iting period b efore deleti o n

B. Disable t h e keys

C. Set an al i as for the k e y

D. Chan g e the key material for the k e y

49. A comp a ny continually generates sensitive records that it stores in an S3 bucket. All objects in t h e bucket are encrypted us i ng SSE-K M S using one of the company's C MKs. Company compliance policies requi r e that no more th a n one mon t h of data be e n crypted usi n g the same encryption ke y .

What solution below will meet the c o mpany's requirements?

50. A compa n y has several workloads running o n A WS Employ e es are requi r ed to authen t icate using

on- p remises ADFS and SSO to access the A W S Mana g ement Console De v elopers mig r a t ed an existing legacy web application to an A m azon EC2 instance Employees need to ac c ess th i s application from anywhe r e on the internet but c u rrentl y , mere is no authentication system but into the application.

How should t he Security Engineer i m plement em p loyee-only a ccess to this system with o ut changing the application?

51. A security engineer m ust troubleshoot an administrator's inability to make an existing Amazon S3 bucket public in an account that is part of an organ i zation n A WS Organizations. The administrator switched the role from the master account to a member account and then att e mpted to make one S3 bucket public. This action was immediately denied.

Which actions should the secur i ty engineer take to troubles h oot the permissions issue? (Select TWO.) A. Review t h e cross - acc o unt role pe r missions and the S3 bucket policy V erify that the Amazon S3 block public access option in t h e m e mber account is deactivated.

B. Review t h e role permissions m the master acc o unt and ens u re it has s u f ficient pr i vileges to perform S3 ope r ations

C. Filter A W S Cloud T rail logs for the master a cc o unt to find t h e original d e ny event and update the cross-acco u nt role m the member account accordingly V erify t h at the Amaz o n S3 block p ublic access option in the master a cc o unt is deactivated.

D. Evaluate the SCPs covering the m e mber accou n t and the pe r mi s sions boundary of the role in the member account for missing permissions and explicit denies.

E. E n s ure the S3 bucket policy expl i c i tly allows the s3 PutBuc k etPublicAccess a c tion for the role m the member account

52. Which of the following is the resp o nsibility of t h e c ustom e r? Choose 2 a n swers from t he options given bel o w .

53. A compa n y has decided to migrate s ensitive documents from o n - p remises data centers to Amazon S3. Currentl y , t h e hard drives are en c rypted to meet a c ompliance r e quirem e nt regardi n g data encryption.

The CISO wants to improve securi t y b y encrypting each file usi n g a di f ferent key instead of a single ke y . Using a di f ferent key would limit the s e curity i mpact of a s in g le exposed ke y .

Which of the following requires the LEAST amount of configuration wh e n implementing this approach? A. Pl a ce each file into a d i f f erent S3 b ucket. Set the default encryption of each buck e t to use a di f ferent A WS KMS customer managed ke y .

B. Put all the files in the s ame S3 buc k et. Using S3 events as a trigg e r , write an A WS Lambda function to encrypt each file as it is added using d i f ferent A WS KMS data k e ys.

C. Use the S3 encryp t ion client to enc r y pt each file i ndividua l ly using S3-ge n erated data k eys

D. Place all t he files in t h e s a me S3 b ucket. Use s erver-side e nc ryption with A WS KMS - manag e d keys

(SSE-KMS) t o encrypt the data

54. A Security Engineer has been asked to create an automat e d p rocess to disable IAM user access keys that are more than three months old.

Which of the following opt i ons should the Security Engineer u s e?

55. A compa n y has several produ c tion A WS accounts and a central security A WS account. The security account is u s ed for centralized monitoring and has IAM privileges to all resources in every corporate account. All of the c ompany's A mazon S3 buckets are tagged w ith a v alue d enoting the data classific a tion of their contents.

A Security Engine e r is deploying a monitoring solution in the s ecurity account that will e n force bucket policy compliance. The system m u s t m onitor S3 bucke t s in all p r oduction accounts and c onfirm that any policy change is in accordance w i th the bucket's data classification. If any change is out of compliance; the Security team mu s t be notified quickl y .

Which combination of actions would b uild the requ i red solution? (Choose th r ee.)

56. DDoS attacks that h a ppen at the application layer commonly target web a pplications with lower volumes of tra f fic compared to in f rastructure attac k s. T o m i ti g ate these typ e s of attacks, you should probably want to include a W AF ( W eb Application Firewall) as p a rt of your infrastructure. T o inspect all HTTP requ e sts, W AFs sit in-line with your a p plication tra f fic. Unfortunatel y , this creates a scenario where W AFs can b ecome a point of failure or bottleneck. T o mitigate t his problem, you need the ability to run multiple W AFs on demand during tra f fic spikes. This type of scaling for W AF is done via a " W AF sandwich." Which of the follow i ng statements best describes what a " W AF s a ndwich" is? Choose the correct answer from the options below

57. Y our c o mpany has j ust started using A WS a n d created an A WS a c count. They are aware of the potential iss u es when root access is enabled.

How can th e y best safeguard the account wh e n it comes to root acc e ss? Choose 2 ans w ers fro the options given below

58. The Inf o rmation T echnology de p a r tment has stopp e d using Cl a ssic Load Balancers and switched to Application Load Balan ce rs to save c o sts. After the switch, some users on older de v ices are no long e r able to connect to the website.

What is causing this situation?

59. Y our a p plication currently u se A WS Cognito for authenticating users. Y o ur appli c ati o n consists of di f ferent types of u sers. Some users are only allowed read acc e ss to the application and others are giv e n contributor a ccess.

How w o u you manage t h e access e f f ectively?

60. A compa n y has a VPC with an IPv6 add r ess range and a publ i c subnet with an IPv6 address block. The VPC currently ho s ts some public Amazon EC2 instances but a Security Engineer n eeds to migrate a second appl ic ation into t h e VPC that a lso requires IPv6 connec t i v it y .

This new application will occ a sionally make API r e quests to an external, internet-access i ble endpoint to receive updates Howeve r , the Security team does not want the application's EC2 instance exposed directly to t h e internet The Sec u rity Engine e r inte n ds to crea t e a private subnet with a c u stom route t a ble and to associate the route table with t h e private subnet

What else does the Security Eng i neer need to do to ensure the a pplication will not be exposed directly to the internet, but can still communicate as require d ''

61. Y ou ha v e an EBS volume attached to an EC2 Instance which u s es KMS for En c rypti o n. Someone has now go n e ahe a d and de l eted the Customer Key which was used for the EBS encrypt i on.

What should be do n e to ensure the da t a can be decrypted.

62. After a recent se c urity audit involving Amazon S3, a comp a ny has ask e d assistance reviewing its S3 buckets to determine w h ether data is pro p erly secured.

The first S3 bucket on t h e list has the following b u cket polic y .





Is this bu c ket policy su f f ic i ent to ensure that the data is not publicity accessible?

63. Y our c o mpany man a ges thousands of EC2 I n stances. There is a mandate to ensure that all servers











don't have a ny critical security flaws.

Which of the following can be done to e nsure this? Choose 2 a ns wers from the options given belo w . A. Use A WS Config to ensure that the servers have no critical fl a ws.

B. Use A WS inspector to ensure that the servers have no critical flaws. C. Use A WS inspector to patch the servers

D. Use A WS SSM to patch the servers

64. Devel op ers in an or g anization h a ve moved from a standard application deployment to containers. The Security Engineer is tasked w i th ensuring that the containe r s are secure.

Which strat e gies will reduce the attack surfa c e and enhance the security o f t h e containers? (Select

TWO.)

65. Y our c o mpany is pl a nning on A W S on hosting its A WS res o urc e s. There is a co m pany policy which mandates that all security keys are c o mpletely m a nag e d within the company itself.

Which of the following is t he c o rrect m easure of following this policy?

66. D u ring a recent internal inve s tigation, it was discovered t hat all API logging was disabled in a pro d uction account, and the ro o t user had created new API keys that appear to have been used several times.

What could have been d o ne to detect and auto m at ic ally remediate the incident?

67. A recent s ecurity audit found that A WS Cloud T rail logs are insu f ficiently protected from tampering a n d unaut h orized access.

Which actions must the Security Engineer take to address these audit findings? (Select T HREE) A. E n s ure Cloud T rail log file validation is turned on

B. Configure an S3 li f ecycle rule to per i odically archive Clou d T ra i l logs into Glacier for lon g -term storage

C. Use an S 3 bucket with tight a ccess controls that exis t s m a s e parate acco u nt

D. Use Amazon Inspector to mon i tor the file integrity of Cloud T rail log files.

E. Request a certificate t h rou g h ACM and use a ge n erated certi f icate private key to encrypt Cloud T rail log files

F . Encrypt the Cloud T rail log files with server-side encryption with A WS KMS - manag e d keys (SSE-KMS)

68. A comp a ny uses user data scripts that contain sensitive in f ormation to bootstrap Amazon EC2 instances. A Security Engineer d iscovers that this sensitive i n formation is viewab l e by people w h o should not have access to it.

What is the MOST secure way to p rotect the sensi t ive informat i on used to bootstrap the instances? A. Store the scripts in the AMI and encrypt the sensitive data us i ng A WS K M S Use the i n stance role profile to control access to the KMS keys needed to decrypt the data.

B. Store the sensitive data in A WS Systems Manager Parame t er S t ore using the encrypted string paramet e r and assign the GetParameters permission to the EC2 instance role.

C. Externalize the bootstrap scripts in Amazon S3 and encrypt t hem using A WS KMS. R emove the scripts from the instance and clear the logs after the instance is con f igured.

D. Block us e r access of the EC2 instance's metadata service u s ing IAM policies. Remove all scripts a nd clear the logs after exec u tion.

69. A compa n y has several crit i cal applications running on a lar g e fleet of Amazon EC2 instances. As part of a security operations revie w , the c o mpany needs to apply a critical oper a ting system patch to EC2 instances within 24 ho u rs of the patch becoming available from the op e rating system vendo r . The company does not have a patching solution depl oy ed on A WS, but does have A WS Systems Manag e r configured. The solution must al s o minimize administrative overh e ad.

What should a security engineer r ecommend to meet these requirements?

70. A company has the software de v elopment teams that are crea t ing a p plications t hat store sensitive data in Amazon S3 Ea c h team's data must a lways be separate. The compa n y's s e curity team must design a data encr y ption strategy for b oth teams t h at provides the ability to audit key usage. The solution must also minimize oper a tional overh e ad.

What should me security team recommend?

71. Y our c o mpany has a set of 1000 EC2 Instances defined in an A WS A cc ount. They want to e f fe c t i vely automate several administrati v e tasks on the s e instances.

Which of the following w o uld be an e f fective way to achieve thi s? A. Use the A WS Systems Manager P a rameter Store

B. Use the A WS Systems Manager Ru n Command

C. Use the A WS Inspect o r D. Use A WS Config

72. A compa n y wants to encrypt t he private network between its orvpremises environ m ent and A WS. T h e company also wants a c o nsistent net w ork experie nc e for its emp l oyees.

What should the company do to meet these requi re ments?

73. Y ou company has mandated that a ll data in A WS be encrypted at rest.

How can you achieve this for EBS volumes? Choose 2 answers from the options given below

74. A web a pplication r u ns in a VPC on EC2 instances behind an ELB Application Load Balance r . The application stores da t a in an RDS MySQL DB inst a nce. A Linux bastion host is used to a p ply schema updates to the database - administrators connect to the host via SSH from a corporate wo rkstation. The followi n g security groups are a pp lied to the infrastructure-

* sgLB - associated with the ELB

* sg W eb - associated w i th the EC2 instances.

* sgDB - associated with the database

* sgBastion - associa t ed with the bastion host

Which security group configuration will allow the application t o be secure and functional? A.

sgLB :allow port 80 and 443 tra f fic from 0.0.0.0/0 sg W eb :allow port 80 a n d 443 tra f fic f rom 0.0.0.0/0

sgDB :allow port 3306 tr a f fic from sg W eb and sgB a stion

sgBastion: allow port 22 t r a f fic from the corporate IP address ra n ge

B.

sgLB :aIlow port 80 and 443 tra f fic from 0.0.0.0/0 sg W eb :allow port 80 a n d 443 tra f fic from sgLB sgDB :allow port 3306 tr a f f i c from sg W eb and sgLB

sgBastion: allow port 22 t r a f fic from the VPC IP address range

C.

sgLB :allow port 80 and 443 tra f fic from 0.0.0.0/0 sg W eb :allow port 80 a n d 443 tra f fic from sgLB

sgDB :allow port 3306 tr a f fic from sg W eb and sgB a stion sgBastion: allow port 22 t r a f fic from the VPC IP address range D.

sgLB :allow port 80 and 443 tra f fic from 0.0.0.0/0 sg W eb :allow port 80 a n d 443 tra f fic from sgLB

sgDB :al!ow port 3306 tr a f f i c from sg W eb and sgB a stion

sgBastion: allow port 22 t r a f fic from the corporate IP address ra n ge

75. In resp o nse to the past DDoS att a ck e x periences, a Security Engineer h as set up an Amazon CloudF r ont d istribution for an Amazon S3 bucket. T here is concern that some users may bypass the CloudF r ont d istribution and acc e ss the S3 bucket directl y .

What must b e done to p r event users from accessing the S3 objec t s directly by using URLs? A. Change t h e S3 bucket/object permission so that only the buc k et owner has a c c es s .

B. Set up a CloudF r ont o rigin access identity (OAI ) , and change the S3 bucket/object permission so t h at only the OAI has access.

C. Create IAM roles for C loudFr o nt, a nd change the S3 bucket/o b ject permission so that only the IAM role has access.

D. Redirect S3 bucket access to the corresp o ndi n g CloudFr o nt d i stribution.

76. A comp a ny has exte r nal vendors that must deliver files to t h e compan y . The s e vend o rs have cross-acco u nt that gives them permission to upload objects to one of the company's S3 buckets.

What combination of ste p s must the vend o r follow to successful l y deliver a file to the company? Select 2 answers from the op t ions given below

77. A compa n y has an encrypted Amazon S3 bucket. An Application Develo pe r has an IAM policy that allows access to the S3 bucket, but t h e Application Developer is unable to access objects within the bucket.

What is a possible cause of the issue?

78. Y our c o mpany has con f idential d ocuments stored in the simp l e storage service. Due to complia n c e requi r ements, you have to ensure that the data in the S3 bucket is available in a di f ferent geog r aphical location. As an architect what is the chan g e you would make to comply with this requirement.

79. Y our c o mpany has de f ined a set of S3 buckets in A W S. They n eed to monitor the S3 buckets and know the source IP address and the person w h o make reque s ts to the S3 bucket.

How can this be achieved?

80. An appl ic ation has a require m ent to be resilient across not only A v ailability Zones within the application ’ s primary regi o n b u t also be available within anoth e r r egion alto g ethe r .

Which of the following supports this requirement for A WS resou r ces that are encr y pted by A WS KMS? A. Copy the application ’ s A WS KMS C MK from the source regi o n to the target region so that it can be used to decrypt the resource aft e r it is copied to the target r egi o n.

B. Configure A WS KMS to automa t ically synchronize the CMK betw e en r egi o ns so that it can be used to decrypt the resource in the target reg i on.

C. Use A WS services that repli c ate data across regions, and re - wrap the da t a encryp t ion key created in the source region by using the CMK in the target region so that the target re g ion ’ s CMK can decrypt the











database e n cryption ke y .

D. Configure the target region ’ s A WS service to communicate wi t h the source region ’ s A WS KMS so that it can decry p t the resource in the target region.

81. The r e a r e currently multiple applications hosted in a VPC. During m o nitoring it has been noticed that multiple port scans are c o ming in from a specific IP Address b l ock. The internal security t e am has req u ested that all o f fending IP Addresses be denied for the ne x t 24 hours.

Which of the following is the best method to quickly and tempo ra rily deny access from the specified IP Address's.

82. An A WS account includes two S3 buckets: bucket1 and bucket2.

The bucket2 does not have a policy defined, but bucket1 has the following bucket policy:





In addition, the same account has an IAM User named “alice”, with the following IAM polic y .

















Which buckets can user “alice” access? A. B u cket1 o nly

B. B u cket2 o nly

C. Both bucket1 and bucket2

D. Neither bucket1 nor bucket2

83. D u ring a manual review of sy s tem logs from an Amazon Linux EC2 inst a nce, a Security Engineer noticed that there a r e su d o com m ands that were n e ver prop e rly alerted or r e ported on t h e Amazon Cloud W atch Logs agent

Why were there no al e rts on the sudo commands?

84. A compa n y is running an applica t i o n on Amazon EC2 instances in an Auto Scaling group. The application stores logs locally A security engineer n oticed th a t l o gs were lost after a scale-in event. The security engineer n eeds to recomme n d a solution to ensure the durability and availability of log data All logs must be kept f o r a m i nimum of 1 year for audit i ng purpose s .

What should the security engin e er re c ommend?

85. Y our te a m is experimenting w i th the API gateway service for an applic a tion. There is a need to implement a custom module whi c h can be used f o r authentication / authoriza t ion for calls made to the API gatewa y .

How can this be achieved?

86. Y our c o mpany has defined a nu m ber of EC2 Instances over a peri o d o f 6 months. They want to know if any of the secur i ty groups allow unrestricted a cc ess to a resource.

What is the b est option to accomplish this require m ent? A. Use A WS Inspector to in s pect all t h e security Groups

B. Use the A WS T rusted Advisor to see which security groups ha v e compromised access. C. Use A WS Config to see which s e curity groups have compromised acce s s .

D. Use the A WS CLI to q uery the security groups and then filter for the rules which have unrestricted accessd

87. Y our company looks at the gaming domain and hosts sev e ral Ec2 Instances as game servers. T h e servers each experien c e user loads in the thousands. There is a concern of

DDos attacks on the EC2 Instan c es which could c a use a huge r ev e nue loss to the compan y .

Which of the following can help mitigate this security concern and also ensure minimum downtime for the servers.

88. An appl ic ation has b een writ t en that publish e s c u stom metrics to Amazon Cloud W a t ch. Recentl y , IAM

changes have been ma d e on the acc o unt and the metrics are no l o nger b ei n g report e d.

Which of the following is t he LEAST p ermissive s o l ution that will allow the metrics to be delivered? A. Add a s ta t ement to the IAM p o li c y u s ed by the a pplication to allow logs:p u tLogEvents and logs:createLogStream

B. Modi f y the IAM role used by the application by a dding the C l oud W atchF u llAccess m a nag e d polic y . C. Add a sta t ement to the IAM p o li c y u s ed by the a pplication to allow cloud w atch:putMetricData.

D. Add a trust relationship to the IAM r ole used by the applicati o n for cloudwatch.amazonaws.com.

89. Y ou ha v e a requirement to c onduct penetration testing on the A WS Cloud for a cou p le of EC2

Instances.

How could you go ab ou t doing this? Choose 2 right answers from the options given belo w . A. Get prior app r oval from A WS for conducting the test

B. Use a pre-ap p roved p enetration t e sting tool.

C. W ork with an A WS partner and no need for pr io r approval r e q u est from A WS D. Choose any of the A WS instance type

90. A financial institution has the following security r equire m ents:

• Clou d -bas e d users m ust be contained in a separ a te authentication domain.

• Clou d -bas e d users cannot access o n -premises systems.

As part of standing up a cloud en v ironment, the f i nancial institution is creating a number of Amazon manag e d da t abases and Amazon EC2 instances. An Active Directory s erv ic e exis t s on - premises that has all the administrator acc o unts, and these must be able to acce s s the databases and instances.

How w o uld the or g anization mana g e its resources in the MOST se c ure man n er? ( C hoose two.) A. Configure an A WS Managed Mic r osoft AD to m a nage the cloud resource s .

B. Configure an additio n al on-pre m ises Active Directory service to manage t h e cloud resources.

C. Establish a one - way trust rela t ionship from the existing Ac t ive Directory to the new Active Directory service.

D. Establish a one - way trust rela t ionship from the new Active Directory to the existing Ac tive Directory service.

E. Establish a two-way trust be t ween the new and existing Active Directory services.

91. An appl ic ation is designed to run on an EC2 I n stance. The a pplications needs to wo r k with an S3 bucket.

From a sec u rity perspective, what is t h e ideal way for the EC2 instance/ application to be configure d ? A. Use the A WS access keys en s uring that they are frequently rotated.

B. Assign an IAM user to the applicati o n that has s p ecific acc e ss to only that S3 bucket

C. Assign an IAM Role and assign it to the EC2 Instance D. Assign an IAM group a nd assign it to the EC2 Instance

92. The De v elopment team receiv e s a n error message each time t h e team m embers attempt to encr y pt or decrypt a Secure String parameter from the S S M Parameter St o re by using an A WS KMS customer manag e d key (CMK).

Which CMK-related issues could be respon s ible? ( Choose two . ) A. The CMK specified in the applicati o n does not exist.

B. The CMK specified in the applicati o n is c urrently in use.

C. The CMK specified in the applicati o n is u sing t h e CMK Key ID instead of CMK Amaz o n Resource

Name.

D. The CMK specified in the applicati o n is not enabled.

E. The CMK specified in the applicati o n is using an alias.

93. Y ou ha v e enabl e d C l oudtrail l ogs for your company's A WS account. In a ddition, the I T Securi t y department has mentioned that the logs need to be encrypted.

How can this be achieved?

94. Y our IT Security t eam has advised to carry out a penetration test on t h e resources in their com p any's

A WS Account. This i s as part of their capability to analyze the s ecurity of the Infrastructu r e. What should be do n e first in this regar d ?

95. A comp a ny has a few dozen appl ic ation servers in private subnets behi n d an Ela s tic Load Balan c er (ELB) in an A WS Auto Scaling group. The application is accessed from the web over H T TPS. The data must always be encrypted in tran s it. T h e Security E ngine e r is w orried ab o ut potential key exposure d u e t o vulnerabilities in the application softw a re.

Which approach will meet these requirements while protecting the external certific a te during a breach?

96. Y our c o mpany has mandated t h at a ll calls to the A WS KMS serv i ce be recorded. How can this be achieved?

97. A security engin e er has been tasked with implementing a solu t ion that allows the com p any's development team to have interac t ive command line access to Amazon EC2 Linux in s tances using the A WS Management Console.

Which steps should the security engineer take to satisfy this r equirem e nt while maintaining least privilege?

98. A comp a ny ’ s database develop e r has just migrated an Am az on RDS database cred e ntial to be

stored and mana g ed by A WS Secr e ts Manag e r . The developer has a l so enabled rotation of the crede n tial within the Secrets Manager con s ole and set the rotation to change every 30 days.

After a short period of time, a number of existing applications have failed with au t hentication err o rs. What is the MOST likely cau s e of the authentication errors?

99. Y ou are working for a company and been allo c ated the task for ensuring that there is a federated authentication mechan i sm setup between A WS and their On- p remise Act iv e Director y .

Which of the following are important steps that need to be cov e red in this process? Choose 2 answers from the options given belo w .

100. An org a nization has launched 5 i n stance s : 2 f o r production and 3 for testing. The or g anization w a nts that one p a rticular gr o up o f IAM u sers should o nly access the t est instances a nd not the pr oduction o nes . How can the org a nization set that a s a part of the policy?

101. Y ou have an S3 bucket defined in A WS. Y ou w ant to ensure t h at y ou encrypt the data before send i n g it across the wire.

What is the b est way to achieve this?

102. A security engine e r must use A WS Key Manag e ment Service ( A WS KMS) to design a key











managem e nt solution for a set of A m azon Elastic Block Store (Amazon EBS) volumes that contain sensitive data. The s o lution ne e ds to ensure that the key material automatically expires in 90 days. Which solution mee t s these criteria?

103. Y our company has a requirement to monitor all root user activity b y notification.

How can this best be achieved? C ho o se 2 answe r s from the options given belo w . Each a nswer forms part of the soluti o n

104. A Security Engineer n oticed an anomaly within a company EC2 instance as shown in the image.





The Engine e r must now investigate what e causing the anoma l y .

What are the MOST e f fe c tive s teps to take lo ensure that the instance is not further mani p ulated while allowing the Engineer to und e rstand what ha p pe n ed?

105. A ph a rmaceutical c o m pany has digitized v e rsions of histori c al prescriptions stored on premises. The company would like to move the s e prescriptions to A WS and perform analytics on the data in them. Any operation with this da t a requires that the data be encrypted in transit and at rest.

Which application flow w o uld meet the data protection re q uire m ents on A WS? A. Digit i z ed f i les -> Amaz o n Kinesis D a ta Analytics

B. Digitized files -> Amaz o n K i nesis D a ta Fireho s e -> Amazon S3 -> Amazon Athena

C. Digitized files -> Amazon Kine s is D ata Streams -> Kinesis C l ient Library consumer -> Amazon S3 -> Athena

D. Digitized files -> Amazon Kinesis D ata Firehose -> Amazon Elasticsearch

106. A company plans to migrate a sensitive dataset to Amazon S3. A S e curity Engineer must ensure that the data is e ncrypted at rest. The encryption soluti o n must en a ble the company to genera t e its own keys without nee d ing to mana g e key s t orage or the encr y ption proces s .

What should the Security Engineer u s e to accomplish this?

107. A security engine e r must de v elop an encryption tool for a c o mpan y . The company re q uires a cryptograph i c solution t h at suppo r ts the ability to perform cr y ptogra p hic erasure on all r e sources protected by the key mat e rial in 15 minutes or less

Which A WS Key Management Service ( A WS KMS) key solution will a l low the security engineer to meet these requir e ments?

108. A Security Engineer must design a solution that enables the Incident Response team to audit for changes to a use r ’ s IAM permissions in the case of a security i n c ident.

How can this be accomplished?

109. A comp a ny maintains sensiti v e data in an Amazon S3 bucket that must be prote c ted using an A WS KMS CMK. T he company requi r es that keys be rotated automatically every yea r .

How should t he buck e t be configured?

110. A security engine e r is asked to update an A W3 Coud T rail l o g file prefix for an existi n g trail. When











attempting to s ave the change i n the Cloud T rail c o nsole, the s e curity engin e er receives the followi n g err o r message. "There is a pr o blem with the bucket policy''

What will enable the security engineer to saw the change?

111. An appl ic ation u s es Amazon Co g nito to manage end user s ’ permissions when directly accessing

A WS resources, including Amazon DynamoDB. A new feature r equest reads as follows:

Provide a mechanism to mark c u s tomers as s u spended p endi n g inv e stigati o n or s uspen d ed perm a n e ntl y . Customers should still be able to log in when suspended, but should not be a ble to make changes.

The priorities are to reduce complexity and avoid p o tential for future security issues. Which approach will meet these requirements and priorities?

112. A comp a ny recently e xperien c ed a DDoS attack that prevented its web server from serving content. The website is stat i c and hosts only H TML, CSS, and PDF files t hat users downlo a d.















Based on the architecture shown in the image, what is the BEST way to protect the site against future attacks while minimizing the on g oing o peratio n al overh e ad?

113. The Accounting d e p a rtment a t Example Co r p. has made a deci s ion to h i re a third-party firm, AnyCompan y , to monitor Example Corp.'s A WS a c c ount to help optimize costs.

The Security Engine e r for Examp l e C o rp. has b e en tasked with p r oviding AnyCompany wi t h access to t he requi r ed Example Corp. A WS resources. The Eng i neer has created an IAM role and gr a nt e d permission to AnyCompany's A WS a ccount to assume this role.

When customers contact AnyCompa n y , they provide their role ARN for validation. The Engineer is concerned t h at one of AnyCompany's o ther cu s tomers might deduce Example Corp.'s role ARN and potentially c o mpromise the company's account.

What steps should the E n gineer p e r fo r m to prevent this outcom e ?

114. Which of the following is the most e f ficient way to automa t e the encryption of A WS Cloud T rail logs using a Customer Master Key (CMK) in A WS KMS?

115. An org a nization has tens of applications deployed on tho u sands of Amazon EC2 instances. During testing, the Application team needs information to let them kn o w wheth e r the network access control l is t s











(netw o rk ACLs) and security g r oups are working as expected. How can the Application team ’ s requi r ements be met?