Summer Sale Special - Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: sntaclus

A company runs a web application on a fleet of Amazon EC2 instances that are in an Auto Scaling group. The EC2 instances are in the same VPC subnet as other workloads.

A security engineer deploys an Amazon GuardDuty detector in the same AWS Region as the EC2 instances and integrates GuardDuty with AWS Security Hub.

The security engineer needs to implement an automated solution to detect and appropriately respond to anomalous traffic patterns for the web application. The solution must comply with AWS best practices forinitial response to security incidentsand mustminimize disruptionto the web application.

Which solution will meet these requirements?

A.

Disable the EC2 instance profile credentials by using AWS Lambda.

B.

Create an Amazon EventBridge rule that invokes an AWS Lambda function when GuardDuty detects anomalous traffic. Configure the function to remove the affected instance from the Auto Scaling group and attach a restricted security group.

C.

Update the subnet network ACL to block traffic from the detected source IP addresses.

D.

Send GuardDuty findings to Amazon SNS for email notification.

A company must capture AWS CloudTrail data events and must retain the logs for 7 years. The logs must be immutable and must be available to be searched by complex queries. The company also needs to visualize the data from the logs.

Which solution will meet these requirements MOST cost-effectively?

A.

Create a CloudTrail Lake data store. Implement CloudTrail Lake dashboards to visualize and query the results.

B.

Use the CloudTrail Event History feature in the AWS Management Console. Visualize and query the results in the console.

C.

Send the CloudTrail logs to an Amazon S3 bucket. Provision a persistent Amazon EMR cluster that has access to the S3 bucket. Enable S3 Object Lock on the S3 bucket. Use Apache Spark to perform queries. Use Amazon QuickSight for visualizations.

D.

Send the CloudTrail logs to a log group in Amazon CloudWatch Logs. Set the CloudWatch Logs stream to send the data to an Amazon OpenSearch Service domain. Enable cold storage for the OpenSearch Service domain. Use OpenSearch Dashboards for visualizations and queries.

A security engineer needs to prepare for a security audit of an AWS account.

Select the correct AWS resource from the following list to meet each requirement. Select each resource one time or not at all. (Select THREE.)

• AWS Artifact reports

• AWS Audit Manager controls

• AWS Config conformance packs

• AWS Config rules

• Amazon Detective investigations

• AWS Identity and Access Management Access Analyzer internal access analyzers

A company sends Amazon RDS snapshots to two accounts as part of its disaster recovery (DR) plan. The snapshots must be encrypted. However, each account needs to be able to decrypt the snapshots in case of a DR event.

Which solution will meet these requirements?

A.

Use the default AWS Key Management Service (AWS KMS) key to generate the snapshots. Create an AWS Lambda function that copies the KMS encryption key to the two accounts.

B.

Use an AWS Key Management Service (AWS KMS) customer managed key to generate the snapshots. Create an AWS Lambda function that imports the KMS key in the two accounts.

C.

Use the default AWS Key Management Service (AWS KMS) key to generate the snapshots. Share the KMS key with the two accounts by using an IAM principal that has the proper KMS permissions in each account.

D.

Use an AWS Key Management Service (AWS KMS) customer managed key to generate the snapshots. Share the KMS key with the two accounts by using an IAM principal that has the proper KMS permissions in each account.

A company runs a global ecommerce website that is hosted on AWS. The company uses Amazon CloudFront to serve content to its user base. The company wants to block inbound traffic from a specific set of countries to comply with recent data regulation policies.

Which solution will meet these requirements MOST cost-effectively?

A.

Create an AWS WAF web ACL with an IP match condition to deny the countries ' IP ranges. Associate the web ACL with the CloudFront distribution.

B.

Create an AWS WAF web ACL with a geo match condition to deny the specific countries. Associate the web ACL with the CloudFront distribution.

C.

Use the geo restriction feature in CloudFront to deny the specific countries.

D.

Use geolocation headers in CloudFront to deny the specific countries.

A company has a large fleet of Amazon Linux 2 Amazon EC2 instances that run an application. The application processes sensitive data and has the following compliance requirements:

• No remote access management ports to the EC2 instances can be exposed internally or externally.

• All remote session activity must be recorded in an audit log.

• All remote access to the EC2 instances must be authenticated and authorized by AWS IAM Identity Center.

The company ' s DevOps team occasionally needs to connect to one of the EC2 instances to troubleshoot issues.

Which solution will provide remote access to the EC2 instances while meeting the compliance requirements?

A.

Grant access to the EC2 serial console at the account level.

B.

Enable EC2 Instance Connect and configure security group rules.

C.

Assign an EC2 instance role that allows access to AWS Systems Manager. Create an IAM policy that grants access to Systems Manager Session Manager. Assign the policy to an IAM role of the DevOps team.

D.

Use AWS Systems Manager Automation runbooks to open remote access ports.

A company that builds document management systems recently performed a security review of its application on AWS. The review showed that uploads of documents through signed URLs into Amazon S3 could occur in the application without encryption in transit. A security engineer must implement a solution that prevents uploads that are not encrypted in transit.

Which solution will meet this requirement?

A.

Ensure that all client implementations are using HTTPS to upload documents into the application.

B.

Configure the s3-bucket-ssl-requests-only managed rule in AWS Config.

C.

Add an S3 bucket policy that denies all S3 actions for condition “aws:SecureTransport”: “false”.

D.

Add an S3 bucket ACL with a grantee of AllUsers, a permission of WRITE, and a condition of secureTransport.

A company has contracted with a third party to audit several AWS accounts. To enable the audit, cross-account IAM roles have been created in each account targeted for audit. The auditor is having trouble accessing some of the accounts.

Which of the following may be causing this problem? (Select THREE.)

A.

The external ID used by the auditor is missing or incorrect.

B.

The auditor is using the incorrect password.

C.

The auditor has not been grantedsts:AssumeRolefor the role in the destination account.

D.

The Amazon EC2 role used by the auditor must be set to the destination account role.

E.

The secret key used by the auditor is missing or incorrect.

F.

The role ARN used by the auditor is missing or incorrect.

A security team manages a company ' s AWS Key Management Service (AWS KMS) customer managed keys. Only members of the security team can administer the KMS keys. The company ' s application team has a software process that needs temporary access to the keys occasionally. The security team needs to provide the application team’s software process with access to the keys.

Which solution will meet these requirements with the LEAST operational overhead?

A.

Export the KMS key material to an on-premises hardware security module (HSM). Give the application team access to the key material.

B.

Edit the key policy that grants the security team access to the KMS keys by adding the application team as principals. Revert this change when the application team no longer needs access.

C.

Create a key grant to allow the application team to use the KMS keys. Revoke the grant when the application team no longer needs access.

D.

Create a new KMS key by generating key material on premises. Import the key material to AWS KMS whenever the application team needs access. Grant the application team permissions to use the key.

A company uses AWS IAM Identity Center with SAML 2.0 federation. The company decides to change its federation source from one identity provider (IdP) to another. The underlying directory for both IdPs is Active Directory.

Which solution will meet this requirement?

A.

Disable all existing users and groups within IAM Identity Center that were part of the federation with the original IdP.

B.

Modify the attribute mappings within the IAM Identity Center trust relationship to match information that the new IdP sends.

C.

Reconfigure all existing IAM roles in the company ' s AWS accounts to explicitly trust the new IdP as the principal.

D.

Confirm that the Network Time Protocol (NTP) clock skew is correctly set between IAM Identity Center and the new IdP endpoints.