A security engineer recently rotated the host keys for an Amazon EC2 instance. The security engineer is trying to access the EC2 instance by using the EC2 Instance Connect feature. However, the security engineer receives an error for failed host key validation. Before the rotation of the host keys, EC2 Instance Connect worked correctly with this EC2 instance.

What should the security engineer do to resolve this error?

A.

Import the key material into AWS Key Management Service (AWS KMS).

B.

Manually upload the new host key to the AWS trusted host keys database.

C.

Ensure that the AmazonSSMManagedInstanceCore policy is attached to the EC2 instance profile.

D.

Create a new SSH key pair for the EC2 instance.

A company receives an alert from AWS Support. The alert shows a compromised access key on a single standalone AWS account. A security engineer must determine the scope of the issue. Then, the security engineer must triage and remediate the issue.

Which solution will meet these requirements?

A.

Delete the IAM user that has the AWSCompromisedKeyQuarantineV3 policy attached. Review Amazon CloudWatch for suspicious activity.

B.

Review AWS CloudTrail logs. Remove any unauthorized resources. Rotate all IAM access keys for the user that has the AWSCompromisedKeyQuarantineV3 policy attached. Remove the policy from the user.

C.

Remove the AWSCompromisedKeyQuarantineV3 policy from the impacted IAM user. Review AWS CloudTrail logs. Remove any unauthorized resources.

D.

Review Amazon CloudWatch logs for suspicious activity. Remove all unauthorized resources. Rotate the impacted IAM access keys.

A company has an Amazon RDS database. The database contains sensitive data that is shared across teams in the company. The company needs a solution to detect anomalous logins to the database. The solution must notify an existing Amazon SNS topic when anomalous logins occur.

Which solution will meet these requirements?

A.

Use AWS Trusted Advisor security checks for Amazon RDS. Create an Amazon EventBridge rule to monitor the security checks for status changes. Configure the EventBridge rule to invoke an AWS Lambda function to publish a message to the SNS topic.

B.

Enable AWS AppFabric. Connect AWS AppFabric to the RDS DB instance. Create an Amazon Data Firehose stream as the destination for the AWS AppFabric findings. Create an AWS Lambda function that is invoked by the Firehose stream to publish a message to the SNS topic.

C.

Enable Amazon GuardDuty and configure GuardDuty RDS Protection. Create an Amazon EventBridge rule to monitor GuardDuty findings of anomalous logins. Configure the SNS topic as the target of the EventBridge rule.

D.

Enable Amazon Inspector. Create an Amazon EventBridge rule to monitor Amazon Inspector findings of anomalous logins. Configure the SNS topic as the target of the EventBridge rule.

A company uses an incident response team to troubleshoot incidents. The incident response team must use temporary credentials from AWS STS for cross-account IAM role access when troubleshooting. Occasionally, each team member will need to respond to multiple different types of incidents simultaneously. Based on the type of incident, the company wants to dynamically assign minimal permissions to whichever team member responds.

Which solution will meet these requirements?

A.

Attach a policy to the cross-account role that grants the appropriate permissions for all types of incidents. Reduce the scope of those permissions by using a session policy.

B.

Attach a policy to the cross-account role that grants the appropriate permissions for all types of incidents. Reduce the scope of those permissions by using a permissions boundary.

C.

Do not assign any permissions to the cross-account role initially. Assign a session policy to the role being assumed with the required permission for that type of incident.

D.

Use an AWS Lambda function for each incident. Configure the function to create a temporary cross-account role that uses the AWS managed policy AWSSecurityIncidentResponseServiceRolePolicy. Reduce the scope of those permissions by using a permissions boundary.

A company uses an organization in AWS Organizations and AWS IAM Identity Center to manage its AWS environment. The company configures IAM Identity Center to access the company’s on-premises Active Directory through a properly configured AD Connector. All the company’s employees are in an Active Directory group named Cloud.

The employees can view and access nearly all the AWS accounts in the organization, and the employees have the permissions that they require. However, the employees cannot access an account named Account A. The company verifies that Account A exists in the organization.

What is the likely reason that the employees are unable to access Account A?

A.

The company did not add Account A to an organizational unit (OU) within the organization.

B.

The company has not synchronized the Cloud Active Directory group with the on-premises Active Directory.

C.

The company did not assign the Cloud Active Directory group to Account A in IAM Identity Center with a valid permission set.

D.

The company applied an IAM permissions boundary to Account A that is denying access to the account.

A company has a compliance requirement to encrypt all data in transit. The company recently discovered an Amazon Aurora cluster that does not meet this requirement.

How can the company enforce encryption for all connections to the Aurora cluster?

A.

In the Aurora cluster configuration, set the require_secure_transport DB cluster parameter to ON.

B.

Use AWS Directory Service for Microsoft Active Directory to create a user directory and to enforce Kerberos authentication with Aurora.

C.

Configure the Aurora cluster to use AWS Certificate Manager (ACM) to provide encryption certificates.

D.

Create an Amazon RDS proxy. Connect the proxy to the Aurora cluster to enable encryption.

A company is expanding its group of stores. On the day that each new store opens, the company wants to launch a customized web application for that store. Each store's application will have a non-production environment and a production environment. Each environment will be deployed in a separate AWS account. The company uses AWS Organizations and has an OU that is used only for these accounts.

The company distributes most of the development work to third-party development teams. A security engineer needs to ensure that each team follows the company's deployment plan for AWS resources. The security engineer also must limit access to the deployment plan to only the developers who need access. The security engineer already has created an AWS CloudFormation template that implements the deployment plan.

What should the security engineer do next to meet the requirements in the MOST secure way?

A.

Create an AWS Service Catalog portfolio in the organization's management account. Upload the CloudFormation template. Add the template to the portfolio's product list. Share the portfolio with the OU.

B.

Use the CloudFormation CLI to create a module from the CloudFormation template. Register the module as a private extension in the CloudFormation registry. Publish the extension. Create an SCP that allows access to the extension.

C.

Create an AWS Service Catalog portfolio and create an IAM role for cross-account access. Attach the AWSServiceCatalogEndUserFullAccess managed policy to the role.

D.

Use the CloudFormation CLI to create a module and share the extension directly with the OU.

A company’s platform has grown rapidly over the past 6 months. The company’s platform architecture evolved quickly to accommodate the growth. The company’s development team has been deploying features quickly by using different AWS services. The development team has not performed formal architecture reviews.

The company needs to evaluate its security posture against AWS security best practices.

Which solution will meet these requirements?

A.

Create a new workload in the AWS Well-Architected Tool. Work with the development team to answer security questions based on the team’s current state. Use the save milestone feature to track improvements against identified high-risk items.

B.

Use the cost recommendations in AWS Cost Explorer. Analyze the cost implications of security misconfigurations. Prioritize architectural changes based on potential cost savings as a result of implementing AWS security best practices.

C.

Enable AWS Security Hub CSPM. Create a Security Hub CSPM automation rule to map existing services to approved architecture patterns. Use the data to identify non-compliance against AWS best practices and generate a compliance report.

D.

Enable Amazon Detective. Create a Detective investigation for AWS security best practices. Use a behavior graph to visualize the data. Analyze the entities to identify architectural components that do not follow AWS security best practices.

A company creates AWS Lambda functions from container images that are stored in Amazon Elastic Container Registry (Amazon ECR). The company needs to identify any software vulnerabilities in the container images and any code vulnerabilities in the Lambda functions.

Which solution will meet these requirements?

A.

Enable Amazon GuardDuty. Configure Amazon ECR scanning and Lambda code scanning in GuardDuty.

B.

Enable Amazon GuardDuty. Configure Runtime Monitoring and Lambda Protection in GuardDuty.

C.

Enable Amazon Inspector. Configure Amazon ECR enhanced scanning and Lambda code scanning in Amazon Inspector.

D.

Enable AWS Security Hub. Configure Runtime Monitoring and Lambda Protection in Security Hub.

A security team manages a company’s AWS Key Management Service (AWS KMS) customer managed keys. Only members of the security team can administer the KMS keys. The company's application team has a software process that needs temporary access to the keys occasionally. The security team needs to provide the application team's software process with access to the keys.

Which solution will meet these requirements with the LEAST operational overhead?

A.

Export the KMS key material to an on-premises hardware security module (HSM). Give the application team access to the key material.

B.

Edit the key policy that grants the security team access to the KMS keys by adding the application team as principals. Revert this change when the application team no longer needs access.

C.

Create a key grant to allow the application team to use the KMS keys. Revoke the grant when the application team no longer needs access.

D.

Create a new KMS key by generating key material on premises. Import the key material to AWS KMS whenever the application team needs access. Grant the application team permissions to use the key.