Summer Sale Special - Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: sntaclus

A security engineer wants to forward custom application-security logs from an Amazon EC2 instance to Amazon CloudWatch. The security engineer installs the CloudWatch agent on the EC2 instance and adds the path of the logs to the CloudWatch configuration file.

However, CloudWatch does not receive the logs. The security engineer verifies that the awslogs service is running on the EC2 instance.

What should the security engineer do next to resolve the issue?

A.

Add AWS CloudTrail to the trust policy of the EC2 instance. Send the custom logs to CloudTrail instead of CloudWatch.

B.

Add Amazon S3 to the trust policy of the EC2 instance. Configure the application to write the custom logs to an S3 bucket that CloudWatch can use to ingest the logs.

C.

Add Amazon Inspector to the trust policy of the EC2 instance. Use Amazon Inspector instead of the CloudWatch agent to collect the custom logs.

D.

Attach the CloudWatchAgentServerPolicy AWS managed policy to the EC2 instance role.

A company runs its microservices architecture in Kubernetes containers on AWS by using Amazon Elastic Kubernetes Service (Amazon EKS) and Amazon Aurora. The company has an organization in AWS Organizations to manage hundreds of AWS accounts that host different microservices.

The company needs to implement a monitoring solution for logs from all AWS resources across all accounts. The solution must include automatic detection of security-related issues.

Which solution will meet these requirements with theLEAST operational effort?

A.

Designate an Amazon GuardDuty administrator account in the organization’s management account. Enable GuardDuty for all accounts. Enable EKS Protection and RDS Protection in the GuardDuty administrator account.

B.

Designate a monitoring account. Share Amazon CloudWatch Logs from all accounts. Use Amazon Inspector to evaluate the logs.

C.

Centralize CloudTrail logs in Amazon S3 and analyze them with Amazon Athena.

D.

Stream CloudWatch Logs to Amazon Kinesis and analyze them with custom AWS Lambda functions.

A company runs several applications on Amazon Elastic Kubernetes Service (Amazon EKS). The company needs a solution to detect any Kubernetes security risks by monitoring Amazon EKS audit logs in addition to operating system, networking, and file events. The solution must send email alerts for any identified risks to a mailing list that is associated with a security team.

Which solution will meet these requirements?

A.

Deploy AWS Security Hub and enable security standards that contain EKS controls. Create an Amazon Simple Notification Service (Amazon SNS) topic and set the security team’s mailing list as a subscriber. Use an Amazon EventBridge rule to send relevant Security Hub events to the SNS topic.

B.

Enable Amazon Inspector container image scanning. Configure Amazon Detective to analyze EKS security logs. Create Amazon CloudWatch log groups for EKS audit logs. Use an AWS Lambda function to process the logs and to send email alerts to the security team.

C.

Enable Amazon GuardDuty. Enable EKS Protection and Runtime Monitoring for Amazon EKS in GuardDuty. Create an Amazon Simple Notification Service (Amazon SNS) topic and set the security team ' s mailing list as a subscriber. Use an Amazon EventBridge rule to send relevant GuardDuty events to the SNS topic.

D.

Install the AWS Systems Manager Agent (SSM Agent) on all EKS nodes. Configure Amazon CloudWatch Logs to collect EKS audit logs. Create an Amazon Simple Notification Service (Amazon SNS) topic and set the security team ' s mailing list as a subscriber. Configure a CloudWatch alarm to publish a message to the SNS topic when new audit logs are generated.

A company has enabled AWS Config for its organization in AWS Organizations. The company has deployed hundreds of Amazon S3 buckets across the organization. A security engineer needs to identify any S3 buckets that are not encrypted with AWS Key Management Service (AWS KMS). The security engineer also must prevent objects that are not encrypted with AWS KMS from being uploaded to the S3 buckets.

Which solution will meet these requirements?

A.

Use thes3-default-encryption-kmsAWS Config managed rule to identify unencrypted S3 buckets. Create an SCP to allow thes3:PutObjectaction only when the object is encrypted with AWS KMS.

B.

Use thes3-default-encryption-kmsAWS Config managed rule to identify unencrypted S3 buckets. Create bucket policies for each S3 bucket to deny thes3:PutObjectaction only when the object has server-side encryption with S3 managed keys (SSE-S3).

C.

Use thes3-bucket-ssl-requests-onlyAWS Config managed rule to identify unencrypted S3 buckets. Create an SCP to allow thes3:PutObjectaction only when the object is encrypted with AWS KMS.

D.

Use thes3-bucket-ssl-requests-onlyAWS Config managed rule to identify unencrypted S3 buckets. Create bucket policies for each S3 bucket to allow thes3:PutObjectaction only when the object is encrypted with AWS KMS.

A company has a web application that reads from and writes to an Amazon S3 bucket. The company needs to use AWS credentials to authenticate all S3 API calls to the S3 bucket.

Which solution will provide the application with AWS credentials to make S3 API calls?

A.

Integrate with Cognito identity pools and use GetId to obtain AWS credentials.

B.

Integrate with Cognito identity pools and use AssumeRoleWithWebIdentity to obtain AWS credentials.

C.

Integrate with Cognito user pools and use the ID token to obtain AWS credentials.

D.

Integrate with Cognito user pools and use the access token to obtain AWS credentials.

A company operates an Amazon EC2 instance that is registered as a target of a Network Load Balancer (NLB). The NLB is associated with a security group. The security group allows inbound TCP traffic on port 22 from 10.0.0.0/23.

The company maps the NLB to two subnets that share the same network ACL and route table. The route table has a route for 0.0.0.0/0 to an internet gateway. The network ACL has one inbound rule that has a priority of 20 and that allows TCP traffic on port 22 from 10.0.0.0/16.

A security engineer receives an alert that there is an unauthorized SSH session on the EC2 instance. The unauthorized session originates from 10.0.1.5. The company ' s incident response procedure requires unauthorized SSH sessions to beimmediately interrupted. The instance must remain running, and its memory must remain intact.

Which solution will meet these requirements?

A.

Restart the EC2 instance from either the AWS Management Console or the AWS CLI.

B.

Add a new inbound rule that has a priority of 10 to the network ACL to deny TCP traffic on port 22 from 10.0.1.5.

C.

Remove the security group rule that allows inbound TCP traffic on port 22 from 10.0.0.0/16.

D.

Update the route table to remove the route to the internet gateway.

A company runs a public web application on Amazon EKS behind Amazon CloudFront and an Application Load Balancer (ALB). A security engineer must send a notification to an existing Amazon SNS topic when the application receives 10,000 requests from the same end-user IP address within any 5-minute period.

Which solution will meet these requirements?

A.

Configure CloudFront standard logging and CloudWatch Logs metric filters.

B.

Configure VPC Flow Logs and CloudWatch Logs metric filters.

C.

Configure an AWS WAF web ACL with an ASN match rule and CloudWatch alarms.

D.

Configure an AWS WAF web ACL with a rate-based rule. Associate it with CloudFront. Create a CloudWatch alarm to notify SNS.

A consultant agency needs to perform a security audit for a company ' s production AWS account. Several consultants need access to the account. The consultant agency already has its own AWS account. The company requires multi-factor authentication (MFA) for all access to its production account. The company also forbids the use of long-term credentials.

Which solution will provide the consultant agency with access that meets these requirements?

A.

Create an IAM group. Create an IAM user for each consultant. Add each user to the group. Turn on MFA for each consultant.

B.

Configure Amazon Cognito on the company’s production account to authenticate against the consultant agency ' s identity provider (IdP). Add MFA to a Cognito user pool.

C.

Create an IAM role in the consultant agency ' s AWS account. Define a trust policy that requires MFA. In the trust policy, specify the company ' s production account as the principal. Attach the trust policy to the role.

D.

Create an IAM role in the company’s production account. Define a trust policy that requires MFA. In the trust policy, specify the consultant agency ' s AWS account as the principal. Attach the trust policy to the role.

A company manages multiple AWS accounts through an organization in AWS Organizations. The company enables all features in the organization.

A security team must implement a solution to centrally manage VPC security groups across the accounts. The company uses an existing reference security group with the required configuration. The solution must detect if security group rules have been modified to deviate from the reference security group. The solution must automatically restore any noncompliant security groups to match the reference security group.

The security team needs to select a solution that does not require custom development or scripting.

Which solution will meet these requirements?

A.

Use AWS Firewall Manager to manage security group rules through security group policy rules.

B.

Create an AWS Systems Manager Automation runbook to identify and align noncompliant security groups with the reference security group.

C.

Use a custom AWS Config rule with auto remediation. Compare to the reference security group for compliance.

D.

Manage security groups through AWS CloudFormation StackSets. Use the reference security group for the initial rules.

A company runs a public web application on an Amazon EKS cluster. The company uses an Amazon CloudFront distribution to deploy the application. An Application Load Balancer (ALB) is configured as an origin for the distribution.

A security engineer needs to implement a monitoring solution that sends notifications to an existing Amazon SNS topic. The solution must send a notification to the SNS topic when the application receives 10,000 requests from the same end-user IP address during any 5-minute period.

Which solution will meet these requirements?

A.

Configure CloudFront standard logging. Send logs to an Amazon CloudWatch Logs log group. Create a log group metric filter to send a notification to the SNS topic when the request threshold is breached.

B.

Configure VPC Flow Logs to send logs for the VPC that contains the EKS cluster to an Amazon CloudWatch Logs log group. Create a log group metric filter to send a notification to the SNS topic when the request threshold is breached.

C.

Configure an AWS WAF web ACL with an Autonomous System Number match rule. Associate the web ACL with the ALB. Create an Amazon CloudWatch metric alarm to send a notification to the SNS topic when the ASN match rule request threshold is breached.

D.

Configure an AWS WAF web ACL with a rate-based rule. Associate the web ACL with the CloudFront distribution. Create an Amazon CloudWatch metric alarm to send a notification to the SNS topic when the rate-based rule request threshold is breached.