Summer Sale Special - Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: sntaclus

A company is operating an open-source software platform that is internet facing. The legacy software platform no longer receives security updates. The software platform operates using Amazon Route 53 weighted load balancing to send traffic to two Amazon EC2 instances that connect to an Amazon RDS cluster. A recent report suggests this software platform is vulnerable to SQL injection attacks, with samples of attacks provided. The company ' s security engineer must secure this system against SQL injection attacks within 24 hours. The security engineer’s solution must involve the least amount of effort and maintain normal operations during implementation.

What should the security engineer do to meet these requirements?

A.

Create an Application Load Balancer with the existing EC2 instances as a target group. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the ALB. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to the ALB. Update security groups on the EC2 instances to prevent direct access from the internet.

B.

Create an Amazon CloudFront distribution specifying one EC2 instance as an origin. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the distribution. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to CloudFront.

C.

Obtain the latest source code for the platform and make the necessary updates. Test the updated code to ensure that the vulnerability has been mitigated, then deploy the patched version of the platform to the EC2 instances.

D.

Update the security group that is attached to the EC2 instances, removing access from the internet to the TCP port used by the SQL database. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the EC2 instances. Test to ensure the vulnerability has been mitigated, then restore the security group to the original setting.

A development team is creating an open source toolset to manage a company’s software as a service (SaaS) application. The company stores the code in a public repository so that anyone can view and download the toolset’s code. The company discovers that the code contains an IAM access key and secret key that provide access to internal resources in the company ' s AWS environment. A security engineer must implement a solution to identify whether unauthorized usage of the exposed credentials has occurred. The solution also must prevent any additional usage of the exposed credentials.

Which combination of steps will meet these requirements? (Select TWO.)

A.

Use AWS Identity and Access Management Access Analyzer to determine which resources the exposed credentials accessed and who used them.

B.

Deactivate the exposed IAM access key from the user ' s IAM account.

C.

Create a rule in Amazon GuardDuty to block the access key in the source code from being used.

D.

Create a new IAM access key and secret key for the user whose credentials were exposed.

E.

Generate an IAM credential report. Check the report to determine when the user that owns the access key last logged in.

A company ' s security engineer receives an alert that indicates that an unexpected principal is accessing a company-owned Amazon Simple Queue Service (Amazon SQS) queue. All the company ' s accounts are within an organization in AWS Organizations. The security engineer must implement a mitigation solution that minimizes compliance violations and investment in tools that are outside of AWS.

What should the security engineer do to meet these requirements?

A.

Create security groups that only accept inbound traffic from the CIDR blocks of all the VPCs in the organization. Attach the security groups to all the SQS queues in all the VPCs in the organization.

B.

In all the VPCs in the organization, adjust the network ACLs to only accept inbound traffic from the CIDR blocks of all the VPCs in the organization. Attach the network ACLs to all the subnets in all the VPCs in the organization.

C.

Create interface VPC endpoints for Amazon SQS in all the VPCs in the organization. Set the aws:SourceVpce condition to the VPC endpoint identifier on the SQS policy. Add the aws:PrincipalOrgId condition to the VPC endpoint policy.

D.

Use a cloud access security broker (CASB) to maintain a list of managed resources. Configure the CASB to check the API and console access against that list on a web proxy.

A company ' s security engineer receives an abuse notification from AWS. The notification indicates that someone is hosting malware from the company ' s AWS account. After investigation, the security engineer finds a new Amazon S3 bucket that an IAM user created without authorization.

Which combination of steps should the security engineer take toMINIMIZE the consequencesof this compromise? (Select THREE.)

A.

Encrypt all AWS CloudTrail logs.

B.

Turn on Amazon GuardDuty.

C.

Change the password for all IAM users.

D.

Rotate or delete all AWS access keys.

E.

Take snapshots of all Amazon Elastic Block Store (Amazon EBS) volumes.

F.

Delete any resources that are unrecognized or unauthorized.

A company allows users to download its mobile app onto their phones. The app is MQTT based and connects to AWS IoT Core to subscribe to specific client-related topics. Recently, the company discovered that some malicious attackers have been trying to get a Trojan horse onto legitimate mobile phones. The Trojan horse poses as the authentic application and uses a client ID with injected special characters to gain access to topics outside the client ' s privilege scope.

Which combination of actions should the company take to prevent this threat? (Select TWO.)

A.

In the application, use an IoT thing name as the client ID to connect the device to AWS IoT Core.

B.

In the application, add a client ID check. Disconnect from the server if any special character is detected.

C.

Apply an AWS IoT Core policy that allows " AWSIoTWirelessDataAccess " with the principal set to " client/${iot:Connection.Thing.ThingName} " .

D.

Apply an AWS IoT Core policy to the device to allow " iot:Connect " with the resource set to " client/${iot:ClientId} " .

E.

Apply an AWS IoT Core policy to the device to allow " iot:Connect " with the resource set to " client/${iot:Connection.Thing.ThingName} " .

A company wants to deploy an application in a private VPC that will not be connected to the internet. The company’s security team will not allow bastion hosts or methods using SSH to log in to Amazon EC2 instances. The application team plans to use AWS Systems Manager Session Manager to connect to and manage the EC2 instances.

Which combination of steps should the security team take? (Select THREE.)

A.

Make sure the Systems Manager Agent is installed and running on all EC2 instances inside the VPC.

B.

Ensure the IAM role attached to the EC2 instances in the VPC allows access to Systems Manager.

C.

Create an SCP that prevents the creation of SSH key pairs.

D.

Launch a NAT gateway in the VPC. Update the routing policies to forward traffic to this NAT gateway.

E.

Ensure proper VPC endpoints are in place for Systems Manager and Amazon EC2.

F.

Ensure the VPC has a transit gateway attachment. Update the routing policies to forward traffic to this transit gateway.

A company needs to implement data lifecycle management for Amazon RDS snapshots. The company will use AWS Backup to manage the snapshots. The company must retain RDS automated snapshots for 5 years and will use Amazon S3 for long-term archival storage.

Which solution will meet these requirements?

A.

Use AWS Backup to apply a 5-year retention tag to the RDS snapshots.

B.

Enable versioning on the S3 bucket that AWS Backup uses for the RDS snapshots. Configure a 5-year retention period.

C.

Create an S3 Lifecycle policy. Include a 5-year retention period for the S3 bucket that AWS Backup uses for the RDS snapshots.

D.

Create a backup plan in AWS Backup. Configure a 5-year retention period.

A company has AWS accounts in an organization in AWS Organizations. An Amazon S3 bucket in one account is publicly accessible. A security engineer must remove public access and ensure the bucket cannot be made public again.

Which solution will meet these requirements?

A.

Enforce KMS encryption and deny s3:GetObject by SCP.

B.

Enable PublicAccessBlock and deny s3:GetObject by SCP.

C.

Enable PublicAccessBlock and deny s3:PutPublicAccessBlock by SCP.

D.

Enable Object Lock governance and deny s3:PutPublicAccessBlock by SCP.

A company begins to use AWS WAF after experiencing an increase in traffic to the company ' s public web applications. A security engineer needs to determine if the increase in traffic is because of application-layer attacks. The security engineer needs a solution to analyze AWS WAF traffic.

Which solution will meet this requirement?

A.

Configure AWS WAF to send logs to a trail in AWS CloudTrail. Create an Amazon Data Firehose delivery stream to send the logs to Amazon OpenSearch Service. Use OpenSearch Dashboards and an Amazon Athena connector to query the logs.

B.

Configure AWS WAF to send logs to an Amazon S3 bucket. Configure an OpenSearch table with a partition projection of the S3 bucket. Use OpenSearch to query the data in the S3 bucket.

C.

Configure AWS WAF to send logs to an Amazon S3 bucket. Configure an Amazon Athena table with a partition projection of the S3 bucket. Use Athena to query the data in the S3 bucket.

D.

Configure AWS WAF to send logs to a trail in AWS CloudTrail. Create an Amazon Data Firehose delivery stream to send the logs to an Amazon S3 bucket. Use Amazon Athena to query the data in the S3 bucket.

A company runs an application on an Amazon EC2 instance. The application generates invoices and stores them in an Amazon S3 bucket. The instance profile that is attached to the instance has appropriate access to the S3 bucket. The company needs to share each invoice with multiple clients that do not have AWS credentials. Each client must be able to download only the client ' s own invoices. Clients must download their invoices within 1 hour of invoice creation. Clients must use only temporary credentials to access the company ' s AWS resources.

Which additional step will meet these requirements?

A.

Update the S3 bucket policy to ensure that clients that use pre-signed URLs have the S3:Get* permission and the S3:List* permission to access S3 objects in the bucket.

B.

Add a StringEquals condition to the IAM role policy for the EC2 instance profile. Configure the policy condition to restrict access based on the s3:ResourceTag/ClientId tag of each invoice. Tag each generated invoice with the ID of its corresponding client.

C.

Update the script to use AWS Security Token Service (AWS STS) to obtain new credentials each time the script runs by assuming a new role that has S3:GetObject permissions. Use the credentials to generate the pre-signed URLs.

D.

Generate an access key and a secret key for an IAM user that has S3:GetObject permissions on the S3 bucket. Embed the keys into the script. Use the keys to generate the pre-signed URLs.