AWS Security Specialty Exam Flashcards

Question 1

Q

Is AWS Config per region or globally enabled?

Answer

A

per region

Question 2

Q

How to determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it

Answer

A

use CloudTrail log file integrity validation

Question 3

Q

Sequence of log events from the same source/application

Answer

A

Log Streams

Question 4

Q

A collection of log streams with the same access control, monitoring and retention settings

Answer

A

Log Groups

Question 5

Q

Cloud Trail history length

Question 6

Q

Maximum number of Trials in CloudTrial

Answer

A

5 per region

Question 7

Q

Default signed URL timeout

Answer

A

60 minutes

Question 8

Q

Can RTMP distribution use signed cookies?

Answer

A

No. Singed URLs only

Question 9

Q

Can Web distribution use both signed URL and signed cookies?

Question 10

Q

Advantage of signed cookies over signed URLs?

Answer

A

Cookies can give access to an object type or are/folder and dont’ need a specifically formatted URL

Question 11

Q

Max number of CMK’s per region

Answer

A

1000 - in ANY state

Question 12

Q

Max number of KMS aliases

Question 13

Q

S3 ACL use cases

Answer

A

fine grained permissions on individual files/objects within S3
bucket polices are limited to 20kb in size, consider using S3 ACL if bucket policy grows too large

Question 14

Q

Bucket policy max size

Question 15

Q

How to ensure the access to S3 is encrypted in transport?

Answer

A

S3 bucket policy with Condition aws:SecureTransport

Question 16

Q

Is S3 cross region replication secured?

Answer

A

yes - SSL by default

Question 17

Q

How many destinations can you set replicate S3 bucket?

Question 18

Q

Does versioning has to be enabled when using cross region replication?

Question 19

Q

Does cross region replication work Cross Accounts?

Question 20

Q

How often AWS rotates KMS keys?

Answer

A

every 3 years

Question 21

Q

Automatic Key Rotation for Customer Managed Keys

Answer

A

Automatic rotation every 365 days (disabled by default)

Question 22

Q

Automatic Key Rotation for Customer Managed Keys, imported key material

Answer

A

No automatic rotation

Question 23

Q

Two ways of viewing EC2 SSH keys

Answer

A

list /home/ec2-user/.ssh/authorized_keys
curl http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key

Question 24

Q

Can you have multiple key-pairs attached to the EC2 instance?

Question 25

Q

Will deleting EC2 Key Pair in the console delete it from instance?

Question 26

Q

How to recover EC2 from lost Key Pair?

Answer

A

Take snaphot of the EC2 instance and deploy it as new instance (with new key pairs).

Question 27

Q

Condition key which can allow or deny access to our CMK depending on which service originated the request

Answer

A

kms:ViaService

Question 28

Q

4 Main User Types in CloudHSM

Answer

A

Precrypto Officer (PRECO)
Crypto Officer (CO)
Crypto Users (CU)
Appliance User (AU)

Question 29

Q

A company has an AWS Lambda function that creates image thumbnails from larger images. The Lambda function needs read and write access to an Amazon S3 bucket in the same AWS account.
Which 2 solutions will provide the Lambda function this access?

Answer

A

Create an IAM role for the Lambda function. Attach an IAM policy that allows access to the S3 bucket
Create an IAM role for the Lambda function. Attach a bucket policy to the S3 bucket to allow access. Specify the function’s IAM role as the principal

Question 30

Q

A security engineer is configuring a new website that is named example.com. The security engineer wants to secure communications with the website by requiring users to connect to example.com through HTTPS.
What is a valid option for storing SSL/TLS certificates?

Answer

A

Custom SSL certificate that is stored in AWS Certificate Manager (ACM)

Question 31

Q

A security engineer needs to develop a process to investigate and respond to potential security events on a company’s Amazon EC2 instances. All the EC2 instances are backed by Amazon Elastic Block Store (Amazon EBS). The company uses AWS Systems Manager to manage all the EC2 instances and has installed Systems Manager Agent (SSM Agent) on all the EC2 instances.
The process that the security engineer is developing must comply with AWS security best practices and must meet the following requirements:
A compromised EC2 instance’s volatile memory and non-volatile memory must be preserved for forensic purposes.
A compromised EC2 instance’s metadata must be updated with corresponding incident ticket information.
A compromised EC2 instance must remain online during the investigation but must be isolated to prevent the spread of malware.
Any investigative activity during the collection of volatile data must be captured as part of the process.
Which combination of steps should the security engineer take to meet these requirements with the LEAST operational overhead?

Answer

A

Gather any relevant metadata for the compromised EC2 instance. Enable termination protection. Isolate the instance by updating the instance’s security groups to restrict access. Detach the instance from any Auto Scaling groups that the instance is a member of. Deregister the instance from any Elastic Load Balancing (ELB) resources.
Use Systems Manager Run Command to invoke scripts that collect volatile data
Create a snapshot of the compromised EC2 instance’s EBS volume for follow-up investigations. Tag the instance with any relevant metadata and incident ticket information

Question 32

Q

A company has an organization in AWS Organizations. The company wants to use AWS CloudFormation StackSets in the organization to deploy various AWS design patterns into environments. These patterns consist of Amazon EC2 instances, Elastic Load Balancing (ELB) load balancers, Amazon RDS databases, and Amazon Elastic Kubernetes Service (Amazon EKS) clusters or Amazon Elastic Container Service (Amazon ECS) clusters.
Currently, the company’s developers can create their own CloudFormation stacks to increase the overall speed of delivery. A centralized CI/CD pipeline in a shared services AWS account deploys each CloudFormation stack.
The company’s security team has already provided requirements for each service in accordance with internal standards. If there are any resources that do not comply with the internal standards, the security team must receive notification to take appropriate action. The security team must implement a notification solution that gives developers the ability to maintain the same overall delivery speed that they currently have.
Which solution will meet these requirements in the MOST operationally efficient way?

Answer

A

Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team’s email addresses to the SNS topic. Create custom rules in CloudFormation Guard for each resource configuration. In the CI/CD pipeline, before the build stage, configure a Docker image to run the cfn-guard command on the CloudFormation template. Configure the CI/CD pipeline to publish a notification to the SNS topic if any issues are found

Question 33

Q

The Security team believes that a former employee may have gained unauthorized access to AWS resources sometime in the past 3 months by using an identified access key.
What approach would enable the Security team to find out what the former employee may have done within AWS?

Answer

A

Use the AWS CloudTrail console to search for user activity.

Question 34

Q

A company is storing data in Amazon S3 Glacier. The security engineer implemented a new vault lock policy for 10TB of data and called initiate-vault-lock operation 12 hours ago. The audit team identified a typo in the policy that is allowing unintended access to the vault.
What is the MOST cost-effective way to correct this?

Answer

A

Call the abort-vault-lock operation. Update the policy. Call the initiate-vault-lock operation again.

Question 35

Q

A company wants to control access to its AWS resources by using identities and groups that are defined in its existing Microsoft Active Directory.
What must the company create in its AWS account to map permissions for AWS services to Active Directory user attributes?

Answer

A

AWS IAM roles

Question 36

Q

A company has contracted with a third party to audit several AWS accounts. To enable the audit, cross-account IAM roles have been created in each account targeted for audit. The Auditor is having trouble accessing some of the accounts.
What 3 options might be causing this problem?

Answer

A

The external ID used by the Auditor is missing or incorrect
The Auditor has not been granted sts:AssumeRole for the role in the destination account
The role ARN used by the Auditor is missing or incorrect

Question 37

Q

Compliance requirements state that all communications between company on-premises hosts and EC2 instances be encrypted in transit. Hosts use custom proprietary protocols for their communication, and EC2 instances need to be fronted by a load balancer for increased availability.
Which solution will meet these requirements?

Answer

A

Route all traffic through a TCP listener on a Classic Load Balancer, and terminate the TLS connection on the EC2 instances.

Question 38

Q

An application is currently secured using network access control lists and security groups. Web servers are located in public subnets behind an Application Load Balancer (ALB); Application servers are located in private subnets.
How can edge security be enhanced to safeguard the Amazon EC2 instances against attack?

Answer

A

Move the web servers to private subnets without public IP addresses.
Configure AWS WAF to provide DDoS attack protection for the ALB

Question 39

Q

A Security Administrator is restricting the capabilities of company root user accounts. The company uses AWS Organizations and has enabled it for all feature sets, including consolidated billing. The top-level account is used for billing and administrative purposes, not for operational AWS resource purposes.
How can the Administrator restrict usage of member root user accounts across the organization?

Answer

A

Create an organizational unit (OU) in Organizations with a service control policy that controls usage of the root user. Add all operational accounts to the new OU.

Question 40

Q

A Systems Engineer has been tasked with configuring outbound mail through Simple Email Service (SES) and requires compliance with current TLS standards.
The mail application should be configured to connect to which endpoint and corresponding port?

Answer

A

email-smtp.us-east-1.amazonaws.com over port 587

Question 41

Q

A company is migrating one of its legacy systems from an on-premises data center to AWS. The application server will run on AWS, but the database must remain in the on-premises data center for compliance reasons. The database is sensitive to network latency. Additionally, the data that travels between the on-premises data center and AWS must have IPsec encryption.
Which combination of 2 AWS solutions will meet these requirements?

Answer

A

AWS Site-to-Site VPN
AWS Direct Connect

Question 42

Q

A company has an application that uses dozens of Amazon DynamoDB tables to store data. Auditors find that the tables do not comply with the company’s data protection policy.
The company’s retention policy states that all data must be backed up twice each month: once at midnight on the 15th day of the month and again at midnight on the 25th day of the month. The company must retain the backups for 3 months.
Which combination of 2 steps should a security engineer take to meet these requirements?

Answer

A

Use AWS Backup to create a backup plan. Add a backup rule that includes a retention period of 3 months.
Set the backup frequency by using a cron schedule expression. Assign each DynamoDB table to the backup plan.

Question 43

Q

A company needs a security engineer to implement a scalable solution for multi-account authentication and authorization. The solution should not introduce additional user-managed architectural components. Native AWS features should be used as much as possible. The security engineer has set up AWS Organizations with all features activated and AWS IAM Identity Center (AWS Single Sign-On) enabled.
Which additional steps should the security engineer take to complete the task?

Answer

A

Use an IAM Identity Center default directory to create users and groups for all employees that require access to AWS accounts. Assign groups to AWS accounts and link to permission sets in accordance with the employees’ job functions and access requirements. Instruct employees to access AWS accounts by using the IAM Identity Center user portal.

Question 44

Q

A company has deployed Amazon GuardDuty and now wants to implement automation for potential threats. The company has decided to start with RDP brute force attacks that come from Amazon EC2 instances in the company’s AWS environment. A security engineer needs to implement a solution that blocks the detected communication from a suspicious instance until investigation and potential remediation can occur.
Which solution will meet these requirements?

Answer

A

Enable AWS Security Hub to ingest GuardDuty findings and send the event to Amazon EventBridge. Deploy AWS Network Firewall. Process the event with an AWS Lambda function that adds a rule to a Network Firewall firewall policy to block traffic to and from the suspicious instance.

Question 45

Q

Company A has an AWS account that is named Account A. Company A recently acquired Company B, which has an AWS account that is named Account B. Company B stores its files in an Amazon S3 bucket. The administrators need to give a user from Account A full access to the S3 bucket in Account B.
After the administrators adjust the IAM permissions for the user in Account A to access the S3 bucket in Account B, the user still cannot access any files in the S3 bucket.
Which solution will resolve this issue?

Answer

A

In Account B, create a bucket policy to allow the user from Account A to access the S3 bucket in Account B.

Question 46

Q

A company wants to receive an email notification about critical findings in AWS Security Hub. The company does not have an existing architecture that supports this functionality.
Which solution will meet the requirement?

Answer

A

Create an Amazon EventBridge rule to detect critical Security Hub findings. Create an Amazon Simple Notification Service (Amazon SNS) topic as the target of the EventBridge rule. Subscribe an email endpoint to the SNS topic to receive published messages.

Question 47

Q

An international company has established a new business entity in South Korea. The company also has established a new AWS account to contain the workload for the South Korean region. The company has set up the workload in the new account in the ap-northeast-2 Region. The workload consists of three Auto Scaling groups of Amazon EC2 instances. All workloads that operate in this Region must keep system logs and application logs for 7 years.
A security engineer must implement a solution to ensure that no logging data is lost for each instance during scaling activities. The solution also must keep the logs for only the required period of 7 years.
Which combination of 3 steps should the security engineer take to meet these requirements?

Answer

A

Ensure that the Amazon CloudWatch agent is installed on all the EC2 instances that the Auto Scaling groups launch. Generate a CloudWatch agent configuration file to forward the required logs to Amazon CloudWatch Logs.
Set the log retention for desired log groups to 7 years.
Attach an IAM role to the launch configuration or launch template that the Auto Scaling groups use. Configure the role to provide the necessary permissions to forward logs to Amazon CloudWatch Logs.

Question 48

Q

What is a Field-level encryption

Answer

A

Field-level encryption allows you to enable your users to securely upload sensitive information to your web servers. The sensitive information provided by your users is encrypted at the edge, close to the user, and remains encrypted throughout your entire application stack. This encryption ensures that only applications that need the data—and have the credentials to decrypt it—are able to do so

Question 49

Q

A security engineer is designing an IAM policy to protect AWS API operations. The policy must enforce multi-factor authentication (MFA) for IAM users to access certain services in the AWS production account. Each session must remain valid for only 2 hours. The current version of the IAM policy is as follows

Which combination of 2 conditions must the security engineer add to the IAM policy to meet these requirements?

Answer

A

“Bool”: {“aws:MultiFactorAuthPresent”: “true”}
“NumericLessThan”: {“aws:MultiFactorAuthAge”: “7200”}

Question 50

Q

A company uses AWS Organizations and has production workloads across multiple AWS accounts. A security engineer needs to design a solution that will proactively monitor for suspicious behavior across all the accounts that contain production workloads.
The solution must automate remediation of incidents across the production accounts. The solution also must publish a notification to an Amazon Simple Notification Service (Amazon SNS) topic when a critical security finding is detected. In addition, the solution must send all security incident logs to a dedicated account.
Which solution will meet these requirements?

Answer

A

Activate Amazon GuardDuty in each production account. In a dedicated logging account, aggregate all GuardDuty logs from each production account. Remediate incidents by using Amazon EventBridge to invoke a custom AWS Lambda function from the GuardDuty findings. Configure the Lambda function to also publish notifications to the SNS topic.

Question 51

Q

A company is designing a multi-account structure for its development teams. The company is using AWS Organizations and AWS IAM Identity Center (AWS Single Sign-On). The company must implement a solution so that the development teams can use only specific AWS Regions and so that each AWS account allows access to only specific AWS services.
Which solution will meet these requirements with the LEAST operational overhead?

Answer

A

Create SCPs that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed

Question 52

Q

A company is developing an ecommerce application. The application uses Amazon EC2 instances and an Amazon RDS MySQL database. For compliance reasons, data must be secured in transit and at rest. The company needs a solution that minimizes operational overhead and minimizes cost.
Which solution meets these requirements?

Answer

A

Use TLS certificates from AWS Certificate Manager (ACM) with an Application Load Balancer. Deploy self-signed certificates on the EC2 instances. Ensure that the database client software uses a TLS connection to Amazon RDS. Enable encryption of the RDS DB instance. Enable encryption on the Amazon Elastic Block Store (Amazon EBS) volumes that support the EC2 instances

Question 53

Q

A company used a lift-and-shift approach to migrate from its on-premises data centers to the AWS Cloud. The company migrated on-premises VMs to Amazon EC2 instances. Now the company wants to replace some of components that are running on the EC2 instances with managed AWS services that provide similar functionality.
Initially, the company will transition from load balancer software that runs on EC2 instances to AWS Elastic Load Balancers. A security engineer must ensure that after this transition, all the load balancer logs are centralized and searchable for auditing. The security engineer must also ensure that metrics are generated to show which ciphers are in use.
Which solution will meet these requirements?

Answer

A

Create an Amazon S3 bucket. Configure the load balancers to send logs to the S3 bucket. Use Amazon Athena to search the logs that are in the S3 bucket. Create Athena queries for the required metrics. Publish the metrics to Amazon CloudWatch.

Question 54

Q

A company has a legacy application that runs on a single Amazon EC2 instance. A security audit shows that the application has been using an IAM access key within its code to access an Amazon S3 bucket that is named DOC-EXAMPLE-BUCKET1 in the same AWS account. This access key pair has the s3:GetObject permission to all objects in only this S3 bucket. The company takes the application offline because the application is not compliant with the company’s security policies for accessing other AWS resources from Amazon EC2.
A security engineer validates that AWS CloudTrail is turned on in all AWS Regions. CloudTrail is sending logs to an S3 bucket that is named DOC-EXAMPLE-BUCKET2. This S3 bucket is in the same AWS account as DOC-EXAMPLE-BUCKET1. However, CloudTrail has not been configured to send logs to Amazon CloudWatch Logs.
The company wants to know if any objects in DOC-EXAMPLE-BUCKET1 were accessed with the IAM access key in the past 60 days. If any objects were accessed, the company wants to know if any of the objects that are text files (.txt extension) contained personally identifiable information (PII).
Which combination of 2 steps should the security engineer take to gather this information?

Answer

A

Use Amazon Athena to query the CloudTrail logs in DOC-EXAMPLE-BUCKET2 for any API calls that used the access key to access an object that contained PII
Configure Amazon Macie to identify any objects in DOC-EXAMPLE-BUCKET1 that contain PII and that were available to the access key.

Question 55

Q

A security engineer creates an Amazon S3 bucket policy that denies access to all users. A few days later, the security engineer adds an additional statement to the bucket policy to allow read-only access to one other employee. Even after updating the policy, the employee sill receives an access denied message.
What is the likely cause of this access denial?

Answer

A

The allow permission is being overridden by the deny.

Explicit deny statements cannot be overridden by allow statements

Question 56

Q

A company is using Amazon Macie, AWS Firewall Manager, Amazon Inspector, and AWS Shield Advanced in its AWS account. The company wants to receive alerts if a DDoS attack occurs against the account.
Which solution will meet this requirement?

Answer

A

Create an Amazon CloudWatch alarm that monitors Shield Advanced metrics for an active DDoS event

Question 57

Q

A company hosts a web application on an Apache web server. The application runs on Amazon EC2 instances that are in an Auto Scaling group. The company configured the EC2 instances to send the Apache web server logs to an Amazon CloudWatch Logs group that the company has configured to expire after 1 year.
Recently, the company discovered in the Apache web server logs that a specific IP address is sending suspicious requests to the web application. A security engineer wants to analyze the past week of Apache web server logs to determine how many requests that the IP address sent and the corresponding URLs that the IP address requested.
What should the security engineer do to meet these requirements with the LEAST effort?

Answer

A

Use CloudWatch Logs Insights and a custom query syntax to analyze the CloudWatch logs for the specific IP address and the requested URLs.

Question 58

Q

A company developed an application by using AWS Lambda, Amazon S3, Amazon Simple Notification Service (Amazon SNS), and Amazon DynamoDB. An external application puts objects into the company’s S3 bucket and tags the objects with date and time. A Lambda function periodically pulls data from the company’s S3 bucket based on date and time tags and inserts specific values into a DynamoDB table for further processing.
The data includes personally identifiable information (PII). The company must remove data that is older than 30 days from the S3 bucket and the DynamoDB table.
Which solution will meet this requirement with the MOST operational efficiency?

Answer

A

Create an S3 Lifecycle policy to expire objects that are older than 30 days. Update the Lambda function to add the TTL attribute in the DynamoDB table. Enable TTL on the DynamoDB table to expire entries that are older than 30 days based on the TTL attribute

Question 59

Q

What are 2 the MOST secure ways to protect the AWS account root user of a recently opened AWS account?

Answer

A

Do not create access keys for the AWS account root user; instead, create AWS IAM users
Enable multi-factor authentication for the AWS account root user

Question 60

Q

A company is expanding its group of stores. On the day that each new store opens, the company wants to launch a customized web application for that store. Each store’s application will have a non-production environment and a production environment. Each environment will be deployed in a separate AWS account. The company uses AWS Organizations and has an OU that is used only for these accounts.
The company distributes most of the development work to third-party development teams. A security engineer needs to ensure that each team follows the company’s deployment plan for AWS resources. The security engineer also must limit access to the deployment plan to only the developers who need access. The security engineer already has created an AWS CloudFormation template that implements the deployment plan.
What should the security engineer do next to meet the requirements in the MOST secure way?

Answer

A

Create an AWS Service Catalog portfolio in the organization’s management account. Upload the CloudFormation template. Add the template to the portfolio’s product list. Share the portfolio with the OU

Question 61

Q

A company has launched a web application running on port 80 on Amazon EC2 instances. The instances have been launched in a private subnet. An Application Load Balancer (ALB) is configured in front of the instances with an HTTP listener.

The instances are assigned to a security group named WebAppSG and the ALB is assigned to a security group named ALB-SG. The security team requires that the security group rules are locked down according to best practice.

What 3 rules should be configured in the security groups?

Answer

A

An inbound rule in WebAppSG allowing port 80 from source ALB-SG
An inbound rule in ALB-SG allowing port 80 from source 0.0.0.0/0
An outbound rule in ALB-SG allowing port 80 to WebAppSG

Question 62

Q

A security engineer created an Amazon S3 bucket and attached the following bucket policy.

What is the effect of this bucket policy?

Answer

A

The specified users are not denied S3 permissions but must be granted permissions through IAM user policies or ACLs

Question 63

Q

A multinational enterprise uses AWS Organizations to manage several AWS accounts spread across different regions. The company’s IT department centrally manages the creation of IAM roles. Recently, the company decided to delegate the IAM role creation to various regional teams to speed up the process and reduce the IT department’s workload. However, it is critical to prevent privilege escalation and ensure the scope of IAM roles remains within the defined limits.

Which solution will meet these requirements with the LEAST operational overhead?

Answer

A

Establish an SCP and a permissions boundary for IAM roles. Apply the SCP to the root OU so that only roles with the attached permissions boundary can create any new IAM roles

Question 64

Q

A solutions architect is designing a secure, distributed application that will run on Amazon EC2 instances across multiple Availability Zones and AWS Regions and on-premises servers. The has asked a security engineer how encryption will be applied between the EC2 instances and on-premises servers.

Which 2 statements are correct about encryption in transit?

Answer

A

All inter-region traffic over the AWS global network is automatically encrypted
All traffic between Availability Zones is encrypted by default

Answer 56

A

Create a new KMS key and update the existing Key Alias to point to the new KMS key

Answer 57

A

The EC2 instance security group does not allow inbound traffic from the NLB IP addresses
The network ACL associated with the instance subnets does not allow traffic from the NLB

Answer 58

A

When using the ec2:runinstances API action set the “–metadata-options HttpTokens” option to “required”
Update existing instances using the “ec2 modify-instance-metadata-options” commands from the AWS CLI with the “HttpTokens required” option

You can access instance metadata from a running instance using one of the following methods:

Instance Metadata Service Version 1 (IMDSv1) – a request/response method

Instance Metadata Service Version 2 (IMDSv2) – a session-oriented method

By default, you can use either IMDSv1 or IMDSv2, or both. The instance metadata service distinguishes between IMDSv1 and IMDSv2 requests based on whether, for any given request, either the PUT or GET headers, which are unique to IMDSv2, are present in that request.

You can configure the instance metadata service on each instance such that local code or users must use IMDSv2. When you specify that IMDSv2 must be used, IMDSv1 no longer works.

IMDSv2 uses session-oriented requests. With session-oriented requests, you create a session token that defines the session duration, which can be a minimum of one second and a maximum of six hours.

Answer 59

A

Use Amazon Inspector and run the “Common vulnerabilities and exposures” assessment and the “Center for Internet Security (CIS) Benchmarks” assessment

Answer 60

A

AWS CloudTrail for the federated identity user name

Answer 61

A

Set up CloudWatch Logs subscription filters in each account. Use the subscription filters to stream the logs to an Amazon Kinesis Data Firehose stream in the central account, which then forwards the logs to the data processing system

Answer 62

A

Invalidate any temporary security credentials
Delete the access key ID and secret access key

Answer 63

A

Revoke all versions of the signing profile assigned to the developer

Answer 64

A

Run the EC2Rescue CLI using the /offline mode and specify the device ID

Answer 65

A

Use Service Control Policies (SCPs) to limit root account permissions

Service Control Policies (SCPs) can limit the maximum permission level for all AWS accounts in an organization, including the root user. By implementing SCPs, the university can prevent the root user in any account from exceeding the permissions defined in the SCP.

Answer 66

A

Use AWS Config to track configuration changes and AWS CloudTrail to record API calls and track access patterns in the AWS Cloud

Answer 67

A

Use the default key store and import the company’s keys into a customer managed KMS key

Answer 68

A

Disable the Network Source/Destination check on the security appliance’s elastic network interface

Answer 69

A

In the Security Hub administrator account, create an Amazon EventBridge rule to react to AWS Inspector findings with a high priority level. Configure the rule to target an Amazon SNS topic and subscribe the security operations team’s email addresses to the SNS topic

Answer 70

A

Grant the IAM role the s3:GetObjectVersionForReplication permission for the objects in the source S3 bucket
Give the IAM role the kms:Decrypt permission for the eu-west-1 key encrypting the source objects
Assign the IAM role the kms:Encrypt permission for the key in the eu-central-1 region that encrypts objects in the destination S3 bucket

Answer 71

A

Scan all the EC2 instances with AWS Systems Manager to identify the vulnerable version of the web framework

AWS Systems Manager Patch Manager can be used to scan systems and identify vulnerable versions of software and then install the patches on the systems. Patch Manager provides options to scan your instances and report compliance on a schedule, install available patches on a schedule, and patch or scan instances on demand whenever you need to.

Answer 72

A

Enable the option to automatically rotate each KMS key every year

When you enable automatic key rotation for a customer managed key, AWS KMS generates new cryptographic material for the KMS key every year. You can enable or disable automatic key rotation for customer managed KMS keys at any time. You cannot modify the rotation configuration for AWS managed KMS keys which are automatically rotated every year.

Key rotation changes only the KMS key’s key material, which is the cryptographic material that is used in encryption operations. The KMS key is the same logical resource, regardless of whether or how many times its key material changes.

Answer 73

A

Configure a rate-based rule on AWS WAF that puts a temporary block on requests from IP addresses that send excessive requests

Answer 74

A

Create an Amazon CloudFront distribution, configure the alternate domain name and subdomains, and select a certificate from AWS Certificate Manager (ACM)
Create a certificate in AWS Certificate Manager (ACM) and add the domain name and subdomains. Create Alias records for the distribution in Amazon Route 53

Answer 75

A

Create an egress-only internet gateway and update the route table in the private subnet

Answer 76

A

Implement encryption at rest for the Amazon EBS volumes attached to EC2 instances. Encrypt the RDS database and use a TLS secured connection. Store the database credentials in AWS Secrets Manager and configure automatic rotation

Answer 77

A

Enable the awslogs log driver by including awslogs-group and awslogs-region parameters in the LogConfiguration property

The Fargate launch type supports the awslogs log driver. You need to specify the awslogs-group (CloudWatch log group name) and awslogs-region (AWS Region of the log group) parameters in the LogConfiguration property in the task definition for Amazon ECS.

Answer 78

A

Use AWS Systems Manager Session Manager to access the EC2 instances. Set up Amazon CloudWatch Logs for session logging. Choose the option to upload session logs and ensure that only encrypted CloudWatch Logs log groups are allowed

Answer 79

A

Setup a Virtual Private Gateway (VGW)

Answer 80

A

Create an organization trail in the management account and specify a central S3 bucket

Answer 81

A

Service Control Policies (SCPs)

Answer 82

A

Disable or delete the compromised IAM access key. Stop using static IAM access keys and instead, create a new IAM role for the Lambda automation process. Assign this role to the AWS Lambda functions. Respond to the AWS Trust and Safety team detailing the remediation actions

Answer 83

A

Connect to each EC2 instance and replace the public key information in the authorized_keys file

Answer 84

A

Configure a password policy in Active Directory for the federation scenario
Configure an IAM password policy for the IAM user scenario
Configure a password policy in the Amazon Cognito user pool

Answer 85

A

Configure VPC traffic mirroring to send traffic to the intrusion detection EC2 instance using a Network Load Balancer

Answer 86

A

Call the AbortVaultLock operation. Update the policy. Call the initiate-vault-lock operation again

Answer 87

A

Create an Amazon EventBridge rule uses the “AWS API Call via CloudTrail” event source and the “s3:PutBucketPolicy” event pattern. Generate an alert using Amazon SNS

Answer 88

A

Create an AWS WAF rate-based rule to block this traffic when it exceeds a defined threshold

Answer 89

A

Modify the route table of the database subnets to remove the default route to the NAT gateway

Answer 90

A

Configure the key policy with a kms:ViaService condition key that limits use of the KMS key to the Amazon S3 service name

Answer 91

A

An explicit deny will always override an explicit allow.

There is an explicit deny in the bucket policy that denies all users. Explicit denies will always override any explicit allow statements so the new update to the policy does not grant access to the forensic analyst

Answer 92

A

Create an origin access identity (OAI) and associate it with the CloudFront distribution
Configure the S3 bucket permissions so that only the origin access identity can access the bucket contents

Answer 93

A

Specify ‘*’ as the principal and aws:PrincipalOrgld as a condition.

You can use a condition key, aws:PrincipalOrgID, in policies to require all principals accessing the resource to be from an account (including the master account) in the organization. To set this up for this scenario you must specify ‘*’ as the principal, to allow any user access, and then restrict only to users within the AWS Organization using the condition key. The aws:PrincipalOrgId condition key should be used with the organization ID value specified.

Answer 94

A

Use imported key material with an AWS KMS key

Cryptographic erasure is when the encryption material used to encrypt the data is deleted. This results in the data being unrecoverable as it cannot be decrypted. A security team may use this technique if the encryption keys used to encrypt data have been compromised. Of course, you would want to ensure that the key materials are backed up offline so you can perform a restore of the data.

In this case the only option available that will meet the requirements is to import key material into an AWS KMS key. You cannot immediately delete a KMS key; you must schedule it for deletion with a waiting period of a minimum of 7 days. With imported key material you can speed up the process by deleting the key material which renders the KMS key unusable. This effect is immediate.

Answer 95

A

Create a snapshot of unencrypted databases. Copy the unencrypted snapshots to created encrypted snapshots. Restore the databases from the encrypted snapshots
Use AWS Config to detect any existing and new unencrypted databases. Configure an Amazon SNS notification to alert the security team

Answer 96

A

Migrate the static content to an Amazon S3 bucket and create an Amazon CloudFront distribution
Use the AWS Web Application Firewall (WAF) service to inspect and manage web requests

Answer 97

A

The application lacks the kms:Encrypt permission for the custom-managed key
The state of the customer-managed key specified within the application is set to ‘Disabled’

Answer 98

A

Configure the trust policy on the IAM role AWS Config uses to allow “config.amazonaws.com” to assume the role
Configure the role policy on the IAM role AWS Config uses to allow write access to the Amazon S3 bucket
Configure the access policy for the Amazon SNS topic to allow “sns:publish” access to “config.amazonaws.com

Answer 99

A

Create a landing zone using AWS Control Tower. Integrate AWS Single Sign-On (SSO) with the company’s existing identity provider. Grant Active Directory users access to accounts and applications

Answer 100

A

On the DBSG security group, create a custom TCP rule for TCP 3306 and configure the AppSG security group as the source
On the AppSG security group, create a custom TCP rule for TCP 1030 and configure the WebSG security group as the source

Answer 101

A

Enable access logging for the appropriate API stage
Use Amazon CloudWatch Logs Insights for analyzing API usage data

Answer 102

A

Use the SecurityHeadersPolicy managed response headers policy

Answer 103

A

Modify the web ACL with an IP set match rule statement and a block action to deny incoming requests from the IP address range

Answer 104

A

Create a new customer-managed key in AWS KMS and import the new key material. Provide Amazon RDS permissions to use the key. Create a new RDS instance and choose the new key as the encryption key. Migrate the data into RDS

Answer 105

A

Create a second access key and modify applications to use the new key. Disable the old access key and check applications are working correctly before deleting the old access key

Answer 106

A

Use AWS Signer to verify code integrity when code packages are deployed to Lambda
Use IAM policies to enforce that developers can only create functions that have code signing enabled

Answer 107

A

Verify that the S3 bucket policy grants CloudTrail the s3:PutObject permission
Verify that the S3 bucket and prefix defined in CloudTrail exists

Answer 108

A

The S3 bucket ACL and object ACLs will need to be checked to determine if public access is possible

Answer 109

A

The route table of the subnet is missing a route to the internet gateway
The network ACL denies outbound traffic on ephemeral ports
The host-based firewall of the instance operating system is denying traffic

Answer 110

A

Generate a credential report in each account in the Organization. Consolidate the reports and identify the users the access key IDs belong to. Rotate the access key IDs

Answer 111

A

Generate a new access key for the IAM user. Update the inventory management system to utilize the new access key. Subsequently, deactivate the compromised access key

Answer 112

A

Create an IAM account for the new employee and add the account to the security team IAM group. Set a permissions boundary that grants access to manage Amazon DynamoDB, Amazon RDS, and Amazon CloudWatch. When the employee takes on new management responsibilities, add the additional services to the permissions boundary IAM policy

Answer 113

A

Use AWS Secrets Manager to store the SSH key pairs. Create an AWS Lambda function that rotates the SSH keys every 90 days. Create an AWS CloudTrail trail that logs to an S3 bucket

Answer 114

A

Modify the configuration of AWS WAF to add an IP match condition to block the malicious IP address

Answer 115

A

Designate a delegated administrator for Amazon Inspector for the entire organization. Set up automatic scanning for all existing and new member accounts

Answer 116

A

Use the DynamoDB Encryption Client for client-side encryption and to digitally sign the table items

Answer 117

A

AWS CloudFormation
AWS Step Functions

Answer 118

A

The IAM role assigned to the EC2 instance profile does not have decrypt permissions on the AWS KMS key used to encrypt the parameter
The IAM role assigned to the EC2 instance profile does not have permissions to retrieve parameters in Systems Manager Parameter Store

Answer 119

A

Amazon Route 53
AWS Shield
Elastic Load Balancer

Answer 120

A

Use AWS Systems Manager Session Manager. Grant the IAM user accounts permissions to use Systems Manager Session Manager

Answer 121

A

Create an interface VPC endpoint for Amazon SQS
Create a gateway VPC endpoint for Amazon DynamoDB
Modify the endpoint policies on all VPC endpoints. Specify the SQS and DynamoDB resources that the application uses

Answer 122

A

Trust policy

Answer 123

A

Configure the Lambda function to connect to private subnets in an Amazon VPC
Configure a VPC endpoint for accessing the DynamoDB table using private addresses

Answer 124

A

Connect the Lambda function to a private subnet within the VPC. Attach a security group to the function that allows outbound access to the VPC CIDR block only. Update the DB instance security group to allow traffic from the Lambda security group

Answer 125

A

Install the Systems Manager SSM Agent on the EC2 Linux instances and attach an IAM role that grants permissions
Create an IAM user policy for Session Manager access granting the SysOps team access to the EC2 Linux instances

Answer 126

A

Add specific tags to the Amazon EC2 instances
Attach an IAM policy to the operations users that grants access to the instances with the specific tag using the Condition element

Answer 127

A

Update the trust policy on the role in the production account to allow the “sts: AssumeRole” API action for the IdPUsersRole principal in the identity account

Answer 128

A

Configure Amazon CloudFront and set up a distribution for the S3 and EC2 origins to accelerate content delivery
Use an AWS Lambda function configured with CloudFront (Lambda@Edge) to add HTTP security headers on origin responses

Answer 129

A

Create an OU in AWS Organizations and add all the member accounts. Attach an SCP that controls the permissions available for the root user

Answer 130

A

Configure CloudFront to add a custom HTTP header to requests that CloudFront sends to the ALB
Configure the ALB to deny requests that do not contain the custom HTTP header

Answer 131

A

Set up federated sign-in to AWS through ADFS and SAML

Answer 132

A

Amazon Kinesis
Amazon OpenSearch

Answer 133

A

All users in member accounts will not be able to disable AWS SecurityHub or delete or modify the Amazon GuardDuty configuration. IAM policies defined in member accounts will not be overridden

Answer 134

A

Add an aws:MultiFactorAuthPresent : true condition to the role’s trust policy

Answer 135

A

Configure a Pre Sign-Up AWS Lambda trigger and associate it with the Amazon Cognito user pool to execute custom validation during sign-up

AWS Lambda triggers for Amazon Cognito can add custom validation to user pool workflows. A Pre sign-up Lambda trigger can perform custom validation during sign-up, such as checking the geographical origin of the registration request.

Answer 136

A

The KMS key policy does not grant the IAM role permissions to use the key for decryption

Answer 137

A

Add the Elastic IP addresses to the ingress rules of the instance security groups

Answer 138

A

Deploy an interface VPC endpoint for CodeBuild API operations

Answer 139

A

The KMS key specified is not enabled

Answer 140

A

Capture IP traffic using VPC Flow Logs and create a metric filter with an alarm that notifies the security team if connection attempts are made. Then, update NACLs to block the traffic

Answer 141

A

Use the AWS management console to revoke active sessions for the IAM role

We can determine that the credentials were issued to a role rather than a user as users will use access keys rather than obtaining the credentials from AWS STS. When a role needs permissions to access an AWS service it must call the AWS STS service to obtain temporary security credentials.

Answer 142

A

Enables IAM policies in the 554422336677 account to allow access to the key

By default, a policy statement like this one in this question is present in the key policy document when you create a new KMS key with the AWS Management Console. It is also present when you create a new KMS key programmatically but do not provide a key policy

Answer 143

A

Store the credentials in AWS Secrets Manager and choose an AWS KMS key. Enable automatic rotation every 60 days and configure the application to retrieve the secret programmatically

Answer 144

A

Enable Amazon S3 server access logging to monitor and record detailed logs of the requests made to the S3 buckets
Use Amazon Athena to perform SQL queries on the server access logs in S3 and employ Amazon QuickSight for visualizing the analyzed data in an interactive dashboard

Answer 145

A

Remove the deny statement for Amazon RDS from the root SCP

Answer 146

A

Create a metric filter and define a metric pattern that matches security group changes
Create an alarm that sends an Amazon SNS notification if security group changes are identified

Answer 147

A

Use KMS grants. Programmatically create and revoke grants to manage access

Answer 148

A

Store the environment variables in AWS Secrets Manager and access them at runtime. Use IAM permissions to restrict access to the secrets to only the Lambda functions that require access

AWS Secrets Manager is well suited to this use case. Secrets can be stored with values up to 10KB in size and the maximum number of secrets within a Region is 500,000.

Answer 149

A

Create an HTTPS listener that uses a predefined security policy that supports forward secrecy (FS)

Answer 150

A

Enable federated access between the corporate IdP and the AWS account using IAM. Use IAM roles to provide access to AWS resources

Answer 151

A

Create an interface VPC endpoint for CloudWatch Logs. Configure the endpoint policy to allow the EC2 instances to use the endpoint

Answer 152

A

Create an interface VPC endpoint for Kinesis Data Streams. Configure the application to connect to the VPC endpoint

Kinesis Data Streams uses TLS for all connections, so the data is encrypted in transit by default

Answer 153

A

Add a condition to the S3 bucket policy that allows actions if the request meets the condition “aws:SecureTransport”: “true”
Configure default encryption for the S3 bucket. Add a condition to the S3 bucket policy that denies PUT requests that don’t include the “x-amz-server-side-encryption” header

Answer 154

A

Update the relevant IAM policy to grant access to the resource “arn:aws:s3:::examplebucket/${aws:username}/*

Answer 155

A

The Lambda function execution role does not have permissions to write to CloudWatch Logs

Answer 156

A

Enable Amazon GuardDuty. After 48 hours, enable Amazon Detective

When you try to enable Detective, Detective checks whether GuardDuty has been enabled for your account for at least 48 hours. If you are not a GuardDuty customer or have been a GuardDuty customer for less than 48 hours, you cannot enable Detective. You must either enable GuardDuty or wait for 48 hours. This allows GuardDuty to assess the data volume that your account produces.

Answer 157

A

The Lambda function does not have permissions to access the S3 bucket

Answer 158

A

Use AWS Config with the managed rule cloudtrail-enabled to check that CloudTrail is enabled. If the rule is NON_COMPLIANT use Systems Manager Automation to automatically remediate the issue”

Answer 159

A

Configure the host-based firewall within the operating system

Answer 160

A

Server-side encryption with AWS KMS-managed keys (SSE-KMS)

Answer 161

A

Use AWS KMS with AWS imported key material and then use the DeletelmportedKeyMaterial API to remove the key material

Answer 162

A

Rotate and delete all root and IAM access keys
Delete any unauthorized IAM users
Delete any unauthorized resources

Answer 163

A

Use AWS WAF to create a rate-based rule

Answer 164

A

Create a custom key policy for the KMS key. Use the kms:ViaService condition key to allow the KMS key to be used only when the request comes from Amazon EC2 or Amazon RDS

The kms:ViaService condition key limits use of an AWS KMS key to requests from specified AWS services. You can specify one or more services in each kms:ViaService condition key

Answer 165

A

Search CloudTrail event logs for the TerminateInstances event and identify the assumed IAM role ARN. Then, search CloudTrail event logs for the AssumeRoleWithSAML event that includes the role ARN and note the federated username

Answer 166

A

Add an HTTP listener with a rule that redirects HTTP requests to HTTPS. Add an HTTPS listener and choose an AWS Certificate Manager (ACM) certificate

Answer 167

A

Assign a distinct Lambda execution role with specific KMS key access permissions to each Lambda function

Answer 168

A

Utilize Service Control Policies (SCPs) in AWS Organizations to limit each team’s access to only their assigned Regions and services

Answer 169

A

Create an IAM policy in each development account that has read-only access to Amazon EC2 resources. Assign the policy to a cross-account IAM role. Ask the security team members to assume the role from their account

Answer 170

A

Set up S3 bucket policies to allow access from a VPC endpoint

Answer 171

A

Use AWS CloudTrail. Enable forwarding to Amazon CloudWatch Logs. Create a CloudWatch Logs metric filter to match patterns indicating security group changes. Configure a CloudWatch alarm to send alerts to an Amazon SNS topic

Answer 172

A

Use Amazon GuardDuty to identify malicious traffic. Store the identified IP addresses in a DynamoDB table. Use Lambda to update the DynamoDB table and modify an AWS Network Firewall rule group to block the traffic

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity. It can identify potentially harmful behavior, such as traffic from a botnet.

The suspicious IP addresses can be stored in a DynamoDB table.

Lambda can be used to update the DynamoDB table and to automatically update an AWS Network Firewall rule group to block traffic from these IP addresses

Answer 173

A

Create an SCP that includes a Deny rule for the s3:DeleteBucket action. Apply this SCP to all the OUs in the organization

Answer 174

A

Implement an SCP that uses the “aws:RequestedRegion” condition to deny actions outside the approved region. Attach the SCP to the AWS account under AWS Organizations

Answer 175

A

Security group TCP port 80 inbound and TCP port 80 outbound
Network ACL: TCP port 80 inbound and TCP ports 1024-65535 outbound

Answer 176

A

Deploy the AWS Systems Manager Agent on the EC2 instances. Access the EC2 instances using Session Manager restricting access to users with permission to manage the instances

Answer 177

A

Create a Web ACL with a string match condition that matches the value in the User-Agent header. Configure WAF to block requests that match the condition

Answer 178

A

Use AWS Config with Auto Remediation to remediate any changes to S3 bucket policies. Configure alerting with AWS Config and Amazon SNS

Answer 179

A

Configure the restricted-ssh managed rule in AWS Config. When the rule is NON_COMPLIANT, use the AWS Config remediation feature to publish a notification to an Amazon SNS topic

Answer 180

A

Create an origin access identity (OAI) for the CloudFront distribution and update the S3 bucket policy to restrict access to the OAI
Update the distribution settings in CloudFront and configure restrictions based on the geography of the request

Answer 181

A

Disable source/destination checks on the EC2 proxy instances

Answer 182

A

Create an Amazon Athena table that uses the S3 bucket containing the access logs. Run SQL queries using Athena

Answer 183

A

Change the existing single-region trail to log all regions and capture API activity in a single central Amazon S3 bucket

Answer 184

A

Use AWS Secrets Manager and configure automatic rotation of the credentials

Answer 185

A

Subscribe to AWS Shield Advanced and reach out to AWS Support in the event of an attack
Create rule statements in AWS WAF web ACLs to block matching requests relating to the attack traffic

Answer 186

A

Deploy the AWS Config rule “approved_ami_by_id” and specify the approved AMI IDs

Answer 187

A

Maintain the API endpoint type as PRIVATE. Attach a resource policy to the REST API permitting access from vpc-beta

Answer 188

A

Check the SCPs set at the organizational units (OUs)
Check for the permissions boundaries set for the IAM user

Answer 189

A

Download the AWS-provided root certificates. Use the certificates when connecting to the RDS DB instance

Answer 190

A

Check the configuration of the IAM role attached to the instance profile to ensure it has sufficient permissions
Check if an Amazon SQS policy explicitly denies access to the IAM role used by the instances

Answer 191

A

Enable logging in AWS WAF settings, associate the web ACL with an Amazon Kinesis Data Firehose delivery stream
Create an Amazon Kinesis Data Firehose delivery stream in the same AWS Region as the web ACL. Specify the S3 bucket as the destination for the delivery stream

Answer 192

A

Create a new KMS key, import new key material, and point the key alias to the new KMS key

Answer 193

A

Install the unified Amazon CloudWatch agent on the EC2 instances. Configure the agent to collect the application log files and send them to Amazon CloudWatch Logs

Answer 194

A

Associate the Gateway VPC Endpoint with the route table of the private subnet, where the EC2 instance resides

Answer 195

A

Configure AWS WAF to send its log files directly to an Amazon S3 bucket for later analysis

Answer 196

A

Create an Amazon S3 bucket in the management account and create an Organization trail in the management account that logs to the S3 bucket

Answer 197

A

Use a tag-based approach by attaching a resource policy to the secret. Apply tags to the secret and the IAM principals. Use the aws:PrincipalTag and aws:ResourceTag IAM condition keys to control access.

Answer 198

A

Create an AWS WAF rate-based rule, and attach it to the ALB

Answer 199

A

The VPC where the EC2 instance was launched had the DHCP option configured for a custom OpenDNS resolver

Answer 200

A

Use Amazon Inspector. Create inclusion rules in Amazon ECR to match repositories that need to be scanned. Push Amazon Inspector findings to AWS Security Hub

Answer 201

A

Enable Amazon GuardDuty in the AWS account.
Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team’s email distribution list to the topic.
Create an Amazon EventBridge rule for GuardDuty findings of high severity. Configure the rule to publish a message to the topic.

Answer 202

A

Update the trust policy on the role in the target account to be:

Answer 203

A

Use an AWS Service Catalog portfolio that contains EC2 products with appropriate AMIs that include only approved software. Grant the developers permission to access only the Service Catalog portfolio to launch a product in the software development account.

Answer 204

A

Create a suppression rule in GuardDuty to filter findings by automatically archiving new findings that match the specified criteria.

A suppression rule is a set of criteria, consisting of a filter attribute paired with a value, used to filter findings by automatically archiving new findings that match the specified criteria.

Answer 205

A

Recreate the ECR repositories with KMS encryption and ECR scanning enabled. Analyze the scan report after the next push of images.

Answer 206

A

Create an IAM permissions boundary policy that allows Amazon EC2 access. Associate the contractor’s IAM account with the IAM permissions boundary policy.

Answer 207

A

Edit the existing trail in the Organizations management account and apply it to the organization

Answer 208

A

Enable Amazon GuardDuty from a centralized account. Use GuardDuty to manage AWS CloudTrail logs, VPC flow logs, and DNS logs.

Answer 209

A

Delete or rotate the user’s key, review the AWS CloudTrail logs in all regions, and delete any unrecognized or unauthorized resources.

Answer 210

A

Create a VPC endpoint for AWS KMS with private DNS enabled
add the aws:sourceVpce condition to the AWS KMS key policy referencing the company’s VPC endpoint ID

Answer 211

A

{
“Sid”: “Logging-12345”,
“Resource”: “*”,
“Action”: [
“logs:CreateLogGroup”,
“logs:CreateLogStream”,
“logs:PutLogEvents”
],
“Effect”: “Allow”
}

Answer 212

A

Enable default encryption with server-side encryption with AWS KMS-managed keys (SSE-KMS) on the S3 bucket.
Add a bucket policy that includes a deny if a PutObject request does not include aws:SecureTransport

Answer 213

A

Enable AWS CloudTrail logging across all accounts to a centralized Amazon S3 bucket. Set a lifecycle policy to move the data to Amazon Glacier after 90 days, and expire the data after 7 years

Answer 214

A

Check the route tables for the application server subnets for routes to the VPC peering connection
Check the database security groups for rules that allow traffic from the application servers

Answer 215

A

To be alerted to unusual traffic entering and exiting your network as a potential security event

Answer 216

A

Modify the web ACL to deny requests from the IP addresses.

Answer 217

A

the response plan doesn’t cater to new services as the plan us not updated for 18 months

Answer 218

A

Use Systems Manager Run Command to run AWSSupprt-RunEC2RescueForWindowsTool command document.

Answer 219

A

Configure a VPC flow log with CloudWatch as the destination. Create a CloudWatch metric filter for destination port 22. Create a CloudWatch alarm trigger

Answer 220

A

Create an AWS Lambda function to perform the custom checks. Then configure a custom AWS Config rule to invoke the Lambda function.

Answer 221

A

Create an IAM policy that gives the desired level of access to the CloudWatch Log group
Stream the log files to a separate CloudWatch group

Answer 222

A

Create an audit report to list all of the certificates that the private CA has issued or revoked. Download the JSON-formatted report from the S3 bucket.

Answer 223

A

Use AWS lambda function to change the S3 bucket policy
Use AWS Config to monitor changes to the S3 bucket

Answer 224

A

AWS VPN
AWS Direct Connect

Answer 225

A

use AWS SSM to patch the servers
use AWS Inspector to ensure that the servers have no critical flaws

Answer 226

A

check the instance status by using the Health API
check to see if the right role has been assigned to the EC2 instances
ensure that the agent is running on the instances

Answer 227

A

Download reports from the AWS Artifact console and provide them to the auditors

Answer 228

A

Enable EBS encryption during launch

Answer 229

A

respond to any notifications you received from AWS Support
Change your AWS account root user password
rotate access keys if they were authorised and are still needed, otherwise delete them

Answer 230

A

Use the IAM Encryption CLI to encrypt the data first

Answer 231

A

Use AWS IAM Access Analyzer to analyze the polices. View the findings from policy validation checks.

Answer 232

A

Configure IAM WAF with a rate-based rule that imposes a rate limit that automatically blocks requests when the rate limit is exceeded.

Answer 233

A

Develop the application to use the CloudFront key pair to set the signed cookies that users will use to access the content.

Utilizing CloudFront signed cookies is the simplest and most effective way to protect HLS video content for paying subscribers. Signed cookies provide access control for multiple files, such as video chunks in HLS streaming, without the need to generate a signed URL for each video chunk. This method simplifies the process for long video events with thousands of chunks, enhancing user experience while ensuring content protection.

Answer 234

A

Call the abort-vault-lock operation. Update the policy. Call the initiate-vault-lock operation again.

Answer 235

A

Implement S3 Object Lock in compliance mode in the primary Region. Configure S3 replication to replicate the objects to an S3 bucket in the secondary Region.

Implementing S3 Object Lock in compliance mode on the primary Region and configuring S3 replication to a secondary Region ensures the immutability of S3 objects, preventing them from being deleted or altered. This setup meets the requirement of protecting critical data from permanent deletion, even by users with administrative access. The replicated objects in the secondary Region inherit the Object Lock from the primary, ensuring consistent protection across Regions and aligning with disaster recovery requirements.

Answer 236

A

Create a new AWS account in the organization. Enable GuardDuty in the new account. Designate the new account as the delegated administrator account for GuardDuty. Configure GuardDuty to add existing accounts as member accounts. Select the option to automatically add new AWS accounts to the organization

Answer 237

A

Create a conformance pack that contains the 10 required AWS Config rules. Deploy the conformance pack from the security-01 account
Create an AWS CloudFormation template that will activate AWS Config. Deploy the template by using CloudFormation StackSets in the management-01 account

Answer 238

A

Create a new AWS account in the organization. Enable GuardDuty in the new account. Designate the new account as the delegated administrator account for GuardDuty. Configure GuardDuty to add existing accounts as member accounts. Select the option to automatically add new AWS accounts to the organization

Answer 239

A

Create an AWS WAF web ACL for the ALB. Create a custom rule that blocks requests that contain the user agent string of the device emulator.

To mitigate a credential stuffing attack against a web-based application behind an Application Load Balancer (ALB), creating an AWS WAF web ACL with a custom rule to block requests containing the known malicious user agent string is an effective solution. This approach allows for precise targeting of the attack vector (the user agent string of the device emulator) without impacting legitimate users. AWS WAF provides the capability to inspect HTTP(S) requests and block those that match defined criteria, such as specific strings in the user agent header, thereby preventing malicious requests from reaching the application.

Answer 240

A

Store the client token as a SecureString parameter in AWS Systems Manager Parameter Store. Use the AWS SDK to retrieve the value of the SecureString parameter in the Lambda function.

Answer 241

A

Verify that a metric filter was created and then mapped to an alarm. Check the alarm notification action.

Answer 242

A

Search the Cloudtrail event history on the API events which occurred 11 days ago.

Answer 243

A

Opt for enhanced scanning and specify a filter for a scan on push

With enhanced scanning, Amazon ECR integrates with Amazon Inspector to provide automated, continuous scanning of your repositories. Your container images are scanned for both operating systems and programming language package vulnerabilities. As new vulnerabilities appear, the scan results are updated and Amazon Inspector emits an event to EventBridge to notify you.

Answer 244

A

Enable CloudTrail to monitor data events for read and write operations for S3 buckets

Answer 245

A

Create an AWS Identity and Access Management (IAM) role for the Lambda function that also grants access to the S3 bucket. Configure the IAM role as the Lambda functions execution role. Verify that the S3 bucket policy doesn’t explicitly deny access to your Lambda function or its execution role

Answer 246

A

Enable trails and set up CloudTrail events to review and monitor management activities of all AWS accounts by logging these activities into CloudWatch Logs using a KMS key. Ensure that CloudTrail is enabled for all accounts as well as all available AWS services
Leverage Config rules to audit changes to AWS resources and monitor the compliance of the configuration by running the evaluations for the rule at a frequency that you choose. Develop AWS Config custom rules to establish a test-driven development approach by triggering the evaluation when any resource that matches the rule’s scope changes in configuration

Answer 247

A

Add an inbound rule to the security group of the database instance in VPC1, with the source as the CIDR block of VPC2 (VPC for the instances launched by the Auto Scaling Group)

Answer 248

A

Create an IAM role for the CI/CD pipeline to be used for deploying application resources
The security team should create a permissions boundary policy and attach it to the IAM role used by the CI/CD pipeline

Answer 249

A

Create an Amazon Simple Notification Service (Amazon SNS) topic and configure the users of the security team as subscribers to the topic. Create an Amazon EventBridge event rule to monitor userIdentity root logins from the AWS Management Console and trigger notifications to the SNS topic when root user login activity is detected

Answer 250

A

First create a secret with a password generated by Secrets Manager. Then use a dynamic reference in the CloudFormation template to retrieve the username and password from the secret to use as credentials for the new database created

Answer 251

A

Resource-based policies that grant permissions to an IAM role ARN are limited by an implicit deny in a permissions boundary or session policy
If a resource-based policy grants permission directly to the IAM user or the session principal that is making the request, then an implicit deny in an identity-based policy, a permissions boundary, or a session policy does not impact the final decision

Answer 252

A

The IAM identity that creates a KMS key is not considered to be the key owner. Like any other identity, the key creator needs to get permission through a key policy, IAM policy, or grant
AWS identities that have the kms:CreateKey permission can set the initial key policy and give themselves permission to use or manage the key

KMS keys belong to the AWS account in which they were created. However, no identity or principal, including the AWS account root user, has permission to use or manage a KMS key unless that permission is explicitly provided in a key policy, IAM policy, or grant. The IAM identity that creates a KMS key is not considered to be the key owner and they don’t automatically have permission to use or manage the KMS key that they created. Like any other identity, the key creator needs to get permission through a key policy, IAM policy, or grant.

Answer 253

A

Create a resource policy for your REST API that denies access to any IP address that isn’t specifically allowed. In the resource policy, for aws:SourceIp, give the value of the specific public IP address ranges that you want to grant access to

After the resource policy is attached to your REST API, users who call the API from specified IP addresses (allowed users) can access the API. Calls from any other IP address are denied access and receive an HTTP 403 Forbidden error.
The aws:SourceIp condition value works only for public IP address ranges.

To allow access to private IP address ranges, use the condition value aws:VpcSourceIp and enter the private IP address of your HTTP client that’s invoking your private API endpoint through the interface VPC endpoint. This configuration is not correct for public IPs.

Answer 254

A

Configure a traffic mirror target for the monitoring appliance. Create a traffic mirror filter with a rule for outbound traffic to reject all packets that have a destination IP in the VPC CIDR block and accept all other outbound packets. Also, create another rule for inbound traffic to reject all packets that have a source IP in the VPC CIDR block and accept all other inbound packets

Answer 255

A

Use Amazon Cognito to manage user identities in your mobile application. You can then use the Amazon Cognito credentials provider to manage credentials that your application uses to make requests to access AWS resources
Define an IAM role that has appropriate permissions for the application and launch the Amazon EC2 instance with this role associated with the instance
Use an IAM role to establish trust between accounts, and then grant users in one account limited permissions to access the trusted account

Answer 256

A

Modify the bucket policy to allow root user access from the Amazon S3 console or the AWS CLI
If there is a bucket policy on the Amazon S3 bucket that doesn’t specify the AWS account root user as a principal, the root user is denied access to that bucket

Answer 257

A

Leverage an AWS KMS custom key store backed by AWS CloudHSM clusters. Copy backups across Regions

Answer 258

A

Configure AWS CloudTrail to send trail events to Amazon CloudWatch Logs. Create a metric filter for the relevant log group with a filter pattern having eventName as ConsoleLogin and errorMessage as Failed authentication
Create a CloudWatch alarm with the threshold parameter set to 3 and the period parameter set to 5 minutes. The alarm action is a notification sent to an Amazon Simple Notification Service (Amazon SNS) topic subscribed by the concerned manager(s)

Answer 259

A

Verify that SSM Agent is installed on the instance
Create an AWS Identity and Access Management (IAM) instance profile for Systems Manager. Attach the IAM role to your private EC2 instance
Create three virtual private cloud (VPC) endpoints for Systems Manager with service names: com.amazonaws.[region].ssm, com.amazonaws.[region].ec2messages, com.amazonaws.[region].ssmmessages

Answer 260

A

Establish a Lambda execution role that provides access to the KMS key for each Lambda function

Answer 261

A

Create a CloudFront distribution with Origin Access Control (OAC). Make your S3 bucket private and configure access through Amazon CloudFront only by using signed requests to access the S3 bucket

Answer 262

A

Create an Amazon CloudWatch alarm that monitors AWS Shield Advanced CloudWatch metrics for an active DDoS event

AWS Shield Advanced reports metrics to Amazon CloudWatch on an AWS resource more frequently during DDoS events than when no events are underway. Shield Advanced reports metrics once a minute during an event, and then once right after the event ends. While no events are underway, Shield Advanced reports metrics once a day, at a time assigned to the resource. This periodic report keeps the metrics active and available for use in custom CloudWatch alarms.

Answer 263

A

Create Service control policies (SCPs) that deny access to any operations outside of the designated AWS Regions. Apart from the Condition and Resource elements, configure the NotAction element to allow access to the required AWS services

Answer 264

A

Set up a CloudWatch Events rule that is triggered on any API call from the root user
Using Amazon SNS as a target of the trigger that further notifies the security team

Answer 265

A

Use AWS CloudFormation Guard (cfn-guard), an open-source tool that helps you write compliance rules and validate the CloudFormation templates against those rules

Answer 266

A

Configure a single Amazon S3 bucket to hold all data. Use server-side encryption with Amazon S3 managed keys (SSE-S3) to encrypt the data

Answer 267

A

{
“Version”: “2012-10-17”,
“Statement”: [
{
“Effect”: “Allow”,
“Action”: “s3:PutObject”,
“Resource”: “*”,
“Condition”: {
“DateGreaterThan”: {“aws:CurrentTime”: “2023-04-01T00:00:00Z”},
“DateLessThan”: {“aws:CurrentTime”: “2023-04-30T23:59:59Z”}
}
}
]
}

Answer 268

A

Amazon Inspector
Amazon SNS

Answer 269

A

Enable AWS CloudTrail and configure the trail to send the logs to Amazon CloudWatch Logs. Configure a CloudWatch metric filter for the log group with a filter pattern on all security group changes. Create a CloudWatch alarm based on the log group-metric filter to publish notifications to an Amazon SNS topic

Answer 270

A

AWS Security Hub sends the Amazon GuardDuty findings to Amazon Detective to visualize and investigate the findings
AWS Firewall Manager sends findings to Security Hub when AWS Shield Advanced is not protecting the resources

Answer 271

A

Use suppression rules and create a rule that consists of two filter criteria. The first criterion is finding type, which should be UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS
The second filter criterion is API caller IPv4 address with the IP address or CIDR range of the on-premises internet gateway

Answer 272

A

Ensure that the database client software uses a TLS connection to Amazon RDS. Enable encryption of the Amazon RDS DB instance
Enable encryption on the Amazon Elastic Block Store (Amazon EBS) volumes that support the Amazon EC2 instances
Use TLS certificates from AWS Certificate Manager (ACM) with an Application Load Balancer. Deploy self-signed certificates on the EC2 instances

Answer 273

A

Combine AWS Direct Connect with AWS Site-to-Site VPN

Answer 274

A

Use AWS Resource Access Manager (AWS RAM) to share the subnets in Account X’s centrally managed VPC with the other member accounts. Configure the member accounts to use the shared subnets to launch workloads

Answer 275

A

{
“Statement”: [
{
“Principal”: “”,
“Action”: [
“execute-api:Invoke”
],
“Effect”: “Allow”,
“Resource”: [
“arn:aws:execute-api:us-east-1:123412341234:a1b2c3d4e5/”,
“arn:aws:execute-api:us-east-1:123412341234:aaaaa11111/*”
]
}
]
}

Answer 276

A

Use Amazon Cognito with AWS SDKs for mobile development to create unique identities for the users

Answer 277

A

Add a VPC Interface Endpoint for Secrets Manager and configure the Lambda function’s subnet to use it

Answer 278

A

Implement an AWS CloudTrail trail as an organizational trail. Configure the trail to forward the trail data to an Amazon CloudWatch Logs log group
In CloudWatch Logs, set a metric filter for any user action event the company needs to track. Create an Amazon CloudWatch alarm against the metric. When triggered, the alarm sends notifications to the subscribed users through an Amazon Simple Notification Service (Amazon SNS) topic

Answer 279

A

Implement the KMS import key function to perform an immediate delete operation

Answer 280

A

Create a URI-specific rate-based WAF rule to prevent a single source IP address from connecting to the login page more than a defined threshold number of times, over a given period

Answer 281

A

The EC2 instance is in a private subnet and it does not have the com.amazonaws.us-east-1.ssmmessages VPC endpoint for Session Manager

Answer 282

A

Verify that kms:Decrypt permissions are specified in the key policy, otherwise, they need to be added to the policy

The AWS CLI (aws s3 commands), AWS SDKs, and many third-party programs automatically perform a multipart upload when the file is large. To perform a multipart upload with encryption using an AWS KMS key, the requester must have kms:GenerateDataKey and kms:Decrypt permissions. The kms:GenerateDataKey permissions allow the requester to initiate the upload. With kms:Decrypt permissions, newly uploaded parts can be encrypted with the same key used for previous parts of the same object.

Answer 283

A

When you activate private DNS for an interface VPC endpoint, you can no longer access API Gateway public APIs from your Amazon VPC
The security groups that you choose must have a rule that allows TCP Port 443 inbound HTTPS traffic from an IP address range in your Amazon VPC

Answer 284

A

Use VPC security groups to control the network traffic to and from your file system
Use an IAM policy to control access for clients who can mount your file system with the required permissions

Answer 285

A

When you enable both GuardDuty and Security Hub, the mutual integration is enabled automatically. GuardDuty immediately begins to send findings to Security Hub
AWS Config must be enabled as a pre-requisite for using Security Hub

Answer 286

A

Create an S3 bucket policy in the Audit account that allows access to the S3 bucket for the user from the Finance account

Answer 287

A

Inactivate the publicly exposed IAM access key
Create a new access key and secret access key pair for the IAM user
Update the application to use the new credentials
Revoke any temporary AWS Security Token Service (AWS STS) credentials associated with the IAM user
Delete AWS Management Console credentials associated with the IAM user

Answer 288

A

To view traffic passing through Route 53 resolver endpoints, configure Amazon Virtual Private Cloud (Amazon VPC) Traffic Mirroring

Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an elastic network interface of type interface. You can then send the traffic to out-of-band security and monitoring appliances for content inspection, threat monitoring and troubleshooting.

Answer 289

A

Leverage geographic restrictions in CloudFront to deny traffic from a specific set of countries

Answer 290

A

Enable object-level logging for S3. Set up an EventBridge event pattern when a PutObject API call with public-read permission is detected in the AWS CloudTrail logs and set the target as an SNS topic for downstream notifications
Configure a Lambda function as one of the SNS topic subscribers, which is invoked to secure the objects in the S3 bucket

Answer 291

A

Configure an S3 VPC endpoint and create an S3 bucket policy to allow access only from this VPC endpoint

Answer 292

A

Create an identity-based policy with the IAM aws:RequestedRegion condition key that denies access to all actions outside the specified Region, except for actions related to the global AWS services specified using NotAction. Attach the policy to the developers IAM group

Answer 293

A

Configure the DaysToExpiry CloudWatch metric to schedule a batch search of expiring ACM certificates and trigger an AWS Lambda function to send the certificates-to-be-expired notification to an SNS topic. This Lambda function can also be configured to log all the expiring certificates as findings in Security Hub

Answer 294

A

Turn on enhanced scanning for your Amazon ECR registry. By default, the duration of the scans is set to Lifetime. When enhanced scanning is turned on, Amazon ECR sends scan events to EventBridge which can be configured for further notifications to specified teams

Answer 295

A

The target instance’s security group has rules that are not using the correct IP addresses to allow traffic from the NLB
The target instance’s security group has no rules that allow traffic from the NLB’s IP Addresses
The target instance’s subnet network ACL does not allow traffic from the NLB’s IP Addresses

Answer 296

A

Change the behavior of SES by using configuration sets. Set the TlsPolicy property for a configuration set to Require

Answer 297

A

Enable the AWS Config access-keys-rotated managed rule and configure the maxAccessKeyAge parameter to 30 days. Have AWS Config apply remediation using AWS Systems Manager Automation document for every non-compliant resource. The Automation document, in turn, publishes a customized message to an SNS topic

Answer 298

A

Have Security Hub ingest GuardDuty findings and send events to Kinesis Data Streams via EventBridge. Configure a Lambda function to process the data stream and block traffic to/from the suspicious instance by updating the security group so that it has no inbound and outbound rules

Answer 299

A

Use AWS Organizations to set a service control policy that denies the kms:Delete* and kms:ScheduleKeyDeletion actions for all accounts within the organization

Answer 300

A

Ensure that the Security Groups and Network Access Control Lists (NACLs) in both VPCs allow traffic

Answer 301

A

Remove the instance from the Auto Scaling group and deregister the instance from the Elastic Load Balancer. Place the instance within an isolation security group and snapshot the Amazon EBS data volumes that are attached to the EC2 instance. Launch an EC2 instance with a forensic toolkit and attach an EBS volume created from the snapshot of the suspicious EBS volume

Answer 302

A

Create an Amazon EventBridge rule that includes an event pattern that matches Medium/High severity GuardDuty findings. Set up an Amazon Simple Notification Service (Amazon SNS) topic. Configure the third-party ticketing email system as a subscriber to the SNS topic. Set the SNS topic as the target for the EventBridge rule

Answer 303

A

Create a TCP listener using a Network Load Balancer and implement mTLS on the target

Answer 304

A

Copy the data directly from the EBS encrypted volume before the volume is detached from the EC2 instance

Answer 305

A

Create a Service Control Policy (SCP) that denies all requests that are not sent using SSL (TLS) and also prevents an account from leaving the organization. Apply the SCP to the root of the organization
The application team has to create an IAM role in Account A1, that the application running on the EC2 instance will use to get objects from the S3 bucket in Account A2. A resource-based policy has to be attached to the bucket in the data lake account (Account A2) that grants read access to the role in the application account (Account A1)

Answer 306

A

Create a cache policy. Then, associate the cache policy with the cache behavior that must forward the Authorization header

Answer 307

A

Configure SAML-based authentication tied to an IAM role that has the PowerUserAccess managed policy attached to it. Attach a customer-managed policy that denies access to RDS in any AWS Region except us-east-1

Answer 308

A

Configure AWS Web Application Firewall (AWS WAF) to feed logs to Amazon S3 bucket via Amazon Kinesis Data Firehose. Set up an AWS Glue crawler job and an Amazon Athena table to query for required data and create visualizations using Amazon QuickSight dashboards

Answer 309

A

If you use a custom DNS resolver, then GuardDuty cannot access and process data from this data source

If you use AWS DNS resolvers for your Amazon EC2 instances (the default setting), then GuardDuty can access and process your request and response DNS logs through the internal AWS DNS resolvers. If you use another DNS resolver, such as OpenDNS or GoogleDNS, or if you set up your own DNS resolvers, then GuardDuty cannot access and process data from this data source.

Answer 310

A

Use the Amazon S3 console to update the prefix in the current bucket policy, and then use the CloudTrail console to specify the same prefix for the bucket in the trail

Answer 311

A

Configure the WAF web ACL to deliver logs to Amazon Kinesis Data Firehose, which should be configured to eventually store the logs in an Amazon S3 bucket. Use Athena to query the logs for errors and tracking

Answer 312

A

The aws:PrincipalOrgID global condition key can be used with the Principal element in a resource-based policy with AWS KMS. You need to specify the Organization ID in the Condition element

Answer 313

A

Use encryption context that you can use to verify the authenticity of AWS KMS API calls and the integrity of the ciphertext returned by the AWS Decrypt API

All AWS KMS cryptographic operations with symmetric encryption KMS keys accept an encryption context, an optional set of key–value pairs that can contain additional contextual information about the data. AWS KMS uses the encryption context as additional authenticated data (AAD) to support authenticated encryption.

Answer 314

A

Apply a custom IAM policy to restrict the permissions of the IAM role for creating EC2 instances in a specified VPC with tags using the policy condition ec2:ResourceTags to limit control to instances

Answer 315

A

Add the logs:CreateLogStream action to the second Allow statement

Answer 316

A

Create an AWS WAF ACL and use an IP match condition to allow traffic only from those IPs that are allowed in the EC2 security group. Associate this new WAF ACL with the CloudFront distribution
Configure an origin access identity (OAI) and associate it with the CloudFront distribution. Set up the permissions in the S3 bucket policy so that only the OAI can read the objects

Answer 317

A

You can contact the AWS Support Center to get help with mitigations if you’re a Shield Advanced customer
Create your own AWS WAF rules in your web ACL to mitigate the attack

For application layer (layer 7) DDoS attacks, AWS attempts to detect and notify AWS Shield Advanced customers through CloudWatch alarms. By default, it doesn’t automatically apply mitigations, to avoid inadvertently blocking valid user traffic.
For application layer (layer 7) resources, you have the following options available for responding to an attack. 1. Provide your own mitigations – You can investigate and mitigate the attack on your own. To manually mitigate a potential application layer DDoS attack you can create your own AWS WAF rules in your web ACL to mitigate the attack. This is the only option available if you aren’t a Shield Advanced customer.

Answer 318

A

Ensure that IP addresses added in the trusted IP list are publicly routable IPv4 addresses
Ensure that the trusted IP lists are uploaded in the same AWS Region as your GuardDuty findings

Trusted IP lists and threat lists are account and Region-specific. At any given time, you can have only one uploaded trusted IP list per AWS account per Region. Whereas, you can have up to six uploaded threat lists per AWS account per Region.

Answer 319

A

Configure the application security groups to ensure that only the necessary ports are open. Use Amazon Inspector to periodically scan the EC2 instances for vulnerabilities

To scan for known vulnerabilities, use Amazon Inspector. Amazon Inspector is an automated vulnerability management service that continually scans Amazon Elastic Compute Cloud (EC2) and container workloads for software vulnerabilities and unintended network exposure.
You can enable Amazon Inspector for your entire organization or an individual account with a few clicks in the AWS Management Console. Once enabled, Amazon Inspector automatically discovers running Amazon EC2 instances and Amazon ECR repositories and immediately starts continually scanning workloads for software vulnerabilities and unintended network exposure

Answer 320

A

When the Owner uploaded the object, the upload event occurs in Owner’s account and it matches the settings for Owner’s trail. The trail processes and logs the event in Owner’s account
When Bob uploaded the object, the upload event occurred in Bob’s account and it matches the settings for Bob’s trail. Bob’s trail processes and logs the event. The Owner’s trail settings also match the event, so the event is logged in Owner’s trail too

Answer 321

A

Rotate and delete all root and AWS Identity and Access Management (IAM) access keys
Check your AWS account bill to know the charged resources
Use AWS Git projects to scan for evidence of unauthorized use

Answer 322

A

Use AWS CloudTrail Event history to review security group changes in your AWS account
Use AWS Config to view configuration history for security groups. You must have the AWS Config configuration recorder turned on
Create an AWS CloudTrail trail configured to log to an Amazon Simple Storage Service (Amazon S3) bucket. Use Athena to query CloudTrail Logs over the last 30-45 days

Answer 323

A

The IP will be processed by the trusted IP list first, and will not generate a finding
Attach AmazonGuardDutyFullAccess managed policy to provide full access privileges to an identity to work with trusted IP lists and threat lists. You also need to add the following privileges { “Effect”: “Allow”, “Action”: [ “iam:PutRolePolicy”, “iam:DeleteRolePolicy” ], “Resource”: “arn:aws:iam::123456789123:role/aws-service-role/guardduty.amazonaws.com/AWSServiceRoleForAmazonGuardDuty” }

Answer 324

A

Implement local firewall rules using iptables based restrictions on the instances

iptables is a command line interface used to set up and maintain tables for the Netfilter firewall for IPv4, included in the Linux kernel. The firewall matches packets with rules defined in these tables and then takes the specified action on a possible match.

Answer 325

A

Use AWS Config with a managed rule cloudtrail-enabled to trigger a remediation action to fix the non-compliant status using AWS Systems Manager Automation documents

Answer 326

A

Set up a new S3 bucket in the us-east-1 region with replication enabled from this new bucket into another bucket in us-west-1 region. Enable SSE-KMS encryption on the new bucket in us-east-1 region by using an AWS KMS multi-region key. Copy the existing data from the current S3 bucket in us-east-1 region into this new S3 bucket in us-east-1 region

AWS KMS supports multi-region keys, which are AWS KMS keys in different AWS regions that can be used interchangeably – as though you had the same key in multiple regions. Each set of related multi-region keys has the same key material and key ID, so you can encrypt data in one AWS region and decrypt it in a different AWS region without re-encrypting or making a cross-region call to AWS KMS.

Answer 327

A

If auto remediate any non-compliant resources isn’t turned on, then the Firewall Manager created web ACL won’t be associated with in-scope resources

Answer 328

A

Use Amazon Detective in conjunction with Amazon GuardDuty to monitor malicious activity and unauthorized behavior on the AWS resources and quickly identify the root cause of potential security issues through linked datasets

Answer 329

A

Create a new CMK and import the new key material into it. Point the key alias of the older CMK to the new CMK created

Answer 330

A

Delete or rotate the user’s key. Review the AWS CloudTrail logs in all AWS regions and delete any unauthorized resources created or updated

Answer 331

A

Create a new Amazon S3 bucket in the centralized account to store all the CloudTrail log files. Enable log file validation on all Trails in AWS accounts of all business units. Use unique log file prefixes for trails in each AWS account
Apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the s3 PutObject action and the s3 GetBucketACL action, and specify the appropriate resource ARNs for the CloudTrail trails

Answer 332

A

Specify an administrator account in GuardDuty and then use the administrator account to invite other AWS accounts to become member accounts. Add the threat list to the administrator account by referencing the S3 object that contains the threat list
Upload the threat list to an Amazon S3 bucket and share the access with the administrator account

Answer 333

A

Create a new AWS account with limited privileges. Allow the newly created account to access the AWS KMS CMK key used to encrypt the EBS snapshots. Copy the encrypted snapshots to the new account on a regular basis

Answer 334

A

Use S3 Object Lock

Amazon S3 Object Lock is an Amazon S3 feature that allows you to store objects using a write once, read many (WORM) model. You can use WORM protection for scenarios where it is imperative that data is not changed or deleted after it has been written. Whether your business has a requirement to satisfy compliance regulations in the financial or healthcare sector, or you simply want to capture a golden copy of business records for later auditing and reconciliation, S3 Object Lock is the right tool for you. Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely.

Answer 335

A

Leverage the Amazon EC2 console to enable encryption of new EBS volumes by default. Leverage the Auto Scaling group’s instance refresh feature to replace existing instances with new instances

Answer 336

A

Create an IAM group having the development team users. Add a customer-managed policy with Deny Effect to the group for all s3:*actions with the condition defined as “Condition” : { “BoolIfExists” : { “aws:MultiFactorAuthPresent” : “false” } }

AWS recommends the use of BoolIfExists operator to check whether a request is authenticated using MFA. The aws:MultiFactorAuthPresent key is not present when an API or CLI command is called with long-term credentials, such as user access key pairs. Therefore AWS recommends that when you check for this key that you use the IfExists versions of the condition operators

Answer 337

A

Launch a temporary instance and attach the volume to it as a secondary volume. Delete the .run-once file from the instance, located at %ProgramData%/Amazon/EC2Launch/state/.run-once
Verify that the EC2Launch v2 service is running. Detach the EBS root volume from the instance
Reattach the volume to the original instance as the root volume and connect to the instance using its key pair to retrieve the administrator password. Connect to the instance using its current public DNS name

Answer 338

A

Block requests that contain a specific User-Agent in the request using custom Rules. Block requests that don’t contain a User-Agent header using either AWS Managed Rules or custom rules

Answer 339

A

The security group of the ALB should have an inbound rule from anywhere on port 443
The security group of RDS should have an inbound rule from the security group of the EC2 instances in the ASG on port 5432
The security group of the EC2 instances should have an inbound rule from the security group of the ALB on port 80

Answer 340

A

Add launch constraint(s) to each product in the service catalog portfolio

A launch constraint specifies the AWS Identity and Access Management (IAM) role that Service Catalog assumes when an end user launches, updates, or terminates a product. An IAM role is a collection of permissions that an IAM user or AWS service can assume temporarily to use AWS services.

Answer 341

A

The security groups assigned to Application Load Balancers should be configured to not use connection tracking
If you are subscribed to AWS Shield Advanced, you can register Elastic IP addresses as Protected Resources
When using Amazon CloudFront and AWS WAF with Amazon API Gateway, configure the cache behavior for your distributions to forward all headers to the API Gateway regional endpoint

Answer 342

A

The cross-account access points don’t grant access to data until you are granted permissions from the bucket owner
You can’t configure Cross-Region Replication to operate through an access point
You can only use access points to perform operations on objects. You can’t use access points to perform Amazon S3 operations, such as modifying or deleting buckets

Answer 343

A

As the CMK was deleted a day ago, it must be in the ‘pending deletion’ status and hence you can just cancel the CMK deletion and recover the key

Answer 344

A

Create a Lambda function that polls Config to detect non-compliant resources daily and send notifications via Amazon SNS
Create a Lambda function containing the logic to determine if a resource is compliant or non-compliant. Create a custom Config rule that uses this Lambda function as its source

Answer 345

A

Set up an AWS Web Application Firewall (WAF) web ACL. Create a rule to deny any requests that do not originate from the specified country. Attach the rule with the web ACL. Attach the web ACL with the ALB

Answer 346

A

If a user or role has an IAM permission policy that grants access to an action that is either not allowed or explicitly denied by the applicable SCPs, the user or role can’t perform that action
SCPs do not affect service-linked role
SCPs affect all users and roles in attached accounts, including the root user

Answer 347

A

When you change a security group rule, its tracked connections are not immediately interrupted. The tracked connections need to be configured to change to untracked connections and then apply the isolation security group to isolate the compromised instance

Answer 348

A

Configure AWS Security Hub to have a central dashboard for higher visibility of the environment and remediate issues quickly
Use Amazon Athena to analyze data in Amazon Simple Storage Service (Amazon S3) to retrieve any amount of data from anywhere—using standard SQL
Store the data cost-effectively on Amazon S3 buckets and use Amazon Macie to automatically discover, classify and protect the highly sensitive data

Answer 349

A

Use the aggregator feature of AWS Config to provide access to AWS Config data to both accounts without the need to share the management account details

An aggregator is an AWS Config resource type that collects AWS Config configuration and compliance data from multiple AWS accounts and Regions into a single account and Region to get a centralized view of your resource inventory and compliance.

Answer 350

A

Use WAF IP set statement that specifies the IP addresses that you want to allow through
Use WAF geo match statement listing the countries that you want to block

Answer 351

A

You can use an Internet Gateway ID as the custom source for the inbound rule

Answer 352

A

Enable WAF comprehensive logs that are delivered through Amazon Kinesis Firehose to a destination of your choice

AWS WAF supports full logging of all web requests inspected by the service. Customers can store these logs in Amazon S3 for compliance and auditing needs as well as use them for debugging and additional forensics. The logs will help customers understand why certain rules are triggered and why certain web requests are blocked. Customers can also integrate the logs with their SIEM and log analysis tools.

Answer 353

A

Add the condition as { “Bool”: { “kms:GrantIsForAWSResource”: true } to the IAM user policy
Add the <action> as kms:CreateGrant to the IAM user policy</action>

Answer 354

A

Create an encrypted snapshot of the database, share the snapshot, and allow access to the AWS Key Management Service (AWS KMS) encryption key

Answer 355

A

kms:GenerateDataKey

Answer 356

A

Revoke all active sessions for the IAM role. Update the S3 bucket policy to deny access to the IAM role. Remove the IAM role from the EC2 instance profile

Answer 357

A

If the requests are routed through a VPC endpoint, then check for any restrictions coming from the associated VPC endpoint policy
A session policy is in place and is causing an authorization issue

Answer 358

A

Configure CloudWatch Event to filter GuardDuty findings when a malicious activity is suspected. Configure the CloudWatch Event to invoke a Lambda function to parse the GuardDuty finding and store it in the Amazon DynamoDB table, if required
After checking the existing entries in the Amazon DynamoDB table, AWS Lambda function creates a Rule inside AWS WAF and in a VPC NACL, and a notification email is sent via Amazon Simple Notification Service (SNS)

Answer 359

A

Set up a service control policy (SCP) that prohibits changes to CloudTrail, and attach it to the developer accounts

Answer 360

A

In the IAM console, under the Permissions tab, look for a policy named AWSExposedCredentialPolicy_DO_NOT_REMOVE. If the user has this policy attached, then rotate the access keys for the user
Create new access keys and modify the application to use new ones. Deactivate the exposed account access keys immediately. Subsequently, delete the exposed keys only when you have verified the proper functioning of the application
If you must retain an EC2 instance for regulatory, compliance, or legal reasons, then create an Amazon EBS snapshot before terminating the instance

Answer 361

A

Use an origin group with primary and secondary origins to configure CloudFront for high-availability and failover
CloudFront can route to multiple origins based on the content type
Use field-level encryption in CloudFront to protect sensitive data for specific content

Field-level encryption allows you to enable your users to securely upload sensitive information to your web servers. The sensitive information provided by your users is encrypted at the edge, close to the user, and remains encrypted throughout your entire application stack. This encryption ensures that only applications that need the data—and have the credentials to decrypt it—can do so.

Answer 362

A

Review the abuse notice and reply explaining how you will prevent the abusive activity from recurring in the future

Answer 363

A

Check if the IAM user credentials are stored in the .aws/credentials file. Because these credentials have higher precedence over role credentials, IAM user credentials will be used to make the API calls. Delete the credentials file

Answer 364

A

The associated AWS Config managed rules are deleted. Any associated AWS WAF web access control lists (web ACLs) that don’t contain any resources are deleted

Answer 365

A

Set up an Amazon CloudWatch alarm that monitors Shield Advanced metrics for an active DDoS event

Answer 366

A

Create an Amazon CloudWatch metric filter that processes CloudTrail logs having API call details and looks at any errors by factoring in all the error codes that need to be tracked. Create an alarm based on this metric’s rate to send an SNS notification to the required team

Answer 367

A

Install and configure the unified CloudWatch agent on the application’s EC2 instance. Create a CloudWatch metric filter to monitor the application logs. Configure CloudWatch alerts based on these metrics

Answer 368

A

IAM user or IAM role policy should include the following IAM permissions:
“logs:CreateLogGroup”,
“logs:CreateLogStream”,
“logs:PutLogEvents”,
“logs:DescribeLogStreams”
Creating an Amazon Machine Image (AMI) after the CloudWatch agent is installed can lead to errors in the CloudWatch agent

It’s a best practice to install the CloudWatch agent at launch using AWS CloudFormation, AWS Systems Manager Agent (SSM Agent), user data scripts, or the AWS CLI. It is also a best practice to create an AMI before installing the CloudWatch agent. AMIs typically capture unique information from the original instance. Metadata becomes out of sync, and this state can lead to the CloudWatch agent not working as intended. Out-of-sync metadata is the reason that many Windows instances require Sysprep when working with AMI.

Answer 369

A

CloudWatch alarm might be configured to treat a missing data point the same way as a breaching data point. Configure the alarm to evaluate missing data points as NOT BREACHING

Answer 370

A

Use Amazon Route 53 to distribute traffic
Move the static content to Amazon S3, and front this with an Amazon CloudFront distribution. Configure another layer of protection by adding AWS Web Application Firewall (AWS WAF) to the CloudFront distribution

Answer 371

A

An outbound rule must be added to the Network ACL (NACL) to allow the response to be sent to the client on the ephemeral port range

Security groups are stateful, so allowing inbound traffic to the necessary ports enables the connection. Network ACLs are stateless, so you must allow both inbound and outbound traffic. By default, each custom Network ACL denies all inbound and outbound traffic until you add rules.

Answer 372

A

Use Patch Manager, a capability of AWS Systems Manager to automatically scan your instances and report compliance on a schedule, install available software updates on a schedule, and scan targets on demand

Answer 373

A

Configure an organizational trail with AWS CloudTrail, forwarding logs to CloudWatch Logs. Set a metric filter within CloudWatch Logs to catch specific actions and create a CloudWatch alarm to send messages to an SNS topic upon these actions

Answer 374

A

AWS CloudHSM

Answer 375

A

Share an encrypted snapshot, use a customer managed KMS key, and allow the Decrypt and CreateGrant actions for the target account in the key policy

Answer 376

A

Deploy a NAT gateway in each private subnet for every Availability Zone that is in use
Place the DB instance in a private subnet
Configure the Auto Scaling group to place the EC2 instances in a private subnet

Brainscape's Knowledge GenomeTM

AWS Security Specialty Exam Flashcards

Brainscape's Knowledge Genome^TM