AWS Certified Security - SpecialtyFree trialFree trial

By amazon
Aug, 2025

Verified

25Q per page

Question 1

The Security team believes that a former employee may have gained unauthorized access to AWS resources sometime in the past 3 months by using an identified access key.
What approach would enable the Security team to find out what the former employee may have done within AWS?

  • A: Use the AWS CloudTrail console to search for user activity.
  • B: Use the Amazon CloudWatch Logs console to filter CloudTrail data by user.
  • C: Use AWS Config to see what actions were taken by the user.
  • D: Use Amazon Athena to query CloudTrail logs stored in Amazon S3.

Question 2

A company will store sensitive documents in three Amazon S3 buckets based on a data classification scheme of Sensitive, Confidential, and Restricted. The security solution must meet all of the following requirements:
✑ Each object must be encrypted using a unique key.
✑ Items that are stored in the Restricted bucket require two-factor authentication for decryption.
✑ AWS KMS must automatically rotate encryption keys annually.
Which of the following meets these requirements?

  • A: Create a Customer Master Key (CMK) for each data classification type, and enable the rotation of it annually. For the ג€Restrictedג€ CMK, define the MFA policy within the key policy. Use S3 SSE-KMS to encrypt the objects.
  • B: Create a CMK grant for each data classification type with EnableKeyRotation and MultiFactorAuthPresent set to true. S3 can then use the grants to encrypt each object with a unique CMK.
  • C: Create a CMK for each data classification type, and within the CMK policy, enable rotation of it annually, and define the MFA policy. S3 can then create DEK grants to uniquely encrypt each object within the S3 bucket.
  • D: Create a CMK with unique imported key material for each data classification type, and rotate them annually. For the ג€Restrictedג€ key material, define the MFA policy in the key policy. Use S3 SSE-KMS to encrypt the objects.

Question 3

A company has five AWS accounts and wants to use AWS CloudTrail to log API calls. The log files must be stored in an Amazon S3 bucket that resides in a new account specifically built for centralized services with a unique top-level prefix for each trail. The configuration must also enable detection of any modification to the logs.
Which of the following steps will implement these requirements? (Choose three.)

  • A: Create a new S3 bucket in a separate AWS account for centralized storage of CloudTrail logs, and enable ג€Log File Validationג€ on all trails.
  • B: Use an existing S3 bucket in one of the accounts, apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the "s3: PutObject" action and the "s3 GetBucketACL" action, and specify the appropriate resource ARNs for the CloudTrail trails.
  • C: Apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the "s3 PutObject" action and the "s3 GelBucketACL" action, and specify the appropriate resource ARNs for the CloudTrail trails.
  • D: Use unique log file prefixes for trails in each AWS account.
  • E: Configure CloudTrail in the centralized account to log all accounts to the new centralized S3 bucket.
  • F: Enable encryption of the log files by using AWS Key Management Service

Question 4

A Security Engineer is implementing a solution to allow users to seamlessly encrypt Amazon S3 objects without having to touch the keys directly. The solution must be highly scalable without requiring continual management. Additionally, the organization must be able to immediately delete the encryption keys.
Which solution meets these requirements?

  • A: Use AWS KMS with AWS managed keys and the ScheduleKeyDeletion API with a PendingWindowInDays set to 0 to remove the keys if necessary.
  • B: Use KMS with AWS imported key material and then use the DeletelmportedKeyMaterial API to remove the key material if necessary.
  • C: Use AWS CloudHSM to store the keys and then use the CloudHSM API or the PKCS11 library to delete the keys if necessary.
  • D: Use the Systems Manager Parameter Store to store the keys and then use the service API operations to delete the key if necessary.

Question 5

An application uses Amazon Cognito to manage end users' permissions when directly accessing AWS resources, including Amazon DynamoDB. A new feature request reads as follows:
Provide a mechanism to mark customers as suspended pending investigation or suspended permanently. Customers should still be able to log in when suspended, but should not be able to make changes.
The priorities are to reduce complexity and avoid potential for future security issues.
Which approach will meet these requirements and priorities?

  • A: Create a new database field ג€suspended_statusג€ and modify the application logic to validate that field when processing requests.
  • B: Add suspended customers to second Cognito user pool and update the application login flow to check both user pools.
  • C: Use Amazon Cognito Sync to push out a ג€suspension_statusג€ parameter and split the IAM policy into normal users and suspended users.
  • D: Move suspended customers to a second Cognito group and define an appropriate IAM access policy for the group.

Question 6

A company stores data on an Amazon EBS volume attached to an Amazon EC2 instance. The data is asynchronously replicated to an Amazon S3 bucket. Both the EBS volume and the S3 bucket are encrypted with the same AWS KMS Customer Master Key (CMK). A former employee scheduled a deletion of that CMK before leaving the company.
The company's Developer Operations department learns about this only after the CMK has been deleted.
Which steps must be taken to address this situation?

  • A: Copy the data directly from the EBS encrypted volume before the volume is detached from the EC2 instance.
  • B: Recover the data from the EBS encrypted volume using an earlier version of the KMS backing key.
  • C: Make a request to AWS Support to recover the S3 encrypted data.
  • D: Make a request to AWS Support to restore the deleted CMK, and use it to recover the data.

Question 7

An AWS Lambda function was misused to alter data, and a Security Engineer must identify who invoked the function and what output was produced. The Engineer cannot find any logs created by the Lambda function in Amazon CloudWatch Logs.
Which of the following explains why the logs are not available?

  • A: The execution role for the Lambda function did not grant permissions to write log data to CloudWatch Logs.
  • B: The Lambda function was executed by using Amazon API Gateway, so the logs are not stored in CloudWatch Logs.
  • C: The execution role for the Lambda function did not grant permissions to write to the Amazon S3 bucket where CloudWatch Logs stores the logs.
  • D: The version of the Lambda function that was executed was not current.

Question 8

A company has Windows Amazon EC2 instances in a VPC that are joined to on-premises Active Directory servers for domain services. The security team has enabled Amazon GuardDuty on the AWS account to alert on issues with the instances.
During a weekly audit of network traffic, the Security Engineer notices that one of the EC2 instances is attempting to communicate with a known command-and- control server but failing. This alert does not show up in GuardDuty.
Why did GuardDuty fail to alert to this behavior?

  • A: GuardDuty did not have the appropriate alerts activated.
  • B: GuardDuty does not see these DNS requests.
  • C: GuardDuty only monitors active network traffic flow for command-and-control activity.
  • D: GuardDuty does not report on command-and-control activity.

Question 9

The AWS Systems Manager Parameter Store is being used to store database passwords used by an AWS Lambda function. Because this is sensitive data, the parameters are stored as type SecureString and protected by an AWS KMS key that allows access through IAM. When the function executes, this parameter cannot be retrieved as the result of an access denied error.
Which of the following actions will resolve the access denied error?

  • A: Update the ssm.amazonaws.com principal in the KMS key policy to allow kms: Decrypt.
  • B: Update the Lambda configuration to launch the function in a VPC.
  • C: Add a policy to the role that the Lambda function uses, allowing kms: Decrypt for the KMS key.
  • D: Add lambda.amazonaws.com as a trusted entity on the IAM role that the Lambda function uses.

Question 10

A company's security policy requires that VPC Flow Logs are enabled on all VPCs. A Security Engineer is looking to automate the process of auditing the VPC resources for compliance.
What combination of actions should the Engineer take? (Choose two.)

  • A: Create an AWS Lambda function that determines whether Flow Logs are enabled for a given VPC.
  • B: Create an AWS Config configuration item for each VPC in the company AWS account.
  • C: Create an AWS Config managed rule with a resource type of AWS:: Lambda:: Function.
  • D: Create an Amazon CloudWatch Event rule that triggers on events emitted by AWS Config.
  • E: Create an AWS Config custom rule, and associate it with an AWS Lambda function that contains the evaluating logic.

Question 11

A Security Engineer is looking for a way to control access to data that is being encrypted under a CMK. The Engineer is also looking to use additional authenticated data (AAD) to prevent tampering with ciphertext.
Which action would provide the required functionality?

  • A: Pass the key alias to AWS KMS when calling Encrypt and Decrypt API actions.
  • B: Use IAM policies to restrict access to Encrypt and Decrypt API actions.
  • C: Use kms:EncryptionContext as a condition when defining IAM policies for the CMK.
  • D: Use key policies to restrict access to the appropriate IAM groups.

Question 12

An application makes calls to AWS services using the AWS SDK. The application runs on Amazon EC2 instances with an associated IAM role. When the application attempts to access an object within an Amazon S3 bucket; the Administrator receives the following error message: HTTP 403: Access Denied.
Which combination of steps should the Administrator take to troubleshoot this issue? (Choose three.)

  • A: Confirm that the EC2 instance's security group authorizes S3 access.
  • B: Verify that the KMS key policy allows decrypt access for the KMS key for this IAM principle.
  • C: Check the S3 bucket policy for statements that deny access to objects.
  • D: Confirm that the EC2 instance is using the correct key pair.
  • E: Confirm that the IAM role associated with the EC2 instance has the proper privileges.
  • F: Confirm that the instance and the S3 bucket are in the same Region.

Question 13

An organization wants to deploy a three-tier web application whereby the application servers run on Amazon EC2 instances. These EC2 instances need access to credentials that they will use to authenticate their SQL connections to an Amazon RDS DB instance. Also, AWS Lambda functions must issue queries to the RDS database by using the same database credentials.
The credentials must be stored so that the EC2 instances and the Lambda functions can access them. No other access is allowed. The access logs must record when the credentials were accessed and by whom.
What should the Security Engineer do to meet these requirements?

  • A: Store the database credentials in AWS Key Management Service (AWS KMS). Create an IAM role with access to AWS KMS by using the EC2 and Lambda service principals in the role's trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances. Set up Lambda to use the new role for execution.
  • B: Store the database credentials in AWS KMS. Create an IAM role with access to KMS by using the EC2 and Lambda service principals in the role's trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances and the Lambda function.
  • C: Store the database credentials in AWS Secrets Manager. Create an IAM role with access to Secrets Manager by using the EC2 and Lambda service principals in the role's trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances and the Lambda function.
  • D: Store the database credentials in AWS Secrets Manager. Create an IAM role with access to Secrets Manager by using the EC2 and Lambda service principals in the role's trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances. Set up Lambda to use the new role for execution.

Question 14

A Security Engineer must implement mutually authenticated TLS connections between containers that communicate inside a VPC.
Which solution would be MOST secure and easy to maintain?

  • A: Use AWS Certificate Manager to generate certificates from a public certificate authority and deploy them to all the containers.
  • B: Create a self-signed certificate in one container and use AWS Secrets Manager to distribute the certificate to the other containers to establish trust.
  • C: Use AWS Certificate Manager Private Certificate Authority (ACM PCA) to create a subordinate certificate authority, then create the private keys in the containers and sign them using the ACM PCA API.
  • D: Use AWS Certificate Manager Private Certificate Authority (ACM PCA) to create a subordinate certificate authority, then use AWS Certificate Manager to generate the private certificates and deploy them to all the containers.

Question 15

The Accounting department at Example Corp. has made a decision to hire a third-party firm, AnyCompany, to monitor Example Corp.'s AWS account to help optimize costs.
The Security Engineer for Example Corp. has been tasked with providing AnyCompany with access to the required Example Corp. AWS resources. The Engineer has created an IAM role and granted permission to AnyCompany's AWS account to assume this role.
When customers contact AnyCompany, they provide their role ARN for validation. The Engineer is concerned that one of AnyCompany's other customers might deduce Example Corp.'s role ARN and potentially compromise the company's account.
What steps should the Engineer perform to prevent this outcome?

  • A: Create an IAM user and generate a set of long-term credentials. Provide the credentials to AnyCompany. Monitor access in IAM access advisor and plan to rotate credentials on a recurring basis.
  • B: Request an external ID from AnyCompany and add a condition with sts:Externald to the role's trust policy.
  • C: Require two-factor authentication by adding a condition to the role's trust policy with aws:MultiFactorAuthPresent.
  • D: Request an IP range from AnyCompany and add a condition with aws:SourceIp to the role's trust policy.

Question 16

A company maintains sensitive data in an Amazon S3 bucket that must be protected using an AWS KMS CMK. The company requires that keys be rotated automatically every year.
How should the bucket be configured?

  • A: Select server-side encryption with Amazon S3-managed keys (SSE-S3) and select an AWS-managed CMK.
  • B: Select Amazon S3-AWS KMS managed encryption keys (S3-KMS) and select a customer-managed CMK with key rotation enabled.
  • C: Select server-side encryption with Amazon S3-managed keys (SSE-S3) and select a customer-managed CMK that has imported key material.
  • D: Select server-side encryption with AWS KMS-managed keys (SSE-KMS) and select an alias to an AWS-managed CMK.

Question 17

An Amazon S3 bucket is encrypted using an AWS KMS CMK. An IAM user is unable to download objects from the S3 bucket using the AWS Management
Console; however, other users can download objects from the S3 bucket.
Which policies should the Security Engineer review and modify to resolve this issue? (Choose three.)

  • A: The CMK policy
  • B: The VPC endpoint policy
  • C: The S3 bucket policy
  • D: The S3 ACL
  • E: The IAM policy

Question 18

While analyzing a company's security solution, a Security Engineer wants to secure the AWS account root user.
What should the Security Engineer do to provide the highest level of security for the account?

  • A: Create a new IAM user that has administrator permissions in the AWS account. Delete the password for the AWS account root user.
  • B: Create a new IAM user that has administrator permissions in the AWS account. Modify the permissions for the existing IAM users.
  • C: Replace the access key for the AWS account root user. Delete the password for the AWS account root user.
  • D: Create a new IAM user that has administrator permissions in the AWS account. Enable multi-factor authentication for the AWS account root user.

Question 19

A Security Engineer is working with a Product team building a web application on AWS. The application uses Amazon S3 to host the static content, Amazon API
Gateway to provide RESTful services; and Amazon DynamoDB as the backend data store. The users already exist in a directory that is exposed through a SAML identity provider.
Which combination of the following actions should the Engineer take to enable users to be authenticated into the web application and call APIs? (Choose three.)

  • A: Create a custom authorization service using AWS Lambda.
  • B: Configure a SAML identity provider in Amazon Cognito to map attributes to the Amazon Cognito user pool attributes.
  • C: Configure the SAML identity provider to add the Amazon Cognito user pool as a relying party.
  • D: Configure an Amazon Cognito identity pool to integrate with social login providers.
  • E: Update DynamoDB to store the user email addresses and passwords.
  • F: Update API Gateway to use a COGNITO_USER_POOLS authorizer.

Question 20

While securing the connection between a company's VPC and its on-premises data center, a Security Engineer sent a ping command from an on-premises host
(IP address 203.0.113.12) to an Amazon EC2 instance (IP address 172.31.16.139). The ping command did not return a response. The flow log in the VPC showed the following:
2 123456789010 eni-1235b8ca 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK
2 123456789010 eni-1235b8ca 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK
What action should be performed to allow the ping to work?

  • A: In the security group of the EC2 instance, allow inbound ICMP traffic.
  • B: In the security group of the EC2 instance, allow outbound ICMP traffic.
  • C: In the VPC's NACL, allow inbound ICMP traffic.
  • D: In the VPC's NACL, allow outbound ICMP traffic.

Question 21

A Security Engineer is building a Java application that is running on Amazon EC2. The application communicates with an Amazon RDS instance and authenticates with a user name and password.
Which combination of steps can the Engineer take to protect the credentials and minimize downtime when the credentials are rotated? (Choose two.)

  • A: Have a Database Administrator encrypt the credentials and store the ciphertext in Amazon S3. Grant permission to the instance role associated with the EC2 instance to read the object and decrypt the ciphertext.
  • B: Configure a scheduled job that updates the credential in AWS Systems Manager Parameter Store and notifies the Engineer that the application needs to be restarted.
  • C: Configure automatic rotation of credentials in AWS Secrets Manager.
  • D: Store the credential in an encrypted string parameter in AWS Systems Manager Parameter Store. Grant permission to the instance role associated with the EC2 instance to access the parameter and the AWS KMS key that is used to encrypt it.
  • E: Configure the Java application to catch a connection failure and make a call to AWS Secrets Manager to retrieve updated credentials when the password is rotated. Grant permission to the instance role associated with the EC2 instance to access Secrets Manager.

Question 22

A company has several production AWS accounts and a central security AWS account. The security account is used for centralized monitoring and has IAM privileges to all resources in every corporate account. All of the company's Amazon S3 buckets are tagged with a value denoting the data classification of their contents.
A Security Engineer is deploying a monitoring solution in the security account that will enforce bucket policy compliance. The system must monitor S3 buckets in all production accounts and confirm that any policy change is in accordance with the bucket's data classification. If any change is out of compliance, the Security team must be notified quickly.
Which combination of actions would build the required solution? (Choose three.)

  • A: Configure Amazon CloudWatch Events in the production accounts to send all S3 events to the security account event bus.
  • B: Enable Amazon GuardDuty in the security account, and join the production accounts as members.
  • C: Configure an Amazon CloudWatch Events rule in the security account to detect S3 bucket creation or modification events.
  • D: Enable AWS Trusted Advisor and activate email notifications for an email address assigned to the security contact.
  • E: Invoke an AWS Lambda function in the security account to analyze S3 bucket settings in response to S3 events, and send non-compliance notifications to the Security team.
  • F: Configure event notifications on S3 buckets for PUT, POST, and DELETE events.

Question 23

A company plans to migrate a sensitive dataset to Amazon S3. A Security Engineer must ensure that the data is encrypted at rest. The encryption solution must enable the company to generate its own keys without needing to manage key storage or the encryption process.
What should the Security Engineer use to accomplish this?

  • A: Server-side encryption with Amazon S3-managed keys (SSE-S3)
  • B: Server-side encryption with AWS KMS-managed keys (SSE-KMS)
  • C: Server-side encryption with customer-provided keys (SSE-C)
  • D: Client-side encryption with an AWS KMS-managed CMK

Question 24

A company has a customer master key (CMK) with imported key materials. Company policy requires that all encryption keys must be rotated every year.
What can be done to implement the above policy?

  • A: Enable automatic key rotation annually for the CMK.
  • B: Use AWS Command Line Interface to create an AWS Lambda function to rotate the existing CMK annually.
  • C: Import new key material to the existing CMK and manually rotate the CMK.
  • D: Create a new CMK, import new key material to it, and point the key alias to the new CMK.

Question 25

A Security Engineer is defining the logging solution for a newly developed product. Systems Administrators and Developers need to have appropriate access to event log files in AWS CloudTrail to support and troubleshoot the product.
Which combination of controls should be used to protect against tampering with and unauthorized access to log files? (Choose two.)

  • A: Ensure that the log file integrity validation mechanism is enabled.
  • B: Ensure that all log files are written to at least two separate Amazon S3 buckets in the same account.
  • C: Ensure that Systems Administrators and Developers can edit log files, but prevent any other access.
  • D: Ensure that Systems Administrators and Developers with job-related need-to-know requirements only are capable of viewing ג€" but not modifying ג€" the log files.
  • E: Ensure that all log files are stored on Amazon EC2 instances that allow SSH access from the internal corporate network only.
Page 1 of 21 • Questions 1-25 of 509
12345

Free preview mode

Enjoy the free questions and consider upgrading to gain full access!