AWS Certified Security - Specialty
Question 26
A company has a few dozen application servers in private subnets behind an Elastic Load Balancer (ELB) in an AWS Auto Scaling group. The application is accessed from the web over HTTPS. The data must always be encrypted in transit. The Security Engineer is worried about potential key exposure due to vulnerabilities in the application software.
Which approach will meet these requirements while protecting the external certificate during a breach?
- A: Use a Network Load Balancer (NLB) to pass through traffic on port 443 from the internet to port 443 on the instances.
- B: Purchase an external certificate, and upload it to the AWS Certificate Manager (for use with the ELB) and to the instances. Have the ELB decrypt traffic, and route and re-encrypt with the same certificate.
- C: Generate an internal self-signed certificate and apply it to the instances. Use AWS Certificate Manager to generate a new external certificate for the ELB. Have the ELB decrypt traffic, and route and re-encrypt with the internal certificate.
- D: Upload a new external certificate to the load balancer. Have the ELB decrypt the traffic and forward it on port 80 to the instances.
Question 27
Which of the following are valid event sources that are associated with web access control lists that trigger AWS WAF rules? (Choose two.)
- A: Amazon S3 static web hosting
- B: Amazon CloudFront distribution
- C: Application Load Balancer
- D: Amazon Route 53
- E: VPC Flow Logs
Question 28
A company uses identity federation to authenticate users into an identity account (987654321987) where the users assume an IAM role named IdentityRole. The users then assume an IAM role named JobFunctionRole in the target AWS account (123456789123) to perform their job functions.
A user is unable to assume the IAM role in the target account. The policy attached to the role in the identity account is:
What should be done to enable the user to assume the appropriate role in the target account?
- A: Update the IAM policy attached to the role in the identity account to be:
- B: Update the trust policy on the role in the target account to be:
- C: Update the trust policy on the role in the identity account to be:
- D: Update the IAM policy attached to the role in the target account to be:
Question 29
A Security Engineer is working with the development team to design a supply chain application that stores sensitive inventory data in an Amazon S3 bucket. The application will use an AWS KMS customer master key (CMK) to encrypt the data on Amazon S3. The inventory data on Amazon S3 will be shared with vendors. All vendors will use AWS principals from their own AWS accounts to access the data on Amazon S3. The vendor list may change weekly, and the solution must support cross-account access.
What is the MOST efficient way to manage access control for the KMS CMK?
- A: Use KMS grants to manage key access. Programmatically create and revoke grants to manage vendor access.
- B: Use an IAM role to manage key access. Programmatically update the IAM role policies to manage vendor access.
- C: Use KMS key policies to manage key access. Programmatically update the KMS key policies to manage vendor access.
- D: Use delegated access across AWS accounts by using IAM roles to manage key access. Programmatically update the IAM trust policy to manage cross-account vendor access.
Question 30
A Security Engineer is setting up an AWS CloudTrail trail for all regions in an AWS account. For added security, the logs are stored using server-side encryption with AWS KMS-managed keys (SSE-KMS) and have log integrity validation enabled.
While testing the solution, the Security Engineer discovers that the digest files are readable, but the log files are not. What is the MOST likely cause?
- A: The log files fail integrity validation and automatically are marked as unavailable.
- B: The KMS key policy does not grant the Security Engineer's IAM user or role permissions to decrypt with it.
- C: The bucket is set up to use server-side encryption with Amazon S3-managed keys (SSE-S3) as the default and does not allow SSE-KMS-encrypted files.
- D: An IAM policy applicable to the Security Engineer's IAM user or role denies access to the "CloudTrail/" prefix in the Amazon S3 bucket.
Question 31
A corporate cloud security policy states that communications between the company's VPC and KMS must travel entirely within the AWS network and not use public service endpoints.
Which combination of the following actions MOST satisfies this requirement? (Choose two.)
- A: Add the aws:sourceVpce condition to the AWS KMS key policy referencing the company's VPC endpoint ID.
- B: Remove the VPC internet gateway from the VPC and add a virtual private gateway to the VPC to prevent direct, public internet connectivity.
- C: Create a VPC endpoint for AWS KMS with private DNS enabled.
- D: Use the KMS Import Key feature to securely transfer the AWS KMS key over a VPN.
- E: Add the following condition to the AWS KMS key policy: "aws:SourceIp": "10.0.0.0/16".
Question 32
A company had one of its Amazon EC2 key pairs compromised. A Security Engineer must identify which current Linux EC2 instances were deployed and used the compromised key pair.
How can this task be accomplished?
- A: Obtain the list of instances by directly querying Amazon EC2 using: aws ec2 describe-instances --filters "Name=key-name,Values=KEYNAMEHERE".
- B: Obtain the fingerprint for the key pair from the AWS Management Console, then search for the fingerprint in the Amazon Inspector logs.
- C: Obtain the output from the EC2 instance metadata using: curl http://169.254.169.254/latest/meta-data/public-keys/0/.
- D: Obtain the fingerprint for the key pair from the AWS Management Console, then search for the fingerprint in Amazon CloudWatch Logs using: aws logs filter-log-events.
Question 33
A Security Engineer for a large company is managing a data processing application used by 1,500 subsidiary companies. The parent and subsidiary companies all use AWS. The application uses TCP port 443 and runs on Amazon EC2 behind a Network Load Balancer (NLB). For compliance reasons, the application should only be accessible to the subsidiaries and should not be available on the public internet. To meet the compliance requirements for restricted access, the Engineer has received the public and private CIDR block ranges for each subsidiary.
What solution should the Engineer use to implement the appropriate access restrictions for the application?
- A: Create a NACL to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges. Associate the NACL to both the NLB and EC2 instances
- B: Create an AWS security group to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges. Associate the security group to the NLB. Create a second security group for EC2 instances with access on TCP port 443 from the NLB security group.
- C: Create an AWS PrivateLink endpoint service in the parent company account attached to the NLB. Create an AWS security group for the instances to allow access on TCP port 443 from the AWS PrivateLink endpoint. Use AWS PrivateLink interface endpoints in the 1,500 subsidiary AWS accounts to connect to the data processing application.
- D: Create an AWS security group to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges. Associate the security group with EC2 instances.
Question 34
To meet regulatory requirements, a Security Engineer needs to implement an IAM policy that restricts the use of AWS services to the us-east-1 Region.
What policy should the Engineer implement?
- A:
- B:
- C:
- D:
Question 35
A water utility company uses a number of Amazon EC2 instances to manage updates to a fleet of 2,000 Internet of Things (IoT) field devices that monitor water quality. These devices each have unique access credentials.
An operational safety policy requires that access to specific credentials is independently auditable.
What is the MOST cost-effective way to manage the storage of credentials?
- A: Use AWS Systems Manager to store the credentials as SecureString parameters. Secure them by using an AWS KMS key.
- B: Use AWS Key Management System to store a master key, which is used to encrypt the credentials. The encrypted credentials are stored in an Amazon RDS instance.
- C: Use AWS Secrets Manager to store the credentials.
- D: Store the credentials in a JSON file on Amazon S3 with server-side encryption.
Question 36
A company uses user data scripts that contain sensitive information to bootstrap Amazon EC2 instances. A Security Engineer discovers that this sensitive information is viewable by people who should not have access to it.
What is the MOST secure way to protect the sensitive information used to bootstrap the instances?
- A: Store the scripts in the AMI and encrypt the sensitive data using AWS KMS. Use the instance role profile to control access to the KMS keys needed to decrypt the data.
- B: Store the sensitive data in AWS Systems Manager Parameter Store using the encrypted string parameter and assign the GetParameters permission to the EC2 instance role.
- C: Externalize the bootstrap scripts in Amazon S3 and encrypt them using AWS KMS. Remove the scripts from the instance and clear the logs after the instance is configured.
- D: Block user access of the EC2 instance's metadata service using IAM policies. Remove all scripts and clear the logs after execution.
Question 37
A company is building a data lake on Amazon S3. The data consists of millions of small files containing sensitive information. The Security team has the following requirements for the architecture:
- Data must be encrypted in transit.
- Data must be encrypted at rest.
- The bucket must be private, but if the bucket is accidentally made public, the data must remain confidential.
Which combination of steps would meet the requirements? (Choose two.)
- A: Enable AES-256 encryption using server-side encryption with Amazon S3-managed encryption keys (SSE-S3) on the S3 bucket.
- B: Enable default encryption with server-side encryption with AWS KMS-managed keys (SSE-KMS) on the S3 bucket.
- C: Add a bucket policy that includes a deny if a PutObject request does not include aws:SecureTransport.
- D: Add a bucket policy with aws:SourceIp to Allow uploads and downloads from the corporate intranet only.
- E: Add a bucket policy that includes a deny if a PutObject request does not include s3:x-amz-server-side-encryption: "aws:kms".
- F: Enable Amazon Macie to monitor and act on changes to the data lake's S3 bucket.
Question 38
A Security Engineer discovered a vulnerability in an application running on Amazon ECS. The vulnerability allowed attackers to install malicious code. Analysis of the code shows it exfiltrates data on port 5353 in batches at random time intervals.
While the code of the containers is being patched, how can Engineers quickly identify all compromised hosts and stop the egress of data on port 5353?
- A: Enable AWS Shield Advanced and AWS WAF. Configure an AWS WAF custom filter for egress traffic on port 5353
- B: Enable Amazon Inspector on Amazon ECS and configure a custom assessment to evaluate containers that have port 5353 open. Update the NACLs to block port 5353 outbound.
- C: Create an Amazon CloudWatch custom metric on the VPC Flow Logs identifying egress traffic on port 5353. Update the NACLs to block port 5353 outbound.
- D: Use Amazon Athena to query AWS CloudTrail logs in Amazon S3 and look for any traffic on port 5353. Update the security groups to block port 5353 outbound.
Question 39
An Amazon EC2 instance is denied access to a newly created AWS KMS CMK used for decrypt actions. The environment has the following configuration:
- The instance is allowed the kms:Decrypt action in its IAM role for all resources
- The AWS KMS CMK status is set to enabled
- The instance can communicate with the KMS API using a configured VPC endpoint
What is causing the issue?
- A: The kms:GenerateDataKey permission is missing from the EC2 instance's IAM role
- B: The ARN tag on the CMK contains the EC2 instance's ID instead of the instance's ARN
- C: The kms:Encrypt permission is missing from the EC2 IAM role
- D: The KMS CMK key policy that enables IAM user permissions is missing
Question 40
A company has enabled Amazon GuardDuty in all Regions as part of its security monitoring strategy. In one of the VPCs, the company hosts an Amazon EC2 instance working as an FTP server that is contacted by a high number of clients from multiple locations. This is identified by GuardDuty as a brute force attack due to the high number of connections that happen every hour.
The finding has been flagged as a false positive. However, GuardDuty keeps raising the issue. A Security Engineer has been asked to improve the signal-to-noise ratio. The Engineer needs to ensure that changes do not compromise the visibility of potential anomalous behavior.
How can the Security Engineer address the issue?
- A: Disable the FTP rule in GuardDuty in the Region where the FTP server is deployed
- B: Add the FTP server to a trusted IP list and deploy it to GuardDuty to stop receiving the notifications
- C: Use GuardDuty filters with auto archiving enabled to close the findings
- D: Create an AWS Lambda function that closes the finding whenever a new occurrence is reported
Question 41
What are the MOST secure ways to protect the AWS account root user of a recently opened AWS account? (Choose two.)
- A: Use the AWS account root user access keys instead of the AWS Management Console
- B: Enable multi-factor authentication for the AWS IAM users with the AdministratorAccess managed policy attached to them
- C: Enable multi-factor authentication for the AWS account root user
- D: Use AWS KMS to encrypt all AWS account root user and AWS IAM access keys and set automatic rotation to 30 days
- E: Do not create access keys for the AWS account root user; instead, create AWS IAM users
Question 42
A company has decided to migrate sensitive documents from on-premises data centers to Amazon S3. Currently, the hard drives are encrypted to meet a compliance requirement regarding data encryption. The CISO wants to improve security by encrypting each file using a different key instead of a single key. Using a different key would limit the security impact of a single exposed key.
Which of the following requires the LEAST amount of configuration when implementing this approach?
- A: Place each file into a different S3 bucket. Set the default encryption of each bucket to use a different AWS KMS customer managed key.
- B: Put all the files in the same S3 bucket. Using S3 events as a trigger, write an AWS Lambda function to encrypt each file as it is added using different AWS KMS data keys.
- C: Use the S3 encryption client to encrypt each file individually using S3-generated data keys.
- D: Place all the files in the same S3 bucket. Use server-side encryption with AWS KMS-managed keys (SSE-KMS) to encrypt the data.
Question 43
A company has an encrypted Amazon S3 bucket. An Application Developer has an IAM policy that allows access to the S3 bucket, but the Application Developer is unable to access objects within the bucket.
What is a possible cause of the issue?
- A: The S3 ACL for the S3 bucket fails to explicitly grant access to the Application Developer
- B: The AWS KMS key for the S3 bucket fails to list the Application Developer as an administrator
- C: The S3 bucket policy fails to explicitly grant access to the Application Developer
- D: The S3 bucket policy explicitly denies access to the Application Developer
Question 44
A Web Administrator for the website example.com has created an Amazon CloudFront distribution for dev.example.com, with a requirement to configure HTTPS using a custom TLS certificate imported to AWS Certificate Manager.
Which combination of steps is required to ensure availability of the certificate in the CloudFront console? (Choose two.)
- A: Call UploadServerCertificate with /cloudfront/dev/ in the path parameter.
- B: Import the certificate with a 4,096-bit RSA public key.
- C: Ensure that the certificate, private key, and certificate chain are PKCS #12-encoded.
- D: Import the certificate in the us-east-1 (N. Virginia) Region.
- E: Ensure that the certificate, private key, and certificate chain are PEM-encoded.
Question 45
A Security Engineer has discovered that, although encryption was enabled on the Amazon S3 bucket examplebucket, anyone who has access to the bucket has the ability to retrieve the files. The Engineer wants to limit access so that each IAM user can access an assigned folder only.
What should the Security Engineer do to achieve this?
- A: Use envelope encryption with the AWS-managed CMK aws/s3.
- B: Create a customer-managed CMK with a key policy granting "kms:Decrypt" based on the "${aws:username}" variable.
- C: Create a customer-managed CMK for each user. Add each user as a key user in their corresponding key policy.
- D: Change the applicable IAM policy to grant S3 access to "Resource": "arn:aws:s3:::examplebucket/${aws:username}/*"
Question 46
An organization is using Amazon CloudWatch Logs with agents deployed on its Linux Amazon EC2 instances. The agent configuration files have been checked and the application log files to be pushed are configured correctly. A review has identified that logging from specific instances is missing.
Which steps should be taken to troubleshoot the issue? (Choose two.)
- A: Use an EC2 run command to confirm that the "awslogs" service is running on all instances.
- B: Verify that the permissions used by the agent allow creation of log groups/streams and to put log events.
- C: Check whether any application log entries were rejected because of invalid time stamps by reviewing /var/cwlogs/rejects.log.
- D: Check that the trust relationship grants the service "cwlogs.amazonaws.com" permission to write objects to the Amazon S3 staging bucket.
- E: Verify that the time zone on the application servers is in UTC.
Question 47
A Security Engineer manages AWS Organizations for a company. The Engineer would like to restrict AWS usage to allow Amazon S3 only in one of the organizational units (OUs). The Engineer adds the following SCP to the OU:
The next day, API calls to AWS IAM appear in AWS CloudTrail logs in an account under that OU.
How should the Security Engineer resolve this issue?
- A: Move the account to a new OU and deny IAM:* permissions.
- B: Add a Deny policy for all non-S3 services at the account level.
- C: Change the policy to:
- D: Detach the default FullAWSAccess SCP.
Question 48
A Developer is creating an AWS Lambda function that requires environment variables to store connection information and logging settings. The Developer is required to use an AWS KMS Customer Master Key (CMK) supplied by the Information Security department in order to adhere to company standards for securing Lambda environment variables.
Which of the following are required for this configuration to work? (Choose two.)
- A: The Developer must configure Lambda access to the VPC using the --vpc-config parameter.
- B: The Lambda function execution role must have the kms:Decrypt permission added in the AWS IAM policy.
- C: The KMS key policy must allow permissions for the Developer to use the KMS key.
- D: The AWS IAM policy assigned to the Developer must have the kms:GenerateDataKey permission added.
- E: The Lambda execution role must have the kms:Encrypt permission added in the AWS IAM policy.
Question 49
A Developer signed in to a new account within an AWS Organizations organizational unit (OU) containing multiple accounts. Access to the Amazon S3 service is restricted with the following SCP:
How can the Security Engineer provide the Developer with Amazon S3 access without affecting other accounts?
- A: Move the SCP to the root OU of Organizations to remove the restriction to access Amazon S3.
- B: Add an IAM policy for the Developer, which grants S3 access.
- C: Create a new OU without applying the SCP restricting S3 access. Move the Developer account to this new OU.
- D: Add an allow list for the Developer account for the S3 service.
Question 50
A company has several workloads running on AWS. Employees are required to authenticate using on-premises ADFS and SSO to access the AWS Management Console. Developers migrated an existing legacy web application to an Amazon EC2 instance. Employees need to access this application from anywhere on the internet, but currently, there is no authentication system built into the application.
How should the Security Engineer implement employee-only access to this system without changing the application?
- A: Place the application behind an Application Load Balancer (ALB). Use Amazon Cognito as authentication for the ALB. Define a SAML-based Amazon Cognito user pool and connect it to ADFS.
- B: Implement AWS SSO in the master account and link it to ADFS as an identity provider. Define the EC2 instance as a managed resource, then apply an IAM policy on the resource.
- C: Define an Amazon Cognito identity pool, then install the connector on the Active Directory server. Use the Amazon Cognito SDK on the application instance to authenticate the employees using their Active Directory user names and passwords.
- D: Create an AWS Lambda custom authorizer as the authenticator for a reverse proxy on Amazon EC2. Ensure the security group on Amazon EC2 only allows access from the Lambda function.