AWS-Certified-Security-Specialty Exam - Amazon AWS Certified Security - Specialty

certleader.com

Want to know Certleader AWS-Certified-Security-Specialty Exam practice test features? Want to learn more about the Amazon AWS Certified Security - Specialty certification experience? Study practical Amazon AWS-Certified-Security-Specialty answers to up-to-date AWS-Certified-Security-Specialty questions at Certleader. Get a success with an absolute guarantee to pass the Amazon AWS-Certified-Security-Specialty (Amazon AWS Certified Security - Specialty) test on your first attempt.

Check AWS-Certified-Security-Specialty free dumps before getting the full version:

NEW QUESTION 1
A company's policy requires that all API keys be encrypted and stored separately from source code in a centralized security account. This security account is managed by the company's security team. However, an audit revealed that an API key is stored with the source code of an AWS Lambda function in an AWS CodeCommit repository in the DevOps account.
How should the security team securely store the API key?

  • A. Create a CodeCommit repository in the security account using AWS Key Management Service (AWS KMS) for encryption. Require the development team to migrate the Lambda source code to this repository.
  • B. Store the API key in an Amazon S3 bucket in the security account using server-side encryption with Amazon S3 managed encryption keys (SSE-S3) to encrypt the key. Create a presigned URL for the S3 key
  • C. and specify the URL in a Lambda environment variable in the AWS CloudFormation template. Update the Lambda function code to retrieve the key using the URL and call the API.
  • D. Create a secret in AWS Secrets Manager in the security account to store the API key using AWS Key Management Service (AWS KMS) for encryption. Grant access to the IAM role used by the Lambda function so that the function can retrieve the key from Secrets Manager and call the API.
  • E. Create an encrypted environment variable for the Lambda function to store the API key using AWS Key Management Service (AWS KMS) for encryption. Grant access to the IAM role used by the Lambda function so that the function can decrypt the key at runtime.

Answer: C

Explanation:
To securely store the API key, the security team should do the following:
  • Create a secret in AWS Secrets Manager in the security account to store the API key using AWS Key Management Service (AWS KMS) for encryption. This allows the security team to encrypt and manage the API key centrally, and to configure automatic rotation schedules for it.
  • Grant access to the IAM role used by the Lambda function so that the function can retrieve the key from Secrets Manager and call the API. This allows the security team to avoid storing the API key with the source code, and to use IAM policies to control access to the secret.

NEW QUESTION 2
A company deployed AWS Organizations to help manage its increasing number of AWS accounts. A security engineer wants to ensure only principals in the Organization structure can access a specific Amazon S3 bucket. The solution must also minimize operational overhead.
Which solution will meet these requirements?

  • A. Put all users into an IAM group with an access policy granting access to the bucket.
  • B. Have the account creation trigger an IAM Lambda function that manages the bucket policy, allowing access to accounts listed in the policy only.
  • C. Add an SCP to the Organizations master account, allowing all principals access to the bucket.
  • D. Specify the organization ID in the global key condition element of a bucket policy, allowing all principals access.

Answer: D

NEW QUESTION 3
A company has recently recovered from a security incident that required the restoration of Amazon EC2 instances from snapshots. The company uses an AWS Key Management Service (AWS KMS) customer managed key to encrypt all Amazon Elastic Block Store (Amazon EBS) snapshots.
The company performs a gap analysis of its disaster recovery procedures and backup strategies. A security engineer needs to implement a solution so that the company can recover the EC2 instances if the AWS account is compromised and the EBS snapshots are deleted.
Which solution will meet this requirement?

  • A. Create a new Amazon S3 bucket.
  • B. Use EBS lifecycle policies to move EBS snapshots to the new S3 bucket.
  • C. Use lifecycle policies to move snapshots to the S3 Glacier Instant Retrieval storage class.
  • D. Use S3 Object Lock to prevent deletion of the snapshots.
  • E. Use AWS Systems Manager to distribute a configuration that backs up all attached disks to Amazon S3.
  • F. Create a new AWS account that has limited privileges.
  • G. Allow the new account to access the KMS key that encrypts the EBS snapshots.
  • H. Copy the encrypted snapshots to the new account on a recurring basis.
  • I. Use AWS Backup to copy EBS snapshots to Amazon S3. Use S3 Object Lock to prevent deletion of the snapshots.

Answer: C

Explanation:
This solution meets the requirement of recovering the EC2 instances if the AWS account is compromised and the EBS snapshots are deleted. By creating a new AWS account with limited privileges, the company can isolate the backup snapshots from the main account and reduce the risk of accidental or malicious deletion. By allowing the new account to access the KMS key that encrypts the EBS snapshots, the company can ensure that the snapshots are copied in an encrypted form and can be decrypted when needed. By copying the encrypted snapshots to the new account on a recurring basis, the company can maintain a consistent backup schedule and minimize data loss.

NEW QUESTION 4
A company stores images for a website in an Amazon S3 bucket. The company is using Amazon CloudFront to serve the images to end users. The company recently discovered that the images are being accessed from countries where the company does not have a distribution license.
Which actions should the company take to secure the images to limit their distribution? (Select TWO.)

  • A. Update the S3 bucket policy to restrict access to a CloudFront origin access identity (OAI).
  • B. Update the website DNS record to use an Amazon Route 53 geolocation record deny list of countries where the company lacks a license.
  • C. Add a CloudFront geo restriction deny list of countries where the company lacks a license.
  • D. Update the S3 bucket policy with a deny list of countries where the company lacks a license.
  • E. Enable the Restrict Viewer Access option in CloudFront to create a deny list of countries where the company lacks a license.

Answer: AC

Explanation:
To secure the images to limit their distribution, the company should take the following actions:
  • Update the S3 bucket policy to restrict access to a CloudFront origin access identity (OAI). This allows the company to use a special CloudFront user that can access objects in their S3 bucket, and prevent anyone else from accessing them directly.
  • Add a CloudFront geo restriction deny list of countries where the company lacks a license. This allows the company to use a feature that controls access to their content based on the geographic location of their viewers, and block requests from countries where they do not have a distribution license.

NEW QUESTION 5
A company uses Amazon RDS for MySQL as a database engine for its applications. A recent security audit revealed an RDS instance that is not compliant with company policy for encrypting data at rest. A security engineer at the company needs to ensure that all existing RDS databases are encrypted using server-side encryption and that any future deviations from the policy are detected.
Which combination of steps should the security engineer take to accomplish this? (Select TWO.)

  • A. Create an AWS Config rule to detect the creation of unencrypted RDS databases.
  • B. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to trigger on the AWS Config rule's compliance state change and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.
  • C. Use AWS Systems Manager State Manager to detect RDS database encryption configuration drift.
  • D. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to track state changes and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.
  • E. Create a read replica for the existing unencrypted RDS database and enable replica encryption in the process.
  • F. Once the replica becomes active, promote it into a standalone database instance and terminate the unencrypted database instance.
  • G. Take a snapshot of the unencrypted RDS database.
  • H. Copy the snapshot and enable snapshot encryption in the process.
  • I. Restore the database instance from the newly created encrypted snapshot.
  • J. Terminate the unencrypted database instance.
  • K. Enable encryption for the identified unencrypted RDS instance by changing the configuration of the existing database.

Answer: AD

NEW QUESTION 6
A company is operating a website using Amazon CloudFront. CloudFront serves some content from Amazon S3 and other content from web servers running on EC2 instances behind an Application Load Balancer (ALB). Amazon DynamoDB is used as the data store. The company already uses AWS Certificate Manager (ACM) to store a public TLS certificate that can optionally secure connections between the website users and CloudFront. The company has a new requirement to enforce end-to-end encryption in transit.
Which combination of steps should the company take to meet this requirement? (Select THREE.)

  • A. Update the CloudFront distribution,
  • B. configuring it to optionally use HTTPS when connecting to origins on Amazon S3.
  • C. Update the web application configuration on the web servers to use HTTPS instead of HTTP when connecting to DynamoDB.
  • D. Update the CloudFront distribution to redirect HTTP connections to HTTPS.
  • E. Configure the web servers on the EC2 instances to listen using HTTPS using the public ACM TLS certificate. Update the ALB to connect to the target group using HTTPS.
  • F. Update the ALB listener to listen using HTTPS using the public ACM TLS certificate.
  • G. Update the CloudFront distribution to connect to the HTTPS listener.
  • H. Create a TLS certificate. Configure the web servers on the EC2 instances to use HTTPS only with that certificate.
  • I. Update the ALB to connect to the target group using HTTPS.

Answer: BCE

Explanation:
To enforce end-to-end encryption in transit, the company should do the following:
  • Update the web application configuration on the web servers to use HTTPS instead of HTTP when connecting to DynamoDB. This ensures that the data is encrypted when it travels from the web servers to the data store.
  • Update the CloudFront distribution to redirect HTTP requests to HTTPS. This ensures that the viewers always use HTTPS when they access the website through CloudFront.
  • Update the ALB to listen using HTTPS using the public ACM TLS certificate. Update the CloudFront distribution to connect to the HTTPS listener. This ensures that the data is encrypted when it travels from CloudFront to the ALB and from the ALB to the web servers.

NEW QUESTION 7
A company has an organization in AWS Organizations. The company wants to use AWS CloudFormation StackSets in the organization to deploy various AWS design patterns into environments. These patterns consist of Amazon EC2 instances, Elastic Load Balancing (ELB) load balancers, Amazon RDS databases, and Amazon Elastic Kubernetes Service (Amazon EKS) clusters or Amazon Elastic Container Service (Amazon ECS) clusters.
Currently, the company's developers can create their own CloudFormation stacks to increase the overall speed of delivery. A centralized CI/CD pipeline in a shared services AWS account deploys each CloudFormation stack.
The company's security team has already provided requirements for each service in accordance with internal standards. If there are any resources that do not comply with the internal standards, the security team must receive notification to take appropriate action. The security team must implement a notification solution that gives developers the ability to maintain the same overall delivery speed that they currently have.
Which solution will meet these requirements in the MOST operationally efficient way?

  • A. Create an Amazon Simple Notification Service (Amazon SNS) topic.
  • B. Subscribe the security team's email addresses to the SNS topic.
  • C. Create a custom AWS Lambda function that will run the aws cloudformation validate-template AWS CLI command on all CloudFormation templates before the build stage in the CI/CD pipeline.
  • D. Configure the CI/CD pipeline to publish a notification to the SNS topic if any issues are found.
  • E. Create an Amazon Simple Notification Service (Amazon SNS) topic.
  • F. Subscribe the security team's email addresses to the SNS topic.
  • G. Create custom rules in CloudFormation Guard for each resource configuration.
  • H. In the CI/CD pipeline, before the build stage, configure a Docker image to run the cfn-guard command on the CloudFormation template.
  • I. Configure the CI/CD pipeline to publish a notification to the SNS topic if any issues are found.
  • J. Create an Amazon Simple Notification Service (Amazon SNS) topic and an Amazon Simple Queue Service (Amazon SQS) queue.
  • K. Subscribe the security team's email addresses to the SNS topic.
  • L. Create an Amazon S3 bucket in the shared services AWS account.
  • M. Include an event notification to publish to the SQS queue when new objects are added to the S3 bucket.
  • N. Require the developers to put their CloudFormation templates in the S3 bucket.
  • O. Launch EC2 instances that automatically scale based on the SQS queue depth.
  • P. Configure the EC2 instances to use CloudFormation Guard to scan the templates and deploy the templates if there are no issues.
  • Q. Configure the CI/CD pipeline to publish a notification to the SNS topic if any issues are found.
  • R. Create a centralized CloudFormation stack set that includes a standard set of resources that the developers can deploy in each AWS account.
  • S. Configure each CloudFormation template to meet the security requirements.
  • T. For any new resources or configurations, update the CloudFormation template and send the template to the security team for review.
  • When the review is completed, add the new CloudFormation stack to the repository for the developers to use.

Answer: B

NEW QUESTION 8
A Security Architect has been asked to review an existing security architecture and identify why the application servers cannot successfully initiate a connection to the database servers. The following summary describes the architecture:
* 1. An Application Load Balancer, an internet gateway, and a NAT gateway are configured in the public subnet.
* 2. Database, application, and web servers are configured on three different private subnets.
* 3. The VPC has two route tables: one for the public subnet and one for all other subnets. The route table for the public subnet has a 0.0.0.0/0 route to the internet gateway. The route table for all other subnets has a 0.0.0.0/0 route to the NAT gateway. All private subnets can route to each other.
* 4. Each subnet has a network ACL implemented that limits all inbound and outbound connectivity to only the required ports and protocols.
* 5. There are three security groups (SGs): database, application, and web. Each group limits all inbound and outbound connectivity to the minimum required.
Which of the following accurately reflects the access control mechanisms the Architect should verify?

  • A. Outbound SG configuration on database servers; inbound SG configuration on application servers; inbound and outbound network ACL configuration on the database subnet; inbound and outbound network ACL configuration on the application server subnet.
  • B. Inbound SG configuration on database servers; outbound SG configuration on application servers; inbound and outbound network ACL configuration on the database subnet; inbound and outbound network ACL configuration on the application server subnet.
  • C. Inbound and outbound SG configuration on database servers; inbound and outbound SG configuration on application servers; inbound network ACL configuration on the database subnet; outbound network ACL configuration on the application server subnet.
  • D. Inbound SG configuration on database servers; outbound SG configuration on application servers; inbound network ACL configuration on the database subnet; outbound network ACL configuration on the application server subnet.

Answer: A

Explanation:
This is the accurate reflection of the access control mechanisms that the Architect should verify. Access control mechanisms are methods that regulate who can access which resources and how. Security groups and network ACLs are two types of access control mechanisms that apply to EC2 instances and subnets respectively. Security groups are stateful: the return traffic for a connection that a rule allowed is permitted automatically, regardless of the rules in the other direction. Network ACLs are stateless: return traffic is not tracked and must be explicitly allowed by a rule in the opposite direction. Security groups and network ACLs can have inbound and outbound rules that specify the source or destination, protocol, and port of the traffic. By verifying the outbound security group configuration on the database servers, the inbound security group configuration on the application servers, and the inbound and outbound network ACL configuration on both the database and application server subnets, the Architect can check for misconfigurations or conflicts that prevent the application servers from initiating a connection to the database servers. The other options are either inaccurate or incomplete for verifying the access control mechanisms.

NEW QUESTION 9
A company wants to receive an email notification about critical findings in AWS Security Hub. The company does not have an existing architecture that supports this functionality.
Which solution will meet the requirement?

  • A. Create an AWS Lambda function to identify critical Security Hub findings.
  • B. Create an Amazon Simple Notification Service (Amazon SNS) topic as the target of the Lambda function.
  • C. Subscribe an email endpoint to the SNS topic to receive published messages.
  • D. Create an Amazon Kinesis Data Firehose delivery stream.
  • E. Integrate the delivery stream with Amazon EventBridge.
  • F. Create an EventBridge rule that has a filter to detect critical Security Hub findings.
  • G. Configure the delivery stream to send the findings to an email address.
  • H. Create an Amazon EventBridge rule to detect critical Security Hub findings.
  • I. Create an Amazon Simple Notification Service (Amazon SNS) topic as the target of the EventBridge rule.
  • J. Subscribe an email endpoint to the SNS topic to receive published messages.
  • K. Create an Amazon EventBridge rule to detect critical Security Hub findings.
  • L. Create an Amazon Simple Email Service (Amazon SES) topic as the target of the EventBridge rule.
  • M. Use the Amazon SES API to format the message.
  • N. Choose an email address to be the recipient of the message.

Answer: C

Explanation:
This solution meets the requirement of receiving an email notification about critical findings in AWS Security Hub. Amazon EventBridge is a serverless event bus that can receive events from AWS services and third-party sources, and route them to targets based on rules and filters. Amazon SNS is a fully managed pub/sub service that can send messages to various endpoints, such as email, SMS, mobile push, and HTTP. By creating an EventBridge rule that detects critical Security Hub findings and sends them to an SNS topic, the company can leverage the existing integration between these services and avoid writing custom code or managing servers. By subscribing an email endpoint to the SNS topic, the company can receive published messages in their inbox.

NEW QUESTION 10
A company's Security Engineer is copying all application logs to centralized Amazon S3 buckets. Currently, each of the company's applications is in its own AWS account, and logs are pushed into S3 buckets associated with each account. The Engineer will deploy an AWS Lambda function into each account that copies the relevant log files to the centralized S3 bucket.
The Security Engineer is unable to access the log files in the centralized S3 bucket. The Engineer's IAM user policy from the centralized account looks like this:
[Exhibit: the Engineer's IAM user policy; image not reproduced in this extract]
The centralized S3 bucket policy looks like this:
[Exhibit: the centralized S3 bucket policy; image not reproduced in this extract]
Why is the Security Engineer unable to access the log files?

  • A. The S3 bucket policy does not explicitly allow the Security Engineer access to the objects in the bucket.
  • B. The object ACLs are not being updated to allow the users within the centralized account to access the objects.
  • C. The Security Engineer's IAM policy does not grant permissions to read objects in the S3 bucket.
  • D. The s3:PutObject and s3:PutObjectAcl permissions should be applied at the S3 bucket level.

Answer: C

NEW QUESTION 11
A company is running its workloads in a single AWS Region and uses AWS Organizations. A security engineer must implement a solution to prevent users from launching resources in other Regions.
Which solution will meet these requirements with the LEAST operational overhead?

  • A. Create an IAM policy that has an aws:RequestedRegion condition that allows actions only in the designated Region. Attach the policy to all users.
  • B. Create an IAM policy that has an aws:RequestedRegion condition that denies actions that are not in the designated Region. Attach the policy to the AWS account in AWS Organizations.
  • C. Create an IAM policy that has an aws:RequestedRegion condition that allows the desired actions. Attach the policy only to the users who are in the designated Region.
  • D. Create an SCP that has an aws:RequestedRegion condition that denies actions that are not in the designated Region.
  • E. Attach the SCP to the AWS account in AWS Organizations.

Answer: D

Explanation:
Although you can use an IAM policy to prevent users from launching resources in other Regions, the best practice is to use an SCP when using AWS Organizations. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_general.htm

NEW QUESTION 12
Developers in an organization have moved from a standard application deployment to containers. The Security Engineer is tasked with ensuring that the containers are secure. Which strategies will reduce the attack surface and enhance the security of the containers? (Select TWO.)

  • A. Use the containers to automate security deployments.
  • B. Limit resource consumption (CPU, memory), networking connections, ports, and unnecessary container libraries.
  • C. Segregate containers by host, function, and data classification.
  • D. Use Docker Notary framework to sign task definitions.
  • E. Enable container breakout at the host kernel.

Answer: AC

Explanation:
These are the strategies that can reduce the attack surface and enhance the security of the containers. Containers are a method of packaging and running applications in isolated environments. Using containers to automate security deployments can help ensure that security patches and updates are applied consistently and quickly across the container fleet. Segregating containers by host, function, and data classification can help limit the impact of a compromise and enforce the principle of least privilege. The other options are either irrelevant or risky for securing containers.

NEW QUESTION 13
A company is attempting to conduct forensic analysis on an Amazon EC2 instance, but the company is unable to connect to the instance by using AWS Systems Manager Session Manager. The company has installed AWS Systems Manager Agent (SSM Agent) on the EC2 instance.
The EC2 instance is in a subnet in a VPC that does not have an internet gateway attached. The company has associated a security group with the EC2 instance. The security group does not have inbound or outbound rules. The subnet's network ACL allows all inbound and outbound traffic.
Which combination of actions will allow the company to conduct forensic analysis on the EC2 instance without compromising forensic data? (Select THREE.)

  • A. Update the EC2 instance security group to add a rule that allows outbound traffic on port 443 for 0.0.0.0/0.
  • B. Update the EC2 instance security group to add a rule that allows inbound traffic on port 443 to the VPC's CIDR range.
  • C. Create an EC2 key pair.
  • D. Associate the key pair with the EC2 instance.
  • E. Create a VPC interface endpoint for Systems Manager in the VPC where the EC2 instance is located.
  • F. Attach a security group to the VPC interface endpoint.
  • G. Allow inbound traffic on port 443 to the VPC's CIDR range.
  • H. Create a VPC interface endpoint for the EC2 instance in the VPC where the EC2 instance is located.

Answer: BCF

NEW QUESTION 14
A company is building an application on AWS that will store sensitive information. The company has a support team with access to the IT infrastructure, including databases. The company's security engineer must introduce measures to protect the sensitive data against any data breach while minimizing management overhead. The credentials must be regularly rotated.
What should the security engineer recommend?

  • A. Enable Amazon RDS encryption to encrypt the database and snapshots.
  • B. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instances.
  • C. Include the database credential in the EC2 user data field.
  • D. Use an AWS Lambda function to rotate database credentials.
  • E. Set up TLS for the connection to the database.
  • F. Install a database on an Amazon EC2 instance.
  • G. Enable third-party disk encryption to encrypt Amazon Elastic Block Store (Amazon EBS) volumes.
  • H. Store the database credentials in AWS CloudHSM with automatic rotation.
  • I. Set up TLS for the connection to the database.
  • J. Enable Amazon RDS encryption to encrypt the database and snapshots.
  • K. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instances.
  • L. Store the database credentials in AWS Secrets Manager with automatic rotation.
  • M. Set up TLS for the connection to the RDS hosted database.
  • N. Set up an AWS CloudHSM cluster with AWS Key Management Service (AWS KMS) to store KMS keys.
  • O. Set up Amazon RDS encryption using AWS KMS to encrypt the database.
  • P. Store the database credentials in AWS Systems Manager Parameter Store with automatic rotation.
  • Q. Set up TLS for the connection to the RDS hosted database.

Answer: C

NEW QUESTION 15
A company needs complete encryption of the traffic between external users and an application. The company hosts the application on a fleet of Amazon EC2 instances that run in an Auto Scaling group behind an Application Load Balancer (ALB).
How can a security engineer meet these requirements?

  • A. Create a new Amazon-issued certificate in AWS Secrets Manager.
  • B. Export the certificate from Secrets Manager.
  • C. Import the certificate into the ALB and the EC2 instances.
  • D. Create a new Amazon-issued certificate in AWS Certificate Manager (ACM). Associate the certificate with the ALB.
  • E. Export the certificate from ACM.
  • F. Install the certificate on the EC2 instances.
  • G. Import a new third-party certificate into AWS Identity and Access Management (IAM). Export the certificate from IAM.
  • H. Associate the certificate with the ALB and the EC2 instances.
  • I. Import a new third-party certificate into AWS Certificate Manager (ACM). Associate the certificate with the ALB.
  • J. Install the certificate on the EC2 instances.

Answer: D

Explanation:
The correct answer is D. Import a new third-party certificate into AWS Certificate Manager (ACM). Associate the certificate with the ALB. Install the certificate on the EC2 instances.
This answer is correct because it meets the requirement of complete encryption of the traffic between external users and the application. By importing a third-party certificate into ACM, the security engineer can use it to secure the communication between the ALB and the clients. By installing the same certificate on the EC2 instances, the security engineer can also secure the communication between the ALB and the instances. This way, both the front-end and back-end connections are encrypted with SSL/TLS [1].
The other options are incorrect because:
  • A. Creating a new Amazon-issued certificate in AWS Secrets Manager is not a solution, because AWS Secrets Manager is not a service for issuing certificates, but for storing and managing secrets such as database credentials and API keys [2]. AWS Secrets Manager does not integrate with ALB or EC2 for certificate deployment.
  • B. Creating a new Amazon-issued certificate in AWS Certificate Manager (ACM) and exporting it from ACM is not a solution, because ACM does not allow exporting Amazon-issued certificates [3]. ACM only allows exporting private certificates that are issued by an AWS Private Certificate Authority (CA) [4].
  • C. Importing a new third-party certificate into AWS Identity and Access Management (IAM) is not a solution, because IAM is not a service for managing certificates, but for controlling access to AWS resources [5]. IAM does not integrate with ALB or EC2 for certificate deployment.
References:
[1] How SSL/TLS works
[2] What is AWS Secrets Manager?
[3] Exporting an ACM Certificate
[4] Exporting Private Certificates from ACM
[5] What is IAM?

NEW QUESTION 16
A company is developing a highly resilient application to be hosted on multiple Amazon EC2 instances. The application will store highly sensitive user data in Amazon RDS tables.
The application must:
• Include migration to a different AWS Region in the application disaster recovery plan.
• Provide a full audit trail of encryption key administration events.
• Allow only company administrators to administer keys.
• Protect data at rest using application layer encryption.
A Security Engineer is evaluating options for encryption key management.
Why should the Security Engineer choose AWS CloudHSM over AWS KMS for encryption key management in this situation?

  • A. The key administration event logging generated by CloudHSM is significantly more extensive than that of AWS KMS.
  • B. CloudHSM ensures that only company support staff can administer encryption keys, whereas AWS KMS allows AWS staff to administer keys.
  • C. The ciphertext produced by CloudHSM provides more robust protection against brute force decryption attacks than the ciphertext produced by AWS KMS.
  • D. CloudHSM provides the ability to copy keys to a different Region, whereas AWS KMS does not.

Answer: B

Explanation:
CloudHSM allows full control of your keys, including symmetric (AES), asymmetric (RSA), SHA-256, SHA-512, hash-based, and digital signature (RSA) operations. On the other hand, AWS Key Management Service is a multi-tenant key store that is owned and managed by AWS [1].
References:
[1] What are the differences between AWS CloudHSM and KMS?

NEW QUESTION 17
A company purchased a subscription to a third-party cloud security scanning solution that integrates with AWS Security Hub. A security engineer needs to implement a solution that will remediate the findings from the third-party scanning solution automatically.
Which solution will meet this requirement?

  • A. Set up an Amazon EventBridge rule that reacts to new Security Hub findings. Configure an AWS Lambda function as the target for the rule to remediate the findings.
  • B. Set up a custom action in Security Hub. Configure the custom action to call AWS Systems Manager Automation runbooks to remediate the findings.
  • C. Set up a custom action in Security Hub. Configure an AWS Lambda function as the target for the custom action to remediate the findings.
  • D. Set up AWS Config rules to use AWS Systems Manager Automation runbooks to remediate the findings.

Answer: A

NEW QUESTION 18
A developer is building a serverless application hosted on AWS that uses Amazon Redshift as a data store. The application has separate modules for read/write and read-only functionality. The modules need their own database users for compliance reasons.
Which combination of steps should a security engineer implement to grant appropriate access? (Select TWO.)

  • A. Configure cluster security groups for each application module to control access to database users that are required for read-only and read/write.
  • B. Configure a VPC endpoint for Amazon Redshift. Configure an endpoint policy that maps database users to each application module, and allow access to the tables that are required for read-only and read/write.
  • C. Configure an IAM policy for each module. Specify the ARN of an Amazon Redshift database user that allows the GetClusterCredentials API call.
  • D. Create local database users for each module.
  • E. Configure an IAM policy for each module. Specify the ARN of an IAM user that allows the GetClusterCredentials API call.

Answer: A

Explanation:
To grant appropriate access to separate modules for read/write and read-only functionality in a serverless application hosted on AWS that uses Amazon Redshift as a data store, a security engineer should configure cluster security groups for each application module to control access to the database users that are required for read-only and read/write, and configure an IAM policy for each module specifying the ARN of an IAM user that allows the GetClusterCredentials API call.
References: Amazon Redshift - Amazon Web Services; Identity and Access Management - AWS Management Console

NEW QUESTION 19
A company has an application that uses an Amazon RDS PostgreSQL database. The company is developing an application feature that will store sensitive information for an individual in the database.
During a security review of the environment, the company discovers that the RDS DB instance is not encrypting data at rest. The company needs a solution that will provide encryption at rest for all the existing data and for any new data that is entered for an individual.
Which combination of options can the company use to meet these requirements? (Select TWO.)

  • A. Create a snapshot of the DB instance.
  • B. Copy the snapshot to a new snapshot, and enable encryption for the copy process.
  • C. Use the new snapshot to restore the DB instance.
  • D. Modify the configuration of the DB instance by enabling encryption.
  • E. Create a snapshot of the DB instance.
  • F. Use the snapshot to restore the DB instance.
  • G. Use IAM Key Management Service (IAM KMS) to create a new default IAM managed aws/rds key. Select this key as the encryption key for operations with Amazon RDS.
  • H. Use IAM Key Management Service (IAM KMS) to create a new CMK.
  • I. Select this key as the encryption key for operations with Amazon RDS.
  • J. Create a snapshot of the DB instance.
  • K. Enable encryption on the snapshot. Use the snapshot to restore the DB instance.

Answer: CE

NEW QUESTION 20
......

P.S. Thedumpscentre.com now are offering 100% pass ensure AWS-Certified-Security-Specialty dumps! All AWS-Certified-Security-Specialty exam questions have been updated with correct answers: https://www.thedumpscentre.com/AWS-Certified-Security-Specialty-dumps/ (372 New Questions)