AWS_CERTIFIED_SECURITY_SPECIALTY questions • Exam prepare

amazon AWS_CERTIFIED_SECURITY_SPECIALTY

Exam contains 509 questions

Page 24 of 85

Question 139 🔥

A company hosts business-critical applications on Amazon EC2 instances in a VPC. The VPC uses default DHCP options sets. A security engineer needs to log all DNS queries that internal resources make in the VPC. The security engineer also must create a list of the most common DNS queries over time.Which solution will meet these requirements?

Which database solution meets these requirements?

A. Install the Amazon CloudWatch agent on each EC2 instance in the VPC. Use the CloudWatch agent to stream the DNS query logs to an Amazon CloudWatch Logs log group. Use CloudWatch metric filters to automatically generate metrics that list the most common DNS queries.

B. Install a BIND DNS server in the VPC. Create a bash script to list the DNS request number of common DNS queries from the BIND logs.

C. Create VPC flow logs for all subnets in the VPStream the flow logs to an Amazon CloudWatch Logs log group. Use CloudWatch Logs Insights to list the most common DNS queries for the log group in a custom dashboard.

D. Configure Amazon Route 53 Resolver query logging. Add an Amazon CloudWatch Logs log group as the destination. Use Amazon CloudWatch Contributor Insights to analyze the data and create time series that display the most common DNS queries.

Highly voted

Discussion of the question

Question 140 🔥

A security engineer is trying to use Amazon EC2 Image Builder to create an image of an EC2 instance. The security engineer has configured the pipeline to send logs to an Amazon S3 bucket. When the security engineer runs the pipeline, the build fails with the following error: “AccessDenied: Access Denied status code: 403”.The security engineer must resolve the error by implementing a solution that complies with best practices for least privilege access.Which combination of steps will meet these requirements? (Choose two.)

Which database solution meets these requirements?

A. Ensure that the following policies are attached to the IAM role that the security engineer is using: EC2InstanceProfileForImageBuilder, EC2InstanceProfileForImageBuilderECRContainerBuilds, and AmazonSSMManagedInstanceCore.

B. Ensure that the following policies are attached to the instance profile for the EC2 instance: EC2InstanceProfileForImageBuilder, EC2InstanceProfileForImageBuilderECRContainerBuilds, and AmazonSSMManagedInstanceCore.

Highly voted

C. Ensure that the AWSImageBuilderFullAccess policy is attached to the instance profile for the EC2 instance.

D. Ensure that the security engineer’s IAM role has the s3:PutObject permission for the S3 bucket.

E. Ensure that the instance profile for the EC2 instance has the s3:PutObject permission for the S3 bucket.

Highly voted

Discussion of the question

Question 141 🔥

A company released a new software-as-a-service (SaaS) application that is receiving significant adoption by end users. The rds-storage-encrypted AWS Config managed rule generates an alert that notifies the company’s security team about a resource that is not compliant. The noncompliant resource is an Amazon RDS for MySQL database that was deployed as part of the newly released application.How can the security team resolve the noncompliance with the LEAST disruption of application availability for the end users?

Which database solution meets these requirements?

A. Use AWS Database Migration Service (AWS DMS) with full load and change data capture (CDC) between the noncompliant database and a new database with storage encrypted. When full load is finished, cut over any application endpoints to the new encrypted database.

Highly voted

B. Create a snapshot of the noncompliant DB instance. Make a copy of the snapshot in the same AWS Region with encryption configured. Restore the snapshot as a new DB instance. Cut over any application endpoints to the newly restored database.

C. Deploy a patch to the application to stop writing to the noncompliant database. Enable storage encryption by using the AWS CLI. Patch the application again to restore writing to the database.

D. Add a read replica to the noncompliant DB instance. Enable storage encryption on the read replica. When the read replica is available, cut over from the writer DB instance to the read replica. Delete the unencrypted DB instance after the cutover.

Discussion of the question

Question 142 🔥

A company is using Amazon Macie, AWS Firewall Manager, Amazon Inspector, and AWS Shield Advanced in its AWS account. The company wants to receive alerts if a DDoS attack occurs against the account.Which solution will meet this requirement?

Which database solution meets these requirements?

A. Use Macie to detect an active DDoS event. Create Amazon CloudWatch alarms that respond to Macie findings.

B. Use Amazon Inspector to review resources and to invoke Amazon CloudWatch alarms for any resources that are vulnerable to DDoS attacks.

C. Create an Amazon CloudWatch alarm that monitors Firewall Manager metrics for an active DDoS event.

D. Create an Amazon CloudWatch alarm that monitors Shield Advanced metrics for an active DDoS event.

Highly voted

Discussion of the question

Question 143 🔥

A company has multiple departments. Each department has its own AWS account. All these accounts belong to the same organization in AWS Organizations.A large .csv file is stored in an Amazon S3 bucket in the sales department's AWS account. The company wants to allow users from the other accounts to access the .csv file’s content through the combination of AWS Glue and Amazon Athena. However, the company does not want to allow users from the other accounts to access other files in the same folder.Which solution will meet these requirements?

Which database solution meets these requirements?

A. Apply a user policy in the other accounts to allow AWS Glue and Athena to access the .csv file.

B. Use S3 Select to restrict access to the .csv file. In AWS Glue Data Catalog, use S3 Select as the source of the AWS Glue database.

C. Define an AWS Glue Data Catalog resource policy in AWS Glue to grant cross-account S3 object access to the .csv file.

Highly voted

D. Grant AWS Glue access to Amazon S3 in a resource-based policy that specifies the organization as the principal.

Discussion of the question

Question 144 🔥

Which of the following minimizes the potential attack surface for applications?

Which database solution meets these requirements?

A. Use security groups to provide stateful firewalls for Amazon EC2 instances at the hypervisor level.

Highly voted

B. Use network ACLs to provide stateful firewalls at the VPC level to prevent access to any specific AWS resource.

C. Use AWS Direct Connect for secure trusted connections between EC2 instances within private subnets.

D. Design network security in a single layer within the perimeter network (also known as DMZ, demilitarized zone, and screened subnet) to facilitate quicker responses to threats.

Discussion of the question

Ready to Pass Your Certification Test

amazon AWS_CERTIFIED_SECURITY_SPECIALTY

Exam contains 509 questions

Lorem ipsum dolor sit amet consectetur. Eget sed turpis aenean sit aenean. Integer at nam ullamcorper a.

Company

Product

Resources

Follow us