An organization plans to deploy a three-tier web application where application servers run on Amazon EC2 instances. These instances need access to credentials to authenticate their SQL connections to an Amazon RDS DB instance. AWS Lambda functions must also query the RDS database using the same database credentials. These credentials must be stored in such a way that only the EC2 instances and Lambda functions can access them. Access logs should record the access times and actors. What should the Security Engineer do to fulfill these requirements?
An organization plans to deploy a three-tier web application where application servers run on Amazon EC2 instances. These instances need access to credentials to authenticate their SQL connections to an Amazon RDS DB instance. AWS Lambda functions must also query the RDS database using the same database credentials. These credentials must be stored in such a way that only the EC2 instances and Lambda functions can access them. Access logs should record the access times and actors. What should the Security Engineer do to fulfill these requirements?
A risk assessment identifies a potential threat from an internal actor who might exploit sensitive data from a production server, Server X, running within AWS Account 1. The malicious actor could manipulate credentials for an AWS account (Account 2) under their control and upload sensitive data to their Amazon S3 bucket. Server X needs legitimate access to S3 to upload encrypted files via a proxy server, which is blind to server communication due to TLS encryption. What mitigation measures can be taken to alleviate this threat? (Choose two.)
A risk assessment identifies a potential threat from an internal actor who might exploit sensitive data from a production server, Server X, running within AWS Account 1. The malicious actor could manipulate credentials for an AWS account (Account 2) under their control and upload sensitive data to their Amazon S3 bucket. Server X needs legitimate access to S3 to upload encrypted files via a proxy server, which is blind to server communication due to TLS encryption. What mitigation measures can be taken to alleviate this threat? (Choose two.)
You are the Security Engineer for a water utility company which deploys a fleet of 2,000 IoT devices for water quality monitoring. Each device has unique access credentials and the company policy necessitates independently auditable access to these credentials. Taking into account the operational costs, which AWS service would you employ to manage the storage of these credentials?
You are the Security Engineer for a water utility company which deploys a fleet of 2,000 IoT devices for water quality monitoring. Each device has unique access credentials and the company policy necessitates independently auditable access to these credentials. Taking into account the operational costs, which AWS service would you employ to manage the storage of these credentials?
As a Security Engineer for a company using Amazon CloudWatch Logs, you notice some Linux EC2 instances are not logging data despite the correct configuration. Which steps would be most effective to identify the cause of the missing logs? (Choose two.)
As a Security Engineer for a company using Amazon CloudWatch Logs, you notice some Linux EC2 instances are not logging data despite the correct configuration. Which steps would be most effective to identify the cause of the missing logs? (Choose two.)
As a Systems Engineer, you are required to configure an outbound mail operation via AWS Simple Email Service (SES) that is compliant with current Transport Layer Security (TLS) standards. Which endpoint and corresponding port should your mail application connect to for this task?
As a Systems Engineer, you are required to configure an outbound mail operation via AWS Simple Email Service (SES) that is compliant with current Transport Layer Security (TLS) standards. Which endpoint and corresponding port should your mail application connect to for this task?
As a Security Engineer, you have recently executed a new vault lock policy for 10TB of data in Amazon S3 Glacier. However, 12 hours after initiating the vault-lock operation, the audit team discovers a typo in the policy which has inadvertently granted unintended access to the vault. What is the most cost-effective solution to rectify this?
As a Security Engineer, you have recently executed a new vault lock policy for 10TB of data in Amazon S3 Glacier. However, 12 hours after initiating the vault-lock operation, the audit team discovers a typo in the policy which has inadvertently granted unintended access to the vault. What is the most cost-effective solution to rectify this?
You are a Security Analyst investigating an incident of potential unauthorized access to AWS resources by a former employee in the last quarter. The former employee is suspected of having used a specific access key. Which method would best support your investigation to uncover the actions performed by this user within AWS?
You are a Security Analyst investigating an incident of potential unauthorized access to AWS resources by a former employee in the last quarter. The former employee is suspected of having used a specific access key. Which method would best support your investigation to uncover the actions performed by this user within AWS?
Your company plans to store sensitive documents in three Amazon S3 buckets corresponding to data classification levels of Sensitive, Confidential, and Restricted. The security setup must ensure that each object is encrypted with a unique key. Items in the Restricted bucket require two-factor authentication for decryption, and AWS KMS must auto-rotate the encryption keys every year. Which solution would meet these requirements?
Your company plans to store sensitive documents in three Amazon S3 buckets corresponding to data classification levels of Sensitive, Confidential, and Restricted. The security setup must ensure that each object is encrypted with a unique key. Items in the Restricted bucket require two-factor authentication for decryption, and AWS KMS must auto-rotate the encryption keys every year. Which solution would meet these requirements?
Your company's compliance policy mandates that all traffic between on-premises hosts and EC2 instances must be encrypted while in transit. Custom proprietary protocols are utilized for communication and the EC2 instances must be placed behind a load balancer for enhanced availability. Which solution would comply with these requirements?
Your company's compliance policy mandates that all traffic between on-premises hosts and EC2 instances must be encrypted while in transit. Custom proprietary protocols are utilized for communication and the EC2 instances must be placed behind a load balancer for enhanced availability. Which solution would comply with these requirements?
An application is secured using network access control lists and security groups. Web servers are housed in public subnets behind an Application Load Balancer (ALB); application servers reside in private subnets. How can perimeter security be enhanced to protect the Amazon EC2 instances against attacks? (Choose two.)
An application is secured using network access control lists and security groups. Web servers are housed in public subnets behind an Application Load Balancer (ALB); application servers reside in private subnets. How can perimeter security be enhanced to protect the Amazon EC2 instances against attacks? (Choose two.)
As a Security Administrator, you are tasked with limiting the capabilities of root user accounts in the organization. The organization employs AWS Organizations with all feature sets activated, including consolidated billing. The top-level account is utilized for billing and administrative purposes, not for operational AWS resource activities. How can you restrict the usage of member root user accounts across the organization?
As a Security Administrator, you are tasked with limiting the capabilities of root user accounts in the organization. The organization employs AWS Organizations with all feature sets activated, including consolidated billing. The top-level account is utilized for billing and administrative purposes, not for operational AWS resource activities. How can you restrict the usage of member root user accounts across the organization?
A company possesses a customer master key (CMK) with imported key materials. Company policy demands that all encryption keys undergo rotation every year. How can the company implement this policy?
A company possesses a customer master key (CMK) with imported key materials. Company policy demands that all encryption keys undergo rotation every year. How can the company implement this policy?