Auditors for a health care company have mandated that all data volumes by encrypted at rest. Infrastructure is deployed mainly via AWS CloudFormation: however, third-party frameworks and manual deployment are required on some legacy systems.
What is the BEST way to monitor, on a recurring basis, whether all EBS volumes are encrypted?

A. On a recurring basis, update all IAM user policies to require that EC2 instances are created with an encrypted volume.
B. Configure an AWS Config rule to run on a recurring basis for volume encryption.
C. Set up Amazon Inspector rules for volume encryption to run on a recurring schedule.
D. Use CloudWatch Logs to determine whether instances were created with an encrypted volume.

Developers in an organization have moved from a standard application deployment to containers. The Security Engineer is tasked with ensuring that containers are secure.
Which strategies will reduce the attack surface and enhance the security of the containers? (Choose two.)

A. Use the containers to automate security deployments.
B. Limit resource consumption (CPU, memory), networking connections, ports, and unnecessary container libraries.
C. Segregate container by host, function, and data classification.
D. Use Docker Notary framework to sign task definitions.
E. Enable container breakout at the host kernel.

A Security Architect has been asked to review an existing security architecture and identity why the application servers cannot successfully initiate a connection to the database servers. The following summary describes the architecture:

1. An Application Load Balancer, an internet gateway and a NAT gateway are configured in the pubic subnet.
2. Database, application, and web servers are configured on three different private subnets.
3. The VPC has two route tables: one for the public subnet and one for all other subnets. The route table for the public subnet has a 0.0.0.0/0 route to the internet gateway. The route table for all other subnets has a 0.0.0.0/0 route to the NAT gateway. All private subnets can route to each other.
4. Each subnet has a network ACL implemented that limits all inbound and outbound connectivity to only the required ports and protocols.
5. There are 3 Security Groups (SGs): database, application, and web. Each group limits all inbound and outbound connectivity to the minimum required.

Which of the following accurately reflects the access control mechanisms the Architect should verify?

A. Outbound SG configuration on database servers
Inbound SG configuration on application servers
Inbound and outbound network ACL configuration on the database subnet
Inbound and outbound network ACL configuration on the application server subnet
B. Inbound SG configuration on database servers
Outbound SG configuration on application servers
Inbound and outbound network ACL configuration on the database subnet
Inbound and outbound network ACL configuration on the application server subnet
C. Inbound and outbound SG configuration on database servers
Inbound and outbound SG configuration on application servers
Inbound network ACL configuration on the database subnet
Outbound network ACL configuration on the application server subnet
D. Inbound SG configuration on database servers
Outbound SG configuration on application servers
Inbound network ACL configuration on the database subnet
Outbound network ACL configuration on the application server subnet

A company’s Developers plan to migrate their on-premises applications to Amazon EC2 instances running Amazon Linux AMIs. The applications are accessed by a group of partner companies. The Security Engineer needs to implement the following host-based security measures for these instances:

• Block traffic from documented known bad IP addresses.
• Detect known software vulnerabilities and CIS Benchmarks compliance.

Which solution addresses these requirements?

A. Launch the EC2 instances with an IAM role attached. Include a user data script that uses the AWS CLI to retrieve the list of bad IP addresses from AWS Secrets Manager, and uploads it as a threat list in Amazon GuardDuty. Use Amazon Inspector to scan the instances for known software vulnerabilities and CIS Benchmarks compliance.
B. Launch the EC2 instances with an IAM role attached. Include a user data script that uses the AWS CLI to create NACLs blocking ingress traffic from the known bad IP addresses in the EC2 instance’s subnets. Use AWS Systems Manager to scan the instances for known software vulnerabilities, and AWS Trusted Advisor to check instances for CIS Benchmarks compliance.
C. Launch the EC2 instances with an IAM role attached. Include a user data script that uses the AWS CLI to create and attach security groups that only allow an allow listed source IP address range ingress inbound. Use Amazon Inspector to scan the instances for known software vulnerabilities, and AWS Trusted Advisor to check instances for CIS Benchmarks compliance.
D. Launch the EC2 instances with an IAM role attached. Include a user data script that creates a cron job to periodically retrieve the list of bad IP addresses from Amazon S3, and configures iptables on the instances blocking the list of bad IP addresses. Use Amazon Inspector to scan the instances for known software vulnerabilities and CIS Benchmarks compliance.

A recent security audit found that AWS CloudTrail logs are insufficiently protected from tampering and unauthorized access.
Which actions must the Security Engineer take to access these audit findings? (Choose three.)

A. Ensure CloudTrail log file validation is turned on.
B. Configure an S3 lifecycle rule to periodically archive CloudTrail logs into Glacier for long-term storage.
C. Use an S3 bucket with tight access controls that exists in a separate account.
D. Use Amazon Inspector to monitor the file integrity of CloudTrail log files.
E. Request a certificate through ACM and use a generated certificate private key to encrypt CloudTrail log files.
F. Encrypt the CloudTrail log files with server-side encryption AWS KMS-managed keys (SSE-KMS).

A company is operating an open-source software platform that is internet facing. The legacy software platform no longer receives security updates. The software platform operates using Amazon Route 53 weighted load balancing to send traffic to two Amazon EC2 instances that connect to an Amazon RDS cluster. A recent report suggests this software platform is vulnerable to SQL injection attacks, with samples of attacks provided. The company’s Security Engineer must secure this system against SQL injection attacks within 24 hours. The Security Engineer’s solution must involve the least amount of effort and maintain normal operations during implementation.
What should the Security Engineer do to meet these requirements?

A. Create an Application Load Balancer with the existing EC2 instances as a target group. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the ALB. Test to ensure the vulnerability has been mitigated. Then redirect the Route 53 records to point to the ALB. Update security groups on the EC2 instances to prevent direct access from the internet.
B. Create an Amazon CloudFront distribution specifying one EC2 instance as an origin. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the distribution. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to CloudFront.
C. Obtain the latest source code for the platform and make the necessary updates. Test the updated code to ensure that the vulnerability has been mitigated, then deploy the patched version of the platform to the EC2 instances.
D. Update the security group that is attached to the EC2 instances, removing access from the internet to the TCP port used by the SQL database. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the EC2 instances. Test to ensure the vulnerability has been mitigated, then restore the security group to the original setting.

For compliance reasons, a Security Engineer must produce a weekly report that lists any instance that does not have the latest approved patches applied. The Engineer must also ensure that no system goes more than 30 days without the latest approved updates being applied.
What would be the MOST efficient way to achieve these goals?

A. Use Amazon Inspector to determine which systems do not have the latest patches applied, and after 30 days, redeploy those instances with the latest AMI version.
B. Configure Amazon EC2 Systems Manager to report on instance patch compliance, and enforce updates during the defined maintenance windows.
C. Examine AWS CloudTrail logs to determine whether any instances have not restarted in the last 30 days, and redeploy those instances.
D. Update the AMIs with the latest approved patches, and redeploy each instance during the defined maintenance window.

A company is configuring three Amazon EC2 instances with each instance in a separate Availability Zone. The EC2 instances will be used as transparent proxies for outbound internet traffic for ports 80 and 443 so the proxies can block traffic to certain internet destinations as required by the company’s security policies. A Security Engineer completed the following:

• Set up the proxy software on the EC2 instances.
• Modified the route tables on the private subnets to use the proxy EC2 instances as the default route.
• Created a security group rule opening inbound port 80 and 443 TCP protocols on the proxy EC2 instance security group.

However, the proxy EC2 instances are not successfully forwarding traffic to the internet.
What should the Security Engineer do to make the proxy EC2 instances route traffic to the internet?

A. Put all the proxy EC2 instances in a cluster placement group.
B. Disable source and destination checks on the proxy EC2 instances.
C. Open all inbound ports on the proxy EC2 instance security group.
D. Change the VPC’s DHCP domain-name-servers options set to the IP addresses of proxy EC2 instances.

A Security Engineer signed in to the AWS Management Console as an IAM user and switched to the security role IAM role. To perform a maintenance operation, the Security Engineer needs to switch to the maintainer role IAM role, which lists the security role as a trusted entity. The Security Engineer attempts to switch to the maintainer role, but it fails.
What is the likely cause of the failure?

A. The security role and the maintainer role are not assigned to the IAM user that the Security Engineer used to sign in to the account.
B. The Security Engineer should have logged in as the AWS account root user, which is allowed to assume any role directly.
C. The maintainer role does not include the IAM user as a trusted entity.
D. The security role does not include a statement in its policy to allow an sts:AssumeRole action.

A global company must mitigate and respond to DDoS attacks at Layers 3, 4 and 7. All of the company’s AWS applications are serverless with static content hosted on Amazon S3 using Amazon CloudFront and Amazon Route 53.
Which solution will meet these requirements?

A. Use AWS WAF with an upgrade to the AWS Business support plan.
B. Use AWS Certificate Manager with an Application Load Balancer configured with an origin access identity.
C. Use AWS Shield Advanced.
D. Use AWS WAF to protect AWS Lambda functions encrypted with AWS KMS, and a NACL restricting all ingress traffic.