- (Exam Topic 3)
An Incident Response team is investigating an AWS access key leak that resulted in Amazon EC2 instances being launched. The company did not discover the incident until many months later The Director of Information Security wants to implement new controls that will alert when similar incidents happen in the future
Which controls should the company implement to achieve this? {Select TWO.)

1. A. Enable VPC Flow Logs in all VPCs Create a scheduled AWS Lambda function that downloads and parses the logs, and sends an Amazon SNS notification for violations.
2. B. Use AWS CloudTrail to make a trail, and apply it to all Regions Specify an Amazon S3 bucket to receive all the CloudTrail log files
3. C. Add the following bucket policy to the company's AWS CloudTrail bucket to prevent log tampering{"Version": "2012-10-17-,"Statement": { "Effect": "Deny","Action": "s3:PutObject", "Principal": "-","Resource": "arn:aws:s3:::cloudtrail/AWSLogs/111122223333/*"}}Create an Amazon S3 data event for an PutObject attempts, which sends notifications to an Amazon SNS topic.
4. D. Create a Security Auditor role with permissions to access Amazon CloudWatch Logs m all Regions Ship the logs to an Amazon S3 bucket and make a lifecycle policy to ship the logs to Amazon S3 Glacier.
5. E. Verify that Amazon GuardDuty is enabled in all Regions, and create an Amazon CloudWatch Events rule for Amazon GuardDuty findings Add an Amazon SNS topic as the rule's target

Correct Answer: AE

- (Exam Topic 2)
You want to get a list of vulnerabilities for an EC2 Instance as per the guidelines set by the Center of Internet Security. How can you go about doing this?
Please select:

1. A. Enable AWS Guard Duty for the Instance
2. B. Use AWS Trusted Advisor
3. C. Use AWS inspector
4. D. UseAWSMacie

Correct Answer: C
The AWS Inspector service can inspect EC2 Instances based on specific Rules. One of the rules packages is based on the guidelines set by the Center of Internet Security
Center for Internet security (CIS) Benchmarks
The CIS Security Benchmarks program provides well-defined, un-biased and consensus-based industry best practices to help organizations assess and improve their security. Amazon Web Services is a CIS Security Benchmarks Member company and the list of Amazon Inspector certifications can be viewed nere.
Option A is invalid because this can be used to protect an instance but not give the list of vulnerabilities Options B and D are invalid because these services cannot give a list of vulnerabilities For more information
on the guidelines, please visit the below URL:
* https://docs.aws.amazon.com/inspector/latest/userguide/inspector_cis.html The correct answer is: Use AWS Inspector
Submit your Feedback/Queries to our Experts

- (Exam Topic 2)
A water utility company uses a number of Amazon EC2 instances to manage updates to a fleet of 2,000 Internet of Things (IoT) field devices that monitor water quality. These devices each have unique access credentials.
An operational safety policy requires that access to specific credentials is independently auditable. What is the MOST cost-effective way to manage the storage of credentials?

1. A. Use AWS Systems Manager to store the credentials as Secure Strings Parameter
2. B. Secure by using an AWS KMS key.
3. C. Use AWS Key Management System to store a master key, which is used to encrypt the credential
4. D. The encrypted credentials are stored in an Amazon RDS instance.
5. E. Use AWS Secrets Manager to store the credentials.
6. F. Store the credentials in a JSON file on Amazon S3 with server-side encryption.

Correct Answer: A
https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-store-advanced-parameters.html

- (Exam Topic 3)
A company is undergoing a layer 3 and layer 4 DDoS attack on its web servers running on AWS.
Which combination of AWS services and features will provide protection in this scenario? (Select THREE).

1. A. Amazon Route 53
2. B. AWS Certificate Manager (ACM)
3. C. Amazon S3
4. D. AWS Shield
5. E. Elastic Load Balancer
6. F. Amazon GuardDuty

Correct Answer: DEF

- (Exam Topic 2)
An application outputs logs to a text file. The logs must be continuously monitored for security incidents.
Which design will meet the requirements with MINIMUM effort?

1. A. Create a scheduled process to copy the component’s logs into Amazon S3. Use S3 events to trigger a Lambda function that updates Amazon CloudWatch metrics with the log dat
2. B. Set up CloudWatch alerts based on the metrics.
3. C. Install and configure the Amazon CloudWatch Logs agent on the application’s EC2 instanc
4. D. Create a CloudWatch metric filter to monitor the application log
5. E. Set up CloudWatch alerts based on the metrics.
6. F. Create a scheduled process to copy the application log files to AWS CloudTrai
7. G. Use S3 events to trigger Lambda functions that update CloudWatch metrics with the log dat
8. H. Set up CloudWatch alerts based on the metrics.
9. I. Create a file watcher that copies data to Amazon Kinesis when the application writes to the log file.Have Kinesis trigger a Lambda function to update Amazon CloudWatch metrics with the log dat
10. J. Set up CloudWatch alerts based on the metrics.

Correct Answer: B
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/QuickStartEC2Instance.html