- (Exam Topic 3)
A company is using Amazon Elastic Container Service (Amazon ECS) to deploy an application that deals with sensitive data During a recent security audit, the company identified a security issue in which Amazon RDS credentials were stored with the application code In the company's source code repository
A security engineer needs to develop a solution to ensure that database credentials are stored securely and rotated periodically. The credentials should be accessible to the application only The engineer also needs to prevent database administrators from sharing database credentials as plaintext with other teammates. The solution must also minimize administrate overhead
Which solution meets these requirements?

1. A. Use the AWS Systems Manager Parameter Store to generate database credential
2. B. Use an 1AM profile for ECS tasks to restrict access to database credentials to specific containers only.
3. C. Use AWS Secrets Manager to store database credential
4. D. Use an 1AM inline policy for ECS tasks to restrict access to database credentials to specific containers only.
5. E. Use the AWS Systems Manager Parameter Store to store database credential
6. F. Use 1AM roles for ECS tasks to restrict access to database credentials lo specific containers only
7. G. Use AWS Secrets Manager to store database credential
8. H. Use 1AM roles for ECS tasks to restrict access to database credentials to specific containers only.

Correct Answer: D

- (Exam Topic 1)
A company has multiple production AWS accounts. Each account has AWS CloudTrail configured to log to a single Amazon S3 bucket in a central account. Two of the production accounts have trails that are not logging anything to the S3 bucket.
Which steps should be taken to troubleshoot the issue? (Choose three.)

1. A. Verify that the log file prefix is set to the name of the S3 bucket where the logs should go.
2. B. Verify that the S3 bucket policy allows access for CloudTrail from the production AWS account IDs.
3. C. Create a new CloudTrail configuration in the account, and configure it to log to the account’s S3 bucket.
4. D. Confirm in the CloudTrail Console that each trail is active and healthy.
5. E. Open the global CloudTrail configuration in the master account, and verify that the storage location is set to the correct S3 bucket.
6. F. Confirm in the CloudTrail Console that the S3 bucket name is set correctly.

Correct Answer: BDF

- (Exam Topic 2)
A Security Engineer discovers that developers have been adding rules to security groups that allow SSH and RDP traffic from 0.0.0.0/0 instead of the organization firewall IP.
What is the most efficient way to remediate the risk of this activity?

1. A. Delete the internet gateway associated with the VPC.
2. B. Use network access control lists to block source IP addresses matching 0.0.0.0/0.
3. C. Use a host-based firewall to prevent access from all but the organization’s firewall IP.
4. D. Use AWS Config rules to detect 0.0.0.0/0 and invoke an AWS Lambda function to update the security group with the organization's firewall IP.

Correct Answer: D

- (Exam Topic 1)
A company has several critical applications running on a large fleet of Amazon EC2 instances. As part of a security operations review, the company needs to apply a critical operating system patch to EC2 instances within 24 hours of the patch becoming available from the operating system vendor. The company does not have a patching solution deployed on AWS, but does have AWS Systems Manager configured. The solution must also minimize administrative overhead.
What should a security engineer recommend to meet these requirements?

1. A. Create an AWS Config rule defining the patch as a required configuration for EC2 instances.
2. B. Use the AWS Systems Manager Run Command to patch affected instances.
3. C. Use an AWS Systems Manager Patch Manager predefined baseline to patch affected instances.
4. D. Use AWS Systems Manager Session Manager to log in to each affected instance and apply the patch.

Correct Answer: B