- (Exam Topic 3)
A company uses Amazon RDS for MySQL as a database engine for its applications. A recent security audit revealed an RDS instance that is not compliant with company policy for encrypting data at rest. A security engineer at the company needs to ensure that all existing RDS databases are encrypted using server-side encryption and that any future deviations from the policy are detected.
Which combination of steps should the security engineer take to accomplish this? (Select TWO.)

1. A. Create an AWS Config rule to detect the creation of unencrypted RDS database
2. B. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to trigger on the AWS Config rules compliance state change and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.
3. C. Use AWS System Manager State Manager to detect RDS database encryption configuration drif
4. D. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to track state changes and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.
5. E. Create a read replica for the existing unencrypted RDS database and enable replica encryption in the proces
6. F. Once the replica becomes active, promote it into a standalone database instance and terminate the unencrypted database instance.
7. G. Take a snapshot of the unencrypted RDS databas
8. H. Copy the snapshot and enable snapshot encryption in the proces
9. I. Restore the database instance from the newly created encrypted snapsho
10. J. Terminate the unencrypted database instance.
11. K. Enable encryption for the identified unencrypted RDS instance by changing the configurations of the existing database

Correct Answer: AD

- (Exam Topic 2)
A Systems Engineer has been tasked with configuring outbound mail through Simple Email Service (SES) and requires compliance with current TLS standards.
The mail application should be configured to connect to which of the following endpoints and corresponding ports?

1. A. email.us-east-1.amazonaws.com over port 8080
2. B. email-pop3.us-east-1.amazonaws.com over port 995
3. C. email-smtp.us-east-1.amazonaws.com over port 587
4. D. email-imap.us-east-1.amazonaws.com over port 993

Correct Answer: C
https://docs.aws.amazon.com/ses/latest/DeveloperGuide/smtp-connect.html

- (Exam Topic 3)
Your application currently use AWS Cognito for authenticating users. Your application consists of different types of users. Some users are only allowed read access to the application and others are given contributor access. How wou you manage the access effectively?
Please select:

1. A. Create different cognito endpoints, one for the readers and the other for the contributors.
2. B. Create different cognito groups, one for the readers and the other for the contributors.
3. C. You need to manage this within the application itself
4. D. This needs to be managed via Web security tokens

Correct Answer: B
The AWS Documentation mentions the following
You can use groups to create a collection of users in a user pool, which is often done to set the permissions for those users. For example, you can create separate groups for users who are readers, contributors, and editors of your website and app.
Option A is incorrect since you need to create cognito groups and not endpoints
Options C and D are incorrect since these would be overheads when you can use AWS Cognito For more information on AWS Cognito user groups please refer to the below Link: https://docs.aws.amazon.com/coenito/latest/developersuide/cognito-user-pools-user-groups.htmll
The correct answer is: Create different cognito groups, one for the readers and the other for the contributors. Submit your Feedback/Queries to our Experts

- (Exam Topic 1)
A company recently performed an annual security assessment of its AWS environment. The assessment showed that audit logs are not available beyond 90 days and that unauthorized changes to IAM policies are made without detection.
How should a security engineer resolve these issues?

1. A. Create an Amazon S3 lifecycle policy that archives AWS CloudTrail trail logs to Amazon S3 Glacier after 90 day
2. B. Configure Amazon Inspector to provide a notification when a policy change is made to resources.
3. C. Configure AWS Artifact to archive AWS CloudTrail logs Configure AWS Trusted Advisor to provide a notification when a policy change is made to resources.
4. D. Configure Amazon CloudWatch to export log groups to Amazon S3. Configure AWS CloudTrail to provide a notification when a policy change is made to resources.
5. E. Create an AWS CloudTrail trail that stores audit logs in Amazon S3. Configure an AWS Config rule to provide a notif cation when a policy change is made to resources.

Correct Answer: A

- (Exam Topic 2)
A Security Engineer is building a Java application that is running on Amazon EC2. The application communicates with an Amazon RDS instance and authenticates with a user name and password.
Which combination of steps can the Engineer take to protect the credentials and minimize downtime when the credentials are rotated? (Choose two.)

1. A. Have a Database Administrator encrypt the credentials and store the ciphertext in Amazon S3. Grant permission to the instance role associated with the EC2 instance to read the object and decrypt the ciphertext.
2. B. Configure a scheduled job that updates the credential in AWS Systems Manager Parameter Store and notifies the Engineer that the application needs to be restarted.
3. C. Configure automatic rotation of credentials in AWS Secrets Manager.
4. D. Store the credential in an encrypted string parameter in AWS Systems Manager Parameter Stor
5. E. Grant permission to the instance role associated with the EC2 instance to access the parameter and the AWS KMS key that is used to encrypt it.
6. F. Configure the Java application to catch a connection failure and make a call to AWS Secrets Manager to retrieve updated credentials when the password is rotate
7. G. Grant permission to the instance role associated with the EC2 instance to access Secrets Manager.

Correct Answer: CE