- (Exam Topic 3)
A company deploys a set of standard IAM roles in AWS accounts. The IAM roles are based on job functions within the company. To balance operational efficiency and security, a security engineer implemented AWS Organizations SCPs to restrict access to critical security services in all company accounts.
All of the company's accounts and OUs within AWS Organizations have a default FullAWSAccess SCP that is attached. The security engineer needs to ensure that no one can disable Amazon GuardDuty and AWS Security Hub. The security engineer also must not override other permissions that are granted by 1AM policies that are defined in the accounts.
Which SCP should the security engineer attach to the root of the organization to meet these requirements?

A)

B)

C)

1. A. Option
2. B. Option
3. C. Option

Correct Answer: C

- (Exam Topic 3)
A company has set up EC2 instances on the AW5 Cloud. There is a need to see all the IP addresses which are accessing the EC2 Instances. Which service can help achieve this?
Please select:

1. A. Use the AWS Inspector service
2. B. Use AWS VPC Flow Logs
3. C. Use Network ACL's
4. D. Use Security Groups

Correct Answer: B
The AWS Documentation mentions the foil
A flow log record represents a network flow in your flow log. Each record captures the network flow for a specific 5-tuple, for a specific capture window. A 5-tuple is a set of five different values that specify the source, destination, and protocol for an internet protocol (IP) flow.
Options A,C and D are all invalid because these services/tools cannot be used to get the the IP addresses which are accessing the EC2 Instances
For more information on VPC Flow Logs please visit the URL https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html
The correct answer is: Use AWS VPC Flow Logs Submit vour Feedback/Queries to our Experts

- (Exam Topic 1)
A Security Engineer is looking for a way to control access to data that is being encrypted under a CMK. The Engineer is also looking to use additional authenticated data (AAD) to prevent tampering with ciphertext.
Which action would provide the required functionality?

1. A. Pass the key alias to AWS KMS when calling Encrypt and Decrypt API actions.
2. B. Use IAM policies to restrict access to Encrypt and Decrypt API actions.
3. C. Use kms:EncryptionContext as a condition when defining IAM policies for the CMK.
4. D. Use key policies to restrict access to the appropriate IAM groups.

Correct Answer: B

- (Exam Topic 2)
An organization receives an alert that indicates that an EC2 instance behind an ELB Classic Load Balancer has been compromised.
What techniques will limit lateral movement and allow evidence gathering?

1. A. Remove the instance from the load balancer and terminate it.
2. B. Remove the instance from the load balancer, and shut down access to the instance by tightening the security group.
3. C. Reboot the instance and check for any Amazon CloudWatch alarms.
4. D. Stop the instance and make a snapshot of the root EBS volume.

Correct Answer: B
https://d1.awsstatic.com/whitepapers/aws_security_incident_response.pdf

- (Exam Topic 3)
A company uses Amazon RDS for MySQL as a database engine for its applications. A recent security audit revealed an RDS instance that is not compliant with company policy for encrypting data at rest. A security engineer at the company needs to ensure that all existing RDS databases are encrypted using server-side encryption and that any future deviations from the policy are detected.
Which combination of steps should the security engineer take to accomplish this? (Select TWO.)

1. A. Create an AWS Config rule to detect the creation of unencrypted RDS database
2. B. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to trigger on the AWS Config rules compliance state change and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.
3. C. Use AWS System Manager State Manager to detect RDS database encryption configuration drif
4. D. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to track state changes and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.
5. E. Create a read replica for the existing unencrypted RDS database and enable replica encryption in the proces
6. F. Once the replica becomes active, promote it into a standalone database instance and terminate the unencrypted database instance.
7. G. Take a snapshot of the unencrypted RDS databas
8. H. Copy the snapshot and enable snapshot encryption in the proces
9. I. Restore the database instance from the newly created encrypted snapsho
10. J. Terminate the unencrypted database instance.
11. K. Enable encryption for the identified unencrypted RDS instance by changing the configurations of the existing database

Correct Answer: AD