- (Exam Topic 3)
An ecommerce website was down for 1 hour following a DDoS attack Users were unable to connect to the website during the attack period. The ecommerce company's security team is worried about future potential attacks and wants to prepare for such events The company needs to minimize downtime in its response to similar attacks in the future.
Which steps would help achieve this9 (Select TWO )

1. A. Enable Amazon GuardDuty to automatically monitor for malicious activity and block unauthorized access.
2. B. Subscribe to AWS Shield Advanced and reach out to AWS Support in the event of an attack.
3. C. Use VPC Flow Logs to monitor network: traffic and an AWS Lambda function to automatically block an attacker's IP using security groups.
4. D. Set up an Amazon CloudWatch Events rule to monitor the AWS CloudTrail events in real time use AWS Config rules to audit the configuration, and use AWS Systems Manager for remediation.
5. E. Use AWS WAF to create rules to respond to such attacks

Correct Answer: CE

- (Exam Topic 1)
A company is configuring three Amazon EC2 instances with each instance in a separate Availability Zone. The EC2 instances wilt be used as transparent proxies for outbound internet traffic for ports 80 and 443 so the proxies can block traffic to certain internet destinations as required by the company's security policies. A Security Engineer completed the following:
• Set up the proxy software on the EC2 instances.
• Modified the route tables on the private subnets to use the proxy EC2 instances as the default route.
• Created a security group rule opening inbound port 80 and 443 TCP protocols on the proxy EC2 instance security group.
However, the proxy EC2 instances are not successfully forwarding traffic to the internet.
What should the Security Engineer do to make the proxy EC2 instances route traffic to the internet?

1. A. Put all the proxy EC2 instances in a cluster placement group.
2. B. Disable source and destination checks on the proxy EC2 instances.
3. C. Open all inbound ports on the proxy EC2 instance security group.
4. D. Change the VPC's DHCP domain-name-servers options set to the IP addresses of proxy EC2 instances.

Correct Answer: B

- (Exam Topic 3)
A company manages three separate AWS accounts for its production, development, and test environments, Each Developer is assigned a unique IAM user under the development account. A new application hosted on an Amazon EC2 instance in the developer account requires read access to the archived documents stored in an Amazon S3 bucket in the production account.
How should access be granted?

1. A. Create an IAM role in the production account and allow EC2 instances in the development account toassume that role using the trust polic
2. B. Provide read access for the required S3 bucket to this role.
3. C. Use a custom identity broker to allow Developer IAM users to temporarily access the S3 bucket.
4. D. Create a temporary IAM user for the application to use in the production account.
5. E. Create a temporary IAM user in the production account and provide read access to Amazon S3.Generate the temporary IAM user's access key and secret key and store these on the EC2 instance used by the application in the development account.

Correct Answer: B

- (Exam Topic 3)
A company plans to create individual child accounts within an existing organization in AWS Organizations for each of its DevOps teams. AWS CloudTrail has been enabled and configured on all accounts to write audit logs to an Amazon S3 bucket in a centralized AWS account. A security engineer needs to ensure that DevOps team members are unable to modify or disable this configuration.
How can the security engineer meet these requirements?

1. A. Create an 1AM policy that prohibits changes to the specific CloudTrail trail and apply the policy to the AWS account root user.
2. B. Create an S3 bucket policy in the specified destination account for the CloudTrail trail that prohibits configuration changes from the AWS account root user in the source account.
3. C. Create an SCP that prohibits changes to the specific CloudTrail trail and apply the SCP to the appropriate organizational unit or account in Organizations.
4. D. Create an 1AM policy that prohibits changes to the specific CloudTrail trail and apply the policy to a new 1AM grou
5. E. Have team members use individual 1AM accounts that are members of the new 1AM group.

Correct Answer: D

- (Exam Topic 2)
A distributed web application is installed across several EC2 instances in public subnets residing in two Availability Zones. Apache logs show several intermittent brute-force attacks from hundreds of IP addresses at the layer 7 level over the past six months.
What would be the BEST way to reduce the potential impact of these attacks in the future?

1. A. Use custom route tables to prevent malicious traffic from routing to the instances.
2. B. Update security groups to deny traffic from the originating source IP addresses.
3. C. Use network ACLs.
4. D. Install intrusion prevention software (IPS) on each instance.

Correct Answer: D
https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html NACL has limit 20 (can increase to maximum 40 rule), and more rule will make more low-latency