- (Exam Topic 2)
A security team must present a daily briefing to the CISO that includes a report of which of the company's thousands of EC2 instances and on-premises servers are missing the latest security patches. All instances/servers must be brought into compliance within 24 hours so they do not show up on the next day's report. How can the security team fulfill these requirements?
Please select:

1. A. Use Amazon QuickSight and Cloud Trail to generate the report of out of compliance instances/servers.Redeploy all out of compliance instances/servers using an AMI with the latest patches.
2. B. Use Systems Manger Patch Manger to generate the report of out of compliance instances/ server
3. C. Use Systems Manager Patch Manger to install the missing patches.
4. D. Use Systems Manger Patch Manger to generate the report of out of compliance instances/ servers.Redeploy all out of1 compliance instances/servers using an AMI with the latest patches.
5. E. Use Trusted Advisor to generate the report of out of compliance instances/server
6. F. Use Systems Manger Patch Manger to install the missing patches.

Correct Answer: B
Use the Systems Manger Patch Manger to generate the report and also install the missing patches The AWS Documentation mentions the following
AWS Systems Manager Patch Manager automates the process of patching managed instances with
security-related updates. For Linux-based instances, you can also install patches for non-security updates. You can patch fleets of Amazon EC2 instances or your on-premises servers and virtual machines (VMs) by operating system type. This includes supported versions of Windows, Ubuntu Server, Red Hat Enterprise Linux (RHEL), SUSE Linux Enterprise Server (SLES), and Amazon Linux. You can scan instances to see only a report of missing patches, or you can scan and automatically install all missing patches.
Option A is invalid because Amazon QuickSight and Cloud Trail cannot be used to generate the list of servers that don't meet compliance needs.
Option C is wrong because deploying instances via new AMI'S would impact the applications hosted on these servers
Option D is invalid because Amazon Trusted Advisor cannot be used to generate the list of servers that don't meet compliance needs.
For more information on the AWS Patch Manager, please visit the below URL:
https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-patch.html (
The correct answer is: Use Systems Manger Patch Manger to generate the report of out of compliance instances/ servers. Use Systems Manager Patch Manger to install the missing patches.
Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
A recent security audit found that AWS CloudTrail logs are insufficiently protected from tampering and unauthorized access Which actions must the Security Engineer take to address these audit findings? (Select THREE )

1. A. Ensure CloudTrail log file validation is turned on
2. B. Configure an S3 lifecycle rule to periodically archive CloudTrail logs into Glacier for long-term storage
3. C. Use an S3 bucket with tight access controls that exists m a separate account
4. D. Use Amazon Inspector to monitor the file integrity of CloudTrail log files.
5. E. Request a certificate through ACM and use a generated certificate private key to encrypt CloudTrail log files
6. F. Encrypt the CloudTrail log files with server-side encryption with AWS KMS-managed keys (SSE-KMS)

Correct Answer: ADE

- (Exam Topic 1)
The Security Engineer is managing a traditional three-tier web application that is running on Amazon EC2 instances. The application has become the target of increasing numbers of malicious attacks from the Internet.
What steps should the Security Engineer take to check for known vulnerabilities and limit the attack surface? (Choose two.)

1. A. Use AWS Certificate Manager to encrypt all traffic between the client and application servers.
2. B. Review the application security groups to ensure that only the necessary ports are open.
3. C. Use Elastic Load Balancing to offload Secure Sockets Layer encryption.
4. D. Use Amazon Inspector to periodically scan the backend instances.
5. E. Use AWS Key Management Services to encrypt all the traffic between the client and application servers.

Correct Answer: BD

- (Exam Topic 1)
A security engineer is designing a solution that will provide end-to-end encryption between clients and Docker containers running In Amazon Elastic Container Service (Amazon ECS). This solution will also handle volatile traffic patterns
Which solution would have the MOST scalability and LOWEST latency?

1. A. Configure a Network Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers
2. B. Configure an Application Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers
3. C. Configure a Network Load Balancer with a TCP listener to pass through TLS traffic to the containers
4. D. Configure Amazon Route 53 to use multivalue answer routing to send traffic to the containers

Correct Answer: A

- (Exam Topic 3)
An organization wants to log all AWS API calls made within all of its AWS accounts, and must have a central place to analyze these logs. What steps should be taken to meet these requirements in the MOST secure manner? (Select TWO)

1. A. Turn on AWS CloudTrail in each AWS account
2. B. Turn on CloudTrail in only the account that will be storing the logs
3. C. Update the bucket ACL of the bucket in the account that will be storing the logs so that other accounts can log to it
4. D. Create a service-based role for CloudTrail and associate it with CloudTrail in each account
5. E. Update the bucket policy of the bucket in the account that will be storing the logs so that other accounts can log to it

Correct Answer: AE