- (Exam Topic 2)
A Security Engineer must enforce the use of only Amazon EC2, Amazon S3, Amazon RDS, Amazon DynamoDB, and AWS STS in specific accounts.
What is a scalable and efficient approach to meet this requirement?

1. A. Option A
2. B. Option B
3. C. Option C
4. D. Option D

Correct Answer: A
It says specific accounts which mean specific governed OUs under your organization and you apply specific service control policy to these OUs.

- (Exam Topic 1)
A Security Engineer is setting up a new AWS account. The Engineer has been asked to continuously monitor the company's AWS account using automated compliance checks based on AWS best practices and Center for Internet Security (CIS) AWS Foundations Benchmarks
How can the Security Engineer accomplish this using AWS services?

1. A. Enable AWS Config and set it to record all resources in all Regions and global resource
2. B. Then enable AWS Security Hub and confirm that the CIS AWS Foundations compliance standard is enabled
3. C. Enable Amazon Inspector and configure it to scan all Regions for the CIS AWS Foundations Benchmark
4. D. Then enable AWS Security Hub and configure it to ingest the Amazon Inspector findings
5. E. Enable Amazon Inspector and configure it to scan all Regions for the CIS AWS Foundations Benchmark
6. F. Then enable AWS Shield in all Regions to protect the account from DDoS attacks.
7. G. Enable AWS Config and set it to record all resources in all Regions and global resources Then enable Amazon Inspector and configure it to enforce CIS AWS Foundations Benchmarks using AWS Config rules.

Correct Answer: B

- (Exam Topic 3)
A company is planning on extending their on-premise AWS Infrastructure to the AWS Cloud. They need to have a solution that would give core benefits of traffic encryption and ensure latency is kept to a minimum. Which of the following would help fulfil this requirement? Choose 2 answers from the options given below
Please select:

1. A. AWS VPN
2. B. AWS VPC Peering
3. C. AWS NAT gateways
4. D. AWS Direct Connect

Correct Answer: AD
The AWS Document mention the following which supports the requirement C:\Users\wk\Desktop\mudassar\Untitled.jpg

Option B is invalid because VPC peering is only used for connection between VPCs and cannot be used to connect On-premise infrastructure to the AWS Cloud.
Option C is invalid because NAT gateways is used to connect instances in a private subnet to the internet For more information on VPN Connections, please visit the following url
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuideA/pn-connections.html
The correct answers are: AWS VPN, AWS Direct Connect Submit your Feedback/Queries to our Experts

- (Exam Topic 1)
A Security Engineer noticed an anomaly within a company EC2 instance as shown in the image. The Engineer must now investigate what e causing the anomaly. What are the MOST effective steps to take lo ensure that the instance is not further manipulated while allowing the Engineer to understand what happened?

1. A. Remove the instance from the Auto Scaling group Place the instance within an isolation security group, detach the EBS volume launch an EC2 instance with a forensic toolkit and attach the E8S volume to investigate
2. B. Remove the instance from the Auto Scaling group and the Elastic Load Balancer Place the instance within an isolation security group, launch an EC2 instance with a forensic toolkit, and allow the forensic toolkit image to connect to the suspicious Instance to perform the Investigation.
3. C. Remove the instance from the Auto Scaling group Place the Instance within an isolation security group, launch an EC2 Instance with a forensic toolkit and use the forensic toolkit imago to deploy an ENI as a network span port to inspect all traffic coming from the suspicious instance.
4. D. Remove the instance from the Auto Scaling group and the Elastic Load Balancer Place the instance within an isolation security group, make a copy of the EBS volume from a new snapshot, launch an EC2 Instance with a forensic toolkit and attach the copy of the EBS volume to investigate.

Correct Answer: B

- (Exam Topic 2)
A Security Analyst attempted to troubleshoot the monitoring of suspicious security group changes. The Analyst was told that there is an Amazon CloudWatch alarm in place for these AWS CloudTrail log events. The Analyst tested the monitoring setup by making a configuration change to the security group but did not receive any alerts.
Which of the following troubleshooting steps should the Analyst perform?

1. A. Ensure that CloudTrail and S3 bucket access logging is enabled for the Analyst's AWS accoun
2. B. Verify that a metric filter was created and then mapped to an alar
3. C. Check the alarm notification action.
4. D. Check the CloudWatch dashboards to ensure that there is a metric configured with an appropriate dimension for security group changes.
5. E. Verify that the Analyst's account is mapped to an IAM policy that includes permissions for cloudwatch: GetMetricStatistics and Cloudwatch: ListMetrics.

Correct Answer: B
MetricFilter:
Type: 'AWS::Logs::MetricFilter' Properties:
LogGroupName: '' FilterPattern: >
{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress)
|| ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }
MetricTransformations:
- MetricValue: '1'
MetricNamespace: CloudTrailMetrics MetricName: SecurityGroupEventCount