Amazon AWS Certified Security Specialist Set 2

1.

A company's database developer has just migrated an Amazon RDS database credential to be stored and managed by AWS Secrets Manager. The developer has also enabled rotation of the credential within the Secrets Manager console and set the rotation to change every 30 days.
After a short period of time, a number of existing applications have failed with authentication errors. What is the MOST likely cause of the authentication errors?

Migrating the credential to RDS requires that all access come through requests to the Secrets Manager. Enabling rotation in Secrets Manager causes the secret to rotate immediately and the applications are using the earlier credential. The Secrets Manager IAM policy does not allow access to the RDS database. The Secrets Manager IAM policy does not allow access for the applications.

2.

A Security Engineer must enforce the use of only Amazon EC2, Amazon S3, Amazon RDS, Amazon DynamoDB, and AWS STS in specific accounts.
What is a scalable and efficient approach to meet this requirement?

Set up an AWS Organizations hierarchy, and replace the FullAWSAccess policy with the following Service Control Policy for the governed organization units: Create multiple IAM users for the regulated accounts, and attach the following policy statement to restrict services as required: Set up an Organizations hierarchy, replace the global FullAWSAccess with the following Service Control Policy at the top level: Set up all users in the Active Directory for federated access to all accounts in the company. Associate Active Directory groups with IAM groups, and attach the following policy statement to restrict services as required:

3.

Which option for the use of the AWS Key Management Service (KMS) supports key management best practices that focus on minimizing the potential scope of data exposed by a possible future key compromise?

Use KMS automatic key rotation to replace the master key, and use this new master key for future encryption operations without re-encrypting previously encrypted data. Generate a new Customer Master Key (CMK), re-encrypt all existing data with the new CMK, and use it for all future encryption operations. Change the CMK alias every 90 days, and update key-calling applications with the new key alias. Change the CMK permissions to ensure that individuals who can provision keys are not the same individuals who can use the keys.

4.

An organization has a system in AWS that allows a large number of remote workers to submit data files. File sizes vary from a few kilobytes to several megabytes. A recent audit highlighted a concern that data files are not encrypted while in transit over untrusted networks.
Which solution would remediate the audit finding while minimizing the effort required?

Upload an SSL certificate to IAM, and configure Amazon CloudFront with the passphrase for the private key. Call KMS.Encrypt() in the client, passing in the data file contents, and call KMS.Decrypt() server-side. Use AWS Certificate Manager to provision a certificate on an Elastic Load Balancing in front of the web service N endpoint, and update the web service

5.

A Security Engineer has created an Amazon CloudWatch event that invokes an AWS Lambda function daily. The Lambda function runs an Amazon Athena query that checks AWS CloudTrail logs in Amazon S3 to detect whether any IAM user accounts or credentials have been created in the past 30 days. The results of the Athena query are created in the same S3 bucket. The Engineer runs a test execution of the Lambda function via the AWS Console, and the function runs successfully.
After several minutes, the Engineer finds that his Athena query has failed with the error message: "Insufficient Permissions". The IAM permissions of the Security Engineer and the Lambda function are shown below:

Security Engineer

What is causing the error?

The Lambda function does not have permissions to start the Athena query execution. The Security Engineer does not have permissions to start the Athena query execution. The Athena service does not support invocation through Lambda. The Lambda function does not have permissions to access the CloudTrail S3 bucket.

Amazon AWS Certified Security Specialist Set 2

Congratulations

COMPANY

Products

OTHERS

Partner

Amazon AWS Certified Security Specialist Set 2

Congratulations

Detail Form

COMPANY

Products

OTHERS

Partner