Auditors for a health care company have mandated that all data volumes be encrypted at rest. Infrastructure is deployed mainly via AWS CloudFormation; however, third-party frameworks and manual deployment are required on some legacy systems.
What is the BEST way to monitor, on a recurring basis, whether all EBS volumes are encrypted?

• A.On a recurring basis, update all IAM user policies to require that EC2 instances are created with an encrypted volume.
• B.Configure an AWS Config rule to run on a recurring basis for volume encryption.
• C.Set up Amazon Inspector rules for volume encryption to run on a recurring schedule.
• D.Use CloudWatch Logs to determine whether instances were created with an encrypted volume.

Comment: *

Name: *

Email: *

Verification: *

A company's security policy requires that VPC Flow Logs are enabled on all VPCs. A Security Engineer is looking to automate the process of auditing the VPC resources for compliance.
What combination of actions should the Engineer take? (Choose two.)

• A.Create an Amazon CloudWatch Event rule that triggers on events emitted by AWS Config.
• B.Create an AWS Config configuration item for each VPC in the company AWS account.
• C.Create an AWS Config managed rule with a resource type of AWS:: Lambda:: Function.
• D.Create an AWS Config custom rule, and associate it with an AWS Lambda function that contains the evaluating logic.
• E.Create an AWS Lambda function that determines whether Flow Logs are enabled for a given VPC.

Comment: *

Name: *

Email: *

Verification: *

The Security Engineer is managing a traditional three-tier web application that is running on Amazon EC2 instances. The application has become the target of increasing numbers of malicious attacks from the Internet.
What steps should the Security Engineer take to check for known vulnerabilities and limit the attack surface?
(Choose two.)

• A.Use AWS Certificate Manager to encrypt all traffic between the client and application servers.
• B.Use AWS Key Management Services to encrypt all the traffic between the client and application servers.
• C.Use Elastic Load Balancing to offload Secure Sockets Layer encryption.
• D.Review the application security groups to ensure that only the necessary ports are open.
• E.Use Amazon Inspector to periodically scan the backend instances.

Comment: *

Name: *

Email: *

Verification: *

Which of the following is the most efficient way to automate the encryption of AWS CloudTrail logs using a Customer Master Key (CMK) in AWS KMS?

• A.Use the KMS direct encrypt function on the log data every time a CloudTrail log is generated.
• B.Use the default Amazon S3 server-side encryption with S3-managed keys to encrypt and decrypt the CloudTrail logs.
• C.Configure CloudTrail to use server-side encryption using KMS-managed keys to encrypt and decrypt CloudTrail logs.
• D.Use encrypted API endpoints so that all AWS API calls generate encrypted CloudTrail log entries using the TLS certificate from the encrypted API call.

Comment: *

Name: *

Email: *

Verification: *

A company continually generates sensitive records that it stores in an S3 bucket. All objects in the bucket are encrypted using SSE-KMS using one of the company's CMKs. Company compliance policies require that no more than one month of data be encrypted using the same encryption key. What solution below will meet the company's requirements?
Please select:

• A.Trigger a Lambda function with a monthly CloudWatch event that creates a new CMK and updates the S3 bucket to use the new CMK.
• B.Configure the CMK to rotate the key material every month.
• C.Trigger a Lambda function with a monthly CloudWatch event that creates a new CMK, updates the S3 bucket to use thfl new CMK, and deletes the old CMK.
• D.Trigger a Lambda function with a monthly CloudWatch event that rotates the key material in the CMK.

Comment: *

Name: *

Email: *

Verification: *