Within a VPC, a corporation runs an Amazon RDS Multi-AZ DB instance. The database instance is connected to the internet through a NAT gateway via two subnets.
Additionally, the organization has application servers that are hosted on Amazon EC2 instances and use the RDS database. These EC2 instances have been deployed onto two more private subnets inside the same VPC. These EC2 instances connect to the internet through a default route via the same NAT gateway. Each VPC subnet has its own route table.
The organization implemented a new security requirement after a recent security examination. Never allow the database instance to connect to the internet. A security engineer must perform this update promptly without interfering with the network traffic of the application servers.
How will the security engineer be able to comply with these requirements?

• A.Remove the existing NAT gateway. Create a new NAT gateway that only the application server subnets can use.
• B.Configure the DB instance inbound network ACL to deny traffic from the security group ID of the NAT gateway.
• C.Modify the route tables of the DB instance subnets to remove the default route to the NAT gateway.
• D.Configure the route table of the NAT gateway to deny connections to the DB instance subnets.

Comment: *

Name: *

Email: *

Verification: *

What is the function of the following AWS Key Management Service (KMS) key policy attached to a customer master key (CMK)?

• A.The Amazon WorkMail and Amazon SES services have delegated KMS encrypt and decrypt permissions to the ExampleUser principal in the 111122223333 account.
• B.The ExampleUser principal can transparently encrypt and decrypt email exchanges specifically between ExampleUser and AWS.
• C.The CMK is to be used for encrypting and decrypting only when the principal is ExampleUser and the request comes from WorkMail or SES in the specified region.
• D.The key policy allows WorkMail or SES to encrypt or decrypt on behalf of the user for any CMK in the account.

Comment: *

Name: *

Email: *

Verification: *

A company has a set of EC2 instances hosted in AWS. These instances have EBS volumes for storing critical information. There is a business continuity requirement and in order to boost the agility of the business and to ensure data durability which of the following options are not required.
Please select:

• A.Use lifecycle policies for the EBS volumes
• B.Use EBS Snapshots
• C.Use EBS volume replication
• D.Use EBS volume encryption

Comment: *

Name: *

Email: *

Verification: *

Due to new compliance requirements, a Security Engineer must enable encryption with customer-provided keys on corporate data that is stored in DynamoDB. The company wants to retain full control of the encryption keys.
Which DynamoDB feature should the Engineer use to achieve compliance'?

• A.Use AWS Certificate Manager to request a certificate. Use that certificate to encrypt data prior to uploading it to DynamoDB.
• B.Enable S3 server-side encryption with the customer-provided keys. Upload the data to Amazon S3, and then use S3Copy to move all data to DynamoDB
• C.Create a KMS master key. Generate per-record data keys and use them to encrypt data prior to uploading it to DynamoDS. Dispose of the cleartext and encrypted data keys after encryption without storing.
• D.Use the DynamoDB Java encryption client to encrypt data prior to uploading it to DynamoDB.

Comment: *

Name: *

Email: *

Verification: *

An application uses Amazon Cognito to manage end users' permissions when directly accessing AWS resources, including Amazon DynamoDB. A new feature request reads as follows:
Provide a mechanism to mark customers as suspended pending investigation or suspended permanently. Customers should still be able to log in when suspended, but should not be able to make changes.
The priorities are to reduce complexity and avoid potential for future security issues.
Which approach will meet these requirements and priorities?

• A.Create a new database field "suspended_status" and modify the application logic to validate that field when processing requests.
• B.Add suspended customers to second Cognito user pool and update the application login flow to check both user pools.
• C.Use Amazon Cognito Sync to push out a "suspension_status" parameter and split the lAM policy into normal users and suspended users.
• D.Move suspended customers to a second Cognito group and define an appropriate IAM access policy for the group.

Comment: *

Name: *

Email: *

Verification: *