Your company is planning on AWS on hosting its AWS resources. There is a company policy which mandates that all security keys are completely managed within the company itself. Which of the following is the correct measure of following this policy?
Please select:

• A.Using the AWS KMS service for creation of the keys and the company managing the key lifecycle thereafter.
• B.Generating the key pairs for the EC2 Instances using puttygen
• C.Use the EC2 Key pairs that come with AWS
• D.Use S3 server-side encryption

Comment: *

Name: *

Email: *

Verification: *

A distributed web application is installed across several EC2 instances in public subnets residing in two Availability Zones. Apache logs show several intermittent brute-force attacks from hundreds of IP addresses at the layer 7 level over the past six months.
What would be the BEST way to reduce the potential impact of these attacks in the future?

• A.Use custom route tables to prevent malicious traffic from routing to the instances.
• B.Update security groups to deny traffic from the originating source IP addresses.
• C.Use network ACLs.
• D.Install intrusion prevention software (IPS) on each instance.

Comment: *

Name: *

Email: *

Verification: *

A Security Engineer is setting up an AWS CloudTrail trail for all regions in an AWS account. For added security, the logs are stored using server-side encryption with AWS KMS-managed keys (SSE-KMS) and have log integrity validation enabled.
While testing the solution, the Security Engineer discovers that the digest files are readable, but the log files are not. What is the MOST likely cause?

• A.The KMS key policy does not grant the Security Engineer's IAM user or role permissions to decrypt with it.
• B.The bucket is set up to use server-side encryption with Amazon S3-managed keys (SSE-S3) as the default and does not allow SSE-KMS-encrypted files.
• C.The log files fail integrity validation and automatically are marked as unavailable.
• D.An IAM policy applicable to the Security Engineer's IAM user or role denies access to the
  "CloudTrail/" prefix in the Amazon S3 bucket

Comment: *

Name: *

Email: *

Verification: *

An organization has a multi-petabyte workload that it is moving to Amazon S3, but the CISO is concerned about cryptographic wear-out and the blast radius if a key is compromised.
How can the CISO be assured that AWS KMS and Amazon S3 are addressing the concerns? (Choose two.)

• A.Encryption of S3 objects is performed within the secure boundary of the KMS service.
• B.S3 uses KMS to generate a unique data key for each individual object.
• C.There is no API operation to retrieve an S3 object in its encrypted form.
• D.Using a single master key to encrypt all data includes having a single place to perform audits and usage validation.
• E.The KMS encryption envelope digitally signs the master key during encryption to prevent cryptographic wear-out.

Comment: *

Name: *

Email: *

Verification: *

A web application runs in a VPC on EC2 instances behind an ELB Application Load Balancer. The application stores data in an RDS MySQL DB instance. A Linux bastion host is used to apply schema updates to the database - administrators connect to the host via SSH from a corporate workstation. The following security groups are applied to the infrastructure-
* sgLB - associated with the ELB
* sgWeb - associated with the EC2 instances.
* sgDB - associated with the database
* sgBastion - associated with the bastion host Which security group configuration will allow the application to be secure and functional?
Please select:

• A.sgLB :allow port 80 and 443 traffic from 0.0.0.0/0
  sgWeb :allow port 80 and 443 traffic from 0.0.0.0/0
  sgDB :allow port 3306 traffic from sgWeb and sgBastion
  sgBastion: allow port 22 traffic from the corporate IP address range
• B.sgLB :aIlow port 80 and 443 traffic from 0.0.0.0/0
  sgWeb :allow port 80 and 443 traffic from sgLB
  sgDB :allow port 3306 traffic from sgWeb and sgLB
  sgBastion: allow port 22 traffic from the VPC IP address range
• C.sgLB :allow port 80 and 443 traffic from 0.0.0.0/0
  sgWeb :allow port 80 and 443 traffic from sgLB
  sgDB :allow port 3306 traffic from sgWeb and sgBastion
  sgBastion: allow port 22 traffic from the VPC IP address range
• D.sgLB :allow port 80 and 443 traffic from 0.0.0.0/0
  sgWeb :allow port 80 and 443 traffic from sgLB
  sgDB :allow port 3306 traffic from sgWeb and sgBastion
  sgBastion: allow port 22 traffic from the corporate IP address range

Comment: *

Name: *

Email: *

Verification: *