Question 1

A company has a legacy application that runs on a single Amazon EC2 instance. A security audit shows that the application has been using an IAM access key within its code to access an Amazon S3 bucket that is named DOC-EXAMPLE-BUCKET1 in the same AWS account. This access key pair has the s3:GetObject permission to all objects in only this S3 bucket. The company takes the application offline because the application is not compliant with the companyâ€™s security policies for accessing other AWS resources from Amazon EC2. A security engineer validates that AWS CloudTrail is turned on in all AWS Regions. CloudTrail is sending logs to an S3 bucket that is named DOC-EXAMPLE-BUCKET2. This S3 bucket is in the same AWS account as DOC-EXAMPLE-BUCKET1. However, CloudTrail has not been configured to send logs to Amazon CloudWatch Logs. The company wants to know if any objects in DOC-EXAMPLE-BUCKET1 were accessed with the IAM access key in the past 60 days. If any objects were accessed, the company wants to know if any of the objects that are text files (.txt extension) contained personally identifiable information (PII). Which combination of steps should the security engineer take to gather this information? (Choose two.)

Options :

A : Configure Amazon Macie to identify any objects in DOC-EXAMPLE-BUCKET1 that contain PII and that were available to the access key.

B : Use Amazon CloudWatch Logs Insights to identify any objects in DOC-EXAMPLE-BUCKET1 that contain PII and that were available to the access key.

C : Use Amazon OpenSearch Service (Amazon Elasticsearch Service) to query the CloudTrail logs in DOC-EXAMPLE-BUCKET2 for API calls that used the access key to access an object that contained PII.

D : Use Amazon Athena to query the CloudTrail logs in DOC-EXAMPLE-BUCKET2 for any API calls that used the access key to access an object that contained PII.

E : Use AWS Identity and Access Management Access Analyzer to identify any API calls that used the access key to access objects that contained PII in DOC-EXAMPLE-BUCKET1.

Answer: A,D

Question 2

A Network Load Balancer (NLB) target instance is not entering the InService state. A security engineer determines that health checks are failing. Which factors could cause the health check failures? (Select THREE.)

Options :

A : The target instance-s security group does not allow traffic from the NLB.

B : The target instance-s security group is not attached to the NLB.

C : The NLB-s security group is not attached to the target instance.

D : The target instance-s subnet network ACL does not allow traffic from the NLB.

E : The target instance-s security group is not using IP addresses to allow traffic from the NLB.

F : The target network ACL is not attached to the NLB.

Answer: A,C,D

Question 3

A company created an AWS KMS key in the AWS Key Management Service (KMS) with imported key materials. The company policy requires that all encryption keys must be rotated every 365 days.

What must be done to implement policy requirements?

Options :

A : Enable automatic key rotation for the KMS key every 365 days.

B : Create a new KMS key, import new key material, and point the key alias to the new KMS key

C : Write an AWS Lambda function that rotates the key material yearly.

D : Import new key material to the existing KMS key and manually rotate the KMS key.

Answer: B

Question 4

A development team is using an IAM Key Management Service (IAM KMS) CMK to try to encrypt and decrypt a secure string parameter from IAM Systems Manager Parameter Store. However, the development team receives an error message on each attempt. Which issues that are related to the CMK could be reasons for the error? (Select TWO.)

Options :

A : The CMK that is used in the attempt does not exist.

B : The CMK that is used in the attempt needs to be rotated.

C : The CMK that is used in the attempt is using the CMK-s key ID instead of the CMK ARN.

D : The CMK that is used in the attempt is not enabled.

E : The CMK that is used in the attempt is using an alias.

Answer: A,D

Question 5

A company manages an application that runs on Amazon EC2 instances behind a Network Load Balancer (NLB). The NLB has access logs enabled which are being stored in an Amazon S3 bucket. A security engineer requires a solution to run ad hoc queries against the access logs to identify application access patterns.

How should the security engineer accomplish this task with the least amount of administrative overhead?

Options :

A : Import the access logs into Amazon CloudWatch Logs. Use CloudWatch Logs Insights to analyze the log data.

B : Use the S3 copy command to copy logs to a separate bucket. Enable S3 analytics to analyze access patterns.

C : Write an AWS Lambda function to query the access logs. Use event notifications to trigger the Lambda functions when log entries are added

D : Create an Amazon Athena table that uses the S3 bucket containing the access logs. Run SQL queries using Athena.

Answer: D