AWS-Security-Specialty 試験問題を無料オンラインアクセス

A company had one of its Amazon EC2 key pairs compromised. A Security Engineer must identify which current Linux EC2 instances were deployed and used the compromised key pair.
How can this task be accomplished?

• A.Obtain the list of instances by directly querying Amazon EC2 using: IAM ec2 describe-instances --fi1ters "Name=key-name,Values=KEYNAMEHERE".
• B.Obtain the fingerprint for the key pair from the IAM Management Console, then search for the fingerprint in Amazon CloudWatch Logs using: IAM logs filter-log-events.
• C.Obtain the output from the EC2 instance metadata using: curl http: //169.254.169.254/latest/meta-data/public- keys/0/.
• D.Obtain the fingerprint for the key pair from the IAM Management Console, then search for the fingerprint in the Amazon Inspector logs.

A company has Windows Amazon EC2 instances in a VPC that are joined to on-premises Active Directory servers for domain services. The security team has enabled Amazon GuardDuty on the IAM account to alert on issues with the instances.
During a weekly audit of network traffic, the Security Engineer notices that one of the EC2 instances is attempting to communicate with a known command-and-control server but failing. This alert does not show up in GuardDuty.
Why did GuardDuty fail to alert to this behavior?

• A.GuardDuty only monitors active network traffic flow for command-and-control activity.
• B.GuardDuty does not report on command-and-control activity.
• C.GuardDuty does not see these DNS requests.
• D.GuardDuty did not have the appropriate alerts activated.

Authorized Administrators are unable to connect to an Amazon EC2 Linux bastion host using SSH over the internet. The connection either fails to respond or generates the following error message:
Network error: Connection timed out.
What could be responsible for the connection failure? (Select THREE )

• A.The internet gateway of the VPC has been reconfigured
• B.The host-based firewall is denying SSH traffic
• C.The security group denies outbound traffic on ephemeral ports
• D.The route table is missing a route to the internet gateway
• E.The NAT gateway in the subnet where the EC2 instance is deployed has been misconfigured
• F.The NACL denies outbound traffic on ephemeral ports

You need to create a policy and apply it for just an individual user. How could you accomplish this in the right way?
Please select:

• A.Add an IAM role for the user
• B.Add a service policy for the user
• C.Add an inline policy for the user
• D.Add an IAM managed policy for the user

A company is deploying an Amazon EC2-based application. The application will include a custom health-checking component that produces health status data in JSON format. A Security Engineer must implement a secure solution to monitor application availability in near-real time by analyzing the hearth status data.
Which approach should the Security Engineer use?

• A.Write the status data directly to a public Amazon S3 bucket from the health-checking component Configure S3 events to invoke an IAM Lambda function that analyzes the data
• B.Generate events from the health-checking component and send them to Amazon CloudWatch Events. Include the status data as event payloads. Use CloudWatch Events rules to invoke an IAM Lambda function that analyzes the data.
• C.Use Amazon CloudWatch monitoring to capture Amazon EC2 and networking metrics Visualize metrics using Amazon CloudWatch dashboards.
• D.Run the Amazon Kinesis Agent to write the status data to Amazon Kinesis Data Firehose Store the streaming data from Kinesis Data Firehose in Amazon Redshift. (hen run a script on the pool data and analyze the data in Amazon Redshift