It is observed during a security event that certain Amazon EC2 instances are not submitting Amazon CloudWatch logs.
Which measures may be taken by the Security Engineer to resolve this issue? (Select two.)
The latest changes and updates from the administration for this exam.
Latest Update: Jun 01 2026
All questions are working fine.
It is observed during a security event that certain Amazon EC2 instances are not submitting Amazon CloudWatch logs.
Which measures may be taken by the Security Engineer to resolve this issue? (Select two.)
Select all that apply
A security engineer learns that developers have been modifying security groups to allow SSH and RDP traffic from 0.0.0.0/0 rather than the organization's firewall IP.
What is the most efficient method of mitigating the risk associated with this activity?
A Security Engineer has configured an Amazon CloudFront distribution for an Amazon S3 bucket in response to previous DDoS assault experiences. Concerns have been expressed that some users may circumvent the CloudFront distribution and directly access the S3 bucket.
What must be done to prevent people from directly accessing S3 items through URLs?
A business intends to migrate the majority of its IT infrastructure to AWS. The firm wishes to use its on-premises Active Directory as an AWS identity provider.
Which actions should be followed to authenticate to AWS services utilizing the on-premises Active Directory of the organization? (Select three.)
Select all that apply
A Security Analyst sought to resolve a monitoring issue involving suspicious security group modifications. The Analyst was informed that these AWS CloudTrail log events are being monitored through an Amazon CloudWatch alert. The Analyst validated the monitoring settings by making a modification to the security group's configuration, but received no warnings.
Which of the following troubleshooting procedures should be performed by the Analyst?
On Amazon EC2 instances, Example.com maintains its internal document repository. The program is hosted on Amazon EC2 instances, and the papers were previously kept on encrypted Amazon EBS volumes. Example.com has migrated the files to Amazon S3 to optimize the program for growth. The security team has instructed that all files on the EBS volume be safely erased, and it must guarantee that the data is unreadable prior to releasing the underlying disks.
Which of the following approaches will assure that no one else can read the data?
A Systems Administrator has written the following Amazon S3 bucket policy designed to allow access to an S3 bucket for only an authorized AWS IAM user from the IP address range 10.10.10.0/24:
When trying to download an object from the S3 bucket from 10.10.10.40, the IAM user receives an access denied message.
What does the Administrator need to change to grant access to the user?
The Security Engineer observed that a new application that handles with very sensitive data is storing Amazon S3 objects with the following key pattern, which includes extremely sensitive data.
Pattern:
"randomID_datestamp_PII.csv"
Example:
"1234567_12302017_000-00-0000 csv"
The bucket in which these things are kept is encrypted on the server side (SSE).
Which method is the safest and most cost-effective way to safeguard sensitive data?
AWS CloudTrail is used to track API calls made inside an organization. CloudTrail is not delivering events to Amazon S3 as planned, according to an audit.
What first steps should be made to enable CloudTrail event delivery to S3? (Select two.)
Select all that apply
Due to new compliance requirements, a Security Engineer must enable encryption with customer-provided keys on corporate data that is stored in DynamoDB.
The company wants to retain full control of the encryption keys.
Which DynamoDB feature should the Engineer use to achieve compliance'?