IAM policies, KMS encryption, VPC security groups, S3 bucket policies, and least-privilege access design.
A company has multiple AWS accounts in an AWS Organizations organization. The security team wants to ensure that no user or role in any member account can disable AWS CloudTrail. What is the MOST efficient way to enforce this requirement?
A solutions architect is designing an application that will run on Amazon EC2 instances. The application needs to access an Amazon S3 bucket to read configuration files. What is the MOST secure way to grant the EC2 instances access to the S3 bucket?
A company wants to implement a federated identity solution for its employees to access the AWS Management Console. The company already uses an on-premises Microsoft Active Directory. Which TWO solutions will meet this requirement? (Select TWO.)
A mobile application needs to access Amazon DynamoDB directly to read user-specific data. The application uses a third-party identity provider (IdP) like Google or Facebook for user authentication. What is the MOST secure way to grant the mobile app access to DynamoDB?
A company is hosting a web application on Amazon EC2 instances. The application connects to an Amazon RDS for MySQL database. The security team mandates that database credentials must not be stored in the application code or configuration files. Which solution meets this requirement with the LEAST operational overhead?
A solutions architect is reviewing the security of an AWS account. The architect notices that the AWS account root user has been used recently to perform administrative tasks. What should the architect recommend to secure the root user? (Select the BEST answer.)
A company wants to enforce strict security controls on its AWS environment. They want to ensure that all IAM users are required to use Multi-Factor Authentication (MFA) before they can access any AWS services via the CLI or Management Console. Which TWO actions should a solutions architect take to meet this requirement? (Select TWO.)
A company is hosting a public-facing web application on an Application Load Balancer (ALB). The security team wants to protect the application from common web exploits, such as SQL injection and cross-site scripting (XSS). Which AWS service should be used?
A company has a strict compliance requirement that Amazon EC2 instances in a private subnet must only be able to access a specific Amazon S3 bucket. The instances must not have access to the internet. How can a solutions architect meet this requirement MOST securely?
A company wants to improve its threat detection and response capabilities in AWS. They need a solution that continuously monitors for malicious activity, such as unauthorized access to EC2 instances, and another solution that identifies sensitive data stored in S3 buckets. Which TWO services should be used? (Select TWO.)
A solutions architect is configuring network security for a VPC. The architect needs to explicitly deny traffic from a specific malicious IP address from reaching any resources in a public subnet. Which AWS feature should the architect use?
A company has built a serverless application using Amazon API Gateway and AWS Lambda. The company wants to authorize API calls using OAuth 2.0 tokens provided by a third-party identity provider. Which solution requires the LEAST operational overhead?
A company uses AWS CloudTrail to log all API activity in its AWS account. The security team needs to ensure that the CloudTrail log files have not been tampered with after they are delivered to Amazon S3. How can this be achieved?
A company is designing a multi-tier web application in a VPC. The web servers are in public subnets, and the database servers are in private subnets. The database servers must only accept traffic from the web servers. Which TWO actions should the solutions architect take to secure the database tier? (Select TWO.)
A financial institution needs to store regulatory records in Amazon S3. The records must not be deleted or overwritten by any user, including the AWS account root user, for a period of 7 years. Which S3 feature meets this requirement?
A company requires that all data stored in Amazon EBS volumes be encrypted at rest. The company also requires the ability to automatically rotate the encryption keys every year. Which AWS KMS key type should be used?
A company has an application that connects to an Amazon RDS database. The company wants to store the database credentials securely and automatically rotate them every 30 days without modifying the application code. Which TWO AWS services can be used together to achieve this? (Select TWO.)
A solutions architect wants to ensure that all new Amazon EBS volumes created in a specific AWS Region are encrypted by default. How can this be achieved with the LEAST operational overhead?
A company has an unencrypted Amazon RDS for MySQL database. The security team has mandated that the database must be encrypted at rest using AWS KMS. What is the MOST efficient way to encrypt the existing database?
A company wants to store sensitive documents in Amazon S3. The security policy requires that the data is encrypted at rest. The company wants AWS to manage the encryption keys, but they also need an audit trail showing when the keys were used and by whom. Which TWO encryption options meet these requirements? (Select TWO.)
A company wants to ensure that no AWS resources can be created in the ap-northeast-1 region across all of its AWS accounts. What is the MOST efficient way to enforce this?
A web application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The company wants to protect the application from common web exploits like SQL injection. Which service should be used?
A company is storing highly sensitive data in an Amazon S3 bucket. The security team requires that the data is encrypted at rest using keys managed by the company, and that all API calls to the keys are logged. Which TWO actions should a solutions architect take? (Select TWO.)
An application running on an EC2 instance needs to access an Amazon DynamoDB table in a different AWS account. What is the MOST secure way to grant this access?
A company needs to store database credentials securely. The credentials must be automatically rotated every 30 days. Which AWS service should be used?
A solutions architect needs to implement a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect AWS accounts. Which service should they choose?
A company has an Amazon S3 bucket containing confidential files. The bucket must only be accessible from a specific Amazon VPC. Which TWO steps are required to enforce this? (Select TWO.)
A mobile application requires users to sign in using their social media accounts (Google, Facebook). Once authenticated, the app needs temporary AWS credentials to upload files directly to Amazon S3. Which AWS service combination should be used?
A financial institution requires a dedicated, single-tenant hardware security module (HSM) to manage their cryptographic keys due to strict regulatory compliance. Which AWS service meets this requirement?
A company wants to protect its Amazon Route 53 hosted zones and Amazon CloudFront distributions from large-scale DDoS attacks. They also require access to the AWS DDoS Response Team (DRT). Which service should they use?