
© 2026 TinyHive Labs. Company number 16262776.

    AWS Solutions Architect Associate (SAA-C03)

    Domain 1.2: Secure Workloads

    55 questions across 7 exams

    Exams covering this topic

      • AWS SAA-C03 Practice Exam 1
      • AWS SAA-C03 Practice Exam 2
      • AWS SAA-C03 Practice Exam 3
      • AWS SAA-C03 Practice Exam 4
      • AWS SAA-C03 Practice Exam 5
      • AWS SAA-C03 Practice Exam 6
      • AWS SAA-C03 Practice Exam 7

    All questions (55)

    Q08 · Easy · 1 mark · AWS SAA-C03 Practice Exam 1

    A company is hosting a public-facing web application on an Application Load Balancer (ALB). The security team wants to protect the application from common web exploits, such as SQL injection and cross-site scripting (XSS). Which AWS service should be used?

    Q09 · Hard · 1 mark · AWS SAA-C03 Practice Exam 1

    A company has a strict compliance requirement that Amazon EC2 instances in a private subnet must only be able to access a specific Amazon S3 bucket. The instances must not have access to the internet. How can a solutions architect meet this requirement MOST securely?

    Q10 · Medium · 1 mark · AWS SAA-C03 Practice Exam 1

    A company wants to improve its threat detection and response capabilities in AWS. They need a solution that continuously monitors for malicious activity, such as unauthorized access to EC2 instances, and another solution that identifies sensitive data stored in S3 buckets. Which TWO services should be used? (Select TWO.)

    Q11 · Easy · 1 mark · AWS SAA-C03 Practice Exam 1

    A solutions architect is configuring network security for a VPC. The architect needs to explicitly deny traffic from a specific malicious IP address from reaching any resources in a public subnet. Which AWS feature should the architect use?

    Q12 · Medium · 1 mark · AWS SAA-C03 Practice Exam 1

    A company has built a serverless application using Amazon API Gateway and AWS Lambda. The company wants to authorize API calls using OAuth 2.0 tokens provided by a third-party identity provider. Which solution requires the LEAST operational overhead?

    Q13 · Medium · 1 mark · AWS SAA-C03 Practice Exam 1

    A company uses AWS CloudTrail to log all API activity in its AWS account. The security team needs to ensure that the CloudTrail log files have not been tampered with after they are delivered to Amazon S3. How can this be achieved?

    Q14 · Hard · 1 mark · AWS SAA-C03 Practice Exam 1

    A company is designing a multi-tier web application in a VPC. The web servers are in public subnets, and the database servers are in private subnets. The database servers must only accept traffic from the web servers. Which TWO actions should the solutions architect take to secure the database tier? (Select TWO.)

    Q02 · Easy · 1 mark · AWS SAA-C03 Practice Exam 2

    A web application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The company wants to protect the application from common web exploits like SQL injection. Which service should be used?

    Q06 · Easy · 1 mark · AWS SAA-C03 Practice Exam 2

    A solutions architect needs to implement a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect AWS accounts. Which service should they choose?

    Q07 · Medium · 1 mark · AWS SAA-C03 Practice Exam 2

    A company has an Amazon S3 bucket containing confidential files. The bucket must only be accessible from a specific Amazon VPC. Which TWO steps are required to enforce this? (Select TWO.)

    Q10 · Medium · 1 mark · AWS SAA-C03 Practice Exam 2

    A company wants to protect its Amazon Route 53 hosted zones and Amazon CloudFront distributions from large-scale DDoS attacks. They also require access to the AWS DDoS Response Team (DRT). Which service should they use?

    Q14 · Hard · 1 mark · AWS SAA-C03 Practice Exam 2

    A company has 50 VPCs across multiple AWS accounts. They want to inspect all traffic leaving the VPCs for the internet using a centralized firewall appliance. What is the MOST scalable architecture?

    Q16 · Medium · 1 mark · AWS SAA-C03 Practice Exam 2

    A company wants to receive real-time alerts whenever an IAM policy is modified in their AWS account. Which TWO services should be combined to achieve this? (Select TWO.)

    Q17 · Easy · 1 mark · AWS SAA-C03 Practice Exam 2

    A company is deploying a web application on an Application Load Balancer (ALB). They need to secure the traffic in transit using HTTPS. What is the MOST cost-effective and operationally efficient way to obtain and manage the SSL/TLS certificate?

    Q20 · Medium · 1 mark · AWS SAA-C03 Practice Exam 2

    A company exposes a REST API using Amazon API Gateway. They want to restrict access to the API so that only authenticated users from their Amazon Cognito User Pool can call it. Which TWO steps are required? (Select TWO.)

    Q03 · Easy · 1 mark · AWS SAA-C03 Practice Exam 3

    A company hosts a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application is experiencing SQL injection attacks. Which AWS service should a solutions architect use to block these attacks?

    Q04 · Medium · 1 mark · AWS SAA-C03 Practice Exam 3

    A company wants to continuously monitor its AWS accounts for malicious activity and unauthorized behavior, such as cryptocurrency mining on EC2 instances. Which service should be implemented?

    Q07 · Medium · 1 mark · AWS SAA-C03 Practice Exam 3

    A solutions architect is designing a VPC. The requirement is to block a specific malicious IP address from accessing the VPC, while allowing legitimate HTTP traffic to reach EC2 instances. Which TWO actions should be taken? (Select TWO.)

    Q10 · Medium · 1 mark · AWS SAA-C03 Practice Exam 3

    A company requires strict auditing of its AWS environment. They need to record all API calls and ensure that the log files have not been tampered with after creation. Which TWO features should be enabled? (Select TWO.)

    Q14 · Medium · 1 mark · AWS SAA-C03 Practice Exam 3

    A company is hosting a public-facing web application. They want to protect the application from DDoS attacks, SQL injection, and ensure traffic is distributed across multiple Availability Zones. Which THREE services should be combined? (Select THREE.)

    Q16 · Easy · 1 mark · AWS SAA-C03 Practice Exam 3

    A company wants a centralized view of security alerts and compliance status across multiple AWS accounts. They want to automatically check their environment against AWS Foundational Security Best Practices. Which service should they use?

    Q17 · Medium · 1 mark · AWS SAA-C03 Practice Exam 3

    A company needs to inspect all outbound traffic from their VPC to the internet. They want to implement stateful domain name (FQDN) filtering to ensure instances can only access approved external APIs. Which service provides this capability?

    Q03 · Medium · 1 mark · AWS SAA-C03 Practice Exam 4

    A company is designing a web application that will be hosted on AWS. The application will use an Application Load Balancer (ALB) and Amazon EC2 instances in an Auto Scaling group. The company wants to protect the application from SQL injection and cross-site scripting (XSS) attacks. Which TWO actions should a solutions architect take to meet these requirements? (Select TWO.)

    Q05 · Medium · 1 mark · AWS SAA-C03 Practice Exam 4

    A solutions architect is designing a VPC for a three-tier web application. The database tier must be completely isolated from the internet. The application tier needs to download software updates from the internet but should not accept incoming internet connections. How should the subnets be configured?

    Q10 · Medium · 1 mark · AWS SAA-C03 Practice Exam 4

    A security team wants to centralize security alerts from multiple AWS services and AWS accounts. They also need to continuously monitor their AWS environment for malicious activity and unauthorized behavior. Which TWO AWS services should they use? (Select TWO.)

    Q11 · Medium · 1 mark · AWS SAA-C03 Practice Exam 4

    A company has an application running on Amazon EC2 instances in a private subnet. The application needs to securely access Amazon S3 to download configuration files. The security team dictates that traffic between the EC2 instances and S3 must not traverse the public internet. Which solution meets these requirements MOST cost-effectively?

    Q13 · Medium · 1 mark · AWS SAA-C03 Practice Exam 4

    A company is hosting a static website on Amazon S3 distributed via Amazon CloudFront. The company wants to ensure that users can only access the website through the CloudFront distribution and cannot access the S3 bucket directly via its S3 URL. What should the solutions architect configure to meet this requirement?

    Q14 · Medium · 1 mark · AWS SAA-C03 Practice Exam 4

    A company is deploying a new application on Amazon EC2 instances. The security team requires that all network traffic to and from the instances be strictly controlled. Specifically, they want to block traffic from a known malicious IP address at the subnet level, and only allow HTTP/HTTPS traffic to the instances. Which TWO actions should the solutions architect take? (Select TWO.)

    Q18 · Medium · 1 mark · AWS SAA-C03 Practice Exam 4

    A company is using Amazon S3 to store sensitive customer data. The security team wants to be alerted immediately if any S3 buckets are accidentally made public. Which AWS service provides the MOST direct way to monitor and alert on public S3 buckets?

    Q54 · Medium · 1 mark · AWS SAA-C03 Practice Exam 4

    A company has an application that uses Amazon API Gateway and AWS Lambda. The security team wants to block requests originating from specific countries and protect the API from SQL injection attacks. How can this be achieved?

    Q59 · Medium · 1 mark · AWS SAA-C03 Practice Exam 4

    A company wants to securely connect their on-premises data center to their AWS VPC. They require an encrypted connection over the public internet. They also want to ensure high availability for this connection. Which TWO actions should the solutions architect take? (Select TWO.)

    Q62 · Medium · 1 mark · AWS SAA-C03 Practice Exam 4

    A company is using Amazon S3 to host a static website. They want to use their custom domain name (e.g., www.example.com) and secure the site with HTTPS. Which combination of AWS services is required to achieve this?

    Q64 · Easy · 1 mark · AWS SAA-C03 Practice Exam 4

    A company has a VPC with public and private subnets. Instances in the private subnet need to access the internet to download software patches. The company wants to implement this securely and cost-effectively, ensuring the instances cannot receive inbound connections from the internet. What is the BEST solution?

    Q03 · Medium · 1 mark · AWS SAA-C03 Practice Exam 5

    A company is designing a VPC for a multi-tier web application. They need to block specific malicious IP addresses from accessing the web servers, while allowing legitimate HTTPS traffic. Which TWO actions should the solutions architect take? (Select TWO.)

    Q05 · Medium · 1 mark · AWS SAA-C03 Practice Exam 5

    A company hosts a web application on an Application Load Balancer (ALB). They are experiencing SQL injection attacks and cross-site scripting (XSS) attempts. Which AWS service should be deployed to protect the application?

    Q07 · Easy · 1 mark · AWS SAA-C03 Practice Exam 5

    Which AWS service provides intelligent threat detection by continuously monitoring for malicious activity and unauthorized behavior to protect AWS accounts and workloads?

    Q09 · Medium · 1 mark · AWS SAA-C03 Practice Exam 5

    A company requires that all AWS API calls are logged. They also need to mathematically prove that the log files have not been tampered with after they were delivered to Amazon S3. How can this be achieved?

    Q14 · Medium · 1 mark · AWS SAA-C03 Practice Exam 5

    A company is hosting a secure web application. They need to terminate SSL/TLS connections and protect the application from common web exploits. Which TWO AWS services should be combined to meet these requirements? (Select TWO.)

    Q16 · Medium · 1 mark · AWS SAA-C03 Practice Exam 5

    An application in a private subnet needs to access an Amazon DynamoDB table. Traffic must not traverse the public internet. The security team requires that the application can ONLY access one specific DynamoDB table. How should this be implemented?

    Q18 · Easy · 1 mark · AWS SAA-C03 Practice Exam 5

    A security team wants a centralized view of security alerts and compliance status across all their AWS accounts. They want to automatically check their environment against AWS Foundational Security Best Practices. Which TWO features does AWS Security Hub provide to meet these needs? (Select TWO.)

    Q19 · Easy · 1 mark · AWS SAA-C03 Practice Exam 5

    A company needs to inspect all outbound traffic from their VPC to the internet. They want to block traffic to known malicious domains and implement stateful packet inspection. Which AWS service should they use?

    Q08 · Easy · 1 mark · AWS SAA-C03 Practice Exam 6

    A company hosts a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The security team has detected SQL injection attempts against the application. Which AWS service should a solutions architect deploy to block these attacks?

    Q09 · Medium · 1 mark · AWS SAA-C03 Practice Exam 6

    A solutions architect is designing the network security for a three-tier web application in a VPC. The architect needs to implement security controls at the subnet level and the instance level. Which TWO statements about VPC security are correct? (Select TWO.)

    Q10 · Easy · 1 mark · AWS SAA-C03 Practice Exam 6

    A company wants to continuously monitor its AWS accounts for malicious activity, such as unusual API calls or unauthorized deployments, using machine learning and threat intelligence. Which AWS service should be used?

    Q11 · Medium · 1 mark · AWS SAA-C03 Practice Exam 6

    An application running on EC2 instances in a private subnet needs to upload large files to Amazon S3. The security team dictates that this traffic must not traverse the public internet. How should a solutions architect configure the network?

    Q12 · Medium · 1 mark · AWS SAA-C03 Practice Exam 6

    A healthcare company stores patient records in Amazon S3. The compliance team requires automated discovery and alerting if any Personally Identifiable Information (PII) or Protected Health Information (PHI) is uploaded to the buckets. Which TWO actions should a solutions architect take to meet this requirement? (Select TWO.)

    Q13 · Hard · 1 mark · AWS SAA-C03 Practice Exam 6

    A financial institution requires 24/7 support and financial protection against Distributed Denial of Service (DDoS) attacks for its critical web applications. The applications are hosted on EC2 instances behind an ALB. Which AWS service provides these specific benefits?

    Q14 · Hard · 1 mark · AWS SAA-C03 Practice Exam 6

    A company wants to inspect all outbound traffic from its VPC to the internet. The security team requires deep packet inspection, stateful domain name filtering, and intrusion prevention system (IPS) capabilities. Which AWS service should be implemented?

    Q08 · Easy · 1 mark · AWS SAA-C03 Practice Exam 7

    A company is hosting a web application on EC2 instances behind an Application Load Balancer (ALB). The company wants to protect the application from common web exploits like SQL injection and cross-site scripting (XSS). Which AWS service should be used?

    Q09 · Medium · 1 mark · AWS SAA-C03 Practice Exam 7

    A solutions architect is designing a VPC for a multi-tier application. The database tier must be completely isolated from the internet, but the EC2 instances in the database tier need to download software patches from external repositories. Which TWO components are required to meet these needs? (Select TWO.)

    Q10 · Easy · 1 mark · AWS SAA-C03 Practice Exam 7

    A company wants to continuously monitor its AWS accounts for malicious activity and unauthorized behavior, such as unusual API calls or compromised EC2 instances communicating with known command-and-control servers. Which service should be enabled?

    Q11 · Hard · 1 mark · AWS SAA-C03 Practice Exam 7

    An application uses an Amazon RDS MySQL database. The security team requires that all database connections use SSL/TLS encryption in transit. How can a solutions architect enforce this requirement?

    Q12 · Medium · 1 mark · AWS SAA-C03 Practice Exam 7

    A company is deploying a fleet of EC2 instances in a private subnet. The instances need to access Amazon S3 to download configuration files. The security policy strictly prohibits traffic from traversing the public internet. What is the MOST secure way to provide this access?

    Q13 · Medium · 1 mark · AWS SAA-C03 Practice Exam 7

    A company wants to secure its VPC network. They need to explicitly deny traffic from a specific malicious IP address from reaching their EC2 instances. Which TWO methods can be used to achieve this? (Select TWO.)

    Q14 · Medium · 1 mark · AWS SAA-C03 Practice Exam 7

    A company is using AWS Security Hub to aggregate security alerts. They want to automatically remediate specific findings, such as open SSH ports on security groups, without manual intervention. What is the MOST operationally efficient way to do this?
