Domain 2.3: Security Controls
32 questions across 7 exams
All questions (32)
A financial application stores highly sensitive PII in Amazon S3. The security team requires that the data be encrypted at rest using keys managed by the company's on-premises Hardware Security Module (HSM). Which encryption strategy should be used?
A company is hosting a public-facing web application on EC2 instances behind an Application Load Balancer. They want to protect the application from SQL injection, cross-site scripting (XSS), and volumetric DDoS attacks. Which combination of services provides the MOST comprehensive protection?
A company is building a serverless application using AWS Lambda and Amazon API Gateway. They need to secure the API against unauthorized access. The users authenticate via a third-party Identity Provider (IdP) that supports OpenID Connect (OIDC). Which TWO methods can be used to authorize API requests? (Select TWO)
An architect is designing a secure CI/CD pipeline using AWS CodePipeline, CodeBuild, and CodeDeploy. The pipeline needs to deploy an application to an Auto Scaling group of EC2 instances. The EC2 instances must retrieve highly sensitive database credentials during the deployment process. Which THREE security practices should be implemented? (Select THREE)
A healthcare company is designing a new application that processes PHI (Protected Health Information). They must ensure end-to-end encryption, strict network isolation, and automated auditing of all API calls. Which THREE AWS services are required to meet these compliance mandates? (Select THREE)
A company is deploying a new application using AWS CloudFormation. They need to ensure that sensitive parameters, such as database passwords, are not hardcoded in the templates and are rotated automatically every 30 days. Which THREE actions should they take? (Select THREE)
An architect is designing a secure VPC architecture. They need to ensure that Amazon EC2 instances in private subnets can download software updates from the internet, but the instances must not be reachable from the internet. Additionally, all outbound traffic must be inspected by a third-party firewall appliance. Which THREE components are required? (Select THREE)
A company is designing a serverless application using Amazon API Gateway and AWS Lambda. They need to protect the API from SQL injection and cross-site scripting (XSS) attacks. Which solution requires the LEAST operational overhead?
A company is designing a multi-tenant SaaS application. They need to ensure that each tenant's data is strictly isolated. They are using Amazon DynamoDB. What is the MOST scalable and secure way to implement tenant isolation?
A company has a web application hosted on EC2 instances behind an Application Load Balancer (ALB). They want to authenticate users using their corporate Microsoft Active Directory (on-premises) before allowing access to the application. Which solution requires the LEAST custom code?
A company is using Amazon S3 to host a static website. They want to use Amazon CloudFront to distribute the content globally. They must ensure that users can ONLY access the content via CloudFront, and direct access to the S3 bucket URL is blocked. How should this be configured?
An application stores sensitive PII in Amazon S3. Compliance requires that data is encrypted at rest using keys managed by the company, and the encryption keys must be rotated annually automatically. Which encryption strategy meets these requirements?
A web application is deployed across multiple AWS Regions. The security team wants to protect the application from SQL injection and cross-site scripting (XSS) attacks globally using a single set of rules. Which architecture is MOST appropriate?
An application needs to access database credentials. The security policy dictates that credentials must be rotated automatically every 30 days without application downtime. Which service should be used?
A company needs to securely manage SSL/TLS certificates for their internal applications hosted on EC2 instances. The certificates must be trusted by internal clients but not public. Which TWO services/features should be used? (Select TWO)
A financial application requires end-to-end encryption. The application runs on EC2 instances behind an Application Load Balancer (ALB). The security team requires that the TLS connection terminates at the EC2 instances, not at the load balancer, to ensure data is encrypted in transit through the AWS network. How should the architect design this solution?
A company is deploying a highly sensitive application on Amazon EC2. The application processes PII and requires that all data in transit between EC2 instances within the VPC be encrypted. The company wants to achieve this with ZERO configuration changes to the application code or the operating system. How can this be achieved?
A company is building a new application using AWS CDK. The application requires a database password to connect to Amazon RDS. The security team mandates that the password must be automatically rotated every 30 days without any application downtime. Which solution meets these requirements?
A healthcare organization is building a data lake on Amazon S3 to store patient records. They must comply with HIPAA regulations. The data must be encrypted at rest using keys that the organization exclusively controls and rotates. Access to the data must be strictly limited to a specific IAM role, and any access from outside the corporate VPC must be blocked. Which combination of configurations will meet these requirements? (Select THREE)
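The two S3 bucket-policy patterns that the CloudFront-only question and the VPC-locked data-lake question above describe, as an added example that is not part of the exam page and not AWS tooling. The bucket name, account ID, distribution ID, role name and VPC endpoint ID are constructed placeholders. The evaluator models only the bucket policy itself (an explicit Deny wins, then any matching Allow, otherwise implicit deny) and ignores identity policies, SCPs, ACLs and cross-account rules, so it is a teaching aid for reading the policies, not a replacement for the IAM policy simulator.

```python
import fnmatch
import json

# Constructed identifiers; none of these refer to real resources.
ACCOUNT = "111122223333"
BUCKET_ARN = "arn:aws:s3:::example-patient-records"
DIST_ARN = f"arn:aws:cloudfront::{ACCOUNT}:distribution/EDFDVBD6EXAMPLE"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/PatientRecordsReader"
VPCE_ID = "vpce-0123456789abcdef0"
BUCKET_AND_OBJECTS = [BUCKET_ARN, f"{BUCKET_ARN}/*"]


def cloudfront_only_policy():
    """Origin access control pattern: the CloudFront service principal may read
    objects only on behalf of one named distribution. There is no anonymous grant,
    so a request to the bucket URL gets AccessDenied."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowCloudFrontOAC", "Effect": "Allow",
        "Principal": {"Service": "cloudfront.amazonaws.com"},
        "Action": "s3:GetObject", "Resource": f"{BUCKET_ARN}/*",
        "Condition": {"StringEquals": {"AWS:SourceArn": DIST_ARN}}}]}


def vpc_locked_policy():
    """Allow one role, then deny any request that is not that role or that did not
    arrive through the corporate VPC endpoint. StringNotEquals also matches when the
    condition key is absent, which is exactly the case for requests from the internet."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowReaderRole", "Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
         "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": BUCKET_AND_OBJECTS},
        {"Sid": "DenyOutsideVpce", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": BUCKET_AND_OBJECTS,
         "Condition": {"StringNotEquals": {"aws:SourceVpce": VPCE_ID}}},
        {"Sid": "DenyOtherPrincipals", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": BUCKET_AND_OBJECTS,
         "Condition": {"StringNotEquals": {"aws:PrincipalArn": ROLE_ARN}}}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principal_matches(principal, req):
    if principal == "*":
        return True
    for kind, values in principal.items():  # "AWS" (IAM principal) or "Service"
        actual = req.get("principal_arn") if kind == "AWS" else req.get("service")
        if actual in _as_list(values):
            return True
    return False


def _conditions_match(cond, req):
    # Condition keys are case-insensitive; aws:PrincipalArn is derived from the caller.
    ctx = {k.lower(): v for k, v in req.get("context", {}).items()}
    if "principal_arn" in req:
        ctx.setdefault("aws:principalarn", req["principal_arn"])
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            actual = ctx.get(key.lower())  # None when the key is absent from the request
            if op == "StringEquals" and actual not in _as_list(expected):
                return False
            if op == "StringNotEquals" and actual in _as_list(expected):
                return False
    return True


def is_allowed(policy, req):
    """Simplified decision for one request: dict with action, resource and optionally
    principal_arn, service and context (condition keys)."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], req):
            continue
        if not any(fnmatch.fnmatchcase(req["action"], a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(req["resource"], r) for r in _as_list(stmt["Resource"])):
            continue
        if not _conditions_match(stmt.get("Condition", {}), req):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit deny ends evaluation
        allowed = True
    return allowed


def demo():
    obj = f"{BUCKET_ARN}/records/123.json"
    cf, vpc = cloudfront_only_policy(), vpc_locked_policy()
    get = {"action": "s3:GetObject", "resource": obj}
    cf_req = dict(get, service="cloudfront.amazonaws.com")
    other_role = f"arn:aws:iam::{ACCOUNT}:role/SomeOtherRole"
    return {
        "anonymous_via_bucket_url": is_allowed(cf, get),
        "via_named_distribution": is_allowed(cf, dict(cf_req, context={"AWS:SourceArn": DIST_ARN})),
        "via_other_distribution": is_allowed(cf, dict(cf_req, context={
            "AWS:SourceArn": f"arn:aws:cloudfront::{ACCOUNT}:distribution/E2QWRUHEXAMPLE"})),
        "reader_role_inside_vpc": is_allowed(vpc, dict(get, principal_arn=ROLE_ARN,
                                                       context={"aws:SourceVpce": VPCE_ID})),
        "reader_role_from_internet": is_allowed(vpc, dict(get, principal_arn=ROLE_ARN)),
        "other_role_inside_vpc": is_allowed(vpc, dict(get, principal_arn=other_role,
                                                      context={"aws:SourceVpce": VPCE_ID})),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A blanket Deny with Principal "*" applies to administrators and to any AWS service role that reaches the bucket from outside the VPC endpoint, so production versions of the second policy carve out a break-glass role with an aws:PrincipalArn list; the KMS key policy for the SSE-KMS key (not modelled here) is a second, independent gate the same role must also pass.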
A company is designing a multi-tenant SaaS application on AWS. They need to isolate the data of each tenant. The application uses Amazon DynamoDB. Some tenants have very strict compliance requirements and demand that their data is encrypted with their own KMS key. Other tenants are fine with standard encryption. What is the MOST scalable way to design the DynamoDB architecture?
A financial services company is building a new application on AWS. They must ensure that all data at rest is encrypted using keys managed by the company (Customer Managed Keys). The security team requires that the encryption keys are automatically rotated every year, and that specific IAM roles can only use the keys for encryption, not decryption. Which combination of actions should the Architect take? (Select THREE)
A healthcare organization is migrating its patient records system to AWS. The system consists of a web frontend, an application tier, and an Oracle database. The organization must comply with strict regulatory requirements: all data must be encrypted at rest using a dedicated hardware security module (HSM) under their exclusive control, and the database must be highly available across multiple Availability Zones. Which combination of services and configurations should the Architect use? (Select THREE)
A data science team uses Amazon SageMaker to train machine learning models. The training data is highly sensitive and stored in an Amazon S3 bucket. The security team requires that the SageMaker training instances do not have internet access and that all data transfer between SageMaker and S3 occurs over the private AWS network. How should the Architect configure the environment?
A healthcare application stores PHI in Amazon DynamoDB. Compliance requires that all data is encrypted at rest using a key that the security team can rotate annually. The application must not experience downtime during key rotation. Which solution meets these requirements?
An architecture uses Amazon API Gateway and AWS Lambda. The APIs must be protected by mutual TLS (mTLS). How should the architect implement mTLS?
A company wants to implement a Zero Trust architecture for their internal web applications hosted on EC2. Users should authenticate via the corporate Identity Provider (IdP) before accessing the applications, without using a VPN. Which AWS service provides this capability?
A financial institution requires that all data stored in Amazon S3 is automatically scanned for sensitive information such as credit card numbers and Social Security Numbers. If found, an alert must be generated. Which service should be used?
An enterprise uses AWS KMS to manage encryption keys. They have a strict regulatory requirement that the cryptographic material must be generated and stored in a FIPS 140-2 Level 3 validated hardware appliance that they exclusively control. Which solution meets this requirement?
A healthcare company is building a new patient portal on AWS. The application uses an Application Load Balancer (ALB), Amazon EC2 instances in an Auto Scaling group, and an Amazon RDS for MySQL database. To meet HIPAA compliance, all data must be encrypted at rest and in transit. How should the architect ensure end-to-end encryption in transit from the user to the database?
A company is designing a data lake on Amazon S3. Data is ingested from various sources and processed by AWS Glue. The security team requires that all data be encrypted at rest using a customer-managed KMS key. Furthermore, access to the data must be strictly controlled based on user roles, and all data access must be audited. Which combination of services and configurations should be used? (Select THREE)
A financial services company is building a data lake on Amazon S3. They need to query the data using Amazon Athena. The data contains Personally Identifiable Information (PII). The security team requires that the PII columns be dynamically redacted or masked when queried by unauthorized users, without creating duplicate copies of the data. How can this be achieved?
A company is designing a highly secure environment on AWS. They need to store sensitive database credentials. The credentials must be rotated automatically every 30 days. The application running on EC2 needs to retrieve these credentials securely without hardcoding them. Which combination of steps should be taken? (Select TWO)
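The client-side half of "rotate every 30 days without downtime", which the three credential-rotation questions above (Secrets Manager for RDS, the CDK application, and the EC2 application) all turn on: when rotation writes a new AWSCURRENT version, a client holding a cached copy will fail to authenticate on its next new connection, so the client must cache the secret, refetch on an authentication failure, and retry once. This is an added example, not code from the exam page or from AWS. The boto3 client and the database are replaced by constructed in-memory stand-ins so the block runs offline; the only real call it mirrors is `get_secret_value(SecretId=...)`, which has the same signature on the real boto3 client.

```python
import json
import time


class FakeSecretsManager:
    """Constructed stand-in for boto3.client("secretsmanager"): only the one method
    this example needs, returning the same SecretString shape the real API does."""
    def __init__(self, password):
        self.password = password
        self.calls = 0

    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"SecretString": json.dumps({"username": "app", "password": self.password})}


class FakeDatabase:
    """Constructed stand-in for RDS: accepts only the currently valid password."""
    def __init__(self, password):
        self.password = password

    def connect(self, username, password):
        if password != self.password:
            raise PermissionError("authentication failed")
        return f"connection-as-{username}"


class SecretCache:
    """Caches the parsed secret so each new DB connection does not cost an API call;
    refreshes on TTL expiry or when the caller reports that the cached value is stale."""
    def __init__(self, client, secret_id, ttl_seconds=300, clock=time.monotonic):
        self.client, self.secret_id, self.ttl, self.clock = client, secret_id, ttl_seconds, clock
        self._value, self._fetched_at = None, 0.0

    def get(self, force_refresh=False):
        now = self.clock()
        if force_refresh or self._value is None or now - self._fetched_at > self.ttl:
            resp = self.client.get_secret_value(SecretId=self.secret_id)
            self._value, self._fetched_at = json.loads(resp["SecretString"]), now
        return self._value


def connect_with_rotation_retry(db, cache):
    """Use the cached credentials; an auth failure is the signature of a rotation that
    happened after the last fetch, so refresh once and retry, then let it raise."""
    creds = cache.get()
    try:
        return db.connect(creds["username"], creds["password"])
    except PermissionError:
        creds = cache.get(force_refresh=True)
        return db.connect(creds["username"], creds["password"])


def demo():
    sm = FakeSecretsManager("pw-v1")
    db = FakeDatabase("pw-v1")
    cache = SecretCache(sm, "prod/app/db")  # constructed secret name
    first = connect_with_rotation_retry(db, cache)   # fetches the secret (API call 1)
    second = connect_with_rotation_retry(db, cache)  # served from cache, no API call
    sm.password, db.password = "pw-v2", "pw-v2"      # rotation: new AWSCURRENT, DB updated
    third = connect_with_rotation_retry(db, cache)   # stale cache fails, refresh (call 2), retry
    return {"connections": [first, second, third], "api_calls": sm.calls}


if __name__ == "__main__":
    print(demo())
```

The retry covers the window in which a single-user rotation has already changed the database password but clients still hold the old value; the alternating-users rotation strategy for RDS keeps the previous credential valid during rotation, which is why it is the recommended choice when existing connections must not be interrupted.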