21 questions across 7 exams
A security audit reveals that several Amazon EC2 instances have critical OS vulnerabilities. The security team wants to automate the process of scanning for vulnerabilities and applying OS patches across all accounts in the organization. Which combination of services should be used?
An enterprise is migrating 500 applications to AWS. They want to establish a continuous compliance framework to ensure all deployed resources adhere to corporate security standards (e.g., encrypted EBS volumes, restricted security groups). Which TWO services should be combined to provide automated detection and remediation? (Select TWO)
An organization is implementing a continuous compliance strategy. They need to ensure that all EBS volumes are encrypted, all S3 buckets block public access, SSH is not open to the world, and any non-compliant resources are automatically remediated. Which FOUR AWS services or features are required? (Select FOUR)
A company is using AWS WAF to protect their web application. They are noticing a high volume of requests from malicious IP addresses that are constantly changing. They want to automatically block IP addresses that exhibit anomalous behavior, such as scanning for vulnerabilities. Which AWS WAF feature should they use?
A security team needs to continuously monitor their AWS environment for malicious activity, unauthorized behavior, and compromised EC2 instances. They want a centralized view across multiple accounts. Which solution is MOST appropriate?
A company requires that all S3 buckets are private. If a developer accidentally makes a bucket public, it must be automatically reverted to private within minutes. Which combination of services achieves this?
A security audit reveals that IAM users have overly permissive policies. The security team wants to automatically analyze CloudTrail logs to generate least-privilege IAM policies based on actual usage over the last 90 days. Which tool should they use?
A security team wants to automate vulnerability management for their EC2 fleet. They need to scan instances weekly, automatically apply missing critical patches, and generate a compliance report. Which THREE services/features should be used? (Select THREE)
A security team is conducting an audit of their AWS environment. They want to identify any IAM roles that have been granted permissions they haven't used in the last 90 days, so they can implement least privilege. Which AWS service or feature provides this specific capability?
A company has a strict security policy that all Amazon S3 buckets must be encrypted with AWS KMS. They have hundreds of existing buckets across multiple accounts. The security team wants to automatically remediate any bucket that is created without KMS encryption, or any existing bucket that has encryption disabled. What is the MOST scalable and automated way to achieve this?
A company is using AWS CodePipeline for CI/CD. The pipeline deploys an application to an Amazon EKS cluster. The security team wants to ensure that container images are scanned for vulnerabilities before they are deployed. If a critical vulnerability is found, the pipeline must stop. What is the MOST automated way to implement this?
An enterprise has 100+ AWS accounts. They want to ensure that all EBS snapshots are encrypted, no public S3 buckets exist, and MFA is enabled for all IAM users. They need a centralized dashboard to view the compliance status of all accounts and automatically remediate non-compliant resources. Which service combination BEST meets these requirements?
A company is using AWS CodePipeline for its CI/CD process. The pipeline deploys an application to an Amazon ECS cluster. The security team requires that every container image must be scanned for vulnerabilities before it is deployed. If critical vulnerabilities are found, the pipeline must fail automatically. How can the Architect implement this requirement?
A company wants to improve the security posture of their AWS Organizations environment. They need to automatically detect unintended public access to S3 buckets and ensure that all IAM users have MFA enabled. Which TWO services should they use to achieve this? (Select TWO)
An enterprise is refactoring its network security. They want to centrally manage firewall rules across all VPCs and enforce deep packet inspection (DPI) on all outbound internet traffic. Which TWO actions should the architect take? (Select TWO)
A company wants to improve data security for their Amazon RDS instances. They need to ensure that database credentials are never hardcoded in applications and that access to the database is authenticated using IAM roles. Which TWO steps are required? (Select TWO)
An architect is reviewing a legacy application running on EC2 instances. The instances have public IP addresses and are accessed directly via SSH by administrators. The architect must improve security by removing public IPs and eliminating inbound open ports, while still allowing administrators to access the instances securely. Which TWO actions should be taken? (Select TWO)
A company wants to enforce strict data perimeter controls. They want to ensure that IAM principals in their AWS Organization can only access AWS resources from within their corporate network or their VPCs. Which TWO mechanisms should be used together to achieve this? (Select TWO)
A security audit reveals that several Amazon EC2 instances in a VPC have unrestricted outbound internet access. The security team requires that all outbound traffic be inspected, and access to known malicious domains must be blocked. The solution must be highly available and scale automatically. Which combination of steps should the architect take? (Select TWO)
A security team wants to automate the response to compromised Amazon EC2 instances. If Amazon GuardDuty detects that an EC2 instance is communicating with a known command-and-control (C&C) server, the instance must be immediately isolated from the network, and a forensic snapshot of its EBS volume must be taken. What is the MOST automated way to achieve this?
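The response the question above describes is usually wired as GuardDuty finding -> EventBridge rule -> Lambda. The following is an added example of such a Lambda, not code from the question page or from AWS: it quarantines the instance by replacing its security groups with a rule-less quarantine group, turns on termination protection so the evidence is not destroyed by an Auto Scaling or admin terminate, and snapshots every attached EBS volume with tags linking it to the finding. The EC2 client is injected so the logic runs offline against the FakeEC2 stub below; inside Lambda it falls back to boto3. The quarantine group id, the finding-type substring filter and the sample event are constructed assumptions.

```python
"""Added example: automated GuardDuty C&C response (isolate + forensic snapshot).

Pattern: GuardDuty finding -> EventBridge rule -> this Lambda.
The EC2 client is injected so the logic runs offline against FakeEC2;
in Lambda it falls back to boto3. Quarantine SG id, finding-type filter
and SAMPLE_EVENT are constructed assumptions.
"""
import os

# GuardDuty's EC2 C&C findings are named Backdoor:EC2/C&CActivity.B and
# Backdoor:EC2/C&CActivity.B!DNS; matching on the substring is an assumption
# that keeps the filter short. Tighten it to exact types in production.
C2_MARKERS = ("C&CActivity",)


def is_c2_finding(event):
    """True if the EventBridge event wraps a GuardDuty EC2 C&C finding."""
    detail = event.get("detail", {})
    if detail.get("resource", {}).get("resourceType") != "Instance":
        return False
    return any(m in detail.get("type", "") for m in C2_MARKERS)


def isolate_and_snapshot(ec2, instance_id, quarantine_sg, finding_id):
    """Quarantine first (stop the C2 traffic), then snapshot the volumes."""
    # Replace *all* security groups with the quarantine group (no rules).
    # Check the AWS connection-tracking docs: established tracked flows may
    # not drop immediately; a network ACL deny is the usual belt-and-braces.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])
    # Keep the evidence: block API termination until forensics is done.
    ec2.modify_instance_attribute(
        InstanceId=instance_id, DisableApiTermination={"Value": True})
    ec2.create_tags(Resources=[instance_id], Tags=[
        {"Key": "SecurityStatus", "Value": "quarantined"},
        {"Key": "GuardDutyFinding", "Value": finding_id},
    ])
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    snapshot_ids = []
    for reservation in resp["Reservations"]:
        for inst in reservation["Instances"]:
            for bdm in inst.get("BlockDeviceMappings", []):
                vol = bdm.get("Ebs", {}).get("VolumeId")
                if not vol:
                    continue  # instance-store devices have nothing to snapshot
                snap = ec2.create_snapshot(
                    VolumeId=vol,
                    Description=f"Forensic snapshot {instance_id} {finding_id}",
                    TagSpecifications=[{"ResourceType": "snapshot", "Tags": [
                        {"Key": "GuardDutyFinding", "Value": finding_id},
                        {"Key": "SourceInstance", "Value": instance_id},
                    ]}],
                )
                snapshot_ids.append(snap["SnapshotId"])
    return snapshot_ids


def handler(event, context=None, ec2=None):
    """Lambda entry point; `ec2` is injected for offline runs."""
    if not is_c2_finding(event):
        return {"action": "ignored", "type": event.get("detail", {}).get("type")}
    if ec2 is None:
        import boto3  # only needed inside Lambda
        ec2 = boto3.client("ec2")
    quarantine_sg = os.environ.get("QUARANTINE_SG", "sg-0quarantine000000")  # assumed id
    instance_id = event["detail"]["resource"]["instanceDetails"]["instanceId"]
    finding_id = event["detail"].get("id", "unknown")
    snaps = isolate_and_snapshot(ec2, instance_id, quarantine_sg, finding_id)
    return {"action": "isolated", "instance": instance_id, "snapshots": snaps}


class FakeEC2:
    """Minimal stand-in for boto3's EC2 client (constructed for offline use)."""
    def __init__(self, volumes):
        self.volumes, self.groups, self.tags, self.snapshots = volumes, None, {}, []
        self.termination_protected = False

    def modify_instance_attribute(self, InstanceId, **kw):
        if "Groups" in kw:
            self.groups = kw["Groups"]
        if kw.get("DisableApiTermination", {}).get("Value"):
            self.termination_protected = True

    def create_tags(self, Resources, Tags):
        self.tags.update({t["Key"]: t["Value"] for t in Tags})

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [{"InstanceId": InstanceIds[0],
                "BlockDeviceMappings": [{"Ebs": {"VolumeId": v}} for v in self.volumes]}]}]}

    def create_snapshot(self, VolumeId, **kw):
        sid = f"snap-{len(self.snapshots):017x}"
        self.snapshots.append((sid, VolumeId))
        return {"SnapshotId": sid}


# Constructed EventBridge event in the shape GuardDuty emits for a finding.
SAMPLE_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "c0ffee0000000000000000000000000001",
        "type": "Backdoor:EC2/C&CActivity.B!DNS", "severity": 8,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT, ec2=FakeEC2(volumes=["vol-0a", "vol-0b"])))
```

The ordering is deliberate: cut the network first, then preserve evidence, then snapshot, since a snapshot taken while the host is still beaconing is of less value than one taken after it is contained. The Lambda's execution role needs only ec2:ModifyInstanceAttribute, ec2:CreateTags, ec2:DescribeInstances and ec2:CreateSnapshot, ideally scoped with a condition on the finding's account and region.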
A company wants to implement continuous compliance monitoring for their AWS environment. They want to be alerted if any Amazon S3 bucket becomes publicly accessible or if any IAM user has a password older than 90 days. Which AWS service is BEST suited for this?
Full answers, grading, and explanations on why each answer is correct.