AWS Certified Security - Specialty Practice Test

Answer: B,D
Explanation:The correct answer is B and D. In the dedicated security account, create an Amazon S3bucket. Configure S3 Object Lock in compliance mode and a retention period of 2 years onthe S3 bucket. Set the bucket policy to allow the organization’s member accounts to writeto the S3 bucket. Create an AWS CloudTrail trail for the organization. Configure logs to bedelivered to the logging Amazon S3 bucket in the dedicated security account.According to the AWS documentation, AWS CloudTrail is a service that enablesgovernance, compliance, operational auditing, and risk auditing of your AWS account. WithCloudTrail, you can log, continuously monitor, and retain account activity related to actionsacross your AWS infrastructure. CloudTrail provides event history of your AWS accountactivity, including actions taken through the AWS Management Console, AWS SDKs,command line tools, and other AWS services.To use CloudTrail with multiple AWS accounts and regions, you need to enable AWSOrganizations with all features enabled. This allows you to centrally manage your accountsand apply policies across your organization. You can also use CloudTrail as a serviceprincipal for AWS Organizations, which lets you create an organization trail that applies toall accounts in your organization. An organization trail logs events for all AWS Regions anddelivers the log files to an S3 bucket that you specify. To create an organization trail, you need to use an administrator account, such as theorganization’s management account or a delegated administrator account. You can thenconfigure the trail to deliver logs to an S3 bucket in the dedicated security account. This willensure that all account activity across all member accounts and regions is logged andreported to the security account.According to the AWS documentation, Amazon S3 is an object storage service that offersscalability, data availability, security, and performance. You can use S3 to store andretrieve any amount of data from anywhere on the web. You can also use S3 features suchas lifecycle management, encryption, versioning, and replication to optimize your storage.To use S3 with CloudTrail logs, you need to create an S3 bucket in the dedicated securityaccount that will store the logs from the organization trail. You can then configure S3Object Lock on the bucket to prevent objects from being deleted or overwritten for a fixedamount of time or indefinitely. You can also enable compliance mode on the bucket, whichprevents any user, including the root user in your account, from deleting or modifying alocked object until it reaches its retention date.To set a retention period of 2 years on the S3 bucket, you need to create a default retentionconfiguration for the bucket that specifies a retention mode (either governance orcompliance) and a retention period (either a number of days or a date). You can then setthe bucket policy to allow the organization’s member accounts to write to the S3 bucket.This will ensure that all logs are retained in a secure storage location within the securityaccount for 2 years and no changes or deletions are allowed.Option A is incorrect because setting the bucket policy to allow the organization’smanagement account to write to the S3 bucket is not sufficient, as it will not grant access tothe other member accounts in the organization.Option C is incorrect because using an S3 Lifecycle configuration that expires objects after2 years is not secure, as it will allow users to delete or modify objects before they expire.Option E is incorrect because using Lambda and Kinesis Data Firehose to forward logsfrom one S3 bucket to another is not necessary, as CloudTrail can directly deliver logs toan S3 bucket in another account. It also introduces additional operational overhead andcomplexity.

Answer: A

Answer: C
Explanation: To improve the security at the edge of the solution to defend against a large, layer 7 DDoSattack, the security engineer should do the following:Configure AWS WAF with a rate-based rule that imposes a rate limit thatautomatically blocks requests when the rate limit is exceeded. This allows thesecurity engineer to use a rule that tracks the number of requests from a single IPaddress and blocks subsequent requests if they exceed a specified thresholdwithin a specified time period.

Answer: A
Explanation: this is the simplest change that can address the server issue. CloudFront is aservice that provides a global network of edge locations that cache and deliver webcontent. Creating a CloudFront distribution and configuring the ALB as the origin can helpreduce the load on the Tomcat server by serving cached content to the end users.CloudFront can also provide protection against distributed denial-of-service (DDoS) attacksby filtering malicious traffic at the edge locations. The other options are either ineffective orcomplex for solving the server issue.

Answer: C
Explanation:Q: Which data sources does GuardDuty analyze? GuardDuty analyzes CloudTrailmanagement event logs, CloudTrail S3 data event logs, VPC Flow Logs, DNS query logs,and Amazon EKS audit logs. GuardDuty can also scan EBS volume data for possiblemalware when GuardDuty Malware Protection is enabled and identifies suspiciousbehavior indicative of malicious software in EC2 instance or container workloads. Theservice is optimized to consume large data volumes for near real-time processing ofsecurity detections. GuardDuty gives you access to built-in detection techniques developedand optimized for the cloud, which are maintained and continuously improved upon byGuardDuty engineering.