A. In the security group of the EC2 instance, allow inbound ICMP traffic. B. In the security group of the EC2 instance, allow outbound ICMP traffic. C. In the VPC's NACL, allow inbound ICMP traffic. D. In the VPC's NACL, allow outbound ICMP traffic. QUESTION 117 A Security Engineer is building a Java application that is running on Amazon EC2. The application communicates with an Amazon RDS instance and authenticates with a user name and password. Which combination of steps can the Engineer take to protect the credentials and minimize downtime when the credentials are rotated? (Choose two.) A. Have a Database Administrator encrypt the credentials and store the ciphertext in Amazon S3. Grant
permission to the instance role associated with the EC2 instance to read the object and decrypt the ciphertext. B. Configure a scheduled job that updates the credential in AWS Systems Manager Parameter Store and notifies the Engineer that the application needs to be restarted. C. Configure automatic rotation of credentials in AWS Secrets Manager. D. Store the credential in an encrypted string parameter in AWS Systems Manager Parameter Store. Grant permission to the instance role associated with the EC2 instance to access the parameter and the AWS KMS key that is used to encrypt it. E. Configure the Java application to catch a connection failure and make a call to AWS Secrets Manager to retrieve updated credentials when the password is rotated. Grant permission to the instance role associated with the EC2 instance to access Secrets Manager. QUESTION 118 A company has several production AWS accounts and a central security AWS account. The security account is used for centralized monitoring and has IAM privileges to all resources in every corporate account. All of the company's Amazon S3 buckets are tagged with a value denoting the data classification of their contents. A Security Engineer is deploying a monitoring solution in the security account that will enforce bucket policy compliance. The system must monitor S3 buckets in all production accounts and confirm that any policy change is in accordance with the bucket's data classification. If any change is out of compliance; the Security team must be notified quickly. Which combination of actions would build the required solution? (Choose three.) A. Configure Amazon CloudWatch Events in the production accounts to send all S3 events to the security account event bus. B. Enable Amazon GuardDuty in the security account. and join the production accounts as members. C. Configure an Amazon CloudWatch Events rule in the security account to detect S3 bucket creation or modification events. D. Enable AWS Trusted Advisor and activate email notifications for an email address assigned to the security contact. E. Invoke an AWS Lambda function in the security account to analyze S3 bucket settings in response to S3 events, and send non-compliance notifications to the Security team.
You've reached the end of your free preview.
Want to read all 49 pages?
- Fall '19
- AWS, Amazon Elastic Compute Cloud