
AWS Certified Security - Specialty Question and Answers

AWS Certified Security - Specialty

Last Update Sep 13, 2023
Total Questions : 589

Questions 1

An application running on Amazon EC2 instances generates log files in a folder on a Linux file system. The instances block access to the console and file transfer utilities, such as Secure Copy Protocol (SCP) and Secure File Transfer Protocol (SFTP). The Application Support team wants to automatically monitor the application log files so the team can set up notifications in the future.

A Security Engineer must design a solution that meets the following requirements:

• Make the log files available through an IAM managed service.

• Allow for automatic monitoring of the logs.

• Provide an interface for analyzing logs.

• Minimize effort.

Which approach meets these requirements?

Options:

A.  

Modify the application to use the IAM SDK. Write the application logs to an Amazon S3 bucket.

B.  

Install the unified Amazon CloudWatch agent on the instances. Configure the agent to collect the application log files on the EC2 file system and send them to Amazon CloudWatch Logs.

C.  

Install IAM Systems Manager Agent on the instances. Configure an automation document to copy the application log files to IAM DeepLens.

D.  

Install Amazon Kinesis Agent on the instances. Stream the application log files to Amazon Kinesis Data Firehose and set the destination to Amazon Elasticsearch Service.

Questions 2

A company has several production IAM accounts and a central security IAM account. The security account is used for centralized monitoring and has IAM privileges to all resources in every corporate account. All of the company's Amazon S3 buckets are tagged with a value denoting the data classification of their contents.

A Security Engineer is deploying a monitoring solution in the security account that will enforce bucket policy compliance. The system must monitor S3 buckets in all production accounts and confirm that any policy change is in accordance with the bucket's data classification. If any change is out of compliance, the Security team must be notified quickly.

Which combination of actions would build the required solution? (Choose three.)

Options:

A.  

Configure Amazon CloudWatch Events in the production accounts to send all S3 events to the security account event bus.

B.  

Enable Amazon GuardDuty in the security account, and join the production accounts as members.

C.  

Configure an Amazon CloudWatch Events rule in the security account to detect S3 bucket creation or modification events.

D.  

Enable IAM Trusted Advisor and activate email notifications for an email address assigned to the security contact.

E.  

Invoke an IAM Lambda function in the security account to analyze S3 bucket settings in response to S3 events, and send non-compliance notifications to the Security team.

F.  

Configure event notifications on S3 buckets for PUT, POST, and DELETE events.

Questions 3

A company is using IAM Organizations to manage multiple IAM accounts. The company has an application that allows users to assume the AppUser IAM role to download files from an Amazon S3 bucket that is encrypted with an IAM KMS CMK. However, when users try to access the files in the S3 bucket, they get an access denied error.

What should a Security Engineer do to troubleshoot this error? (Select THREE )

Options:

A.  

Ensure the KMS key policy allows the AppUser role permission to decrypt with the CMK.

B.  

Ensure the S3 bucket policy allows the AppUser role permission to get objects from the S3 bucket.

C.  

Ensure the CMK was created before the S3 bucket.

D.  

Ensure the S3 block public access feature is enabled for the S3 bucket.

E.  

Ensure that automatic key rotation is disabled for the CMK.

F.  

Ensure the SCPs within Organizations allow access to the S3 bucket.

Questions 4

A company's Security Engineer has been asked to monitor and report all IAM account root user activities.

Which of the following would enable the Security Engineer to monitor and report all root user activities? (Select TWO)

Options:

A.  

Configuring IAM Organizations to monitor root user API calls on the paying account

B.  

Creating an Amazon CloudWatch Events rule that will trigger when any API call from the root user is reported

C.  

Configuring Amazon Inspector to scan the IAM account for any root user activity

D.  

Configuring IAM Trusted Advisor to send an email to the Security team when the root user logs in to the console

E.  

Using Amazon SNS to notify the target group

Questions 5

A Solutions Architect is designing a web application that uses Amazon CloudFront, an Elastic Load Balancing Application Load Balancer, and an Auto Scaling group of Amazon EC2 instances. The load balancer and EC2 instances are in the US West (Oregon) region. It has been decided that encryption in transit is necessary by using a customer-branded domain name from the client to CloudFront and from CloudFront to the load balancer.

Assuming that IAM Certificate Manager is used, how many certificates will need to be generated?

Options:

A.  

One in the US West (Oregon) region and one in the US East (Virginia) region.

B.  

Two in the US West (Oregon) region and none in the US East (Virginia) region.

C.  

One in the US West (Oregon) region and none in the US East (Virginia) region.

D.  

Two in the US East (Virginia) region and none in the US West (Oregon) region.

Questions 6

A company hosts its public website on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an EC2 Auto Scaling group across multiple Availability Zones. The website is under a DDoS attack by a specific IoT device brand that is visible in the user agent. A security engineer needs to mitigate the attack without impacting the availability of the public website.

What should the security engineer do to accomplish this?

Options:

A.  

Configure a web ACL rule for IAM WAF to block requests with a string match condition for the user agent of the IoT device. Associate the web ACL with the ALB.

B.  

Configure an Amazon CloudFront distribution to use the ALB as an origin. Configure a web ACL rule for IAM WAF to block requests with a string match condition for the user agent of the IoT device. Associate the web ACL with the ALB. Change the public DNS entry of the website to point to the CloudFront distribution.

C.  

Configure an Amazon CloudFront distribution to use a new ALB as an origin. Configure a web ACL rule for IAM WAF to block requests with a string match condition for the user agent of the IoT device. Change the ALB security group to allow access from CloudFront IP address ranges only. Change the public DNS entry of the website to point to the CloudFront distribution.

D.  

Activate IAM Shield Advanced to enable DDoS protection. Apply an IAM WAF ACL to the ALB, and configure a listener rule on the ALB to block IoT devices based on the user agent.

Questions 7

A company's application runs on Amazon EC2 and stores data in an Amazon S3 bucket. The company wants additional security controls in place to limit the likelihood of accidental exposure of data to external parties.

Which combination of actions will meet this requirement? (Select THREE.)

Options:

A.  

Encrypt the data in Amazon S3 using server-side encryption with Amazon S3 managed encryption keys (SSE-S3)

B.  

Encrypt the data in Amazon S3 using server-side encryption with IAM KMS managed encryption keys (SSE-KMS)

C.  

Create a new Amazon S3 VPC endpoint and modify the VPC's routing tables to use the new endpoint

D.  

Use the Amazon S3 Block Public Access feature.

E.  

Configure the bucket policy to allow access from the application instances only

F.  

Use a NACL to filter traffic to Amazon S3

Questions 8

A company uses SAML federation with IAM Identity and Access Management (IAM) to provide internal users with SSO for their IAM accounts. The company's identity provider certificate was rotated as part of its normal lifecycle. Shortly after, users started receiving the following error when attempting to log in:

"Error: Response Signature Invalid (Service: IAMSecurityTokenService; Status Code: 400; Error Code: InvalidIdentityToken)"

A security engineer needs to address the immediate issue and ensure that it will not occur again.

Which combination of steps should the security engineer take to accomplish this? (Select TWO.)

Options:

A.  

Download a new copy of the SAML metadata file from the identity provider. Create a new IAM identity provider entity. Upload the new metadata file to the new IAM identity provider entity.

B.  

During the next certificate rotation period and before the current certificate expires, add a new certificate as the secondary to the identity provider. Generate a new metadata file and upload it to the IAM identity provider entity. Perform automated or manual rotation of the certificate when required.

C.  

Download a new copy of the SAML metadata file from the identity provider. Upload the new metadata to the IAM identity provider entity configured for the SAML integration in question.

D.  

During the next certificate rotation period and before the current certificate expires, add a new certificate as the secondary to the identity provider. Generate a new copy of the metadata file and create a new IAM identity provider entity. Upload the metadata file to the new IAM identity provider entity. Perform automated or manual rotation of the certificate when required.

E.  

Download a new copy of the SAML metadata file from the identity provider. Create a new IAM identity provider entity. Upload the new metadata file to the new IAM identity provider entity. Update the identity provider configuration to pass the new IAM identity provider entity name in the SAML assertion.

Questions 9

A Security Engineer manages IAM Organizations for a company. The Engineer would like to restrict IAM usage to allow Amazon S3 only in one of the organizational units (OUs). The Engineer adds the following SCP to the OU:

The next day, API calls to IAM IAM appear in IAM CloudTrail logs in an account under that OU. How should the Security Engineer resolve this issue?

Options:

A.  

Move the account to a new OU and deny IAM:* permissions.

B.  

Add a Deny policy for all non-S3 services at the account level.

C.  

Change the policy to:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowS3",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}

D.  

Detach the default FullIAMAccess SCP

Questions 10

A company has a VPC with an IPv6 address range and a public subnet with an IPv6 address block. The VPC currently hosts some public Amazon EC2 instances but a Security Engineer needs to migrate a second application into the VPC that also requires IPv6 connectivity.

This new application will occasionally make API requests to an external, internet-accessible endpoint to receive updates. However, the Security team does not want the application's EC2 instance exposed directly to the internet. The Security Engineer intends to create a private subnet with a custom route table and to associate the route table with the private subnet.

What else does the Security Engineer need to do to ensure the application will not be exposed directly to the internet, but can still communicate as required?

Options:

A.  

Launch a NAT instance in the public subnet. Update the custom route table with a new route to the NAT instance.

B.  

Remove the internet gateway, and add IAM PrivateLink to the VPC. Then update the custom route table with a new route to IAM PrivateLink.

C.  

Add a managed NAT gateway to the VPC. Update the custom route table with a new route to the gateway.

D.  

Add an egress-only internet gateway to the VPC. Update the custom route table with a new route to the gateway.

Questions 11

A company has multiple production IAM accounts. Each account has IAM CloudTrail configured to log to a single Amazon S3 bucket in a central account. Two of the production accounts have trails that are not logging anything to the S3 bucket.

Which steps should be taken to troubleshoot the issue? (Choose three.)

Options:

A.  

Verify that the log file prefix is set to the name of the S3 bucket where the logs should go.

B.  

Verify that the S3 bucket policy allows access for CloudTrail from the production IAM account IDs.

C.  

Create a new CloudTrail configuration in the account, and configure it to log to the account’s S3 bucket.

D.  

Confirm in the CloudTrail Console that each trail is active and healthy.

E.  

Open the global CloudTrail configuration in the master account, and verify that the storage location is set to the correct S3 bucket.

F.  

Confirm in the CloudTrail Console that the S3 bucket name is set correctly.

Questions 12

A Security Engineer creates an Amazon S3 bucket policy that denies access to all users. A few days later, the Security Engineer adds an additional statement to the bucket policy to allow read-only access to one other employee. Even after updating the policy, the employee still receives an access denied message.

What is the likely cause of this access denial?

Options:

A.  

The ACL in the bucket needs to be updated.

B.  

The IAM policy does not allow the user to access the bucket.

C.  

It takes a few minutes for a bucket policy to take effect.

D.  

The allow permission is being overridden by the deny.
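The evaluation rule this question turns on can be checked mechanically. The following toy evaluator is an added illustration, not code from the exam page or from AWS: it models only explicit-deny-wins and implicit deny for one resource-based policy (identity policies, SCPs, ACLs and condition keys are out of scope), and every ARN and bucket name in it is constructed.

```python
"""Toy S3 bucket-policy evaluator (added illustration, not AWS code).

It models just the rule the scenario turns on: an explicit Deny in any matching
statement overrides every Allow, and a request no statement allows is implicitly
denied. All ARNs and bucket names below are constructed sample values.
"""
from fnmatch import fnmatchcase

BUCKET = "arn:aws:s3:::example-bucket"                 # constructed
EMPLOYEE = "arn:aws:iam::111111111111:user/alice"      # constructed
ACCOUNT_ROOT = "arn:aws:iam::111111111111:root"        # constructed
OTHER_USER = "arn:aws:iam::111111111111:user/bob"      # constructed


def _matches(pattern_or_list, value):
    """IAM-style wildcard match ('*' and '?') of value against one or more patterns."""
    patterns = pattern_or_list if isinstance(pattern_or_list, list) else [pattern_or_list]
    return any(fnmatchcase(value, p) for p in patterns)


def _principal_matches(statement, principal_arn):
    if "Principal" in statement:
        principal = statement["Principal"]
        return principal == "*" or _matches(principal.get("AWS", []), principal_arn)
    if "NotPrincipal" in statement:
        return not _matches(statement["NotPrincipal"].get("AWS", []), principal_arn)
    return False


def evaluate(policy, principal_arn, action, resource):
    """Return 'Allow' or 'Deny' for one request against one resource-based policy."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_principal_matches(stmt, principal_arn)
                and _matches(stmt["Action"], action)
                and _matches(stmt["Resource"], resource)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"      # explicit deny: nothing later in the policy can override it
        allowed = True         # remember the allow, but keep scanning for a deny
    return "Allow" if allowed else "Deny"   # implicit deny when nothing allowed it


# The policy as the engineer left it: a deny-all statement plus a later allow.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyEveryone", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"]},
        {"Sid": "AllowAliceRead", "Effect": "Allow", "Principal": {"AWS": EMPLOYEE},
         "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": [BUCKET, BUCKET + "/*"]},
    ],
}

# One way to express the intent: the Deny must exclude the employee rather than
# cover her. AWS documents that a NotPrincipal Deny naming an IAM user must also
# name that user's account root ARN, or the account (user included) stays denied.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyEveryoneElse", "Effect": "Deny",
         "NotPrincipal": {"AWS": [EMPLOYEE, ACCOUNT_ROOT]},
         "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"]},
        ORIGINAL_POLICY["Statement"][1],
    ],
}

if __name__ == "__main__":
    obj = BUCKET + "/report.pdf"
    for name, policy in (("original", ORIGINAL_POLICY), ("fixed", FIXED_POLICY)):
        print(name, "alice GetObject ->", evaluate(policy, EMPLOYEE, "s3:GetObject", obj))
        print(name, "bob   GetObject ->", evaluate(policy, OTHER_USER, "s3:GetObject", obj))
```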

Questions 13

A Security Engineer has several thousand Amazon EC2 instances split across production and development environments. Each instance is tagged with its environment. The Engineer needs to analyze and patch all the development EC2 instances to ensure they are not currently exposed to any common vulnerabilities and exposures (CVEs).

Which combination of steps is the MOST efficient way for the Engineer to meet these requirements? (Select TWO.)

Options:

A.  

Log on to each EC2 instance, check and export the different software versions installed, and verify this against a list of current CVEs.

B.  

Install the Amazon Inspector agent on all development instances. Build a custom rule package, and configure Inspector to perform a scan using this custom rule on all instances tagged as being in the development environment.

C.  

Install the Amazon Inspector agent on all development instances. Configure Inspector to perform a scan using the CVE rule package on all instances tagged as being in the development environment.

D.  

Install the Amazon EC2 Systems Manager agent on all development instances. Issue the Run Command to EC2 Systems Manager to update all instances.

E.  

Use IAM Trusted Advisor to check that all EC2 instances have been patched to the most recent version of operating system and installed software.

Questions 14

A company has two software development teams that are creating applications that store sensitive data in Amazon S3. Each team's data must always be separate. The company's security team must design a data encryption strategy for both teams that provides the ability to audit key usage. The solution must also minimize operational overhead.

What should the security team recommend?

Options:

A.  

Tell the application teams to use two different S3 buckets with separate IAM Key Management Service (IAM KMS) IAM managed CMKs. Limit the key policies to allow encryption and decryption of the CMKs to their respective teams only. Force the teams to use encryption context to encrypt and decrypt.

B.  

Tell the application teams to use two different S3 buckets with a single IAM Key Management Service (IAM KMS) IAM managed CMK. Limit the key policy to allow encryption and decryption of the CMK only. Do not allow the teams to use encryption context to encrypt and decrypt.

C.  

Tell the application teams to use two different S3 buckets with separate IAM Key Management Service (IAM KMS) customer managed CMKs. Limit the key policies to allow encryption and decryption of the CMKs to their respective teams only. Force the teams to use encryption context to encrypt and decrypt.

D.  

Tell the application teams to use two different S3 buckets with a single IAM Key Management Service (IAM KMS) customer managed CMK. Limit the key policy to allow encryption and decryption of the CMK only. Do not allow the teams to use encryption context to encrypt and decrypt.

Questions 15

A company uses multiple IAM accounts managed with IAM Organizations. Security engineers have created a standard set of security groups for all these accounts. The security policy requires that these security groups be used for all applications and delegates modification authority to the security team only.

A recent security audit found that the security groups are inconsistently implemented across accounts and that unauthorized changes have been made to the security groups. A security engineer needs to recommend a solution to improve consistency and to prevent unauthorized changes in the individual accounts in the future.

Which solution should the security engineer recommend?

Options:

A.  

Use IAM Resource Access Manager to create shared resources for each required security group and apply an IAM policy that permits read-only access to the security groups only.

B.  

Create an IAM CloudFormation template that creates the required security groups. Execute the template as part of configuring new accounts. Enable Amazon Simple Notification Service (Amazon SNS) notifications when changes occur.

C.  

Use IAM Firewall Manager to create a security group policy, enable the policy feature to identify and revert local changes, and enable automatic remediation.

D.  

Use IAM Control Tower to edit the account factory template to enable the shared security groups option. Apply an SCP to the OU or individual accounts that prohibits security group modifications from local account users.

Questions 16

A company has multiple IAM accounts that are part of IAM Organizations. The company's Security team wants to ensure that even those Administrators with full access to the company's IAM accounts are unable to access the company's Amazon S3 buckets.

How should this be accomplished?

Options:

A.  

Use SCPs

B.  

Add a permissions boundary to deny access to Amazon S3 and attach it to all roles.

C.  

Use an S3 bucket policy

D.  

Create a VPC endpoint for Amazon S3 and deny statements for access to Amazon S3

Questions 17

Unapproved changes were previously made to a company's Amazon S3 bucket. A security engineer configured IAM Config to record configuration changes made to the company's S3 buckets. The engineer discovers there are S3 configuration changes being made, but no Amazon SNS notifications are being sent. The engineer has already checked the configuration of the SNS topic and has confirmed the configuration is valid.

Which combination of steps should the security engineer take to resolve the issue? (Select TWO.)

Options:

A.  

Configure the S3 bucket ACLs to allow IAM Config to record changes to the buckets.

B.  

Configure policies attached to S3 buckets to allow IAM Config to record changes to the buckets.

C.  

Attach the AmazonS3ReadOnlyAccess managed policy to the IAM user.

D.  

Verify the security engineer's IAM user has an attached policy that allows all IAM Config actions.

E.  

Assign the IAMConfigRole managed policy to the IAM Config role.

Questions 18

Which of the following are valid configurations for using SSL certificates with Amazon CloudFront? (Select THREE.)

Options:

A.  

Default IAM Certificate Manager certificate

B.  

Custom SSL certificate stored in IAM KMS

C.  

Default CloudFront certificate

D.  

Custom SSL certificate stored in IAM Certificate Manager

E.  

Default SSL certificate stored in IAM Secrets Manager

F.  

Custom SSL certificate stored in IAM IAM

Questions 19

A developer is creating an IAM Lambda function that requires environment variables to store connection information and logging settings. The developer is required to use an IAM KMS Customer Master Key (CMK) supplied by the information security department in order to adhere to company standards for securing Lambda environment variables.

Which of the following are required for this configuration to work? (Select TWO.)

Options:

A.  

The developer must configure Lambda access to the VPC using the --vpc-config parameter.

B.  

The Lambda function execution role must have the kms:Decrypt permission added in the IAM IAM policy.

C.  

The KMS key policy must allow permissions for the developer to use the KMS key.

D.  

The IAM IAM policy assigned to the developer must have the kms:GenerateDataKey permission added.

E.  

The Lambda execution role must have the kms:Encrypt permission added in the IAM IAM policy.

Questions 20

A security engineer is designing a solution that will provide end-to-end encryption between clients and Docker containers running in Amazon Elastic Container Service (Amazon ECS). This solution will also handle volatile traffic patterns.

Which solution would have the MOST scalability and LOWEST latency?

Options:

A.  

Configure a Network Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers.

B.  

Configure an Application Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers.

C.  

Configure a Network Load Balancer with a TCP listener to pass through TLS traffic to the containers.

D.  

Configure Amazon Route 53 to use multivalue answer routing to send traffic to the containers.

Questions 21

A large government organization is moving to the cloud and has specific encryption requirements. The first workload to move requires that a customer's data be immediately destroyed when the customer makes that request.

Management has asked the security team to provide a solution that will securely store the data, allow only authorized applications to perform encryption and decryption, and allow for immediate destruction of the data.

Which solution will meet these requirements?

Options:

A.  

Use IAM Secrets Manager and an IAM SDK to create a unique secret for the customer-specific data.

B.  

Use IAM Key Management Service (IAM KMS) and the IAM Encryption SDK to generate and store a data encryption key for each customer.

C.  

Use IAM Key Management Service (IAM KMS) with service-managed keys to generate and store customer-specific data encryption keys.

D.  

Use IAM Key Management Service (IAM KMS) and create an IAM CloudHSM custom key store. Use CloudHSM to generate and store a new CMK for each customer.

Questions 22

A Security Engineer discovered a vulnerability in an application running on Amazon ECS. The vulnerability allowed attackers to install malicious code. Analysis of the code shows it exfiltrates data on port 5353 in batches at random time intervals.

While the code of the containers is being patched, how can Engineers quickly identify all compromised hosts and stop the egress of data on port 5353?

Options:

A.  

Enable IAM Shield Advanced and IAM WAF. Configure an IAM WAF custom filter for egress traffic on port 5353.

B.  

Enable Amazon Inspector on Amazon ECS and configure a custom assessment to evaluate containers that have port 5353 open. Update the NACLs to block port 5353 outbound.

C.  

Create an Amazon CloudWatch custom metric on the VPC Flow Logs identifying egress traffic on port 5353. Update the NACLs to block port 5353 outbound.

D.  

Use Amazon Athena to query IAM CloudTrail logs in Amazon S3 and look for any traffic on port 5353. Update the security groups to block port 5353 outbound.

Questions 23

You have a set of 100 EC2 instances in an IAM account. You need to ensure that all of these instances are patched and kept up to date. All of the instances are in a private subnet. How can you achieve this? Choose 2 answers from the options given below.

Please select:

Options:

A.  

Ensure a NAT gateway is present to download the updates.

B.  

Use Systems Manager to patch the instances.

C.  

Ensure an internet gateway is present to download the updates.

D.  

Use IAM Inspector to patch the updates.

Questions 24

A financial institution has the following security requirements:

  • Cloud-based users must be contained in a separate authentication domain.
  • Cloud-based users cannot access on-premises systems.

As part of standing up a cloud environment, the financial institution is creating a number of Amazon managed databases and Amazon EC2 instances. An Active Directory service exists on-premises that has all the administrator accounts, and these must be able to access the databases and instances.

How would the organization manage its resources in the MOST secure manner? (Choose two.)

Options:

A.  

Configure an IAM Managed Microsoft AD to manage the cloud resources.

B.  

Configure an additional on-premises Active Directory service to manage the cloud resources.

C.  

Establish a one-way trust relationship from the existing Active Directory to the new Active Directory service.

D.  

Establish a one-way trust relationship from the new Active Directory to the existing Active Directory service.

E.  

Establish a two-way trust between the new and existing Active Directory services.

Questions 25

A company requires that SSH commands used to access its IAM instances be traceable to the user who executed each command.

How should a Security Engineer accomplish this?

Options:

A.  

Allow inbound access on port 22 at the security group attached to the instance. Use IAM Systems Manager Session Manager for shell access to Amazon EC2 instances with the user tag defined. Enable Amazon CloudWatch logging for Systems Manager sessions.

B.  

Use Amazon S3 to securely store one Privacy Enhanced Mail Certificate (PEM file) for each user. Allow Amazon EC2 to read from Amazon S3 and import every user that wants to use SSH to access EC2 instances. Allow inbound access on port 22 at the security group attached to the instance. Install the Amazon CloudWatch agent on the EC2 instance and configure it to ingest audit logs for the instance.

C.  

Deny inbound access on port 22 at the security group attached to the instance. Use IAM Systems Manager Session Manager for shell access to Amazon EC2 instances with the user tag defined. Enable Amazon CloudWatch logging for Systems Manager sessions.

D.  

Use Amazon S3 to securely store one Privacy Enhanced Mail Certificate (PEM file) for each team or group. Allow Amazon EC2 to read from Amazon S3 and import every user that wants to use SSH to access EC2 instances. Allow inbound access on port 22 at the security group attached to the instance. Install the Amazon CloudWatch agent on the EC2 instance and configure it to ingest audit logs for the instance.

Questions 26

A company is using IAM Secrets Manager to store secrets that are encrypted using a CMK and are stored in the security account 111122223333. One of the company's production accounts, 444455556666, must retrieve the secret values from the security account 111122223333. A security engineer needs to apply a policy to the secret in the security account based on least privilege access so the production account can retrieve the secret value only.

Which policy should the security engineer apply?

Options:

A.  

Option A

B.  

Option B

C.  

Option C

D.  

Option D

Questions 27

A security engineer must use IAM Key Management Service (IAM KMS) to design a key management solution for a set of Amazon Elastic Block Store (Amazon EBS) volumes that contain sensitive data. The solution needs to ensure that the key material automatically expires in 90 days.

Which solution meets these criteria?

Options:

A.  

A customer managed CMK that uses customer provided key material.

B.  

A customer managed CMK that uses IAM provided key material.

C.  

An IAM managed CMK.

D.  

Operating system-native encryption that uses GnuPG.

Questions 28

Your team is designing a web application. The users of this web application need to sign in via an external identity provider such as Facebook or Google. Which of the following IAM services would you use for authentication?

Please select:

Options:

A.  

IAM Cognito

B.  

IAM SAML

C.  

IAM IAM

D.  

IAM Config

Questions 29

A company uses a third-party identity provider and SAML-based SSO for its IAM accounts. After the third-party identity provider renewed an expired signing certificate, users saw the following message when trying to log in:

A security engineer needs to provide a solution that corrects the error and minimizes operational overhead. Which solution meets these requirements?

Options:

A.  

Upload the third-party signing certificate's new private key to the IAM identity provider entity defined in IAM Identity and Access Management (IAM) by using the IAM Management Console.

B.  

Sign the identity provider's metadata file with the new public key. Upload the signature to the IAM identity provider entity defined in IAM Identity and Access Management (IAM) by using the IAM CLI.

C.  

Download the updated SAML metadata file from the identity service provider. Update the file in the IAM identity provider entity defined in IAM Identity and Access Management (IAM) by using the IAM CLI.

D.  

Configure the IAM identity provider entity defined in IAM Identity and Access Management (IAM) to synchronously fetch the new public key by using the IAM Management Console.

Questions 30

A company is configuring three Amazon EC2 instances with each instance in a separate Availability Zone. The EC2 instances will be used as transparent proxies for outbound internet traffic for ports 80 and 443 so the proxies can block traffic to certain internet destinations as required by the company's security policies. A Security Engineer completed the following:

• Set up the proxy software on the EC2 instances.

• Modified the route tables on the private subnets to use the proxy EC2 instances as the default route.

• Created a security group rule opening inbound port 80 and 443 TCP protocols on the proxy EC2 instance security group.

However, the proxy EC2 instances are not successfully forwarding traffic to the internet.

What should the Security Engineer do to make the proxy EC2 instances route traffic to the internet?

Options:

A.  

Put all the proxy EC2 instances in a cluster placement group.

B.  

Disable source and destination checks on the proxy EC2 instances.

C.  

Open all inbound ports on the proxy EC2 instance security group.

D.  

Change the VPC's DHCP domain-name-servers option set to the IP addresses of the proxy EC2 instances.

Questions 31

A company is deploying a new web application on IAM. Based on their other web applications, they anticipate being the target of frequent DDoS attacks. Which steps can the company take to protect their application? Select 2 answers from the options given below.

Please select:

Options:

A.  

Associate the EC2 instances with a security group that blocks traffic from blacklisted IP addresses.

B.  

Use an ELB Application Load Balancer and Auto Scaling group to scale to absorb application layer traffic.

C.  

Use Amazon Inspector on the EC2 instances to examine incoming traffic and discard malicious traffic.

D.  

Use CloudFront and AWS WAF to prevent malicious traffic from reaching the application.

E.  

Enable GuardDuty to block malicious traffic from reaching the application

Questions 32

A company has several customer master keys (CMKs), some of which have imported key material. Each CMK must be rotated annually.

Which two methods can the security team use to rotate each key? Select 2 answers from the options given below.


Options:

A.  

Enable automatic key rotation for a CMK

B.  

Import new key material to an existing CMK

C.  

Use the CLI or console to explicitly rotate an existing CMK

D.  

Import new key material to a new CMK; Point the key alias to the new CMK.

E.  

Delete an existing CMK and a new default CMK will be created.

Questions 33

A city is implementing an election results reporting website that will use Amazon CloudFront. The website runs on a fleet of Amazon EC2 instances behind an Application Load Balancer (ALB) in an Auto Scaling group. Election results are updated hourly and are stored as .pdf files in an Amazon S3 bucket. A Security Engineer needs to ensure that all external access to the website goes through CloudFront.

Which solution meets these requirements?

Options:

A.  

Create an IAM role that allows CloudFront to access the specific S3 bucket. Modify the S3 bucket policy to allow only the new IAM role to access its contents. Create an interface VPC endpoint for CloudFront to securely communicate with the ALB.

B.  

Create an IAM role that allows CloudFront to access the specific S3 bucket. Modify the S3 bucket policy to allow only the new IAM role to access its contents. Associate the ALB with a security group that allows only incoming traffic from the CloudFront service to communicate with the ALB.

C.  

Create an origin access identity (OAI) in CloudFront. Modify the S3 bucket policy to allow only the new OAI to access the bucket contents. Create an interface VPC endpoint for CloudFront to securely communicate with the ALB.

D.  

Create an origin access identity (OAI) in CloudFront. Modify the S3 bucket policy to allow only the new OAI to access the bucket contents. Associate the ALB with a security group that allows only incoming traffic from the CloudFront service to communicate with the ALB.

Questions 34

A user has created a VPC with public and private subnets using the VPC wizard. The VPC has CIDR 20.0.0.0/16. The public subnet uses CIDR 20.0.1.0/24. The user is planning to host a web server in the public subnet on port 80 and a database server in the private subnet on port 3306. The user is configuring a security group for the public subnet (WebSecGrp) and one for the private subnet (DBSecGrp). Which of the below mentioned entries is required in the private subnet database security group DBSecGrp?


Options:

A.  

Allow Inbound on port 3306 for Source Web Server Security Group WebSecGrp.

B.  

Allow Inbound on port 3306 from source 20.0.0.0/16

C.  

Allow Outbound on port 3306 for Destination Web Server Security Group WebSecGrp.

D.  

Allow Outbound on port 80 for Destination NAT Instance IP

Questions 35

A DevOps team is currently looking at the security aspect of their CI/CD pipeline. They are making use of AWS resources for their infrastructure. They want to ensure that the EC2 instances don't have any high-severity security vulnerabilities, as part of a complete DevSecOps process. How can this be achieved?


Options:

A.  

Use AWS Config to check the state of the EC2 instances for any sort of security issues.

B.  

Use the Amazon Inspector APIs in the pipeline for the EC2 instances.

C.  

Use the AWS Trusted Advisor APIs in the pipeline for the EC2 instances.

D.  

Use security groups to ensure no vulnerabilities are present.

Questions 36

An enterprise wants to use a third-party SaaS application. The SaaS application needs to issue several API commands to discover Amazon EC2 resources running within the enterprise's account. The enterprise has internal security policies that require any outside access to their environment to conform to the principle of least privilege, and there must be controls in place to ensure that the credentials used by the SaaS vendor cannot be used by any other third party. Which of the following would meet all of these conditions?


Options:

A.  

From the AWS Management Console, navigate to the Security Credentials page and retrieve the access key and secret key for your account.

B.  

Create an IAM user within the enterprise account and assign a user policy to the IAM user that allows only the actions required by the SaaS application. Create a new access key and secret key for the user and provide these credentials to the SaaS provider.

C.  

Create an IAM role for cross-account access that allows the SaaS provider's account to assume the role, and assign it a policy that allows only the actions required by the SaaS application.

D.  

Create an IAM role for EC2 instances, assign it a policy that allows only the actions required for the SaaS application to work, and provide the role ARN to the SaaS provider to use when launching their application instances.

Questions 37

You are trying to use the AWS Systems Manager Run Command on a set of instances, but the command is not being executed on them. What can you do to diagnose the issue? Choose 2 answers from the options given below.


Options:

A.  

Ensure that the SSM Agent is running on the target machine.

B.  

Check the /var/log/amazon/ssm/errors.log file

C.  

Ensure the right AMI is used for the instance.

D.  

Ensure the security groups allow outbound communication for the instance.

Questions 38

You work as an administrator for a company. The company hosts a number of resources using AWS. There was an incident of suspicious API activity 11 days ago. The Security Admin has asked you to retrieve the API activity from that point in time. How can this be achieved?


Options:

A.  

Search the CloudWatch Logs for the suspicious activity which occurred 11 days ago.

B.  

Search the CloudTrail event history for the API events which occurred 11 days ago.

C.  

Search the CloudWatch metrics for the suspicious activity which occurred 11 days ago.

D.  

Use AWS Config to get the API calls which were made 11 days ago.

Questions 39

Your company is planning on developing a web-based application on AWS. The application users will use their Facebook or Google identities for authentication. You want to have the ability to manage user profiles without having to add extra code to manage this. Which of the below would assist in this?


Options:

A.  

Create an OIDC identity provider in IAM

B.  

Create a SAML provider in IAM

C.  

Use Amazon Cognito to manage the user profiles

D.  

Use IAM users to manage the user profiles

Questions 40

Your developer is using the KMS service and an assigned key in their Java program. They get the below error when running the code:

arn:aws:iam::113745388712:user/UserB is not authorized to perform: kms:DescribeKey

Which of the following could help resolve the issue?


Options:

A.  

Ensure that UserB is given the right IAM role to access the key

B.  

Ensure that UserB is given the right permissions in the IAM policy

C.  

Ensure that UserB is given the right permissions in the Key policy

D.  

Ensure that UserB is given the right permissions in the Bucket policy

Questions 41

One of the EC2 instances in your company has been compromised. What steps would you take to ensure that you could apply digital forensics to the instance? Select 2 answers from the options given below.


Options:

A.  

Remove the role applied to the EC2 instance

B.  

Create a separate forensic instance

C.  

Ensure that the security groups only allow communication to this forensic instance

D.  

Terminate the instance

Questions 42

You have a set of application, database and web servers hosted in AWS. The web servers are placed behind an ELB. There are separate security groups for the application, database and web servers, and the network security groups have been defined accordingly. There is an issue with the communication between the application and database servers. In order to troubleshoot the issue between just the application and database servers, what is the ideal set of MINIMAL steps you would take?


Options:

A.  

Check the inbound security rules for the database security group. Check the outbound security rules for the application security group.

B.  

Check the outbound security rules for the database security group. Check the inbound security rules for the application security group.

C.  

Check both the inbound and outbound security rules for the database security group. Check the inbound security rules for the application security group.

D.  

Check the outbound security rules for the database security group. Check both the inbound and outbound security rules for the application security group.

Questions 43

You have a requirement to conduct penetration testing on the AWS Cloud against a couple of EC2 instances. How could you go about doing this? Choose 2 right answers from the options given below.


Options:

A.  

Get prior approval from AWS for conducting the test

B.  

Use a pre-approved penetration testing tool.

C.  

Work with an AWS partner; no prior approval request from AWS is needed

D.  

Choose any of the EC2 instance types

Questions 44

Your company uses AWS KMS for management of its customer keys. From time to time, there is a requirement to delete existing keys as part of housekeeping activities. What can be done during the deletion process to verify that a key is no longer being used?


Options:

A.  

Use CloudTrail to see if any KMS API request has been issued against existing keys

B.  

Use Key policies to see the access level for the keys

C.  

Rotate the keys once before deletion to see if other services are using the keys

D.  

Change the IAM policy for the keys to see if other services are using the keys

Questions 45

An organization has set up multiple IAM users. The organization wants each IAM user to access the AWS Management Console only from within the organization's network and not from outside. How can it achieve this?


Options:

A.  

Create an IAM policy with the security group and use that security group for IAM console login

B.  

Create an IAM policy with a condition which denies access when the IP address range is not from the organization

C.  

Configure the EC2 instance security group which allows traffic only from the organization's IP range

D.  

Create an IAM policy with a VPC and allow a secure gateway between the organization and the AWS Management Console

Questions 46

A large organization is planning to host their resources on AWS. They have a number of autonomous departments that wish to use AWS. What strategy should be adopted for managing the accounts?


Options:

A.  

Use multiple VPCs in the account, one VPC for each department

B.  

Use multiple IAM groups, one group for each department

C.  

Use multiple IAM roles, one role for each department

D.  

Use multiple AWS accounts, one account for each department

Questions 47

Your company is planning on hosting its resources on AWS. There is a company policy which mandates that all security keys are completely managed within the company itself. Which of the following is the correct measure for following this policy?


Options:

A.  

Using the AWS KMS service for creation of the keys, with the company managing the key lifecycle thereafter.

B.  

Generating the key pairs for the EC2 instances using puttygen

C.  

Use the EC2 key pairs that come with AWS

D.  

Use S3 server-side encryption

Questions 48

An EC2 instance hosts a Java-based application that accesses a DynamoDB table. This EC2 instance is currently serving production users. Which of the following is a secure way of ensuring that the EC2 instance can access the DynamoDB table?


Options:

A.  

Use an IAM role with permissions to interact with DynamoDB and assign it to the EC2 instance

B.  

Use KMS keys with the right permissions to interact with DynamoDB and assign them to the EC2 instance

C.  

Use IAM access keys with the right permissions to interact with DynamoDB and assign them to the EC2 instance

D.  

Use IAM access groups with the right permissions to interact with DynamoDB and assign them to the EC2 instance

Questions 49

You need to inspect the running processes on an EC2 instance that may have a security issue. How can you achieve this in the easiest way possible? You also need to ensure that the inspection does not interfere with the continuous running of the instance.


Options:

A.  

Use AWS CloudTrail to record the processes running on the server to an S3 bucket.

B.  

Use Amazon CloudWatch to record the processes running on the server

C.  

Use the SSM Run Command to send the list of running processes to an S3 bucket.

D.  

Use AWS Config to see the changed process information on the server

Questions 50

Your application currently uses customer keys which were generated via AWS KMS in the US East region. You now want to use the same set of keys from the EU-Central region. How can this be accomplished?


Options:

A.  

Export the keys from the US East region and import them into the EU-Central region

B.  

Use key rotation and rotate the existing keys to the EU-Central region

C.  

Use the backing key from the US east region and use it in the EU-Central region

D.  

This is not possible since KMS keys are region specific

Questions 51

DDoS attacks that happen at the application layer commonly target web applications with lower volumes of traffic compared to infrastructure attacks. To mitigate these types of attacks, you will probably want to include a WAF (Web Application Firewall) as part of your infrastructure. To inspect all HTTP requests, WAFs sit in-line with your application traffic. Unfortunately, this creates a scenario where WAFs can become a point of failure or a bottleneck. To mitigate this problem, you need the ability to run multiple WAFs on demand during traffic spikes. This type of scaling for WAF is done via a "WAF sandwich." Which of the following statements best describes what a "WAF sandwich" is? Choose the correct answer from the options below.


Options:

A.  

The EC2 instance running your WAF software is placed between your private subnets and any NATed connections to the internet.

B.  

The EC2 instance running your WAF software is placed between your public subnets and your Internet Gateway.

C.  

The EC2 instance running your WAF software is placed between your public subnets and your private subnets.

D.  

The EC2 instance running your WAF software is included in an Auto Scaling group and placed in between two Elastic load balancers.

Questions 52

A company requires that data stored in AWS be encrypted at rest. Which of the following approaches achieve this requirement? Select 2 answers from the options given below.


Options:

A.  

When storing data in Amazon EBS, use only EBS-optimized Amazon EC2 instances.

B.  

When storing data in EBS, encrypt the volume by using AWS KMS.

C.  

When storing data in Amazon S3, use object versioning and MFA Delete.

D.  

When storing data in Amazon EC2 Instance Store, encrypt the volume by using KMS.

E.  

When storing data in S3, enable server-side encryption.

Questions 53

Your company is planning on using Amazon EC2 and ELB for deployment of their web applications. The security policy mandates that all traffic should be encrypted. Which of the following options will ensure that this requirement is met? Choose 2 answers from the options below.


Options:

A.  

Ensure the load balancer listens on port 80

B.  

Ensure the load balancer listens on port 443

C.  

Ensure the HTTPS listener sends requests to the instances on port 443

D.  

Ensure the HTTPS listener sends requests to the instances on port 80

Questions 54

Every application in a company's portfolio has a separate AWS account for development and production. The security team wants to prevent the root user and all IAM users in the production accounts from accessing a specific set of unneeded services. How can they control this functionality?


Options:

A.  

Create a Service Control Policy that denies access to the services. Assemble all production accounts in an organizational unit. Apply the policy to that organizational unit.

B.  

Create a Service Control Policy that denies access to the services. Apply the policy to the root account.

C.  

Create an IAM policy that denies access to the services. Associate the policy with an IAM group and enlist all users and the root user in this group.

D.  

Create an IAM policy that denies access to the services. Create a Config rule that checks that all users have the policy assigned. Trigger a Lambda function that adds the policy when it is found missing.

Questions 55

A company stores critical data in an S3 bucket. There is a requirement to ensure that an extra level of security is added to the S3 bucket. In addition, it should be ensured that objects are available in a secondary region if the primary one goes down. Which of the following can help fulfil these requirements? Choose 2 answers from the options given below.


Options:

A.  

Enable bucket versioning and also enable cross-region replication (CRR)

B.  

Enable bucket versioning and enable Master Pays

C.  

For the bucket policy, add a condition of {"Null": {"aws:MultiFactorAuthAge": true}}

D.  

Enable the bucket ACL and add a condition of {"Null": {"aws:MultiFactorAuthAge": true}}

Questions 56

A company has a set of EC2 instances hosted in AWS. These instances have EBS volumes for storing critical information. There is a business continuity requirement. In order to boost the agility of the business and to ensure data durability, which of the following options is not required?


Options:

A.  

Use lifecycle policies for the EBS volumes

B.  

Use EBS Snapshots

C.  

Use EBS volume replication

D.  

Use EBS volume encryption

Questions 57

A company has resources hosted in their AWS account. There is a requirement to monitor all API activity for all regions. The audit needs to be applied to future regions as well. Which of the following can be used to fulfil this requirement?


Options:

A.  

Enable CloudTrail for each region. Then enable it for each future region.

B.  

Ensure one CloudTrail trail is enabled for all regions.

C.  

Create a CloudTrail trail for each region. Use CloudFormation to enable the trail for all future regions.

D.  

Create a CloudTrail trail for each region. Use AWS Config to enable the trail for all future regions.

Questions 58

You need to ensure that the CloudTrail logs which are being delivered to your AWS account are encrypted. How can this be achieved in the easiest way possible?


Options:

A.  

Don't do anything since CloudTrail logs are automatically encrypted.

B.  

Enable SSE-S3 for the underlying bucket which receives the log files

C.  

Enable SSE-KMS for the underlying bucket which receives the log files

D.  

Enable KMS encryption for the logs which are sent to CloudWatch

Questions 59

A company continually generates sensitive records that it stores in an S3 bucket. All objects in the bucket are encrypted using SSE-KMS with one of the company's CMKs. Company compliance policies require that no more than one month of data be encrypted using the same encryption key. Which solution below will meet the company's requirements?


Options:

A.  

Trigger a Lambda function with a monthly CloudWatch Events rule that creates a new CMK and updates the S3 bucket to use the new CMK.

B.  

Configure the CMK to rotate the key material every month.

C.  

Trigger a Lambda function with a monthly CloudWatch Events rule that creates a new CMK, updates the S3 bucket to use the new CMK, and deletes the old CMK.

D.  

Trigger a Lambda function with a monthly CloudWatch Events rule that rotates the key material in the CMK.

Questions 60

You are building a large-scale confidential documentation web server on AWS, and all of the documentation for it will be stored on S3. One of the requirements is that it cannot be publicly accessible from S3 directly, and you will need to use CloudFront to accomplish this. Which of the methods listed below would satisfy the requirements as outlined? Choose an answer from the options below.


Options:

A.  

Create an Identity and Access Management (IAM) user for CloudFront and grant access to the objects in your S3 bucket to that IAM User.

B.  

Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI.

C.  

Create individual policies for each bucket the documents are stored in and in that policy grant access to only CloudFront.

D.  

Create an S3 bucket policy that lists the CloudFront distribution ID as the Principal and the target bucket as the Amazon Resource Name (ARN).

Questions 61

A company hosts data in S3. There is a requirement to control access to the S3 buckets. Which are the 2 ways in which this can be achieved?


Options:

A.  

Use Bucket policies

B.  

Use the Security Token Service (STS)

C.  

Use IAM user policies

D.  

Use IAM Access Keys

Questions 62

A user has enabled versioning on an S3 bucket. The user is using server-side encryption for data at rest. If the user is supplying his own keys for encryption (SSE-C), which of the below mentioned statements is true?


Options:

A.  

The user should use the same encryption key for all versions of the same object

B.  

It is possible to have different encryption keys for different versions of the same object

C.  

Amazon S3 does not allow the user to upload his own keys for server-side encryption

D.  

SSE-C does not work when versioning is enabled

Questions 63

You have private video content in S3 that you want to serve to subscribed users on the Internet. User IDs, credentials, and subscriptions are stored in an Amazon RDS database. Which configuration will allow you to securely serve private content to your users?


Options:

A.  

Generate pre-signed URLs for each user as they request access to protected S3 content

B.  

Create an IAM user for each subscribed user and assign the GetObject permission to each IAM user

C.  

Create an S3 bucket policy that limits access to your private content to only your subscribed users' credentials

D.  

Create a CloudFront Origin Identity user for your subscribed users and assign the GetObject permission to this user

Questions 64

An application running on EC2 instances processes sensitive information stored on Amazon S3. The information is accessed over the Internet. The security team is concerned that the Internet connectivity to Amazon S3 is a security risk. Which solution will resolve the security concern?


Options:

A.  

Access the data through an Internet Gateway.

B.  

Access the data through a VPN connection.

C.  

Access the data through a NAT Gateway.

D.  

Access the data through a VPC endpoint for Amazon S3

Questions 65

Your company has created a set of keys using the AWS KMS service. They need to ensure that each key is only used by certain services. For example, they want one key to be used only by the S3 service. How can this be achieved?


Options:

A.  

Create an IAM policy that allows the key to be accessed by only the S3 service.

B.  

Create a bucket policy that allows the key to be accessed by only the S3 service.

C.  

Use the kms:ViaService condition in the key policy

D.  

Define an IAM user, allocate the key and then assign the permissions to the required service

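Questions 45, 55 and 65 above all turn on a policy Condition: a NotIpAddress deny on aws:SourceIp, a Null test on aws:MultiFactorAuthAge, and kms:ViaService in a KMS key policy. The behaviour that trips people up is what happens when the condition key is absent from the request, so the following Python is added here as an illustration; it is not part of the original question bank or of any AWS documentation. It builds the three policies with constructed values (the 203.0.113.0/24 "office" range, the bucket name, the account ID and the role name are assumptions) and runs sample request contexts through a deliberately small evaluator that models only the operators these policies need, including the IAM rule that a negated operator such as NotIpAddress matches when its key is missing. That rule is the practitioner's caveat for Question 45: a request arriving through a VPC endpoint carries no aws:SourceIp, so the deny fires on it, and the aws:ViaAWSService condition is included so that services calling on the user's behalf are not denied for having the wrong source address.

```python
"""Toy evaluator for the policy conditions behind Questions 45, 55 and 65.

Models only NotIpAddress/IpAddress, Null, Bool and StringEquals, plus the IAM rule that a
negated operator matches when the key is absent from the request context. Principal and
Resource matching are left out: the assumption is that every request targets the policy's
own resources. Use the IAM policy simulator for anything real.
"""
import fnmatch
import ipaddress

# Constructed policies; CIDR, bucket, account ID and role name are illustrative.
IP_RESTRICTION_POLICY = {  # Question 45: console/API use only from the office range
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
                # Without this, a service acting on the user's behalf (its own IP,
                # not the office IP) would be denied as well.
                "Bool": {"aws:ViaAWSService": "false"},
            },
        },
    ],
}
MFA_BUCKET_POLICY = {  # Question 55: deny S3 calls from sessions that did not use MFA
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::critical-bucket/*"},
        {
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::critical-bucket/*",
            # aws:MultiFactorAuthAge is only present when the session authenticated with MFA
            "Condition": {"Null": {"aws:MultiFactorAuthAge": "true"}},
        },
    ],
}
KMS_KEY_POLICY = {  # Question 65: the key is usable only through S3 in us-east-1
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
            "Resource": "*",
            "Condition": {"StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com"}},
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition, ctx):
    """True when every operator/key pair in a Condition block matches the request context."""
    for op, pairs in condition.items():
        for key, wanted in pairs.items():
            wanted = [str(w) for w in _as_list(wanted)]
            if op == "Null":
                # "true" means the key must be absent, "false" that it must be present
                if (wanted[0].lower() == "true") != (key not in ctx):
                    return False
            elif key not in ctx:
                # Missing key: negated operators match vacuously, all others fail
                if "Not" not in op:
                    return False
            elif op == "StringEquals":
                if ctx[key] not in wanted:
                    return False
            elif op == "Bool":
                if ctx[key].lower() != wanted[0].lower():
                    return False
            elif op in ("IpAddress", "NotIpAddress"):
                addr = ipaddress.ip_address(ctx[key])
                in_range = any(addr in ipaddress.ip_network(c, strict=False) for c in wanted)
                if in_range == (op == "NotIpAddress"):
                    return False
            else:
                raise ValueError(f"operator {op} is not modelled here")
    return True


def evaluate(policy, action, ctx):
    """Return 'Deny', 'Allow' or 'ImplicitDeny'; an explicit Deny wins, as in IAM."""
    outcome = "ImplicitDeny"
    for statement in policy["Statement"]:
        actions = [a.lower() for a in _as_list(statement["Action"])]
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        if not condition_matches(statement.get("Condition", {}), ctx):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        outcome = "Allow"
    return outcome


if __name__ == "__main__":
    office = {"aws:SourceIp": "203.0.113.10", "aws:ViaAWSService": "false"}
    home = {"aws:SourceIp": "198.51.100.7", "aws:ViaAWSService": "false"}
    via_endpoint = {"aws:ViaAWSService": "false"}  # no aws:SourceIp over a VPC endpoint
    for name, ctx in (("office", office), ("home", home), ("vpc endpoint", via_endpoint)):
        print(name, evaluate(IP_RESTRICTION_POLICY, "ec2:DescribeInstances", ctx))
    print("no MFA", evaluate(MFA_BUCKET_POLICY, "s3:GetObject", {}))
    print("via EC2", evaluate(KMS_KEY_POLICY, "kms:Decrypt",
                              {"kms:ViaService": "ec2.us-east-1.amazonaws.com"}))
```

The kms:ViaService statement also shows why a direct kms:Decrypt call by the same role is refused: a direct call carries no kms:ViaService key, StringEquals cannot match an absent key, and the Allow never applies.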
Questions 66

Which of the following is the correct sequence of how KMS manages the keys when used along with the Amazon Redshift cluster service?


Options:

A.  

The master key encrypts the cluster key. The cluster key encrypts the database key. The database key encrypts the data encryption keys.

B.  

The master key encrypts the database key. The database key encrypts the data encryption keys.

C.  

The master key encrypts the data encryption keys. The data encryption keys encrypt the database key.

D.  

The master key encrypts the cluster key, the database key and the data encryption keys.

Questions 67

Your company has an EC2 instance hosted in AWS. This EC2 instance hosts an application. Currently this application is experiencing a number of issues. You need to inspect the network packets to see what type of error is occurring. Which one of the below steps can help address this issue?


Options:

A.  

Use the VPC Flow Logs.

B.  

Use a network monitoring tool provided by an AWS partner.

C.  

Use another instance. Set up a port in "promiscuous mode" and sniff the traffic to analyze the packets.

D.  

Use CloudWatch metrics

Questions 68

You have been given a new brief from your supervisor for a client who needs a web application set up on AWS. The most important requirement is that MySQL must be used as the database, and this database must not be hosted in the public cloud, but rather at the client's data center due to security risks. Which of the following solutions would be the best to assure that the client's requirements are met? Choose the correct answer from the options below.


Options:

A.  

Build the application server on a public subnet and the database at the client's data center. Connect them with a VPN connection which uses IPsec.

B.  

Use the public subnet for the application server and use RDS with a storage gateway to access and synchronize the data securely from the local data center.

C.  

Build the application server on a public subnet and the database on a private subnet with a NAT instance between them.

D.  

Build the application server on a public subnet and build the database in a private subnet with a secure ssh connection to the private subnet from the client's data center.

Questions 69

A customer has an instance hosted in the AWS public cloud. The VPC and subnet used to host the instance have been created with the default settings for the network access control lists. They need to provide an IT administrator secure access to the underlying instance. How can this be accomplished?


Options:

A.  

Ensure the network access control lists allow inbound SSH traffic from the IT administrator's workstation

B.  

Ensure the network access control lists allow outbound SSH traffic from the IT administrator's workstation

C.  

Ensure that the security group allows inbound SSH traffic from the IT administrator's workstation

D.  

Ensure that the security group allows outbound SSH traffic from the IT administrator's workstation

Questions 70

Your company is in the gaming domain and hosts several EC2 instances as game servers. The servers each experience user loads in the thousands. There is a concern of DDoS attacks on the EC2 instances, which could cause a huge revenue loss to the company. Which of the following can help mitigate this security concern and also ensure minimum downtime for the servers?


Options:

A.  

Use VPC Flow Logs to monitor the VPC and then implement NACLs to mitigate attacks

B.  

Use AWS Shield Advanced to protect the EC2 instances

C.  

Use Amazon Inspector to protect the EC2 instances

D.  

Use AWS Trusted Advisor to protect the EC2 instances

Questions 71

Your company manages thousands of EC2 instances. There is a mandate to ensure that none of the servers have any critical security flaws. Which of the following can be done to ensure this? Choose 2 answers from the options given below.


Options:

A.  

Use AWS Config to ensure that the servers have no critical flaws.

B.  

Use Amazon Inspector to ensure that the servers have no critical flaws.

C.  

Use Amazon Inspector to patch the servers

D.  

Use AWS SSM to patch the servers

Questions 72

Development teams in your organization use S3 buckets to store the log files for various applications hosted in development environments in AWS. The developers want to keep the logs for one month for troubleshooting purposes, and then purge the logs. What feature will enable this requirement?


Options:

A.  

Adding a bucket policy on the S3 bucket.

B.  

Configuring lifecycle configuration rules on the S3 bucket.

C.  

Creating an IAM policy for the S3 bucket.

D.  

Enabling CORS on the S3 bucket.

Questions 73

You have a requirement to serve private content using the keys available with CloudFront. How can this be achieved?


Options:

A.  

Add the keys to the backend distribution.

B.  

Add the keys to the S3 bucket

C.  

Create pre-signed URLs

D.  

Use IAM Access keys

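Questions 63 and 73 both come down to pre-signed URLs for private content. The block below is an added example, not from the question bank and not an AWS SDK call: it implements SigV4 query-string presigning for an S3 GET with the Python standard library and, to show what the service checks on receipt, the matching verification step. The bucket, object key and timestamps are constructed; the access key and secret are the placeholder credentials AWS prints in its own documentation and open nothing. The design point the example makes is that X-Amz-Date and X-Amz-Expires are inside the signed string, so a client cannot extend a URL it was handed, while the URL acts with the signer's permissions for its whole lifetime, so sign with a principal that can only read the intended objects and keep the window short.

```python
"""SigV4 query-string presigning for an S3 GET (Questions 63 and 73), plus the
verification the service performs, using only the standard library."""
import calendar
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, urlsplit

MAX_EXPIRY = 7 * 24 * 3600  # S3 rejects SigV4 presigned URLs valid for more than seven days


def _hmac(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret, datestamp, region):
    key = _hmac(("AWS4" + secret).encode("utf-8"), datestamp)
    for part in (region, "s3", "aws4_request"):
        key = _hmac(key, part)
    return key


def _canonical_query(params):
    # Sorted by name, every name and value URI-encoded (so '/' becomes %2F)
    return "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items()))


def _signature(secret, region, amz_date, method, path, query, host):
    canonical_request = "\n".join([method, path, query, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    return hmac.new(_signing_key(secret, amz_date[:8], region),
                    string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def presign_get(bucket, key, access_key, secret, region, expires, now=None):
    """Return a presigned GET URL valid for `expires` seconds from `now` (epoch seconds, UTC)."""
    if not 1 <= expires <= MAX_EXPIRY:
        raise ValueError("expiry must be between 1 second and 7 days")
    amz_date = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime(time.time() if now is None else now))
    host = f"{bucket}.s3.{region}.amazonaws.com"
    path = "/" + quote(key)  # object key URI-encoded once, '/' kept as a separator
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{amz_date[:8]}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    query = _canonical_query(params)
    signature = _signature(secret, region, amz_date, "GET", path, query, host)
    return f"https://{host}{path}?{query}&X-Amz-Signature={signature}"


def verify_presigned_get(url, secret, now=None):
    """Service-side view: check the validity window, then recompute the signature from the
    URL's own parameters. Returns (ok, reason)."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    claimed = params.pop("X-Amz-Signature", "")
    try:
        region = params["X-Amz-Credential"].split("/")[2]
        amz_date = params["X-Amz-Date"]
        expires = int(params["X-Amz-Expires"])
        issued = calendar.timegm(time.strptime(amz_date, "%Y%m%dT%H%M%SZ"))
    except (KeyError, ValueError, IndexError):
        return False, "malformed"
    now = time.time() if now is None else now
    if not issued <= now <= issued + expires:
        return False, "expired"
    expected = _signature(secret, region, amz_date, "GET", parts.path,
                          _canonical_query(params), parts.netloc)
    if not hmac.compare_digest(expected, claimed):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    # Placeholder credentials from the AWS documentation; bucket and key are constructed.
    url = presign_get("private-video-bucket", "videos/episode 1.mp4", "AKIAIOSFODNN7EXAMPLE",
                      "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "us-east-1", 300)
    print(url)
    print(verify_presigned_get(url, "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"))
```

For CloudFront signed URLs the mechanism differs (an RSA signature over a policy document, checked against a public key registered with the distribution), but the same property holds: the expiry is part of what is signed, and the subscriber-lookup against the RDS database happens on your server before a URL is ever minted.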
Questions 74

A Web Administrator for the website example.com has created an Amazon CloudFront distribution for dev.example.com, with a requirement to configure HTTPS using a custom TLS certificate imported to AWS Certificate Manager.

Which combination of steps is required to ensure availability of the certificate in the CloudFront console? (Choose two.)

Options:

A.  

Call UploadServerCertificate with /cloudfront/dev/ in the path parameter.

B.  

Import the certificate with a 4,096-bit RSA public key.

C.  

Ensure that the certificate, private key, and certificate chain are PKCS #12-encoded.

D.  

Import the certificate in the us-east-1 (N. Virginia) Region.

E.  

Ensure that the certificate, private key, and certificate chain are PEM-encoded.

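Question 74 turns on the ACM import format rules (PEM, not PKCS#12) and on which Region a CloudFront certificate must be imported into. The following Python is an added example, not part of the original page: a pre-import check a practitioner can run over a bundle before calling ACM. It parses PEM with the standard library, reads the RSA modulus size directly from the DER of a PKCS#1 private key, and flags binary PKCS#12 input, an encrypted key, a Region other than us-east-1 and a key larger than the 2048 bits CloudFront accepts. The sample key and certificate are constructed stand-ins (a synthetic modulus with the top bit set, an empty certificate body) and are labelled as such in the code; PKCS#8 "PRIVATE KEY" blocks are reported but not parsed.

```python
"""Pre-import checks for a certificate bundle destined for ACM and CloudFront (Question 74).
Standard library only; the DER reader handles just enough ASN.1 to read the RSA modulus
of a PKCS#1 'RSA PRIVATE KEY' block."""
import base64
import re

_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def pem_blocks(data):
    """[(label, der_bytes), ...] for each PEM block; [] when the input is not PEM at all
    (a binary PKCS#12 .pfx/.p12 or raw DER file lands here)."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return []
    blocks = []
    for match in _PEM_BLOCK.finditer(text):
        # Drop 'Proc-Type:' / 'DEK-Info:' header lines of legacy encrypted keys
        body = re.sub(r"^[A-Za-z-]+:.*$", "", match.group(2), flags=re.M)
        blocks.append((match.group(1), base64.b64decode("".join(body.split()))))
    return blocks


def _der_read(buf, pos):
    """Read one DER TLV at `pos`; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(der):
    """Bit length of n in RSAPrivateKey ::= SEQUENCE { version INTEGER, modulus INTEGER, ... }."""
    tag, seq, _ = _der_read(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, _, pos = _der_read(seq, 0)            # version
    tag, modulus, _ = _der_read(seq, pos)    # modulus n
    if tag != 0x02:
        raise ValueError("expected an INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()


def check_acm_import(cert, key, chain, region, for_cloudfront=True):
    """Return the list of problems found; an empty list means the bundle passes."""
    problems = []
    if for_cloudfront and region != "us-east-1":
        problems.append(f"region {region}: CloudFront only offers ACM certificates from us-east-1")
    for name, blob in (("certificate", cert), ("certificate chain", chain)):
        blocks = pem_blocks(blob)
        if not blocks or any(label != "CERTIFICATE" for label, _ in blocks):
            problems.append(f"{name} is not a PEM 'CERTIFICATE' file (PKCS#12 bundles must be converted first)")
    blocks = pem_blocks(key)
    if not blocks:
        problems.append("private key is not PEM-encoded")
        return problems
    label, der = blocks[0]
    if label == "ENCRYPTED PRIVATE KEY" or b"Proc-Type: 4,ENCRYPTED" in key:
        problems.append("private key is encrypted; ACM needs the unencrypted key")
    elif label != "RSA PRIVATE KEY":
        problems.append(f"key block '{label}' not handled (only PKCS#1 RSA keys are modelled)")
    else:
        bits = rsa_modulus_bits(der)
        if for_cloudfront and bits > 2048:
            problems.append(f"RSA modulus is {bits} bits; CloudFront accepts at most 2048")
    return problems


def _der(tag, content):
    """Minimal DER TLV encoder, used only to build the constructed sample key below."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


def fake_rsa_key_pem(bits, encrypted=False):
    """Constructed stand-in for a PKCS#1 key: only version and a synthetic modulus with the
    top bit set, so the size check behaves as it would on a real key."""
    modulus = (1 << (bits - 1)) | 1
    der = _der(0x30, _der(0x02, b"\x00") + _der(0x02, modulus.to_bytes(bits // 8 + 1, "big")))
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    headers = "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n\n" if encrypted else ""
    return f"-----BEGIN RSA PRIVATE KEY-----\n{headers}{body}\n-----END RSA PRIVATE KEY-----\n".encode("ascii")


FAKE_CERT = b"-----BEGIN CERTIFICATE-----\nMAA=\n-----END CERTIFICATE-----\n"  # constructed: empty SEQUENCE
FAKE_PKCS12 = b"\x30\x82\x0b\x2f\x02\x01\x03\x30\x82"  # constructed: opening bytes of a binary .p12

if __name__ == "__main__":
    for bits, region in ((2048, "us-east-1"), (4096, "us-east-1"), (2048, "eu-west-1")):
        print(bits, region, check_acm_import(FAKE_CERT, fake_rsa_key_pem(bits), FAKE_CERT, region) or "ok")
```

A real bundle exported from a Windows store or a load balancer usually arrives as a .pfx; converting it to the three PEM files with openssl pkcs12 -nodes is the step this check is meant to catch before the ACM import call fails.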
Questions 75

A company had one of its Amazon EC2 key pairs compromised. A Security Engineer must identify which current Linux EC2 instances were deployed and used the compromised key pair.

How can this task be accomplished?

Options:

A.  

Obtain the list of instances by directly querying Amazon EC2 using: aws ec2 describe-instances --filters "Name=key-name,Values=KEYNAMEHERE".

B.  

Obtain the fingerprint for the key pair from the AWS Management Console, then search for the fingerprint in the Amazon Inspector logs.

C.  

Obtain the output from the EC2 instance metadata using: curl http://169.254.169.254/latest/meta-data/public-keys/0/.

D.  

Obtain the fingerprint for the key pair from the AWS Management Console, then search for the fingerprint in Amazon CloudWatch Logs using: aws logs filter-log-events.

Questions 76

A company has hundreds of AWS accounts, and a centralized Amazon S3 bucket used to collect AWS CloudTrail logs for all of these accounts. A security engineer wants to create a solution that will enable the company to run ad hoc queries against its CloudTrail logs dating back 3 years, from when the trails were first enabled in the company's AWS accounts.

How should the company accomplish this with the least amount of administrative overhead?

Options:

A.  

Run an Amazon EMR cluster that uses a MapReduce job to examine the CloudTrail trails.

B.  

Use the event history feature of the CloudTrail console to query the CloudTrail trails.

C.  

Write an AWS Lambda function to query the CloudTrail trails. Configure the Lambda function to be executed whenever a new file is created in the CloudTrail S3 bucket.

D.  

Create an Amazon Athena table that looks at the S3 bucket the CloudTrail trails are being written to. Use Athena to run queries against the trails.

Questions 77

A website currently runs on Amazon EC2 with mostly static content on the site. Recently, the site was subjected to a DDoS attack, and a Security Engineer was tasked with redesigning the edge security to help mitigate this risk in the future.

What are some ways the Engineer could achieve this? (Select THREE.)

Options:

A.  

Use AWS X-Ray to inspect the traffic going to the EC2 instances.

B.  

Move the static content to Amazon S3 and front this with an Amazon CloudFront distribution.

C.  

Change the security group configuration to block the source of the attack traffic.

D.  

Use AWS WAF security rules to inspect the inbound traffic.

E.  

Use Amazon Inspector assessment templates to inspect the inbound traffic.

F.  

Use Amazon Route 53 to distribute traffic.

Questions 78

A company wants to encrypt the private network between its on-premises environment and AWS. The company also wants a consistent network experience for its employees.

What should the company do to meet these requirements?

Options:

A.  

Establish an AWS Direct Connect connection with AWS and set up a Direct Connect gateway. In the Direct Connect gateway configuration, enable IPsec and BGP, and then leverage native AWS network encryption between Availability Zones and Regions.

B.  

Establish an AWS Direct Connect connection with AWS and set up a Direct Connect gateway. Using the Direct Connect gateway, create a private virtual interface and advertise the customer gateway private IP addresses. Create a VPN connection using the customer gateway and the virtual private gateway.

C.  

Establish a VPN connection with the AWS virtual private cloud over the internet.

D.  

Establish an AWS Direct Connect connection with AWS and establish a public virtual interface. For prefixes that need to be advertised, enter the customer gateway public IP addresses. Create a VPN connection over Direct Connect using the customer gateway and the virtual private gateway.

Questions 79

A security engineer is asked to update an AWS CloudTrail log file prefix for an existing trail. When attempting to save the change in the CloudTrail console, the security engineer receives the following error message: "There is a problem with the bucket policy."

What will enable the security engineer to save the change?

Options:

A.  

Create a new trail with the updated log file prefix, and then delete the original trail. Update the existing bucket policy in the Amazon S3 console with the new log file prefix, and then update the log file prefix in the CloudTrail console.

B.  

Update the existing bucket policy in the Amazon S3 console to allow the security engineer's principal to perform PutBucketPolicy, and then update the log file prefix in the CloudTrail console.

C.  

Update the existing bucket policy in the Amazon S3 console with the new log file prefix, and then update the log file prefix in the CloudTrail console.

D.  

Update the existing bucket policy in the Amazon S3 console to allow the security engineer's principal to perform GetBucketPolicy, and then update the log file prefix in the CloudTrail console.

Questions 80

A security engineer is responsible for providing secure access to AWS resources for thousands of developers in a company's corporate identity provider (IdP). The developers access a set of AWS services from the corporate premises using IAM credentials. Due to the volume of requests for provisioning new IAM users, it is taking a long time to grant access permissions. The security engineer receives reports that developers are sharing their IAM credentials with others to avoid provisioning delays. This causes concern about overall security for the security engineer.

Which action will meet the program requirements and address the security concern?

Options:

A.  

Create an Amazon CloudWatch alarm for AWS CloudTrail events. Create a metric filter to send a notification when the same set of IAM credentials is used by multiple developers.

B.  

Create a federation between AWS and the existing corporate IdP. Leverage IAM roles to provide federated access to AWS resources.

C.  

Create a VPN tunnel between the corporate premises and the VPC. Allow permissions to all AWS services only if the request originates from the corporate premises.

D.  

Create multiple IAM roles for each IAM user. Ensure that users who use the same IAM credentials cannot assume the same IAM role at the same time.

Questions 81

A Security Engineer is troubleshooting a connectivity issue between a web server that is writing log files to the logging server in another VPC. The Engineer has confirmed that a peering relationship exists between the two VPCs. VPC flow logs show that requests sent from the web server are accepted by the logging server, but the web server never receives a reply.

Which of the following actions could fix this issue?

Options:

A.  

Add an inbound rule to the security group associated with the logging server that allows requests from the web server.

B.  

Add an outbound rule to the security group associated with the web server that allows requests to the logging server.

C.  

Add a route to the route table associated with the subnet that hosts the logging server that targets the peering connection.

D.  

Add a route to the route table associated with the subnet that hosts the web server that targets the peering connection.

Questions 82

A company has recently recovered from a security incident that required the restoration of Amazon EC2 instances from snapshots.

After performing a gap analysis of its disaster recovery procedures and backup strategies, the company is concerned that, next time, it will not be able to recover the EC2 instances if the AWS account were compromised and the Amazon EBS snapshots were deleted.

All EBS snapshots are encrypted using an AWS KMS CMK.

Which solution would solve this problem?

Options:

A.  

Create a new Amazon S3 bucket. Use EBS lifecycle policies to move EBS snapshots to the new S3 bucket. Move snapshots to Amazon S3 Glacier using lifecycle policies, and apply Glacier Vault Lock policies to prevent deletion.

B.  

Use AWS Systems Manager to distribute a configuration that performs local backups of all attached disks to Amazon S3.

C.  

Create a new AWS account with limited privileges. Allow the new account to access the AWS KMS key used to encrypt the EBS snapshots, and copy the encrypted snapshots to the new account on a recurring basis.

D.  

Use AWS Backup to copy EBS snapshots to Amazon S3.

Questions 83

A global company that deals with international finance is investing heavily in cryptocurrencies and wants to experiment with mining technologies using AWS. The company's security team has enabled Amazon GuardDuty and is concerned by the number of findings being generated by the accounts. The security team wants to minimize the possibility of GuardDuty finding false negatives for compromised instances that are performing mining.

How can the security team continue using GuardDuty while meeting these requirements?

Options:

A.  

In the GuardDuty console, select the CryptoCurrency:EC2/BitcoinTool.B!DNS finding and use the suppress findings option.

B.  

Create a custom AWS Lambda function to process newly detected GuardDuty alerts. Process the CryptoCurrency:EC2/BitcoinTool.B!DNS alert and filter out the high-severity finding types only.

C.  

When creating a new Amazon EC2 instance, provide the instance with a specific tag that indicates it is performing mining operations. Create a custom AWS Lambda function to process newly detected GuardDuty alerts and filter for the presence of this tag.

D.  

When GuardDuty produces a cryptocurrency finding, process the finding with a custom AWS Lambda function to extract the instance ID from the finding. Then use AWS Systems Manager Run Command to check for a running process performing mining operations.

Questions 84

Authorized Administrators are unable to connect to an Amazon EC2 Linux bastion host using SSH over the internet. The connection either fails to respond or generates the following error message:

Network error: Connection timed out.

What could be responsible for the connection failure? (Select THREE.)

Options:

A.  

The NAT gateway in the subnet where the EC2 instance is deployed has been misconfigured.

B.  

The internet gateway of the VPC has been reconfigured.

C.  

The security group denies outbound traffic on ephemeral ports.

D.  

The route table is missing a route to the internet gateway.

E.  

The NACL denies outbound traffic on ephemeral ports.

F.  

The host-based firewall is denying SSH traffic.

Questions 85

A Security Engineer noticed an anomaly within a company EC2 instance as shown in the image. The Engineer must now investigate what is causing the anomaly. What are the MOST effective steps to take to ensure that the instance is not further manipulated while allowing the Engineer to understand what happened?

Options:

A.  

Remove the instance from the Auto Scaling group. Place the instance within an isolation security group, detach the EBS volume, launch an EC2 instance with a forensic toolkit, and attach the EBS volume to investigate.

B.  

Remove the instance from the Auto Scaling group and the Elastic Load Balancer. Place the instance within an isolation security group, launch an EC2 instance with a forensic toolkit, and allow the forensic toolkit image to connect to the suspicious instance to perform the investigation.

C.  

Remove the instance from the Auto Scaling group. Place the instance within an isolation security group, launch an EC2 instance with a forensic toolkit, and use the forensic toolkit image to deploy an ENI as a network span port to inspect all traffic coming from the suspicious instance.

D.  

Remove the instance from the Auto Scaling group and the Elastic Load Balancer. Place the instance within an isolation security group, make a copy of the EBS volume from a new snapshot, launch an EC2 instance with a forensic toolkit, and attach the copy of the EBS volume to investigate.

Questions 86

While securing the connection between a company's VPC and its on-premises data center, a Security Engineer sent a ping command from an on-premises host (IP address 203.0.113.12) to an Amazon EC2 instance (IP address 172.31.16.139). The ping command did not return a response. The flow log in the VPC showed the following:

2 123456789010 eni-1235b8ca 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK

2 123456789010 eni-1235b8ca 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK

What action should be performed to allow the ping to work?

Options:

A.  

In the security group of the EC2 instance, allow inbound ICMP traffic.

B.  

In the security group of the EC2 instance, allow outbound ICMP traffic.

C.  

In the VPC's NACL, allow inbound ICMP traffic.

D.  

In the VPC's NACL, allow outbound ICMP traffic.

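To read the two flow log records above the way a responder would, here is an added example (not part of the question bank or AWS's own tooling) that parses default-format VPC flow log records and classifies each one as inbound or outbound relative to the instance. Security groups are stateful, so the reply to a flow the security group already accepted is allowed automatically; network ACLs are stateless and evaluate the outbound reply on its own. The diagnosis logic encodes that distinction. The field order is the version 2 default format; the sample records are copied from the question, and the instance and peer addresses are the ones it gives.

```python
"""Classify VPC flow log records for an ICMP echo and point at the layer to fix."""
from dataclasses import dataclass
from typing import List, Optional

# Default (version 2) VPC flow log field order.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]

ICMP = 1  # IANA protocol number for ICMP

# The two records quoted in the question (constructed input for this example).
SAMPLE_RECORDS = [
    "2 123456789010 eni-1235b8ca 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK",
    "2 123456789010 eni-1235b8ca 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK",
]

# Possible diagnoses returned by diagnose().
NO_INBOUND = "no inbound record: traffic never reached the ENI (routing/VPN)"
INBOUND_REJECTED = "inbound rejected: check security group inbound rule and NACL inbound rule"
NO_REPLY = "inbound accepted but no reply logged: the host itself did not answer"
REPLY_REJECTED = "reply rejected: security groups are stateful, so allow outbound ICMP in the network ACL"
HEALTHY = "both directions accepted"


@dataclass
class FlowRecord:
    srcaddr: str
    dstaddr: str
    protocol: int
    action: str
    log_status: str


def parse_record(line: str) -> FlowRecord:
    """Parse one space-separated default-format flow log line."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["version"] != "2":
        raise ValueError(f"unsupported flow log version {rec['version']}")
    return FlowRecord(rec["srcaddr"], rec["dstaddr"], int(rec["protocol"]),
                      rec["action"], rec["log_status"])


def direction(rec: FlowRecord, instance_ip: str) -> str:
    """Return 'inbound', 'outbound' or 'unrelated' relative to the instance."""
    if rec.dstaddr == instance_ip:
        return "inbound"
    if rec.srcaddr == instance_ip:
        return "outbound"
    return "unrelated"


def diagnose(lines: List[str], instance_ip: str, peer_ip: str,
             protocol: int = ICMP) -> str:
    """Pair the inbound and outbound records for one peer and name the failing layer."""
    inbound: Optional[FlowRecord] = None
    outbound: Optional[FlowRecord] = None
    for line in lines:
        rec = parse_record(line)
        if rec.protocol != protocol or rec.log_status != "OK":
            continue  # skip other protocols and records with missing data
        d = direction(rec, instance_ip)
        if d == "inbound" and rec.srcaddr == peer_ip:
            inbound = rec
        elif d == "outbound" and rec.dstaddr == peer_ip:
            outbound = rec

    if inbound is None:
        return NO_INBOUND
    if inbound.action == "REJECT":
        return INBOUND_REJECTED
    if outbound is None:
        return NO_REPLY
    if outbound.action == "REJECT":
        # The security group already accepted the request, so its stateful
        # tracking would have allowed this reply; only the stateless NACL
        # evaluates the outbound packet independently.
        return REPLY_REJECTED
    return HEALTHY


if __name__ == "__main__":
    for line in SAMPLE_RECORDS:
        rec = parse_record(line)
        print(direction(rec, "172.31.16.139"), rec.action)
    print(diagnose(SAMPLE_RECORDS, "172.31.16.139", "203.0.113.12"))
```

The same pairing works for any request/reply protocol once you filter on the protocol number and the peer address; the interesting output is always the first direction that shows REJECT, because that tells you which rule set (stateful security group or stateless NACL) is the one to inspect.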
Questions 87

A company's architecture requires that its three Amazon EC2 instances run behind an Application Load Balancer (ALB). The EC2 instances transmit sensitive data between each other. Developers use SSL certificates to encrypt the traffic between the public users and the ALB. However, the Developers are unsure of how to encrypt the data in transit between the ALB and the EC2 instances and the traffic between the EC2 instances.

Which combination of activities must the company implement to meet its encryption requirements? (Select TWO.)

Options:

A.  

Configure SSL/TLS on the EC2 instances and configure the ALB target group to use HTTPS.

B.  

Ensure that all resources are in the same VPC so the default encryption provided by the VPC is used to encrypt the traffic between the EC2 instances.

C.  

In the ALB, select the default encryption to encrypt the traffic between the ALB and the EC2 instances.

D.  

In the code for the application, include a cryptography library and encrypt the data before sending it between the EC2 instances.

E.  

Configure AWS Direct Connect to provide an encrypted tunnel between the EC2 instances.

Questions 88

After a recent security audit involving Amazon S3, a company has asked for assistance reviewing its S3 buckets to determine whether data is properly secured. The first S3 bucket on the list has the following bucket policy.

Is this bucket policy sufficient to ensure that the data is not publicly accessible?

Options:

A.  

Yes, the bucket policy makes the whole bucket publicly accessible despite how the S3 bucket ACL or object ACLs are configured.

B.  

Yes, none of the data in the bucket is publicly accessible, regardless of how the S3 bucket ACL and object ACLs are configured.

C.  

No, the IAM user policy would need to be examined first to determine whether any data is publicly accessible.

D.  

No, the S3 bucket ACL and object ACLs need to be examined first to determine whether any data is publicly accessible.

Questions 89

An Amazon S3 bucket is encrypted using an AWS KMS CMK. An IAM user is unable to download objects from the S3 bucket using the AWS Management Console; however, other users can download objects from the S3 bucket.

Which policies should the Security Engineer review and modify to resolve this issue? (Select three.)

Options:

A.  

The CMK policy

B.  

The VPC endpoint policy

C.  

The S3 bucket policy

D.  

The S3 ACL

E.  

The IAM policy

Questions 90

The Security Engineer is given the following requirements for an application that is running on Amazon EC2 and managed by using AWS CloudFormation templates with EC2 Auto Scaling groups:

-Have the EC2 instances bootstrapped to connect to a backend database.

-Ensure that the database credentials are handled securely.

-Ensure that retrievals of database credentials are logged.

Which of the following is the MOST efficient way to meet these requirements?

Options:

A.  

Pass database credentials to EC2 by using CloudFormation stack parameters with the property set to true. Ensure that the instance is configured to log to Amazon CloudWatch Logs.

B.  

Store database passwords in AWS Systems Manager Parameter Store by using SecureString parameters. Set the IAM role for the EC2 instance profile to allow access to the parameters.

C.  

Create an AWS Lambda function that ingests the database password and persists it to Amazon S3 with server-side encryption. Have the EC2 instances retrieve the S3 object on startup, and log all script invocations to syslog.

D.  

Write a script that is passed in as UserData so that it is executed upon launch of the EC2 instance. Ensure that the instance is configured to log to Amazon CloudWatch Logs.

Questions 91

A company uses AWS Organizations to manage 50 AWS accounts. The finance staff members log in as AWS IAM users in the FinanceDept AWS account. The staff members need to read the consolidated billing information in the MasterPayer AWS account. They should not be able to view any other resources in the MasterPayer AWS account. IAM access to billing has been enabled in the MasterPayer account.

Which of the following approaches grants the finance staff the permissions they require without granting any unnecessary permissions?

Options:

A.  

Create an IAM group for the finance users in the FinanceDept account, then attach the AWS managed ReadOnlyAccess IAM policy to the group.

B.  

Create an IAM group for the finance users in the MasterPayer account, then attach the AWS managed ReadOnlyAccess IAM policy to the group.

C.  

Create an AWS IAM role in the FinanceDept account with the ViewBilling permission, then grant the finance users in the MasterPayer account the permission to assume that role.

D.  

Create an AWS IAM role in the MasterPayer account with the ViewBilling permission, then grant the finance users in the FinanceDept account the permission to assume that role.

Questions 92

You have just recently set up a web and database tier in a VPC and hosted the application. When testing the app, you are not able to reach the home page for the app. You have verified the security groups. What can help you diagnose the issue?

Please select:

Options:

A.  

Use AWS Trusted Advisor to see what can be done.

B.  

Use VPC Flow Logs to diagnose the traffic.

C.  

Use AWS WAF to analyze the traffic.

D.  

Use Amazon GuardDuty to analyze the traffic.

Questions 93

A company plans to move most of its IT infrastructure to AWS. The company wants to leverage its existing on-premises Active Directory as an identity provider for AWS.

Which steps should be taken to authenticate to AWS services using the company's on-premises Active Directory? (Choose three.)

Options:

A.  

Create IAM roles with permissions corresponding to each Active Directory group.

B.  

Create IAM groups with permissions corresponding to each Active Directory group.

C.  

Create a SAML provider with AWS.

D.  

Create a SAML provider with Amazon Cloud Directory.

E.  

Configure AWS as a trusted relying party for the Active Directory.

F.  

Configure AWS as a trusted relying party for Amazon Cloud Directory.

Questions 94

A company wants to have a secure way of generating, storing and managing cryptographic keys, with exclusive access to the keys. Which of the following can be used for this purpose?

Please select:

Options:

A.  

Use KMS and the normal KMS encryption keys.

B.  

Use KMS with imported (external) key material.

C.  

Use S3 server-side encryption.

D.  

Use AWS CloudHSM.

Questions 95

You have a vendor that needs access to an AWS resource. You create an IAM user account. You want to restrict access to the resource using a policy for just that user over a brief period. Which of the following would be an ideal policy to use?

Please select:

Options:

A.  

An IAM managed policy.

B.  

An inline policy.

C.  

A bucket policy.

D.  

A bucket ACL.

Questions 96

A Lambda function reads metadata from an S3 object and stores the metadata in a DynamoDB table. The function is triggered whenever an object is stored within the S3 bucket.

How should the Lambda function be given access to the DynamoDB table?

Please select:

Options:

A.  

Create a VPC endpoint for DynamoDB within a VPC. Configure the Lambda function to access resources in the VPC.

B.  

Create a resource policy that grants the Lambda function permissions to write to the DynamoDB table. Attach the policy to the DynamoDB table.

C.  

Create an IAM user with permissions to write to the DynamoDB table. Store an access key for that user in the Lambda environment variables.

D.  

Create an IAM service role with permissions to write to the DynamoDB table. Associate that role with the Lambda function.

Questions 97

During a recent security audit, it was discovered that multiple teams in a large organization have placed restricted data in multiple Amazon S3 buckets, and the data may have been exposed. The auditor has requested that the organization identify all possible objects that contain personally identifiable information (PII) and then determine whether this information has been accessed.

What solution will allow the Security team to complete this request?

Options:

A.  

Using Amazon Athena, query the impacted S3 buckets by using the PII query identifier function. Then, create a new Amazon CloudWatch metric for Amazon S3 object access to alert when the objects are accessed.

B.  

Enable Amazon Macie on the S3 buckets that were impacted, then perform data classification. For identified objects that contain PII, use the research function for auditing AWS CloudTrail logs and S3 bucket logs for GET operations.

C.  

Enable Amazon GuardDuty and enable the PII rule set on the S3 buckets that were impacted, then perform data classification. Using the PII findings report from GuardDuty, query the S3 bucket logs by using Athena for GET operations.

D.  

Enable Amazon Inspector on the S3 buckets that were impacted, then perform data classification. For identified objects that contain PII, query the S3 bucket logs by using Athena for GET operations.

Questions 98

A company has Windows Amazon EC2 instances in a VPC that are joined to on-premises Active Directory servers for domain services. The security team has enabled Amazon GuardDuty on the AWS account to alert on issues with the instances.

During a weekly audit of network traffic, the Security Engineer notices that one of the EC2 instances is attempting to communicate with a known command-and-control server but failing. This alert does not show up in GuardDuty.

Why did GuardDuty fail to alert to this behavior?

Options:

A.  

GuardDuty did not have the appropriate alerts activated.

B.  

GuardDuty does not see these DNS requests.

C.  

GuardDuty only monitors active network traffic flow for command-and-control activity.

D.  

GuardDuty does not report on command-and-control activity.

Questions 99

The Security Engineer is managing a web application that processes highly sensitive personal information. The application runs on Amazon EC2. The application has strict compliance requirements, which instruct that all incoming traffic to the application is protected from common web exploits and that all outgoing traffic from the EC2 instances is restricted to specific whitelisted URLs.

Which architecture should the Security Engineer use to meet these requirements?

Options:

A.  

Use AWS Shield to scan inbound traffic for web exploits. Use VPC Flow Logs and AWS Lambda to restrict egress traffic to specific whitelisted URLs.

B.  

Use AWS Shield to scan inbound traffic for web exploits. Use a third-party AWS Marketplace solution to restrict egress traffic to specific whitelisted URLs.

C.  

Use AWS WAF to scan inbound traffic for web exploits. Use VPC Flow Logs and AWS Lambda to restrict egress traffic to specific whitelisted URLs.

D.  

Use AWS WAF to scan inbound traffic for web exploits. Use a third-party AWS Marketplace solution to restrict egress traffic to specific whitelisted URLs.

Questions 100

A Security Engineer must design a solution that enables the Incident Response team to audit for changes to a user’s IAM permissions in the case of a security incident.

How can this be accomplished?

Options:

A.  

Use AWS Config to review the IAM policy assigned to users before and after the incident.

B.  

Run the GenerateCredentialReport via the AWS CLI, and copy the output to Amazon S3 daily for auditing purposes.

C.  

Copy AWS CloudFormation templates to S3, and audit for changes from the template.

D.  

Use Amazon EC2 Systems Manager to deploy images, and review AWS CloudTrail logs for changes.

Questions 101

An application has been written that publishes custom metrics to Amazon CloudWatch. Recently, IAM changes have been made on the account and the metrics are no longer being reported.

Which of the following is the LEAST permissive solution that will allow the metrics to be delivered?

Options:

A.  

Add a statement to the IAM policy used by the application to allow logs:PutLogEvents and logs:CreateLogStream.

B.  

Modify the IAM role used by the application by adding the CloudWatchFullAccess managed policy.

C.  

Add a statement to the IAM policy used by the application to allow cloudwatch:PutMetricData.

D.  

Add a trust relationship to the IAM role used by the application for cloudwatch.amazonaws.com.

Questions 102

A threat assessment has identified a risk whereby an internal employee could exfiltrate sensitive data from a production host running inside AWS (Account 1). The threat was documented as follows:

Threat description: A malicious actor could upload sensitive data from Server X by configuring credentials for an AWS account (Account 2) they control and uploading data to an Amazon S3 bucket within their control.

Server X has outbound internet access configured via a proxy server. Legitimate access to S3 is required so that the application can upload encrypted files to an S3 bucket. Server X is currently using an IAM instance role. The proxy server is not able to inspect any of the server communication due to TLS encryption.

Which of the following options will mitigate the threat? (Choose two.)

Options:

A.  

Bypass the proxy and use an S3 VPC endpoint with a policy that whitelists only certain S3 buckets within Account 1.

B.  

Block outbound access to public S3 endpoints on the proxy server.

C.  

Configure Network ACLs on Server X to deny access to S3 endpoints.

D.  

Modify the S3 bucket policy for the legitimate bucket to allow access only from the public IP addresses associated with the application server.

E.  

Remove the IAM instance role from the application server and save API access keys in a trusted and encrypted application config file.

Questions 103

A Developer’s laptop was stolen. The laptop was not encrypted, and it contained the SSH key used to access multiple Amazon EC2 instances. A Security Engineer has verified that the key has not been used, and has blocked port 22 to all EC2 instances while developing a response plan.

How can the Security Engineer further protect currently running instances?

Options:

A.  

Delete the key pair from the EC2 console, then create a new key pair.

B.  

Use the modify-instance-attribute API to change the key on any EC2 instance that is using the key.

C.  

Use the EC2 RunCommand to modify the authorized_keys file on any EC2 instance that is using the key.

D.  

Update the key pair in any AMI used to launch the EC2 instances, then restart the EC2 instances.

Questions 104

A Security Engineer has created an Amazon CloudWatch event that invokes an AWS Lambda function daily. The Lambda function runs an Amazon Athena query that checks AWS CloudTrail logs in Amazon S3 to detect whether any IAM user accounts or credentials have been created in the past 30 days. The results of the Athena query are created in the same S3 bucket. The Engineer runs a test execution of the Lambda function via the AWS Management Console, and the function runs successfully.

After several minutes, the Engineer finds that his Athena query has failed with the error message: “Insufficient Permissions”. The IAM permissions of the Security Engineer and the Lambda function are shown below:

Security Engineer

Lambda function execution role

What is causing the error?

Options:

A.  

The Lambda function does not have permissions to start the Athena query execution.

B.  

The Security Engineer does not have permissions to start the Athena query execution.

C.  

The Athena service does not support invocation through Lambda.

D.  

The Lambda function does not have permissions to access the CloudTrail S3 bucket.

Questions 105

A company will store sensitive documents in three Amazon S3 buckets based on a data classification scheme of “Sensitive,” “Confidential,” and “Restricted.” The security solution must meet all of the following requirements:

  • Each object must be encrypted using a unique key.
  • Items that are stored in the “Restricted” bucket require two-factor authentication for decryption.
  • AWS KMS must automatically rotate encryption keys annually.

Which of the following meets these requirements?

Options:

A.  

Create a Customer Master Key (CMK) for each data classification type, and enable the rotation of it annually. For the “Restricted” CMK, define the MFA policy within the key policy. Use S3 SSE-KMS to encrypt the objects.

B.  

Create a CMK grant for each data classification type with EnableKeyRotation and MultiFactorAuthPresent set to true. S3 can then use the grants to encrypt each object with a unique CMK.

C.  

Create a CMK for each data classification type, and within the CMK policy, enable rotation of it annually, and define the MFA policy. S3 can then create DEK grants to uniquely encrypt each object within the S3 bucket.

D.  

Create a CMK with unique imported key material for each data classification type, and rotate them annually. For the “Restricted” key material, define the MFA policy in the key policy. Use S3 SSE-KMS to encrypt the objects.

Questions 106

A company has five AWS accounts and wants to use AWS CloudTrail to log API calls. The log files must be stored in an Amazon S3 bucket that resides in a new account specifically built for centralized services with a unique top-level prefix for each trail. The configuration must also enable detection of any modification to the logs.

Which of the following steps will implement these requirements? (Choose three.)

Options:

A.  

Create a new S3 bucket in a separate IAM account for centralized storage of CloudTrail logs, and enable “Log File Validation” on all trails.

B.  

Use an existing S3 bucket in one of the accounts, apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the "s3:PutObject" action and the "s3:GetBucketAcl" action, and specify the appropriate resource ARNs for the CloudTrail trails.

C.  

Apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the "s3:PutObject" action and the "s3:GetBucketAcl" action, and specify the appropriate resource ARNs for the CloudTrail trails.

D.  

Use unique log file prefixes for trails in each AWS account.

E.  

Configure CloudTrail in the centralized account to log all accounts to the new centralized S3 bucket.

F.  

Enable encryption of the log files by using AWS Key Management Service (AWS KMS).

Questions 107

The Security Engineer implemented a new vault lock policy for 10 TB of data and called initiate-vault-lock 12 hours ago. The Audit team identified a typo that is allowing incorrect access to the vault.

What is the MOST cost-effective way to correct this?

Options:

A.  

Call the abort-vault-lock operation, fix the typo, and call the initiate-vault-lock again.

B.  

Copy the vault data to Amazon S3, delete the vault, and create a new vault with the data.

C.  

Update the policy, keeping the vault lock in place.

D.  

Update the policy and call initiate-vault-lock again to apply the new policy.

Questions 108

A security alert has been raised for an Amazon EC2 instance in a customer account that is exhibiting strange behavior. The Security Engineer must first isolate the EC2 instance and then use tools for further investigation.

What should the Security Engineer use to isolate and research this event? (Choose three.)

Options:

A.  

AWS CloudTrail

B.  

Amazon Athena

C.  

AWS Key Management Service (AWS KMS)

D.  

VPC Flow Logs

E.  

AWS Firewall Manager

F.  

Security groups

Questions 109

Which of the following is used as a secure way to log into an EC2 Linux instance?

Please select:

Options:

A.  

IAM user name and password

B.  

Key pairs

C.  

IAM access keys

D.  

AWS SDK keys

Questions 110

A pharmaceutical company has digitized versions of historical prescriptions stored on premises. The company would like to move these prescriptions to AWS and perform analytics on the data in them. Any operation with this data requires that the data be encrypted in transit and at rest.

Which application flow would meet the data protection requirements on AWS?

Options:

A.  

Digitized files -> Amazon Kinesis Data Analytics

B.  

Digitized files -> Amazon Kinesis Data Firehose -> Amazon S3 -> Amazon Athena

C.  

Digitized files -> Amazon Kinesis Data Streams -> Kinesis Client Library consumer -> Amazon S3 -> Athena

D.  

Digitized files -> Amazon Kinesis Data Firehose -> Amazon Elasticsearch

Discussion 0
Questions 111

Which of the following is not a best practice for carrying out a security audit?

Please select:

Options:

A.  

Conduct an audit on a yearly basis

B.  

Conduct an audit if application instances have been added to your account

C.  

Conduct an audit if you ever suspect that an unauthorized person might have accessed your account

D.  

Whenever there are changes in your organization

Discussion 0
Questions 112

An Amazon EC2 instance is part of an EC2 Auto Scaling group that is behind an Application Load Balancer (ALB). It is suspected that the EC2 instance has been compromised.

Which steps should be taken to investigate the suspected compromise? (Choose three.)

Options:

A.  

Detach the elastic network interface from the EC2 instance.

B.  

Initiate an Amazon Elastic Block Store volume snapshot of all volumes on the EC2 instance.

C.  

Disable any Amazon Route 53 health checks associated with the EC2 instance.

D.  

De-register the EC2 instance from the ALB and detach it from the Auto Scaling group.

E.  

Attach a security group that has restrictive ingress and egress rules to the EC2 instance.

F.  

Add a rule to an IAM WAF to block access to the EC2 instance.

Discussion 0
Questions 113

For compliance reasons, an organization limits the use of resources to three specific IAM regions. It wants to be alerted when any resources are launched in unapproved regions.

Which of the following approaches will provide alerts on any resources launched in an unapproved region?

Options:

A.  

Develop an alerting mechanism based on processing IAM CloudTrail logs.

B.  

Monitor Amazon S3 Event Notifications for objects stored in buckets in unapproved regions.

C.  

Analyze Amazon CloudWatch Logs for activities in unapproved regions.

D.  

Use IAM Trusted Advisor to alert on all resources being created.

Discussion 0
Questions 114

During a security event, it is discovered that some Amazon EC2 instances have not been sending Amazon CloudWatch logs.

Which steps can the Security Engineer take to troubleshoot this issue? (Select two.)

Options:

A.  

Connect to the EC2 instances that are not sending the appropriate logs and verify that the CloudWatch Logs agent is running.

B.  

Log in to the IAM account and select CloudWatch Logs. Check for any monitored EC2 instances that are in the “Alerting” state and restart them using the EC2 console.

C.  

Verify that the EC2 instances have a route to the public IAM API endpoints.

D.  

Connect to the EC2 instances that are not sending logs. Use the command prompt to verify that the right permissions have been set for the Amazon SNS topic.

E.  

Verify that the network access control lists and security groups of the EC2 instances have the access to send logs over SNMP.

Discussion 0
Questions 115

An organization receives an alert that indicates that an EC2 instance behind an ELB Classic Load Balancer has been compromised.

What techniques will limit lateral movement and allow evidence gathering?

Options:

A.  

Remove the instance from the load balancer and terminate it.

B.  

Remove the instance from the load balancer, and shut down access to the instance by tightening the security group.

C.  

Reboot the instance and check for any Amazon CloudWatch alarms.

D.  

Stop the instance and make a snapshot of the root EBS volume.

Discussion 0
Questions 116

The IAM Systems Manager Parameter Store is being used to store database passwords used by an IAM Lambda function. Because this is sensitive data, the parameters are stored as type SecureString and protected by an IAM KMS key that allows access through IAM. When the function executes, this parameter cannot be retrieved as the result of an access denied error.

Which of the following actions will resolve the access denied error?

Options:

A.  

Update the ssm.amazonaws.com principal in the KMS key policy to allow kms:Decrypt.

B.  

Update the Lambda configuration to launch the function in a VPC.

C.  

Add a policy to the role that the Lambda function uses, allowing kms:Decrypt for the KMS key.

D.  

Add lambda.amazonaws.com as a trusted entity on the IAM role that the Lambda function uses.

Discussion 0
Questions 117

A Developer who is following IAM best practices for secure code development requires an application to encrypt sensitive data to be stored at rest, locally in the application, using IAM KMS. What is the simplest and MOST secure way to decrypt this data when required?

Options:

A.  

Request KMS to provide the stored unencrypted data key and then use the retrieved data key to decrypt the data.

B.  

Keep the plaintext data key stored in Amazon DynamoDB protected with IAM policies. Query DynamoDB to retrieve the data key to decrypt the data

C.  

Use the Encrypt API to store an encrypted version of the data key with another customer managed key. Decrypt the data key and use it to decrypt the data when required.

D.  

Store the encrypted data key alongside the encrypted data. Use the Decrypt API to retrieve the data key to decrypt the data when required.

Discussion 0
Questions 118

What are the MOST secure ways to protect the IAM account root user of a recently opened IAM account? (Choose two.)

Options:

A.  

Use the IAM account root user access keys instead of the IAM Management Console

B.  

Enable multi-factor authentication for the AWS IAM users with the AdministratorAccess managed policy attached to them

C.  

Enable multi-factor authentication for the IAM account root user

D.  

Use IAM KMS to encrypt all IAM account root user and AWS IAM access keys and set automatic rotation to 30 days

E.  

Do not create access keys for the IAM account root user; instead, create AWS IAM users

Discussion 0
Questions 119

Which approach will generate automated security alerts should too many unauthorized IAM API requests be identified?

Options:

A.  

Create an Amazon CloudWatch metric filter that looks for API call error codes and then implement an alarm based on that metric’s rate.

B.  

Configure IAM CloudTrail to stream event data to Amazon Kinesis. Configure an IAM Lambda function on the stream to alarm when the threshold has been exceeded.

C.  

Run an Amazon Athena SQL query against CloudTrail log files. Use Amazon QuickSight to create an operational dashboard.

D.  

Use the Amazon Personal Health Dashboard to monitor the account’s use of IAM services, and raise an alert if service error rates increase.

Discussion 0
Questions 120

You want to get a list of vulnerabilities for an EC2 Instance as per the guidelines set by the Center for Internet Security. How can you go about doing this?

Please select:

Options:

A.  

Enable Amazon GuardDuty for the Instance

B.  

Use IAM Trusted Advisor

C.  

Use Amazon Inspector

D.  

Use Amazon Macie

Discussion 0
Questions 121

You have just received an email from IAM Support stating that your IAM account might have been compromised. Which of the following steps would you look to carry out immediately? Choose 3 answers from the options below.

Please select:

Options:

A.  

Change the root account password.

B.  

Rotate all IAM access keys

C.  

Keep all resources running to avoid disruption

D.  

Change the password for all IAM users.

Discussion 0
Questions 122

A company maintains sensitive data in an Amazon S3 bucket that must be protected using an IAM KMS CMK. The company requires that keys be rotated automatically every year.

How should the bucket be configured?

Options:

A.  

Select server-side encryption with Amazon S3-managed keys (SSE-S3) and select an IAM-managed CMK.

B.  

Select Amazon S3-IAM KMS managed encryption keys (S3-KMS) and select a customer-managed CMK with key rotation enabled.

C.  

Select server-side encryption with Amazon S3-managed keys (SSE-S3) and select a customer-managed CMK that has imported key material.

D.  

Select server-side encryption with IAM KMS-managed keys (SSE-KMS) and select an alias to an IAM-managed CMK.

Discussion 0
Questions 123

A Security Engineer is trying to determine whether the encryption keys used in an IAM service are in compliance with certain regulatory standards.

Which of the following actions should the Engineer perform to get further guidance?

Options:

A.  

Read the IAM Customer Agreement.

B.  

Use IAM Artifact to access IAM compliance reports.

C.  

Post the question on the IAM Discussion Forums.

D.  

Run IAM Config and evaluate the configuration outputs.

Discussion 0
Questions 124

You have an S3 bucket hosted in IAM. This is used to host promotional videos uploaded by yourself. You need to provide access to users for a limited duration of time. How can this be achieved?

Please select:

Options:

A.  

Use versioning and enable a timestamp for each version

B.  

Use pre-signed URLs

C.  

Use IAM Roles with a timestamp to limit the access

D.  

Use IAM policies with a timestamp to limit the access

Discussion 0
Questions 125

A company has enabled Amazon GuardDuty in all Regions as part of its security monitoring strategy. In one of the VPCs, the company hosts an Amazon EC2 instance working as an FTP server that is contacted by a high number of clients from multiple locations. This is identified by GuardDuty as a brute force attack due to the high number of connections that happen every hour.

The finding has been flagged as a false positive. However, GuardDuty keeps raising the issue. A Security Engineer has been asked to improve the signal-to-noise ratio. The Engineer needs to ensure that changes do not compromise the visibility of potential anomalous behavior.

How can the Security Engineer address the issue?

Options:

A.  

Disable the FTP rule in GuardDuty in the Region where the FTP server is deployed

B.  

Add the FTP server to a trusted IP list and deploy it to GuardDuty to stop receiving the notifications

C.  

Use GuardDuty filters with auto archiving enabled to close the findings

D.  

Create an IAM Lambda function that closes the finding whenever a new occurrence is reported

Discussion 0
Questions 126

A Systems Engineer has been tasked with configuring outbound mail through Simple Email Service (SES) and requires compliance with current TLS standards.

The mail application should be configured to connect to which of the following endpoints and corresponding ports?

Options:

A.  

email.us-east-1.amazonaws.com over port 8080

B.  

email-pop3.us-east-1.amazonaws.com over port 995

C.  

email-smtp.us-east-1.amazonaws.com over port 587

D.  

email-imap.us-east-1.amazonaws.com over port 993

Discussion 0
Questions 127

An Amazon EC2 instance is denied access to a newly created IAM KMS CMK used for decrypt actions. The environment has the following configuration:

  • The instance is allowed the kms:Decrypt action in its IAM role for all resources
  • The IAM KMS CMK status is set to enabled
  • The instance can communicate with the KMS API using a configured VPC endpoint

What is causing the issue?

Options:

A.  

The kms:GenerateDataKey permission is missing from the EC2 instance’s IAM role

B.  

The ARN tag on the CMK contains the EC2 instance’s ID instead of the instance’s ARN

C.  

The kms:Encrypt permission is missing from the EC2 IAM role

D.  

The KMS CMK key policy that enables IAM user permissions is missing

Discussion 0
Questions 128

A Software Engineer wrote a customized reporting service that will run on a fleet of Amazon EC2 instances. The company security policy states that application logs for the reporting service must be centrally collected.

What is the MOST efficient way to meet these requirements?

Options:

A.  

Write an IAM Lambda function that logs into the EC2 instance to pull the application logs from the EC2 instance and persists them into an Amazon S3 bucket.

B.  

Enable IAM CloudTrail logging for the IAM account, create a new Amazon S3 bucket, and then configure Amazon CloudWatch Logs to receive the application logs from CloudTrail.

C.  

Create a simple cron job on the EC2 instances that synchronizes the application logs to an Amazon S3 bucket by using rsync.

D.  

Install the Amazon CloudWatch Logs Agent on the EC2 instances, and configure it to send the application logs to CloudWatch Logs.

Discussion 0
Questions 129

A company runs an application on IAM that needs to be accessed only by employees. Most employees work from the office, but others work remotely or travel.

How can the Security Engineer protect this workload so that only employees can access it?

Options:

A.  

Add each employee’s home IP address to the security group for the application so that only those users can access the workload.

B.  

Create a virtual gateway for VPN connectivity for each employee, and restrict access to the workload from within the VPC.

C.  

Use a VPN appliance from the IAM Marketplace for users to connect to, and restrict workload access to traffic from that appliance.

D.  

Route all traffic to the workload through IAM WAF. Add each employee’s home IP address into an IAM WAF rule, and block all other traffic.

Discussion 0
Questions 130

During a recent internal investigation, it was discovered that all API logging was disabled in a production account, and the root user had created new API keys that appear to have been used several times.

What could have been done to detect and automatically remediate the incident?

Options:

A.  

Using Amazon Inspector, review all of the API calls and configure the inspector agent to leverage SNS topics to notify security of the change to IAM CloudTrail, and revoke the new API keys for the root user.

B.  

Using IAM Config, create a config rule that detects when IAM CloudTrail is disabled, as well as any calls to the root user create-api-key. Then use a Lambda function to re-enable CloudTrail logs and deactivate the root API keys.

C.  

Using Amazon CloudWatch, create a CloudWatch event that detects IAM CloudTrail deactivation and a separate Amazon Trusted Advisor check to automatically detect the creation of root API keys. Then use a Lambda function to enable IAM CloudTrail and deactivate the root API keys.

D.  

Using Amazon CloudTrail, create a new CloudTrail event that detects the deactivation of CloudTrail logs, and a separate CloudTrail event that detects the creation of root API keys. Then use a Lambda function to enable CloudTrail and deactivate the root API keys.

Discussion 0
Questions 131

A company uses identity federation to authenticate users into an identity account (987654321987) where the users assume an IAM role named IdentityRole. The users then assume an IAM role named JobFunctionRole in the target IAM account (123456789123) to perform their job functions.

A user is unable to assume the IAM role in the target account. The policy attached to the role in the identity account is:

What should be done to enable the user to assume the appropriate role in the target account?

Options:

A.  

Option A

B.  

Option B

C.  

Option C

D.  

Option D

Discussion 0
Questions 132

An organization has three applications running on IAM, each accessing the same data on Amazon S3. The data on Amazon S3 is server-side encrypted by using an IAM KMS Customer Master Key (CMK).

What is the recommended method to ensure that each application has its own programmatic access control permissions on the KMS CMK?

Options:

A.  

Change the key policy permissions associated with the KMS CMK for each application when it must access the data in Amazon S3.

B.  

Have each application assume an IAM role that provides permissions to use the IAM Certificate Manager CMK.

C.  

Have each application use a grant on the KMS CMK to add or remove specific access controls on the KMS CMK.

D.  

Have each application use an IAM policy in a user context to have specific access permissions on the KMS CMK.

Discussion 0
Questions 133

Which of the following bucket policies will ensure that objects being uploaded to a bucket called 'demo' are encrypted?

Please select:

Options:

A.  

[bucket policy shown as an image; not available in this text]

B.  

[bucket policy shown as an image; not available in this text]

C.  

[bucket policy shown as an image; not available in this text]

D.  

[bucket policy shown as an image; not available in this text]

Discussion 0
Questions 134

A company's security engineer wants to receive an email alert whenever Amazon GuardDuty, AWS Identity and Access Management Access Analyzer, or Amazon Macie generates a high-severity security finding. The company uses AWS Control Tower to govern all of its accounts. The company also uses AWS Security Hub with all of the AWS service integrations turned on.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

A.  

Set up separate AWS Lambda functions for GuardDuty, IAM Access Analyzer, and Macie to call each service's public API to retrieve high-severity findings. Use Amazon Simple Notification Service (Amazon SNS) to send the email alerts. Create an Amazon EventBridge rule to invoke the functions on a schedule.

B.  

Create an Amazon EventBridge rule with a pattern that matches Security Hub findings events with high severity. Configure the rule to send the findings to a target Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the desired email addresses to the SNS topic.

C.  

Create an Amazon EventBridge rule with a pattern that matches AWS Control Tower events with high severity. Configure the rule to send the findings to a target Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the desired email addresses to the SNS topic.

D.  

Host an application on Amazon EC2 to call the GuardDuty, IAM Access Analyzer, and Macie APIs. Within the application, use the Amazon Simple Notification Service (Amazon SNS) API to retrieve high-severity findings and to send the findings to an SNS topic. Subscribe the desired email addresses to the SNS topic.

Discussion 0
Questions 135

A company is using AWS Organizations to manage multiple accounts. The company needs to allow an IAM user to use a role to access resources that are in another organization's AWS account.

Which combination of steps must the company perform to meet this requirement? (Select TWO.)

Options:

A.  

Create an identity policy that allows the sts:AssumeRole action in the AWS account that contains the resources. Attach the identity policy to the IAM user.

B.  

Ensure that the sts:AssumeRole action is allowed by the SCPs of the organization that owns the resources that the IAM user needs to access.

C.  

Create a role in the AWS account that contains the resources. Create an entry in the role's trust policy that allows the IAM user to assume the role. Attach the trust policy to the role.

D.  

Establish a trust relationship between the IAM user and the AWS account that contains the resources.

E.  

Create a role in the IAM user's AWS account. Create an identity policy that allows the sts:AssumeRole action. Attach the identity policy to the role.

Discussion 0
Questions 136

A company wants to establish separate IAM Key Management Service (IAM KMS) keys to use for different IAM services. The company's security engineer created the following key policy to allow the infrastructure deployment team to create encrypted Amazon Elastic Block Store (Amazon EBS) volumes by assuming the InfrastructureDeployment IAM role:

The security engineer recently discovered that IAM roles other than the InfrastructureDeployment role used this key for other services. Which change to the policy should the security engineer make to resolve these issues?

Options:

A.  

In the statement block that contains the Sid "Allow use of the key", under the "Condition" block, change StringEquals to StringLike.

B.  

In the policy document, remove the statement block that contains the Sid "Enable IAM User Permissions". Add key management policies to the KMS policy.

C.  

In the statement block that contains the Sid "Allow use of the Key", under the "Condition" block, change the kms:ViaService value to ec2.us-east-1.amazonaws.com.

D.  

In the policy document, add a new statement block that grants the kms:Disable permission to the security engineer's IAM role.

Discussion 0
Questions 137

A security engineer must troubleshoot an administrator's inability to make an existing Amazon S3 bucket public in an account that is part of an organization in AWS Organizations. The administrator switched the role from the master account to a member account and then attempted to make one S3 bucket public. This action was immediately denied.

Which actions should the security engineer take to troubleshoot the permissions issue? (Select TWO.)

Options:

A.  

Review the cross-account role permissions and the S3 bucket policy. Verify that the Amazon S3 block public access option in the member account is deactivated.

B.  

Review the role permissions in the master account and ensure it has sufficient privileges to perform S3 operations.

C.  

Filter IAM CloudTrail logs for the master account to find the original deny event and update the cross-account role in the member account accordingly. Verify that the Amazon S3 block public access option in the master account is deactivated.

D.  

Evaluate the SCPs covering the member account and the permissions boundary of the role in the member account for missing permissions and explicit denies.

E.  

Ensure the S3 bucket policy explicitly allows the s3:PutBucketPublicAccess action for the role in the member account.

Discussion 0
Questions 138

A large corporation is creating a multi-account strategy and needs to determine how its employees should access the IAM infrastructure.

Which of the following solutions would provide the MOST scalable solution?

Options:

A.  

Create dedicated IAM users within each IAM account that employees can assume through federation based upon group membership in their existing identity provider

B.  

Use a centralized account with IAM roles that employees can assume through federation with their existing identity provider. Use cross-account roles to allow the federated users to assume their target role in the resource accounts.

C.  

Configure the IAM Security Token Service to use Kerberos tokens so that users can use their existing corporate user names and passwords to access IAM resources directly

D.  

Configure the IAM trust policies within each account's role to set up a trust back to the corporation's existing identity provider allowing users to assume the role based off their SAML token

Discussion 0
Questions 139

A company stores images for a website in an Amazon S3 bucket. The company is using Amazon CloudFront to serve the images to end users. The company recently discovered that the images are being accessed from countries where the company does not have a distribution license.

Which actions should the company take to secure the images to limit their distribution? (Select TWO.)

Options:

A.  

Update the S3 bucket policy to restrict access to a CloudFront origin access identity (OAI).

B.  

Update the website DNS record to use an Amazon Route 53 geolocation record deny list of countries where the company lacks a license.

C.  

Add a CloudFront geo restriction deny list of countries where the company lacks a license.

D.  

Update the S3 bucket policy with a deny list of countries where the company lacks a license.

E.  

Enable the Restrict Viewer Access option in CloudFront to create a deny list of countries where the company lacks a license.

Discussion 0
Questions 140

A company hosts an application on Amazon EC2 that is subject to specific rules for regulatory compliance. One rule states that traffic to and from the workload must be inspected for network-level attacks. This involves inspecting the whole packet.

To comply with this regulatory rule, a security engineer must install intrusion detection software on a c5n.4xlarge EC2 instance. The engineer must then configure the software to monitor traffic to and from the application instances.

What should the security engineer do next?

Options:

A.  

Place the network interface in promiscuous mode to capture the traffic.

B.  

Configure VPC Flow Logs to send traffic to the monitoring EC2 instance using a Network Load Balancer.

C.  

Configure VPC traffic mirroring to send traffic to the monitoring EC2 instance using a Network Load Balancer.

D.  

Use Amazon Inspector to detect network-level attacks and trigger an IAM Lambda function to send the suspicious packets to the EC2 instance.

Discussion 0
Questions 141

Your development team is using access keys to develop an application that has access to S3 and DynamoDB. A new security policy has outlined that the credentials should not be older than 2 months, and should be rotated. How can you achieve this?

Please select:

Options:

A.  

Use the application to rotate the keys every 2 months via the SDK

B.  

Use a script to query the creation date of the keys. If older than 2 months, create a new access key, update all applications to use it, then inactivate the old key and delete it.

C.  

Delete the user associated with the keys after every 2 months. Then recreate the user again.

D.  

Delete the IAM Role associated with the keys after every 2 months. Then recreate the IAM Role again.

Discussion 0
Questions 142

A security engineer configures Amazon S3 Cross-Region Replication (CRR) for all objects that are in an S3 bucket in the us-east-1 Region. Some objects in this S3 bucket use server-side encryption with AWS KMS keys (SSE-KMS) for encryption at rest. The security engineer creates a destination S3 bucket in the us-west-2 Region. The destination S3 bucket is in the same AWS account as the source S3 bucket.

The security engineer also creates a customer managed key in us-west-2 to encrypt objects at rest in the destination S3 bucket. The replication configuration is set to use the key in us-west-2 to encrypt objects in the destination S3 bucket. The security engineer has provided the S3 replication configuration with an IAM role to perform the replication in Amazon S3.

After a day, the security engineer notices that no encrypted objects from the source S3 bucket are replicated to the destination S3 bucket. However, all the unencrypted objects are replicated.

Which combination of steps should the security engineer take to remediate this issue? (Select THREE.)

Options:

A.  

Change the replication configuration to use the key in us-east-1 to encrypt the objects that are in the destination S3 bucket.

B.  

Grant the IAM role the kms:Encrypt permission for the key in us-east-1 that encrypts source objects.

C.  

Grant the IAM role the s3:GetObjectVersionForReplication permission for objects that are in the source S3 bucket.

D.  

Grant the IAM role the kms:Decrypt permission for the key in us-east-1 that encrypts source objects.

E.  

Change the key policy of the key in us-east-1 to grant the kms:Decrypt permission to the security engineer's IAM account.

F.  

Grant the IAM role the kms:Encrypt permission for the key in us-west-2 that encrypts objects that are in the destination S3 bucket.

Discussion 0
Questions 143

A developer at a company uses an SSH key to access multiple Amazon EC2 instances. The company discovers that the SSH key has been posted on a public GitHub repository. A security engineer verifies that the key has not been used recently.

How should the security engineer prevent unauthorized access to the EC2 instances?

Options:

A.  

Delete the key pair from the EC2 console. Create a new key pair.

B.  

Use the ModifyInstanceAttribute API operation to change the key on any EC2 instance that is using the key.

C.  

Restrict SSH access in the security group to only known corporate IP addresses.

D.  

Update the key pair in any AMI that is used to launch the EC2 instances. Restart the EC2 instances.

Discussion 0
Questions 144

A development team is attempting to encrypt and decode a secure string parameter from the IAM Systems Manager Parameter Store using an IAM Key Management Service (IAM KMS) CMK. However, each attempt results in an error message being sent to the development team.

Which CMK-related problems possibly account for the error? (Select two.)

Options:

A.  

The CMK used in the attempt does not exist.

B.  

The CMK used in the attempt needs to be rotated.

C.  

The CMK used in the attempt is referenced by the CMK's key ID instead of the CMK ARN.

D.  

The CMK used in the attempt is not enabled.

E.  

The CMK used in the attempt is referenced by an alias.

Discussion 0
Questions 145

A company uses AWS Organizations to manage a small number of AWS accounts. However, the company plans to add 1,000 more accounts soon. The company allows only a centralized security team to create IAM roles for all AWS accounts and teams. Application teams submit requests for IAM roles to the security team. The security team has a backlog of IAM role requests and cannot review and provision the IAM roles quickly.

The security team must create a process that will allow application teams to provision their own IAM roles. The process must also limit the scope of IAM roles and prevent privilege escalation.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

A.  

Create an IAM group for each application team. Associate policies with each IAM group. Provision IAM users for each application team member. Add the new IAM users to the appropriate IAM group by using role-based access control (RBAC).

B.  

Delegate application team leads to provision IAM roles for each team. Conduct a quarterly review of the IAM roles the team leads have provisioned. Ensure that the application team leads have the appropriate training to review IAM roles.

C.  

Put each AWS account in its own OU. Add an SCP to each OU to grant access to only the AWS services that the teams plan to use. Include conditions in the AWS account of each team.

D.  

Create an SCP and a permissions boundary for IAM roles. Add the SCP to the root OU so that only roles that have the permissions boundary attached can create any new IAM roles.

Discussion 0
Questions 146

An IT department currently has a Java web application deployed on Apache Tomcat running on Amazon EC2 instances. All traffic to the EC2 instances is sent through an internet-facing Application Load Balancer (ALB). The Security team has noticed during the past two days thousands of unusual read requests coming from hundreds of IP addresses. This is causing the Tomcat server to run out of threads and reject new connections.

Which is the SIMPLEST change that would address this server issue?

Options:

A.  

Create an Amazon CloudFront distribution and configure the ALB as the origin

B.  

Block the malicious IPs with a network access control list (NACL).

C.  

Create an IAM Web Application Firewall (WAF) and attach it to the ALB.

D.  

Map the application domain name to use Route 53

Discussion 0
Questions 147

A security team is using Amazon EC2 Image Builder to build a hardened AMI with forensic capabilities. An AWS Key Management Service (AWS KMS) key will encrypt the forensic AMI. EC2 Image Builder successfully installs the required patches and packages in the security team's AWS account. The security team uses a federated IAM role in the same AWS account to sign in to the AWS Management Console and attempts to launch the forensic AMI. The EC2 instance launches and immediately terminates.

What should the security team do to launch the EC2 instance successfully?

Options:

A.  

Update the policy that is associated with the federated IAM role to allow the ec2:DescribeImages action for the forensic AMI.

B.  

Update the policy that is associated with the federated IAM role to allow the ec2:StartInstances action in the security team's AWS account.

C.  

Update the policy that is associated with the KMS key that is used to encrypt the forensic AMI. Configure the policy to allow the kms:Encrypt and kms:Decrypt actions for the federated IAM role.

D.  

Update the policy that is associated with the federated IAM role to allow the kms:DescribeKey action for the KMS key that is used to encrypt the forensic AMI.

Questions 148

A company's security engineer has been tasked with restricting a contractor's IAM account access to the company's Amazon EC2 console without providing access to any other IAM services. The contractor's IAM account must not be able to gain access to any other IAM service, even if the IAM account is assigned additional permissions based on IAM group membership.

What should the security engineer do to meet these requirements?

Options:

A.  

Create an inline IAM user policy that allows for Amazon EC2 access for the contractor's IAM user.

B.  

Create an IAM permissions boundary policy that allows Amazon EC2 access. Associate the contractor's IAM account with the IAM permissions boundary policy.

C.  

Create an IAM group with an attached policy that allows for Amazon EC2 access. Associate the contractor's IAM account with the IAM group.

D.  

Create an IAM role that allows for EC2 and explicitly denies all other services. Instruct the contractor to always assume this role.

Questions 149

Your CTO thinks your IAM account was hacked. What is the only way to know for certain if there was unauthorized access and what they did, assuming your hackers are very sophisticated IAM engineers and doing everything they can to cover their tracks?

Please select:

Options:

A.  

Use CloudTrail Log File Integrity Validation.

B.  

Use IAM Config SNS Subscriptions and process events in real time.

C.  

Use CloudTrail backed up to IAM S3 and Glacier.

D.  

Use IAM Config Timeline forensics.

Questions 150

A security administrator is setting up a new AWS account. The security administrator wants to secure the data that a company stores in an Amazon S3 bucket. The security administrator also wants to reduce the chance of unintended data exposure and the potential for misconfiguration of objects that are in the S3 bucket.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

A.  

Configure the S3 Block Public Access feature for the AWS account.

B.  

Configure the S3 Block Public Access feature for all objects that are in the bucket.

C.  

Deactivate ACLs for objects that are in the bucket.

D.  

Use AWS PrivateLink for Amazon S3 to access the bucket.

Questions 151

A security engineer needs to create an Amazon S3 bucket policy to grant least privilege read access to IAM user accounts that are named User1, User2, and User3. These IAM user accounts are members of the AuthorizedPeople IAM group. The security engineer drafts the following S3 bucket policy:

When the security engineer tries to add the policy to the S3 bucket, the following error message appears: "Missing required field Principal." The security engineer is adding a Principal element to the policy. The addition must provide read access to only User1, User2, and User3. Which solution meets these requirements?

A)

B)

C)

D)

Options:

A.  

Option A

B.  

Option B

C.  

Option C

D.  

Option D

Questions 152

A company wants to protect its website from man-in-the-middle attacks by using Amazon CloudFront. Which solution will meet these requirements with the LEAST operational overhead?

Options:

A.  

Use the SimpleCORS managed response headers policy.

B.  

Use a Lambda@Edge function to add the Strict-Transport-Security response header.

C.  

Use the SecurityHeadersPolicy managed response headers policy.

D.  

Include the X-XSS-Protection header in a custom response headers policy.

Questions 153

A company is attempting to conduct forensic analysis on an Amazon EC2 instance, but the company is unable to connect to the instance by using AWS Systems Manager Session Manager. The company has installed AWS Systems Manager Agent (SSM Agent) on the EC2 instance.

The EC2 instance is in a subnet in a VPC that does not have an internet gateway attached. The company has associated a security group with the EC2 instance. The security group does not have inbound or outbound rules. The subnet's network ACL allows all inbound and outbound traffic.

Which combination of actions will allow the company to conduct forensic analysis on the EC2 instance without compromising forensic data? (Select THREE.)

Options:

A.  

Update the EC2 instance security group to add a rule that allows outbound traffic on port 443 for 0.0.0.0/0.

B.  

Update the EC2 instance security group to add a rule that allows inbound traffic on port 443 to the VPC's CIDR range.

C.  

Create an EC2 key pair. Associate the key pair with the EC2 instance.

D.  

Create a VPC interface endpoint for Systems Manager in the VPC where the EC2 instance is located.

E.  

Attach a security group to the VPC interface endpoint. Allow inbound traffic on port 443 to the VPC's CIDR range.

F.  

Create a VPC interface endpoint for the EC2 instance in the VPC where the EC2 instance is located.

Questions 154

A company's Security Auditor discovers that users are able to assume roles without using multi-factor authentication (MFA). An example of a current policy being applied to these users is as follows:

The Security Auditor finds that the users who are able to assume roles without MFA are all coming from the IAM CLI. These users are using long-term IAM credentials. Which changes should a Security Engineer implement to resolve this security issue? (Select TWO.)

A)

B)

C)

D)

E)

Options:

A.  

Option A

B.  

Option B

C.  

Option C

D.  

Option D

E.  

Option E

Questions 155

A company's Security Team received an email notification from the Amazon EC2 Abuse team that one or more of the company's Amazon EC2 instances may have been compromised.

Which combination of actions should the Security team take to respond to the current incident? (Select TWO.)

Options:

A.  

Open a support case with the IAM Security team and ask them to remove the malicious code from the affected instance.

B.  

Respond to the notification and list the actions that have been taken to address the incident.

C.  

Delete all IAM users and resources in the account.

D.  

Detach the internet gateway from the VPC, remove all rules that contain 0.0.0.0/0 from the security groups, and create a NACL rule to deny all traffic inbound from the internet.

E.  

Delete the identified compromised instances and delete any associated resources that the Security team did not create.

Questions 156

A company has an organization in AWS Organizations that includes dedicated accounts for each of its business units. The company is collecting all AWS CloudTrail logs from the accounts in a single Amazon S3 bucket in the top-level account. The company's IT governance team has access to the top-level account. A security engineer needs to allow each business unit to access its own CloudTrail logs.

The security engineer creates an IAM role in the top-level account for each of the other accounts. For each role the security engineer creates an IAM policy to allow read-only permissions to objects in the S3 bucket with the prefix of the respective logs.

Which action must the security engineer take in each business unit account to allow an IAM user in that account to read the logs?

Options:

A.  

Attach a policy to the IAM user to allow the user to assume the role that was created in the top-level account. Specify the role's ARN in the policy.

B.  

Create an SCP that grants permissions to the top-level account.

C.  

Use the root account of the business unit account to assume the role that was created in the top-level account. Specify the role's ARN in the policy.

D.  

Forward the credentials of the IAM role in the top-level account to the IAM user in the business unit account.

Questions 157

A company is undergoing a layer 3 and layer 4 DDoS attack on its web servers running on IAM.

Which combination of IAM services and features will provide protection in this scenario? (Select THREE).

Options:

A.  

Amazon Route 53

B.  

IAM Certificate Manager (ACM)

C.  

Amazon S3

D.  

IAM Shield

E.  

Elastic Load Balancer

F.  

Amazon GuardDuty

Questions 158

Your company has just set up a new central server in a VPC. There is a requirement for other teams who have their servers located in different VPCs in the same region to connect to the central server. Which of the below options is best suited to achieve this requirement?

Please select:

Options:

A.  

Set up VPC peering between the central server VPC and each of the teams' VPCs.

B.  

Set up IAM DirectConnect between the central server VPC and each of the teams' VPCs.

C.  

Set up an IPSec Tunnel between the central server VPC and each of the teams' VPCs.

D.  

None of the above options will work.

Questions 159

A company in France uses Amazon Cognito with the Cognito Hosted UI as an identity broker for sign-in and sign-up processes. The company is marketing an application and expects that all the application's users will come from France.

When the company launches the application the company's security team observes fraudulent sign-ups for the application. Most of the fraudulent registrations are from users outside of France.

The security team needs a solution to perform custom validation at sign-up. Based on the results of the validation, the solution must accept or deny the registration request.

Which combination of steps will meet these requirements? (Select TWO.)

Options:

A.  

Create a pre sign-up AWS Lambda trigger. Associate the Amazon Cognito function with the Amazon Cognito user pool.

B.  

Use a geographic match rule statement to configure an AWS WAF web ACL. Associate the web ACL with the Amazon Cognito user pool.

C.  

Configure an app client for the application's Amazon Cognito user pool. Use the app client ID to validate the requests in the hosted UI.

D.  

Update the application's Amazon Cognito user pool to configure a geographic restriction setting.

E.  

Use Amazon Cognito to configure a social identity provider (IdP) to validate the requests on the hosted UI.

Questions 160

A Security Engineer receives alerts that an Amazon EC2 instance on a public subnet is under an SFTP brute force attack from a specific IP address, which is a known malicious bot. What should the Security Engineer do to block the malicious bot?

Options:

A.  

Add a deny rule to the public VPC security group to block the malicious IP.

B.  

Add the malicious IP to IAM WAF blacklisted IPs.

C.  

Configure Linux iptables or Windows Firewall to block any traffic from the malicious IP.

D.  

Modify the hosted zone in Amazon Route 53 and create a DNS sinkhole for the malicious IP.

Questions 161

A developer has created an AWS Lambda function in a company's development account. The Lambda function requires the use of an AWS Key Management Service (AWS KMS) customer managed key that exists in a security account that the company's security team controls. The developer obtains the ARN of the KMS key from a previous Lambda function in the development account. The previous Lambda function had been working properly with the KMS key.

When the developer uses the ARN and tests the new Lambda function an error message states that access is denied to the KMS key in the security account. The developer tests the previous Lambda function that uses the same KMS key and discovers that the previous Lambda function still can encrypt data as expected.

A security engineer must resolve the problem so that the new Lambda function in the development account can use the KMS key from the security account.

Which combination of steps should the security engineer take to meet these requirements? (Select TWO.)

Options:

A.  

In the security account, configure an IAM role for the new Lambda function. Attach an IAM policy that allows access to the KMS key in the security account.

B.  

In the development account, configure an IAM role for the new Lambda function. Attach a key policy that allows access to the KMS key in the security account.

C.  

In the development account, configure an IAM role for the new Lambda function. Attach an IAM policy that allows access to the KMS key in the security account.

D.  

Configure a key policy for the KMS key in the security account to allow access to the IAM role of the new Lambda function in the security account.

E.  

Configure a key policy for the KMS key in the security account to allow access to the IAM role of the new Lambda function in the development account.

Questions 162

A System Administrator is unable to start an Amazon EC2 instance in the eu-west-1 Region using an IAM role. The same System Administrator is able to start an EC2 instance in the eu-west-2 and eu-west-3 Regions. The IAMSystemAdministrator access policy attached to the System Administrator IAM role allows unconditional access to all IAM services and resources within the account.

Which configuration caused this issue?

A) An SCP is attached to the account with the following permission statement:

B)

A permission boundary policy is attached to the System Administrator role with the following permission statement:

C)

A permission boundary is attached to the System Administrator role with the following permission statement:

D)

An SCP is attached to the account with the following statement:

Options:

A.  

Option A

B.  

Option B

C.  

Option C

D.  

Option D

Questions 163

A company wants to monitor the deletion of customer managed CMKs. A security engineer must create an alarm that will notify the company before a CMK is deleted. The security engineer has configured the integration of IAM CloudTrail with Amazon CloudWatch.

What should the security engineer do next to meet this requirement?

Options:

A.  

Use inbound rule 100 to allow traffic on TCP port 443. Use inbound rule 200 to deny traffic on TCP port 3306. Use outbound rule 100 to allow traffic on TCP port 443.

B.  

Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port range 1024-65535. Use outbound rule 100 to allow traffic on TCP port 443.

C.  

Use inbound rule 100 to allow traffic on TCP port range 1024-65535. Use inbound rule 200 to deny traffic on TCP port 3306. Use outbound rule 100 to allow traffic on TCP port 443.

D.  

Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port 443. Use outbound rule 100 to allow traffic on TCP port 443.

Questions 164

A company has two VPCs in the same AWS Region and in the same AWS account. Each VPC uses a CIDR block that does not overlap with the CIDR block of the other VPC. One VPC contains AWS Lambda functions that run inside a subnet that accesses the internet through a NAT gateway. The Lambda functions require access to a publicly accessible Amazon Aurora MySQL database that is running in the other VPC.

A security engineer determines that the Aurora database uses a security group rule that allows connections from the NAT gateway IP address that the Lambda functions use. The company's security policy states that no database should be publicly accessible.

What is the MOST secure way that the security engineer can provide the Lambda functions with access to the Aurora database?

Options:

A.  

Move the Aurora database into a private subnet that has no internet access routes in the database's current VPC. Configure the Lambda functions to use the Aurora database's new private IP address to access the database. Configure the Aurora database's security group to allow access from the private IP addresses of the Lambda functions.

B.  

Establish a VPC endpoint between the two VPCs. In the Aurora database's VPC, configure a service VPC endpoint for Amazon RDS. In the Lambda functions' VPC, configure an interface VPC endpoint that uses the service endpoint in the Aurora database's VPC. Configure the service endpoint to allow connections from the Lambda functions.

C.  

Establish an AWS Direct Connect interface between the VPCs. Configure the Lambda functions to use a new route table that accesses the Aurora database through the Direct Connect interface. Configure the Aurora database's security group to allow access from the Direct Connect interface IP address.

D.  

Move the Lambda functions into a public subnet in their VPC. Move the Aurora database into a private subnet in its VPC. Configure the Lambda functions to use the Aurora database's new private IP address to access the database. Configure the Aurora database to allow access from the public IP addresses of the Lambda functions.

Questions 165

Example.com is hosted on Amazon EC2 instances behind an Application Load Balancer (ALB). Third-party host intrusion detection system (HIDS) agents that capture the traffic of the EC2 instance are running on each host. The company must ensure they are using privacy enhancing technologies for users, without losing the assurance the third-party solution offers.

What is the MOST secure way to meet these requirements?

Options:

A.  

Enable TLS pass-through on the ALB, and handle decryption at the server using Elliptic Curve Diffie-Hellman (ECDHE) cipher suites.

B.  

Create a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie-Hellman (ECDHE) cipher suites, and pass the traffic in the clear to the server.

C.  

Create a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie-Hellman (ECDHE) cipher suites, and use encrypted connections to the servers that do not enable Perfect Forward Secrecy (PFS).

D.  

Create a listener on the ALB that does not enable Perfect Forward Secrecy (PFS) cipher suites, and use encrypted connections to the servers using Elliptic Curve Diffie-Hellman (ECDHE) cipher suites.

Questions 166

A company needs to use HTTPS when connecting to its web applications to meet compliance requirements. These web applications run in Amazon VPC on Amazon EC2 instances behind an Application Load Balancer (ALB). A security engineer wants to ensure that the load balancer will only accept connections over port 443, even if the ALB is mistakenly configured with an HTTP listener.

Which configuration steps should the security engineer take to accomplish this task?

Options:

A.  

Create a security group with a rule that denies inbound connections from 0.0.0.0/0 on port 80. Attach this security group to the ALB to overwrite more permissive rules from the ALB's default security group.

B.  

Create a network ACL that denies inbound connections from 0.0.0.0/0 on port 80. Associate the network ACL with the VPC's internet gateway.

C.  

Create a network ACL that allows outbound connections to the VPC IP range on port 443 only. Associate the network ACL with the VPC's internet gateway.

D.  

Create a security group with a single inbound rule that allows connections from 0.0.0.0/0 on port 443. Ensure this security group is the only one associated with the ALB.

Questions 167

An Incident Response team is investigating an IAM access key leak that resulted in Amazon EC2 instances being launched. The company did not discover the incident until many months later. The Director of Information Security wants to implement new controls that will alert when similar incidents happen in the future.

Which controls should the company implement to achieve this? (Select TWO.)

Options:

A.  

Enable VPC Flow Logs in all VPCs. Create a scheduled IAM Lambda function that downloads and parses the logs, and sends an Amazon SNS notification for violations.

B.  

Use IAM CloudTrail to make a trail, and apply it to all Regions. Specify an Amazon S3 bucket to receive all the CloudTrail log files.

C.  

Add the following bucket policy to the company's IAM CloudTrail bucket to prevent log tampering:

{
"Version": "2012-10-17",
"Statement": {
"Effect": "Deny",
"Action": "s3:PutObject",
"Principal": "*",
"Resource": "arn:IAM:s3:::cloudtrail/IAMLogs/111122223333/*"
}
}

Create an Amazon S3 data event for all PutObject attempts, which sends notifications to an Amazon SNS topic.

D.  

Create a Security Auditor role with permissions to access Amazon CloudWatch Logs in all Regions. Ship the logs to an Amazon S3 bucket and make a lifecycle policy to ship the logs to Amazon S3 Glacier.

E.  

Verify that Amazon GuardDuty is enabled in all Regions, and create an Amazon CloudWatch Events rule for Amazon GuardDuty findings. Add an Amazon SNS topic as the rule's target.

Questions 168

A company deploys a distributed web application on a fleet of Amazon EC2 instances. The fleet is behind an Application Load Balancer (ALB) that will be configured to terminate the TLS connection. All TLS traffic to the ALB must stay secure, even if the certificate private key is compromised.

How can a security engineer meet this requirement?

Options:

A.  

Create an HTTPS listener that uses a certificate that is managed by IAM Certificate Manager (ACM).

B.  

Create an HTTPS listener that uses a security policy that uses a cipher suite with perfect forward secrecy (PFS).

C.  

Create an HTTPS listener that uses the Server Order Preference security feature.

D.  

Create a TCP listener that uses a custom security policy that allows only cipher suites with perfect forward secrecy (PFS).

Questions 169

A company became aware that one of its access keys was exposed on a code sharing website 11 days ago. A Security Engineer must review all use of the exposed access keys to determine the extent of the exposure. The company enabled IAM CloudTrail in all regions when it opened the account.

Which of the following will allow the Security Engineer to complete the task?

Options:

A.  

Filter the event history on the exposed access key in the CloudTrail console. Examine the data from the past 11 days.

B.  

Use the IAM CLI to generate an IAM credential report. Extract all the data from the past 11 days.

C.  

Use Amazon Athena to query the CloudTrail logs from Amazon S3. Retrieve the rows for the exposed access key for the past 11 days.

D.  

Use the Access Advisor tab in the IAM console to view all of the access key activity for the past 11 days.

Questions 170

A company is using IAM Secrets Manager to store secrets for its production Amazon RDS database. The Security Officer has asked that secrets be rotated every 3 months. Which solution would allow the company to securely rotate the secrets? (Select TWO.)

Options:

A.  

Place the RDS instance in a public subnet and an IAM Lambda function outside the VPC. Schedule the Lambda function to run every 3 months to rotate the secrets.

B.  

Place the RDS instance in a private subnet and an IAM Lambda function inside the VPC in the private subnet. Configure the private subnet to use a NAT gateway. Schedule the Lambda function to run every 3 months to rotate the secrets.

C.  

Place the RDS instance in a private subnet and an IAM Lambda function outside the VPC. Configure the private subnet to use an internet gateway. Schedule the Lambda function to run every 3 months to rotate the secrets.

D.  

Place the RDS instance in a private subnet and an IAM Lambda function inside the VPC in the private subnet. Schedule the Lambda function to run quarterly to rotate the secrets.

E.  

Place the RDS instance in a private subnet and an IAM Lambda function inside the VPC in the private subnet. Configure a Secrets Manager interface endpoint. Schedule the Lambda function to run every 3 months to rotate the secrets.

Questions 171

A company manages multiple IAM accounts using IAM Organizations. The company's security team notices that some member accounts are not sending IAM CloudTrail logs to a centralized Amazon S3 logging bucket. The security team wants to ensure there is at least one trail configured for all existing accounts and for any account that is created in the future.

Which set of actions should the security team implement to accomplish this?

Options:

A.  

Create a new trail and configure it to send CloudTrail logs to Amazon S3. Use Amazon EventBridge (Amazon CloudWatch Events) to send notification if a trail is deleted or stopped.

B.  

Deploy an IAM Lambda function in every account to check if there is an existing trail and create a new trail, if needed.

C.  

Edit the existing trail in the Organizations master account and apply it to the organization.

D.  

Create an SCP to deny the cloudtrail:Delete* and cloudtrail:Stop* actions. Apply the SCP to all accounts.

Questions 172

A recent security audit found that IAM CloudTrail logs are insufficiently protected from tampering and unauthorized access. Which actions must the Security Engineer take to address these audit findings? (Select THREE.)

Options:

A.  

Ensure CloudTrail log file validation is turned on.

B.  

Configure an S3 lifecycle rule to periodically archive CloudTrail logs into Glacier for long-term storage.

C.  

Use an S3 bucket with tight access controls that exists in a separate account.

D.  

Use Amazon Inspector to monitor the file integrity of CloudTrail log files.

E.  

Request a certificate through ACM and use a generated certificate private key to encrypt CloudTrail log files.

F.  

Encrypt the CloudTrail log files with server-side encryption with IAM KMS-managed keys (SSE-KMS).

Questions 173

A developer signed in to a new account within an IAM Organization organizational unit (OU) containing multiple accounts. Access to the Amazon S3 service is restricted with the following SCP.

How can the security engineer provide the developer with Amazon S3 access without affecting other accounts?

Options:

A.  

Move the SCP to the root OU of the organization to remove the restriction to access Amazon S3.

B.  

Add an IAM policy for the developer, which grants S3 access.

C.  

Create a new OU without applying the SCP restricting S3 access. Move the developer account to this new OU.

D.  

Add an allow list for the developer account for the S3 service.

Questions 174

A security engineer creates an Amazon S3 bucket policy that denies access to all users. A few days later, the security engineer adds an additional statement to the bucket policy to allow read-only access to one other employee. Even after updating the policy, the employee still receives an access denied message.

What is the likely cause of this access denial?

A security engineer is working with a company to design an ecommerce application. The application will run on Amazon EC2 instances that run in an Auto Scaling group behind an Application Load Balancer (ALB). The application will use an Amazon RDS DB instance for its database.

The only required connectivity from the internet is for HTTP and HTTPS traffic to the application. The application must communicate with an external payment provider that allows traffic only from a preconfigured allow list of IP addresses. The company must ensure that communications with the external payment provider are not interrupted as the environment scales.

Which combination of actions should the security engineer recommend to meet these requirements? (Select THREE.)

Options:

A.  

Deploy a NAT gateway in each private subnet for every Availability Zone that is in use.

B.  

Place the DB instance in a public subnet.

C.  

Place the DB instance in a private subnet.

D.  

Configure the Auto Scaling group to place the EC2 instances in a public subnet.

E.  

Configure the Auto Scaling group to place the EC2 instances in a private subnet.

F.  

Deploy the ALB in a private subnet.

Questions 175

A security engineer needs to build a solution to turn IAM CloudTrail back on in multiple IAM Regions in case it is ever turned off.

What is the MOST efficient way to implement this solution?

Options:

A.  

Use IAM Config with a managed rule to trigger the IAM-EnableCloudTrail remediation.

B.  

Create an Amazon EventBridge (Amazon CloudWatch Events) event with a cloudtrail.amazonIAM.com event source and a StartLogging event name to trigger an IAM Lambda function to call the StartLogging API.

C.  

Create an Amazon CloudWatch alarm with a cloudtrail.amazonIAM.com event source and a StopLogging event name to trigger an IAM Lambda function to call the StartLogging API.

D.  

Monitor IAM Trusted Advisor to ensure CloudTrail logging is enabled.
