A.  

Enable Amazon Macie. Run an on-demand sensitive data discovery job that uses the PERSONALJNFORMATION managed data identifier.

B.  

Use AWS Glue with the Detect Pll transform to identify sensitive data and to mask the sensitive data.

C.  

Enable AWS Audit Manager. Create an assessment by using a supported framework.

D.  

Enable Amazon GuardDuty S3 Protection Document any findings that are related to suspicious access of S3 buckets.

E.  

Enable AWS Security Hub. Use the AWS Foundational Security Best Practices standard. Review the controls dashboard for evidence of failed S3 Block Public Access controls.

F.  

Enable AWS Config Set up the s3-bucket-public-write-prohibited AWS Config managed rule.

A.  

In the security account configure an IAM role for the new Lambda function. Attach an IAM policy that allows access to the KMS key in the security account.

B.  

In the development account configure an IAM role for the new Lambda function. Attach a key policy that allows access to the KMS key in the security account.

C.  

In the development account configure an IAM role for the new Lambda function. Attach an IAM policy that allows access to the KMS key in the security account.

D.  

Configure a key policy for the KMS key m the security account to allow access to the IAM role of the new Lambda function in the security account.

E.  

Configure a key policy for the KMS key in the security account to allow access to the IAM role of the new Lambda function in the development account.

A.  

Option A

B.  

Option B

C.  

Option C

D.  

Option D

A.  

Enable AWS Config Create a proactive AWS. Config Custom Policy rule Create a Guard clause to evaluate the S3 bucket policies to check for a value of True for the aws SecureTransport condition key. If the AWS Config rule evaluates to NON_COMPLIANT, block resource creation.

B.  

Enable AWS Config Configure the s3-bucket-ssl-requests-only AWS Config managed rule and set the rule trigger type to Hybrid Create an AWS Systems Manager.

Automation runbook that applies a bucket policy to deny requests when the value of the aws SecureTransport condition key is False Configure automatic remediation Set the runbook as the target of the rule.

C.  

Enable Amazon Inspector Create a custom AWS Lambda rule. Create a Lambda function that applies a bucket policy to deny requests when the value of the aws SecureTransport condition key is False Set the Lambda function as the target of the rule.

D.  

Create an AWS CloudTrail trail Enable S3 data events on the trail. Create an AWS Lambda function that applies a bucket policy to deny requests when the value of the aws SecureTransport condition key is False. Configure the CloudTrail trail to invoke the Lambda function.

A.  

Configure trusted access for AWS System Manager in Organizations Configure a bastion host from the management account Replace SSH and RDP by using Systems Manager Session Manager from the management account Configure Session Manager logging to Amazon CloudWatch Logs

B.  

Replace SSH and RDP with AWS Systems Manager Session Manager Install Systems Manager Agent (SSM Agent) on the instances Attach the

C.  

AmazonSSMManagedlnstanceCore role to the instances Configure session data streaming to Amazon CloudWatch Logs Create a separate logging account that has appropriate cross-account permissions to audit the log data

D.  

Install a bastion host in the management account Reconfigure all SSH and RDP to allow access only from the bastion host Install AWS Systems Manager Agent (SSM Agent) on the bastion host Attach the AmazonSSMManagedlnstanceCore role to the bastion host Configure session data streaming to Amazon CloudWatch Logs in a separate logging account to audit log data

E.  

Replace SSH and RDP with AWS Systems Manager State Manager Install Systems Manager Agent (SSM Agent) on the instances Attach theAmazonSSMManagedlnstanceCore role to the instances Configure session data streaming to Amazon CloudTrail Use CloudTrail Insights to analyze the trail data

A.  

Create a CloudWatch Logs account-wide data protection policy. Specify the appropriate data identifiers for the policy. Ensure that the developers do not have the logs:Unmask 1AM permission.

B.  

Export the CloudWatch Logs data to an Amazon S3 bucket. Set up automated discovery by using Amazon Macie on the S3 bucket. Create a custom data identifier for the sensitive data. Remove the developers' access to CloudWatch Logs. Grant permissions for the developers to view the exported log data in Amazon S3.

C.  

Export the CloudWatch Logs data to an Amazon S3 bucket. Set up automated discovery by using Amazon Macie on the S3 bucket. Specify the appropriate managed data identifiers. Remove the developers' access to CloudWatch Logs. Grant permissions for the developers to view the exported log data in Amazon S3.

D.  

Create a CloudWatch Logs data protection policy for each log group. Specify the appropriate data identifiers for the policy. Ensure that the developers do not have the logsiUnmask 1AM permission.

A.  

A computer code with black text Description automatically generated

B.  

A computer code with black text Description automatically generated

C.  

A computer code with black text Description automatically generated

D.  

A computer code with black text Description automatically generated

A.  

Review the AWS CloudTrail logs in the account in the Production OU Search for any failed API calls from CloudFormation during the deployment attempt.

B.  

Remove all the SCPs that are attached to the Production OU Rerun the CloudFormation stack update to determine if the SCPs were preventing the CloudFormation API calls.

C.  

Confirm that the role used by CloudFormation has sufficient permissions to create update and delete the resources that are referenced in the CloudFormation template.

D.  

Make all the SCPs that are attached to the Production OU the same as the SCPs that are attached to the Testing OU.

A.  

B.  

B.  

C.  

A computer code with black text Description automatically generated

D.  

A computer code with text Description automatically generated

A.  

In each account, update the ECR registry to use Amazon Inspector instead of the default scanning service. Configure Amazon Inspector to forwardvulnerability findings to AWS Security Hub in a central security account. Provide access for the audit team to use Security Hub to review the findings.

B.  

In each account, configure AWS Config to monitor the configuration of the ECS containers and the ECR registry. Configure AWS Config conformance packs forvulnerability scanning. Create an AWS Config aggregator in a central account to collect configuration and compliance details from all accounts. Provide theaudit team with access to AWS Config in the account where the aggregator is configured.

C.  

In each account, configure AWS Audit Manager to scan the ECS containers and the ECR registry. Configure Audit Manager to forward vulnerability findings toAWS Security Hub in a central security account. Provide access for the audit team to use Security Hub to review the findings.

D.  

In each account, configure Amazon GuardDuty to scan the ECS containers and the ECR registry. Configure GuardDuty to forward vulnerability findings to AWS Security Hub in a central security account. Provide access for the audit team to use Security Hub to review the findings.

A.  

Enable Amazon RDS encryption to encrypt the database and snapshots. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instances. Include the database credential in the EC2 user data field. Use an AWS Lambda function to rotate database credentials. Set up TLS for the connection to the database.

B.  

Install a database on an Amazon EC2 instance. Enable third-party disk encryption to encrypt Amazon Elastic Block Store (Amazon EBS) volume. Store the database credentials in AWS CloudHSM with automatic rotation. Set up TLS for the connection to the database.

C.  

Enable Amazon RDS encryption to encrypt the database and snapshots. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instances. Store the database credentials in AWS Secrets Manager with automatic rotation. Set up TLS for the connection to the RDS hosted database.

D.  

Set up an AWS CloudHSM cluster with AWS Key Management Service (AWS KMS) to store KMS keys. Set up Amazon RDS encryption using AWS KSM to encrypt the database. Store the database credentials in AWS Systems Manager Parameter Store with automatic rotation. Set up TLS for the connection to the RDS hosted database.

A.  

1 Put all users into an IAM group with an access policy granting access to the J bucket.

B.  

Have the account creation trigger an IAM Lambda function that manages the bucket policy, allowing access to accounts listed in the policy only.

C.  

Add an SCP to the Organizations master account, allowing all principals access to the bucket.

D.  

Specify the organization ID in the global key condition element of a bucket policy, allowing all principals access.

A.  

Configure the Amazon inspector agent to use the CVE rule package

B.  

Configure the Amazon Inspector agent to use the CVE rule package Configure Security Hub to ingest from IAM inspector by writing a custom resource policy

C.  

Configure the Security Hub agent to use the CVE rule package Configure IAM Inspector lo ingest from Security Hub by writing a custom resource policy

D.  

Configure the Amazon Inspector agent to use the CVE rule package Install an additional Integration library Allow the Amazon Inspector agent to communicate with Security Hub

A.  

Add an IAM managed policy for the user

B.  

Add a service policy for the user

C.  

Add an IAM role for the user

D.  

Add an inline policy for the user

A.  

Use Amazon Athena to query the ALB logs by the request ID of the blocked request.

B.  

Use Amazon Athena to query the web ACL logs by the request ID of the blocked request.

C.  

Use CloudWatch Logs Insights to query the application logs by the request ID of the blocked request.

D.  

Use CloudWatch Logs Instghts to query the web ACL logs by the request ID of the blocked request.

A.  

Configure AWS Directory Service with the external IdP Create 1AM policies and associate them with users from the external IdP

B.  

Enable AWS 1AM Identity Center and use the external IdP as the identity source. Create permission sets and account assignments by using 1AM Identity Center.

C.  

Configure AWS Identity and Access Management (1AM) to use the external IdP as an IdP Create 1AM policies and associate them with users from the externa IdP

D.  

Enable Amazon Cognito in the organization's management account. Create an identity pool and associate it with the external IdP Create 1AM roles and associate them with the identity pool.

A.  

Create a CodeCommit repository in the security account using IAM Key Management Service (IAM KMS) tor encryption Require the development team to migrate the Lambda source code to this repository

B.  

Store the API key in an Amazon S3 bucket in the security account using server-side encryption with Amazon S3 managed encryption keys (SSE-S3) to encrypt the key Create a resigned URL tor the S3 key. and specify the URL m a Lambda environmental variable in the IAM CloudFormation template Update the Lambda function code to retrieve the key using the URL and call the API

C.  

Create a secret in IAM Secrets Manager in the security account to store the API key using IAM Key Management Service (IAM KMS) tor encryption Grant access to the IAM role used by the Lambda function so that the function can retrieve the key from Secrets Manager and call the API

D.  

Create an encrypted environment variable for the Lambda function to store the API key using IAM Key Management Service (IAM KMS) tor encryption Grant access to the IAM role used by the Lambda function so that the function can decrypt the key at runtime

A.  

Set the dnssec-enable option to yes in the BIND configuration. Create a zone-signing key (ZSK) and a key-signing key (KSK) Restart the BIND service.

B.  

Migrate the zone to Route 53 with DNSSEC signing enabled. Create a zone-signing key (ZSK) and a key-signing key (KSK) that are based on an AWS. Key Management Service (AWS KMS) customer managed key.

C.  

Set the dnssec-enable option to yes in the BIND configuration. Create a zone-signing key (ZSK) and a key-signing key (KSK). Run the dnssec-signzone command to generate a delegation signer (DS) record Use AWS. Key Management Service (AWS KMS) to secure the keys.

D.  

Migrate the zone to Route 53 with DNSSEC signing enabled. Create a key-signing key (KSK) that is based on an AWS Key Management Service (AWS KMS) customer managed key. Add a delegation signer (DS) record to the parent zone.

A.  

Create AWS Config custom rules by using Guard custom policy. Configure the AWS Config rules to detect when an EC2 instance queries a DNS domain name that is associated with cryptocurrency-related activity. Configure AWS Config to initiate alerts to the SNS topic.

B.  

Enable Amazon GuardDuty Create an Amazon EventBridge rule to send alerts to the SNS topic when GuardDuty creates a finding that is associated with cryptocurrency-related activity.

C.  

Enable Amazon Inspector. Create an Amazon EventBridge rule to send alerts to the SNS topic when Amazon Inspector creates a finding that is associated with cryptocurrency-related activity.

D.  

Enable VPC flow logs. Send the flow logs to an Amazon S3 bucket. Set up a query in Amazon Athena to detect when an EC2 instance queries a DNS domain name that is associated with cryptocurrency-related activity. Configure the Athena query to initiate alerts to the SNS topic.

A.  

An HTTPS listener that uses a certificate that is managed by Amazon Certification Manager.

B.  

An HTTPS listener that uses a custom security policy that allows only perfect forward secrecy cipher suites

C.  

An HTTPS listener that uses the latest IAM predefined ELBSecuntyPolicy-TLS-1 -2-2017-01 security policy

D.  

A TCP listener that uses a custom security policy that allows only perfect forward secrecy cipher suites.

A.  

Move the logs:CreateLogGroup action to the second Allow statement.

B.  

Add the logs:PutDestination action to the second Allow statement.

C.  

Add the logs:GetLogEvents action to the second Allow statement.

D.  

Add the logs:CreateLogStream action to the second Allow statement.

A.  

Encrypt the secrets in us-east-1 by using an AWS managed KMS key. Replicate the secrets to us-west-1. Encrypt the secrets in us-west-1 by using a newAWS managed KMS key in us-west-1.

B.  

Encrypt the secrets in us-east-1 by using an AWS managed KMS key. Configure resources in us-west-1 to call the Secrets Manager endpoint in us-east-1.

C.  

Encrypt the secrets in us-east-1 by using a customer managed KMS key. Configure resources in us-west-1 to call the Secrets Manager endpoint in us-east-1.

D.  

Encrypt the secrets in us-east-1 by using a customer managed KMS key. Replicate the secrets to us-west-1. Encrypt the secrets in us-west-1 by using thecustomer managed KMS key from us-east-1.

A.  

Create an AD policy to modify the Windows Firewall settings on all hosts in the VPC to deny access from the IP Address block.

B.  

Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP Address block.

C.  

Add a rule to all of the VPC Security Groups to deny access from the IP Address block.

D.  

Modify the Windows Firewall settings on all AMI'S that your organization uses in that VPC to deny access from the IP address block.

A.  

Update the policy that is associated with the federated IAM role to allow the ec2. Describelmages action for the forensic AMI.

B.  

Update the policy that is associated with the federated IAM role to allow the ec2 Start Instances action m the security team's AWS account.

C.  

Update the policy that is associated with the KMS key that is used to encrypt the forensic AMI. Configure the policy to allow the kms. Encrypt and kms Decrypt actions for the federated IAM role.

D.  

Update the policy that is associated with the federated IAM role to allow the kms. DescribeKey action for the KMS key that is used to encrypt the forensic AMI.

A.  

Ensure that the S3 bucket policy allows access to the service provider's role to decrypt objects.

B.  

Add a statement to the key policy to allow the service provider's role the kms: Decrypt action (or the key.

C.  

Add the AWSKeyManagementServicePowerUser AWS managed policy to the service provider's role.

D.  

Migrate the key to AWS Certificate Manager (ACM) to create a shared endpoint for access to the key.

A.  

Deploy an AWS Config managed rule to run on a periodic basis of 24 hours. Select the access-keys-rotated managed rule, and set the maxAccessKeyAge parameter to 90 days. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with an event pattern that matches the compliance type of NON_COMPLIANT from AWS Config for the managed rule. Configure EventBridge (CloudWatch Events) to send an Amazon Simple Notification Service (Amazon SNS) not

B.  

Create a script to export a .csv file from the AWS Trusted Advisor check for IAM access key rotation. Load the script into an AWS Lambda function that will upload the .csv file to an Amazon S3 bucket. Create an Amazon Athena table query that runs when the .csv file is uploaded to the S3 bucket. Publish the results for any keys older than 90 days by using an invocation of an Amazon Simple Notification Service (Amazon SNS) notification to the

C.  

Create a script to download the IAM credentials report on a periodic basis. Load the script into an AWS Lambda function that will run on a schedule through Amazon EventBridge (Amazon CloudWatch Events). Configure the Lambda script to load the report into memory and to filter the report for records in which the key was last rotated at least 90 days ago. If any records are detected, send an Amazon Simple Notification Service (Amazon SNS) noti

D.  

Create an AWS Lambda function that queries the IAM API to list all the users. Iterate through the users by using the ListAccessKeys operation. Verify that the value in the CreateDate field is not at least 90 days old. Send an Amazon Simple Notification Service (Amazon SNS) notification to the security team if the value is at least 90 days old. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to schedule the Lambda function to ru

A.  

Ask the developers to change their password and use a different web browser.

B.  

Ensure that developers are using multi-factor authentication (MFA) when they log in to their developer account as the developer role.

C.  

Modify the production account ReadS3 role policy to allow the PutBucketPolicy action onthe productionapp S3 bucket.

D.  

Update the trust relationship policy on the production account S3 role to allow the account number of the developer account.

E.  

Update the developer group permissions in the developer account to allow access to the productionapp S3 bucket.

A.  

Set up a designated monitoring account. Configure the necessary permissions in CloudWatch for source accounts to send metrics to the monitoring account. Create a CloudWatch dashboard that includes the metrics Share the dashboard by using SSO Configure Amazon Cognito as the SSO provider.

B.  

Set up a designated monitoring account Configure the necessary permissions for a CloudWatch wizard to query the metrics from source accounts. Create a CloudWatch dashboard that includes the metrics Share the dashboard by using SSO Configure AWS 1AM Identity Center as the SSO provider.

C.  

Use AWS Resource Access Manager (AWS RAM) to share CloudWatch metrics between the accounts. Set up a designated monitoring account. Create a CloudWatch dashboard that includes the metncs Share the dashboard by using SSO Configure AWS 1AM Identity Center as the SSO provider.

D.  

Use AWS Resource Access Manager (AWS RAM) to share CloudWatch metrics between the accounts. Set up a designated monitoring account Create a CloudWatch dashboard that includes the metrics. Share the dashboard Specify the email addresses of users who can use a password to view the dashboard.

A.  

Create an 1AM group. Create an 1AM user for each consultant. Add each user to the group. Turn on MFAfor each consultant.

B.  

Configure Amazon Cognito on the company's production account to authenticate against the consultant agency's identity provider (IdP). Add MFAto a Cognito user pool.

C.  

Create an 1AM role in the consultant agency's AWS account. Define a trust policy that requires MFA. In the trust policy, specify the company's production account as the principal. Attach the trust policy to the role.

D.  

Create an 1AM role in the company's production account. Define a trust policy that requires MFA. In the trust policy, specify the consultant agency's AWS account as the principal. Attach the trust policy to the role.

A.  

Use AWS Identity and Access Management Access Analyzer to determine which resources the exposed credentials accessed and who used them.

B.  

Deactivate the exposed IAM access key from the user's IAM account.

C.  

Create a rule in Amazon GuardDuty to block the access key in the source code from being used.

D.  

Create a new IAM access key and secret key for the user whose credentials were exposed.

E.  

Generate an IAM credential report. Check the report to determine when the user that owns the access key last logged in.

A.  

Import new key material into the key. Attach the EBS volume.

B.  

Restore the EBS volume from a snapshot that was taken before the deletion of the key material.

C.  

Reimport the same key material lhat originally was imported into the key. Attach the EBS volume.

D.  

Create a new key. Import new key material. Attach the EBS volume.

A.  

Ensure that the Amazon CloudWatch agent is installed on all the EC2 instances that the Auto Scaling groups launch. Generate a CloudWatch agent configuration file to forward the required logs to Amazon CloudWatch Logs.

B.  

Set the log retention for desired log groups to 7 years.

C.  

Attach an IAM role to the launch configuration or launch template that the Auto Scaling groups use. Configure the role to provide the necessary permissions to forward logs to Amazon CloudWatch Logs.

D.  

Attach an IAM role to the launch configuration or launch template that the Auto Scaling groups use. Configure the role to provide the necessary permissions to forward logs to Amazon S3.

E.  

Ensure that a log forwarding application is installed on all the EC2 instances that the Auto Scaling groups launch. Configure the log forwarding application to periodically bundle the logs and forward the logs to Amazon S3.

F.  

Configure an Amazon S3 Lifecycle policy on the target S3 bucket to expire objects after 7 years.

A.  

Use the AWS Management Console to edit the structure of the secret in Secrets Manager so that the secret automatically conforms with the struc-ture that the database requires.

B.  

Ensure that the security group that is attached to the Lambda function al-lows outbound connections to the EC2 instance. Ensure that the security group that is attached to the EC2 instance allows inbound connections from the security group that is attached to the Lambda function.

C.  

Use the Secrets Manager list-secrets command in the AWS CLI to list the secret. Identify the database credentials. Use the Secrets Manager rotate-secret command in the AWS CLI to force the immediate rotation of the secret.

D.  

Add an internet gateway to the VPC. Create a NAT gateway in a public sub-net. Update the VPC route tables so that traffic from the Lambda function and traffic from the EC2 instance can reach the Secrets Manager public endpoint.

A.  

Enable Amazon Macie so that Secunty H jb will allow Detective to process findings from Macie.

B.  

Disable IAM Key Management Service (IAM KMS) encryption on CtoudTrail logs in every member account of the organization

C.  

Enable Amazon GuardDuty on all member accounts Try to enable Detective in 48 hours

D.  

Ensure that the principal that launches Detective has the organizations ListAccounts permission

A.  

Create an Amazon CloudWatch alarm that reacts to login attempts that contain the specified user agent string. Add an Amazon Simple Notification Service (Amazon SNS) topic to the alarm.

B.  

Modify the inbound security group on the ALB to deny traffic from the IP addresses that are involved in the attack.

C.  

Create an AWS WAF web ACL for the ALB. Create a custom rule that blocks requests that contain the user agent string of the device emulator.

D.  

Create an AWS WAF web ACL for the ALB Create a custom rule that allows requests from legitimate user agent strings

A.  

The IAM rote does not have permission to use the KMS CreateKey operation.

B.  

The S3 bucket lacks a policy that allows access to the customer managed key that encrypts the objects.

C.  

The IAM rote does not have permission to use the customer managed key that encrypts the objects that are in the S3 bucket.

D.  

The ACL of the S3 objects does not allow read access for the objects when the objects ace encrypted at rest.

A.  

Change the replication configuration to use the key in us-east-1 to encrypt the objects that are in the destination S3 bucket.

B.  

Grant the IAM role the kms. Encrypt permission for the key in us-east-1 that encrypts source objects.

C.  

Grant the IAM role the s3 GetObjectVersionForReplication permission for objects that are in the source S3 bucket.

D.  

Grant the IAM role the kms. Decrypt permission for the key in us-east-1 that encrypts source objects.

E.  

Change the key policy of the key in us-east-1 to grant the kms. Decrypt permission to the security engineer's IAM account.

F.  

Grant the IAM role the kms Encrypt permission for the key in us-west-2 that encrypts objects that are in the destination S3 bucket.

A.  

Verify that the EC2 instance's security group does not have an implicit inbound deny rule for Amazon S3.

B.  

Verify that the VPC endpoint's security group does not have an explicit inbound deny rule for the EC2 instance.

C.  

Verify that the internet gateway is allowing traffic to Amazon S3.

D.  

Verify that the VPC endpoint policy is allowing access to Amazon S3.

A.  

Set up an Amazon EventBridge rule that reacts to new Security Hub find-ings. Configure an AWS Lambda function as the target for the rule to reme-diate the findings.

B.  

Set up a custom action in Security Hub. Configure the custom action to call AWS Systems Manager Automation runbooks to remediate the findings.

C.  

Set up a custom action in Security Hub. Configure an AWS Lambda function as the target for the custom action to remediate the findings.

D.  

Set up AWS Config rules to use AWS Systems Manager Automation runbooks to remediate the findings.

A.  

Require the developers to configure all function URLs to support cross-origin resource sharing (CORS) when the functions are called from a different domain.

B.  

Use an AWS WAF delegated administrator account to view and block unauthenticated access to function URLs in production accounts, based on the OU of accounts that are using the functions.

C.  

Use SCPs to allow all lambda:CreateFunctionUrlConfig and lambda:UpdateFunctionUrlConfig actions that have a lambda:FunctionUrlAuthType condition key value of AWS_IAM.

D.  

Use SCPs to deny all lambda:CreateFunctionUrlConfig and lambda:UpdateFunctionUrlConfig actions that have a lambda:FunctionUrlAuthType condition key value of NONE.

A.  

Enable AWS Security Hub in the organization’s management account. Configure GuardDuty within the management account to send all GuardDuty findings toSecurity Hub.

B.  

Create a new AWS account in the organization. Enable GuardDuty in the new account. Designate the new account as the delegated administrator account forGuardDuty. Configure GuardDuty to add existing accounts as member accounts. Select the option to automatically add new AWS accounts to the organization

C.  

Create a new AWS account in the organization. Enable GuardDuty in the new account. Enable AWS Security Hub in each account. Select the option toautomatically add new AWS accounts to the organization.

D.  

Enable AWS Security Hub in the organization's management account. Designate the management account as the delegated administrator account for SecurityHub. Add existing accounts as member accounts. Select the option to automatically add new AWS accounts to the organization. Send all Security Hub findingsto the organization's GuardDuty account.

A.  

Generate an S3 bucket policy. Specify cloudfront amazonaws com as the principal. Use the aws Sourcelp condition key to allow access only if the request conies from the specified IP addresses.

B.  

Create a CloudFront origin access identity (OAl). Create the S3 bucket policy so that only the OAl has access. Create an AWS WAF web ACL and add an IP set rule. Associate the web ACL with the CloudFront distribution.

C.  

Implement security groups to allow only the specified IP addresses access and to restrict S3 bucket access by using the CloudFront distribution.

D.  

Create an S3 bucket access point to allow access from only the CloudFront distribution. Create an AWS WAF web ACL and add an IP set rule. Associate the web ACL with the CloudFront distribution.

A.  

Configure the DB instance to allow public access Update the DB instance security group to allow access from the Lambda public address space for the AWS Region

B.  

Deploy the Lambda functions inside the VPC Attach a network ACL to the Lambda subnet Provide outbound rule access to the VPC CIDR range only Update the DB instance security group to allow traffic from 0 0 0 0/0

C.  

Deploy the Lambda functions inside the VPC Attach a security group to the Lambda functions Provide outbound rule access to the VPC CIDR range only Update the DB instance security group to allow traffic from the Lambda security group

D.  

Peer the Lambda default VPC with the VPC that hosts the DB instance to allow direct network access without the need for security groups

A.  

Create a recurring Amazon Inspector assessment run that runs every day and uses the Network Reachability package. Create an Amazon CloudWatch rule that invokes an IAM Lambda function when an assessment run starts. Configure the Lambda function to retrieve and evaluate the assessment run report when it completes. Configure the Lambda function also to publish an Amazon Simple Notification Service (Amazon SNS) notification if there are any vio

B.  

Use the restricted-ssh IAM Config managed rule that is invoked by security group configuration changes that are not compliant. Use the IAM Config remediation feature to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic.

C.  

Configure VPC Flow Logs for the VP

C.  

D.  

Create a recurring Amazon Inspector assessment run that runs every day and uses the Security Best Practices package. Create an Amazon CloudWatch rule that invokes an IAM Lambda function when an assessment run starts. Configure the Lambda function to retrieve and evaluate the assessment run report when it completes. Configure the Lambda function also to publish an Amazon Simple Notification Service (Amazon SNS) notification if there are any

A.  

Create a security group with a rule that denies Inbound connections from 0.0.0 0/0 on port 00. Attach this security group to the ALB to overwrite more permissive rules from the ALB's default securitygroup.

B.  

Create a network ACL that denies inbound connections from 0 0.0.0/0 on port 80 Associatethe network ACL with the VPC s internet gateway

C.  

Create a network ACL that allows outbound connections to the VPC IP range on port 443 only. Associate the network ACL with the VPC's internet gateway.

D.  

Create a security group with a single inbound rule that allows connections from 0.0.0 0/0 on port 443. Ensure this security group is the only one associated with the ALB

A.  

Import the key material into AWS Key Management Service (AWS KMS).

B.  

Manually upload the new host key to the AWS trusted host keys database.

C.  

Ensure that the AmazonSSMManagedInstanceCore policy is attached to the EC2 instance profile.

D.  

Create a new SSH key pair for the EC2 instance.

A.  

Provide new AMIs that have the required software pre-installed. Apply a tag to the AMIs to indicate that the AMIs have the required software. Configure an SCP that allows new EC2 instances to be launched only if the instances have the tagged AMIs. Tag all existing EC2 instances.

B.  

Configure a custom patch baseline in Systems Manager Patch Manager. Add the package name for the required software to the approved packages list. Associate the new patch baseline with all EC2 instances. Set up a maintenance window for software deployment.

C.  

Centrally enable AWS Config. Set up the ec2-managedinstance-applications-required AWS Config rule for all accounts Create an Amazon EventBridge rule that reacts to AWS Config events. Configure the EventBridge rule to invoke an AWS Lambda function that uses Systems Manager Run Command to install the required software.

D.  

Create a new Systems Manager Distributor package for the required software. Specify the download location. Select all EC2 instances in the different accounts. Install the software by using Systems Manager Run Command.

A.  

In AWS CloudTrail, create a trail for management events. Run the script with the existing AWS managed IAM policies. Use IAM Access Analyzer to generate a new IAM policy that is based on access activity in the trail. Replace the existing AWS managed IAM policies with the generated IAM poli-cy for the role.

B.  

Remove the existing AWS managed IAM policies from the role. Attach the IAM Access Analyzer Role Policy Generator to the role. Run the script. Return to IAM Access Analyzer and generate a least privilege IAM policy. Attach the new IAM policy to the role.

C.  

Create an account analyzer in IAM Access Analyzer. Create an archive rule that has a filter that checks whether the PrincipalArn value matches the ARN of the role. Run the script. Remove the existing AWS managed IAM poli-cies from the role.

D.  

In AWS CloudTrail, create a trail for management events. Remove the exist-ing AWS managed IAM policies from the role. Run the script. Find the au-thorization failure in the trail event that is associated with the script. Create a new IAM policy that includes the action and resource that caused the authorization failure. Repeat the process until the script succeeds. Attach the new IAM policy to the role.

A.  

Use AWS Backup to create legal holds for the recovery points.

B.  

Export the backup data to Amazon S3 Create S3 Object Lock legal holds for the recovery points.

C.  

Configure an AWS Backup Vault Lock in compliance mode.

D.  

Configure an AWS Backup Vault Lock in governance mode.

A.  

Create a set of 1AM roles and 1AM policies Configure the Cognito identity pool to assign users to the 1AM roles.

B.  

Create a policy store in Amazon Verified Permissions. Configure Cognito as the identity source Map Cognito access tokens to the Verified Permissions schema.

C.  

Create customer managed permissions by using AWS Resource Access Manager (AWS RAM) Configure the Cognito identity pool to assign users to the customer managed permissions

D.  

Create a set of 1AM users and 1AM policies. Configure the Cognito user pool to assign users to the 1AM users.

A.  

Review the cross-account role permissions and the S3 bucket policy Verify that the Amazon S3 block public access option in the member account is deactivated.

B.  

Review the role permissions m the master account and ensure it has sufficient privileges to perform S3 operations

C.  

Filter IAM CloudTrail logs for the master account to find the original deny event and update the cross-account role m the member account accordingly Verify that the Amazon S3 block public access option in the master account is deactivated.

D.  

Evaluate the SCPs covering the member account and the permissions boundary of the role in the member account for missing permissions and explicit denies.

E.  

Ensure the S3 bucket policy explicitly allows the s3 PutBucketPublicAccess action for the role m the member account

A.  

Add a rule to the Application Load Balancer to route the traffic originating from the IP address in question and show a static webpage.

B.  

Implement a rate-based rule with AWS WAF.

C.  

Use AWS Shield to limit the originating traffic hit rate.

D.  

Implement the GeoLocation feature in Amazon Route 53.

A.  

Create a new security group in the database VPC and create an inbound rule that allows all traffic from the IP address range of the application VPC. Add a new network ACL rule on the database subnets. Configure the rule to TCP port 1521 from the IP address range of the application VPC. Attach the new security group to the database instances that the application instances need to access.

B.  

Create a new security group in the application VPC with an inbound rule that allows the IP address range of the database VPC over TCP port 1521. Create a new security group in the database VPC with an inbound rule that allows the IP address range of the application VPC over port 1521. Attach the new security group to the database instances and the application instances that need database access.

C.  

Create a new security group in the application VPC with no inbound rules. Create a new security group in the database VPC with an inbound rule that allows TCP port 1521 from the new application security group in the application VP

C.  

D.  

Create a new security group in the application VPC with an inbound rule that allows the IP address range of the database VPC over TCP port 1521. Add a new network ACL rule on the database subnets. Configure the rule to allow all traffic from the IP address range of the application VPC. Attach the new security group to the application instances that need database access.

A.  

Use AWS Backup to create backups of the EC2 instances and S3 buckets every hour. Create AWS CloudFormation templates that replicate existing architecture components. Use AWS CodeCommit to store the CloudFormation templates alongside application configuration code.

B.  

Use AWS Backup to create backups of the EBS volumes and S3 objects every day. Use Amazon Security Lake to create a centralized data lake for AWS CloudTrail logs and VPC flow logs. Use the logs for automated response.

C.  

Use Amazon Security Lake to create a centralized data lake for AWS CloudTrail logs and VPC flow logs. Use the logs for automated response Enable AWS Security Hub to establish a single location for recovery procedures. Create AWS CloudFormation templates that replicate existing architecture components. Use AWS CodeCommit to store the CloudFormation templates alongside application configuration code.

D.  

Create EBS snapshots every 4 hours Enable Amazon GuardDuty Malware Protection. Create automation to immediately restore the most recent snapshot for any EC2 instances that produce an Execution:EC2/MaliciousFile finding in GuardDuty.

A.  

Create a new Amazon S3 bucket. Use EBS lifecycle policies to move EBS snapshots to the new S3 bucket. Use lifecycle policies to move snapshots to the S3Glacier Instant Retrieval storage class. Use S3 Object Lock to prevent deletion of the snapshots.

B.  

Use AWS Systems Manager to distribute a configuration that backs up all attached disks to Amazon S3.

C.  

Create a new AWS account that has limited privileges. Allow the new account to access the KMS key that encrypts the EBS snapshots. Copy the encryptedsnapshots to the new account on a recurring basis.

D.  

Use AWS Backup to copy EBS snapshots to Amazon S3. Use S3 Object Lock to prevent deletion of the snapshots.

A.  

Use the aws kms encrypt command to encrypt the file by using the existing KMS key.

B.  

Use the aws kms create-grant command to generate a grant for the existing KMS key.

C.  

Use the aws kms encrypt command to generate a data key. Use the plaintext data key to encrypt the file.

D.  

Use the aws kms generate-data-key command to generate a data key. Use the encrypted data key to encrypt the file.

A.  

Update the CloudFront distribution. configuring it to optionally use HTTPS when connecting to origins on Amazon S3

B.  

Update the web application configuration on the web servers to use HTTPS instead of HTTP when connecting to DynamoDB

C.  

Update the CloudFront distribution to redirect HTTP corrections to HTTPS

D.  

Configure the web servers on the EC2 instances to listen using HTTPS using the public ACM TLS certificate Update the ALB to connect to the target group using HTTPS

E.  

Update the ALB listen to listen using HTTPS using the public ACM TLS certificate. Update the CloudFront distribution to connect to the HTTPS listener.

F.  

Create a TLS certificate Configure the web servers on the EC2 instances to use HTTPS only with that certificate. Update the ALB to connect to the target group using HTTPS.

A.  

Use IAM Control Tower. Modify the default Account Factory networking template to automatically associate new accounts with a centrally managed VPC through a VPC peering connection and to create a default route to the VPC peer in the default route table. Create an SCP that denies the CreatelnternetGateway action. Attach the SCP to all accounts except the security inspection account.

B.  

Create a centrally managed VPC in the security inspection account. Establish VPC peering connections between the security inspection account and other accounts. Instruct account owners to create default routes in their account route tables that point to the VPC peer. Create an SCP that denies theAttach InternetGateway action. Attach the SCP to all accounts except the security inspection account.

C.  

Use IAM Control Tower. Modify the default Account Factory networking template to automatically associate new accounts with a centrally managed transitgateway and to create a default route to the transit gateway in the default route table. Create an SCP that denies the AttachlnternetGateway action. Attach the SCP to all accounts except the security inspection account.

D.  

Enable IAM Resource Access Manager (IAM RAM) for IAM Organizations. Create a shared transit gateway, and make it available by using an IAM RAM resource share. Create an SCP that denies the CreatelnternetGateway action. Attach the SCP to all accounts except the security inspection account. Create routes in the route tables of all accounts that point to the shared transit gateway.

A.  

Deploy AWS CloudTrail centralized logging for the organization from the AWS Control Tower management account. Enable Amazon GuardDuty. Enable the GuardDuty AWS Foundational Security Best Practices standard.

B.  

Automatically deploy the AWS Foundational Security Best Practices standard by configuring a delegated administrator for Amazon GuardDuty from the AWS Control Tower audit account.

C.  

Configure a delegated administrator for AWS Security Hub from the AWS Control Tower management account. Enable the Security Hub AWS Foundational Security Best Practices standard in the AWS Control Tower audit account.

D.  

Deploy AWS CloudTrail centralized logging for the organization from the AWS Control Tower log archive account. Enable AWS Security Hub. Enable the Security Hub AWS Foundational Security Best Practices standard.

A.  

In the local AWS CLI configuration file

B.  

As environment variables on the local workstation

C.  

As variables in the AWS CLI command line options

D.  

In the AWS shared configuration file

A.  

Attach a policy to the IAM user to allow the user to assume the role that was created in the top-level account. Specify the role's ARN in the policy.

B.  

Create an SCP that grants permissions to the top-level account.

C.  

Use the root account of the business unit account to assume the role that was created in the top-level account. Specify the role'sARNin the policy.

D.  

Forward the credentials of the IAM role in the top-level account to the IAM user in the business unit account.

A.  

Designate a delegated Amazon GuardDuty administrator account in the organization's management account. Use the GuardDuty Summary dashboard to obtain an overview of Lambda functions that have vulnerabilities.

B.  

Designate a delegated Amazon Inspector administrator account in the organization's management account. Use the Amazon Inspector dashboard to obtain an overview of Lambda functions that have vulnerabilities.

C.  

Apply tags of "test" or "development" to all Lambda functions that are in testing or development. Use a suppression filter that suppresses findings that contain these tags.

D.  

Enable AWS Shield Advanced in the organization's management account. Use Amazon CloudWatch to build a dashboard for Lambda functions that have vulnerabilities.

E.  

Enable Lambda Protection in GuardDuty for all accounts. Auto-enable Lambda Protection for new accounts. Apply a tag to the Lambda functions that are in testing or development. Use GuardDutyExclusion as the tag key and LambdaStandardScanning as the tag value.

A.  

Use AWS Lambda to periodically query AWS CloudTrail for console login events and send alerts using Amazon Simple Notification Service (Amazon SNS).

B.  

Use Amazon EventBridge to monitor console logins and direct them to Amazon Simple Notification Service (Amazon SNS).

C.  

Use Amazon Athena to query AWS IAM Identity Center logs and send alerts using Amazon Simple Notification Service (Amazon SNS) for root login events.

D.  

Configure AWS Resource Access Manager to review the access logs and send alerts using Amazon Simple Notification Service (Amazon SNS).

A.  

Instruct users to implement a retry mechanism every 2 minutes until the call succeeds.

B.  

Instruct the engineering team to consume a random grant token from users, and to call the CreateGrant operation, passing it the grant token. Instruct use to use that grant token in their call to encrypt.

C.  

Instruct the engineering team to create a random name for the grant when calling the CreateGrant operation. Return the name to the users and instruct them to provide the name asthe grant token in the call to encrypt.

D.  

Instruct the engineering team to pass the grant token returned in the CreateGrant response to users. Instruct users to use that grant token in their call to encrypt.

A.  

Configure IAM KMS and use a custom key store. Create a customer managed CMK with no key material Import the company's keys and key material into the CMK

B.  

Configure IAM KMS and use the default Key store Create an IAM managed CMK with no key material Import the company's key material into the CMK

C.  

Configure IAM KMS and use the default key store Create a customer managed CMK with no key material import the company's key material into the CMK

D.  

Configure IAM KMS and use a custom key store. Create an IAM managed CMK with no key material. Import the company's key material into the CMK.

A.  

Designate an AWS account as a delegated administrator for Security Hub. Publish events to Amazon CloudWatch from the delegated administrator account,all member accounts, and required Regions that are enabled for Security Hub findings.

B.  

Designate an AWS account in an organization in AWS Organizations as a delegated administrator for Security Hub. Publish events to Amazon EventBridgefrom the delegated administrator account, all member accounts, and required Regions that are enabled for Security Hub findings.

C.  

In each Region, create an Amazon EventBridge rule to deliver findings to an Amazon Kinesis data stream. Configure the Kinesis data streams to output thelogs to a single Amazon S3 bucket.

D.  

In each Region, create an Amazon EventBridge rule to deliver findings to an Amazon Kinesis Data Firehose delivery stream. Configure the Kinesis DataFirehose delivery streams to deliver the logs to a single Amazon S3 bucket.

E.  

Use AWS Glue DataBrew to crawl the Amazon S3 bucket and build the schema. Use AWS Glue Data Catalog to query the data and create views to flattennested attributes. Build Amazon QuickSight dashboards by using Amazon Athena.

F.  

Partition the Amazon S3 data. Use AWS Glue to crawl the S3 bucket and build the schema. Use Amazon Athena to query the data and create views toflatten nested attributes. Build Amazon QuickSight dashboards that use the Athena views.

A.  

Option A

B.  

Option B

C.  

Option C

A.  

Verify that the KMS key policy specifies a deny statement that prevents access to the key by using the aws SourcelP condition key Check that the range includes the EC2 instance IP address that is associated with the EBS volume

B.  

Verify that the KMS key that is associated with the EBS volume is set to the Symmetric key type

C.  

Verify that the KMS key that is associated with the EBS volume is in the Enabled state

D.  

Verify that the EC2 role that is associated with the instance profile has the correct 1AM instance policy to launch an EC2 instance with the EBS volume

E.  

Verify that the key that is associated with the EBS volume has not expired and needs to be rotated

A.  

Enable CloudTrail log file integrity validation from the organization's management account.

B.  

Enable server-side encryption with AWS KMS keys (SSE-KMS) for CloudTrail logs. Create a KMS key Attach a policy to the key to prevent decryption of the logs

C.  

Create an SCP that includes an explicit Deny rule for the StopLogging action and the DeleteTrail action. Attach the SCP to the root OU.

D.  

Create 1AM policies for all the company's users to prevent the users from performing the DescribeTrails action and the GetTrailStatus action.

A.  

B.  

B.  

C.  

C.  

D.  

D.  

E.  

E.  

F.  

Option B

G.  

Option C

A.  

Create a new trail and configure it to send CloudTrail logs to Amazon S3. Use Amazon EventBridge (Amazon CloudWatch Events) to send notification if a trail is deleted or stopped.

B.  

Deploy an IAM Lambda function in every account to check if there is an existing trail and create a new trail, if needed.

C.  

Edit the existing trail in the Organizations master account and apply it to the organization.

D.  

Create an SCP to deny the cloudtrail:Delete" and cloudtrail:Stop' actions. Apply the SCP to all accounts.

A.  

Rotate the potentially compromised access key that the EC2 instance uses Create a new AM I without the potentially compromised credentials Perform an EC2 Auto Scaling instance refresh

B.  

Delete or deactivate the potentially compromised access key Create an EC2 Auto Scaling linked 1AM role that includes a custom policy that matches the potentiallycompromised access key permission Associate the new 1AM role with the Auto Scaling group Perform an EC2 Auto Scaling instance refresh.

C.  

Delete or deactivate the potentially compromised access key Create a new AMI without the potentially compromised credentials Create an 1AM role that includes the correct permissions Create a launch template for the Auto Scaling group to reference the new AMI and 1AM role Perform an EC2 Auto Scaling instance refresh

D.  

Rotate the potentially compromised access key Create a new AMI without the potentially compromised access key Use a user data script to supply the new access key as environmental variables in the Auto Scaling group's launch configuration Perform an EC2 Auto Scaling instance refresh

A.  

Use the aws kms encrypt command to encrypt the file by using the existing KMS key.

B.  

Use the aws kms create-grant command to generate a grant for the existing KMS key.

C.  

Use the aws kms encrypt command to generate a data key. Use the plaintext data key to encrypt the file.

D.  

Use the aws kms generate-data-key command to generate a data key. Use the encrypted data key to encrypt the file.

A.  

Use AWS Secrets Manager to store the customer managed key in us-west-1 as a secret Use this secret to encrypt the snapshot in us-west-1.

B.  

Create a new customer managed key in us-west-1. Use this new key to encrypt the snapshot in us-west-1.

C.  

Create an IAM policy that allows access to the customer managed key in us-east-1. Specify am aws kms us-west-1 " as the principal.

D.  

Create an IAM policy that allows access to the customer managed key in us-east-1. Specify arn aws rds us-west-1. * as the principal.

A.  

Create a Lambda@Edge function. Include code to add the X-Frame-Options header to the response. Configure the function to run in response to the CloudFront origin response event.

B.  

Create a Lambda@Edge function. Include code to add the X-Frame-Options header to the response. Configure the function to run in response to the CloudFront viewer request event.

C.  

Update the CloudFront distribution by adding X-Frame-Options to custom headers in the origin settings.

D.  

Customize the EC2 hosted application to add the X-Frame-Options header to the responses that are returned to CloudFront.

A.  

Set up VPC peering between the central server VPC and each of the teams VPCs.

B.  

Set up IAM DirectConnect between the central server VPC and each of the teams VPCs.

C.  

Set up an IPSec Tunnel between the central server VPC and each of the teams VPCs.

D.  

None of the above options will work.

A.  

Configure the DB instance to allow public access Update the DB instance security group to allow access from the Lambda public address space for the AWS Region

B.  

Deploy the Lambda functions inside the VPC Attach a network ACL to the Lambda subnet Provide outbound rule access to the VPC CIDR range only Update the DB instance security group to allow traffic from 0.0.0.0/0

C.  

Deploy the Lambda functions inside the VPC Attach a security group to the Lambda functions Provide outbound rule access to the VPC CIDR range only Update the DB instance security group to allow traffic from the Lambda security group

D.  

Peer the Lambda default VPC with the VPC that hosts the DB instance to allow direct network access without the need for security groups

A.  

Create a snapshot of the DB instance. Copy the snapshot to a new snapshot, and enable encryption for the copy process. Use the new snapshot to restore the DB instance.

B.  

Modify the configuration of the DB instance by enabling encryption. Create a snapshot of the DB instance. Use the snapshot to restore the DB instance.

C.  

Use IAM Key Management Service (IAM KMS) to create a new default IAM managed awa/rds key. Select this key as the encryption key for operations with Amazon RDS.

D.  

Use IAM Key Management Service (IAM KMS] to create a new CMK. Select this key as the encryption key for operations with Amazon RDS.

E.  

Create a snapshot of the DB instance. Enable encryption on the snapshoVUse the snapshot to restore the DB instance.

A.  

Create an IAM policy that has an aws RequestedRegion condition that allows actions only in the designated Region Attach the policy to all users.

B.  

Create an I AM policy that has an aws RequestedRegion condition that denies actions that are not in the designated Region Attach the policy to the AWS account in AWS Organizations.

C.  

Create an IAM policy that has an aws RequestedRegion condition that allows the desired actions Attach the policy only to the users who are in the designated Region.

D.  

Create an SCP that has an aws RequestedRegion condition that denies actions that are not in the designated Region. Attach the SCP to the AWS account in AWS Organizations.

A.  

Create an AWS Step Functions state machine that checks the resource type in the finding and adds an explicit Deny statement in the trust policy for the IAM role. Configure the state machine to publish a notification to an Amazon SimpleNotification Service (Amazon SNS) topic.

B.  

Create an AWS Batch job that forwards any resource type findings to an AWS Lambda function. Configure the Lambda function to add an explicit Denystatement in the trust policy for the IAM role. Configure the AWS Batch job to publish a notification to an Amazon Simple Notification Service (Amazon SNS) topic.

C.  

In Amazon EventBridge, create an event rule that matches active IAM Access Analyzer findings and invokes AWS Step Functions for resolution.

D.  

In Amazon CloudWatch, create a metric filter that matches active IAM Access Analyzer findings and invokes AWS Batch for resolution.

E.  

Create an Amazon Simple Queue Service (Amazon SQS) queue. Configure the queue to forward a notification to the security team that an external principal has been granted access to the specific IAM role and has been blocked.

F.  

Create an Amazon Simple Notification Service (Amazon SNS) topic for external or cross-account access notices. Subscribe the security team's email addresses to the topic.

A.  

Delete the key pair from the EC2 console. Create a new key pair.

B.  

Use the ModifylnstanceAttribute API operation to change the key on any EC2 instance that is using the key.

C.  

Restrict SSH access in the security group to only known corporate IP addresses.

D.  

Update the key pair in any AMI that is used to launch the EC2 instances. Restart the EC2 instances.

A.  

Update the S3 bucket policy to restrict access to a CloudFront origin access identity (OAI).

B.  

Update the website DNS record to use an Amazon Route 53 geolocation record deny list of countries where the company lacks a license.

C.  

Add a CloudFront geo restriction deny list of countries where the company lacks a license.

D.  

Update the S3 bucket policy with a deny list of countries where the company lacks a license.

E.  

Enable the Restrict Viewer Access option in CloudFront to create a deny list of countries where the company lacks a license.

A.  

Create a Network Access Scope in Amazon VPC Network Access Analyzer. Use the Network Access Scope to identify EC2 instances that try to send traffic to TCP port 2905.

B.  

Enable VPC flow logs for the VPC where the affected EC2 instances are located Configure the flow logs to capture rejected traffic. In the flow logs, search for REJECT records that have a destination TCP port of 2905.

C.  

Enable Amazon GuardDuty Create a custom GuardDuty IP list to create a finding when an EC2 instance tries to communicate with one of the command and control hosts. Use Amazon Detective to identify the EC2 instances that initiate the communication.

D.  

Create a firewall in AWS Network Firewall. Attach the firewall to the subnet of the EC2 instances. Create a custom rule to identify and log traffic from the firewall on TCP port 2905. Create an Amazon CloudWatch Logs metric filter to identify firewall logs that reference traffic on TCP port 2905.

A.  

Use IAM Config with a managed rule to trigger the IAM-EnableCloudTrail remediation.

B.  

Create an Amazon EventBridge (Amazon CloudWatch Events) event with a cloudtrail.amazonIAM.com event source and a StartLogging event name to trigger an IAM Lambda function to call the StartLogging API.

C.  

Create an Amazon CloudWatch alarm with a cloudtrail.amazonIAM.com event source and a StopLogging event name to trigger an IAM Lambda function to call the StartLogging API.

D.  

Monitor IAM Trusted Advisor to ensure CloudTrail logging is enabled.

A.  

Create a new role and add each user to the IAM role

B.  

Use the IAM groups and add users, based upon their role, to different groups and apply the policy to group

C.  

Create a policy and apply it to multiple users using a script

D.  

Create an S3 bucket policy with unlimited access which includes each user's IAM account ID

A.  

Create a pre sign-up AWS Lambda trigger. Associate the Amazon Cognito function with the Amazon Cognito user pool.

B.  

Use a geographic match rule statement to configure an AWS WAF web ACL. Associate the web ACL with the Amazon Cognito user pool.

C.  

Configure an app client for the application's Amazon Cognito user pool. Use the app client ID to validate the requests in the hosted Ul.

D.  

Update the application's Amazon Cognito user pool to configure a geographic restriction setting.

E.  

Use Amazon Cognito to configure a social identity provider (IdP) to validate the requests on the hosted Ul.

A.  

In the software development account, create AMIs of preconfigured instances that include only approved software. Include the AMI IDs in the condition section of an AWS CloudFormation template to launch the appropriate AMI based on the AWS Region. Provide the developers with the CloudFormation template to launch EC2 instances in the software development account.

B.  

Create an Amazon EventBridge rule that runs when any EC2 RunInstances API event occurs in the software development account. Specify AWS Systems Manager Run Command as a target of the rule. Configure Run Command to run a script that will install all approved software onto the instances that the developers launch.

C.  

Use an AWS Service Catalog portfolio that contains EC2 products with appropriate AMIs that include only approved software. Grant the developers permission to access only the Service Catalog portfolio to launch a product in the software development account.

D.  

In the management account, create AMIs of preconfigured instances that include only approved software. Use AWS CloudFormation StackSets to launch the AMIs across any AWS account in the organization. Grant the developers permission to launch the stack sets within the management account.

A.  

Add an outbound rule to the security group that is attached to the compromised EC2 instance to deny traffic to 0.0.0.0/0 and port 587.

B.  

Add an outbound rule to the network ACL for the subnet that contains the compromised EC2 instance to deny traffic to 0.0.0.0/0 and port 587.

C.  

Gather volatile memory from the compromised EC2 instance. Suspend the compromised EC2 instance from the Auto Scaling group. Then take a snapshot of the compromised EC2 instance. v

D.  

Take a snapshot of the compromised EC2 instance. Suspend the compromised EC2 instance from the Auto Scaling group. Then gather volatile memory from the compromised EC2 instance.

E.  

Move the compromised EC2 instance to an isolated subnet that has a network ACL that has no inbound rules or outbound rules.

F.  

Replace the existing security group that is attached to the compromised EC2 instance with a new security group that has no inbound rules or outbound rules.

A.  

Use the SimpleCORS managed response headers policy.

B.  

Use a Lambda@Edge function to add the Strict-Transport-Security response header.

C.  

Use the SecurityHeadersPolicy managed response headers policy.

D.  

Include the X-XSS-Protection header in a custom response headers policy.

A.  

Create an AWS CloudFormation template for the Lambda function and for the EventBridge Scheduler schedule. Create a CloudFormation stack set in the organization's management account. Specify all the existing accounts as the deployment targets. Add new accounts as a stack to the existing stack set when new accounts are created.

B.  

Configure an Organizations delegated administrator account for AWS CloudFormation. Create a CloudFormation template for the Lambda function and for the EventBridge Scheduler schedule. Create a CloudFormation stack set in the delegated administrator account. Specify the root of the organization as the deployment target. Activate automatic deployment for the stack set.

C.  

Enable AWS Systems Manager operations management capabilities. Configure a delegated administrator account for Systems Manager. Create a Systems Manager Automation custom runbook in the delegated administrator account. Use the runbook to deploy the Lambda function and the EventBridge Scheduler schedule. Specify the root of the organization as the target for Systems Manager Automation.

D.  

Create an AWS Systems Manager Automation custom runbook in the organization's management account. Use the runbook to deploy the Lambda function and the EventBridge Scheduler schedule. Share the runbook with target accounts. Specify all the existing accounts as targets for Systems Manager Automation. Add new accounts as targets when new accounts are created.

A.  

Modify EBS default encryption settings in the target AWS Region to enable encryption. Use an Auto Scaling group instance refresh.

B.  

Modify the launch templates for the web layer and the backend layer to add AWS Certificate Manager (ACM) encryption for the attached EBS volumes. Use an Auto Scaling group instance refresh.

C.  

Create a new AWS Key Management Service (AWS KMS) encrypted DB cluster from a snapshot of the existing DB cluster.

D.  

Apply AWS Key Management Service (AWS KMS) encryption to the existing DB cluster.

E.  

Apply AWS Certificate Manager (ACM) encryption to the existing DB cluster.

A.  

Use AWS Backup to apply a 5-year retention tag to the RDS snapshots.

B.  

Enable versioning on the S3 bucket that AWS Backup uses for the RDS snapshots. Configure a 5-year retention period.

C.  

Create an S3 Lifecycle policy. Include a 5-year retention period for the S3 bucket that AWS Backup uses for the RDS snapshots.

D.  

Create a backup plan in AWS Backup. Configure a 5-year retention period.

A.  

Place the RDS instance in a public subnet and an IAM Lambda function outside the VPC. Schedule the Lambda function to run every 3 months to rotate the secrets.

B.  

Place the RDS instance in a private subnet and an IAM Lambda function inside the VPC in the private subnet. Configure the private subnet to use a NAT gateway. Schedule the Lambda function to run every 3 months to rotate the secrets.

C.  

Place the RDS instance in a private subnet and an IAM Lambda function outside the VP

C.  

D.  

Place the RDS instance in a private subnet and an IAM Lambda function inside the VPC in the private subnet. Schedule the Lambda function to run quarterly to rotate the secrets.

E.  

Place the RDS instance in a private subnet and an IAM Lambda function inside the VPC in the private subnet. Configure a Secrets Manager interface endpoint. Schedule the Lambda function to run every 3 months to rotate the secrets.

A.  

Select "Restrict Bucket Access" in the origin settings of the CloudFront distribution

B.  

Create an origin access identity (OAI) for the S3 origin

C.  

Update the S3 bucket policy to allow s3 GetObject with a condition that the IAM Referer key matches the secret value Deny all other requests

D.  

Configure the S3 bucket poky so that only the origin access identity (OAI) has read permission for objects in the bucket

E.  

Add an origin custom header that has the name Referer to the CloudFront distribution Give the header a secret value.

A.  

Create the customer managed policy in every account where the permission set is assigned. Give the customer managed policy the same name and same permissions in each account.

B.  

Remove either the AWS managed policy or the customer managed policy from the permission set. Create a second permission set that includes the removed policy. Apply the permission sets separately to the user.

C.  

Evaluate the logic of the AWS managed policy and the customer managed policy. Resolve any policy conflicts in the permission set before deployment.

D.  

Do not add the new permission set to the user. Instead, edit the user's existing permission set to include the AWS managed policy and the customer managed policy.

A.  

Enable Amazon GuardDuty Configure Matware Protection for EC2 Run an on-demand malware scan of the EC2 instances.

B.  

Enable Amazon GuardDuty Configure Runtime Monitoring Enable the automated agent configuration for the EC2 instances.

C.  

Enable Amazon Inspector Configure agentless scanning for the EC2 instances.

D.  

Enable Amazon Inspector Configure deep inspection of the EC2 instances Run an on-demand scan of the EC2 instances.

A.  

Manually rotate a key within KMS to create a new CMK immediately

B.  

Use the KMS import key functionality to execute a delete key operation

C.  

Use the schedule key deletion function within KMS to specify the minimum wait period for deletion

D.  

Change the KMS CMK alias to immediately prevent any services from using the CMK.

A.  

There is a security group blocking outbound port 80 traffic that is preventing the agent from sending the logs

B.  

The IAM instance profile on the EC2 instance was not properly configured to allow the CloudWatch Logs agent to push the logs to CloudWatch

C.  

CloudWatch Logs status is set to ON versus SECURE, which prevents it from pulling in OS security event logs

D.  

The VPC requires that all traffic go through a proxy, and the CloudWatch Logs agent does not support a proxy configuration.

A.  

Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team's email addresses to the SNS topic. Create a custom AWS Lambda function that will run the aws cloudformation validate-template AWS CLI command on all CloudFormation templates before the build stage in the CI/CD pipeline. Configure the CI/CD pipeline to publish a notification to the SNS topic if any issues are found.

B.  

Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team's email addresses to the SNS topic. Create custom rules in CloudFormation Guard for each resource configuration. In the CllCD pipeline, before the build stage, configure a Docker image to run the cfn-guard command on the CloudFormation template. Configure the CI/CD pipeline to publish a notification to the SNS topic if any issues are found.

C.  

Create an Amazon Simple Notification Service (Amazon SNS) topic and an Am-azon Simple Queue Service (Amazon SQS) queue. Subscribe the security team's email addresses to the SNS topic. Create an Amazon S3 bucket in the shared services AWS account. Include an event notification to publish to the SQS queue when new objects are added to the S3 bucket. Require the de-velopers to put their CloudFormation templates in the S3 bucket. Launch EC2 ins

D.  

Create a centralized CloudFormation stack set that includes a standard set of resources that the developers can deploy in each AWS account. Configure each CloudFormation template to meet the security requirements. For any new resources or configurations, update the CloudFormation template and send the template to the security team for review. When the review is com-pleted, add the new CloudFormation stack to the repository for the devel-ope

A.  

Change the value of aws:MultiFactorAuthPresent to true.

B.  

Instruct users to run the aws sts get-session-token CLI command and pass the multi-factor authentication --serial-number and --token-code parameters. Use these resulting values to make API/CLI calls.

C.  

Implement federated API/CLI access using SAML 2.0, then configure the identity provider to enforce multi-factor authentication.

D.  

Create a role and enforce multi-factor authentication in the role trust policy. Instruct users to run the sts assume-role CLI command and pass --serial-number and --token-code parameters. Store the resulting values in environment variables. Add sts:AssumeRole to NotAction in the policy.

A.  

Configure CloudFront to add a cache key policy to allow a custom HTTP header that CloudFront sends to the ALB.

B.  

Configure CloudFront to add a custom: HTTP header to requests that CloudFront sends to the AL

B.  

C.  

Configure the ALB to forward only requests that contain the custom HTTP header.

D.  

Configure the ALB and CloudFront to use the X-Forwarded-For header to check client IP addresses.

E.  

Configure the ALB and CloudFront to use the same X.509 certificate that is generated by AWS Certificate Manager (ACM).

A.  

Use IAM Systems Manager Parameter Store to store the database credentiais. Configureautomatic rotation of the credentials.

B.  

Use IAM Secrets Manager to store the database credentials. Configure automat* rotation of the credentials

C.  

Store the database credentials in an Amazon S3 bucket that is configured with server-side encryption with S3 managed encryption keys (SSE-S3) Rotate the credentials with IAM database authentication.

D.  

Store the database credentials m Amazon S3 Glacier, and use S3 Glacier Vault Lock Configure an IAM Lambda function to rotate the credentials on a scheduled basts

A.  

Set up separate AWS Lambda functions for GuardDuty, 1AM Access Analyzer, and Macie to call each service's public API to retrieve high-severity findings. Use Amazon Simple Notification Service (Amazon SNS) to send the email alerts. Create an Amazon EventBridge rule to invoke the functions on a schedule.

B.  

Create an Amazon EventBridge rule with a pattern that matches Security Hub findings events with high severity. Configure the rule to send the findings to a target Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the desired email addresses to the SNS topic.

C.  

Create an Amazon EventBridge rule with a pattern that matches AWS Control Tower events with high severity. Configure the rule to send the findings to a target Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the desired email addresses to the SNS topic.

D.  

Host an application on Amazon EC2 to call the GuardDuty, 1AM Access Analyzer, and Macie APIs. Within the application, use the Amazon Simple Notification Service (Amazon SNS) API to retrieve high-severity findings and to send the findings to an SNS topic. Subscribe the desired email addresses to the SNS topic.

A.  

Configure VPC Flow Logs and CloudTrail to send the log data directly to Amazon CloudWatch Logs Query the log data by using a metric filter.

B.  

Configure VPC Flow Logs and CloudTrail to send the log data directly to Amazon CloudWatch Logs Query the log data by using a subscription filter.

C.  

Configure VPC Flow Logs and CloudTrail to send the log data directly to Amazon DynamoDB Use the DynamoDB Query API operation to query items based on their primary key values.

D.  

Configure VPC Flow Logs and CloudTrail to send the log data directly to an Amazon S3 bucket Use Amazon Athena to query the log data.

A.  

Configure S3 bucket policies to deny DELETE and PUT object permissions.

B.  

Configure S3 Object Lock in compliance mode with S3 bucket versioning enabled.

C.  

Change the encryption on the S3 bucket to use AWS Key Management Service (AWS KMS) customer managed keys.

D.  

Configure the S3 bucket with multi-factor authentication (MFA) delete protection.

A.  

Custom SSL certificate that is stored in AWS Key Management Service (AWS KMS)

B.  

Default SSL certificate that is stored in Amazon CloudFront.

C.  

Custom SSL certificate that is stored in AWS Certificate Manager (ACM)

D.  

Default SSL certificate that is stored in Amazon S3

A.  

Log in to the suspicious instance and use the netstat command to identify remote connections Use the IP addresses from these remote connections to create deny rules in the security group of the instance Install diagnostic tools on the instance for investigation Update the outbound network ACL for the subnet in us-east- lb to explicitly deny all connections as the first rule during the investigation of the instance

B.  

Update the outbound network ACL for the subnet in us-east-1b to explicitly deny all connections as the first rule Replace the security group with a new security group that allows connections only from a diagnostics security group Update the outbound network ACL for the us-east-1b subnet to remove the deny all rule Launch a new EC2 instance that has diagnostic tools Assign the new security group to the new EC2 instance Use the new EC2 instan

C.  

Ensure that the Amazon Elastic Block Store (Amazon EBS) volumes that are attached to the suspicious EC2 instance will not delete upon termination Terminate the instance Launch a new EC2 instance in us-east-1a that has diagnostic tools Mount the EBS volumes from the terminated instance for investigation

D.  

Create an AWS WAF web ACL that denies traffic to and from the suspicious instance Attach the AWS WAF web ACL to the instance to mitigate the attack Log in to the instance and install diagnostic tools to investigate the instance

A.  

Create a new Amazon-issued certificate in AWS Secrets Manager. Export the certificate from Secrets Manager. Import the certificate into the ALB and the EC2 instances.

B.  

Create a new Amazon-issued certificate in AWS Certificate Manager (ACM). Associate the certificate with the AL

B.  

C.  

Import a new third-party certificate into AWS Identity and Access Management (IAM). Export the certificate from IAM. Associate the certificate with the ALB and the EC2 instances.

D.  

Import a new third-party certificate into AWS Certificate Manager (ACM). Associate the certificate with the ALB. Install the certificate on the EC2 instances.

A.  

Move the Aurora database into a private subnet that has no internet access routes in the database's current VPC Configure the Lambda functions to use the Auroradatabase's new private IP address to access the database Configure the Aurora databases security group to allow access from the private IP addresses of the Lambda functions

B.  

Establish a VPC endpoint between the two VPCs in the Aurora database's VPC configure a service VPC endpoint for Amazon RDS In the Lambda functions' VPC.configure an interface VPC endpoint that uses the service endpoint in the Aurora database's VPC Configure the service endpoint to allow connections from the Lambda functions.

C.  

Establish an AWS Direct Connect interface between the VPCs Configure the Lambda functions to use a new route table that accesses the Aurora database through the Direct Connect interface Configure the Aurora database's security group to allow access from the Direct Connect interface IP address

D.  

Move the Lambda functions into a public subnet in their VPC Move the Aurora database into a private subnet in its VPC Configure the Lambda functions to use the Aurora database's new private IP address to access the database Configure the Aurora database to allow access from the public IP addresses of the Lambda functions

A.  

Use Amazon Macie to scan the S3 bucket for sensitive data every 72 hours. Configure Macie to delete the objects that contain sensitive data when they are discovered.

B.  

Configure an S3 Lifecycle rule on the S3 bucket to expire objects that have been in the S3 bucket for 72 hours.

C.  

Create an Amazon EventBridge scheduled rule that invokes an AWS Lambda function every day. Program the Lambda function to remove any objects that have been in the S3 bucket for 72 hours.

D.  

Use the S3 Intelligent-Tiering storage class for all objects that are up-loaded to the S3 bucket. Use S3 Intelligent-Tiering to expire objects that have been in the S3 bucket for 72 hours.

A.  

Use lifecycle policies for the EBS volumes

B.  

Use EBS Snapshots

C.  

Use EBS volume replication

D.  

Use EBS volume encryption

A.  

The target instance's security group does not allow traffic from the NLB.

B.  

The target instance's security group is not attached to the NL

B.  

C.  

The NLB's security group is not attached to the target instance.

D.  

The target instance's subnet network ACL does not allow traffic from the NLB.

E.  

The target instance's security group is not using IP addresses to allow traffic from the NLB.

F.  

The target network ACL is not attached to the NLB.

A.  

Option A

B.  

Option B

C.  

Option C

D.  

Option D

E.  

Option E

A.  

Create an Amazon CloudFront distribution and configure the ALB as the origin

B.  

Block the malicious IPs with a network access list (NACL).

C.  

Create an IAM Web Application Firewall (WAF). and attach it to the ALB

D.  

Map the application domain name to use Route 53

A.  

Create an HTTPS listener that uses a certificate that is managed by IAM Certificate Manager (ACM).

B.  

Create an HTTPS listener that uses a security policy that uses a cipher suite with perfect toward secrecy (PFS).

C.  

Create an HTTPS listener that uses the Server Order Preference security feature.

D.  

Create a TCP listener that uses a custom security policy that allows only cipher suites with perfect forward secrecy (PFS).

A.  

Create an Application Load Balancer with the existing EC2 instances as a target group. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the ALB. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to the ALB. Update security groups on the EC2 instances to prevent direct access from the internet.

B.  

Create an Amazon CloudFront distribution specifying one EC2 instance as an origin. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the distribution. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to CloudFront.

C.  

Obtain the latest source code for the platform and make the necessary updates. Test the updated code to ensure that the vulnerability has been mitigated, then deploy the patched version of the platform to the EC2 instances.

D.  

Update the security group that is attached to the EC2 instances, removing access from the internet to the TCP port used by the SQL database. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the EC2 instances. Test to ensure the vulnerability has been mitigated, then restore the security group to the original setting.

A.  

Create an Amazon EventBridge rule to send Amazon Simple Notification Service (Amazon SNS) email notifications for Amazon GuardDutyUnauthorizedAccesslAMUser/lnstanceCredentialExfiltration OutsideAWS findings.

B.  

Change the AWS account contact information for the Operations type to a separate email address. Periodically poll this email address for notifications.

C.  

Create an Amazon EventBridge rule that reacts to AWS Health events that have a value of Risk for the service category Configure email notifications by usingAmazon Simple Notification Service (Amazon SNS).

D.  

Implement new anomaly detection software. Ingest AWS CloudTrail logs. Configure monitoring for ConsoleLogin events in the AWS Management Console.Configure email notifications from the anomaly detection software.

A.  

The CMK is used in the attempt does not exist.

B.  

The CMK is used in the attempt needs to be rotated.

C.  

The CMK is used in the attempt is using the CMKג€™s key ID instead of the CMK ARN.

D.  

The CMK is used in the attempt is not enabled.

E.  

The CMK is used in the attempt is using an alias.

A.  

Have a Database Administrator encrypt the credentials and store the ciphertext in Amazon S3. Grant permission to the instance role associated with the EC2 instance to read the object and decrypt the ciphertext.

B.  

Configure a scheduled job that updates the credential in AWS Systems Manager Parameter Store and notifies the Engineer that the application needs to be restarted.

C.  

Configure automatic rotation of credentials in AWS Secrets Manager.

D.  

Store the credential in an encrypted string parameter in AWS Systems Manager Parameter Store. Grant permission to the instance role associated with the EC2 instance to access the parameter and the AWS KMS key that is used to encrypt it.

E.  

Configure the Java application to catch a connection failure and make a call to AWS Secrets Manager to retrieve updated credentials when the password is rotated. Grant permission to the instance role associated with the EC2 instance to access Secrets Manager.

A.  

Use a role-based approach by creating an IAM role with an inline permissions policy that allows access to the secret. Update the IAM principals in the role trust policy as required.

B.  

Deploy a VPC endpoint for Secrets Manager. Create and attach an endpoint policy that specifies the IAM principals that are allowed to access the secret. Update the list of IAM principals as required.

C.  

Use a tag-based approach by attaching a resource policy to the secret. Apply tags to the secret and the IAM principals. Use the aws:PrincipalTag and aws:ResourceTag IAM condition keys to control access.

D.  

Use a deny-by-default approach by using IAM policies to deny access to the secret explicitly. Attach the policies to an IAM group. Add all IAM principals to the IAM group. Remove principals from the group when they need access. Add the principals to the group again when access is no longer allowed.

A.  

Create a verified identity for the email address in Amazon Simple Email Service (Amazon SES) Create an Amazon EventBridge rule that has the SES verified identity as the target Specify GuardDuty as the event source Configure the EventBridge event pattern to match High seventy findings.

B.  

Create an Amazon Simple Notification Service (Amazon SNS) topic Subscribe the email address to the SNS topic. Create an Amazon EventBridge rule that has the SNS topic as the target Specify GuardDuty as the event source Configure the EventBridge event pattern to match High severity findings.

C.  

Create an Amazon Simple Notification Service (Amazon SNS) topic Subscribe the email address to the SNS topic. Enable AWS Security Hub Integrate Security Hub with GuardDuty. Use Security Hub automation rules to publish High severity GuardDuty findings to the SNS topic.

D.  

Enable AWS Security Hub Integrate Security Hub with GuardDuty. Use Secunty Hub automation rules to create a custom rule. Configure the custom rule to detect High seventy GuardDuty findings and to send a notification to the email address.

A.  

Amazon Athena

B.  

Amazon Kinesis

C.  

Amazon SQS

D.  

Amazon Elasticsearch

E.  

Amazon EMR

A.  

Review the IAM CloudTrail event history logs in an Amazon S3 bucket and look for the Terminatelnstances event to identify the federated user from the role session name.

B.  

Filter the IAM CloudTrail event history for the Terminatelnstances event and identify the assumed IAM role. Review the AssumeRoleWithSAML event call in CloudTrail to identify the corresponding username.

C.  

Search the IAM CloudTrail logs for the Terminatelnstances event and note the event time. Review the IAM Access Advisor tab for all federated roles. The last accessed time should match the time when the instance was terminated.

D.  

Use Amazon Athena to run a SQL query on the IAM CloudTrail logs stored in an Amazon S3 bucket and filter on the Terminatelnstances event. Identify the corresponding role and run another query to filter the AssumeRoleWithWebldentity event for the user name.

A.  

Archive the data to Amazon S3 and apply a restrictive bucket policy to deny the s3 DeleteOotect API

B.  

Archive the data to Amazon S3 Glacier and apply a Vault Lock policy

C.  

Archive the data to Amazon S3 and replicate it to a second bucket in a second IAM Region Choose the S3 Standard-Infrequent Access (S3 Standard-1A) storage class and apply a restrictive bucket policy to deny the s3 DeleteObject API

D.  

Migrate the log data to a 16 T8 Amazon Elastic Block Store (Amazon EBS) volume Create a snapshot of the EBS volume

A.  

When a new player signs up, use an AWS Lambda function to automatically create an 1AM access key and a secret access key. Program the Lambda function to store the credentials on the player's device. Create 1AM keys for existing players.B Migrate the player credentials from the Aurora database to AWS Secrets Manager. When a new player signs up. create a key-value pair in Secrets Manager for the player's user ID and password.

B.  

Configure Amazon Cognito user pools to federate access to the game with third-party identity providers (IdPs), such as social IdPs Migrate the game's authentication mechanism to Cognito.

C.  

Instead of using usernames and passwords for authentication, issue API keys to new and existing players. Create an Amazon API Gateway API to give the game client access to the game's functionality.

A.  

Enable Amazon GuardDuty in all Regions. Create alerts to detect unauthorized activity outside us-east-1 and us-west-2.

B.  

Use an organization in IAM Organizations. Attach an SCP that allows all actions when the IAM: Requested Region condition key is either us-east-1 or us-west-2. Delete the FullIAMAccess policy.

C.  

Provision EC2 resources by using IAM Cloud Formation templates through IAM CodePipeline. Allow only the values of us-east-1 and us-west-2 in the IAM CloudFormation template's parameters.

D.  

Create an IAM Config rule to prevent unauthorized activity outside us-east-1 and us-west-2.

A.  

On a recurring basis, update an IAM user policies to require that EC2 instances are created with an encrypted volume

B.  

Configure an IAM Config rule lo run on a recurring basis 'or volume encryption

C.  

Set up Amazon Inspector rules tor volume encryption to run on a recurring schedule

D.  

Use CloudWatch Logs to determine whether instances were created with an encrypted volume

A.  

Create an IAM role in the production account and allow EC2 instances in the development account to assume that role using the trust policy. Provide read access for the required S3 bucket to this role.

B.  

Use a custom identity broker to allow Developer IAM users to temporarily access the S3 bucket.

C.  

Create a temporary IAM user for the application to use in the production account.

D.  

Create a temporary IAM user in the production account and provide read access to Amazon S3. Generate the temporary IAM user's access key and secret key and store these on the EC2 instance used by the application in the development account.

A.  

Deploy an SCP that includes the S3: * action with the "awsSourceVpc": "S {aws: Ec2lnstanceSourceVpc}" condition.

B.  

Edit the VPC endpoints to include the S3:' action with the "aws: Ec2lnstanceSourcePrivatelPv4": "${aws:VpcSourcelp}" condition.

C.  

Limit all actions in the S3 bucket policies by using the aws:SourceVpce condition key with the value of the allowed VPC endpoint.

D.  

Limit all actions in the S3 bucket policies by using the aws:SourceVpc condition key with the value to the allowed VPC I

D.  

A.  

Remove the existing NAT gateway. Create a new NAT gateway that only the application server subnets can use.

B.  

Configure the DB instanceג€™s inbound network ACL to deny traffic from the security group ID of the NAT gateway.

C.  

Modify the route tables of the DB instance subnets to remove the default route to the NAT gateway.

D.  

Configure the route table of the NAT gateway to deny connections to the DB instance subnets.

A.  

Analyze the logs by using Amazon OpenSearch Service. Search the logs from the OpenSearch API. Use OpenSearch Service Security Analytics to match logs with detection rules and to send alerts to the SNS topic.

B.  

Analyze the logs by using AWS Security Hub. Search the logs from the Findings page in Security Hub. Create custom actions to match logs with detection rules and to send alerts to the SNS topic.

C.  

Analyze the logs by using Amazon CloudWatch Logs. Use a subscription filter to match logs with detection rules and to send alerts to the SNS topic. Search the logs manually by using CloudWatch Logs Insights.

D.  

Analyze the logs by using Amazon QuickSight. Search the logs by listing the query results in a dashboard. Run queries to match logs with detection rules and to send alerts to the SNS topic.

A.  

Use short but complex password on the root account and any administrators.

B.  

Use IAM IAM Geo-Lock and disallow anyone from logging in except for in your city.

C.  

Use MFA on all users and accounts, especially on the root account.

D.  

Don't write down or remember the root account password after creating the IAM account.

A.  

Enable AWS Trusted Advisor security checks in the AWS Console, tsnd report all security incidents for all regions.

B.  

Enable AWS CloudTrail by creating individual trails for each region, and specify a single Amazon S3 bucket to receive log files for later analysis.

C.  

Enable AWS CloudTrail by creating a new trail and applying the trail to all regions. Specify a single Amazon S3 bucket as the storage location.

D.  

Enable Amazon CloudWatch logging for all AWS services across all regions, and aggregate them to a single Amazon S3 bucket for later analysis.

A.  

Create a key policy that allows the kms:Decrypt action only for Amazon S3 and DynamoDB. Create an SCP that denies the creation of S3 buckets and DynamoDB tables that are not encrypted with the key.

B.  

Create an 1AM policy that denies the kms:Decrypt action for the key. Create a Lambda function than runs on a schedule to attach the policy to any new roles. Create an AWS Config rule to send alerts for resources that are not encrypted with the key.

C.  

Create a key policy that allows the kms:Decrypt action only for Amazon S3, DynamoDB, Lambda, and Amazon EKS. Create an SCP that denies the creation of S3 buckets and DynamoDB tables that are not encrypted with the key.

D.  

Create a key policy that allows the kms:Decrypt action only for Amazon S3, DynamoDB, Lambda, and Amazon EKS. Create an AWS Config rule to send alerts for resources that are not encrypted with the key.

A.  

Configure the private ECR registry to use enhanced scanning with the scan on push option. Create an Amazon EventBridge rule that invokes an AWS Lambda function when a critical vulnerability is found. Program the Lambda function to block the image push.

B.  

Configure Amazon Inspector. Invoke the Amazon Inspector Scan API operation from the CI/CD pipeline. Create an Amazon EventBridge rule that invokes an AWS Lambda function when a critical vulnerability is found. Program the Lambda function to return a failed result to Amazon Inspector.

C.  

Create an Amazon Inspector custom CI/CD integration. Install and configure the Amazon Inspector Software Bill of Materials (SBOM) Generator (Sbomgen) binary. Generate an SBOM. Invoke the Amazon Inspector Scan API operation. In case of critical vulnerabilities, fail the CI/CD pipeline.

D.  

Enable ECR image scanning on the ECR repository. Configure the continuous scanning option. Set the scanning configuration setting for the private registry to basic scanning. In case of critical vulnerabilities, fail the CI/CD pipeline.

A.  

B.  

C.  

D.  

A.  

Create a custom authorization service using AWS Lambda.

B.  

Configure a SAML identity provider in Amazon Cognito to map attributes to the Amazon Cognito user pool attributes.

C.  

Configure the SAML identity provider to add the Amazon Cognito user pool as a relying party.

D.  

Configure an Amazon Cognito identity pool to integrate with social login providers.

E.  

Update DynamoDB to store the user email addresses and passwords.

F.  

Update API Gateway to use a COGNITO_USER_POOLS authorizer.

A.  

Enable AWS Identity and Access Management Access Analyzer for the organization. Configure the organization as a zone of trust. Filter findings by AWS account ID.

B.  

Create a custom AWS Config rule to monitor IAM roles in each account. Deploy an AWS Config aggregator to a central account. Filter findings by AWS account ID.

C.  

Activate Amazon Inspector. Integrate Amazon Inspector with AWS Security Hub. Filter findings by AWS account ID for the last role resource type and the S3 bucket policy resource type.

D.  

Configure the organization to use Amazon GuardDuty. Filter findings by AWS account ID for the Discovery:IAMUser/AnomalousBehavior finding type.

A.  

Deploy an AWS Config aggregator with organization-wide resource data aggregation. Create an AWS Lambda function that responds to AWS Config findings of noncompliant S3 buckets by deleting or reconfiguring the S3 buckets.

B.  

Deploy an AWS Config aggregator with organization-wide resource data aggregation. Create an SCP that contains a Deny statement that prevents the creation of new noncompliant S3 buckets. Apply the SCP to all OUs in the organization.

C.  

Deploy an AWS Config aggregator that scopes only the accounts and Regions that the company currently uses. Create an AWS Lambda function that responds to AWS Config findings of noncompliant S3 buckets by deleting or reconfiguring the S3 buckets.

D.  

Deploy an AWS Config aggregator that scopes only the accounts and Regions that the company currently uses. Create an SCP that contains a Deny statement that prevents the creation of new noncompliant S3 buckets. Apply the SCP to all OUs in the organization.

A.  

For each team, create an AM policy similar to the one that fellows Populate the ec2: ResourceTag/Team condition key with a proper team name Attach resulting policies to the corresponding IAM roles.

B.  

B.  

C.  

C.  

D.  

D.