A.  

Store the customer managed key in AWS Secrets Manager in us-west-1.

B.  

Create a new customer managed key in us-west-1 and use it to encrypt the snapshot.

C.  

Create an IAM policy to allow access to the key in us-east-1 from us-west-1.

D.  

Create an IAM policy that allows RDS in us-west-1 to access the key in us-east-1.

A.  

Encrypt all AWS CloudTrail logs.

B.  

Turn on Amazon GuardDuty.

C.  

Change the password for all IAM users.

D.  

Rotate or delete all AWS access keys.

E.  

Take snapshots of all Amazon Elastic Block Store (Amazon EBS) volumes.

F.  

Delete any resources that are unrecognized or unauthorized.

A.  

Configure an S3 Lifecycle rule to delete objects after 45 days.

B.  

Create a Lambda function triggered on object upload to delete old data.

C.  

Create a scheduled Lambda function to delete old objects monthly.

D.  

Configure S3 Intelligent-Tiering.

A.  

Use Amazon Macie to detect an active DDoS event and create Amazon CloudWatch alarms that respond to Macie findings.

B.  

Use Amazon Inspector to review resources and invoke Amazon CloudWatch alarms for any resources that are vulnerable to DDoS attacks.

C.  

Create an Amazon CloudWatch alarm that monitors AWS Firewall Manager metrics for an active DDoS event.

D.  

Create an Amazon CloudWatch alarm that monitors AWS Shield Advanced metrics for an active DDoS event.

A.  

Create an AWS Config managed rule to detect unencrypted RDS storage. Configure an automatic remediation action to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic that includes an AWS Lambda function and an email delivery target as subscribers. Configure the Lambda function to delete the unencrypted resource.

B.  

Create an AWS Config managed rule to detect unencrypted RDS storage. Configure a manual remediation action to invoke an AWS Lambda function. Configure the Lambda function to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic and to delete the unencrypted resource.

C.  

Create an Amazon EventBridge rule that evaluates RDS event patterns and is initiated by the creation of DB instances or DB clusters. Configure the rule to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic that includes an AWS Lambda function and an email delivery target as subscribers. Configure the Lambda function to delete the unencrypted resource.

D.  

Create an Amazon EventBridge rule that evaluates RDS event patterns and is initiated by the creation of DB instances or DB clusters. Configure the rule to invoke an AWS Lambda function. Configure the Lambda function to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic and to delete the unencrypted resource.

A.  

Log in to the account by using the account root user credentials. Re-issue the deletion request for the KMS key with a waiting period of 7 days.

B.  

Identify the other Regions where the KMS key ID is present and schedule the key for deletion in 7 days.

C.  

Update the IAM principal to allow kms:* permissions on the KMS key ARN. Re-issue the deletion request for the KMS key with a waiting period of 7 days.

D.  

Disable the KMS key. Re-issue the deletion request for the KMS key in 30 days.

A.  

Delegate Amazon Macie and Security Hub administration.

B.  

Use Amazon Inspector with Security Hub.

C.  

Use Inspector with Trusted Advisor.

D.  

Use Macie with Trusted Advisor.

A.  

Create security groups and attach them to all SQS queues.

B.  

Modify network ACLs in all VPCs to restrict inbound traffic.

C.  

Create interface VPC endpoints for Amazon SQS. Restrict access using aws:SourceVpce and aws:PrincipalOrgId conditions.

D.  

Use a third-party cloud access security broker (CASB).

A.  

Use Amazon Macie.

B.  

Enable Amazon Inspector Lambda scanning.

C.  

Use GuardDuty and Security Hub.

D.  

Use GuardDuty Lambda Protection.

A.  

Enable AWS Config. Configure AWS Config to monitor for sensitive data in the S3 bucket and to send notifications to the SNS topic.

B.  

Create an AWS Lambda function to scan the S3 bucket for sensitive data that matches a pattern. Program the Lambda function to send notifications to the SNS topic.

C.  

Configure Amazon Macie to use managed data identifiers to identify and categorize sensitive data. Create an Amazon EventBridge rule to send notifications to the SNS topic.

D.  

Enable Amazon GuardDuty. Configure AWS CloudTrail S3 data events. Create an Amazon CloudWatch alarm that reacts to GuardDuty findings and sends notifications to the SNS topic.

A.  

Create an AWS PrivateLink endpoint. Specify the existing ALB as the target. Update the CloudFront distribution by setting the PrivateLink endpoint as the origin.

B.  

Create a new internal AL

B.  

B.  

B.  

C.  

Modify the listener rules for the existing ALB. Add a condition to forward only the requests that come from IP addresses in the CloudFront origin prefix list.

D.  

Update the CloudFront distribution by adding an X-Shared-Secret custom header for the origin. Modify the listener rules for the existing ALB to forward only the requests in which the X-Shared-Secret header has the correct value.

A.  

Configure the key policy to allow only Amazon S3 to perform the kms:Encrypt action.

B.  

Configure the key policy to allow KMS actions only when the value for the kms:ViaService condition key matches the Amazon S3 service name.

C.  

Configure the application’s IAM role policy to allow Amazon S3 to perform the iam:PassRole action.

D.  

Configure the application’s IAM role policy to allow only S3 operations when the operations are combined with the KMS customer managed key.

A.  

Implement AWS IAM Access Analyzer policy generation on the role.

B.  

Implement AWS IAM Access Analyzer policy validation on the role.

C.  

Search CloudWatch logs to determine the actions the role invoked and to evaluate the permissions.

D.  

Use AWS Trusted Advisor to compare the policies assigned to the role against AWS best practices.

A.  

Enforce KMS encryption and deny s3:GetObject by SCP.

B.  

Enable PublicAccessBlock and deny s3:GetObject by SCP.

C.  

Enable PublicAccessBlock and deny s3:PutPublicAccessBlock by SCP.

D.  

Enable Object Lock governance and deny s3:PutPublicAccessBlock by SCP.

A.  

Use EventBridge to disable the instance profile access keys.

B.  

Use EventBridge to invoke a Lambda function that removes the affected instance from the Auto Scaling group and isolates it with a restricted security group.

C.  

Use Security Hub to update the subnet network ACL to block traffic.

D.  

Send GuardDuty findings to Amazon SNS for email notification.

A.  

Use AWS Config organization-wide with the ec2-managedinstance-applications-required managed rule and specify the application name.

B.  

Use approved AMIs rule organization-wide.

C.  

Use Distributor package and review output.

D.  

Use Systems Manager Application Manager inventory filtering.

A.  

Use AWS WAF IP match rules.

B.  

Use AWS WAF geo match rules.

C.  

Use CloudFront geo restriction to deny the countries.

D.  

Use geolocation headers in CloudFront.

A.  

Disable the IAM user and query CloudTrail logs in Amazon S3 using Athena.

B.  

Remove IAM policies and query logs in Security Hub.

C.  

Remove permission sets and query logs using CloudWatch Logs Insights.

D.  

Disable the user in IAM Identity Center and query the organizational event data store.

A.  

Encrypt all AWS CloudTrail logs.

B.  

Turn on Amazon GuardDuty.

C.  

Change the password for all IAM users.

D.  

Rotate or delete all AWS access keys.

E.  

Take snapshots of all Amazon Elastic Block Store (Amazon EBS) volumes.

F.  

Delete any resources that are unrecognized or unauthorized.

A.  

Use an IP set match rule statement.

B.  

Use a geographic match rule statement.

C.  

Use a rate-based rule statement.

D.  

Use a string match rule statement on the user agent.

A.  

Deploy a custom virtual desktop infrastructure (VDI) solution with a restriction policy to allow access only from corporate devices.

B.  

Deploy a fleet of Amazon EC2 instances. Assign an instance to each employee with certificate-based device authentication that uses Windows Active Directory.

C.  

Deploy Amazon WorkSpaces. Set up a trusted device policy with IP blocking on the authentication gateway by using AWS Identity and Access Management (IAM).

D.  

Deploy Amazon WorkSpaces. Create client certificates, and deploy them to trusted devices. Enable restricted access at the directory level.

A.  

Create an Amazon S3 bucket with S3 Object Lock enabled. Create an AWS CloudTrail trail with log file validation enabled for KMS events. Store logs in the bucket and grant auditors access.

B.  

Log application events to Amazon CloudWatch Logs and export them.

C.  

Capture KMS API calls using EventBridge and store them in DynamoDB.

D.  

Track KMS usage with CloudWatch metrics and dashboards.

A.  

Enable AWS Trusted Advisor. Configure all the Trusted Advisor checks. Manually map the checks against the PCI DSS v4.0 standard to generate the report.

B.  

Enable and configure AWS Config. Deploy the Operational Best Practices for PCI DSS conformance pack in AWS Config. Use AWS Config to generate the report.

C.  

Enable AWS Security Hub. Enable the Security Hub PCI DSS security standard. Use the AWS Management Console to download the report from the security standard.

D.  

Create an AWS Audit Manager assessment that uses the AWS managed PCI DSS v4.0 standard framework. Add all evidence to the assessment. Generate the report in Audit Manager for download.

A.  

Update the key policies in eu-west-1. Point the application in eu-north-1 to use the same customer managed key as the application in eu-west-1.

B.  

Allocate a new customer managed key to eu-north-1 to be used by the application that is deployed in that Region.

C.  

Allocate a new customer managed key to eu-north-1. Create the same alias name for both keys. Configure the application deployment to use the key alias.

D.  

Allocate a new customer managed key to eu-north-1. Create an alias for eu--1. Change the application code to point to the alias for eu--1.

A.  

Designate an Amazon GuardDuty administrator account in the organization’s management account. Enable GuardDuty for all accounts. Enable EKS Protection and RDS Protection in the GuardDuty administrator account.

B.  

Designate a monitoring account. Share Amazon CloudWatch Logs from all accounts. Use Amazon Inspector to evaluate the logs.

C.  

Centralize CloudTrail logs in Amazon S3 and analyze them with Amazon Athena.

D.  

Stream CloudWatch Logs to Amazon Kinesis and analyze them with custom AWS Lambda functions.

A.  

Identify the Regional cluster ARN for the database. Use the ARN to restore the Regional cluster by using the restore to point in time feature. Set a target time 5 days ago at 3:14 PM.

B.  

Identify the Regional cluster ARN for the database. List snapshots that have been taken of the cluster. Restore the database by using the snapshot that has a creation time that is closest to 5 days ago at 3:14 PM.

C.  

List all snapshots that have been taken of all the company's RDS databases. Identify the snapshot that was taken closest to 5 days ago at 3:14 PM and restore it.

D.  

Identify the Regional cluster ARN for the database. Use the ARN to restore the Regional cluster by using the restore to point in time feature. Set a target time 14 days ago.

A.  

Configure VPC Flow Logs on the subnet where the ALB is located and stream the data to CloudWatch. Search for the new-user-creation.php occurrences in CloudWatch.

B.  

Configure the CloudWatch agent on the ALB and send application logs to CloudWatch Logs.

C.  

Configure the ALB to export access logs to an Amazon OpenSearch Service cluster and search for the new-user-creation.php occurrences.

D.  

Configure the web ACL to send logs to Amazon Data Firehose, which delivers the logs to an S3 bucket. Use Amazon Athena to query the logs and find the new-user-creation.php occurrences.

A.  

Enable Amazon Cognito threat protection.

B.  

Restrict access to authenticated users only.

C.  

Associate AWS WAF with the Cognito user pool.

D.  

Monitor requests with CloudWatch.

A.  

Enable Amazon GuardDuty. Configure Amazon ECR scanning and Lambda code scanning in GuardDuty.

B.  

Enable Amazon GuardDuty. Configure Runtime Monitoring and Lambda Protection in GuardDuty.

C.  

Enable Amazon Inspector. Configure Amazon ECR enhanced scanning and Lambda code scanning in Amazon Inspector.

D.  

Enable AWS Security Hub. Configure Runtime Monitoring and Lambda Protection in Security Hub.

A.  

Disable the instance profile access keys by using AWS Lambda.

B.  

Remove the affected instance from the Auto Scaling group and isolate it with a restricted security group by using AWS Lambda.

C.  

Update the network ACL to block the detected traffic source.

D.  

Send GuardDuty findings to Amazon SNS for email notification.

A.  

Create an AWS PrivateLink endpoint and set it as the CloudFront origin.

B.  

Create a new internal ALB and delete the internet-facing AL

B.  

C.  

Modify the ALB listener rules to allow only CloudFront IP ranges.

D.  

Add a custom X-Shared-Secret header in CloudFront and configure the ALB listener rules to allow requests only when the header value matches.

A.  

Update the EC2 instance security group to add a rule that allows outbound traffic on port 443 for 0.0.0.0/0.

B.  

Update the EC2 instance security group to add a rule that allows inbound traffic on port 443 to the VPC's CIDR range.

C.  

Create an EC2 key pair. Associate the key pair with the EC2 instance.

D.  

Create a VPC interface endpoint for Systems Manager in the VPC where the EC2 instance is located.

E.  

Attach a security group to the VPC interface endpoint. Allow inbound traffic on port 443 to the VPC's CIDR range.

F.  

Create a VPC interface endpoint for the EC2 instance in the VPC where the EC2 instance is located.

A.  

The execution role for the Lambda function did not grant permissions to write log data to CloudWatch Logs.

B.  

The Lambda function was invoked by using Amazon API Gateway, so the logs are not stored in CloudWatch Logs.

C.  

The execution role for the Lambda function did not grant permissions to write to the Amazon S3 bucket where CloudWatch Logs stores the logs.

D.  

The version of the Lambda function that was invoked was not current.

A.  

Configure a cron job on the instances to forward the log files to Amazon S3 periodically.

B.  

Configure AWS Glue and Amazon Athena to query the log files.

C.  

Configure the Amazon CloudWatch agent on the instances to forward the logs to Amazon CloudWatch Logs.

D.  

Configure Amazon CloudWatch Logs Insights to query the log files.

E.  

Configure the instances to write the logs to an Amazon Elastic File System (Amazon EFS) volume.

A.  

Create a CloudTrail Lake data store. Implement CloudTrail Lake dashboards to visualize and query the results.

B.  

Use the CloudTrail Event History feature in the AWS Management Console. Visualize and query the results in the console.

C.  

Send the CloudTrail logs to an Amazon S3 bucket. Provision a persistent Amazon EMR cluster that has access to the S3 bucket. Enable S3 Object Lock on the S3 bucket. Use Apache Spark to perform queries. Use Amazon QuickSight for visualizations.

D.  

Send the CloudTrail logs to a log group in Amazon CloudWatch Logs. Set the CloudWatch Logs stream to send the data to an Amazon OpenSearch Service domain. Enable cold storage for the OpenSearch Service domain. Use OpenSearch Dashboards for visualizations and queries.