ExamsBrite Dumps

AWS Certified Security – Specialty Question and Answers

Last Update Apr 15, 2026
Total Questions : 179

Question 1

A company sends Amazon RDS snapshots to two accounts as part of its disaster recovery (DR) plan. The snapshots must be encrypted. However, each account needs to be able to decrypt the snapshots in case of a DR event.

Which solution will meet these requirements?

Options:

A. Use the default AWS Key Management Service (AWS KMS) key to generate the snapshots. Create an AWS Lambda function that copies the KMS encryption key to the two accounts.
B. Use an AWS Key Management Service (AWS KMS) customer managed key to generate the snapshots. Create an AWS Lambda function that imports the KMS key in the two accounts.
C. Use the default AWS Key Management Service (AWS KMS) key to generate the snapshots. Share the KMS key with the two accounts by using an IAM principal that has the proper KMS permissions in each account.
D. Use an AWS Key Management Service (AWS KMS) customer managed key to generate the snapshots. Share the KMS key with the two accounts by using an IAM principal that has the proper KMS permissions in each account.
Question 2

A security engineer has designed a VPC to segment private traffic from public traffic. The VPC includes two Availability Zones. Each Availability Zone contains one public subnet and one private subnet. Three route tables exist: one for the public subnets and one for each private subnet.

The security engineer discovers that all four subnets are routing traffic through the internet gateway that is attached to the VPC.

Which combination of steps should the security engineer take to remediate this scenario? (Select TWO.)

Options:

A. Verify that a NAT gateway has been provisioned in the public subnet in each Availability Zone.
B. Verify that a NAT gateway has been provisioned in the private subnet in each Availability Zone.
C. Modify the route tables for the public subnets to add a local route to the VPC CIDR range.
D. Modify the route tables for the private subnets to route 0.0.0.0/0 to the NAT gateway in the public subnet of the same Availability Zone.
E. Modify the route tables for the private subnets to route 0.0.0.0/0 to the internet gateway.
Question 3

A company creates AWS Lambda functions from container images that are stored in Amazon Elastic Container Registry (Amazon ECR). The company needs to identify any software vulnerabilities in the container images and any code vulnerabilities in the Lambda functions.

Which solution will meet these requirements?

Options:

A. Enable Amazon GuardDuty. Configure Amazon ECR scanning and Lambda code scanning in GuardDuty.
B. Enable Amazon GuardDuty. Configure Runtime Monitoring and Lambda Protection in GuardDuty.
C. Enable Amazon Inspector. Configure Amazon ECR enhanced scanning and Lambda code scanning in Amazon Inspector.
D. Enable AWS Security Hub. Configure Runtime Monitoring and Lambda Protection in Security Hub.
Question 4

A company runs a global ecommerce website that is hosted on AWS. The company uses Amazon CloudFront to serve content to its user base. The company wants to block inbound traffic from a specific set of countries to comply with recent data regulation policies.

Which solution will meet these requirements MOST cost-effectively?

Options:

A. Create an AWS WAF web ACL with an IP match condition to deny the countries' IP ranges. Associate the web ACL with the CloudFront distribution.
B. Create an AWS WAF web ACL with a geo match condition to deny the specific countries. Associate the web ACL with the CloudFront distribution.
C. Use the geo restriction feature in CloudFront to deny the specific countries.
D. Use geolocation headers in CloudFront to deny the specific countries.
Question 5

A company has enabled AWS Config for its organization in AWS Organizations. The company has deployed hundreds of Amazon S3 buckets across the organization. A security engineer needs to identify any S3 buckets that are not encrypted with AWS Key Management Service (AWS KMS). The security engineer also must prevent objects that are not encrypted with AWS KMS from being uploaded to the S3 buckets.

Which solution will meet these requirements?

Options:

A. Use the s3-default-encryption-kms AWS Config managed rule to identify unencrypted S3 buckets. Create an SCP to allow the s3:PutObject action only when the object is encrypted with AWS KMS.
B. Use the s3-default-encryption-kms AWS Config managed rule to identify unencrypted S3 buckets. Create bucket policies for each S3 bucket to deny the s3:PutObject action only when the object has server-side encryption with S3 managed keys (SSE-S3).
C. Use the s3-bucket-ssl-requests-only AWS Config managed rule to identify unencrypted S3 buckets. Create an SCP to allow the s3:PutObject action only when the object is encrypted with AWS KMS.
D. Use the s3-bucket-ssl-requests-only AWS Config managed rule to identify unencrypted S3 buckets. Create bucket policies for each S3 bucket to allow the s3:PutObject action only when the object is encrypted with AWS KMS.
Question 6

A security team manages a company's AWS Key Management Service (AWS KMS) customer managed keys. Only members of the security team can administer the KMS keys. The company's application team has a software process that needs temporary access to the keys occasionally. The security team needs to provide the application team's software process with access to the keys.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

A. Export the KMS key material to an on-premises hardware security module (HSM). Give the application team access to the key material.
B. Edit the key policy that grants the security team access to the KMS keys by adding the application team as principals. Revert this change when the application team no longer needs access.
C. Create a key grant to allow the application team to use the KMS keys. Revoke the grant when the application team no longer needs access.
D. Create a new KMS key by generating key material on premises. Import the key material to AWS KMS whenever the application team needs access. Grant the application team permissions to use the key.
Question 7

A security engineer needs to prepare Amazon EC2 instances for quarantine during a security incident. AWS Systems Manager Agent (SSM Agent) is installed, and a script exists to install and update forensic tools.

Which solution will quarantine EC2 instances during a security incident?

Options:

A. Track SSM Agent versions with AWS Config.
B. Configure Session Manager to deny external connections.
C. Store the script in Amazon S3 and grant read access.
D. Configure IAM permissions for the SSM Agent to run the script as a Systems Manager Run Command document.
Question 8

A company has installed a third-party application that is distributed on several Amazon EC2 instances and on-premises servers. Occasionally, the company's IT team needs to use SSH to connect to each machine to perform software maintenance tasks. Outside these time slots, the machines must be completely isolated from the rest of the network. The company does not want to maintain any SSH keys. Additionally, the company wants to pay only for machine hours when there is an SSH connection.

Which solution will meet these requirements?

Options:

A. Create a bastion host with port forwarding to connect to the machines.
B. Set up AWS Systems Manager Session Manager to allow temporary connections.
C. Use AWS CloudShell to create serverless connections.
D. Set up an interface VPC endpoint for each machine for private connection.
Question 9

A company uses AWS IAM Identity Center with SAML 2.0 federation. The company decides to change its federation source from one identity provider (IdP) to another. The underlying directory for both IdPs is Active Directory.

Which solution will meet this requirement?

Options:

A. Disable all existing users and groups within IAM Identity Center that were part of the federation with the original IdP.
B. Modify the attribute mappings within the IAM Identity Center trust relationship to match information that the new IdP sends.
C. Reconfigure all existing IAM roles in the company's AWS accounts to explicitly trust the new IdP as the principal.
D. Confirm that the Network Time Protocol (NTP) clock skew is correctly set between IAM Identity Center and the new IdP endpoints.
Question 10

A company is running an application on Amazon EC2 instances in an Auto Scaling group. The application stores logs locally. A security engineer noticed that logs were lost after a scale-in event. The security engineer needs to recommend a solution to ensure the durability and availability of log data. All logs must be kept for a minimum of 1 year for auditing purposes.

What should the security engineer recommend?

Options:

A. Within the Auto Scaling lifecycle, add a hook to create and attach an Amazon Elastic Block Store (Amazon EBS) log volume each time an EC2 instance is created. When the instance is terminated, the EBS volume can be reattached to another instance for log review.
B. Create an Amazon Elastic File System (Amazon EFS) file system and add a command in the user data section of the Auto Scaling launch template to mount the EFS file system during EC2 instance creation. Configure a process on the instance to copy the logs once a day from an instance Amazon Elastic Block Store (Amazon EBS) volume to a directory in the EFS file system.
C. Add an Amazon CloudWatch agent into the AMI used in the Auto Scaling group. Configure the CloudWatch agent to send the logs to Amazon CloudWatch Logs for review.
D. Within the Auto Scaling lifecycle, add a lifecycle hook at the terminating state transition and alert the engineering team by using a lifecycle notification to Amazon Simple Notification Service (Amazon SNS). Configure the hook to remain in the Terminating:Wait state for 1 hour to allow manual review of the security logs prior to instance termination.
Question 11

A company begins to use AWS WAF after experiencing an increase in traffic to the company's public web applications. A security engineer needs to determine if the increase in traffic is because of application-layer attacks. The security engineer needs a solution to analyze AWS WAF traffic.

Which solution will meet this requirement?

Options:

A. Send AWS WAF logs to AWS CloudTrail and analyze them with OpenSearch.
B. Send AWS WAF logs to Amazon S3 and query them directly with OpenSearch.
C. Send AWS WAF logs to Amazon S3. Create an Amazon Athena table with partition projection. Use Athena to query the logs.
D. Send AWS WAF logs to AWS CloudTrail and analyze them with Amazon Athena.
Question 12

A company has an AWS account that hosts a production application. The company receives an email notification that Amazon GuardDuty has detected an Impact:IAMUser/AnomalousBehavior finding in the account. A security engineer needs to run the investigation playbook for this security incident and must collect and analyze the information without affecting the application.

Which solution will meet these requirements MOST quickly?

Options:

A. Log in to the AWS account by using read-only credentials. Review the GuardDuty finding for details about the IAM credentials that were used. Use the IAM console to add a DenyAll policy to the IAM principal.
B. Log in to the AWS account by using read-only credentials. Review the GuardDuty finding to determine which API calls initiated the finding. Use Amazon Detective to review the API calls in context.
C. Log in to the AWS account by using administrator credentials. Review the GuardDuty finding for details about the IAM credentials that were used. Use the IAM console to add a DenyAll policy to the IAM principal.
D. Log in to the AWS account by using read-only credentials. Review the GuardDuty finding to determine which API calls initiated the finding. Use AWS CloudTrail Insights and AWS CloudTrail Lake to review the API calls in context.
Question 13

A company needs the ability to identify the root cause of security findings in an AWS account. The company has enabled VPC Flow Logs, Amazon GuardDuty, and AWS CloudTrail. The company must investigate any IAM roles that are involved in the security findings and must visualize the findings.

Which solution will meet these requirements?

Options:

A. Use Amazon Detective to run investigations on the IAM roles and to visualize the findings.
B. Use Amazon Inspector to run investigations on the IAM roles and visualize the findings.
C. Export GuardDuty findings to Amazon S3 and analyze them with Amazon Athena.
D. Enable AWS Security Hub and use custom actions to investigate IAM roles.
Question 14

A company wants to establish separate AWS Key Management Service (AWS KMS) keys to use for different AWS services. The company's security engineer created the following key policy to allow the infrastructure deployment team to create encrypted Amazon Elastic Block Store (Amazon EBS) volumes by assuming the InfrastructureDeployment IAM role:

{
    "Version": "2012-10-17",
    "Id": "key-policy-ebs",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:role/aws-reserved/sso.amazonaws.com/InfrastructureDeployment"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey",
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:ViaService": "ec2.us-west-2.amazonaws.com"
                }
            }
        }
    ]
}

The security engineer recently discovered that IAM roles other than the InfrastructureDeployment role used this key for other services.

Which change to the policy should the security engineer make to resolve these issues?

Options:

A. In the statement block that contains the Sid "Allow use of the key", under the Condition block, change StringEquals to StringLike.
B. In the policy document, remove the statement block that contains the Sid "Enable IAM User Permissions". Add key management policies to the KMS policy.
C. In the statement block that contains the Sid "Allow use of the key", under the Condition block, change the kms:ViaService value to ec2.us-east-1.amazonaws.com.
D. In the policy document, add a new statement block that grants the kms:Disable* permission to the security engineer's IAM role.
Question 15

A company uses an organization in AWS Organizations to manage multiple AWS accounts. The company uses AWS IAM Identity Center to manage access to the accounts. The company uses AWS Directory Service as an identity source. Employees access the AWS console and specific AWS accounts and permissions through the AWS access portal.

A security engineer creates a new permissions set in IAM Identity Center and assigns the permissions set to one of the member accounts in the organization. The security engineer assigns the permissions set to a user group for developers named DevOps in the member account. The security engineer expects all the developers to see the new permissions set listed for the member account in the AWS access portal. All the developers except for one can see the permissions set. The security engineer must ensure that the remaining developer can see the permissions set in the AWS access portal.

Which solution will meet this requirement?

Options:

A. Add the remaining developer to the DevOps group in Directory Service.
B. Remove and then re-add the permissions set in the member account.
C. Add the service-linked role for organization to the member account.
D. Update the permissions set to allow console access for the remaining developer.
Question 16

A company runs a web application on a fleet of Amazon EC2 instances that are in an Auto Scaling group. The EC2 instances are in the same VPC subnet as other workloads.

A security engineer deploys Amazon GuardDuty and integrates it with AWS Security Hub. The security engineer needs to implement an automated solution to detect and respond to anomalous traffic patterns. The solution must follow AWS best practices for initial incident response and must minimize disruption to the web application.

Which solution will meet these requirements?

Options:

A. Disable the instance profile access keys by using AWS Lambda.
B. Remove the affected instance from the Auto Scaling group and isolate it with a restricted security group by using AWS Lambda.
C. Update the network ACL to block the detected traffic source.
D. Send GuardDuty findings to Amazon SNS for email notification.
Question 17

A security engineer received an Amazon GuardDuty alert indicating a finding involving the Amazon EC2 instance that hosts the company's primary website. The GuardDuty finding received read: UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration. The security engineer confirmed that a malicious actor used API access keys intended for the EC2 instance from a country where the company does not operate. The security engineer needs to deny access to the malicious actor.

What is the first step the security engineer should take?

Options:

A. Open the EC2 console and remove any security groups that allow inbound traffic from 0.0.0.0/0.
B. Install the AWS Systems Manager Agent on the EC2 instance and run an inventory report.
C. Install the Amazon Inspector agent on the host and run an assessment with the CVE rules package.
D. Open the IAM console and revoke all IAM sessions that are associated with the instance profile.
Question 18

A company is planning to deploy a new log analysis environment. The company needs to analyze logs from multiple AWS services in near real time. The solution must provide the ability to search the logs and must send alerts to an existing Amazon Simple Notification Service (Amazon SNS) topic when specific logs match detection rules.

Which solution will meet these requirements?

Options:

A. Analyze the logs by using Amazon OpenSearch Service. Search the logs from the OpenSearch API. Use OpenSearch Service Security Analytics to match logs with detection rules and to send alerts to the SNS topic.
B. Analyze the logs by using AWS Security Hub. Search the logs from the Findings page in Security Hub. Create custom actions to match logs with detection rules and to send alerts to the SNS topic.
C. Analyze the logs by using Amazon CloudWatch Logs. Use a subscription filter to match logs with detection rules and to send alerts to the SNS topic. Search the logs manually by using CloudWatch Logs Insights.
D. Analyze the logs by using Amazon QuickSight. Search the logs by listing the query results in a dashboard. Run queries to match logs with detection rules and to send alerts to the SNS topic.
Question 19

An application is running on an Amazon EC2 instance that has an IAM role attached. The IAM role provides access to an AWS Key Management Service (AWS KMS) customer managed key and an Amazon S3 bucket. The key is used to access 2 TB of sensitive data that is stored in the S3 bucket. A security engineer discovers a potential vulnerability on the EC2 instance that could result in the compromise of the sensitive data. Due to other critical operations, the security engineer cannot immediately shut down the EC2 instance for vulnerability patching.

What is the FASTEST way to prevent the sensitive data from being exposed?

Options:

A. Download the data from the existing S3 bucket to a new EC2 instance. Then delete the data from the S3 bucket. Re-encrypt the data with a client-based key. Upload the data to a new S3 bucket.
B. Block access to the public range of S3 endpoint IP addresses by using a host-based firewall. Ensure that internet-bound traffic from the affected EC2 instance is routed through the host-based firewall.
C. Revoke the IAM role's active session permissions. Update the S3 bucket policy to deny access to the IAM role. Remove the IAM role from the EC2 instance profile.
D. Disable the current key. Create a new KMS key that the IAM role does not have access to, and re-encrypt all the data with the new key. Schedule the compromised key for deletion.
Question 20

A security engineer needs to implement a solution to identify any sensitive data that is stored in an Amazon S3 bucket. The solution must report on sensitive data in the S3 bucket by using an existing Amazon Simple Notification Service (Amazon SNS) topic.

Which solution will meet these requirements with the LEAST implementation effort?

Options:

A. Enable AWS Config. Configure AWS Config to monitor for sensitive data in the S3 bucket and to send notifications to the SNS topic.
B. Create an AWS Lambda function to scan the S3 bucket for sensitive data that matches a pattern. Program the Lambda function to send notifications to the SNS topic.
C. Configure Amazon Macie to use managed data identifiers to identify and categorize sensitive data. Create an Amazon EventBridge rule to send notifications to the SNS topic.
D. Enable Amazon GuardDuty. Configure AWS CloudTrail S3 data events. Create an Amazon CloudWatch alarm that reacts to GuardDuty findings and sends notifications to the SNS topic.
Question 21

A company needs to deploy AWS CloudFormation templates that configure sensitive database credentials. The company already uses AWS Key Management Service (AWS KMS) and AWS Secrets Manager.

Which solution will meet the requirements?

Options:

A. Use a dynamic reference in the CloudFormation template to reference the database credentials in Secrets Manager.
B. Use encrypted parameters in the CloudFormation template.
C. Use SecureString parameters to reference Secrets Manager.
D. Use SecureString parameters encrypted by AWS KMS.
Question 22

A security engineer receives a notice about suspicious activity from a Linux-based Amazon EC2 instance that uses Amazon Elastic Block Store (Amazon EBS)-based storage. The instance is making connections to known malicious addresses.

The instance is in a development account within a VPC that is in the us-east-1 Region. The VPC contains an internet gateway and has a subnet in us-east-1a and us-east-1b. Each subnet is associated with a route table that uses the internet gateway as a default route. Each subnet also uses the default network ACL. The suspicious EC2 instance runs within the us-east-1b subnet. During an initial investigation, a security engineer discovers that the suspicious instance is the only instance that runs in the subnet.

Which response will immediately mitigate the attack and help investigate the root cause?

Options:

A. Log in to the suspicious instance and use the netstat command to identify remote connections. Use the IP addresses from these remote connections to create deny rules in the security group of the instance. Install diagnostic tools on the instance for investigation. Update the outbound network ACL for the subnet in us-east-1b to explicitly deny all connections as the first rule during the investigation of the instance.
B. Update the outbound network ACL for the subnet in us-east-1b to explicitly deny all connections as the first rule. Replace the security group with a new security group that allows connections only from a diagnostics security group. Update the outbound network ACL for the us-east-1b subnet to remove the deny all rule. Launch a new EC2 instance that has diagnostic tools. Assign the new security group to the new EC2 instance. Use the new EC2 i
C. Ensure that the Amazon Elastic Block Store (Amazon EBS) volumes that are attached to the suspicious EC2 instance will not delete upon termination. Terminate the instance. Launch a new EC2 instance in us-east-1a that has diagnostic tools. Mount the EBS volumes from the terminated instance for investigation.
D. Create an AWS WAF web ACL that denies traffic to and from the suspicious instance. Attach the AWS WAF web ACL to the instance to mitigate the attack. Log in to the instance and install diagnostic tools to investigate the instance.
Question 23

A company has a PHP-based web application that uses Amazon S3 as an object store for user files. The S3 bucket is configured for server-side encryption with Amazon S3 managed keys (SSE-S3). New requirements mandate full control of encryption keys.

Which combination of steps must a security engineer take to meet these requirements? (Select THREE.)

Options:

A. Create a new customer managed key in AWS Key Management Service (AWS KMS).
B. Change the SSE-S3 configuration on the S3 bucket to server-side encryption with customer-provided keys (SSE-C).
C. Configure the PHP SDK to use the SSE-S3 key before upload.
D. Create an AWS managed key for Amazon S3 in AWS KMS.
E. Change the SSE-S3 configuration on the S3 bucket to server-side encryption with AWS KMS managed keys (SSE-KMS).
F. Change all the S3 objects in the bucket to use the new encryption key.
Question 24

An ecommerce website was down for 1 hour following a DDoS attack. Users were unable to connect to the website during the attack period. The ecommerce company's security team is worried about future potential attacks and wants to prepare for such events. The company needs to minimize downtime in its response to similar attacks in the future.

Which steps would help achieve this? (Select TWO.)

Options:

A. Enable Amazon GuardDuty to automatically monitor for malicious activity and block unauthorized access.
B. Subscribe to AWS Shield Advanced and reach out to AWS Support in the event of an attack.
C. Use VPC Flow Logs to monitor network traffic and an AWS Lambda function to automatically block an attacker's IP using security groups.
D. Set up an Amazon EventBridge rule to monitor the AWS CloudTrail events in real time, use AWS Config rules to audit the configuration, and use AWS Systems Manager for remediation.
E. Use AWS WAF to create rules to respond to such attacks.
Question 25

A company runs ECS services behind an internet-facing ALB that is the origin for CloudFront. An AWS WAF web ACL is associated with CloudFront, but clients can bypass it by accessing the ALB directly.

Which solution will prevent direct access to the ALB?

Options:

A. Use AWS PrivateLink with the ALB.
B. Replace the ALB with an internal ALB.
C. Restrict ALB listener rules to CloudFront IP ranges.
D. Require a custom header from CloudFront and validate it at the ALB.
Question 26

A company has AWS accounts in an organization in AWS Organizations. The organization includes a dedicated security account.

All AWS account activity across all member accounts must be logged and reported to the dedicated security account. The company must retain all the activity logs in a secure storage location within the dedicated security account for 2 years. No changes or deletions of the logs are allowed.

Which combination of steps will meet these requirements with the LEAST operational overhead? (Select TWO.)

Options:

A. In the dedicated security account, create an Amazon S3 bucket. Configure S3 Object Lock in compliance mode with a retention period of 2 years. Set the bucket policy to allow the organization's management account to write to the S3 bucket.
B. In the dedicated security account, create an Amazon S3 bucket. Configure S3 Object Lock in compliance mode with a retention period of 2 years. Set the bucket policy to allow the organization's member accounts to write to the S3 bucket.
C. In the dedicated security account, create an Amazon S3 bucket with an S3 Lifecycle configuration that expires objects after 2 years. Allow member accounts to write to the bucket.
D. Create an AWS CloudTrail organization trail. Configure logs to be delivered to the Amazon S3 bucket in the dedicated security account.
E. Turn on AWS CloudTrail in each account and forward logs to the dedicated security account by using AWS Lambda and Amazon Data Firehose.
Question 27

A security engineer needs to configure DDoS protection for a Network Load Balancer (NLB) with an Elastic IP address. The security engineer wants to set up an AWS WAF web ACL with a rate-based rule statement to protect the NLB.

The security engineer needs to determine a rate limit that will not block legitimate traffic. The security engineer has configured the rule statement to aggregate based on the source IP address.

How should the security engineer configure the rule to protect the NLB?

Options:

A. Configure the rule to use the Count action.
B. Configure the rule to use the Block action.
C. Configure the rule to use the Monitor action.
D. Configure the rule to use the Allow action.
Question 28

A company is running an application in the eu-west-1 Region. The application uses an AWS Key Management Service (AWS KMS) customer managed key to encrypt sensitive data. The company plans to deploy the application in the eu-north-1 Region. A security engineer needs to implement a key management solution for the application deployment in the new Region. The security engineer must minimize changes to the application code.

Which change should the security engineer make to the AWS KMS configuration to meet these requirements?

Options:

A. Update the key policies in eu-west-1. Point the application in eu-north-1 to use the same customer managed key as the application in eu-west-1.
B. Allocate a new customer managed key to eu-north-1 to be used by the application that is deployed in that Region.
C. Allocate a new customer managed key to eu-north-1. Create the same alias name for both keys. Configure the application deployment to use the key alias.
D. Allocate a new customer managed key to eu-north-1. Create an alias for eu--1. Change the application code to point to the alias for eu--1.
Questions 29

A company runs a web application on a fleet of Amazon EC2 instances in an Auto Scaling group. Amazon GuardDuty and AWS Security Hub are enabled. The security engineer needs an automated response to anomalous traffic that follows AWS best practices and minimizes application disruption.

Which solution will meet these requirements?

Options:

A.  

Use EventBridge to disable the instance profile access keys.

B.  

Use EventBridge to invoke a Lambda function that removes the affected instance from the Auto Scaling group and isolates it with a restricted security group.

C.  

Use Security Hub to update the subnet network ACL to block traffic.

D.  

Send GuardDuty findings to Amazon SNS for email notification.

Questions 30

A company runs an online game on AWS. When players sign up for the game, their username and password credentials are stored in an Amazon Aurora database.

The number of users has grown to hundreds of thousands of players. The number of requests for password resets and login assistance has become a burden for the company's customer service team.

The company needs to implement a solution to give players another way to log in to the game. The solution must remove the burden of password resets and login assistance while securely protecting each player's credentials.

Which solution will meet these requirements?

Options:

A.  

When a new player signs up, use an AWS Lambda function to automatically create an IAM access key and a secret access key.

B.  

Migrate the player credentials from the Aurora database to AWS Secrets Manager.

C.  

Configure Amazon Cognito user pools to federate access to the game with third-party identity providers (IdPs), such as social IdPs. Migrate the game's authentication mechanism to Cognito.

D.  

Issue API keys to new and existing players and use Amazon API Gateway for authentication.

Questions 31

A company uses AWS Organizations. The company has teams that use an AWS CloudHSM hardware security module (HSM) that is hosted in a central AWS account. One of the teams creates its own new dedicated AWS account and wants to use the HSM that is hosted in the central account.

How should a security engineer share the HSM that is hosted in the central account with the new dedicated account?

Options:

A.  

Use AWS Resource Access Manager (AWS RAM) to share the VPC subnet ID of the HSM that is hosted in the central account with the new dedicated account. Configure the CloudHSM security group to accept inbound traffic from the private IP addresses of client instances in the new dedicated account.

B.  

Use AWS Identity and Access Management (IAM) to create a cross-account role to access the CloudHSM cluster that is in the central account. Create a new IAM user in the new dedicated account. Assign the cross-account role to the new IAM user.

C.  

Use AWS IAM Identity Center to create an AWS Security Token Service (AWS STS) token to authenticate from the new dedicated account to the central account. Use the cross-account permissions that are assigned to the STS token to invoke an operation on the HSM in the central account.

D.  

Use AWS Resource Access Manager (AWS RAM) to share the ID of the HSM that is hosted in the central account with the new dedicated account. Configure the CloudHSM security group to accept inbound traffic from the private IP addresses of client instances in the new dedicated account.

Questions 32

A company needs to identify the root cause of security findings and investigate IAM roles involved in those findings. The company has enabled VPC Flow Logs, Amazon GuardDuty, and AWS CloudTrail.

Which solution will meet these requirements?

Options:

A.  

Use Amazon Detective to investigate IAM roles and visualize findings.

B.  

Use Amazon Inspector and CloudWatch dashboards.

C.  

Export GuardDuty findings to S3 and analyze with Athena.

D.  

Use Security Hub custom actions to investigate IAM roles.

Questions 33

A company operates an Amazon EC2 instance that is registered as a target of a Network Load Balancer (NLB). The NLB is associated with a security group. The security group allows inbound TCP traffic on port 22 from 10.0.0.0/23.

The company maps the NLB to two subnets that share the same network ACL and route table. The route table has a route for 0.0.0.0/0 to an internet gateway. The network ACL has one inbound rule that has a priority of 20 and that allows TCP traffic on port 22 from 10.0.0.0/16.

A security engineer receives an alert that there is an unauthorized SSH session on the EC2 instance. The unauthorized session originates from 10.0.1.5. The company's incident response procedure requires unauthorized SSH sessions to be immediately interrupted. The instance must remain running, and its memory must remain intact.

Which solution will meet these requirements?

Options:

A.  

Restart the EC2 instance from either the AWS Management Console or the AWS CLI.

B.  

Add a new inbound rule that has a priority of 10 to the network ACL to deny TCP traffic on port 22 from 10.0.1.5.

C.  

Remove the security group rule that allows inbound TCP traffic on port 22 from 10.0.0.0/16.

D.  

Update the route table to remove the route to the internet gateway.
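A way to see why option B is the one that interrupts the session on the next packet, as an added example that is not part of the exam page: a small Python simulation of network ACL rule evaluation using the rule numbers, CIDRs and port from the question. The catch-all rule is modelled as number 32767, and the helper names are my own.

```python
from dataclasses import dataclass
import ipaddress

# Added example (not from the exam page): simulates how a VPC network ACL
# evaluates inbound rules. Rule numbers, CIDRs and the port are those from the
# question; the catch-all "*" rule is modelled as number 32767 and the helper
# names are my own.


@dataclass(frozen=True)
class AclRule:
    number: int      # rules are evaluated in ascending order, first match wins
    action: str      # "allow" or "deny"
    protocol: str    # "tcp", "udp", "icmp" or "-1" for all protocols
    cidr: str        # source CIDR for an inbound rule
    port_from: int
    port_to: int


CATCH_ALL = AclRule(32767, "deny", "-1", "0.0.0.0/0", 0, 65535)

# The network ACL as described: one inbound rule, number 20, allowing SSH from
# 10.0.0.0/16, followed by the catch-all deny.
BASELINE = [AclRule(20, "allow", "tcp", "10.0.0.0/16", 22, 22), CATCH_ALL]

# Option B: a deny for the single offending host at a lower number than 20.
HARDENED = [AclRule(10, "deny", "tcp", "10.0.1.5/32", 22, 22)] + BASELINE

# The same deny numbered above 20, to show why the number matters.
MISORDERED = BASELINE + [AclRule(30, "deny", "tcp", "10.0.1.5/32", 22, 22)]


def evaluate(rules, src_ip, protocol, dst_port):
    """Return (action, rule_number) of the first rule matching the packet.

    A NACL is stateless: every packet, including packets of an established TCP
    session, is checked against the list, so a new deny rule applies to the
    very next packet of the unauthorized session.
    """
    ip = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("-1", protocol):
            continue
        if ip not in ipaddress.ip_network(rule.cidr, strict=False):
            continue
        if not rule.port_from <= dst_port <= rule.port_to:
            continue
        return rule.action, rule.number
    return "deny", None  # implicit deny; never reached with a catch-all present


def ssh_session_passes(rules, src_ip):
    """True if an SSH packet from src_ip is still allowed through the NACL."""
    return evaluate(rules, src_ip, "tcp", 22)[0] == "allow"


if __name__ == "__main__":
    for name, rules in (("baseline", BASELINE), ("hardened", HARDENED),
                        ("misordered", MISORDERED)):
        print(name, "10.0.1.5 ->", evaluate(rules, "10.0.1.5", "tcp", 22),
              "| 10.0.1.6 ->", evaluate(rules, "10.0.1.6", "tcp", 22))
```

Rule 10 fires before rule 20 because numbers are evaluated in ascending order and the first match wins; the same deny numbered 30 is never reached, which is what the "priority of 10" in option B is about. Because a network ACL is stateless, the deny hits every subsequent packet of the established session without a restart, so the instance and its memory are untouched. Option C refers to a security group rule that does not exist (the rule allows 10.0.0.0/23, not /16), and a security group is stateful in any case: tracked flows are handled by connection tracking rather than re-evaluated packet by packet.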

Questions 34

A company uses an organization in AWS Organizations to manage multiple AWS accounts. The company wants to centrally give users the ability to access Amazon Q Developer.

Which solution will meet this requirement?

Options:

A.  

Enable AWS IAM Identity Center and set up Amazon Q Developer as an AWS managed application.

B.  

Enable Amazon Cognito and create a new identity pool for Amazon Q Developer.

C.  

Enable Amazon Cognito and set up Amazon Q Developer as an AWS managed application.

D.  

Enable AWS IAM Identity Center and create a new identity pool for Amazon Q Developer.

Questions 35

A company runs an application on a fleet of Amazon EC2 instances. The application is accessible to users around the world. The company associates an AWS WAF web ACL with an Application Load Balancer (ALB) that routes traffic to the EC2 instances.

A security engineer is investigating a sudden increase in traffic to the application. The security engineer discovers a significant amount of potentially malicious requests coming from hundreds of IP addresses in two countries. The security engineer wants to quickly limit the potentially malicious requests but does not want to prevent legitimate users from accessing the application.

Which solution will meet these requirements?

Options:

A.  

Use AWS WAF to implement a rate-based rule for all incoming requests.

B.  

Use AWS WAF to implement a geographical match rule to block all incoming traffic from the two countries.

C.  

Edit the ALB security group to include a geographical match rule to block all incoming traffic from the two countries.

D.  

Add deny rules to the ALB security group that prohibit incoming requests from the IP addresses.

Questions 36

A security engineer is troubleshooting an AWS Lambda function that is named MyLambdaFunction. The function is encountering an error when the function attempts to read the objects in an Amazon S3 bucket that is named DOC-EXAMPLE-BUCKET. The S3 bucket has the following bucket policy:

{
    "Effect": "Allow",
    "Principal": { "Service": "lambda.amazonaws.com" },
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
    "Condition": {
        "ArnLike": {
            "aws:SourceArn": "arn:aws:lambda:::function:MyLambdaFunction"
        }
    }
}

Which change should the security engineer make to the policy to ensure that the Lambda function can read the bucket objects?

Options:

A.  

Remove the Condition element. Change the Principal element to the following: { "AWS": "arn:aws:lambda:::function:MyLambdaFunction" }

B.  

Change the Action element to the following: [ "s3:GetObject*", "s3:GetBucket*" ]

C.  

Change the Resource element to "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*".

D.  

Change the Resource element to "arn:aws:lambda:::function:MyLambdaFunction". Change the Principal element to the following: { "Service": "s3.amazonaws.com" }
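Added example (Python, not from the exam page): a minimal model of the IAM action and resource wildcard matching that decides this question. It evaluates only Effect, Action and Resource; the Principal and Condition elements are left out. The bucket and function names are the ones in the question, the object key is made up, and the helper names are my own.

```python
import re
from typing import Optional

# Added example (not from the exam page): models IAM's Action/Resource wildcard
# matching to show why the bucket policy in the question does not authorize
# s3:GetObject. Principal and Condition are not modelled. The object key is
# invented for the example.


def iam_wildcard_match(pattern: str, value: str) -> bool:
    """IAM-style match: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


# Actions whose authorization is checked against the object ARN rather than
# the bucket ARN (a representative subset, not the full list).
OBJECT_LEVEL_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                        "s3:GetObjectVersion"}


def request_resource_arn(action: str, bucket: str, key: Optional[str]) -> str:
    """The resource ARN IAM evaluates a given S3 request against."""
    if action in OBJECT_LEVEL_ACTIONS:
        return f"arn:aws:s3:::{bucket}/{key}"
    return f"arn:aws:s3:::{bucket}"      # bucket-level, e.g. s3:ListBucket


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_allows(statement: dict, action: str, bucket: str,
                     key: Optional[str] = None) -> bool:
    """True if the statement's Action and Resource both cover the request."""
    if statement.get("Effect") != "Allow":
        return False
    target = request_resource_arn(action, bucket, key)
    action_ok = any(iam_wildcard_match(a, action)
                    for a in _as_list(statement["Action"]))
    resource_ok = any(iam_wildcard_match(r, target)
                      for r in _as_list(statement["Resource"]))
    return action_ok and resource_ok


# The statement as given in the question (Principal/Condition omitted).
ORIGINAL = {"Effect": "Allow", "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET"}

# Option B: widening the actions does nothing about the resource mismatch.
OPTION_B = {**ORIGINAL, "Action": ["s3:GetObject*", "s3:GetBucket*"]}

# Option C: object-level actions need the object ARN pattern.
OPTION_C = {**ORIGINAL, "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"}


def can_read(statement: dict, key: str = "reports/2024-01.csv") -> bool:
    """Can the function read the given object under this statement?"""
    return statement_allows(statement, "s3:GetObject", "DOC-EXAMPLE-BUCKET", key)


if __name__ == "__main__":
    for name, stmt in (("original", ORIGINAL), ("option B", OPTION_B),
                       ("option C", OPTION_C)):
        print(f"{name}: GetObject allowed = {can_read(stmt)}")
```

s3:GetObject is an object-level action, so the request is evaluated against arn:aws:s3:::DOC-EXAMPLE-BUCKET/<key>, which the bare bucket ARN never matches; the bucket ARN is the right resource only for bucket-level actions such as s3:ListBucket. Widening the Action list (option B) does not help, and a Lambda function ARN is never a valid S3 resource (option D).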

Questions 37

A company's security team wants to receive email notification from AWS about any abuse reports regarding DoS attacks. A security engineer needs to implement a solution that will provide a near-real-time alert for any abuse reports that AWS sends for the account. The security engineer already has created an Amazon Simple Notification Service (Amazon SNS) topic and has subscribed the security team's email address to the topic.

What should the security engineer do next to meet these requirements?

Options:

A.  

Use the AWS Trusted Advisor API and a scheduled Lambda function to detect AWS_ABUSE_DOS_REPORT notifications.

B.  

Create an Amazon EventBridge rule that uses AWS Health and identifies a specific event for AWS_ABUSE_DOS_REPORT. Configure the rule action to publish a message to the SNS topic.

C.  

Use the AWS Support API and a scheduled Lambda function to detect abuse report cases.

D.  

Use AWS CloudTrail logs with metric filters to detect AWS_ABUSE_DOS_REPORT events.

Questions 38

A company runs a global ecommerce website using Amazon CloudFront. The company must block traffic from specific countries to comply with data regulations.

Which solution will meet these requirements MOST cost-effectively?

Options:

A.  

Use AWS WAF IP match rules.

B.  

Use AWS WAF geo match rules.

C.  

Use CloudFront geo restriction to deny the countries.

D.  

Use geolocation headers in CloudFront.

Questions 39

A company is implementing new compliance requirements to meet customer needs. According to the new requirements, the company must not use any Amazon RDS DB instances or DB clusters that lack encryption of the underlying storage. The company needs a solution that will generate an email alert when an unencrypted DB instance or DB cluster is created. The solution also must terminate the unencrypted DB instance or DB cluster.

Which solution will meet these requirements in the MOST operationally efficient manner?

Options:

A.  

Create an AWS Config managed rule to detect unencrypted RDS storage. Configure an automatic remediation action to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic that includes an AWS Lambda function and an email delivery target as subscribers. Configure the Lambda function to delete the unencrypted resource.

B.  

Create an AWS Config managed rule to detect unencrypted RDS storage. Configure a manual remediation action to invoke an AWS Lambda function. Configure the Lambda function to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic and to delete the unencrypted resource.

C.  

Create an Amazon EventBridge rule that evaluates RDS event patterns and is initiated by the creation of DB instances or DB clusters. Configure the rule to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic that includes an AWS Lambda function and an email delivery target as subscribers. Configure the Lambda function to delete the unencrypted resource.

D.  

Create an Amazon EventBridge rule that evaluates RDS event patterns and is initiated by the creation of DB instances or DB clusters. Configure the rule to invoke an AWS Lambda function. Configure the Lambda function to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic and to delete the unencrypted resource.

Questions 40

A company uses an organization in AWS Organizations to manage its 250 member accounts. The company also uses AWS IAM Identity Center with a SAML external identity provider (IdP). IAM Identity Center has been delegated to a member account. The company's security team has access to the delegated account.

The security team has been investigating a malicious internal user who might be accessing sensitive accounts. The security team needs to know when the user logged into the organization during the last 7 days.

Which solution will quickly identify the access attempts?

Options:

A.  

In the delegated account, use Amazon CloudWatch Logs to search for events that match the user details for all successful attempts.

B.  

In each member account, use the IAM Identity Center console to search for events that match the user details for all attempts.

C.  

In the external IdP, use Amazon EventBridge to search for events that match the user details for all attempts.

D.  

In the organization's management account, use AWS CloudTrail to search for events that match the user details for all successful attempts.

Questions 41

A company is using AWS CloudTrail and Amazon CloudWatch to monitor resources in an AWS account. The company’s developers have been using an IAM role in the account for the last 3 months.

A security engineer needs to refine the customer managed IAM policy attached to the role to ensure that the role provides least privilege access.

Which solution will meet this requirement with the LEAST effort?

Options:

A.  

Implement AWS IAM Access Analyzer policy generation on the role.

B.  

Implement AWS IAM Access Analyzer policy validation on the role.

C.  

Search CloudWatch logs to determine the actions the role invoked and to evaluate the permissions.

D.  

Use AWS Trusted Advisor to compare the policies assigned to the role against AWS best practices.
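Added example (Python, not from the exam page and not Access Analyzer's code), showing what policy generation does with the CloudTrail activity it reads: keep the successful calls made with the role, translate eventSource/eventName into IAM actions, and group them per service into an Allow statement. The role ARN, account ID and the log records are constructed for the example, as are the helper names.

```python
from collections import defaultdict

# Added example (not from the exam page and not Access Analyzer's code): the
# essence of IAM Access Analyzer policy generation, reduced to show what the
# generated policy is based on. The role ARN, account ID and the CloudTrail
# records are constructed.

ROLE_ARN = "arn:aws:iam::123456789012:role/DevRole"

# eventSource/eventName do not always map 1:1 onto IAM action names; this is a
# small table of known exceptions to extend as you meet more.
ACTION_OVERRIDES = {
    ("s3", "ListBuckets"): "s3:ListAllMyBuckets",
}
SERVICE_PREFIX = {"monitoring": "cloudwatch"}   # eventSource host -> IAM prefix


def iam_action(record: dict) -> str:
    """Translate a CloudTrail record into the IAM action it exercised."""
    svc = record["eventSource"].split(".")[0]    # "s3.amazonaws.com" -> "s3"
    name = record["eventName"]
    if (svc, name) in ACTION_OVERRIDES:
        return ACTION_OVERRIDES[(svc, name)]
    return f"{SERVICE_PREFIX.get(svc, svc)}:{name}"


def made_by_role(record: dict, role_arn: str) -> bool:
    """Assumed-role sessions carry the role ARN in sessionIssuer."""
    issuer = (record.get("userIdentity", {}).get("sessionContext", {})
              .get("sessionIssuer", {}))
    return issuer.get("arn") == role_arn


def used_actions(records, role_arn: str):
    """Successful calls only: a denied call shows intent, not a needed permission."""
    return sorted({iam_action(r) for r in records
                   if made_by_role(r, role_arn) and "errorCode" not in r})


def generate_policy(records, role_arn: str) -> dict:
    """Build a least-privilege policy document with one statement per service."""
    by_service = defaultdict(list)
    for action in used_actions(records, role_arn):
        by_service[action.split(":")[0]].append(action)
    statements = [
        {"Sid": f"{svc.capitalize()}Access", "Effect": "Allow",
         "Action": actions,
         # Access Analyzer narrows Resource for services it supports; scope
         # this by hand before attaching the policy.
         "Resource": "*"}
        for svc, actions in sorted(by_service.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}


def _rec(source, name, role=ROLE_ARN, error=None):
    """Constructed CloudTrail record with only the fields this example uses."""
    r = {"eventSource": source, "eventName": name,
         "userIdentity": {"type": "AssumedRole",
                          "sessionContext": {"sessionIssuer": {"arn": role}}}}
    if error:
        r["errorCode"] = error
    return r


SAMPLE_RECORDS = [
    _rec("s3.amazonaws.com", "GetObject"),          # data event; needs data-event logging
    _rec("s3.amazonaws.com", "ListBuckets"),        # IAM action is s3:ListAllMyBuckets
    _rec("dynamodb.amazonaws.com", "GetItem"),
    _rec("logs.amazonaws.com", "DescribeLogGroups"),
    _rec("iam.amazonaws.com", "CreateUser", error="AccessDenied"),      # excluded
    _rec("ec2.amazonaws.com", "DescribeInstances",
         role="arn:aws:iam::123456789012:role/OtherRole"),               # excluded
]

if __name__ == "__main__":
    import json
    print(json.dumps(generate_policy(SAMPLE_RECORDS, ROLE_ARN), indent=2))
```

CloudTrail logs management events by default; data-plane calls such as s3:GetObject appear only if data events are logged for the bucket, so a policy generated from management events alone can miss them. The example leaves Resource as "*" and expects you to scope it; Access Analyzer does that for the services it supports.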

Questions 42

A company has the following security policy for its Amazon Aurora MySQL databases for a single AWS account:

• Database storage must be encrypted at rest.

• Deletion protection must be enabled.

• Databases must not be publicly accessible.

• Database audit logs must be published to Amazon CloudWatch Logs.

A security engineer must implement a solution that continuously monitors all Aurora MySQL resources for compliance with this policy. The solution must be able to display a database's compliance state for each part of the policy at any time.

Which solution will meet these requirements?

Options:

A.  

Enable AWS Audit Manager. Configure Audit Manager to use a custom framework that matches the security requirements. Create an assessment report to view the compliance state.

B.  

Enable AWS Config. Implement AWS Config managed rules that monitor all Aurora MySQL resources for the security requirements. View the compliance state in the AWS Config dashboard.

C.  

Enable AWS Security Hub. Create a configuration policy that includes the security requirements. Apply the configuration policy to all Aurora MySQL resources. View the compliance state in Security Hub.

D.  

Create an Amazon EventBridge rule that runs when an Aurora MySQL resource is created or modified. Create an AWS Lambda function to verify the security requirements and to send the compliance state to a CloudWatch custom metric.
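Added example (Python, not from the exam page and not AWS Config's code): the four policy lines evaluated as separate checks over Aurora cluster configuration items, one result per check, which is the per-line compliance view the managed-rule approach gives. The docstring of each check names the Config managed rule that covers it. The cluster descriptions are constructed, with the instance-level PubliclyAccessible flag folded into the cluster member entries for the example.

```python
# Added example (not from the exam page and not AWS Config's code): the four
# policy points evaluated as separate checks, one result per check. The cluster
# descriptions below are constructed; their shape loosely follows
# DescribeDBClusters output with the instance-level PubliclyAccessible flag
# folded into the member list.


def storage_encrypted(cluster: dict) -> bool:
    """Managed rule: rds-storage-encrypted."""
    return cluster.get("StorageEncrypted") is True


def deletion_protection(cluster: dict) -> bool:
    """Managed rule: rds-cluster-deletion-protection-enabled."""
    return cluster.get("DeletionProtection") is True


def not_publicly_accessible(cluster: dict) -> bool:
    """Managed rule: rds-instance-public-access-check (evaluated per instance,
    because PubliclyAccessible is a DB instance attribute)."""
    members = cluster.get("DBClusterMembers", [])
    return bool(members) and not any(m.get("PubliclyAccessible") for m in members)


def audit_logs_exported(cluster: dict) -> bool:
    """Managed rule: rds-logging-enabled. Aurora MySQL publishes its audit log
    to CloudWatch Logs when "audit" is in the cluster's log exports."""
    return "audit" in cluster.get("EnabledCloudwatchLogsExports", [])


CHECKS = {
    "storage-encrypted": storage_encrypted,
    "deletion-protection": deletion_protection,
    "not-publicly-accessible": not_publicly_accessible,
    "audit-logs-to-cloudwatch": audit_logs_exported,
}


def evaluate_cluster(cluster: dict) -> dict:
    """One compliance result per policy line, like Config's per-rule view."""
    return {name: ("COMPLIANT" if check(cluster) else "NON_COMPLIANT")
            for name, check in CHECKS.items()}


def evaluate_all(clusters, engine: str = "aurora-mysql") -> dict:
    """Scope matches the policy: Aurora MySQL clusters only."""
    return {c["DBClusterIdentifier"]: evaluate_cluster(c)
            for c in clusters if c.get("Engine") == engine}


# Constructed configuration items.
CLUSTERS = [
    {"DBClusterIdentifier": "games-prod", "Engine": "aurora-mysql",
     "StorageEncrypted": True, "DeletionProtection": True,
     "EnabledCloudwatchLogsExports": ["audit", "error"],
     "DBClusterMembers": [
         {"DBInstanceIdentifier": "games-prod-1", "PubliclyAccessible": False},
         {"DBInstanceIdentifier": "games-prod-2", "PubliclyAccessible": False}]},
    {"DBClusterIdentifier": "games-dev", "Engine": "aurora-mysql",
     "StorageEncrypted": False, "DeletionProtection": False,
     "EnabledCloudwatchLogsExports": ["error"],
     "DBClusterMembers": [
         {"DBInstanceIdentifier": "games-dev-1", "PubliclyAccessible": True}]},
    {"DBClusterIdentifier": "analytics-pg", "Engine": "aurora-postgresql",
     "StorageEncrypted": True, "DeletionProtection": True,
     "EnabledCloudwatchLogsExports": ["postgresql"],
     "DBClusterMembers": [
         {"DBInstanceIdentifier": "analytics-pg-1", "PubliclyAccessible": False}]},
]

if __name__ == "__main__":
    for ident, result in evaluate_all(CLUSTERS).items():
        print(ident, result)
```

Each check stands on its own, so a cluster that is encrypted but lacks the audit log export shows as compliant on one line and non-compliant on another, which is the state the question asks to display. Config re-evaluates on each configuration change, so the view stays current without a custom EventBridge/Lambda pipeline.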

Questions 43

A security engineer is responding to an incident that is affecting an AWS account. The ID of the account is 123456789012. The attack created workloads that are distributed across multiple AWS Regions.

The security engineer contains the attack and removes all compute and storage resources from all affected Regions. However, the attacker also created an AWS KMS key. The key policy on the KMS key explicitly allows IAM principal kms:* permissions.

The key was scheduled to be deleted the previous day. However, the key is still enabled and usable. The key has an ARN of

arn:aws:kms:us-east-2:123456789012:key/mrk-0bb0212cd9864fdea0dcamzo26efb5670.

The security engineer must delete the key as quickly as possible.

Which solution will meet this requirement?

Options:

A.  

Log in to the account by using the account root user credentials. Re-issue the deletion request for the KMS key with a waiting period of 7 days.

B.  

Identify the other Regions where the KMS key ID is present and schedule the key for deletion in 7 days.

C.  

Update the IAM principal to allow kms:* permissions on the KMS key ARN. Re-issue the deletion request for the KMS key with a waiting period of 7 days.

D.  

Disable the KMS key. Re-issue the deletion request for the KMS key in 30 days.

Questions 44

A company runs a public web application on Amazon EKS behind Amazon CloudFront and an Application Load Balancer (ALB). A security engineer must send a notification to an existing Amazon SNS topic when the application receives 10,000 requests from the same end-user IP address within any 5-minute period.

Which solution will meet these requirements?

Options:

A.  

Configure CloudFront standard logging and CloudWatch Logs metric filters.

B.  

Configure VPC Flow Logs and CloudWatch Logs metric filters.

C.  

Configure an AWS WAF web ACL with an ASN match rule and CloudWatch alarms.

D.  

Configure an AWS WAF web ACL with a rate-based rule. Associate it with CloudFront. Create a CloudWatch alarm to notify SNS.
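Added example (Python, not from the exam page and not AWS WAF's implementation), serving this question and question 35: a per-client-IP sliding-window counter of the kind a rate-based rule applies, run over constructed access log lines. The threshold is lowered from 10,000 to 5 so the behaviour shows in a handful of lines; the log format and the addresses are invented for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example (not from the exam page, not AWS WAF's implementation): a
# sliding-window request counter per client IP. Log format, addresses and
# timestamps are constructed for the example.

WINDOW = timedelta(minutes=5)


def parse_line(line: str):
    """Constructed format: '<date> <time> <client-ip> <method> <uri> <status>'."""
    date, time, ip, _method, _uri, _status = line.split()
    return datetime.fromisoformat(f"{date}T{time}"), ip


class RateTracker:
    """Counts requests per IP inside a trailing window; lines must be in time order."""

    def __init__(self, limit: int, window: timedelta = WINDOW):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)   # ip -> timestamps still inside the window
        self.exceeded = {}                # ip -> first timestamp the limit was reached

    def observe(self, ts: datetime, ip: str) -> int:
        q = self._hits[ip]
        q.append(ts)
        while q and ts - q[0] >= self.window:   # drop hits that fell out of the window
            q.popleft()
        if len(q) >= self.limit and ip not in self.exceeded:
            self.exceeded[ip] = ts
        return len(q)


def find_offenders(lines, limit: int) -> dict:
    """Return {ip: first time it reached `limit` requests in WINDOW}."""
    tracker = RateTracker(limit)
    for line in lines:
        ts, ip = parse_line(line)
        tracker.observe(ts, ip)
    return tracker.exceeded


# Constructed log lines: 203.0.113.7 bursts, 198.51.100.2 is a normal user,
# 192.0.2.9 sends one request every five minutes and never accumulates.
LOG_LINES = [
    "2024-03-01 10:00:00 203.0.113.7 GET /login 200",
    "2024-03-01 10:00:05 198.51.100.2 GET / 200",
    "2024-03-01 10:00:10 203.0.113.7 GET /login 200",
    "2024-03-01 10:00:20 192.0.2.9 GET / 200",
    "2024-03-01 10:00:30 203.0.113.7 GET /login 200",
    "2024-03-01 10:01:00 203.0.113.7 GET /login 200",
    "2024-03-01 10:01:30 198.51.100.2 GET /cart 200",
    "2024-03-01 10:02:00 203.0.113.7 GET /login 200",   # fifth hit inside five minutes
    "2024-03-01 10:05:20 192.0.2.9 GET / 200",
    "2024-03-01 10:10:20 192.0.2.9 GET / 200",
    "2024-03-01 10:15:20 192.0.2.9 GET / 200",
    "2024-03-01 10:20:20 192.0.2.9 GET / 200",
    "2024-03-01 10:20:30 198.51.100.2 GET /checkout 200",
]

if __name__ == "__main__":
    for ip, first in find_offenders(LOG_LINES, limit=5).items():
        print(f"{ip} reached the limit at {first.isoformat()}")
```

Associating the web ACL with the CloudFront distribution matters here: a web ACL on the ALB behind CloudFront sees the CloudFront edge addresses as the source, and the per-IP count would have to rely on the rule's forwarded-IP (X-Forwarded-For) configuration instead. With the CloudFront association in place, the rule's blocked-request metric can be alarmed on in CloudWatch and the alarm action pointed at the existing SNS topic, which is also why an IP-based rate rule, not the geographic block of question 35's option B, is what limits a burst from many addresses without cutting off legitimate users.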

Questions 45

A company has decided to move its fleet of Linux-based web server instances to an Amazon EC2 Auto Scaling group. Currently, the instances are static and are launched manually. When an administrator needs to view log files, the administrator uses SSH to establish a connection to the instances and retrieves the logs manually.

The company often needs to query the logs to produce results about application sessions and user issues. The company does not want its new automatically scaling architecture to result in the loss of any log files when instances are scaled in.

Which combination of steps should a security engineer take to meet these requirements MOST cost-effectively? (Select TWO.)

Options:

A.  

Configure a cron job on the instances to forward the log files to Amazon S3 periodically.

B.  

Configure AWS Glue and Amazon Athena to query the log files.

C.  

Configure the Amazon CloudWatch agent on the instances to forward the logs to Amazon CloudWatch Logs.

D.  

Configure Amazon CloudWatch Logs Insights to query the log files.

E.  

Configure the instances to write the logs to an Amazon Elastic File System (Amazon EFS) volume.

Questions 46

A company's security team wants to receive near-real-time email notifications about AWS abuse reports related to DoS attacks. An Amazon SNS topic already exists and is subscribed to by the security team.

What should the security engineer do next?

Options:

A.  

Poll Trusted Advisor for abuse notifications by using a Lambda function.

B.  

Create an Amazon EventBridge rule that matches AWS Health events for AWS_ABUSE_DOS_REPORT and publishes to SNS.

C.  

Poll the AWS Support API for abuse cases by using a Lambda function.

D.  

Detect abuse reports by using CloudTrail logs and CloudWatch alarms.
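Added example (Python, not from the exam page and not AWS code) covering this question and question 37: the EventBridge rule pattern for AWS_ABUSE_DOS_REPORT alongside a small re-implementation of EventBridge's basic pattern matching, so the pattern can be exercised against sample events offline. The detail-type string and the detail field names follow the AWS Health event format as I recall it; confirm them against an event in your own account before deploying. The sample events and the helper names are constructed.

```python
# Added example (not from the exam page and not AWS code): an EventBridge rule
# pattern for AWS Health abuse reports plus a minimal matcher implementing the
# pattern semantics used here: every pattern key must exist in the event, a
# leaf pattern is a list of acceptable values or a {"prefix": ...} matcher,
# nested objects recurse, and an event field that is itself a list matches if
# any element does. The detail-type and field names are from memory of the
# AWS Health event format; the sample events are constructed.

ABUSE_DOS_RULE = {
    "source": ["aws.health"],
    "detail-type": ["AWS Health Abuse Event"],
    "detail": {
        "service": ["ABUSE"],
        "eventTypeCode": ["AWS_ABUSE_DOS_REPORT"],
    },
}


def _leaf_matches(alternative, actual) -> bool:
    if isinstance(alternative, dict) and "prefix" in alternative:
        return isinstance(actual, str) and actual.startswith(alternative["prefix"])
    return alternative == actual


def matches(pattern: dict, event: dict) -> bool:
    """True if every key of the pattern is satisfied by the event."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif isinstance(expected, list):
            values = actual if isinstance(actual, list) else [actual]
            if not any(_leaf_matches(alt, v) for alt in expected for v in values):
                return False
        else:
            raise ValueError("pattern leaves must be lists")
    return True


def should_notify(event: dict) -> bool:
    """The rule's decision: publish to the SNS topic only for DoS abuse reports."""
    return matches(ABUSE_DOS_RULE, event)


def sns_message(event: dict) -> str:
    """Plain-text body for the email subscription."""
    d = event["detail"]
    resources = ", ".join(event.get("resources", [])) or "n/a"
    return (f"AWS abuse report {d['eventTypeCode']} for account {event['account']}; "
            f"status {d.get('statusCode', 'unknown')}; resources: {resources}")


# Constructed sample events.
DOS_REPORT = {
    "version": "0", "id": "constructed-event-id-0001",
    "detail-type": "AWS Health Abuse Event", "source": "aws.health",
    "account": "123456789012", "time": "2024-03-01T10:02:00Z", "region": "global",
    "resources": ["i-0123456789abcdef0"],
    "detail": {"service": "ABUSE", "eventTypeCode": "AWS_ABUSE_DOS_REPORT",
               "eventTypeCategory": "issue", "statusCode": "open"},
}
SCHEDULED_EC2 = {
    "detail-type": "AWS Health Event", "source": "aws.health",
    "account": "123456789012", "resources": ["i-0123456789abcdef0"],
    "detail": {"service": "EC2",
               "eventTypeCode": "AWS_EC2_INSTANCE_REBOOT_MAINTENANCE_SCHEDULED",
               "eventTypeCategory": "scheduledChange"},
}
GUARDDUTY_FINDING = {
    "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
    "account": "123456789012", "detail": {"severity": 8, "type": "constructed"},
}

if __name__ == "__main__":
    for ev in (DOS_REPORT, SCHEDULED_EC2, GUARDDUTY_FINDING):
        print(ev["source"], ev["detail-type"], "->", should_notify(ev))
```

Polling Trusted Advisor or the Support API (options A and C) adds latency equal to the schedule interval; the AWS Health event arrives on the default event bus as AWS emits it, which is what makes the EventBridge rule the near-real-time path.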

Questions 47

A security engineer wants to forward custom application-security logs from an Amazon EC2 instance to Amazon CloudWatch. The security engineer installs the CloudWatch agent on the EC2 instance and adds the path of the logs to the CloudWatch configuration file.

However, CloudWatch does not receive the logs. The security engineer verifies that the awslogs service is running on the EC2 instance.

What should the security engineer do next to resolve the issue?

Options:

A.  

Add AWS CloudTrail to the trust policy of the EC2 instance. Send the custom logs to CloudTrail instead of CloudWatch.

B.  

Add Amazon S3 to the trust policy of the EC2 instance. Configure the application to write the custom logs to an S3 bucket that CloudWatch can use to ingest the logs.

C.  

Add Amazon Inspector to the trust policy of the EC2 instance. Use Amazon Inspector instead of the CloudWatch agent to collect the custom logs.

D.  

Attach the CloudWatchAgentServerPolicy AWS managed policy to the EC2 instance role.

Questions 48

A company has a single AWS account and uses an Amazon EC2 instance to test application code. The company recently discovered that the instance was compromised and was serving malware. Analysis showed that the instance was compromised 35 days ago. A security engineer must implement a continuous monitoring solution that automatically notifies the security team by email for high severity findings as soon as possible.

Which combination of steps should the security engineer take to meet these requirements? (Select THREE.)

Options:

A.  

Enable AWS Security Hub in the AWS account.

B.  

Enable Amazon GuardDuty in the AWS account.

C.  

Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team's email distribution list to the topic.

D.  

Create an Amazon Simple Queue Service (Amazon SQS) queue. Subscribe the security team's email distribution list to the queue.

E.  

Create an Amazon EventBridge rule for GuardDuty findings of high severity. Configure the rule to publish a message to the topic.

F.  

Create an Amazon EventBridge rule for Security Hub findings of high severity. Configure the rule to publish a message to the queue.

Questions 49

A security administrator is setting up a new AWS account. The security administrator wants to secure the data that a company stores in an Amazon S3 bucket. The security administrator also wants to reduce the chance of unintended data exposure and the potential for misconfiguration of objects that are in the S3 bucket.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

A.  

Configure the S3 Block Public Access feature for the AWS account.

B.  

Configure the S3 Block Public Access feature for all objects that are in the bucket.

C.  

Deactivate ACLs for objects that are in the bucket.

D.  

Use AWS PrivateLink for Amazon S3 to access the bucket.

Questions 50

A security engineer wants to evaluate configuration changes to a specific AWS resource to ensure that the resource meets compliance standards. However, the security engineer is concerned about a situation in which several configuration changes are made to the resource in quick succession. The security engineer wants to record only the latest configuration of that resource to indicate the cumulative impact of the set of changes.

Which solution will meet this requirement in the MOST operationally efficient way?

Options:

A.  

Use AWS CloudTrail to detect the configuration changes by filtering API calls to monitor the changes. Use the most recent API call to indicate the cumulative impact of multiple calls.

B.  

Use AWS Config to detect the configuration changes and to record the latest configuration in case of multiple configuration changes.

C.  

Use Amazon CloudWatch to detect the configuration changes by filtering API calls to monitor the changes. Use the most recent API call to indicate the cumulative impact of multiple calls.

D.  

Use AWS Cloud Map to detect the configuration changes. Generate a report of configuration changes from AWS Cloud Map to track the latest state by using a sliding time window.

Questions 51

A security engineer needs to implement a logging solution that captures detailed information about objects in an Amazon S3 bucket. The solution must include details such as the IAM identity that makes the request and the time the object was accessed. The data must be structured and available in near real time.

Which solution meets these requirements?

Options:

A.  

Enable Amazon S3 server access logging on the S3 bucket. Create a new S3 bucket to store the logs. Analyze the logs from the logging S3 bucket.

B.  

Enable AWS CloudTrail data event logging. Create a new S3 bucket to store the logs. Analyze the logs from the logging S3 bucket.

C.  

Configure AWS Config rules to log access to the objects stored in the S3 bucket.

D.  

Enable Amazon Macie to log access to the objects stored in the S3 bucket.

Questions 52

Notify when IAM roles are modified.

Options:

A.  

Use Amazon Detective.

B.  

Use EventBridge with CloudTrail events.

C.  

Use CloudWatch metric filters.

D.  

Use CloudWatch subscription filters.

Questions 53

A company is developing an application that runs across a combination of Amazon EC2 On-Demand Instances and Spot Instances. A security engineer needs to provide a logging solution that makes logs for all instances available from a single location. The solution must allow only a specific set of users to analyze the logs for event patterns. The users must be able to use SQL queries on the logs to perform root cause analysis.

Which solution will meet these requirements?

Options:

A.  

Configure the EC2 instances to send application logs to a single Amazon CloudWatch Logs log group. Allow only specific users to access the log group. Use CloudWatch Logs Insights to query the log group.

B.  

Configure the EC2 instances to send application logs to a single Amazon S3 bucket. Allow only specific users to access the S3 bucket. Use Amazon CloudWatch Logs Insights to query the log files in the S3 bucket.

C.  

Configure each EC2 instance to send its application logs to its own specific Amazon CloudWatch Logs log group. Allow only specific users to access the log groups. Use Amazon Athena to query all the log groups.

D.  

Configure the EC2 instances to send application logs to a single Amazon CloudWatch Logs log group. Grant Amazon Detective access to the log group. Allow only specific users to use Detective to analyze the logs.
