SCS-C01 Practice Exam Questions with Answers AWS Certified Security - Specialty Certification

Digitized files -> Amazon Kinesis Data Analytics

Digitized files -> Amazon Kinesis Data Firehose -> Amazon S3 -> Amazon Athena

Digitized files -> Amazon Kinesis Data Streams -> Kinesis Client Library consumer -> Amazon S3 -> Athena

Digitized files -> Amazon Kinesis Data Firehose -> Amazon Elasticsearch

Enable automatic key rotation annually for the CMK.

Use IAM Command Line Interface to create an IAM Lambda function to rotate the existing CMK annually.

Import new key material to the existing CMK and manually rotate the CMK.

Create a new CMK, import new key material to it, and point the key alias to the new CMK.

Create a VPC endpoint for DynamoDB within a VPC. Configure the Lambda function to access resources in the VPC.

Create a resource policy that grants the Lambda function permissions to write to the DynamoDB table. Attach the poll to the DynamoDB table.

Create an IAM user with permissions to write to the DynamoDB table. Store an access key for that user in the Lambda environment variables.

Create an IAM service role with permissions to write to the DynamoDB table. Associate that role with the Lambda function.

Change the root account password.

Rotate all IAM access keys

Keep all resources running to avoid disruption

Change the password for all IAM users.

Copy the application’s IAM KMS CMK from the source region to the target region so that it can be used to decrypt the resource after it is copied to the target region.

Configure IAM KMS to automatically synchronize the CMK between regions so that it can be used to decrypt the resource in the target region.

Use IAM services that replicate data across regions, and re-wrap the data encryption key created in the source region by using the CMK in the target region so that the target region’s CMK can decrypt the database encryption key.

Configure the target region’s IAM service to communicate with the source region’s IAM KMS so that it can decrypt the resource in the target region.

Turn on Cloud trail and carry out the penetration test

Turn on VPC Flow Logs and carry out the penetration test

Submit a request to IAM Support

Use a custom IAM Marketplace solution for conducting the penetration test

Create a rule in IAM WAF rules with conditions that block requests based on the presence of ExampleGame/1.22 in the User-Agent header

Create a geographic restriction on the CloudFront distribution to prevent access to the application from most geographic regions

Create a rate-based rule in IAM WAF to limit the total number of requests that the web application services.

Create an IP-based blacklist in IAM WAF to block the IP addresses that are originating from requests that contain ExampleGame/1.22 in the User-Agent header.

Create a scheduled process to copy the component’s logs into Amazon S3. Use S3 events to trigger a Lambda function that updates Amazon CloudWatch metrics with the log data. Set up CloudWatch alerts based on the metrics.

Install and configure the Amazon CloudWatch Logs agent on the application’s EC2 instance. Create a CloudWatch metric filter to monitor the application logs. Set up CloudWatch alerts based on the metrics.

Create a scheduled process to copy the application log files to IAM CloudTrail. Use S3 events to trigger Lambda functions that update CloudWatch metrics with the log data. Set up CloudWatch alerts based on the metrics.

Create a file watcher that copies data to Amazon Kinesis when the application writes to the log file. Have Kinesis trigger a Lambda function to update Amazon CloudWatch metrics with the log data. Set up CloudWatch alerts based on the metrics.

Bypass the proxy and use an S3 VPC endpoint with a policy that whitelists only certain S3 buckets within Account 1.

Block outbound access to public S3 endpoints on the proxy server.

Configure Network ACLs on Server X to deny access to S3 endpoints.

Modify the S3 bucket policy for the legitimate bucket to allow access only from the public IP addresses associated with the application server.

Remove the IAM instance role from the application server and save API access keys in a trusted and encrypted application config file.

Add a statement to the IAM policy used by the application to allow logs:putLogEvents and logs:createLogStream

Modify the IAM role used by the application by adding the CloudWatchFullAccess managed policy.

Add a statement to the IAM policy used by the application to allow cloudwatch:putMetricData.

Add a trust relationship to the IAM role used by the application for cloudwatch.amazonIAM.com.

Conduct an audit on a yearly basis

Conduct an audit if application instances have been added to your account

Conduct an audit if you ever suspect that an unauthorized person might have accessed your account

Whenever there are changes in your organization

Application Load Balancers do not support older web browsers.

The Perfect Forward Secrecy settings are not configured correctly.

The intermediate certificate is installed within the Application Load Balancer.

The cipher suites on the Application Load Balancers are blocking connections.

Use security groups to provide stateful firewalls for Amazon EC2 instances at the hypervisor level.

Use network ACLs to provide stateful firewalls at the VPC level to prevent access to any specific IAM resource.

Use IAM Direct Connect for secure trusted connections between EC2 instances within private subnets.

Design network security in a single layer within the perimeter network (also known as DMZ, demilitarized zone, and screened subnet) to facilitate quicker responses to threats.

Stream the log files to a separate Cloudtrail trail

Stream the log files to a separate Cloudwatch Log group

Create an IAM policy that gives the desired level of access to the Cloudtrail trail

Create an IAM policy that gives the desired level of access to the Cloudwatch Log group

Server-side encryption with Amazon S3-managed keys (SSE-S3)

Server-side encryption with IAM KMS-managed keys (SSE-KMS)

Server-side encryption with customer-provided keys (SSE-C)

Client-side encryption with an IAM KMS-managed CMK

Disable the use of the root user account at the organizational root. Enable multi-factor authentication of the root user account for each organizational member account.

Configure IAM user policies to restrict root account capabilities for each Organizations member account.

Create an organizational unit (OU) in Organizations with a service control policy that controls usage of the root user. Add all operational accounts to the new OU.

Configure IAM CloudTrail to integrate with Amazon CloudWatch Logs and then create a metric filter for RootAccountUsage.

Create a new database field “suspended_status” and modify the application logic to validate that field when processing requests.

Add suspended customers to second Cognito user pool and update the application login flow to check both user pools.

Use Amazon Cognito Sync to push out a “suspension_status” parameter and split the lAM policy into normal users and suspended users.

Move suspended customers to a second Cognito group and define an appropriate IAM access policy for the group.

Amazon Cognito

AssumeRoleWithWebIdentity API

Amazon Cloud Directory

Active Directory (AD) Connector

Read the IAM Customer Agreement.

Use IAM Artifact to access IAM compliance reports.

Post the question on the IAM Discussion Forums.

Run IAM Config and evaluate the configuration outputs.

Use KMS grants to manage key access. Programmatically create and revoke grants to manage vendor access.

Use an IAM role to manage key access. Programmatically update the IAM role policies to manage vendor access.

Use KMS key policies to manage key access. Programmatically update the KMS key policies to manage vendor access.

Use delegated access across IAM accounts by using IAM roles to manage key access. Programmatically update the IAM trust policy to manage cross-account vendor access.

Create a new S3 bucket in a separate IAM account for centralized storage of CloudTrail logs, and enable “Log File Validation” on all trails.

Use an existing S3 bucket in one of the accounts, apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the "s3: PutObject" action and the "s3 GetBucketACL" action, and specify the appropriate resource ARNs for the CloudTrail trails.

Apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the "s3 PutObject" action and the "s3 GelBucketACL" action, and specify the appropriate resource ARNs for the CloudTrail trails.

Use unique log file prefixes for trails in each IAM account.

Configure CloudTrail in the centralized account to log all accounts to the new centralized S3 bucket.

Enable encryption of the log files by using IAM Key Management Service

Create an Amazon CloudWatch metric filter that looks for API call error codes and then implement an alarm based on that metric’s rate.

Configure IAM CloudTrail to stream event data to Amazon Kinesis. Configure an IAM Lambda function on the stream to alarm when the threshold has been exceeded.

Run an Amazon Athena SQL query against CloudTrail log files. Use Amazon QuickSight to create an operational dashboard.

Use the Amazon Personal Health Dashboard to monitor the account’s use of IAM services, and raise an alert if service error rates increase.

Use IAM Certificate Manager to request a certificate. Use that certificate to encrypt data prior to uploading it to DynamoDB.

Enable S3 server-side encryption with the customer-provided keys. Upload the data to Amazon S3, and then use S3Copy to move all data to DynamoDB

Create a KMS master key. Generate per-record data keys and use them to encrypt data prior to uploading it to DynamoDS. Dispose of the cleartext and encrypted data keys after encryption without storing.

Use the DynamoDB Java encryption client to encrypt data prior to uploading it to DynamoDB.

Use a filter in IAM CloudTrail to exclude the IP addresses of the Security team’s EC2 instances.

Add the Elastic IP addresses of the Security team’s EC2 instances to a trusted IP list in Amazon GuardDuty.

Install the Amazon Inspector agent on the EC2 instances that the Security team uses.

Grant the Security team’s EC2 instances a role with permissions to call Amazon GuardDuty API operations.

Ensure that file permissions for monitored files that allow the CloudWatch Logs agent to read the file have not been modified.

Verify that the OS Log rotation rules are compatible with the configuration requirements for agent streaming.

Configure an Amazon Kinesis producer to first put the logs into Amazon Kinesis Streams.

Create a CloudWatch Logs metric to isolate a value that changes at least once during the period before logging stops.

Use IAM CloudFormation to dynamically create and maintain the configuration file for the CloudWatch Logs agent.

All principals from all IAM accounts to use the key.

Only the root user from account 111122223333 to use the key.

All principals from account 111122223333 to use the key but only on Amazon S3.

Only principals from account 111122223333 that have an IAM policy applied that grants access to this key to use the key.

Move all the files to an Amazon S3 bucket. Have the web server serve the files from the S3 bucket.

Launch a second Amazon EC2 instance in a new subnet. Launch an Application Load Balancer in front of both instances.

Launch an Application Load Balancer in front of the EC2 instance. Create an Amazon CloudFront distribution in front of the Application Load Balancer.

Move all the files to an Amazon S3 bucket. Create a CloudFront distribution in front of the bucket and terminate the web server.

Call the abort-vault-lock operation, fix the typo, and call the initiate-vault-lock again.

Copy the vault data to Amazon S3, delete the vault, and create a new vault with the data.

Update the policy, keeping the vault lock in place.

Update the policy and call initiate-vault-lock again to apply the new policy.

Detach the elastic network interface from the EC2 instance.

Initiate an Amazon Elastic Block Store volume snapshot of all volumes on the EC2 instance.

Disable any Amazon Route 53 health checks associated with the EC2 instance.

De-register the EC2 instance from the ALB and detach it from the Auto Scaling group.

Attach a security group that has restrictive ingress and egress rules to the EC2 instance.

Add a rule to an IAM WAF to block access to the EC2 instance.

Delete the IAM keys for the root account

Create IAM Groups

Create IAM Roles

Restrict access using IAM policies

Update the key policies in eu-west-1. Point the application in eu-north-1 to use the same CMK as the application in eu-west-1.

Allocate a new CMK to eu-north-1 to be used by the application that is deployed in that Region.

Allocate a new CMK to eu-north-1. Create the same alias name for both keys. Configure the application deployment to use the key alias.

Allocate a new CMK to eu-north-1. Create an alias for eu-'-1. Change the application code to point to the alias for eu-'-1.

Configure the Amazon inspector agent to use the CVE rule package

Configure the Amazon Inspector agent to use the CVE rule package Configure Security Hub to ingest from IAM inspector by writing a custom resource policy

Configure the Security Hub agent to use the CVE rule package Configure IAM Inspector lo ingest from Security Hub by writing a custom resource policy

Configure the Amazon Inspector agent to use the CVE rule package Install an additional Integration library Allow the Amazon Inspector agent to communicate with Security Hub

Use Amazon issued AWS Certificate Manager (ACM) certificates on the EC2 instances and the Elastic Load Balancer to configure end-to-end encryption

Import a third-party SSL certificate to AWS Certificate Manager (ACM) Install the third-party certificate on the EC2 instances Associate the ACM imported third-party certificate with the Elastic Load Balancer

Deploy AWS CloudHSM Import a third-party certificate Configure the EC2 instances and the Elastic Load Balancer to use the CloudHSM imported certificate

Import a third-party certificate bundle to AWS Certificate Manager (ACM) Install the third-party certificate on the EC2 instances Associate the ACM imported third-party certificate with the Elastic Load Balancer.

Enable SSL certificates for the Cloudtrail logs

There is no need to do anything since the logs will already be encrypted

Enable Server side encryption for the trail

Enable Server side encryption for the destination S3 bucket

Create an mime IAM user policy that allows for Amazon EC2 access for the contractor's IAM user

Create an IAM permissions boundary policy that allows Amazon EC2 access Associate the contractor's IAM account with the IAM permissions boundary policy

Create an IAM group with an attached policy that allows for Amazon EC2 access Associate the contractor's IAM account with the IAM group

Create a IAM role that allows for EC2 and explicitly denies all other services Instruct the contractor to always assume this role

Enable Amazon GuardDuty in all Regions. Create alerts to detect unauthorized activity outside us-east-1 and us-west-2.

Use an organization in IAM Organizations. Attach an SCP that allows all actions when the IAM: Requested Region condition key is either us-east-1 or us-west-2. Delete the FullIAMAccess policy.

Provision EC2 resources by using IAM Cloud Formation templates through IAM CodePipeline. Allow only the values of us-east-1 and us-west-2 in the IAM CloudFormation template's parameters.

Create an IAM Config rule to prevent unauthorized activity outside us-east-1 and us-west-2.

Configure cluster security groups for each application module to control access to database users that are required for read-only and readwrite

Configure a VPC endpoint for Amazon Redshift Configure an endpoint policy that maps database users to each application module, and allow access to the tables that are required for read-only and read/write

Configure an 1AM policy for each module Specify the ARN of an Amazon Redshift database user that allows the GetClusterCredentials API call

Create local database users for each module

Configure an 1AM policy for each module Specify the ARN of an 1AM user that allows the GetClusterCredentials API call

Create a CodeCommit repository in the security account using IAM Key Management Service (IAM KMS) tor encryption Require the development team to migrate the Lambda source code to this repository

Store the API key in an Amazon S3 bucket in the security account using server-side encryption with Amazon S3 managed encryption keys (SSE-S3) to encrypt the key Create a resigned URL tor the S3 key. and specify the URL m a Lambda environmental variable in the IAM CloudFormation template Update the Lambda function code to retrieve the key using the URL and call the API

Create a secret in IAM Secrets Manager in the security account to store the API key using IAM Key Management Service (IAM KMS) tor encryption Grant access to the IAM role used by the Lambda function so that the function can retrieve the key from Secrets Manager and call the API

Create an encrypted environment variable for the Lambda function to store the API key using IAM Key Management Service (IAM KMS) tor encryption Grant access to the IAM role used by the Lambda function so that the function can decrypt the key at runtime

Enable Amazon Macie so that Secunty H jb will allow Detective to process findings from Macie.

Disable IAM Key Management Service (IAM KMS) encryption on CtoudTrail logs in every member account of the organization

Enable Amazon GuardDuty on all member accounts Try to enable Detective in 48 hours

Ensure that the principal that launches Detective has the organizations ListAccounts permission

Configure cluster security groups for each application module to control access to database users that are required for read-only and read/write.

Configure a VPC endpoint for Amazon Redshift Configure an endpoint policy that maps database users to each application module, and allow access to the tables that are required for read-only and read/write

Configure an IAM poky for each module Specify the ARN of an Amazon Redshift database user that allows the GetClusterCredentials API call

Create focal database users for each module

Configure an IAM policy for each module Specify the ARN of an IAM user that allows the GetClusterCredentials API call

Option A

Option B

Option C

Move the SCP to the root OU of organization to remove the restriction to access Amazon $3.

Add an IAM policy for the developer, which grants $3 access.

Create a new OU without applying the SCP restricting $3 access. Move the developer account to this new OU.

Add an allow list for the developer account for the $3 service.

The IAM rote does not have permission to use the KMS CreateKey operation.

The S3 bucket lacks a policy that allows access to the customer managed key that encrypts the objects.

The IAM rote does not have permission to use the customer managed key that encrypts the objects that are in the S3 bucket.

The ACL of the S3 objects does not allow read access for the objects when the objects ace encrypted at rest.

Use encrypted Amazon EBS volumes with Amazon default keys (IAM EBS)

Use server-side encryption with customer-provided keys (SSE-C)

Use server-side encryption with IAM KMS managed keys (SSE-KMS)

Use server-side encryption with Amazon S3 managed keys (SSE-S3)

Create a snapshot of the DB instance. Copy the snapshot to a new snapshot, and enable encryption for the copy process. Use the new snapshot to restore the DB instance.

Modify the configuration of the DB instance by enabling encryption. Create a snapshot of the DB instance. Use the snapshot to restore the DB instance.

Use IAM Key Management Service (IAM KMS) to create a new default IAM managed awa/rds key. Select this key as the encryption key for operations with Amazon RDS.

Use IAM Key Management Service (IAM KMS] to create a new CMK. Select this key as the encryption key for operations with Amazon RDS.

Create a snapshot of the DB instance. Enable encryption on the snapshoVUse the snapshot to restore the DB instance.

Ensure CloudTrail log file validation is turned on

Configure an S3 lifecycle rule to periodically archive CloudTrail logs into Glacier for long-term storage

Use an S3 bucket with tight access controls that exists m a separate account

Use Amazon Inspector to monitor the file integrity of CloudTrail log files.

Request a certificate through ACM and use a generated certificate private key to encrypt CloudTrail log files

Encrypt the CloudTrail log files with server-side encryption with IAM KMS-managed keys (SSE-KMS)

Add an outbound allow rule for 192.168.2.0/24 in the VPC's default network ACL.

Add an inbound allow rule for 192.168.2.0/24 in the VPC's default network ACL.

Add an outbound allow rule for 192.168.2.0/24 in subnet-2-NACL.

Add an inbound allow rule for 192.168.1.0/24 in subnet-2-NACL.

Add an outbound allow rule for 192.168.1.0/24 in subnet-2-NACL.

Create an IAM group for each application team. Associate policies with each IAM group. Provision IAM users for each application team member. Add the new IAM users to the appropriate IAM group by using role-based access control (RBAC).

Delegate application team leads to provision IAM rotes for each team. Conduct a quarterly review of the IAM rotes the team leads have provisioned. Ensure that the application team leads have the appropriate training to review IAM roles.

Put each AWS account in its own OU. Add an SCP to each OU to grant access to only the AWS services that the teams plan to use. Include conditions tn the AWS account of each team.

Create an SCP and a permissions boundary for IAM roles. Add the SCP to the root OU so that only roles that have the permissions boundary attached can create any new IAM roles.

Provision a Direct Connect connection to an IAM region using a Direct Connect partner.

Create a VPN tunnel for private connectivity, which increases network consistency and reduces latency.

Create an iPSec tunnel for private connectivity, which increases network consistency and reduces latency.

Create a VPC peering connection between IAM and the Customer gateway.

Add full Amazon Inspector IAM permissions to the Security Hub service role to allow it to perform the CIS compliance evaluation

Ensure that IAM Trusted Advisor Is enabled in the account and that the Security Hub service role has permissions to retrieve the Trusted Advisor security-related recommended actions

Ensure that IAM Config. is enabled in the account, and that the required IAM Config rules have been created for the CIS compliance evaluation

Ensure that the correct trail in IAM CloudTrail has been configured for monitoring by Security Hub and that the Security Hub service role has permissions to perform the GetObject operation on CloudTrails Amazon S3 bucket

Option A

Option B

Use AD Connector to create users and groups for all employees that require access to IAM accounts. Assign AD Connector groups to IAM accounts and link to the IAM roles in accordance with the employees‘job functions and access requirements Instruct employees to access IAM accounts by using the IAM Directory Service user portal.

Use an IAM SSO default directory to create users and groups for all employees that require access to IAM accounts. Assign groups to IAM accounts and link to permission sets in accordance with the employees‘job functions and access requirements. Instruct employees to access IAM accounts by using the IAM SSO user portal.

Use an IAM SSO default directory to create users and groups for all employees that require access to IAM accounts. Link IAM SSO groups to the IAM users present in all accounts to inherit existing permissions. Instruct employees to access IAM accounts by using the IAM SSO user portal.

Use IAM Directory Service tor Microsoft Active Directory to create users and groups for all employees that require access to IAM accounts Enable IAM Management Console access in the created directory and specify IAM SSO as a source cl information tor integrated accounts and permission sets. Instruct employees to access IAM accounts by using the IAM Directory Service user portal.

Use IAM Config with a managed rule to trigger the IAM-EnableCloudTrail remediation.

Create an Amazon EventBridge (Amazon CloudWatch Events) event with a cloudtrail.amazonIAM.com event source and a StartLogging event name to trigger an IAM Lambda function to call the StartLogging API.

Create an Amazon CloudWatch alarm with a cloudtrail.amazonIAM.com event source and a StopLogging event name to trigger an IAM Lambda function to call the StartLogging API.

Monitor IAM Trusted Advisor to ensure CloudTrail logging is enabled.

Use the application to rotate the keys in every 2 months via the SDK

Use a script to query the creation date of the keys. If older than 2 months, create new access key and update all applications to use it inactivate the old key and delete it.

Delete the user associated with the keys after every 2 months. Then recreate the user again.

Delete the IAM Role associated with the keys after every 2 months. Then recreate the IAM Role again.

An HTTPS listener that uses a certificate that is managed by Amazon Certification Manager.

An HTTPS listener that uses a custom security policy that allows only perfect forward secrecy cipher suites

An HTTPS listener that uses the latest IAM predefined ELBSecuntyPolicy-TLS-1 -2-2017-01 security policy

A TCP listener that uses a custom security policy that allows only perfect forward secrecy cipher suites.

Archive the data to Amazon S3 and apply a restrictive bucket policy to deny the s3 DeleteOotect API

Archive the data to Amazon S3 Glacier and apply a Vault Lock policy

Archive the data to Amazon S3 and replicate it to a second bucket in a second IAM Region Choose the S3 Standard-Infrequent Access (S3 Standard-1A) storage class and apply a restrictive bucket policy to deny the s3 DeleteObject API

Migrate the log data to a 16 T8 Amazon Elastic Block Store (Amazon EBS) volume Create a snapshot of the EBS volume

Configure the DB instance to allow public access Update the DB instance security group to allow access from the Lambda public address space for the AWS Region

Deploy the Lambda functions inside the VPC Attach a network ACL to the Lambda subnet Provide outbound rule access to the VPC CIDR range only Update the DB instance security group to allow traffic from 0 0 0 0/0

Deploy the Lambda functions inside the VPC Attach a security group to the Lambda functions Provide outbound rule access to the VPC CIDR range only Update the DB instance security group to allow traffic from the Lambda security group

Peer the Lambda default VPC with the VPC that hosts the DB instance to allow direct network access without the need for security groups

Configure S3 server-side encryption. Create an S3 bucket policy that has an explicit deny rule for all users for s3:DeleteObject and s3:PutObject API calls. Configure S3 Object Lock to use governance mode with a retention period of 7 years.

Configure S3 server-side encryption. Configure S3 Versioning on the S3 bucket. Configure S3 Object Lock to use compliance mode with a retention period of 7 years.

Configure S3 Versioning. Configure S3 Intelligent-Tiering on the S3 bucket to move the documents to S3 Glacier Deep Archive storage. Use S3 server-side encryption immediately. Expire the objects after 7 years.

Set up S3 Event Notifications and use S3 server-side encryption. Configure S3 Event Notifications to target an AWS Lambda function that will review any S3 API call to the S3 bucket and deny the s3:DeleteObject and s3:PutObject API calls. Remove the S3 event notification after 7 years.

In the security account configure an IAM role for the new Lambda function. Attach an IAM policy that allows access to the KMS key in the security account.

In the development account configure an IAM role for the new Lambda function. Attach a key policy that allows access to the KMS key in the security account.

In the development account configure an IAM role for the new Lambda function. Attach an IAM policy that allows access to the KMS key in the security account.

Configure a key policy for the KMS key m the security account to allow access to the IAM role of the new Lambda function in the security account.

Configure a key policy for the KMS key in the security account to allow access to the IAM role of the new Lambda function in the development account.

Configure the CMK key policy to allow only the Amazon S3 service to use the kms Encrypt action

Configure the CMK key policy to allow IAM KMS actions only when the kms ViaService condition matches the Amazon S3 service name.

Configure the IAM user's policy lo allow KMS to pass a rote lo Amazon S3

Configure the IAM user's policy to allow only Amazon S3 operations when they are combined with the CMK

The target instance's security group does not allow traffic from the NLB.

The target instance's security group is not attached to the NLB.

The NLB's security group is not attached to the target instance.

The target instance's subnet network ACL does not allow traffic from the NLB.

The target instance's security group is not using IP addresses to allow traffic from the NLB.

The target network ACL is not attached to the NLB.

Use the EC2 serial console Configure the EC2 serial console to save all commands that are entered to an Amazon S3 bucket. Provide the EC2 instances with an IAM role that allows the EC2 serial console to access Amazon S3. Configure an IAM account for the system administrator. Provide an IAM policy that allows the IAM account to use the EC2 serial console.

Use EC2 Instance Connect Configure EC2 Instance Connect to save all commands that are entered to Amazon CloudWatch Logs. Provide the EC2 instances with an IAM role that allows the EC2 instances to access CloudWatch Logs Configure an IAM account for the system administrator. Provide an IAM policy that allows the IAM account to use EC2 Instance Connect.

Use an EC2 key pair with an EC2 instance that needs SSH access Access the EC2 instance with this key pair by using SSH. Configure the EC2 instance to save all commands that are entered to Amazon CloudWatch Logs. Provide the EC2 instance with an IAM role that allows the EC2 instance to access Amazon S3 and CloudWatch Logs.

Use AWS Systems Manager Session Manager Configure Session Manager to save all commands that are entered in a session to an Amazon S3 bucket. Provide the EC2 instances with an IAM role that allows Systems Manager to manage the EC2 instances. Configure an IAM account for the system administrator Provide an IAM policy that allows the IAM account to use Session Manager.

Scan all the EC2 instances for noncompliance with IAM Config. Use Amazon Athena to query IAM CloudTrail logs for the framework installation

Scan all the EC2 instances with the Amazon Inspector Network Reachability rules package to identity instances running a web server with RecognizedPortWithListener findings

Scan all the EC2 instances with IAM Systems Manager to identify the vulnerable version of the web framework

Scan an the EC2 instances with IAM Resource Access Manager to identify the vulnerable version of the web framework

Configure the CloudFront distribution to use the Lambda@Edge feature. Create an IAM Lambda function that imposes a rate limit on CloudFront viewer requests. Block the request if the rate limit is exceeded.

Configure the IAM WAF web ACL so that the web ACL has more capacity units to process all IAM WAF rules faster.

Configure IAM WAF with a rate-based rule that imposes a rate limit that automatically blocks requests when the rate limit is exceeded.

Configure the CloudFront distribution to use IAM WAF as its origin instead of the ALB.

Option A

Option B

Option C

Option D

Store the database credentials in AWS Secrets Manager. Configure automatic credential rotation tor every 30 days.

Store the database credentials in AWS Systems Manager Parameter Store. Create an AWS Lambda function to rotate the credentials every 30 days.

Store the database credentials in an environment file or in a configuration file. Modify the credentials every 30 days.

Store the database credentials in an environment file or in a configuration file. Create an AWS Lambda function to rotate the credentials every 30 days.

Use short but complex password on the root account and any administrators.

Use IAM IAM Geo-Lock and disallow anyone from logging in except for in your city.

Use MFA on all users and accounts, especially on the root account.

Don't write down or remember the root account password after creating the IAM account.

Create a new customer managed key Add a key rotation schedule to the key Invoke the key rotation schedule every time the security team requests a key change

Create a new AWS managed key Add a key rotation schedule to the key Invoke the key rotation schedule every time the security team requests a key change

Create a key alias Create a new customer managed key every time the security team requests a key change Associate the alias with the new key

Create a key alias Create a new AWS managed key every time the security team requests a key change Associate the alias with the new key

Use IAM Control Tower. Modify the default Account Factory networking template to automatically associate new accounts with a centrally managed VPC through a VPC peering connection and to create a default route to the VPC peer in the default route table. Create an SCP that denies the CreatelnternetGateway action. Attach the SCP to all accounts except the security inspection account.

Create a centrally managed VPC in the security inspection account. Establish VPC peering connections between the security inspection account and other accounts. Instruct account owners to create default routes in their account route tables that point to the VPC peer. Create an SCP that denies the

Attach InternetGateway action. Attach the SCP to all accounts except the security inspection account.

Use IAM Control Tower. Modify the default Account Factory networking template to automatically associate new accounts with a centrally managed transit

gateway and to create a default route to the transit gateway in the default route table. Create an SCP that denies the AttachlnternetGateway action. Attach the SCP to all accounts except the security inspection account.

Enable IAM Resource Access Manager (IAM RAM) for IAM Organizations. Create a shared transit gateway, and make it available by using an IAM RAM resource share. Create an SCP that denies the CreatelnternetGateway action. Attach the SCP to all accounts except the security inspection account. Create routes in the route tables of all accounts that point to the shared transit gateway.

C:\Users\wk\Desktop\mudassar\Untitled.jpg

C:\Users\wk\Desktop\mudassar\Untitled.jpg

C:\Users\wk\Desktop\mudassar\Untitled.jpg

C:\Users\wk\Desktop\mudassar\Untitled.jpg

Create a pre sign-up AWS Lambda trigger. Associate the Amazon Cognito function with the Amazon Cognito user pool.

Use a geographic match rule statement to configure an AWS WAF web ACL. Associate the web ACL with the Amazon Cognito user pool.

Configure an app client for the application's Amazon Cognito user pool. Use the app client ID to validate the requests in the hosted Ul.

Update the application's Amazon Cognito user pool to configure a geographic restriction setting.

Use Amazon Cognito to configure a social identity provider (IdP) to validate the requests on the hosted Ul.

Create IAM roles with permissions corresponding to each Active Directory group.

Create IAM groups with permissions corresponding to each Active Directory group.

Create a SAML provider with IAM.

Create a SAML provider with Amazon Cloud Directory.

Configure IAM as a trusted relying party for the Active Directory

Configure IAM as a trusted relying party for Amazon Cloud Directory.

Use IAM Artifact to capture an exact image of the state of each instance.

Create EBS Snapshots of each of the volumes attached to the compromised instances.

Capture a memory dump.

Log in to each instance with administrative credentials to restart the instance.

Revoke all network ingress and egress except for to/from a forensics workstation.

Run Auto Recovery for Amazon EC2.

Use an EC2 run command to confirm that the “IAMlogs” service is running on all instances.

Verify that the permissions used by the agent allow creation of log groups/streams and to put log events.

Check whether any application log entries were rejected because of invalid time stamps by reviewing /var/cwlogs/rejects.log.

Check that the trust relationship grants the service “cwlogs.amazonIAM.com” permission to write objects to the Amazon S3 staging bucket.

Verify that the time zone on the application servers is in UTC.

IAM KMS API

IAM Certificate Manager

API Gateway with STS

IAM Access Key

Implement a “write-only” CloudTrail event filter to detect any modifications to the IAM account resources.

Configure Amazon Macie to classify and discover sensitive data in the Amazon S3 bucket that contains the CloudTrail audit logs.

Configure Amazon Athena to read from the CloudTrail S3 bucket and query the logs to examine account activities.

Enable Amazon S3 event notifications to trigger an IAM Lambda function that sends an email alarm when there are new CloudTrail API entries.

Update the ssm.amazonIAM.com principal in the KMS key policy to allow kms: Decrypt.

Update the Lambda configuration to launch the function in a VPC.

Add a policy to the role that the Lambda function uses, allowing kms: Decrypt for the KMS key.

Add lambda.amazonIAM.com as a trusted entity on the IAM role that the Lambda function uses.

IAM Trusted Advisor

IAM WAF

IAM Inspector

IAM Config

Confirm that the EC2 instance's security group authorizes S3 access.

Verify that the KMS key policy allows decrypt access for the KMS key for this IAM principle.

Check the S3 bucket policy for statements that deny access to objects.

Confirm that the EC2 instance is using the correct key pair.

Confirm that the IAM role associated with the EC2 instance has the proper privileges.

Confirm that the instance and the S3 bucket are in the same Region.

In CloudTrail, verify that the trail logging bucket has a log prefix configured.

In Amazon SNS, determine whether the “Account spend limit” has been reached for this alert.

In SNS, ensure that the subscription used by these alerts has not been deleted.

In CloudWatch, verify that the alarm threshold “consecutive periods” value is equal to, or greater than 1.

The Lambda function does not have permissions to start the Athena query execution.

The Security Engineer does not have permissions to start the Athena query execution.

The Athena service does not support invocation through Lambda.

The Lambda function does not have permissions to access the CloudTrail S3 bucket.

Change the IAM permissions by applying PutBucketPolicy permissions.

Verify that the policy has the same name as the bucket name. If not. make it the same.

Change the Resource section to "arn:IAM:s3:::appbucket/*'.

Create the bucket "appbucket" and then apply the policy.

Encrypt the EBS volumes of the underlying EC2 Instances

Use IAM KMS Customer Default master key

Use SSL/TLS for encrypting the data

Use S3 Encryption

Ensure the bucket policy has a condition which involves IAM:PrincipalOrglD

Ensure the bucket policy has a condition which involves IAM:AccountNumber

Ensure the bucket policy has a condition which involves IAM:PrincipaliD

Ensure the bucket policy has a condition which involves IAM:OrglD

Set up a CloudWatch event based on Trusted Advisor metrics

Trigger a Lambda function from a scheduled CloudWatch event that terminates non-compliant infrastructure.

Set up a CloudWatch event based on Amazon inspector findings

Monitor compliance with IAM Config Rules triggered by configuration changes

Trigger a CLI command from a CloudWatch event that terminates the infrastructure

It will allow all access to the bucket mybucket

It will allow the user mark from IAM account number 111111111 all access to the bucket but deny everyone else all access to the bucket

It will deny all access to the bucket mybucket

None of these

Access the data through an Internet Gateway.

Access the data through a VPN connection.

Access the data through a NAT Gateway.

Access the data through a VPC endpoint for Amazon S3

Ensure an IAM role is created which can be assumed by the partner account.

Ensure an IAM user is created which can be assumed by the partner account.

Ensure the partner uses an external id when making the request

Provide the ARN for the role to the partner account

Provide the Account Id to the partner account

Provide access keys for your account to the partner account

Place the EC2 Instance with the Oracle database in the same public subnet as the Web server for faster communication

Place the EC2 Instance with the Oracle database in a separate private subnet

Create a database security group and ensure the web security group to allowed incoming access

Ensure the database security group allows incoming traffic from 0.0.0.0/0

Use IAM Config to ensure that the servers have no critical flIAM.

Use IAM inspector to ensure that the servers have no critical flIAM.

Use IAM inspector to patch the servers

Use IAM SSM to patch the servers

Use IAM Config to check the state of the EC2 instance for any sort of security issues.

Use IAM Inspector API's in the pipeline for the EC2 Instances

Use IAM Trusted Advisor API's in the pipeline for the EC2 Instances

Use IAM Security Groups to ensure no vulnerabilities are present

Use the IAM SDK to encrypt the data before sending it to the DynamoDB table

Encrypt the DynamoDB table using KMS during its creation

Encrypt the table using IAM KMS after it is created

Use S3 buckets to encrypt the data before sending it to DynamoDB

IAM VPN

IAM VPC Peering

IAM NAT gateways

IAM Direct Connect

Since the ID is hashed, it ensures security of the underlying table.

The above command ensures data encryption at rest for the Customer table

The above command ensures data encryption in transit for the Customer table

The right throughput has been specified from a security perspective

Put the IAM Access keys in the Lambda function since the Lambda function by default is secure

Use an IAM role which has permissions to the DynamoDB table and attach it to the Lambda function.

Use the IAM Access keys which has access to DynamoDB and then place it in an S3 bucket.

Create a VPC endpoint for the DynamoDB table. Access the VPC endpoint from the Lambda function.

Upload data to S3 and use lifecycle policies to move the data into Glacier for long-term archiving.

Upload the data on EBS, use lifecycle policies to move EBS snapshots into S3 and later into Glacier for long-term archiving.

Use Direct Connect to upload data to S3 and use IAM policies to move the data into Glacier for long-term archiving.

Use Storage Gateway to store data to S3 and use lifecycle policies to move the data into Redshift for long-term archiving.

Change the existing DHCP options set

Create a new DHCP options set and replace the existing one.

Change the route table for the VPC

Change the subnet configuration to allow DNS requests from the new DNS Server

Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAl.

Add the CloudFront account security group "amazon-cf/amazon-cf-sg" to the appropriate S3 bucket policy.

Create an Identity and Access Management (IAM) User for CloudFront and grant access to the objects in your S3 bucket to that IAM User.

Create a S3 bucket policy that lists the CloudFront distribution ID as the Principal and the target bucket as the Amazon Resource Name (ARN).

Amazon Cloudwatch Logs

Amazon VPC Flow Logs

Amazon IAM Config

Amazon Cloudtrail

Give only the necessary access to the Apache servers so that the developers can gain access to the log files.

Give root access to your Apache servers to the developers.

Give read-only access to your developers to the Apache servers.

Set up a central logging server that you can use to archive your logs; archive these logs to an S3 bucket for developer-access.

Ensure the applications are hosted in a public subnet

Check to see if the VPC has an Internet gateway attached.

Check to see if the VPC has a NAT gateway attached.

Check the Route tables for the VPC's

A network ACL with a rule that allows outgoing traffic on port 443.

A network ACL with rules that allow outgoing traffic on port 443 and incoming traffic on ephemeral ports

A network ACL with rules that allow outgoing traffic on port 443 and incoming traffic on port 443.

A security group with a rule that allows outgoing traffic on port 443

A security group with rules that allow outgoing traffic on port 443 and incoming traffic on ephemeral ports.

A security group with rules that allow outgoing traffic on port 443 and incoming traffic on port 443.

Enable VPC flow logs to know the source IP addresses

Monitor the S3 API calls by using Cloudtrail logging

Monitor the S3 API calls by using Cloudwatch logging

Enable IAM Inspector for the S3 bucket

IAM KMS

IAM S3 Server side encryption

IAM Customer Keys

IAM Cloud HSM

EC2 instances in our public subnet, no EIPs, route outgoing traffic via the IGW

EC2 instances in our public subnet, assigned EIPs, and route outgoing traffic via the NAT

EC2 instance in our private subnet, assigned EIPs, and route our outgoing traffic via our IGW

EC2 instances in our private subnet, no EIPs, route outgoing traffic via the NAT

Tag the instance with a production-identifying tag and add resource-level permissions to the employee user with an explicit deny on the terminate API call to instances with the production tag. <

Tag the instance with a production-identifying tag and modify the employees group to allow only start stop, and reboot API calls and not the terminate instance call.

Modify the IAM policy on the user to require MFA before deleting EC2 instances and disable MFA access to the employee

Modify the IAM policy on the user to require MFA before deleting EC2 instances

Enable versioning on the S3 bucket

Enable data at rest for the objects in the bucket

Enable MFA Delete in the bucket policy

Enable data in transit for the objects in the bucket

When storing data in Amazon EBS, use only EBS-optimized Amazon EC2 instances.

When storing data in EBS, encrypt the volume by using IAM KMS.

When storing data in Amazon S3, use object versioning and MFA Delete.

When storing data in Amazon EC2 Instance Store, encrypt the volume by using KMS.

When storing data in S3, enable server-side encryption.

Create an Identity and Access Management (IAM) user for CloudFront and grant access to the objects in your S3 bucket to that IAM User.

Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAl.

Create individual policies for each bucket the documents are stored in and in that policy grant access to only CloudFront.

Create an S3 bucket policy that lists the CloudFront distribution ID as the Principal and the target bucket as the Amazon Resource Name (ARN).

Search the Cloud Watch logs to find for the suspicious activity which occurred 11 days ago

Search the Cloudtrail event history on the API events which occurred 11 days ago.

Search the Cloud Watch metrics to find for the suspicious activity which occurred 11 days ago

Use IAM Config to get the API calls which were made 11 days ago.

Create an OlDC identity provider in IAM

Create a SAML provider in IAM

Use IAM Cognito to manage the user profiles

Use IAM users to manage the user profiles

Ensure to create a strong password for logging into the EC2 Instance

Create a key pair using putty

Use the private key to log into the instance

Ensure the password is passed securely using SSL

Enable server access logging for the bucket

Enable Cloudwatch metrics for the bucket

Enable Cloudwatch logs for the bucket

Enable IAM Config for the S3 bucket

Use IAM Inspector to inspect all S3 buckets and enable logging for those where it is not enabled

Use IAM Config Rules to check whether logging is enabled for buckets

Use IAM Cloudwatch metrics to check whether logging is enabled for buckets

Use IAM Cloudwatch logs to check whether logging is enabled for buckets

"Effect": "Allow". "Action": ["Describe"], "Resource": "Billing"

"Effect": "Allow", "Action": ["AccountUsage], "Resource": "*"

"Effect': "Allow", "Action": ["IAM-portal:ViewUsage"," IAM-portal:ViewBilling"], "Resource": "*"

"Effect": "Allow", "Action": ["IAM-portal: ViewBilling"], "Resource": "*"

Ensure that there is a trust policy in place for the IAM Config service within the role

Ensure that there is a grant policy in place for the IAM Config service within the role

Ensure that there is a user policy in place for the IAM Config service within the role

Ensure that there is a group policy in place for the IAM Config service within the role

Ensure the Network Access Control Lists allow Inbound SSH traffic from the IT Administrator's Workstation

Ensure the Network Access Control Lists allow Outbound SSH traffic from the IT Administrator's Workstation

Ensure that the security group allows Inbound SSH traffic from the IT Administrator's Workstation

Ensure that the security group allows Outbound SSH traffic from the IT Administrator's Workstation

Get prior approval from IAM for conducting the test

Use a pre-approved penetration testing tool.

Work with an IAM partner and no need for prior approval request from IAM

Choose any of the IAM instance type

Add the keys to the backend distribution.

Add the keys to the S3 bucket

Create pre-signed URL's

Use IAM Access keys

Modify the security groups for the VPC to allow access to the 53 bucket

Modify the route tables to allow access for the VPC endpoint

Modify the IAM Policy for the bucket to allow access for the VPC endpoint

Modify the bucket Policy for the bucket to allow access for the VPC endpoint

IAM policies

Buckets ACL's

IAM users

Bucket policies

Enable cross region replication for the bucket

Write a script to copy the objects to another bucket in the destination region

Create an S3 snapshot in the destination region

Enable versioning which will copy the objects to the destination region

Apply Multi-AZ for the underlying 53 bucket

Copy the data to an EBS Volume in another Region

Create a snapshot of the S3 bucket and copy it to another region

Enable Cross region replication for the S3 bucket

Ensure that the on-premise servers are running on Hyper-V.

Ensure that an IAM service role is created

Ensure that an IAM User is created

Ensure that an IAM Group is created for the on-premise servers

Trigger a Lambda function with a monthly CloudWatch event that creates a new CMK and updates the S3 bucket to use the new CMK.

Configure the CMK to rotate the key material every month.

Trigger a Lambda function with a monthly CloudWatch event that creates a new CMK, updates the S3 bucket to use thfl new CMK, and deletes the old CMK.

Trigger a Lambda function with a monthly CloudWatch event that rotates the key material in the CMK.

Use the secure token service to manage the permissions for the different users

Use IAM Policies to create different policies for the different types of users.

Use the IAM Config tool to manage the permissions for the different users

Use IAM Access Keys to create sets of keys for the different types of users.

Place each file into a different S3 bucket. Set the default encryption of each bucket to use a different IAM KMS customer managed key.

Put all the files in the same S3 bucket. Using S3 events as a trigger, write an IAM Lambda function to encrypt each file as it is added using different IAM KMS data keys.

Use the S3 encryption client to encrypt each file individually using S3-generated data keys

Place all the files in the same S3 bucket. Use server-side encryption with IAM KMS-managed keys (SSE-KMS) to encrypt the data

The EC2 instance role does not have decrypt permissions on the IAM Key Management Sen/ice (IAM KMS) key used to encrypt the secret

The EC2 instance role does not have read permissions to read the parameters In Parameter Store

Parameter Store does not have permission to use IAM Key Management Service (IAM KMS) to decrypt the parameter

The EC2 instance role does not have encrypt permissions on the IAM Key Management Service (IAM KMS) key associated with the secret

The EC2 instance does not have any tags associated.

Update the password length policy In the on-premises Active Directory configuration.

Update the password length policy In the IAM configuration.

Enforce an IAM policy In Amazon Cognito and IAM IAM with a minimum password length condition.

Update the password length policy in the Amazon Cognito configuration.

Create an SCP with IAM Organizations that enforces a minimum password length for IAM IAM and Amazon Cognito.

Create an Application Load Balancer with the existing EC2 instances as a target group Create an IAM WAF web ACL containing rules mat protect the application from this attach. then apply it to the ALB Test to ensure me vulnerability has been mitigated, then redirect thee Route 53 records to point to the ALB Update security groups on the EC 2 instances to prevent direct access from the internet

Create an Amazon CloudFront distribution specifying one EC2 instance as an origin Create an IAM WAF web ACL containing rules that protect the application from this attack, then apply it to me distribution Test to ensure the vulnerability has mitigated, then redirect the Route 53 records to point to CloudFront

Obtain me latest source code for the platform and make ire necessary updates Test me updated code to ensure that the vulnerability has been irrigated, then deploy me patched version of the platform to the EC2 instances

Update the security group mat is attached to the EC2 instances, removing access from the internet to the TCP port used by the SQL database Create an IAM WAF web ACL containing rules mat protect me application from this attack, men apply it to the EC2 instances Test to ensure me vulnerability has been mitigated. then restore the security group to me onginal setting

Option A

Option B

Option C

Option D

In the GuardDuty console, select the CryptoCurrency:EC2/BitcoinTool B'DNS finding and use the suppress findings option

Create a custom IAM Lambda function to process newly detected GuardDuty alerts Process the CryptoCurrency EC2/BitcoinTool BIDNS alert and filter out

the high-severity finding types only.

When creating a new Amazon EC2 Instance, provide the instance with a specific tag that indicates it is performing mining operations Create a custom IAM Lambda function to process newly detected GuardDuty alerts and filter for the presence of this tag

When GuardDuty produces a cryptocurrency finding, process the finding with a custom IAM Lambda function to extract the instance ID from the finding Then use the IAM Systems Manager Run Command to check for a running process performing mining operations

Establish an IAM Direct Connect connection with IAM and set up a Direct Connect gateway. In the Direct Connect gateway configuration, enable IPsec and BGP, and then leverage native IAM network encryption between Availability Zones and Regions,

Establish an IAM Direct Connect connection with IAM and set up a Direct Connect gateway. Using the Direct Connect gateway, create a private virtual interface and advertise the customer gateway private IP addresses. Create a VPN connection using the customer gateway and the virtual private gateway

Establish a VPN connection with the IAM virtual private cloud over the internet

Establish an IAM Direct Connect connection with IAM and establish a public virtual interface. For prefixes that need to be advertised, enter the customer gateway public IP addresses. Create a VPN connection over Direct Connect using the customer gateway and the virtual private gateway.

Use client-side encryption with an IAM KMS customer-managed key implemented with the IAM Encryption SDK

Use IAM CloudHSM to store the keys and perform cryptographic operations Save the encrypted text in Amazon S3

Use an IAM KMS customer-managed key that is backed by a custom key store using IAM CloudHSM

Use an IAM KMS customer-managed key with the bring your own key (BYOK) feature to import a key stored in IAM CloudHSM

Configure an IAM Managed Microsoft AD to manage the cloud resources.

Configure an additional on-premises Active Directory service to manage the cloud resources.

Establish a one-way trust relationship from the existing Active Directory to the new Active Directory service.

Establish a one-way trust relationship from the new Active Directory to the existing Active Directory service.

Establish a two-way trust between the new and existing Active Directory services.

Use envelope encryption with the IAM-managed CMK IAM/s3.

Create a customer-managed CMK with a key policy granting “kms:Decrypt” based on the “${IAM:username}” variable.

Create a customer-managed CMK for each user. Add each user as a key user in their corresponding key policy.

Change the applicable IAM policy to grant S3 access to “Resource”: “arn:IAM:s3:::examplebucket/${IAM:username}/*”

Yes, the bucket policy makes the whole bucket publicly accessible despite now the S3 bucket ACL or object ACLs are configured.

Yes, none of the data in the bucket is publicity accessible, regardless of how the S3 bucket ACL and object ACLs are configured.

No, the IAM user policy would need to be examined first to determine whether any data is publicly accessible.

No, the S3 bucket ACL and object ACLs need to be examined first to determine whether any data is publicly accessible.

Configure an S3 bucket as the origin an origin access identity (OAI) for the CloudFront distribution Switch the DNS records from websites to point to the CloudFront distribution Enable Nock public access settings at the account level

Configure an S3 bucket as the origin with an origin access identity (OAI) for the CloudFront distribution Switch the ONS records tor the websites to point to the CloudFront disinfection Then, tor each S3 bucket enable block public access settings

Configure an S3 bucket as the origin with an origin access identity (OAI) for the CloudFront distribution Enable block public access settings at the account level

Configure an S3 bucket as the origin for me CloudFront distribution Configure the S3 bucket policy to accept connections from the CloudFront points of presence only Switch the DNS records for the websites to point to the CloudFront distribution Enable block public access settings at me account level

Remove the instance from the Auto Scaling group Place the instance within an isolation security group, detach the EBS volume launch an EC2 instance with a forensic toolkit and attach the E8S volume to investigate

Remove the instance from the Auto Scaling group and the Elastic Load Balancer Place the instance within an isolation security group, launch an EC2 instance with a forensic toolkit, and allow the forensic toolkit image to connect to the suspicious Instance to perform the Investigation.

Remove the instance from the Auto Scaling group Place the Instance within an isolation security group, launch an EC2 Instance with a forensic toolkit and use the forensic toolkit imago to deploy an ENI as a network span port to inspect all traffic coming from the suspicious instance.

Remove the instance from the Auto Scaling group and the Elastic Load Balancer Place the instance within an isolation security group, make a copy of the EBS volume from a new snapshot, launch an EC2 Instance with a forensic toolkit and attach the copy of the EBS volume to investigate.

One in the US West (Oregon) region and one in the US East (Virginia) region.

Two in the US West (Oregon) region and none in the US East (Virginia) region.

One in the US West (Oregon) region and none in the US East (Virginia) region.

Two in the US East (Virginia) region and none in the US West (Oregon) region.

Configure Amazon CloudWatch Events in the production accounts to send all S3 events to the security account event bus.

Enable Amazon GuardDuty in the security account. and join the production accounts as members.

Configure an Amazon CloudWatch Events rule in the security account to detect S3 bucket creation or modification events.

Enable IAM Trusted Advisor and activate email notifications for an email address assigned to the security contact.

Invoke an IAM Lambda function in the security account to analyze S3 bucket settings in response to S3 events, and send non-compliance notifications to the Security team.

Configure event notifications on S3 buckets for PUT; POST, and DELETE events.

Move the SCP to the root OU of Organizations to remove the restriction to access Amazon S3.

Add an IAM policy for the Developer, which grants S3 access.

Create a new OU without applying the SCP restricting S3 access. Move the Developer account to this new OU.

Add an allow list for the Developer account for the S3 service.

Create a new CMK, and redirect the existing Key Alias to the new CMK

Select the option to auto-rotate the key

Upload new key material into the existing CMK.

Create a new CMK, and change the application to point to the new CMK

IAM CloudFormation

Amazon GuardDuty

Amazon Inspector

Amazon Macie

IAM Step Functions

The IAM user launching those instances is missing ec2:Runinstances permission.

The AMI used as encrypted and the IAM does not have the required IAM KMS permissions.

The instance profile used with the EC2 instances in unable to query instance metadata.

IAM currently does not have sufficient capacity in the Region.

Configure a Network Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers

Configure an Application Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers

Configure a Network Load Balancer with a TCP listener to pass through TLS traffic to the containers

Configure Amazon Route 53 to use multivalue answer routing to send traffic to the containers

Option A

Option B

Option C

Option D

Tell the application teams to use two different S3 buckets with separate IAM Key Management Service (IAM KMS) IAM managed CMKs Limit the key process to allow encryption and decryption of the CMKs to their respective teams only. Force the teams to use encryption context to encrypt and decrypt

Tell the application teams to use two different S3 buckets with a single IAM Key Management Service (IAM KMS) IAM managed CMK Limit the key policy to allow encryption and decryption of the CMK only. Do not allow the teams to use encryption context to encrypt and decrypt

Tell the application teams to use two different S3 buckets with separate IAM Key Management Service (IAM KMS) customer managed CMKs Limit the key policies to allow encryption and decryption of the CMKs to their respective teams only Force the teams to use encryption context to encrypt and decrypt

Tell the application teams to use two different S3 buckets with a single IAM Key Management Service (IAM KMS) customer managed CMK Limit the key policy to allow encryption and decryption of the CMK only Do not allow the teams to use encryption context to encrypt and decrypt

Use IAM Resource Access Manager to create shared resources for each requited security group and apply an IAM policy that permits read-only access to the security groups only.

Create an IAM CloudFormation template that creates the required security groups Execute the template as part of configuring new accounts Enable Amazon Simple Notification Service (Amazon SNS) notifications when changes occur

Use IAM Firewall Manager to create a security group policy, enable the policy feature to identify and revert local changes, and enable automatic remediation

Use IAM Control Tower to edit the account factory template to enable the snare security groups option Apply an SCP to the OU or individual accounts that prohibits security group modifications from local account users

Enable Amazon GuardDuty and IAM Security Hub in all Regions and all accounts. Designate a master security account to receive all alerts from the child accounts. Set up specific rules within Amazon Even;Bridge to trigger an IAM Lambda function for remediation steps.

Ingest all IAM CloudTrail logs, VPC Flow Logs, and DNS logs into a single Amazon S3 bucket in a designated security account. Use the current on-premises SIEM to monitor the logs and send a notification to an Amazon SNS topic to alert the security team of remediation steps.

Ingest all IAM CloudTrail logs, VPC Flow Logs, and DNS logs into a single Amazon S3 bucket in a designated security account. Launch an Amazon EC2 instance and install the current SIEM to monitor the logs and send a notification to an Amazon SNS topic to alert the security team of remediation steps.

Enable Amazon GuardDuty and IAM Security Hub in all Regions and all accounts. Designate a master security account to receive all alerts from the child accounts. Create an IAM Organizations SCP that denies access to certain API calls that are on an ignore list.

Use Imported key material with CMK

Use an IAM KMS CMK

Use an IAM managed CMK.

Use an IAM KMS customer managed CMK

Disable the EC2 instance metadata service.

Log all student SSH interactive session activity.

Implement ip tables-based restrictions on the instances.

Install the Amazon Inspector agent on the instances.

Ensure the KMS policy allows the AppUser role to have permission to decrypt for the CMK

Ensure the S3 bucket policy allows the AppUser role to have permission to get objects for the S3 bucket

Ensure the CMK was created before the S3 bucket.

Ensure the S3 block public access feature is enabled for the S3 bucket.

Ensure that automatic key rotation is disabled for the CMK

Ensure the SCPs within Organizations allow access to the S3 bucket.

Add an inbound rule to the security group associated with the logging server that allows requests from the web server

Add an outbound rule to the security group associated with the web server that allows requests to the logging server.

Add a route to the route table associated with the subnet that hosts the logging server that targets the peering connection

Add a route to the route table associated with the subnet that hosts the web server that targets the peering connection

Use IAM Resource Access Manager (IAM RAM) to monitor the IAM CloudTrail configuration. Send notifications using Amazon SNS.

Create an Amazon CloudWatch Events rule to monitor Amazon GuardDuty findings. Send email notifications using Amazon SNS.

Update security contact details in IAM account settings for IAM Support to send alerts when suspicious activity is detected.

Use Amazon Inspector to automatically detect security issues. Send alerts using Amazon SNS.

The log files fail integrity validation and automatically are marked as unavailable.

The KMS key policy does not grant the Security Engineer's IAM user or role permissions to decrypt with it.

The bucket is set up to use server-side encryption with Amazon S3-managed keys (SSE-S3) as the default and does not allow SSE-KMS-encrypted files.

An IAM policy applicable to the Security Engineer’s IAM user or role denies access to the "CloudTrail/" prefix in the Amazon S3 bucket

Enable IAM Config and set it to record all resources in all Regions and global resources. Then enable IAM Security Hub and confirm that the CIS IAM Foundations compliance standard is enabled

Enable Amazon Inspector and configure it to scan all Regions for the CIS IAM Foundations Benchmarks. Then enable IAM Security Hub and configure it to ingest the

Amazon Inspector findings

Enable Amazon Inspector and configure it to scan all Regions for the CIS IAM Foundations Benchmarks. Then enable IAM Shield in all Regions to protect the account from DDoS attacks.

Enable IAM Config and set it to record all resources in all Regions and global resources Then enable Amazon Inspector and configure it to enforce CIS IAM Foundations Benchmarks using IAM Config rules.

Use an IAM Key Management Service (IAM KMS) CMK. Encrypt the data at rest.

Use IAM Certificate Manager (ACM) Private Certificate Authority Encrypt the data in transit.

Use a DynamoDB encryption client. Use client-side encryption and sign the table items

Use the IAM Encryption SDK. Use client-side encryption and sign the table items.

Set up domain controllers on Amazon EC2 to extend the on-premises directory to IAM

Establish network connectivity between on-premises and the user's VPC

Use Amazon Cognito user pools for application authentication

Use AD Connector tor application authentication.

Set up federated sign-in to IAM through ADFS and SAML.

Verify that the 0.0.0.0/0 route in the route table for the web server subnet points to a NAT gateway.

Verify which Security Group is applied to the particular web server’s elastic network interface (ENI).

Verify that the 0.0.0.0/0 route in the route table for the web server subnet points to the virtual security appliance.

Verify the registered targets in the ALB.

Verify that the 0.0.0.0/0 route in the public subnet points to a NAT gateway.

Remove me instance from the Auto Seating group Close me security group mm ingress only from a single forensic P address to perform an analysis.

Remove me instance from the Auto Seating group Change me network ACL rules to allow traffic only from a single forensic IP address to perform en analysis Add a rule to deny all other traffic.

Remove the instance from the Auto Scaling group Enable Amazon GuardDuty in that IAM account Install the Amazon Inspector agent cm the suspicious EC 2 instance to perform a scan.

Take a snapshot of the suspicious EC2 instance. Create a new EC2 instance from me snapshot in a closed security group with ingress only from a single forensic IP address to perform an analysis

Configure the application’s EC2 instances to use NAT gateways for all inbound traffic.

Move the web servers to private subnets without public IP addresses.

Configure IAM WAF to provide DDoS attack protection for the ALB.

Require all inbound network traffic to route through a bastion host in the private subnet.

Require all inbound and outbound network traffic to route through an IAM Direct Connect connection.

Use IAM Config to track configuration changes to Lambda functions, runtime environments, tags, handler names, code sizes, memory allocation, timeout settings, and concurrency settings, along with Lambda IAM execution role, subnet, and security group associations.

Use IAM CloudTrail to implement governance, compliance, operational, and risk auditing for Lambda.

Use Amazon Inspector to automatically monitor for vulnerabilities and perform governance, compliance, operational, and risk auditing for Lambda.

Use IAM Resource Access Manager to track configuration changes to Lambda functions, runtime environments, tags, handler names, code sizes, memory allocation, timeout settings, and concurrency settings, along with Lambda IAM execution role, subnet, and security group associations.

Use Amazon Macie to discover, classify, and protect sensitive data being executed inside the Lambda function.

Create an Amazon CloudWatch alarm for IAM CloudTrail Events Create a metric filter to send a notification when me same set of IAM credentials is used by multiple developer

Create a federation between IAM and the existing corporate IdP Leverage IAM roles to provide federated access to IAM resources

Create a VPN tunnel between the corporate premises and the VPC Allow permissions to all IAM services only if it originates from corporate premises.

Create multiple IAM rotes for each IAM user Ensure that users who use the same IAM credentials cannot assume the same IAM role at the same time.

Associate the instances to the same security groups.

Add 0.0.0.0/0 to the egress rules of the instance security groups.

Add the instance IDs to the ingress rules of the instance security groups.

Add the public IP addresses to the ingress rules of the instance security groups.

Put all the proxy EC2 instances in a cluster placement group.

Disable source and destination checks on the proxy EC2 instances.

Open all inbound ports on the proxy EC2 instance security group.

Change the VPC's DHCP domain-name-server’s options set to the IP addresses of proxy EC2 instances.

Call UploadServerCertificate with /cloudfront/dev/ in the path parameter.

Import the certificate with a 4,096-bit RSA public key.

Ensure that the certificate, private key, and certificate chain are PKCS #12-encoded.

Import the certificate in the us-east-1 (N. Virginia) Region.

Ensure that the certificate, private key, and certificate chain are PEM-encoded.

Use an IAM KMS customer managed key and store the key material in IAM with replication across Regions

Use an IAM customer managed key, import the key material into IAM KMS using in-house IAM CloudHSM. and store the key material securely in Amazon S3.

Use an IAM KMS custom key store backed by IAM CloudHSM clusters, and copy backups across Regions

Use IAM CloudHSM to generate the key material and backup keys across Regions Use the Java Cryptography Extension (JCE) and Public Key Cryptography Standards #11 (PKCS #11) encryption libraries to encrypt and decrypt the data.

Configure a web ACL rule for IAM WAF to block requests with a string match condition for the user agent of the loT device. Associate the v/eb ACL with the ALB.

Configure an Amazon CloudFront distribution to use the ALB as an origin. Configure a web ACL rule for IAM WAF to block requests with a string match condition for the user agent of the loT device. Associate the web ACL with the ALB Change the public DNS entry of the website to point to the CloudFront distribution.

Configure an Amazon CloudFront distribution to use a new ALB as an origin. Configure a web ACL rule for IAM WAF to block requests with a string match condition for the user agent of the loT device. Change the ALB security group to alow access from CloudFront IP address ranges only Change the public DNS entry of the website to point to the CloudFront distribution.

Activate IAM Shield Advanced to enable DDoS protection. Apply an IAM WAF ACL to the ALB. and configure a listener rule on the ALB to block loT devices based on the user agent.