Deck 8: AWS Certified Security - Specialty (SCS-C01)

A) Using Amazon Inspector, review all of the API calls and configure the inspector agent to leverage SNS topics to notify security of the change to AWS CloudTrail, and revoke the new API keys for the root user.
B) Using AWS Config, create a config rule that detects when AWS CloudTrail is disabled, as well as any calls to the root user create-api-key. Then use a Lambda function to re-enable CloudTrail logs and deactivate the root API keys.
C) Using Amazon CloudWatch, create a CloudWatch event that detects AWS CloudTrail deactivation and a separate Amazon Trusted Advisor check to automatically detect the creation of root API keys. Then use a Lambda function to enable AWS CloudTrail and deactivate the root API keys.
D) Using Amazon CloudTrail, create a new CloudTrail event that detects the deactivation of CloudTrail logs, and a separate CloudTrail event that detects the creation of root API keys. Then use a Lambda function to enable CloudTrail and deactivate the root API keys.

A) The Lambda function does not have permissions to start the Athena query execution.
B) The Security Engineer does not have permissions to start the Athena query execution.
C) The Athena service does not support invocation through Lambda.
D) The Lambda function does not have permissions to access the CloudTrail S3 bucket.

A) Store the database credentials in AWS Key Management Service (AWS KMS). Create an IAM role with access to AWS KMS by using the EC2 and Lambda service principals in the role's trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances. Set up Lambda to use the new role for execution.
B) Store the database credentials in AWS KMS. Create an IAM role with access to KMS by using the EC2 and Lambda service principals in the role's trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances and the Lambda function.
C) Store the database credentials in AWS Secrets Manager. Create an IAM role with access to Secrets Manager by using the EC2 and Lambda service principals in the role's trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances and the Lambda function.
D) Store the database credentials in AWS Secrets Manager. Create an IAM role with access to Secrets Manager by using the EC2 and Lambda service principals in the role's trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances. Set up Lambda to use the new role for execution.

A) Copy the application's AWS KMS CMK from the source region to the target region so that it can be used to decrypt the resource after it is copied to the target region.
B) Configure AWS KMS to automatically synchronize the CMK between regions so that it can be used to decrypt the resource in the target region.
C) Use AWS services that replicate data across regions, and re-wrap the data encryption key created in the source region by using the CMK in the target region so that the target region's CMK can decrypt the database encryption key.
D) Configure the target region's AWS service to communicate with the source region's AWS KMS so that it can decrypt the resource in the target region.

A) Use AWS Config to review the IAM policy assigned to users before and after the incident.
B) Run the GenerateCredentialReport via the AWS CLI, and copy the output to Amazon S3 daily for auditing purposes. Run the GenerateCredentialReport via the AWS CLI, and copy the output to Amazon S3 daily for auditing purposes.
C) Copy AWS CloudFormation templates to S3, and audit for changes from the template.
D) Use Amazon EC2 Systems Manager to deploy images, and review AWS CloudTrail logs for changes.

A) Associate an origin access identity with the CloudFront distribution.
B) Implement a "Principal": "cloudfront.amazonaws.com" condition in the S3 bucket policy. Implement a "Principal": "cloudfront.amazonaws.com" condition in the S3 bucket policy.
C) Modify the S3 bucket permissions so that only the origin access identity can access the bucket contents.
D) Implement security groups so that the S3 bucket can be accessed only by using the intended CloudFront distribution.
E) Configure the S3 bucket policy so that it is accessible only through VPC endpoints, and place the CloudFront distribution into the specified VPC.

A) Use AWS Systems Manager to store the credentials as Secure Strings Parameters. Secure by using an AWS KMS key.
B) Use AWS Key Management System to store a master key, which is used to encrypt the credentials. The encrypted credentials are stored in an Amazon RDS instance.
C) Use AWS Secrets Manager to store the credentials.
D) Store the credentials in a JSON file on Amazon S3 with server-side encryption.

A) Bypass the proxy and use an S3 VPC endpoint with a policy that whitelists only certain S3 buckets within Account 1.
B) Block outbound access to public S3 endpoints on the proxy server.
C) Configure Network ACLs on Server X to deny access to S3 endpoints.
D) Modify the S3 bucket policy for the legitimate bucket to allow access only from the public IP addresses associated with the application server.
E) Remove the IAM instance role from the application server and save API access keys in a trusted and encrypted application config file.

A) Upload an SSL certificate to IAM, and configure Amazon CloudFront with the passphrase for the private key.
B) Call KMS.Encrypt() in the client, passing in the data file contents, and call KMS.Decrypt() server-side. Call KMS.Encrypt() in the client, passing in the data file contents, and call KMS.Decrypt() server-side.
C) Use AWS Certificate Manager to provision a certificate on an Elastic Load Balancing in front of the web service's servers.
D) Create a new VPC with an Amazon VPC VPN endpoint, and update the web service's DNS record.

A) AWS managed Customer Master Key (CMK)
B) Customer managed CMK with AWS generated key material
C) Customer managed CMK with imported key material
D) AWS managed data key

A) Create a Customer Master Key (CMK) for each data classification type, and enable the rotation of it annually. For the "Restricted" CMK, define the MFA policy within the key policy. Use S3 SSE-KMS to encrypt the objects.
B) Create a CMK grant for each data classification type with EnableKeyRotation and MultiFactorAuthPresent set to true. S3 can then use the grants to encrypt each object with a unique CMK.
C) Create a CMK for each data classification type, and within the CMK policy, enable rotation of it annually, and define the MFA policy. S3 can then create DEK grants to uniquely encrypt each object within the S3 bucket.
D) Create a CMK with unique imported key material for each data classification type, and rotate them annually. For the "Restricted" key material, define the MFA policy in the key policy. Use S3 SSE-KMS to encrypt the objects.

A) Associate the instances to the same security groups.
B) Add 0.0.0.0/0 to the egress rules of the instance security groups.
C) Add the instance IDs to the ingress rules of the instance security groups.
D) Add the public IP addresses to the ingress rules of the instance security groups.

A) email.us-east-1.amazonaws.com over port 8080
B) email-pop3.us-east-1.amazonaws.com over port 995
C) email-smtp.us-east-1.amazonaws.com over port 587
D) email-imap.us-east-1.amazonaws.com over port 993

A) AWS IAM groups
B) AWS IAM users
C) AWS IAM roles
D) AWS IAM access keys

A) Enable AWS Trusted Advisor security checks in the AWS Console, and report all security incidents for all regions.
B) Enable AWS CloudTrail by creating individual trails for each region, and specify a single Amazon S3 bucket to receive log files for later analysis.
C) Enable AWS CloudTrail by creating a new trail and applying the trail to all regions. Specify a single Amazon S3 bucket as the storage location.
D) Enable Amazon CloudWatch logging for all AWS services across all regions, and aggregate them to a single Amazon S3 bucket for later analysis.

A) Configure the application's EC2 instances to use NAT gateways for all inbound traffic.
B) Move the web servers to private subnets without public IP addresses.
C) Configure AWS WAF to provide DDoS attack protection for the ALB.
D) Require all inbound network traffic to route through a bastion host in the private subnet.
E) Require all inbound and outbound network traffic to route through an AWS Direct Connect connection.

A) Set up an AWS Organizations hierarchy, and replace the FullAWSAccess policy with the following Service Control Policy for the governed organization units:
B) Create multiple IAM users for the regulated accounts, and attach the following policy statement to restrict services as required:
C) Set up an Organizations hierarchy, replace the global FullAWSAccess with the following Service Control Policy at the top level:
D) Set up all users in the Active Directory for federated access to all accounts in the company. Associate Active Directory groups with IAM groups, and attach the following policy statement to restrict services as required:

A) Configure a proxy solution on Amazon EC2 and route all outbound VPC traffic through it. Perform inspection within proxy software on the EC2 instance.
B) Configure the host-based agent on each EC2 instance within the VPC. Perform inspection within the host-based agent.
C) Enable VPC Flow Logs for all subnets in the VPC. Perform inspection from the Flow Log data within Amazon CloudWatch Logs.
D) Configure Elastic Load Balancing (ELB) access logs. Perform inspection from the log data within the ELB access log files.
E) Configure the CloudWatch Logs agent on each EC2 instance within the VPC. Perform inspection from the log data within CloudWatch Logs.

A) Configure AWS WAF rules to implement the required rules.
B) Use the operating system built-in, host-based firewall to implement the required rules.
C) Use a NAT gateway to control ingress and egress according to the requirements.
D) Launch an EC2-based firewall product from the AWS Marketplace, and implement the required rules in that product.

A) Create a scheduled process to copy the component's logs into Amazon S3. Use S3 events to trigger a Lambda function that updates Amazon CloudWatch metrics with the log data. Set up CloudWatch alerts based on the metrics.
B) Install and configure the Amazon CloudWatch Logs agent on the application's EC2 instance. Create a CloudWatch metric filter to monitor the application logs. Set up CloudWatch alerts based on the metrics.
C) Create a scheduled process to copy the application log files to AWS CloudTrail. Use S3 events to trigger Lambda functions that update CloudWatch metrics with the log data. Set up CloudWatch alerts based on the metrics.
D) Create a file watcher that copies data to Amazon Kinesis when the application writes to the log file. Have Kinesis trigger a Lambda function to update Amazon CloudWatch metrics with the log data. Set up CloudWatch alerts based on the metrics.

A) Deny access to the Amazon DNS IP within all security groups.
B) Add a rule to all network access control lists that deny access to the Amazon DNS IP.
C) Add a route to all route tables that black holes traffic to the Amazon DNS IP.
D) Disable DNS resolution within the VPC configuration.

A) Turn on VPC Flow Logs, send the logs to Amazon S3, and use Amazon Athena to query the logs.
B) Install an Amazon Inspector agent on each EC2 instance, send the logs to Amazon S3, and use Amazon EMR to query the logs.
C) Create an AWS Config rule for each network ACL and security group configuration, send the logs to Amazon S3, and use Amazon Athena to query the logs.
D) Turn on AWS CloudTrail, send the trails to Amazon S3, and use AWS Lambda to query the trails.

A) Specify "aws:SecureTransport": "true" within a condition in the S3 bucket policy. Specify "aws:SecureTransport": "true" within a condition in the S3 bucket policy.
B) Enable a security group for the S3 bucket that allows port 443, but not port 80.
C) Set up default encryption for the S3 bucket.
D) Enable Amazon CloudWatch Logs for the AWS account.
E) Enable API logging of data events for all S3 objects.
F) Enable S3 object versioning for the S3 bucket.

A) The outbound rules on the security group do not allow the response to be sent to the client on the ephemeral port range.
B) The outbound rules on the security group do not allow the response to be sent to the client on the HTTP port.
C) An outbound rule must be added to the network ACL to allow the response to be sent to the client on the ephemeral port range.
D) An outbound rule must be added to the network ACL to allow the response to be sent to the client on the HTTP port.

A) Use security groups to provide stateful firewalls for Amazon EC2 instances at the hypervisor level.
B) Use network ACLs to provide stateful firewalls at the VPC level to prevent access to any specific AWS resource.
C) Use AWS Direct Connect for secure trusted connections between EC2 instances within private subnets.
D) Design network security in a single layer within the perimeter network (also known as DMZ, demilitarized zone, and screened subnet) to facilitate quicker responses to threats.

A) VPN and a cached storage gateway
B) AWS Snowball Edge
C) VPN Gateway over AWS Direct Connect
D) AWS Direct Connect

A) The policy allows access for the AWS account 111122223333 to manage key access though IAM policies.
B) The policy allows all IAM users in account 111122223333 to have full access to the KMS key.
C) The policy allows the root user in account 111122223333 to have full access to the KMS key.
D) The policy allows the KMS service-linked role in account 111122223333 to have full access to the KMS key.
E) The policy allows all IAM roles in account 111122223333 to have full access to the KMS key.

A) Configure an AWS Managed Microsoft AD to manage the cloud resources.
B) Configure an additional on-premises Active Directory service to manage the cloud resources.
C) Establish a one-way trust relationship from the existing Active Directory to the new Active Directory service.
D) Establish a one-way trust relationship from the new Active Directory to the existing Active Directory service.
E) Establish a two-way trust between the new and existing Active Directory services.

A) Create IAM roles with permissions corresponding to each Active Directory group.
B) Create IAM groups with permissions corresponding to each Active Directory group.
C) Configure Amazon Cloud Directory to support a SAML provider.
D) Configure Active Directory to add relying party trust between Active Directory and AWS.
E) Configure Amazon Cognito to add relying party trust between Active Directory and AWS.

A) Create an IAM group for the finance users in the FinanceDept account, then attach the AWS managed ReadOnlyAccess IAM policy to the group.
B) Create an IAM group for the finance users in the MasterPayer account, then attach the AWS managed ReadOnlyAccess IAM policy to the group.
C) Create an AWS IAM role in the FinanceDept account with the ViewBilling permission, then grant the finance users in the MasterPayer account the permission to assume that role.
D) Create an AWS IAM role in the MasterPayer account with the ViewBilling permission, then grant the finance users in the FinanceDept account the permission to assume that role.

A) The CMK specified in the application does not exist.
B) The CMK specified in the application is currently in use.
C) The CMK specified in the application is using the CMK KeyID instead of CMK Amazon Resource Name.
D) The CMK specified in the application is not enabled.
E) The CMK specified in the application is using an alias.

A) Use AWS Artifact to capture an exact image of the state of each instance.
B) Create EBS Snapshots of each of the volumes attached to the compromised instances.
C) Capture a memory dump.
D) Log in to each instance with administrative credentials to restart the instance.
E) Revoke all network ingress and egress except for to/from a forensics workstation.
F) Run Auto Recovery for Amazon EC2.

A) Terminate all Amazon EC2 instances and relaunch them with approved AMIs.
B) Patch all running instances by using AWS Systems Manager.
C) Deploy AWS Config rules and check all running instances for compliance.
D) Define a metric filter in Amazon CloudWatch Logs to verify compliance.

A) Create an Amazon CloudWatch metric filter that looks for API call error codes and then implement an alarm based on that metric's rate.
B) Configure AWS CloudTrail to stream event data to Amazon Kinesis. Configure an AWS Lambda function on the stream to alarm when the threshold has been exceeded.
C) Run an Amazon Athena SQL query against CloudTrail log files. Use Amazon QuickSight to create an operational dashboard.
D) Use the Amazon Personal Health Dashboard to monitor the account's use of AWS services, and raise an alert if service error rates increase.

A) All principals from all AWS accounts to use the key.
B) Only the root user from account 111122223333 to use the key.
C) All principals from account 111122223333 to use the key but only on Amazon S3.
D) Only principals from account 111122223333 that have an IAM policy applied that grants access to this key to use the key.

A) One in the US West (Oregon) region and one in the US East (Virginia) region.
B) Two in the US West (Oregon) region and none in the US East (Virginia) region.
C) One in the US West (Oregon) region and none in the US East (Virginia) region.
D) Two in the US East (Virginia) region and none in the US West (Oregon) region.

A) Digitized files -> Amazon Kinesis Data Analytics
B) Digitized files -> Amazon Kinesis Data Firehose -> Amazon S3 -> Amazon Athena
C) Digitized files -> Amazon Kinesis Data Streams -> Kinesis Client Library consumer -> Amazon S3 -> Athena
D) Digitized files -> Amazon Kinesis Data Firehose -> Amazon Elasticsearch

A) Add a statement to the IAM policy used by the application to allow logs:putLogEvents and logs:createLogStream Add a statement to the IAM policy used by the application to allow logs:putLogEvents and logs:createLogStream
B) Modify the IAM role used by the application by adding the CloudWatchFullAccess managed policy. Modify the IAM role used by the application by adding the CloudWatchFullAccess managed policy.
C) Add a statement to the IAM policy used by the application to allow cloudwatch:putMetricData . Add a statement to the IAM policy used by the application to allow cloudwatch:putMetricData .
D) Add a trust relationship to the IAM role used by the application for cloudwatch.amazonaws.com . Add a trust relationship to the IAM role used by the application for cloudwatch.amazonaws.com

A) Verify that the 0.0.0.0/0 route in the route table for the web server subnet points to a NAT gateway.
B) Verify which Security Group is applied to the particular web server's elastic network interface (ENI).
C) Verify that the 0.0.0.0/0 route in the route table for the web server subnet points to the virtual security appliance.
D) Verify the registered targets in the ALB.
E) Verify that the 0.0.0.0/0 route in the public subnet points to a NAT gateway.

A) The account's CMK key policy must allow the account's IAM roles to perform KMS EnableKey.
B) Newly created CMKs must have a key policy that allows the root principal to perform all actions.
C) Newly created CMKs must allow the root principal to perform the kms CreateGrant API operation.
D) Newly created CMKs must mirror the IAM policy of the KMS key administrator.

A) Use AWS Certificate Manager to encrypt all traffic between the client and application servers.
B) Review the application security groups to ensure that only the necessary ports are open.
C) Use Elastic Load Balancing to offload Secure Sockets Layer encryption.
D) Use Amazon Inspector to periodically scan the backend instances.
E) Use AWS Key Management Services to encrypt all the traffic between the client and application servers.

A) Use AWS Config to detect whether an Internet Gateway is added and use an AWS Lambda function to provide auto-remediation.
B) Within the Amazon VPC configuration, mark the VPC as private and disable Elastic IP addresses.
C) Use IPv6 addressing exclusively on the EC2 hosts, as this prevents the hosts from being accessed from the internet.
D) Move the workload to a Dedicated Host, as this provides additional network security controls and monitoring.

A) Request KMS to provide the stored unencrypted data key and then use the retrieved data key to decrypt the data.
B) Keep the plaintext data key stored in Amazon DynamoDB protected with IAM policies. Query DynamoDB to retrieve the data key to decrypt the data
C) Use the Encrypt API to store an encrypted version of the data key with another customer managed key. Decrypt the data key and use it to decrypt the data when required.
D) Store the encrypted data key alongside the encrypted data. Use the Decrypt API to retrieve the data key to decrypt the data when required.

A) Add each employee's home IP address to the security group for the application so that only those users can access the workload.
B) Create a virtual gateway for VPN connectivity for each employee, and restrict access to the workload from within the VPC.
C) Use a VPN appliance from the AWS Marketplace for users to connect to, and restrict workload access to traffic from that appliance.
D) Route all traffic to the workload through AWS WAF. Add each employee's home IP address into an AWS WAF rule, and block all other traffic.

A) Change the "Resource" from "arn: aws:s3:::Bucket" to "arn:aws:s3:::Bucket/*".
B) Change the "Principal" from "*" to {AWS:"arn:aws:iam: : account-number: user / username"}
C) Change the "Version" from "2012-10-17" to the last revised date of the policy
D) Change the "Action" from ["s3:*"] to ["s3:GetObject", "s3:ListBucket"]

A) Ensure that CloudTrail and S3 bucket access logging is enabled for the Analyst's AWS account. B Verify that a metric filter was created and then mapped to an alarm. Check the alarm notification action.
B) Check the CloudWatch dashboards to ensure that there is a metric configured with an appropriate dimension for security group changes.
C) Verify that the Analyst's account is mapped to an IAM policy that includes permissions for cloudwatch: GetMetricStatistics and Cloudwatch: ListMetrics.

A) Create a rule in AWS WAF rules with conditions that block requests based on the presence of ExampleGame/1.22 in the User-Agent header
B) Create a geographic restriction on the CloudFront distribution to prevent access to the application from most geographic regions
C) Create a rate-based rule in AWS WAF to limit the total number of requests that the web application services.
D) Create an IP-based blacklist in AWS WAF to block the IP addresses that are originating from requests that contain ExampleGame/1.22 in the User-Agent header.

A) Configure and assign an MFA device to the role used by the instances.
B) Verify that the SQS resource policy does not explicitly deny access to the role used by the instances.
C) Verify that the access key attached to the role used by the instances is active.
D) Attach the AmazonSQSFullAccess managed policy to the role used by the instances.
E) Verify that the role attached to the instances contains policies that allow access to the queue.

A) Use the KMS direct encrypt function on the log data every time a CloudTrail log is generated.
B) Use the default Amazon S3 server-side encryption with S3-managed keys to encrypt and decrypt the CloudTrail logs.
C) Configure CloudTrail to use server-side encryption using KMS-managed keys to encrypt and decrypt CloudTrail logs.
D) Use encrypted API endpoints so that all AWS API calls generate encrypted CloudTrail log entries using the TLS certificate from the encrypted API call.

A) Remove the sensitive data from the object name, and store the sensitive data using S3 user-defined metadata.
B) Add an S3 bucket policy that denies the action s3:GetObject
C) Use a random and unique S3 object key, and create an S3 metadata index in Amazon DynamoDB using client-side encrypted attributes.
D) Store all sensitive objects in Binary Large Objects (BLOBS) in an encrypted Amazon RDS instance.

A) In CloudTrail, verify that the trail logging bucket has a log prefix configured.
B) In Amazon SNS, determine whether the "Account spend limit" has been reached for this alert.
C) In SNS, ensure that the subscription used by these alerts has not been deleted.
D) In CloudWatch, verify that the alarm threshold "consecutive periods" value is equal to, or greater than 1.

A) Amazon S3 with default encryption
B) AWS CloudHSM
C) Amazon DynamoDB with server-side encryption
D) AWS Systems Manager Parameter Store

A) Amazon Elasticsearch
B) Amazon Kinesis
C) Amazon SQS
D) Amazon CloudWatch
E) Amazon Athena

A) Move the bastion host to the VPC with VPN connectivity. Create a VPC peering relationship between the bastion host VPC and Aurora VPC.
B) Create a SSH port forwarding tunnel on the Developer's workstation to the bastion host to ensure that only authorized SSH clients can access the bastion host.
C) Move the bastion host to the VPC with VPN connectivity. Create a cross-account trust relationship between the bastion VPC and Aurora VPC, and update the Aurora security group for the relationship.
D) Create an AWS Direct Connect connection between the corporate network and the Aurora account, and adjust the Aurora security group for this connection.

A) Configure an Amazon Route 53 routing policy to send all web traffic that does not include the required headers to a black hole.
B) Implement an AWS Lambda@Edge origin response function that inserts the required headers.
C) Migrate the legacy application to an Amazon S3 static website and front it with an Amazon CloudFront distribution.
D) Construct an AWS WAF rule to replace existing HTTP headers with the required security headers by using regular expressions.

A) Change the S3 bucket/object permission so that only the bucket owner has access.
B) Set up a CloudFront origin access identity (OAI), and change the S3 bucket/object permission so that only the OAI has access.
C) Create IAM roles for CloudFront, and change the S3 bucket/object permission so that only the IAM role has access.
D) Redirect S3 bucket access to the corresponding CloudFront distribution.

A) Connect to the EC2 instances that are not sending the appropriate logs and verify that the CloudWatch Logs agent is running.
B) Log in to the AWS account and select CloudWatch Logs. Check for any monitored EC2 instances that are in the "Alerting" state and restart them using the EC2 console.
C) Verify that the EC2 instances have a route to the public AWS API endpoints.
D) Connect to the EC2 instances that are not sending logs. Use the command prompt to verify that the right permissions have been set for the Amazon SNS topic.
E) Verify that the network access control lists and security groups of the EC2 instances have the access to send logs over SNMP.

A) Create IAM roles with permissions corresponding to each Active Directory group.
B) Create IAM groups with permissions corresponding to each Active Directory group.
C) Create a SAML provider with IAM.
D) Create a SAML provider with Amazon Cloud Directory.
E) Configure AWS as a trusted relying party for the Active Directory
F) Configure IAM as a trusted relying party for Amazon Cloud Directory.

A) Install antivirus software and ensure that signatures are up-to-date. Configure Amazon CloudWatch alarms to send alerts for security events.
B) Install host-based IDS software to check for file integrity. Export the logs to Amazon CloudWatch Logs for monitoring and alerting.
C) Export system log files to Amazon S3. Parse the log files using an AWS Lambda function that will send alerts of any unauthorized system login attempts through Amazon SNS.
D) Use Amazon CloudWatch Logs to detect file system changes. If a change is detected, automatically terminate and recreate the instance from the most recent AMI. Use Amazon SNS to send notification of the event.

A) Create a NACL to allow access on TCP port 443 from the 1;500 subsidiary CIDR block ranges. Associate the NACL to both the NLB and EC2 instances
B) Create an AWS security group to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges. Associate the security group to the NLB. Create a second security group for EC2 instances with access on TCP port 443 from the NLB security group.
C) Create an AWS PrivateLink endpoint service in the parent company account attached to the NLB. Create an AWS security group for the instances to allow access on TCP port 443 from the AWS PrivateLink endpoint. Use AWS PrivateLink interface endpoints in the 1,500 subsidiary AWS accounts to connect to the data processing application.
D) Create an AWS security group to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges. Associate the security group with EC2 instances.

A) Obtain the list of instances by directly querying Amazon EC2 using: aws ec2 describe-instances --filters "Name=key-name,Values=KEYNAMEHERE" . Obtain the list of instances by directly querying Amazon EC2 using: aws ec2 describe-instances --filters "Name=key-name,Values=KEYNAMEHERE" .
B) Obtain the fingerprint for the key pair from the AWS Management Console, then search for the fingerprint in the Amazon Inspector logs.
C) Obtain the output from the EC2 instance metadata using: curl http: //169.254.169.254/latest/meta-data/public- keys/0/.
D) Obtain the fingerprint for the key pair from the AWS Management Console, then search for the fingerprint in Amazon CloudWatch Logs using: aws logs filter-log-events . Obtain the fingerprint for the key pair from the AWS Management Console, then search for the fingerprint in Amazon CloudWatch Logs using: aws logs filter-log-events

A) Create a new S3 bucket in a separate AWS account for centralized storage of CloudTrail logs, and enable "Log File Validation" on all trails.
B) Use an existing S3 bucket in one of the accounts, apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the "s3: PutObject" action and the "s3 GetBucketACL" action, and specify the appropriate resource ARNs for the CloudTrail trails.
C) Apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the "s3 PutObject" action and the "s3 GelBucketACL" action, and specify the appropriate resource ARNs for the CloudTrail trails.
D) Use unique log file prefixes for trails in each AWS account.
E) Configure CloudTrail in the centralized account to log all accounts to the new centralized S3 bucket.
F) Enable encryption of the log files by using AWS Key Management Service

A) Use a Network Load Balancer (NLB) to pass through traffic on port 443 from the internet to port 443 on the instances.
B) Purchase an external certificate, and upload it to the AWS Certificate Manager (for use with the ELB) and to the instances. Have the ELB decrypt traffic, and route and re-encrypt with the same certificate.
C) Generate an internal self-signed certificate and apply it to the instances. Use AWS Certificate Manager to generate a new external certificate for the ELB. Have the ELB decrypt traffic, and route and re-encrypt with the internal certificate.
D) Upload a new external certificate to the load balancer. Have the ELB decrypt the traffic and forward it on port 80 to the instances.

A) Amazon S3 static web hosting
B) Amazon CloudFront distribution
C) Application Load Balancer
D) Amazon Route 53
E) VPC Flow Logs

A) Enable AES-256 encryption using server-side encryption with Amazon S3-managed encryption keys (SSE-S3) on the S3 bucket.
B) Enable default encryption with server-side encryption with AWS KMS-managed keys (SSE-KMS) on the S3 bucket.
C) Add a bucket policy that includes a deny if a PutObject request does not include aws:SecureTransport . Add a bucket policy that includes a deny if a PutObject request does not include aws:SecureTransport .
D) Add a bucket policy with aws:SourceIp to Allow uploads and downloads from the corporate intranet only. Add a bucket policy with aws:SourceIp to Allow uploads and downloads from the corporate intranet only.
E) Add a bucket policy that includes a deny if a PutObject request does not include s3:x-amz-server-side-encryption: "aws:kms" . request does not include s3:x-amz-server-side-encryption: "aws:kms"
F) Enable Amazon Macie to monitor and act on changes to the data lake's S3 bucket.

A) Use AWS Certificate Manager to generate certificates from a public certificate authority and deploy them to all the containers.
B) Create a self-signed certificate in one container and use AWS Secrets Manager to distribute the certificate to the other containers to establish trust.
C) Use AWS Certificate Manager Private Certificate Authority (ACM PCA) to create a subordinate certificate authority, then create the private keys in the containers and sign them using the ACM PCA API.
D) Use AWS Certificate Manager Private Certificate Authority (ACM PCA) to create a subordinate certificate authority, then use AWS Certificate Manager to generate the private certificates and deploy them to all the containers.

A) Update the ssm.amazonaws.com principal in the KMS key policy to allow kms: Decrypt.
B) Update the Lambda configuration to launch the function in a VPC.
C) Add a policy to the role that the Lambda function uses, allowing kms: Decrypt for the KMS key.
D) Add lambda.amazonaws.com as a trusted entity on the IAM role that the Lambda function uses.

A) Store the scripts in the AMI and encrypt the sensitive data using AWS KMS Use the instance role profile to control access to the KMS keys needed to decrypt the data.
B) Store the sensitive data in AWS Systems Manager Parameter Store using the encrypted string parameter and assign the GetParameters permission to the EC2 instance role.
C) Externalize the bootstrap scripts in Amazon S3 and encrypt them using AWS KMS. Remove the scripts from the instance and clear the logs after the instance is configured.
D) Block user access of the EC2 instance's metadata service using IAM policies. Remove all scripts and clear the logs after execution.

A) Have a Database Administrator encrypt the credentials and store the ciphertext in Amazon S3. Grant permission to the instance role associated with the EC2 instance to read the object and decrypt the ciphertext.
B) Configure a scheduled job that updates the credential in AWS Systems Manager Parameter Store and notifies the Engineer that the application needs to be restarted.
C) Configure automatic rotation of credentials in AWS Secrets Manager.
D) Store the credential in an encrypted string parameter in AWS Systems Manager Parameter Store. Grant permission to the instance role associated with the EC2 instance to access the parameter and the AWS KMS key that is used to encrypt it.
E) Configure the Java application to catch a connection failure and make a call to AWS Secrets Manager to retrieve updated credentials when the password is rotated. Grant permission to the instance role associated with the EC2 instance to access Secrets Manager.

A) Ensure that the log file integrity validation mechanism is enabled.
B) Ensure that all log files are written to at least two separate Amazon S3 buckets in the same account.
C) Ensure that Systems Administrators and Developers can edit log files, but prevent any other access.
D) Ensure that Systems Administrators and Developers with job-related need-to-know requirements only are capable of viewing-but not modifying-the log files.
E) Ensure that all log files are stored on Amazon EC2 instances that allow SSH access from the internal corporate network only.

A) Create a new database field "suspended_status" and modify the application logic to validate that field when processing requests.
B) Add suspended customers to second Cognito user pool and update the application login flow to check both user pools.
C) Use Amazon Cognito Sync to push out a "suspension_status" parameter and split the IAM policy into normal users and suspended users.
D) Move suspended customers to a second Cognito group and define an appropriate IAM access policy for the group.

A) The CMK policy
B) The VPC endpoint policy
C) The S3 bucket policy
D) The S3 ACL
E) The IAM policy

A) Create a custom authorization service using AWS Lambda.
B) Configure a SAML identity provider in Amazon Cognito to map attributes to the Amazon Cognito user pool attributes.
C) Configure the SAML identity provider to add the Amazon Cognito user pool as a relying party.
D) Configure an Amazon Cognito identity pool to integrate with social login providers.
E) Update DynamoDB to store the user email addresses and passwords.
F) Update API Gateway to use a COGNITO_USER_POOLS authorizer. Update API Gateway to use a COGNITO_USER_POOLS authorizer.

A) Create an IAM user and generate a set of long-term credentials. Provide the credentials to AnyCompany. Monitor access in IAM access advisor and plan to rotate credentials on a recurring basis.
B) Request an external ID from AnyCompany and add a condition with sts:Externald to the role's trust policy. Request an external ID from AnyCompany and add a condition with sts:Externald to the role's trust policy.
C) Require two-factor authentication by adding a condition to the role's trust policy with aws:MultiFactorAuthPresent. Require two-factor authentication by adding a condition to the role's trust policy with aws:MultiFactorAuthPresent.
D) Request an IP range from AnyCompany and add a condition with aws:SourceIp to the role's trust policy. Request an IP range from AnyCompany and add a condition with aws:SourceIp

A) Update the IAM policy attached to the role in the identity account to be:
B) Update the trust policy on the role in the target account to be:
C) Update the trust policy on the role in the identity account to be:
D) Update the IAM policy attached to the role in the target account to be:

A) Use AWS KMS with AWS managed keys and the ScheduleKeyDeletion API with a PendingWindowInDays set to 0 to remove the keys if necessary.
B) Use KMS with AWS imported key material and then use the DeletelmportedKeyMaterial API to remove the key material if necessary.
C) Use AWS CloudHSM to store the keys and then use the CloudHSM API or the PKCS11 library to delete the keys if necessary.
D) Use the Systems Manager Parameter Store to store the keys and then use the service API operations to delete the key if necessary.

A)
B)
C)
D)

A) Create an AWS Lambda function that determines whether Flow Logs are enabled for a given VPC.
B) Create an AWS Config configuration item for each VPC in the company AWS account.
C) Create an AWS Config managed rule with a resource type of AWS:: Lambda:: Function.
D) Create an Amazon CloudWatch Event rule that triggers on events emitted by AWS Config.
E) Create an AWS Config custom rule, and associate it with an AWS Lambda function that contains the evaluating logic.

A) The execution role for the Lambda function did not grant permissions to write log data to CloudWatch Logs.
B) The Lambda function was executed by using Amazon API Gateway, so the logs are not stored in CloudWatch Logs.
C) The execution role for the Lambda function did not grant permissions to write to the Amazon S3 bucket where CloudWatch Logs stores the logs.
D) The version of the Lambda function that was executed was not current.