Amazon Web Services SCS-C02 AWS Certified Security - Specialty Exam Practice Test

Export the CloudWatch Logs group data to Amazon S3. Use Amazon Macie to query the logs for the specific IP address and the requested URLs.

Configure a CloudWatch Logs subscription to stream the log group to an Am-azon OpenSearch Service cluster. Use OpenSearch Service to analyze the logs for the specific IP address and the requested URLs.

Use CloudWatch Logs Insights and a custom query syntax to analyze the CloudWatch logs for the specific IP address and the requested URLs.

Export the CloudWatch Logs group data to Amazon S3. Use AWS Glue to crawl the S3 bucket for only the log entries that contain the specific IP ad-dress. Use AWS Glue to view the results.

Attach a resource policy to the S3 bucket to grant read access to the role.

Launch a new deployment of the application in a different AWS Region. Attach the role to the application.

Review the IAM policy by using AWS Identity and Access Management Access Analyzer to ensure that the policy grants the right permissions. Validate that the application is assuming the role correctly.

Ensure that the S3 Block Public Access feature is disabled on the S3 bucket. Review AWS CloudTrail logs to validate that the application is assuming the role correctly.

Use the application to rotate the keys in every 2 months via the SDK

Use a script to query the creation date of the keys. If older than 2 months, create new access key and update all applications to use it inactivate the old key and delete it.

Delete the user associated with the keys after every 2 months. Then recreate the user again.

Delete the IAM Role associated with the keys after every 2 months. Then recreate the IAM Role again.

Use TLS certificates from AWS Certificate Manager (ACM) with an Application Load Balancer. Deploy self-signed certificates on the EC2 instances. Ensure that the database client software uses a TLS connection to Amazon RDS. Enable encryption of the RDS DB instance. Enable encryption on the Amazon Elastic Block Store (Amazon EBS) volumes that support the EC2 instances.

Use TLS certificates from a third-party vendor with an Application Load Balancer. Install the same certificates on the EC2 instances. Ensure that the database client software uses a TLS connection to Amazon RDS. Use AWS Secrets Manager for client-side encryption of application data.

Use AWS CloudHSM to generate TLS certificates for the EC2 instances. Install the TLS certificates on the EC2 instances. Ensure that the database client software uses a TLS connection to Amazon RDS. Use the encryption keys form CloudHSM for client-side encryption of application data.

Use Amazon CloudFront with AWS WAF. Send HTTP connections to the origin EC2 instances. Ensure that the database client software uses a TLS connection to Amazon RDS. Use AWS Key Management Service (AWS KMS) for client-side encryption of application data before the data is stored in the RDS database.

Use AWS Backup to create backups of the EC2 instances and S3 buckets every hour. Create AWS CloudFormation templates that replicate existing architecture components. Use AWS CodeCommit to store the CloudFormation templates alongside application configuration code.

Use AWS Backup to create backups of the EBS volumes and S3 objects every day. Use Amazon Security Lake to create a centralized data lake for AWS CloudTrail logs and VPC flow logs. Use the logs for automated response.

Use Amazon Security Lake to create a centralized data lake for AWS CloudTrail logs and VPC flow logs. Use the logs for automated response Enable AWS Security Hub to establish a single location for recovery procedures. Create AWS CloudFormation templates that replicate existing architecture components. Use AWS CodeCommit to store the CloudFormation templates alongside application configuration code.

Create EBS snapshots every 4 hours Enable Amazon GuardDuty Malware Protection. Create automation to immediately restore the most recent snapshot for any EC2 instances that produce an Execution:EC2/MaliciousFile finding in GuardDuty.

Update the IAM WAF rules in the affected account and use IAM Firewall Manager to push updated IAM WAF rules across all other accounts.

Use GuardDuty centralized logging and Amazon SNS to set up alerts to notify all application teams of security incidents.

Use GuardDuty alerts to write an IAM Lambda function that updates all accounts by adding additional NACLs on the Amazon EC2 instances to block known malicious IP addresses.

Use IAM Shield Advanced to identify threats in each individual account and then apply the account-based protections to all other accounts through Organizations.

The principal's identity-based policy grants access to put objects into the S3 bucket with no conditions.

The principal's identity-based policy overrides the condition because the identity-based policy contains an explicit allow.

The S3 bucket's resource policy does not deny access to put objects.

The S3 bucket's resource policy cannot allow actions to the principal.

The bucket policy does not apply to principals in the same zone of trust.

In each account, update the ECR registry to use Amazon Inspector instead of the default scanning service. Configure Amazon Inspector to forwardvulnerability findings to AWS Security Hub in a central security account. Provide access for the audit team to use Security Hub to review the findings.

In each account, configure AWS Config to monitor the configuration of the ECS containers and the ECR registry. Configure AWS Config conformance packs forvulnerability scanning. Create an AWS Config aggregator in a central account to collect configuration and compliance details from all accounts. Provide theaudit team with access to AWS Config in the account where the aggregator is configured.

In each account, configure AWS Audit Manager to scan the ECS containers and the ECR registry. Configure Audit Manager to forward vulnerability findings toAWS Security Hub in a central security account. Provide access for the audit team to use Security Hub to review the findings.

In each account, configure Amazon GuardDuty to scan the ECS containers and the ECR registry. Configure GuardDuty to forward vulnerability findings to AWS Security Hub in a central security account. Provide access for the audit team to use Security Hub to review the findings.

IAM Inspector, CloudTrail, IAM Credential Reports

CloudTrail. IAM Credential Reports, IAM SNS

CloudTrail, IAM Config, IAM Credential Reports

IAM SQS, IAM Credential Reports, CloudTrail

Create a new SCP in the marketing team's account. Configure the SCP to explicitly allow resource sharing.

Edit the existing SCP to add a Condition statement that excludes the marketing team's account.

Edit the existing SCP to include an Allow statement that specifies the marketing team's account.

Create an IAM permissions boundary policy to explicitly allow resource sharing. Attach the policy to IAM users in the marketing team's account.

Remove the existing NAT gateway. Create a new NAT gateway that only the application server subnets can use.

Configure the DB instanceג€™s inbound network ACL to deny traffic from the security group ID of the NAT gateway.

Modify the route tables of the DB instance subnets to remove the default route to the NAT gateway.

Configure the route table of the NAT gateway to deny connections to the DB instance subnets.

Enable AWS Config. Configure AWS Config to monitor for sensitive data in the S3 bucket and to send notifications to the SNS topic.

Create an AWS Lambda function to scan the S3 bucket for sensitive data that matches a pattern. Program the Lambda function to send notifications to the SNS topic.

Configure Amazon Made to use managed data identifiers to identify and categorize sensitive data. Create an Amazon EventBndge rule to send notifications to the SNS topic.

Enable Amazon GuardDuty Configure AWS CloudTrail S3 data events Create an Amazon CloudWatch alarm that reacts to GuardDuty findings and sends notifications to the SNS topic.

Use an IP set match rule statement that includes the IP address for loT devices from the user agent.

Use a geographic match rule statement. Configure the statement to block countries that the loT devices are located in.

Use a rate-based rule statement. Set a rate limit that is equal to the number of requests that are coming from the loT devices.

Use a string match rule statement that includes details of the loT device brand from the user agent.

Create an Inline IAM user policy that allows for Amazon EC2 access for the contractor's IAM user.

Create an IAM permissions boundary policy that allows Amazon EC2 access. Associate the contractor's IAM account with the IAM permissions boundary policy.

Create an IAM group with an attached policy that allows for Amazon EC2 access. Associate the contractor's IAM account with the IAM group.

Create an IAM role that allows for EC2 and explicitly denies all other services. Instruct the contractor to always assume this role.

Amazon Athena

Amazon Kinesis

Amazon SQS

Amazon Elasticsearch

Amazon EMR

Ensure that the operations team configures default bucket encryption on the S3 bucket to use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Ensure that the security team creates an IAM policy that controls access to use the encryption keys.

Ensure that the operations team creates a bucket policy that requires requests to use server-side encryption with AWS KMS keys (SSE-KMS) that are customer managed. Ensure that the security team creates a key policy that controls access to the encryption keys.

Ensure that the operations team creates a bucket policy that requires requests to use server-side encryption with Amazon S3 managed keys (SSE-S3). Ensure that the security team creates an IAM policy that controls access to the encryption keys.

Ensure that the operations team creates a bucket policy that requires requests to use server-side encryption with customer-provided encryption keys (SSE-C). Ensure that the security team stores the customer-provided keys in AWS Key Management Service (AWS KMS). Ensure that the security team creates a key policy that controls access to the encryption keys.

Set up VPC peering between the central server VPC and each of the teams VPCs.

Set up IAM DirectConnect between the central server VPC and each of the teams VPCs.

Set up an IPSec Tunnel between the central server VPC and each of the teams VPCs.

None of the above options will work.

Create an AWS WAF web ACL. Add the AWSManagedRulesACFPRuleSet rule group to the web ACL. Associate the web ACL with the CloudFront distribution.

Create an AWS WAF web ACL. Add a rate limit rule to the web ACL. Include a RateBasedStatement entry that has a SearchString value that points to /store/registration

Specify /store/registration as the registration page path Specify /store/newaccount as the account creation path

Enable AWS Shield Advanced for the account that hosts the CloudFront distribution Configure a DNS-specific custom mitigation that uses the Shield Response Team (SRT) for /store/newaccount.

Enable Amazon GuardOuty for the account that hosts the CloudFront distribution. Enable Lambda Protection for the Lambda functions that answer calls to /store/registration and /store/newaccount.

Create a new SCP in the marketing team's account. Configure the SCP to explicitly allow resource sharing.

Edit the existing SCP to add a Condition statement that excludes the marketing team's account.

Edit the existing SCP to include an Allow statement that specifies the marketing team's account.

Create an IAM permissions boundary policy to explicitly allow resource sharing. Attach the policy to IAM users in the marketing team's account.

Configure Amazon EC2 to enable encryption in the EC2 network interface properties.

Configure Amazon EBS to enable volume encryption with AWS Key Management Service (AWS KMS) for data at rest.

Configure Amazon EBS to enable TLS encryption in the volume configuration properties.

Configure Amazon EC2 to enable TLS encryption with certificates that are stored in AWS Certificate Manager (ACM).

Create a new Amazon S3 bucket. Use EBS lifecycle policies to move EBS snapshots to the new S3 bucket. Move snapshots to Amazon S3 Glacier using lifecycle policies, and apply Glacier Vault Lock policies to prevent deletion.

Use AWS Systems Manager to distribute a configuration that performs local backups of all attached disks to Amazon S3.

Create a new AWS account with limited privileges. Allow the new account to access the AWS KMS key used to encrypt the EBS snapshots, and copy the encrypted snapshots to the new account on a recurring basis.

Use AWS Backup to copy EBS snapshots to Amazon S3.

Move the SCP to the root OU of organization to remove the restriction to access Amazon $3.

Add an IAM policy for the developer, which grants $3 access.

Create a new OU without applying the SCP restricting $3 access. Move the developer account to this new OU.

Add an allow list for the developer account for the $3 service.

Encrypt the secrets in us-east-1 by using an AWS managed KMS key. Replicate the secrets to us-west-1. Encrypt the secrets in us-west-1 by using a newAWS managed KMS key in us-west-1.

Encrypt the secrets in us-east-1 by using an AWS managed KMS key. Configure resources in us-west-1 to call the Secrets Manager endpoint in us-east-1.

Encrypt the secrets in us-east-1 by using a customer managed KMS key. Configure resources in us-west-1 to call the Secrets Manager endpoint in us-east-1.

Encrypt the secrets in us-east-1 by using a customer managed KMS key. Replicate the secrets to us-west-1. Encrypt the secrets in us-west-1 by using thecustomer managed KMS key from us-east-1.

Option A

Option B

Option C

Create an AWS Step Functions state machine that checks the resource type in the finding and adds an explicit Deny statement in the trust policy for the IAM role. Configure the state machine to publish a notification to an Amazon SNS topic.

Create an AWS Batch job that forwards any resource type findings to an AWS Lambda function. Configure the Lambda function to add an explicit Deny statement in the trust policy for the IAM role. Configure the AWS Batch job to publish a notification to an Amazon SNS topic.

In Amazon EventBridge, create an event rule that matches active IAM Access Analyzer findings and invokes AWS Step Functions for resolution.

In Amazon CloudWatch, create a metric filter that matches active IAM Access Analyzer findings and invokes AWS Batch for resolution.

Create an Amazon SQS queue. Configure the queue to forward a notification to the security team that an external principal has been granted access to the specific IAM role and has been blocked.

Create an Amazon SNS topic for external or cross-account access notices. Subscribe the security team's email addresses to the topic.

Create an Application Load Balancer with the existing EC2 instances as a target group. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the ALB. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to the ALB. Update security groups on the EC2 instances to prevent direct access from the internet.

Create an Amazon CloudFront distribution specifying one EC2 instance as an origin. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the distribution. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to CloudFront.

Obtain the latest source code for the platform and make the necessary updates. Test the updated code to ensure that the vulnerability has been mitigated, then deploy the patched version of the platform to the EC2 instances.

Update the security group that is attached to the EC2 instances, removing access from the internet to the TCP port used by the SQL database. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the EC2 instances. Test to ensure the vulnerability has been mitigated, then restore the security group to the original setting.

Move the Aurora database into a private subnet that has no internet access routes in the database's current VPC Configure the Lambda functions to use the Auroradatabase's new private IP address to access the database Configure the Aurora databases security group to allow access from the private IP addresses of the Lambda functions

Establish a VPC endpoint between the two VPCs in the Aurora database's VPC configure a service VPC endpoint for Amazon RDS In the Lambda functions' VPC.configure an interface VPC endpoint that uses the service endpoint in the Aurora database's VPC Configure the service endpoint to allow connections from the Lambda functions.

Establish an AWS Direct Connect interface between the VPCs Configure the Lambda functions to use a new route table that accesses the Aurora database through the Direct Connect interface Configure the Aurora database's security group to allow access from the Direct Connect interface IP address

Move the Lambda functions into a public subnet in their VPC Move the Aurora database into a private subnet in its VPC Configure the Lambda functions to use the Aurora database's new private IP address to access the database Configure the Aurora database to allow access from the public IP addresses of the Lambda functions

Create a new trail and configure it to send CloudTrail logs to Amazon S3. Use Amazon EventBridge (Amazon CloudWatch Events) to send notification if a trail is deleted or stopped.

Deploy an IAM Lambda function in every account to check if there is an existing trail and create a new trail, if needed.

Edit the existing trail in the Organizations master account and apply it to the organization.

Create an SCP to deny the cloudtrail:Delete" and cloudtrail:Stop' actions. Apply the SCP to all accounts.

Review the AWS CloudTrail logs in the account in the Production OU Search for any failed API calls from CloudFormation during the deployment attempt.

Remove all the SCPs that are attached to the Production OU Rerun the CloudFormation stack update to determine if the SCPs were preventing the CloudFormation API calls.

Confirm that the role used by CloudFormation has sufficient permissions to create update and delete the resources that are referenced in the CloudFormation template.

Make all the SCPs that are attached to the Production OU the same as the SCPs that are attached to the Testing OU.

Activate Amazon GuardDuty in ap-east-1. Designate the secunty account as the GuardDuty delegated administrator by using the console.

Activate Amazon GuardDuty in ap-east-1 with trusted access toAWS Organizations Designate the management account as the GuardDuty organization administrator.

Activate AWS Security Hub in ap-east-1 Designate the management account as the Security Hub delegated administrator by using the console.

Activate AWS Control Tower in ap-east-1 with trusted access to AWS Organizations Designate the security account as the organization administrator.

Import the key material into AWS Key Management Service (AWS KMS).

Manually upload the new host key to the AWS trusted host keys database.

Ensure that the AmazonSSMManagedInstanceCore policy is attached to the EC2 instance profile.

Create a new SSH key pair for the EC2 instance.

For each team, create an AM policy similar to the one that fellows Populate the ec2: ResourceTag/Team condition key with a proper team name Attach resulting policies to the corresponding IAM roles.

B. For each team create an IAM policy similar to the one that follows Populate the IAM TagKeys/Team condition key with a proper team name.Attach the resuming policies to the corresponding IAM roles.

C. Tag each IAM role with a Team lag key. and use the team name in the tag value. Create an IAM policy similar to the one that follows, and attach 4 to all the IAM roles used by developers.

D. Tag each IAM role with the Team key, and use the team name in the tag value. Create an IAM policy similar to the one that follows, and it to all the IAM roles used by developers.

Use AWS Identity and Access Management Access Analyzer to determine which resources the exposed credentials accessed and who used them.

Deactivate the exposed IAM access key from the user's IAM account.

Create a rule in Amazon GuardDuty to block the access key in the source code from being used.

Create a new IAM access key and secret key for the user whose credentials were exposed.

Generate an IAM credential report. Check the report to determine when the user that owns the access key last logged in.

Create an Amazon EventBridge rule to send Amazon Simple Notification Service (Amazon SNS) email notifications for Amazon GuardDutyUnauthorizedAccesslAMUser/lnstanceCredentialExfiltration OutsideAWS findings.

Change the AWS account contact information for the Operations type to a separate email address. Periodically poll this email address for notifications.

Create an Amazon EventBridge rule that reacts to AWS Health events that have a value of Risk for the service category Configure email notifications by usingAmazon Simple Notification Service (Amazon SNS).

Implement new anomaly detection software. Ingest AWS CloudTrail logs. Configure monitoring for ConsoleLogin events in the AWS Management Console.Configure email notifications from the anomaly detection software.

Enable VPC Flow Logs in all VPCs Create a scheduled IAM Lambda function that downloads and parses the logs, and sends an Amazon SNS notification for violations.

Use IAM CloudTrail to make a trail, and apply it to all Regions Specify an Amazon S3 bucket to receive all the CloudTrail log files

Add the following bucket policy to the company's IAM CloudTrail bucket to prevent log tampering{"Version": "2012-10-17-,"Statement": {"Effect": "Deny","Action": "s3:PutObject","Principal": "-","Resource": "arn:IAM:s3:::cloudtrail/IAMLogs/111122223333/*"}}Create an Amazon S3 data event for an PutObject attempts, which sends notifications to an Amazon SNS topic.

Create a Security Auditor role with permissions to access Amazon CloudWatch Logs m all Regions Ship the logs to an Amazon S3 bucket and make a lifecycle policy to ship the logs to Amazon S3 Glacier.

Verify that Amazon GuardDuty is enabled in all Regions, and create an Amazon CloudWatch Events rule for Amazon GuardDuty findings Add an Amazon SNS topic as the rule's target

Use AWS Identity and Access Management Access Analyzer to identity the permissions that the developers need on each account. Configure 1AM Access Analyzer to automatically provision the correct access for each developer.

Create an Amazon Simple Workflow Service (Amazon SWF) workflow. Instruct the developers to use the workflow to request access to other accounts when additional access is necessary.

Create I AM roles in the testing account and production account. Add a policy that allows the sts:AssumeRole action to the roles. Create 1AM roles in the development account for the developers who have access to the testing and production accounts. Add these roles to the trust policy on the new roles in the testing and production accounts.

Create service accounts in the testing environment and production environment. Give the access keys for the service accounts to developers who require access to the testing account and the production account. Rotate the access keys for the service accounts periodically.

Activate Amazon GuardDuty in each production account. In a dedicated logging account. aggregate all GuardDuty logs from each production account.Remediate incidents by configuring GuardDuty to directly invoke an AWS Lambda function. Configure the Lambda function to also publish notifications to the SNS topic.

Activate AWS security Hub in each production account. In a dedicated logging account. aggregate all security Hub findings from each production account. Remediate incidents by ustng AWS Config and AWS Systems Manager. Configure Systems Manager to also pub11Sh notifications to the SNS topic.

Activate Amazon GuardDuty in each production account. In a dedicated logging account. aggregate all GuardDuty logs from each production account Remediate incidents by using Amazon EventBridge to invoke a custom AWS Lambda function from the GuardDuty findings. Configure the Lambda function to also publish notifications to the SNS topic.

Activate AWS Security Hub in each production account. In a dedicated logging account. aggregate all Security Hub findings from each production account. Remediate incidents by using Amazon EventBridge to invoke a custom AWS Lambda function from the Security Hub findings. Configure the Lambda function to also publish notifications to the SNS topic.

Configure GuardDuty to send the event to an Amazon Kinesis data stream. Process the event with an Amazon Kinesis Data Analytics for Apache Flink application that sends a notification to the company through Amazon Simple Notification Service (Amazon SNS). Add rules to the network ACL to block traffic to and from the suspicious instance.

Configure GuardDuty to send the event to Amazon EventBridge (Amazon CloudWatch Events). Deploy an AWS WAF web ACL. Process the event with an AWS Lambda functionthat sends a notification to the company through Amazon Simple Notification Service (Amazon SNS) and adds a web ACL rule to block traffic to and from the suspicious instance.

Enable AWS Security Hub to ingest GuardDuty findings and send the event to Amazon EventBridge (Amazon CloudWatch Events). Deploy AWS Network Firewall. Process the event with an AWS Lambda function that adds a rule to a Network Firewall firewall policy to block traffic to and from the suspicious instance.

Enable AWS Security Hub to ingest GuardDuty findings. Configure an Amazon Kinesis data stream as an event destination for Security Hub. Process the event with an AWS Lambda function that replaces the security group of the suspicious instance with a security group that does not allow any connections.

Create an IAM Config rule to detect the creation of unencrypted RDS databases. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to trigger on the IAM Config rules compliance state change and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.

Use IAM System Manager State Manager to detect RDS database encryption configuration drift. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to track state changes and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.

Create a read replica for the existing unencrypted RDS database and enable replica encryption in the process. Once the replica becomes active, promote it into a standalone database instance and terminate the unencrypted database instance.

Take a snapshot of the unencrypted RDS database. Copy the snapshot and enable snapshot encryption in the process. Restore the database instance from the newly created encrypted snapshot. Terminate the unencrypted database instance.

Enable encryption for the identified unencrypted RDS instance by changing the configurations of the existing database

Option A

Option B

Option C

Option D

Create an Amazon CloudWatch Logs log group. Configure the load balancers to send logs to the log group. Use the CloudWatch Logs console to search the logs. Create CloudWatch Logs filters on the logs for the required met-rics.

Create an Amazon S3 bucket. Configure the load balancers to send logs to the S3 bucket. Use Amazon Athena to search the logs that are in the S3 bucket. Create Amazon CloudWatch filters on the S3 log files for the re-quired metrics.

Create an Amazon S3 bucket. Configure the load balancers to send logs to the S3 bucket. Use Amazon Athena to search the logs that are in the S3 bucket. Create Athena queries for the required metrics. Publish the metrics to Amazon CloudWatch.

Create an Amazon CloudWatch Logs log group. Configure the load balancers to send logs to the log group. Use the AWS Management Console to search the logs. Create Amazon Athena queries for the required metrics. Publish the metrics to Amazon CloudWatch.

Implement AWS 1AM Access Analyzer policy generation on the role.

Implement AWS 1AM Access Analyzer policy validation on the role.

Search CloudWatch logs to determine the actions the role invoked and to evaluate the permissions.

Use AWS Trusted Advisor to compare the policies assigned to the role against AWS best practices.

Use IAM Control Tower. Modify the default Account Factory networking template to automatically associate new accounts with a centrally managed VPC through a VPC peering connection and to create a default route to the VPC peer in the default route table. Create an SCP that denies the CreatelnternetGateway action. Attach the SCP to all accounts except the security inspection account.

Create a centrally managed VPC in the security inspection account. Establish VPC peering connections between the security inspection account and other accounts. Instruct account owners to create default routes in their account route tables that point to the VPC peer. Create an SCP that denies theAttach InternetGateway action. Attach the SCP to all accounts except the security inspection account.

Use IAM Control Tower. Modify the default Account Factory networking template to automatically associate new accounts with a centrally managed transitgateway and to create a default route to the transit gateway in the default route table. Create an SCP that denies the AttachlnternetGateway action. Attach the SCP to all accounts except the security inspection account.

Enable IAM Resource Access Manager (IAM RAM) for IAM Organizations. Create a shared transit gateway, and make it available by using an IAM RAM resource share. Create an SCP that denies the CreatelnternetGateway action. Attach the SCP to all accounts except the security inspection account. Create routes in the route tables of all accounts that point to the shared transit gateway.

Create an 1AM user Attach an 1AM policy to the 1AM user Use the AWS CLI to generate temporary credentials for the 1AM user Use the access key, secret key, and session token to authenticate to AWS from the workflow.

Enable AWS 1AM Identity Center and configure it to use a local directory. Create a new service user in the 1AM Identity Center directory. Use the AWS CLI to generate temporary credentials for the service user Use the user ID and session token to authenticate to AWS from the workflow.

Create an OpenID Connect (OIDC) identity provider (IdP) in 1AM Use GitHub as the provider. Create an 1AM role Attach the role to a trust policy that contains condition keys to restrict the GitHub repositones that will run the workflow. Use the role ARN to authenticate to AWS from the workflow.

Configure Amazon Cognito and create an identity pool. Configure the identity pool for a SAML identity provider (IdP) Use GitHub as the provider. Create an 1AM role Attach the role to a trust policy that allows the sts AssumeRole action for Cognito Configure the workflow in GitHub to authenticate against the SAML IdP.

Use AWS IAM Access Analyzer to analyze the policies. View the findings from policy validation checks.

Review AWS Trusted Advisor checks for all accounts in the organization.

Set up AWS Audit Manager. Run an assessment for all AWS Regions for all accounts.

Ensure that Amazon Inspector agents are installed on all Amazon EC2 in-stances in all accounts.

The IAM policy needs to allow the kms:DescribeKey permission.

The S3 bucket has been changed to use the AWS managed key to encrypt objects at rest.

An S3 bucket policy needs to be added to allow the IAM user to access the objects.

The KMS key policy has been edited to remove the ability for the AWS account to have full access to the key.

chmod 0040 ssh/my_private_key pern

chmod 0400 ssh/my_private_key pern

chmod 0004 ssh/my_private_key pern

chmod 0777 ssh/my_private_key pern

Use EC2 Dedicated Instances for the tokenization component of the application.

Place the EC2 instances that manage the tokenization process into a partition placement group.

Create a separate VPC. Deploy new EC2 instances into the separate VPC to support the data tokenization.

Deploy the tokenization code onto AWS Nitro Enclaves that are hosted on EC2 instances.

Custom SSL certificate that is stored in AWS Key Management Service (AWS KMS)

Default SSL certificate that is stored in Amazon CloudFront.

Custom SSL certificate that is stored in AWS Certificate Manager (ACM)

Default SSL certificate that is stored in Amazon S3

Configure Amazon CloudWatch Logs Insights

Create an Amazon CloudWatch dashboard

Configure AWS Security Hub integrations

Query the findings by using Amazon Athena

Create a Security Hub custom action to assess the log group retention period.

Create a data protection policy in CloudWatch Logs to assess the log group retention period.

Create a Security Hub automation rule Configure the automation rule to assess the log group retention period.

Use the AWS Config managed rule that assesses the log group retention period Ensure that AWS Config integration is enabled in Security Hub.

Create a Lambda@Edge function. Include code to add the X-Frame-Options header to the response. Configure the function to run in response to the CloudFront origin response event.

Create a Lambda@Edge function. Include code to add the X-Frame-Options header to the response. Configure the function to run in response to the CloudFront viewer request event.

Update the CloudFront distribution by adding X-Frame-Options to custom headers in the origin settings.

Customize the EC2 hosted application to add the X-Frame-Options header to the responses that are returned to CloudFront.

Ensure that the S3 bucket policy allows access to the service provider's role to decrypt objects.

Add a statement to the key policy to allow the service provider's role the kms: Decrypt action (or the key.

Add the AWSKeyManagementServicePowerUser AWS managed policy to the service provider's role.

Migrate the key to AWS Certificate Manager (ACM) to create a shared endpoint for access to the key.

Use Cloudwatch logs to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS for the notification.

Use Cloudwatch metrics to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS for the notification.

Use IAM inspector to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS f the notification.

Use Cloudwatch events to be triggered for any changes to the Security Groups. Configure the Lambda function for email notification as well.

Create a NACL to allow access on TCP port 443 (rom the 1.500 subsidiary CIDR block ranges Associate the NACL to both the NLB and EC2 instances.

Create an AWS security group to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges Associate the security group to the NLB Create a second security group (or EC2 instances with access on TCP port 443 from the NLB security group.

Create an AWS PrivateLink endpoint service in the parent company account attached to the NLB. Create an AWS security group for the instances to allow access on TCP port 443 from the AWS PrivateLink endpoint Use AWS PrivateLink interface endpoints in the 1.500 subsidiary AWS accounts to connect to the data processing application.

Create an AWS security group to allow access on TCP port 443 from the 1.500 subsidiary CIDR block ranges. Associate the security group with EC2 instances.

Add a deny rule to the public VPC security group to block the malicious IP

Add the malicious IP to IAM WAF backhsted IPs

Configure Linux iptables or Windows Firewall to block any traffic from the malicious IP

Modify the hosted zone in Amazon Route 53 and create a DNS sinkhole for the malicious IP

Port scanning inside the company's VPC

Brute force test of the Amazon S3 bucket namespace

Use of a SQL injection tool on the company's web application against an Amazon RDS for PostgreSQL DB instance

Packet flooding of the company's web application

DNS zone walking through Amazon Route 53 hosted zones

Use AWS Backup to apply a 5-year retention tag to the RDS snapshots.

Enable versioning on the S3 bucket that AWS Backup uses for the RDS snapshots. Configure a 5-year retention period.

Create an S3 Lifecycle policy. Include a 5-year retention period for the S3 bucket that AWS Backup uses for the RDS snapshots.

Create a backup plan in AWS Backup. Configure a 5-year retention period.

Review the cross-account role permissions and the S3 bucket policy Verify that the Amazon S3 block public access option in the member account is deactivated.

Review the role permissions m the master account and ensure it has sufficient privileges to perform S3 operations

Filter IAM CloudTrail logs for the master account to find the original deny event and update the cross-account role m the member account accordingly Verify that the Amazon S3 block public access option in the master account is deactivated.

Evaluate the SCPs covering the member account and the permissions boundary of the role in the member account for missing permissions and explicit denies.

Ensure the S3 bucket policy explicitly allows the s3 PutBucketPublicAccess action for the role m the member account

Create a CloudWatch Logs account-wide data protection policy. Specify the appropriate data identifiers for the policy. Ensure that the developers do not have the logs:Unmask 1AM permission.

Export the CloudWatch Logs data to an Amazon S3 bucket. Set up automated discovery by using Amazon Macie on the S3 bucket. Create a custom data identifier for the sensitive data. Remove the developers' access to CloudWatch Logs. Grant permissions for the developers to view the exported log data in Amazon S3.

Export the CloudWatch Logs data to an Amazon S3 bucket. Set up automated discovery by using Amazon Macie on the S3 bucket. Specify the appropriate managed data identifiers. Remove the developers' access to CloudWatch Logs. Grant permissions for the developers to view the exported log data in Amazon S3.

Create a CloudWatch Logs data protection policy for each log group. Specify the appropriate data identifiers for the policy. Ensure that the developers do not have the logsiUnmask 1AM permission.

Create a new trail and configure it to send CloudTraiI logs to Amazon S3. Use Amazon EventBridge to send notification if a trail is deleted or stopped.

Deploy an AWS Lambda function in every account to check if there is an existing trail and create a new trail, if needed.

Edit the existing trail in the Organizations management account and apply it to the organization.

Create an SCP to deny the cloudtraiI:DeIete• and cloudtraiI:Stop• actbns. Apply the SCP to all accounts.

Use AWS KMS with AWS managed keys and the ScheduleKeyDeletion API with a PendingWindowInDays set to 0 to remove the keys if necessary.

Use KMS with AWS imported key material and then use the DeletelmportedKeyMaterial API to remove the key material if necessary.

Use AWS CloudHSM to store the keys and then use the CloudHSM API or the PKCS11 library to delete the keys if necessary.

Use the Systems Manager Parameter Store to store the keys and then use the service API operations to delete the keys if necessary.

Enable VPC flow logs for the VPC that hosts the EKS clusters.

Assign the CloudWatchEventsFullAccess AWS managed policy to the EKS clusters.

Ensure that the AmazonGuardDutyFullAccess AWS managed policy is attached to the GuardDuty service role.

Enable the control plane logs in Amazon EKS. Ensure that the logs are ingested into Amazon CloudWatch.

The IAM instance profile that is attached to the EC2 instance does not allow the s3 ListBucket action to the S3: bucket in the AWS accounts.

The I AM instance profile that is attached to the EC2 instance does not allow the s3 ListParts action to the S3; bucket in the AWS accounts.

The KMS key policy that encrypts the object in the S3 bucket does not allow the kms; ListKeys action to the EC2 instance profile ARN.

The KMS key policy that encrypts the object in the S3 bucket does not allow the kms Decrypt action to the EC2 instance profile ARN.

The security group that is attached to the EC2 instance is missing an outbound rule to the S3 managed prefix list over port 443.

The security group that is attached to the EC2 instance is missing an inbound rule from the S3 managed prefix list over port 443.

Use inbound rule 100 to allow traffic on TCP port 443 Use inbound rule 200 to deny traffic on TCP port 3306 Use outbound rule 100 to allow traffic on TCP port 443

Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow trafficon TCP port range 1024-65535. Use outbound rule 100 to allow traffic on TCP port 443

Use inbound rule 100 to allow traffic on TCP port range 1024-65535 Use inbound rule 200 to deny traffic on TCP port 3306 Use outbound rule 100 to allow traffic on TCP port 443

Use inbound rule 100 to deny traffic on TCP port 3306 Use inbound rule 200 to allow traffic on TCP port 443 Use outbound rule 100 to allow traffic on TCP port 443

Manually rotate a key within KMS to create a new CMK immediately

Use the KMS import key functionality to execute a delete key operation

Use the schedule key deletion function within KMS to specify the minimum wait period for deletion

Change the KMS CMK alias to immediately prevent any services from using the CMK.

Option A

Option B

Option C

Option D

Create an IAM user that has only programmatic access. Create a new access key pair. Add environmental variables to the Lambda function with the ac-cess key ID and secret access key. Modify the Lambda function to use the environmental variables at run time during communication with Amazon S3.

Generate an Amazon EC2 key pair. Store the private key in AWS Secrets Man-ager. Modify the Lambda function to retrieve the private key from Secrets Manager and to use the private key during communication with Amazon S3.

Create an IAM role for the Lambda function. Attach an IAM policy that al-lows access to the S3 bucket.

Create an IAM role for the Lambda function. Attach a bucket policy to the S3 bucket to allow access. Specify the function's IAM role as the princi-pal.

Create a security group. Attach the security group to the Lambda function. Attach a bucket policy that allows access to the S3 bucket through the se-curity group ID.

Amazon Athena

Amazon Kinesis

Amazon SQS

Amazon Elasticsearch

Amazon EMR

Check the Amazon S3 bucket policy. Verify that the policy allows the config.amazonaws.com service to write to the target bucket.

Verify that the IAM entity has the permissions necessary to perform the s3:GetBucketAcl and s3:PutObject* operations to write to the target bucket.

Verify that the Amazon S3 bucket policy has the permissions necessary to perform the s3:GetBucketAcl and s3:PutObject* operations to write to the target bucket.

Check the policy that is associated with the IAM entity. Verify that the policy allows the config.amazonaws.com service to write to the target bucket.

Verify that the AWS Config service role has permissions to invoke the BatchGetResourceConfig action instead of the GetResourceConfigHistory action and s3:PutObject* operation.

Update the CloudFront distribution. configuring it to optionally use HTTPS when connecting to origins on Amazon S3

Update the web application configuration on the web servers to use HTTPS instead of HTTP when connecting to DynamoDB

Update the CloudFront distribution to redirect HTTP corrections to HTTPS

Configure the web servers on the EC2 instances to listen using HTTPS using the public ACM TLS certificate Update the ALB to connect to the target group using HTTPS

Update the ALB listen to listen using HTTPS using the public ACM TLS certificate. Update the CloudFront distribution to connect to the HTTPS listener.

Create a TLS certificate Configure the web servers on the EC2 instances to use HTTPS only with that certificate. Update the ALB to connect to the target group using HTTPS.

Configure S3 Block Public Access for all S3 buckets.

Configure S3 Block Public Access for all AWS accounts.

Deploy an SCP that includes the "awsiResourceOrgPaths": "${aws:PrincipalOrgPaths}" condition.

Deploy an SCP that includes the "aws:ResourceOrglD": "${aws:PrincipalOrglD}" condition.

Add full Amazon Inspector IAM permissions to the Security Hub service role to allow it to perform the CIS compliance evaluation

Ensure that IAM Trusted Advisor Is enabled in the account and that the Security Hub service role has permissions to retrieve the Trusted Advisor security-related recommended actions

Ensure that IAM Config. is enabled in the account, and that the required IAM Config rules have been created for the CIS compliance evaluation

Ensure that the correct trail in IAM CloudTrail has been configured for monitoring by Security Hub and that the Security Hub service role has permissions to perform the GetObject operation on CloudTrails Amazon S3 bucket

Configure S3 server-side encryption. Create an S3 bucket policy that has an explicit deny rule for all users for s3:DeleteObject and s3:PutObject API calls. Configure S3 Object Lock to use governance mode with a retention period of 7 years.

Configure S3 server-side encryption. Configure S3 Versioning on the S3 bucket. Configure S3 Object Lock to use compliance mode with a retention period of 7 years.

Configure S3 Versioning. Configure S3 Intelligent-Tiering on the S3 bucket to move the documents to S3 Glacier Deep Archive storage. Use S3 server-side encryption immediately. Expire the objects after 7 years.

Set up S3 Event Notifications and use S3 server-side encryption. Configure S3 Event Notifications to target an AWS Lambda function that will review any S3 API call to the S3 bucket and deny the s3:DeleteObject and s3:PutObject API calls. Remove the S3 eventnotification after 7 years.

Terminate SSL from clients on the existing ALB. Use HTTPS to connect from the ALB to the EC2 instances.

Replace the existing ALB with a Network Load Balancer (NLB) On the NLB, configure an SSL listener and TCP passthrough to receive client connections Terminate HTTPS traffic from the NLB on the EC2 instances.

Replace the existing ALB with a Network Load Balancer (NLB) On the NLB, configure TCP passthrough to receive client connections Terminate SSL from the NLB on the EC2 instances

Configure a Network Load Balancer (NLB) with TCP passthrough to receive client connections Terminate SSL on the existing ALB.

Configure a Network Load Balancer (NLB) with a TLS listener to receive client connections Configure TCP passthrough on the existing ALB so that the NLB can reach the EC2 instances Terminate SSL from the ALB on the EC2 instances.

Install the Amazon CloudWatch agent on each EC2 instance in the VPC. Use the CloudWatch agent to stream the DNS query logs to an Amazon CloudWatch Logs log group. Use CloudWatch metric filters to automatically generate metrics that list the most common ONS queries.

Install a BIND DNS server in the VPC. Create a bash script to list the DNS request number of common DNS queries from the BIND logs.

Create VPC flow logs for all subnets in the VPC. Stream the flow logs to an Amazon CloudWatch Logs log group. Use CloudWatch Logs Insights to list the most common DNS queries for the log group in a custom dashboard.

Configure Amazon Route 53 Resolver query logging. Add an Amazon CloudWatch Logs log group as the destination. Use Amazon CloudWatch Contributor Insights to analyze the data and create time series that display the most common DNS queries.

Configure the S3 bucket to use an AWS Key Management Service (AWS KMS) key. Encrypt all objects in the S3 bucket by creating a bucket policy that enforces encryption. Configure an SCP to deny the s3:GetObject action for the OU that contains the AWS account.

Enable the PublicAccessBlock configuration on the S3 bucket. Configure an SCP to deny the s3:GetObject action for the OU that contains the AWS account.

Enable the PublicAccessBlock configuration on the S3 bucket. Configure an SCP to deny the s3:PutPublicAccessBlock action for the OU that contains the AWS account.

Configure the S3 bucket to use S3 Object Lock in governance mode. Configure an SCP to deny the s3:PutPublicAccessBlock action for the OU that contains the AWS account.

Outbound SG configuration on database servers Inbound SG configuration on application servers inbound and outbound network ACL configuration on the database subnet Inbound and outbound network ACL configuration on the application server subnet

Inbound SG configuration on database serversOutbound SG configuration on application serversInbound and outbound network ACL configuration on the database subnetInbound and outbound network ACL configuration on the application server subnet

Inbound and outbound SG configuration on database servers Inbound and outbound SG configuration on application servers Inbound network ACL configuration on the database subnet Outbound network ACL configuration on the application server subnet

Inbound SG configuration on database servers Outbound SG configuration on application servers Inbound network ACL configuration on the database subnet Outbound network ACL configuration on the application server subnet.

Configure IAM KMS and use a custom key store. Create a customer managed CMK with no key material Import the company's keys and key material into the CMK

Configure IAM KMS and use the default Key store Create an IAM managed CMK with no key material Import the company's key material into the CMK

Configure IAM KMS and use the default key store Create a customer managed CMK with no key material import the company's key material into the CMK

Configure IAM KMS and use a custom key store. Create an IAM managed CMK with no key material. Import the company's key material into the CMK.

Enable AWS Config for the entire organization. For all accounts, set up the ec2-managedinstance-applications-required AWS Config managed rule and specify the application name.

Enable AWS Config for the entire organization. Provide new AMIs that have the required software application pre-installed. Set up the approved-amis-by-id AWS Config managed rule for all accounts.

Create a Systems Manager Distributor package for the required software application for the entire organization. Install the Distributor package by using Systems Manager Run Command. Review the output.

Configure Systems Manager Application Manager to collect a current list of installed software applications in the entire organization. Filter for the required application by software status.

Configure AWS Config to send its configuration snapshots to an Amazon S3 bucket. Create an AWS Lambda function to run on a PutEvent to the S3 bucket. Configure the Lambda function to parse the snapshot for a compliance change to the restricled-ssh managed rule. Configure the Lambda function to send a notification to an Amazon Simple Notification Service (Amazon SNS) topic if a change is discovered.

Configure an Amazon EventBridge event rule that is invoked by a compliance change event from AWS Config for the restricted-ssh managed rule. Configure the event rule to target an Amazon Simple Notification Service (Amazon SNS) topic that will provide a notification.

Configure AWS Config to push all its compliance notifications to Amazon CloudWatch Logs Configure a CloudWatch Logs metric filter on the AWS Config log group to look for a compliance notification change on the restricted-ssh managed rule. Create an Amazon CloudWatch alarm on the metric filter to send a notification to an Amazon Simple Notification Service (Amazon SNS) topic if the alarm is in the ALARM state.

Configure an Amazon CloudWatch alarm on (he CloudWatch metric for the restricted-ssh managed rule. Configure the CloudWatch alarm to send a notification to an Amazon Simple Notification Service (Amazon SNS) topic if the alarm is in the ALARM state.

Set up IAM policies from the Lambda console to hide access to the environment variables.

Use AWS Step Functions to store the environment variables. Access the environment variables at runtime. Use IAM permissions to restrict access to the environment variables to only the Lambda functions that require access.

Store the environment variables in AWS Secrets Manager, and access them at runtime. Use IAM permissions to restrict access to the secrets to only the Lambda functions that require access.

Store the environment variables in AWS Systems Manager Parameter Store as secure string parameters, and access them at runtime. Use IAM permissions to restrict access to the parameters to only the Lambda functions that require access.

B.  

C.  

D.   A screenshot of a computer code Description automatically generated

Configure S3 Object Lock on the bucket with a retention penod of 10 years Specify governance mode as the retention mode. Create an S3 Lifecycle policy that will expire objects after 10 years.

Configure S3 Object Lock on the bucket with a retention period of 10 years Specify compliance mode as the retention mode. Create an S3 Lifecycle policy that will expire objects after 10 years.

Configure S3 Object Lock on the bucket with a retention penod of 10 years Place a legal hold on the objects. Create an S3 Lifecycle policy that will remove versionmg for the objects and expire objects after 10 years.

Configure S3 Object Lock on the bucket Specify compliance mode as the retention mode Place a legal hold on the objects. Create an S3 Lifecycle policy that will expire the objects after 10 years.

The ACL in the bucket needs to be updated

The IAM policy does not allow the user to access the bucket

It takes a few minutes for a bucket policy to take effect

The allow permission is being overridden by the deny

Turn on AWS Trusted Advisor. Configure security notifications as webhooks in the preferences section of the CI/CD pipeline.

Turn on AWS Config. Use the prebuilt rules or customized rules. Subscribe the CI/CD pipeline to an Amazon Simple Notification Service (Amazon SNS) topic that receives notifications from AWS Config.

Create rule sets in AWS CloudFormation Guard. Run validation checks for CloudFormation templates as a phase of the CI/CD process.

Create rule sets as SCPs. Integrate the SCPs as a part of validation control in a phase of the CI/CD process.

Verify thattheS3 bucket policy allows CloudTrail to write objects.

Verify thatthe1AM role used by CloudTrail has access to write to Amazon CloudWatch Logs.

Remove any lifecycle policies on the S3 bucket that are archiving objects to S3 Glacier Flexible Retrieval.

Verify thattheS3 bucket defined in CloudTrail exists.

Verify that the log file prefix defined in CloudTrail exists in the S3 bucket.

Use a role-based approach by creating an IAM role with an inline permissions policy that allows access to the secret. Update the IAM principals in the role trust policy as required.

Deploy a VPC endpoint for Secrets Manager. Create and attach an endpoint policy that specifies the IAM principals that are allowed to access the secret. Update the list of IAM principals as required.

Use a tag-based approach by attaching a resource policy to the secret. Apply tags to the secret and the IAM principals. Use the aws:PrincipalTag and aws:ResourceTag IAM condition keys to control access.

Use a deny-by-default approach by using IAM policies to deny access to the secret explicitly. Attach the policies to an IAM group. Add all IAM principals to the IAM group. Remove principals from the group when they need access. Add the principals to the group again when access is no longer allowed.

Add an inbound rule to the security group associated with the logging server that allows requests from the web server.

Add an outbound rule to the security group associated with the web server that allows requests to the logging server.

Add a route to the route table associated with the subnet that hosts the logging server that targets the peering connection.

Add a route to the route table associated with the subnet that hosts the web server that targets the peering connection.

Create a CodeCommit repository in the security account using IAM Key Management Service (IAM KMS) tor encryption Require the development team to migrate the Lambda source code to this repository

Store the API key in an Amazon S3 bucket in the security account using server-side encryption with Amazon S3 managed encryption keys (SSE-S3) to encrypt the key Create a resigned URL tor the S3 key. and specify the URL m a Lambda environmental variable in the IAM CloudFormation template Update the Lambda function code to retrieve the key using the URL and call the API

Create a secret in IAM Secrets Manager in the security account to store the API key using IAM Key Management Service (IAM KMS) tor encryption Grant access to the IAM role used by the Lambda function so that the function can retrieve the key from Secrets Manager and call the API

Create an encrypted environment variable for the Lambda function to store the API key using IAM Key Management Service (IAM KMS) tor encryption Grant access to the IAM role used by the Lambda function so that the function can decrypt the key at runtime

Option A

Option B

Option C

Option D

Create new S3 buckets with S3 Object Lock enabled in compliance mode. Place objects in the S3 buckets.

Use S3 Glacier Vault Lock to attach a Vault Lock policy to new S3 buckets. Wait 24 hours to complete the Vault Lock process. Place objects in the S3 buckets.

Create new S3 buckets with S3 Object Lock enabled in governance mode. Place objects in the S3 buckets.

Create new S3 buckets with S3 Object Lock enabled in governance mode. Add a legal hold to the S3 buckets. Place objects in the S3 buckets.

Update the password length policy in the 1AM configuration

Update the password length policy in the Cognito configuration.

Update the password length policy in the on-premises Active Directory configuration.

Create an SCP in AWS Organizations. Configure the SCP to enforce a minimum password length for 1AM and Cognito.

Create an 1AM policy that includes a condition for minimum password length Enforce the policy for 1AM and Cognito

Create an AWS CloudTrail trail with log file validation enabled. Enable data events. Specify Amazon S3 as the data event type.

Create a new S3 bucket for S3 server access logs. Configure the existing S3 buckets to send their S3 server access logs to the new S3 bucket.

Create an Amazon CloudWatch Logs log group. Configure the existing S3 buckets tosend their S3 server access logs to the log group.

Create a new S3 bucket for S3 server access logs with log file validation enabled. Enable data events. Specify Amazon S3 as the data event type.

Analyze the logs by using Amazon OpenSearch Service. Search the logs from the OpenSearch API. Use OpenSearch Service Security Analytics to match logs with detection rules and to send alerts to the SNS topic.

Analyze the logs by using AWS Security Hub. Search the logs from the Findings page in Security Hub. Create custom actions to match logs with detection rules and to send alerts to the SNS topic.

Analyze the logs by using Amazon CloudWatch Logs. Use a subscription filter to match logs with detection rules and to send alerts to the SNS topic. Search the logs manually by using CloudWatch Logs Insights.

Analyze the logs by using Amazon QuickSight. Search the logs by listing the query results in a dashboard. Run queries to match logs with detection rules and to send alerts to the SNS topic.

Remove the Condition element. Change the Principal element to the following:{“AWS”: “arn "aws" ::: lambda ::: function:MyLambdaFunction”}

Change the Action element to the following:" s3:GetObject*"" s3:GetBucket*"

Change the Resource element to "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*".

Change the Resource element to "arn:aws:lambda:::function:MyLambdaFunction". Change the Principal element to the following:{“Service”: “s3.amazonaws.com”}

bucketl only

bucket2 only

Both bucketl and bucket2

Neither bucketl nor bucket2

Use a designated administration account to automatically set up member accounts.

Create the AWS Service Role ForSecurrty Hub service-linked rote for Security Hub.

Send an administration request from the member accounts.

Enable Security Hub for all member accounts.

Send invitations to accounts that are outside the company's organization from the Security Hub administrator account.

Enable AWS Security Hub in the AWS account.

Enable Amazon GuardDuty in the AWS account.

Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team’s email distribution list to the topic.

Create an Amazon Simple Queue Service (Amazon SQS) queue. Subscribe the security team’s email distribution list to the queue.

Create an Amazon EventBridge (Amazon CloudWatch Events) rule for GuardDuty findings of high severity. Configure the rule to publish a message to the topic.

Create an Amazon EventBridge (Amazon CloudWatch Events) rule for Security Hub findings of high severity. Configure the rule to publish a message to the queue.

Ensure that the EC2 instance profile that is attached to the EC2 instances has permissions to create log streams and write logs.

Create a metric filter on the logs so that they can be viewed in the AWS Management Console.

Check the CloudWatch agent configuration file on each EC2 instance to make sure that the CloudWatch agent is collecting the proper log files.

Check the VPC endpoint policies of both VPC endpoints to ensure that the EC2 instances have permissions to use them.

Create a NAT gateway in the subnet so that the EC2 instances can communicate with CloudWatch.

Ensure that the security groups allow all the EC2 instances to communicate with each other to aggregate logs before sending.

Enable Amazon RDS encryption to encrypt the database and snapshots. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instances. Include the database credential in the EC2 user data field. Use an AWS Lambda function to rotate database credentials. Set up TLS for the connection to the database.

Install a database on an Amazon EC2 instance. Enable third-party disk encryption to encrypt Amazon Elastic Block Store (Amazon EBS) volume. Store the database credentials in AWS CloudHSM with automatic rotation. Set up TLS for the connection to the database.

Enable Amazon RDS encryption to encrypt the database and snapshots. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instances. Store the database credentials in AWS Secrets Manager with automatic rotation. Set up TLS for the connection to the RDS hosted database.

Set up an AWS CloudHSM cluster with AWS Key Management Service (AWS KMS) to store KMS keys. Set up Amazon RDS encryption using AWS KSM to encrypt the database. Store the database credentials in AWS Systems Manager Parameter Store with automatic rotation. Set up TLS for the connection to the RDS hosted database.

Update the EC2 instance security group to add a rule that allows outbound traffic on port 443 for 0.0.0.0/0.

Update the EC2 instance security group to add a rule that allows inbound traffic on port 443 to the VPC's CIDR range.

Create an EC2 key pair. Associate the key pair with the EC2 instance.

Create a VPC interface endpoint for Systems Manager in the VPC where the EC2 instance islocated.

Attach a security group to the VPC interface endpoint. Allow inbound traffic on port 443 to the VPC's CIDR range.

Create a VPC interface endpoint for the EC2 instance in the VPC where the EC2 instance is located.

Use AWS Certificate Manager to encrypt all traffic between the client and application servers.

Review the application security groups to ensure that only the necessary ports are open.

Use Elastic Load Balancing to offload Secure Sockets Layer encryption.

Use Amazon Inspector to periodically scan the backend instances.

Use AWS Key Management Services to encrypt all the traffic between the client and application servers.

B. A computer code with black text Description automatically generated

A computer code with black text Description automatically generated

A computer code with text Description automatically generated

On a recurring basis, update an IAM user policies to require that EC2 instances are created with an encrypted volume

Configure an IAM Config rule lo run on a recurring basis 'or volume encryption

Set up Amazon Inspector rules tor volume encryption to run on a recurring schedule

Use CloudWatch Logs to determine whether instances were created with an encrypted volume

Use the AWS Management Console to edit the structure of the secret in Secrets Manager so that the secret automatically conforms with the struc-ture that the database requires.

Ensure that the security group that is attached to the Lambda function al-lows outbound connections to the EC2 instance. Ensure that the security group that is attached to the EC2 instance allows inbound connections from the security group that is attached to the Lambda function.

Use the Secrets Manager list-secrets command in the AWS CLI to list the secret. Identify the database credentials. Use the Secrets Manager rotate-secret command in the AWS CLI to force the immediate rotation of the secret.

Add an internet gateway to the VPC. Create a NAT gateway in a public sub-net. Update the VPC route tables so that traffic from the Lambda function and traffic from the EC2 instance can reach the Secrets Manager public endpoint.

Use Amazon Inspector. Create inclusion rules in Amazon ECR to match repos-itories that need to be scanned. Push Amazon Inspector findings to AWS Se-curity Hub.

Use ECR basic scanning of container images. Create inclusion rules in Ama-zon ECR to match repositories that need to be scanned. Push findings to AWS Security Hub.

Use ECR basic scanning of container images. Create inclusion rules in Ama-zon ECR to match repositories that need to be scanned. Push findings to Amazon Inspector.

Use Amazon Inspector. Create inclusion rules in Amazon Inspector to match repositories that need to be scanned. Push Amazon Inspector findings to AWS Config.

Gather any relevant metadata for the compromised EC2 instance. Enable ter-mination protection. Isolate the instance by updating the instance's secu-rity groups to restrict access. Detach the instance from any Auto Scaling groups that the instance is a member of. Deregister the instance from any Elastic Load Balancing (ELB) resources.

Gather any relevant metadata for the compromised EC2 instance. Enable ter-mination protection. Move the instance to an isolation subnet that denies all source and destination traffic. Associate the instance with the subnet to restrict access. Detach the instance from any Auto Scaling groups that the instance is a member of. Deregister the instance from any Elastic Load Balancing (ELB) resources.

Use Systems Manager Run Command to invoke scripts that collect volatile data.

Establish a Linux SSH or Windows Remote Desktop Protocol (RDP) session to the compromised EC2 instance to invoke scripts that collect volatile data.

Create a snapshot of the compromised EC2 instance's EBS volume for follow-up investigations. Tag the instance with any relevant metadata and inci-dent ticket information.

Create a Systems Manager State Manager association to generate an EBS vol-ume snapshot of the compromised EC2 instance. Tag the instance with any relevant metadata and incident ticket information.

Enable AWS Security Hub for all accounts. In the Security Hub administrator account, enable the GuardDuty integration. Create automation rules to elevate findings for the production account and the S3 bucket.

Enable AWS Security Hub for all accounts. In the Security Hub administrator account, enable the GuardDuty integration. Use Amazon EventBridge to create a custom rule to elevate findings for the production account and the S3 bucket.

Use the GuardDuty administrator account to configure a threat list that includes the production account and the S3 bucket. Use Amazon EventBridge and Amazon Simple Notification Service (Amazon SNS) to elevate findings from the threat list.

Use the GuardDuty administrator account to enable S3 protection for the support account that contains the S3 bucket. Configure GuardDuty to elevate findings for the production account and the S3 bucket.

A. Configure and assign an MFA device to the role used by the instances.

B. Verify that the SQS resource policy does not explicitly deny access to the role used by the instances.

C. Verify that the access key attached to the role used by the instances is active.

D. Attach the AmazonSQSFullAccest. managed policy to the role used by the instances.

E Verify that the role attached to the instances contains policies that allow access to the queue

Use AD Connector to create users and groups for all employees that require access to IAM accounts. Assign AD Connector groups to IAM accounts and link to the IAM roles in accordance with the employees‘job functions and access requirements Instruct employees to access IAM accounts by using the IAM Directory Service user portal.

Use an IAM SSO default directory to create users and groups for all employees that require access to IAM accounts. Assign groups to IAM accounts and link to permission sets in accordance with the employees‘job functions and access requirements. Instruct employees to access IAM accounts by using the IAM SSO user portal.

Use an IAM SSO default directory to create users and groups for all employees that require access to IAM accounts. Link IAM SSO groups to the IAM users present in all accounts to inherit existing permissions. Instruct employees to access IAM accounts by using the IAM SSO user portal.

Use IAM Directory Service tor Microsoft Active Directory to create users and groups for all employees that require access to IAM accounts Enable IAM Management Console access in the created directory and specify IAM SSO as a source cl information tor integrated accounts and permission sets. Instruct employees to access IAM accounts by using the IAM Directory Service user portal.

Analyze an IAM Identity and Access Management (IAM) use report from IAM Trusted Advisor to see when the access key was last used.

Analyze Amazon CloudWatch Logs for activity by searching for the access key.

Analyze VPC flow logs for activity by searching for the access key

Analyze a credential report in IAM Identity and Access Management (IAM) to see when the access key was last used.

Configure the S3 Block Public Access feature for the AWS account.

Configure the S3 Block Public Access feature for all objects that are in the bucket.

Deactivate ACLs for objects that are in the bucket.

Use AWS PrivateLink for Amazon S3 to access the bucket.

Modify the EventBridge event pattern by selecting Amazon S3. Select All Events as the event type.

Modify the EventBridge event pattern by selecting Amazon S3. Select Bucket Level Operations as the event type.

Enable CloudTrail Insights to identify unusual API activity.

Enable CloudTrail to monitor data events for read and write operations to S3 buckets.

Filter the event history on the exposed access key in the CloudTrail console Examine the data from the past 11 days.

Use the IAM CLI lo generate an IAM credential report Extract all the data from the past 11 days.

Use Amazon Athena to query the CloudTrail logs from Amazon S3 Retrieve the rows for the exposed access key tor the past 11 days.

Use the Access Advisor tab in the IAM console to view all of the access key activity for the past 11 days.

Option A

Option B

Option C

Option D

Create an Amazon S3 bucket. Configure the bucket to use S3 Object Lock in compliance mode. Upload the data to the bucket. Create a resource-based bucket policy that meets all the regulatory requirements.

Create an Amazon S3 bucket. Configure the bucket to use S3 Object Lock in governance mode. Upload the data to the bucket. Create a user-based IAM policy that meets all the regulatory requirements.

Create a vault in Amazon S3 Glacier. Create a Vault Lock policy in S3 Glacier that meets all the regulatory requirements. Upload the data to the vault.

Create an Amazon S3 bucket. Upload the data to the bucket. Use a lifecycle rule to transition the data to a vault in S3 Glacier. Create a Vault Lock policy that meets all the regulatory requirements.

Have a Database Administrator encrypt the credentials and store the ciphertext in Amazon S3. Grant permission to the instance role associated with the EC2 instance to read the object and decrypt the ciphertext.

Configure a scheduled job that updates the credential in AWS Systems Manager Parameter Store and notifies the Engineer that the application needs to be restarted.

Configure automatic rotation of credentials in AWS Secrets Manager.

Store the credential in an encrypted string parameter in AWS Systems Manager Parameter Store. Grant permission to the instance role associated with the EC2 instance to access the parameter and the AWS KMS key that is used to encrypt it.

Configure the Java application to catch a connection failure and make a call to AWS Secrets Manager to retrieve updated credentials when the password is rotated. Grant permission to the instance role associated with the EC2 instance to access Secrets Manager.

Update the key policies in eu-west-1. Point the application in eu-north-1 to use the same CMK as the application in eu-west-1.

Allocate a new CMK to eu-north-1 to be used by the application that is deployed in that Region.

Allocate a new CMK to eu-north-1. Create the same alias name for both keys. Configure the application deployment to use the key alias.

Allocate a new CMK to eu-north-1. Create an alias for eu-'-1. Change the application code to point to the alias for eu-'-1.

Configure the Amazon inspector agent to use the CVE rule package

Configure the Amazon Inspector agent to use the CVE rule package Configure Security Hub to ingest from IAM inspector by writing a custom resource policy

Configure the Security Hub agent to use the CVE rule package Configure IAM Inspector lo ingest from Security Hub by writing a custom resource policy

Configure the Amazon Inspector agent to use the CVE rule package Install an additional Integration library Allow the Amazon Inspector agent to communicate with Security Hub

Use IAM Systems Manager Parameter Store to store the database credentiais. Configureautomatic rotation of the credentials.

Use IAM Secrets Manager to store the database credentials. Configure automat* rotation of the credentials

Store the database credentials in an Amazon S3 bucket that is configured with server-side encryption with S3 managed encryption keys (SSE-S3) Rotate the credentials with IAM database authentication.

Store the database credentials m Amazon S3 Glacier, and use S3 Glacier Vault Lock Configure an IAM Lambda function to rotate the credentials on a scheduled basts

Create a verified identity for the third-party ticketing email system in Amazon Simple Email Service (Amazon SES). Create an Amazon EventBridge rule that includes an event pattern that matches High severity GuardDuty findings. Specify the SES identity as the target for the EventBridge rule.

Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the third-party ticketing email system to the SNS topic. Create an Amazon EventBridge rule that includes an event pattern that matches High severity GuardDuty findings. Specify the SNS topic as the target for the EventBridge rule.

Use the GuardDuty CreateFilter API operation to build a filter in GuardDuty to monitor for High severity findings. Export the results of the filter to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the third-party ticketing email system to the SNS topic.

Use the GuardDuty CreateFilter API operation to build a filter in GuardDuty to monitor for High severity findings. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the third-party ticketing email system to the SNS topic. Create an Amazon EventBridge rule that includes an event pattern that matches GuardDuty findings that are selected by the filter. Specify the SNS topic as the target for the EventBridge rule.

Set the value of the aws SourceOrgID condition key to be the organization ID

Set the value of the aws SourceOrgPaths condition key to be the Organizations entity path of the production OU

Set the value of the aws ResourceOrgID condition key to be the organization ID

Set the value of the aws ResourceOrgPaths condition key to be the Organizations entity path of the production OU

Create the customer managed policy in every account where the permission set is assigned. Give the customer managed policy the same name and same permissions in each account.

Remove either the AWS managed policy or the customer managed policy from the permission set. Create a second permission set that includes the removed policy. Apply the permission sets separately to the user.

Evaluate the logic of the AWS managed policy and the customer managed policy. Resolve any policy conflicts in the permission set before deployment.

Do not add the new permission set to the user. Instead, edit the user's existing permission set to include the AWS managed policy and the customer managed policy.

Configure a finding aggregation Region for Security Hub. Link the other Regions to the aggregation Region.

Create an AWS Lambda function that routes events from other Regions to the dedicated Security Hub account. Create an Amazon EventBridge rule to invokethe Lambda function.

Turn on the option to automatically enable accounts for Security Hub.

Create an SCP that denies the securityhub DisableSecurityHub permission. Attach the SCP to the organization’s root account.

Configure services in other Regions to write events to an AWS CloudTrail organization trail. Configure Security Hub to read events from the trail.

Stop the instance. Detach the root volume. Generate a new key pair.

Keep the instance running. Detach the root volume. Generate a new key pair.

When the volume is detached from the original instance, attach the volume to another instance as a data volume. Modify the authorized_keys file with a new public key. Move the volume back to the original instance. Start the instance.

When the volume is detached from the original instance, attach the volume to another instance as a data volume. Modify the authorized_keys file with a new private key. Move the volume back to the original instance. Start the instance.

When the volume is detached from the original instance, attach the volume to another instance as a data volume. Modify the authorized_keys file with a new public key. Move the volume back to the original instance that is running.

Place the network interface in promiscuous mode to capture the traffic.

Configure VPC Flow Logs to send traffic to the monitoring EC2 instance using a Network Load Balancer.

Configure VPC traffic mirroring to send traffic to the monitoring EC2 instance using a Network Load Balancer.

Use Amazon Inspector to detect network-level attacks and trigger an IAM Lambda function to send the suspicious packets to the EC2 instance.

Install an Amazon EKS add-on from a security vendor.

Enable AWS Security Hub Monitor the Kubernetes findings

Monitor Amazon CloudWatch Container Insights metrics for Amazon EKS.

Enable Amazon GuardDuty Use EKS Audit Log Monitoring.

Configure S3 Versioning to expire object versions that have been in the S3 bucket for 72 hours.

Configure an S3 Lifecycle configuration rule on the S3 bucket to expire objects that have been in the S3 bucket for 72 hours.

Use the S3 Intelligent-Tiering storage class for all objects in the S3 bucket. Configure S3 Intelligent-Tiering to expire objects that have been in the S3 bucket for 72 hours.

Generate S3 presigned URLs for the vendor to use to download the objects. Expire the URLs after 72 hours.

In the local AWS CLI configuration file

As environment variables on the local workstation

As variables in the AWS CLI command line options

In the AWS shared configuration file

Allow Account-1 to access the KMS key in Account-2 using a key policy

Attach an IAM policy to the service-linked role in Account-1 that allows these actions CreateGrant. DescnbeKey, Encrypt, GenerateDataKey, Decrypt, and ReEncrypt

Create a KMS grant for the service-linked role with these actions CreateGrant, DescnbeKey Encrypt GenerateDataKey Decrypt, and ReEncrypt

Attach an IAM policy to the role attached to the EC2 instances with KMS actions and then allow Account-1 in the KMS key policy.

Attach an IAM policy to the user who is launching EC2 instances and allow the user to access the KMS key policy of Account-2.

Specify Amazon Redshift as the destination for the access logs. Deploy the Amazon Athena Redshift connector. Use Athena to query the data from Amazon Redshift and to filter the logs by host.

Specify Amazon CloudWatch as the destination for the access logs. Use Amazon CloudWatch Logs Insights to design a query to filter the logs by host.

Specify Amazon CloudWatch as the destination for the access logs. Export the CloudWatch logs to an Amazon S3 bucket. Use Amazon Athena to query the logs and to filter the logs by host.

Specify Amazon CloudWatch as the destination for the access logs. Use Amazon Redshift Spectrum to query the logs and to filter the logs by host.

Require the developers to configure all function URLs to support cross-origin resource sharing (CORS) when the functions are called from a different domain.

Use an AWS WAF delegated administrator account to view and block unauthenticated access to function URLs in production accounts, based on the OU of accounts that are using the functions.

Use SCPs to allow all lambda:CreateFunctionUrlConfig and lambda:UpdateFunctionUrlConfig actions that have a lambda:FunctionUrlAuthType condition key value of AWS_IAM.

Use SCPs to deny all lambda:CreateFunctionUrlConfig and lambda:UpdateFunctionUrlConfig actions that have a lambda:FunctionUrlAuthType condition key value of NONE.

Verify that a NAT gateway has been provisioned in the public subnet in each Availability Zone.

Verify that a NAT gateway has been provisioned in the private subnet in each Availability Zone.

Modify the route tables that are associated with each of the public subnets. Create a new route for local destinations to the VPC CIDR range.

Modify the route tables that are associated with each of the private subnets Create a new route for the destination 0.0.0.070. Specify the NAT gateway in the public subnet of the same Availability Zone as the target of the route.

Modify the route tables that are associated with each of the private subnets. Create a new route for the destination 0.0.0.0/0. Specify the internet gateway in the public subnet of the same Availability Zone as the target of the route.

The log flies fail integrity validation and automatically are marked as unavailable.

The KMS key policy does not grant the security engineer's 1AM user or rote permissions to decrypt with it.

The bucket is set up to use server-side encryption with Amazon S3-managed keys (SSE-S3) as the default and does not allow SSE-KMS-encrypted files.

An 1AM policy applicable to the security engineer's 1AM user or role denies access to the "CloudTraiir prefix in the Amazon S3 bucket.

Add users to groups that represent the teams. Create a policy for each team that allows the team to access its respective S3 buckets only. Attach the policy to the corresponding group.

Create an IAM role for each team. Create a policy for each team that allows the team to access its respective S3 buckets only. Attach the policy to the corresponding role.

Create IAM roles that are labeled with an access tag value of a team. Create one policy that allows dynamic access to S3 buckets with the same tag. Attach the policy to the IAM roles. Tag the S3 buckets accordingly.

Implement a role-based access control (RBAC) authorization model. Create the corresponding policies, and attach them to the IAM users.

Modify the IAM WAF web ACL with an IP set match rule statement to deny incoming requests from the IP address range.

Add a rule to all security groups to deny the incoming requests from the IP address range.

Modify the IAM WAF web ACL with a rate-based rule statement to deny the incoming requests from the IP address range.

Configure the IAM WAF web ACL with regex match conditions. Specify a pattern set to deny the incoming requests based on the match condition