SCS-C02 AWS Certified Security - Specialty Questions and Answers

Ensure that the operations team configures default bucket encryption on the S3 bucket to use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Ensure that the security team creates an IAM policy that controls access to use the encryption keys.

Ensure that the operations team creates a bucket policy that requires requests to use server-side encryption with AWS KMS keys (SSE-KMS) that are customer managed. Ensure that the security team creates a key policy that controls access to the encryption keys.

Ensure that the operations team creates a bucket policy that requires requests to use server-side encryption with Amazon S3 managed keys (SSE-S3). Ensure that the security team creates an IAM policy that controls access to the encryption keys.

Ensure that the operations team creates a bucket policy that requires requests to use server-side encryption with customer-provided encryption keys (SSE-C). Ensure that the security team stores the customer-provided keys in AWS Key Management Service (AWS KMS). Ensure that the security team creates a key policy that controls access to the encryption keys.

The key administration event logging generated by CloudHSM is significantly moreextensive than IAM KMS.

CloudHSM ensures that only company support staff can administer encryption keys, whereas IAM KMS allows IAM staff to administer keys

The ciphertext produced by CloudHSM provides more robust protection against brute force decryption attacks than the ciphertext produced by IAM KMS

CloudHSM provides the ability to copy keys to a different Region, whereas IAM KMS does not

Use AD Connector to create users and groups for all employees that require access to IAM accounts. Assign AD Connector groups to IAM accounts and link to the IAM roles in accordance with the employees‘job functions and access requirements Instruct employees to access IAM accounts by using the IAM Directory Service user portal.

Use an IAM SSO default directory to create users and groups for all employees that require access to IAM accounts. Assign groups to IAM accounts and link to permission sets in accordance with the employees‘job functions and access requirements. Instruct employees to access IAM accounts by using the IAM SSO user portal.

Use an IAM SSO default directory to create users and groups for all employees that require access to IAM accounts. Link IAM SSO groups to the IAM users present in all accounts to inherit existing permissions. Instruct employees to access IAM accounts by using the IAM SSO user portal.

Use IAM Directory Service tor Microsoft Active Directory to create users and groups for all employees that require access to IAM accounts Enable IAM Management Console access in the created directory and specify IAM SSO as a source cl information tor integrated accounts and permission sets. Instruct employees to access IAM accounts by using the IAM Directory Service user portal.

Enable VPC flow logs for the VPC that hosts the EKS clusters.

Assign the CloudWatchEventsFullAccess AWS managed policy to the EKS clusters.

Ensure that the AmazonGuardDutyFullAccess AWS managed policy is attached to the GuardDuty service role.

Enable the control plane logs in Amazon EKS. Ensure that the logs are ingested into Amazon CloudWatch.

Create a dedicated AWS Key Management Service (AWS KMS) customer managed key for each retail store Use the S3 Put operation to upload the objects to Amazon S3 Specify server-side encryption with AWS KMS keys (SSE-KMS) and the key ID of the store's key

Create a new AWS Key Management Service (AWS KMS) customer managed key every day for each retail store Use the KMS Encrypt operation to encrypt objects Then upload the objects to Amazon S3

Run the AWS Key Management Service (AWS KMS) GenerateDataKey operation every day for each retail store Use the data key and client-side encryption to encrypt the objects Then upload the objects to Amazon S3

Use the AWS Key Management Service (AWS KMS) ImportKeyMaterial operation to import new key material to AWS KMS every day for each retail store Use a customer managed key and the KMS Encrypt operation to encrypt the objects Then upload the objects to Amazon S3

Configure the IAM policy in use by the IAM role to have access to the required cloudwatch: API actions thatwill publish logs.

Adjust the Amazon EC2 Auto Scaling service-linked role to have permissions to write to CloudWatch Logs.

Configure the IAM policy in use by the IAM role to have access to the required AWS logs: API actions that willpublish logs.

Add an interface VPC endpoint to provide a route to CloudWatch Logs.

Configure an S3 Lifecycle rule on the S3 bucket to delete objects after 45 days.

Create an AWS Lambda function to check the last-modified date of the S3 objects and delete objects that are older than 45 days. Create an S3 event notification to invoke the Lambda function for each PutObject operation.

Create an AWS Lambda function to check the last-modified date of the S3 objects and delete objects that are older than 45 days. Create an Amazon EventBridge rule to invoke the Lambda function each month.

Configure S3 Intelligent-Tiering on the S3 bucket to automatically transition objects to another storage class.

Replace the KSK with a zone-signing key (ZSK).

Deactivate and then activate the KSK.

Create a Delegation Signer (DS) record in the parent hosted zone.

Create a Delegation Signer (DS) record in the subdomain.

Create a new SCP in the marketing team's account. Configure the SCP to explicitly allow resource sharing.

Edit the existing SCP to add a Condition statement that excludes the marketing team's account.

Edit the existing SCP to include an Allow statement that specifies the marketing team's account.

Create an IAM permissions boundary policy to explicitly allow resource sharing. Attach the policy to IAM users in the marketing team's account.

Create a CloudWatch Logs account-wide data protection policy. Specify the appropriate data identifiers for the policy. Ensure that the developers do not have the logs:Unmask 1AM permission.

Export the CloudWatch Logs data to an Amazon S3 bucket. Set up automated discovery by using Amazon Macie on the S3 bucket. Create a custom data identifier for the sensitive data. Remove the developers' access to CloudWatch Logs. Grant permissions for the developers to view the exported log data in Amazon S3.

Export the CloudWatch Logs data to an Amazon S3 bucket. Set up automated discovery by using Amazon Macie on the S3 bucket. Specify the appropriate managed data identifiers. Remove the developers' access to CloudWatch Logs. Grant permissions for the developers to view the exported log data in Amazon S3.

Create a CloudWatch Logs data protection policy for each log group. Specify the appropriate data identifiers for the policy. Ensure that the developers do not have the logsiUnmask 1AM permission.

Add an outbound rule to the security group that is attached to the compromised EC2 instance to deny traffic to 0.0.0.0/0 and port 587.

Add an outbound rule to the network ACL for the subnet that contains the compromised EC2 instance to deny traffic to 0.0.0.0/0 and port 587.

Gather volatile memory from the compromised EC2 instance. Suspend the compromised EC2 instance from the Auto Scaling group. Then take a snapshot of the compromised EC2 instance. v

Take a snapshot of the compromised EC2 instance. Suspend the compromised EC2 instance from the Auto Scaling group. Then gather volatile memory from the compromised EC2 instance.

Move the compromised EC2 instance to an isolated subnet that has a network ACL that has no inbound rules or outbound rules.

Replace the existing security group that is attached to the compromised EC2 instance with a new security group that has no inbound rules or outbound rules.

Use AWS Systems Manager Patch Manager to view vulnerability identifiers for missing patches on the instances. Use Patch Manager also to automate the patching process.

Use AWS Shield Advanced to view vulnerability identifiers for missing patches on the instances. Use AWS Systems Manager Patch Manager to automate the patching process.

Use Amazon GuardDuty to view vulnerability identifiers for missing patches on the instances. Use Amazon Inspector to automate the patching process.

Use Amazon Inspector to view vulnerability identifiers for missing patches on the instances. Use Amazon Inspector also to automate the patching process.

Update the policy on the S3 gateway endpoint to allow the S3 actions CY11y if the values of the aws:ResourceOrglD and aws:PrincipalOrglD condition keys match the companys values.

Update the policy on the instance profile role to allow the S3 actions only if the value of the aws:ResourceOrglD condition key matches the company's value.

Add a network ACL rule to the subnet of the EC2 instances to block outgoing connections on port 443.

Apply an SCP on the AWS account to allow the $3 actions only if the values of the aws:ResourceOrglD and aws:PrincipalOrglD condition keys match the company's values.

Review the AWS CloudTrail logs in the account in the Production OU Search for any failed API calls from CloudFormation during the deployment attempt.

Remove all the SCPs that are attached to the Production OU Rerun the CloudFormation stack update to determine if the SCPs were preventing the CloudFormation API calls.

Confirm that the role used by CloudFormation has sufficient permissions to create update and delete the resources that are referenced in the CloudFormation template.

Make all the SCPs that are attached to the Production OU the same as the SCPs that are attached to the Testing OU.

Create new S3 buckets with S3 Object Lock enabled in compliance mode. Place objects in the S3 buckets.

Use S3 Glacier Vault Lock to attach a Vault Lock policy to new S3 buckets. Wait 24 hours to complete the Vault Lock process. Place objects in the S3 buckets.

Create new S3 buckets with S3 Object Lock enabled in governance mode. Place objects in the S3 buckets.

Create new S3 buckets with S3 Object Lock enabled in governance mode. Add a legal hold to the S3 buckets. Place objects in the S3 buckets.

The S3 bucket policy does not explicitly allow the Security Engineer access to the objects in the bucket.

The object ACLs are not being updated to allow the users within the centralized account to access the objects

The Security Engineers IAM policy does not grant permissions to read objects in the S3 bucket

The s3:PutObject and s3:PutObjectAcl permissions should be applied at the S3 bucket level

Create a set of 1AM roles and 1AM policies Configure the Cognito identity pool to assign users to the 1AM roles.

Create a policy store in Amazon Verified Permissions. Configure Cognito as the identity source Map Cognito access tokens to the Verified Permissions schema.

Create customer managed permissions by using AWS Resource Access Manager (AWS RAM) Configure the Cognito identity pool to assign users to the customer managed permissions

Create a set of 1AM users and 1AM policies. Configure the Cognito user pool to assign users to the 1AM users.

Allow port 22 from source 0.0.0.0/0.

Allow port 443 from source 0.0.0.0/0.

Allow port 22 from 192.168.100.0/24.

Allow port 22 from 10.0.1.0/24.

Allow port 443 from 10.0.1.0/24.

In each account, update the ECR registry to use Amazon Inspector instead of the default scanning service. Configure Amazon Inspector to forwardvulnerability findings to AWS Security Hub in a central security account. Provide access for the audit team to use Security Hub to review the findings.

In each account, configure AWS Config to monitor the configuration of the ECS containers and the ECR registry. Configure AWS Config conformance packs forvulnerability scanning. Create an AWS Config aggregator in a central account to collect configuration and compliance details from all accounts. Provide theaudit team with access to AWS Config in the account where the aggregator is configured.

In each account, configure AWS Audit Manager to scan the ECS containers and the ECR registry. Configure Audit Manager to forward vulnerability findings toAWS Security Hub in a central security account. Provide access for the audit team to use Security Hub to review the findings.

In each account, configure Amazon GuardDuty to scan the ECS containers and the ECR registry. Configure GuardDuty to forward vulnerability findings to AWS Security Hub in a central security account. Provide access for the audit team to use Security Hub to review the findings.

Provide new AMIs that have the required software pre-installed. Apply a tag to the AMIs to indicate that the AMIs have the required software. Configure an SCP that allows new EC2 instances to be launched only if the instances have the tagged AMIs. Tag all existing EC2 instances.

Configure a custom patch baseline in Systems Manager Patch Manager. Add the package name for the required software to the approved packages list. Associate the new patch baseline with all EC2 instances. Set up a maintenance window for software deployment.

Centrally enable AWS Config. Set up the ec2-managedinstance-applications-required AWS Config rule for all accounts Create an Amazon EventBridge rule that reacts to AWS Config events. Configure the EventBridge rule to invoke an AWS Lambda function that uses Systems Manager Run Command to install the required software.

Create a new Systems Manager Distributor package for the required software. Specify the download location. Select all EC2 instances in the different accounts. Install the software by using Systems Manager Run Command.

Download the data from the existing S3 bucket to a new EC2 instance. Then delete the data from the S3 bucket. Re-encrypt the data with a client-based key. Upload the data to a new S3 bucket.

Block access to the public range of S3 endpoint IP addresses by using a host-based firewall. Ensure that internet-bound traffic from the affected EC2 instance is routed through the host-based firewall.

Revoke the IAM role's active session permissions. Update the S3 bucket policy to deny access to the IAM role. Remove the IAM role from the EC2 instance profile.

Disable the current key. Create a new KMS key that the IAM role does not have access to, and re-encrypt all the data with the new key. Schedule the compromised key for deletion.

Analyze the logs by using Amazon OpenSearch Service. Search the logs from the OpenSearch API. Use OpenSearch Service Security Analytics to match logs with detection rules and to send alerts to the SNS topic.

Analyze the logs by using AWS Security Hub. Search the logs from the Findings page in Security Hub. Create custom actions to match logs with detection rules and to send alerts to the SNS topic.

Analyze the logs by using Amazon CloudWatch Logs. Use a subscription filter to match logs with detection rules and to send alerts to the SNS topic. Search the logs manually by using CloudWatch Logs Insights.

Analyze the logs by using Amazon QuickSight. Search the logs by listing the query results in a dashboard. Run queries to match logs with detection rules and to send alerts to the SNS topic.

Turn on IAM CloudTrail in each IAM account

Turn on CloudTrail in only the account that will be storing the logs

Update the bucket ACL of the bucket in the account that will be storing the logs so that other accounts can log to it

Create a service-based role for CloudTrail and associate it with CloudTrail in each account

Update the bucket policy of the bucket in the account that will be storing the logs so that other accounts can log to it

Import new key material into the key. Attach the EBS volume.

Restore the EBS volume from a snapshot that was taken before the deletion of the key material.

Reimport the same key material lhat originally was imported into the key. Attach the EBS volume.

Create a new key. Import new key material. Attach the EBS volume.

Provision a Direct Connect connection to an IAM region using a Direct Connect partner.

Create a VPN tunnel for private connectivity, which increases network consistency and reduces latency.

Create an iPSec tunnel for private connectivity, which increases network consistency and reduces latency.

Create a VPC peering connection between IAM and the Customer gateway.

Create an IAM Config rule to detect the creation of unencrypted RDS databases. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to trigger on the IAM Config rules compliance state change and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.

Use IAM System Manager State Manager to detect RDS database encryption configuration drift. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to track state changes and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.

Create a read replica for the existing unencrypted RDS database and enable replica encryption in the process. Once the replica becomes active, promote it into a standalone database instance and terminate the unencrypted database instance.

Take a snapshot of the unencrypted RDS database. Copy the snapshot and enable snapshot encryption in the process. Restore the database instance from the newly created encrypted snapshot. Terminate the unencrypted database instance.

Enable encryption for the identified unencrypted RDS instance by changing the configurations of the existing database

Option A

Option B

Option C

Option D

Use Amazon inspector to determine which systems do not have the latest patches applied, and after 30 days, redeploy those instances with the latest AMI version

Configure Amazon EC2 Systems Manager to report on instance patch compliance and enforce updates during the defined maintenance windows

Examine IAM CloudTrail togs to determine whether any instances have not restarted in the last 30 days, and redeploy those instances

Update the AMls with the latest approved patches and redeploy each instance during the defined maintenance window

Configure AWS Backup to perform cross-Region S3 backups. Select a backup vault in the secondary Region. Enable AWS Backup Vault Lock in governance mode for the backups in the secondary Region

Implement S3 Object Lock in compliance mode in the primary Region. Configure S3 replication to replicate the objects to an S3 bucket in the secondary Region.

Configure S3 replication to replicate the objects to an S3 bucket in the secondary Region. Create an S3 bucket policy to deny the s3:ReplicateDelete action on the S3 bucket in the secondary Region

Configure S3 replication to replicate the objects to an S3 bucket in the secondary Region. Configure S3 object versioning on the S3 bucket in the secondary Region.

The ACL in the bucket needs to be updated

The IAM policy does not allow the user to access the bucket

It takes a few minutes for a bucket policy to take effect

The allow permission is being overridden by the deny

Review the cross-account role permissions and the S3 bucket policy Verify that the Amazon S3 block public access option in the member account is deactivated.

Review the role permissions m the master account and ensure it has sufficient privileges to perform S3 operations

Filter IAM CloudTrail logs for the master account to find the original deny event and update the cross-account role m the member account accordingly Verify that the Amazon S3 block public access option in the master account is deactivated.

Evaluate the SCPs covering the member account and the permissions boundary of the role in the member account for missing permissions and explicit denies.

Ensure the S3 bucket policy explicitly allows the s3 PutBucketPublicAccess action for the role m the member account

B. A computer code with black text Description automatically generated

A computer code with black text Description automatically generated

A computer code with text Description automatically generated

Create an HTTPS listener that uses a certificate that is managed by IAM Certificate Manager (ACM).

Create an HTTPS listener that uses a security policy that uses a cipher suite with perfect toward secrecy (PFS).

Create an HTTPS listener that uses the Server Order Preference security feature.

Create a TCP listener that uses a custom security policy that allows only cipher suites with perfect forward secrecy (PFS).

Turn on VPC Flow Logs for all VPCs in the account.

Activate Amazon GuardDuty across all AWS Regions.

Activate Amazon Detective across all AWS Regions.

Create an Amazon Simple Notification Service (Amazon SNS) topic. Create an Amazon EventBridge rule that responds to findings and publishes the find-ings to the SNS topic.

Create an AWS Lambda function. Create an Amazon EventBridge rule that in-vokes the Lambda function to publish findings to Amazon Simple Email Ser-vice (Amazon SES).

Create an AWS WAF web ACL. Add the AWSManagedRulesACFPRuleSet rule group to the web ACL. Associate the web ACL with the CloudFront distribution.

Create an AWS WAF web ACL. Add a rate limit rule to the web ACL. Include a RateBasedStatement entry that has a SearchString value that points to /store/registration

Specify /store/registration as the registration page path Specify /store/newaccount as the account creation path

Enable AWS Shield Advanced for the account that hosts the CloudFront distribution Configure a DNS-specific custom mitigation that uses the Shield Response Team (SRT) for /store/newaccount.

Enable Amazon GuardOuty for the account that hosts the CloudFront distribution. Enable Lambda Protection for the Lambda functions that answer calls to /store/registration and /store/newaccount.

Place the RDS instance in a public subnet and an IAM Lambda function outside the VPC. Schedule the Lambda function to run every 3 months to rotate the secrets.

Place the RDS instance in a private subnet and an IAM Lambda function inside the VPC in the private subnet. Configure the private subnet to use a NAT gateway. Schedule the Lambda function to run every 3 months to rotate the secrets.

Place the RDS instance in a private subnet and an IAM Lambda function outside the VPC. Configure the private subnet to use an internet gateway. Schedule the Lambda function to run every 3 months lo rotate the secrets.

Place the RDS instance in a private subnet and an IAM Lambda function inside the VPC in the private subnet. Schedule the Lambda function to run quarterly to rotate the secrets.

Place the RDS instance in a private subnet and an IAM Lambda function inside the VPC in the private subnet. Configure a Secrets Manager interface endpoint. Schedule the Lambda function to run every 3 months to rotate the secrets.

Filter the event history on the exposed access key in the CloudTrail console Examine the data from the past 11 days.

Use the IAM CLI lo generate an IAM credential report Extract all the data from the past 11 days.

Use Amazon Athena to query the CloudTrail logs from Amazon S3 Retrieve the rows for the exposed access key tor the past 11 days.

Use the Access Advisor tab in the IAM console to view all of the access key activity for the past 11 days.

Deploy an AWS Config aggregator with organization-wide resource data aggregation. Create an AWS Lambda function that responds to AWS Config findings of noncompliant S3 buckets by deleting or reconfiguring the S3 buckets.

Deploy an AWS Config aggregator with organization-wide resource data aggregation. Create an SCP that contains a Deny statement that prevents the creation of new noncompliant S3 buckets. Apply the SCP to all OUs in the organization.

Deploy an AWS Config aggregator that scopes only the accounts and Regions that the company currently uses. Create an AWS Lambda function that responds to AWS Config findings of noncompliant S3 buckets by deleting or reconfiguring the S3 buckets.

Deploy an AWS Config aggregator that scopes only the accounts and Regions that the company currently uses. Create an SCP that contains a Deny statement that prevents the creation of new noncompliant S3 buckets. Apply the SCP to all OUs in the organization.

Create a public Application Load Balancer. Create two listeners one listener on port 80 and one listener on port 443. Create one target group. Create a rule to forward traffic from port 80 to the listener on port 443 Provision a public TLS certificate in AWS Certificate Manager (ACM). Attach the certificate to the listener on port 443.

Create a public Application Load Balancer. Create two listeners one listener on port 80 and one listener on port 443. Create one target group. Create a rule to forward traffic from port 80 to the listener on port 443 Provision a public TLS certificate in AWS Certificate Manager (ACM). Attach the certificate to the listener on port 80.

Create a public Network Load Balancer. Create two listeners one listener on port 80 and one listener on port 443. Create one target group. Create a rule to forward traffic from port 80 to the listener on port 443. Set the protocol for the listener on port 443 to TLS.

Create a public Network Load Balancer. Create a listener on port 443. Create one target group. Create a rule to forward traffic from port 443 to the target group. Set the protocol for the listener on port 443 to TLS.

Amazon Route 53

IAM Certificate Manager (ACM)

Amazon S3

IAM Shield

Elastic Load Balancer

Amazon GuardDuty

A. Configure and assign an MFA device to the role used by the instances.

B. Verify that the SQS resource policy does not explicitly deny access to the role used by the instances.

C. Verify that the access key attached to the role used by the instances is active.

D. Attach the AmazonSQSFullAccest. managed policy to the role used by the instances.

E Verify that the role attached to the instances contains policies that allow access to the queue

Create an Application Load Balancer with the existing EC2 instances as a target group. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the ALB. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to the ALB. Update security groups on the EC2 instances to prevent direct access from the internet.

Create an Amazon CloudFront distribution specifying one EC2 instance as an origin. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the distribution. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to CloudFront.

Obtain the latest source code for the platform and make the necessary updates. Test the updated code to ensure that the vulnerability has been mitigated, then deploy the patched version of the platform to the EC2 instances.

Update the security group that is attached to the EC2 instances, removing access from the internet to the TCP port used by the SQL database. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the EC2 instances. Test to ensure the vulnerability has been mitigated, then restore the security group to the original setting.

Create an 1AM policy that explicitly denies permission to the key Attach the policy to all EC2 instance profiles Create an 1AM policy that explicitly allows permission to the key Attach the policy to all Lambda function roles.

Create a custom key policy for the key. Use the kms: ViaService condition key to deny access to requests from Amazon EC2 and to allow access to requests from Lambda. Use the Lambda 1AM role as the principal.

Create a custom key policy tor the key Use the aws Sourcelp condition key to deny access to requests from Amazon EC2 Use the aws: Authorized Service condition key to allow access to requests from Lambda Use the Lambda 1AM role as the principal.

Create an SCP that explicitly denies permission to the key for Amazon EC2 and explicitly allows permission to the key for Lambda Attach the SCP to the AWS account.

Create an Amazon EventBridge rule that invokes an AWS Lambda function hourly. Program the Lambda function to download an AWS usage report from AWS Data Exports about usage of all services. Program the Lambda function to analyze the report and to send a notification when anomalies are detected.

Create a cost monitor in AWS Cost Anomaly Detection. Configure an individual alert to notify an Amazon Simple Notification Service (Amazon SNS) topic when the percentage above the expected cost exceeds a threshold.

Review AWS Cost Explorer daily to detect anomalies in cost from prior months Review the usage of any services that experience a significant cost increase from prior months.

Capture VPC flow logs from the VPC where the EC2 instances run. Use a third-party network analysis tool to analyze the flow logs and to detect anomalies in network traffic that might increase cost.

Edit the rules in the web ACL to include rules with Count actions. Review the logs to determine which rule is blocking the request. Modify the IAM policy of all AWS WAF administrators so that they cannot remove the log-ging configuration for any AWS WAF web ACLs.

Edit the rules in the web ACL to include rules with Count actions. Review the logs to determine which rule is blocking the request. Modify the AWS WAF resource policy so that AWS WAF administrators cannot remove the log-ging configuration for any AWS WAF web ACLs.

Edit the rules in the web ACL to include rules with Count and Challenge actions. Review the logs to determine which rule is blocking the request. Modify the AWS WAF resource policy so that AWS WAF administrators cannot remove the logging configuration for any AWS WAF web ACLs.

Edit the rules in the web ACL to include rules with Count and Challenge actions. Review the logs to determine which rule is blocking the request. Modify the IAM policy of all AWS WAF administrators so that they cannot remove the logging configuration for any AWS WAF web ACLs.

Configure cluster security groups for each application module to control access to database users that are required for read-only and read/write.

Configure a VPC endpoint for Amazon Redshift Configure an endpoint policy that maps database users to each application module, and allow access to the tables that are required for read-only and read/write

Configure an IAM poky for each module Specify the ARN of an Amazon Redshift database user that allows the GetClusterCredentials API call

Create focal database users for each module

Configure an IAM policy for each module Specify the ARN of an IAM user that allows the GetClusterCredentials API call

The logs:GetLogEvents permission is not granted in the role.

The security engineer does not have permission to assume the role.

The principal vpc-flow-logs.amazonaws.com does not have permission to assume the role.

The role does not have permission to tag a CloudWatch Logs stream.

Configure CloudTrail as the target of the EventBndge rule Set up an attribute filter on the IncommgBytes attribute and enable anomaly detection Create an Amazon Simple Notification Service (Amazon SNS) topic Configure a CloudTrail alarm that uses the SNS topic to send the notification.

Configure CloudTrail as the target of the EventBndge rule Set up an attribute filter on the IncommgBytes attribute and enable anomaly detection Create an Amazon Simple Queue Service (Amazon SQS) queue Configure a CloudTrail alarm that uses the SQS queue to send the notification.

Configure Amazon CloudWatch Logs as the target of the EventBndge rule Set up a metnc filter on the IncommgBytes metric and enable anomaly detection Create an AmazonSimple Notification Service (Amazon SNS) topic Configure a CloudWatch alarm that uses the SNS topic to send the notification.

Configure Amazon CloudWatch Logs as the target of the EventBndge rule Use CloudWatch Logs Insights query syntax to search for anomalous GetSecretValue API calls Create an Amazon Simple Queue Service (Amazon SQS) queue Configure a CloudWatch alarm that uses the SQS queue to send the notification.

Use IAM Systems Manager Parameter Store to store the database credentiais. Configureautomatic rotation of the credentials.

Use IAM Secrets Manager to store the database credentials. Configure automat* rotation of the credentials

Store the database credentials in an Amazon S3 bucket that is configured with server-side encryption with S3 managed encryption keys (SSE-S3) Rotate the credentials with IAM database authentication.

Store the database credentials m Amazon S3 Glacier, and use S3 Glacier Vault Lock Configure an IAM Lambda function to rotate the credentials on a scheduled basts

Use inbound rule 100 to allow traffic on TCP port 443. Use inbound rule 200 to deny traffic on TCP port 3306. Use outbound rule 100 to allow traffic on TCP port 443.

Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port range 1024-65535. Use outbound rule 100 to allow traffic on TCP port 443.

Use inbound rule 100 to allow traffic on TCP port range 1024-65535. Use inbound rule 200 to deny traffic on TCP port 3306. Use outbound rule 100 to allow traffic on TCP port 443.

Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port 443. Use outbound rule 100 to allow traffic on TCP port 443.

Configure the private ECR registry to use enhanced scanning with the scan on push option. Create an Amazon EventBridge rule that invokes an AWS Lambda function when a critical vulnerability is found. Program the Lambda function to block the image push.

Configure Amazon Inspector. Invoke the Amazon Inspector Scan API operation from the CI/CD pipeline. Create an Amazon EventBridge rule that invokes an AWS Lambda function when a critical vulnerability is found. Program the Lambda function to return a failed result to Amazon Inspector.

Create an Amazon Inspector custom CI/CD integration. Install and configure the Amazon Inspector Software Bill of Materials (SBOM) Generator (Sbomgen) binary. Generate an SBOM. Invoke the Amazon Inspector Scan API operation. In case of critical vulnerabilities, fail the CI/CD pipeline.

Enable ECR image scanning on the ECR repository. Configure the continuous scanning option. Set the scanning configuration setting for the private registry to basic scanning. In case of critical vulnerabilities, fail the CI/CD pipeline.

Create an IAM group for each application team. Associate policies with each IAM group. Provision IAM users for each application team member. Add the new IAM users to the appropriate IAM group by using role-based access control (RBAC).

Delegate application team leads to provision IAM rotes for each team. Conduct a quarterly review of the IAM rotes the team leads have provisioned. Ensure that the application team leads have the appropriate training to review IAM roles.

Put each AWS account in its own OU. Add an SCP to each OU to grant access to only the AWS services that the teams plan to use. Include conditions tn the AWS account of each team.

Create an SCP and a permissions boundary for IAM roles. Add the SCP to the root OU so that only roles that have the permissions boundary attached can create any new IAM roles.

Set up VPC peering between the central server VPC and each of the teams VPCs.

Set up IAM DirectConnect between the central server VPC and each of the teams VPCs.

Set up an IPSec Tunnel between the central server VPC and each of the teams VPCs.

None of the above options will work.

The target instance's security group does not allow traffic from the NLB.

The target instance's security group is not attached to the NLB.

The NLB's security group is not attached to the target instance.

The target instance's subnet network ACL does not allow traffic from the NLB.

The target instance's security group is not using IP addresses to allow traffic from the NLB.

The target network ACL is not attached to the NLB.

In the security account configure an IAM role for the new Lambda function. Attach an IAM policy that allows access to the KMS key in the security account.

In the development account configure an IAM role for the new Lambda function. Attach a key policy that allows access to the KMS key in the security account.

In the development account configure an IAM role for the new Lambda function. Attach an IAM policy that allows access to the KMS key in the security account.

Configure a key policy for the KMS key m the security account to allow access to the IAM role of the new Lambda function in the security account.

Configure a key policy for the KMS key in the security account to allow access to the IAM role of the new Lambda function in the development account.

Default AWS Certificate Manager certificate

Custom SSL certificate stored in AWS KMS

Default CloudFront certificate

Custom SSL certificate stored in AWS Certificate Manager

Default SSL certificate stored in AWS Secrets Manager

Custom SSL certificate stored in AWS IAM

Move the logs:CreateLogGroup action to the second Allow statement.

Add the logs:PutDestination action to the second Allow statement.

Add the logs:GetLogEvents action to the second Allow statement.

Add the logs:CreateLogStream action to the second Allow statement.

Install the Amazon Inspector agent on EC2 instances by using AWS Systems Manager Automation.

Enable Amazon GuardDuty in all AWS accounts.

Create VPC endpoints for Amazon EC2 and Amazon S3. Update VPC route tables to use only the secure VPC endpoints.

Configure AWS Certificate Manager (ACM). Configure the load balancers to use certificates from ACM.

Use AWS Key Management Service (AWS KMS) for key management. Create an S3 bucket policy to deny any PutObject command with a condition for x-amz-meta-side-encryption.

Use AWS Key Management Service (AWS KMS) for key management. Create an S3 bucket policy to deny any PutObject command with a condition for x-amz-server-side-encryption.

Enable Amazon GuardDuty to automatically monitor for malicious activity and block unauthorized access.

Subscribe to AWS Shield Advanced and reach out to AWS Support in the event of an attack.

Use VPC Flow Logs to monitor network traffic and an AWS Lambda function to automatically block an attacker's IP using security groups.

Set up an Amazon EventBridge rule to monitor the AWS CloudTrail events in real time, use AWS Config rules to audit the configuration, and use AWS Systems Manager for remediation.

Use AWS WAF to create rules to respond to such attacks.

Activate Amazon GuardDuty in each production account. In a dedicated logging account. aggregate all GuardDuty logs from each production account.Remediate incidents by configuring GuardDuty to directly invoke an AWS Lambda function. Configure the Lambda function to also publish notifications to the SNS topic.

Activate AWS security Hub in each production account. In a dedicated logging account. aggregate all security Hub findings from each production account. Remediate incidents by ustng AWS Config and AWS Systems Manager. Configure Systems Manager to also pub11Sh notifications to the SNS topic.

Activate Amazon GuardDuty in each production account. In a dedicated logging account. aggregate all GuardDuty logs from each production account Remediate incidents by using Amazon EventBridge to invoke a custom AWS Lambda function from the GuardDuty findings. Configure the Lambda function to also publish notifications to the SNS topic.

Activate AWS Security Hub in each production account. In a dedicated logging account. aggregate all Security Hub findings from each production account. Remediate incidents by using Amazon EventBridge to invoke a custom AWS Lambda function from the Security Hub findings. Configure the Lambda function to also publish notifications to the SNS topic.

Use Macie to detect an active DDoS event. Create Amazon CloudWatch alarms that respond to Macie findings.

Use Amazon Inspector to review resources and to invoke Amazon CloudWatch alarms for any resources that are vulnerable to DDoS attacks.

Create an Amazon CloudWatch alarm that monitors Firewall Manager metrics for an active DDoS event.

Create an Amazon CloudWatch alarm that monitors Shield Advanced metrics for an active DDoS event.

Add full Amazon Inspector IAM permissions to the Security Hub service role to allow it to perform the CIS compliance evaluation

Ensure that IAM Trusted Advisor Is enabled in the account and that the Security Hub service role has permissions to retrieve the Trusted Advisor security-related recommended actions

Ensure that IAM Config. is enabled in the account, and that the required IAM Config rules have been created for the CIS compliance evaluation

Ensure that the correct trail in IAM CloudTrail has been configured for monitoring by Security Hub and that the Security Hub service role has permissions to perform the GetObject operation on CloudTrails Amazon S3 bucket

Specify the deletion time of the key material during KMS key creation. Create a custom AWS Config rule to assess the key's scheduleddeletion. Configure the rule to trigger upon a configuration change. Send a message to an Amazon Simple Notification Service (Amazon SNS) topic if the key is scheduled for deletion.

Create an Amazon EventBridge rule to detect KMS API calls of DeleteAlias. Create an AWS Lambda function to send an Amazon Simple Notification Service (Amazon SNS) message to the company. Add the Lambda function as the target of the EventBridge rule.

Create an Amazon EventBridge rule to detect KMS API calls of DisableKey and ScheduleKeyDeletion. Create an AWS Lambda function to send an Amazon Simple Notification Service (Amazon SNS) message to the company. Add the Lambda function as the target of the EventBridge rule.

Create an Amazon Simple Notification Service (Amazon SNS) policy to detect KMS API calls of RevokeGrant and ScheduleKeyDeletion.Create an AWS Lambda function to generate the alarm and send the notification to the company. Add the Lambda function as the target of the SNS policy.

Create a key policy that allows the kms:Decrypt action only for Amazon S3 and DynamoDB. Create an SCP that denies the creation of S3 buckets and DynamoDB tables that are not encrypted with the key.

Create an 1AM policy that denies the kms:Decrypt action for the key. Create a Lambda function than runs on a schedule to attach the policy to any new roles. Create an AWS Config rule to send alerts for resources that are not encrypted with the key.

Create a key policy that allows the kms:Decrypt action only for Amazon S3, DynamoDB, Lambda, and Amazon EKS. Create an SCP that denies the creation of S3 buckets and DynamoDB tables that are not encrypted with the key.

Create a key policy that allows the kms:Decrypt action only for Amazon S3, DynamoDB, Lambda, and Amazon EKS. Create an AWS Config rule to send alerts for resources that are not encrypted with the key.

Create a verified identity for the third-party ticketing email system in Amazon Simple Email Service (Amazon SES). Create an Amazon EventBridge rule that includes an event pattern that matches High severity GuardDuty findings. Specify the SES identity as the target for the EventBridge rule.

Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the third-party ticketing email system to the SNS topic. Create an Amazon EventBridge rule that includes an event pattern that matches High severity GuardDuty findings. Specify the SNS topic as the target for the EventBridge rule.

Use the GuardDuty CreateFilter API operation to build a filter in GuardDuty to monitor for High severity findings. Export the results of the filter to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the third-party ticketing email system to the SNS topic.

Use the GuardDuty CreateFilter API operation to build a filter in GuardDuty to monitor for High severity findings. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the third-party ticketing email system to the SNS topic. Create an Amazon EventBridge rule that includes an event pattern that matches GuardDuty findings that are selected by the filter. Specify the SNS topic as the target for the EventBridge rule.

Create a new security group that has no inbound rules or outbound rules Attach the new security group to the EC2 instance.

Configure the existing security group for the EC2 instance Remove all existing inbound rules and outbound rules from the security group.

Create a new network ACL that has a single Deny rule for inbound traffic and outbound traffic Associate the new network ACL with the subnet that contains the EC2 instance.

Create a new VPC for isolation Stop the EC2 instance Create a new AMI from the EC2 instance Use the new AMI to launch a new EC2 instance in the new VPC.

Turn on AWS Trusted Advisor. Configure security notifications as webhooks in the preferences section of the CI/CD pipeline.

Turn on AWS Config. Use the prebuilt rules or customized rules. Subscribe the CI/CD pipeline to an Amazon Simple Notification Service (Amazon SNS) topic that receives notifications from AWS Config.

Create rule sets in AWS CloudFormation Guard. Run validation checks for CloudFormation templates as a phase of the CI/CD process.

Create rule sets as SCPs. Integrate the SCPs as a part of validation control in a phase of the CI/CD process.

Configure S3 Versioning to expire object versions that have been in the S3 bucket for 72 hours.

Configure an S3 Lifecycle configuration rule on the S3 bucket to expire objects that have been in the S3 bucket for 72 hours.

Use the S3 Intelligent-Tiering storage class for all objects in the S3 bucket. Configure S3 Intelligent-Tiering to expire objects that have been in the S3 bucket for 72 hours.

Generate S3 presigned URLs for the vendor to use to download the objects. Expire the URLs after 72 hours.

Review the SAML IdP logs to identify errors. Check AWS CloudTrail to verify the API calls that the user made.

Review the SAML IdP logs to identify errors. Use the IAM policy simulator to validate access to the IAM roles.

Use IAM access advisor to review recent service access. Use the IAM policy simulator to validate access to the IAM roles.

Recreate the SAML IdP in a separate account to confirm the behavior that the user is experiencing.

Use a designated administration account to automatically set up member accounts.

Create the AWS Service Role ForSecurrty Hub service-linked rote for Security Hub.

Send an administration request from the member accounts.

Enable Security Hub for all member accounts.

Send invitations to accounts that are outside the company's organization from the Security Hub administrator account.

Add an inbound rule to the security group to allow traffic from 0.0.0.0/0 for all ports. Add an outbound rule to the security group to allow traffic to 0.0.0.0/0 for all ports. Then immediately delete these rules.

Remove the port 22 security group rule. Attach an instance role policy that allows AWS Systems Manager Session Manager connections so that the forensics team can access the target instance.

Create a network ACL that is associated with the target instance's subnet. Add a rule at the top of the inbound rule set to deny all traffic from 0.0.0.0/0. Add a rule at the top of the outbound rule set to deny all traffic to 0.0.0.0/0.

Create an AWS Systems Manager document that adds a host-level firewall rule to block all inbound traffic and outbound traffic. Run the document on the target instance.

The IAM policy needs to allow the kms:DescribeKey permission.

The S3 bucket has been changed to use the AWS managed key to encrypt objects at rest.

An S3 bucket policy needs to be added to allow the IAM user to access the objects.

The KMS key policy has been edited to remove the ability for the AWS account to have full access to the key.

Ask the developers to change their password and use a different web browser.

Ensure that developers are using multi-factor authentication (MFA) when they log in to their developer account as the developer role.

Modify the production account ReadS3 role policy to allow the PutBucketPolicy action onthe productionapp S3 bucket.

Update the trust relationship policy on the production account S3 role to allow the account number of the developer account.

Update the developer group permissions in the developer account to allow access to the productionapp S3 bucket.

The execution role for the Lambda function did not grant permissions to write log data to CloudWatch Logs.

The Lambda function was invoked by using Amazon API Gateway, so the logs are not stored in CloudWatch Logs.

The execution role for the Lambda function did not grant permissions to write to the Amazon S3 bucket where CloudWatch Logs stores the logs.

The version of the Lambda function that was invoked was not current.

Develop the application to use the CloudFront key pair to create signed URLs that users will use to access the content.

Develop the application to use the CloudFront key pair to set the signed cookies that users will use to access the content.

Develop the application to issue a security token that Lambda@Edge will receive to authenticate and authorize access to the content

Keep the CloudFront URL encrypted inside the application, and use AWS KMS to resolve the URL on-the-fly after the user is authenticated.

Update the key policies in eu-west-1. Point the application in eu-north-1 to use the same CMK as the application in eu-west-1.

Allocate a new CMK to eu-north-1 to be used by the application that is deployed in that Region.

Allocate a new CMK to eu-north-1. Create the same alias name for both keys. Configure the application deployment to use the key alias.

Allocate a new CMK to eu-north-1. Create an alias for eu-'-1. Change the application code to point to the alias for eu-'-1.

Configure server-side encryption with AWS KMS managed encryption keys (SSE-KMS)

Compress log file with secure gzip.

Create an Amazon EventBridge (Amazon CloudWatch Events) rule to notify the security team of any modifications on CloudTrail log files.

Implement least privilege access to the S3 bucket by configuring a bucket policy.

Configure CloudTrail log file integrity validation.

Configure Access Analyzer for S3.

Use KMS grants to manage key access. Programmatically create and revoke grants to manage vendor access.

Use an IAM role to manage key access. Programmatically update the IAM role policies to manage vendor access.

Use KMS key policies to manage key access. Programmatically update the KMS key policies to manage vendor access.

Use delegated access across AWS accounts by using IAM roles to manage key access. Programmatically update the IAM trust policy to manage cross-account vendor access.

Create one IAM user in the production account. Grant the appropriate permissions to the resources that are needed. Share the password only with the users that need access.

Create cross-account access with an IAM role in the developer account. Grant the appropriate permissions to this role. Allow users in the developer account to assume this role to access the production resources.

Create cross-account access with an IAM user account in the production account. Grant the appropriate permissions to this user account. Allow users in the developer account to use this user account to access the production resources.

Create cross-account access with an IAM role in the production account. Grant the appropriate permissions to this role. Allow users in the developer account to assume this role to access the production resources.

Review GuardDuty findings to find InstanceCredentialExfiltration events.

Review assessment reports in the Audit Manager console to find InstanceCredentialExfiltration events.

Review CloudTrail logs for GetSessionToken API calls to AWS Security Token Service (AWS STS) that come from an acount ID from outside the company.

Review CloudWatch logs for GetSessionToken API calls to AWS Security Token Service (AWS STS) that come from an account ID from outside the company.

Integrate the application with Amazon Cognito identity pools. Use the GetId API operation to obtain AWS credentials to make authenticated calls to the S3 API.

Integrate the application with Amazon Cognito identity pools. Use the AssumeRoleWithWebIdentity API operation to obtain AWS credentials to make authenticated calls to the S3 API.

Integrate the application with Amazon Cognito user pools. Use the ID token to obtain AWS credentials to make authenticated calls to the S3 API.

Integrate the application with Amazon Cognito user pools. Use the access token to obtain AWS credentials to make authenticated calls to the S3 API.

Use an interface VPC endpoint for Amazon SQS

Configure a connection to Amazon S3 through AWS Transit Gateway.

Use a gateway VPC endpoint for Amazon S3.

Modify the 1AM role applied to the EC2 instances in the Auto Scaling group to allow outbound traffic to the interface endpoints.

Modify the endpoint policies on all VPC endpoints. Specify the SQS and S3 resources that the application uses

Configure a connection to Amazon S3 through AWS Firewall Manager

Option

Option

Option

Option D

Create an AWS CloudFormation template that contains the 1 0 required AVVS Config rules. Deploy the template by using CloudFormation StackSets in the security-01 account.

Create a conformance pack that contains the 10 required AWS Config rules. Deploy the conformance pack from the security-01 account.

Create a conformance pack that contains the 10 required AWS Config rules. Deploy the conformance pack from the management-01 account.

Create an AWS CloudFormation template that will activate AWS Config. De-ploy the template by using CloudFormation StackSets in the security-01 ac-count.

Create an AWS CloudFormation template that will activate AWS Config. De-ploy the template by using CloudFormation StackSets in the management-01 account.

Create an AWS Config Custom Policy rule by using AWS CloudFormation Guard. Include the tag key of CostCenter and the approved values. Create an SCP that denies the creation of resources when the value of the aws:RequestTag/CostCenter condition key is not one of the three approved values.

Create an AWS CloudTrail trail. Create an Amazon EventBridge rule that includes a rule statement that matches the creation of new resources. Configure the EventBridge rule to invoke an AWS Lambda function that checks for the CostCenter tag. Program the Lambda function to block creation in case of a noncompliant value.

Enable tag policies for the organization. Create a tag policy that specifies a tag key of CostCenter and the approved values. Configure the policy to enforce noncompliant operations. Create an SCP that denies the creation of resources when the aws:RequestTag/CostCenter condition key has a null value.

Enable tag policies for the organization. Create a tag policy that specifies a tag key of CostCenter and the approved values. Create an Amazon EventBridge rule that invokes an AWS Lambda function when a noncompliant tag is created. Program the Lambda function to block changes to the tag.

Use lifecycle policies for the EBS volumes

Use EBS Snapshots

Use EBS volume replication

Use EBS volume encryption

Gather any relevant metadata for the compromised EC2 instance. Enable ter-mination protection. Isolate the instance by updating the instance's secu-rity groups to restrict access. Detach the instance from any Auto Scaling groups that the instance is a member of. Deregister the instance from any Elastic Load Balancing (ELB) resources.

Gather any relevant metadata for the compromised EC2 instance. Enable ter-mination protection. Move the instance to an isolation subnet that denies all source and destination traffic. Associate the instance with the subnet to restrict access. Detach the instance from any Auto Scaling groups that the instance is a member of. Deregister the instance from any Elastic Load Balancing (ELB) resources.

Use Systems Manager Run Command to invoke scripts that collect volatile data.

Establish a Linux SSH or Windows Remote Desktop Protocol (RDP) session to the compromised EC2 instance to invoke scripts that collect volatile data.

Create a snapshot of the compromised EC2 instance's EBS volume for follow-up investigations. Tag the instance with any relevant metadata and inci-dent ticket information.

Create a Systems Manager State Manager association to generate an EBS vol-ume snapshot of the compromised EC2 instance. Tag the instance with any relevant metadata and incident ticket information.

Configure AWS Directory Service with the external IdP Create 1AM policies and associate them with users from the external IdP

Enable AWS 1AM Identity Center and use the external IdP as the identity source. Create permission sets and account assignments by using 1AM Identity Center.

Configure AWS Identity and Access Management (1AM) to use the external IdP as an IdP Create 1AM policies and associate them with users from the externa IdP

Enable Amazon Cognito in the organization's management account. Create an identity pool and associate it with the external IdP Create 1AM roles and associate them with the identity pool.

Review AWS CloudTrail togs to identify authentication errors that relate to Cognito users.

Use AWS Identity and Access Management Access Analyzer to delete all unused 1AM roles and users

Review any recent changes in Cognito configuration, 1AM policies, and role trust policies to identify issues.

Write a script that uses CLI commands to reset all user passwords in the Cognito user pool.

Create a verified identity for the email address in Amazon Simple Email Service (Amazon SES) Create an Amazon EventBridge rule that has the SES verified identity as the target Specify GuardDuty as the event source Configure the EventBridge event pattern to match High seventy findings.

Create an Amazon Simple Notification Service (Amazon SNS) topic Subscribe the email address to the SNS topic. Create an Amazon EventBridge rule that has the SNS topic as the target Specify GuardDuty as the event source Configure the EventBridge event pattern to match High severity findings.

Create an Amazon Simple Notification Service (Amazon SNS) topic Subscribe the email address to the SNS topic. Enable AWS Security Hub Integrate Security Hub with GuardDuty. Use Security Hub automation rules to publish High severity GuardDuty findings to the SNS topic.

Enable AWS Security Hub Integrate Security Hub with GuardDuty. Use Secunty Hub automation rules to create a custom rule. Configure the custom rule to detect High seventy GuardDuty findings and to send a notification to the email address.

Archive the data to Amazon S3 and apply a restrictive bucket policy to deny the s3 DeleteOotect API

Archive the data to Amazon S3 Glacier and apply a Vault Lock policy

Archive the data to Amazon S3 and replicate it to a second bucket in a second IAM Region Choose the S3 Standard-Infrequent Access (S3 Standard-1A) storage class and apply a restrictive bucket policy to deny the s3 DeleteObject API

Migrate the log data to a 16 T8 Amazon Elastic Block Store (Amazon EBS) volume Create a snapshot of the EBS volume

Use AWS Backup to apply a 5-year retention tag to the RDS snapshots.

Enable versioning on the S3 bucket that AWS Backup uses for the RDS snapshots. Configure a 5-year retention period.

Create an S3 Lifecycle policy. Include a 5-year retention period for the S3 bucket that AWS Backup uses for the RDS snapshots.

Create a backup plan in AWS Backup. Configure a 5-year retention period.

Create an AWS CloudTrail trail with log file validation enabled. Enable data events. Specify Amazon S3 as the data event type.

Create a new S3 bucket for S3 server access logs. Configure the existing S3 buckets to send their S3 server access logs to the new S3 bucket.

Create an Amazon CloudWatch Logs log group. Configure the existing S3 buckets tosend their S3 server access logs to the log group.

Create a new S3 bucket for S3 server access logs with log file validation enabled. Enable data events. Specify Amazon S3 as the data event type.

Ensure that LambdaAuditRole has the sts:AssumeRole permission for Ac-meAuditFactoryRole.

Ensure that LambdaAuditRole has the AWSLambdaBasicExecutionRole managed policy attached.

Ensure that the trust policy for AcmeAuditFactoryRole allows the sts:AssumeRole action from LambdaAuditRole.

Ensure that the trust policy for LambdaAuditRole allows the sts:AssumeRole action from the lambda.amazonaws.com service.

Ensure that the sts:AssumeRole API call is being issued to the us-east-I Region endpoint.

Implement AWS 1AM Access Analyzer policy generation on the role.

Implement AWS 1AM Access Analyzer policy validation on the role.

Search CloudWatch logs to determine the actions the role invoked and to evaluate the permissions.

Use AWS Trusted Advisor to compare the policies assigned to the role against AWS best practices.

For each team, create an AM policy similar to the one that fellows Populate the ec2: ResourceTag/Team condition key with a proper team name Attach resulting policies to the corresponding IAM roles.

B. For each team create an IAM policy similar to the one that follows Populate the IAM TagKeys/Team condition key with a proper team name.Attach the resuming policies to the corresponding IAM roles.

C. Tag each IAM role with a Team lag key. and use the team name in the tag value. Create an IAM policy similar to the one that follows, and attach 4 to all the IAM roles used by developers.

D. Tag each IAM role with the Team key, and use the team name in the tag value. Create an IAM policy similar to the one that follows, and it to all the IAM roles used by developers.

Use Amazon Macie to scan the S3 bucket for sensitive data every 72 hours. Configure Macie to delete the objects that contain sensitive data when they are discovered.

Configure an S3 Lifecycle rule on the S3 bucket to expire objects that have been in the S3 bucket for 72 hours.

Create an Amazon EventBridge scheduled rule that invokes an AWS Lambda function every day. Program the Lambda function to remove any objects that have been in the S3 bucket for 72 hours.

Use the S3 Intelligent-Tiering storage class for all objects that are up-loaded to the S3 bucket. Use S3 Intelligent-Tiering to expire objects that have been in the S3 bucket for 72 hours.

Create a new trail and configure it to send CloudTrail logs to Amazon S3. Use Amazon EventBridge (Amazon CloudWatch Events) to send notification if a trail is deleted or stopped.

Deploy an IAM Lambda function in every account to check if there is an existing trail and create a new trail, if needed.

Edit the existing trail in the Organizations master account and apply it to the organization.

Create an SCP to deny the cloudtrail:Delete" and cloudtrail:Stop' actions. Apply the SCP to all accounts.

Enable Amazon GuardDuty Configure Matware Protection for EC2 Run an on-demand malware scan of the EC2 instances.

Enable Amazon GuardDuty Configure Runtime Monitoring Enable the automated agent configuration for the EC2 instances.

Enable Amazon Inspector Configure agentless scanning for the EC2 instances.

Enable Amazon Inspector Configure deep inspection of the EC2 instances Run an on-demand scan of the EC2 instances.

Check the Amazon S3 bucket policy. Verify that the policy allows the config.amazonaws.com service to write to the target bucket.

Verify that the IAM entity has the permissions necessary to perform the s3:GetBucketAcl and s3:PutObject* operations to write to the target bucket.

Verify that the Amazon S3 bucket policy has the permissions necessary to perform the s3:GetBucketAcl and s3:PutObject* operations to write to the target bucket.

Check the policy that is associated with the IAM entity. Verify that the policy allows the config.amazonaws.com service to write to the target bucket.

Verify that the AWS Config service role has permissions to invoke the BatchGetResourceConfig action instead of the GetResourceConfigHistory action and s3:PutObject* operation.

The principal's identity-based policy grants access to put objects into the S3 bucket with no conditions.

The principal's identity-based policy overrides the condition because the identity-based policy contains an explicit allow.

The S3 bucket's resource policy does not deny access to put objects.

The S3 bucket's resource policy cannot allow actions to the principal.

The bucket policy does not apply to principals in the same zone of trust.

Option A

Option B

Option C

Option D

Enable AWS Security Hub in the AWS account.

Enable Amazon GuardDuty in the AWS account.

Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team’s email distribution list to the topic.

Create an Amazon Simple Queue Service (Amazon SQS) queue. Subscribe the security team’s email distribution list to the queue.

Create an Amazon EventBridge (Amazon CloudWatch Events) rule for GuardDuty findings of high severity. Configure the rule to publish a message to the topic.

Create an Amazon EventBridge (Amazon CloudWatch Events) rule for Security Hub findings of high severity. Configure the rule to publish a message to the queue.

Use Amazon CloudWatch monitoring to capture Amazon EC2 and networking metrics Visualize metrics using Amazon CloudWatch dashboards.

Run the Amazon Kinesis Agent to write the status data to Amazon Kinesis Data Firehose Store the streaming data from Kinesis Data Firehose in Amazon Redshift. (hen run a script on the pool data and analyze the data in Amazon Redshift

Write the status data directly to a public Amazon S3 bucket from the health-checking component Configure S3 events to invoke an IAM Lambda function that analyzes the data

Generate events from the health-checking component and send them to Amazon CloudWatch Events. Include the status data as event payloads. Use CloudWatch Events rules to invoke an IAM Lambda function that analyzes the data.

Configure a centralized Amazon S3 bucket for the logs Enable VPC Flow Logs, AWS CloudTrail, and Amazon Route 53 logs in all accounts. Configure allaccounts to use the centralized S3 bucket. Configure AWS Glue crawlers to parse the log files Use Amazon Athena to query the log data.

Configure log streams in Amazon CloudWatch Logs for the sources that need monitoring. Create log subscription filters for each log stream. Forward themessages to Amazon OpenSearch Service for analysis.

Set up a delegated Amazon Security Lake administrator account in Organizations. Enable and configure Security Lake for the organization. Add the accountsthat need monitoring. Use Amazon Athena to query the log data.

Apply an SCP to configure all member accounts and services to deliver log files to a centralized Amazon S3 bucket. Use Amazon OpenSearch Service toquery the centralized S3 bucket for log entries.

Create an AWS Step Functions state machine that checks the resource type in the finding and adds an explicit Deny statement in the trust policy for the IAM role. Configure the state machine to publish a notification to an Amazon SimpleNotification Service (Amazon SNS) topic.

Create an AWS Batch job that forwards any resource type findings to an AWS Lambda function. Configure the Lambda function to add an explicit Denystatement in the trust policy for the IAM role. Configure the AWS Batch job to publish a notification to an Amazon Simple Notification Service (Amazon SNS) topic.

In Amazon EventBridge, create an event rule that matches active IAM Access Analyzer findings and invokes AWS Step Functions for resolution.

In Amazon CloudWatch, create a metric filter that matches active IAM Access Analyzer findings and invokes AWS Batch for resolution.

Create an Amazon Simple Queue Service (Amazon SQS) queue. Configure the queue to forward a notification to the security team that an external principal has been granted access to the specific IAM role and has been blocked.

Create an Amazon Simple Notification Service (Amazon SNS) topic for external or cross-account access notices. Subscribe the security team's email addresses to the topic.

Usethe --is-multi-region-trail option while running the create-trail command to ensure that logs are configured across all AWS Regions.

Create an SCP that includes a Deny rule tor the cloudtrail. StopLogging action Apply the SCP to all accounts in the OUs.

Create an SCP that includes an Allow rule for the cloudtrail. StopLogging action Apply the SCP to all accounts in the OUs.

Use AWS Systems Manager to ensure that CloudTrail is always turned on.

Enable AWS Security Hub for all accounts. In the Security Hub administrator account, enable the GuardDuty integration. Create automation rules to elevate findings for the production account and the S3 bucket.

Enable AWS Security Hub for all accounts. In the Security Hub administrator account, enable the GuardDuty integration. Use Amazon EventBridge to create a custom rule to elevate findings for the production account and the S3 bucket.

Use the GuardDuty administrator account to configure a threat list that includes the production account and the S3 bucket. Use Amazon EventBridge and Amazon Simple Notification Service (Amazon SNS) to elevate findings from the threat list.

Use the GuardDuty administrator account to enable S3 protection for the support account that contains the S3 bucket. Configure GuardDuty to elevate findings for the production account and the S3 bucket.

Add the file-system-id efs IAM-region amazonIAM com URL to the allow list for the data center firewall Install the IAM CLI on the data center-based servers to mount the EFS file system in the EFS security group add the data center IP range to the allow list Mount the EFS using the EFS file system name

Assign an Elastic IP address to Amazon EFS and add the Elastic IP address to the allow list for the data center firewall Install the IAM CLI on the data center-based servers to mount the EFS file system In the EFS security group, add the IP addresses of the data center servers to the allow list Mount the EFS using the Elastic IP address

Add the EFS file system mount target IP addresses to the allow list for the data center firewall In the EFS security group, add the data center server IP addresses to the allow list Use the Linux terminal to mount the EFS file system using the IP address of one of the mount targets

Assign a static range of IP addresses for the EFS file system by contacting IAM Support Inthe EFS security group add the data center server IP addresses to the allow list Use the Linux terminal to mount the EFS file system using one of the static IP addresses

Verify that a NAT gateway has been provisioned in the public subnet in each Availability Zone.

Verify that a NAT gateway has been provisioned in the private subnet in each Availability Zone.

Modify the route tables that are associated with each of the public subnets. Create a new route for local destinations to the VPC CIDR range.

Modify the route tables that are associated with each of the private subnets Create a new route for the destination 0.0.0.070. Specify the NAT gateway in the public subnet of the same Availability Zone as the target of the route.

Modify the route tables that are associated with each of the private subnets. Create a new route for the destination 0.0.0.0/0. Specify the internet gateway in the public subnet of the same Availability Zone as the target of the route.

Create new S3 buckets with S3 Object Lock enabled in compliance mode. Place objects in the S3 buckets.

Use S3 Glacier Vault Lock to attach a Vault Lock policy to new S3 buckets. Wait 24hours to complete the Vault Lock process. Place objects in the S3 buckets.

Create new S3 buckets with S3 Object Lock enabled in governance mode. Place objects in the S3 buckets.

Create new S3 buckets with S3 Object Lock enabled in governance mode. Add a legal hold to the S3 buckets. Place objects in the S3 buckets.

Instruct users to implement a retry mechanism every 2 minutes until the call succeeds.

Instruct the engineering team to consume a random grant token from users, and to call the CreateGrant operation, passing it the grant token. Instruct use to use that grant token in their call to encrypt.

Instruct the engineering team to create a random name for the grant when calling the CreateGrant operation. Return the name to the users and instruct them to provide the name asthe grant token in the call to encrypt.

Instruct the engineering team to pass the grant token returned in the CreateGrant response to users. Instruct users to use that grant token in their call to encrypt.

Use IAM X-Ray to inspect the traffic going to the EC2 instances.

Move the static content to Amazon S3, and front this with an Amazon Cloud Front distribution.

Change the security group configuration to block the source of the attack traffic

Use IAM WAF security rules to inspect the inbound traffic.

Use Amazon Inspector assessment templates to inspect the inbound traffic.

Use Amazon Route 53 to distribute traffic.

Create a resource based policy that allows Security Hub access to the ARN of the Lambda function.

Attach the AWSSecurityHubReedOnlyAccess AWS managed policy to the Lambda function's execution role.

Grant the Lambda function s execution role read-only permissions to access Amazon Inspector and Security Hub.

Create a custom 1AM policy that grants the Security Hub Get' List" Batch' and Desert*" permissions on the arn aws securityhub us-west-2 productaws/inspector' resource Anacn the policy to the Lambda function's execution role.

Create a Lambda@Edge function. Include code to add the X-Frame-Options header to the response. Configure the function to run in response to the CloudFront origin response event.

Create a Lambda@Edge function. Include code to add the X-Frame-Options header to the response. Configure the function to run in response to the CloudFront viewer request event.

Update the CloudFront distribution by adding X-Frame-Options to custom headers in the origin settings.

Customize the EC2 hosted application to add the X-Frame-Options header to the responses that are returned to CloudFront.

chmod 0040 ssh/my_private_key pern

chmod 0400 ssh/my_private_key pern

chmod 0004 ssh/my_private_key pern

chmod 0777 ssh/my_private_key pern

Create a local individual break glass IAM user for the security team. Create a trail in AWS CloudTrail that has Amazon CloudWatch Logs turned on. Use Amazon EventBridge to monitor local user activities.

Create a break glass EC2 key pair for the AWS account. Provide the key pair to the security team. Use AWS CloudTraiI to monitor key pair activity. Send notifications to the security team by using Amazon Simple Notification Service (Amazon SNS).

Create a break glass IAM role for the account. Allow security team members to perform the AssumeRoleWithSAML operation. Create an AWS Cloud Trail trail that has Amazon CloudWatch Logs turned on. Use Amazon EventBridge tomonitor security team activities.

Create a local individual break glass IAM user on the operating system level of each workload instance. Configure unrestricted security groups on the instances to grant access to the break glass IAM users.

Configure AWS Systems Manager Session Manager for Amazon EC2. Configure an AWS Cloud Trail filter based on Session Manager. Send the results to an Amazon Simple Notification Service (Amazon SNS) topic.

Configure Amazon CloudWatch Logs Insights

Create an Amazon CloudWatch dashboard

Configure AWS Security Hub integrations

Query the findings by using Amazon Athena

Store the API key value as a SecureString parameter in AWS Systems Manager Parameter Store. In the template, replace all references to the value with {{resolve:ssm:MySSMParameterName:I}}.

Store the API key value in AWS Secrets Manager. In the template, replace all references to the value with { {resolve:secretsmanager:MySecretId:SecretString}}.

Store the API key value in Amazon DynamoDB. In the template, replace all references to the value with {{resolve:dynamodb:MyTableName:MyPrimaryKey}}.

Store the API key value in a new Amazon S3 bucket. In the template, replace all references to the value with {

Configure S3 bucket policies to deny DELETE and PUT object permissions.

Configure S3 Object Lock in compliance mode with S3 bucket versioning enabled.

Change the encryption on the S3 bucket to use AWS Key Management Service (AWS KMS) customer managed keys.

Configure the S3 bucket with multi-factor authentication (MFA) delete protection.

Outbound SG configuration on database servers Inbound SG configuration on application servers inbound and outbound network ACL configuration on the database subnet Inbound and outbound network ACL configuration on the application server subnet

Inbound SG configuration on database serversOutbound SG configuration on application serversInbound and outbound network ACL configuration on the database subnetInbound and outbound network ACL configuration on the application server subnet

Inbound and outbound SG configuration on database servers Inbound and outbound SG configuration on application servers Inbound network ACL configuration on the database subnet Outbound network ACL configuration on the application server subnet

Inbound SG configuration on database servers Outbound SG configuration on application servers Inbound network ACL configuration on the database subnet Outbound network ACL configuration on the application server subnet.

Use the SimpleCORS managed response headers policy.

Use a Lambda@Edge function to add the Strict-Transport-Security response header.

Use the SecurityHeadersPolicy managed response headers policy.

Include the X-XSS-Protection header in a custom response headers policy.

Create an Amazon Simple Notification Service (Amazon SNS) topic to send messages to the application. Set a filter policy on the topic subscriptions to reject any messages that contain the product/aws/inspector string.

Update the Lambda function code to find pattern matches of events from Amazon Inspector and to suppress the findings.

Create a Security Hub custom action that automatically sends findings from all services except Amazon Inspector to the EventBridge event bus.

Modify the value of the ProductArn attribute in the event pattern of the EventBridge rule to "anything-but": ["arn:aws:securityhub:us-west-2::product/aws/inspector"].

Configure the Amazon inspector agent to use the CVE rule package

Configure the Amazon Inspector agent to use the CVE rule package Configure Security Hub to ingest from IAM inspector by writing a custom resource policy

Configure the Security Hub agent to use the CVE rule package Configure IAM Inspector lo ingest from Security Hub by writing a custom resource policy

Configure the Amazon Inspector agent to use the CVE rule package Install an additional Integration library Allow the Amazon Inspector agent to communicate with Security Hub

Specify Amazon Redshift as the destination for the access logs. Deploy the Amazon Athena Redshift connector. Use Athena to query the data from Amazon Redshift and to filter the logs by host.

Specify Amazon CloudWatch as the destination for the access logs. Use Amazon CloudWatch Logs Insights to design a query to filter the logs by host.

Specify Amazon CloudWatch as the destination for the access logs. Export the CloudWatch logs to an Amazon S3 bucket. Use Amazon Athena to query the logs and to filter the logs by host.

Specify Amazon CloudWatch as the destination for the access logs. Use Amazon Redshift Spectrum to query the logs and to filter the logs by host.

Modify the EventBridge event pattern by selecting Amazon S3. Select All Events as the event type.

Modify the EventBridge event pattern by selecting Amazon S3. Select Bucket Level Operations as the event type.

Enable CloudTrail Insights to identify unusual API activity.

Enable CloudTrail to monitor data events for read and write operations to S3 buckets.

Create an Inline IAM user policy that allows for Amazon EC2 access for the contractor's IAM user.

Create an IAM permissions boundary policy that allows Amazon EC2 access. Associate the contractor's IAM account with the IAM permissions boundary policy.

Create an IAM group with an attached policy that allows for Amazon EC2 access. Associate the contractor's IAM account with the IAM group.

Create an IAM role that allows for EC2 and explicitly denies all other services. Instruct the contractor to always assume this role.

Log in to the AWS account by using read-only credentials Review the GuardDuty finding for details about the 1AM credentials that were used. Use the 1AM console to add a DenyAII policy to the 1AM pnncipal.

Log in to the AWS account by using read-only credentials Review the GuardDuty finding to determine which API calls initiated the finding Use Amazon Detective to review the API calls in context.

Log in to the AWS account by using administrator credentials Review the GuardDuty finding for details about the 1AM credentials that were used Use the 1AM console to add a DenyAII policy to the 1AM principal.

Log in to the AWS account by using read-only credentials Review the GuardDuty finding to determine which API calls initiated the finding Use AWS CloudTrail Insights and AWS CloudTrail Lake to review the API calls in context.

Configure S3 Object Lock on the bucket with a retention penod of 10 years Specify governance mode as the retention mode. Create an S3 Lifecycle policy that will expire objects after 10 years.

Configure S3 Object Lock on the bucket with a retention period of 10 years Specify compliance mode as the retention mode. Create an S3 Lifecycle policy that will expire objects after 10 years.

Configure S3 Object Lock on the bucket with a retention penod of 10 years Place a legal hold on the objects. Create an S3 Lifecycle policy that will remove versionmg for the objects and expire objects after 10 years.

Configure S3 Object Lock on the bucket Specify compliance mode as the retention mode Place a legal hold on the objects. Create an S3 Lifecycle policy that will expire the objects after 10 years.

Revoke all versions of the signing profile assigned to the developer.

Examine the developer’s IAM roles. Remove all permissions that grant access to Signer.

Re-encrypt all source code with a new AWS Key Management Service (AWS KMS) key.

Use Amazon CodeGuru to profile all the code that the Lambda functions use.

Verify that the KMS key policy specifies a deny statement that prevents access to the key by using the aws SourcelP condition key Check that the range includes the EC2 instance IP address that is associated with the EBS volume

Verify that the KMS key that is associated with the EBS volume is set to the Symmetric key type

Verify that the KMS key that is associated with the EBS volume is in the Enabled state

Verify that the EC2 role that is associated with the instance profile has the correct 1AM instance policy to launch an EC2 instance with the EBS volume

Verify that the key that is associated with the EBS volume has not expired and needs to be rotated

Configure IAM KMS and use a custom key store. Create a customer managed CMK with no key material Import the company's keys and key material into the CMK

Configure IAM KMS and use the default Key store Create an IAM managed CMK with no key material Import the company's key material into the CMK

Configure IAM KMS and use the default key store Create a customer managed CMK with no key material import the company's key material into the CMK

Configure IAM KMS and use a custom key store. Create an IAM managed CMK with no key material. Import the company's key material into the CMK.

Enable Amazon RDS encryption to encrypt the database and snapshots. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instances. Include the database credential in the EC2 user data field. Use an AWS Lambda function to rotate database credentials. Set up TLS for the connection to the database.

Install a database on an Amazon EC2 instance. Enable third-party disk encryption to encrypt Amazon Elastic Block Store (Amazon EBS) volume. Store the database credentials in AWS CloudHSM with automatic rotation. Set up TLS for the connection to the database.

Enable Amazon RDS encryption to encrypt the database and snapshots. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instances. Store the database credentials in AWS Secrets Manager with automatic rotation. Set up TLS for the connection to the RDS hosted database.

Set up an AWS CloudHSM cluster with AWS Key Management Service (AWS KMS) to store KMS keys. Set up Amazon RDS encryption using AWS KSM to encrypt the database. Store the database credentials in AWS Systems Manager Parameter Store with automatic rotation. Set up TLS for the connection to the RDS hosted database.

Take an EBS volume snapshot of the instance and store the snapshot in an Amazon S3 bucket. Take a memory snapshot of the instance and store the snapshot in an S3 bucket. Detach the instance from the Auto Scaling group. Deregister the instance from the ALB. Stop the instance.

Take a memory snapshot of the instance and store the snapshot in an Amazon S3 bucket. Stop the instance. Take an EBS volume snapshot of the instanceand store the snapshot in an S3 bucket. Detach the instance from the Auto Scaling group. Deregister the instance from the ALB.

Detach the instance from the Auto Scaling group. Deregister the instance from the ALB. Take an EBS volume snapshot of the instance and store the snapshotin an Amazon S3 bucket. Take a memory snapshot of the instance and store the snapshot in an S3 bucket. Stop the instance

Detach the instance from the Auto Scaling group Deregister the instance from the ALB. Stop the instance. Take a memory snapshot of the instance and store the snapshot in an Amazon S3 bucket. Take an EBS volume snapshot of the instance and store the snapshot in an S3 bucket.