A company that uses AWS Organizations is using AWS IAM Identity Center (AWS Single Sign-On) to administer access to AWS accounts. A security engineer is creating a custom permission set in IAM Identity Center. The company will use the permission set across multiple accounts. An AWS managed policy and a customer managed policy are attached to the permission set. The security engineer has full administrative permissions and is operating in the management account. When the security engineer attempts to assign the permission set to an IAM Identity Center user who has access to multiple accounts, the assignment fails. What should the security engineer do to resolve this failure?
A. Create the customer managed policy in every account where the permission set is assigned. Give the customer managed policy the same name and same permissions in each account.
B. Remove either the AWS managed policy or the customer managed policy from the permission set. Create a second permission set that includes the removed policy. Apply the permission sets separately to the user.
C. Evaluate the logic of the AWS managed policy and the customer managed policy. Resolve any policy conflicts in the permission set before deployment.
D. Do not add the new permission set to the user. Instead, edit the user's existing permission set to include the AWS managed policy and the customer managed policy.
A company suspects that an attacker has exploited an overly permissive role to export credentials from Amazon EC2 instance metadata. The company uses Amazon GuardDuty and AWS Audit Manager. The company has enabled AWS CloudTrail logging and Amazon CloudWatch logging for all of its AWS accounts. A security engineer must determine if the credentials were used to access the company's resources from an external account. Which solution will provide this information?
A. Review GuardDuty findings to find InstanceCredentialExfiltration events.
B. Review assessment reports in the Audit Manager console to find InstanceCredentialExfiltration events.
C. Review CloudTrail logs for GetSessionToken API calls to AWS Security Token Service (AWS STS) that come from an account ID from outside the company.
D. Review CloudWatch logs for GetSessionToken API calls to AWS Security Token Service (AWS STS) that come from an account ID from outside the company.
A security team is working on a solution that will use Amazon EventBridge (Amazon CloudWatch Events) to monitor new Amazon S3 objects. The solution will monitor for public access and for changes to any S3 bucket policy or setting that result in public access. The security team configures EventBridge to watch for specific API calls that are logged from AWS CloudTrail. EventBridge has an action to send an email notification through Amazon Simple Notification Service (Amazon SNS) to the security team immediately with details of the API call. Specifically, the security team wants EventBridge to watch for the s3:PutObjectAcl, s3:DeleteBucketPolicy, and s3:PutBucketPolicy API invocation logs from CloudTrail. While developing the solution in a single account, the security team discovers that the s3:PutObjectAcl API call does not invoke an EventBridge event. However, the s3:DeleteBucketPolicy API call and the s3:PutBucketPolicy API call do invoke an event. The security team has enabled CloudTrail for AWS management events with a basic configuration in the AWS Region in which EventBridge is being tested. Verification of the EventBridge event pattern indicates that the pattern is set up correctly. The security team must implement a solution so that the s3:PutObjectAcl API call will invoke an EventBridge event. The solution must not generate false notifications. Which solution will meet these requirements?
A. Modify the EventBridge event pattern by selecting Amazon S3. Select All Events as the event type.
B. Modify the EventBridge event pattern by selecting Amazon S3. Select Bucket Level Operations as the event type.
C. Enable CloudTrail Insights to identify unusual API activity.
D. Enable CloudTrail to monitor data events for read and write operations to S3 buckets.
A company runs an online game on AWS. When players sign up for the game, their username and password credentials are stored in an Amazon Aurora database. The number of users has grown to hundreds of thousands of players. The number of requests for password resets and login assistance has become a burden for the company’s customer service team. The company needs to implement a solution to give players another way to log in to the game. The solution must remove the burden of password resets and login assistance while securely protecting each player's credentials. Which solution will meet these requirements?
A. When a new player signs up, use an AWS Lambda function to automatically create an IAM access key and a secret access key. Program the Lambda function to store the credentials on the player's device. Create IAM keys for existing players.
B. Migrate the player credentials from the Aurora database to AWS Secrets Manager. When a new player signs up, create a key-value pair in Secrets Manager for the player's user ID and password.
C. Configure Amazon Cognito user pools to federate access to the game with third-party identity providers (IdPs), such as social IdPs. Migrate the game's authentication mechanism to Cognito.
D. Instead of using usernames and passwords for authentication, issue API keys to new and existing players. Create an Amazon API Gateway API to give the game client access to the game's functionality.
A company wants to receive automated email notifications when AWS access keys from developer AWS accounts are detected on code repository sites. Which solution will provide the required email notifications?
A. Create an Amazon EventBridge rule to send Amazon Simple Notification Service (Amazon SNS) email notifications for Amazon GuardDuty UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS findings.
B. Change the AWS account contact information for the Operations type to a separate email address. Periodically poll this email address for notifications.
C. Create an Amazon EventBridge rule that reacts to AWS Health events that have a value of Risk for the service category. Configure email notifications by using Amazon Simple Notification Service (Amazon SNS).
D. Implement new anomaly detection software. Ingest AWS CloudTrail logs. Configure monitoring for ConsoleLogin events in the AWS Management Console. Configure email notifications from the anomaly detection software.
A company’s security team needs to receive a notification whenever an AWS access key has not been rotated in 90 or more days. A security engineer must develop a solution that provides these notifications automatically. Which solution will meet these requirements with the LEAST amount of effort?
A. Deploy an AWS Config managed rule to run on a periodic basis of 24 hours. Select the access-keys-rotated managed rule, and set the maxAccessKeyAge parameter to 90 days. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with an event pattern that matches the compliance type of NON_COMPLIANT from AWS Config for the managed rule. Configure EventBridge (CloudWatch Events) to send an Amazon Simple Notification Service (Amazon SNS) notification to the security team.
B. Create a script to export a .csv file from the AWS Trusted Advisor check for IAM access key rotation. Load the script into an AWS Lambda function that will upload the .csv file to an Amazon S3 bucket. Create an Amazon Athena table query that runs when the .csv file is uploaded to the S3 bucket. Publish the results for any keys older than 90 days by using an invocation of an Amazon Simple Notification Service (Amazon SNS) notification to the security team.
C. Create a script to download the IAM credentials report on a periodic basis. Load the script into an AWS Lambda function that will run on a schedule through Amazon EventBridge (Amazon CloudWatch Events). Configure the Lambda script to load the report into memory and to filter the report for records in which the key was last rotated at least 90 days ago. If any records are detected, send an Amazon Simple Notification Service (Amazon SNS) notification to the security team.
D. Create an AWS Lambda function that queries the IAM API to list all the users. Iterate through the users by using the ListAccessKeys operation. Verify that the value in the CreateDate field is not at least 90 days old. Send an Amazon Simple Notification Service (Amazon SNS) notification to the security team if the value is at least 90 days old. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to schedule the Lambda function to run each day.
A company has an application that runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an Amazon EC2 Auto Scaling group and are attached to Amazon Elastic Block Store (Amazon EBS) volumes. A security engineer needs to preserve all forensic evidence from one of the instances. Which order of steps should the security engineer use to meet this requirement?
A. Take an EBS volume snapshot of the instance and store the snapshot in an Amazon S3 bucket. Take a memory snapshot of the instance and store the snapshot in an S3 bucket. Detach the instance from the Auto Scaling group. Deregister the instance from the ALB. Stop the instance.
B. Take a memory snapshot of the instance and store the snapshot in an Amazon S3 bucket. Stop the instance. Take an EBS volume snapshot of the instance and store the snapshot in an S3 bucket. Detach the instance from the Auto Scaling group. Deregister the instance from the ALB.
C. Detach the instance from the Auto Scaling group. Deregister the instance from the ALB. Take an EBS volume snapshot of the instance and store the snapshot in an Amazon S3 bucket. Take a memory snapshot of the instance and store the snapshot in an S3 bucket. Stop the instance.
D. Detach the instance from the Auto Scaling group. Deregister the instance from the ALB. Stop the instance. Take a memory snapshot of the instance and store the snapshot in an Amazon S3 bucket. Take an EBS volume snapshot of the instance and store the snapshot in an S3 bucket.
A company manages multiple AWS accounts using AWS Organizations. The company's security team notices that some member accounts are not sending AWS CloudTrail logs to a centralized Amazon S3 logging bucket. The security team wants to ensure there is at least one trail configured for all existing accounts and for any account that is created in the future. Which set of actions should the security team implement to accomplish this?
A. Create a new trail and configure it to send CloudTrail logs to Amazon S3. Use Amazon EventBridge to send a notification if a trail is deleted or stopped.
B. Deploy an AWS Lambda function in every account to check if there is an existing trail and create a new trail, if needed.
C. Edit the existing trail in the Organizations management account and apply it to the organization.
D. Create an SCP to deny the cloudtrail:Delete* and cloudtrail:Stop* actions. Apply the SCP to all accounts.
A security engineer is implementing a solution to allow users to seamlessly encrypt Amazon S3 objects without having to touch the keys directly. The solution must be highly scalable without requiring continual management. Additionally, the organization must be able to immediately delete the encryption keys. Which solution meets these requirements?
A. Use AWS KMS with AWS managed keys and the ScheduleKeyDeletion API with a PendingWindowInDays set to 0 to remove the keys if necessary.
B. Use KMS with AWS imported key material and then use the DeleteImportedKeyMaterial API to remove the key material if necessary.
C. Use AWS CloudHSM to store the keys and then use the CloudHSM API or the PKCS11 library to delete the keys if necessary.
D. Use the Systems Manager Parameter Store to store the keys and then use the service API operations to delete the keys if necessary.
A company needs to implement DNS Security Extensions (DNSSEC) for a specific subdomain. The subdomain is already registered with Amazon Route 53. A security engineer has enabled DNSSEC signing and has created a key-signing key (KSK). When the security engineer tries to test the configuration, the security engineer receives an error for a broken trust chain. What should the security engineer do to resolve this error?
A. Replace the KSK with a zone-signing key (ZSK).
B. Deactivate and then activate the KSK.
C. Create a Delegation Signer (DS) record in the parent hosted zone.
D. Create a Delegation Signer (DS) record in the subdomain.