A company's IAM account consists of approximately 300 IAM users. Now there is a mandate that an access change is required for 100 IAM users to have unlimited privileges to S3.As a system administrator, how can you implement this effectively so that there is no need to apply the policy at the individual user level? Please select:
A. Create a new role and add each user to the IAM role
B. Use the IAM groups and add users, based upon their role, to different groups and applythe policy to group
C. Create a policy and apply it to multiple users using a JSON script
D. Create an S3 bucket policy with unlimited access which includes each user's IAMaccount ID
A company needs to encrypt all of its data stored in Amazon S3. The company wants to use IAM Key Management Service (IAM KMS) to create and manage its encryption keys. The company's security policies require the ability to Import the company's own key material for the keys, set an expiration date on the keys, and delete keys immediately, if needed. How should a security engineer set up IAM KMS to meet these requirements?
A. Configure IAM KMS and use a custom key store. Create a customer managed CMK withno key material Import the company's keys and key material into the CMK
B. Configure IAM KMS and use the default Key store Create an IAM managed CMK withno key material Import the company's key material into the CMK
C. Configure IAM KMS and use the default key store Create a customer managed CMKwith no key material import the company's key material into the CMK
D. Configure IAM KMS and use a custom key store. Create an IAM managed CMK with nokey material. Import the company's key material into the CMK.
A company has an organization in AWS Organizations. The company wants to use AWS CloudFormation StackSets in the organization to deploy various AWS design patterns into environments. These patterns consist of Amazon EC2 instances, Elastic Load Balancing (ELB) load balancers, Amazon RDS databases, and Amazon Elastic Kubernetes Service (Amazon EKS) clusters or Amazon Elastic Container Service (Amazon ECS) clusters. Currently, the company's developers can create their own CloudFormation stacks to increase the overall speed of delivery. A centralized CI/CD pipeline in a shared services AWS account deploys each CloudFormation stack. The company's security team has already provided requirements for each service in accordance with internal standards. If there are any resources that do not comply with the internal standards, the security team must receive notification to take appropriate action. The security team must implement a notification solution that gives developers the ability to maintain the same overall delivery speed that they currently have. Which solution will meet these requirements in the MOST operationally efficient way?
A. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe thesecurity team's email addresses to the SNS topic. Create a custom AWS Lambda functionthat will run the aws cloudformation validate-template AWS CLI command on all CloudFormation templates before the build stage in the CI/CD pipeline. Configure theCI/CD pipeline to publish a notification to the SNS topic if any issues are found.
B. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe thesecurity team's email addresses to the SNS topic. Create custom rules in CloudFormationGuard for each resource configuration. In the CllCD pipeline, before the build stage,configure a Docker image to run the cfn-guard command on the CloudFormation template.Configure the CI/CD pipeline to publish a notification to the SNS topic if any issues arefound.
C. Create an Amazon Simple Notification Service (Amazon SNS) topic and an Am-azonSimple Queue Service (Amazon SQS) queue. Subscribe the security team's emailaddresses to the SNS topic. Create an Amazon S3 bucket in the shared services AWSaccount. Include an event notification to publish to the SQS queue when new objects areadded to the S3 bucket. Require the de-velopers to put their CloudFormation templates inthe S3 bucket. Launch EC2 instances that automatically scale based on the SQS queuedepth. Con-figure the EC2 instances to use CloudFormation Guard to scan the templatesand deploy the templates if there are no issues. Configure the CllCD pipe-line to publish anotification to the SNS topic if any issues are found.
D. Create a centralized CloudFormation stack set that includes a standard set of resourcesthat the developers can deploy in each AWS account. Configure each CloudFormationtemplate to meet the security requirements. For any new resources or configurations,update the CloudFormation template and send the template to the security team for review.When the review is com-pleted, add the new CloudFormation stack to the repository for thedevel-opers to use.
A company's policy requires that all API keys be encrypted and stored separately from source code in a centralized security account. This security account is managed by the company's security team However, an audit revealed that an API key is steed with the source code of an IAM Lambda function m an IAM CodeCommit repository in the DevOps account How should the security learn securely store the API key?
A. Create a CodeCommit repository in the security account using IAM Key ManagementService (IAM KMS) tor encryption Require the development team to migrate the Lambdasource code to this repository
B. Store the API key in an Amazon S3 bucket in the security account using server-sideencryption with Amazon S3 managed encryption keys (SSE-S3) to encrypt the key Createa resigned URL tor the S3 key. and specify the URL m a Lambda environmental variable inthe IAM CloudFormation template Update the Lambda function code to retrieve the keyusing the URL and call the API
C. Create a secret in IAM Secrets Manager in the security account to store the API keyusing IAM Key Management Service (IAM KMS) tor encryption Grant access to the IAMrole used by the Lambda function so that the function can retrieve the key from Secrets Manager and call the API
D. Create an encrypted environment variable for the Lambda function to store the API keyusing IAM Key Management Service (IAM KMS) tor encryption Grant access to the IAMrole used by the Lambda function so that the function can decrypt the key at runtime
Example.com is hosted on Amazon EC2 instances behind an Application Load Balancer (ALB). Third-party host intrusion detection system (HIDS) agents that capture the traffic of the EC2 instance are running on each host. The company must ensure they are using privacy enhancing technologies for users, without losing the assurance the third-party solution offers. What is the MOST secure way to meet these requirements?
A. Enable TLS pass through on the ALB, and handle decryption at the server using EllipticCurve Diffie-Hellman (ECDHE) cipher suites.
B. Create a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie-Hellman (ECDHE) cipher suites, and pass the traffic in the clear to the server.
C. Create a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie- Hellman (ECDHE) cipher suites, and use encrypted connections to the servers that do notenable Perfect Forward Secrecy (PFS).
D. Create a listener on the ALB that does not enable Perfect Forward Secrecy (PFS) ciphersuites, and use encrypted connections to the servers using Elliptic Curve Diffie-Hellman(ECDHE) cipher suites.
A company wants to receive an email notification about critical findings in AWS Security Hub. The company does not have an existing architecture that supports this functionality. Which solution will meet the requirement?
A. Create an AWS Lambda function to identify critical Security Hub findings. Create anAmazon Simple Notification Service (Amazon SNS) topic as the target of the Lambdafunction. Subscribe an email endpoint to the SNS topic to receive published messages.
B. Create an Amazon Kinesis Data Firehose delivery stream. Integrate the delivery stream with Amazon EventBridge. Create an EventBridge rule that has a filter to detect criticalSecurity Hub findings. Configure the delivery stream to send the findings to an emailaddress.
C. Create an Amazon EventBridge rule to detect critical Security Hub findings. Create anAmazon Simple Notification Service (Amazon SNS) topic as the target of the EventBridgerule. Subscribe an email endpoint to the SNS topic to receive published messages.
D. Create an Amazon EventBridge rule to detect critical Security Hub findings. Create anAmazon Simple Email Service (Amazon SES) topic as the target of the EventBridge rule.Use the Amazon SES API to format the message. Choose an email address to be therecipient of the message.
A company has recently recovered from a security incident that required the restoration of Amazon EC2 instances from snapshots. After performing a gap analysis of its disaster recovery procedures and backup strategies, the company is concerned that, next time, it will not be able to recover the EC2 instances if the AWS account was compromised and Amazon EBS snapshots were deleted. All EBS snapshots are encrypted using an AWS KMS CMK. Which solution would solve this problem?
A. Create a new Amazon S3 bucket. Use EBS lifecycle policies to move EBS snapshots tothe new S3 bucket. Move snapshots to Amazon S3 Glacier using lifecycle policies, andapply Glacier Vault Lock policies to prevent deletion.
B. Use AWS Systems Manager to distribute a configuration that performs local backups ofall attached disks to Amazon S3.
C. Create a new AWS account with limited privileges. Allow the new account to access theAWS KMS key used to encrypt the EBS snapshots, and copy the encrypted snapshots tothe new account on a recurring basis.stent.
D. Use AWS Backup to copy EBS snapshots to Amazon S3.
A company uses AWS Organizations to manage a multi-accountAWS environment in a single AWS Region. The organization's management account is named management-01. The company has turned on AWS Config in all accounts in the organization. The company has designated an account named security-01 as the delegated administra-tor for AWS Config. All accounts report the compliance status of each account's rules to the AWS Config delegated administrator account by using an AWS Config aggregator. Each account administrator can configure and manage the account's own AWS Config rules to handle each account's unique compliance requirements. A security engineer needs to implement a solution to automatically deploy a set of 10 AWS Config rules to all existing and future AWS accounts in the organiza-tion. The solution must turn on AWS Config automatically during account crea-tion. Which combination of steps will meet these requirements? (Select TWO.)
A. Create an AWS CloudFormation template that contains the 1 0 required AVVS Configrules. Deploy the template by using CloudFormation StackSets in the security-01 account.
B. Create a conformance pack that contains the 10 required AWS Config rules. Deploy theconformance pack from the security-01 account.
C. Create a conformance pack that contains the 10 required AWS Config rules. Deploy theconformance pack from the management-01 account.
D. Create an AWS CloudFormation template that will activate AWS Config. De-ploy thetemplate by using CloudFormation StackSets in the security-01 ac-count.
E. Create an AWS CloudFormation template that will activate AWS Config. De-ploy thetemplate by using CloudFormation StackSets in the management-01 account.
A company uses an external identity provider to allow federation into different IAM accounts. A security engineer for the company needs to identify the federated user that terminated a production Amazon EC2 instance a week ago. What is the FASTEST way for the security engineer to identify the federated user?
A. Review the IAM CloudTrail event history logs in an Amazon S3 bucket and look for theTerminatelnstances event to identify the federated user from the role session name.
B. Filter the IAM CloudTrail event history for the Terminatelnstances event and identify theassumed IAM role. Review the AssumeRoleWithSAML event call in CloudTrail to identifythe corresponding username.
C. Search the IAM CloudTrail logs for the Terminatelnstances event and note the eventtime. Review the IAM Access Advisor tab for all federated roles. The last accessed timeshould match the time when the instance was terminated.
D. Use Amazon Athena to run a SQL query on the IAM CloudTrail logs stored in anAmazon S3 bucket and filter on the Terminatelnstances event. Identify the correspondingrole and run another query to filter the AssumeRoleWithWebldentity event for the username.
A company is using an AWS Key Management Service (AWS KMS) AWS owned key in its application to encrypt files in an AWS account The company's security team wants the ability to change to new key material for new files whenever a potential key breach occurs A security engineer must implement a solution that gives the security team the ability to change the key whenever the team wants to do so Which solution will meet these requirements?
A. Create a new customer managed key Add a key rotation schedule to the key Invoke thekey rotation schedule every time the security team requests a key change
B. Create a new AWS managed key Add a key rotation schedule to the key Invoke the keyrotation schedule every time the security team requests a key change
C. Create a key alias Create a new customer managed key every time the security teamrequests a key change Associate the alias with the new key
D. Create a key alias Create a new AWS managed key every time the security teamrequests a key change Associate the alias with the new key