Amazon Web Services SCS-C02 AWS Certified Security - Specialty Exam Practice Test

Use inbound rule 100 to allow traffic on TCP port 443 Use inbound rule 200 to deny traffic on TCP port 3306 Use outbound rule 100 to allow traffic on TCP port 443

Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow trafficon TCP port range 1024-65535. Use outbound rule 100 to allow traffic on TCP port 443

Use inbound rule 100 to allow traffic on TCP port range 1024-65535 Use inbound rule 200 to deny traffic on TCP port 3306 Use outbound rule 100 to allow traffic on TCP port 443

Use inbound rule 100 to deny traffic on TCP port 3306 Use inbound rule 200 to allow traffic on TCP port 443 Use outbound rule 100 to allow traffic on TCP port 443

The S3 bucket policy does not explicitly allow the Security Engineer access to the objects in the bucket.

The object ACLs are not being updated to allow the users within the centralized account to access the objects

The Security Engineers IAM policy does not grant permissions to read objects in the S3 bucket

The s3:PutObject and s3:PutObjectAcl permissions should be applied at the S3 bucket level

Create a security group with a rule that denies Inbound connections from 0.0.0 0/0 on port 00. Attach this security group to the ALB to overwrite more permissive rules from the ALB's default securitygroup.

Create a network ACL that denies inbound connections from 0 0.0.0/0 on port 80 Associatethe network ACL with the VPC s internet gateway

Create a network ACL that allows outbound connections to the VPC IP range on port 443 only. Associate the network ACL with the VPC's internet gateway.

Create a security group with a single inbound rule that allows connections from 0.0.0 0/0 on port 443. Ensure this security group is the only one associated with the ALB

Create a pre sign-up AWS Lambda trigger. Associate the Amazon Cognito function with the Amazon Cognito user pool.

Use a geographic match rule statement to configure an AWS WAF web ACL. Associate the web ACL with the Amazon Cognito user pool.

Configure an app client for the application's Amazon Cognito user pool. Use the app client ID to validate the requests in the hosted Ul.

Update the application's Amazon Cognito user pool to configure a geographic restriction setting.

Use Amazon Cognito to configure a social identity provider (IdP) to validate the requests on the hosted Ul.

On a recurring basis, update an IAM user policies to require that EC2 instances are created with an encrypted volume

Configure an IAM Config rule lo run on a recurring basis 'or volume encryption

Set up Amazon Inspector rules tor volume encryption to run on a recurring schedule

Use CloudWatch Logs to determine whether instances were created with an encrypted volume

Create AWS Config custom rules by using Guard custom policy. Configure the AWS Config rules to detect when an EC2 instance queries a DNS domain name that is associated with cryptocurrency-related activity. Configure AWS Config to initiate alerts to the SNS topic.

Enable Amazon GuardDuty Create an Amazon EventBridge rule to send alerts to the SNS topic when GuardDuty creates a finding that is associated with cryptocurrency-related activity.

Enable Amazon Inspector. Create an Amazon EventBridge rule to send alerts to the SNS topic when Amazon Inspector creates a finding that is associated with cryptocurrency-related activity.

Enable VPC flow logs. Send the flow logs to an Amazon S3 bucket. Set up a query in Amazon Athena to detect when an EC2 instance queries a DNS domain name that is associated with cryptocurrency-related activity. Configure the Athena query to initiate alerts to the SNS topic.

Update the IAM WAF rules in the affected account and use IAM Firewall Manager to push updated IAM WAF rules across all other accounts.

Use GuardDuty centralized logging and Amazon SNS to set up alerts to notify all application teams of security incidents.

Use GuardDuty alerts to write an IAM Lambda function that updates all accounts by adding additional NACLs on the Amazon EC2 instances to block known malicious IP addresses.

Use IAM Shield Advanced to identify threats in each individual account and then apply the account-based protections to all other accounts through Organizations.

Create a Network Access Scope in Amazon VPC Network Access Analyzer. Use the Network Access Scope to identify EC2 instances that try to send traffic to TCP port 2905.

Enable VPC flow logs for the VPC where the affected EC2 instances are located Configure the flow logs to capture rejected traffic. In the flow logs, search for REJECT records that have a destination TCP port of 2905.

Enable Amazon GuardDuty Create a custom GuardDuty IP list to create a finding when an EC2 instance tries to communicate with one of the command and control hosts. Use Amazon Detective to identify the EC2 instances that initiate the communication.

Create a firewall in AWS Network Firewall. Attach the firewall to the subnet of the EC2 instances. Create a custom rule to identify and log traffic from the firewall on TCP port 2905. Create an Amazon CloudWatch Logs metric filter to identify firewall logs that reference traffic on TCP port 2905.

Make the following changes to NACL3:• Add a rule that allows inbound traffic on port 5432 from NACL2.• Add a rule that allows outbound traffic on ports 1024-65536 to NACL2.• Remove the default rules that allow all inbound and outbound traffic.

Make the following changes to NACL3:• Add a rule that allows inbound traffic on port 5432 from the CIDR blocks of the application instance subnets.• Add a rule that allows outbound traffic on ports 1024-65536 to the application instance subnets.• Remove the default rules that allow all inbound and outbound traffic.

Make the following changes to NACL2:• Add a rule that allows outbound traffic on port 5432 to the CIDR blocks of the RDS subnets.• Remove the default rules that allow all inbound and outbound traffic.

Make the following changes to NACL2:• Add a rule that allows inbound traffic on port 5432 from the CIDR blocks of the RDS subnets.• Add a rule that allows outbound traffic on port 5432 to the RDS subnets.

Install Amazon Kinesis Agent on the on-premises server to send the logs to Amazon DynamoDB. Configure an AWS Lambda trigger on DynamoDB streams to perform near real-time log analysis. Export the DynamoDB data to Amazon S3 periodically. Run Amazon Athena queries for pattern matching and substring search. Set up S3 Ufecycle policies to delete the log data after 365 days.

Install Amazon Managed Streaming for Apache Kafka (Amazon MSK) on the on-premises server. Create an MSK cluster to collect the streaming data and analyze the data in real time. Set the data retention period to 365 days to store the logs persistently for pattern matching and substring search.

Install Amazon Kinesis Agent on the on-premises server to send the logs to Amazon Data Firehose. Configure Amazon Managed Service for Apache Flink (previously known as Amazon Kinesis Data Analytics) as the destination for real-time processing. Store the logs in Amazon OpenSearch Service for pattern matching and substring search. Configure an OpenSearch Service Index State Management (ISM) policy to delete the data after 365 days.

Use Amazon API Gateway and AWS Lambda to write the logs from the on-premises server to Amazon DynamoDB. Configure a Lambda trigger on DynamoDB streams to perform near real-time log analysis. Run Amazon Athena federated queries on DynamoDB data for pattern matching and substring search. Set up TTL to delete data after 365 days.

Use the aws kms encrypt command to encrypt the file by using the existing KMS key.

Use the aws kms create-grant command to generate a grant for the existing KMS key.

Use the aws kms encrypt command to generate a data key. Use the plaintext data key to encrypt the file.

Use the aws kms generate-data-key command to generate a data key. Use the encrypted data key to encrypt the file.

Delete the key pair from the EC2 console. Create a new key pair.

Use the ModifylnstanceAttribute API operation to change the key on any EC2 instance that is using the key.

Restrict SSH access in the security group to only known corporate IP addresses.

Update the key pair in any AMI that is used to launch the EC2 instances. Restart the EC2 instances.

The IAM rote does not have permission to use the KMS CreateKey operation.

The S3 bucket lacks a policy that allows access to the customer managed key that encrypts the objects.

The IAM rote does not have permission to use the customer managed key that encrypts the objects that are in the S3 bucket.

The ACL of the S3 objects does not allow read access for the objects when the objects ace encrypted at rest.

Enable AWS Config. Create a proactive AWS Config Custom Policy rule. Create a Guard clause to evaluate the S3 bucket policies to check for a value of True for the aws:SecureTransport condition key. If the AWS Config rule evaluates to NON_COMPLIANT, block resource creation.

Enable AWS Config. Configure the s3-bucket-ssl-requests-only AWS Config managed rule and set the rule trigger type to Hybrid. Create an AWS Systems Manager Automation runbook that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Configure automatic remediation. Set the runbook as the target of the rule.

Enable Amazon Inspector. Create a custom AWS Lambda rule. Create a Lambda function that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Set the Lambda function as the target of the rule.

Create an AWS CloudTrail trail. Enable S3 data events on the trail. Create an AWS Lambda function that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Configure the CloudTrail trail to invoke the Lambda function.

Configure the DB instance to allow public access Update the DB instance security group to allow access from the Lambda public address space for the AWS Region

Deploy the Lambda functions inside the VPC Attach a network ACL to the Lambda subnet Provide outbound rule access to the VPC CIDR range only Update the DB instance security group to allow traffic from 0 0 0 0/0

Deploy the Lambda functions inside the VPC Attach a security group to the Lambda functions Provide outbound rule access to the VPC CIDR range only Update the DB instance security group to allow traffic from the Lambda security group

Peer the Lambda default VPC with the VPC that hosts the DB instance to allow direct network access without the need for security groups

In the software development account, create AMIS of preconfigured instanc-es that include only approved software. Include the AMI IDs in the condi-tion section of an AWS CloudFormation template to launch the appropriate AMI based on the AWS Region. Provide the developers with the CloudFor-mation template to launch EC2 instances in the software development ac-count.

Create an Amazon EventBridge rule that runs when any EC2 Runlnstances API event occurs in the software development account. Specify AWS Systems Man-ager Run Command as a target of the rule. Configure Run Command to run a script that will install all approved software onto the instances that the developers launch.

Use an AWS Service Catalog portfolio that contains EC2 products with ap-propriate AMIS that include only approved software. Grant the developers permission to portfolio access only the Service Catalog to launch a prod-uct in the software development account.

In the management account, create AMIS of preconfigured instances that in-clude only approved software. Use AWS CloudFormation StackSets to launch the AMIS across any AWS account in the organization. Grant the developers permission to launch the stack sets within the management account.

Configure S3 bucket policies to deny DELETE and PUT object permissions.

Configure S3 Object Lock in compliance mode with S3 bucket versioning enabled.

Change the encryption on the S3 bucket to use AWS Key Management Service (AWS KMS) customer managed keys.

Configure the S3 bucket with multi-factor authentication (MFA) delete protection.

Create a set of 1AM roles and 1AM policies Configure the Cognito identity pool to assign users to the 1AM roles.

Create a policy store in Amazon Verified Permissions. Configure Cognito as the identity source Map Cognito access tokens to the Verified Permissions schema.

Create customer managed permissions by using AWS Resource Access Manager (AWS RAM) Configure the Cognito identity pool to assign users to the customer managed permissions

Create a set of 1AM users and 1AM policies. Configure the Cognito user pool to assign users to the 1AM users.

Specify Amazon Redshift as the destination for the access logs. Deploy the Amazon Athena Redshift connector. Use Athena to query the data from Amazon Redshift and to filter the logs by host.

Specify Amazon CloudWatch as the destination for the access logs. Use Amazon CloudWatch Logs Insights to design a query to filter the logs by host.

Specify Amazon CloudWatch as the destination for the access logs. Export the CloudWatch logs to an Amazon S3 bucket. Use Amazon Athena to query the logs and to filter the logs by host.

Specify Amazon CloudWatch as the destination for the access logs. Use Amazon Redshift Spectrum to query the logs and to filter the logs by host.

Create a new CloudTrail trail. Select the new Regions where the company added resources.

Change the S3 bucket to receive notifications to track all actions from all Regions.

Create a new CloudTrail trail that applies to all Regions.

Change the existing CloudTrail trail so that it applies to all Regions.

Edit the ReadOnlyAccess policy to add kms:Decrypt actions.

Add the EC2 1AM role as the authorized Principal to the S3 bucket policy.

Attach an inline policy with kms Decrypt permissions to the 1AM role

Attach an inline policy with S3: * permissions to the 1AM role.

The CMK that is used in the attempt does not exist.

The CMK that is used in the attempt needs to be rotated.

The CMK that is used in the attempt is using the CMK's key ID instead of the CMK ARN.

The CMK that is used in the attempt is not enabled.

The CMK that is used in the attempt is using an alias.

B. A computer code with black text Description automatically generated

A computer code with black text Description automatically generated

A computer code with text Description automatically generated

Scan all the EC2 instances for noncompliance with IAM Config. Use Amazon Athena to queryIAM CloudTrail logs for the framework installation

Scan all the EC2 instances with the Amazon Inspector Network Reachability rules package to identity instances running a web server with RecognizedPortWithListener findings

Scan all the EC2 instances with IAM Systems Manager to identify the vulnerable version of the web framework

Scan an the EC2 instances with IAM Resource Access Manager to identify the vulnerable version of the web framework

In Account B, create a bucket ACL to allow the user from Account A to access the S3 bucket in Account B.

In Account B, create an object ACL to allow the user from Account A to access all the objects in the S3 bucket in Account B.

In Account B, create a bucket policy to allow the user from Account A to access the S3 bucket in Account B.

In Account B, create a user policy to allow the user from Account A to access the S3 bucket in Account B.

Review the SAML IdP logs to identify errors. Check AWS CloudTrail to verify the API calls that the user made.

Review the SAML IdP logs to identify errors. Use the IAM policy simulator to validate access to the IAM roles.

Use IAM access advisor to review recent service access. Use the IAM policy simulator to validate access to the IAM roles.

Recreate the SAML IdP in a separate account to confirm the behavior that the user is experiencing.

Create a snapshot of the DB instance. Copy the snapshot to a new snapshot, and enable encryption for the copy process. Use the new snapshot to restore the DB instance.

Modify the configuration of the DB instance by enabling encryption. Create a snapshot of the DB instance. Use the snapshot to restore the DB instance.

Use IAM Key Management Service (IAM KMS) to create a new default IAM managed awa/rds key. Select this key as the encryption key for operations with Amazon RDS.

Use IAM Key Management Service (IAM KMS] to create a new CMK. Select this key as the encryption key for operations with Amazon RDS.

Create a snapshot of the DB instance. Enable encryption on the snapshoVUse the snapshot to restore the DB instance.

Create an AWS Client VPN endpoint in the same Region as the B. VPCs. Configure access through an appropriate subnet and authorization rule.

Create a gateway VPC endpoint in the same Region as the VPCs. D. Configure access through an appropriate subnet and authorization rule.

Use IAM Control Tower. Modify the default Account Factory networking template to automatically associate new accounts with a centrally managed VPC through a VPC peering connection and to create a default route to the VPC peer in the default route table. Create an SCP that denies the CreatelnternetGateway action. Attach the SCP to all accounts except the security inspection account.

Create a centrally managed VPC in the security inspection account. Establish VPC peering connections between the security inspection account and other accounts. Instruct account owners to create default routes in their account route tables that point to the VPC peer. Create an SCP that denies theAttach InternetGateway action. Attach the SCP to all accounts except the security inspection account.

Use IAM Control Tower. Modify the default Account Factory networking template to automatically associate new accounts with a centrally managed transitgateway and to create a default route to the transit gateway in the default route table. Create an SCP that denies the AttachlnternetGateway action. Attach the SCP to all accounts except the security inspection account.

Enable IAM Resource Access Manager (IAM RAM) for IAM Organizations. Create a shared transit gateway, and make it available by using an IAM RAM resource share. Create an SCP that denies the CreatelnternetGateway action. Attach the SCP to all accounts except the security inspection account. Create routes in the route tables of all accounts that point to the shared transit gateway.

Create the customer managed policy in every account where the permission set is assigned. Give the customer managed policy the same name and same permissions in each account.

Remove either the AWS managed policy or the customer managed policy from the permission set. Create a second permission set that includes the removed policy. Apply the permission sets separately to the user.

Evaluate the logic of the AWS managed policy and the customer managed policy. Resolve any policy conflicts in the permission set before deployment.

Do not add the new permission set to the user. Instead, edit the user's existing permission set to include the AWS managed policy and the customer managed policy.

Install an Amazon EKS add-on from a security vendor.

Enable AWS Security Hub. Monitor the Kubernetes findings.

Monitor Amazon CloudWatch Container Insights metrics for Amazon EKS.

Enable Amazon GuardDuty. Use EKS Audit Log Monitoring.

Create dedicated IAM users within each IAM account that employees can assume through federation based upon group membership in their existing identity provider

Use a centralized account with IAM roles that employees can assume through federation with their existing identity provider Use cross-account roles to allow the federated users to assume their target role in the resource accounts.

Configure the IAM Security Token Service to use Kerberos tokens so that users can use their existing corporate user names and passwords to access IAM resources directly

Configure the IAM trust policies within each account's role to set up a trust back to the corporation's existing identity provider allowing users to assume the role based off their SAML token

Store the client token as a secret in AWS Secrets Manager. Use th^AWS SDK to retneve the secret in the Lambda function.

Configure a token-based Lambda authorizer in API Gateway.

Store the client token as a SecureString parameter in AWS Systems Manager Parameter Store. Use the AWS SDK to retrieve the value of the SecureString parameter in the Lambda function.

Use AWS Key Management Service (AWS KMS) to encrypt the client token. Pass the token to the Lambda function at runtime through an environment variable.

Use encrypted Amazon EBS volumes with Amazon default keys (IAM EBS)

Use server-side encryption with customer-provided keys (SSE-C)

Use server-side encryption with IAM KMS managed keys (SSE-KMS)

Use server-side encryption with Amazon S3 managed keys (SSE-S3)

Add an IAM managed policy for the user

Add a service policy for the user

Add an IAM role for the user

Add an inline policy for the user

Create an Amazon CloudFront distribution and configure the ALB as the origin

Block the malicious IPs with a network access list (NACL).

Create an IAM Web Application Firewall (WAF). and attach it to the ALB

Map the application domain name to use Route 53

Create a new Amazon-issued certificate in AWS Secrets Manager. Export the certificate from Secrets Manager. Import the certificate into the ALB and the EC2 instances.

Create a new Amazon-issued certificate in AWS Certificate Manager (ACM). Associate the certificate with the ALB. Export the certificate from ACM. Install the certificate on the EC2 instances.

Import a new third-party certificate into AWS Identity and Access Management (IAM). Export the certificate from IAM. Associate the certificate with the ALB and the EC2 instances.

Import a new third-party certificate into AWS Certificate Manager (ACM). Associate the certificate with the ALB. Install the certificate on the EC2 instances.

Create a CloudWatch Logs account-wide data protection policy. Specify the appropriate data identifiers for the policy. Ensure that the developers do not have the logs:Unmask 1AM permission.

Export the CloudWatch Logs data to an Amazon S3 bucket. Set up automated discovery by using Amazon Macie on the S3 bucket. Create a custom data identifier for the sensitive data. Remove the developers' access to CloudWatch Logs. Grant permissions for the developers to view the exported log data in Amazon S3.

Export the CloudWatch Logs data to an Amazon S3 bucket. Set up automated discovery by using Amazon Macie on the S3 bucket. Specify the appropriate managed data identifiers. Remove the developers' access to CloudWatch Logs. Grant permissions for the developers to view the exported log data in Amazon S3.

Create a CloudWatch Logs data protection policy for each log group. Specify the appropriate data identifiers for the policy. Ensure that the developers do not have the logsiUnmask 1AM permission.

Create an Amazon CloudWatch alarm that reacts to login attempts that contain the specified user agent string. Add an Amazon Simple Notification Service (Amazon SNS) topic to the alarm.

Modify the inbound security group on the ALB to deny traffic from the IP addresses that are involved in the attack.

Create an AWS WAF web ACL for the ALB. Create a custom rule that blocks requests that contain the user agent string of the device emulator.

Create an AWS WAF web ACL for the ALB Create a custom rule that allows requests from legitimate user agent strings

Create a new trail and configure it to send CloudTrail logs to Amazon S3. Use Amazon EventBridge (Amazon CloudWatch Events) to send notification if a trail is deleted or stopped.

Deploy an IAM Lambda function in every account to check if there is an existing trail and create a new trail, if needed.

Edit the existing trail in the Organizations master account and apply it to the organization.

Create an SCP to deny the cloudtrail:Delete" and cloudtrail:Stop' actions. Apply the SCP to all accounts.

Create an Amazon Event Bridge (Amazon Cloud watch Events) event with an EC2 instanceas the source and create volume as the event trigger. When the event is triggered invoke an IAM Lambda function to evaluate and notify the security engineer if the EBS volume that was created is not encrypted.

Use a customer managed IAM policy that will verify that the encryptionflag of the Createvolume context is set to true. Apply this rule to all users.

Create an IAM Config rule to evaluate the configuration of each EC2 instance on creation or modification. Have the IAM Config rule trigger an IAM Lambdafunction to alert the security team and terminate the instance it the EBS volume is not encrypted. 5

Use the IAM Management Console or IAM CLi to enable encryption by default for EBS volumes in each IAM Region where the company operates.

Migrate the website to Amazon S3 Import a public SSL certificate to an Application Load. Balancer with rules to block traffic from outside the US Migrate DNS to Amazon Route 53.

Migrate the website to Amazon EC2 Import a public SSL certificate that is created by AWS Certificate Manager (ACM) to an Application Load Balancer with rules to block traffic from outside the US Update DNS accordingly.

Migrate the website to Amazon S3. Import a public SSL certificate to Amazon CloudFront Use AWS WAF rules to block traffic from outside the US Update DNS.accordingly

Migrate the website to Amazon S3 Import a public SSL certificate that is created by AWS Certificate Manager (ACM) to Amazon. CloudFront Configure CloudFront to block traffic from outside the US. Migrate DNS to Amazon Route 53.

Enable VPC Flow Logs in all VPCs Create a scheduled IAM Lambda function that downloads and parses the logs, and sends an Amazon SNS notification for violations.

Use IAM CloudTrail to make a trail, and apply it to all Regions Specify an Amazon S3 bucket to receive all the CloudTrail log files

Add the following bucket policy to the company's IAM CloudTrail bucket to prevent log tampering{"Version": "2012-10-17-,"Statement": {"Effect": "Deny","Action": "s3:PutObject","Principal": "-","Resource": "arn:IAM:s3:::cloudtrail/IAMLogs/111122223333/*"}}Create an Amazon S3 data event for an PutObject attempts, which sends notifications to an Amazon SNS topic.

Create a Security Auditor role with permissions to access Amazon CloudWatch Logs m all Regions Ship the logs to an Amazon S3 bucket and make a lifecycle policy to ship the logs to Amazon S3 Glacier.

Verify that Amazon GuardDuty is enabled in all Regions, and create an Amazon CloudWatch Events rule for Amazon GuardDuty findings Add an Amazon SNS topic as the rule's target

Create an Application Load Balancer with the existing EC2 instances as a target group. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the ALB. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to the ALB. Update security groups on the EC2 instances to prevent direct access from the internet.

Create an Amazon CloudFront distribution specifying one EC2 instance as an origin. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the distribution. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to CloudFront.

Obtain the latest source code for the platform and make the necessary updates. Test the updated code to ensure that the vulnerability has been mitigated, then deploy the patched version of the platform to the EC2 instances.

Update the security group that is attached to the EC2 instances, removing access from the internet to the TCP port used by the SQL database. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the EC2 instances. Test to ensure the vulnerability has been mitigated, then restore the security group to the original setting.

Rotate the potentially compromised access key that the EC2 instance uses Create a new AM I without the potentially compromised credentials Perform an EC2 Auto Scaling instance refresh

Delete or deactivate the potentially compromised access key Create an EC2 Auto Scaling linked 1AM role that includes a custom policy that matches the potentiallycompromised access key permission Associate the new 1AM role with the Auto Scaling group Perform an EC2 Auto Scaling instance refresh.

Delete or deactivate the potentially compromised access key Create a new AMI without the potentially compromised credentials Create an 1AM role that includes the correct permissions Create a launch template for the Auto Scaling group to reference the new AMI and 1AM role Perform an EC2 Auto Scaling instance refresh

Rotate the potentially compromised access key Create a new AMI without the potentially compromised access key Use a user data script to supply the new access key as environmental variables in the Auto Scaling group's launch configuration Perform an EC2 Auto Scaling instance refresh

Move the logs:CreateLogGroup action to the second Allow statement.

Add the logs:PutDestination action to the second Allow statement.

Add the logs:GetLogEvents action to the second Allow statement.

Add the logs:CreateLogStream action to the second Allow statement.

In the local AWS CLI configuration file

As environment variables on the local workstation

As variables in the AWS CLI command line options

In the AWS shared configuration file

Use the IAM Systems Manager Parameter Store to generate database credentials. Use an IAM profile for ECS tasks to restrict access to database credentials to specific containers only.

Use IAM Secrets Manager to store database credentials. Use an IAM inline policy for ECS tasks to restrict access to database credentials to specific containers only.

Use the IAM Systems Manager Parameter Store to store database credentials. Use IAM rolesfor ECS tasks to restrict access to database credentials lo specific containers only

Use IAM Secrets Manager to store database credentials. Use IAM roles for ECS tasks to restrict access to database credentials to specific containers only.

Enable server side encryption for the S3 bucket. This request will ensure that the data is encrypted first.

Use the IAM Encryption CLI to encrypt the data first

Use a Lambda function to encrypt the data before sending it to the S3 bucket.

Enable client encryption for the bucket

Enable AWS Config for the entire organization. For all accounts, set up the ec2-managedinstance-applications-required AWS. Config managed rule and specify the application name.

Enable AWS Config for the entire organization Provide new AMIs that have the required software application pre-installed Set up the approved-amis-by-id AWS Config managed rule for all accounts.

Create a Systems Manager Distributor package for the required software application for the entire organization Install the Distributor package by using Systems Manager Run Command Review the output.

Configure Systems Manager Application Manager to collect a current list of installed software applications in the entire organization Filter for the required application by software status.

Use AWS Identity and Access Management Access Analyzer to identity the permissions that the developers need on each account. Configure 1AM Access Analyzer to automatically provision the correct access for each developer.

Create an Amazon Simple Workflow Service (Amazon SWF) workflow. Instruct the developers to use the workflow to request access to other accounts when additional access is necessary.

Create I AM roles in the testing account and production account. Add a policy that allows the sts:AssumeRole action to the roles. Create 1AM roles in the development account for the developers who have access to the testing and production accounts. Add these roles to the trust policy on the new roles in the testing and production accounts.

Create service accounts in the testing environment and production environment. Give the access keys for the service accounts to developers who require access to the testing account and the production account. Rotate the access keys for the service accounts periodically.

Create a new customer managed key Add a key rotation schedule to the key Invoke the key rotation schedule every time the security team requests a key change

Create a new AWS managed key Add a key rotation schedule to the key Invoke the key rotation schedule every time the security team requests a key change

Create a key alias Create a new customer managed key every time the security team requests a key change Associate the alias with the new key

Create a key alias Create a new AWS managed key every time the security team requests a key change Associate the alias with the new key

Add an inbound rule to the security group associated with the logging server that allows requests from the web server.

Add an outbound rule to the security group associated with the web server that allows requests to the logging server.

Add a route to the route table associated with the subnet that hosts the logging server that targets the peering connection.

Add a route to the route table associated with the subnet that hosts the web server that targets the peering connection.

Enable Amazon Detective. Run a Detective investigation for changes to IAM roles. Create an Amazon EventBridge rule that monitors the results of the Detective investigation. Set the SNS topic as the target of the EventBridge rule.

Create an Amazon EventBridge rule that monitors AWS API calls from CloudTrail. Scope the event pattern to monitor changes to IAM roles from the lam.amazonaws.com event source. Set the SNS topic as the target of the EventBridge rule.

Create a new CloudWatch log group. Configure the CloudTrail trail to send events to the new log group. Set up a CloudWatch metric to monitor changes to IAM roles from the lam.amazonaws.com event source. Create a subscription filter for the log group. Set the SNS topic as the target of the subscription filter.

Create a new CloudWatch log group. Configure the CloudTrail trail to send events to the new log group. Create a subscription filter that includes an event pattemn to monitor changes to IAM roles from the lam.amazonaws.com event source. Set the SNS topic as the target of the subscription filter.

Create an IAM role in the production account and allow EC2 instances in the development account to assume that role using the trust policy. Provide read access for the required S3 bucket to this role.

Use a custom identity broker to allow Developer IAM users to temporarily access the S3 bucket.

Create a temporary IAM user for the application to use in the production account.

Create a temporary IAM user in the production account and provide read access to Amazon S3. Generate the temporary IAM user's access key and secret key and store these on the EC2 instance used by the application in the development account.

Enable AWS Security Hub for all accounts. In the Security Hub administrator account, enable the GuardDuty integration. Create automation rules to elevate findings for the production account and the S3 bucket.

Enable AWS Security Hub for all accounts. In the Security Hub administrator account, enable the GuardDuty integration. Use Amazon EventBridge to create a custom rule to elevate findings for the production account and the S3 bucket.

Use the GuardDuty administrator account to configure a threat list that includes the production account and the S3 bucket. Use Amazon EventBridge and Amazon Simple Notification Service (Amazon SNS) to elevate findings from the threat list.

Use the GuardDuty administrator account to enable S3 protection for the support account that contains the S3 bucket. Configure GuardDuty to elevate findings for the production account and the S3 bucket.

Amazon Athena

Amazon Kinesis

Amazon SQS

Amazon Elasticsearch

Amazon EMR

Configure S3 Block Public Access for all S3 buckets.

Configure S3 Block Public Access for all AWS accounts.

Deploy an SCP that includes the "awsiResourceOrgPaths": "${aws:PrincipalOrgPaths}" condition.

Deploy an SCP that includes the "aws:ResourceOrglD": "${aws:PrincipalOrglD}" condition.

Use IAM Systems Manager Parameter Store to store the database credentiais. Configureautomatic rotation of the credentials.

Use IAM Secrets Manager to store the database credentials. Configure automat* rotation of the credentials

Store the database credentials in an Amazon S3 bucket that is configured with server-side encryption with S3 managed encryption keys (SSE-S3) Rotate the credentials with IAM database authentication.

Store the database credentials m Amazon S3 Glacier, and use S3 Glacier Vault Lock Configure an IAM Lambda function to rotate the credentials on a scheduled basts

Create a new security group that has no inbound rules or outbound rules Attach the new security group to the EC2 instance.

Configure the existing security group for the EC2 instance Remove all existing inbound rules and outbound rules from the security group.

Create a new network ACL that has a single Deny rule for inbound traffic and outbound traffic Associate the new network ACL with the subnet that contains the EC2 instance.

Create a new VPC for isolation Stop the EC2 instance Create a new AMI from the EC2 instance Use the new AMI to launch a new EC2 instance in the new VPC.

Ensure that the Amazon CloudWatch agent is installed on all the EC2 instances that the Auto Scaling groups launch. Generate a CloudWatch agent configuration file to forward the required logs to Amazon CloudWatch Logs.

Set the log retention for desired log groups to 7 years.

Attach an IAM role to the launch configuration or launch template that the Auto Scaling groups use. Configure the role to provide the necessary permissions to forward logs to Amazon CloudWatch Logs.

Attach an IAM role to the launch configuration or launch template that the Auto Scaling groups use. Configure the role to provide the necessary permissions to forward logs to Amazon S3.

Ensure that a log forwarding application is installed on all the EC2 instances that the Auto Scaling groups launch. Configure the log forwarding application to periodically bundle the logs and forward the logs to Amazon S3.

Configure an Amazon S3 Lifecycle policy on the target S3 bucket to expire objects after 7 years.

The route tables and the outbound rules on the appropriate private subnet security group

The outbound network ACL rules on the private subnet and the Inbound network ACL rules on the public subnet

The outbound network ACL rules on the private subnet and both the inbound and outbound rules on the public subnet

The rules on any host-based firewall that may be applied on the Amazon EC2 instances

The Security Group applied to the Application Load Balancer and NAT gateway

That the 0.0.0./0 route in the private subnet route table points to the internet gateway in the public subnet

Update the policy that is associated with the federated IAM role to allow the ec2. Describelmages action for the forensic AMI.

Update the policy that is associated with the federated IAM role to allow the ec2 Start Instances action m the security team's AWS account.

Update the policy that is associated with the KMS key that is used to encrypt the forensic AMI. Configure the policy to allow the kms. Encrypt and kms Decrypt actions for the federated IAM role.

Update the policy that is associated with the federated IAM role to allow the kms. DescribeKey action for the KMS key that is used to encrypt the forensic AMI.

There is a security group blocking outbound port 80 traffic that is preventing the agent from sending the logs

The IAM instance profile on the EC2 instance was not properly configured to allow the CloudWatch Logs agent to push the logs to CloudWatch

CloudWatch Logs status is set to ON versus SECURE, which prevents it from pulling in OS security event logs

The VPC requires that all traffic go through a proxy, and the CloudWatch Logs agent does not support a proxy configuration.

In the security account configure an IAM role for the new Lambda function. Attach an IAM policy that allows access to the KMS key in the security account.

In the development account configure an IAM role for the new Lambda function. Attach a key policy that allows access to the KMS key in the security account.

In the development account configure an IAM role for the new Lambda function. Attach an IAM policy that allows access to the KMS key in the security account.

Configure a key policy for the KMS key m the security account to allow access to the IAM role of the new Lambda function in the security account.

Configure a key policy for the KMS key in the security account to allow access to the IAM role of the new Lambda function in the development account.

Manually rotate a key within KMS to create a new CMK immediately

Use the KMS import key functionality to execute a delete key operation

Use the schedule key deletion function within KMS to specify the minimum wait period for deletion

Change the KMS CMK alias to immediately prevent any services from using the CMK.

Create an AWS WAF rate-based rule, and attach it to the ALB.

Update the security group that is attached to the ALB to block the attacking IP addresses.

Update the ALB subnet's network ACL to block the attacking client IP addresses.

Create a AWS WAF rate-based rule, and attach it to the security group of the EC2 instances.

B.  

C.  

D.   A screenshot of a computer code Description automatically generated

Configure a finding aggregation Region for Security Hub. Link the other Regions to the aggregation Region.

Create an AWS Lambda function that routes events from other Regions to the dedicated Security Hub account. Create an Amazon EventBridge rule to invokethe Lambda function.

Turn on the option to automatically enable accounts for Security Hub.

Create an SCP that denies the securityhub DisableSecurityHub permission. Attach the SCP to the organization’s root account.

Configure services in other Regions to write events to an AWS CloudTrail organization trail. Configure Security Hub to read events from the trail.

Ensure that the S3 bucket policy allows access to the service provider's role to decrypt objects.

Add a statement to the key policy to allow the service provider's role the kms: Decrypt action (or the key.

Add the AWSKeyManagementServicePowerUser AWS managed policy to the service provider's role.

Migrate the key to AWS Certificate Manager (ACM) to create a shared endpoint for access to the key.

Set the value of the aws SourceOrgID condition key to be the organization ID

Set the value of the aws SourceOrgPaths condition key to be the Organizations entity path of the production OU

Set the value of the aws ResourceOrgID condition key to be the organization ID

Set the value of the aws ResourceOrgPaths condition key to be the Organizations entity path of the production OU

Create a custom authorization service using AWS Lambda.

Configure a SAML identity provider in Amazon Cognito to map attributes to the Amazon Cognito user pool attributes.

Configure the SAML identity provider to add the Amazon Cognito user pool as a relying party.

Configure an Amazon Cognito identity pool to integrate with social login providers.

Update DynamoDB to store the user email addresses and passwords.

Update API Gateway to use a COGNITO_USER_POOLS authorizer.

Option A

Option B

Option C

Option D

Verify that a NAT gateway has been provisioned in the public subnet in each Availability Zone.

Verify that a NAT gateway has been provisioned in the private subnet in each Availability Zone.

Modify the route tables that are associated with each of the public subnets. Create a new route for local destinations to the VPC CIDR range.

Modify the route tables that are associated with each of the private subnets Create a new route for the destination 0.0.0.070. Specify the NAT gateway in the public subnet of the same Availability Zone as the target of the route.

Modify the route tables that are associated with each of the private subnets. Create a new route for the destination 0.0.0.0/0. Specify the internet gateway in the public subnet of the same Availability Zone as the target of the route.

Enable AWS Config for the entire organization. For all accounts, set up the ec2-managedinstance-applications-required AWS Config managed rule and specify the application name.

Enable AWS Config for the entire organization. Provide new AMIs that have the required software application pre-installed. Set up the approved-amis-by-id AWS Config managed rule for all accounts.

Create a Systems Manager Distributor package for the required software application for the entire organization. Install the Distributor package by using Systems Manager Run Command. Review the output.

Configure Systems Manager Application Manager to collect a current list of installed software applications in the entire organization. Filter for the required application by software status.

Use VPC Traffic Mirroring. Configure all relevant elastic network interfaces as the traffic source, include amazon-dns in the mirror filter, and set Amazon CloudWatch Logs as the mirror target. Use CloudWatch Insights on the mirror session logs to run queries on the source IP address and DNS name.

Configure VPC flow logs on all relevant VPCs. Send the logs to an Amazon S3 bucket. Use Amazon Athena to run SQL queries on the source IP address and DNS name.

Configure Route 53 Resolver query logging on all relevant VPCs. Send the logs to Amazon CloudWatch Logs. Use CloudWatch Insights to run queries on the source IP address and DNS name.

Modify the Route 53 Resolver rules on the authoritative domains that forward to the on-premises DNS servers. Send the logs to an Amazon S3 bucket. Use Amazon Athena to run SQL queries on the source IP address and DNS name.

Place the application behind an Application Load Balancer (ALB). Use Amazon Cognito as authentication for the ALB. Define a SAML-based Amazon Cognito user pool and connect it to ADFS.

Implement AWS SSO in the master account and link it to ADFS as an identity provider. Define the EC2 instance as a managed resource, then apply an IAM policy on the resource.

Define an Amazon Cognito identity pool, then install the connector on the Active Directory server. Use the Amazon Cognito SDK on the application instance to authenticate the employees using their Active Directory user names and passwords.

Create an AWS Lambda custom authorizer as the authenticator for a reverse proxy on Amazon EC2. Ensure the security group on Amazon EC2 only allows access from the Lambda function.

B. A screenshot of a computer code Description automatically generated

A screenshot of a computer code Description automatically generated

A screenshot of a computer code Description automatically generated

Create an IAM policy that prohibits changes to the specific CloudTrail trail and apply the policy to the IAM account root user.

Create an S3 bucket policy in the specified destination account for the CloudTrail trail that prohibits configuration changes from the IAM account root user in the source account.

Create an SCP that prohibits changes to the specific CloudTrail trail and apply the SCP to theappropriate organizational unit or account in Organizations.

Create an IAM policy that prohibits changes to the specific CloudTrail trail and apply the policy to a new IAM group. Have team members use individual IAM accounts that are members of the new IAM group.

Use the Amazon CloudWatch agent to collect operating system logs. Use Amazon EventBridge to configure an alarm based on a metric filter for failed login attempts. Send an alert to Amazon Simple Notification Service (Amazon SNS) when the defined threshold for the alarm is exceeded. Use Amazon EC2 instance tags to determine which SNS topics receive notifications.

Use AWS Systems Manager Agent to collect operating system logs. Use the Systems Manager Run Command AWS-ConfigureCloudWatch document to configure an Amazon EventBridge event based on a metric filter for failed login attempts. Send an alert to Amazon Simple Notification Service (Amazon SNS) when the defined threshold for the alarm is exceeded. Use SNS messaging filters to control who receives notifications.

Use the Amazon CloudWatch agent to collect operating system logs Create a CloudWatch alarm based on a metric filter for failed login attempts. Send an alert to Amazon Simple Notification Service (Amazon SNS) when the defined threshold for the alarm is exceeded. Use SNS messaging filters to control who receives notifications.

Use AWS Systems Manager Agent to collect operating system logs. Use the Systems Manager Run Command AWS-ConfigureCloudWatch document to configure an Amazon CloudWatch alarm based on a metric filter for failed login attempts. Send an alert to Amazon Simple Notification Service (Amazon SNS) when the defined threshold for the alarm is exceeded. Use EC2 instance tags to determine which SNS topics receive notifications.

The key administration event logging generated by CloudHSM is significantly moreextensive than IAM KMS.

CloudHSM ensures that only company support staff can administer encryption keys, whereas IAM KMS allows IAM staff to administer keys

The ciphertext produced by CloudHSM provides more robust protection against brute force decryption attacks than the ciphertext produced by IAM KMS

CloudHSM provides the ability to copy keys to a different Region, whereas IAM KMS does not

Add an outbound rule to the security group that is attached to the compromised EC2 instance to deny traffic to 0.0.0.0/0 and port 587.

Add an outbound rule to the network ACL for the subnet that contains the compromised EC2 instance to deny traffic to 0.0.0.0/0 and port 587.

Gather volatile memory from the compromised EC2 instance. Suspend the compromised EC2 instance from the Auto Scaling group. Then take a snapshot of the compromised EC2 instance. v

Take a snapshot of the compromised EC2 instance. Suspend the compromised EC2 instance from the Auto Scaling group. Then gather volatile memory from the compromised EC2 instance.

Move the compromised EC2 instance to an isolated subnet that has a network ACL that has no inbound rules or outbound rules.

Replace the existing security group that is attached to the compromised EC2 instance with a new security group that has no inbound rules or outbound rules.

Implement AWS 1AM Access Analyzer policy generation on the role.

Implement AWS 1AM Access Analyzer policy validation on the role.

Search CloudWatch logs to determine the actions the role invoked and to evaluate the permissions.

Use AWS Trusted Advisor to compare the policies assigned to the role against AWS best practices.

Create a Security Hub custom action to assess the log group retention period.

Create a data protection policy in CloudWatch Logs to assess the log group retention period.

Create a Security Hub automation rule Configure the automation rule to assess the log group retention period.

Use the AWS Config managed rule that assesses the log group retention period Ensure that AWS Config integration is enabled in Security Hub.

Create a verified identity for the email address in Amazon Simple Email Service (Amazon SES) Create an Amazon EventBridge rule that has the SES verified identity as the target Specify GuardDuty as the event source Configure the EventBridge event pattern to match High seventy findings.

Create an Amazon Simple Notification Service (Amazon SNS) topic Subscribe the email address to the SNS topic. Create an Amazon EventBridge rule that has the SNS topic as the target Specify GuardDuty as the event source Configure the EventBridge event pattern to match High severity findings.

Create an Amazon Simple Notification Service (Amazon SNS) topic Subscribe the email address to the SNS topic. Enable AWS Security Hub Integrate Security Hub with GuardDuty. Use Security Hub automation rules to publish High severity GuardDuty findings to the SNS topic.

Enable AWS Security Hub Integrate Security Hub with GuardDuty. Use Secunty Hub automation rules to create a custom rule. Configure the custom rule to detect High seventy GuardDuty findings and to send a notification to the email address.

Specify the deletion time of the key material during KMS key creation. Create a custom AWS Config rule to assess the key's scheduleddeletion. Configure the rule to trigger upon a configuration change. Send a message to an Amazon Simple Notification Service (Amazon SNS) topic if the key is scheduled for deletion.

Create an Amazon EventBridge rule to detect KMS API calls of DeleteAlias. Create an AWS Lambda function to send an Amazon Simple Notification Service (Amazon SNS) message to the company. Add the Lambda function as the target of the EventBridge rule.

Create an Amazon EventBridge rule to detect KMS API calls of DisableKey and ScheduleKeyDeletion. Create an AWS Lambda function to send an Amazon Simple Notification Service (Amazon SNS) message to the company. Add the Lambda function as the target of the EventBridge rule.

Create an Amazon Simple Notification Service (Amazon SNS) policy to detect KMS API calls of RevokeGrant and ScheduleKeyDeletion.Create an AWS Lambda function to generate the alarm and send the notification to the company. Add the Lambda function as the target of the SNS policy.

Use AWS Certificate Manager to encrypt all traffic between the client and application servers.

Review the application security groups to ensure that only the necessary ports are open.

Use Elastic Load Balancing to offload Secure Sockets Layer encryption.

Use Amazon Inspector to periodically scan the backend instances.

Use AWS Key Management Services to encrypt all the traffic between the client and application servers.

In the software development account, create AMIs of preconfigured instances that include only approved software. Include the AMI IDs in the condition section of an AWS CloudFormation template to launch the appropriate AMI based on the AWS Region. Provide the developers with the CloudFormation template to launch EC2 instances in the software development account.

Create an Amazon EventBridge rule that runs when any EC2 RunInstances API event occurs in the software development account. Specify AWS Systems Manager Run Command as a target of the rule. Configure Run Command to run a script that will install all approved software onto the instances that the developers launch.

Use an AWS Service Catalog portfolio that contains EC2 products with appropriate AMIs that include only approved software. Grant the developers permission to access only the Service Catalog portfolio to launch a product in the software development account.

In the management account, create AMIs of preconfigured instances that include only approved software. Use AWS CloudFormation StackSets to launch the AMIs across any AWS account in the organization. Grant the developers permission to launch the stack sets within the management account.

Configure server-side encryption with AWS KMS managed encryption keys (SSE-KMS)

Compress log file with secure gzip.

Create an Amazon EventBridge (Amazon CloudWatch Events) rule to notify the security team of any modifications on CloudTrail log files.

Implement least privilege access to the S3 bucket by configuring a bucket policy.

Configure CloudTrail log file integrity validation.

Configure Access Analyzer for S3.

The target instance's security group does not allow traffic from the NLB.

The target instance's security group is not attached to the NLB.

The NLB's security group is not attached to the target instance.

The target instance's subnet network ACL does not allow traffic from the NLB.

The target instance's security group is not using IP addresses to allow traffic from the NLB.

The target network ACL is not attached to the NLB.

Use the SimpleCORS managed response headers policy.

Use a Lambda@Edge function to add the Strict-Transport-Security response header.

Use the SecurityHeadersPolicy managed response headers policy.

Include the X-XSS-Protection header in a custom response headers policy.

Configure trusted access for AWS System Manager in Organizations Configure a bastion host from the management account Replace SSH and RDP by using Systems Manager Session Manager from the management account Configure Session Manager logging to Amazon CloudWatch Logs

Replace SSH and RDP with AWS Systems Manager Session Manager Install Systems Manager Agent (SSM Agent) on the instances Attach the

AmazonSSMManagedlnstanceCore role to the instances Configure session data streaming to Amazon CloudWatch Logs Create a separate logging account that has appropriate cross-account permissions to audit the log data

Install a bastion host in the management account Reconfigure all SSH and RDP to allow access only from the bastion host Install AWS Systems Manager Agent (SSM Agent) on the bastion host Attach the AmazonSSMManagedlnstanceCore role to the bastion host Configure session data streaming to Amazon CloudWatch Logs in a separate logging account to audit log data

Replace SSH and RDP with AWS Systems Manager State Manager Install Systems Manager Agent (SSM Agent) on the instances Attach theAmazonSSMManagedlnstanceCore role to the instances Configure session data streaming to Amazon CloudTrail Use CloudTrail Insights to analyze the trail data

Use Amazon Inspector. Set the scan mode to hybrid scanning.

Use Amazon GuardDuty. Enable the Malware Protection feature.

Use Amazon Inspector. Enable the Malware Protection feature.

Use Amazon GuardDuty. Enable the Runtime Monitoring feature.

Create a new role and add each user to the IAM role

Use the IAM groups and add users, based upon their role, to different groups and apply the policy to group

Create a policy and apply it to multiple users using a script

Create an S3 bucket policy with unlimited access which includes each user's IAM account ID

Create a verified identity for the third-party ticketing email system in Amazon Simple Email Service (Amazon SES). Create an Amazon EventBridge rule that includes an event pattern that matches High severity GuardDuty findings. Specify the SES identity as the target for the EventBridge rule.

Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the third-party ticketing email system to the SNS topic. Create an Amazon EventBridge rule that includes an event pattern that matches High severity GuardDuty findings. Specify the SNS topic as the target for the EventBridge rule.

Use the GuardDuty CreateFilter API operation to build a filter in GuardDuty to monitor for High severity findings. Export the results of the filter to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the third-party ticketing email system to the SNS topic.

Use the GuardDuty CreateFilter API operation to build a filter in GuardDuty to monitor for High severity findings. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the third-party ticketing email system to the SNS topic. Create an Amazon EventBridge rule that includes an event pattern that matches GuardDuty findings that are selected by the filter. Specify the SNS topic as the target for the EventBridge rule.

Create an AWS Config Custom Policy rule by using AWS CloudFormation Guard. Include the tag key of CostCenter and the approved values. Create an SCP that denies the creation of resources when the value of the aws:RequestTag/CostCenter condition key is not one of the three approved values.

Create an AWS CloudTrail trail. Create an Amazon EventBridge rule that includes a rule statement that matches the creation of new resources. Configure the EventBridge rule to invoke an AWS Lambda function that checks for the CostCenter tag. Program the Lambda function to block creation in case of a noncompliant value.

Enable tag policies for the organization. Create a tag policy that specifies a tag key of CostCenter and the approved values. Configure the policy to enforce noncompliant operations. Create an SCP that denies the creation of resources when the aws:RequestTag/CostCenter condition key has a null value.

Enable tag policies for the organization. Create a tag policy that specifies a tag key of CostCenter and the approved values. Create an Amazon EventBridge rule that invokes an AWS Lambda function when a noncompliant tag is created. Program the Lambda function to block changes to the tag.

To create the keys use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluster. For auditing, use Amazon Athena

To create the keys use Amazon S3 and the custom key stores with the CloudHSM cluster. For auditing use AWS CloudTrail.

To create the keys use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluster. For auditing, use Amazon GuardDuty.

To create the keys use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluster. For auditing, use AWS CloudTrail.

Create an AWS Lambda function to identify critical Security Hub findings. Create an Amazon Simple Notification Service (Amazon SNS) topic as the target of the Lambda function. Subscribe an email endpoint to the SNS topic to receive published messages.

Create an Amazon Kinesis Data Firehose delivery stream. Integrate the delivery stream with Amazon EventBridge. Create an EventBridge rule that has a filter to detect critical Security Hub findings. Configure the delivery stream to send the findings to an email address.

Create an Amazon EventBridge rule to detect critical Security Hub findings. Create an Amazon Simple Notification Service (Amazon SNS) topic as the target of the EventBridge rule. Subscribe an email endpoint to the SNS topic to receive published messages.

Create an Amazon EventBridge rule to detect critical Security Hub findings. Create an Amazon Simple Email Service (Amazon SES) topic as the target of the EventBridge rule. Use the Amazon SES API to format the message. Choose an email address to be the recipient of the message.

Ensure CloudTrail log file validation is turned on

Configure an S3 lifecycle rule to periodically archive CloudTrail logs into Glacier for long-term storage

Use an S3 bucket with tight access controls that exists m a separate account

Use Amazon Inspector to monitor the file integrity of CloudTrail log files.

Request a certificate through ACM and use a generated certificate private key to encrypt CloudTrail log files

Encrypt the CloudTrail log files with server-side encryption with IAM KMS-managed keys (SSE-KMS)

Turn on AWS Trusted Advisor. Configure security notifications as webhooks in the preferences section of the CI/CD pipeline.

Turn on AWS Config. Use the prebuilt rules or customized rules. Subscribe the CI/CD pipeline to an Amazon Simple Notification Service (Amazon SNS) topic that receives notifications from AWS Config.

Create rule sets in AWS CloudFormation Guard. Run validation checks for CloudFormation templates as a phase of the CI/CD process.

Create rule sets as SCPs. Integrate the SCPs as a part of validation control in a phase of the CI/CD process.

Asymmetric AWS managed KMS keys with key material created by AWS KMS

Symmetric customer managed KMS keys with key material created by AWS KMS

Symmetric customer managed KMS keys with custom imported key material

Asymmetric AWS managed KMS keys with custom imported key material

Revoke all versions of the signing profile assigned to the developer.

Examine the developer’s IAM roles. Remove all permissions that grant access to Signer.

Re-encrypt all source code with a new AWS Key Management Service (AWS KMS) key.

Use Amazon CodeGuru to profile all the code that the Lambda functions use.

Use AWS Lambda to periodically query AWS CloudTrail for console login events and send alerts using Amazon Simple Notification Service (Amazon SNS).

Use Amazon EventBridge to monitor console logins and direct them to Amazon Simple Notification Service (Amazon SNS).

Use Amazon Athena to query AWS IAM Identity Center logs and send alerts using Amazon Simple Notification Service (Amazon SNS) for root login events.

Configure AWS Resource Access Manager to review the access logs and send alerts using Amazon Simple Notification Service (Amazon SNS).

Apply a user policy in the other accounts to allow IAM Glue and Athena lo access the .csv We.

Use S3 Select to restrict access to the .csv lie. In IAM Glue Data Catalog, use S3 Select as the source of the IAM Glue database.

Define an IAM Glue Data Catalog resource policy in IAM Glue to grant cross-account S3 object access to the .csv file.

Grant IAM Glue access to Amazon S3 in a resource-based policy that specifies the organization as the principal.

Option A

Option B

Option C

Option D

Update the Lambda function to add a TTL S3 flag to S3 objects. Create an S3 Lifecycle policy to expire objects that are older than 30 days by using the TTL S3 flag.

Create an S3 Lifecycle policy to expire objects that are older than 30 days. Update the Lambda function to add the TTL attribute in the DynamoDB table. Enable TTL on the DynamoDB table to expire entires that are older than 30 days based on the TTL attribute.

Create an S3 Lifecycle policy to expire objects that are older than 30 days and to add all prefixes to the S3 bucket. Update the Lambda function to delete entries that are older than 30 days.

Create an S3 Lifecycle policy to expire objects that are older than 30 days by using object tags. Update the Lambda function to delete entries that are older than 30 days.

Enable Amazon GuardDuty Configure Matware Protection for EC2 Run an on-demand malware scan of the EC2 instances.

Enable Amazon GuardDuty Configure Runtime Monitoring Enable the automated agent configuration for the EC2 instances.

Enable Amazon Inspector Configure agentless scanning for the EC2 instances.

Enable Amazon Inspector Configure deep inspection of the EC2 instances Run an on-demand scan of the EC2 instances.

Configure S3 Versioning to expire object versions that have been in the S3 bucket for 72 hours.

Configure an S3 Lifecycle configuration rule on the S3 bucket to expire objects that have been in the S3 bucket for 72 hours.

Use the S3 Intelligent-Tiering storage class for all objects in the S3 bucket. Configure S3 Intelligent-Tiering to expire objects that have been in the S3 bucket for 72 hours.

Generate S3 presigned URLs for the vendor to use to download the objects. Expire the URLs after 72 hours.

Create an AWS CloudFormation template that contains the 1 0 required AVVS Config rules. Deploy the template by using CloudFormation StackSets in the security-01 account.

Create a conformance pack that contains the 10 required AWS Config rules. Deploy the conformance pack from the security-01 account.

Create a conformance pack that contains the 10 required AWS Config rules. Deploy the conformance pack from the management-01 account.

Create an AWS CloudFormation template that will activate AWS Config. De-ploy the template by using CloudFormation StackSets in the security-01 ac-count.

Create an AWS CloudFormation template that will activate AWS Config. De-ploy the template by using CloudFormation StackSets in the management-01 account.

Use AWS SSO to set up service-linked roles with IAM policy statements that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.

Deactivate AWS Security Token Service (AWS STS) in Regions that the developers are not allowed to use.

Create SCPs that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.

For each AWS account, create tailored identity-based policies for AWS SSO. Use statements that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.

The IAM credential report was generated within the past 4 hours.

The security engineer does not have the GenerateCredentialReport permission.

The security engineer does not have the GetCredentialReport permission.

The AWS Config rules have a MaximumExecutionFrequency value of 24 hours.

Verify that the EC2 instance's security group does not have an implicit inbound deny rule for Amazon S3.

Verify that the VPC endpoint's security group does not have an explicit inbound deny rule for the EC2 instance.

Verify that the internet gateway is allowing traffic to Amazon S3.

Verify that the VPC endpoint policy is allowing access to Amazon S3.

Use IAM Access Analyzer policy generation to generate a policy that allows the CloudFormation script to run and manage the stack. Attach the policy to a newIAM role. Modify the security engineer's IAM permissions to be able to pass the new role to CloudFormation.

Create an IAM policy that allows ec2:* and rds:* permissions. Attach the policy to a new IAM role. Modify the security engineer's IAM permissions to be able toassume the new role.

Use IAM Access Analyzer policy generation to generate a policy that allows the CloudFormation script to run and manage the stack. Modify the securityengineer's IAM permissions to be able to run the CloudFormation script.

Create an IAM policy that allows ec2:* and rds:* permissions. Attach the policy to a new IAM role. Use the IAM policy simulator to confirm that the policy allows the AWS API calls that are necessary to build the stack. Modify the security engineer's IAM permissions to be able to pass the new role to CloudFormation.

Use the containers to automate security deployments.

Limit resource consumption (CPU, memory), networking connections, ports, and unnecessary container libraries.

Segregate containers by host, function, and data classification.

Use Docker Notary framework to sign task definitions.

Enable container breakout at the host kernel.

The ACL in the bucket needs to be updated

The IAM policy does not allow the user to access the bucket

It takes a few minutes for a bucket policy to take effect

The allow permission is being overridden by the deny

Designate an Amazon GuardDuty administrator account in the organization's management account Enable GuardDuty for all accounts Enable EKS Protection and RDS Protection in the GuardDuty administrator account.

Designate a monitoring account Share Amazon CloudWatch logs from all accounts with the monitoring account Configure Aurora to publish all logs to CloudWatch Use Amazon Inspector in the monitoring account to evaluate the CloudWatch logs.

Create a central Amazon S3 bucket in the organization's management account Configure AWS CloudTrail in all AWS accounts to deliver CloudTrail logs to the S3 bucket Configure Aurora to publish all logs to CloudTrail Use Amazon Athena to query the CloudTrail logs in the S3 bucket for secunty issues.

Designate a monitoring account Share Amazon CloudWatch logs from all accounts with the monitoring account Subscnbe an Amazon Kinesis data stream to the CloudWatch logs Create AWS Lambda functions to process log records in the data stream to detect security issues.

Configure cluster security groups for each application module to control access to database users that are required for read-only and read/write.

Configure a VPC endpoint for Amazon Redshift Configure an endpoint policy that maps database users to each application module, and allow access to the tables that are required for read-only and read/write

Configure an IAM poky for each module Specify the ARN of an Amazon Redshift database user that allows the GetClusterCredentials API call

Create focal database users for each module

Configure an IAM policy for each module Specify the ARN of an IAM user that allows the GetClusterCredentials API call

The IAM instance profile that is attached to the EC2 instance does not allow the s3 ListBucket action to the S3: bucket in the AWS accounts.

The I AM instance profile that is attached to the EC2 instance does not allow the s3 ListParts action to the S3; bucket in the AWS accounts.

The KMS key policy that encrypts the object in the S3 bucket does not allow the kms; ListKeys action to the EC2 instance profile ARN.

The KMS key policy that encrypts the object in the S3 bucket does not allow the kms Decrypt action to the EC2 instance profile ARN.

The security group that is attached to the EC2 instance is missing an outbound rule to the S3 managed prefix list over port 443.

The security group that is attached to the EC2 instance is missing an inbound rule from the S3 managed prefix list over port 443.

Use AWS Backup to create legal holds for the recovery points.

Export the backup data to Amazon S3 Create S3 Object Lock legal holds for the recovery points.

Configure an AWS Backup Vault Lock in compliance mode.

Configure an AWS Backup Vault Lock in governance mode.

Log in to the AWS account by using read-only credentials Review the GuardDuty finding for details about the 1AM credentials that were used. Use the 1AM console to add a DenyAII policy to the 1AM pnncipal.

Log in to the AWS account by using read-only credentials Review the GuardDuty finding to determine which API calls initiated the finding Use Amazon Detective to review the API calls in context.

Log in to the AWS account by using administrator credentials Review the GuardDuty finding for details about the 1AM credentials that were used Use the 1AM console to add a DenyAII policy to the 1AM principal.

Log in to the AWS account by using read-only credentials Review the GuardDuty finding to determine which API calls initiated the finding Use AWS CloudTrail Insights and AWS CloudTrail Lake to review the API calls in context.

Activate Amazon GuardDuty in each production account. In a dedicated logging account. aggregate all GuardDuty logs from each production account.Remediate incidents by configuring GuardDuty to directly invoke an AWS Lambda function. Configure the Lambda function to also publish notifications to the SNS topic.

Activate AWS security Hub in each production account. In a dedicated logging account. aggregate all security Hub findings from each production account. Remediate incidents by ustng AWS Config and AWS Systems Manager. Configure Systems Manager to also pub11Sh notifications to the SNS topic.

Activate Amazon GuardDuty in each production account. In a dedicated logging account. aggregate all GuardDuty logs from each production account Remediate incidents by using Amazon EventBridge to invoke a custom AWS Lambda function from the GuardDuty findings. Configure the Lambda function to also publish notifications to the SNS topic.

Activate AWS Security Hub in each production account. In a dedicated logging account. aggregate all Security Hub findings from each production account. Remediate incidents by using Amazon EventBridge to invoke a custom AWS Lambda function from the Security Hub findings. Configure the Lambda function to also publish notifications to the SNS topic.

Enable Amazon Macie. Run an on-demand sensitive data discovery job that uses the PERSONALJNFORMATION managed data identifier.

Use AWS Glue with the Detect Pll transform to identify sensitive data and to mask the sensitive data.

Enable AWS Audit Manager. Create an assessment by using a supported framework.

Enable Amazon GuardDuty S3 Protection Document any findings that are related to suspicious access of S3 buckets.

Enable AWS Security Hub. Use the AWS Foundational Security Best Practices standard. Review the controls dashboard for evidence of failed S3 Block Public Access controls.

Enable AWS Config Set up the s3-bucket-public-write-prohibited AWS Config managed rule.

Create an Amazon CloudWatch Logs log group. Configure the load balancers to send logs to the log group. Use the CloudWatch Logs console to search the logs. Create CloudWatch Logs filters on the logs for the required met-rics.

Create an Amazon S3 bucket. Configure the load balancers to send logs to the S3 bucket. Use Amazon Athena to search the logs that are in the S3 bucket. Create Amazon CloudWatch filters on the S3 log files for the re-quired metrics.

Create an Amazon S3 bucket. Configure the load balancers to send logs to the S3 bucket. Use Amazon Athena to search the logs that are in the S3 bucket. Create Athena queries for the required metrics. Publish the metrics to Amazon CloudWatch.

Create an Amazon CloudWatch Logs log group. Configure the load balancers to send logs to the log group. Use the AWS Management Console to search the logs. Create Amazon Athena queries for the required metrics. Publish the metrics to Amazon CloudWatch.

Open a support case with the IAM Security team and ask them to remove the malicious code from the affected instance

Respond to the notification and list the actions that have been taken to address the incident

Delete all IAM users and resources in the account

Detach the internet gateway from the VPC remove aft rules that contain 0.0.0.0V0 from the security groups, and create a NACL rule to deny all traffic Inbound from the internet

Delete the identified compromised instances and delete any associated resources that the Security team did not create.

Update the key policies in eu-west-1. Point the application in eu-north-1 to use the same CMK as the application in eu-west-1.

Allocate a new CMK to eu-north-1 to be used by the application that is deployed in that Region.

Allocate a new CMK to eu-north-1. Create the same alias name for both keys. Configure the application deployment to use the key alias.

Allocate a new CMK to eu-north-1. Create an alias for eu-'-1. Change the application code to point to the alias for eu-'-1.

Filter IAM CloudTrail logs for KeyRotaton events

Monitor Amazon CloudWatcn Events for any IAM KMS CMK rotation events

Using the IAM CLI. run the IAM kms gel-key-relation-status operation with the --key-id parameter to check the CMK rotation date

Use Amazon Athena to query IAM CloudTrail logs saved in an S3 bucket to filter Generate New Key events

Review GuardDuty findings to find InstanceCredentialExfiltration events.

Review assessment reports in the Audit Manager console to find InstanceCredentialExfiltration events.

Review CloudTrail logs for GetSessionToken API calls to AWS Security Token Service (AWS STS) that come from an acount ID from outside the company.

Review CloudWatch logs for GetSessionToken API calls to AWS Security Token Service (AWS STS) that come from an account ID from outside the company.

Encrypt the secrets in us-east-1 by using an AWS managed KMS key. Replicate the secrets to us-west-1. Encrypt the secrets in us-west-1 by using a newAWS managed KMS key in us-west-1.

Encrypt the secrets in us-east-1 by using an AWS managed KMS key. Configure resources in us-west-1 to call the Secrets Manager endpoint in us-east-1.

Encrypt the secrets in us-east-1 by using a customer managed KMS key. Configure resources in us-west-1 to call the Secrets Manager endpoint in us-east-1.

Encrypt the secrets in us-east-1 by using a customer managed KMS key. Replicate the secrets to us-west-1. Encrypt the secrets in us-west-1 by using thecustomer managed KMS key from us-east-1.

Create a Security Hub automation rule Edit the rule to include the specific resource tag and the specific tag value as the criteria. Select the automated action to change the workflow status to SUPPRESSED.

Select each Security Hub control that needs to be suppressed. Add an exception to each control to suppress any findings that contain the specific tag value if the resource contains the specific resource tag.

Send each Security Hub finding to Amazon Detective Create an automated rule in Detective to suppress any findings that contain the specific resource tag and the specific tag value

Send each Security Hub finding to Amazon Inspector. Configure a suppression rule to suppress any findings that contain the specific resource tag and the specific tag value.

Host the database on Amazon RDS. Use Amazon Elastic Block Store (Amazon EBS) for encryption. Use an IAM Key Management Service (IAM KMS) custom key store that is backed by IAM CloudHSM for key management.

Host the database on Amazon RDS. Use Amazon Elastic Block Store (Amazon EBS) for encryption. Use an IAM managed CMK in IAM Key Management Service (IAM KMS) for key management.

Host the database on an Amazon EC2 instance. Use Amazon Elastic Block Store (Amazon EBS) for encryption. Use a customer managed CMK in IAM Key Management Service (IAM KMS) for key management.

Host the database on an Amazon EC2 instance. Use Transparent Data Encryption (TDE) for encryption and key management.

Add an inbound rule to the security group to allow traffic from 0.0.0.0/0 for all ports. Add an outbound rule to the security group to allow traffic to 0.0.0.0/0 for all ports. Then immediately delete these rules.

Remove the port 22 security group rule. Attach an instance role policy that allows AWS Systems Manager Session Manager connections so that the forensics team can access the target instance.

Create a network ACL that is associated with the target instance's subnet. Add a rule at the top of the inbound rule set to deny all traffic from 0.0.0.0/0. Add a rule at the top of the outbound rule set to deny all traffic to 0.0.0.0/0.

Create an AWS Systems Manager document that adds a host-level firewall rule to block all inbound traffic and outbound traffic. Run the document on the target instance.

Create an AWS CloudFormation template for the Lambda function and for the EventBridge Scheduler schedule. Create a CloudFormation stack set in the organization's management account. Specify all the existing accounts as the deployment targets. Add new accounts as a stack to the existing stack set when new accounts are created.

Configure an Organizations delegated administrator account for AWS CloudFormation. Create a CloudFormation template for the Lambda function and for the EventBridge Scheduler schedule. Create a CloudFormation stack set in the delegated administrator account. Specify the root of the organization as the deployment target. Activate automatic deployment for the stack set.

Enable AWS Systems Manager operations management capabilities. Configure a delegated administrator account for Systems Manager. Create a Systems Manager Automation custom runbook in the delegated administrator account. Use the runbook to deploy the Lambda function and the EventBridge Scheduler schedule. Specify the root of the organization as the target for Systems Manager Automation.

Create an AWS Systems Manager Automation custom runbook in the organization's management account. Use the runbook to deploy the Lambda function and the EventBridge Scheduler schedule. Share the runbook with target accounts. Specify all the existing accounts as targets for Systems Manager Automation. Add new accounts as targets when new accounts are created.

Create a new SCP in the marketing team's account. Configure the SCP to explicitly allow resource sharing.

Edit the existing SCP to add a Condition statement that excludes the marketing team's account.

Edit the existing SCP to include an Allow statement that specifies the marketing team's account.

Create an IAM permissions boundary policy to explicitly allow resource sharing. Attach the policy to IAM users in the marketing team's account.

Create a new security group in the database VPC and create an inbound rule that allows all traffic from the IP address range of the application VPC. Add a new network ACL rule on the database subnets. Configure the rule to TCP port 1521 from the IP address range of the application VPC. Attach the new security group to the database instances that the application instances need to access.

Create a new security group in the application VPC with an inbound rule that allows the IP address range of the database VPC over TCP port 1521. Create a new security group in the database VPC with an inbound rule that allows the IP address range of the application VPC over port 1521. Attach the new security group to the database instances and the application instances that need database access.

Create a new security group in the application VPC with no inbound rules. Create a new security group in the database VPC with an inbound rule that allows TCP port 1521 from the new application security group in the application VPC. Attach the application security group to the application instances that need database access, and attach the database security group tothe database instances.

Create a new security group in the application VPC with an inbound rule that allows the IP address range of the database VPC over TCP port 1521. Add a new network ACL rule on the database subnets. Configure the rule to allow all traffic from the IP address range of the application VPC. Attach the new security group to the application instances that need database access.

Modify the security group that is associated with the EC2 instances to have the same outbound rules as inbound rules.

Modify the network ACL that is associated with the CIDR range to allow outbound traffic to ephemeral ports.

Modify the inbound rules on the internet gateway to allow the required ports.

Modify the network ACL that is associated with the CIDR range to have the same outbound rules as inbound rules.

Configure S3 server-side encryption. Create an S3 bucket policy that has an explicit deny rule for all users for s3:DeleteObject and s3:PutObject API calls. Configure S3 Object Lock to use governance mode with a retention period of 7 years.

Configure S3 server-side encryption. Configure S3 Versioning on the S3 bucket. Configure S3 Object Lock to use compliance mode with a retention period of 7 years.

Configure S3 Versioning. Configure S3 Intelligent-Tiering on the S3 bucket to move the documents to S3 Glacier Deep Archive storage. Use S3 server-side encryption immediately. Expire the objects after 7 years.

Set up S3 Event Notifications and use S3 server-side encryption. Configure S3 Event Notifications to target an AWS Lambda function that will review any S3 API call to the S3 bucket and deny the s3:DeleteObject and s3:PutObject API calls. Remove the S3 eventnotification after 7 years.

Create an AD policy to modify the Windows Firewall settings on all hosts in the VPC to deny access from the IP Address block.

Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP Address block.

Add a rule to all of the VPC Security Groups to deny access from the IP Address block.

Modify the Windows Firewall settings on all AMI'S that your organization uses in that VPC to deny access from the IP address block.

Open the EC2 console and remove any security groups that allow inbound traffic from 0.0.0.0/0.

Install the AWS Systems Manager Agent on the EC2 instance and run an inventory report.

Install the Amazon Inspector agent on the host and run an assessment with the CVE rules package.

Open the IAM console and revoke all IAM sessions that are associated with the instance profile.

Develop the application to use the CloudFront key pair to create signed URLs that users will use to access the content.

Develop the application to use the CloudFront key pair to set the signed cookies that users will use to access the content.

Develop the application to issue a security token that Lambda@Edge will receive to authenticate and authorize access to the content

Keep the CloudFront URL encrypted inside the application, and use AWS KMS to resolve the URL on-the-fly after the user is authenticated.

There is no API operation to retrieve an S3 object in its encrypted form.

Encryption of S3 objects is performed within the secure boundary of the KMS service.

S3 uses KMS to generate a unique data key for each individual object.

Using a single master key to encrypt all data includes having a single place to perform audits and usage validation.

The KMS encryption envelope digitally signs the master key during encryption to prevent cryptographic wear-out