SCS-C01 AWS Certified Security - Specialty Questions and Answers

Use the IAM Systems Manager Parameter Store

Use the IAM Systems Manager Run Command

Use the IAM Inspector

Use IAM Config

Create an IAM user in the company account

Create an IAM Role in the company account

Ensure the IAM user has access for read-only to the S3 buckets

Ensure the IAM Role has access for read-only to the S3 buckets

Use the request parameters for authorization

Use a Lambda authorizer

Use the gateway authorizer

Use CORS on the API gateway

Transparent data encryption

SSL from your application

Data keys from IAM KMS

Data Keys from CloudHSM

Create one Cloudtrail log group for data events

Create one trail that logs data events to an S3 bucket

Create another trail that logs management events to another S3 bucket

Create another Cloudtrail log group for management events

Create a role that has the required permissions for the auditor.

Create an SNS notification that sends the CloudTrail log files to the auditor's email when CIoudTrail delivers the logs to S3, but do not allow the auditor access to the IAM environment.

The company should contact IAM as part of the shared responsibility model, and IAM will grant required access to th^ third-party auditor.

Enable CloudTrail logging and create an IAM user who has read-only permissions to the required IAM resources, including the bucket containing the CloudTrail logs.

The EC2 instance running your WAF software is placed between your private subnets and any NATed connections to the internet.

The EC2 instance running your WAF software is placed between your public subnets and your Internet Gateway.

The EC2 instance running your WAF software is placed between your public subnets and your private subnets.

The EC2 instance running your WAF software is included in an Auto Scaling group and placed in between two Elastic load balancers.

IAM policies

Buckets ACL's

IAM users

Bucket policies

Ensure the Network Access Control Lists allow Inbound SSH traffic from the IT Administrator's Workstation

Ensure the Network Access Control Lists allow Outbound SSH traffic from the IT Administrator's Workstation

Ensure that the security group allows Inbound SSH traffic from the IT Administrator's Workstation

Ensure that the security group allows Outbound SSH traffic from the IT Administrator's Workstation

Use IAM Config to ensure that the servers have no critical flIAM.

Use IAM inspector to ensure that the servers have no critical flIAM.

Use IAM inspector to patch the servers

Use IAM SSM to patch the servers

Use IAM Access keys to encrypt the data

Use SSL certificates to encrypt the data

Enable server side encryption on the S3 bucket

Enable MFA on the S3 bucket

Enable CloudTrail logging in all accounts into S3 buckets

Enable CloudTrail logging in all accounts into Amazon Glacier

Ensure a lifecycle policy is defined on the S3 bucket to move the data to EBS volumes after 6 months.

Ensure a lifecycle policy is defined on the S3 bucket to move the data to Amazon Glacier after 6 months.

Use IAM Cloudtrail to record the processes running on the server to an S3 bucket.

Use IAM Cloudwatch to record the processes running on the server

Use the SSM Run command to send the list of running processes information to an S3 bucket.

Use IAM Config to see the changed process information on the server

IAM Cloudwatch

IAM Cloudformation

IAM Cloudtrail

IAM Config

Filter IAM CloudTrail logs for KeyRotaton events

Monitor Amazon CloudWatcn Events for any IAM KMS CMK rotation events

Using the IAM CLI. run the IAM kms gel-key-relation-status operation with the --key-id parameter to check the CMK rotation date

Use Amazon Athena to query IAM CloudTrail logs saved in an S3 bucket to filter Generate New Key events

Ensure an IAM role is created which can be assumed by the partner account.

Ensure an IAM user is created which can be assumed by the partner account.

Ensure the partner uses an external id when making the request

Provide the ARN for the role to the partner account

Provide the Account Id to the partner account

Provide access keys for your account to the partner account

sgLB :allow port 80 and 443 traffic from 0.0.0.0/0

sgWeb :allow port 80 and 443 traffic from 0.0.0.0/0

sgDB :allow port 3306 traffic from sgWeb and sgBastion

sgBastion: allow port 22 traffic from the corporate IP address range

sgLB :aIlow port 80 and 443 traffic from 0.0.0.0/0

sgWeb :allow port 80 and 443 traffic from sgLB

sgDB :allow port 3306 traffic from sgWeb and sgLB

sgBastion: allow port 22 traffic from the VPC IP address range

sgLB :allow port 80 and 443 traffic from 0.0.0.0/0

sgWeb :allow port 80 and 443 traffic from sgLB

sgDB :allow port 3306 traffic from sgWeb and sgBastion

sgBastion: allow port 22 traffic from the VPC IP address range

sgLB :allow port 80 and 443 traffic from 0.0.0.0/0

sgWeb :allow port 80 and 443 traffic from sgLB

sgDB :allow port 3306 traffic from sgWeb and sgBastion

sgBastion: allow port 22 traffic from the corporate IP address range

Use IAM Config to monitor changes to the IAM Bucket

Use IAM Lambda function to change the bucket policy

Use IAM Trusted Advisor API to monitor the changes to the IAM Bucket

Use IAM Lambda function to change the bucket ACL

Use CloudTrail to see if any KMS API request has been issued against existing keys

Use Key policies to see the access level for the keys

Rotate the keys once before deletion to see if other services are using the keys

Change the IAM policy for the keys to see if other services are using the keys

Use the VPC Flow Logs.

Use a network monitoring tool provided by an IAM partner.

Use another instance. Setup a port to "promiscuous mode" and sniff the traffic to analyze the packets. -

Use Cloudwatch metric

Create an IAM policy with the security group and use that security group for IAM console login

Create an IAM policy with a condition which denies access when the IP address range is not from the organization

Configure the EC2 instance security group which allows traffic only from the organization's IP range

Create an IAM policy with VPC and allow a secure gateway between the organization and IAM Console

Enable bucket versioning and also enable CRR

Enable bucket versioning and enable Master Pays

For the Bucket policy add a condition for {"Null": {"IAM:MultiFactorAuthAge": true}} i

Enable the Bucket ACL and add a condition for {"Null": {"IAM:MultiFactorAuthAge": true}}

Check the Inbound security rules for the database security group Check the Outbound security rules for the application security group

Check the Outbound security rules for the database security group I Check the inbound security rules for the application security group

Check the both the Inbound and Outbound security rules for the database security group Check the inbound security rules for the application security group

Check the Outbound security rules for the database security group

Check the both the Inbound and Outbound security rules for the application security group

Apply Multi-AZ for the underlying 53 bucket

Copy the data to an EBS Volume in another Region

Create a snapshot of the S3 bucket and copy it to another region

Enable Cross region replication for the S3 bucket

Option A

Option B

Option C

Option D

Option E

The IAM instance profile that is attached to the EC2 instance does not allow the s3 ListBucket action to the S3: bucket in the AWS accounts.

The I AM instance profile that is attached to the EC2 instance does not allow the s3 ListParts action to the S3; bucket in the AWS accounts.

The KMS key policy that encrypts the object in the S3 bucket does not allow the kms; ListKeys action to the EC2 instance profile ARN.

The KMS key policy that encrypts the object in the S3 bucket does not allow the kms Decrypt action to the EC2 instance profile ARN.

The security group that is attached to the EC2 instance is missing an outbound rule to the S3 managed prefix list over port 443.

The security group that is attached to the EC2 instance is missing an inbound rule from the S3 managed prefix list over port 443.

Attach a policy to the IAM user to allow the user to assume the role that was created in the top-level account. Specify the role's ARN in the policy.

Create an SCP that grants permissions to the top-level account.

Use the root account of the business unit account to assume the role that was created in the top-level account. Specify the role's ARN in the policy.

Forward the credentials of the IAM role in the top-level account to the IAM user in the business unit account.

Use a designated administration account to automatically set up member accounts.

Create the AWS Service Role ForSecurrty Hub service-linked rote for Security Hub.

Send an administration request from the member accounts.

Enable Security Hub for all member accounts.

Send invitations to accounts that are outside the company's organization from the Security Hub administrator account.

Create a new customer managed key Add a key rotation schedule to the key Invoke the key rotation schedule every time the security team requests a key change

Create a new AWS managed key Add a key rotation schedule to the key Invoke the key rotation schedule every time the security team requests a key change

Create a key alias Create a new customer managed key every time the security team requests a key change Associate the alias with the new key

Create a key alias Create a new AWS managed key every time the security team requests a key change Associate the alias with the new key

Option A

Option B

Option C

Move the Aurora database into a private subnet that has no internet access routes in the database's current VPC Configure the Lambda functions to use the Aurora

database's new private IP address to access the database Configure the Aurora databases security group to allow access from the private IP addresses of the Lambda functions

Establish a VPC endpoint between the two VPCs in the Aurora database's VPC configure a service VPC endpoint for Amazon RDS In the Lambda functions' VPC.

configure an interface VPC endpoint that uses the service endpoint in the Aurora database's VPC Configure the service endpoint to allow connections from the Lambda functions.

Establish an AWS Direct Connect interface between the VPCs Configure the Lambda functions to use a new route table that accesses the Aurora database through the Direct Connect interface Configure the Aurora database's security group to allow access from the Direct Connect interface IP address

Move the Lambda functions into a public subnet in their VPC Move the Aurora database into a private subnet in its VPC Configure the Lambda functions to use the Aurora database's new private IP address to access the database Configure the Aurora database to allow access from the public IP addresses of the Lambda functions

Remove the role applied to the Ec2 Instance

Create a separate forensic instance

Ensure that the security groups only allow communication to this forensic instance

Terminate the instance

Instruct users to implement a retry mechanism every 2 minutes until the call succeeds.

Instruct the engineering team to consume a random grant token from users, and to call the CreateGrant operation, passing it the grant token. Instruct use to use that grant token in their call to encrypt.

Instruct the engineering team to create a random name for the grant when calling the CreateGrant operation. Return the name to the users and instruct them to provide the name as the grant token in the call to encrypt.

Instruct the engineering team to pass the grant token returned in the CreateGrant response to users. Instruct users to use that grant token in their call to encrypt.

1 Put all users into an IAM group with an access policy granting access to the J bucket.

Have the account creation trigger an IAM Lambda function that manages the bucket policy, allowing access to accounts listed in the policy only.

Add an SCP to the Organizations master account, allowing all principals access to the bucket.

Specify the organization ID in the global key condition element of a bucket policy, allowing all principals access.

Create an Amazon Event Bridge (Amazon Cloud watch Events) event with an EC2 instance as the source and create volume as the event trigger. When the event is triggered invoke an IAM Lambda function to evaluate and notify the security engineer if the EBS volume that was created is not encrypted.

Use a customer managed IAM policy that will verify that the encryption flag of the Createvolume context is set to true. Apply this rule to all users.

Create an IAM Config rule to evaluate the configuration of each EC2 instance on creation or modification. Have the IAM Config rule trigger an IAM Lambdafunction to alert the security team and terminate the instance it the EBS volume is not encrypted. 5

Use the IAM Management Console or IAM CLi to enable encryption by default for EBS volumes in each IAM Region where the company operates.

Option A

Option B

Option C

Modify EBS default encryption settings in the target AWS Region to enable encryption. Use an Auto Scaling group instance refresh.

Modify the launch templates for the web layer and the backend layer to add AWS Certificate Manager (ACM) encryption for the attached EBS volumes. Use an Auto Scaling group instance refresh.

Create a new AWS Key Management Service (AWS KMS) encrypted DB cluster from a snapshot of the existing DB cluster.

Apply AWS Key Management Service (AWS KMS) encryption to the existing DB cluster.

Apply AWS Certificate Manager (ACM) encryption to the existing DB cluster.

Migrate the website to Amazon S3 Import a public SSL certificate to an Application Load. Balancer with rules to block traffic from outside the US Migrate DNS to Amazon Route 53.

Migrate the website to Amazon EC2 Import a public SSL certificate that is created by AWS Certificate Manager (ACM) to an Application Load Balancer with rules to block traffic from outside the US Update DNS accordingly.

Migrate the website to Amazon S3. Import a public SSL certificate to Amazon CloudFront Use AWS WAF rules to block traffic from outside the US Update DNS.

accordingly

Migrate the website to Amazon S3 Import a public SSL certificate that is created by AWS Certificate Manager (ACM) to Amazon. CloudFront Configure CloudFront to block traffic from outside the US. Migrate DNS to Amazon Route 53.

Option

Option

Option

Set up VPC peering between the central server VPC and each of the teams VPCs.

Set up IAM DirectConnect between the central server VPC and each of the teams VPCs.

Set up an IPSec Tunnel between the central server VPC and each of the teams VPCs.

None of the above options will work.

Add full Amazon Inspector IAM permissions to the Security Hub service role to allow it to perform the CIS compliance evaluation

Ensure that IAM Trusted Advisor Is enabled in the account and that the Security Hub service role has permissions to retrieve the Trusted Advisor security-related recommended actions

Ensure that IAM Config. is enabled in the account, and that the required IAM Config rules have been created for the CIS compliance evaluation

Ensure that the correct trail in IAM CloudTrail has been configured for monitoring by Security Hub and that the Security Hub service role has permissions to perform the GetObject operation on CloudTrails Amazon S3 bucket

Turn on the awslogs log driver by specifying parameters for awslogs-group and awslogs-region m the LogConfiguration property

Download and configure the CloudWatch agent on the container instances

Set up Fluent Bit and FluentO as a DaemonSet to send logs to Amazon CloudWatch Logs

Configure an 1AM policy that includes the togs CreateLogGroup action Assign the policy to the container instances

Update the S3 bucket policy to restrict access to a CloudFront origin access identity (OAI).

Update the website DNS record to use an Amazon Route 53 geolocation record deny list of countries where the company lacks a license.

Add a CloudFront geo restriction deny list of countries where the company lacks a license.

Update the S3 bucket policy with a deny list of countries where the company lacks a license.

Enable the Restrict Viewer Access option in CloudFront to create a deny list of countries where the company lacks a license.

Request a certificate (torn ACM in the us-west-2 Region Add the domain names that the certificate will secure

Send an email message to the domain administrators to request vacation of the domains for ACM

Request validation of the domains for ACM through DNS Insert CNAME records into each domain's DNS zone

Create an Application Load Balancer for me caching solution Select the newly requested certificate from ACM to be used for secure connections

Create an Amazon CloudFront distribution for the caching solution Enter the main CNAME record as the Origin Name Enter the subdomain names or alternate names in the Alternate Domain Names Distribution Settings Select the newly requested certificate from ACM to be used for secure connections

Request a certificate from ACM in the us-east-1 Region Add the domain names that the certificate wil secure

There is a security group blocking outbound port 80 traffic that is preventing the agent from sending the logs

The IAM instance profile on the EC2 instance was not properly configured to allow the CloudWatch Logs agent to push the logs to CloudWatch

CloudWatch Logs status is set to ON versus SECURE, which prevents it from pulling in OS security event logs

The VPC requires that all traffic go through a proxy, and the CloudWatch Logs agent does not support a proxy configuration.

Enable server side encryption for the S3 bucket. This request will ensure that the data is encrypted first.

Use the IAM Encryption CLI to encrypt the data first

Use a Lambda function to encrypt the data before sending it to the S3 bucket.

Enable client encryption for the bucket

Create dedicated IAM users within each IAM account that employees can assume through federation based upon group membership in their existing identity provider

Use a centralized account with IAM roles that employees can assume through federation with their existing identity provider Use cross-account roles to allow the federated users to assume their target role in the resource accounts.

Configure the IAM Security Token Service to use Kerberos tokens so that users can use their existing corporate user names and passwords to access IAM resources directly

Configure the IAM trust policies within each account's role to set up a trust back to the corporation's existing identity provider allowing users to assume the role based off their SAML token

Create a key policy that allows the kms:Decrypt action only for Amazon S3 and DynamoDB. Create an SCP that denies the creation of S3 buckets and DynamoDB tables that are not encrypted with the key.

Create an 1AM policy that denies the kms:Decrypt action for the key. Create a Lambda function than runs on a schedule to attach the policy to any new roles. Create an AWS Config rule to send alerts for resources that are not encrypted with the key.

Create a key policy that allows the kms:Decrypt action only for Amazon S3, DynamoDB, Lambda, and Amazon EKS. Create an SCP that denies the creation of S3 buckets and DynamoDB tables that are not encrypted with the key.

Create a key policy that allows the kms:Decrypt action only for Amazon S3, DynamoDB, Lambda, and Amazon EKS. Create an AWS Config rule to send alerts for resources that are not encrypted with the key.

Outbound SG configuration on database servers Inbound SG configuration on application servers inbound and outbound network ACL configuration on the database subnet Inbound and outbound network ACL configuration on the application server subnet

Inbound SG configuration on database servers

Outbound SG configuration on application servers

Inbound and outbound network ACL configuration on the database subnet

Inbound and outbound network ACL configuration on the application server subnet

Inbound and outbound SG configuration on database servers Inbound and outbound SG configuration on application servers Inbound network ACL configuration on the database subnet Outbound network ACL configuration on the application server subnet

Inbound SG configuration on database servers Outbound SG configuration on application servers Inbound network ACL configuration on the database subnet Outbound network ACL configuration on the application server subnet.

Delete the key pair from the EC2 console. Create a new key pair.

Use the ModifylnstanceAttribute API operation to change the key on any EC2 instance that is using the key.

Restrict SSH access in the security group to only known corporate IP addresses.

Update the key pair in any AMI that is used to launch the EC2 instances. Restart the EC2 instances.

Enable Amazon GuardDuty in all Regions. Create alerts to detect unauthorized activity outside us-east-1 and us-west-2.

Use an organization in IAM Organizations. Attach an SCP that allows all actions when the IAM: Requested Region condition key is either us-east-1 or us-west-2. Delete the FullIAMAccess policy.

Provision EC2 resources by using IAM Cloud Formation templates through IAM CodePipeline. Allow only the values of us-east-1 and us-west-2 in the IAM CloudFormation template's parameters.

Create an IAM Config rule to prevent unauthorized activity outside us-east-1 and us-west-2.

Configure trusted access for AWS System Manager in Organizations Configure a bastion host from the management account Replace SSH and RDP by using Systems Manager Session Manager from the management account Configure Session Manager logging to Amazon CloudWatch Logs

Replace SSH and RDP with AWS Systems Manager Session Manager Install Systems Manager Agent (SSM Agent) on the instances Attach the

AmazonSSMManagedlnstanceCore role to the instances Configure session data streaming to Amazon CloudWatch Logs Create a separate logging account that has appropriate cross-account permissions to audit the log data

Install a bastion host in the management account Reconfigure all SSH and RDP to allow access only from the bastion host Install AWS Systems Manager Agent (SSM Agent) on the bastion host Attach the AmazonSSMManagedlnstanceCore role to the bastion host Configure session data streaming to Amazon CloudWatch Logs in a separate logging account to audit log data

Replace SSH and RDP with AWS Systems Manager State Manager Install Systems Manager Agent (SSM Agent) on the instances Attach the

AmazonSSMManagedlnstanceCore role to the instances Configure session data streaming to Amazon CloudTrail Use CloudTrail Insights to analyze the trail data

Configure S3 server-side encryption. Create an S3 bucket policy that has an explicit deny rule for all users for s3:DeleteObject and s3:PutObject API calls. Configure S3 Object Lock to use governance mode with a retention period of 7 years.

Configure S3 server-side encryption. Configure S3 Versioning on the S3 bucket. Configure S3 Object Lock to use compliance mode with a retention period of 7 years.

Configure S3 Versioning. Configure S3 Intelligent-Tiering on the S3 bucket to move the documents to S3 Glacier Deep Archive storage. Use S3 server-side encryption immediately. Expire the objects after 7 years.

Set up S3 Event Notifications and use S3 server-side encryption. Configure S3 Event Notifications to target an AWS Lambda function that will review any S3 API call to the S3 bucket and deny the s3:DeleteObject and s3:PutObject API calls. Remove the S3 event notification after 7 years.

An HTTPS listener that uses a certificate that is managed by Amazon Certification Manager.

An HTTPS listener that uses a custom security policy that allows only perfect forward secrecy cipher suites

An HTTPS listener that uses the latest IAM predefined ELBSecuntyPolicy-TLS-1 -2-2017-01 security policy

A TCP listener that uses a custom security policy that allows only perfect forward secrecy cipher suites.

Deploy a NAT gateway in each private subnet for every Availability Zone that is in use.

Place the DB instance in a public subnet.

Place the DB instance in a private subnet.

Configure the Auto Scaling group to place the EC2 instances in a public subnet.

Configure the Auto Scaling group to place the EC2 instances in a private subnet.

Deploy the ALB in a private subnet.

Use Amazon issued AWS Certificate Manager (ACM) certificates on the EC2 instances and the Elastic Load Balancer to configure end-to-end encryption

Import a third-party SSL certificate to AWS Certificate Manager (ACM) Install the third-party certificate on the EC2 instances Associate the ACM imported third-party certificate with the Elastic Load Balancer

Deploy AWS CloudHSM Import a third-party certificate Configure the EC2 instances and the Elastic Load Balancer to use the CloudHSM imported certificate

Import a third-party certificate bundle to AWS Certificate Manager (ACM) Install the third-party certificate on the EC2 instances Associate the ACM imported third-party certificate with the Elastic Load Balancer.

The target instance's security group does not allow traffic from the NLB.

The target instance's security group is not attached to the NLB.

The NLB's security group is not attached to the target instance.

The target instance's subnet network ACL does not allow traffic from the NLB.

The target instance's security group is not using IP addresses to allow traffic from the NLB.

The target network ACL is not attached to the NLB.

Create a pre sign-up AWS Lambda trigger. Associate the Amazon Cognito function with the Amazon Cognito user pool.

Use a geographic match rule statement to configure an AWS WAF web ACL. Associate the web ACL with the Amazon Cognito user pool.

Configure an app client for the application's Amazon Cognito user pool. Use the app client ID to validate the requests in the hosted Ul.

Update the application's Amazon Cognito user pool to configure a geographic restriction setting.

Use Amazon Cognito to configure a social identity provider (IdP) to validate the requests on the hosted Ul.

Configure cluster security groups for each application module to control access to database users that are required for read-only and readwrite

Configure a VPC endpoint for Amazon Redshift Configure an endpoint policy that maps database users to each application module, and allow access to the tables that are required for read-only and read/write

Configure an 1AM policy for each module Specify the ARN of an Amazon Redshift database user that allows the GetClusterCredentials API call

Create local database users for each module

Configure an 1AM policy for each module Specify the ARN of an 1AM user that allows the GetClusterCredentials API call

Amazon Athena

Amazon Kinesis

Amazon SQS

Amazon Elasticsearch

Amazon EMR

Amazon Route 53

IAM Certificate Manager (ACM)

Amazon S3

IAM Shield

Elastic Load Balancer

Amazon GuardDuty

Use Cloudwatch logs to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS for the notification.

Use Cloudwatch metrics to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS for the notification.

Use IAM inspector to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS f the notification.

Use Cloudwatch events to be triggered for any changes to the Security Groups. Configure the Lambda function for email notification as well.

Configure access logging for the required API stage.

Configure an AWS CloudTrail trail destination for API Gateway events. Configure filters on the userldentity, userAgent, and sourcelPAddress fields.

Configure an Amazon S3 destination for API Gateway logs. Run Amazon Athena queries to analyze API access information.

Use Amazon CloudWatch Logs Insights to analyze API access information.

Select the Enable Detailed CloudWatch Metrics option on the required API stage.

Store the database credentials in AWS Secrets Manager. Configure automatic credential rotation tor every 30 days.

Store the database credentials in AWS Systems Manager Parameter Store. Create an AWS Lambda function to rotate the credentials every 30 days.

Store the database credentials in an environment file or in a configuration file. Modify the credentials every 30 days.

Store the database credentials in an environment file or in a configuration file. Create an AWS Lambda function to rotate the credentials every 30 days.

Move the SCP to the root OU of organization to remove the restriction to access Amazon $3.

Add an IAM policy for the developer, which grants $3 access.

Create a new OU without applying the SCP restricting $3 access. Move the developer account to this new OU.

Add an allow list for the developer account for the $3 service.

The route tables and the outbound rules on the appropriate private subnet security group

The outbound network ACL rules on the private subnet and the Inbound network ACL rules on the public subnet

The outbound network ACL rules on the private subnet and both the inbound and outbound rules on the public subnet

The rules on any host-based firewall that may be applied on the Amazon EC2 instances

The Security Group applied to the Application Load Balancer and NAT gateway

That the 0.0.0./0 route in the private subnet route table points to the internet gateway in the public subnet

In the statement block that contains the Sid "Allow use of the key", under the "Condition" block, change StringEquals to StringLike.

In the policy document, remove the statement Dlock that contains the Sid "Enable IAM User Permissions". Add key management policies to the KMS policy.

In the statement block that contains the Sid "Allow use of the Key", under the "Condition" block, change the Kms:ViaService value to ec2.us-east-1 .amazonIAM com.

In the policy document, add a new statement block that grants the kms:Disable' permission to the security engineer's IAM role.

Enable Amazon GuardDuty to automatically monitor for malicious activity and block unauthorized access.

Subscribe to IAM Shield Advanced and reach out to IAM Support in the event of an attack.

Use VPC Flow Logs to monitor network: traffic and an IAM Lambda function to automatically block an attacker's IP using security groups.

Set up an Amazon CloudWatch Events rule to monitor the IAM CloudTrail events in real time use IAM Config rules to audit the configuration, and use IAM Systems Manager for remediation.

Use IAM WAF to create rules to respond to such attacks

Ensure a NAT gateway is present to download the updates

Use the Systems Manager to patch the instances

Ensure an internet gateway is present to download the updates

Use the IAM inspector to patch the updates

Enable cross region replication for the bucket

Write a script to copy the objects to another bucket in the destination region

Create an S3 snapshot in the destination region

Enable versioning which will copy the objects to the destination region

Associate the EC2 instances with a security group that blocks traffic from blacklisted IP addresses.

Use an ELB Application Load Balancer and Auto Scaling group to scale to absorb application layer traffic.

Use Amazon Inspector on the EC2 instances to examine incoming traffic and discard malicious traffic.

Use CloudFront and IAM WAF to prevent malicious traffic from reaching the application

Enable GuardDuty to block malicious traffic from reaching the application

Create a Lambda function that mounts the EBS volume with the logs and scans the logs for security incidents. Trigger the function every 5 minutes with a scheduled Cloudwatch event.

Send the local text log files to CloudWatch Logs and configure a CloudWatch metric filter. Trigger cloudwatch alarms based on the metrics.

Install the Amazon inspector agent on any EC2 instance running the legacy application. Generate CloudWatch alerts a based on any Amazon inspector findings.

Export the local text log files to CloudTrail. Create a Lambda function that queries the CloudTrail logs for security ' incidents using Athena.

Expose the data with a public HTTPS endpoint.

A VPN between the VPC and the data center over a Direct Connect connection

A VPN between the VPC and the data center.

A Direct Connect connection between the VPC and data center

Modify the security groups for the VPC to allow access to the 53 bucket

Modify the route tables to allow access for the VPC endpoint

Modify the IAM Policy for the bucket to allow access for the VPC endpoint

Modify the bucket Policy for the bucket to allow access for the VPC endpoint

Use IAM inspector to consciously inspect the instances for port scans

Use IAM Trusted Advisor to notify of any malicious port scans

Use IAM Config to notify of any malicious port scans

Use IAM Guard Duty to monitor any malicious port scans

Launch the test and production instances in separate regions and allow region wise access to the group

Define the IAM policy which allows access based on the instance ID

Create an IAM policy with a condition which allows access to only small instances

Define the tags on the test and production servers and add a condition to the IAM policy which allows access to specification tags

It places too much emphasis on already implemented security controls.

The response plan is not implemented on a regular basis

The response plan does not cater to new services

The response plan is complete in its entirety

Ensure that the SSM agent is running on the target machine

Check the /var/log/amazon/ssm/errors.log file

Ensure the right AMI is used for the Instance

Ensure the security groups allow outbound communication for the instance

Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAl.

Add the CloudFront account security group "amazon-cf/amazon-cf-sg" to the appropriate S3 bucket policy.

Create an Identity and Access Management (IAM) User for CloudFront and grant access to the objects in your S3 bucket to that IAM User.

Create a S3 bucket policy that lists the CloudFront distribution ID as the Principal and the target bucket as the Amazon Resource Name (ARN).

From the IAM Management Console, navigate to the Security Credentials page and retrieve the access and secret key for your account.

Create an IAM user within the enterprise account assign a user policy to the IAM user that allows only the actions required by the SaaS application. Create a new access and secret key for the user and provide these credentials to the SaaS provider.

Create an IAM role for cross-account access allows the SaaS provider's account to assume the role and assign it a policy that allows only the actions required by the SaaS application.

Create an IAM role for EC2 instances, assign it a policy that allows only the actions required tor the Saas application to work, provide the role ARN to the SaaS provider to use when launching their application instances.

Management of the Edge locations

Encryption of data at rest

Protection of data in transit

Decommissioning of old storage devices

Configure the CloudTrail service in each IAM account, and have the logs delivered to an IAM bucket on each account, while granting the auditor permissions to the bucket via roles in the secondary accounts and a single primary IAM account that can assume a read-only role in the secondary IAM accounts.

Configure the CloudTrail service in the primary IAM account and configure consolidated billing for all the secondary accounts. Then grant the auditor access to the S3 bucket that receives the CloudTrail log files.

Configure the CloudTrail service in each IAM account and enable consolidated logging inside of CloudTrail.

Configure the CloudTrail service in each IAM account and have the logs delivered to a single IAM bucket in the primary account and erant the auditor access to that single bucket in the orimarv account.

Give only the necessary access to the Apache servers so that the developers can gain access to the log files.

Give root access to your Apache servers to the developers.

Give read-only access to your developers to the Apache servers.

Set up a central logging server that you can use to archive your logs; archive these logs to an S3 bucket for developer-access.

End-to-end protection of data in transit

End-to-end Identity authentication

Data encryption across the internet

Protection of data in transit over the Internet

Peer identity authentication between VPN gateway and customer gateway

Data integrity protection across the Internet

Create an IAM user and generate encryption keys for that user. Create a policy for Redshift read-only access. Embed th keys in the application.

Create an HSM client certificate in Redshift and authenticate using this certificate.

Create a Redshift read-only access policy in IAM and embed those credentials in the application.

Use roles that allow a web identity federated user to assume a role that allows access to the Redshift table by providing temporary credentials.

Verify that the S3 bucket policy allow CloudTrail to write objects.

Verify that the IAM role used by CloudTrail has access to write to Amazon CloudWatch Logs.

Remove any lifecycle policies on the S3 bucket that are archiving objects to Amazon Glacier.

Verify that the S3 bucket defined in CloudTrail exists.

Verify that the log file prefix defined in CloudTrail exists in the S3 bucket.

Create an IAM Lambda function that determines whether Flow Logs are enabled for a given VPC.

Create an IAM Config configuration item for each VPC in the company IAM account.

Create an IAM Config managed rule with a resource type of IAM:: Lambda:: Function.

Create an Amazon CloudWatch Event rule that triggers on events emitted by IAM Config.

Create an IAM Config custom rule, and associate it with an IAM Lambda function that contains the evaluating logic.

Use IAM Systems Manager to store the credentials as Secure Strings Parameters. Secure by using an IAM KMS key.

Use IAM Key Management System to store a master key, which is used to encrypt the credentials. The encrypted credentials are stored in an Amazon RDS instance.

Use IAM Secrets Manager to store the credentials.

Store the credentials in a JSON file on Amazon S3 with server-side encryption.

Change the volume encryption on the EBS volume to use a different encryption mechanism. Then, release the EBS volumes back to IAM.

Release the volumes back to IAM. IAM immediately wipes the disk after it is deprovisioned.

Delete the encryption key used to encrypt the EBS volume. Then, release the EBS volumes back to IAM.

Delete the data by using the operating system delete commands. Run Quick Format on the drive and then release the EBS volumes back to IAM.

Store the scripts in the AMI and encrypt the sensitive data using IAM KMS Use the instance role profile to control access to the KMS keys needed to decrypt the data.

Store the sensitive data in IAM Systems Manager Parameter Store using the encrypted string parameter and assign the GetParameters permission to the EC2 instance role.

Externalize the bootstrap scripts in Amazon S3 and encrypt them using IAM KMS. Remove the scripts from the instance and clear the logs after the instance is configured.

Block user access of the EC2 instance's metadata service using IAM policies. Remove all scripts and clear the logs after execution.

Turn on VPC Flow Logs, send the logs to Amazon S3, and use Amazon Athena to query the logs.

Install an Amazon Inspector agent on each EC2 instance, send the logs to Amazon S3, and use Amazon EMR to query the logs.

Create an IAM Config rule for each network ACL and security group configuration, send the logs to Amazon S3, and use Amazon Athena to query the logs.

Turn on IAM CloudTrail, send the trails to Amazon S3, and use IAM Lambda to query the trails.

Use IAM Certificate Manager to generate certificates from a public certificate authority and deploy them to all the containers.

Create a self-signed certificate in one container and use IAM Secrets Manager to distribute the certificate to the other containers to establish trust.

Use IAM Certificate Manager Private Certificate Authority (ACM PCA) to create a subordinate certificate authority, then create the private keys in the containers and sign them using the ACM PCA API.

Use IAM Certificate Manager Private Certificate Authority (ACM PCA) to create a subordinate certificate authority, then use IAM Certificate Manager to generate the private certificates and deploy them to all the containers.

Add the EC2 instance role as a trusted service to the SSM service role.

Add permission to use the KMS key to decrypt to the SSM service role.

Add permission to read the SSM parameter to the EC2 instance role. .

Add permission to use the KMS key to decrypt to the EC2 instance role

Add the SSM service role as a trusted service to the EC2 instance role.

Install antivirus software and ensure that signatures are up-to-date. Configure Amazon CloudWatch alarms to send alerts for security events.

Install host-based IDS software to check for file integrity. Export the logs to Amazon CloudWatch Logs for monitoring and alerting.

Export system log files to Amazon S3. Parse the log files using an IAM Lambda function that will send alerts of any unauthorized system login attempts through Amazon SNS.

Use Amazon CloudWatch Logs to detect file system changes. If a change is detected, automatically terminate and recreate the instance from the most recent AMI. Use Amazon SNS to send notification of the event.

Use KMS grants to manage key access. Programmatically create and revoke grants to manage vendor access.

Use an IAM role to manage key access. Programmatically update the IAM role policies to manage vendor access.

Use KMS key policies to manage key access. Programmatically update the KMS key policies to manage vendor access.

Use delegated access across IAM accounts by using IAM roles to manage key access. Programmatically update the IAM trust policy to manage cross-account vendor access.

The account’s CMK key policy must allow the account’s IAM roles to perform KMS EnableKey.

Newly created CMKs must have a key policy that allows the root principal to perform all actions.

Newly created CMKs must allow the root principal to perform the kms CreateGrant API operation.

Newly created CMKs must mirror the IAM policy of the KMS key administrator.

Have a Database Administrator encrypt the credentials and store the ciphertext in Amazon S3. Grant permission to the instance role associated with the EC2 instance to read the object and decrypt the ciphertext.

Configure a scheduled job that updates the credential in IAM Systems Manager Parameter Store and notifies the Engineer that the application needs to be restarted.

Configure automatic rotation of credentials in IAM Secrets Manager.

Store the credential in an encrypted string parameter in IAM Systems Manager Parameter Store. Grant permission to the instance role associated with the EC2 instance to access the parameter and the IAM KMS key that is used to encrypt it.

Configure the Java application to catch a connection failure and make a call to IAM Secrets Manager to retrieve updated credentials when the password is rotated. Grant permission to the instance role associated with the EC2 instance to access Secrets Manager.

Use KMS automatic key rotation to replace the master key, and use this new master key for future encryption operations without re-encrypting previously encrypted data.

Generate a new Customer Master Key (CMK), re-encrypt all existing data with the new CMK, and use it for all future encryption operations.

Change the CMK alias every 90 days, and update key-calling applications with the new key alias.

Change the CMK permissions to ensure that individuals who can provision keys are not the same individuals who can use the keys.

Delete the internet gateway associated with the VPC.

Use network access control lists to block source IP addresses matching 0.0.0.0/0.

Use a host-based firewall to prevent access from all but the organization’s firewall IP.

Use IAM Config rules to detect 0.0.0.0/0 and invoke an IAM Lambda function to update the security group with the organization's firewall IP.

Confirm that the EC2 instance's security group authorizes S3 access.

Verify that the KMS key policy allows decrypt access for the KMS key for this IAM principle.

Check the S3 bucket policy for statements that deny access to objects.

Confirm that the EC2 instance is using the correct key pair.

Confirm that the IAM role associated with the EC2 instance has the proper privileges.

Confirm that the instance and the S3 bucket are in the same Region.

IAM Trusted Advisor

IAM WAF

IAM Inspector

IAM Config

Migrating the credential to RDS requires that all access come through requests to the Secrets Manager.

Enabling rotation in Secrets Manager causes the secret to rotate immediately, and the applications are using the earlier credential.

The Secrets Manager IAM policy does not allow access to the RDS database.

The Secrets Manager IAM policy does not allow access for the applications.

Use IAM KMS with IAM managed keys and the ScheduleKeyDeletion API with a PendingWindowInDays set to 0 to remove the keys if necessary.

Use KMS with IAM imported key material and then use the DeletelmportedKeyMaterial API to remove the key material if necessary.

Use IAM CloudHSM to store the keys and then use the CloudHSM API or the PKCS11 library to delete the keys if necessary.

Use the Systems Manager Parameter Store to store the keys and then use the service API operations to delete the key if necessary.

Use KMS and the normal KMS encryption keys

Use KMS and use an external key material

Use S3 Server Side encryption

Use Cloud HSM

Use a VPC endpoint

Attach an Internet gateway to the subnet

Attach a VPN connection to the VPC

Use VPC Peering

Use IAM Certificate Manager to request a certificate. Use that certificate to encrypt data prior to uploading it to DynamoDB.

Enable S3 server-side encryption with the customer-provided keys. Upload the data to Amazon S3, and then use S3Copy to move all data to DynamoDB

Create a KMS master key. Generate per-record data keys and use them to encrypt data prior to uploading it to DynamoDS. Dispose of the cleartext and encrypted data keys after encryption without storing.

Use the DynamoDB Java encryption client to encrypt data prior to uploading it to DynamoDB.

Write an IAM Lambda function that logs into the EC2 instance to pull the application logs from the EC2 instance and persists them into an Amazon S3 bucket.

Enable IAM CloudTrail logging for the IAM account, create a new Amazon S3 bucket, and then configure Amazon CloudWatch Logs to receive the application logs from CloudTrail.

Create a simple cron job on the EC2 instances that synchronizes the application logs to an Amazon S3 bucket by using rsync.

Install the Amazon CloudWatch Logs Agent on the EC2 instances, and configure it to send the application logs to CloudWatch Logs.

Use IAM Shield to scan inbound traffic for web exploits. Use VPC Flow Logs and IAM Lambda to restrict egress traffic to specific whitelisted URLs.

Use IAM Shield to scan inbound traffic for web exploits. Use a third-party IAM Marketplace solution to restrict egress traffic to specific whitelisted URLs.

Use IAM WAF to scan inbound traffic for web exploits. Use VPC Flow Logs and IAM Lambda to restrict egress traffic to specific whitelisted URLs.

Use IAM WAF to scan inbound traffic for web exploits. Use a third-party IAM Marketplace solution to restrict egress traffic to specific whitelisted URLs.

Enable IAM Guard Duty for the Instance

Use IAM Trusted Advisor

Use IAM inspector

UseIAMMacie

Create a new database field “suspended_status” and modify the application logic to validate that field when processing requests.

Add suspended customers to second Cognito user pool and update the application login flow to check both user pools.

Use Amazon Cognito Sync to push out a “suspension_status” parameter and split the lAM policy into normal users and suspended users.

Move suspended customers to a second Cognito group and define an appropriate IAM access policy for the group.

Change the root account password.

Rotate all IAM access keys

Keep all resources running to avoid disruption

Change the password for all IAM users.

Enable SSL certificates for the Cloudtrail logs

There is no need to do anything since the logs will already be encrypted

Enable Server side encryption for the trail

Enable Server side encryption for the destination S3 bucket

Disable network ACLs.

Configure the security appliance's elastic network interface for promiscuous mode.

Disable the Network Source/Destination check on the security appliance's elastic network interface

Place the security appliance in the public subnet with the internet gateway

Select server-side encryption with Amazon S3-managed keys (SSE-S3) and select an IAM-managed CMK.

Select Amazon S3-IAM KMS managed encryption keys (S3-KMS) and select a customer-managed CMK with key rotation enabled.

Select server-side encryption with Amazon S3-managed keys (SSE-S3) and select a customer-managed CMK that has imported key material.

Select server-side encryption with IAM KMS-managed keys (SSE-KMS) and select an alias to an IAM-managed CMK.

Create an IAM user and generate a set of long-term credentials. Provide the credentials to AnyCompany. Monitor access in IAM access advisor and plan to rotate credentials on a recurring basis.

Request an external ID from AnyCompany and add a condition with sts:Externald to the role's trust policy.

Require two-factor authentication by adding a condition to the role's trust policy with IAM:MultiFactorAuthPresent.

Request an IP range from AnyCompany and add a condition with IAM:SourceIp to the role's trust policy.

Associate an origin access identity with the CloudFront distribution.

Implement a “Principal”: “cloudfront.amazonIAM.com” condition in the S3 bucket policy.

Modify the S3 bucket permissions so that only the origin access identity can access the bucket contents.

Implement security groups so that the S3 bucket can be accessed only by using the intended CloudFront distribution.

Configure the S3 bucket policy so that it is accessible only through VPC endpoints, and place the CloudFront distribution into the specified VPC.

Create IAM roles with permissions corresponding to each Active Directory group.

Create IAM groups with permissions corresponding to each Active Directory group.

Create a SAML provider with IAM.

Create a SAML provider with Amazon Cloud Directory.

Configure IAM as a trusted relying party for the Active Directory

Configure IAM as a trusted relying party for Amazon Cloud Directory.

Application Load Balancers do not support older web browsers.

The Perfect Forward Secrecy settings are not configured correctly.

The intermediate certificate is installed within the Application Load Balancer.

The cipher suites on the Application Load Balancers are blocking connections.

Use a filter in IAM CloudTrail to exclude the IP addresses of the Security team’s EC2 instances.

Add the Elastic IP addresses of the Security team’s EC2 instances to a trusted IP list in Amazon GuardDuty.

Install the Amazon Inspector agent on the EC2 instances that the Security team uses.

Grant the Security team’s EC2 instances a role with permissions to call Amazon GuardDuty API operations.

Use the IAM account root user access keys instead of the IAM Management Console

Enable multi-factor authentication for the IAM IAM users with the AdministratorAccess managed policy attached to them

Enable multi-factor authentication for the IAM account root user

Use IAM KMS to encrypt all IAM account root user and IAM IAM access keys and set automatic rotation to 30 days

Do not create access keys for the IAM account root user; instead, create IAM IAM users

Move the bastion host to the VPC with VPN connectivity. Create a VPC peering relationship between the bastion host VPC and Aurora VPC.

Create a SSH port forwarding tunnel on the Developer’s workstation to the bastion host to ensure that only authorized SSH clients can access the bastion host.

Move the bastion host to the VPC with VPN connectivity. Create a cross-account trust relationship between the bastion VPC and Aurora VPC, and update the Aurora security group for the relationship.

Create an IAM Direct Connect connection between the corporate network and the Aurora account, and adjust the Aurora security group for this connection.

Consider using Windows Server 2016 Certificate Manager

Consider using IAM Certificate Manager

Consider using IAM Access keys to generate the certificates

Consider using IAM Trusted Advisor for managing the certificates

Bucket1 only

Bucket2 only

Both bucket1 and bucket2

Neither bucket1 nor bucket2

Create an Amazon CloudWatch metric filter that looks for API call error codes and then implement an alarm based on that metric’s rate.

Configure IAM CloudTrail to stream event data to Amazon Kinesis. Configure an IAM Lambda function on the stream to alarm when the threshold has been exceeded.

Run an Amazon Athena SQL query against CloudTrail log files. Use Amazon QuickSight to create an operational dashboard.

Use the Amazon Personal Health Dashboard to monitor the account’s use of IAM services, and raise an alert if service error rates increase.

Move all the files to an Amazon S3 bucket. Have the web server serve the files from the S3 bucket.

Launch a second Amazon EC2 instance in a new subnet. Launch an Application Load Balancer in front of both instances.

Launch an Application Load Balancer in front of the EC2 instance. Create an Amazon CloudFront distribution in front of the Application Load Balancer.

Move all the files to an Amazon S3 bucket. Create a CloudFront distribution in front of the bucket and terminate the web server.

Create a VPC endpoint for DynamoDB within a VPC. Configure the Lambda function to access resources in the VPC.

Create a resource policy that grants the Lambda function permissions to write to the DynamoDB table. Attach the poll to the DynamoDB table.

Create an IAM user with permissions to write to the DynamoDB table. Store an access key for that user in the Lambda environment variables.

Create an IAM service role with permissions to write to the DynamoDB table. Associate that role with the Lambda function.

Add the IAM:sourceVpce condition to the IAM KMS key policy referencing the company's VPC endpoint ID.

Remove the VPC internet gateway from the VPC and add a virtual private gateway to the VPC to prevent direct, public internet connectivity.

Create a VPC endpoint for IAM KMS with private DNS enabled.

Use the KMS Import Key feature to securely transfer the IAM KMS key over a VPN.

Add the following condition to the IAM KMS key policy: "IAM:SourceIp": "10.0.0.0/16".

Shutdown the instance

Remove the rule for incoming traffic on port 22 for the Security Group

Change the AMI for the instance

Change the Instance type for the instance

Change the “Resource” from “arn: IAM:s3:::Bucket” to “arn:IAM:s3:::Bucket/*”.

Change the “Principal” from “*” to {IAM:”arn:IAM:iam: : account-number: user/username”}

Change the “Version” from “2012-10-17” to the last revised date of the policy

Change the “Action” from [“s3:*”] to [“s3:GetObject”, “s3:ListBucket”]

Configure an S3 bucket as the origin an origin access identity (OAI) for the CloudFront distribution Switch the DNS records from websites to point to the CloudFront distribution Enable Nock public access settings at the account level

Configure an S3 bucket as the origin with an origin access identity (OAI) for the CloudFront distribution Switch the ONS records tor the websites to point to the CloudFront disinfection Then, tor each S3 bucket enable block public access settings

Configure an S3 bucket as the origin with an origin access identity (OAI) for the CloudFront distribution Enable block public access settings at the account level

Configure an S3 bucket as the origin for me CloudFront distribution Configure the S3 bucket policy to accept connections from the CloudFront points of presence only Switch the DNS records for the websites to point to the CloudFront distribution Enable block public access settings at me account level

implement Amazon Cognito identity pools with a role that uses a policy that denies the actions related to Amazon Cognito API management Allow the external company to federate through its identity provider

Federate IAM identity and Access Management (IAM) with the external company's identity provider Create an IAM role and attach a policy with the necessary permissions

Create an IAM group for me external company Add a policy to the group that denies IAM modifications Securely provide the credentials to the eternal company.

Use IAM SSO with the external company's identity provider. Create an IAM group to map to the identity provider user group, and attach a policy with the necessary permissions.

Add a template constraint to each product in the portfolio.

Add a launch constraint to each product in the portfolio.

Define resource update constraints for each product in the portfolio.

Update the IAM CloudFormalion template backing the product to include a service role configuration.

Configure Amazon CloudWatch Events in the production accounts to send all S3 events to the security account event bus.

Enable Amazon GuardDuty in the security account. and join the production accounts as members.

Configure an Amazon CloudWatch Events rule in the security account to detect S3 bucket creation or modification events.

Enable IAM Trusted Advisor and activate email notifications for an email address assigned to the security contact.

Invoke an IAM Lambda function in the security account to analyze S3 bucket settings in response to S3 events, and send non-compliance notifications to the Security team.

Configure event notifications on S3 buckets for PUT; POST, and DELETE events.

Within the Auto Scaling lifecycle, add a hook to create and attach an Amazon Elastic Block Store (Amazon EBS) log volume each time an EC2 instance is created. When the instance is terminated, the EBS volume can be reattached to another instance for log review.

Create an Amazon Elastic File System (Amazon EFS) file system and add a command in the user data section of the Auto Scaling launch template to mount the EFS file system during EC2 instance creation Configure a process on the instance to copy the logs once a day from an instance Amazon Elastic Block Store (Amazon EBS) volume to a directory in the EFS file system.

Build the Amazon CloudWatch agent into the AMI used in the Auto Scaling group. Configure the CloudWatch agent to send the logs to Amazon CloudWatch Logs for review.

Within the Auto Scaling lifecycle, add a lifecycle hook at the terminating state transition and alert the engineering team by using a lifecycle notification to Amazon Simple Notification Service (Amazon SNS). Configure the hook to remain in the Terminating:Wait state for 1 hour to allow manual review of the security logs prior to instance termination.

Set up an S3 bucket policy with the IAMsecuretransport key Configure the CloudFront origin access identity (OAI) with the S3 bucket Configure CloudFront to use specific ciphers. Enforce the ALB with an HTTPS listener only and select the appropriate security policy for the ciphers Link the ALB with IAM WAF to allow access from the CloudFront IP ranges.

Set up an S3 bucket policy with the IAM:securetransport key. Configure the CloudFront origin access identity (OAI) with the S3 bucket. Enforce the ALB with an HTTPS listener only and select the appropriate security policy for the ciphers.

Modify the CloudFront distribution to use IAM WAF. Force HTTPS on the S3 bucket with specific ciphers in the bucket policy. Configure an HTTPS listener only for the ALB. Set up a security group to limit access to the ALB from the CloudFront IP ranges

Modify the CloudFront distribution to use the ALB as the origin. Enforce an HTTPS listener on the ALB. Create a path-based routing rule on the ALB with proxies that connect lo Amazon S3. Create a bucket policy to allow access from these proxies only.

Use individual ACLs on each S3 object.

Use IAM groups tor sharing files between application social network users

Store each user's files in a separate S3 bucket and apery a bucket policy based on the user's sharing settings

Generate presigned UPLs for each file access

Put all the proxy EC2 instances in a cluster placement group.

Disable source and destination checks on the proxy EC2 instances.

Open all inbound ports on the proxy EC2 instance security group.

Change the VPC's DHCP domain-name-server’s options set to the IP addresses of proxy EC2 instances.

Download a new copy of the SAML metadata file from the identity provider Create a new IAM identity provider entity. Upload the new metadata file to the new IAM identity provider entity.

During the next certificate rotation period and before the current certificate expires, add a new certificate as the secondary to the identity provider. Generate a new metadata file and upload it to the IAM identity provider entity. Perform automated or manual rotation of the certificate when required.

Download a new copy of the SAML metadata file from the identity provider Upload the new metadata to the IAM identity provider entity configured for the SAML integration in question.

During the next certificate rotation period and before the current certificate expires, add a new certificate as the secondary to the identity provider. Generate a new copy of the metadata file and create a new IAM identity provider entity. Upload the metadata file to the new IAM identity provider entity. Perform automated or manual rotation of the certificate when required.

Download a new copy of the SAML metadata file from the identity provider Create a new IAM identity provider entity. Upload the new metadata file to the new IAM identity provider entity. Update the identity provider configurations to pass a new IAM identity provider entity name in the SAML assertion.

Allow inbound access on port 22 at the security group attached to the instance Use IAM Systems Manager Session Manager for shell access to Amazon EC2 instances with the user tag defined Enable Amazon CloudWatch togging tor Systems Manager sessions

Use Amazon S3 to securely store one Privacy Enhanced Mail Certificate (PEM file) for each user Allow Amazon EC2 to read from Amazon S3 and import every user that wants to use SSH to access EC2 instances Allow inbound access on port 22 at the security group attached to the instance Install the Amazon CloudWatch agent on the EC2 instance and configure it to ingest audit logs for the instance

Deny inbound access on port 22 at the security group attached to the instance Use IAM Systems Manager Session Manager tor shell access to Amazon EC2 instances with the user tag defined Enable Amazon CloudWatch togging for Systems Manager sessions

Use Amazon S3 to securely store one Privacy Enhanced Mall Certificate (PEM fie) for each team or group Allow Amazon EC2 to read from Amazon S3 and import every user that wants to use SSH to access EC2 instances Allow inbound access on pod 22 at the security group attached to the instance Install the Amazon CloudWatch agent on the EC2 instance and configure it to ingest audit logs for the instance

Use IAM Secrets Manager and an IAM SDK to create a unique secret for the customer-specific data

Use IAM Key Management Service (IAM KMS) and the IAM Encryption SDK to generate and store a data encryption key for each customer.

Use IAM Key Management Service (IAM KMS) with service-managed keys to generate and store customer-specific data encryption keys

Use IAM Key Management Service (IAM KMS) and create an IAM CloudHSM custom key store Use CloudHSM to generate and store a new CMK for each customer.

A customer managed CMK that uses customer provided key material

A customer managed CMK that uses IAM provided key material

An IAM managed CMK

Operating system-native encryption that uses GnuPG

The developer must configure Lambda access to the VPC using the --vpc-config parameter.

The Lambda function execution role must have the kms:Decrypt- permission added in the IAM IAM policy.

The KMS key policy must allow permissions for the developer to use the KMS key.

The IAM IAM policy assigned to the developer must have the kmseGcnerate-DataKcy permission added.

The Lambda execution role must have the kms:Encrypt permission added in the IAM IAM policy.

Associate the instances to the same security groups.

Add 0.0.0.0/0 to the egress rules of the instance security groups.

Add the instance IDs to the ingress rules of the instance security groups.

Add the public IP addresses to the ingress rules of the instance security groups.

Create a new CMK, and redirect the existing Key Alias to the new CMK

Select the option to auto-rotate the key

Upload new key material into the existing CMK.

Create a new CMK, and change the application to point to the new CMK

UseSCPs

Add a permissions boundary to deny access to Amazon S3 and attach it to all roles

Use an S3 bucket policy

Create a VPC endpoint for Amazon S3 and deny statements for access to Amazon S3

Place the application behind an Application Load Balancer (ALB). Use Amazon Cognito as authentication for the ALB. Define a SAML-based Amazon Cognito user pool and connect it to ADFS.

Implement IAM SSO in the master account and link it to ADFS as an identity provider. Define the EC2 instance as a managed resource, then apply an IAM policy on the resource.

Define an Amazon Cognito identity pool, then install the connector on the Active Directory server. Use the Amazon Cognito SDK on the application instance to authenticate the employees using their Active Directory user names and passwords.

Create an IAM Lambda custom authorizer as the authenticator for a reverse proxy on Amazon EC2. Ensure the security group on Amazon EC2 only allows access from the Lambda function.

Create an Amazon CloudWatch alarm for IAM CloudTrail Events Create a metric filter to send a notification when me same set of IAM credentials is used by multiple developer

Create a federation between IAM and the existing corporate IdP Leverage IAM roles to provide federated access to IAM resources

Create a VPN tunnel between the corporate premises and the VPC Allow permissions to all IAM services only if it originates from corporate premises.

Create multiple IAM rotes for each IAM user Ensure that users who use the same IAM credentials cannot assume the same IAM role at the same time.

Extract the subject (sub), audience (aud), and cognito:username from the ID token payload Manually check the subject and audience for the user name In the user pool

Search for the public key with a key ID that matches the key ID In the header of the token. Then use a JSON Web Token (JWT) library to validate the signature of the token and extract values, such as the expiry date

Verify that the token is not expired. Then use the token_use claim function In Amazon Cognito to validate the key IDs

Copy the JSON Web Token (JWT) as a JSON document Obtain the public JSON Web Key (JWK) and convert It to a pem file. Then use the file to validate the original JWT.

The S3 ACL for the S3 bucket fails to explicitly grant access to the Application Developer

The IAM KMS key for the S3 bucket fails to list the Application Developer as an administrator

The S3 bucket policy fails to explicitly grant access to the Application Developer

The S3 bucket policy explicitly denies access to the Application Developer

Configure the S3 bucket ACLs to allow IAM Config to record changes to the buckets.

Configure policies attached to S3 buckets to allow IAM Config to record changes to the buckets.

Attach the AmazonS3ReadOnryAccess managed policy to the IAM user.

Verify the security engineer's IAM user has an attached policy that allows all IAM Config actions.

Assign the IAMConfigRole managed policy to the IAM Config role

Disable the EC2 instance metadata service.

Log all student SSH interactive session activity.

Implement ip tables-based restrictions on the instances.

Install the Amazon Inspector agent on the instances.

One in the US West (Oregon) region and one in the US East (Virginia) region.

Two in the US West (Oregon) region and none in the US East (Virginia) region.

One in the US West (Oregon) region and none in the US East (Virginia) region.

Two in the US East (Virginia) region and none in the US West (Oregon) region.

Create a NACL to allow access on TCP port 443 from the 1;500 subsidiary CIDR block ranges. Associate the NACL to both the NLB and EC2 instances

Create an IAM security group to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges. Associate the security group to the NLB. Create a second security group for EC2 instances with access on TCP port 443 from the NLB security group.

Create an IAM PrivateLink endpoint service in the parent company account attached to the NLB. Create an IAM security group for the instances to allow access on TCP port 443 from the IAM PrivateLink endpoint. Use IAM PrivateLink interface endpoints in the 1,500 subsidiary IAM accounts to connect to the data processing application.

Create an IAM security group to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges. Associate the security group with EC2 instances.

Log in to each account four times a day and filter the IAM CloudTrail log data, then copy and paste the logs in to the Amazon S3 bucket in the destination account.

Set up Amazon CloudWatch to stream data to an Amazon S3 bucket in each source account. Set up bucket replication for each source account into a centralized bucket owned by the Security Engineer.

Set up an IAM Config aggregator to collect IAM configuration data from multiple sources.

Set up Amazon CloudWatch cross-account log data sharing with subscriptions in each account. Send the logs to Amazon Kinesis Data Firehose in the Security Engineer's account.

The EC2 instance role does not have decrypt permissions on the IAM Key Management Sen/ice (IAM KMS) key used to encrypt the secret

The EC2 instance role does not have read permissions to read the parameters In Parameter Store

Parameter Store does not have permission to use IAM Key Management Service (IAM KMS) to decrypt the parameter

The EC2 instance role does not have encrypt permissions on the IAM Key Management Service (IAM KMS) key associated with the secret

The EC2 instance does not have any tags associated.

Yes, the bucket policy makes the whole bucket publicly accessible despite now the S3 bucket ACL or object ACLs are configured.

Yes, none of the data in the bucket is publicity accessible, regardless of how the S3 bucket ACL and object ACLs are configured.

No, the IAM user policy would need to be examined first to determine whether any data is publicly accessible.

No, the S3 bucket ACL and object ACLs need to be examined first to determine whether any data is publicly accessible.

Create a new CMK. Download a new wrapping key and a new import token to import the original key material

Create a new CMK Use the original wrapping key and import token to import the original key material.

Download a new wrapping key and a new import token Import the original key material into the existing CMK.

Use the original wrapping key and import token Import the original key material into the existing CMK

Create an Amazon S3 lifecycle policy that archives IAM CloudTrail trail logs to Amazon S3 Glacier after 90 days. Configure Amazon Inspector to provide a notification when a policy change is made to resources.

Configure IAM Artifact to archive IAM CloudTrail logs Configure IAM Trusted Advisor to provide a notification when a policy change is made to resources.

Configure Amazon CloudWatch to export log groups to Amazon S3. Configure IAM CloudTrail to provide a notification when a policy change is made to resources.

Create an IAM CloudTrail trail that stores audit logs in Amazon S3. Configure an IAM Config rule to provide a notification when a policy change is made to resources.

Tell the application teams to use two different S3 buckets with separate IAM Key Management Service (IAM KMS) IAM managed CMKs Limit the key process to allow encryption and decryption of the CMKs to their respective teams only. Force the teams to use encryption context to encrypt and decrypt

Tell the application teams to use two different S3 buckets with a single IAM Key Management Service (IAM KMS) IAM managed CMK Limit the key policy to allow encryption and decryption of the CMK only. Do not allow the teams to use encryption context to encrypt and decrypt

Tell the application teams to use two different S3 buckets with separate IAM Key Management Service (IAM KMS) customer managed CMKs Limit the key policies to allow encryption and decryption of the CMKs to their respective teams only Force the teams to use encryption context to encrypt and decrypt

Tell the application teams to use two different S3 buckets with a single IAM Key Management Service (IAM KMS) customer managed CMK Limit the key policy to allow encryption and decryption of the CMK only Do not allow the teams to use encryption context to encrypt and decrypt

Create an Application Load Balancer with the existing EC2 instances as a target group Create an IAM WAF web ACL containing rules mat protect the application from this attach. then apply it to the ALB Test to ensure me vulnerability has been mitigated, then redirect thee Route 53 records to point to the ALB Update security groups on the EC 2 instances to prevent direct access from the internet

Create an Amazon CloudFront distribution specifying one EC2 instance as an origin Create an IAM WAF web ACL containing rules that protect the application from this attack, then apply it to me distribution Test to ensure the vulnerability has mitigated, then redirect the Route 53 records to point to CloudFront

Obtain me latest source code for the platform and make ire necessary updates Test me updated code to ensure that the vulnerability has been irrigated, then deploy me patched version of the platform to the EC2 instances

Update the security group mat is attached to the EC2 instances, removing access from the internet to the TCP port used by the SQL database Create an IAM WAF web ACL containing rules mat protect me application from this attack, men apply it to the EC2 instances Test to ensure me vulnerability has been mitigated. then restore the security group to me onginal setting

Create a new Amazon S3 bucket Use EBS lifecycle policies to move EBS snapshots to the new S3 bucket. Move snapshots to Amazon S3 Glacier using lifecycle policies, and apply Glacier Vault Lock policies to prevent deletion

Use IAM Systems Manager to distribute a configuration that performs local backups of all attached disks to Amazon S3.

Create a new IAM account with limited privileges. Allow the new account to access the IAM KMS key used to encrypt the EBS snapshots, and copy the encrypted snapshots to the new account on a recuning basis

Use IAM Backup to copy EBS snapshots to Amazon S3.

Open inbound port 22 to 0 0.0.0/0 on all Linux servers.

Enable the advanced-instances tier in Systems Manager.

Create a managed-instance activation for the on-premises servers.

Reconfigure the Systems Manager Agent with the activation code and ID.

Assign an IAM role to all of the on-premises servers.

Initiate an inventory collection with Systems Manager on the on-premises servers

Option A

Option B

Option C

Option D

Check that the role the Security Engineer uses grants permission to decrypt objects using the KMS CMK.

Check that the role the Security Engineer uses grants permission to decrypt objects using the KMS CMK and gives access to the S3 bucket and objects

Check that the role the EC2 instance profile uses grants permission lo decrypt objects using the KMS CMK and gives access to the S3 bucket and objects

Check that the role the EC2 instance profile uses grants permission to decrypt objects using the KMS CMK

Import IAM CloudTrail logs from Amazon S3 into an Amazon Elasticsearch Service cluster, and search through the combined logs for CreateRole events.

Create a table in Amazon Athena for IAM CloudTrail events. Query the table in Amazon Athena for CreateRole events.

Use IAM Config to look up the configuration timeline for the additional IAM roles and view the linked IAM CloudTrail event.

Download the credentials report from the IAM console to view the details for each IAM entity, including the creation dates.

Configure a web ACL rule for IAM WAF to block requests with a string match condition for the user agent of the loT device. Associate the v/eb ACL with the ALB.

Configure an Amazon CloudFront distribution to use the ALB as an origin. Configure a web ACL rule for IAM WAF to block requests with a string match condition for the user agent of the loT device. Associate the web ACL with the ALB Change the public DNS entry of the website to point to the CloudFront distribution.

Configure an Amazon CloudFront distribution to use a new ALB as an origin. Configure a web ACL rule for IAM WAF to block requests with a string match condition for the user agent of the loT device. Change the ALB security group to alow access from CloudFront IP address ranges only Change the public DNS entry of the website to point to the CloudFront distribution.

Activate IAM Shield Advanced to enable DDoS protection. Apply an IAM WAF ACL to the ALB. and configure a listener rule on the ALB to block loT devices based on the user agent.

Use envelope encryption with the IAM-managed CMK IAM/s3.

Create a customer-managed CMK with a key policy granting “kms:Decrypt” based on the “${IAM:username}” variable.

Create a customer-managed CMK for each user. Add each user as a key user in their corresponding key policy.

Change the applicable IAM policy to grant S3 access to “Resource”: “arn:IAM:s3:::examplebucket/${IAM:username}/*”

Default IAM Certificate Manager certificate

Custom SSL certificate stored in IAM KMS

Default CloudFront certificate

Custom SSL certificate stored in IAM Certificate Manager

Default SSL certificate stored in IAM Secrets Manager

Custom SSL certificate stored in IAM IAM

Launch a NAT instance in the public subnet Update the custom route table with a new route to the NAT instance

Remove the internet gateway, and add IAM PrivateLink to the VPC Then update the custom route table with a new route to IAM PrivateLink

Add a managed NAT gateway to the VPC Update the custom route table with a new route to the gateway

Add an egress-only internet gateway to the VPC. Update the custom route table with a new route to the gateway

Set up domain controllers on Amazon EC2 to extend the on-premises directory to IAM

Establish network connectivity between on-premises and the user's VPC

Use Amazon Cognito user pools for application authentication

Use AD Connector tor application authentication.

Set up federated sign-in to IAM through ADFS and SAML.

Remove me instance from the Auto Seating group Close me security group mm ingress only from a single forensic P address to perform an analysis.

Remove me instance from the Auto Seating group Change me network ACL rules to allow traffic only from a single forensic IP address to perform en analysis Add a rule to deny all other traffic.

Remove the instance from the Auto Scaling group Enable Amazon GuardDuty in that IAM account Install the Amazon Inspector agent cm the suspicious EC 2 instance to perform a scan.

Take a snapshot of the suspicious EC2 instance. Create a new EC2 instance from me snapshot in a closed security group with ingress only from a single forensic IP address to perform an analysis

Configure an IAM Managed Microsoft AD to manage the cloud resources.

Configure an additional on-premises Active Directory service to manage the cloud resources.

Establish a one-way trust relationship from the existing Active Directory to the new Active Directory service.

Establish a one-way trust relationship from the new Active Directory to the existing Active Directory service.

Establish a two-way trust between the new and existing Active Directory services.