To allow cross-account access to a KMS key, the key policy of the KMS key must grant permission to the external account or principal, and the IAM policy of the external account or principal must delegate the key policy permission. In this case, the new Lambda function in the development account needs to use the KMS key in the security account, so the key policy of the KMS key must allow access to the IAM role of the new Lambda function in the development account (option E), and the IAM role of the new Lambda function in the development account must have an IAM policy that allows access to the KMS key in the security account (option C). Option A is incorrect because it creates an IAM role for the new Lambda function in the security account, not in the development account. Option B is incorrect because it attaches a key policy to an IAM role, which is not valid. Option D is incorrect because it allows access to the IAM role of the new Lambda function in the security account, not in the development account. Verified References:

• https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html
• https://docs.aws.amazon.com/autoscaling/ec2/userguide/key-policy-requirements-EBS-encryption.html

Although you can use a IAM policy to prevent users launching resources in other regions. The best practice is to use SCP when using AWS organizations. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_general.html#example-scp-deny-region

The AWS documentation states that you can deploy the Lambda functions inside the VPC and attach a security group to the Lambda functions. You can then provide outbound rule access to the VPC CIDR range only and update the DB instance security group to allow traffic from the Lambda security group. This method is the most secure way to meet the requirements.

References: : AWS Lambda Developer Guide

https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html

To get objects from an S3 bucket that are encrypted with a KMS customer managed key, the security team needs to have the following factors in place:

• The IAM instance profile that is attached to the EC2 instance must allow the s3:GetObject action to the S3 bucket or object in the AWS account. This permission is required to read the object from S3. Option A is incorrect because it specifies the s3:ListBucket action, which is only required to list the objects in the bucket, not to get them.
• The KMS key policy that encrypts the object in the S3 bucket must allow the kms:Decrypt action to the EC2 instance profile ARN. This permission is required to decrypt the object using the KMS key. Option D is correct.
• The security group that is attached to the EC2 instance must have an outbound rule to the S3 managed prefix list over port 443. This rule is required to allow HTTPS traffic from the EC2 instance to S3 within the AWS infrastructure. Option E is correct. Option B is incorrect because it specifies the s3:ListParts action, which is only required for multipart uploads, not for getting objects. Option C is incorrect because it specifies the kms:ListKeys action, which is not required for getting objects. Option F is incorrect because it specifies an inbound rule from the S3 managed prefix list, which is not required for getting objects. Verified References:
• https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html
• https://docs.aws.amazon.com/kms/latest/developerguide/control-access.html
• https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-s3.html

This solution ensures that the Lambda functions are deployed inside the VPC and can communicate with the Amazon RDS DB instance securely. The security group attached to the Lambda functions only allows outbound traffic to the VPC CIDR range, and the DB instance security group only allows traffic from the Lambda security group. This solution ensures that the Lambda functions can communicate with the DB instance securely and that the DB instance is not exposed to the public internet.

Option A is incorrect since you don't add a user to the IAM Role

Option C is incorrect since you don't assign multiple users to a policy

Option D is incorrect since this is not an ideal approach

An IAM group is used to collectively manage users who need the same set of permissions. By having groups, it becomes easier to manage permissions. So if you change the permissions on the group scale, it will affect all the users in that group

For more information on IAM Groups, just browse to the below URL:

https://docs.IAM.amazon.com/IAM/latest/UserGuide/id_eroups.html

The correct answer is: Use the IAM groups and add users, based upon their role, to different groups and apply the policy to group

Submit your Feedback/Queries to our Experts

To support answer B, use the reference https://d1. IAMstatic.com/whitepapers/IAM-security-whitepaper.pdf

"For example, IAM Config provides a managed IAM Config Rules to ensure that encryption is turned on for all EBS volumes in your account."

Since here the traffic needs to flow outbound from the Instance to a web service on Port 443, the outbound rules on both the Network and Security Groups need to allow outbound traffic. The Incoming traffic should be allowed on ephermal ports for the Operating System on the Instance to allow a connection to be established on any desired or available port.

Option A is invalid because this rule alone is not enough. You also need to ensure incoming traffic on ephemeral ports

Option C is invalid because need to ensure incoming traffic on ephemeral ports and not only port 443

Option E and F are invalid since here you are allowing additional ports on Security groups which are not required

For more information on VPC Security Groups, please visit the below URL:

https://docs.IAM.amazon.com/AmazonVPC/latest/UserGuideA/PC_SecurityGroups.htmll

The correct answers are: A network ACL with rules that allow outgoing traffic on port 443 and incoming traffic on ephemeral ports, A security group with a rule that allows outgoing traffic on port 443

Submit your Feedback/Queries to our Experts

amazon Glacier is a secure, durable, and extremely low-cost cloud storage service for data archiving and long-term backup. Customers can reliably store large or small amounts of data for as little as $0,004 per gigabyte per month, a significant savings compared to on-premises solutions.

With Amazon lifecycle policies you can create transition actions in which you define when objects transition to another Amazon S3 storage class. For example, you may choose to transition objects to the STANDARDJA (IA, for infrequent access) storage class 30 days after creation, or archive objects to the GLACIER storage class one year after creation.

Option B is invalid because lifecycle policies are not available for EBS volumes

Option C is invalid because IAM policies cannot be used to move data to Glacier

Option D is invalid because lifecycle policies is not used to move data to Redshif

For more information on S3 lifecycle policies, please visit the URL:

http://docs.IAM.amazon.com/AmazonS3/latest/dev/obiect-lifecycle-mgmt.html

The correct answer is: Upload data to S3 and use lifecycle policies to move the data into Glacier for long-term archiving.

Submit your Feedback/Queries to our Experts

The most easiest option is to enable encryption when the DynamoDB table is created.

The IAM Documentation mentions the following

Amazon DynamoDB offers fully managed encryption at rest. DynamoDB encryption at rest provides enhanced security by encrypting your data at rest using an IAM Key Management Service (IAM KMS) managed encryption key for DynamoDB. This functionality eliminates the operational burden and complexity involved in protecting sensitive data.

Option A is partially correct, you can use the IAM SDK to encrypt the data, but the easier option would be to encrypt the table before hand.

Option C is invalid because you cannot encrypt the table after it is created

Option D is invalid because encryption for S3 buckets is for the objects in S3 only.

For more information on securing data at rest for DynamoDB please refer to below URL:

https://docs.IAM.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.htmll

The correct answer is: Encrypt the DynamoDB table using KMS during its creation Submit your Feedback/Queries to our Experts

By default, keys created in KMS are created with the default key policy. When features are added to KMS, you need to explii update the default key policy for these keys.

Option B,C and D are invalid because the key policy is the main entity used to provide access to the keys

For more information on upgrading key policies please visit the following URL:

https://docs.IAM.ama20n.com/kms/latest/developerguide/key-policy-upgrading.html

(

The correct answer is: You have not explicitly given access via the key policy Submit your Feedback/Queries to our Experts

Option A and B are invalid because you will not add keys to either the backend distribution or the S3 bucket.

Option D is invalid because this is used for programmatic access to IAM resources

You can use Cloudfront key pairs to create a trusted pre-signed URL which can be distributed to users

Specifying the IAM Accounts That Can Create Signed URLs and Signed Cookies (Trusted Signers)

Topics

• Creating CloudFront Key Pairs for Your Trusted Signers

• Reformatting the CloudFront Private Key (.NET and Java Only)

• Adding Trusted Signers to Your Distribution

• Verifying that Trusted Signers Are Active (Optional) 1 Rotating CloudFront Key Pairs

To create signed URLs or signed cookies, you need at least one IAM account that has an active CloudFront key pair. This accou is known as a trusted signer. The trusted signer has two purposes:

• As soon as you add the IAM account ID for your trusted signer to your distribution, CloudFront starts to require that users us signed URLs or signed cookies to access your objects.

' When you create signed URLs or signed cookies, you use the private key from the trusted signer's key pair to sign a portion of the URL or the cookie. When someone requests a restricted object CloudFront compares the signed portion of the URL or cookie with the unsigned portion to verify that the URL or cookie hasn't been tampered with. CloudFront also verifies that the URL or cookie is valid, meaning, for example, that the expiration date and time hasn't passed.

For more information on Cloudfront private trusted content please visit the following URL:

• https://docs.IAM.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-s

The correct answer is: Create pre-signed URL's Submit your Feedback/Queries to our Experts

Option B is invalid because Roles are assumed and not IAM users

Option E is invalid because you should not give the account ID to the partner

Option F is invalid because you should not give the access keys to the partner

The below diagram from the IAM documentation showcases an example on this wherein an IAM role and external ID is us> access an IAM account resources

C:\Users\wk\Desktop\mudassar\Untitled.jpg

For more information on creating roles for external ID'S please visit the following URL:

The correct answers are: Ensure an IAM role is created which can be assumed by the partner account. Ensure the partner uses an external id when making the request Provide the ARN for the role to the partner account

Submit your Feedback/Queries to our Experts

The IAM Documentation mentions the following

A user pool is a user directory in Amazon Cognito. With a user pool, your users can sign in to your web or mobile app through Amazon Cognito. Your users can also sign in through social identity providers like Facebook or Amazon, and through SAML identity providers. Whether your users sign in directly or through a third party, all members of the user pool have a directory profile that you can access through an SDK.

User pools provide:

Sign-up and sign-in services.

A built-in, customizable web Ul to sign in users.

Social sign-in with Facebook, Google, and Login with Amazon, as well as sign-in with SAML identity providers from your user

pool.

User directory management and user profiles.

Security features such as multi-factor authentication (MFA), checks for compromised credentials, account takeover protection, and phone and email verification.

Customized workflows and user migration through IAM Lambda triggers.

Options A and B are invalid because these are not used to manage users

Option D is invalid because this would be a maintenance overhead

For more information on Cognito User Identity pools, please refer to the below Link:

https://docs.IAM.amazon.com/coenito/latest/developerguide/cognito-user-identity-pools.html

The correct answer is: Use IAM Cognito to manage the user profiles Submit your Feedback/Queries to our Experts

With VPC Flow logs you can get the list of IP addresses which are hitting the Instances in your VPC You can then use the information in the logs to see which external IP addresses are sending a flurry of requests which could be the potential threat foi a DDos attack.

Option B is incorrect Cloud Trail records IAM API calls for your account. VPC FLowlogs logs network traffic for VPC, subnets. Network interfaces etc.

As per IAM,

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC where as IAM CloudTrail, is a service that captures API calls and delivers the log files to an Amazon S3 bucket that you specify.

Option C is invalid this is a config service and will not be able to get the IP addresses

Option D is invalid because this is a recommendation service and will not be able to get the IP addresses

For more information on VPC Flow Logs, please visit the following URL:

https://docs.IAM.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html

The correct answer is: Use VPC Flow logs to get the IP addresses accessing the EC2 Instances Submit your Feedback/Queries to our Experts

The IAM Documentation mentions the following about these services

IAM CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your IAM account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your IAM infrastructure. CloudTrail provides event history of your IAM account activity, including actions taken through the IAM Management Console, IAM SDKs, command line tools, and other IAM services. This event history simplifies security analysis, resource change tracking, and troubleshooting.

Option B is incorrect because VPC flow logs can only check for flow to instances in a VPC

Option C is incorrect because this can check for configuration changes only

For more information on Cloudtrail, please refer to below URL:

https://IAM.amazon.com/cloudtrail;

You can use Amazon CloudWatch Logs to monitor, store, and access your log files from Amazon Elastic Compute Cloud (Amazon EC2) instances, IAM CloudTrail, Amazon Route 53, and other sources. You can then retrieve the associated log data from CloudWatch Logs.

For more information on Cloudwatch logs, please refer to below URL:

http://docs.IAM.amazon.com/AmazonCloudWatch/latest/loes/WhatisCloudWatchLoES.htmll

The correct answers are: Amazon Cloudwatch Logs, Amazon Cloudtrail

To always ensure secure access to IAM resources from EC2 Instances, always ensure to assign a Role to the EC2 Instance Option B is invalid because KMS keys are not used as a mechanism for providing EC2 Instances access to IAM services. Option C is invalid Access keys is not a safe mechanism for providing EC2 Instances access to IAM services. Option D is invalid because there is no way access groups can be assigned to EC2 Instances. For more information on IAM Roles, please refer to the below URL:

https://docs.IAM.amazon.com/IAM/latest/UserGuide/id roles.html

The correct answer is: Use IAM Roles with permissions to interact with DynamoDB and assign it to the EC2 Instance Submit your Feedback/Queries to our Experts

Since this is required over a consistency low latency connection, you should use Direct Connect. For encryption, you can make use of a VPN

Option A is invalid because exposing an HTTPS endpoint will not help all traffic to flow between a VPC and the data center.

Option C is invalid because low latency is a key requirement

Option D is invalid because only Direct Connect will not suffice

For more information on the connection options please see the below Link:

https://IAM.amazon.com/answers/networking/IAM-multiple-vpc-vpn-connection-sharint

The correct answer is: A VPN between the VPC and the data center over a Direct Connect connection

Submit your Feedback/Queries to our Experts

The below table from IAM shows the security capabilities of IAM Cloudfront IAM Cloudfront is more prominent for DDoS attacks.

C:\Users\wk\Desktop\mudassar\Untitled.jpg

Options A,B and D are invalid because Cloudfront is specifically used to protect sites against DDoS attacks For more information on security with Cloudfront, please refer to the below Link:

https://d1.IAMstatic.com/whitepapers/Security/Secure content delivery with CloudFront whitepaper.pdi

The correct answer is: DDoS attacks

Submit your Feedback/Queries to our Experts

The IAM Documentation mentions the following on lifecycle policies

Lifecycle configuration enables you to specify the lifecycle management of objects in a bucket. The configuration is a set of one or more rules, where each rule defines an action for Amazon S3 to apply to a group of objects. These actions can be classified a« follows:

Transition actions - In which you define when objects transition to another . For example, you may choose to

transition objects to the STANDARDJA (IA, for infrequent access) storage class 30 days after creation, or archive objects to the GLACIER storage class one year after creation.

Expiration actions - In which you specify when the objects expire. Then Amazon S3 deletes the expired objects on your behalf.

Option A and C are invalid because neither bucket policies neither IAM policy's can control the purging of logs Option D is invalid CORS is used for accessing objects across domains and not for purging of logs For more information on IAM S3 Lifecycle policies, please visit the following URL:

com/AmazonS3/latest/d<

The correct answer is: Configuring lifecycle configuration rules on the S3 bucket. Submit your Feedback/Queries to our Experts

Your answer is incorrect

Answer -D

The IAM Documentation mentions the following on IAM WAF which can be used to protect Application Load Balancers and Cloud front

A web access control list (web ACL) gives you fine-grained control over the web requests that your Amazon CloudFront distributions or Application Load Balancers respond to. You can allow or block the following types of requests:

Originate from an IP address or a range of IP addresses

Originate from a specific country or countries

Contain a specified string or match a regular expression (regex) pattern in a particular part of requests

Exceed a specified length

Appear to contain malicious SQL code (known as SQL injection)

Appear to contain malicious scripts (known as cross-site scripting)

Option A is invalid because by default Security Groups have the Deny policy

Options B and C are invalid because these services cannot be used to block IP addresses

For information on IAM WAF, please visit the below URL:

https://docs.IAM.amazon.com/waf/latest/developerguide/web-acl.html

The correct answer is: Use IAM WAF to block the IP addresses

Submit your Feedback/Queries to our Experts

Create a Direct Connect connection so that corporate users can access the IAM account

Option B is incorrect because IAM policies are not directly mapped to group memberships in the corporate directory. It is IAM roles which are mapped.

Option C is incorrect because Lambda functions is an incorrect option to assign roles.

Option D is incorrect because IAM users are not directly mapped to employees' corporate identities.

For more information on Direct Connect, please refer to below URL:

' https://IAM.amazon.com/directconnect/

From the IAM Documentation, for federated access, you also need to ensure the right policy permissions are in place

Configure permissions in IAM for your federated users

The next step is to create an IAM role that establishes a trust relationship between IAM and your organization's IdP that identifies your IdP as a principal (trusted entity) for purposes of federation. The role also defines what users authenticated your organization's IdP are allowed to do in IAM. You can use the IAM console to create this role. When you create the trust policy that indicates who can assume the role, you specify the SAML provider that you created earlier in IAM along with one or more SAML attributes that a user must match to be allowed to assume the role. For example, you can specify that only users whose SAML eduPersonOrgDN value is ExampleOrg are allowed to sign in. The role wizard automatically adds a condition to test the saml:aud attribute to make sure that the role is assumed only for sign-in to the IAM Management Console. The trust policy for the role might look like this:

C:\Users\wk\Desktop\mudassar\Untitled.jpg

For more information on SAML federation, please refer to below URL:

https://docs.IAM.amazon.com/IAM/latest/UserGuide/id_roles_providers_enabli

Note:

What directories can I use with IAM SSO?

You can connect IAM SSO to Microsoft Active Directory, running either on-premises or in the IAM Cloud. IAM SSO supports IAM Directory Service for Microsoft Active Directory, also known as IAM Managed Microsoft AD, and AD Connector. IAM SSO does not support Simple AD. See IAM Directory Service Getting Started to learn more.

To connect to your on-premises directory with AD Connector, you need the following:

VPC

Set up a VPC with the following:

• At least two subnets. Each of the subnets must be in a different Availability Zone.

• The VPC must be connected to your on-premises network through a virtual private network (VPN) connection or IAM Direct

Connect.

• The VPC must have default hardware tenancy.

• https://IAM.amazon.com/single-sign-on/

• https://IAM.amazon.com/single-sign-on/faqs/

• https://IAM.amazon.com/bloj using-corporate-credentials/

• https://docs.IAM.amazon.com/directoryservice/latest/admin-

The correct answers are: Create a Direct Connect connection between on-premise network and IAM. Use an AD connector connecting IAM with on-premise active directory.. Create an IAM role that establishes a trust relationship between IAM and corporate directory identity provider (IdP)

Submit your Feedback/Queries to our Experts

Options A & B are invalid as default NACL rule will allow all inbound and outbound traffic.

The requirement is that the IT administrator should be able to access this EC2 instance from his workstation. For that we need to enable the Security Group of EC2 instance to allow traffic from the IT administrator's workstation. Hence option C is correct.

Option D is incorrect as we need to enable the Inbound SSH traffic on the EC2 instance Security Group since the traffic originate' , from the IT admin's workstation.

The correct answer is: Ensure that the security group allows Inbound SSH traffic from the IT Administrator's Workstation Submit your Feedback/Queries to our Experts

So definitely the case here is that the incident response plan is not catering to newly created services. IAM keeps on changing and adding new services and hence the response plan must cater to these new services.

Option A and B are invalid because we don't know this for a fact.

Option D is invalid because we know that the response plan is not complete, because it does not cater to new features of IAM

For more information on incident response plan please visit the following URL:

https://IAM.amazon.com/blogs/publicsector/buildins-a-cloud-specific-incident-response-plan;

The correct answer is: The response plan does not cater to new services Submit your Feedback/Queries to our Experts

This is mentioned clearly as a use case for S3 cross-region replication

You might configure cross-region replication on a bucket for various reasons, including the following:

• Compliance requirements - Although, by default Amazon S3 stores your data across multiple geographically distant Availability Zones, compliance requirements might dictate that you store data at even further distances. Cross-region replication allows you to replicate data between distant IAM Regions to satisfy these compliance requirements.

Option A is invalid because Multi-AZ cannot be used to S3 buckets

Option B is invalid because copying it to an EBS volume is not a recommended practice

Option C is invalid because creating snapshots is not possible in S3

For more information on S3 cross-region replication, please visit the following URL:

https://docs.IAM.amazon.com/AmazonS3/latest/dev/crr.htmll

The correct answer is: Enable Cross region replication for the S3 bucket

Submit your Feedback/Queries to our Experts

You need to ensure that UserB is given access via the Key policy for the Key

C:\Users\wk\Desktop\mudassar\Untitled.jpg

Option is invalid because you don't assign roles to IAM users

For more information on Key policies please visit the below Link:

https://docs.IAM.amazon.com/kms/latest/developerguide/key-poli

The correct answer is: Ensure that UserB is given the right permissions in the Key policy

The IAM Documentation mentions the following

Automatic key rotation is available for all customer managed CMKs with KMS-generated key material. It is not available for CMKs that have imported key material (the value of the Origin field is External), but you can rotate these CMKs manually.

Rotating Keys Manually

You might want to create a newCMKand use it in place of a current CMK instead of enabling automatic key rotation. When the new CMK has different cryptographic material than the current CMK, using the new CMK has the same effect as changing the backing key in an existing CMK. The process of replacing one CMK with another is known as manual key rotation.

When you begin using the new CMK, be sure to keep the original CMK enabled so that IAM KMS can decrypt data that the original CMK encrypted. When decrypting data, KMS identifies the CMK that was used to encrypt the data, and it uses the sam CMK to decrypt the data. As long as you keep both the original and new CMKs enabled, IAM KMS can decrypt any data that was encrypted by either CMK.

Option B is invalid because you also need to point the key alias to the new key

Option C is invalid because existing CMK keys cannot be rotated as they are

Option E is invalid because deleting existing keys will not guarantee the creation of a new default CMK key

For more information on Key rotation please see the below Link:

https://docs.IAM.amazon.com/kms/latest/developereuide/rotate-keys.html

The correct answers are: Enable automatic key rotation for a CMK, Import new key material to a new CMK; Point the key alias to the new CMK.

Submit your Feedback/Queries to our Experts

The IAM Security best practises mentions the following

Unique to IAM, security practitioners can use CloudFormation to quickly create a new, trusted environment in which to conduct deeper investigation. The CloudFormation template can pre-configure instances in an isolated environment that contains all the necessary tools forensic teams need to determine the cause of the incident This cuts down on the time it takes to gather necessary tools, isolates systems under examination, and ensures that the team is operating in a clean room.

Option A is incorrect since this is a logging service and cannot be used to provision a test environment

Option C is incorrect since this is an API logging service and cannot be used to provision a test environment

Option D is incorrect since this is a configuration service and cannot be used to provision a test environment

For more information on IAM Security best practises, please refer to below URL:

https://d1.IAMstatic.com/whitepapers/architecture/IAM-Security-Pillar.pd1

The correct answer is: IAM Cloudformation

Submit your Feedback/Queries to our Experts

One of the IAM Security blogs mentions the followinj

Versioning keeps multiple versions of an object in the same bucket. When you enable it on a bucket Amazon S3 automatically adds a unique version ID to every object stored in the bucket. At that point, a simple DELETE action does not permanently delete an object version; it merely associates a delete marker with the object. If you want to permanently delete an object version, you must specify its version ID in your DELETE request.

You can add another layer of protection by enabling MFA Delete on a versioned bucket. Once you do so, you must provide your IAM accounts access keys and a valid code from the account's MFA device in order to permanently delete an object version or suspend or reactivate versioning on the bucket.

Option B is invalid because enabling encryption does not guarantee risk of data deletion.

Option D is invalid because this option does not guarantee risk of data deletion.

For more information on IAM S3 versioning and MFA please refer to the below URL:

https://IAM.amazon.com/blogs/security/securing-access-to-IAM-using-mfa-part-3/

The correct answers are: Enable versioning on the S3 bucket Enable MFA Delete in the bucket policy Submit your Feedback/Queries to our Experts

The IAM Documentation mentions the following on IAM Inspector

Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on IAM. Amazon Inspector automatically assesses applications for vulnerabilities or deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity. These findings can be reviewed directly or as part of detailed assessment reports which are available via the Amazon Inspector console or API.

Option A is invalid because the IAM Config service is not used to check the vulnerabilities on servers

Option C is invalid because the IAM Inspector service is not used to patch servers

For more information on IAM Inspector, please visit the following URL:

https://IAM.amazon.com/inspector >

Once you understand the list of servers which require critical updates, you can rectify them by installing the required patches via the SSM tool.

For more information on the Systems Manager, please visit the following URL:

https://docs.IAM.amazon.com/systems-manager/latest/APIReference/Welcome.html

The correct answers are: Use IAM Inspector to ensure that the servers have no critical flIAM.. Use IAM SSM to patch the servers

(

The IAM Documentation mentions the following

To share log files between multiple IAM accounts, you must perform the following general steps. These steps are explained in detail later in this section.

Create an IAM role for each account that you want to share log files with.

For each of these IAM roles, create an access policy that grants read-only access to the account you want to share the log files with.

Have an IAM user in each account programmatically assume the appropriate role and retrieve the log files.

Options A and C are invalid because creating an IAM user and then sharing the IAM user credentials with the vendor is a direct 'NO' practise from a security perspective.

For more information on sharing cloudtrail logs files, please visit the following URL

https://docs.IAM.amazon.com/IAMcloudtrail/latest/userguide/cloudtrail-sharine-loes.htmll

The correct answers are: Create an IAM Role in the company account Ensure the IAM Role has access for read-only to the S3 buckets

Submit your Feedback/Queries to our Experts

Since the database should not be hosted on the cloud all other options are invalid.

The best option is to create a VPN connection for securing traffic as shown below.

C:\Users\wk\Desktop\mudassar\Untitled.jpg

Option B is invalid because this is the incorrect use of the Storage gateway Option C is invalid since this is the incorrect use of the NAT instance Option D is invalid since this is an incorrect configuration For more information on VPN connections, please visit the below URL

http://docs.IAM.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.htmll

The correct answer is: Build the application server on a public subnet and the database at the client's data center. Connect them with a VPN connection which uses IPsec

Submit your Feedback/Queries to our Experts

The ideal setup is to ensure that the web server is hosted in the public subnet so that it can be accessed by users on the internet. The database server can be hosted in the private subnet.

The below diagram from the IAM Documentation shows how this can be setup

C:\Users\wk\Desktop\mudassar\Untitled.jpg

Option A and C are invalid because if you move the web server to a private subnet, then it cannot be accessed by users Option D is invalid because NAT instances should be present in the public subnet

For more information on public and private subnets in IAM, please visit the following url

com/AmazonVPC/latest/UserGuide/VPC Scenario2.

The correct answer is: Consider moving the database server to a private subnet Submit your Feedback/Queries to our Experts

You can optionally secure the content in your Amazon S3 bucket so users can access it through CloudFront but cannot access it directly by using Amazon S3 URLs. This prevents anyone from bypassing CloudFront and using the Amazon S3 URL to get content that you want to restrict access to. This step isn't required to use signed URLs, but we recommend it

To require that users access your content through CloudFront URLs, you perform the following tasks:

Create a special CloudFront user called an origin access identity.

Give the origin access identity permission to read the objects in your bucket.

Remove permission for anyone else to use Amazon S3 URLs to read the objects.

Option B,C and D are all automatically invalid, because the right way is to ensure to create Origin Access Identity (OAI) for CloudFront and grant access accordingly.

For more information on serving private content via Cloudfront, please visit the following URL:

https://docs.IAM.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.htmll

The correct answer is: Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket t that OAI.

You can optionally secure the content in your Amazon S3 bucket so users can access it through CloudFront but cannot access it directly by using Amazon S3 URLs. This prevents anyone from bypassing CloudFront and using the Amazon S3 URL to get content that you want to restrict access to. This step isn't required to use signed URLs, but we recommend it

To require that users access your content through CloudFront URLs, you perform the following tasks:

Create a special CloudFront user called an origin access identity.

Give the origin access identity permission to read the objects in your bucket.

Remove permission for anyone else to use Amazon S3 URLs to read the objects.

Option B,C and D are all automatically invalid, because the right way is to ensure to create Origin Access Identity (OAI) for CloudFront and grant access accordingly.

For more information on serving private content via Cloudfront, please visit the following URL:

https://docs.IAM.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.htmll

The correct answer is: Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket t that OAI.

Submit your Feedback/Queries to our Experts

Submit your Feedback/Queries to our Experts

The IAM Documentation mentions the following

You can use Amazon EC2 to create your key pair. Alternatively, you could use a third-party tool and then import the public key to Amazon EC2. Each key pair requires a name. Be sure to choose a name that is easy to remember. Amazon EC2 associates the public key with the name that you specify as the key name.

Amazon EC2 stores the public key only, and you store the private key. Anyone who possesses your private key can decrypt login information, so it's important that you store your private keys in a secure place.

Options A and D are incorrect since you should use key pairs for secure access to Ec2 Instances

For more information on EC2 key pairs, please refer to below URL:

https://docs.IAM.amazon.com/IAMEC2/latest/UserGuide/ec2-key-pairs.html

The correct answers are: Create a key pair using putty. Use the private key to log into the instance

Submit your Feedback/Queries to our Experts

A recommendation from the IAM Security Best practices highlights this as well

C:\Users\wk\Desktop\mudassar\Untitled.jpg

option A is partially valid, you can segregate resources, but a best practise is to have multiple accounts for this setup.

Options B and C are invalid because from a maintenance perspective this could become very difficult For more information on the Security Best practices, please visit the following URL:

https://dl.IAMstatic.com/whitepapers/Security/IAM_Security_Best_Practices.pdf

The correct answer is: Use separate IAM accounts for each of the environments Submit your Feedback/Queries to our Experts

The IAM Documentation mentions the foil

To track requests for access to your bucket you can enable access logging. Each access log record provides details about a single access request, such as the requester, bucket name, request time, request action, response status, and error code, if any.

Options B and C are incorrect Cloudwatch is used for metrics and logging and cannot be used to track access requests.

Option D is incorrect since this can be used for Configuration management but for not for tracking S3 bucket requests.

For more information on S3 server logs, please refer to below UF

https://docs.IAM.amazon.com/AmazonS3/latest/dev/ServerLoes.html

The correct answer is: Enable server access logging for the bucket Submit your Feedback/Queries to our Experts

The IAM Documentation mentions the following

"When you write such an app, you'll make requests to IAM services that must be signed with an IAM access key. However, we strongly recommend that you do not embed or distribute long-term IAM credentials with apps that a user downloads t device, even in an encrypted store. Instead, build your app so that it requests temporary IAM security credentials dynamica when needed using web identify federation. The supplied temporary credentials map to an IAM role that has only the permissioi needed to perform the tasks required by the mobile app".

Option A.B and C are all automatically incorrect because you need to use IAM Roles for Secure access to services For more information on web identity federation please refer to the below Link:

• http://docs.IAM.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html

The correct answer is: Use roles that allow a web identity federated user to assume a role that allows access to the RedShift table by providing temporary credentials.

Submit your Feedback/Queries to our Experts

This is mentioned in the IAM Documentation

Amazon Redshift uses a four-tier, key-based architecture for encryption. The architecture consists of data encryption keys, a database key, a cluster key, and a master key.

Data encryption keys encrypt data blocks in the cluster. Each data block is assigned a randomly-generated AES-256 key. These keys are encrypted by using the database key for the cluster.

The database key encrypts data encryption keys in the cluster. The database key is a randomly-generated AES-256 key. It is stored on disk in a separate network from the Amazon Redshift cluster and passed to the cluster across a secure channel.

The cluster key encrypts the database key for the Amazon Redshift cluster.

Option B is incorrect because the master key encrypts the cluster key and not the database key

Option C is incorrect because the master key encrypts the cluster key and not the data encryption keys

Option D is incorrect because the master key encrypts the cluster key only

For more information on how keys are used in Redshift, please visit the following URL:

https://docs.IAM.amazon.com/kms/latest/developereuide/services-redshift.html

The correct answer is: The master keys encrypts the cluster key. The cluster key encrypts the database key. The database key encrypts the data encryption keys.

Submit your Feedback/Queries to our Experts

The IAM Documentation mentions the following

You can quickly remediate patch and association compliance issues by using Systems Manager Run Command. You can tat either instance IDs or Amazon EC2 tags and execute the IAM-RefreshAssociation document or the IAM-RunPatchBaseline document. If refreshing the association or re-running the patch baseline fails to resolve the compliance issue, then you need to investigate your associations, patch baselines, or instance configurations to understand why the Run Command executions did not resolve the problem

Options A and B are invalid because even though this is possible, still from a maintenance perspective it would be difficult to maintain the Lambda functions

Option C is invalid because this service cannot be used to patch servers

For more information on using Systems Manager for compliance remediation please visit the below Link:

https://docs.IAM.amazon.com/systems-manaeer/latest/usereuide/sysman-compliance-fixing.html

The correct answer is: Use IAM Systems Manager to patch the servers Submit your Feedback/Queries to our Experts

The SSM Run command can be used to send OS specific commands to an Instance. Here you can check and see the running processes on an instance and then send the output to an S3 bucket.

Option A is invalid because this is used to record API activity and cannot be used to record running processes.

Option B is invalid because Cloudwatch is a logging and metric service and cannot be used to record running processes.

Option D is invalid because IAM Config is a configuration service and cannot be used to record running processes.

For more information on the Systems Manager Run command, please visit the following URL:

https://docs.IAM.amazon.com/systems-manaEer/latest/usereuide/execute-remote-commands.htmll

The correct answer is: Use the SSM Run command to send the list of running processes information to an S3 bucket. Submit your Feedback/Queries to our Experts

The IAM Documentation mentions the following

IAM Identity and Access Management (IAM) now makes it easier for you to control access to your IAM resources by using the IAM organization of IAM principals (users and roles). For some services, you grant permissions using resource-based policies to specify the accounts and principals that can access the resource and what actions they can perform on it. Now, you can use a new condition key, IAM:PrincipalOrglD, in these policies to require all principals accessing the resource to be from an account in the organization

Option B.C and D are invalid because the condition in the bucket policy has to mention IAM:PrincipalOrglD

For more information on controlling access via Organizations, please refer to the below Link:

https://IAM.amazon.com/blogs/security/control-access-to-IAM-resources-by-usins-the-IAM-organization-of-iam-principal

(

The correct answer is: Ensure the bucket policy has a condition which involves IAM:PrincipalOrglD Submit your Feedback/Queries to our Experts

The below diagram shows how the NAT instance works. To make EC2 instances very secure, they need to be in a private sub such as the database server shown below with no EIP and all traffic routed via the NAT.

C:\Users\wk\Desktop\mudassar\Untitled.jpg

Options A and B are invalid because the instances need to be in the private subnet

Option C is invalid because since the instance needs to be in the private subnet, you should not attach an EIP to the instance

For more information on NAT instance, please refer to the below Link:

http://docs.IAM.amazon.com/AmazonVPC/latest/UserGuideA/PC

lnstance.html!

The correct answer is: EC2 instances in our private subnet no EIPs, route outgoing traffic via the NAT Submit your Feedback/Queries to our Experts

anaging your own encryption keys, y

You can encrypt the object and send it across to S3

Option A is invalid because ideally you should use different encryption keys Option C is invalid because you can use you own encryption keys Option D is invalid because encryption works even if versioning is enabled For more information on client side encryption please visit the below Link:

""Keys.html

https://docs.IAM.ama2on.com/AmazonS3/latest/dev/UsingClientSideEncryption.html

The correct answer is: It is possible to have different encryption keys for different versions of the same object Submit your Feedback/Queries to our Experts

If you want to use CloudFront signed URLs or signed cookies to provide access to objects in your Amazon S3 bucket you probably also want to prevent users from accessing your Amazon S3 objects using Amazon S3 URLs. If users access your objects directly in Amazon S3, they bypass the controls provided by CloudFront signed URLs or signed cookies, for example, control over the date and time that a user can no longer access your content and control over which IP addresses can be used to access content. In addition, if user's access objects both through CloudFront and directly by using Amazon S3 URLs, CloudFront ace logs are less useful because they're incomplete.

Option A is invalid because you need to create a Origin Access Identity for Cloudfront and not an IAM user

Option C and D are invalid because using policies will not help fulfil the requirement

For more information on Origin Access Identity please see the below Link:

http://docs.IAM.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restrictine-access-to-s3.htmll

The correct answer is: Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI.

(

Submit your Feedback/Queries to our Experts

The IAM Documentation mentions the following

You can create a load balancer that listens on both the HTTP (80) and HTTPS (443) ports. If you specify that the HTTPS listener sends requests to the instances on port 80, the load balancer terminates the requests and communication from the load balancer to the instances is not encrypted, if the HTTPS listener sends requests to the instances on port 443, communication from the load balancer to the instances is encrypted.

Option A is invalid because there is a need for secure traffic, so port 80 should not be used

Option D is invalid because for the HTTPS listener you need to use port 443

For more information on HTTPS with ELB, please refer to the below Link:

https://docs.IAM.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.htmll

The correct answers are: Ensure the load balancer listens on port 443, Ensure the HTTPS listener sends requests to the instances on port 443

Submit your Feedback/Queries to our Experts

One can send the log files to Cloudwatch Logs. Log files can also be sent from On-premise servers. You can then specify metrii to search the logs for any specific values. And then create alarms based on these metrics.

Option A is invalid because this will be just a long over drawn process to achieve this requirement

Option C is invalid because IAM Inspector cannot be used to monitor for security related messages.

Option D is invalid because files cannot be exported to IAM Cloudtrail

For more information on Cloudwatch logs agent please visit the below URL:

https://docs.IAM.amazon.com/AmazonCloudWatch/latest/logs/QuickStartEC2lnstance.hti

The correct answer is: Send the local text log files to Cloudwatch Logs and configure a Cloudwatch metric filter. Trigger cloudwatch alarms based on the metrics.

Submit your Feedback/Queries to our Experts

The direct ways that can be used to see how the key is being used is to see the current access permissions and cloudtrail logs

Option A is invalid because seeing how long ago the key was created would not determine the usage of the key

Option D is invalid because Cloudtrail Event is better for seeing for events generated by the key

This is also mentioned in the IAM Documentation

Examining CMK Permissions to Determine the Scope of Potential Usage

Determining who or what currently has access to a customer master key (CMK) might help you determine how widely the CM was used and whether it is still needed. To learn how to determine who or what currently has access to a CMK, go to Determining Access to an IAM KMS Customer Master Key.

Examining IAM CloudTrail Logs to Determine Actual Usage

IAM KMS is integrated with IAM CloudTrail, so all IAM KMS API activity is recorded in CloudTrail log files. If you have CloudTrail turned on in the region where your customer master key (CMK) is located, you can examine your CloudTrail log files to view a history of all IAM KMS API activity for a particular CMK, and thus its usage history. You might be able to use a CMK's usage history to help you determine whether or not you still need it

For more information on determining the usage of CMK keys, please visit the following URL:

• https://docs.IAM.amazon.com/kms/latest/developerguide/deleting-keys-determining-usage.html

The correct answers are: See who is assigned permissions to the master key. See Cloudtrail for usage of the key Submit your Feedback/Queries to our Experts

The best secure option is to place the database in a private subnet. The below diagram from the IAM Documentation shows this setup. Also ensure that access is not allowed from all sources but just from the web servers.

C:\Users\wk\Desktop\mudassar\Untitled.jpg

Option A is invalid because databases should not be placed in the public subnet

Option D is invalid because the database security group should not allow traffic from the internet For more information on this type of setup, please refer to the below URL:

https://docs.IAM.amazon.com/AmazonVPC/latest/UserGuideA/PC Scenario2.

The correct answers are: Place the EC2 Instance with the Oracle database in a separate private subnet Create a database security group and ensure the web security group to allowed incoming access

Submit your Feedback/Queries to our Experts

You can use a Lambda function to create a new key and then update the S3 bucket to use the new key. Remember not to delete the old key, else you will not be able to decrypt the documents stored in the S3 bucket using the older key.

Option B is incorrect because IAM KMS cannot rotate keys on a monthly basis

Option C is incorrect because deleting the old key means that you cannot access the older objects

Option D is incorrect because rotating key material is not possible.

For more information on IAM KMS keys, please refer to below URL:

https://docs.IAM.amazon.com/kms/latest/developereuide/concepts.htmll

The correct answer is: Trigger a Lambda function with a monthly CloudWatch event that creates a new CMK and updates the S3 bucket to use the new CMK.

Submit your Feedback/Queries to our Experts

The IAM Documentation mentions the following

If you experience problems executing commands using Run Command, there might be a problem with the SSM Agent. Use the following information to help you troubleshoot the agent

View Agent Logs

The SSM Agent logs information in the following files. The information in these files can help you troubleshoot problems.

On Windows

%PROGRAMDATA%\Amazon\SSM\Logs\amazon-ssm-agent.log

%PROGRAMDATA%\Amazon\SSM\Logs\error.log

The default filename of the seelog is seelog-xml.template. If you modify a seelog, you must rename the file to seelog.xml.

On Linux

/var/log/amazon/ssm/amazon-ssm-agentlog /var/log/amazon/ssm/errors.log

Option C is invalid because the right AMI has nothing to do with the issues. The agent which is used to execute run commands can run on a variety of AMI'S

Option D is invalid because security groups does not come into the picture with the communication between the agent and the SSM service

For more information on troubleshooting IAM SSM, please visit the following URL:

https://docs.IAM.amazon.com/systems-manaeer/latest/userguide/troubleshootine-remote-commands.htmll

The correct answers are: Ensure that the SSM agent is running on the target machine. Check the /var/log/amazon/ssm/errors.log file

Submit your Feedback/Queries to our Experts

Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/. In the navigation pane, choose Session Manager. Choose the Preferences tab, and then choose Edit. Select the check box next to Enable under S3 logging. (Recommended) Select the check box next to Allow only encrypted S3 buckets. With this option turned on, log data is encrypted using the server-side encryption key specified for the bucket. If you don 't want to encrypt the log data that is sent to Amazon S3, clear the check box. You must also clear the check box if encryption isn't allowed on the S3 bucket.

https://aws.amazon.com/blogs/aws/log-your-vpc-dns-queries-with-route-53-resolver-query-logs/

The IAM Documentation mentions the following

To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it you can use CloudTrail log file integrity validation. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection. You can use the IAM CLI to validate the files in the location where CloudTrail delivered them

Validated log files are invaluable in security and forensic investigations. For example, a validated log file enables you to assert positively that the log file itself has not changed, or that particular user credentials performed specific API activity. The CloudTrail log file integrity validation process also lets you know if a log file has been deleted or changed, or assert positively that no log files were delivered to your account during a given period of time.

Options B.C and D is invalid because you need to check for log File Integrity Validation for cloudtrail logs

For more information on Cloudtrail log file validation, please visit the below URL:

http://docs.IAM.amazon.com/IAMcloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html

The correct answer is: Use CloudTrail Log File Integrity Validation.

omit your Feedback/Queries to our Expert

https:// IAM.amazon.com/premiumsupport/knowledge-center/cross-account-access-s3/

To configure end-to-end encryption between the Elastic Load Balancer and the EC2 instances with the least operational effort, the most appropriate solution would be to use Amazon issued AWS Certificate Manager (ACM) certificates on the EC2 instances and the Elastic Load Balancer to configure end-to-end encryption.

 AWS Certificate Manager - Amazon Web Services : Elastic Load Balancing - Amazon Web Services : Amazon Elastic Compute Cloud - Amazon Web Services : AWS Certificate Manager - Amazon Web Services

To create a process that will allow application teams to provision their own IAM roles, while limiting the scope of IAM roles and preventing privilege escalation, the following steps are required:

• Create a service control policy (SCP) that defines the maximum permissions that can be granted to any IAM role in the organization. An SCP is a type of policy that you can use with AWS Organizations to manage permissions for all accounts in your organization. SCPs restrict permissions for entities in member accounts, including each AWS account root user, IAM users, and roles. For more information, see Service control policies overview.
• Create a permissions boundary for IAM roles that matches the SCP. A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity. A permissions boundary allows an entity to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries. For more information, see Permissions boundaries for IAM entities.
• Add the SCP to the root organizational unit (OU) so that it applies to all accounts in the organization. This will ensure that no IAM role can exceed the permissions defined by the SCP, regardless of how it is created or modified.
• Instruct the application teams to attach the permissions boundary to any IAM role they create. This will prevent them from creating IAM roles that can escalate their own privileges or access resources they are not authorized to access.

This solution will meet the requirements with the least operational overhead, as it leverages AWS Organizations and IAM features to delegate and limit IAM role creation without requiring manual reviews or approvals.

The other options are incorrect because they either do not allow application teams to provision their own IAM roles (A), do not limit the scope of IAM roles or prevent privilege escalation (B), or do not take advantage of managed services whenever possible ©.

Verified References:

• https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html
• https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html

"If you copy an encrypted snapshot across Regions, you must specify a KMS key valid in the destination AWS Region. It can be a Region-specific KMS key, or a multi-Region key." https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-copy-snapshot.html#aurora-copy-snapshot.Encryption

To see Security Hub findings for accounts that are outside the organization that includes the Security Hub administrator account, the following steps are required:

• Send invitations to accounts that are outside the company’s organization from the Security Hub administrator account. This will allow the administrator account to view and manage findings from those accounts. The administrator account can send invitations by using the Security Hub console, API, or CLI. For more information, see Sending invitations to member accounts.
• Send an administration request from the member accounts. This will allow the member accounts to accept the invitation from the administrator account and establish a relationship with it. The member accounts can send administration requests by using the Security Hub console, API, or CLI. For more information, see Sending administration requests.

This solution will enable the company to see Security Hub findings for many AWS accounts and AWS Regions, including accounts that are outside its own organization.

The other options are incorrect because they either do not establish a relationship between the administrator and member accounts (A, B), do not enable Security Hub for all member accounts (D), or do not use a valid service for Security Hub (F).

Verified References:

• https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-member-accounts.html

To meet the requirement of changing the key material for new files whenever a potential key breach occurs, the most appropriate solution would be to create a new customer managed key, add a key rotation schedule to the key, and invoke the key rotation schedule every time the security team requests a key change.

References: : Rotating AWS KMS keys - AWS Key Management Service

To provide access to the three individuals who have IAM user accounts to access the Amazon Linux 2 Amazon EC2 instances that are using the same IAM instance profile, the most appropriate solution would be to assign an IAM policy to the instance profile to allow the EC2 instances to be managed by AWS Systems Manager, provide the IAM user accounts with permission to use Systems Manager, remove the SSH keys from the EC2 instances, and use Systems Manager Session Manager to select the EC2 instance and connect.

References: : AWS Systems Manager Session Manager - AWS Systems Manager : AWS Systems Manager - AWS Management Console : AWS Identity and Access Management - AWS Management Console : Amazon Elastic Compute Cloud - Amazon Web Services : Amazon Linux 2 - Amazon Web Services : AWS Systems Manager - AWS Management Console : AWS Systems Manager - AWS Management Console : AWS Systems Manager - AWS Management Console

The condition of "s3:x-amz-server-side-encryption":"IAM:kms" ensures that objects uploaded need to be encrypted.

Options B,C and D are invalid because you have to ensure the condition of ns3:x-amz-server-side-encryption":"IAM:kms" is present

For more information on IAM KMS best practices, just browse to the below URL:

https://dl. IAMstatic.com/whitepapers/IAM-kms-best-praaices.pdf

C:\Users\wk\Desktop\mudassar\Untitled.jpg

Submit your Feedback/Queries to our Expert

An Application Load Balancer (ALB) is a type of load balancer that operates at the application layer (layer 7) of the OSI model. It can distribute incoming traffic based on the content of the request, such as the host header, path, or query parameters. An ALB can also terminate TLS connections and decrypt requests from clients before sending them to the targets.

To implement TLS for incoming traffic to the application, the following steps are required:

• Create a public ALB in a public subnet and register the EC2 instances as targets in a target group.
• Create two listeners for the ALB, one on port 80 for HTTP traffic and one on port 443 for HTTPS traffic.
• Create a rule for the listener on port 80 to redirect HTTP requests to HTTPS using the same host, path, and query parameters.
• Provision a public TLS certificate in AWS Certificate Manager (ACM) for the domain name of the application. ACM is a service that lets you easily provision, manage, and deploy public and private SSL/TLS certificates for use with AWS services and your internal connected resources.
• Attach the certificate to the listener on port 443 and configure the security policy to negotiate secure connections between clients and the ALB.
• Configure the security groups for the ALB and the EC2 instances to allow inbound traffic on ports 80 and 443 from the internet and outbound traffic on any port to the EC2 instances.

This solution will meet the requirements of implementing TLS for incoming traffic without impacting performance or requiring end-to-end encryption. The ALB will handle the TLS termination and decryption, while forwarding unencrypted requests to the EC2 instances.

Verified References:

• https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html
• https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html
• https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html

Data stored in Amazon EBS volumes is redundantly stored in multiple physical locations as part of normal operation of those services and at no additional charge. However, Amazon EBS replication is stored within the same availability zone, not across multiple zones; therefore, it is highly recommended that you conduct regular snapshots to Amazon S3 for long-term data durability Option A is invalid because there is no lifecycle policy for EBS volumes Option C is invalid because there is no EBS volume replication Option D is invalid because EBS volume encryption will not ensure business continuity For information on security for Compute Resources, please visit the below URL: https://d 1.awsstatic.com/whitepapers/Security/Security_Compute_Services_Whitepaper.pdf

https://github.com/ IAMlabs/aws-well-architected-labs/blob/master/Security/300_Incident_Response_with_IAM_Console_and_CLI/Lab_Guide.md

https://d1. IAMstatic.com/whitepapers/IAM_security_incident_response.pdf

Option A is invalid because this can be used to check for security issues in your account, but not verify as to why you cannot reach the home page for your application

Option C is invalid because this used to protect your app against application layer attacks, but not verify as to why you cannot reach the home page for your application

Option D is invalid because this used to protect your instance against attacks, but not verify as to why you cannot reach the home page for your application

The IAM Documentation mentions the following

VPC Flow Logs capture network flow information for a VPC, subnet or network interface and stores it in Amazon CloudWatch Logs. Flow log data can help customers troubleshoot network issues; for example, to diagnose why specific traffic is not reaching an instance, which might be a result of overly restrictive security group rules. Customers can also use flow logs as a security toi to monitor the traffic that reaches their instances, to profile network traffic, and to look for abnormal traffic behaviors.

For more information on IAM Security, please visit the following URL:

https://IAM.amazon.com/answers/networking/vpc-security-capabilities >

The correct answer is: Use VPC Flow logs to diagnose the traffic Submit your Feedback/Queries to our Experts

https://docs. IAM.amazon.com/vpc/latest/userguide/vpc-network-acls.html

Reference https://IAM.amazon.com/s3/faqs/

https://docs. IAM.amazon.com/IAMcloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html

https://docs. IAM.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch-and-interface-VPC.html

We recommend that you use the following pattern to locally encrypt data: call the GenerateDataKey API, use the key returned in the Plaintext response field to locally encrypt data, and then erase the plaintext data key from memory. Store the encrypted data key (contained in the CiphertextBlob field) alongside of the locally encrypted data. The Decrypt API returns the plaintext key from the encrypted key. https://docs. IAM.amazon.com/sdkfornet/latest/apidocs/items/MKeyManagementServiceKeyManagementServiceGenerateDataKeyGenerateDataKeyRequestNET45.html

EC2 run command - can run scripts, install software, collect metrics and log files, manage patches and more. Bringing these two services together - can create CloudWatch Events rules that use EC2 Run Command to perform actions on EC2 instances or on-premises servers.

The Web security groups should allow access for ports 80 and 443 for HTTP and HTTPS traffic to all users from the internet.

The database security group should just allow access from the web security group from port 1433.

Option C is invalid because this is not a valid configuration

Option D is invalid because database security should not be allowed on the internet

For more information on Security Groups please visit the below URL:

https://docs.IAM.amazon.com/IAMEC2/latest/UserGuide/usins-network-security.htmll

The correct answers are: wg-123 - Allow ports 80 and 443 from 0.0.0.0/0, db-345 - Allow port 1433 from wg-123

Submit your Feedback/Queries to our Experts

"automatic key rotation has no effect on the data that the CMK protects. It does not rotate the data keys that the CMK generated or re-encrypt any data protected by the CMK, and it will not mitigate the effect of a compromised data key. You might decide to create a new CMK and use it in place of the original CMK. This has the same effect as rotating the key material in an existing CMK, so it's often thought of as manually rotating the key." https://docs.a ws.amazon.com/kms/latest/developerguide/rotate-keys.html

https://docs.IAM.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-manually for IAM standards

The ideal way is to create an IAM role which has the required permissions and then associate it with the Lambda function

The IAM Documentation additionally mentions the following

Each Lambda function has an IAM role (execution role) associated with it. You specify the IAM role when you create your Lambda function. Permissions you grant to this role determine what IAM Lambda can do when it assumes the role. There are two types of permissions that you grant to the IAM role:

If your Lambda function code accesses other IAM resources, such as to read an object from an S3 bucket or write logs to CloudWatch Logs, you need to grant permissions for relevant Amazon S3 and CloudWatch actions to the role.

If the event source is stream-based (Amazon Kinesis Data Streams and DynamoDB streams), IAM Lambda polls these streams on your behalf. IAM Lambda needs permissions to poll the stream and read new records on the stream so you need to grant the relevant permissions to this role.

Option A is invalid because the VPC endpoint allows access instances in a private subnet to access DynamoDB

Option B is invalid because resources policies are present for resources such as S3 and KMS, but not IAM Lambda

Option C is invalid because IAM Roles should be used and not IAM Users

For more information on the Lambda permission model, please visit the below URL:

https://docs.IAM.amazon.com/lambda/latest/dg/intro-permission-model.html

The correct answer is: Create an IAM service role with permissions to write to the DynamoDB table. Associate that role with the Lambda function.

Submit your Feedback/Queries to our Exp

IAM Region that You Request a Certificate In (for IAM Certificate Manager) If you want to require HTTPS between viewers and CloudFront, you must change the IAM region to US East (N. Virginia) in the IAM Certificate Manager console before you request or import a certificate. If you want to require HTTPS between CloudFront and your origin, and you're using an ELB load balancer as your origin, you can request or import a certificate in any region.

https://doc s.IAM.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html

https://docs.IAM.amazon.com/AmazonS3/latest/dev/UsingMetadata.html https://IAM.amazon.com/blogs/database/best-practices-for-securing-sensitive-data-in-IAM-data-stores/

The IAM Inspector service can inspect EC2 Instances based on specific Rules. One of the rules packages is based on the guidelines set by the Center of Internet Security

Center for Internet security (CIS) Benchmarks

The CIS Security Benchmarks program provides well-defined, un-biased and consensus-based industry best practices to help organizations assess and improve their security. Amazon Web Services is a CIS Security Benchmarks Member company and the list of Amazon Inspector certifications can be viewed nere.

Option A is invalid because this can be used to protect an instance but not give the list of vulnerabilities

Options B and D are invalid because these services cannot give a list of vulnerabilities For more information on the guidelines, please visit the below URL:

* https://docs.IAM.amazon.com/inspector/latest/userguide/inspector_cis.html The correct answer is: Use IAM Inspector

Submit your Feedback/Queries to our Experts

https://docs.amazon IAM.cn/en_us/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Integrating.Authorizing.IAM.KMSCreatePolicy.html

One of the articles from IAM mentions what should be done in such a scenario

If you suspect that your account has been compromised, or if you have received a notification from IAM that the account has been compromised, perform the following tasks:

Change your IAM root account password and the passwords of any IAM users.

Delete or rotate all root and IAM Identity and Access Management (IAM) access keys.

Delete any resources on your account you didn't create, especially running EC2 instances, EC2 spot bids, or IAM users.

Respond to any notifications you received from IAM Support through the IAM Support Center.

Option C is invalid because there could be compromised instances or resources running on your environment. They should be shutdown or stopped immediately.

For more information on the article, please visit the below URL:

https://IAM.amazon.com/premiumsupport/knowledee-center/potential-account-compromise >

The correct answers are: Change the root account password. Rotate all IAM access keys. Change the password for all IAM users. Submit your Feedback/Queries to our Experts

Initiate the lock by attaching a vault lock policy to your vault, which sets the lock to an in-progress state and returns a lock ID. While in the in-progress state, you have 24 hours to validate your vault lock policy before the lock ID expires. Use the lock ID to complete the lock process. If the vault lock policy doesn't work as expected, you can abort the lock and restart from the beginning. For information on how to use the S3 Glacier API to lock a vault, see Locking a Vault by Using the Amazon S3 Glacier API. https://docs.IAM.amazon.com/amazonglacier/latest/dev/vault-lock-policy.html

https://docs. IAM.amazon.com/vpc/latest/userguide/vpc-dns.html

https://IAM.amazon.com/answers/networking/vpc-security-capabilities/ Security Group is stateful and hypervisor level.

You can use the IAMConfig history to see the history of a particular item.

The below snapshot shows an example configuration for a user in IAM Config

C:\Users\wk\Desktop\mudassar\Untitled.jpg

Option B,C and D are all invalid because these services cannot be used to see the history of a particular configuration item. This can only be accomplished by IAM Config.

For more information on tracking changes in IAM Config, please visit the below URL:

https://docs.IAM.amazon.com/AmazonCloudFront/latest/DeveloperGuide/TrackineChanees.htmll

The correct answer is: Use IAM Config to examine the employee's IAM permissions prior to the incident and compare them the employee's current IAM permissions.

Submit your Feedback/Queries to our Experts

Explanation

An IAM policy can deny access to KMS except through your VPC endpoint with the following condition statement:

"Condition": {

"StringNotEquals": {

"IAM:sourceVpce": "vpce-0295a3caf8414c94a"

}

}

If you select the Enable Private DNS Name option, the standard IAM KMS DNS hostname

(https://kms. <region>.amazonIAM.com) resolves to your VPC endpoint.

https://d 1.IAMstatic.com/whitepapers/IAM_security_incident_response.pdf

This concept is given in the IAM Documentation

How do I submit a penetration testing request for my IAM resources?

Issue

I want to run a penetration test or other simulated event on my IAM architecture. How do I get permission from IAM to do that?

Resolution

Before performing security testing on IAM resources, you must obtain approval from IAM. After you submit your request IAM will reply in about two business days.

IAM might have additional questions about your test which can extend the approval process, so plan accordingly and be sure that your initial request is as detailed as possible.

If your request is approved, you'll receive an authorization number.

Option A.B and D are all invalid because the first step is to get prior authorization from IAM for penetration tests

For more information on penetration testing, please visit the below URL

* https://IAM.amazon.com/security/penetration-testing/

* https://IAM.amazon.com/premiumsupport/knowledge-center/penetration-testing/

(

The correct answer is: Submit a request to IAM Support Submit your Feedback/Queries to our Experts

https:// IAM.amazon.com/blogs/IAM/cloudwatch-log-service/

MetricFilter:

Type: 'IAM::Logs::MetricFilter'

Properties:

LogGroupName: ''

FilterPattern: >-

{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName =

AuthorizeSecurityGroupEgress) || ($.eventName =

RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress)

|| ($.eventName = CreateSecurityGroup) || ($.eventName =

DeleteSecurityGroup) }

MetricTransformations:

- MetricValue: '1'

MetricNamespace: CloudTrailMetrics

MetricName: SecurityGroupEventCount

https://docs .IAM.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html

https:// IAM.amazon.com/blogs/compute/maintaining-transport-layer-security-all-the-way-to-your-container-using-the-network-load-balancer-with-amazon-ecs/

The IAM Documentation mentions the following

All objects by default are private. Only the object owner has permission to access these objects. However, the object owner can optionally share objects with others by creating a pre-signed URL using their own security credentials, to grant time-limited permission to download the objects.

Option A is invalid because this can be used to prevent accidental deletion of objects

Option C is invalid because timestamps are not possible for Roles

Option D is invalid because policies is not the right way to limit access based on time

For more information on pre-signed URL's, please visit the URL:

https://docs.IAM.ama2on.com/AmazonS3/latest/dev/ShareObiectPreSisnedURL.html

The correct answer is: Use Pre-signed URL's Submit your Feedback/Queries to our Experts

The IAM Documentation mentions the following

The IAM CloudHSM service helps you meet corporate, contractual and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) instances within the IAM cloud. IAM and IAM Marketplace partners offer a variety of solutions for protecting sensitive data within the IAM platform, but for some applications and data subject to contractual or regulatory mandates for managing cryptographic keys, additional protection may be necessary. CloudHSM complements existing data protection solutions and allows you to protect your encryption keys within HSMs that are desigr and validated to government standards for secure key management. CloudHSM allows you to securely generate, store and manage cryptographic keys used for data encryption in a way that keys are accessible only by you.

Option A.B and Care invalid because in all of these cases, the management of the key will be with IAM. Here the question specifically mentions that you want to have exclusive access over the keys. This can be achieved with Cloud HSM

For more information on CloudHSM, please visit the following URL:

https://IAM.amazon.com/cloudhsm/faq:

The correct answer is: Use Cloud HSM Submit your Feedback/Queries to our Experts

Explanation

A web access control list (web ACL) gives you fine-grained control over the web requests that your Amazon API Gateway API, Amazon CloudFront distribution or Application Load Balancer responds to.

https://docs. IAM.amazon.com/config/latest/developerguide/approved-amis-by-id.html

https://docs.IAM.amazon.com/whitepapers/latest/IAM-vpc-connectivity-options/IAM-direct-connect-plus-vpn-network-to-amazon.html

https://docs. IAM.amazon.com/IAMEC2/latest/UserGuide/troubleshooting-launch.html

https://docs. IAM.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html

Enabling server-side encryption encrypts the log files but not the digest files with SSE-KMS. Digest files are encrypted with Amazon S3-managed encryption keys (SSE-S3). https://docs. IAM.amazon.com/IAMcloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-IAM-kms.html

"To turn off access to instance metadata on an existing instance....." https://docs.IAM.amazon.com/IAMEC2/latest/UserGuide/configuring-instance-metadata-service.html You can disable the service for existing (running or stopped) ec2 instances. https://docs. IAM.amazon.com/cli/latest/reference/ec2/modify-instance-metadata-options.html

https://docs.IAM.amazon.com/IAMEC2/latest/UserGuide/using-eni.html

https://IAM.amazon.com/blogs/security/automatically-update-IAM-waf-ip-sets-with-IAM-ip-ranges/ to update CF ip range.

https://docs. IAM.amazon.com/IAMcloudtrail/latest/userguide/best-practices-security.html

"For an ongoing record of events in your IAM account, you must create a trail. Although CloudTrail provides 90 days of event history information for management events in the CloudTrail console without creating a trail, it is not a permanent record, and it does not provide information about all possible types of events. For an ongoing record, and for a record that contains all the event types you specify, you must create a trail, which delivers log files to an Amazon S3 bucket that you specify."

https:// IAM.amazon.com/blogs/security/how-to-record-and-govern-your-iam-resource-configurations-using-IAM-config/

https://docs. IAM.amazon.com/organizations/latest/APIReference/API_DetachPolicy.html

Every root, OU, and account must have at least one SCP attached. If you want to replace the default FullIAMAccess policy with an SCP that limits the permissions that can be delegated, you must attach the replacement SCP before you can remove the default SCP. This is the authorization strategy of an "allow list". If you instead attach a second SCP and leave the FullIAMAccess SCP still attached, and specify "Effect": "Deny" in the second SCP to override the "Effect": "Allow" in the FullIAMAccess policy (or any other attached SCP), you're using the authorization strategy of a "deny list".