SCS-C01 Questions and Answers

Option A

Option B

Option C

Option D

Option E

Option F

It places too much emphasis on already implemented security controls.

The response plan is not implemented on a regular basis

The response plan does not cater to new services

The response plan is complete in its entirety

Enable VPC Flow Logs in all VPCs Create a scheduled IAM Lambda function that downloads and parses the logs, and sends an Amazon SNS notification for violations.

Use IAM CloudTrail to make a trail, and apply it to all Regions Specify an Amazon S3 bucket to receive all the CloudTrail log files

Add the following bucket policy to the company's IAM CloudTrail bucket to prevent log tampering

{

"Version": "2012-10-17-,

"Statement": {

"Effect": "Deny",

"Action": "s3:PutObject",

"Principal": "-",

"Resource": "arn:IAM:s3:::cloudtrail/IAMLogs/111122223333/*"

}

}

Create an Amazon S3 data event for an PutObject attempts, which sends notifications to an Amazon SNS topic.

Create a Security Auditor role with permissions to access Amazon CloudWatch Logs m all Regions Ship the logs to an Amazon S3 bucket and make a lifecycle policy to ship the logs to Amazon S3 Glacier.

Verify that Amazon GuardDuty is enabled in all Regions, and create an Amazon CloudWatch Events rule for Amazon GuardDuty findings Add an Amazon SNS topic as the rule's target

Use encrypted Amazon EBS volumes with Amazon default keys (IAM EBS)

Use server-side encryption with customer-provided keys (SSE-C)

Use server-side encryption with IAM KMS managed keys (SSE-KMS)

Use server-side encryption with Amazon S3 managed keys (SSE-S3)

Outbound SG configuration on database servers Inbound SG configuration on application servers inbound and outbound network ACL configuration on the database subnet Inbound and outbound network ACL configuration on the application server subnet

Inbound SG configuration on database servers

Outbound SG configuration on application servers

Inbound and outbound network ACL configuration on the database subnet

Inbound and outbound network ACL configuration on the application server subnet

Inbound and outbound SG configuration on database servers Inbound and outbound SG configuration on application servers Inbound network ACL configuration on the database subnet Outbound network ACL configuration on the application server subnet

Inbound SG configuration on database servers Outbound SG configuration on application servers Inbound network ACL configuration on the database subnet Outbound network ACL configuration on the application server subnet.

Move the Aurora database into a private subnet that has no internet access routes in the database's current VPC Configure the Lambda functions to use the Aurora

database's new private IP address to access the database Configure the Aurora databases security group to allow access from the private IP addresses of the Lambda functions

Establish a VPC endpoint between the two VPCs in the Aurora database's VPC configure a service VPC endpoint for Amazon RDS In the Lambda functions' VPC.

configure an interface VPC endpoint that uses the service endpoint in the Aurora database's VPC Configure the service endpoint to allow connections from the Lambda functions.

Establish an AWS Direct Connect interface between the VPCs Configure the Lambda functions to use a new route table that accesses the Aurora database through the Direct Connect interface Configure the Aurora database's security group to allow access from the Direct Connect interface IP address

Move the Lambda functions into a public subnet in their VPC Move the Aurora database into a private subnet in its VPC Configure the Lambda functions to use the Aurora database's new private IP address to access the database Configure the Aurora database to allow access from the public IP addresses of the Lambda functions

Create a new Customer Key using KMS and attach it to the existing volume

You cannot decrypt the data that was encrypted under the CMK, and the data is not recoverable.

Request IAM Support to recover the key

Use IAM Config to recover the key

Configure Amazon Macie to continuously check the configuration of all S3 buckets.

Enable IAM Config to check the configuration of each S3 bucket.

Set up IAM Systems Manager to monitor S3 bucket policies for public write access.

Configure an Amazon EC2 instance to have an IAM role and a cron job that checks the status of all S3 buckets.

Use IAM Config to monitor changes to the IAM Bucket

Use IAM Lambda function to change the bucket policy

Use IAM Trusted Advisor API to monitor the changes to the IAM Bucket

Use IAM Lambda function to change the bucket ACL

In the statement block that contains the Sid "Allow use of the key", under the "Condition" block, change StringEquals to StringLike.

In the policy document, remove the statement Dlock that contains the Sid "Enable IAM User Permissions". Add key management policies to the KMS policy.

In the statement block that contains the Sid "Allow use of the Key", under the "Condition" block, change the Kms:ViaService value to ec2.us-east-1 .amazonIAM com.

In the policy document, add a new statement block that grants the kms:Disable' permission to the security engineer's IAM role.

Ensure Cloudtrail for each region. Then enable for each future region.

Ensure one Cloudtrail trail is enabled for all regions.

Create a Cloudtrail for each region. Use Cloudformation to enable the trail for all future regions.

Create a Cloudtrail for each region. Use IAM Config to enable the trail for all future regions.

Add full Amazon Inspector IAM permissions to the Security Hub service role to allow it to perform the CIS compliance evaluation

Ensure that IAM Trusted Advisor Is enabled in the account and that the Security Hub service role has permissions to retrieve the Trusted Advisor security-related recommended actions

Ensure that IAM Config. is enabled in the account, and that the required IAM Config rules have been created for the CIS compliance evaluation

Ensure that the correct trail in IAM CloudTrail has been configured for monitoring by Security Hub and that the Security Hub service role has permissions to perform the GetObject operation on CloudTrails Amazon S3 bucket

The CMK that is used in the attempt does not exist.

The CMK that is used in the attempt needs to be rotated.

The CMK that is used in the attempt is using the CMK's key ID instead of the CMK ARN.

The CMK that is used in the attempt is not enabled.

The CMK that is used in the attempt is using an alias.

Configure S3 server-side encryption. Create an S3 bucket policy that has an explicit deny rule for all users for s3:DeleteObject and s3:PutObject API calls. Configure S3 Object Lock to use governance mode with a retention period of 7 years.

Configure S3 server-side encryption. Configure S3 Versioning on the S3 bucket. Configure S3 Object Lock to use compliance mode with a retention period of 7 years.

Configure S3 Versioning. Configure S3 Intelligent-Tiering on the S3 bucket to move the documents to S3 Glacier Deep Archive storage. Use S3 server-side encryption immediately. Expire the objects after 7 years.

Set up S3 Event Notifications and use S3 server-side encryption. Configure S3 Event Notifications to target an AWS Lambda function that will review any S3 API call to the S3 bucket and deny the s3:DeleteObject and s3:PutObject API calls. Remove the S3 event notification after 7 years.

Analyze an IAM Identity and Access Management (IAM) use report from IAM Trusted Advisor to see when the access key was last used.

Analyze Amazon CloudWatch Logs for activity by searching for the access key.

Analyze VPC flow logs for activity by searching for the access key

Analyze a credential report in IAM Identity and Access Management (IAM) to see when the access key was last used.

Enable Amazon GuardDuty to automatically monitor for malicious activity and block unauthorized access.

Subscribe to IAM Shield Advanced and reach out to IAM Support in the event of an attack.

Use VPC Flow Logs to monitor network: traffic and an IAM Lambda function to automatically block an attacker's IP using security groups.

Set up an Amazon CloudWatch Events rule to monitor the IAM CloudTrail events in real time use IAM Config rules to audit the configuration, and use IAM Systems Manager for remediation.

Use IAM WAF to create rules to respond to such attacks

Use Bucket policies

Use the Secure Token service

Use IAM user policies

Use IAM Access Keys

Move the SCP to the root OU of organization to remove the restriction to access Amazon $3.

Add an IAM policy for the developer, which grants $3 access.

Create a new OU without applying the SCP restricting $3 access. Move the developer account to this new OU.

Add an allow list for the developer account for the $3 service.

Specify “IAM:SecureTransport”: “true” within a condition in the S3 bucket policy.

Enable a security group for the S3 bucket that allows port 443, but not port 80.

Set up default encryption for the S3 bucket.

Enable Amazon CloudWatch Logs for the IAM account.

Enable API logging of data events for all S3 objects.

Enable S3 object versioning for the S3 bucket.

Turn on Cloud trail and carry out the penetration test

Turn on VPC Flow Logs and carry out the penetration test

Submit a request to IAM Support

Use a custom IAM Marketplace solution for conducting the penetration test

The external ID used by the Auditor is missing or incorrect.

The Auditor is using the incorrect password.

The Auditor has not been granted sts:AssumeRole for the role in the destination account.

The Amazon EC2 role used by the Auditor must be set to the destination account role.

The secret key used by the Auditor is missing or incorrect.

The role ARN used by the Auditor is missing or incorrect.

In the IAM Console, choose the IAM service and select “Users”. Review the “Access Key Age” column.

Define an IAM policy that denies access if the key age is more than three months and apply to all users.

Write a script that uses the GenerateCredentialReport, GetCredentialReport, and UpdateAccessKey APIs.

Create an Amazon CloudWatch alarm to detect aged access keys and use an IAM Lambda function to disable the keys older than 90 days.

IAM User name and password

Key pairs

IAM Access keys

IAM SDK keys

Configure an Amazon Route 53 routing policy to send all web traffic that does not include the required headers to a black hole.

Implement an IAM Lambda@Edge origin response function that inserts the required headers.

Migrate the legacy application to an Amazon S3 static website and front it with an Amazon CloudFront distribution.

Construct an IAM WAF rule to replace existing HTTP headers with the required security headers by using regular expressions.

Detach the elastic network interface from the EC2 instance.

Initiate an Amazon Elastic Block Store volume snapshot of all volumes on the EC2 instance.

Disable any Amazon Route 53 health checks associated with the EC2 instance.

De-register the EC2 instance from the ALB and detach it from the Auto Scaling group.

Attach a security group that has restrictive ingress and egress rules to the EC2 instance.

Add a rule to an IAM WAF to block access to the EC2 instance.

Server-side encryption with Amazon S3-managed keys (SSE-S3)

Server-side encryption with IAM KMS-managed keys (SSE-KMS)

Server-side encryption with customer-provided keys (SSE-C)

Client-side encryption with an IAM KMS-managed CMK

Change the key policy permissions associated with the KMS CMK for each application when it must access the data in Amazon S3.

Have each application assume an IAM role that provides permissions to use the IAM Certificate Manager CMK.

Have each application use a grant on the KMS CMK to add or remove specific access controls on the KMS CMK.

Have each application use an IAM policy in a user context to have specific access permissions on the KMS CMK.

Use KMS automatic key rotation to replace the master key, and use this new master key for future encryption operations without re-encrypting previously encrypted data.

Generate a new Customer Master Key (CMK), re-encrypt all existing data with the new CMK, and use it for all future encryption operations.

Change the CMK alias every 90 days, and update key-calling applications with the new key alias.

Change the CMK permissions to ensure that individuals who can provision keys are not the same individuals who can use the keys.

Use a VPC endpoint

Attach an Internet gateway to the subnet

Attach a VPN connection to the VPC

Use VPC Peering

Use IAM Config to detect whether an Internet Gateway is added and use an IAM Lambda function to provide auto-remediation.

Within the Amazon VPC configuration, mark the VPC as private and disable Elastic IP addresses.

Use IPv6 addressing exclusively on the EC2 hosts, as this prevents the hosts from being accessed from the internet.

Move the workload to a Dedicated Host, as this provides additional network security controls and monitoring.

The policy allows access for the IAM account 111122223333 to manage key access though IAM policies.

The policy allows all IAM users in account 111122223333 to have full access to the KMS key.

The policy allows the root user in account 111122223333 to have full access to the KMS key.

The policy allows the KMS service-linked role in account 111122223333 to have full access to the KMS key.

The policy allows all IAM roles in account 111122223333 to have full access to the KMS key.

Shutdown the instance

Remove the rule for incoming traffic on port 22 for the Security Group

Change the AMI for the instance

Change the Instance type for the instance

Configure a proxy solution on Amazon EC2 and route all outbound VPC traffic through it. Perform inspection within proxy software on the EC2 instance.

Configure the host-based agent on each EC2 instance within the VPC. Perform inspection within the host-based agent.

Enable VPC Flow Logs for all subnets in the VPC. Perform inspection from the Flow Log data within Amazon CloudWatch Logs.

Configure Elastic Load Balancing (ELB) access logs. Perform inspection from the log data within the ELB access log files.

Configure the CloudWatch Logs agent on each EC2 instance within the VPC. Perform inspection from the log data within CloudWatch Logs.

Use IAM Systems Manager to store the credentials as Secure Strings Parameters. Secure by using an IAM KMS key.

Use IAM Key Management System to store a master key, which is used to encrypt the credentials. The encrypted credentials are stored in an Amazon RDS instance.

Use IAM Secrets Manager to store the credentials.

Store the credentials in a JSON file on Amazon S3 with server-side encryption.

Log on to each EC2 instance, check and export the different software versions installed, and verify this against a list of current CVEs.

Install the Amazon Inspector agent on all development instances Build a custom rule package, and configure Inspector to perform a scan using this custom rule on all instances tagged as being in the development environment.

Install the Amazon Inspector agent on all development instances Configure Inspector to perform a scan using the CVE rule package on all instances tagged as being in the development environment.

Install the Amazon EC2 System Manager agent on all development instances Issue the Run command to EC2 System Manager to update all instances

Use IAM Trusted Advisor to check that all EC2 instances have been patched to the most recent version of operating system and installed software.

Change the volume encryption on the EBS volume to use a different encryption mechanism. Then, release the EBS volumes back to IAM.

Release the volumes back to IAM. IAM immediately wipes the disk after it is deprovisioned.

Delete the encryption key used to encrypt the EBS volume. Then, release the EBS volumes back to IAM.

Delete the data by using the operating system delete commands. Run Quick Format on the drive and then release the EBS volumes back to IAM.

Add the IAM:sourceVpce condition to the IAM KMS key policy referencing the company's VPC endpoint ID.

Remove the VPC internet gateway from the VPC and add a virtual private gateway to the VPC to prevent direct, public internet connectivity.

Create a VPC endpoint for IAM KMS with private DNS enabled.

Use the KMS Import Key feature to securely transfer the IAM KMS key over a VPN.

Add the following condition to the IAM KMS key policy: "IAM:SourceIp": "10.0.0.0/16".

Confirm that the EC2 instance's security group authorizes S3 access.

Verify that the KMS key policy allows decrypt access for the KMS key for this IAM principle.

Check the S3 bucket policy for statements that deny access to objects.

Confirm that the EC2 instance is using the correct key pair.

Confirm that the IAM role associated with the EC2 instance has the proper privileges.

Confirm that the instance and the S3 bucket are in the same Region.

Read the IAM Customer Agreement.

Use IAM Artifact to access IAM compliance reports.

Post the question on the IAM Discussion Forums.

Run IAM Config and evaluate the configuration outputs.

Create an S3 bucket in a dedicated log account and grant the other accounts write only access. Deliver all log files from every account to this S3 bucket.

Write a Lambda function that queries the Trusted Advisor Cloud Trail checks. Run the function every 10 minutes.

Enable CloudTrail log file integrity validation

Use Systems Manager Configuration Compliance to continually monitor the access policies of S3 buckets containing Cloud Trail logs.

Create a Security Group that blocks all traffic except calls from the CloudTrail service. Associate the security group with) all the Cloud Trail destination S3 buckets.

Add each employee’s home IP address to the security group for the application so that only those users can access the workload.

Create a virtual gateway for VPN connectivity for each employee, and restrict access to the workload from within the VPC.

Use a VPN appliance from the IAM Marketplace for users to connect to, and restrict workload access to traffic from that appliance.

Route all traffic to the workload through IAM WAF. Add each employee’s home IP address into an IAM WAF rule, and block all other traffic.

Use Cloudwatch metrics and logs to watch for errors

Use Cloudtrail to monitor for errors

Use the IAM Config service to monitor for errors

Use the IAM inspector service to monitor for errors

The S3 bucket policy does not explicitly allow the Security Engineer access to the objects in the bucket.

The object ACLs are not being updated to allow the users within the centralized account to access the objects

The Security Engineers IAM policy does not grant permissions to read objects in the S3 bucket

The s3:PutObject and s3:PutObjectAcl permissions should be applied at the S3 bucket level

wg-123 -Allow ports 80 and 443 from 0.0.0.0/0

db-345 - Allow port 1433 from wg-123

wg-123 - Allow port 1433 from wg-123

db-345 -Allow ports 1433 from 0.0.0.0/0

All principals from all IAM accounts to use the key.

Only the root user from account 111122223333 to use the key.

All principals from account 111122223333 to use the key but only on Amazon S3.

Only principals from account 111122223333 that have an IAM policy applied that grants access to this key to use the key.

Upload an SSL certificate to IAM, and configure Amazon CloudFront with the passphrase for the private key.

Call KMS.Encrypt() in the client, passing in the data file contents, and call KMS.Decrypt() server-side.

Use IAM Certificate Manager to provision a certificate on an Elastic Load Balancing in front of the web service’s servers.

Create a new VPC with an Amazon VPC VPN endpoint, and update the web service’s DNS record.

Enable IAM Trusted Advisor security checks in the IAM Console, and report all security incidents for all regions.

Enable IAM CloudTrail by creating individual trails for each region, and specify a single Amazon S3 bucket to receive log files for later analysis.

Enable IAM CloudTrail by creating a new trail and applying the trail to all regions. Specify a single Amazon S3 bucket as the storage location.

Enable Amazon CloudWatch logging for all IAM services across all regions, and aggregate them to a single Amazon S3 bucket for later analysis.

An IAM Managed Policy

An Inline Policy

A Bucket Policy

A bucket ACL

Amazon S3 static web hosting

Amazon CloudFront distribution

Application Load Balancer

Amazon Route 53

VPC Flow Logs

IAM managed Customer Master Key (CMK)

Customer managed CMK with IAM generated key material

Customer managed CMK with imported key material

IAM managed data key

In the security group of the EC2 instance, allow inbound ICMP traffic.

In the security group of the EC2 instance, allow outbound ICMP traffic.

In the VPC's NACL, allow inbound ICMP traffic.

In the VPC's NACL, allow outbound ICMP traffic.

Configure an IAM policy that allows the least permissive actions to communicate with the API Gateway Attach the policy to the role used by the legacy EC2 instances

Enable IAM WAF for API Gateway Configure rules to explicitly allow connections from the legacy EC2 instances

Create a VPC endpoint for API Gateway Attach an IAM resource policy that allows the role of the legacy EC2 instances to call specific APIs

Create a usage plan Generate a set of API keys for each application that needs to call the API.

Configure cross-origin resource sharing (CORS) in each API Share the CORS information with the applications that call the API.

Add an inbound rule to the security group associated with the logging server that allows requests from the web server

Add an outbound rule to the security group associated with the web server that allows requests to the logging server.

Add a route to the route table associated with the subnet that hosts the logging server that targets the peering connection

Add a route to the route table associated with the subnet that hosts the web server that targets the peering connection

Create a cron job that runs a script lo download the IAM IAM security credentials We. parse the file for account root user logins and email the Security team's distribution 1st

Run IAM CloudTrail logs through Amazon CloudWatch Events to detect account roo4 user logins and trigger an IAM Lambda function to send an Amazon SNS notification to the Security team's distribution list.

Save IAM CloudTrail logs to an Amazon S3 bucket in the Security team's account Process the CloudTrail logs with the Security Engineer's logging solution for account root user logins Send an Amazon SNS notification to the Security team upon encountering the account root user login events

Save VPC Plow Logs to an Amazon S3 bucket in the Security team's account and process the VPC Flow Logs with their logging solutions for account root user logins Send an Amazon SNS notification to the Security team upon encountering the account root user login events

Create an Amazon S3 lifecycle policy that archives IAM CloudTrail trail logs to Amazon S3 Glacier after 90 days. Configure Amazon Inspector to provide a notification when a policy change is made to resources.

Configure IAM Artifact to archive IAM CloudTrail logs Configure IAM Trusted Advisor to provide a notification when a policy change is made to resources.

Configure Amazon CloudWatch to export log groups to Amazon S3. Configure IAM CloudTrail to provide a notification when a policy change is made to resources.

Create an IAM CloudTrail trail that stores audit logs in Amazon S3. Configure an IAM Config rule to provide a notification when a policy change is made to resources.

Set up an S3 bucket policy with the IAMsecuretransport key Configure the CloudFront origin access identity (OAI) with the S3 bucket Configure CloudFront to use specific ciphers. Enforce the ALB with an HTTPS listener only and select the appropriate security policy for the ciphers Link the ALB with IAM WAF to allow access from the CloudFront IP ranges.

Set up an S3 bucket policy with the IAM:securetransport key. Configure the CloudFront origin access identity (OAI) with the S3 bucket. Enforce the ALB with an HTTPS listener only and select the appropriate security policy for the ciphers.

Modify the CloudFront distribution to use IAM WAF. Force HTTPS on the S3 bucket with specific ciphers in the bucket policy. Configure an HTTPS listener only for the ALB. Set up a security group to limit access to the ALB from the CloudFront IP ranges

Modify the CloudFront distribution to use the ALB as the origin. Enforce an HTTPS listener on the ALB. Create a path-based routing rule on the ALB with proxies that connect lo Amazon S3. Create a bucket policy to allow access from these proxies only.

The CMK specified in the application does not exist.

The CMK specified in the application is currently in use.

The CMK specified in the application is using the CMK KeyID instead of CMK Amazon Resource Name.

The CMK specified in the application is not enabled.

The CMK specified in the application is using an alias.

The SOS queue does not allow the SQS SendMessage action from the SNS topic

The SNS topic does not allow the SNS Publish action from Amazon S3

The SNS topic is not delivering raw messages to the SQS queue

The S3 bucket policy does not allow CloudTrail to perform the PutObject action

The IAM role used by the 5EM tool does not have permission to subscribe to the SNS topic

The IAM role used by the SEM tool does not allow the SQS DeleteMessage action.

Option A

Option B

Option C

Option D

The S3 ACL for the S3 bucket fails to explicitly grant access to the Application Developer

The IAM KMS key for the S3 bucket fails to list the Application Developer as an administrator

The S3 bucket policy fails to explicitly grant access to the Application Developer

The S3 bucket policy explicitly denies access to the Application Developer

Create an IAM Config rule defining the patch as a required configuration for EC2 instances.

Use the IAM Systems Manager Run Command to patch affected instances.

Use an IAM Systems Manager Patch Manager predefined baseline to patch affected instances.

Use IAM Systems Manager Session Manager to log in to each affected instance and apply the patch.

Use IAM Resource Access Manager (IAM RAM) to monitor the IAM CloudTrail configuration. Send notifications using Amazon SNS.

Create an Amazon CloudWatch Events rule to monitor Amazon GuardDuty findings. Send email notifications using Amazon SNS.

Update security contact details in IAM account settings for IAM Support to send alerts when suspicious activity is detected.

Use Amazon Inspector to automatically detect security issues. Send alerts using Amazon SNS.

Disable the EC2 instance metadata service.

Log all student SSH interactive session activity.

Implement ip tables-based restrictions on the instances.

Install the Amazon Inspector agent on the instances.

Remove the instance from the Auto Scaling group Place the instance within an isolation security group, detach the EBS volume launch an EC2 instance with a forensic toolkit and attach the E8S volume to investigate

Remove the instance from the Auto Scaling group and the Elastic Load Balancer Place the instance within an isolation security group, launch an EC2 instance with a forensic toolkit, and allow the forensic toolkit image to connect to the suspicious Instance to perform the Investigation.

Remove the instance from the Auto Scaling group Place the Instance within an isolation security group, launch an EC2 Instance with a forensic toolkit and use the forensic toolkit imago to deploy an ENI as a network span port to inspect all traffic coming from the suspicious instance.

Remove the instance from the Auto Scaling group and the Elastic Load Balancer Place the instance within an isolation security group, make a copy of the EBS volume from a new snapshot, launch an EC2 Instance with a forensic toolkit and attach the copy of the EBS volume to investigate.

Verify that the log file prefix is set to the name of the S3 bucket where the logs should go.

Verify that the S3 bucket policy allows access for CloudTrail from the production IAM account IDs.

Create a new CloudTrail configuration in the account, and configure it to log to the account’s S3 bucket.

Confirm in the CloudTrail Console that each trail is active and healthy.

Open the global CloudTrail configuration in the master account, and verify that the storage location is set to the correct S3 bucket.

Confirm in the CloudTrail Console that the S3 bucket name is set correctly.

One in the US West (Oregon) region and one in the US East (Virginia) region.

Two in the US West (Oregon) region and none in the US East (Virginia) region.

One in the US West (Oregon) region and none in the US East (Virginia) region.

Two in the US East (Virginia) region and none in the US West (Oregon) region.

Configure SSLTLS on the EC2 instances and configure the ALB target group to use HTTPS

Ensure that all resources are in the same VPC so the default encryption provided by the VPC is used to encrypt the traffic between the EC2 instances.

In the ALB. select the default encryption to encrypt the traffic between the ALB and the EC2 instances

In the code for the application, include a cryptography library and encrypt the data before sending it between the EC2 instances

Configure IAM Direct Connect to provide an encrypted tunnel between the EC2 instances

Move the SCP to the root OU of Organizations to remove the restriction to access Amazon S3.

Add an IAM policy for the Developer, which grants S3 access.

Create a new OU without applying the SCP restricting S3 access. Move the Developer account to this new OU.

Add an allow list for the Developer account for the S3 service.

Use IAM Secrets Manager and an IAM SDK to create a unique secret for the customer-specific data

Use IAM Key Management Service (IAM KMS) and the IAM Encryption SDK to generate and store a data encryption key for each customer.

Use IAM Key Management Service (IAM KMS) with service-managed keys to generate and store customer-specific data encryption keys

Use IAM Key Management Service (IAM KMS) and create an IAM CloudHSM custom key store Use CloudHSM to generate and store a new CMK for each customer.

Edit the existing VPC Flow Logs. Change the log format of the VPC Flow Logs from the Amazon default format to a custom format.

Delete and recreate the existing VPC Flow Logs. Change the log format of the VPC Flow Logs from the Amazon default format to a custom format.

Change the destination to Amazon CloudWatch Logs.

Include the pkt-srcaddr and pkt-dstaddr fields in the log format.

Include the subnet-id and instance-id fields in the log format.

Run an Amazon EMP cluster that uses a MapReduce job to be examine the CloudTrail trails.

Use the events history/feature of the CloudTrail console to query the CloudTrail trails.

Write an IAM Lambda function to query the CloudTrail trails Configure the Lambda function to be executed whenever a new file is created in the CloudTrail S3 bucket.

Create an Amazon Athena table that tools at the S3 bucket the CloudTrail trails are being written to Use Athena to run queries against the trails.

UseSCPs

Add a permissions boundary to deny access to Amazon S3 and attach it to all roles

Use an S3 bucket policy

Create a VPC endpoint for Amazon S3 and deny statements for access to Amazon S3

Launch the EC2 instances with an IAM role attached. Include a user data script that uses the IAM CLI to retrieve the list of bad IP addresses from IAM Secrets Manager and uploads it as a threat list in Amazon GuardDuty Use Amazon Inspector to scan the instances for known software vulnerabilities and CIS Benchmarks compliance

Launch the EC2 instances with an IAM role attached Include a user data script that uses the IAM CLl to create NACLs blocking ingress traffic from the known bad IP addresses in the EC2 instance's subnets Use IAM Systems Manager to scan the instances for known software vulnerabilities, and IAM Trusted Advisor to check instances for CIS Benchmarks compliance

Launch the EC2 instances with an IAM role attached Include a user data script that uses the IAM CLl to create and attach security groups that only allow an allow listed source IP address range inbound. Use Amazon Inspector to scan the instances for known software vulnerabilities, and IAM Trusted Advisor to check instances for CIS Benchmarks compliance

Launch the EC2 instances with an IAM role attached Include a user data script that creates a cron job to periodically retrieve the list of bad IP addresses from Amazon S3, and configures iptabies on the instances blocking the list of bad IP addresses Use Amazon inspector to scan the instances for known software vulnerabilities and CIS Benchmarks compliance.

Create a new CMK. Download a new wrapping key and a new import token to import the original key material

Create a new CMK Use the original wrapping key and import token to import the original key material.

Download a new wrapping key and a new import token Import the original key material into the existing CMK.

Use the original wrapping key and import token Import the original key material into the existing CMK

Use IAM WAF with an upgrade to the IAM Business support plan

Use IAM Certificate Manager with an Application Load Balancer configured with an origin access identity

Use IAM Shield Advanced

Use IAM WAF to protect IAM Lambda functions encrypted with IAM KMS and a NACL restricting all Ingress traffic

Add an origin custom header Set the viewer protocol policy to HTTP and HTTPS Set the origin protocol pokey to HTTPS only Update the application to validate the CloudFront custom header

Add an origin custom header Set the viewer protocol policy to HTTPS only Set the origin protocol policy to match viewer Update the application to validate the CloudFront custom header.

Add an origin custom header Set the viewer protocol policy to redirect HTTP to HTTPS Set the origin protocol policy to HTTP only Update the application to validate the CloudFront custom header.

Add an origin custom header Set the viewer protocol policy to redirect HTTP to HTTPS. Set the origin protocol policy to HTTPS only Update the application to validate the CloudFront custom header

Enable server access logging for the bucket

Enable Cloudwatch metrics for the bucket

Enable Cloudwatch logs for the bucket

Enable IAM Config for the S3 bucket