SCS-C02 Questions and Answers

Configure Amazon EC2 to enable encryption in the EC2 network interface properties.

Configure Amazon EBS to enable volume encryption with AWS Key Management Service (AWS KMS) for data at rest.

Configure Amazon EBS to enable TLS encryption in the volume configuration properties.

Configure Amazon EC2 to enable TLS encryption with certificates that are stored in AWS Certificate Manager (ACM).

Copy all the Lambda code into Amazon S3. Use Amazon Macie to scan the code.

Enable Amazon Inspector. Activate Lambda standard scanning and Lambda code scanning in Amazon Inspector.

Enable Amazon GuardDuty and AWS Security Hub. Review the findings in Security Hub that are labeled as critical.

Enable Amazon GuardDuty. Enable Lambda Protection in GuardDuty.

Use Amazon Inspector. Create inclusion rules in Amazon ECR to match repos-itories that need to be scanned. Push Amazon Inspector findings to AWS Se-curity Hub.

Use ECR basic scanning of container images. Create inclusion rules in Ama-zon ECR to match repositories that need to be scanned. Push findings to AWS Security Hub.

Use ECR basic scanning of container images. Create inclusion rules in Ama-zon ECR to match repositories that need to be scanned. Push findings to Amazon Inspector.

Use Amazon Inspector. Create inclusion rules in Amazon Inspector to match repositories that need to be scanned. Push Amazon Inspector findings to AWS Config.

Use the aws kms encrypt command to encrypt the file by using the existing KMS key.

Use the aws kms create-grant command to generate a grant for the existing KMS key.

Use the aws kms encrypt command to generate a data key. Use the plaintext data key to encrypt the file.

Use the aws kms generate-data-key command to generate a data key. Use the encrypted data key to encrypt the file.

Enable AWS Identity and Access Management Access Analyzer for the organization. Configure the organization as a zone of trust. Filter findings by AWS account ID.

Create a custom AWS Config rule to monitor IAM roles in each account. Deploy an AWS Config aggregator to a central account. Filter findings by AWS account ID.

Activate Amazon Inspector. Integrate Amazon Inspector with AWS Security Hub. Filter findings by AWS account ID for the last role resource type and the S3 bucket policy resource type.

Configure the organization to use Amazon GuardDuty. Filter findings by AWS account ID for the Discovery:IAMUser/AnomalousBehavior finding type.

Option A

Option B

Option C

Option D

Asymmetric AWS managed KMS keys with key material created by AWS KMS

Symmetric customer managed KMS keys with key material created by AWS KMS

Symmetric customer managed KMS keys with custom imported key material

Asymmetric AWS managed KMS keys with custom imported key material

Use the Amazon CloudWatch agent to collect operating system logs. Use Amazon EventBridge to configure an alarm based on a metric filter for failed login attempts. Send an alert to Amazon Simple Notification Service (Amazon SNS) when the defined threshold for the alarm is exceeded. Use Amazon EC2 instance tags to determine which SNS topics receive notifications.

Use AWS Systems Manager Agent to collect operating system logs. Use the Systems Manager Run Command AWS-ConfigureCloudWatch document to configure an Amazon EventBridge event based on a metric filter for failed login attempts. Send an alert to Amazon Simple Notification Service (Amazon SNS) when the defined threshold for the alarm is exceeded. Use SNS messaging filters to control who receives notifications.

Use the Amazon CloudWatch agent to collect operating system logs Create a CloudWatch alarm based on a metric filter for failed login attempts. Send an alert to Amazon Simple Notification Service (Amazon SNS) when the defined threshold for the alarm is exceeded. Use SNS messaging filters to control who receives notifications.

Use AWS Systems Manager Agent to collect operating system logs. Use the Systems Manager Run Command AWS-ConfigureCloudWatch document to configure an Amazon CloudWatch alarm based on a metric filter for failed login attempts. Send an alert to Amazon Simple Notification Service (Amazon SNS) when the defined threshold for the alarm is exceeded. Use EC2 instance tags to determine which SNS topics receive notifications.

Create an AWS Client VPN endpoint in the same Region as the B. VPCs. Configure access through an appropriate subnet and authorization rule.

Create a gateway VPC endpoint in the same Region as the VPCs. D. Configure access through an appropriate subnet and authorization rule.

Configure a centralized Amazon S3 bucket for the logs Enable VPC Flow Logs, AWS CloudTrail, and Amazon Route 53 logs in all accounts. Configure allaccounts to use the centralized S3 bucket. Configure AWS Glue crawlers to parse the log files Use Amazon Athena to query the log data.

Configure log streams in Amazon CloudWatch Logs for the sources that need monitoring. Create log subscription filters for each log stream. Forward themessages to Amazon OpenSearch Service for analysis.

Set up a delegated Amazon Security Lake administrator account in Organizations. Enable and configure Security Lake for the organization. Add the accountsthat need monitoring. Use Amazon Athena to query the log data.

Apply an SCP to configure all member accounts and services to deliver log files to a centralized Amazon S3 bucket. Use Amazon OpenSearch Service toquery the centralized S3 bucket for log entries.

Use inbound rule 100 to allow traffic on TCP port 443. Use inbound rule 200 to deny traffic on TCP port 3306. Use outbound rule 100 to allow traffic on TCP port 443.

Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port range 1024-65535. Use outbound rule 100 to allow traffic on TCP port 443.

Use inbound rule 100 to allow traffic on TCP port range 1024-65535. Use inbound rule 200 to deny traffic on TCP port 3306. Use outbound rule 100 to allow traffic on TCP port 443.

Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port 443. Use outbound rule 100 to allow traffic on TCP port 443.

Enable Amazon RDS encryption to encrypt the database and snapshots. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instances. Include the database credential in the EC2 user data field. Use an AWS Lambda function to rotate database credentials. Set up TLS for the connection to the database.

Install a database on an Amazon EC2 instance. Enable third-party disk encryption to encrypt Amazon Elastic Block Store (Amazon EBS) volume. Store the database credentials in AWS CloudHSM with automatic rotation. Set up TLS for the connection to the database.

Enable Amazon RDS encryption to encrypt the database and snapshots. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instances. Store the database credentials in AWS Secrets Manager with automatic rotation. Set up TLS for the connection to the RDS hosted database.

Set up an AWS CloudHSM cluster with AWS Key Management Service (AWS KMS) to store KMS keys. Set up Amazon RDS encryption using AWS KSM to encrypt the database. Store the database credentials in AWS Systems Manager Parameter Store with automatic rotation. Set up TLS for the connection to the RDS hosted database.

Use AWS Secrets Manager to store the customer managed key in us-west-1 as a secret Use this secret to encrypt the snapshot in us-west-1.

Create a new customer managed key in us-west-1. Use this new key to encrypt the snapshot in us-west-1.

Create an IAM policy that allows access to the customer managed key in us-east-1. Specify am aws kms us-west-1 " as the principal.

Create an IAM policy that allows access to the customer managed key in us-east-1. Specify arn aws rds us-west-1. * as the principal.

The IAM rote does not have permission to use the KMS CreateKey operation.

The S3 bucket lacks a policy that allows access to the customer managed key that encrypts the objects.

The IAM rote does not have permission to use the customer managed key that encrypts the objects that are in the S3 bucket.

The ACL of the S3 objects does not allow read access for the objects when the objects ace encrypted at rest.

Create an Amazon CloudFront distribution and configure the ALB as the origin

Block the malicious IPs with a network access list (NACL).

Create an IAM Web Application Firewall (WAF). and attach it to the ALB

Map the application domain name to use Route 53

B.

C.

D.

Configure trusted access for AWS System Manager in Organizations Configure a bastion host from the management account Replace SSH and RDP by using Systems Manager Session Manager from the management account Configure Session Manager logging to Amazon CloudWatch Logs

Replace SSH and RDP with AWS Systems Manager Session Manager Install Systems Manager Agent (SSM Agent) on the instances Attach the

AmazonSSMManagedlnstanceCore role to the instances Configure session data streaming to Amazon CloudWatch Logs Create a separate logging account that has appropriate cross-account permissions to audit the log data

Install a bastion host in the management account Reconfigure all SSH and RDP to allow access only from the bastion host Install AWS Systems Manager Agent (SSM Agent) on the bastion host Attach the AmazonSSMManagedlnstanceCore role to the bastion host Configure session data streaming to Amazon CloudWatch Logs in a separate logging account to audit log data

Replace SSH and RDP with AWS Systems Manager State Manager Install Systems Manager Agent (SSM Agent) on the instances Attach theAmazonSSMManagedlnstanceCore role to the instances Configure session data streaming to Amazon CloudTrail Use CloudTrail Insights to analyze the trail data

In AWS Cost Explorer, filter chart data to display results from the past 30 days. Export the results to a data table. Group the data table by re-source.

Use AWS Cost Anomaly Detection to create a cost monitor. Access the detec-tion history. Set the time frame to Last 30 days. In the search area, choose the service category.

In AWS CloudTrail, filter the event history to display results from the past 30 days. Create an Amazon Athena table that contains the data. Parti-tion the table by event source.

Use AWS Audit Manager to create an assessment for the past 30 days. Apply a usage-based framework to the assessment. Configure the assessment to as-sess by resource.

Amazon Route 53

IAM Certificate Manager (ACM)

Amazon S3

IAM Shield

Elastic Load Balancer

Amazon GuardDuty

"Bool " : " aws : Multi FactorAuthPresent": "true" }

"B001 " : " aws : MultiFactorAuthPresent": "false" }

"NumericLessThan" : { " aws : Multi FactorAuthAge" : "7200"}

"NumericGreaterThan" : { " aws : MultiFactorAuthAge " : "7200"

"NumericLessThan" : { "MaxSessionDuration " : "7200"}

Log in to the AWS account by using read-only credentials Review the GuardDuty finding for details about the 1AM credentials that were used. Use the 1AM console to add a DenyAII policy to the 1AM pnncipal.

Log in to the AWS account by using read-only credentials Review the GuardDuty finding to determine which API calls initiated the finding Use Amazon Detective to review the API calls in context.

Log in to the AWS account by using administrator credentials Review the GuardDuty finding for details about the 1AM credentials that were used Use the 1AM console to add a DenyAII policy to the 1AM principal.

Log in to the AWS account by using read-only credentials Review the GuardDuty finding to determine which API calls initiated the finding Use AWS CloudTrail Insights and AWS CloudTrail Lake to review the API calls in context.

Update the CloudFront distribution. configuring it to optionally use HTTPS when connecting to origins on Amazon S3

Update the web application configuration on the web servers to use HTTPS instead of HTTP when connecting to DynamoDB

Update the CloudFront distribution to redirect HTTP corrections to HTTPS

Configure the web servers on the EC2 instances to listen using HTTPS using the public ACM TLS certificate Update the ALB to connect to the target group using HTTPS

Update the ALB listen to listen using HTTPS using the public ACM TLS certificate. Update the CloudFront distribution to connect to the HTTPS listener.

Create a TLS certificate Configure the web servers on the EC2 instances to use HTTPS only with that certificate. Update the ALB to connect to the target group using HTTPS.

In CloudTrail, turn on Insights events on the trail. Configure an alarm on the insight with eventName matching ConsoleLogin and errorMessage matching “Failed authentication”. Configure a threshold of 3 and a period of 5 minutes.

Configure CloudTrail to send events to Amazon CloudWatch Logs. Create a metric filter for the relevant log group. Create a filter pattern with eventName matching ConsoleLogin and errorMessage matching “Failed authentication”. Create a CloudWatch alarm with a threshold of 3 and a period of 5 minutes.

Create an Amazon Athena table from the CloudTrail events. Run a query for eventName matching ConsoleLogin and for errorMessage matching “Failed authentication”. Create a notification action from the query to send an Amazon Simple Notification Service (Amazon SNS) notification when the count equals 3 within a period of 5 minutes.

In AWS Identity and Access Management Access Analyzer, create a new analyzer. Configure the analyzer to send an Amazon Simple Notification Service (Amazon SNS) notification when a failed sign-in event occurs 3 times for any IAM user within a period of 5 minutes.

Remove the existing NAT gateway. Create a new NAT gateway that only the application server subnets can use.

Configure the DB instanceג€™s inbound network ACL to deny traffic from the security group ID of the NAT gateway.

Modify the route tables of the DB instance subnets to remove the default route to the NAT gateway.

Configure the route table of the NAT gateway to deny connections to the DB instance subnets.

Enable AWS Trusted Advisor security checks in the AWS Console, tsnd report all security incidents for all regions.

Enable AWS CloudTrail by creating individual trails for each region, and specify a single Amazon S3 bucket to receive log files for later analysis.

Enable AWS CloudTrail by creating a new trail and applying the trail to all regions. Specify a single Amazon S3 bucket as the storage location.

Enable Amazon CloudWatch logging for all AWS services across all regions, and aggregate them to a single Amazon S3 bucket for later analysis.

Create a public Application Load Balancer. Create two listeners one listener on port 80 and one listener on port 443. Create one target group. Create a rule to forward traffic from port 80 to the listener on port 443 Provision a public TLS certificate in AWS Certificate Manager (ACM). Attach the certificate to the listener on port 443.

Create a public Application Load Balancer. Create two listeners one listener on port 80 and one listener on port 443. Create one target group. Create a rule to forward traffic from port 80 to the listener on port 443 Provision a public TLS certificate in AWS Certificate Manager (ACM). Attach the certificate to the listener on port 80.

Create a public Network Load Balancer. Create two listeners one listener on port 80 and one listener on port 443. Create one target group. Create a rule to forward traffic from port 80 to the listener on port 443. Set the protocol for the listener on port 443 to TLS.

Create a public Network Load Balancer. Create a listener on port 443. Create one target group. Create a rule to forward traffic from port 443 to the target group. Set the protocol for the listener on port 443 to TLS.

Add an IAM managed policy for the user

Add a service policy for the user

Add an IAM role for the user

Add an inline policy for the user

Configure the S3 Block Public Access feature for the AWS account.

Configure the S3 Block Public Access feature for all objects that are in the bucket.

Deactivate ACLs for objects that are in the bucket.

Use AWS PrivateLink for Amazon S3 to access the bucket.

Enable CloudTrail log file integrity validation from the organization's management account.

Enable server-side encryption with AWS KMS keys (SSE-KMS) for CloudTrail logs. Create a KMS key Attach a policy to the key to prevent decryption of the logs

Create an SCP that includes an explicit Deny rule for the StopLogging action and the DeleteTrail action. Attach the SCP to the root OU.

Create 1AM policies for all the company's users to prevent the users from performing the DescribeTrails action and the GetTrailStatus action.

Set up GuardDuty to send notifications to an Amazon CloudWatch alarm with two targets in CloudWatch. From CloudWatch, stream the findings throughAmazon Kinesis Data Streams into an Amazon OpenSearch Service domain as the first target for delivery. Use Amazon QuickSight to visualize the findings.Use OpenSearch queries for further analysis. Deliver email alerts to the security team by configuring an SNS topic as a second target for the CloudW

Set up GuardDuty to send notifications to AWS CloudTrail with two targets in CloudTrail. From CloudTrail, stream the findings through Amazon Kinesis DataFirehose into an Amazon OpenSearch Service domain as the first target for delivery. Use OpenSearch Dashboards to visualize the findings. UseOpenSearch queries for further analysis. Deliver email alerts to the security team by configuring an SNS topic as a second target for CloudTraiI. Use e

Set up GuardDuty to send notifications to Amazon EventBridge with two targets. From EventBridge, stream the findings through Amazon Kinesis DataFirehose into an Amazon OpenSearch Service domain as the first target for delivery. Use OpenSearch Dashboards to visualize the findings. UseOpenSearch queries for further analysis. Deliver email alerts to the security team by configuring an SNS topic as a second target for EventBridge. Use eventpatt

Set up GuardDuty to send notifications to Amazon EventBridge with two targets. From EventBridge, stream the findings through Amazon Kinesis DataStreams into an Amazon OpenSearch Service domain as the first target for delivery. Use Amazon QuickSight to visualize the findings. Use OpenSearchqueries for further analysis. Deliver email alerts to the security team by configuring an SNS topic as a second target for EventBridge. Use event patternm

Use the AWS account root user access keys instead of the AWS Management Console.

Enable multi-factor authentication for the AWS IAM users with the Adminis-tratorAccess managed policy attached to them.

Enable multi-factor authentication for the AWS account root user.

Use AWS KMS to encrypt all AWS account root user and AWS IAM access keys and set automatic rotation to 30 days.

Do not create access keys for the AWS account root user; instead, create AWS IAM users.

Enable AWS Config Create a proactive AWS. Config Custom Policy rule Create a Guard clause to evaluate the S3 bucket policies to check for a value of True for the aws SecureTransport condition key. If the AWS Config rule evaluates to NON_COMPLIANT, block resource creation.

Enable AWS Config Configure the s3-bucket-ssl-requests-only AWS Config managed rule and set the rule trigger type to Hybrid Create an AWS Systems Manager.

Automation runbook that applies a bucket policy to deny requests when the value of the aws SecureTransport condition key is False Configure automatic remediation Set the runbook as the target of the rule.

Enable Amazon Inspector Create a custom AWS Lambda rule. Create a Lambda function that applies a bucket policy to deny requests when the value of the aws SecureTransport condition key is False Set the Lambda function as the target of the rule.

Create an AWS CloudTrail trail Enable S3 data events on the trail. Create an AWS Lambda function that applies a bucket policy to deny requests when the value of the aws SecureTransport condition key is False. Configure the CloudTrail trail to invoke the Lambda function.

Use IAM Systems Manager Parameter Store to store the database credentiais. Configureautomatic rotation of the credentials.

Use IAM Secrets Manager to store the database credentials. Configure automat* rotation of the credentials

Store the database credentials in an Amazon S3 bucket that is configured with server-side encryption with S3 managed encryption keys (SSE-S3) Rotate the credentials with IAM database authentication.

Store the database credentials m Amazon S3 Glacier, and use S3 Glacier Vault Lock Configure an IAM Lambda function to rotate the credentials on a scheduled basts

Create a dedicated AWS Key Management Service (AWS KMS) customer managed key for each retail store Use the S3 Put operation to upload the objects to Amazon S3 Specify server-side encryption with AWS KMS keys (SSE-KMS) and the key ID of the store's key

Create a new AWS Key Management Service (AWS KMS) customer managed key every day for each retail store Use the KMS Encrypt operation to encrypt objects Then upload the objects to Amazon S3

Run the AWS Key Management Service (AWS KMS) GenerateDataKey operation every day for each retail store Use the data key and client-side encryption to encrypt the objects Then upload the objects to Amazon S3

Use the AWS Key Management Service (AWS KMS) ImportKeyMaterial operation to import new key material to AWS KMS every day for each retail store Use a customer managed key and the KMS Encrypt operation to encrypt the objects Then upload the objects to Amazon S3

Enable AWS CloudTrail logs, VPC flow logs, and DNS logs. Use Amazon CloudWatch Logs to manage these logs from a centralized account.

Enable AWS CloudTrail logs, VPC flow logs, and DNS logs. Use Amazon Macie to monitor these logs from a centralized account.

Enable Amazon GuardDuty from a centralized account. Use GuardDuty to manage AWS CloudTrail logs, VPC flow logs, and DNS logs.

Enable Amazon Inspector from a centralized account. Use Amazon Inspector to manage AWS CloudTrail logs, VPC flow logs, and DNS logs.

Create an 1AM policy that explicitly denies permission to the key Attach the policy to all EC2 instance profiles Create an 1AM policy that explicitly allows permission to the key Attach the policy to all Lambda function roles.

Create a custom key policy for the key. Use the kms: ViaService condition key to deny access to requests from Amazon EC2 and to allow access to requests from Lambda. Use the Lambda 1AM role as the principal.

Create a custom key policy tor the key Use the aws Sourcelp condition key to deny access to requests from Amazon EC2 Use the aws: Authorized Service condition key to allow access to requests from Lambda Use the Lambda 1AM role as the principal.

Create an SCP that explicitly denies permission to the key for Amazon EC2 and explicitly allows permission to the key for Lambda Attach the SCP to the AWS account.

Enable AWS Config. Create a proactive AWS Config Custom Policy rule. Create a Guard clause to evaluate the S3 bucket policies to check for a value of True for the aws:SecureTransport condition key. If the AWS Config rule evaluates to NON_COMPLIANT, block resource creation.

Enable AWS Config. Configure the s3-bucket-ssl-requests-only AWS Config managed rule and set the rule trigger type to Hybrid. Create an AWS Systems Manager Automation runbook that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Configure automatic remediation. Set the runbook as the target of the rule.

Enable Amazon Inspector. Create a custom AWS Lambda rule. Create a Lambda function that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Set the Lambda function as the target of the rule.

Create an AWS CloudTrail trail. Enable S3 data events on the trail. Create an AWS Lambda function that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Configure the CloudTrail trail to invoke the Lambda function.

Scan the EC2 instances by using Amazon Inspector. Apply security patches and updates by using AWS Systems Manager Patch Manager.

Install host-based firewall and antivirus software on each EC2 instance. Use AWS Systems Manager Run Command to update the firewall and antivirus software.

Install the Amazon CloudWatch agent on the EC2 instances. Enable detailed logging. Use Amazon EventBridge to review the software logs for anomalies.

Scan the EC2 instances by using Amazon GuardDuty Malware Protection. Apply security patches and updates by using AWS Systems Manager Patch Manager.

Provide new AMIs that have the required software pre-installed. Apply a tag to the AMIs to indicate that the AMIs have the required software. Configure an SCP that allows new EC2 instances to be launched only if the instances have the tagged AMIs. Tag all existing EC2 instances.

Configure a custom patch baseline in Systems Manager Patch Manager. Add the package name for the required software to the approved packages list. Associate the new patch baseline with all EC2 instances. Set up a maintenance window for software deployment.

Centrally enable AWS Config. Set up the ec2-managedinstance-applications-required AWS Config rule for all accounts Create an Amazon EventBridge rule that reacts to AWS Config events. Configure the EventBridge rule to invoke an AWS Lambda function that uses Systems Manager Run Command to install the required software.

Create a new Systems Manager Distributor package for the required software. Specify the download location. Select all EC2 instances in the different accounts. Install the software by using Systems Manager Run Command.

Create an Application Load Balancer with the existing EC2 instances as a target group. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the ALB. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to the ALB. Update security groups on the EC2 instances to prevent direct access from the internet.

Create an Amazon CloudFront distribution specifying one EC2 instance as an origin. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the distribution. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to CloudFront.

Obtain the latest source code for the platform and make the necessary updates. Test the updated code to ensure that the vulnerability has been mitigated, then deploy the patched version of the platform to the EC2 instances.

Update the security group that is attached to the EC2 instances, removing access from the internet to the TCP port used by the SQL database. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the EC2 instances. Test to ensure the vulnerability has been mitigated, then restore the security group to the original setting.

Update the Lambda function to add a TTL S3 flag to S3 objects. Create an S3 Lifecycle policy to expire objects that are older than 30 days by using the TTL S3 flag.

Create an S3 Lifecycle policy to expire objects that are older than 30 days. Update the Lambda function to add the TTL attribute in the DynamoDB table. Enable TTL on the DynamoDB table to expire entires that are older than 30 days based on the TTL attribute.

Create an S3 Lifecycle policy to expire objects that are older than 30 days and to add all prefixes to the S3 bucket. Update the Lambda function to delete entries that are older than 30 days.

Create an S3 Lifecycle policy to expire objects that are older than 30 days by using object tags. Update the Lambda function to delete entries that are older than 30 days.

The principal's identity-based policy grants access to put objects into the S3 bucket with no conditions.

The principal's identity-based policy overrides the condition because the identity-based policy contains an explicit allow.

The S3 bucket's resource policy does not deny access to put objects.

The S3 bucket's resource policy cannot allow actions to the principal.

The bucket policy does not apply to principals in the same zone of trust.

Configure Amazon CloudWatch Container Insights to collect and aggregate EKS application logs. Create a CloudWatch alarm to monitor for anomalies. Configure the alarm to launch an AWS Lambda function to alert the security team when anomalies are detected.

Configure Amazon EKS to send application logs to Amazon CloudWatch. Create a CloudWatch alarm based on a log group metric filter. Specify anomaly detection as the threshold type. Configure the alarm to use Amazon Simple Notification Service (Amazon SNS) to alert the security team.

Configure Amazon EKS to export logs to Amazon S3. Use Amazon Athena queries to analyze the logs for anomalies. Use Amazon QuickSight to visualize and monitor user access requests for anomalies. Configure Amazon Simple Notification Service (Amazon SNS) notifications to alert the security team.

Configure AWS App Mesh to monitor the traffic to the microservices in Amazon EKS. Integrate App Mesh with AWS CloudTrail for logging. Use Amazon Detective to analyze the logs for anomalies and to alert the security team when anomalies are detected.

Create a CloudWatch Logs account-wide data protection policy. Specify the appropriate data identifiers for the policy. Ensure that the developers do not have the logs:Unmask 1AM permission.

Export the CloudWatch Logs data to an Amazon S3 bucket. Set up automated discovery by using Amazon Macie on the S3 bucket. Create a custom data identifier for the sensitive data. Remove the developers' access to CloudWatch Logs. Grant permissions for the developers to view the exported log data in Amazon S3.

Export the CloudWatch Logs data to an Amazon S3 bucket. Set up automated discovery by using Amazon Macie on the S3 bucket. Specify the appropriate managed data identifiers. Remove the developers' access to CloudWatch Logs. Grant permissions for the developers to view the exported log data in Amazon S3.

Create a CloudWatch Logs data protection policy for each log group. Specify the appropriate data identifiers for the policy. Ensure that the developers do not have the logsiUnmask 1AM permission.

Verify thattheS3 bucket policy allows CloudTrail to write objects.

Verify thatthe1AM role used by CloudTrail has access to write to Amazon CloudWatch Logs.

Remove any lifecycle policies on the S3 bucket that are archiving objects to S3 Glacier Flexible Retrieval.

Verify thattheS3 bucket defined in CloudTrail exists.

Verify that the log file prefix defined in CloudTrail exists in the S3 bucket.

Export the CloudWatch Logs group data to Amazon S3. Use Amazon Macie to query the logs for the specific IP address and the requested URLs.

Configure a CloudWatch Logs subscription to stream the log group to an Amazon OpenSearch Service cluster. Use OpenSearch Service to analyze the logs for the specific IP address and the requested URLs.

Use CloudWatch Logs Insights and a custom query syntax to analyze the CloudWatch logs for the specific IP address and the requested URLs.

Export the CloudWatch Log group data to Amazon S3. Use AWS Glue to crawl the S3 bucket for only the log entries that contain the specific IP address. Use AWS Glue to view the results.

Configure the DB instance to allow public access Update the DB instance security group to allow access from the Lambda public address space for the AWS Region

Deploy the Lambda functions inside the VPC Attach a network ACL to the Lambda subnet Provide outbound rule access to the VPC CIDR range only Update the DB instance security group to allow traffic from 0 0 0 0/0

Deploy the Lambda functions inside the VPC Attach a security group to the Lambda functions Provide outbound rule access to the VPC CIDR range only Update the DB instance security group to allow traffic from the Lambda security group

Peer the Lambda default VPC with the VPC that hosts the DB instance to allow direct network access without the need for security groups

Deploy the Lambda functions to a private subnet in the VPC. Configure the Lambda functions to access the S3 service through the NAT gateway.

Deploy the Lambda functions to a private subnet in the VPC. Create an S3 gateway endpoint to access the S3 service.

Deploy the S3 bucket and the Lambda functions in the same private subnet. Configure the Lambda functions to use the default endpoint for the S3 service.

Deploy an Amazon Simple Queue Service (Amazon SOS) queue and the Lambda functions in the same private subnet. Configure the Lambda functions to send data to the SQS queue. Configure the SOS queue to send data to the S3 bucket.

Option A

Option B

Use SCPs to configure scanning of EC2 instances and ECR containers for all accounts in the organization.

Configure a delegated administrator for Amazon GuardDuty for the organization. Create an Amazon EventBridge rule to initiate analysis of ECR containers

Configure a delegated administrator for Amazon Inspector for the organization. Configure automatic scanning for new member accounts.

Configure a delegated administrator for Amazon Inspector for the organization. Create an AWS Config rule to initiate analysis of ECR containers

Delete the access keys for the account root user in every account.

Create an admin IAM user with administrative privileges and delete the account root user in every account.

Implement a strong password to help protect account-level access to the IAM Management Console by the account root user.

Enable multi-factor authentication (MFA) on every account root user in all accounts.

Create a custom IAM policy to limit permissions to required actions for the account root user and attach the policy to the account root user.

Attach an IAM role to the account root user to make use of the automated credential rotation in IAM STS.

Deploy AWS CloudTrail centralized logging for the organization from the AWS Control Tower management account. Enable Amazon GuardDuty. Enable the GuardDuty AWS Foundational Security Best Practices standard.

Automatically deploy the AWS Foundational Security Best Practices standard by configuring a delegated administrator for Amazon GuardDuty from the AWS Control Tower audit account.

Configure a delegated administrator for AWS Security Hub from the AWS Control Tower management account. Enable the Security Hub AWS Foundational Security Best Practices standard in the AWS Control Tower audit account.

Deploy AWS CloudTrail centralized logging for the organization from the AWS Control Tower log archive account. Enable AWS Security Hub. Enable the Security Hub AWS Foundational Security Best Practices standard.

Use AWS Control Tower to connect to the EC2 instances. Configure Amazon CloudWatch logging for the sessions. Select the upload session logs option and allow only encrypted CloudWatch Logs log groups.

Use AWS Security Hub to connect to the EC2 instances. Configure Amazon CloudWatch logging for the sessions. Select the upload session logs option and allow only encrypted CloudWatch Logs log groups.

Use AWS Systems Manager Session Manager to connect to the EC2 instances. Configure Amazon CloudWatch monitoring to record the sessions. Select the store session logs option for the desired CloudWatch Logs log groups.

Use AWS Systems Manager Session Manager to connect to the EC2 instances. Configure Amazon CloudWatch logging. Select the upload session logs option and allow only encrypted CloudWatch Logs log groups.

Configure S3 Versioning to expire object versions that have been in the S3 bucket for 72 hours.

Configure an S3 Lifecycle configuration rule on the S3 bucket to expire objects that have been in the S3 bucket for 72 hours.

Use the S3 Intelligent-Tiering storage class for all objects in the S3 bucket. Configure S3 Intelligent-Tiering to expire objects that have been in the S3 bucket for 72 hours.

Generate S3 presigned URLs for the vendor to use to download the objects. Expire the URLs after 72 hours.

Use EC2 Dedicated Instances for the tokenization component of the application.

Place the EC2 instances that manage the tokenization process into a partition placement group.

Create a separate VPC. Deploy new EC2 instances into the separate VPC to support the data tokenization.

Deploy the tokenization code onto AWS Nitro Enclaves that are hosted on EC2 instances.

Custom SSL certificate that is stored in AWS Key Management Service (AWS KMS)

Default SSL certificate that is stored in Amazon CloudFront.

Custom SSL certificate that is stored in AWS Certificate Manager (ACM)

Default SSL certificate that is stored in Amazon S3

Configure the DB instance to allow public access Update the DB instance security group to allow access from the Lambda public address space for the AWS Region

Deploy the Lambda functions inside the VPC Attach a network ACL to the Lambda subnet Provide outbound rule access to the VPC CIDR range only Update the DB instance security group to allow traffic from 0.0.0.0/0

Deploy the Lambda functions inside the VPC Attach a security group to the Lambda functions Provide outbound rule access to the VPC CIDR range only Update the DB instance security group to allow traffic from the Lambda security group

Peer the Lambda default VPC with the VPC that hosts the DB instance to allow direct network access without the need for security groups

Upload the third-party signing certificate's new private key to the AWS identity provider entity defined in AWS Identity and Access Management (IAM) by using the AWS Management Console.

Sign the identity provider's metadata file with the new public key. Upload the signature to the AWS identity provider entity defined in AWS Identity and Access Management (IAM) by using the AWS CU.

Download the updated SAML metadata file from the identity service provid-er. Update the file in the AWS identity provider entity defined in AWS Identity and Access Management (IAM) by using the AWS CLI.

Configure the AWS identity provider entity defined in AWS Identity and Ac-cess Management (IAM) to synchronously fetch the new public key by using the AWS Management Console.

Select "Restrict Bucket Access" in the origin settings of the CloudFront distribution

Create an origin access identity (OAI) for the S3 origin

Update the S3 bucket policy to allow s3 GetObject with a condition that the IAM Referer key matches the secret value Deny all other requests

Configure the S3 bucket poky so that only the origin access identity (OAI) has read permission for objects in the bucket

Add an origin custom header that has the name Referer to the CloudFront distribution Give the header a secret value.

Use the AWS Management Console to edit the structure of the secret in Secrets Manager so that the secret automatically conforms with the struc-ture that the database requires.

Ensure that the security group that is attached to the Lambda function al-lows outbound connections to the EC2 instance. Ensure that the security group that is attached to the EC2 instance allows inbound connections from the security group that is attached to the Lambda function.

Use the Secrets Manager list-secrets command in the AWS CLI to list the secret. Identify the database credentials. Use the Secrets Manager rotate-secret command in the AWS CLI to force the immediate rotation of the secret.

Add an internet gateway to the VPC. Create a NAT gateway in a public sub-net. Update the VPC route tables so that traffic from the Lambda function and traffic from the EC2 instance can reach the Secrets Manager public endpoint.

Create a new trail and configure it to send CloudTrail logs to Amazon S3. Use Amazon EventBridge (Amazon CloudWatch Events) to send notification if a trail is deleted or stopped.

Deploy an IAM Lambda function in every account to check if there is an existing trail and create a new trail, if needed.

Edit the existing trail in the Organizations master account and apply it to the organization.

Create an SCP to deny the cloudtrail:Delete" and cloudtrail:Stop' actions. Apply the SCP to all accounts.

Configure AWS Config to send its configuration snapshots to an Amazon S3 bucket. Create an AWS Lambda function to run on a PutEvent to the S3 bucket. Configure the Lambda function to parse the snapshot for a compliance change to the restricled-ssh managed rule. Configure the Lambda function to send a notification to an Amazon Simple Notification Service (Amazon SNS) topic if a change is discovered.

Configure an Amazon EventBridge event rule that is invoked by a compliance change event from AWS Config for the restricted-ssh managed rule. Configure the event rule to target an Amazon Simple Notification Service (Amazon SNS) topic that will provide a notification.

Configure AWS Config to push all its compliance notifications to Amazon CloudWatch Logs Configure a CloudWatch Logs metric filter on the AWS Config log group to look for a compliance notification change on the restricted-ssh managed rule. Create an Amazon CloudWatch alarm on the metric filter to send a notification to an Amazon Simple Notification Service (Amazon SNS) topic if the alarm is in the ALARM state.

Configure an Amazon CloudWatch alarm on (he CloudWatch metric for the restricted-ssh managed rule. Configure the CloudWatch alarm to send a notification to an Amazon Simple Notification Service (Amazon SNS) topic if the alarm is in the ALARM state.

The ACL in the bucket needs to be updated

The IAM policy does not allow the user to access the bucket

It takes a few minutes for a bucket policy to take effect

The allow permission is being overridden by the deny

A Bastion host should be on a private subnet and never a public subnet due to security concerns

A Bastion host sits on the outside of an internal network and is used as a gateway into the private network and is considered the critical strong point of the network

Bastion hosts allow users to log in using RDP or SSH and use that session to S5H into internal network to access private subnet resources.

A Bastion host should maintain extremely tight security and monitoring as it is available to the public

Use AWS Certificate Manager to encrypt all traffic between the client and application servers.

Review the application security groups to ensure that only the necessary ports are open.

Use Elastic Load Balancing to offload Secure Sockets Layer encryption.

Use Amazon Inspector to periodically scan the backend instances.

Use AWS Key Management Services to encrypt all the traffic between the client and application servers.

Designate an AWS account as a delegated administrator for Security Hub. Publish events to Amazon CloudWatch from the delegated administrator account,all member accounts, and required Regions that are enabled for Security Hub findings.

Designate an AWS account in an organization in AWS Organizations as a delegated administrator for Security Hub. Publish events to Amazon EventBridgefrom the delegated administrator account, all member accounts, and required Regions that are enabled for Security Hub findings.

In each Region, create an Amazon EventBridge rule to deliver findings to an Amazon Kinesis data stream. Configure the Kinesis data streams to output thelogs to a single Amazon S3 bucket.

In each Region, create an Amazon EventBridge rule to deliver findings to an Amazon Kinesis Data Firehose delivery stream. Configure the Kinesis DataFirehose delivery streams to deliver the logs to a single Amazon S3 bucket.

Use AWS Glue DataBrew to crawl the Amazon S3 bucket and build the schema. Use AWS Glue Data Catalog to query the data and create views to flattennested attributes. Build Amazon QuickSight dashboards by using Amazon Athena.

Partition the Amazon S3 data. Use AWS Glue to crawl the S3 bucket and build the schema. Use Amazon Athena to query the data and create views toflatten nested attributes. Build Amazon QuickSight dashboards that use the Athena views.

Call the abort-vault-lock operation. Update the policy. Call the initiate-vault-lock operation again.

Copy the vault data to a new S3 bucket. Delete the vault. Create a new vault with the data.

Update the policy to keep the vault lock in place

Update the policy. Call the initiate-vault-lock operation again to apply the new policy.

Change the replication configuration to use the key in us-east-1 to encrypt the objects that are in the destination S3 bucket.

Grant the IAM role the kms. Encrypt permission for the key in us-east-1 that encrypts source objects.

Grant the IAM role the s3 GetObjectVersionForReplication permission for objects that are in the source S3 bucket.

Grant the IAM role the kms. Decrypt permission for the key in us-east-1 that encrypts source objects.

Change the key policy of the key in us-east-1 to grant the kms. Decrypt permission to the security engineer's IAM account.

Grant the IAM role the kms Encrypt permission for the key in us-west-2 that encrypts objects that are in the destination S3 bucket.

Create a snapshot of the DB instance. Copy the snapshot to a new snapshot, and enable encryption for the copy process. Use the new snapshot to restore the DB instance.

Modify the configuration of the DB instance by enabling encryption. Create a snapshot of the DB instance. Use the snapshot to restore the DB instance.

Use IAM Key Management Service (IAM KMS) to create a new default IAM managed awa/rds key. Select this key as the encryption key for operations with Amazon RDS.

Use IAM Key Management Service (IAM KMS] to create a new CMK. Select this key as the encryption key for operations with Amazon RDS.

Create a snapshot of the DB instance. Enable encryption on the snapshoVUse the snapshot to restore the DB instance.

Configure CloudFront to add a cache key policy to allow a custom HTTP header that CloudFront sends to the ALB.

Configure CloudFront to add a custom: HTTP header to requests that CloudFront sends to the ALB.

Configure the ALB to forward only requests that contain the custom HTTP header.

Configure the ALB and CloudFront to use the X-Forwarded-For header to check client IP addresses.

Configure the ALB and CloudFront to use the same X.509 certificate that is generated by AWS Certificate Manager (ACM).

Use lifecycle policies for the EBS volumes

Use EBS Snapshots

Use EBS volume replication

Use EBS volume encryption

Open the EC2 console and remove any security groups that allow inbound traffic from 0.0.0.0/0.

Install the AWS Systems Manager Agent on the EC2 instance and run an inventory report.

Install the Amazon Inspector agent on the host and run an assessment with the CVE rules package.

Open the IAM console and revoke all IAM sessions that are associated with the instance profile.

Create an AWS WAF web ACL. Add the AWSManagedRulesACFPRuleSet rule group to the web ACL. Associate the web ACL with the CloudFront distribution.

Create an AWS WAF web ACL. Add a rate limit rule to the web ACL. Include a RateBasedStatement entry that has a SearchString value that points to /store/registration

Specify /store/registration as the registration page path Specify /store/newaccount as the account creation path

Enable AWS Shield Advanced for the account that hosts the CloudFront distribution Configure a DNS-specific custom mitigation that uses the Shield Response Team (SRT) for /store/newaccount.

Enable Amazon GuardOuty for the account that hosts the CloudFront distribution. Enable Lambda Protection for the Lambda functions that answer calls to /store/registration and /store/newaccount.

Enable VPC Flow Logs in all VPCs Create a scheduled IAM Lambda function that downloads and parses the logs, and sends an Amazon SNS notification for violations.

Use IAM CloudTrail to make a trail, and apply it to all Regions Specify an Amazon S3 bucket to receive all the CloudTrail log files

Add the following bucket policy to the company's IAM CloudTrail bucket to prevent log tampering{"Version": "2012-10-17-,"Statement": {"Effect": "Deny","Action": "s3:PutObject","Principal": "-","Resource": "arn:IAM:s3:::cloudtrail/IAMLogs/111122223333/*"}}Create an Amazon S3 data event for an PutObject attempts, which sends notifications to an Amazon SNS topic.

Create a Security Auditor role with permissions to access Amazon CloudWatch Logs m all Regions Ship the logs to an Amazon S3 bucket and make a lifecycle policy to ship the logs to Amazon S3 Glacier.

Verify that Amazon GuardDuty is enabled in all Regions, and create an Amazon CloudWatch Events rule for Amazon GuardDuty findings Add an Amazon SNS topic as the rule's target

Create an Amazon Event Bridge (Amazon Cloud watch Events) event with an EC2 instanceas the source and create volume as the event trigger. When the event is triggered invoke an IAM Lambda function to evaluate and notify the security engineer if the EBS volume that was created is not encrypted.

Use a customer managed IAM policy that will verify that the encryptionflag of the Createvolume context is set to true. Apply this rule to all users.

Create an IAM Config rule to evaluate the configuration of each EC2 instance on creation or modification. Have the IAM Config rule trigger an IAM Lambdafunction to alert the security team and terminate the instance it the EBS volume is not encrypted. 5

Use the IAM Management Console or IAM CLi to enable encryption by default for EBS volumes in each IAM Region where the company operates.

Filter the event history on the exposed access key in the CloudTrail console Examine the data from the past 11 days.

Use the IAM CLI lo generate an IAM credential report Extract all the data from the past 11 days.

Use Amazon Athena to query the CloudTrail logs from Amazon S3 Retrieve the rows for the exposed access key tor the past 11 days.

Use the Access Advisor tab in the IAM console to view all of the access key activity for the past 11 days.

Create an AWS WAF rate-based rule, and attach it to the ALB.

Update the security group that is attached to the ALB to block the attacking IP addresses.

Update the ALB subnet's network ACL to block the attacking client IP addresses.

Create a AWS WAF rate-based rule, and attach it to the security group of the EC2 instances.

Deploy a NAT gateway in each private subnet for every Availability Zone that is in use.

Place the DB instance in a public subnet.

Place the DB instance in a private subnet.

Configure the Auto Scaling group to place the EC2 instances in a public subnet.

Configure the Auto Scaling group to place the EC2 instances in a private subnet.

Deploy the ALB in a private subnet.

Enable VPC flow logs for the VPC that hosts the EKS clusters.

Assign the CloudWatchEventsFullAccess AWS managed policy to the EKS clusters.

Ensure that the AmazonGuardDutyFullAccess AWS managed policy is attached to the GuardDuty service role.

Enable the control plane logs in Amazon EKS. Ensure that the logs are ingested into Amazon CloudWatch.

Configure S3 server-side encryption. Create an S3 bucket policy that has an explicit deny rule for all users for s3:DeleteObject and s3:PutObject API calls. Configure S3 Object Lock to use governance mode with a retention period of 7 years.

Configure S3 server-side encryption. Configure S3 Versioning on the S3 bucket. Configure S3 Object Lock to use compliance mode with a retention period of 7 years.

Configure S3 Versioning. Configure S3 Intelligent-Tiering on the S3 bucket to move the documents to S3 Glacier Deep Archive storage. Use S3 server-side encryption immediately. Expire the objects after 7 years.

Set up S3 Event Notifications and use S3 server-side encryption. Configure S3 Event Notifications to target an AWS Lambda function that will review any S3 API call to the S3 bucket and deny the s3:DeleteObject and s3:PutObject API calls. Remove the S3 eventnotification after 7 years.

Create a Security Hub custom action to assess the log group retention period.

Create a data protection policy in CloudWatch Logs to assess the log group retention period.

Create a Security Hub automation rule Configure the automation rule to assess the log group retention period.

Use the AWS Config managed rule that assesses the log group retention period Ensure that AWS Config integration is enabled in Security Hub.

Use AWS Systems Manager Patch Manager to view vulnerability identifiers for missing patches on the instances. Use Patch Manager also to automate the patching process.

Use AWS Shield Advanced to view vulnerability identifiers for missing patches on the instances. Use AWS Systems Manager Patch Manager to automate the patching process.

Use Amazon GuardDuty to view vulnerability identifiers for missing patches on the instances. Use Amazon Inspector to automate the patching process.

Use Amazon Inspector to view vulnerability identifiers for missing patches on the instances. Use Amazon Inspector also to automate the patching process.

Check the Amazon S3 bucket policy. Verify that the policy allows the config.amazonaws.com service to write to the target bucket.

Verify that the IAM entity has the permissions necessary to perform the s3:GetBucketAcl and s3:PutObject* operations to write to the target bucket.

Verify that the Amazon S3 bucket policy has the permissions necessary to perform the s3:GetBucketAcl and s3:PutObject* operations to write to the target bucket.

Check the policy that is associated with the IAM entity. Verify that the policy allows the config.amazonaws.com service to write to the target bucket.

Verify that the AWS Config service role has permissions to invoke the BatchGetResourceConfig action instead of the GetResourceConfigHistory action and s3:PutObject* operation.

Use a role-based approach by creating an IAM role with an inline permissions policy that allows access to the secret. Update the IAM principals in the role trust policy as required.

Deploy a VPC endpoint for Secrets Manager. Create and attach an endpoint policy that specifies the IAM principals that are allowed to access the secret. Update the list of IAM principals as required.

Use a tag-based approach by attaching a resource policy to the secret. Apply tags to the secret and the IAM principals. Use the aws:PrincipalTag and aws:ResourceTag IAM condition keys to control access.

Use a deny-by-default approach by using IAM policies to deny access to the secret explicitly. Attach the policies to an IAM group. Add all IAM principals to the IAM group. Remove principals from the group when they need access. Add the principals to the group again when access is no longer allowed.

Configure the permissions on the individual files in the S3 bucket so that only the CloudFront distribution has access to them.

Create an origin access identity (OAI). Associate the OAI with the CloudFront distribution. Configure the S3 bucket permissions so that only the OAI can access the files in the S3 bucket.

Create an S3 role in AWS Identity and Access Management (IAM). Allow only the CloudFront distribution to assume the role to access the files in the S3 bucket.

Create an S3 bucket policy that uses only the CloudFront distribution ID as the principal and the Amazon Resource Name (ARN) as the target.

A. Configure and assign an MFA device to the role used by the instances.

B. Verify that the SQS resource policy does not explicitly deny access to the role used by the instances.

C. Verify that the access key attached to the role used by the instances is active.

D. Attach the AmazonSQSFullAccest. managed policy to the role used by the instances.

E Verify that the role attached to the instances contains policies that allow access to the queue

Disable termination protection for the EC2 instance if termination protection has not been disabled.

Enable termination protection for the EC2 instance if termination protection has not been enabled.

Take snapshots of the Amazon Elastic Block Store (Amazon EBS) data volumes that are attached to theEC2 instance.

Remove all snapshots of the Amazon Elastic Block Store (Amazon EBS) data volumes that are attached to the EC2 instance.

Capture the EC2 instance metadata, and then tag the EC2 instance as under quarantine.

Immediately remove any entries in the EC2 instance metadata that contain sensitive information.

Enable AWS Security Hub for all accounts. In the Security Hub administrator account, enable the GuardDuty integration. Create automation rules to elevate findings for the production account and the S3 bucket.

Enable AWS Security Hub for all accounts. In the Security Hub administrator account, enable the GuardDuty integration. Use Amazon EventBridge to create a custom rule to elevate findings for the production account and the S3 bucket.

Use the GuardDuty administrator account to configure a threat list that includes the production account and the S3 bucket. Use Amazon EventBridge and Amazon Simple Notification Service (Amazon SNS) to elevate findings from the threat list.

Use the GuardDuty administrator account to enable S3 protection for the support account that contains the S3 bucket. Configure GuardDuty to elevate findings for the production account and the S3 bucket.

Allow port 22 from source 0.0.0.0/0.

Allow port 443 from source 0.0.0.0/0.

Allow port 22 from 192.168.100.0/24.

Allow port 22 from 10.0.1.0/24.

Allow port 443 from 10.0.1.0/24.

Update the policy that is associated with the federated IAM role to allow the ec2. Describelmages action for the forensic AMI.

Update the policy that is associated with the federated IAM role to allow the ec2 Start Instances action m the security team's AWS account.

Update the policy that is associated with the KMS key that is used to encrypt the forensic AMI. Configure the policy to allow the kms. Encrypt and kms Decrypt actions for the federated IAM role.

Update the policy that is associated with the federated IAM role to allow the kms. DescribeKey action for the KMS key that is used to encrypt the forensic AMI.

Store the database credentials in AWS Secrets Manager. Configure automatic credential rotation tor every 30 days.

Store the database credentials in AWS Systems Manager Parameter Store. Create an AWS Lambda function to rotate the credentials every 30 days.

Store the database credentials in an environment file or in a configuration file. Modify the credentials every 30 days.

Store the database credentials in an environment file or in a configuration file. Create an AWS Lambda function to rotate the credentials every 30 days.

Create a resource based policy that allows Security Hub access to the ARN of the Lambda function.

Attach the AWSSecurityHubReedOnlyAccess AWS managed policy to the Lambda function's execution role.

Grant the Lambda function s execution role read-only permissions to access Amazon Inspector and Security Hub.

Create a custom 1AM policy that grants the Security Hub Get' List" Batch' and Desert*" permissions on the arn aws securityhub us-west-2 productaws/inspector' resource Anacn the policy to the Lambda function's execution role.

Terminate SSL from clients on the existing ALB. Use HTTPS to connect from the ALB to the EC2 instances.

Replace the existing ALB with a Network Load Balancer (NLB) On the NLB, configure an SSL listener and TCP passthrough to receive client connections Terminate HTTPS traffic from the NLB on the EC2 instances.

Replace the existing ALB with a Network Load Balancer (NLB) On the NLB, configure TCP passthrough to receive client connections Terminate SSL from the NLB on the EC2 instances

Configure a Network Load Balancer (NLB) with TCP passthrough to receive client connections Terminate SSL on the existing ALB.

Configure a Network Load Balancer (NLB) with a TLS listener to receive client connections Configure TCP passthrough on the existing ALB so that the NLB can reach the EC2 instances Terminate SSL from the ALB on the EC2 instances.

Configure a finding aggregation Region for Security Hub. Link the other Regions to the aggregation Region.

Create an AWS Lambda function that routes events from other Regions to the dedicated Security Hub account. Create an Amazon EventBridge rule to invokethe Lambda function.

Turn on the option to automatically enable accounts for Security Hub.

Create an SCP that denies the securityhub DisableSecurityHub permission. Attach the SCP to the organization’s root account.

Configure services in other Regions to write events to an AWS CloudTrail organization trail. Configure Security Hub to read events from the trail.

Add a resource policy that allows each member of the group to access Amazon SES.

Add a resource policy that allows "Principal": {"AWS": "arn:aws:iam::account-number:group/Dev"}.

Remove the AWS Control Tower control (guardrail) that restricts access to Amazon SES.

Remove Amazon SES from the root SCP.

Export the CloudWatch Logs group data to Amazon S3. Use Amazon Macie to query the logs for the specific IP address and the requested URLs.

Configure a CloudWatch Logs subscription to stream the log group to an Am-azon OpenSearch Service cluster. Use OpenSearch Service to analyze the logs for the specific IP address and the requested URLs.

Use CloudWatch Logs Insights and a custom query syntax to analyze the CloudWatch logs for the specific IP address and the requested URLs.

Export the CloudWatch Logs group data to Amazon S3. Use AWS Glue to crawl the S3 bucket for only the log entries that contain the specific IP ad-dress. Use AWS Glue to view the results.

Create a Security Hub automation rule Edit the rule to include the specific resource tag and the specific tag value as the criteria. Select the automated action to change the workflow status to SUPPRESSED.

Select each Security Hub control that needs to be suppressed. Add an exception to each control to suppress any findings that contain the specific tag value if the resource contains the specific resource tag.

Send each Security Hub finding to Amazon Detective Create an automated rule in Detective to suppress any findings that contain the specific resource tag and the specific tag value

Send each Security Hub finding to Amazon Inspector. Configure a suppression rule to suppress any findings that contain the specific resource tag and the specific tag value.

Enable Amazon Inspector. Set the scan mode to hybrid scanning. Enable the integration for Amazon Inspector in Security Hub.

Use Security Hub to enable the AWS Foundational Security Best Practices standard.Wait for Security Hub to generate the findings.

Enable Amazon GuardDuty. Initiate on-demand malware scans by using GuardDuty Malware Protection. Enable the integration for GuardDuty in Security Hub.

Use AWS Config managed rules to detect EC2 software vulnerabilities. Ensure that Security Hub has the AWS Config integration enabled.

Create an AWS Service Catalog portfolio in the organization's management account. Upload the CloudFormation template. Add the template to theportfolio's product list. Share the portfolio with the OIJ.

Use the CloudFormation CLI to create a module from the CloudFormation template. Register the module as a private extension in the CloudFormationregistry. Publish the extension. In the OU, create an SCP that allows access to the extension.

Create an AWS Service Catalog portfolio in the organization's management account. Upload the CloudFormation template. Add the template to theportfolio's product list. Create an IAM role that has a trust policy that allows cross-account access to the portfolio for users in the OU accounts. Attach theAWSServiceCatalogEndUserFullAccess managed policy to the role.

Use the CloudFormation CLI to create a module from the CloudFormation template. Register the module as a private extension in the CloudFormationregistry. Publish the extension. Share the extension with the OU

The CMK is used in the attempt does not exist.

The CMK is used in the attempt needs to be rotated.

The CMK is used in the attempt is using the CMKג€™s key ID instead of the CMK ARN.

The CMK is used in the attempt is not enabled.

The CMK is used in the attempt is using an alias.

Option A

Option B

Option C

Option D

Deploy an SCP that includes the S3: * action with the "awsSourceVpc": "S {aws: Ec2lnstanceSourceVpc}" condition.

Edit the VPC endpoints to include the S3:' action with the "aws: Ec2lnstanceSourcePrivatelPv4": "${aws:VpcSourcelp}" condition.

Limit all actions in the S3 bucket policies by using the aws:SourceVpce condition key with the value of the allowed VPC endpoint.

Limit all actions in the S3 bucket policies by using the aws:SourceVpc condition key with the value to the allowed VPC ID.

Deploy an AWS Config managed rule to run on a periodic basis of 24 hours. Select the access-keys-rotated managed rule, and set the maxAccessKeyAge parameter to 90 days. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with an event pattern that matches the compliance type of NON_COMPLIANT from AWS Config for the managed rule. Configure EventBridge (CloudWatch Events) to send an Amazon Simple Notification Service (Amazon SNS) not

Create a script to export a .csv file from the AWS Trusted Advisor check for IAM access key rotation. Load the script into an AWS Lambda function that will upload the .csv file to an Amazon S3 bucket. Create an Amazon Athena table query that runs when the .csv file is uploaded to the S3 bucket. Publish the results for any keys older than 90 days by using an invocation of an Amazon Simple Notification Service (Amazon SNS) notification to the

Create a script to download the IAM credentials report on a periodic basis. Load the script into an AWS Lambda function that will run on a schedule through Amazon EventBridge (Amazon CloudWatch Events). Configure the Lambda script to load the report into memory and to filter the report for records in which the key was last rotated at least 90 days ago. If any records are detected, send an Amazon Simple Notification Service (Amazon SNS) noti

Create an AWS Lambda function that queries the IAM API to list all the users. Iterate through the users by using the ListAccessKeys operation. Verify that the value in the CreateDate field is not at least 90 days old. Send an Amazon Simple Notification Service (Amazon SNS) notification to the security team if the value is at least 90 days old. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to schedule the Lambda function to ru

Use a designated administration account to automatically set up member accounts.

Create the AWS Service Role ForSecurrty Hub service-linked rote for Security Hub.

Send an administration request from the member accounts.

Enable Security Hub for all member accounts.

Send invitations to accounts that are outside the company's organization from the Security Hub administrator account.

Option A

Option B

Option C

Option D

Remove the Condition element. Change the Principal element to the following:{“AWS”: “arn "aws" ::: lambda ::: function:MyLambdaFunction”}

Change the Action element to the following:" s3:GetObject*"" s3:GetBucket*"

Change the Resource element to "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*".

Change the Resource element to "arn:aws:lambda:::function:MyLambdaFunction". Change the Principal element to the following:{“Service”: “s3.amazonaws.com”}

Enable KMS encryption on the existing ECR repositories. Install Amazon Inspector Agent from the ECS container instances’ user data. Run an assessment with the CVE rules.

Recreate the ECR repositories with KMS encryption and ECR scanning enabled. Analyze the scan report after the next push of images.

Recreate the ECR repositories with KMS encryption and ECR scanning enabled. Install AWS Systems Manager Agent on the ECS container instances. Run an inventory report.

Enable KMS encryption on the existing ECR repositories. Use AWS Trusted Advisor to check the ECS container instances and to verily the findings against a list of current CVEs.

Use AWS Resource Access Manager (AWS RAM) to share the VPC subnet ID of the HSM that is hosted in the central account with the new dedicated account. Configure the CloudHSM security group to accept inbound traffic from the private IP addresses of client instances in the new dedicated account.

Use AWS Identity and Access Management (IAM) to create a cross-account rote to access the CloudHSM cluster that is in the central account Create a new IAM user in the new dedicated account Assign the cross-account rote to the new IAM user.

Use AWS 1AM Identity Center (AWS Single Sign-On) to create an AWS Security Token Service (AWS STS) token to authenticate from the new dedicated account to the central account. Use the cross-account permissions that are assigned to the STS token to invoke an operation on the HSM in the central account.

Use AWS Resource Access Manager (AWS RAM) to share the ID of the HSM that is hosted in the central account with the new dedicated account. Configure the CloudHSM security group to accept inbound traffic from the private IP addresses of client instances in the new dedicated account.

B.  

C.  

D.   A screenshot of a computer code Description automatically generated

Create an 1AM user Attach an 1AM policy to the 1AM user Use the AWS CLI to generate temporary credentials for the 1AM user Use the access key, secret key, and session token to authenticate to AWS from the workflow.

Enable AWS 1AM Identity Center and configure it to use a local directory. Create a new service user in the 1AM Identity Center directory. Use the AWS CLI to generate temporary credentials for the service user Use the user ID and session token to authenticate to AWS from the workflow.

Create an OpenID Connect (OIDC) identity provider (IdP) in 1AM Use GitHub as the provider. Create an 1AM role Attach the role to a trust policy that contains condition keys to restrict the GitHub repositones that will run the workflow. Use the role ARN to authenticate to AWS from the workflow.

Configure Amazon Cognito and create an identity pool. Configure the identity pool for a SAML identity provider (IdP) Use GitHub as the provider. Create an 1AM role Attach the role to a trust policy that allows the sts AssumeRole action for Cognito Configure the workflow in GitHub to authenticate against the SAML IdP.

Enable TLS pass through on the ALB, and handle decryption at the server using Elliptic Curve Diffie-Hellman (ECDHE) cipher suites.

Create a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie-Hellman (ECDHE) cipher suites, and pass the traffic in the clear to the server.

Create a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie-Hellman (ECDHE) cipher suites, and use encrypted connections to the servers that do not enable Perfect Forward Secrecy (PFS).

Create a listener on the ALB that does not enable Perfect Forward Secrecy (PFS) cipher suites, and use encrypted connections to the servers using Elliptic Curve Diffie-Hellman (ECDHE) cipher suites.

Configure Amazon CloudWatch Logs Insights

Create an Amazon CloudWatch dashboard

Configure AWS Security Hub integrations

Query the findings by using Amazon Athena

The external ID used by the Auditor is missing or incorrect.

The Auditor is using the incorrect password.

The Auditor has not been granted sts:AssumeRole for the role in the destination account.

The Amazon EC2 role used by the Auditor must be set to the destination account role.

The secret key used by the Auditor is missing or incorrect.

The role ARN used by the Auditor is missing or incorrect.

Use the aws kms encrypt command to encrypt the file by using the existing KMS key.

Use the aws kms create-grant command to generate a grant for the existing KMS key.

Use the aws kms encrypt command to generate a data key. Use the plaintext data key to encrypt the file.

Use the aws kms generate-data-key command to generate a data key. Use the encrypted data key to encrypt the file.

Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team's email addresses to the SNS topic. Create a custom AWS Lambda function that will run the aws cloudformation validate-template AWS CLI command on all CloudFormation templates before the build stage in the CI/CD pipeline. Configure the CI/CD pipeline to publish a notification to the SNS topic if any issues are found.

Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team's email addresses to the SNS topic. Create custom rules in CloudFormation Guard for each resource configuration. In the CllCD pipeline, before the build stage, configure a Docker image to run the cfn-guard command on the CloudFormation template. Configure the CI/CD pipeline to publish a notification to the SNS topic if any issues are found.

Create an Amazon Simple Notification Service (Amazon SNS) topic and an Am-azon Simple Queue Service (Amazon SQS) queue. Subscribe the security team's email addresses to the SNS topic. Create an Amazon S3 bucket in the shared services AWS account. Include an event notification to publish to the SQS queue when new objects are added to the S3 bucket. Require the de-velopers to put their CloudFormation templates in the S3 bucket. Launch EC2 ins

Create a centralized CloudFormation stack set that includes a standard set of resources that the developers can deploy in each AWS account. Configure each CloudFormation template to meet the security requirements. For any new resources or configurations, update the CloudFormation template and send the template to the security team for review. When the review is com-pleted, add the new CloudFormation stack to the repository for the devel-ope

Ensure that the operations team configures default bucket encryption on the S3 bucket to use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Ensure that the security team creates an IAM policy that controls access to use the encryption keys.

Ensure that the operations team creates a bucket policy that requires requests to use server-side encryption with AWS KMS keys (SSE-KMS) that are customer managed. Ensure that the security team creates a key policy that controls access to the encryption keys.

Ensure that the operations team creates a bucket policy that requires requests to use server-side encryption with Amazon S3 managed keys (SSE-S3). Ensure that the security team creates an IAM policy that controls access to the encryption keys.

Ensure that the operations team creates a bucket policy that requires requests to use server-side encryption with customer-provided encryption keys (SSE-C). Ensure that the security team stores the customer-provided keys in AWS Key Management Service (AWS KMS). Ensure that the security team creates a key policy that controls access to the encryption keys.

Configure VPC Flow Logs and CloudTrail to send the log data directly to Amazon CloudWatch Logs Query the log data by using a metric filter.

Configure VPC Flow Logs and CloudTrail to send the log data directly to Amazon CloudWatch Logs Query the log data by using a subscription filter.

Configure VPC Flow Logs and CloudTrail to send the log data directly to Amazon DynamoDB Use the DynamoDB Query API operation to query items based on their primary key values.

Configure VPC Flow Logs and CloudTrail to send the log data directly to an Amazon S3 bucket Use Amazon Athena to query the log data.

Stop the instance. Detach the root volume. Generate a new key pair.

Keep the instance running. Detach the root volume. Generate a new key pair.

When the volume is detached from the original instance, attach the volume to another instance as a data volume. Modify the authorized_keys file with a new public key. Move the volume back to the original instance. Start the instance.

When the volume is detached from the original instance, attach the volume to another instance as a data volume. Modify the authorized_keys file with a new private key. Move the volume back to the original instance. Start the instance.

When the volume is detached from the original instance, attach the volume to another instance as a data volume. Modify the authorized_keys file with a new public key. Move the volume back to the original instance that is running.

Use AWS Backup to create legal holds for the recovery points.

Export the backup data to Amazon S3 Create S3 Object Lock legal holds for the recovery points.

Configure an AWS Backup Vault Lock in compliance mode.

Configure an AWS Backup Vault Lock in governance mode.

Create a VPC endpoint tor Kinesis Data Firehose. Configure the application to connect to theVPC endpoint.

Configure an IAM policy to restrict access to Kinesis Data Firehose using a source IP condition. Configure the application to connect to the existing Firehose delivery stream.

Create a new TLS certificate in IAM Certificate Manager (ACM). Create a public-facing Network Load Balancer (NLB) and select the newly created TLS certificate. Configure the NLB to forward all traffic to Kinesis Data Firehose. Configure the application to connect to the NLB.

Peer the on-premises network with the Kinesis Data Firehose VPC using Direct Connect. Configure the application to connect to the existing Firehose delivery stream.

Configure S3 bucket policies to deny DELETE and PUT object permissions.

Configure S3 Object Lock in compliance mode with S3 bucket versioning enabled.

Change the encryption on the S3 bucket to use AWS Key Management Service (AWS KMS) customer managed keys.

Configure the S3 bucket with multi-factor authentication (MFA) delete protection.

Add AWS CloudTrail to the trust policy of the EC2 instance. Send the custom logs to CloudTrail instead of CloudWatch.

Add Amazon S3 to the trust policy of the EC2 instance. Configure the application to write the custom logs to an S3 bucket that CloudWatch can use to ingest the logs.

Add Amazon Inspector to the trust policy of the EC2 instance. Use Amazon Inspector instead of the CloudWatch agent to collect the custom logs.

Attach the CloudWatchAgentServerPolicy AWS managed policy to the EC2 instance role.

Create an Inline IAM user policy that allows for Amazon EC2 access for the contractor's IAM user.

Create an IAM permissions boundary policy that allows Amazon EC2 access. Associate the contractor's IAM account with the IAM permissions boundary policy.

Create an IAM group with an attached policy that allows for Amazon EC2 access. Associate the contractor's IAM account with the IAM group.

Create an IAM role that allows for EC2 and explicitly denies all other services. Instruct the contractor to always assume this role.

Create an IAM group for each application team. Associate policies with each IAM group. Provision IAM users for each application team member. Add the new IAM users to the appropriate IAM group by using role-based access control (RBAC).

Delegate application team leads to provision IAM rotes for each team. Conduct a quarterly review of the IAM rotes the team leads have provisioned. Ensure that the application team leads have the appropriate training to review IAM roles.

Put each AWS account in its own OU. Add an SCP to each OU to grant access to only the AWS services that the teams plan to use. Include conditions tn the AWS account of each team.

Create an SCP and a permissions boundary for IAM roles. Add the SCP to the root OU so that only roles that have the permissions boundary attached can create any new IAM roles.

Create an AWS Config Custom Policy rule by using AWS CloudFormation Guard. Include the tag key of CostCenter and the approved values. Create an SCP that denies the creation of resources when the value of the aws:RequestTag/CostCenter condition key is not one of the three approved values.

Create an AWS CloudTrail trail. Create an Amazon EventBridge rule that includes a rule statement that matches the creation of new resources. Configure the EventBridge rule to invoke an AWS Lambda function that checks for the CostCenter tag. Program the Lambda function to block creation in case of a noncompliant value.

Enable tag policies for the organization. Create a tag policy that specifies a tag key of CostCenter and the approved values. Configure the policy to enforce noncompliant operations. Create an SCP that denies the creation of resources when the aws:RequestTag/CostCenter condition key has a null value.

Enable tag policies for the organization. Create a tag policy that specifies a tag key of CostCenter and the approved values. Create an Amazon EventBridge rule that invokes an AWS Lambda function when a noncompliant tag is created. Program the Lambda function to block changes to the tag.

Configure the CloudFront distribution to use the Lambda@Edge feature. Create an IAM Lambda function that imposes a rate limit on CloudFront viewer requests. Block the request if the rate limit is exceeded.

Configure the IAM WAF web ACL so that the web ACL has more capacity units to process all IAM WAF rules faster.

Configure IAM WAF with a rate-based rule that imposes a rate limit that automatically blocks requests when the rate limit is exceeded.

Configure the CloudFront distribution to use IAM WAF as its origin instead of the ALB.

Review the cross-account role permissions and the S3 bucket policy Verify that the Amazon S3 block public access option in the member account is deactivated.

Review the role permissions m the master account and ensure it has sufficient privileges to perform S3 operations

Filter IAM CloudTrail logs for the master account to find the original deny event and update the cross-account role m the member account accordingly Verify that the Amazon S3 block public access option in the master account is deactivated.

Evaluate the SCPs covering the member account and the permissions boundary of the role in the member account for missing permissions and explicit denies.

Ensure the S3 bucket policy explicitly allows the s3 PutBucketPublicAccess action for the role m the member account

There is no API operation to retrieve an S3 object in its encrypted form.

Encryption of S3 objects is performed within the secure boundary of the KMS service.

S3 uses KMS to generate a unique data key for each individual object.

Using a single master key to encrypt all data includes having a single place to perform audits and usage validation.

The KMS encryption envelope digitally signs the master key during encryption to prevent cryptographic wear-out

Create new S3 buckets with S3 Object Lock enabled in compliance mode. Place objects in the S3 buckets.

Use S3 Glacier Vault Lock to attach a Vault Lock policy to new S3 buckets. Wait 24hours to complete the Vault Lock process. Place objects in the S3 buckets.

Create new S3 buckets with S3 Object Lock enabled in governance mode. Place objects in the S3 buckets.

Create new S3 buckets with S3 Object Lock enabled in governance mode. Add a legal hold to the S3 buckets. Place objects in the S3 buckets.

Create dedicated IAM users within each IAM account that employees can assume through federation based upon group membership in their existing identity provider

Use a centralized account with IAM roles that employees can assume through federation with their existing identity provider Use cross-account roles to allow the federated users to assume their target role in the resource accounts.

Configure the IAM Security Token Service to use Kerberos tokens so that users can use their existing corporate user names and passwords to access IAM resources directly

Configure the IAM trust policies within each account's role to set up a trust back to the corporation's existing identity provider allowing users to assume the role based off their SAML token

Amazon Athena

Amazon Kinesis

Amazon SQS

Amazon Elasticsearch

Amazon EMR

Option A

Option B

Option C

Make the following changes to NACL3:• Add a rule that allows inbound traffic on port 5432 from NACL2.• Add a rule that allows outbound traffic on ports 1024-65536 to NACL2.• Remove the default rules that allow all inbound and outbound traffic.

Make the following changes to NACL3:• Add a rule that allows inbound traffic on port 5432 from the CIDR blocks of the application instance subnets.• Add a rule that allows outbound traffic on ports 1024-65536 to the application instance subnets.• Remove the default rules that allow all inbound and outbound traffic.

Make the following changes to NACL2:• Add a rule that allows outbound traffic on port 5432 to the CIDR blocks of the RDS subnets.• Remove the default rules that allow all inbound and outbound traffic.

Make the following changes to NACL2:• Add a rule that allows inbound traffic on port 5432 from the CIDR blocks of the RDS subnets.• Add a rule that allows outbound traffic on port 5432 to the RDS subnets.

Change the value of aws:MultiFactorAuthPresent to true.

Instruct users to run the aws sts get-session-token CLI command and pass the multi-factor authentication --serial-number and --token-code parameters. Use these resulting values to make API/CLI calls.

Implement federated API/CLI access using SAML 2.0, then configure the identity provider to enforce multi-factor authentication.

Create a role and enforce multi-factor authentication in the role trust policy. Instruct users to run the sts assume-role CLI command and pass --serial-number and --token-code parameters. Store the resulting values in environment variables. Add sts:AssumeRole to NotAction in the policy.