Free and Premium Amazon Web Services SCS-C01 Dumps Questions Answers

Create a public Application Load Balancer. Create two listeners one listener on port 80 and one listener on port 443. Create one target group. Create a rule to forward traffic from port 80 to the listener on port 443 Provision a public TLS certificate in AWS Certificate Manager (ACM). Attach the certificate to the listener on port 443.

Create a public Application Load Balancer. Create two listeners one listener on port 80 and one listener on port 443. Create one target group. Create a rule to forward traffic from port 80 to the listener on port 443 Provision a public TLS certificate in AWS Certificate Manager (ACM). Attach the certificate to the listener on port 80.

Create a public Network Load Balancer. Create two listeners one listener on port 80 and one listener on port 443. Create one target group. Create a rule to forward traffic from port 80 to the listener on port 443. Set the protocol for the listener on port 443 to TLS.

Create a public Network Load Balancer. Create a listener on port 443. Create one target group. Create a rule to forward traffic from port 443 to the target group. Set the protocol for the listener on port 443 to TLS.

Add the file-system-id efs IAM-region amazonIAM com URL to the allow list for the data center firewall Install the IAM CLI on the data center-based servers to mount the EFS file system in the EFS security group add the data center IP range to the allow list Mount the EFS using the EFS file system name

Assign an Elastic IP address to Amazon EFS and add the Elastic IP address to the allow list for the data center firewall Install the IAM CLI on the data center-based servers to mount the EFS file system In the EFS security group, add the IP addresses of the data center servers to the allow list Mount the EFS using the Elastic IP address

Add the EFS file system mount target IP addresses to the allow list for the data center firewall In the EFS security group, add the data center server IP addresses to the allow list Use the Linux terminal to mount the EFS file system using the IP address of one of the mount targets

Assign a static range of IP addresses for the EFS file system by contacting IAM Support In the EFS security group add the data center server IP addresses to the allow list Use the Linux terminal to mount the EFS file system using one of the static IP addresses

Option A

Option B

Option C

Option D

IAM Inspector, CloudTrail, IAM Credential Reports

CloudTrail. IAM Credential Reports, IAM SNS

CloudTrail, IAM Config, IAM Credential Reports

IAM SQS, IAM Credential Reports, CloudTrail

Analyze an IAM Identity and Access Management (IAM) use report from IAM Trusted Advisor to see when the access key was last used.

Analyze Amazon CloudWatch Logs for activity by searching for the access key.

Analyze VPC flow logs for activity by searching for the access key

Analyze a credential report in IAM Identity and Access Management (IAM) to see when the access key was last used.

Move the SCP to the root OU of organization to remove the restriction to access Amazon $3.

Add an IAM policy for the developer, which grants $3 access.

Create a new OU without applying the SCP restricting $3 access. Move the developer account to this new OU.

Add an allow list for the developer account for the $3 service.

Update the CloudFront distribution. configuring it to optionally use HTTPS when connecting to origins on Amazon S3

Update the web application configuration on the web servers to use HTTPS instead of HTTP when connecting to DynamoDB

Update the CloudFront distribution to redirect HTTP corrections to HTTPS

Configure the web servers on the EC2 instances to listen using HTTPS using the public ACM TLS certificate Update the ALB to connect to the target group using HTTPS

Update the ALB listen to listen using HTTPS using the public ACM TLS certificate. Update the CloudFront distribution to connect to the HTTPS listener.

Create a TLS certificate Configure the web servers on the EC2 instances to use HTTPS only with that certificate. Update the ALB to connect to the target group using HTTPS.

Review the cross-account role permissions and the S3 bucket policy Verify that the Amazon S3 block public access option in the member account is deactivated.

Review the role permissions m the master account and ensure it has sufficient privileges to perform S3 operations

Filter IAM CloudTrail logs for the master account to find the original deny event and update the cross-account role m the member account accordingly Verify that the Amazon S3 block public access option in the master account is deactivated.

Evaluate the SCPs covering the member account and the permissions boundary of the role in the member account for missing permissions and explicit denies.

Ensure the S3 bucket policy explicitly allows the s3 PutBucketPublicAccess action for the role m the member account

Delete the key pair from the EC2 console. Create a new key pair.

Use the ModifylnstanceAttribute API operation to change the key on any EC2 instance that is using the key.

Restrict SSH access in the security group to only known corporate IP addresses.

Update the key pair in any AMI that is used to launch the EC2 instances. Restart the EC2 instances.

Create a new trail and configure it to send CloudTrail logs to Amazon S3. Use Amazon EventBridge (Amazon CloudWatch Events) to send notification if a trail is deleted or stopped.

Deploy an IAM Lambda function in every account to check if there is an existing trail and create a new trail, if needed.

Edit the existing trail in the Organizations master account and apply it to the organization.

Create an SCP to deny the cloudtrail:Delete" and cloudtrail:Stop' actions. Apply the SCP to all accounts.

Create an AD policy to modify the Windows Firewall settings on all hosts in the VPC to deny access from the IP Address block.

Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP Address block.

Add a rule to all of the VPC Security Groups to deny access from the IP Address block.

Modify the Windows Firewall settings on all AMI'S that your organization uses in that VPC to deny access from the IP address block.

Disable termination protection for the EC2 instance if termination protection has not been disabled.

Enable termination protection for the EC2 instance if termination protection has not been enabled.

Take snapshots of the Amazon Elastic Block Store (Amazon EBS) data volumes that are attached to the EC2 instance.

Remove all snapshots of the Amazon Elastic Block Store (Amazon EBS) data volumes that are attached to the EC2 instance.

Capture the EC2 instance metadata, and then tag the EC2 instance as under quarantine.

Immediately remove any entries in the EC2 instance metadata that contain sensitive information.

Create a security group with a rule that denies Inbound connections from 0.0.0 0/0 on port 00. Attach this security group to the ALB to overwrite more permissive rules from the ALB's default security

group.

Create a network ACL that denies inbound connections from 0 0.0.0/0 on port 80 Associate the network ACL with the VPC s internet gateway

Create a network ACL that allows outbound connections to the VPC IP range on port 443 only. Associate the network ACL with the VPC's internet gateway.

Create a security group with a single inbound rule that allows connections from 0.0.0 0/0 on port 443. Ensure this security group is the only one associated with the ALB

Apply a user policy in the other accounts to allow IAM Glue and Athena lo access the .csv We.

Use S3 Select to restrict access to the .csv lie. In IAM Glue Data Catalog, use S3 Select as the source of the IAM Glue database.

Define an IAM Glue Data Catalog resource policy in IAM Glue to grant cross-account S3 object access to the .csv file.

Grant IAM Glue access to Amazon S3 in a resource-based policy that specifies the organization as the principal.

Create a new customer managed key Add a key rotation schedule to the key Invoke the key rotation schedule every time the security team requests a key change

Create a new AWS managed key Add a key rotation schedule to the key Invoke the key rotation schedule every time the security team requests a key change

Create a key alias Create a new customer managed key every time the security team requests a key change Associate the alias with the new key

Create a key alias Create a new AWS managed key every time the security team requests a key change Associate the alias with the new key

Option

Option

Option

Configure trusted access for AWS System Manager in Organizations Configure a bastion host from the management account Replace SSH and RDP by using Systems Manager Session Manager from the management account Configure Session Manager logging to Amazon CloudWatch Logs

Replace SSH and RDP with AWS Systems Manager Session Manager Install Systems Manager Agent (SSM Agent) on the instances Attach the

AmazonSSMManagedlnstanceCore role to the instances Configure session data streaming to Amazon CloudWatch Logs Create a separate logging account that has appropriate cross-account permissions to audit the log data

Install a bastion host in the management account Reconfigure all SSH and RDP to allow access only from the bastion host Install AWS Systems Manager Agent (SSM Agent) on the bastion host Attach the AmazonSSMManagedlnstanceCore role to the bastion host Configure session data streaming to Amazon CloudWatch Logs in a separate logging account to audit log data

Replace SSH and RDP with AWS Systems Manager State Manager Install Systems Manager Agent (SSM Agent) on the instances Attach the

AmazonSSMManagedlnstanceCore role to the instances Configure session data streaming to Amazon CloudTrail Use CloudTrail Insights to analyze the trail data

Place the RDS instance in a public subnet and an IAM Lambda function outside the VPC. Schedule the Lambda function to run every 3 months to rotate the secrets.

Place the RDS instance in a private subnet and an IAM Lambda function inside the VPC in the private subnet. Configure the private subnet to use a NAT gateway. Schedule the Lambda function to run every 3 months to rotate the secrets.

Place the RDS instance in a private subnet and an IAM Lambda function outside the VPC. Configure the private subnet to use an internet gateway. Schedule the Lambda function to run every 3 months lo rotate the secrets.

Place the RDS instance in a private subnet and an IAM Lambda function inside the VPC in the private subnet. Schedule the Lambda function to run quarterly to rotate the secrets.

Place the RDS instance in a private subnet and an IAM Lambda function inside the VPC in the private subnet. Configure a Secrets Manager interface endpoint. Schedule the Lambda function to run every 3 months to rotate the secrets.

Specify the deletion time of the key material during KMS key creation. Create a custom AWS Config rule to assess the key's scheduled

deletion. Configure the rule to trigger upon a configuration change. Send a message to an Amazon Simple Notification Service (Amazon SNS) topic if the key is scheduled for deletion.

Create an Amazon EventBridge rule to detect KMS API calls of DeleteAlias. Create an AWS Lambda function to send an Amazon Simple Notification Service (Amazon SNS) message to the company. Add the Lambda function as the target of the EventBridge rule.

Create an Amazon EventBridge rule to detect KMS API calls of DisableKey and ScheduleKeyDeletion. Create an AWS Lambda function to send an Amazon Simple Notification Service (Amazon SNS) message to the company. Add the Lambda function as the target of the EventBridge rule.

Create an Amazon Simple Notification Service (Amazon SNS) policy to detect KMS API calls of RevokeGrant and ScheduleKeyDeletion.

Create an AWS Lambda function to generate the alarm and send the notification to the company. Add the Lambda function as the target of the SNS policy.

The IAM instance profile that is attached to the EC2 instance does not allow the s3 ListBucket action to the S3: bucket in the AWS accounts.

The I AM instance profile that is attached to the EC2 instance does not allow the s3 ListParts action to the S3; bucket in the AWS accounts.

The KMS key policy that encrypts the object in the S3 bucket does not allow the kms; ListKeys action to the EC2 instance profile ARN.

The KMS key policy that encrypts the object in the S3 bucket does not allow the kms Decrypt action to the EC2 instance profile ARN.

The security group that is attached to the EC2 instance is missing an outbound rule to the S3 managed prefix list over port 443.

The security group that is attached to the EC2 instance is missing an inbound rule from the S3 managed prefix list over port 443.

Create an IAM group for each application team. Associate policies with each IAM group. Provision IAM users for each application team member. Add the new IAM users to the appropriate IAM group by using role-based access control (RBAC).

Delegate application team leads to provision IAM rotes for each team. Conduct a quarterly review of the IAM rotes the team leads have provisioned. Ensure that the application team leads have the appropriate training to review IAM roles.

Put each AWS account in its own OU. Add an SCP to each OU to grant access to only the AWS services that the teams plan to use. Include conditions tn the AWS account of each team.

Create an SCP and a permissions boundary for IAM roles. Add the SCP to the root OU so that only roles that have the permissions boundary attached can create any new IAM roles.

Create an AWS Config managed rule to detect unencrypted ROS storage. Configure an automatic remediation action to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic that includes an AWS Lambda function and an email delivery target as subscribers. Configure the Lambda function to delete the unencrypted resource.

Create an AWS Config managed rule to detect unencrypted RDS storage. Configure a manual remediation action to invoke an AWS Lambda function. Configure the Lambda function to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic and to delete the unencrypted resource.

Create an Amazon EventBridge rule that evaluates RDS event patterns and is initiated by the creation of DB instances or DB clusters Configure the rule to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic that includes an AWS Lambda function and an email delivery target as subscribers. Configure the Lambda function to delete the unencrypted resource.

Create an Amazon EventBridge rule that evaluates RDS event patterns and is initiated by the creation of DB instances or DB clusters. Configure the rule to invoke an AWS Lambda function. Configure the Lambda function to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic and to delete the unencrypted resource.

Create a pre sign-up AWS Lambda trigger. Associate the Amazon Cognito function with the Amazon Cognito user pool.

Use a geographic match rule statement to configure an AWS WAF web ACL. Associate the web ACL with the Amazon Cognito user pool.

Configure an app client for the application's Amazon Cognito user pool. Use the app client ID to validate the requests in the hosted Ul.

Update the application's Amazon Cognito user pool to configure a geographic restriction setting.

Use Amazon Cognito to configure a social identity provider (IdP) to validate the requests on the hosted Ul.

Configure the CMK key policy to allow only the Amazon S3 service to use the kms Encrypt action

Configure the CMK key policy to allow IAM KMS actions only when the kms ViaService condition matches the Amazon S3 service name.

Configure the IAM user's policy lo allow KMS to pass a rote lo Amazon S3

Configure the IAM user's policy to allow only Amazon S3 operations when they are combined with the CMK

Option A

Option B

Option C

Option D

Use the IAM Systems Manager Parameter Store to generate database credentials. Use an IAM profile for ECS tasks to restrict access to database credentials to specific containers only.

Use IAM Secrets Manager to store database credentials. Use an IAM inline policy for ECS tasks to restrict access to database credentials to specific containers only.

Use the IAM Systems Manager Parameter Store to store database credentials. Use IAM roles for ECS tasks to restrict access to database credentials lo specific containers only

Use IAM Secrets Manager to store database credentials. Use IAM roles for ECS tasks to restrict access to database credentials to specific containers only.

The IAM rote does not have permission to use the KMS CreateKey operation.

The S3 bucket lacks a policy that allows access to the customer managed key that encrypts the objects.

The IAM rote does not have permission to use the customer managed key that encrypts the objects that are in the S3 bucket.

The ACL of the S3 objects does not allow read access for the objects when the objects ace encrypted at rest.

Add an outbound allow rule for 192.168.2.0/24 in the VPC's default network ACL.

Add an inbound allow rule for 192.168.2.0/24 in the VPC's default network ACL.

Add an outbound allow rule for 192.168.2.0/24 in subnet-2-NACL.

Add an inbound allow rule for 192.168.1.0/24 in subnet-2-NACL.

Add an outbound allow rule for 192.168.1.0/24 in subnet-2-NACL.

Use Cloudwatch logs to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS for the notification.

Use Cloudwatch metrics to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS for the notification.

Use IAM inspector to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS f the notification.

Use Cloudwatch events to be triggered for any changes to the Security Groups. Configure the Lambda function for email notification as well.

Enable Amazon GuardDuty to automatically monitor for malicious activity and block unauthorized access.

Subscribe to IAM Shield Advanced and reach out to IAM Support in the event of an attack.

Use VPC Flow Logs to monitor network: traffic and an IAM Lambda function to automatically block an attacker's IP using security groups.

Set up an Amazon CloudWatch Events rule to monitor the IAM CloudTrail events in real time use IAM Config rules to audit the configuration, and use IAM Systems Manager for remediation.

Use IAM WAF to create rules to respond to such attacks

Configure the key policy for the customer managed key in the production account to allow access to the Lambda service.

Configure the key policy for the customer managed key in the production account to allow access to the IAM role of the Lambda function in the development account.

Configure a new IAM policy in the production account with permissions to use the customer managed key. Apply the IAM policy to the IAM role that the Lambda function in the development account uses.

Configure a new key policy in the development account with permissions to use the customer managed key. Apply the key policy to the IAM role that the Lambda function in the development account uses.

Configure the IAM role for the Lambda function in the development account by attaching an IAM policy that allows access to the customer managed key in the production account.

Archive the data to Amazon S3 and apply a restrictive bucket policy to deny the s3 DeleteOotect API

Archive the data to Amazon S3 Glacier and apply a Vault Lock policy

Archive the data to Amazon S3 and replicate it to a second bucket in a second IAM Region Choose the S3 Standard-Infrequent Access (S3 Standard-1A) storage class and apply a restrictive bucket policy to deny the s3 DeleteObject API

Migrate the log data to a 16 T8 Amazon Elastic Block Store (Amazon EBS) volume Create a snapshot of the EBS volume

Modify the IAM WAF web ACL with an IP set match rule statement to deny incoming requests from the IP address range.

Add a rule to all security groups to deny the incoming requests from the IP address range.

Modify the IAM WAF web ACL with a rate-based rule statement to deny the incoming requests from the IP address range.

Configure the IAM WAF web ACL with regex match conditions. Specify a pattern set to deny the incoming requests based on the match condition

Add full Amazon Inspector IAM permissions to the Security Hub service role to allow it to perform the CIS compliance evaluation

Ensure that IAM Trusted Advisor Is enabled in the account and that the Security Hub service role has permissions to retrieve the Trusted Advisor security-related recommended actions

Ensure that IAM Config. is enabled in the account, and that the required IAM Config rules have been created for the CIS compliance evaluation

Ensure that the correct trail in IAM CloudTrail has been configured for monitoring by Security Hub and that the Security Hub service role has permissions to perform the GetObject operation on CloudTrails Amazon S3 bucket

There is no API operation to retrieve an S3 object in its encrypted form.

Encryption of S3 objects is performed within the secure boundary of the KMS service.

S3 uses KMS to generate a unique data key for each individual object.

Using a single master key to encrypt all data includes having a single place to perform audits and usage validation.

The KMS encryption envelope digitally signs the master key during encryption to prevent cryptographic wear-out

Use AWS Systems Manager Patch Manager to view vulnerability identifiers for missing patches on the instances. Use Patch Manager also to automate the patching process.

Use AWS Shield Advanced to view vulnerability identifiers for missing patches on the instances. Use AWS Systems Manager Patch Manager to automate the patching process.

Use Amazon GuardDuty to view vulnerability identifiers for missing patches on the instances. Use Amazon Inspector to automate the patching process.

Use Amazon Inspector to view vulnerability identifiers for missing patches on the instances. Use Amazon Inspector also to automate the patching process.

Use encrypted Amazon EBS volumes with Amazon default keys (IAM EBS)

Use server-side encryption with customer-provided keys (SSE-C)

Use server-side encryption with IAM KMS managed keys (SSE-KMS)

Use server-side encryption with Amazon S3 managed keys (SSE-S3)

Create an IAM role in the production account and allow EC2 instances in the development account to assume that role using the trust policy. Provide read access for the required S3 bucket to this role.

Use a custom identity broker to allow Developer IAM users to temporarily access the S3 bucket.

Create a temporary IAM user for the application to use in the production account.

Create a temporary IAM user in the production account and provide read access to Amazon S3. Generate the temporary IAM user's access key and secret key and store these on the EC2 instance used by the application in the development account.

Import the key material into AWS Key Management Service (AWS KMS).

Manually upload the new host key to the AWS trusted host keys database.

Ensure that the AmazonSSMManagedInstanceCore policy is attached to the EC2 instance profile.

Create a new SSH key pair for the EC2 instance.

Configure cluster security groups for each application module to control access to database users that are required for read-only and readwrite

Configure a VPC endpoint for Amazon Redshift Configure an endpoint policy that maps database users to each application module, and allow access to the tables that are required for read-only and read/write

Configure an 1AM policy for each module Specify the ARN of an Amazon Redshift database user that allows the GetClusterCredentials API call

Create local database users for each module

Configure an 1AM policy for each module Specify the ARN of an 1AM user that allows the GetClusterCredentials API call

Create an HTTPS listener that uses a certificate that is managed by IAM Certificate Manager (ACM).

Create an HTTPS listener that uses a security policy that uses a cipher suite with perfect toward secrecy (PFS).

Create an HTTPS listener that uses the Server Order Preference security feature.

Create a TCP listener that uses a custom security policy that allows only cipher suites with perfect forward secrecy (PFS).

Use IAM Control Tower. Modify the default Account Factory networking template to automatically associate new accounts with a centrally managed VPC through a VPC peering connection and to create a default route to the VPC peer in the default route table. Create an SCP that denies the CreatelnternetGateway action. Attach the SCP to all accounts except the security inspection account.

Create a centrally managed VPC in the security inspection account. Establish VPC peering connections between the security inspection account and other accounts. Instruct account owners to create default routes in their account route tables that point to the VPC peer. Create an SCP that denies the

Attach InternetGateway action. Attach the SCP to all accounts except the security inspection account.

Use IAM Control Tower. Modify the default Account Factory networking template to automatically associate new accounts with a centrally managed transit

gateway and to create a default route to the transit gateway in the default route table. Create an SCP that denies the AttachlnternetGateway action. Attach the SCP to all accounts except the security inspection account.

Enable IAM Resource Access Manager (IAM RAM) for IAM Organizations. Create a shared transit gateway, and make it available by using an IAM RAM resource share. Create an SCP that denies the CreatelnternetGateway action. Attach the SCP to all accounts except the security inspection account. Create routes in the route tables of all accounts that point to the shared transit gateway.

Use Amazon inspector to determine which systems do not have the latest patches applied, and after 30 days, redeploy those instances with the latest AMI version

Configure Amazon EC2 Systems Manager to report on instance patch compliance and enforce updates during the defined maintenance windows

Examine IAM CloudTrail togs to determine whether any instances have not restarted in the last 30 days, and redeploy those instances

Update the AMls with the latest approved patches and redeploy each instance during the defined maintenance window

Use an IAM Key Management Service (IAM KMS) CMK. Encrypt the data at rest.

Use IAM Certificate Manager (ACM) Private Certificate Authority Encrypt the data in transit.

Use a DynamoDB encryption client. Use client-side encryption and sign the table items

Use the IAM Encryption SDK. Use client-side encryption and sign the table items.

Add a rule to the Application Load Balancer to route the traffic originating from the IP address in question and show a static webpage.

Implement a rate-based rule with IAM WAF

Use IAM Shield to limit the originating traffic hit rate.

Implement the GeoLocation feature in Amazon Route 53.

Within the Auto Scaling lifecycle, add a hook to create and attach an Amazon Elastic Block Store (Amazon EBS) log volume each time an EC2 instance is created. When the instance is terminated, the EBS volume can be reattached to another instance for log review.

Create an Amazon Elastic File System (Amazon EFS) file system and add a command in the user data section of the Auto Scaling launch template to mount the EFS file system during EC2 instance creation Configure a process on the instance to copy the logs once a day from an instance Amazon Elastic Block Store (Amazon EBS) volume to a directory in the EFS file system.

Build the Amazon CloudWatch agent into the AMI used in the Auto Scaling group. Configure the CloudWatch agent to send the logs to Amazon CloudWatch Logs for review.

Within the Auto Scaling lifecycle, add a lifecycle hook at the terminating state transition and alert the engineering team by using a lifecycle notification to Amazon Simple Notification Service (Amazon SNS). Configure the hook to remain in the Terminating:Wait state for 1 hour to allow manual review of the security logs prior to instance termination.

Create an Application Load Balancer (ALB) that uses public subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create an Amazon

CloudFront distribution that uses the ALB as its origin. Create appropriate IAM WAF ACLs and enable them on the CloudFront distribution.

Create an Application Load Balancer (ALB) that uses private subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create an Amazon CloudFront distribution that uses the ALB as its origin. Create appropriate IAM WAF ACLs and enable them on the CloudFront distribution.

Create an Application Load Balancer (ALB) that uses public subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create appropriate IAM WAF ACLs and enable them on the ALB.

Create an Application Load Balancer (ALB) that uses private subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create appropriate IAM WAF ACLs and enable them on the ALB.

Configure an IAM policy that allows the least permissive actions to communicate with the API Gateway Attach the policy to the role used by the legacy EC2 instances

Enable IAM WAF for API Gateway Configure rules to explicitly allow connections from the legacy EC2 instances

Create a VPC endpoint for API Gateway Attach an IAM resource policy that allows the role of the legacy EC2 instances to call specific APIs

Create a usage plan Generate a set of API keys for each application that needs to call the API.

Configure cross-origin resource sharing (CORS) in each API Share the CORS information with the applications that call the API.

Configure the S3 bucket ACLs to allow IAM Config to record changes to the buckets.

Configure policies attached to S3 buckets to allow IAM Config to record changes to the buckets.

Attach the AmazonS3ReadOnryAccess managed policy to the IAM user.

Verify the security engineer's IAM user has an attached policy that allows all IAM Config actions.

Assign the IAMConfigRole managed policy to the IAM Config role

The NAT gateway in the subnet where the EC2 instance is deployed has been misconfigured

The internet gateway of the VPC has been reconfigured

The security group denies outbound traffic on ephemeral ports

The route table is missing a route to the internet gateway

The NACL denies outbound traffic on ephemeral ports

The host-based firewall is denying SSH traffic

The S3 ACL for the S3 bucket fails to explicitly grant access to the Application Developer

The IAM KMS key for the S3 bucket fails to list the Application Developer as an administrator

The S3 bucket policy fails to explicitly grant access to the Application Developer

The S3 bucket policy explicitly denies access to the Application Developer

Deploy IAM WAF to block all unsecured web applications from accessing the internet.

Deploy an Intrusion Detection/Prevention System (IDS/IPS) to monitor or block unusual incoming network traffic.

Configure security groups to allow outgoing network traffic only from hosts that are protected with up-to-date antivirus software.

Create Amazon CloudFront distribution and configure IAM WAF rules to protect the web applications from malicious traffic.

Use the default Amazon VPC for externakfacing systems to allow IAM to actively block malicious network traffic affecting Amazon EC2 instances.

Create a new trail with the updated log file prefix, and then delete the original nail Update the existing bucket policy in the Amazon S3 console with the new log the prefix, and then update the log file prefix in the CloudTrail console

Update the existing bucket policy in the Amazon S3 console to allow the security engineers principal to perform PutBucketPolicy. and then update the log file prefix in the CloudTrail console

Update the existing bucket policy in the Amazon S3 console with the new log file prefix, and then update the log file prefix in the CloudTrail console.

Update the existing bucket policy in the Amazon S3 console to allow the security engineers principal to perform GetBucketPolicy, and then update the log file prefix in the CloudTrail console

Set up an S3 bucket policy with the IAMsecuretransport key Configure the CloudFront origin access identity (OAI) with the S3 bucket Configure CloudFront to use specific ciphers. Enforce the ALB with an HTTPS listener only and select the appropriate security policy for the ciphers Link the ALB with IAM WAF to allow access from the CloudFront IP ranges.

Set up an S3 bucket policy with the IAM:securetransport key. Configure the CloudFront origin access identity (OAI) with the S3 bucket. Enforce the ALB with an HTTPS listener only and select the appropriate security policy for the ciphers.

Modify the CloudFront distribution to use IAM WAF. Force HTTPS on the S3 bucket with specific ciphers in the bucket policy. Configure an HTTPS listener only for the ALB. Set up a security group to limit access to the ALB from the CloudFront IP ranges

Modify the CloudFront distribution to use the ALB as the origin. Enforce an HTTPS listener on the ALB. Create a path-based routing rule on the ALB with proxies that connect lo Amazon S3. Create a bucket policy to allow access from these proxies only.

Extract the subject (sub), audience (aud), and cognito:username from the ID token payload Manually check the subject and audience for the user name In the user pool

Search for the public key with a key ID that matches the key ID In the header of the token. Then use a JSON Web Token (JWT) library to validate the signature of the token and extract values, such as the expiry date

Verify that the token is not expired. Then use the token_use claim function In Amazon Cognito to validate the key IDs

Copy the JSON Web Token (JWT) as a JSON document Obtain the public JSON Web Key (JWK) and convert It to a pem file. Then use the file to validate the original JWT.

Set up domain controllers on Amazon EC2 to extend the on-premises directory to IAM

Establish network connectivity between on-premises and the user's VPC

Use Amazon Cognito user pools for application authentication

Use AD Connector tor application authentication.

Set up federated sign-in to IAM through ADFS and SAML.

A customer managed CMK that uses customer provided key material

A customer managed CMK that uses IAM provided key material

An IAM managed CMK

Operating system-native encryption that uses GnuPG

Enable Amazon GuardDuty and IAM Security Hub in all Regions and all accounts. Designate a master security account to receive all alerts from the child accounts. Set up specific rules within Amazon Even;Bridge to trigger an IAM Lambda function for remediation steps.

Ingest all IAM CloudTrail logs, VPC Flow Logs, and DNS logs into a single Amazon S3 bucket in a designated security account. Use the current on-premises SIEM to monitor the logs and send a notification to an Amazon SNS topic to alert the security team of remediation steps.

Ingest all IAM CloudTrail logs, VPC Flow Logs, and DNS logs into a single Amazon S3 bucket in a designated security account. Launch an Amazon EC2 instance and install the current SIEM to monitor the logs and send a notification to an Amazon SNS topic to alert the security team of remediation steps.

Enable Amazon GuardDuty and IAM Security Hub in all Regions and all accounts. Designate a master security account to receive all alerts from the child accounts. Create an IAM Organizations SCP that denies access to certain API calls that are on an ignore list.

Set up an Amazon CloudWatch Events rule that triggers an Amazon SNS notification.

Set up an Amazon CloudWatch Events rule that triggers an Amazon SNS notification logs from S3 and generate notifications using Amazon SNS.

Set up a rule in IAM config to trigger root user events. Trigger an IAM Lambda function and generate notifications using Amazon SNS.

Use Amazon Inspector to monitor the usage of the root user and generate notifications using Amazon SNS

Create a new CMK. Download a new wrapping key and a new import token to import the original key material

Create a new CMK Use the original wrapping key and import token to import the original key material.

Download a new wrapping key and a new import token Import the original key material into the existing CMK.

Use the original wrapping key and import token Import the original key material into the existing CMK

Configure a web ACL rule for IAM WAF to block requests with a string match condition for the user agent of the loT device. Associate the v/eb ACL with the ALB.

Configure an Amazon CloudFront distribution to use the ALB as an origin. Configure a web ACL rule for IAM WAF to block requests with a string match condition for the user agent of the loT device. Associate the web ACL with the ALB Change the public DNS entry of the website to point to the CloudFront distribution.

Configure an Amazon CloudFront distribution to use a new ALB as an origin. Configure a web ACL rule for IAM WAF to block requests with a string match condition for the user agent of the loT device. Change the ALB security group to alow access from CloudFront IP address ranges only Change the public DNS entry of the website to point to the CloudFront distribution.

Activate IAM Shield Advanced to enable DDoS protection. Apply an IAM WAF ACL to the ALB. and configure a listener rule on the ALB to block loT devices based on the user agent.

Associate the instances to the same security groups.

Add 0.0.0.0/0 to the egress rules of the instance security groups.

Add the instance IDs to the ingress rules of the instance security groups.

Add the public IP addresses to the ingress rules of the instance security groups.

Create an Amazon CloudWatch alarm for IAM CloudTrail Events Create a metric filter to send a notification when me same set of IAM credentials is used by multiple developer

Create a federation between IAM and the existing corporate IdP Leverage IAM roles to provide federated access to IAM resources

Create a VPN tunnel between the corporate premises and the VPC Allow permissions to all IAM services only if it originates from corporate premises.

Create multiple IAM rotes for each IAM user Ensure that users who use the same IAM credentials cannot assume the same IAM role at the same time.

Launch a NAT instance in the public subnet Update the custom route table with a new route to the NAT instance

Remove the internet gateway, and add IAM PrivateLink to the VPC Then update the custom route table with a new route to IAM PrivateLink

Add a managed NAT gateway to the VPC Update the custom route table with a new route to the gateway

Add an egress-only internet gateway to the VPC. Update the custom route table with a new route to the gateway

Download a new copy of the SAML metadata file from the identity provider Create a new IAM identity provider entity. Upload the new metadata file to the new IAM identity provider entity.

During the next certificate rotation period and before the current certificate expires, add a new certificate as the secondary to the identity provider. Generate a new metadata file and upload it to the IAM identity provider entity. Perform automated or manual rotation of the certificate when required.

Download a new copy of the SAML metadata file from the identity provider Upload the new metadata to the IAM identity provider entity configured for the SAML integration in question.

During the next certificate rotation period and before the current certificate expires, add a new certificate as the secondary to the identity provider. Generate a new copy of the metadata file and create a new IAM identity provider entity. Upload the metadata file to the new IAM identity provider entity. Perform automated or manual rotation of the certificate when required.

Download a new copy of the SAML metadata file from the identity provider Create a new IAM identity provider entity. Upload the new metadata file to the new IAM identity provider entity. Update the identity provider configurations to pass a new IAM identity provider entity name in the SAML assertion.

Create an IAM Config rule defining the patch as a required configuration for EC2 instances.

Use the IAM Systems Manager Run Command to patch affected instances.

Use an IAM Systems Manager Patch Manager predefined baseline to patch affected instances.

Use IAM Systems Manager Session Manager to log in to each affected instance and apply the patch.

Use an IAM KMS customer managed key and store the key material in IAM with replication across Regions

Use an IAM customer managed key, import the key material into IAM KMS using in-house IAM CloudHSM. and store the key material securely in Amazon S3.

Use an IAM KMS custom key store backed by IAM CloudHSM clusters, and copy backups across Regions

Use IAM CloudHSM to generate the key material and backup keys across Regions Use the Java Cryptography Extension (JCE) and Public Key Cryptography Standards #11 (PKCS #11) encryption libraries to encrypt and decrypt the data.

One in the US West (Oregon) region and one in the US East (Virginia) region.

Two in the US West (Oregon) region and none in the US East (Virginia) region.

One in the US West (Oregon) region and none in the US East (Virginia) region.

Two in the US East (Virginia) region and none in the US West (Oregon) region.

Configure the application’s EC2 instances to use NAT gateways for all inbound traffic.

Move the web servers to private subnets without public IP addresses.

Configure IAM WAF to provide DDoS attack protection for the ALB.

Require all inbound network traffic to route through a bastion host in the private subnet.

Require all inbound and outbound network traffic to route through an IAM Direct Connect connection.

Option A

Option B

Option C

Option D

IAM managed Customer Master Key (CMK)

Customer managed CMK with IAM generated key material

Customer managed CMK with imported key material

IAM managed data key

Call UploadServerCertificate with /cloudfront/dev/ in the path parameter.

Import the certificate with a 4,096-bit RSA public key.

Ensure that the certificate, private key, and certificate chain are PKCS #12-encoded.

Import the certificate in the us-east-1 (N. Virginia) Region.

Ensure that the certificate, private key, and certificate chain are PEM-encoded.

Remove me instance from the Auto Seating group Close me security group mm ingress only from a single forensic P address to perform an analysis.

Remove me instance from the Auto Seating group Change me network ACL rules to allow traffic only from a single forensic IP address to perform en analysis Add a rule to deny all other traffic.

Remove the instance from the Auto Scaling group Enable Amazon GuardDuty in that IAM account Install the Amazon Inspector agent cm the suspicious EC 2 instance to perform a scan.

Take a snapshot of the suspicious EC2 instance. Create a new EC2 instance from me snapshot in a closed security group with ingress only from a single forensic IP address to perform an analysis

Disable public access to the RDS database inside the VPC

Move all the Lambda functions inside the VPC.

Edit the IAM role used by Lambda to restrict internet access.

Create a VPC endpoint for Systems Manager. Store the credentials as a string parameter. Change the parameter type to an advanced parameter.

Edit the IAM role used by RDS to restrict internet access.

Create a VPC endpoint for Systems Manager. Store the credentials as a SecureString parameter.

The CMK specified in the application does not exist.

The CMK specified in the application is currently in use.

The CMK specified in the application is using the CMK KeyID instead of CMK Amazon Resource Name.

The CMK specified in the application is not enabled.

The CMK specified in the application is using an alias.

Create a new CMK, and redirect the existing Key Alias to the new CMK

Select the option to auto-rotate the key

Upload new key material into the existing CMK.

Create a new CMK, and change the application to point to the new CMK

Use client-side encryption with an IAM KMS customer-managed key implemented with the IAM Encryption SDK

Use IAM CloudHSM to store the keys and perform cryptographic operations Save the encrypted text in Amazon S3

Use an IAM KMS customer-managed key that is backed by a custom key store using IAM CloudHSM

Use an IAM KMS customer-managed key with the bring your own key (BYOK) feature to import a key stored in IAM CloudHSM

Enable IAM Config and set it to record all resources in all Regions and global resources. Then enable IAM Security Hub and confirm that the CIS IAM Foundations compliance standard is enabled

Enable Amazon Inspector and configure it to scan all Regions for the CIS IAM Foundations Benchmarks. Then enable IAM Security Hub and configure it to ingest the

Amazon Inspector findings

Enable Amazon Inspector and configure it to scan all Regions for the CIS IAM Foundations Benchmarks. Then enable IAM Shield in all Regions to protect the account from DDoS attacks.

Enable IAM Config and set it to record all resources in all Regions and global resources Then enable Amazon Inspector and configure it to enforce CIS IAM Foundations Benchmarks using IAM Config rules.

in every IAM account, configure IAM Lambda to query me IAM Support API tor IAM Trusted Advisor security checks Send the results from Lambda to an Amazon SNS topic to send reports.

Configure Amazon GuardDuty in a master account and invite all other accounts to be managed by the master account Use GuardDuty's integration with Amazon SNS to report on findings

Use Amazon Athena and Amazon QuickSight to build reports off of IAM CloudTrail Create a daily Amazon CloudWatch trigger to run the report dally and email It using Amazon SNS

Use IAM Artifact's prebuilt reports and subscriptions Subscribe the Director of Information Security to the reports by adding the Director as the security alternate contact tor each account

The EC2 instance role does not have decrypt permissions on the IAM Key Management Sen/ice (IAM KMS) key used to encrypt the secret

The EC2 instance role does not have read permissions to read the parameters In Parameter Store

Parameter Store does not have permission to use IAM Key Management Service (IAM KMS) to decrypt the parameter

The EC2 instance role does not have encrypt permissions on the IAM Key Management Service (IAM KMS) key associated with the secret

The EC2 instance does not have any tags associated.

Option A

Option B

Option C

Option D

Add a template constraint to each product in the portfolio.

Add a launch constraint to each product in the portfolio.

Define resource update constraints for each product in the portfolio.

Update the IAM CloudFormalion template backing the product to include a service role configuration.

Configuring IAM Organizations to monitor root user API calls on the paying account

Creating an Amazon CloudWatch Events rule that will trigger when any API call from the root user is reported

Configuring Amazon Inspector to scan the IAM account for any root user activity

Configuring IAM Trusted Advisor to send an email to the Security team when the root user logs in to the console

Using Amazon SNS to notify the target group

Update the password length policy In the on-premises Active Directory configuration.

Update the password length policy In the IAM configuration.

Enforce an IAM policy In Amazon Cognito and IAM IAM with a minimum password length condition.

Update the password length policy in the Amazon Cognito configuration.

Create an SCP with IAM Organizations that enforces a minimum password length for IAM IAM and Amazon Cognito.

Use IAM Resource Access Manager to create shared resources for each requited security group and apply an IAM policy that permits read-only access to the security groups only.

Create an IAM CloudFormation template that creates the required security groups Execute the template as part of configuring new accounts Enable Amazon Simple Notification Service (Amazon SNS) notifications when changes occur

Use IAM Firewall Manager to create a security group policy, enable the policy feature to identify and revert local changes, and enable automatic remediation

Use IAM Control Tower to edit the account factory template to enable the snare security groups option Apply an SCP to the OU or individual accounts that prohibits security group modifications from local account users

Analyze IAM CloudTrail for activity.

Analyze Amazon CloudWatch Logs for activity.

Download and analyze the IAM Use report from IAM Trusted Advisor.

Analyze the resource inventory in IAM Config for IAM user activity.

Download and analyze a credential report from IAM.

IAM CloudFormation

Amazon GuardDuty

Amazon Inspector

Amazon Macie

IAM Step Functions

Create one Cloudtrail log group for data events

Create one trail that logs data events to an S3 bucket

Create another trail that logs management events to another S3 bucket

Create another Cloudtrail log group for management events

Create an IAM user and generate encryption keys for that user. Create a policy for Redshift read-only access. Embed th keys in the application.

Create an HSM client certificate in Redshift and authenticate using this certificate.

Create a Redshift read-only access policy in IAM and embed those credentials in the application.

Use roles that allow a web identity federated user to assume a role that allows access to the Redshift table by providing temporary credentials.

Attach an IAM role to the bucket that grants the bucket owner full permissions to the object

Add a grant to the objects ACL giving full permissions to bucket owner.

Encrypt the object with a KMS key controlled by the company.

Add a bucket policy to the bucket that grants the bucket owner full permissions to the object

Upload the file to the company's S3 bucket

"Effect": "Allow". "Action": ["Describe"], "Resource": "Billing"

"Effect": "Allow", "Action": ["AccountUsage], "Resource": "*"

"Effect': "Allow", "Action": ["IAM-portal:ViewUsage"," IAM-portal:ViewBilling"], "Resource": "*"

"Effect": "Allow", "Action": ["IAM-portal: ViewBilling"], "Resource": "*"

Trigger an IAM Config Rules evaluation of the restricted-common-ports rule against every EC2 instance.

Query the Trusted Advisor API for all best practice security checks and check for "action recommened" status.

Enable a GuardDuty threat detection analysis targeting the port configuration on every EC2 instance.

Run an Amazon inspector assessment using the Runtime Behavior Analysis rules package against every EC2 instance.

Take a snapshot of the EBS volume

Isolate the machine from the network

Make sure that logs are stored securely for auditing and troubleshooting purpose

Ensure all passwords for all IAM users are changed

Ensure that all access kevs are rotated.

Set up a CloudWatch event based on Trusted Advisor metrics

Trigger a Lambda function from a scheduled CloudWatch event that terminates non-compliant infrastructure.

Set up a CloudWatch event based on Amazon inspector findings

Monitor compliance with IAM Config Rules triggered by configuration changes

Trigger a CLI command from a CloudWatch event that terminates the infrastructure

Use Security Groups to block the IP addresses

Use VPC Flow Logs to block the IP addresses

Use IAM inspector to block the IP addresses

Use IAM WAF to block the IP addresses

End-to-end protection of data in transit

End-to-end Identity authentication

Data encryption across the internet

Protection of data in transit over the Internet

Peer identity authentication between VPN gateway and customer gateway

Data integrity protection across the Internet

Enable server access logging for the bucket

Enable Cloudwatch metrics for the bucket

Enable Cloudwatch logs for the bucket

Enable IAM Config for the S3 bucket

Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAl.

Add the CloudFront account security group "amazon-cf/amazon-cf-sg" to the appropriate S3 bucket policy.

Create an Identity and Access Management (IAM) User for CloudFront and grant access to the objects in your S3 bucket to that IAM User.

Create a S3 bucket policy that lists the CloudFront distribution ID as the Principal and the target bucket as the Amazon Resource Name (ARN).

Use IAM Cloudtrail to record the processes running on the server to an S3 bucket.

Use IAM Cloudwatch to record the processes running on the server

Use the SSM Run command to send the list of running processes information to an S3 bucket.

Use IAM Config to see the changed process information on the server

Check the Inbound security rules for the database security group Check the Outbound security rules for the application security group

Check the Outbound security rules for the database security group I Check the inbound security rules for the application security group

Check the both the Inbound and Outbound security rules for the database security group Check the inbound security rules for the application security group

Check the Outbound security rules for the database security group

Check the both the Inbound and Outbound security rules for the application security group

The user should use the same encryption key for all versions of the same object

It is possible to have different encryption keys for different versions of the same object

IAM S3 does not allow the user to upload his own keys for server side encryption

The SSE-C does not work when versioning is enabled

Create a Lambda function that mounts the EBS volume with the logs and scans the logs for security incidents. Trigger the function every 5 minutes with a scheduled Cloudwatch event.

Send the local text log files to CloudWatch Logs and configure a CloudWatch metric filter. Trigger cloudwatch alarms based on the metrics.

Install the Amazon inspector agent on any EC2 instance running the legacy application. Generate CloudWatch alerts a based on any Amazon inspector findings.

Export the local text log files to CloudTrail. Create a Lambda function that queries the CloudTrail logs for security ' incidents using Athena.

Use VPC Flow logs to get the IP addresses accessing the EC2 Instances

Use IAM Cloud trail to get the IP addresses accessing the EC2 Instances

Use IAM Config to get the IP addresses accessing the EC2 Instances

Use IAM Trusted Advisor to get the IP addresses accessing the EC2 Instances

Enable versioning on the S3 bucket

Enable data at rest for the objects in the bucket

Enable MFA Delete in the bucket policy

Enable data in transit for the objects in the bucket

Expose the data with a public HTTPS endpoint.

A VPN between the VPC and the data center over a Direct Connect connection

A VPN between the VPC and the data center.

A Direct Connect connection between the VPC and data center

Enable cross region replication for the bucket

Write a script to copy the objects to another bucket in the destination region

Create an S3 snapshot in the destination region

Enable versioning which will copy the objects to the destination region

Use IAM Access keys to encrypt the data

Use SSL certificates to encrypt the data

Enable server side encryption on the S3 bucket

Enable MFA on the S3 bucket

Ensure the applications are hosted in a public subnet

Check to see if the VPC has an Internet gateway attached.

Check to see if the VPC has a NAT gateway attached.

Check the Route tables for the VPC's

Change the VPC peering connection to a VPN connection

Change the VPC peering connection to a Direct Connect connection

Ensure the security groups for the AD hosted subnet has the right rule for relevant subnets

Ensure that the AD is placed in a public subnet

Put the metadata as metadata for each object in the S3 bucket and then enable S3 Server side encryption.

Put the metadata as metadata for each object in the S3 bucket and then enable S3 Server KMS encryption.

Put the metadata in a DynamoDB table and ensure the table is encrypted during creation time.

Put thp metadata in thp S3 hurkpf itself.

Ensure the load balancer listens on port 80

Ensure the load balancer listens on port 443

Ensure the HTTPS listener sends requests to the instances on port 443

Ensure the HTTPS listener sends requests to the instances on port 80

Use the IAM SDK to encrypt the data before sending it to the DynamoDB table

Encrypt the DynamoDB table using KMS during its creation

Encrypt the table using IAM KMS after it is created

Use S3 buckets to encrypt the data before sending it to DynamoDB

The EC2 instance running your WAF software is placed between your private subnets and any NATed connections to the internet.

The EC2 instance running your WAF software is placed between your public subnets and your Internet Gateway.

The EC2 instance running your WAF software is placed between your public subnets and your private subnets.

The EC2 instance running your WAF software is included in an Auto Scaling group and placed in between two Elastic load balancers.

Don't do anything since CloudTrail logs are automatically encrypted.

Enable S3-SSE for the underlying bucket which receives the log files

Enable S3-KMS for the underlying bucket which receives the log files

Enable KMS encryption for the logs which are sent to Cloudwatch

Use an Application Load balancer and terminate the SSL connection at the ELB

Use a Classic Load balancer and terminate the SSL connection at the ELB

Use an Application Load balancer and terminate the SSL connection at the EC2 Instances

Use a Classic Load balancer and terminate the SSL connection at the EC2 Instances

Cross side scripting

SQL injection

DDoS attacks

Malware attacks

Create a new CloudTrail trail with one new S3 bucket to store the logs and with the global services option selected. Use IAM roles S3 bucket policies and Mufti Factor Authentication (MFA) Delete on the S3 bucket that stores your logs.

Create a new CloudTrail with one new S3 bucket to store the logs. Configure SNS to send log file delivery notifications to your management system. Use IAM roles and S3 bucket policies on the S3 bucket that stores your logs.

Create a new CloudTrail trail with an existing S3 bucket to store the logs and with the global services option selected. Use S3 ACLsand Multi Factor Authentication (MFA) Delete on the S3 bucket that stores your logs.

Create three new CloudTrail trails with three new S3 buckets to store the logs one for the IAM Management console, one for IAM SDKs and one for command line tools. Use IAM roles and S3 bucket policies on the S3 buckets that store your logs.

Upload data to S3 and use lifecycle policies to move the data into Glacier for long-term archiving.

Upload the data on EBS, use lifecycle policies to move EBS snapshots into S3 and later into Glacier for long-term archiving.

Use Direct Connect to upload data to S3 and use IAM policies to move the data into Glacier for long-term archiving.

Use Storage Gateway to store data to S3 and use lifecycle policies to move the data into Redshift for long-term archiving.

It will allow all access to the bucket mybucket

It will allow the user mark from IAM account number 111111111 all access to the bucket but deny everyone else all access to the bucket

It will deny all access to the bucket mybucket

None of these

Transparent data encryption

SSL from your application

Data keys from IAM KMS

Data Keys from CloudHSM

Grant public access for the bucket via the bucket policy

Use the IAM:Referer key in the condition clause for the bucket policy

Use the IAM:sites key in the condition clause for the bucket policy

Grant a role that can be assumed by the web site

Use a VPC endpoint to the DynamoDB table

Use a VPN connection from the VPC

Use a VPC gateway from the VPC

Use a VPC Peering connection to the DynamoDB table

Create an IAM policy that allows the key to be accessed by only the S3 service.

Create a bucket policy that allows the key to be accessed by only the S3 service.

Use the kms:ViaService condition in the Key policy

Define an IAM user, allocate the key and then assign the permissions to the required service

Ensure that there is a trust policy in place for the IAM Config service within the role

Ensure that there is a grant policy in place for the IAM Config service within the role

Ensure that there is a user policy in place for the IAM Config service within the role

Ensure that there is a group policy in place for the IAM Config service within the role

Use Windows bit locker for EBS volumes on Windows instances

Use TrueEncrypt for EBS volumes on Linux instances

Use IAM Systems Manager to encrypt the existing EBS volumes

Boot EBS volume can be encrypted during launch without using custom AMI

Add the keys to the backend distribution.

Add the keys to the S3 bucket

Create pre-signed URL's

Use IAM Access keys

The master keys encrypts the cluster key. The cluster key encrypts the database key. The database key encrypts the data encryption keys.

The master keys encrypts the database key. The database key encrypts the data encryption keys.

The master keys encrypts the data encryption keys. The data encryption keys encrypts the database key

The master keys encrypts the cluster key, database key and data encryption keys

Ensure to create a strong password for logging into the EC2 Instance

Create a key pair using putty

Use the private key to log into the instance

Ensure the password is passed securely using SSL

Create an IAM policy with the security group and use that security group for IAM console login

Create an IAM policy with a condition which denies access when the IP address range is not from the organization

Configure the EC2 instance security group which allows traffic only from the organization's IP range

Create an IAM policy with VPC and allow a secure gateway between the organization and IAM Console

You have not explicitly given access via the key policy

You have not explicitly given access via the IAM policy

You have not given access via the IAM roles

You have not explicitly given access via IAM users

Configure the CloudTrail service in each IAM account, and have the logs delivered to an IAM bucket on each account, while granting the auditor permissions to the bucket via roles in the secondary accounts and a single primary IAM account that can assume a read-only role in the secondary IAM accounts.

Configure the CloudTrail service in the primary IAM account and configure consolidated billing for all the secondary accounts. Then grant the auditor access to the S3 bucket that receives the CloudTrail log files.

Configure the CloudTrail service in each IAM account and enable consolidated logging inside of CloudTrail.

Configure the CloudTrail service in each IAM account and have the logs delivered to a single IAM bucket in the primary account and erant the auditor access to that single bucket in the orimarv account.

Create a new IAM user that has administrator permissions in the IAM account. Delete the password for the IAM account root user.

Create a new IAM user that has administrator permissions in the IAM account. Modify the permissions for the existing IAM users.

Replace the access key for the IAM account root user. Delete the password for the IAM account root user.

Create a new IAM user that has administrator permissions in the IAM account. Enable multi-factor authentication for the IAM account root user.

Server-side encryption with Amazon S3-managed keys (SSE-S3)

Server-side encryption with IAM KMS-managed keys (SSE-KMS)

Server-side encryption with customer-provided keys (SSE-C)

Client-side encryption with an IAM KMS-managed CMK

Create a new database field “suspended_status” and modify the application logic to validate that field when processing requests.

Add suspended customers to second Cognito user pool and update the application login flow to check both user pools.

Use Amazon Cognito Sync to push out a “suspension_status” parameter and split the lAM policy into normal users and suspended users.

Move suspended customers to a second Cognito group and define an appropriate IAM access policy for the group.

Use IAM Inspector to inspect all the security Groups

Use the IAM Trusted Advisor to see which security groups have compromised access.

Use IAM Config to see which security groups have compromised access.

Use the IAM CLI to query the security groups and then filter for the rules which have unrestricted accessd

Remove the sensitive data from the object name, and store the sensitive data using S3 user-defined metadata.

Add an S3 bucket policy that denies the action s3:GetObject

Use a random and unique S3 object key, and create an S3 metadata index in Amazon DynamoDB using client-side encrypted attributes.

Store all sensitive objects in Binary Large Objects (BLOBS) in an encrypted Amazon RDS instance.

kms:GenerateDataKey

kms:Decrypt

kms:CreateGrant

“Condition”: {“Bool”: {“kms:ViaService”: “ec2.us-west-2.amazonIAM.com”}}

“Condition”: {“Bool”: {“kms:GrantIsForIAMResource”: true}}

Verify that the S3 bucket policy allow CloudTrail to write objects.

Verify that the IAM role used by CloudTrail has access to write to Amazon CloudWatch Logs.

Remove any lifecycle policies on the S3 bucket that are archiving objects to Amazon Glacier.

Verify that the S3 bucket defined in CloudTrail exists.

Verify that the log file prefix defined in CloudTrail exists in the S3 bucket.

Specify “IAM:SecureTransport”: “true” within a condition in the S3 bucket policy.

Enable a security group for the S3 bucket that allows port 443, but not port 80.

Set up default encryption for the S3 bucket.

Enable Amazon CloudWatch Logs for the IAM account.

Enable API logging of data events for all S3 objects.

Enable S3 object versioning for the S3 bucket.

Disable network ACLs.

Configure the security appliance's elastic network interface for promiscuous mode.

Disable the Network Source/Destination check on the security appliance's elastic network interface

Place the security appliance in the public subnet with the internet gateway

Create a new S3 bucket in a separate IAM account for centralized storage of CloudTrail logs, and enable “Log File Validation” on all trails.

Use an existing S3 bucket in one of the accounts, apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the "s3: PutObject" action and the "s3 GetBucketACL" action, and specify the appropriate resource ARNs for the CloudTrail trails.

Apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the "s3 PutObject" action and the "s3 GelBucketACL" action, and specify the appropriate resource ARNs for the CloudTrail trails.

Use unique log file prefixes for trails in each IAM account.

Configure CloudTrail in the centralized account to log all accounts to the new centralized S3 bucket.

Enable encryption of the log files by using IAM Key Management Service

Use KMS grants to manage key access. Programmatically create and revoke grants to manage vendor access.

Use an IAM role to manage key access. Programmatically update the IAM role policies to manage vendor access.

Use KMS key policies to manage key access. Programmatically update the KMS key policies to manage vendor access.

Use delegated access across IAM accounts by using IAM roles to manage key access. Programmatically update the IAM trust policy to manage cross-account vendor access.

Amazon S3 static web hosting

Amazon CloudFront distribution

Application Load Balancer

Amazon Route 53

VPC Flow Logs

Deploy a pre-authorized scanning engine from the IAM Marketplace into VPC B, and use it to scan instances in all three VPCs. Do not complete the penetration test request form.

Deploy a pre-authorized scanning engine from the Marketplace into each VPC, and scan instances in each VPC from the scanning engine in that VPC. Do not complete the penetration test request form.

Create a VPN connection from the data center to VPC A. Use an on-premises scanning engine to scan the instances in all three VPCs. Complete the penetration test request form for all three VPCs.

Create a VPN connection from the data center to each of the three VPCs. Use an on-premises scanning engine to scan the instances in each VPC. Do not complete the penetration test request form.

Create a VPN connection from the data center to each of the three VPCs. Use an on-premises scanning engine to scan the instances in each VPC. Complete the penetration test request form for all three VPCs.

Associate an origin access identity with the CloudFront distribution.

Implement a “Principal”: “cloudfront.amazonIAM.com” condition in the S3 bucket policy.

Modify the S3 bucket permissions so that only the origin access identity can access the bucket contents.

Implement security groups so that the S3 bucket can be accessed only by using the intended CloudFront distribution.

Configure the S3 bucket policy so that it is accessible only through VPC endpoints, and place the CloudFront distribution into the specified VPC.

Enable IAM Trusted Advisor security checks in the IAM Console, and report all security incidents for all regions.

Enable IAM CloudTrail by creating individual trails for each region, and specify a single Amazon S3 bucket to receive log files for later analysis.

Enable IAM CloudTrail by creating a new trail and applying the trail to all regions. Specify a single Amazon S3 bucket as the storage location.

Enable Amazon CloudWatch logging for all IAM services across all regions, and aggregate them to a single Amazon S3 bucket for later analysis.

Change the volume encryption on the EBS volume to use a different encryption mechanism. Then, release the EBS volumes back to IAM.

Release the volumes back to IAM. IAM immediately wipes the disk after it is deprovisioned.

Delete the encryption key used to encrypt the EBS volume. Then, release the EBS volumes back to IAM.

Delete the data by using the operating system delete commands. Run Quick Format on the drive and then release the EBS volumes back to IAM.

Change the key policy permissions associated with the KMS CMK for each application when it must access the data in Amazon S3.

Have each application assume an IAM role that provides permissions to use the IAM Certificate Manager CMK.

Have each application use a grant on the KMS CMK to add or remove specific access controls on the KMS CMK.

Have each application use an IAM policy in a user context to have specific access permissions on the KMS CMK.

Install antivirus software and ensure that signatures are up-to-date. Configure Amazon CloudWatch alarms to send alerts for security events.

Install host-based IDS software to check for file integrity. Export the logs to Amazon CloudWatch Logs for monitoring and alerting.

Export system log files to Amazon S3. Parse the log files using an IAM Lambda function that will send alerts of any unauthorized system login attempts through Amazon SNS.

Use Amazon CloudWatch Logs to detect file system changes. If a change is detected, automatically terminate and recreate the instance from the most recent AMI. Use Amazon SNS to send notification of the event.

The Lambda function does not have permissions to start the Athena query execution.

The Security Engineer does not have permissions to start the Athena query execution.

The Athena service does not support invocation through Lambda.

The Lambda function does not have permissions to access the CloudTrail S3 bucket.

Shutdown the instance

Remove the rule for incoming traffic on port 22 for the Security Group

Change the AMI for the instance

Change the Instance type for the instance

Enable IAM Guard Duty for the Instance

Use IAM Trusted Advisor

Use IAM inspector

UseIAMMacie

Create an IAM group for the finance users in the FinanceDept account, then attach the IAM managed ReadOnlyAccess IAM policy to the group.

Create an IAM group for the finance users in the MasterPayer account, then attach the IAM managed ReadOnlyAccess IAM policy to the group.

Create an IAM IAM role in the FinanceDept account with the ViewBilling permission, then grant the finance users in the MasterPayer account the permission to assume that role.

Create an IAM IAM role in the MasterPayer account with the ViewBilling permission, then grant the finance users in the FinanceDept account the permission to assume that role.

Create a VPC endpoint for DynamoDB within a VPC. Configure the Lambda function to access resources in the VPC.

Create a resource policy that grants the Lambda function permissions to write to the DynamoDB table. Attach the poll to the DynamoDB table.

Create an IAM user with permissions to write to the DynamoDB table. Store an access key for that user in the Lambda environment variables.

Create an IAM service role with permissions to write to the DynamoDB table. Associate that role with the Lambda function.

Use Amazon QuickSight and Cloud Trail to generate the report of out of compliance instances/servers. Redeploy all out of compliance instances/servers using an AMI with the latest patches.

Use Systems Manger Patch Manger to generate the report of out of compliance instances/ servers. Use Systems Manager Patch Manger to install the missing patches.

Use Systems Manger Patch Manger to generate the report of out of compliance instances/ servers. Redeploy all out of1 compliance instances/servers using an AMI with the latest patches.

Use Trusted Advisor to generate the report of out of compliance instances/servers. Use Systems Manger Patch Manger to install the missing patches.

Use the IAM Trusted Advisor to see what can be done.

Use VPC Flow logs to diagnose the traffic

Use IAM WAF to analyze the traffic

Use IAM Guard Duty to analyze the traffic

Create a powershell script using the IAM CLI. Query for all resources with the tag of production.

Create a bash shell script with the IAM CLI. Query for all resources in all regions. Store the results in an S3 bucket.

Use Cloud Trail to get the list of all resources

Use IAM Config to get the list of all resources

The Amazon WorkMail and Amazon SES services have delegated KMS encrypt and decrypt permissions to the ExampleUser principal in the 111122223333 account.

The ExampleUser principal can transparently encrypt and decrypt email exchanges specifically between ExampleUser and IAM.

The CMK is to be used for encrypting and decrypting only when the principal is ExampleUser and the request comes from WorkMail or SES in the specified region.

The key policy allows WorkMail or SES to encrypt or decrypt on behalf of the user for any CMK in the account.

Conduct an audit on a yearly basis

Conduct an audit if application instances have been added to your account

Conduct an audit if you ever suspect that an unauthorized person might have accessed your account

Whenever there are changes in your organization

Change the “Resource” from “arn: IAM:s3:::Bucket” to “arn:IAM:s3:::Bucket/*”.

Change the “Principal” from “*” to {IAM:”arn:IAM:iam: : account-number: user/username”}

Change the “Version” from “2012-10-17” to the last revised date of the policy

Change the “Action” from [“s3:*”] to [“s3:GetObject”, “s3:ListBucket”]

Confirm that the EC2 instance's security group authorizes S3 access.

Verify that the KMS key policy allows decrypt access for the KMS key for this IAM principle.

Check the S3 bucket policy for statements that deny access to objects.

Confirm that the EC2 instance is using the correct key pair.

Confirm that the IAM role associated with the EC2 instance has the proper privileges.

Confirm that the instance and the S3 bucket are in the same Region.

Create a rule in IAM WAF rules with conditions that block requests based on the presence of ExampleGame/1.22 in the User-Agent header

Create a geographic restriction on the CloudFront distribution to prevent access to the application from most geographic regions

Create a rate-based rule in IAM WAF to limit the total number of requests that the web application services.

Create an IP-based blacklist in IAM WAF to block the IP addresses that are originating from requests that contain ExampleGame/1.22 in the User-Agent header.

Consider using Windows Server 2016 Certificate Manager

Consider using IAM Certificate Manager

Consider using IAM Access keys to generate the certificates

Consider using IAM Trusted Advisor for managing the certificates

The outbound rules on the security group do not allow the response to be sent to the client on the ephemeral port range.

The outbound rules on the security group do not allow the response to be sent to the client on the HTTP port.

An outbound rule must be added to the network ACL to allow the response to be sent to the client on the ephemeral port range.

An outbound rule must be added to the network ACL to allow the response to be sent to the client on the HTTP port.

Use IAM Shield to scan inbound traffic for web exploits. Use VPC Flow Logs and IAM Lambda to restrict egress traffic to specific whitelisted URLs.

Use IAM Shield to scan inbound traffic for web exploits. Use a third-party IAM Marketplace solution to restrict egress traffic to specific whitelisted URLs.

Use IAM WAF to scan inbound traffic for web exploits. Use VPC Flow Logs and IAM Lambda to restrict egress traffic to specific whitelisted URLs.

Use IAM WAF to scan inbound traffic for web exploits. Use a third-party IAM Marketplace solution to restrict egress traffic to specific whitelisted URLs.

Create IAM roles with permissions corresponding to each Active Directory group.

Create IAM groups with permissions corresponding to each Active Directory group.

Configure Amazon Cloud Directory to support a SAML provider.

Configure Active Directory to add relying party trust between Active Directory and IAM.

Configure Amazon Cognito to add relying party trust between Active Directory and IAM.

VPN and a cached storage gateway

IAM Snowball Edge

VPN Gateway over IAM Direct Connect

IAM Direct Connect

Add the IAM:sourceVpce condition to the IAM KMS key policy referencing the company's VPC endpoint ID.

Remove the VPC internet gateway from the VPC and add a virtual private gateway to the VPC to prevent direct, public internet connectivity.

Create a VPC endpoint for IAM KMS with private DNS enabled.

Use the KMS Import Key feature to securely transfer the IAM KMS key over a VPN.

Add the following condition to the IAM KMS key policy: "IAM:SourceIp": "10.0.0.0/16".

Bucket1 only

Bucket2 only

Both bucket1 and bucket2

Neither bucket1 nor bucket2

The execution role for the Lambda function did not grant permissions to write log data to CloudWatch Logs.

The Lambda function was executed by using Amazon API Gateway, so the logs are not stored in CloudWatch Logs.

The execution role for the Lambda function did not grant permissions to write to the Amazon S3 bucket where CloudWatch Logs stores the logs.

The version of the Lambda function that was executed was not current.

Use IAM Artifact to capture an exact image of the state of each instance.

Create EBS Snapshots of each of the volumes attached to the compromised instances.

Capture a memory dump.

Log in to each instance with administrative credentials to restart the instance.

Revoke all network ingress and egress except for to/from a forensics workstation.

Run Auto Recovery for Amazon EC2.

Implement a “write-only” CloudTrail event filter to detect any modifications to the IAM account resources.

Configure Amazon Macie to classify and discover sensitive data in the Amazon S3 bucket that contains the CloudTrail audit logs.

Configure Amazon Athena to read from the CloudTrail S3 bucket and query the logs to examine account activities.

Enable Amazon S3 event notifications to trigger an IAM Lambda function that sends an email alarm when there are new CloudTrail API entries.

Using Amazon Inspector, review all of the API calls and configure the inspector agent to leverage SNS topics to notify security of the change to IAM CloudTrail, and revoke the new API keys for the root user.

Using IAM Config, create a config rule that detects when IAM CloudTrail is disabled, as well as any calls to the root user create-api-key. Then use a Lambda function to re-enable CloudTrail logs and deactivate the root API keys.

Using Amazon CloudWatch, create a CloudWatch event that detects IAM CloudTrail deactivation and a separate Amazon Trusted Advisor check to automatically detect the creation of root API keys. Then use a Lambda function to enable IAM CloudTrail and deactivate the root API keys.

Using Amazon CloudTrail, create a new CloudTrail event that detects the deactivation of CloudTrail logs, and a separate CloudTrail event that detects the creation of root API keys. Then use a Lambda function to enable CloudTrail and deactivate the root API keys.

email.us-east-1.amazonIAM.com over port 8080

email-pop3.us-east-1.amazonIAM.com over port 995

email-smtp.us-east-1.amazonIAM.com over port 587

email-imap.us-east-1.amazonIAM.com over port 993

Use the KMS direct encrypt function on the log data every time a CloudTrail log is generated.

Use the default Amazon S3 server-side encryption with S3-managed keys to encrypt and decrypt the CloudTrail logs.

Configure CloudTrail to use server-side encryption using KMS-managed keys to encrypt and decrypt CloudTrail logs.

Use encrypted API endpoints so that all IAM API calls generate encrypted CloudTrail log entries using the TLS certificate from the encrypted API call.