Amazon Web Services SCS-C02 AWS Certified Security - Specialty Exam Practice Test

these are the steps that can meet the requirements in the most secure manner. CloudTrail is a service that records AWS API calls and delivers log files to an S3 bucket. Turning on CloudTrail in each IAM account can help capture all IAM API calls made within those accounts. Updating the bucket policy of the bucket in the account that will be storing the logs can help grant other accounts permission to write log files to that bucket. The other options are either unnecessary or insecure for logging and analyzing IAM API calls.

For a company using AWS Organizations that requires centralized management and automatic activation of Amazon GuardDuty across all current and future AWS accounts, setting up a delegated administrator account for GuardDuty is the optimal solution. By enabling GuardDuty in a new account and designating it as the delegated administrator, the company can centrally manage GuardDuty findings and automatically enroll new AWS accounts into GuardDuty as they are created within the organization. This approach ensures consistent threat detection and continuous monitoring across all accounts, aligning with best security practices.

The correct answer is D. Remove Amazon SES from the root SCP.

This answer is correct because the root SCP is the most restrictive policy that applies to all accounts in the organization. The root SCP explicitly denies access to Amazon SES by using the NotAction element, which means that any action that is not listed in the element is denied. Therefore, removing Amazon SES from the root SCP will allow the developers to access it, as long as there are no other SCPs or IAM policies that deny it.

The other options are incorrect because:

A.Adding a resource policy that allows each member of the group to access Amazon SES is not a solution, because resource policies are not supported by Amazon SES1.Resource policies are policies that are attached to AWS resources, suchas S3 buckets or SNS topics, to control access to those resources2. Amazon SES does not have any resources that can have resource policies attached to them.

B.Adding a resource policy that allows “Principal”: {“AWS”: “arn:aws:iam::account-number:group/Dev”} is not a solution, because resource policies do not support IAM groups asprincipals3.Principals are entities that can perform actions on AWS resources, such as IAM users, roles, or AWSaccounts4.IAM groups are not principals, but collections of IAM users that share the same permissions5.

C.Removing the AWS Control Tower control (guardrail) that restricts access to Amazon SES is not a solution, because AWS Control Tower does not have any guardrails that restrict access to Amazon SES6.Guardrails are high-level rules that govern the overall behavior of an organization’s accounts7.AWS Control Tower provides a set of predefined guardrails that cover security, compliance, and operations domains8.

To mitigate traffic volume from a specific IP address without entirely blocking it, AWS WAF’s rate-based rules are the appropriate solution. AWS WAF (Web Application Firewall) provides rate-based rules that allow a user to count and limit the rate of requests from individual IP addresses.

A rate-based rule tracks the number of requests that each originating IP makes in a rolling five-minute period. If the number of requests exceeds a specified threshold, WAF applies an action such as block or count.

This makes AWS WAF an ideal tool to throttle traffic rather than block it, which directly meets the use case described.

Reference from AWS Certified Security - Specialty Official Guide:

This capability is part of AWS WAF’s standard feature set, explicitly covered under the topics of Logging and Monitoring and Mitigating DDoS and Abnormal Behavior. Rate-based rules are discussed as a method for limiting the number of incoming requests based on request patterns without denying access outright.

The correct answer is B. Store the API key value in AWS Secrets Manager. In the template, replace all references to the value with {{resolve:secretsmanager:MySecretId:SecretString}}.

This answer is correct because AWS Secrets Manager is a service that helps you protect secrets that are needed to access your applications, services, and IT resources. You can store and manage secrets such as database credentials, API keys, and other sensitive data in Secrets Manager.You can also use Secrets Manager to rotate, manage, and retrieve your secrets throughout their lifecycle1.Secrets Manager integrates with AWS CloudFormation, which allows you to reference secrets fromyour templates using the {{resolve:secretsmanager:…}} syntax2. This way, you can avoid exposing your secrets in plaintext and still use them in your resources.

The other options are incorrect because:

A. Storing the API key value as a SecureString parameter in AWS Systems Manager Parameter Store is not a solution, because AWS CloudFormation does not support references to SecureString parameters.This means that you cannot use the {{resolve:ssm:…}} syntax to retrieve encrypted parameter values from Parameter Store3. You would have to use a custom resource or a Lambda function to decrypt the parameter value, which adds complexity and overhead to your template.

C. Storing the API key value in Amazon DynamoDB is not a solution, because AWS CloudFormation does not support references to DynamoDB items.This means that you cannot use the {{resolve:dynamodb:…}} syntax to retrieve item values fromDynamoDB tables4. You would have to use a custom resource or a Lambda function to query the DynamoDB table, which adds complexity and overhead to your template.

D. Storing the API key value in a new Amazon S3 bucket is not a solution, because AWS CloudFormation does not support references to S3 objects.This means that you cannot use the {{resolve:s3:…}} syntax to retrieve object values from S3 buckets5. You would have to use a custom resource or a Lambda functionto download the object from S3, which adds complexity and overhead to your template.

GuardDuty can trigger an EventBridge rule upon detecting a suspicious finding (e.g., unusual traffic volume). Using Lambda, the automation can:

Remove the affected instance from the Auto Scaling group to prevent it from being terminated and replaced.

Isolate the instance by applying a restrictive security group.

This approach aligns with AWS incident response best practices, which recommend isolation over termination to preserve forensic data while minimizing disruption to the application.

The most likely cause of the error is that the instance profile for the EC2 instance does not have the s3:PutObject permission for the S3 bucket. This permission is needed to upload logs to the bucket. Therefore, the security engineer should ensure that the instance profile has this permission.

One possible solution is to attach the AWSImageBuilderFullAccess policy to the instance profile for the EC2 instance. This policy grants full access to Image Builder resources and related AWS services, including the s3:PutObject permission for any bucket with “imagebuilder” in its name. However, this policy may grant more permissions than necessary, which violates the principle of least privilege.

Another possible solution is to create a custom policy that only grants the s3:PutObject permission for the specific S3 bucket that is used for logging. This policy can be attached to the instance profile along with the other policies that are required for Image Builder functionality: EC2InstanceProfileForImageBuilder, EC2InstanceProfileForImageBuilderECRContainerBuilds, and AmazonSSMManagedInstanceCore. This solution follows the principle of least privilege more closely than the previous one.

Ensure that the following policies are attached to the instance profile for the EC2 instance: EC2InstanceProfileForImageBuilder, EC2InstanceProfileForImageBuilderECRContainerBuilds, and AmazonSSMManagedInstanceCore.

Ensure that the instance profile for the EC2 instance has the s3:PutObject permission for the S3 bucket. This can be done by either attaching the AWSImageBuilderFullAccess policy or creating a custom policy with this permission.

1: Using managed policies for EC2 Image Builder - EC2 Image Builder 2: PutObject - Amazon Simple Storage Service 3: AWSImageBuilderFullAccess - AWS Managed Policy

Understanding the Requirements:

The Lambda functions need access to S3 for writing summaries.

All traffic to S3 must stay within the AWS network and not traverse the internet.

Deploy Lambda Functions in a Private Subnet:

Place the Lambda functions in a private subnet to ensure they do not directly access the internet.

Create an S3 Gateway Endpoint:

Set up a VPC gateway endpoint for Amazon S3.

The endpoint ensures all traffic to S3 stays within AWS's private network.

Update Route Table:

Modify the route table for the private subnet to include the gateway endpoint.

IAM Permissions for the Lambda Function:

Ensure the Lambda function's execution role has permissions to write to the specified S3 bucket.

Advantages:

Cost-Effective: Eliminates NAT gateway costs for S3 traffic.

Secure: Keeps all S3 traffic within AWS's private network.

VPC Endpoint for Amazon S3

Using Lambda in VPC

The error message indicates that the private key file permissions are too open, meaning that other users can read or write to the file. This is a security risk, as the private key should be accessible only by the owner of the file. To fix this error, the security administrator should use the chmod command to change the permissions of the private key file to 0400, which means that only the owner can read the file and no one else can read or write to it.

The chmod command takes a numeric argument that represents the permissions for the owner, group, and others in octal notation. Each digit corresponds to a set of permissions: read (4), write (2), and execute (1). The digits are added together to get the final permissions for each category. For example, 0400 means that the owner has read permission (4) and no other permissions (0), and the group and others have no permissions at all (0).

The other options are incorrect because they either do not change the permissions at all (D), or they give too much or too little permissions to the owner, group, or others (A, C).

Verified References:

Option A: This option meets the requirements of following security best practices and configuring sensitive database credentials in the CloudFormation template. A dynamic reference is a way to specify external values that are stored and managed in other services,such as Secrets Manager, in the stack templates1. When using a dynamic reference, CloudFormation retrieves the value of the specified reference when necessary during stack and change set operations1. Dynamic references can be used for certain resources that support them, such as AWS::RDS::DBInstance1. By using a dynamic reference to reference the database credentials in Secrets Manager, the company can leverage the existing integration between these services and avoid hardcoding the secret information in the template. Secrets Manager is a service that helps you protect secrets needed to access your applications, services, and IT resources2. Secrets Manager enables you to rotate, manage,and retrieve database credentials, API keys, and other secrets throughout theirlifecycle2.

To troubleshoot the issue of an EC2 instance failing to start and transitioning to a terminated state when it has an EBS volume encrypted with an AWS KMS customer managed key, a security engineer should take the following steps:

C. Verify that the KMS key that is associated with the EBS volume is in the Enabled state. If the key is not enabled, it will not function properly and could cause the EC2 instance to fail.

D. Verify that the EC2 role that is associated with the instance profile has the correct IAM instance policy to launch an EC2 instance with the EBS volume. If the instance does not have the necessary permissions, it may not be able to mount the volume and could cause the instance to fail.

Therefore, options C and D are the correct answers.

Option B: This option meets the requirements of scanning ECS containers and ECR registries for vulnerabilities, and providing a centralized view of the findings for the audit team. AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. AWS Config conformance packs are a collection of AWS Config rules and remediation actions that can be easily deployed as a single entity in an account and a Region or across an organization in AWS Organizations. Conformance packs can help you manage configuration compliance of your AWS resources at scale by using a common framework and packaging model. You can use prebuilt conformance packs for vulnerability scanning, such as CIS Operating System SecurityConfiguration Benchmarks or Amazon Inspector Rules for Linux Instances1. You can also create custom conformance packs to scan for vulnerabilities in programming language libraries. AWS Config aggregator is a feature that enables you to aggregate configuration and compliance data from multiple accounts and Regions into a single accountand Region2. You can provide access for the audit team to use AWS Config in the account where the aggregator is configured, and view the aggregated data in the AWS Config console or API.

To detect suspicious activity in an AWS account for VPC hosted resources, the security engineer needs to use a service that can monitor network traffic and API calls across all AWS Regions. Amazon GuardDuty is a threat detection service that can do this by analyzing VPC Flow Logs, AWS CloudTrail event logs, and DNS logs. By activating GuardDuty across all AWS Regions, the security engineer can provide visibility for as many regions as possible. GuardDuty generates findings that contain details about the potential threats detected in the account. To respond to these findings, the security engineer needs to create a mechanism that can notify the relevant stakeholders or take remedial actions. One way to do this is to use Amazon EventBridge, which is a serverless event bus service that can connect AWS services and third-party applications. By creating an EventBridge rule that responds to GuardDuty findings and publishes them to an Amazon Simple Notification Service (Amazon SNS) topic, the security engineer can enable subscribers of the topic to receive notifications via email, SMS, or other methods. This is a cost-effective solution that does not require any additional infrastructure or code.

The correct answer is D. Enable CloudTrail to monitor data events for read and write operations to S3 buckets.

According to the AWS documentation1, CloudTrail data events are the resource operations performed on or within a resource. These are also known as data plane operations. Data events are often high-volume activities. For example, Amazon S3 object-level API activity (such as GetObject, DeleteObject, and PutObject) is a data event.

By default, trails do not log data events. To record CloudTrail data events, you must explicitly add the supported resources or resource types for which you want to collect activity.For more information, see Logging data events in the Amazon S3 User Guide2.

In this case, the security team wants EventBridge to watch for the s3:PutObjectAcl API invocation logs from CloudTrail.This API uses the acl subresource to set the access control list (ACL) permissions for a new or existing object in an S3 bucket3. This is a data event that affects the S3 object resource type. Therefore, the security team must enable CloudTrail to monitor data events for read and write operations to S3 buckets in order to invoke an EventBridge event for this API call.

The other options are incorrect because:

A. Modifying the EventBridge event pattern by selecting Amazon S3 and All Events as the event type will not capture the s3:PutObjectAcl API call, because this is a data event and not a management event. Management events provide information about management operations that are performed on resources in your AWS account.These are also known as control plane operations4.

B. Modifying the EventBridge event pattern by selecting Amazon S3 and Bucket Level Operations as the event type will not capture the s3:PutObjectAcl API call, because this is a data event that affects the S3 object resource type and not the S3 bucket resource type.Bucket level operations are management events that affect the configuration or metadata of an S3 bucket5.

C. Enabling CloudTrail Insights to identify unusual API activity will not help the security team monitor new S3 objects or changes to any S3 bucket policy or setting that result in public access.CloudTrail Insights helps AWS users identify andrespond to unusual activity associated with API calls and API error rates by continuously analyzing CloudTrail management events6. It does not analyze data events or generate EventBridge events.

The correct answer is A because it meets the RPO of 1 hour by creating backups of the EC2 instances and S3 buckets every hour. It also uses AWS CloudFormation templates to replicate the existing architecture components and AWS CodeCommit to store the templates and the application configuration code. This way, the security engineer can quickly restore the environment in case of a ransomware attack.

The other options are incorrect because they do not meet the RPO of 1 hour or they do not provide a complete disaster recovery solution. Option B only creates backups of the EBS volumes and S3 objects every day, which is not frequent enough to meet the RPO. Option C does not create any backups of the EC2 instances or the S3 buckets, which are essentialfor the frontend services. Option D only creates EBS snapshots every 4 hours, which is also not frequent enough to meet the RPO. Additionally, option D relies on Amazon GuardDuty to detect and respond to ransomware attacks, which may not be effective if the attacker bypasses the preventive and detective controls.

To quickly identify other compute resources with the specific version of the web framework installed, the team should do the following:

Scan all the EC2 instances with AWS Systems Manager to identify the vulnerable version of the web framework. This allows the team to use AWS Systems Manager Inventory to collect and query information about the software installed on their EC2 instances, and to filter the results by software name and version.

To meet the requirements of importing their own key material, setting an expiration date on the keys, and deleting keys immediately, the security engineer should do the following:

Configure AWS KMS and use a custom key store. This allows the security engineer to use a key manager outside of AWS KMS that they own and manage, such as an AWS CloudHSM cluster or an external key manager.

Create a customer managed CMK with no key material. Import the company’s keys and key material into the CMK. This allows the security engineer to use their own key material for encryption and decryption operations, and to specify an expiration date for it.

To redesign the edge security to help mitigate the DDoS attack risk in the future, the engineer could do the following:

Move the static content to Amazon S3, and front this with an Amazon CloudFront distribution. This allows the engineer to use a global content delivery network that can cache static content at edge locations and reduce the load on the origin servers.

Use AWS WAF security rules to inspect the inbound traffic. This allows the engineer to use web application firewall rules that can filter malicious requests based on IP addresses, headers, body, or URI strings, and block them before they reach the web servers.

Use Amazon Route 53 to distribute traffic. This allows the engineer to use a scalable and highly available DNS service that can route traffic based on different policies, such as latency, geolocation, or health checks.

To improve the security at the edge of the solution to defend against a large, layer 7 DDoS attack, the security engineer should do the following:

Configure AWS WAF with a rate-based rule that imposes a rate limit that automatically blocks requests when the rate limit is exceeded. This allows the security engineer to use a rule that tracks the number of requests from a single IP address and blocks subsequent requests if they exceed a specified threshold within a specified time period.

The correct answer is C. Use AWS Resource Access Manager (AWS RAM) to share Account-A’s VPC subnets with the remaining member accounts. Configure the member accounts to use the shared subnets to launch workloads.

This answer is correct because AWS RAM is a service that helps you securely share your AWS resources across AWS accounts, within your organization or organizational units (OUs), and with IAM roles and users for supported resource types1.One of the supported resource types is VPC subnets2, which means you can share the subnets in Account-A’s VPC with the other member accounts using AWS RAM. This way, you can meet the requirements of using a centrally managed VPC, avoiding duplicate VPCs in each account, and launching workloads in shared subnets.You can also control the access to the shared subnets by using IAM policies and resource-based policies3, which can prevent one account from modifying another account’s resources.

The other options are incorrect because:

A.Using aCloudFormation template in the member accounts to launch workloads and using the Fn::ImportValue function to obtain the subnet ID values is not a solution, because Fn::ImportValue can only import values that have been exported by another stack within the same region4. This means that you cannot use Fn::ImportValue to reference the subnet IDs that are exported by Account-A’s CloudFormation template, unless all the member accounts are in the same region as Account-A. This option also does not avoid creating duplicate VPCs in each account, which is one of the requirements.

B. Using a transit gateway in the VPC within Account-A and configuring the member accounts to use the transit gateway to access the subnets in Account-A to launch workloads is not a solution, because a transit gateway does not allow you to launch workloads in another account’s subnets.A transit gateway is a network transit hub that enables you to route traffic between your VPCs and on-premises networks5, but it does not enable you to share subnets across accounts.

D. Creating a peering connection between Account-A and the remaining member accounts and configuring the member accounts to use the subnets in Account-A through the VPC peering connection to launch workloads is not a solution, because a VPC peering connection does not allow you to launch workloads in another account’s subnets.A VPC peering connection is a networking connection betweentwo VPCs that enables you to route traffic between them privately6, but it does not enable you to share subnets across accounts.

If you lose the private key for an EBS-backed instance, you can regain access to your instance. You must stop the instance, detach its root volume and attach it to another instance as a data volume, modify the authorized_keys file with a new public key, move the volume back to the original instance, and restart the

AWS KMS supports asymmetric KMS keys that represent a mathematically related RSA, elliptic curve (ECC), or SM2 (China Regions only) public and private key pair. These key pairs are generated in AWS KMS hardware security modules certified under the FIPS 140-2 Cryptographic Module Validation Program, except in the China (Beijing) and China (Ningxia) Regions. The private key never leaves the AWS KMS HSMs

The most operationally efficient solution to implement a near-real-time monitoring and alerting solution that will notify administrators of security group violations is to use the restricted-ssh AWS Config managed rule that is invoked by security group configuration changes that are not compliant. This rule checks whether security groups that are in use have inbound rules that allow unrestricted SSH traffic. If a violation is detected, AWS Config can use the remediation feature to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic.

Option A is incorrect because creating a recurring Amazon Inspector assessment run that uses the Network Reachability package is not operationally efficient, as it requires setting up an assessment target and template, running the assessment every day, and invoking a Lambda function to retrieve and evaluate the assessment report. It also does not provide near-real-time monitoring and alerting, as it depends on the frequency and duration of the assessment run.

Option C is incorrect because configuring VPC Flow Logs for the VPC and specifying an Amazon CloudWatch Logs group is not operationally efficient, as it requires creating a log group and stream, enabling VPC Flow Logs for each subnet or network interface, and subscribing a Lambda function to parse and analyze the log entries. It also does not provide proactive monitoring and alerting, as it only detects successful connections on port 22 after they have occurred.

Option D is incorrect because creating a recurring Amazon Inspector assessment run that uses the Security Best Practices package is not operationally efficient, for the same reasons as option A. It also does not provide specific monitoring and alerting for security group violations, as it covers a broader range of security issues. References:

[AWS Config Rules]

[AWS Config Remediation]

[Amazon Inspector]

[VPC Flow Logs]

Utilizing CloudFront signed cookies is the simplest and most effective way to protect HLS video content for paying subscribers. Signed cookies provide access control for multiple files, such as video chunks in HLS streaming, without the need to generate a signed URL for each video chunk. This method simplifies the process for long video events with thousands of chunks, enhancing user experience while ensuring content protection.

The correct answer is B. Configure CloudTrail to send events to Amazon CloudWatch Logs. Create a metric filter for the relevant log group. Create a filter pattern with eventName matching ConsoleLogin and errorMessage matching “Failed authentication”. Create a CloudWatch alarm with a threshold of 3 and a period of 5 minutes.

This answer is correct because it meets the requirements of sending an alert when three or more failed sign-in attempts to the AWS Management Console occur during a 5-minute period. By configuring CloudTrail to send events to CloudWatch Logs, the securityengineer can create a metric filter that matches the desired pattern of failed sign-in events.Then, by creating a CloudWatch alarm based on the metric filter, the security engineer can set a threshold of 3 and a period of 5 minutes, and choose an action such as sending an email or an Amazon Simple Notification Service (Amazon SNS) message when the alarm is triggered12.

The other options are incorrect because:

A. Turning on Insights events on the trail and configuring an alarm on the insight is not a solution, because Insights events are used to analyze unusual activity in management events, such as spikes in API call volume or error rates.Insights events do not capturefailed sign-in attempts to the AWS Management Console3.

C. Creating an Amazon Athena table from the CloudTrail events and running a query for failed sign-in events is not a solution, because it does not provide a mechanism to send an alert based on the query results.Amazon Athena is an interactive query service that allows analyzing data in Amazon S3 using standard SQL, but it does not support creating notifications or alarms from queries4.

D. Creating an analyzer in AWS Identity and Access Management Access Analyzer and configuring it to send an Amazon SNS notification when a failed sign-in event occurs 3 times for any IAM user within a period of 5 minutes is not a solution, because IAM Access Analyzer is not a service that monitors sign-in events, but a service that helps identify resources that are shared with external entities.IAM Access Analyzer does not generate findings for failed sign-in attempts to the AWS Management Console5.

Enable GuardDuty:

GuardDuty provides monitoring for EKS clusters by analyzing EKS audit logs.

Automatic Configuration:

No additional setup for the EKS deployment is needed. GuardDuty directly monitors API calls to detect suspicious or unauthenticated access.

Advantages:

Minimal Effort: No operational overhead for configuration.

Proactive Detection: Alerts for unauthorized or suspicious activity in near-real-time.

Amazon GuardDuty for EKS

EKS Audit Log Monitoring

Understand the Problem:

The EC2 instance profile role has the AWS managedReadOnlyAccesspolicy.

This policy does not include permissions forkms:Decrypt, which is required to decrypt the objects encrypted with a customer-managed KMS key.

Review S3 Bucket Policy and Object Permissions:

Verify that the S3 bucket policy allows access for the IAM role associated with the EC2 instance.

Ensure that there are no conflicting bucket or object ACLs.

Addkms:DecryptPermission:

Attach an inline policy to the EC2 instance IAM role.

This policy should grantkms:Decryptaccess for the specific KMS key used to encrypt the S3 objects.

Example Inline Policy:

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Action": "kms:Decrypt",

"Resource": "arn:aws:kms:::key/"

}

]

}

Test the Configuration:

Attempt to read the file from the encrypted S3 bucket to ensure that the issue is resolved.

AWS KMS Key Policies and Permissions

IAM Permissions for Using AWS KMS Keys

SAML IdP logs help identify issues in the SSO assertion, such as user attribute mismatches.

CloudTrail provides visibility into whether the user even reached AWS services, allowing you to verify API call attempts and failures.

This combination provides fast, direct insight and is operationally efficient as it avoids unnecessary simulation or re-creation.

The condition of "s3:x-amz-server-side-encryption":"IAM:kms" ensures that objects uploaded need to be encrypted.

Options B,C and D are invalid because you have to ensure the condition of ns3:x-amz-server-side-encryption":"IAM:kms" is present

This answer is correct because AWS Shield Advanced is a service that provides comprehensive protection against DDoS attacks of any size or duration. It also provides metrics and reports on the DDoS attack vectors, duration, and size. You can create an Amazon CloudWatch alarm that monitors Shield Advanced metrics such as DDoSAttackBitsPerSecond, DDoSAttackPacketsPerSecond, and DDoSAttackRequestsPerSecond to receive alerts if a DDoS attack occurs against your account.

For more information, see Monitoring AWS Shield Advanced with Amazon CloudWatch and AWS Shield Advanced metrics and alarms.

To ensure that IAM users in Account B can only assume a role in Account A if they are authenticated with Multi-Factor Authentication (MFA), the recommended solution is to add anaws:MultiFactorAuthPresentcondition to the role's trust policy in Account A. The trust policy defines which principals (users, applications, services) can assume the role and under what conditions. By adding theaws:MultiFactorAuthPresentcondition, the policy explicitly requires MFA to be present for the assume role action to succeed. This ensures that only authenticated users with MFA can assume the role, enhancing the security posture with minimal operational overhead and without modifying permissions or session policies, which could affect the role's intended capabilities.

Amazon EventBridge can directly monitor CloudTrail events, including root login attempts. By creating an EventBridge rule to trigger on a root sign-in event (ConsoleLogin with userIdentity.type as Root), you can immediately send alerts to SNS, fulfilling the requirement for real-time notifications.

This solution is low-maintenance and efficient, following best practices in real-time security event monitoring under the Logging and Monitoring domain.

The combination of the following actions should the Engineer take to enable users to be authenticated into the web application and call APIs are:

B. Configure a SAML identity provider in Amazon Cognito to map attributes to the Amazon Cognito user pool attributes.This is a necessary step to federate the existing users from the SAML identity provider to the Amazon Cognito user pool, which will be used for authentication and authorization1.

C. Configure the SAML identity provider to add the Amazon Cognito user pool as a relying party.This is a necessary step to establish a trust relationship between the SAML identity provider and the Amazon Cognito user pool, which will allow the users to sign in using their existing credentials2.

F. Update API Gateway to use a COGNITO_USER_POOLS authorizer.This is a necessary step to enable API Gateway to use the Amazon Cognito user pool as an authorizer for the RESTful services, which will validate the identity or access tokens that are issued by AmazonCognito when a user signs in successfully3.

The other options are incorrect because:

A.Creating a custom authorization service using AWS Lambda is not a necessary step, because Amazon Cognito user pools can provide built-in authorization features, such as scopes and groups, that can be used to control access toAPI resources4.

D.Configuring an Amazon Cognitoidentity pool to integrate with social login providers is not a necessary step, because the users already exist in a directory that is exposed through a SAML identity provider, and there is no requirement to support social login providers5.

E.Updating DynamoDB to store the user email addresses and passwords is not a necessary step, because the user credentials are already stored in the SAML identity provider, and there is no need to duplicate them in DynamoDB6.

The correct answer is B. Modify the network ACL that is associated with the CIDR range to allow outbound traffic to ephemeral ports.

This answer is correct because network ACLs are stateless, which means that they do not automatically allow return traffic for inbound connections. Therefore, the network ACL that is associated with the CIDR range of the new application must have outbound rules that allow traffic to ephemeral ports, which are the temporary ports used by the vendors’ machines to communicate with the application servers.Ephemeral ports are typically in the range of 1024-655351. If the network ACL does not have such rules, the vendors will not be able to connect to the application.

The other options are incorrect because:

A. Modifying the security group that is associated with the EC2 instances to have the same outbound rules as inbound rules is not a solution, because security groups are stateful, which means that they automatically allow return traffic for inbound connections.Therefore, there is no need to add outbound rules to the security group for the vendors to access the application2.

C. Modifying the inbound rules on the internet gateway to allow the required ports is not a solution, because internet gateways do not have inbound or outbound rules. Internet gateways are VPC components that enable communication between instances in a VPC and the internet.They do not filter traffic based on ports or protocols3.

D. Modifying the network ACL that is associated with the CIDR range to have the same outbound rules as inbound rules is not a solution, because it does not address the issue of ephemeral ports.The outbound rules of the network ACL must matchthe ephemeral port range of the vendors’ machines, not necessarily the inbound rules of the network ACL4.

To allow cross-account access to a KMS key, the key policy of the KMS key must grant permission to the external account or principal, and the IAM policy of the external account or principal must delegate the key policy permission. In this case, the new Lambda function in the development account needs to use the KMS key in the security account, so the key policy of the KMS key must allow access to the IAM role of the new Lambda function in the development account (option E), and the IAM role of the new Lambda function in the development account must have an IAM policy that allows access to the KMS key in the security account (option C). Option A is incorrect because it creates an IAM role for the new Lambda function in the security account, not in the development account. Option B is incorrect because it attaches a key policy to an IAM role, which is not valid. Option D is incorrect because it allows access to the IAM role of the new Lambda function in the security account, not in the development account.Verified References:

IAM Access Analyzer can be enabled at the organization level and configured to use the org as a zone of trust. It scans IAM policies and S3 bucket policies across accounts and identifies external principals (from other AWS accounts or public access) that have access to resources.

This is the most accurate and least operationally complex method for cross-account access visibility and is highlighted under IAM governance and security controls.

"When you create an Amazon GuardDuty filter, you choose specific filter criteria, name the filter and can enable the auto-archiving of findings that the filter matches. This allows you to further tune GuardDuty to your unique environment, without degrading the ability to identify threats. With auto-archive set, all findings are still generated by GuardDuty, so you have a complete and immutable history of all suspicious activity."

KMS grants are lightweight and efficient tools designed specifically for programmatic, temporary, or high-volume delegation of KMS key usage. They are ideal when access needs to be rotated or updated frequently—such as weekly changes in vendors.

KMS grants allow you to control access without changing the key policy itself. They can be easily created and revoked programmatically, which minimizes operational overhead compared to editing key or IAM policies.

This approach aligns with Identity and Access Management best practices in the AWS Certified Security – Specialty study guide for scalable cross-account key access management.

Amazon Athena is a service that enables you to analyze data in Amazon S3 using standard SQL1. You can use Athena to query the CloudTrail logs that are stored in S3 and filter them by the exposed access key and the date range2. The other options are not effective ways to review the use of the exposed access key.

Amazon Inspector offers automated, continuous vulnerability scanning for Amazon EC2 instances. The new version includes Malware Protection, which scans for malicious software as part of its inspection process.

This capability enables both detection of software vulnerabilities and malicious activity (like viruses or rootkits), thus covering both parts of the requirement: vulnerabilities and unintended network exposure.

This falls under Infrastructure Security and aligns with recommended practices for securing compute resources on AWS.

Adjusting the IAM policy attached to the IAM role used by EC2 instances to include the necessary AWS Logs API actions for publishing logs to CloudWatch Logs addresses the issue. This ensures that the EC2 instances have the required permissions to interact with CloudWatch Logs, facilitating the successful publication of logs from the instances.

The requirement is to remediate both existing and future noncompliant S3 buckets across multiple accounts and Regions in an AWS Organizations structure.

AWS Config Aggregator with organization-wide aggregation ensures that all accounts and Regions are continuously monitored for compliance.

By integrating a Lambda function with AWS Config rules, you can automatically remediate noncompliant resources (e.g., by applying encryption settings or blocking public access).

This solution provides both visibility and automated enforcement across the entire organization.

Options using SCPs (B and D) only prevent future actions and do not remediate existing noncompliant resources. Furthermore, scoping the aggregator to only some accounts/Regions (as in C and D) fails to meet the requirement for organization-wide remediation.

This approach aligns with Data Protection and Governance best practices in the AWS Certified Security – Specialty guidelines.

AWS Backup supports cross-Region backup copy to another backup vault in a different AWS Region. This is the simplest and most operationally efficient method to meet the requirement of geographic redundancy (i.e., data centers several hundred miles apart).

No custom scripting, Lambda, or EventBridge scheduling is required, minimizing operational overhead and aligning with Data Protection and Disaster Recovery best practices.

To avoid AccessDeniedExceptions when users first attempt to encrypt using the CMK, the security specialist should recommend the following solution:

Instruct the engineering team to pass the grant token returned in the CreateGrant response to users. This allows the engineering team to use the grant token as a form of temporary authorization for the grant.

Instruct users to use that grant token in their call to encrypt. This allows the users to use the grant token as a proof that they have permission to use the CMK, and to avoid any eventual consistency issues with the grant creation.

To ensure that the EC2 instances are logged, the security engineer should do the following:

Use AWS DNS resolvers for all EC2 instances. This allows the security engineer to use Amazon-provided DNS servers that resolve public DNS hostnames to private IP addresses within their VPC, and that log DNS queries in Amazon CloudWatch Logs.

To enable S3 Cross-Region Replication (CRR) for objects that are encrypted with SSE-KMS, the following steps are required:

Grant the IAM role the kms.Decrypt permission for the key in us-east-1 that encrypts source objects. This will allow the IAM role to decrypt the source objects before replicating them to the destination bucket. The kms.Decrypt permission must be granted in the key policy of the source KMS key or in an IAM policy attached to the IAM role.

Grant the IAM role the kms.Encrypt permission for the key in us-west-2 that encrypts objects that are in the destination S3 bucket. This will allow the IAM role to encrypt the replica objects with the destination KMS key before storing them in the destination bucket. The kms.Encrypt permission must be granted in the key policy of the destination KMS key or in an IAM policy attached to the IAM role.

This solution will remediate the issue of encrypted objects not being replicated to the destination bucket.

The other options are incorrect because they either do not grant the necessary permissions for CRR (A, C, D), or do not use a valid encryption method for CRR (E).

Verified References:

because these are the factors that could affect the outbound connection to the internet from a server in a private subnet. The outbound network ACL rules on the private subnet and both the inbound and outbound rules on the public subnet must allow the traffic to pass through8. The security group applied to the application load balancer and NAT gateway must also allow the traffic from the private subnet9. The 0.0.0.0/0 route in the private subnet route table must point to the NAT gateway in the public subnet, not the internet gateway10. The other options are either irrelevant or incorrect for troubleshooting the outbound connection issue.

The most operationally efficient solution is to modify the EventBridge rule's event pattern using the anything-but operator on the ProductArn attribute. This effectively filters out all findings generated by Amazon Inspector, allowing all other findings to trigger alerts as intended—without modifying Lambda code or managing additional services like SNS.

This technique aligns with Logging and Monitoring best practices to reduce noise from security alerts and improve response efficiency by filtering at the event rule level.

The correct answer is A. Configure an S3 Lifecycle rule on the S3 bucket to delete objects after 45 days.

The reason is that this is the simplest and most effective way to enforce the data retention policy.According to theAWS documentation1, “To manage your objects so that they are stored cost effectively throughout their lifecycle, configure their Amazon S3 Lifecycle. An S3 Lifecycle configuration is a set of rules that define actions that Amazon S3 applies to a group of objects.There are two types of actions: Transition actionsand Expiration actions.” The documentation1also states that “Expiration actions define when objects expire. Amazon S3 deletes expired objects on your behalf.” Therefore, by configuring an S3 Lifecycle rule on the S3 bucket to delete objects after 45 days, the security engineer can ensure that the data is removed from the S3 bucket according to the company’s policy.

The other options are incorrect because:

B. Create an AWS Lambda function to check the last-modified date of the S3 objects and delete objects that are older than 45 days. Create an S3 event notification to invoke the Lambda function for each PutObject operation. This option is not optimal because it requires deploying and maintaining a Lambda function, which adds complexity and cost. Moreover, it does not guarantee that the data is deleted exactly after 45 days, since the Lambda function is triggered only when a new object is put into the S3 bucket. If there are no new objects for a long period of time, the Lambda function will not run and the data will not be deleted.

C. Create an AWS Lambda function to check the last-modified date of the S3 objects and delete objects that are older than 45 days. Create an Amazon EventBridge rule to invoke the Lambda function each month. This option is not optimal because it requires deploying and maintaining a Lambda function, which adds complexity and cost. Moreover, it does not guarantee that the data is deleted exactly after 45 days, since the Lambda function is triggered only once a month. If the data is older than 45 days but less than a month, it will not be deleted until the next month.

D. Configure S3 Intelligent-Tiering on the S3 bucket to automatically transition objects to another storage class. This option is not sufficient to enforce the data retention policy, because it does not delete the data from the S3 bucket. It only moves the data to a less expensive storage class based on access patterns.According to the AWS documentation2, “S3 Intelligent-Tiering optimizes storage costs by automatically moving data between two access tiers, frequent access and infrequent access, when access patterns change.” However, this feature does not expire or delete the data after a certain period of time.

This SCP prevents users or roles in any affected account from disabling a CloudTrail log, either directly as a command or through the

Comprehensive Detailed Explanation with all AWS References

To provide a single management portal for access and integrate with an external IdP for SSO,AWS IAM Identity Center(formerly AWS Single Sign-On) is the best solution:

AWS IAM Identity Center:

IAM Identity Center enables centralized management of access to AWS accounts within an organization.

Supports external IdPs (e.g., Okta, Azure AD) using SAML 2.0 for workforce SSO.

because these are the steps that can ensure that the service-linked role can launch instances with encrypted volumes. A service-linked role is a type of IAM role that is linked to an AWS service and allows the service to perform actions on your behalf. A KMS grant is a mechanism that allows you to delegate permissions to use a customer master key (CMK) to a principal such as a service-linked role.A KMS grant specifies the actions that the principal can perform, such as encrypting and decrypting data. By creating a KMS grant for the service-linked role with the specified actions, you can allow the service-linked role to use the CMK in Account-2 to launch instances with encrypted volumes. By attaching an IAM policy to the role attached to the EC2 instances with KMS actions and then allowing Account-1 in the KMS key policy, you can also enable cross-account access to the CMK and allow the EC2 instances to use the encrypted volumes. The other options are either incorrect or unnecessary for meeting the requirement.

For seamless encryption of Amazon S3 objects without direct key management, AWS Key Management Service (KMS) with AWS managed keys offers a highly scalable and manageable solution. TheScheduleKeyDeletionAPI withPendingWindowInDaysset to 0 allows for immediate deletion of the keys, meeting the requirement for immediate key removal. This approach leverages the managed infrastructure of KMS, reducing the overhead of key management while ensuring scalability and security. The integration of KMS with S3 and the ability to schedule key deletion provides a balance between ease of use and security control.

The AWS Encryption SDK supports client-side encryption and cryptographic signing, enabling applications to protect and verify sensitive data before it is transmitted or stored. This allows end-to-end protection and helps detect unauthorized data changes using signatures.

While both AWS Encryption SDK and the DynamoDB Encryption Client provide similar functionalities, the AWS Encryption SDK is broader in scope and better supported for generalized end-to-end encryption patterns.

This solution ensures:

Data protection in transit and at rest

Integrity assurance through signing

Compliance with best practices under the Data Protection domain.

A bucket policy is a resource-based policy that defines permissions for a specific S3 bucket. It can be used to grant cross-account access to another AWS account or an IAM user or role in another account. A bucket policy can also specify which actions, resources, and conditions are allowed or denied.

A bucket ACL is an access control list that grants basic read or write permissions to predefined groups of users. It cannot be used to grant cross-account access to a specific IAM user or role in another account.

An object ACL is an access control list that grants basic read or write permissions to predefined groups of users for a specific object in an S3 bucket. It cannot be used to grant cross-account access to a specific IAM user or role in another account.

A user policy is an IAM policy that defines permissions for an IAM user or role in the same account. It cannot be used to grant cross-account access to another AWS account or an IAM user or role in another account.

For more information, see Provide cross-account access to objects in Amazon S3 buckets and Example 2: Bucket owner granting cross-account bucket permissions.

Requirement Analysis:

The application should only be accessible to subsidiary companies over TCP port 443.

Direct public internet access must be restricted.

Use AWS PrivateLink:

AWS PrivateLink allows secure access to services across accounts and VPCs without exposing them to the public internet.

Steps to Implement:

Parent Account:

Create aPrivateLink Endpoint Servicelinked to the Network Load Balancer (NLB).

Update the security group for the EC2 instances to allow traffic from the PrivateLink endpoint on TCP port 443.

Subsidiary Accounts:

CreateInterface Endpointsin the subsidiary VPCs. These endpoints securely route traffic to the parent company's application via PrivateLink.

Advantages of This Solution:

Compliance: Ensures secure communication without internet exposure.

Scalability: Easily supports all 1,500 subsidiaries.

Operational Simplicity: Centralized service in the parent account, while subsidiaries connect securely via endpoints.

AWS PrivateLink Documentation

Using Security Groups with AWS PrivateLink

To migrate the static website to AWS and meet the requirements, the following steps are required:

Migrate the website to Amazon S3, which is a highly scalable and durable object storage service that can host static websites. To do this, create an S3 bucket with the same name as the domain name of the website, enable static website hosting for the bucket, upload the website files to the bucket, and configure the bucket policy to allow public read access to the objects. For more information, see Hosting a static website on Amazon S3.

Import a public SSL certificate that is created by AWS Certificate Manager (ACM) to Amazon CloudFront, which is a global content delivery network (CDN) service that can improve the performance and security of web applications. To do this, request or import a public SSL certificate for the domain name of the website using ACM, create a CloudFront distribution with the S3 bucket as the origin, and associate the SSL certificate with the distribution. For more information, see Using alternate domain names and HTTPS.

Configure CloudFront to block traffic from outside the US, which is one of the requirements. To do this, create a CloudFront web ACL using AWS WAF, which is a web application firewall service that lets you control access to your web applications. In the web ACL, create a rule that uses a geo match condition to block requests that originate from countries other than the US. Associate the web ACL with the CloudFront distribution. For more information, see How AWS WAF works with Amazon CloudFront features.

Migrate DNS to Amazon Route 53, which is a highly available and scalable cloud DNS service that can route traffic to various AWS services. To do this, register or transfer your domain name to Route 53, create a hosted zone for your domain name, and create an alias record that points your domain name to your CloudFront distribution. For more information, see Routing traffic to an Amazon CloudFront web distribution by using your domain name.

The other options are incorrect because they either do not implement SSL/TLS encryption for the website (A), do not use managed services whenever possible (B), or do not block IP addresses from outside the US ©.

Verified References:

This solution ensures that the Lambda functions are deployed inside the VPC and can communicate with the Amazon RDS DB instance securely. The security group attached to the Lambda functions only allows outbound traffic to the VPC CIDR range, and the DB instance security group only allows traffic from the Lambda security group. This solution ensures that the Lambda functions can communicate with the DB instance securely and that the DB instance is not exposed to the public internet.

The correct answer is B because it checks the configuration of the CloudWatch alarm that is supposed to monitor the CloudTrail log events. The analyst should verify that a metric filter was created to extract the relevant information from the log events, such as the event name, source, and user identity. The analyst should also verify that the metric filter wasmapped to an alarm that triggers when a certain threshold is reached, and that the alarm notification action is set up correctly to send alerts to the analyst1.

The other options are incorrect because they do not address the issue of the CloudWatch alarm not working as expected. Option A is incorrect because CloudTrail and S3 bucket access logging are not related to the monitoring of security group changes. CloudTrail logs the API calls made to AWS services, and S3 bucket access logging records the requestsmade to thebucket2. OptionC is incorrect because CloudWatch dashboards are used to display metrics and alarms in a graphical way, but they do not affect the functionality of the alarm3. Option D is incorrect because the IAM policy permissions for cloudwatch:GetMetricStatistics and cloudwatch:ListMetrics are not required to monitor the CloudTrail log events. These permissions are used to retrieve the statistics and list of metrics for a given namespace4.

The best solution to meet the company's requirements of offering an alternative login method while securely protecting player credentials and reducing the burden of password resets is to use Amazon Cognito with user pools. Amazon Cognito provides a fully managed service that facilitates the authentication, authorization, and user management for web and mobile applications. By configuring Amazon Cognito user pools to federate access with third-party Identity Providers (IdPs), such as social media platforms or Google, the company can allow users to sign in through these external IdPs, thereby eliminating the need for traditional username and password logins. This not only enhances user convenience but also offloads the responsibility of managing user credentials and the associated challenges like password resets to Amazon Cognito, thereby reducing the burden on the company's customer service team. Additionally, Amazon Cognito integrates seamlessly with other AWS services and follows best practices for security and compliance, ensuring that the player's credentials are protected.

Understanding Gateway VPC Endpoint:

A gateway VPC endpoint allows traffic from the VPC to specific AWS services (e.g., Amazon S3) without traversing the public internet.

Key Configuration Points to Verify:

The route table is correctly configured to send traffic for Amazon S3 through the gateway VPC endpoint.

IAM permissions and bucket policies are correct and allow access to the specific S3 bucket.

Verify the Endpoint Policy:

Check the VPC endpoint policy to ensure it allows access to the S3 bucket. The policy might be restricting access to certain buckets, prefixes, or IAM principals.

Example VPC Endpoint Policy:

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Principal": "*",

"Action": "s3:*",

"Resource": [

"arn:aws:s3:::example-bucket",

"arn:aws:s3:::example-bucket/*"

]

}

]

}

Testing and Validation:

Modify the endpoint policy if required and test access again from the EC2 instance.

Gateway VPC Endpoints Documentation

VPC Endpoint Policies for Amazon S3

The possible steps to troubleshoot this issue are:

A. Ensure that the EC2 instance profile that is attached to the EC2 instances has permissions to create log streams and write logs.This is a necessary step because the CloudWatch agent uses the credentialsfrom the instance profile to communicate with CloudWatch1.

C. Check the CloudWatch agent configuration file on each EC2 instance to make sure that the CloudWatch agent is collecting the proper log files.This is a necessary step because the CloudWatch agent needs to know which logfiles to monitor and send to CloudWatch2.

D. Check the VPC endpoint policies of both VPC endpoints to ensure that the EC2 instances have permissions to use them.This is a necessary step because the VPC endpoint policies control which principals can access the AWS services through the endpoints3.

The other options are incorrect because:

B. Creating a metric filter on the logs is not a troubleshooting step, but a way to extract metric data from the logs. Metric filters do not affect the visibility of the logs in the AWS Management Console.

E. Creating a NAT gateway in the subnet is not a solution, because the EC2 instances do not need internet access to communicate with CloudWatch through the VPC endpoints.A NAT gateway would also incur additional costs.

F. Ensuring that the security groups allow all the EC2 instances to communicate with each other is not a necessary step, because the CloudWatch agent does not require log aggregation before sending. Each EC2 instance can send its own logs independently to CloudWatch.

This answer is correct because ensuring that the security groups allow bidirectional communication between the Lambda function and the EC2 instance will resolve the error. The error indicates that the Lambda function cannot connect to the database, which might be due to firewall rules blocking the traffic. By allowing outbound connections from the Lambda function and inbound connections to the EC2 instance, the security engineer can enable the rotation function to access and update the database credentials.

Verify File Permissions:

Ensure that the log files being monitored by the CloudWatch Logs agent are still accessible.

Check permissions to confirm that the agent's process can read the files.

Check Log Rotation Rules:

Operating systems may rotate logs periodically, causing the monitored file path to change.

Update the CloudWatch Logs agent configuration to handle rotated log files (e.g., wildcards or new file paths).

Diagnose with Agent Logs:

Review the agent logs in/var/log/amazon/or equivalent to identify potential issues.

Amazon CloudWatch Logs Agent Setup

Handling Log Rotation

The correct answer is D.

To stop the data exfiltration from the compromised EC2 instances, the security engineer needs to implement a solution that can deny access to any S3 bucket that is outside thecompany’s organization. The solution should also allow the EC2 instances to access the required S3 buckets within the company’s organization for the analysis process.

Option A is incorrect because updating the policy on the S3 gateway endpoint will not affect the access to S3 buckets that are outside the company’s organization. The S3 gateway endpoint only applies to S3 buckets that are in the same AWS Region as the VPC. The compromised EC2 instances can still access S3 buckets in other Regions or other AWS accounts through the internet gateway or NAT device.

Option B is incorrect because updating the policy on the instance profile role will not prevent the compromised EC2 instances from using other credentials or methods to access S3 buckets outside the company’s organization. The instance profile role only applies to requests that are made using the credentials of that role. The compromised EC2 instances can still use other IAM users, roles, or access keys to access S3 buckets outside the company’s organization.

Option C is incorrect because adding a network ACL rule to block outgoing connections on port 443 will also block legitimate connections to S3 buckets within the company’s organization. The network ACL rule will prevent the EC2 instances from accessing any S3 bucket through HTTPS, regardless of whether it is inside or outside the company’s organization.

Option D is correct because applying an SCP on the AWS account will effectively deny access to any S3 bucket that is outside the company’s organization. The SCP will apply to all IAM users, roles, and resources in the AWS account, regardless of how they access S3. The SCP will use the aws:ResourceOrgID and aws:PrincipalOrgID condition keys to check whether the S3 bucket and the principal belong to the same organization as the AWS account. If they do not match, the SCP will deny the S3 actions.

The correct combination of AWS solutions that will meet these requirements is A. AWS Site-to-Site VPN and B. AWS Direct Connect.

A. AWS Site-to-Site VPN is a service that allows you to securely connect your on-premises data center to your AWS VPC over the internet using IPsec encryption. This solution meets the requirement of encrypting the data in transit between the on-premises data center and AWS.

B. AWS Direct Connect is a service that allows you to establish a dedicated network connection between your on-premises data center and your AWS VPC. This solution meets the requirement of reducing network latency between the on-premises data center and AWS.

C. AWS VPN CloudHub is a service that allows you to connect multiple VPN connections from different locations to the same virtual private gateway in your AWS VPC. This solution is not relevant for this scenario, as there is only one on-premises data center involved.

D. VPC peering is a service that allows you to connect two or more VPCs in the same or different regions using private IP addresses. This solution does not meet the requirement of connecting an on-premises data center to AWS, as it only works for VPCs.

E. NAT gateway is a service that allows you to enable internet access for instances in a private subnet in your AWS VPC. This solution does not meet the requirement of connecting an on-premises data center to AWS, as it only works for outbound traffic from your VPC.

The correct answer is B and C.

B. Allow port 443 from source 0.0.0.0/0.

This is correct because port 443 is used for HTTPS traffic, which must be able to access the website from any source IP address.

C. Allow port 22 from 192.168.100.0/24.

This is correct because port 22 is used for SSH, which is the management protocol for the web server. The management subnet is 192.168.100.0/24, so only this subnet should be allowed to access port 22.

A. Allow port 22 from source 0.0.0.0/0.

This is incorrect because it would allow anyone to access port 22, which is a security risk. SSH should be restricted to the management subnet only.

D. Allow port 22 from 10.0.1.0/24.

This is incorrect because it would allow the website subnet to access port 22, which is unnecessary and a security risk. SSH should be restricted to the management subnet only.

E. Allow port 443 from 10.0.1.0/24.

This is incorrect because it would limit the HTTPS traffic to the website subnet only, which defeats the purpose of having a public website.

Comprehensive Detailed Explanation with all AWS References

To resolve AccessDenied errors:

IAM Policy Validation:

Use IAM Access Analyzer to ensure that the policy attached to the role allows the necessary S3 actions (e.g., s3:GetObject).

Validate that the role is correctly assumed by the application.

CloudHSM allows full control of your keys such including Symmetric (AES), Asymmetric (RSA), Sha-256, SHA 512, Hash Based, Digital Signatures (RSA). On the other hand, AWS Key Management Service is a multi-tenant key storage that is owned and managed byAWS1.

Amazon Security Lake, when configured with a delegated administrator account in AWS Organizations, provides a centralized solution for aggregating, organizing, and prioritizing security data from multiple sources including AWS services, AWS Marketplace solutions, and on-premises systems. By enabling Security Lake for the organization and adding the necessary AWS accounts, the solution centralizes the collection and analysis of log data. This setup leverages the organization's structure to streamline log aggregation and normalization, making it an efficient solution for the specified requirements. The use of Amazon Athena for querying the log data further enhances the ability to analyze and respond to security findings across the organization.

"If you copy an encrypted snapshot across Regions, you must specify a KMS key valid in the destination AWS Region. It can be a Region-specific KMS key, or a multi-Region key."

AWS Cost Anomaly Detection:

AWS Cost Anomaly Detection monitors cost and usage trends in near real-time to detect unexpected spikes or patterns.

It can send alerts as soon as anomalies are detected, offering the earliest possible detection of cost increases.

Steps to Implement:

Create an anomaly detection monitor for the affected services or linked accounts.

Define a threshold for expected cost variations.

Set up an Amazon SNS topic to receive anomaly alerts.

Advantages:

Real-Time Monitoring: Provides near-instantaneous detection of cost anomalies.

Customizable Thresholds: Tailors detection sensitivity to the company’s needs.

Other Options:

Option A (EventBridge and Lambda) is complex and has delays in processing.

Option C (Cost Explorer) is manual and retrospective.

Option D (Flow Logs) detects network activity, but it cannot directly link to cost increases.

AWS Cost Anomaly Detection Documentation

Creating SNS Alerts for Cost Anomalies

the kms:ViaService condition key can be used to restrict a CMK to work with only a specific AWS service6. By configuring the CMKkey policy to allow KMS actions only when the kms:ViaService condition matches the Amazon S3 service name, you can ensure that only Amazon S3 can use the CMK7. The other options are either incorrect or insufficient for constraining a CMK to work with only Amazon S3.

The correct answer is A, C, and F.

To automate a response for any newly created policies that are overly permissive, the security engineer needs to use a combination of services that can monitor, analyze, remediate, and notify the security incidents.

Option A is correct because creating an AWS Step Functions state machine that checks the resource type in the finding and adds an explicit Deny statement in the trust policy for the IAM role is a valid way to remediate external access. AWS Step Functions is a service that allows you to coordinate multiple AWS services into serverless workflows. You can use Step Functions to invoke AWS Lambda functions, which can modify the IAM policies programmatically. You can also use Step Functions to publish a notification to an Amazon SNS topic, which can send messages to subscribers such as email addresses.

Option B is incorrect because creating an AWS Batch job that forwards any resource type findings to an AWS Lambda function is not a suitable way to automate a response. AWS Batch is a service that enables you to run batch computing workloads on AWS. Batch is designed for large-scale and long-running jobs that can benefit from parallelization and dynamic provisioning of compute resources. Batch is not intended for event-driven and real-time workflows that require immediate response.

Option C is correct because creating an Amazon EventBridge event rule that matches active IAM Access Analyzer findings and invokes AWS Step Functions for resolution is a valid way to monitor and analyze the security incidents. Amazon EventBridge is a serverless event bus service that allows you to connect your applications with data from various sources. EventBridge can use rules to match events and route them to targets for processing. You can use EventBridge to invoke AWS Step Functions state machines from the IAM Access Analyzer findings.

Option D is incorrect because creating an Amazon CloudWatch metric filter that matches active IAM Access Analyzer findings and invokes AWS Batch for resolution is not a suitable way to monitor and analyze the security incidents. Amazon CloudWatch is a service that provides monitoring and observability for your AWS resources and applications. CloudWatch can collect metrics, logs, and events from various sources and perform actions based on alarms or filters. However, CloudWatch cannot directly invoke AWS Batch jobs from the IAM Access Analyzer findings. You would need to use another service such as EventBridge or SNS to trigger the Batch job.

Option E is incorrect because creating an Amazon SQS queue that forwards a notification to the security team that an external principal has been granted access to the specific IAM role and has been blocked is not a valid way to notify the security incidents. Amazon SQS is a fully managed message queue service that enables you to decouple and scale microservices, distributed systems, and serverless applications. SQS can deliver messages to consumers that poll the queue for messages. However, SQS cannot directlyforward a notification to the security team’s email addresses. You would need to use another service such as SNS or SES to send email notifications.

Option F is correct because creating an Amazon SNS topic for external or cross-account access notices and subscribing the security team’s email addresses to the topic is a valid way to notify the security incidents. Amazon SNS is a fully managed messaging service that enables you to decouple and scale microservices, distributed systems, and serverless applications. SNS can deliver messages to a variety of endpoints, such as email, SMS, or HTTP. You can use SNS to send email notifications to the security team when a critical security finding is detected.

To grant appropriate access to the application modules, the security engineer should do the following:

Configure an IAM policy for each module. Specify the ARN of an Amazon Redshift database user that allows the GetClusterCredentials API call. This allows the application modules to use temporary credentials to access the database with the permissions of the specified user.

Create local database users for each module. This allows the security engineer to create separate users for read/write and read-only functionality, and to assign them different privileges on the database tables.

To set up a CloudFront distribution for an S3 bucket that hosts a static website, and to allow only specified IP addresses to access the website, the following steps are required:

Create a CloudFront origin access identity (OAI), which is a special CloudFront user that you can associate with your distribution. An OAI allows you to restrict access to your S3 content by using signed URLs or signed cookies. For more information, see Using an origin access identity to restrict access to your Amazon S3 content.

Create the S3 bucket policy so that only the OAI has access. This will prevent users from accessing the website directly by using S3 URLs, as they will receive an Access Denied error. To do this, use the AWS Policy Generator to create a bucket policy that grants s3:GetObject permission to the OAI, and attach it to the S3 bucket. For more information, see Restricting access to Amazon S3 content by using an origin access identity.

Create an AWS WAF web ACL and add an IP set rule. AWS WAF is a web application firewall service that lets you control access to your web applications. An IP set is a condition that specifies a list of IP addresses or IP address ranges that requests originate from. You can use an IP set rule to allow or block requests based on the IP addresses of the requesters.For more information, see Working with IP match conditions.

Associate the web ACL with the CloudFront distribution. This will ensure that the web ACL filters all requests for your website before they reach your origin. You can do this by using the AWS WAF console, API, or CLI. For more information, see Associating or disassociating a web ACL with a CloudFront distribution.

This solution will meet the requirements of allowing only specified IP addresses to access the website and preventing direct access by using S3 URLs.

The other options are incorrect because they either do not create a CloudFront distribution for the S3 bucket (A), do not use an OAI to restrict access to the S3 bucket ©, or do not use AWS WAF to block traffic from outside the specified IP addresses (D).

Verified References:

When implementing DNSSEC for a subdomain in Amazon Route 53 and encountering a broken trust chain error, creating a Delegation Signer (DS) record in the parent hosted zone is the correct approach. The DS record is essential for establishing the trust chain between the parent and child zones by linking the DNSSEC-signed subdomain to its parentdomain. This step is crucial for DNS resolvers to validate the authenticity of DNS responses, thereby resolving the broken trust chain issue and ensuring the integrity and authenticity of the DNS data for the secured subdomain.

This answer is correct because creating a new AWS account with limited privileges would provide an isolated and secure backup destination for the EBS snapshots. Allowing the new account to access the AWS KMS key used to encrypt the EBS snapshots would enable cross-account snapshot sharing without requiring re-encryption. Copying the encrypted snapshots to the new account on a recurring basis would ensure that the backups are up-to-date and consistent.

To minimize downtime in response to DDoS attacks, the company should do the following:

Subscribe to AWS Shield Advanced and reach out to AWS Support in the event of an attack. This provides access to 24x7 support from the AWS DDoS Response Team (DRT), as well as advanced detection and mitigation capabilities for network and application layer attacks.

Use AWS WAF to create rules to respond to such attacks. This allows the company to filter web requests based on IP addresses, headers, body, or URI strings, and block malicious requests before they reach the web applications.

By disabling SSL termination, you are leaving an unsecure connection from the ELB to the back end instances. Hence this means that part of the data transit is not being encrypted.

Option B is incorrect because this would not guarantee complete encryption of data in transit

Option C and D are incorrect because these would not guarantee encryption

For more information on SSL Listeners for your load balancer, please visit the below URL:

The correct answer is: Use S3 SSE and use SSL for data in transit

Submit your Feedback/Queries to our Experts

this is a way to configure a Classic Load Balancer with perfect forward secrecy cipher suites. Perfect forward secrecy is a property of encryption protocols that ensures that past and current TLS traffic stays secure even if the certificate private key is leaked. Cipher suites are sets of algorithms that determine how encryption is performed. A custom security policy is a set of cipher suites and protocols that you can select for your load balancer to support. An HTTPS listener is a process that checks for connection requests using encrypted SSL/TLS protocol. By using an HTTPS listener that uses a custom security policy that allows only perfect forward secrecy cipher suites, you can ensure that your Classic Load Balancer meets the requirements. The other options are either invalid or insufficient for configuring a Classic Load Balancer with perfect forward secrecy cipher suites.

these are the recommended actions to take when you receive an abuse notice fromAWS8. You shouldreview the abuse notice to see what content or activity was reported and detach the internet gateway from the VPC to isolate the affected instances from the internet. You should also remove any rules that allow inbound traffic from 0.0.0.0/0 from the security groups and create a network access control list (NACL) rule to deny all traffic inbound from the internet. You should then delete the compromised instances and any associated resources that you did not create. The other options are either inappropriate or unnecessary for responding to the abuse notice.

To secure the images to limit their distribution, the company should take the following actions:

Update the S3 bucket policy to restrict access to a CloudFront origin access identity (OAI). This allows the company to use a special CloudFront user that can access objects in their S3 bucket, and prevent anyone else from accessing them directly.

Add a CloudFront geo restriction deny list of countries where the company lacks a license. This allows the company to use a feature that controls access to their content based on the geographic location of their viewers, and block requests from countries where they do not have a distribution license.

Enabling AWS CloudTrail with a trail applied to all regions and specifying a single S3 bucket for storage is the simplest method to record and retain API call activity for security analysis. This configuration ensures comprehensive coverage across all current and future AWS regions, centralizing log collection and simplification of log management.

The correct answer is A, C, and E because they provide the most secure and efficient way to implement private connectivity to AWS services. Using interface VPC endpoints for Amazon SQS and gateway VPC endpoints for Amazon S3 allows the application to access these services without using public IP addresses or internet gateways. Modifying the endpoint policies on all VPC endpoints enables the security engineer to specify the SQS and S3 resources that the application uses and restrict access to other resources.

The other options are incorrect because they do not provide private connectivity to AWS services or they introduce unnecessary complexity or cost. Option B is incorrect because AWS Transit Gateway is used to connect multiple VPCs and on-premises networks, not to connect to AWS services. Option D is incorrect because modifying the IAM role applied to the EC2 instances is not sufficient to allow outbound traffic to the interface endpoints. The security group and route table associated with the interface endpoints also need to be configured. Option F is incorrect because AWS Firewall Manager is used to centrally manage firewall rules across multiple accounts and resources, not to connect to AWS services.

This solution meets the requirement of receiving an email notification about critical findings in AWS Security Hub. Amazon EventBridge is a serverless event bus that can receive events from AWS services and third-party sources, and route them to targets based on rules and filters. Amazon SNS is a fully managed pub/sub service that can send messages to various endpoints, such as email, SMS, mobile push, and HTTP. By creating an EventBridge rule that detects critical Security Hub findings and sends them to an SNS topic, the company can leverage the existing integration between these services and avoid writing custom code or managing servers. By subscribing an email endpoint to the SNS topic, the company can receive published messages in their inbox.

Generate a Data Key:

Use theaws kms generate-data-keycommand to request a data key from AWS KMS.

The data key will include both a plaintext version and an encrypted version.

Example command:

bash

aws kms generate-data-key --key-id --key-spec AES_256

Encrypt the File:

Use the plaintext data key to encrypt the 2 KB file using standard encryption libraries or utilities (e.g., OpenSSL).

Secure the Encrypted Data Key:

Store the encrypted version of the data key alongside the encrypted file for future decryption.

Least Privilege Principle:

Ensure the EC2 instance role has the minimum necessary permissions to callkms:GenerateDataKeyandkms:Decrypt.

Testing and Validation:

Verify that the encrypted file can be successfully decrypted using the stored encrypted data key and the KMS key.

AWS KMS GenerateDataKey API

AWS KMS Best Practices

Encrypting Data with AWS KMS

 these are the strategies that can reduce the attack surface and enhance the security of the containers. Containers are a method of packaging and running applications in isolated environments. Using containers to automate security deployments can help ensure that security patches and updates are applied consistently and quickly across the container fleet. Segregating containers by host, function, and data classification can help limit the impact of a compromise and enforce the principle of least privilege. The other options are either irrelevant or risky for securing containers.

To resolve the issue of the Lambda function failing to create the report while adhering to the principle of least privilege, follow these steps:

Identify Required Permissions:

Determine the specific AWS Security Hub and Amazon Inspector actions the Lambda function needs to perform.

Common actions include:

securityhub:Get*

securityhub:List*

securityhub:Batch*

securityhub:Describe*

Create a Custom IAM Policy:

In the AWS Management Console, navigate to the IAM service.

Create a new policy with permissions tailored to the Lambda function's needs.

Define the policy to allow the necessary actions on the specific Security Hub resource.

For example:

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Action": [

"securityhub:Get*",

"securityhub:List*",

"securityhub:Batch*",

"securityhub:Describe*"

],

"Resource": "arn:aws:securityhub:us-west-2::product/aws/inspector"

}

]

}

This policy grants the Lambda function the necessary read-only permissions to interact with Security Hub and Amazon Inspector.

Attach the Policy to the Lambda Execution Role:

Identify the IAM role associated with your Lambda function.

Attach the newly created custom policy to this role.

This ensures the Lambda function has the required permissions when invoked.

Test the Lambda Function:

Invoke the Lambda function to verify it can successfully create the report without permission errors.

Monitor the function's execution to ensure it operates as expected.

Implement Least Privilege Principle:

Regularly review and adjust the permissions to ensure they remain aligned with the function's requirements.

Remove any unnecessary permissions to minimize security risks.

Defining Lambda function permissions with an execution role: This AWS documentation provides guidance on creating and managing execution roles for Lambda functions, emphasizing the importance of granting least privilege access.

AWS Documentation

Managing permissions in AWS Lambda: This resource offers insights into best practices for managing permissions, including the use of identity-based and resource-based policies to control access to Lambda resources.

AWS Documentation

Grant least privilege access: Part of the AWS Well-Architected Framework, this document discusses the principle of least privilege and provides strategies for implementing it effectively within AWS environments.

AWS Documentation

AWS managed policies for AWS Lambda: This page details the AWS managed policies available for Lambda, which can serve as a starting point for creating custom policies tailored to specific needs.

AWS Documentation

Applying the principles of least privilege in AWS Lambda: This guide explores how to apply the principle of least privilege in AWS Lambda functions, focusing on avoiding granting wildcard permissions in IAM policies.

Orchestra

By following these steps and utilizing the referenced AWS documentation, you can ensure that your Lambda function has the necessary permissions to create the report while adhering to the principle of least privilege.

The AWS documentation states that you can use the awslogs log driver to send log information to CloudWatch Logs. To use this method, you specify the parameters for awslogs-group and awslogs-region in the LogConfiguration property of the container definition. This method is the easiest way to send logs to CloudWatch Logs.

Note that the IP is known and the question wants us to deny access from that particular address and so we can use IP set match policy of WAF to block access.

Answer: C

Create an Account-Wide Data Protection Policy:

Use AWS CloudWatch Logs account-level data protection policies to prevent sensitive data exposure.

Define the policy with appropriate AWS managed data identifiers or custom identifiers specific to the company's sensitive data.

Apply the policy across all log groups in the account, ensuring coverage for both existing and future log groups.

Restrict Developer Access to Unmasked Data:

Explicitly deny thelogs:UnmaskIAM permission to developers. This prevents developers from accessing unmasked sensitive data in log entries.

Automatic Policy Application:

Account-wide data protection policies automatically apply to new log groups created in the future, ensuring scalability and compliance without manual intervention.

Testing and Verification:

Test the policy with sample log entries containing sensitive data to ensure proper masking.

Verify that developers can troubleshoot logs without exposing sensitive information.

AWS CloudWatch Logs Data Protection Documentation

AWS Identity and Access Management Permissions for CloudWatch Logs

You can use IAM CloudTrail to get a history of IAM API calls and related events for your account. This history includes calls made with the IAM Management Console, IAM Command Line Interface, IAM SDKs, and other IAM services.

Options A,B and D are invalid becau56se you need to ensure that you use the services of CloudTrail, IAM Config, IAM Credential Reports

For more information on Cloudtrail, please visit the below URL:

IAM Config is a service that enables you to assess, audit and evaluate the configurations of your IAM resources. Config continuously monitors and records your IAM resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. With Config, you can review changes in configurations and relationships between IAM resources, dive into detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines. This enables you to simplify compliance auditing, security analysis, char management and operational troubleshooting.

For more information on the config service, please visit the below URL

You can generate and download a credential report that lists all users in your account and the status of their various credentials, including passwords, access keys, and MFA devices. You can get a credential report from the IAM Management Console, the IAM SDKs and Command Line Tools, or the IAM API.

For more information on Credentials Report, please visit the below URL:

credentials_getting-report.html

The correct answer is: CloudTrail, IAM Config, IAM Credential Reports Submit your Feedback/Queries to our Experts