Spring Sale Special - Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: sntaclus

examout.co

A security team manages a company’s AWS Key Management Service (AWS KMS) customer managed keys. Only members of the security team can administer the KMS keys. The company's application team has a software process that needs temporary access to the keys occasionally. The security team needs to provide the application team's software process with access to the keys.

Which solution will meet these requirements with the LEAST operational overhead?

A.

Export the KMS key material to an on-premises hardware security module (HSM). Give the application team access to the key material.

B.

Edit the key policy that grants the security team access to the KMS keys by adding the application team as principals. Revert this change when the application team no longer needs access.

C.

Create a key grant to allow the application team to use the KMS keys. Revoke the grant when the application team no longer needs access.

D.

Create a new KMS key by generating key material on premises. Import the key material to AWS KMS whenever the application team needs access. Grant the application team permissions to use the key.

A company's security engineer receives an abuse notification from AWS indicating that malware is being hosted from the company’s AWS account. The security engineer discovers that an IAM user created a new Amazon S3 bucket without authorization.

Which combination of steps should the security engineer take to MINIMIZE the consequences of this compromise? (Select THREE.)

A.

Encrypt all AWS CloudTrail logs.

B.

Turn on Amazon GuardDuty.

C.

Change the password for all IAM users.

D.

Rotate or delete all AWS access keys.

E.

Take snapshots of all Amazon Elastic Block Store (Amazon EBS) volumes.

F.

Delete any resources that are unrecognized or unauthorized.

A company uses several AWS CloudFormation stacks to handle the deployment of a suite of applications. The leader of the company's application development team notices that the stack deployments fail with permission errors when some team members try to deploy the stacks. However, other team members can deploy the stacks successfully.

The team members access the account by assuming a role that has a specific set of permissions. All team members have permissions to perform operations on the stacks.

Which combination of steps will ensure consistent deployment of the stacks MOST securely? (Select THREE.)

A.

Create a service role that has a composite principal that contains each service that needs the necessary permissions.

B.

Create a service role that has cloudformation.amazonaws.com as the service principal.

C.

Add policies that reference each CloudFormation stack ARN.

D.

Add policies that reference the ARNs of each AWS service that requires permissions.

E.

Update each stack to use the service role.

F.

Add a policy to each member role to allow the iam:PassRole action for the service role.

A company is expanding its group of stores. On the day that each new store opens, the company wants to launch a customized web application for that store. Each store's application will have a non-production environment and a production environment. Each environment will be deployed in a separate AWS account. The company uses AWS Organizations and has an OU that is used only for these accounts.

The company distributes most of the development work to third-party development teams. A security engineer needs to ensure that each team follows the company's deployment plan for AWS resources. The security engineer also must limit access to the deployment plan to only the developers who need access. The security engineer already has created an AWS CloudFormation template that implements the deployment plan.

What should the security engineer do next to meet the requirements in the MOST secure way?

A.

Create an AWS Service Catalog portfolio in the organization's management account. Upload the CloudFormation template. Add the template to the portfolio's product list. Share the portfolio with the OU.

B.

Use the CloudFormation CLI to create a module from the CloudFormation template. Register the module as a private extension in the CloudFormation registry. Publish the extension. Create an SCP that allows access to the extension.

C.

Create an AWS Service Catalog portfolio and create an IAM role for cross-account access. Attach the AWSServiceCatalogEndUserFullAccess managed policy to the role.

D.

Use the CloudFormation CLI to create a module and share the extension directly with the OU.

A company needs the ability to identify the root cause of security findings in an AWS account. The company has enabled VPC Flow Logs, Amazon GuardDuty, and AWS CloudTrail. The company must investigate any IAM roles that are involved in the security findings and must visualize the findings.

Which solution will meet these requirements?

A.

Use Amazon Detective to run investigations on the IAM roles and to visualize the findings.

B.

Use Amazon Inspector to run investigations on the IAM roles and visualize the findings.

C.

Export GuardDuty findings to Amazon S3 and analyze them with Amazon Athena.

D.

Enable AWS Security Hub and use custom actions to investigate IAM roles.

A company uses AWS Organizations and has an SCP at the root that prevents sharing resources with external accounts. The company now needs to allow only the marketing account to share resources externally while preventing all other accounts from doing so. All accounts are in the same OU.

Which solution will meet these requirements?

A.

Create a new SCP in the marketing account to explicitly allow sharing.

B.

Edit the existing SCP to add a condition that excludes the marketing account.

C.

Edit the SCP to include an Allow statement for the marketing account.

D.

Use a permissions boundary in the marketing account.

AWS Config cannot deliver configuration snapshots to Amazon S3.

Which TWO actions will remediate this issue?

A.

Verify the S3 bucket policy allows config.amazonaws.com.

B.

Verify the IAM role has s3:GetBucketAcl and s3:PutObject permissions.

C.

Verify the S3 bucket can assume the IAM role.

D.

Verify IAM policy allows AWS Config to write logs.

E.

Modify AWS Config API permissions.

A company must immediately disable compromised IAM users across all AWS accounts and collect all actions performed by the user in the last 7 days.

Which solution will meet these requirements?

A.

Disable the IAM user and query CloudTrail logs in Amazon S3 using Athena.

B.

Remove IAM policies and query logs in Security Hub.

C.

Remove permission sets and query logs using CloudWatch Logs Insights.

D.

Disable the user in IAM Identity Center and query the organizational event data store.

A company is running a containerized application on an Amazon Elastic Container Service (Amazon ECS) cluster that uses AWS Fargate. The application runs as several ECS services.

The ECS services are in individual target groups for an internet-facing Application Load Balancer (ALB). The ALB is the origin for an Amazon CloudFront distribution. An AWS WAF web ACL is associated with the CloudFront distribution.

Web clients access the ECS services through the CloudFront distribution. The company learns that the web clients can bypass the web ACL and can access the ALB directly.

Which solution will prevent the web clients from directly accessing the ALB?

A.

Create an AWS PrivateLink endpoint and set it as the CloudFront origin.

B.

Create a new internal ALB and delete the internet-facing ALB.

C.

Modify the ALB listener rules to allow only CloudFront IP ranges.

D.

Add a custom X-Shared-Secret header in CloudFront and configure the ALB listener rules to allow requests only when the header value matches.

A security engineer for a company needs to design an incident response plan that addresses compromised IAM user account credentials. The company uses an organization in AWS Organizations and AWS IAM Identity Center to manage user access. The company uses a delegated administrator account to implement AWS Security Hub. The delegated administrator account contains an organizational trail in AWS CloudTrail that logs all events to an Amazon S3 bucket. The company has also configured an organizational event data store that captures all events from the trail.

The incident response plan must provide steps that the security engineer can take to immediately disable any compromised IAM user when the security engineer receives a notification of a security incident. The plan must prevent the IAM user from being used in any AWS account. The plan must also collect all AWS actions that the compromised IAM user performed across all accounts in the previous 7 days.

Which solution will meet these requirements?

A.

Disable the compromised IAM user in the organization management account. Use Amazon Athena to query the organizational CloudTrail logs in the S3 bucket for actions that the IAM user performed in the previous 7 days.

B.

Remove all IAM policies that are attached to the IAM user in the organization management account. Use AWS Security Hub to query the CloudTrail logs for actions that the IAM user performed in the previous 7 days.

C.

Remove any permission sets that are assigned to the IAM user in IAM Identity Center. Use Amazon CloudWatch Logs Insights to query the CloudTrail logs in the S3 bucket for actions that the IAM user performed in the previous 7 days.

D.

Disable the IAM user’s access in IAM Identity Center. Use AWS CloudTrail to query the organizational event data store for actions that the IAM user performed in the previous 7 days.