SCS-C01 Exam Dumps - AWS Certified Security - Specialty

Use an IAM Key Management Service (IAM KMS) CMK. Encrypt the data at rest.

Use IAM Certificate Manager (ACM) Private Certificate Authority Encrypt the data in transit.

Use a DynamoDB encryption client. Use client-side encryption and sign the table items

Use the IAM Encryption SDK. Use client-side encryption and sign the table items.

The ACL in the bucket needs to be updated.

The IAM policy does not allow the user to access the bucket

It takes a few minutes for a bucket policy to take effect

The allow permission is being overridden by the deny.

Open inbound port 22 to 0 0.0.0/0 on all Linux servers.

Enable the advanced-instances tier in Systems Manager.

Create a managed-instance activation for the on-premises servers.

Reconfigure the Systems Manager Agent with the activation code and ID.

Assign an IAM role to all of the on-premises servers.

Initiate an inventory collection with Systems Manager on the on-premises servers

Enable AES-256 encryption using server-side encryption with Amazon S3-managed encryption keys (SSE-S3) on the S3 bucket

Enable default encryption with server-side encryption with IAM KMS-managed keys (SSE-KMS) on the S3 bucket.

Add a bucket policy that includes a deny if a PutObject request does not include IAMiSecureTcanspoct.

Add a bucket policy with ws: Sourcelpto Allow uploads and downloads from the corporate intranet only.

Add a bucket policy that includes a deny if a PutObject request does not include s3:x-amz-sairv9r-side-enctyption: "IAM: kms".

Enable Amazon Macie to monitor and act on changes to the data lake's S3 bucket.

Create a new CMK. Download a new wrapping key and a new import token to import the original key material

Create a new CMK Use the original wrapping key and import token to import the original key material.

Download a new wrapping key and a new import token Import the original key material into the existing CMK.

Use the original wrapping key and import token Import the original key material into the existing CMK

Store the credentials securely in a file in an Amazon S3 bucket with restricted access to the application team IAM role Ask the application team to read the credentials from the S3 object instead

Create an IAM Secrets Manager secret and specify the key/value pairs to be stored in this secret

Modify the application to pull credentials from the IAM Secrets Manager secret instead of the environment variables.

Add the following statement to the container instance IAM role policy

Add the following statement to the execution role policy.

Log in to the IAM Fargate instance, create a script to read the secret value from IAM Secret Manager, and inject the environment variables. Ask the application team to redeploy the application.

Move the account to a new OU and deny IAM:* permissions.

Add a Deny policy for all non-S3 services at the account level.

Change the policy to:

{

“Version”: “2012-10-17”,

“Statement”: [

{

“Sid”: “AllowS3”,

"Effect": "Allow",

"Action": "s3:*",

"Resource": "*/*»

}

]

}

Detach the default FullIAMAccess SCP

IAM managed Customer Master Key (CMK)

Customer managed CMK with IAM generated key material

Customer managed CMK with imported key material

IAM managed data key

Encrypt the data in Amazon S3 using server-side encryption with Amazon S3 managed encryption keys (SSE-S3)

Encrypt the data in Amazon S3 using server-side encryption with IAM KMS managed encryption keys (SSE-KMS)

Create a new Amazon S3 VPC endpoint and modify the VPC's routing tables to use the new endpoint

Use the Amazon S3 Block Public Access feature.

Configure the bucket policy to allow access from the application instances only

Use a NACL to filter traffic to Amazon S3

Create a customer managed CMK Copy the EBS snapshot encrypting the destination snapshot using the new CMK.

Allow forensics accounting principals to use the CMK by modifying its policy.

Create an Amazon EC2 instance. Attach the encrypted and suspicious EBS volume. Copy data from the suspicious volume to an unencrypted volume. Snapshot the unencrypted volume

Copy the EBS snapshot to the new decrypted snapshot

Restore a volume from the suspicious EBS snapshot. Create an unencrypted EBS volume of the same size.

Share the target EBS snapshot with the forensics account.

Set up domain controllers on Amazon EC2 to extend the on-premises directory to IAM

Establish network connectivity between on-premises and the user's VPC

Use Amazon Cognito user pools for application authentication

Use AD Connector tor application authentication.

Set up federated sign-in to IAM through ADFS and SAML.

Develop the application to use the CloudFront key pair to create signed URLs that users will use to access the content.

Develop the application to use the CloudFront key pair to set the signed cookies that users will use to access the content.

Develop the application to issue a security token that Lambda@Edge will receive to authenticate and authorize access to the content

Keep the CloudFront URL encrypted inside the application, and use IAM KMS to resolve the URL on-the-fly after the user is authenticated.

Enable IAM CloudTrail. Create a Lambda function that monitors the event history for privilege escalation events and notifies the security team.

Create a managed IAM policy for the permissions required. Reference the IAM policy as a permissions boundary within the development team's IAM role.

Enable IAM Organizations Create an SCP that allows the IAM CreateUser action but that has a condition that prevents API calls other than those required by the development team

Create an IAM policy with a deny on the IAMCreateUser action and assign the policy to the development team. Use a ticket system to allow the developers to request new IAM roles for their applications. The IAM roles will then be created by the security team.

Configure SSLTLS on the EC2 instances and configure the ALB target group to use HTTPS

Ensure that all resources are in the same VPC so the default encryption provided by the VPC is used to encrypt the traffic between the EC2 instances.

In the ALB. select the default encryption to encrypt the traffic between the ALB and the EC2 instances

In the code for the application, include a cryptography library and encrypt the data before sending it between the EC2 instances

Configure IAM Direct Connect to provide an encrypted tunnel between the EC2 instances

Configure an S3 bucket as the origin an origin access identity (OAI) for the CloudFront distribution Switch the DNS records from websites to point to the CloudFront distribution Enable Nock public access settings at the account level

Configure an S3 bucket as the origin with an origin access identity (OAI) for the CloudFront distribution Switch the ONS records tor the websites to point to the CloudFront disinfection Then, tor each S3 bucket enable block public access settings

Configure an S3 bucket as the origin with an origin access identity (OAI) for the CloudFront distribution Enable block public access settings at the account level

Configure an S3 bucket as the origin for me CloudFront distribution Configure the S3 bucket policy to accept connections from the CloudFront points of presence only Switch the DNS records for the websites to point to the CloudFront distribution Enable block public access settings at me account level

Create an Amazon S3 lifecycle policy that archives IAM CloudTrail trail logs to Amazon S3 Glacier after 90 days. Configure Amazon Inspector to provide a notification when a policy change is made to resources.

Configure IAM Artifact to archive IAM CloudTrail logs Configure IAM Trusted Advisor to provide a notification when a policy change is made to resources.

Configure Amazon CloudWatch to export log groups to Amazon S3. Configure IAM CloudTrail to provide a notification when a policy change is made to resources.

Create an IAM CloudTrail trail that stores audit logs in Amazon S3. Configure an IAM Config rule to provide a notification when a policy change is made to resources.

Tell the application teams to use two different S3 buckets with separate IAM Key Management Service (IAM KMS) IAM managed CMKs Limit the key process to allow encryption and decryption of the CMKs to their respective teams only. Force the teams to use encryption context to encrypt and decrypt

Tell the application teams to use two different S3 buckets with a single IAM Key Management Service (IAM KMS) IAM managed CMK Limit the key policy to allow encryption and decryption of the CMK only. Do not allow the teams to use encryption context to encrypt and decrypt

Tell the application teams to use two different S3 buckets with separate IAM Key Management Service (IAM KMS) customer managed CMKs Limit the key policies to allow encryption and decryption of the CMKs to their respective teams only Force the teams to use encryption context to encrypt and decrypt

Tell the application teams to use two different S3 buckets with a single IAM Key Management Service (IAM KMS) customer managed CMK Limit the key policy to allow encryption and decryption of the CMK only Do not allow the teams to use encryption context to encrypt and decrypt

Option A

Option B

Option C

Option D

Within the Auto Scaling lifecycle, add a hook to create and attach an Amazon Elastic Block Store (Amazon EBS) log volume each time an EC2 instance is created. When the instance is terminated, the EBS volume can be reattached to another instance for log review.

Create an Amazon Elastic File System (Amazon EFS) file system and add a command in the user data section of the Auto Scaling launch template to mount the EFS file system during EC2 instance creation Configure a process on the instance to copy the logs once a day from an instance Amazon Elastic Block Store (Amazon EBS) volume to a directory in the EFS file system.

Build the Amazon CloudWatch agent into the AMI used in the Auto Scaling group. Configure the CloudWatch agent to send the logs to Amazon CloudWatch Logs for review.

Within the Auto Scaling lifecycle, add a lifecycle hook at the terminating state transition and alert the engineering team by using a lifecycle notification to Amazon Simple Notification Service (Amazon SNS). Configure the hook to remain in the Terminating:Wait state for 1 hour to allow manual review of the security logs prior to instance termination.

In the security group of the EC2 instance, allow inbound ICMP traffic.

In the security group of the EC2 instance, allow outbound ICMP traffic.

In the VPC's NACL, allow inbound ICMP traffic.

In the VPC's NACL, allow outbound ICMP traffic.

Allow inbound access on port 22 at the security group attached to the instance Use IAM Systems Manager Session Manager for shell access to Amazon EC2 instances with the user tag defined Enable Amazon CloudWatch togging tor Systems Manager sessions

Use Amazon S3 to securely store one Privacy Enhanced Mail Certificate (PEM file) for each user Allow Amazon EC2 to read from Amazon S3 and import every user that wants to use SSH to access EC2 instances Allow inbound access on port 22 at the security group attached to the instance Install the Amazon CloudWatch agent on the EC2 instance and configure it to ingest audit logs for the instance

Deny inbound access on port 22 at the security group attached to the instance Use IAM Systems Manager Session Manager tor shell access to Amazon EC2 instances with the user tag defined Enable Amazon CloudWatch togging for Systems Manager sessions

Use Amazon S3 to securely store one Privacy Enhanced Mall Certificate (PEM fie) for each team or group Allow Amazon EC2 to read from Amazon S3 and import every user that wants to use SSH to access EC2 instances Allow inbound access on pod 22 at the security group attached to the instance Install the Amazon CloudWatch agent on the EC2 instance and configure it to ingest audit logs for the instance

Log in to each account four times a day and filter the IAM CloudTrail log data, then copy and paste the logs in to the Amazon S3 bucket in the destination account.

Set up Amazon CloudWatch to stream data to an Amazon S3 bucket in each source account. Set up bucket replication for each source account into a centralized bucket owned by the Security Engineer.

Set up an IAM Config aggregator to collect IAM configuration data from multiple sources.

Set up Amazon CloudWatch cross-account log data sharing with subscriptions in each account. Send the logs to Amazon Kinesis Data Firehose in the Security Engineer's account.

The developer must configure Lambda access to the VPC using the --vpc-config parameter.

The Lambda function execution role must have the kms:Decrypt- permission added in the IAM IAM policy.

The KMS key policy must allow permissions for the developer to use the KMS key.

The IAM IAM policy assigned to the developer must have the kmseGcnerate-DataKcy permission added.

The Lambda execution role must have the kms:Encrypt permission added in the IAM IAM policy.

Create an IAM Config rule defining the patch as a required configuration for EC2 instances.

Use the IAM Systems Manager Run Command to patch affected instances.

Use an IAM Systems Manager Patch Manager predefined baseline to patch affected instances.

Use IAM Systems Manager Session Manager to log in to each affected instance and apply the patch.

Configure an IAM Managed Microsoft AD to manage the cloud resources.

Configure an additional on-premises Active Directory service to manage the cloud resources.

Establish a one-way trust relationship from the existing Active Directory to the new Active Directory service.

Establish a one-way trust relationship from the new Active Directory to the existing Active Directory service.

Establish a two-way trust between the new and existing Active Directory services.

Create a cron job that runs a script lo download the IAM IAM security credentials We. parse the file for account root user logins and email the Security team's distribution 1st

Run IAM CloudTrail logs through Amazon CloudWatch Events to detect account roo4 user logins and trigger an IAM Lambda function to send an Amazon SNS notification to the Security team's distribution list.

Save IAM CloudTrail logs to an Amazon S3 bucket in the Security team's account Process the CloudTrail logs with the Security Engineer's logging solution for account root user logins Send an Amazon SNS notification to the Security team upon encountering the account root user login events

Save VPC Plow Logs to an Amazon S3 bucket in the Security team's account and process the VPC Flow Logs with their logging solutions for account root user logins Send an Amazon SNS notification to the Security team upon encountering the account root user login events

Default IAM Certificate Manager certificate

Custom SSL certificate stored in IAM KMS

Default CloudFront certificate

Custom SSL certificate stored in IAM Certificate Manager

Default SSL certificate stored in IAM Secrets Manager

Custom SSL certificate stored in IAM IAM

Associate the instances to the same security groups.

Add 0.0.0.0/0 to the egress rules of the instance security groups.

Add the instance IDs to the ingress rules of the instance security groups.

Add the public IP addresses to the ingress rules of the instance security groups.

Create a new CMK, and redirect the existing Key Alias to the new CMK

Select the option to auto-rotate the key

Upload new key material into the existing CMK.

Create a new CMK, and change the application to point to the new CMK

Use individual ACLs on each S3 object.

Use IAM groups tor sharing files between application social network users

Store each user's files in a separate S3 bucket and apery a bucket policy based on the user's sharing settings

Generate presigned UPLs for each file access

IAM CloudFormation

Amazon GuardDuty

Amazon Inspector

Amazon Macie

IAM Step Functions

Disable the EC2 instance metadata service.

Log all student SSH interactive session activity.

Implement ip tables-based restrictions on the instances.

Install the Amazon Inspector agent on the instances.

Delete the root access account

Create an Admin IAM user with the necessary permissions

Change the password for the root account.

Delete the root access keys

Create a Direct Connect connection between on-premise network and IAM. Use an AD connector for connecting IAM with on-premise active directory.

Create IAM policies that can be mapped to group memberships in the corporate directory.

Create a Lambda function to assign IAM roles to the temporary security tokens provided to the users.

Create IAM users that can be mapped to the employees' corporate identities

Create an IAM role that establishes a trust relationship between IAM and the corporate directory identity provider (IdP)

Use a third party tool to create the Key pair

Create a new key pair using the IAM CLI

Import the public key into EC2

Import the private key into EC2

It will allow all access to the bucket mybucket

It will allow the user mark from IAM account number 111111111 all access to the bucket but deny everyone else all access to the bucket

It will deny all access to the bucket mybucket

None of these

Create individual IAM users

Configure MFA on the root account and for privileged IAM users

Assign IAM users and groups configured with policies granting least privilege access

Ensure all users have been assigned and dre frequently rotating a password, access ID/secret key, and X.509 certificate

Trigger an IAM Config Rules evaluation of the restricted-common-ports rule against every EC2 instance.

Query the Trusted Advisor API for all best practice security checks and check for "action recommened" status.

Enable a GuardDuty threat detection analysis targeting the port configuration on every EC2 instance.

Run an Amazon inspector assessment using the Runtime Behavior Analysis rules package against every EC2 instance.

IAM Cognito

IAM SAML

IAM IAM

IAM Config

Generate pre-signed URLs for each user as they request access to protected S3 content

Create an IAM user for each subscribed user and assign the GetObject permission to each IAM user

Create an S3 bucket policy that limits access to your private content to only your subscribed users'credentials

Crpafp a Cloud Front Clriein Identity user for vnur suhsrrihprl users and assign the GptOhiprt oprmissinn to this user

IAM Config

IAM Trusted Advisor

IAM Inspector D.IAMGuardDuty

Use multiple VPCs in the account each VPC for each department

Use multiple IAM groups, each group for each department

Use multiple IAM roles, each group for each department

Use multiple IAM accounts, each account for each department

Ensure to create a strong password for logging into the EC2 Instance

Create a key pair using putty

Use the private key to log into the instance

Ensure the password is passed securely using SSL

Ensure the right match is in place for On-premise AD Groups and IAM Roles.

Ensure the right match is in place for On-premise AD Groups and IAM Groups.

Configure IAM as the relying party in Active Directory

Configure IAM as the relying party in Active Directory Federation services

Put the metadata as metadata for each object in the S3 bucket and then enable S3 Server side encryption.

Put the metadata as metadata for each object in the S3 bucket and then enable S3 Server KMS encryption.

Put the metadata in a DynamoDB table and ensure the table is encrypted during creation time.

Put thp metadata in thp S3 hurkpf itself.

Create a role that has the required permissions for the auditor.

Create an SNS notification that sends the CloudTrail log files to the auditor's email when CIoudTrail delivers the logs to S3, but do not allow the auditor access to the IAM environment.

The company should contact IAM as part of the shared responsibility model, and IAM will grant required access to th^ third-party auditor.

Enable CloudTrail logging and create an IAM user who has read-only permissions to the required IAM resources, including the bucket containing the CloudTrail logs.

Create a Service Control Policy that denies access to the services. Assemble all production accounts in an organizational unit. Apply the policy to that organizational unit.

Create a Service Control Policy that denies access to the services. Apply the policy to the root account.

Create an IAM policy that denies access to the services. Associate the policy with an IAM group and enlist all users and the root users in this group.

Create an IAM policy that denies access to the services. Create a Config Rule that checks that all users have the policy m assigned. Trigger a Lambda function that adds the policy when found missing.

Launch the test and production instances in separate regions and allow region wise access to the group

Define the IAM policy which allows access based on the instance ID

Create an IAM policy with a condition which allows access to only small instances

Define the tags on the test and production servers and add a condition to the IAM policy which allows access to specification tags

Use IAM Inspector to inspect all the EBS volumes

Use IAM Config to check for unencrypted EBS volumes

Use IAM Guard duty to check for the unencrypted EBS volumes

Use IAM Lambda to check for the unencrypted EBS volumes

Use IAM inspector to consciously inspect the instances for port scans

Use IAM Trusted Advisor to notify of any malicious port scans

Use IAM Config to notify of any malicious port scans

Use IAM Guard Duty to monitor any malicious port scans

Create IAM Lambda functions to download the updates and patch the servers.

Use IAM CLI commands to download the updates and patch the servers.

Use IAM inspector to patch the servers

Use IAM Systems Manager to patch the servers

Cross side scripting

SQL injection

DDoS attacks

Malware attacks

Add the keys to the backend distribution.

Add the keys to the S3 bucket

Create pre-signed URL's

Use IAM Access keys

Use Security Groups to block the IP addresses

Use VPC Flow Logs to block the IP addresses

Use IAM inspector to block the IP addresses

Use IAM WAF to block the IP addresses

Ensure the bucket policy has a condition which involves IAM:PrincipalOrglD

Ensure the bucket policy has a condition which involves IAM:AccountNumber

Ensure the bucket policy has a condition which involves IAM:PrincipaliD

Ensure the bucket policy has a condition which involves IAM:OrglD

IAM Cloudwatch

IAM EC2

IAM Trusted Advisor

IAM SNS

Ensure that UserB is given the right IAM role to access the key

Ensure that UserB is given the right permissions in the IAM policy

Ensure that UserB is given the right permissions in the Key policy

Ensure that UserB is given the right permissions in the Bucket policy

IAM KMS

IAM S3 Server side encryption

IAM Customer Keys

IAM Cloud HSM

Tag the instance with a production-identifying tag and add resource-level permissions to the employee user with an explicit deny on the terminate API call to instances with the production tag. <

Tag the instance with a production-identifying tag and modify the employees group to allow only start stop, and reboot API calls and not the terminate instance call.

Modify the IAM policy on the user to require MFA before deleting EC2 instances and disable MFA access to the employee

Modify the IAM policy on the user to require MFA before deleting EC2 instances

Apply Multi-AZ for the underlying 53 bucket

Copy the data to an EBS Volume in another Region

Create a snapshot of the S3 bucket and copy it to another region

Enable Cross region replication for the S3 bucket

Image Objects

Large files

Password

RSA Keys

Use IAM Cloudtrail to record the processes running on the server to an S3 bucket.

Use IAM Cloudwatch to record the processes running on the server

Use the SSM Run command to send the list of running processes information to an S3 bucket.

Use IAM Config to see the changed process information on the server

Adding a bucket policy on the S3 bucket.

Configuring lifecycle configuration rules on the S3 bucket.

Creating an IAM policy for the S3 bucket.

Enabling CORS on the S3 bucket.

When storing data in Amazon EBS, use only EBS-optimized Amazon EC2 instances.

When storing data in EBS, encrypt the volume by using IAM KMS.

When storing data in Amazon S3, use object versioning and MFA Delete.

When storing data in Amazon EC2 Instance Store, encrypt the volume by using KMS.

When storing data in S3, enable server-side encryption.

EC2 instances in our public subnet, no EIPs, route outgoing traffic via the IGW

EC2 instances in our public subnet, assigned EIPs, and route outgoing traffic via the NAT

EC2 instance in our private subnet, assigned EIPs, and route our outgoing traffic via our IGW

EC2 instances in our private subnet, no EIPs, route outgoing traffic via the NAT

Place the EC2 Instance with the Oracle database in the same public subnet as the Web server for faster communication

Place the EC2 Instance with the Oracle database in a separate private subnet

Create a database security group and ensure the web security group to allowed incoming access

Ensure the database security group allows incoming traffic from 0.0.0.0/0

Create a new CloudTrail trail with one new S3 bucket to store the logs and with the global services option selected. Use IAM roles S3 bucket policies and Mufti Factor Authentication (MFA) Delete on the S3 bucket that stores your logs.

Create a new CloudTrail with one new S3 bucket to store the logs. Configure SNS to send log file delivery notifications to your management system. Use IAM roles and S3 bucket policies on the S3 bucket that stores your logs.

Create a new CloudTrail trail with an existing S3 bucket to store the logs and with the global services option selected. Use S3 ACLsand Multi Factor Authentication (MFA) Delete on the S3 bucket that stores your logs.

Create three new CloudTrail trails with three new S3 buckets to store the logs one for the IAM Management console, one for IAM SDKs and one for command line tools. Use IAM roles and S3 bucket policies on the S3 buckets that store your logs.

Save the API credentials to your PHP files.

Don't save your API credentials, instead create a role in IAM and assign this role to an EC2 instance when you first create it.

Save your API credentials in a public Github repository.

Pass API credentials to the instance using instance userdata.

Use IAM Access keys to encrypt the data

Use SSL certificates to encrypt the data

Enable server side encryption on the S3 bucket

Enable MFA on the S3 bucket

The EC2 instance running your WAF software is placed between your private subnets and any NATed connections to the internet.

The EC2 instance running your WAF software is placed between your public subnets and your Internet Gateway.

The EC2 instance running your WAF software is placed between your public subnets and your private subnets.

The EC2 instance running your WAF software is included in an Auto Scaling group and placed in between two Elastic load balancers.

Expose the data with a public HTTPS endpoint.

A VPN between the VPC and the data center over a Direct Connect connection

A VPN between the VPC and the data center.

A Direct Connect connection between the VPC and data center

Build the application server on a public subnet and the database at the client's data center. Connect them with a VPN connection which uses IPsec.

Use the public subnet for the application server and use RDS with a storage gateway to access and synchronize the data securely from the local data center.

Build the application server on a public subnet and the database on a private subnet with a NAT instance between them.

Build the application server on a public subnet and build the database in a private subnet with a secure ssh connection to the private subnet from the client's data center.

End-to-end protection of data in transit

End-to-end Identity authentication

Data encryption across the internet

Protection of data in transit over the Internet

Peer identity authentication between VPN gateway and customer gateway

Data integrity protection across the Internet

Delete the keys since anyway there is a 7 day waiting period before deletion

Disable the keys

Set an alias for the key

Change the key material for the key

Use IAM Roles with permissions to interact with DynamoDB and assign it to the EC2 Instance

Use KMS keys with the right permissions to interact with DynamoDB and assign it to the EC2 Instance

Use IAM Access Keys with the right permissions to interact with DynamoDB and assign it to the EC2 Instance

Use IAM Access Groups with the right permissions to interact with DynamoDB and assign it to the EC2 Instance

Use the IAM access keys ensuring that they are frequently rotated.

Assign an IAM user to the application that has specific access to only that S3 bucket

Assign an IAM Role and assign it to the EC2 Instance

Assign an IAM group and assign it to the EC2 Instance

Run an Amazon EMP cluster that uses a MapReduce job to be examine the CloudTrail trails.

Use the events history/feature of the CloudTrail console to query the CloudTrail trails.

Write an IAM Lambda function to query the CloudTrail trails Configure the Lambda function to be executed whenever a new file is created in the CloudTrail S3 bucket.

Create an Amazon Athena table that tools at the S3 bucket the CloudTrail trails are being written to Use Athena to run queries against the trails.

Enable IAM Config and set it to record all resources in all Regions and global resources. Then enable IAM Security Hub and confirm that the CIS IAM Foundations compliance standard is enabled

Enable Amazon Inspector and configure it to scan all Regions for the CIS IAM Foundations Benchmarks. Then enable IAM Security Hub and configure it to ingest the

Amazon Inspector findings

Enable Amazon Inspector and configure it to scan all Regions for the CIS IAM Foundations Benchmarks. Then enable IAM Shield in all Regions to protect the account from DDoS attacks.

Enable IAM Config and set it to record all resources in all Regions and global resources Then enable Amazon Inspector and configure it to enforce CIS IAM Foundations Benchmarks using IAM Config rules.

Configure the application’s EC2 instances to use NAT gateways for all inbound traffic.

Move the web servers to private subnets without public IP addresses.

Configure IAM WAF to provide DDoS attack protection for the ALB.

Require all inbound network traffic to route through a bastion host in the private subnet.

Require all inbound and outbound network traffic to route through an IAM Direct Connect connection.

The EC2 instance role does not have decrypt permissions on the IAM Key Management Sen/ice (IAM KMS) key used to encrypt the secret

The EC2 instance role does not have read permissions to read the parameters In Parameter Store

Parameter Store does not have permission to use IAM Key Management Service (IAM KMS) to decrypt the parameter

The EC2 instance role does not have encrypt permissions on the IAM Key Management Service (IAM KMS) key associated with the secret

The EC2 instance does not have any tags associated.

Use Imported key material with CMK

Use an IAM KMS CMK

Use an IAM managed CMK.

Use an IAM KMS customer managed CMK

Put all the proxy EC2 instances in a cluster placement group.

Disable source and destination checks on the proxy EC2 instances.

Open all inbound ports on the proxy EC2 instance security group.

Change the VPC's DHCP domain-name-server’s options set to the IP addresses of proxy EC2 instances.

Update the password length policy In the on-premises Active Directory configuration.

Update the password length policy In the IAM configuration.

Enforce an IAM policy In Amazon Cognito and IAM IAM with a minimum password length condition.

Update the password length policy in the Amazon Cognito configuration.

Create an SCP with IAM Organizations that enforces a minimum password length for IAM IAM and Amazon Cognito.

Upload the third-party signing certificate's new private key to the IAM identity provider entity defined in IAM identity and Access Management (IAM) by using the IAM Management Console

Sign the identity provider's metadata file with the new public key Upload the signature to the IAM identity provider entity defined in IAM Identity and Access Management (IAM) by using the IAM CLI.

Download the updated SAML metadata tile from the identity service provider Update the file in the IAM identity provider entity defined in IAM Identity and Access Management (IAM) by using the IAM CLI

Configure the IAM identity provider entity defined in IAM Identity and Access Management (IAM) to synchronously fetch the new public key by using the IAM Management Console.

Configure the CMK key policy to allow only the Amazon S3 service to use the kms Encrypt action

Configure the CMK key policy to allow IAM KMS actions only when the kms ViaService condition matches the Amazon S3 service name.

Configure the IAM user's policy lo allow KMS to pass a rote lo Amazon S3

Configure the IAM user's policy to allow only Amazon S3 operations when they are combined with the CMK

Use IPv6 addresses that are configured for hostnames.

Configure external DNS resolvers as internal resolvers that are visible only to IAM.

Use IAM DNS resolvers for all EC2 instances.

Configure a third-party DNS resolver with logging for all EC2 instances.

Modify EBS default encryption settings in the target AWS Region to enable encryption. Use an Auto Scaling group instance refresh.

Modify the launch templates for the web layer and the backend layer to add AWS Certificate Manager (ACM) encryption for the attached EBS volumes. Use an Auto Scaling group instance refresh.

Create a new AWS Key Management Service (AWS KMS) encrypted DB cluster from a snapshot of the existing DB cluster.

Apply AWS Key Management Service (AWS KMS) encryption to the existing DB cluster.

Apply AWS Certificate Manager (ACM) encryption to the existing DB cluster.

Set the dnssec-enable option to yes in the BIND configuration. Create a zone-signing key (ZSK) and a key-signing key (KSK) Restart the BIND service.

Migrate the zone to Route 53 with DNSSEC signing enabled. Create a zone-signing key (ZSK) and a key-signing key (KSK) that are based on an AWS. Key Management Service (AWS KMS) customer managed key.

Set the dnssec-enable option to yes in the BIND configuration. Create a zone-signing key (ZSK) and a key-signing key (KSK). Run the dnssec-signzone command to generate a delegation signer (DS) record Use AWS. Key Management Service (AWS KMS) to secure the keys.

Migrate the zone to Route 53 with DNSSEC signing enabled. Create a key-signing key (KSK) that is based on an AWS Key Management Service (AWS KMS) customer managed key. Add a delegation signer (DS) record to the parent zone.

The CMK is used in the attempt does not exist.

The CMK is used in the attempt needs to be rotated.

The CMK is used in the attempt is using the CMKג€™s key ID instead of the CMK ARN.

The CMK is used in the attempt is not enabled.

The CMK is used in the attempt is using an alias.

Remove the existing NAT gateway. Create a new NAT gateway that only the application server subnets can use.

Configure the DB instanceג€™s inbound network ACL to deny traffic from the security group ID of the NAT gateway.

Modify the route tables of the DB instance subnets to remove the default route to the NAT gateway.

Configure the route table of the NAT gateway to deny connections to the DB instance subnets.

Use Amazon issued AWS Certificate Manager (ACM) certificates on the EC2 instances and the Elastic Load Balancer to configure end-to-end encryption

Import a third-party SSL certificate to AWS Certificate Manager (ACM) Install the third-party certificate on the EC2 instances Associate the ACM imported third-party certificate with the Elastic Load Balancer

Deploy AWS CloudHSM Import a third-party certificate Configure the EC2 instances and the Elastic Load Balancer to use the CloudHSM imported certificate

Import a third-party certificate bundle to AWS Certificate Manager (ACM) Install the third-party certificate on the EC2 instances Associate the ACM imported third-party certificate with the Elastic Load Balancer.

The S3 bucket policy does not explicitly allow the Security Engineer access to the objects in the bucket.

The object ACLs are not being updated to allow the users within the centralized account to access the objects

The Security Engineers IAM policy does not grant permissions to read objects in the S3 bucket

The s3:PutObject and s3:PutObjectAcl permissions should be applied at the S3 bucket level

Delete the key pair from the EC2 console. Create a new key pair.

Use the ModifylnstanceAttribute API operation to change the key on any EC2 instance that is using the key.

Restrict SSH access in the security group to only known corporate IP addresses.

Update the key pair in any AMI that is used to launch the EC2 instances. Restart the EC2 instances.

Assign an 1AM policy to the instance profile to allow the EC2 instances to be managed by AWS Systems Manager Provide the 1AM user accounts with permission to use Systems Manager Remove the SSH keys from the EC2 instances Use Systems Manager Inventory to select the EC2 instance and connect

Assign an 1AM policy to the 1AM user accounts to provide permission to use AWS Systems Manager Run Command Remove the SSH keys from the EC2 instances Use Run Command to open an SSH connection to the EC2 instance

Assign an 1AM policy to the instance profile to allow the EC2 instances to be managed by AWS Systems Manager Provide the 1AM user accounts with permission to use Systems Manager Remove the SSH keys from the EC2 instances Use Systems Manager Session Manager to select the EC2 instance and connect

Assign an 1AM policy to the 1AM user accounts to provide permission to use the EC2 service in the AWS Management Console Remove the SSH keys from the EC2 instances Connect to the EC2 instance as the ec2-user through the AWS Management Console's EC2 SSH client method

Create a key policy that allows the kms:Decrypt action only for Amazon S3 and DynamoDB. Create an SCP that denies the creation of S3 buckets and DynamoDB tables that are not encrypted with the key.

Create an 1AM policy that denies the kms:Decrypt action for the key. Create a Lambda function than runs on a schedule to attach the policy to any new roles. Create an AWS Config rule to send alerts for resources that are not encrypted with the key.

Create a key policy that allows the kms:Decrypt action only for Amazon S3, DynamoDB, Lambda, and Amazon EKS. Create an SCP that denies the creation of S3 buckets and DynamoDB tables that are not encrypted with the key.

Create a key policy that allows the kms:Decrypt action only for Amazon S3, DynamoDB, Lambda, and Amazon EKS. Create an AWS Config rule to send alerts for resources that are not encrypted with the key.

1 Put all users into an IAM group with an access policy granting access to the J bucket.

Have the account creation trigger an IAM Lambda function that manages the bucket policy, allowing access to accounts listed in the policy only.

Add an SCP to the Organizations master account, allowing all principals access to the bucket.

Specify the organization ID in the global key condition element of a bucket policy, allowing all principals access.

Configure the key policy for the customer managed key in the production account to allow access to the Lambda service.

Configure the key policy for the customer managed key in the production account to allow access to the IAM role of the Lambda function in the development account.

Configure a new IAM policy in the production account with permissions to use the customer managed key. Apply the IAM policy to the IAM role that the Lambda function in the development account uses.

Configure a new key policy in the development account with permissions to use the customer managed key. Apply the key policy to the IAM role that the Lambda function in the development account uses.

Configure the IAM role for the Lambda function in the development account by attaching an IAM policy that allows access to the customer managed key in the production account.

Attach a policy to the IAM user to allow the user to assume the role that was created in the top-level account. Specify the role's ARN in the policy.

Create an SCP that grants permissions to the top-level account.

Use the root account of the business unit account to assume the role that was created in the top-level account. Specify the role's ARN in the policy.

Forward the credentials of the IAM role in the top-level account to the IAM user in the business unit account.

C:\Users\wk\Desktop\mudassar\Untitled.jpg

C:\Users\wk\Desktop\mudassar\Untitled.jpg

C:\Users\wk\Desktop\mudassar\Untitled.jpg

C:\Users\wk\Desktop\mudassar\Untitled.jpg

Create a pre sign-up AWS Lambda trigger. Associate the Amazon Cognito function with the Amazon Cognito user pool.

Use a geographic match rule statement to configure an AWS WAF web ACL. Associate the web ACL with the Amazon Cognito user pool.

Configure an app client for the application's Amazon Cognito user pool. Use the app client ID to validate the requests in the hosted Ul.

Update the application's Amazon Cognito user pool to configure a geographic restriction setting.

Use Amazon Cognito to configure a social identity provider (IdP) to validate the requests on the hosted Ul.

Create a snapshot of the DB instance. Copy the snapshot to a new snapshot, and enable encryption for the copy process. Use the new snapshot to restore the DB instance.

Modify the configuration of the DB instance by enabling encryption. Create a snapshot of the DB instance. Use the snapshot to restore the DB instance.

Use IAM Key Management Service (IAM KMS) to create a new default IAM managed awa/rds key. Select this key as the encryption key for operations with Amazon RDS.

Use IAM Key Management Service (IAM KMS] to create a new CMK. Select this key as the encryption key for operations with Amazon RDS.

Create a snapshot of the DB instance. Enable encryption on the snapshoVUse the snapshot to restore the DB instance.

Use Amazon CloudWatch monitoring to capture Amazon EC2 and networking metrics Visualize metrics using Amazon CloudWatch dashboards.

Run the Amazon Kinesis Agent to write the status data to Amazon Kinesis Data Firehose Store the streaming data from Kinesis Data Firehose in Amazon Redshift. (hen run a script on the pool data and analyze the data in Amazon Redshift

Write the status data directly to a public Amazon S3 bucket from the health-checking component Configure S3 events to invoke an IAM Lambda function that analyzes the data

Generate events from the health-checking component and send them to Amazon CloudWatch Events. Include the status data as event payloads. Use CloudWatch Events rules to invoke an IAM Lambda function that analyzes the data.

Use AWS Systems Manager Patch Manager to view vulnerability identifiers for missing patches on the instances. Use Patch Manager also to automate the patching process.

Use AWS Shield Advanced to view vulnerability identifiers for missing patches on the instances. Use AWS Systems Manager Patch Manager to automate the patching process.

Use Amazon GuardDuty to view vulnerability identifiers for missing patches on the instances. Use Amazon Inspector to automate the patching process.

Use Amazon Inspector to view vulnerability identifiers for missing patches on the instances. Use Amazon Inspector also to automate the patching process.

The route tables and the outbound rules on the appropriate private subnet security group

The outbound network ACL rules on the private subnet and the Inbound network ACL rules on the public subnet

The outbound network ACL rules on the private subnet and both the inbound and outbound rules on the public subnet

The rules on any host-based firewall that may be applied on the Amazon EC2 instances

The Security Group applied to the Application Load Balancer and NAT gateway

That the 0.0.0./0 route in the private subnet route table points to the internet gateway in the public subnet

Provision a Direct Connect connection to an IAM region using a Direct Connect partner.

Create a VPN tunnel for private connectivity, which increases network consistency and reduces latency.

Create an iPSec tunnel for private connectivity, which increases network consistency and reduces latency.

Create a VPC peering connection between IAM and the Customer gateway.

Configure the S3 Block Public Access feature for the AWS account.

Configure the S3 Block Public Access feature for all objects that are in the bucket.

Deactivate ACLs for objects that are in the bucket.

Use AWS PrivateLink for Amazon S3 to access the bucket.

Create an IAM role in the production account and allow EC2 instances in the development account to assume that role using the trust policy. Provide read access for the required S3 bucket to this role.

Use a custom identity broker to allow Developer IAM users to temporarily access the S3 bucket.

Create a temporary IAM user for the application to use in the production account.

Create a temporary IAM user in the production account and provide read access to Amazon S3. Generate the temporary IAM user's access key and secret key and store these on the EC2 instance used by the application in the development account.

Amazon Route 53

IAM Certificate Manager (ACM)

Amazon S3

IAM Shield

Elastic Load Balancer

Amazon GuardDuty

Create an AD policy to modify the Windows Firewall settings on all hosts in the VPC to deny access from the IP Address block.

Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP Address block.

Add a rule to all of the VPC Security Groups to deny access from the IP Address block.

Modify the Windows Firewall settings on all AMI'S that your organization uses in that VPC to deny access from the IP address block.

Ensure CloudTrail log file validation is turned on

Configure an S3 lifecycle rule to periodically archive CloudTrail logs into Glacier for long-term storage

Use an S3 bucket with tight access controls that exists m a separate account

Use Amazon Inspector to monitor the file integrity of CloudTrail log files.

Request a certificate through ACM and use a generated certificate private key to encrypt CloudTrail log files

Encrypt the CloudTrail log files with server-side encryption with IAM KMS-managed keys (SSE-KMS)

Create a new customer managed key Add a key rotation schedule to the key Invoke the key rotation schedule every time the security team requests a key change

Create a new AWS managed key Add a key rotation schedule to the key Invoke the key rotation schedule every time the security team requests a key change

Create a key alias Create a new customer managed key every time the security team requests a key change Associate the alias with the new key

Create a key alias Create a new AWS managed key every time the security team requests a key change Associate the alias with the new key

Add an origin custom header Set the viewer protocol policy to HTTP and HTTPS Set the origin protocol pokey to HTTPS only Update the application to validate the CloudFront custom header

Add an origin custom header Set the viewer protocol policy to HTTPS only Set the origin protocol policy to match viewer Update the application to validate the CloudFront custom header.

Add an origin custom header Set the viewer protocol policy to redirect HTTP to HTTPS Set the origin protocol policy to HTTP only Update the application to validate the CloudFront custom header.

Add an origin custom header Set the viewer protocol policy to redirect HTTP to HTTPS. Set the origin protocol policy to HTTPS only Update the application to validate the CloudFront custom header

Enable Amazon GuardDuty in all Regions. Create alerts to detect unauthorized activity outside us-east-1 and us-west-2.

Use an organization in IAM Organizations. Attach an SCP that allows all actions when the IAM: Requested Region condition key is either us-east-1 or us-west-2. Delete the FullIAMAccess policy.

Provision EC2 resources by using IAM Cloud Formation templates through IAM CodePipeline. Allow only the values of us-east-1 and us-west-2 in the IAM CloudFormation template's parameters.

Create an IAM Config rule to prevent unauthorized activity outside us-east-1 and us-west-2.

Configure the DB instance to allow public access Update the DB instance security group to allow access from the Lambda public address space for the AWS Region

Deploy the Lambda functions inside the VPC Attach a network ACL to the Lambda subnet Provide outbound rule access to the VPC CIDR range only Update the DB instance security group to allow traffic from 0.0.0.0/0

Deploy the Lambda functions inside the VPC Attach a security group to the Lambda functions Provide outbound rule access to the VPC CIDR range only Update the DB instance security group to allow traffic from the Lambda security group

Peer the Lambda default VPC with the VPC that hosts the DB instance to allow direct network access without the need for security groups

In the statement block that contains the Sid "Allow use of the key", under the "Condition" block, change StringEquals to StringLike.

In the policy document, remove the statement Dlock that contains the Sid "Enable IAM User Permissions". Add key management policies to the KMS policy.

In the statement block that contains the Sid "Allow use of the Key", under the "Condition" block, change the Kms:ViaService value to ec2.us-east-1 .amazonIAM com.

In the policy document, add a new statement block that grants the kms:Disable' permission to the security engineer's IAM role.

Create an identity policy that allows the sts: AssumeRole action in the AWS account that contains the resources. Attach the identity policy to the IAM user.

Ensure that the sts: AssumeRole action is allowed by the SCPs of the organization that owns the resources that the IAM user needs to access.

Create a role in the AWS account that contains the resources. Create an entry in the role's trust policy that allows the IAM user to assume the role. Attach the trust policy to the role.

Establish a trust relationship between the IAM user and the AWS account that contains the resources.

Create a role in the IAM user's AWS account. Create an identity policy that allows the sts: AssumeRole action. Attach the identity policy to the role.

Use the --is-multi-region-trail option while running the create-trail command to ensure that logs are configured across all AWS Regions.

Create an SCP that includes a Deny rule tor the cloudtrail. StopLogging action Apply the SCP to all accounts in the OUs.

Create an SCP that includes an Allow rule for the cloudtrail. StopLogging action Apply the SCP to all accounts in the OUs.

Use AWS Systems Manager to ensure that CloudTrail is always turned on.

Request a certificate (torn ACM in the us-west-2 Region Add the domain names that the certificate will secure

Send an email message to the domain administrators to request vacation of the domains for ACM

Request validation of the domains for ACM through DNS Insert CNAME records into each domain's DNS zone

Create an Application Load Balancer for me caching solution Select the newly requested certificate from ACM to be used for secure connections

Create an Amazon CloudFront distribution for the caching solution Enter the main CNAME record as the Origin Name Enter the subdomain names or alternate names in the Alternate Domain Names Distribution Settings Select the newly requested certificate from ACM to be used for secure connections

Request a certificate from ACM in the us-east-1 Region Add the domain names that the certificate wil secure

Instruct users to implement a retry mechanism every 2 minutes until the call succeeds.

Instruct the engineering team to consume a random grant token from users, and to call the CreateGrant operation, passing it the grant token. Instruct use to use that grant token in their call to encrypt.

Instruct the engineering team to create a random name for the grant when calling the CreateGrant operation. Return the name to the users and instruct them to provide the name as the grant token in the call to encrypt.

Instruct the engineering team to pass the grant token returned in the CreateGrant response to users. Instruct users to use that grant token in their call to encrypt.

Create an Amazon Event Bridge (Amazon Cloud watch Events) event with an EC2 instance as the source and create volume as the event trigger. When the event is triggered invoke an IAM Lambda function to evaluate and notify the security engineer if the EBS volume that was created is not encrypted.

Use a customer managed IAM policy that will verify that the encryption flag of the Createvolume context is set to true. Apply this rule to all users.

Create an IAM Config rule to evaluate the configuration of each EC2 instance on creation or modification. Have the IAM Config rule trigger an IAM Lambdafunction to alert the security team and terminate the instance it the EBS volume is not encrypted. 5

Use the IAM Management Console or IAM CLi to enable encryption by default for EBS volumes in each IAM Region where the company operates.

In the security account configure an IAM role for the new Lambda function. Attach an IAM policy that allows access to the KMS key in the security account.

In the development account configure an IAM role for the new Lambda function. Attach a key policy that allows access to the KMS key in the security account.

In the development account configure an IAM role for the new Lambda function. Attach an IAM policy that allows access to the KMS key in the security account.

Configure a key policy for the KMS key m the security account to allow access to the IAM role of the new Lambda function in the security account.

Configure a key policy for the KMS key in the security account to allow access to the IAM role of the new Lambda function in the development account.

On a recurring basis, update an IAM user policies to require that EC2 instances are created with an encrypted volume

Configure an IAM Config rule lo run on a recurring basis 'or volume encryption

Set up Amazon Inspector rules tor volume encryption to run on a recurring schedule

Use CloudWatch Logs to determine whether instances were created with an encrypted volume

Turn on the awslogs log driver by specifying parameters for awslogs-group and awslogs-region m the LogConfiguration property

Download and configure the CloudWatch agent on the container instances

Set up Fluent Bit and FluentO as a DaemonSet to send logs to Amazon CloudWatch Logs

Configure an 1AM policy that includes the togs CreateLogGroup action Assign the policy to the container instances

Configure access logging for the required API stage.

Configure an AWS CloudTrail trail destination for API Gateway events. Configure filters on the userldentity, userAgent, and sourcelPAddress fields.

Configure an Amazon S3 destination for API Gateway logs. Run Amazon Athena queries to analyze API access information.

Use Amazon CloudWatch Logs Insights to analyze API access information.

Select the Enable Detailed CloudWatch Metrics option on the required API stage.

Option A

Option B

Enable VPC Flow Logs in all VPCs Create a scheduled IAM Lambda function that downloads and parses the logs, and sends an Amazon SNS notification for violations.

Use IAM CloudTrail to make a trail, and apply it to all Regions Specify an Amazon S3 bucket to receive all the CloudTrail log files

Add the following bucket policy to the company's IAM CloudTrail bucket to prevent log tampering

{

"Version": "2012-10-17-,

"Statement": {

"Effect": "Deny",

"Action": "s3:PutObject",

"Principal": "-",

"Resource": "arn:IAM:s3:::cloudtrail/IAMLogs/111122223333/*"

}

}

Create an Amazon S3 data event for an PutObject attempts, which sends notifications to an Amazon SNS topic.

Create a Security Auditor role with permissions to access Amazon CloudWatch Logs m all Regions Ship the logs to an Amazon S3 bucket and make a lifecycle policy to ship the logs to Amazon S3 Glacier.

Verify that Amazon GuardDuty is enabled in all Regions, and create an Amazon CloudWatch Events rule for Amazon GuardDuty findings Add an Amazon SNS topic as the rule's target

Enable automatic key rotation annually for the existing customer managed key

Use the AWS CLI to create an AWS Lambda function to rotate the existing customer managed key annually

Import new key material to the existing customer managed key Manually rotate the key

Create a new customer managed key Import new key material to the new key Point the key alias to the new key

An HTTPS listener that uses a certificate that is managed by Amazon Certification Manager.

An HTTPS listener that uses a custom security policy that allows only perfect forward secrecy cipher suites

An HTTPS listener that uses the latest IAM predefined ELBSecuntyPolicy-TLS-1 -2-2017-01 security policy

A TCP listener that uses a custom security policy that allows only perfect forward secrecy cipher suites.

wg-123 -Allow ports 80 and 443 from 0.0.0.0/0

db-345 - Allow port 1433 from wg-123

wg-123 - Allow port 1433 from wg-123

db-345 -Allow ports 1433 from 0.0.0.0/0

Deny access to the Amazon DNS IP within all security groups.

Add a rule to all network access control lists that deny access to the Amazon DNS IP.

Add a route to all route tables that black holes traffic to the Amazon DNS IP.

Disable DNS resolution within the VPC configuration.

Change the key policy permissions associated with the KMS CMK for each application when it must access the data in Amazon S3.

Have each application assume an IAM role that provides permissions to use the IAM Certificate Manager CMK.

Have each application use a grant on the KMS CMK to add or remove specific access controls on the KMS CMK.

Have each application use an IAM policy in a user context to have specific access permissions on the KMS CMK.

Create a Customer Master Key (CMK) for each data classification type, and enable the rotation of it annually. For the “Restricted” CMK, define the MFA policy within the key policy. Use S3 SSE-KMS to encrypt the objects.

Create a CMK grant for each data classification type with EnableKeyRotation and MultiFactorAuthPresent set to true. S3 can then use the grants to encrypt each object with a unique CMK.

Create a CMK for each data classification type, and within the CMK policy, enable rotation of it annually, and define the MFA policy. S3 can then create DEK grants to uniquely encrypt each object within the S3 bucket.

Create a CMK with unique imported key material for each data classification type, and rotate them annually. For the “Restricted” key material, define the MFA policy in the key policy. Use S3 SSE-KMS to encrypt the objects.

Bypass the proxy and use an S3 VPC endpoint with a policy that whitelists only certain S3 buckets within Account 1.

Block outbound access to public S3 endpoints on the proxy server.

Configure Network ACLs on Server X to deny access to S3 endpoints.

Modify the S3 bucket policy for the legitimate bucket to allow access only from the public IP addresses associated with the application server.

Remove the IAM instance role from the application server and save API access keys in a trusted and encrypted application config file.

Use IAM Config to review the IAM policy assigned to users before and after the incident.

Run the GenerateCredentialReport via the IAM CLI, and copy the output to Amazon S3 daily for auditing purposes.

Copy IAM CloudFormation templates to S3, and audit for changes from the template.

Use Amazon EC2 Systems Manager to deploy images, and review IAM CloudTrail logs for changes.

Create a new IAM user that has administrator permissions in the IAM account. Delete the password for the IAM account root user.

Create a new IAM user that has administrator permissions in the IAM account. Modify the permissions for the existing IAM users.

Replace the access key for the IAM account root user. Delete the password for the IAM account root user.

Create a new IAM user that has administrator permissions in the IAM account. Enable multi-factor authentication for the IAM account root user.

Add each employee’s home IP address to the security group for the application so that only those users can access the workload.

Create a virtual gateway for VPN connectivity for each employee, and restrict access to the workload from within the VPC.

Use a VPN appliance from the IAM Marketplace for users to connect to, and restrict workload access to traffic from that appliance.

Route all traffic to the workload through IAM WAF. Add each employee’s home IP address into an IAM WAF rule, and block all other traffic.

Move all the files to an Amazon S3 bucket. Have the web server serve the files from the S3 bucket.

Launch a second Amazon EC2 instance in a new subnet. Launch an Application Load Balancer in front of both instances.

Launch an Application Load Balancer in front of the EC2 instance. Create an Amazon CloudFront distribution in front of the Application Load Balancer.

Move all the files to an Amazon S3 bucket. Create a CloudFront distribution in front of the bucket and terminate the web server.

Move the bastion host to the VPC with VPN connectivity. Create a VPC peering relationship between the bastion host VPC and Aurora VPC.

Create a SSH port forwarding tunnel on the Developer’s workstation to the bastion host to ensure that only authorized SSH clients can access the bastion host.

Move the bastion host to the VPC with VPN connectivity. Create a cross-account trust relationship between the bastion VPC and Aurora VPC, and update the Aurora security group for the relationship.

Create an IAM Direct Connect connection between the corporate network and the Aurora account, and adjust the Aurora security group for this connection.

Use IAM Config to detect whether an Internet Gateway is added and use an IAM Lambda function to provide auto-remediation.

Within the Amazon VPC configuration, mark the VPC as private and disable Elastic IP addresses.

Use IPv6 addressing exclusively on the EC2 hosts, as this prevents the hosts from being accessed from the internet.

Move the workload to a Dedicated Host, as this provides additional network security controls and monitoring.

Deploy a pre-authorized scanning engine from the IAM Marketplace into VPC B, and use it to scan instances in all three VPCs. Do not complete the penetration test request form.

Deploy a pre-authorized scanning engine from the Marketplace into each VPC, and scan instances in each VPC from the scanning engine in that VPC. Do not complete the penetration test request form.

Create a VPN connection from the data center to VPC A. Use an on-premises scanning engine to scan the instances in all three VPCs. Complete the penetration test request form for all three VPCs.

Create a VPN connection from the data center to each of the three VPCs. Use an on-premises scanning engine to scan the instances in each VPC. Do not complete the penetration test request form.

Create a VPN connection from the data center to each of the three VPCs. Use an on-premises scanning engine to scan the instances in each VPC. Complete the penetration test request form for all three VPCs.

IAM User name and password

Key pairs

IAM Access keys

IAM SDK keys

Amazon Elasticsearch

Amazon Kinesis

Amazon SQS

Amazon CloudWatch

Amazon Athena

Option A

Option B

Option C

Option D

Configure a proxy solution on Amazon EC2 and route all outbound VPC traffic through it. Perform inspection within proxy software on the EC2 instance.

Configure the host-based agent on each EC2 instance within the VPC. Perform inspection within the host-based agent.

Enable VPC Flow Logs for all subnets in the VPC. Perform inspection from the Flow Log data within Amazon CloudWatch Logs.

Configure Elastic Load Balancing (ELB) access logs. Perform inspection from the log data within the ELB access log files.

Configure the CloudWatch Logs agent on each EC2 instance within the VPC. Perform inspection from the log data within CloudWatch Logs.

Option A

Option B

Option C

Option D

Port 443 coming from 0.0.0.0/0

Port 443 coming from 10.0.0.0/16

Port 22 coming from 0.0.0.0/0

Port 22 coming from 203.0.113.1/32

Use IAM KMS with IAM managed keys and the ScheduleKeyDeletion API with a PendingWindowInDays set to 0 to remove the keys if necessary.

Use KMS with IAM imported key material and then use the DeletelmportedKeyMaterial API to remove the key material if necessary.

Use IAM CloudHSM to store the keys and then use the CloudHSM API or the PKCS11 library to delete the keys if necessary.

Use the Systems Manager Parameter Store to store the keys and then use the service API operations to delete the key if necessary.

Remove the instance from the load balancer and terminate it.

Remove the instance from the load balancer, and shut down access to the instance by tightening the security group.

Reboot the instance and check for any Amazon CloudWatch alarms.

Stop the instance and make a snapshot of the root EBS volume.

Disable network ACLs.

Configure the security appliance's elastic network interface for promiscuous mode.

Disable the Network Source/Destination check on the security appliance's elastic network interface

Place the security appliance in the public subnet with the internet gateway

Upload an SSL certificate to IAM, and configure Amazon CloudFront with the passphrase for the private key.

Call KMS.Encrypt() in the client, passing in the data file contents, and call KMS.Decrypt() server-side.

Use IAM Certificate Manager to provision a certificate on an Elastic Load Balancing in front of the web service’s servers.

Create a new VPC with an Amazon VPC VPN endpoint, and update the web service’s DNS record.

Use KMS grants to manage key access. Programmatically create and revoke grants to manage vendor access.

Use an IAM role to manage key access. Programmatically update the IAM role policies to manage vendor access.

Use KMS key policies to manage key access. Programmatically update the KMS key policies to manage vendor access.

Use delegated access across IAM accounts by using IAM roles to manage key access. Programmatically update the IAM trust policy to manage cross-account vendor access.

Create IAM roles with permissions corresponding to each Active Directory group.

Create IAM groups with permissions corresponding to each Active Directory group.

Configure Amazon Cloud Directory to support a SAML provider.

Configure Active Directory to add relying party trust between Active Directory and IAM.

Configure Amazon Cognito to add relying party trust between Active Directory and IAM.

Using Amazon Inspector, review all of the API calls and configure the inspector agent to leverage SNS topics to notify security of the change to IAM CloudTrail, and revoke the new API keys for the root user.

Using IAM Config, create a config rule that detects when IAM CloudTrail is disabled, as well as any calls to the root user create-api-key. Then use a Lambda function to re-enable CloudTrail logs and deactivate the root API keys.

Using Amazon CloudWatch, create a CloudWatch event that detects IAM CloudTrail deactivation and a separate Amazon Trusted Advisor check to automatically detect the creation of root API keys. Then use a Lambda function to enable IAM CloudTrail and deactivate the root API keys.

Using Amazon CloudTrail, create a new CloudTrail event that detects the deactivation of CloudTrail logs, and a separate CloudTrail event that detects the creation of root API keys. Then use a Lambda function to enable CloudTrail and deactivate the root API keys.

Ensure that file permissions for monitored files that allow the CloudWatch Logs agent to read the file have not been modified.

Verify that the OS Log rotation rules are compatible with the configuration requirements for agent streaming.

Configure an Amazon Kinesis producer to first put the logs into Amazon Kinesis Streams.

Create a CloudWatch Logs metric to isolate a value that changes at least once during the period before logging stops.

Use IAM CloudFormation to dynamically create and maintain the configuration file for the CloudWatch Logs agent.

VPN and a cached storage gateway

IAM Snowball Edge

VPN Gateway over IAM Direct Connect

IAM Direct Connect

Disable the use of the root user account at the organizational root. Enable multi-factor authentication of the root user account for each organizational member account.

Configure IAM user policies to restrict root account capabilities for each Organizations member account.

Create an organizational unit (OU) in Organizations with a service control policy that controls usage of the root user. Add all operational accounts to the new OU.

Configure IAM CloudTrail to integrate with Amazon CloudWatch Logs and then create a metric filter for RootAccountUsage.

The CMK policy

The VPC endpoint policy

The S3 bucket policy

The S3 ACL

The IAM policy

Configure IAM WAF rules to implement the required rules.

Use the operating system built-in, host-based firewall to implement the required rules.

Use a NAT gateway to control ingress and egress according to the requirements.

Launch an EC2-based firewall product from the IAM Marketplace, and implement the required rules in that product.

Bucket1 only

Bucket2 only

Both bucket1 and bucket2

Neither bucket1 nor bucket2

Offload SSL termination onto an SSL listener on a Classic Load Balancer, and use a TCP connection between the load balancer and the EC2 instances.

Route all traffic through a TCP listener on a Classic Load Balancer, and terminate the TLS connection on the EC2 instances.

Create an HTTPS listener using an Application Load Balancer, and route all of the communication through that load balancer.

Offload SSL termination onto an SSL listener using an Application Load Balancer, and re-spawn and SSL connection between the load balancer and the EC2 instances.

All principals from all IAM accounts to use the key.

Only the root user from account 111122223333 to use the key.

All principals from account 111122223333 to use the key but only on Amazon S3.

Only principals from account 111122223333 that have an IAM policy applied that grants access to this key to use the key.

Enable SSL certificates for the Cloudtrail logs

There is no need to do anything since the logs will already be encrypted

Enable Server side encryption for the trail

Enable Server side encryption for the destination S3 bucket

Create an Amazon CloudWatch metric filter that looks for API call error codes and then implement an alarm based on that metric’s rate.

Configure IAM CloudTrail to stream event data to Amazon Kinesis. Configure an IAM Lambda function on the stream to alarm when the threshold has been exceeded.

Run an Amazon Athena SQL query against CloudTrail log files. Use Amazon QuickSight to create an operational dashboard.

Use the Amazon Personal Health Dashboard to monitor the account’s use of IAM services, and raise an alert if service error rates increase.

Create a scheduled process to copy the component’s logs into Amazon S3. Use S3 events to trigger a Lambda function that updates Amazon CloudWatch metrics with the log data. Set up CloudWatch alerts based on the metrics.

Install and configure the Amazon CloudWatch Logs agent on the application’s EC2 instance. Create a CloudWatch metric filter to monitor the application logs. Set up CloudWatch alerts based on the metrics.

Create a scheduled process to copy the application log files to IAM CloudTrail. Use S3 events to trigger Lambda functions that update CloudWatch metrics with the log data. Set up CloudWatch alerts based on the metrics.

Create a file watcher that copies data to Amazon Kinesis when the application writes to the log file. Have Kinesis trigger a Lambda function to update Amazon CloudWatch metrics with the log data. Set up CloudWatch alerts based on the metrics.

Use IAM Certificate Manager to generate certificates from a public certificate authority and deploy them to all the containers.

Create a self-signed certificate in one container and use IAM Secrets Manager to distribute the certificate to the other containers to establish trust.

Use IAM Certificate Manager Private Certificate Authority (ACM PCA) to create a subordinate certificate authority, then create the private keys in the containers and sign them using the ACM PCA API.

Use IAM Certificate Manager Private Certificate Authority (ACM PCA) to create a subordinate certificate authority, then use IAM Certificate Manager to generate the private certificates and deploy them to all the containers.

Create an S3 bucket in a dedicated log account and grant the other accounts write only access. Deliver all log files from every account to this S3 bucket.

Write a Lambda function that queries the Trusted Advisor Cloud Trail checks. Run the function every 10 minutes.

Enable CloudTrail log file integrity validation

Use Systems Manager Configuration Compliance to continually monitor the access policies of S3 buckets containing Cloud Trail logs.

Create a Security Group that blocks all traffic except calls from the CloudTrail service. Associate the security group with) all the Cloud Trail destination S3 buckets.

The Lambda function does not have permissions to start the Athena query execution.

The Security Engineer does not have permissions to start the Athena query execution.

The Athena service does not support invocation through Lambda.

The Lambda function does not have permissions to access the CloudTrail S3 bucket.

In the IAM Console, choose the IAM service and select “Users”. Review the “Access Key Age” column.

Define an IAM policy that denies access if the key age is more than three months and apply to all users.

Write a script that uses the GenerateCredentialReport, GetCredentialReport, and UpdateAccessKey APIs.

Create an Amazon CloudWatch alarm to detect aged access keys and use an IAM Lambda function to disable the keys older than 90 days.

Create a custom authorization service using IAM Lambda.

Configure a SAML identity provider in Amazon Cognito to map attributes to the Amazon Cognito user pool attributes.

Configure the SAML identity provider to add the Amazon Cognito user pool as a relying party.

Configure an Amazon Cognito identity pool to integrate with social login providers.

Update DynamoDB to store the user email addresses and passwords.

Update API Gateway to use a COGNITO_USER_POOLS authorizer.

IAM Trusted Advisor

IAM WAF

IAM Inspector

IAM Config

Pass databases credentials to EC2 by using CloudFormation stack parameters with the property set to true. Ensure that the instance is configured to log to Amazon CloudWatch Logs.

Store database passwords in IAM Systems Manager Parameter Store by using SecureString parameters. Set the IAM role for the EC2 instance profile to allow access to the parameters.

Create an IAM Lambda that ingests the database password and persists it to Amazon S3 with server-side encryption. Have the EC2 instances retrieve the S3 object on startup, and log all script invocations to syslog.

Write a script that is passed in as UserData so that it is executed upon launch of the EC2 instance. Ensure that the instance is configured to log to Amazon CloudWatch Logs.

Use IAM Shield to scan inbound traffic for web exploits. Use VPC Flow Logs and IAM Lambda to restrict egress traffic to specific whitelisted URLs.

Use IAM Shield to scan inbound traffic for web exploits. Use a third-party IAM Marketplace solution to restrict egress traffic to specific whitelisted URLs.

Use IAM WAF to scan inbound traffic for web exploits. Use VPC Flow Logs and IAM Lambda to restrict egress traffic to specific whitelisted URLs.

Use IAM WAF to scan inbound traffic for web exploits. Use a third-party IAM Marketplace solution to restrict egress traffic to specific whitelisted URLs.