SCS-C01 Sample Questions Answers

Build the application server on a public subnet and the database at the client's data center. Connect them with a VPN connection which uses IPsec.

Use the public subnet for the application server and use RDS with a storage gateway to access and synchronize the data securely from the local data center.

Build the application server on a public subnet and the database on a private subnet with a NAT instance between them.

Build the application server on a public subnet and build the database in a private subnet with a secure ssh connection to the private subnet from the client's data center.

Use the secure token service to manage the permissions for the different users

Use IAM Policies to create different policies for the different types of users.

Use the IAM Config tool to manage the permissions for the different users

Use IAM Access Keys to create sets of keys for the different types of users.

Launch the test and production instances in separate regions and allow region wise access to the group

Define the IAM policy which allows access based on the instance ID

Create an IAM policy with a condition which allows access to only small instances

Define the tags on the test and production servers and add a condition to the IAM policy which allows access to specification tags

IAM Cloudwatch

IAM Cloudformation

IAM Cloudtrail

IAM Config

Management of the Edge locations

Encryption of data at rest

Protection of data in transit

Decommissioning of old storage devices

Use an IAM policy that references the LDAP account identifiers and the IAM credentials.

Use SAML (Security Assertion Markup Language) to enable single sign-on between IAM and LDAP.

Use IAM Security Token Service from an identity broker to issue short-lived IAM credentials.

Use IAM roles to automatically rotate the IAM credentials when LDAP credentials are updated.

Create a customer managed CMK Copy the EBS snapshot encrypting the destination snapshot using the new CMK.

Allow forensics accounting principals to use the CMK by modifying its policy.

Create an Amazon EC2 instance. Attach the encrypted and suspicious EBS volume. Copy data from the suspicious volume to an unencrypted volume. Snapshot the unencrypted volume

Copy the EBS snapshot to the new decrypted snapshot

Restore a volume from the suspicious EBS snapshot. Create an unencrypted EBS volume of the same size.

Share the target EBS snapshot with the forensics account.

When storing data in Amazon EBS, use only EBS-optimized Amazon EC2 instances.

When storing data in EBS, encrypt the volume by using IAM KMS.

When storing data in Amazon S3, use object versioning and MFA Delete.

When storing data in Amazon EC2 Instance Store, encrypt the volume by using KMS.

When storing data in S3, enable server-side encryption.

Get prior approval from IAM for conducting the test

Use a pre-approved penetration testing tool.

Work with an IAM partner and no need for prior approval request from IAM

Choose any of the IAM instance type

Ensure an IAM role is created which can be assumed by the partner account.

Ensure an IAM user is created which can be assumed by the partner account.

Ensure the partner uses an external id when making the request

Provide the ARN for the role to the partner account

Provide the Account Id to the partner account

Provide access keys for your account to the partner account

Use Windows bit locker for EBS volumes on Windows instances

Use TrueEncrypt for EBS volumes on Linux instances

Use IAM Systems Manager to encrypt the existing EBS volumes

Boot EBS volume can be encrypted during launch without using custom AMI

Create a new Customer Key using KMS and attach it to the existing volume

You cannot decrypt the data that was encrypted under the CMK, and the data is not recoverable.

Request IAM Support to recover the key

Use IAM Config to recover the key

Use separate VPCs for each of the environments

Use separate IAM Roles for each of the environments

Use separate IAM Policies for each of the environments

Use separate IAM accounts for each of the environments

Create an IAM user and generate encryption keys for that user. Create a policy for Redshift read-only access. Embed th keys in the application.

Create an HSM client certificate in Redshift and authenticate using this certificate.

Create a Redshift read-only access policy in IAM and embed those credentials in the application.

Use roles that allow a web identity federated user to assume a role that allows access to the Redshift table by providing temporary credentials.

EC2 instances in our public subnet, no EIPs, route outgoing traffic via the IGW

EC2 instances in our public subnet, assigned EIPs, and route outgoing traffic via the NAT

EC2 instance in our private subnet, assigned EIPs, and route our outgoing traffic via our IGW

EC2 instances in our private subnet, no EIPs, route outgoing traffic via the NAT

Enable VPC flow logs to know the source IP addresses

Monitor the S3 API calls by using Cloudtrail logging

Monitor the S3 API calls by using Cloudwatch logging

Enable IAM Inspector for the S3 bucket

From the IAM Management Console, navigate to the Security Credentials page and retrieve the access and secret key for your account.

Create an IAM user within the enterprise account assign a user policy to the IAM user that allows only the actions required by the SaaS application. Create a new access and secret key for the user and provide these credentials to the SaaS provider.

Create an IAM role for cross-account access allows the SaaS provider's account to assume the role and assign it a policy that allows only the actions required by the SaaS application.

Create an IAM role for EC2 instances, assign it a policy that allows only the actions required tor the Saas application to work, provide the role ARN to the SaaS provider to use when launching their application instances.

Encrypt the EBS volumes of the underlying EC2 Instances

Use IAM KMS Customer Default master key

Use SSL/TLS for encrypting the data

Use S3 Encryption

Enable bucket versioning and also enable CRR

Enable bucket versioning and enable Master Pays

For the Bucket policy add a condition for {"Null": {"IAM:MultiFactorAuthAge": true}} i

Enable the Bucket ACL and add a condition for {"Null": {"IAM:MultiFactorAuthAge": true}}

Generate pre-signed URLs for each user as they request access to protected S3 content

Create an IAM user for each subscribed user and assign the GetObject permission to each IAM user

Create an S3 bucket policy that limits access to your private content to only your subscribed users'credentials

Crpafp a Cloud Front Clriein Identity user for vnur suhsrrihprl users and assign the GptOhiprt oprmissinn to this user

Trigger an IAM Config Rules evaluation of the restricted-common-ports rule against every EC2 instance.

Query the Trusted Advisor API for all best practice security checks and check for "action recommened" status.

Enable a GuardDuty threat detection analysis targeting the port configuration on every EC2 instance.

Run an Amazon inspector assessment using the Runtime Behavior Analysis rules package against every EC2 instance.

Modify the security groups for the VPC to allow access to the 53 bucket

Modify the route tables to allow access for the VPC endpoint

Modify the IAM Policy for the bucket to allow access for the VPC endpoint

Modify the bucket Policy for the bucket to allow access for the VPC endpoint

Tag the instance with a production-identifying tag and add resource-level permissions to the employee user with an explicit deny on the terminate API call to instances with the production tag. <

Tag the instance with a production-identifying tag and modify the employees group to allow only start stop, and reboot API calls and not the terminate instance call.

Modify the IAM policy on the user to require MFA before deleting EC2 instances and disable MFA access to the employee

Modify the IAM policy on the user to require MFA before deleting EC2 instances

It places too much emphasis on already implemented security controls.

The response plan is not implemented on a regular basis

The response plan does not cater to new services

The response plan is complete in its entirety

Ensure the applications are hosted in a public subnet

Check to see if the VPC has an Internet gateway attached.

Check to see if the VPC has a NAT gateway attached.

Check the Route tables for the VPC's

"Effect": "Allow". "Action": ["Describe"], "Resource": "Billing"

"Effect": "Allow", "Action": ["AccountUsage], "Resource": "*"

"Effect': "Allow", "Action": ["IAM-portal:ViewUsage"," IAM-portal:ViewBilling"], "Resource": "*"

"Effect": "Allow", "Action": ["IAM-portal: ViewBilling"], "Resource": "*"

Enable versioning on the S3 bucket

Enable data at rest for the objects in the bucket

Enable MFA Delete in the bucket policy

Enable data in transit for the objects in the bucket

Take a snapshot of the EBS volume

Isolate the machine from the network

Make sure that logs are stored securely for auditing and troubleshooting purpose

Ensure all passwords for all IAM users are changed

Ensure that all access kevs are rotated.

IAM Cognito

IAM SAML

IAM IAM

IAM Config

Verify that the 0.0.0.0/0 route in the route table for the web server subnet points to a NAT gateway.

Verify which Security Group is applied to the particular web server’s elastic network interface (ENI).

Verify that the 0.0.0.0/0 route in the route table for the web server subnet points to the virtual security appliance.

Verify the registered targets in the ALB.

Verify that the 0.0.0.0/0 route in the public subnet points to a NAT gateway.

Create a new CMK. Download a new wrapping key and a new import token to import the original key material

Create a new CMK Use the original wrapping key and import token to import the original key material.

Download a new wrapping key and a new import token Import the original key material into the existing CMK.

Use the original wrapping key and import token Import the original key material into the existing CMK

One in the US West (Oregon) region and one in the US East (Virginia) region.

Two in the US West (Oregon) region and none in the US East (Virginia) region.

One in the US West (Oregon) region and none in the US East (Virginia) region.

Two in the US East (Virginia) region and none in the US West (Oregon) region.

Add a template constraint to each product in the portfolio.

Add a launch constraint to each product in the portfolio.

Define resource update constraints for each product in the portfolio.

Update the IAM CloudFormalion template backing the product to include a service role configuration.

Use IAM X-Ray to inspect the traffic going 10 the EC2 instances

Move the state content to Amazon S3 and font this with an Amazon CloudFront distribution

Change the security group configuration to block the source of the attack traffic

Use IAM WAF security rules to inspect the inbound traffic

Use Amazon inspector assessment templates to inspect the inbound traffic

Use Amazon Route 53 to distribute traffic

Option A

Option B

Option C

Option D

Enable Amazon GuardDuty and IAM Security Hub in all Regions and all accounts. Designate a master security account to receive all alerts from the child accounts. Set up specific rules within Amazon Even;Bridge to trigger an IAM Lambda function for remediation steps.

Ingest all IAM CloudTrail logs, VPC Flow Logs, and DNS logs into a single Amazon S3 bucket in a designated security account. Use the current on-premises SIEM to monitor the logs and send a notification to an Amazon SNS topic to alert the security team of remediation steps.

Ingest all IAM CloudTrail logs, VPC Flow Logs, and DNS logs into a single Amazon S3 bucket in a designated security account. Launch an Amazon EC2 instance and install the current SIEM to monitor the logs and send a notification to an Amazon SNS topic to alert the security team of remediation steps.

Enable Amazon GuardDuty and IAM Security Hub in all Regions and all accounts. Designate a master security account to receive all alerts from the child accounts. Create an IAM Organizations SCP that denies access to certain API calls that are on an ignore list.

The SOS queue does not allow the SQS SendMessage action from the SNS topic

The SNS topic does not allow the SNS Publish action from Amazon S3

The SNS topic is not delivering raw messages to the SQS queue

The S3 bucket policy does not allow CloudTrail to perform the PutObject action

The IAM role used by the 5EM tool does not have permission to subscribe to the SNS topic

The IAM role used by the SEM tool does not allow the SQS DeleteMessage action.

Use IAM Inspector to inspect all S3 buckets and enable logging for those where it is not enabled

Use IAM Config Rules to check whether logging is enabled for buckets

Use IAM Cloudwatch metrics to check whether logging is enabled for buckets

Use IAM Cloudwatch logs to check whether logging is enabled for buckets

Change the access keys for all IAM users.

Delete all custom created IAM policies

Delete the access keys for the root account

Confirm MFAtoa secure device

Change the password for the root account

Change the password for all IAM users

Enable IAM Config and set it to record all resources in all Regions and global resources. Then enable IAM Security Hub and confirm that the CIS IAM Foundations compliance standard is enabled

Enable Amazon Inspector and configure it to scan all Regions for the CIS IAM Foundations Benchmarks. Then enable IAM Security Hub and configure it to ingest the

Amazon Inspector findings

Enable Amazon Inspector and configure it to scan all Regions for the CIS IAM Foundations Benchmarks. Then enable IAM Shield in all Regions to protect the account from DDoS attacks.

Enable IAM Config and set it to record all resources in all Regions and global resources Then enable Amazon Inspector and configure it to enforce CIS IAM Foundations Benchmarks using IAM Config rules.

Use Imported key material with CMK

Use an IAM KMS CMK

Use an IAM managed CMK.

Use an IAM KMS customer managed CMK

Create a new trail with the updated log file prefix, and then delete the original nail Update the existing bucket policy in the Amazon S3 console with the new log the prefix, and then update the log file prefix in the CloudTrail console

Update the existing bucket policy in the Amazon S3 console to allow the security engineers principal to perform PutBucketPolicy. and then update the log file prefix in the CloudTrail console

Update the existing bucket policy in the Amazon S3 console with the new log file prefix, and then update the log file prefix in the CloudTrail console.

Update the existing bucket policy in the Amazon S3 console to allow the security engineers principal to perform GetBucketPolicy, and then update the log file prefix in the CloudTrail console

Use individual ACLs on each S3 object.

Use IAM groups tor sharing files between application social network users

Store each user's files in a separate S3 bucket and apery a bucket policy based on the user's sharing settings

Generate presigned UPLs for each file access

The IAM user launching those instances is missing ec2:Runinstances permission.

The AMI used as encrypted and the IAM does not have the required IAM KMS permissions.

The instance profile used with the EC2 instances in unable to query instance metadata.

IAM currently does not have sufficient capacity in the Region.

Use Security Groups to block the IP addresses

Use VPC Flow Logs to block the IP addresses

Use IAM inspector to block the IP addresses

Use IAM WAF to block the IP addresses

Use IAM Organizations to limit IAM Config rules to the appropriate Regions, and then consolidate the Amazon CloudWatch dashboard into one IAM account.

Use IAM Config aggregation to consolidate the views into one IAM account, and provide role access to the security team.

Consolidate IAM Config rule results with an IAM Lambda function and push data to Amazon SQS. Use Amazon SNS to consolidate and alert when some metrics are triggered.

Use Amazon GuardDuty to load data results from the IAM Config rules compliance status, aggregate GuardDuty findings of all IAM accounts into one IAM account, and provide role access to the security team.

The CMK key policy does not allow CloudTrail to make encrypt and decrypt API calls against the key.

The CMK key policy does not allow CloudTrail to make GenerateDataKey API calls against the key.

The IAM role used by the CloudTrail trail does not have permissions to make PutObject API calls against a folder created for the Organizations trail.

The S3 bucket policy does not allow CloudTrail to make PutObject API calls against a folder created for the Organizations trail.

The CMK key policy does not allow the IAM role used by the CloudTrail trail to use the key for crypto graphicaI operations.

Use IAM Config to ensure that the servers have no critical flIAM.

Use IAM inspector to ensure that the servers have no critical flIAM.

Use IAM inspector to patch the servers

Use IAM SSM to patch the servers

Launch a NAT instance in the public subnet Update the custom route table with a new route to the NAT instance

Remove the internet gateway, and add IAM PrivateLink to the VPC Then update the custom route table with a new route to IAM PrivateLink

Add a managed NAT gateway to the VPC Update the custom route table with a new route to the gateway

Add an egress-only internet gateway to the VPC. Update the custom route table with a new route to the gateway

Edit the existing VPC Flow Logs. Change the log format of the VPC Flow Logs from the Amazon default format to a custom format.

Delete and recreate the existing VPC Flow Logs. Change the log format of the VPC Flow Logs from the Amazon default format to a custom format.

Change the destination to Amazon CloudWatch Logs.

Include the pkt-srcaddr and pkt-dstaddr fields in the log format.

Include the subnet-id and instance-id fields in the log format.

Launch the EC2 instances with an IAM role attached. Include a user data script that uses the IAM CLI to retrieve the list of bad IP addresses from IAM Secrets Manager and uploads it as a threat list in Amazon GuardDuty Use Amazon Inspector to scan the instances for known software vulnerabilities and CIS Benchmarks compliance

Launch the EC2 instances with an IAM role attached Include a user data script that uses the IAM CLl to create NACLs blocking ingress traffic from the known bad IP addresses in the EC2 instance's subnets Use IAM Systems Manager to scan the instances for known software vulnerabilities, and IAM Trusted Advisor to check instances for CIS Benchmarks compliance

Launch the EC2 instances with an IAM role attached Include a user data script that uses the IAM CLl to create and attach security groups that only allow an allow listed source IP address range inbound. Use Amazon Inspector to scan the instances for known software vulnerabilities, and IAM Trusted Advisor to check instances for CIS Benchmarks compliance

Launch the EC2 instances with an IAM role attached Include a user data script that creates a cron job to periodically retrieve the list of bad IP addresses from Amazon S3, and configures iptabies on the instances blocking the list of bad IP addresses Use Amazon inspector to scan the instances for known software vulnerabilities and CIS Benchmarks compliance.

Use IAM Resource Access Manager to create shared resources for each requited security group and apply an IAM policy that permits read-only access to the security groups only.

Create an IAM CloudFormation template that creates the required security groups Execute the template as part of configuring new accounts Enable Amazon Simple Notification Service (Amazon SNS) notifications when changes occur

Use IAM Firewall Manager to create a security group policy, enable the policy feature to identify and revert local changes, and enable automatic remediation

Use IAM Control Tower to edit the account factory template to enable the snare security groups option Apply an SCP to the OU or individual accounts that prohibits security group modifications from local account users

Log in to each account four times a day and filter the IAM CloudTrail log data, then copy and paste the logs in to the Amazon S3 bucket in the destination account.

Set up Amazon CloudWatch to stream data to an Amazon S3 bucket in each source account. Set up bucket replication for each source account into a centralized bucket owned by the Security Engineer.

Set up an IAM Config aggregator to collect IAM configuration data from multiple sources.

Set up Amazon CloudWatch cross-account log data sharing with subscriptions in each account. Send the logs to Amazon Kinesis Data Firehose in the Security Engineer's account.

in every IAM account, configure IAM Lambda to query me IAM Support API tor IAM Trusted Advisor security checks Send the results from Lambda to an Amazon SNS topic to send reports.

Configure Amazon GuardDuty in a master account and invite all other accounts to be managed by the master account Use GuardDuty's integration with Amazon SNS to report on findings

Use Amazon Athena and Amazon QuickSight to build reports off of IAM CloudTrail Create a daily Amazon CloudWatch trigger to run the report dally and email It using Amazon SNS

Use IAM Artifact's prebuilt reports and subscriptions Subscribe the Director of Information Security to the reports by adding the Director as the security alternate contact tor each account

Associate the instances to the same security groups.

Add 0.0.0.0/0 to the egress rules of the instance security groups.

Add the instance IDs to the ingress rules of the instance security groups.

Add the public IP addresses to the ingress rules of the instance security groups.

Establish an IAM Direct Connect connection with IAM and set up a Direct Connect gateway. In the Direct Connect gateway configuration, enable IPsec and BGP, and then leverage native IAM network encryption between Availability Zones and Regions,

Establish an IAM Direct Connect connection with IAM and set up a Direct Connect gateway. Using the Direct Connect gateway, create a private virtual interface and advertise the customer gateway private IP addresses. Create a VPN connection using the customer gateway and the virtual private gateway

Establish a VPN connection with the IAM virtual private cloud over the internet

Establish an IAM Direct Connect connection with IAM and establish a public virtual interface. For prefixes that need to be advertised, enter the customer gateway public IP addresses. Create a VPN connection over Direct Connect using the customer gateway and the virtual private gateway.

Create an Identity and Access Management (IAM) user for CloudFront and grant access to the objects in your S3 bucket to that IAM User.

Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAl.

Create individual policies for each bucket the documents are stored in and in that policy grant access to only CloudFront.

Create an S3 bucket policy that lists the CloudFront distribution ID as the Principal and the target bucket as the Amazon Resource Name (ARN).

Set up an Amazon CloudWatch Events rule that triggers an Amazon SNS notification.

Set up an Amazon CloudWatch Events rule that triggers an Amazon SNS notification logs from S3 and generate notifications using Amazon SNS.

Set up a rule in IAM config to trigger root user events. Trigger an IAM Lambda function and generate notifications using Amazon SNS.

Use Amazon Inspector to monitor the usage of the root user and generate notifications using Amazon SNS

The S3 ACL for the S3 bucket fails to explicitly grant access to the Application Developer

The IAM KMS key for the S3 bucket fails to list the Application Developer as an administrator

The S3 bucket policy fails to explicitly grant access to the Application Developer

The S3 bucket policy explicitly denies access to the Application Developer

Option A

Option B

Option C

Option D

The EC2 instance role does not have decrypt permissions on the IAM Key Management Sen/ice (IAM KMS) key used to encrypt the secret

The EC2 instance role does not have read permissions to read the parameters In Parameter Store

Parameter Store does not have permission to use IAM Key Management Service (IAM KMS) to decrypt the parameter

The EC2 instance role does not have encrypt permissions on the IAM Key Management Service (IAM KMS) key associated with the secret

The EC2 instance does not have any tags associated.

Use IAM Secrets Manager and an IAM SDK to create a unique secret for the customer-specific data

Use IAM Key Management Service (IAM KMS) and the IAM Encryption SDK to generate and store a data encryption key for each customer.

Use IAM Key Management Service (IAM KMS) with service-managed keys to generate and store customer-specific data encryption keys

Use IAM Key Management Service (IAM KMS) and create an IAM CloudHSM custom key store Use CloudHSM to generate and store a new CMK for each customer.

Change the value of IAM MultiFactorAuthPresent to true.

Instruct users to run the IAM sts get-session-token CLI command and pass the multi-factor authentication —serial-number and —token-code parameters. Use these resulting values to make API/CLI calls

Implement federated API/CLI access using SAML 2.0, then configure the identity provider to enforce multi-factor authentication.

Create a role and enforce multi-factor authentication in the role trust policy Instruct users to run the sts assume-role CLI command and pass --serial-number and —token-code parameters Store the resulting values in environment variables. Add sts:AssumeRole to NotAction in the policy.

Use IAM Config to track configuration changes to Lambda functions, runtime environments, tags, handler names, code sizes, memory allocation, timeout settings, and concurrency settings, along with Lambda IAM execution role, subnet, and security group associations.

Use IAM CloudTrail to implement governance, compliance, operational, and risk auditing for Lambda.

Use Amazon Inspector to automatically monitor for vulnerabilities and perform governance, compliance, operational, and risk auditing for Lambda.

Use IAM Resource Access Manager to track configuration changes to Lambda functions, runtime environments, tags, handler names, code sizes, memory allocation, timeout settings, and concurrency settings, along with Lambda IAM execution role, subnet, and security group associations.

Use Amazon Macie to discover, classify, and protect sensitive data being executed inside the Lambda function.

Remove the instance from the Auto Scaling group Place the instance within an isolation security group, detach the EBS volume launch an EC2 instance with a forensic toolkit and attach the E8S volume to investigate

Remove the instance from the Auto Scaling group and the Elastic Load Balancer Place the instance within an isolation security group, launch an EC2 instance with a forensic toolkit, and allow the forensic toolkit image to connect to the suspicious Instance to perform the Investigation.

Remove the instance from the Auto Scaling group Place the Instance within an isolation security group, launch an EC2 Instance with a forensic toolkit and use the forensic toolkit imago to deploy an ENI as a network span port to inspect all traffic coming from the suspicious instance.

Remove the instance from the Auto Scaling group and the Elastic Load Balancer Place the instance within an isolation security group, make a copy of the EBS volume from a new snapshot, launch an EC2 Instance with a forensic toolkit and attach the copy of the EBS volume to investigate.

Develop the application to use the CloudFront key pair to create signed URLs that users will use to access the content.

Develop the application to use the CloudFront key pair to set the signed cookies that users will use to access the content.

Develop the application to issue a security token that Lambda@Edge will receive to authenticate and authorize access to the content

Keep the CloudFront URL encrypted inside the application, and use IAM KMS to resolve the URL on-the-fly after the user is authenticated.

Extract the subject (sub), audience (aud), and cognito:username from the ID token payload Manually check the subject and audience for the user name In the user pool

Search for the public key with a key ID that matches the key ID In the header of the token. Then use a JSON Web Token (JWT) library to validate the signature of the token and extract values, such as the expiry date

Verify that the token is not expired. Then use the token_use claim function In Amazon Cognito to validate the key IDs

Copy the JSON Web Token (JWT) as a JSON document Obtain the public JSON Web Key (JWK) and convert It to a pem file. Then use the file to validate the original JWT.

Pass the key alias to IAM KMS when calling Encrypt and Decrypt API actions.

Use IAM policies to restrict access to Encrypt and Decrypt API actions.

Use kms:EncryptionContext as a condition when defining IAM policies for the CMK.

Use key policies to restrict access to the appropriate IAM groups.

Create a cron job that runs a script lo download the IAM IAM security credentials We. parse the file for account root user logins and email the Security team's distribution 1st

Run IAM CloudTrail logs through Amazon CloudWatch Events to detect account roo4 user logins and trigger an IAM Lambda function to send an Amazon SNS notification to the Security team's distribution list.

Save IAM CloudTrail logs to an Amazon S3 bucket in the Security team's account Process the CloudTrail logs with the Security Engineer's logging solution for account root user logins Send an Amazon SNS notification to the Security team upon encountering the account root user login events

Save VPC Plow Logs to an Amazon S3 bucket in the Security team's account and process the VPC Flow Logs with their logging solutions for account root user logins Send an Amazon SNS notification to the Security team upon encountering the account root user login events

The CMK specified in the application does not exist.

The CMK specified in the application is currently in use.

The CMK specified in the application is using the CMK KeyID instead of CMK Amazon Resource Name.

The CMK specified in the application is not enabled.

The CMK specified in the application is using an alias.

Verify that the log file prefix is set to the name of the S3 bucket where the logs should go.

Verify that the S3 bucket policy allows access for CloudTrail from the production IAM account IDs.

Create a new CloudTrail configuration in the account, and configure it to log to the account’s S3 bucket.

Confirm in the CloudTrail Console that each trail is active and healthy.

Open the global CloudTrail configuration in the master account, and verify that the storage location is set to the correct S3 bucket.

Confirm in the CloudTrail Console that the S3 bucket name is set correctly.

Create a new Amazon S3 bucket Use EBS lifecycle policies to move EBS snapshots to the new S3 bucket. Move snapshots to Amazon S3 Glacier using lifecycle policies, and apply Glacier Vault Lock policies to prevent deletion

Use IAM Systems Manager to distribute a configuration that performs local backups of all attached disks to Amazon S3.

Create a new IAM account with limited privileges. Allow the new account to access the IAM KMS key used to encrypt the EBS snapshots, and copy the encrypted snapshots to the new account on a recuning basis

Use IAM Backup to copy EBS snapshots to Amazon S3.

Open inbound port 22 to 0 0.0.0/0 on all Linux servers.

Enable the advanced-instances tier in Systems Manager.

Create a managed-instance activation for the on-premises servers.

Reconfigure the Systems Manager Agent with the activation code and ID.

Assign an IAM role to all of the on-premises servers.

Initiate an inventory collection with Systems Manager on the on-premises servers

Move the SCP to the root OU of Organizations to remove the restriction to access Amazon S3.

Add an IAM policy for the Developer, which grants S3 access.

Create a new OU without applying the SCP restricting S3 access. Move the Developer account to this new OU.

Add an allow list for the Developer account for the S3 service.

Within the Auto Scaling lifecycle, add a hook to create and attach an Amazon Elastic Block Store (Amazon EBS) log volume each time an EC2 instance is created. When the instance is terminated, the EBS volume can be reattached to another instance for log review.

Create an Amazon Elastic File System (Amazon EFS) file system and add a command in the user data section of the Auto Scaling launch template to mount the EFS file system during EC2 instance creation Configure a process on the instance to copy the logs once a day from an instance Amazon Elastic Block Store (Amazon EBS) volume to a directory in the EFS file system.

Build the Amazon CloudWatch agent into the AMI used in the Auto Scaling group. Configure the CloudWatch agent to send the logs to Amazon CloudWatch Logs for review.

Within the Auto Scaling lifecycle, add a lifecycle hook at the terminating state transition and alert the engineering team by using a lifecycle notification to Amazon Simple Notification Service (Amazon SNS). Configure the hook to remain in the Terminating:Wait state for 1 hour to allow manual review of the security logs prior to instance termination.

Use a host based intrusion detection system

Use a third party firewall installed on a central EC2 instance

Use VPC Flow logs

Use Network Access control lists logging

Create one Cloudtrail log group for data events

Create one trail that logs data events to an S3 bucket

Create another trail that logs management events to another S3 bucket

Create another Cloudtrail log group for management events

Change the existing DHCP options set

Create a new DHCP options set and replace the existing one.

Change the route table for the VPC

Change the subnet configuration to allow DNS requests from the new DNS Server

It will allow all access to the bucket mybucket

It will allow the user mark from IAM account number 111111111 all access to the bucket but deny everyone else all access to the bucket

It will deny all access to the bucket mybucket

None of these

Use an Application Load balancer and terminate the SSL connection at the ELB

Use a Classic Load balancer and terminate the SSL connection at the ELB

Use an Application Load balancer and terminate the SSL connection at the EC2 Instances

Use a Classic Load balancer and terminate the SSL connection at the EC2 Instances

Enable CloudTrail logging in all accounts into S3 buckets

Enable CloudTrail logging in all accounts into Amazon Glacier

Ensure a lifecycle policy is defined on the S3 bucket to move the data to EBS volumes after 6 months.

Ensure a lifecycle policy is defined on the S3 bucket to move the data to Amazon Glacier after 6 months.

Use the VPC Flow Logs.

Use a network monitoring tool provided by an IAM partner.

Use another instance. Setup a port to "promiscuous mode" and sniff the traffic to analyze the packets. -

Use Cloudwatch metric

Create a Lambda function that mounts the EBS volume with the logs and scans the logs for security incidents. Trigger the function every 5 minutes with a scheduled Cloudwatch event.

Send the local text log files to CloudWatch Logs and configure a CloudWatch metric filter. Trigger cloudwatch alarms based on the metrics.

Install the Amazon inspector agent on any EC2 instance running the legacy application. Generate CloudWatch alerts a based on any Amazon inspector findings.

Export the local text log files to CloudTrail. Create a Lambda function that queries the CloudTrail logs for security ' incidents using Athena.

Ensure to create a strong password for logging into the EC2 Instance

Create a key pair using putty

Use the private key to log into the instance

Ensure the password is passed securely using SSL

Amazon Route 53

IAM Certificate Manager (ACM)

Amazon S3

IAM Shield

Elastic Load Balancer

Amazon GuardDuty

Rotate the potentially compromised access key that the EC2 instance uses Create a new AM I without the potentially compromised credentials Perform an EC2 Auto Scaling instance refresh

Delete or deactivate the potentially compromised access key Create an EC2 Auto Scaling linked 1AM role that includes a custom policy that matches the potentially

compromised access key permission Associate the new 1AM role with the Auto Scaling group Perform an EC2 Auto Scaling instance refresh.

Delete or deactivate the potentially compromised access key Create a new AMI without the potentially compromised credentials Create an 1AM role that includes the correct permissions Create a launch template for the Auto Scaling group to reference the new AMI and 1AM role Perform an EC2 Auto Scaling instance refresh

Rotate the potentially compromised access key Create a new AMI without the potentially compromised access key Use a user data script to supply the new access key as environmental variables in the Auto Scaling group's launch configuration Perform an EC2 Auto Scaling instance refresh

In the statement block that contains the Sid "Allow use of the key", under the "Condition" block, change StringEquals to StringLike.

In the policy document, remove the statement Dlock that contains the Sid "Enable IAM User Permissions". Add key management policies to the KMS policy.

In the statement block that contains the Sid "Allow use of the Key", under the "Condition" block, change the Kms:ViaService value to ec2.us-east-1 .amazonIAM com.

In the policy document, add a new statement block that grants the kms:Disable' permission to the security engineer's IAM role.

Move the SCP to the root OU of organization to remove the restriction to access Amazon $3.

Add an IAM policy for the developer, which grants $3 access.

Create a new OU without applying the SCP restricting $3 access. Move the developer account to this new OU.

Add an allow list for the developer account for the $3 service.

Request a certificate (torn ACM in the us-west-2 Region Add the domain names that the certificate will secure

Send an email message to the domain administrators to request vacation of the domains for ACM

Request validation of the domains for ACM through DNS Insert CNAME records into each domain's DNS zone

Create an Application Load Balancer for me caching solution Select the newly requested certificate from ACM to be used for secure connections

Create an Amazon CloudFront distribution for the caching solution Enter the main CNAME record as the Origin Name Enter the subdomain names or alternate names in the Alternate Domain Names Distribution Settings Select the newly requested certificate from ACM to be used for secure connections

Request a certificate from ACM in the us-east-1 Region Add the domain names that the certificate wil secure

chmod 0040 ssh/my_private_key pern

chmod 0400 ssh/my_private_key pern

chmod 0004 ssh/my_private_key pern

chmod 0777 ssh/my_private_key pern

Use short but complex password on the root account and any administrators.

Use IAM IAM Geo-Lock and disallow anyone from logging in except for in your city.

Use MFA on all users and accounts, especially on the root account.

Don't write down or remember the root account password after creating the IAM account.

Modify EBS default encryption settings in the target AWS Region to enable encryption. Use an Auto Scaling group instance refresh.

Modify the launch templates for the web layer and the backend layer to add AWS Certificate Manager (ACM) encryption for the attached EBS volumes. Use an Auto Scaling group instance refresh.

Create a new AWS Key Management Service (AWS KMS) encrypted DB cluster from a snapshot of the existing DB cluster.

Apply AWS Key Management Service (AWS KMS) encryption to the existing DB cluster.

Apply AWS Certificate Manager (ACM) encryption to the existing DB cluster.

Create dedicated IAM users within each IAM account that employees can assume through federation based upon group membership in their existing identity provider

Use a centralized account with IAM roles that employees can assume through federation with their existing identity provider Use cross-account roles to allow the federated users to assume their target role in the resource accounts.

Configure the IAM Security Token Service to use Kerberos tokens so that users can use their existing corporate user names and passwords to access IAM resources directly

Configure the IAM trust policies within each account's role to set up a trust back to the corporation's existing identity provider allowing users to assume the role based off their SAML token

IAM Inspector, CloudTrail, IAM Credential Reports

CloudTrail. IAM Credential Reports, IAM SNS

CloudTrail, IAM Config, IAM Credential Reports

IAM SQS, IAM Credential Reports, CloudTrail

Manually rotate a key within KMS to create a new CMK immediately

Use the KMS import key functionality to execute a delete key operation

Use the schedule key deletion function within KMS to specify the minimum wait period for deletion

Change the KMS CMK alias to immediately prevent any services from using the CMK.

Create a pre sign-up AWS Lambda trigger. Associate the Amazon Cognito function with the Amazon Cognito user pool.

Use a geographic match rule statement to configure an AWS WAF web ACL. Associate the web ACL with the Amazon Cognito user pool.

Configure an app client for the application's Amazon Cognito user pool. Use the app client ID to validate the requests in the hosted Ul.

Update the application's Amazon Cognito user pool to configure a geographic restriction setting.

Use Amazon Cognito to configure a social identity provider (IdP) to validate the requests on the hosted Ul.

Use Amazon issued AWS Certificate Manager (ACM) certificates on the EC2 instances and the Elastic Load Balancer to configure end-to-end encryption

Import a third-party SSL certificate to AWS Certificate Manager (ACM) Install the third-party certificate on the EC2 instances Associate the ACM imported third-party certificate with the Elastic Load Balancer

Deploy AWS CloudHSM Import a third-party certificate Configure the EC2 instances and the Elastic Load Balancer to use the CloudHSM imported certificate

Import a third-party certificate bundle to AWS Certificate Manager (ACM) Install the third-party certificate on the EC2 instances Associate the ACM imported third-party certificate with the Elastic Load Balancer.

Use AWS CloudTrail to detect the configuration changes by filtering API calls to monitor the changes. Use the most recent API call to indicate the cumulative impact of multiple calls

Use AWS Config to detect the configuration changes and to record the latest configuration in case of multiple configuration changes.

Use Amazon CloudWatch to detect the configuration changes by filtering API calls to monitor the changes. Use the most recent API call to indicate the cumulative impact of multiple calls.

Use AWS Cloud Map to detect the configuration changes. Generate a report of configuration changes from AWS Cloud Map to track the latest state by using a sliding time window.

Use the EC2 serial console Configure the EC2 serial console to save all commands that are entered to an Amazon S3 bucket. Provide the EC2 instances with an IAM role that allows the EC2 serial console to access Amazon S3. Configure an IAM account for the system administrator. Provide an IAM policy that allows the IAM account to use the EC2 serial console.

Use EC2 Instance Connect Configure EC2 Instance Connect to save all commands that are entered to Amazon CloudWatch Logs. Provide the EC2 instances with an IAM role that allows the EC2 instances to access CloudWatch Logs Configure an IAM account for the system administrator. Provide an IAM policy that allows the IAM account to use EC2 Instance Connect.

Use an EC2 key pair with an EC2 instance that needs SSH access Access the EC2 instance with this key pair by using SSH. Configure the EC2 instance to save all commands that are entered to Amazon CloudWatch Logs. Provide the EC2 instance with an IAM role that allows the EC2 instance to access Amazon S3 and CloudWatch Logs.

Use AWS Systems Manager Session Manager Configure Session Manager to save all commands that are entered in a session to an Amazon S3 bucket. Provide the EC2 instances with an IAM role that allows Systems Manager to manage the EC2 instances. Configure an IAM account for the system administrator Provide an IAM policy that allows the IAM account to use Session Manager.

Review the IAM CloudTrail event history logs in an Amazon S3 bucket and look for the Terminatelnstances event to identify the federated user from the role session name.

Filter the IAM CloudTrail event history for the Terminatelnstances event and identify the assumed IAM role. Review the AssumeRoleWithSAML event call in CloudTrail to identify the corresponding username.

Search the IAM CloudTrail logs for the Terminatelnstances event and note the event time. Review the IAM Access Advisor tab for all federated roles. The last accessed time should match the time when the instance was terminated.

Use Amazon Athena to run a SQL query on the IAM CloudTrail logs stored in an Amazon S3 bucket and filter on the Terminatelnstances event. Identify the corresponding role and run another query to filter the AssumeRoleWithWebldentity event for the user name.

Option A

Option B

Option C

Option D

Outbound SG configuration on database servers Inbound SG configuration on application servers inbound and outbound network ACL configuration on the database subnet Inbound and outbound network ACL configuration on the application server subnet

Inbound SG configuration on database servers

Outbound SG configuration on application servers

Inbound and outbound network ACL configuration on the database subnet

Inbound and outbound network ACL configuration on the application server subnet

Inbound and outbound SG configuration on database servers Inbound and outbound SG configuration on application servers Inbound network ACL configuration on the database subnet Outbound network ACL configuration on the application server subnet

Inbound SG configuration on database servers Outbound SG configuration on application servers Inbound network ACL configuration on the database subnet Outbound network ACL configuration on the application server subnet.

Filter IAM CloudTrail logs for KeyRotaton events

Monitor Amazon CloudWatcn Events for any IAM KMS CMK rotation events

Using the IAM CLI. run the IAM kms gel-key-relation-status operation with the --key-id parameter to check the CMK rotation date

Use Amazon Athena to query IAM CloudTrail logs saved in an S3 bucket to filter Generate New Key events

Create an IAM role in the production account and allow EC2 instances in the development account to assume that role using the trust policy. Provide read access for the required S3 bucket to this role.

Use a custom identity broker to allow Developer IAM users to temporarily access the S3 bucket.

Create a temporary IAM user for the application to use in the production account.

Create a temporary IAM user in the production account and provide read access to Amazon S3. Generate the temporary IAM user's access key and secret key and store these on the EC2 instance used by the application in the development account.

There is a security group blocking outbound port 80 traffic that is preventing the agent from sending the logs

The IAM instance profile on the EC2 instance was not properly configured to allow the CloudWatch Logs agent to push the logs to CloudWatch

CloudWatch Logs status is set to ON versus SECURE, which prevents it from pulling in OS security event logs

The VPC requires that all traffic go through a proxy, and the CloudWatch Logs agent does not support a proxy configuration.

Provision a Direct Connect connection to an IAM region using a Direct Connect partner.

Create a VPN tunnel for private connectivity, which increases network consistency and reduces latency.

Create an iPSec tunnel for private connectivity, which increases network consistency and reduces latency.

Create a VPC peering connection between IAM and the Customer gateway.

Create an IAM group for each application team. Associate policies with each IAM group. Provision IAM users for each application team member. Add the new IAM users to the appropriate IAM group by using role-based access control (RBAC).

Delegate application team leads to provision IAM rotes for each team. Conduct a quarterly review of the IAM rotes the team leads have provisioned. Ensure that the application team leads have the appropriate training to review IAM roles.

Put each AWS account in its own OU. Add an SCP to each OU to grant access to only the AWS services that the teams plan to use. Include conditions tn the AWS account of each team.

Create an SCP and a permissions boundary for IAM roles. Add the SCP to the root OU so that only roles that have the permissions boundary attached can create any new IAM roles.

Enable VPC Flow Logs in all VPCs Create a scheduled IAM Lambda function that downloads and parses the logs, and sends an Amazon SNS notification for violations.

Use IAM CloudTrail to make a trail, and apply it to all Regions Specify an Amazon S3 bucket to receive all the CloudTrail log files

Add the following bucket policy to the company's IAM CloudTrail bucket to prevent log tampering

{

"Version": "2012-10-17-,

"Statement": {

"Effect": "Deny",

"Action": "s3:PutObject",

"Principal": "-",

"Resource": "arn:IAM:s3:::cloudtrail/IAMLogs/111122223333/*"

}

}

Create an Amazon S3 data event for an PutObject attempts, which sends notifications to an Amazon SNS topic.

Create a Security Auditor role with permissions to access Amazon CloudWatch Logs m all Regions Ship the logs to an Amazon S3 bucket and make a lifecycle policy to ship the logs to Amazon S3 Glacier.

Verify that Amazon GuardDuty is enabled in all Regions, and create an Amazon CloudWatch Events rule for Amazon GuardDuty findings Add an Amazon SNS topic as the rule's target

Update the CloudFront distribution. configuring it to optionally use HTTPS when connecting to origins on Amazon S3

Update the web application configuration on the web servers to use HTTPS instead of HTTP when connecting to DynamoDB

Update the CloudFront distribution to redirect HTTP corrections to HTTPS

Configure the web servers on the EC2 instances to listen using HTTPS using the public ACM TLS certificate Update the ALB to connect to the target group using HTTPS

Update the ALB listen to listen using HTTPS using the public ACM TLS certificate. Update the CloudFront distribution to connect to the HTTPS listener.

Create a TLS certificate Configure the web servers on the EC2 instances to use HTTPS only with that certificate. Update the ALB to connect to the target group using HTTPS.

Place the RDS instance in a public subnet and an IAM Lambda function outside the VPC. Schedule the Lambda function to run every 3 months to rotate the secrets.

Place the RDS instance in a private subnet and an IAM Lambda function inside the VPC in the private subnet. Configure the private subnet to use a NAT gateway. Schedule the Lambda function to run every 3 months to rotate the secrets.

Place the RDS instance in a private subnet and an IAM Lambda function outside the VPC. Configure the private subnet to use an internet gateway. Schedule the Lambda function to run every 3 months lo rotate the secrets.

Place the RDS instance in a private subnet and an IAM Lambda function inside the VPC in the private subnet. Schedule the Lambda function to run quarterly to rotate the secrets.

Place the RDS instance in a private subnet and an IAM Lambda function inside the VPC in the private subnet. Configure a Secrets Manager interface endpoint. Schedule the Lambda function to run every 3 months to rotate the secrets.

Create an identity policy that allows the sts: AssumeRole action in the AWS account that contains the resources. Attach the identity policy to the IAM user.

Ensure that the sts: AssumeRole action is allowed by the SCPs of the organization that owns the resources that the IAM user needs to access.

Create a role in the AWS account that contains the resources. Create an entry in the role's trust policy that allows the IAM user to assume the role. Attach the trust policy to the role.

Establish a trust relationship between the IAM user and the AWS account that contains the resources.

Create a role in the IAM user's AWS account. Create an identity policy that allows the sts: AssumeRole action. Attach the identity policy to the role.

Store the database credentials in AWS Secrets Manager. Configure automatic credential rotation tor every 30 days.

Store the database credentials in AWS Systems Manager Parameter Store. Create an AWS Lambda function to rotate the credentials every 30 days.

Store the database credentials in an environment file or in a configuration file. Modify the credentials every 30 days.

Store the database credentials in an environment file or in a configuration file. Create an AWS Lambda function to rotate the credentials every 30 days.

Ask the developers to change their password and use a different web browser.

Ensure that developers are using multi-factor authentication (MFA) when they log in to their developer account as the developer role.

Modify the production account ReadS3 role policy to allow the PutBucketPolicy action on the productionapp S3 bucket.

Update the trust relationship policy on the production account S3 role to allow the account number of the developer account.

Update the developer group permissions in the developer account to allow access to the productionapp S3 bucket.

Do not use SSH-RSA private keys during the launch of new instances. Implement AWS Systems Manager Session Manager.

Generate new SSH-RSA private keys for existing instances. Implement AWS Systems Manager Session Manager.

Do not use SSH-RSA private keys during the launch of new instances. Configure EC2 Instance Connect.

Generate new SSH-RSA private keys for existing instances. Configure EC2 Instance Connect.

Attach a policy to the IAM user to allow the user to assume the role that was created in the top-level account. Specify the role's ARN in the policy.

Create an SCP that grants permissions to the top-level account.

Use the root account of the business unit account to assume the role that was created in the top-level account. Specify the role's ARN in the policy.

Forward the credentials of the IAM role in the top-level account to the IAM user in the business unit account.

The IAM rote does not have permission to use the KMS CreateKey operation.

The S3 bucket lacks a policy that allows access to the customer managed key that encrypts the objects.

The IAM rote does not have permission to use the customer managed key that encrypts the objects that are in the S3 bucket.

The ACL of the S3 objects does not allow read access for the objects when the objects ace encrypted at rest.

Use Amazon inspector to determine which systems do not have the latest patches applied, and after 30 days, redeploy those instances with the latest AMI version

Configure Amazon EC2 Systems Manager to report on instance patch compliance and enforce updates during the defined maintenance windows

Examine IAM CloudTrail togs to determine whether any instances have not restarted in the last 30 days, and redeploy those instances

Update the AMls with the latest approved patches and redeploy each instance during the defined maintenance window

Use AWS Secrets Manager to store the customer managed key in us-west-1 as a secret Use this secret to encrypt the snapshot in us-west-1.

Create a new customer managed key in us-west-1. Use this new key to encrypt the snapshot in us-west-1.

Create an IAM policy that allows access to the customer managed key in us-east-1. Specify am aws kms us-west-1 " as the principal.

Create an IAM policy that allows access to the customer managed key in us-east-1. Specify arn aws rds us-west-1. * as the principal.

Allow Account-1 to access the KMS key in Account-2 using a key policy

Attach an IAM policy to the service-linked role in Account-1 that allows these actions CreateGrant. DescnbeKey, Encrypt, GenerateDataKey, Decrypt, and ReEncrypt

Create a KMS grant for the service-linked role with these actions CreateGrant, DescnbeKey Encrypt GenerateDataKey Decrypt, and ReEncrypt

Attach an IAM policy to the role attached to the EC2 instances with KMS actions and then allow Account-1 in the KMS key policy.

Attach an IAM policy to the user who is launching EC2 instances and allow the user to access the KMS key policy of Account-2.

Create a key policy that allows the kms:Decrypt action only for Amazon S3 and DynamoDB. Create an SCP that denies the creation of S3 buckets and DynamoDB tables that are not encrypted with the key.

Create an 1AM policy that denies the kms:Decrypt action for the key. Create a Lambda function than runs on a schedule to attach the policy to any new roles. Create an AWS Config rule to send alerts for resources that are not encrypted with the key.

Create a key policy that allows the kms:Decrypt action only for Amazon S3, DynamoDB, Lambda, and Amazon EKS. Create an SCP that denies the creation of S3 buckets and DynamoDB tables that are not encrypted with the key.

Create a key policy that allows the kms:Decrypt action only for Amazon S3, DynamoDB, Lambda, and Amazon EKS. Create an AWS Config rule to send alerts for resources that are not encrypted with the key.

In the security account configure an IAM role for the new Lambda function. Attach an IAM policy that allows access to the KMS key in the security account.

In the development account configure an IAM role for the new Lambda function. Attach a key policy that allows access to the KMS key in the security account.

In the development account configure an IAM role for the new Lambda function. Attach an IAM policy that allows access to the KMS key in the security account.

Configure a key policy for the KMS key m the security account to allow access to the IAM role of the new Lambda function in the security account.

Configure a key policy for the KMS key in the security account to allow access to the IAM role of the new Lambda function in the development account.

Create an IAM Config rule to detect the creation of unencrypted RDS databases. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to trigger on the IAM Config rules compliance state change and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.

Use IAM System Manager State Manager to detect RDS database encryption configuration drift. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to track state changes and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.

Create a read replica for the existing unencrypted RDS database and enable replica encryption in the process. Once the replica becomes active, promote it into a standalone database instance and terminate the unencrypted database instance.

Take a snapshot of the unencrypted RDS database. Copy the snapshot and enable snapshot encryption in the process. Restore the database instance from the newly created encrypted snapshot. Terminate the unencrypted database instance.

Enable encryption for the identified unencrypted RDS instance by changing the configurations of the existing database

Turn on the awslogs log driver by specifying parameters for awslogs-group and awslogs-region m the LogConfiguration property

Download and configure the CloudWatch agent on the container instances

Set up Fluent Bit and FluentO as a DaemonSet to send logs to Amazon CloudWatch Logs

Configure an 1AM policy that includes the togs CreateLogGroup action Assign the policy to the container instances

Use the SimpleCORS managed response headers policy.

Use a Lambda@Edge function to add the Strict-Transport-Security response header.

Use the SecurityHeadersPolicy managed response headers policy.

Include the X-XSS-Protection header in a custom response headers policy.

Enable server side encryption for the S3 bucket. This request will ensure that the data is encrypted first.

Use the IAM Encryption CLI to encrypt the data first

Use a Lambda function to encrypt the data before sending it to the S3 bucket.

Enable client encryption for the bucket

Option A

Option B

Option C

Option D

Option E

Option F

Use Amazon CloudWatch monitoring to capture Amazon EC2 and networking metrics Visualize metrics using Amazon CloudWatch dashboards.

Run the Amazon Kinesis Agent to write the status data to Amazon Kinesis Data Firehose Store the streaming data from Kinesis Data Firehose in Amazon Redshift. (hen run a script on the pool data and analyze the data in Amazon Redshift

Write the status data directly to a public Amazon S3 bucket from the health-checking component Configure S3 events to invoke an IAM Lambda function that analyzes the data

Generate events from the health-checking component and send them to Amazon CloudWatch Events. Include the status data as event payloads. Use CloudWatch Events rules to invoke an IAM Lambda function that analyzes the data.

Place the network interface in promiscuous mode to capture the traffic.

Configure VPC Flow Logs to send traffic to the monitoring EC2 instance using a Network Load Balancer.

Configure VPC traffic mirroring to send traffic to the monitoring EC2 instance using a Network Load Balancer.

Use Amazon Inspector to detect network-level attacks and trigger an IAM Lambda function to send the suspicious packets to the EC2 instance.

Use a Network Load Balancer (NLB) to pass through traffic on port 443 from the internet to port 443 on the instances.

Purchase an external certificate, and upload it to the IAM Certificate Manager (for use with the ELB) and to the instances. Have the ELB decrypt traffic, and route and re-encrypt with the same certificate.

Generate an internal self-signed certificate and apply it to the instances. Use IAM Certificate Manager to generate a new external certificate for the ELB. Have the ELB decrypt traffic, and route and re-encrypt with the internal certificate.

Upload a new external certificate to the load balancer. Have the ELB decrypt the traffic and forward it on port 80 to the instances.

Use the IAM Trusted Advisor to see what can be done.

Use VPC Flow logs to diagnose the traffic

Use IAM WAF to analyze the traffic

Use IAM Guard Duty to analyze the traffic

Deploy a pre-authorized scanning engine from the IAM Marketplace into VPC B, and use it to scan instances in all three VPCs. Do not complete the penetration test request form.

Deploy a pre-authorized scanning engine from the Marketplace into each VPC, and scan instances in each VPC from the scanning engine in that VPC. Do not complete the penetration test request form.

Create a VPN connection from the data center to VPC A. Use an on-premises scanning engine to scan the instances in all three VPCs. Complete the penetration test request form for all three VPCs.

Create a VPN connection from the data center to each of the three VPCs. Use an on-premises scanning engine to scan the instances in each VPC. Do not complete the penetration test request form.

Create a VPN connection from the data center to each of the three VPCs. Use an on-premises scanning engine to scan the instances in each VPC. Complete the penetration test request form for all three VPCs.

Create a Cloudwatch Events Rule s

Create a Cloudwatch Logs Rule

Use a Lambda function

Use Cloudtrail API call

In the IAM Console, choose the IAM service and select “Users”. Review the “Access Key Age” column.

Define an IAM policy that denies access if the key age is more than three months and apply to all users.

Write a script that uses the GenerateCredentialReport, GetCredentialReport, and UpdateAccessKey APIs.

Create an Amazon CloudWatch alarm to detect aged access keys and use an IAM Lambda function to disable the keys older than 90 days.

email.us-east-1.amazonIAM.com over port 8080

email-pop3.us-east-1.amazonIAM.com over port 995

email-smtp.us-east-1.amazonIAM.com over port 587

email-imap.us-east-1.amazonIAM.com over port 993

After 30 days

After 128 days

After 365 days

After 3 years

Delete the key-pair key from the EC2 console, then create a new key pair.

Use the modify-instance-attribute API to change the key on any EC2 instance that is using the key.

Use the EC2 RunCommand to modify the authorized_keys file on any EC2 instance that is using the key.

Update the key pair in any AMI used to launch the EC2 instances, then restart the EC2 instances.

Use custom route tables to prevent malicious traffic from routing to the instances.

Update security groups to deny traffic from the originating source IP addresses.

Use network ACLs.

Install intrusion prevention software (IPS) on each instance.

Use IAM KMS with IAM managed keys and the ScheduleKeyDeletion API with a PendingWindowInDays set to 0 to remove the keys if necessary.

Use KMS with IAM imported key material and then use the DeletelmportedKeyMaterial API to remove the key material if necessary.

Use IAM CloudHSM to store the keys and then use the CloudHSM API or the PKCS11 library to delete the keys if necessary.

Use the Systems Manager Parameter Store to store the keys and then use the service API operations to delete the key if necessary.

Delete the internet gateway associated with the VPC.

Use network access control lists to block source IP addresses matching 0.0.0.0/0.

Use a host-based firewall to prevent access from all but the organization’s firewall IP.

Use IAM Config rules to detect 0.0.0.0/0 and invoke an IAM Lambda function to update the security group with the organization's firewall IP.

Change the volume encryption on the EBS volume to use a different encryption mechanism. Then, release the EBS volumes back to IAM.

Release the volumes back to IAM. IAM immediately wipes the disk after it is deprovisioned.

Delete the encryption key used to encrypt the EBS volume. Then, release the EBS volumes back to IAM.

Delete the data by using the operating system delete commands. Run Quick Format on the drive and then release the EBS volumes back to IAM.

IAM IAM groups

IAM IAM users

IAM IAM roles

IAM IAM access keys

Enable logging on the KMS service

Enable a trail in Cloudtrail

Enable Cloudwatch logs

Use Cloudwatch metrics

Conduct an audit on a yearly basis

Conduct an audit if application instances have been added to your account

Conduct an audit if you ever suspect that an unauthorized person might have accessed your account

Whenever there are changes in your organization

Change the S3 bucket/object permission so that only the bucket owner has access.

Set up a CloudFront origin access identity (OAI), and change the S3 bucket/object permission so that only the OAI has access.

Create IAM roles for CloudFront, and change the S3 bucket/object permission so that only the IAM role has access.

Redirect S3 bucket access to the corresponding CloudFront distribution.

Change the key policy permissions associated with the KMS CMK for each application when it must access the data in Amazon S3.

Have each application assume an IAM role that provides permissions to use the IAM Certificate Manager CMK.

Have each application use a grant on the KMS CMK to add or remove specific access controls on the KMS CMK.

Have each application use an IAM policy in a user context to have specific access permissions on the KMS CMK.

The execution role for the Lambda function did not grant permissions to write log data to CloudWatch Logs.

The Lambda function was executed by using Amazon API Gateway, so the logs are not stored in CloudWatch Logs.

The execution role for the Lambda function did not grant permissions to write to the Amazon S3 bucket where CloudWatch Logs stores the logs.

The version of the Lambda function that was executed was not current.

The account’s CMK key policy must allow the account’s IAM roles to perform KMS EnableKey.

Newly created CMKs must have a key policy that allows the root principal to perform all actions.

Newly created CMKs must allow the root principal to perform the kms CreateGrant API operation.

Newly created CMKs must mirror the IAM policy of the KMS key administrator.

Use versioning and enable a timestamp for each version

Use Pre-signed URL's

Use IAM Roles with a timestamp to limit the access

Use IAM policies with a timestamp to limit the access

Request KMS to provide the stored unencrypted data key and then use the retrieved data key to decrypt the data.

Keep the plaintext data key stored in Amazon DynamoDB protected with IAM policies. Query DynamoDB to retrieve the data key to decrypt the data

Use the Encrypt API to store an encrypted version of the data key with another customer managed key. Decrypt the data key and use it to decrypt the data when required.

Store the encrypted data key alongside the encrypted data. Use the Decrypt API to retrieve the data key to decrypt the data when required.

Create a new S3 bucket in a separate IAM account for centralized storage of CloudTrail logs, and enable “Log File Validation” on all trails.

Use an existing S3 bucket in one of the accounts, apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the "s3: PutObject" action and the "s3 GetBucketACL" action, and specify the appropriate resource ARNs for the CloudTrail trails.

Apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the "s3 PutObject" action and the "s3 GelBucketACL" action, and specify the appropriate resource ARNs for the CloudTrail trails.

Use unique log file prefixes for trails in each IAM account.

Configure CloudTrail in the centralized account to log all accounts to the new centralized S3 bucket.

Enable encryption of the log files by using IAM Key Management Service

Install antivirus software and ensure that signatures are up-to-date. Configure Amazon CloudWatch alarms to send alerts for security events.

Install host-based IDS software to check for file integrity. Export the logs to Amazon CloudWatch Logs for monitoring and alerting.

Export system log files to Amazon S3. Parse the log files using an IAM Lambda function that will send alerts of any unauthorized system login attempts through Amazon SNS.

Use Amazon CloudWatch Logs to detect file system changes. If a change is detected, automatically terminate and recreate the instance from the most recent AMI. Use Amazon SNS to send notification of the event.

Create a VPC endpoint for DynamoDB within a VPC. Configure the Lambda function to access resources in the VPC.

Create a resource policy that grants the Lambda function permissions to write to the DynamoDB table. Attach the poll to the DynamoDB table.

Create an IAM user with permissions to write to the DynamoDB table. Store an access key for that user in the Lambda environment variables.

Create an IAM service role with permissions to write to the DynamoDB table. Associate that role with the Lambda function.

An IAM Managed Policy

An Inline Policy

A Bucket Policy

A bucket ACL

Add a statement to the IAM policy used by the application to allow logs:putLogEvents and logs:createLogStream

Modify the IAM role used by the application by adding the CloudWatchFullAccess managed policy.

Add a statement to the IAM policy used by the application to allow cloudwatch:putMetricData.

Add a trust relationship to the IAM role used by the application for cloudwatch.amazonIAM.com.

Amazon S3 with default encryption

IAM CloudHSM

Amazon DynamoDB with server-side encryption

IAM Systems Manager Parameter Store

Use a VPC endpoint

Attach an Internet gateway to the subnet

Attach a VPN connection to the VPC

Use VPC Peering

Ensure that file permissions for monitored files that allow the CloudWatch Logs agent to read the file have not been modified.

Verify that the OS Log rotation rules are compatible with the configuration requirements for agent streaming.

Configure an Amazon Kinesis producer to first put the logs into Amazon Kinesis Streams.

Create a CloudWatch Logs metric to isolate a value that changes at least once during the period before logging stops.

Use IAM CloudFormation to dynamically create and maintain the configuration file for the CloudWatch Logs agent.

Use KMS and the normal KMS encryption keys

Use KMS and use an external key material

Use S3 Server Side encryption

Use Cloud HSM

Develop an alerting mechanism based on processing IAM CloudTrail logs.

Monitor Amazon S3 Event Notifications for objects stored in buckets in unapproved regions.

Analyze Amazon CloudWatch Logs for activities in unapproved regions.

Use IAM Trusted Advisor to alert on all resources being created.

Connect to the EC2 instances that are not sending the appropriate logs and verify that the CloudWatch Logs agent is running.

Log in to the IAM account and select CloudWatch Logs. Check for any monitored EC2 instances that are in the “Alerting” state and restart them using the EC2 console.

Verify that the EC2 instances have a route to the public IAM API endpoints.

Connect to the EC2 instances that are not sending logs. Use the command prompt to verify that the right permissions have been set for the Amazon SNS topic.

Verify that the network access control lists and security groups of the EC2 instances have the access to send logs over SNMP.

Use IAM Config to examine the employee's IAM permissions prior to the incident and compare them to the employee's current IAM permissions.

Use Made to examine the employee's IAM permissions prior to the incident and compare them to the employee's A current IAM permissions.

Use CloudTrail to examine the employee's IAM permissions prior to the incident and compare them to the employee's current IAM permissions.

Use Trusted Advisor to examine the employee's IAM permissions prior to the incident and compare them to the employee's current IAM permissions.

Select server-side encryption with Amazon S3-managed keys (SSE-S3) and select an IAM-managed CMK.

Select Amazon S3-IAM KMS managed encryption keys (S3-KMS) and select a customer-managed CMK with key rotation enabled.

Select server-side encryption with Amazon S3-managed keys (SSE-S3) and select a customer-managed CMK that has imported key material.

Select server-side encryption with IAM KMS-managed keys (SSE-KMS) and select an alias to an IAM-managed CMK.

Use the IAM account root user access keys instead of the IAM Management Console

Enable multi-factor authentication for the IAM IAM users with the AdministratorAccess managed policy attached to them

Enable multi-factor authentication for the IAM account root user

Use IAM KMS to encrypt all IAM account root user and IAM IAM access keys and set automatic rotation to 30 days

Do not create access keys for the IAM account root user; instead, create IAM IAM users

Change the “Resource” from “arn: IAM:s3:::Bucket” to “arn:IAM:s3:::Bucket/*”.

Change the “Principal” from “*” to {IAM:”arn:IAM:iam: : account-number: user/username”}

Change the “Version” from “2012-10-17” to the last revised date of the policy

Change the “Action” from [“s3:*”] to [“s3:GetObject”, “s3:ListBucket”]

Upload an SSL certificate to IAM, and configure Amazon CloudFront with the passphrase for the private key.

Call KMS.Encrypt() in the client, passing in the data file contents, and call KMS.Decrypt() server-side.

Use IAM Certificate Manager to provision a certificate on an Elastic Load Balancing in front of the web service’s servers.

Create a new VPC with an Amazon VPC VPN endpoint, and update the web service’s DNS record.

Create a Customer Master Key (CMK) for each data classification type, and enable the rotation of it annually. For the “Restricted” CMK, define the MFA policy within the key policy. Use S3 SSE-KMS to encrypt the objects.

Create a CMK grant for each data classification type with EnableKeyRotation and MultiFactorAuthPresent set to true. S3 can then use the grants to encrypt each object with a unique CMK.

Create a CMK for each data classification type, and within the CMK policy, enable rotation of it annually, and define the MFA policy. S3 can then create DEK grants to uniquely encrypt each object within the S3 bucket.

Create a CMK with unique imported key material for each data classification type, and rotate them annually. For the “Restricted” key material, define the MFA policy in the key policy. Use S3 SSE-KMS to encrypt the objects.

Server-side encryption with Amazon S3-managed keys (SSE-S3)

Server-side encryption with IAM KMS-managed keys (SSE-KMS)

Server-side encryption with customer-provided keys (SSE-C)

Client-side encryption with an IAM KMS-managed CMK

Use a filter in IAM CloudTrail to exclude the IP addresses of the Security team’s EC2 instances.

Add the Elastic IP addresses of the Security team’s EC2 instances to a trusted IP list in Amazon GuardDuty.

Install the Amazon Inspector agent on the EC2 instances that the Security team uses.

Grant the Security team’s EC2 instances a role with permissions to call Amazon GuardDuty API operations.

Remove the sensitive data from the object name, and store the sensitive data using S3 user-defined metadata.

Add an S3 bucket policy that denies the action s3:GetObject

Use a random and unique S3 object key, and create an S3 metadata index in Amazon DynamoDB using client-side encrypted attributes.

Store all sensitive objects in Binary Large Objects (BLOBS) in an encrypted Amazon RDS instance.

Use IAM Certificate Manager to generate certificates from a public certificate authority and deploy them to all the containers.

Create a self-signed certificate in one container and use IAM Secrets Manager to distribute the certificate to the other containers to establish trust.

Use IAM Certificate Manager Private Certificate Authority (ACM PCA) to create a subordinate certificate authority, then create the private keys in the containers and sign them using the ACM PCA API.

Use IAM Certificate Manager Private Certificate Authority (ACM PCA) to create a subordinate certificate authority, then use IAM Certificate Manager to generate the private certificates and deploy them to all the containers.

Copy the data directly from the EBS encrypted volume before the volume is detached from the EC2 instance.

Recover the data from the EBS encrypted volume using an earlier version of the KMS backing key.

Make a request to IAM Support to recover the S3 encrypted data.

Make a request to IAM Support to restore the deleted CMK, and use it to recover the data.

Detach the elastic network interface from the EC2 instance.

Initiate an Amazon Elastic Block Store volume snapshot of all volumes on the EC2 instance.

Disable any Amazon Route 53 health checks associated with the EC2 instance.

De-register the EC2 instance from the ALB and detach it from the Auto Scaling group.

Attach a security group that has restrictive ingress and egress rules to the EC2 instance.

Add a rule to an IAM WAF to block access to the EC2 instance.