A. Create a user in an AWS SSO directory and assign a read-only permissions set. Assign all AWS accounts to be monitored to the new user. Provide the third-party monitoring solution with the user name and password.
B. Create an IAM role in the organization master account. Allow the AWS account of the third-party monitoring solution to assume the role.
C. Invite the AWS account of the third-party monitoring solution to join the organization. Enable all features.
D. Create an AWS CloudFormation template that defines a new IAM role for the third-party monitoring solution with the account of the third party listed in the trust policy. Create the IAM role across all linked AWS accounts by using a stack set.
Solution
Explanation
AWS CloudFormation StackSets can deploy the IAM role across multiple accounts with a single operation. A is incorrect because credentials supplied by AWS SSO are temporary, so the application would lose permissions and have to log in again. B would grant access to the master account only. C is incorrect because accounts belonging to an organization do not receive permissions in the other accounts.
A. Change the SSH port to 2222 on the cluster instances with a user data script. Log in to each instance using SSH over port 2222.
B. Change the SSH port to 2222 on the cluster instances with a user data script. Use AWS Trusted Advisor to remotely manage the cluster instances over port 2222.
C. Launch the cluster instances with no SSH key pairs. Use the Amazon Systems Manager Run Command to remotely manage the cluster instances.
D. Launch the cluster instances with no SSH key pairs. Use AWS Trusted Advisor to remotely manage the cluster instances.
Solution
Explanation
The Systems Manager Run Command requires no inbound ports to be open; it operates entirely over outbound HTTPS (which is open by default for security groups). A and B are ruled out because the requirements clearly state that the only inbound port to be open is 443. D is ruled out because Trusted Advisor does not perform management functions.
A. In the development account: Create a development IAM group with the ability to create and delete application infrastructure. Create an IAM user for each operator and developer and assign them to the development group. In the production account: Create an operations IAM group with the ability to create and delete application infrastructure. Create an IAM user for each operator and assign them to the operations group.
B. In the development account: Create a development IAM group with the ability to create and delete application infrastructure. Create an IAM user for each developer and assign them to the development group. Create an IAM user for each operator and assign them to the development group and the operations group in the production account. In the production account: Create an operations IAM group with the ability to create and delete application infrastructure.
C. In the development account: Create a shared IAM role with the ability to create and delete application infrastructure in the production account. Create a development IAM group with the ability to create and delete application infrastructure. Create an operations IAM group with the ability to assume the shared role. Create an IAM user for each developer and assign them to the development group. Create an IAM user for each operator and assign them to the development group and the operations group.
D. In the development account: Create a development IAM group with the ability to create and delete application infrastructure. Create an operations IAM group with the ability to assume the shared role in the production account. Create an IAM user for each developer and assign them to the development group. Create an IAM user for each operator and assign them to the development group and the operations group. In the production account: Create a shared IAM role with the ability to create and delete application infrastructure. Add the development account to the trust policy for the shared role.
Solution
Explanation
This is the only response that will work and meets the requirements. It follows the standard guidelines for granting cross-account access between two accounts that you control. A requires two sets of credentials for operators, which breaks the requirements. B will not work, as an IAM user cannot be added to an IAM group in a different account. C will not work, as a role cannot grant access to resources in another account; the shared role must be in the account with resources it manages.
A. Create a new IAM role in the Development account with read access to the S3 bucket. Configure S3 to use this new role as its OAI. Modify the build pipeline to assume this role when uploading files from the Development Account.
B. Create a new cross-account IAM role in the Production account with write access to the S3 bucket. Modify the build pipeline to assume this role to upload the files to the Production Account.
C. Modify the S3 upload process in the Development account to set the object owner to the Production Account.
D. Modify the S3 upload process in the Development account to add the bucket-owner-full-control ACL to the objects at upload.
Solution
Explanation
To be able to access the bucket directly and upload objects, a new IAM role can be created in the Production account with the necessary permissions to access the bucket. The role can then be assumed by the build pipeline using cross-account access.
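The cross-account pattern behind the two explanations above (the shared role in the production account trusting the development account, and the build pipeline assuming a role in the account that owns the bucket) modelled offline as an added example, not code from the original page. Account IDs, the role name and the user names are constructed placeholders; the evaluator is a simplified model that ignores Deny statements and conditions.

```python
"""Cross-account access via an IAM role, modelled offline (added example).

The role lives in the account that owns the resources (production) and its
trust policy names the caller's account (development). The caller's own
identity policy must additionally allow sts:AssumeRole on that role: both
halves are required, which is why a role in the wrong account, or a user
with no AssumeRole permission, gets nothing.
"""
PROD_ACCOUNT = "111111111111"       # constructed: owns the bucket / infrastructure
DEV_ACCOUNT = "222222222222"        # constructed: where the IAM users live
ROLE_NAME = "SharedOperationsRole"  # hypothetical role name
ROLE_ARN = f"arn:aws:iam::{PROD_ACCOUNT}:role/{ROLE_NAME}"


def trust_policy(trusted_account: str) -> dict:
    """Trust policy attached to the shared role in the resource-owning account.
    It names the other account (not individual users) as the principal."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def assume_role_policy(role_arn: str) -> dict:
    """Identity policy attached to the operations group (or pipeline role)
    in the caller's account, scoped to the one shared role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": role_arn,
        }],
    }


def _account_of(arn: str) -> str:
    return arn.split(":")[4]


def can_assume(caller_arn: str, caller_policies: list, role_arn: str, trust: dict) -> bool:
    """Simplified AssumeRole decision: the role's trust policy must allow the
    caller's account AND the caller's identity policies must allow the call."""
    trusted = any(
        s["Effect"] == "Allow" and s["Action"] == "sts:AssumeRole"
        and _account_of(s["Principal"]["AWS"]) == _account_of(caller_arn)
        for s in trust["Statement"]
    )
    permitted = any(
        s["Effect"] == "Allow" and s["Action"] == "sts:AssumeRole"
        and s["Resource"] in (role_arn, "*")
        for p in caller_policies for s in p["Statement"]
    )
    return trusted and permitted


if __name__ == "__main__":
    trust = trust_policy(DEV_ACCOUNT)
    ops = [assume_role_policy(ROLE_ARN)]
    print(can_assume(f"arn:aws:iam::{DEV_ACCOUNT}:user/operator1", ops, ROLE_ARN, trust))
    print(can_assume(f"arn:aws:iam::{DEV_ACCOUNT}:user/developer1", [], ROLE_ARN, trust))
```

Granting the third-party monitoring account access in the first question uses the same trust-policy shape with that account's ID in place of the development account.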
A. The IAM users are providing the time-based one-time password (TOTP) codes required for authenticated access.
B. The IAM roles created for the federated users or federated groups trust policy have set the SAML provider as the principal.
C. The company's IdP defines SAML assertions that properly map users or groups in the company to IAM roles with appropriate permissions.
D. The AWS STS service has the on-premises IdP configured as an event source for authentication requests.
E. The IAM users' permissions policy allows the sts:AssumeRoleWithSAML API action.
F. The web portal calls the AWS STS AssumeRoleWithSAML API with the ARN of the SAML provider, the ARN of the IAM role, and the SAML assertion from IdP.
A. Use AWS GuardDuty to run the CVE assessment package on the EC2 instances launched from the approved AMIs
B. Use Amazon Inspector to run the CVE assessment package on the EC2 instances launched from the approved AMIs
C. Use AWS Lambda to write automatic approval rules. Store the approved AMI list in AWS Systems Manager Parameter Store. Use Amazon EventBridge to trigger an AWS Systems Manager Automation document on all EC2 instances every 30 days
D. Use AWS Lambda to write automatic approval rules. Store the approved AMI list in AWS Systems Manager Parameter Store. Use a managed AWS Config rule for continuous scanning on all EC2 instances and use AWS Systems Manager Automation documents for remediation.
E. Use the AWS Systems Manager EC2 agent to run the CVE assessment on the EC2 instances launched from the approved AMIs.
A. The company should create an IAM role and assign the required permissions to the IAM role. The customer should then use the IAM role's Amazon Resource Name (ARN) when requesting access to perform the required tasks.
B. The company should create an IAM role and assign the required permissions to the IAM role. The customer should then use the IAM role's Amazon Resource Name (ARN), including the external ID in the IAM role's trust policy, when requesting access to perform the required tasks.
C. The company should create an IAM user and assign the required permissions to the IAM user. The company should then provide the credentials to the customer to log in and perform the required tasks.
D. The company should provide the customer with their AWS account access keys to log in and perform the required tasks.
A. Use an Application Load Balancer (ALB) in front of the application instance. Use a friendly DNS entry in Amazon Route 53 pointing to the ALB's internet-facing fully qualified domain name (FQDN).
B. Enable AWS Shield Advanced on all public-facing resources.
C. Define an AWS WAF rule to explicitly drop non-UDP traffic and associate the rule with the load balancer.
D. Use a Network Load Balancer (NLB) in front of the application instance. Use a friendly DNS entry in Amazon Route 53 pointing to the NLB's Elastic IP address.
E. Use AWS Global Accelerator with an Elastic Load Balancer as an endpoint.
F. Configure a network ACL rule to block all non-UDP traffic. Associate the network ACL with the subnets that hold the load balancer instances.
A. Use a custom-built OpenID Connect-compatible solution with AWS SSO for authentication and authorization.
B. Use a custom-built SAML-compatible solution that uses LDAP for authentication and uses a SAML assertion to perform authorization to the IAM identity provider.
C. Use a custom-built OpenID Connect-compatible solution for authentication and use Amazon Cognito for authorization.
D. Use a custom-built SAML-compatible solution for authentication and use AWS SSO for authorization.
E. Create a custom-built LDAP connector using Amazon API Gateway and AWS Lambda for authentication. Use a token-based Lambda authorizer that uses JWT.
A. Create a new IAM role in the Development account with read access to the S3 bucket. Configure S3 to use this new role as its OAI. Modify the build pipeline to assume this role when uploading files from the Development Account.
B. Modify the S3 upload process in the Development account to set the object owner to the Production Account.
C. Create a new cross-account IAM role in the Production account with write access to the S3 bucket.
D. Modify the build pipeline to assume this role to upload the files to the Production Account.
E. Modify the S3 upload process in the Development account to add the bucket-owner-full-control ACL to the objects at upload.
A. Ensure that blocking all public access has not been enabled in the S3 bucket.
B. Verify that the IAM role has permission to decrypt the referenced KMS key.
C. Check that local firewall rules are not preventing access to the S3 endpoint.
D. Verify that the IAM role has the correct trust relationship configured.
A. Create a customer managed policy document for each project that requires access to AWS resources. Specify full control of the resources that belong to the project. Attach the project-specific policy document to an IAM group. Change the group membership when developers change projects. Update the policy document when the set of resources changes.
B. Create a policy document for each project with specific project tags and allow full control of the resources with a matching tag. Attach the project-specific policy document to the IAM role for that project. Change the role assigned to the developer's IAM user when they change projects. Assign a specific project tag to new resources when they are created.
C. Create an IAM role for each project that requires access to AWS resources. Attach an inline policy document to the role that specifies the IAM users that are allowed to assume the role, with full control of the resources that belong to the project. Update the policy document when the set of resources changes, or developers change projects.
D. Create a customer managed policy document for each project that requires access to AWS resources. Specify full control of the resources that belong to the project. Attach the project-specific policy document to the developer's IAM user when they change projects. Update the policy document when the set of resources changes.
Solution
Explanation
The correct answer follows the simple principle of using groups to assign permissions to users. A policy document granting full control of the project's resources to the developers in that group can be created. This is the most administratively simple approach because group membership and policy updates are centralized in each group and its policy document.
A. Use Amazon CloudFront with Amazon S3 to host the web application. Use Amazon API Gateway to build the application APIs with AWS Lambda for the custom authorizer. Authorize data access by performing user lookup in AWS Managed Microsoft AD.
B. Use Amazon CloudFront with Amazon EC2 to host the web application. Use Amazon API Gateway to build the application APIs. Use AWS Lambda for custom authentication and authorization. Authorize data access by leveraging IAM roles.
C. Use Amazon CloudFront with Amazon S3 to host the web application. Use AWS AppSync to build the application APIs. Use Amazon Cognito groups for RBAC. Authorize data access by leveraging Cognito groups in AWS AppSync resolvers.
D. Use Amazon CloudFront with Amazon FSx to host the web application. Use AWS AppSync to build the application APIs. Use IAM groups for RBAC. Authorize data access by leveraging IAM groups in AWS AppSync resolvers.
A. Create user accounts in the Management account and use cross-account access to access resources.
B. Enable AWS CloudTrail and keep all CloudTrail trails and logs within each account.
C. Create user accounts in the Production and Development accounts.
D. Create all resources in the Management account and grant access to the Production and Development accounts.
E. Enable AWS CloudTrail and keep all CloudTrail trails and logs in the management account.
A. Configure a Multi-AZ Auto Scaling group using the application's AMI. Create an Application Load Balancer (ALB) and select the previously created Auto Scaling group as the target. Use Amazon Inspector to monitor traffic to the ALB and EC2 instances. Create a web ACL in WAF. Create an AWS WAF using the web ACL and ALB. Use an AWS Lambda function to frequently push the Amazon Inspector report to the third-party auditing application.
B. Configure an Application Load Balancer (ALB) and add the EC2 instances as targets. Create a web ACL in WAF. Create an AWS WAF using the web ACL and ALB name and enable logging with Amazon CloudWatch Logs. Use an AWS Lambda function to frequently push the logs to the third-party auditing application.
C. Configure an Application Load Balancer (ALB) along with a target group adding the EC2 instances as targets. Create an Amazon Kinesis Data Firehose with the destination of the third-party auditing application. Create a web ACL in WAF. Create an AWS WAF using the web ACL and ALB then enable logging by selecting the Kinesis Data Firehose as the destination. Subscribe to AWS Managed Rules in AWS Marketplace, choosing the WAF as the subscriber.
D. Configure a Multi-AZ Auto Scaling group using the application's AMI. Create an Application Load Balancer (ALB) and select the previously created Auto Scaling group as the target. Create an Amazon Kinesis Data Firehose with a destination of the third-party auditing application. Create a web ACL in WAF. Create an AWS WAF using the web ACL and ALB, then enable logging by selecting the Kinesis Data Firehose as the destination. Subscribe to AWS Managed Rules in AWS Marketplace, choosing the WAF as the subscriber.
A. Create an AWS WAF web ACL with a rule to allow access from the IP addresses used by the companies. Associate the web ACL with the API. Create a usage plan with a request limit and associate it with the API. Create an API key and add it to the usage plan.
B. Create an AWS WAF web ACL with a rule to allow access to the IP addresses used by the companies. Associate the web ACL with the API. Create a resource policy with a request limit and associate it with the API. Configure the API to require an API key on the POST method.
C. Create an Amazon CloudFront distribution with the API as the origin. Create an AWS WAF web ACL with a rule to block clients that submit more than ten requests per day. Associate the web ACL with the CloudFront distribution. Add a custom header to the CloudFront distribution populated with an API key. Configure the API to require an API key on the GET method.
D. Create an Amazon CloudFront distribution with the API as the origin. Create an AWS WAF web ACL with a rule to block clients that submit more than ten requests per day. Associate the web ACL with the CloudFront distribution. Configure CloudFront with an origin access identity (OAI) and associate it with the distribution. Configure API Gateway to ensure only the OAI can execute the GET method.
Solution
Explanation
The rate-based rules associated with usage plans specify the number of web requests that are allowed by each client IP in a trailing, continuously updated, 5-minute period. The API key associated with the usage plan ensures that only clients who are using the API key in their requests are granted access. This solution requires that the IP addresses of clients are whitelisted and the API key is distributed to clients to use in their requests to the API.
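The two controls the explanation above combines, a per-client-IP limit over a trailing 5-minute window and a required API key, replayed over constructed access-log records as an added example (not code from the original page). The IPs, keys, timestamps and the deliberately low limit are all constructed sample data; the log format is a hypothetical "epoch_seconds client_ip api_key" line.

```python
"""Rate-based rule and API-key check over sample access logs (added example).

Each client IP gets a trailing WINDOW_SECONDS window; a request is blocked
once RATE_LIMIT requests already sit inside that window. Requests from
non-allow-listed IPs or without a valid distributed API key are blocked first.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 300   # trailing 5-minute period, as the explanation describes
RATE_LIMIT = 3         # constructed low limit so the sample data trips it
VALID_API_KEYS = {"key-partner-a", "key-partner-b"}   # constructed
ALLOWED_IPS = {"203.0.113.10", "203.0.113.20"}        # constructed (TEST-NET-3)

# Constructed log lines: "<epoch_seconds> <client_ip> <api_key or ->"
SAMPLE_LOG = """\
1000 203.0.113.10 key-partner-a
1030 203.0.113.10 key-partner-a
1060 203.0.113.10 key-partner-a
1090 203.0.113.10 key-partner-a
1100 203.0.113.20 key-partner-b
1400 203.0.113.10 key-partner-a
1500 198.51.100.7 key-partner-a
1510 203.0.113.20 -
"""


def parse_log(text: str):
    """Yield (timestamp, ip, api_key) tuples; '-' means no key was sent."""
    for line in text.splitlines():
        ts, ip, key = line.split()
        yield int(ts), ip, (None if key == "-" else key)


def evaluate(records):
    """Return [(timestamp, ip, verdict)] in time order. Verdicts are
    'allowed', 'blocked:ip', 'blocked:apikey' or 'blocked:rate'."""
    windows = defaultdict(deque)   # ip -> timestamps of allowed requests in window
    results = []
    for ts, ip, key in sorted(records, key=lambda r: r[0]):
        if ip not in ALLOWED_IPS:
            results.append((ts, ip, "blocked:ip"))
            continue
        if key not in VALID_API_KEYS:
            results.append((ts, ip, "blocked:apikey"))
            continue
        window = windows[ip]
        while window and ts - window[0] >= WINDOW_SECONDS:
            window.popleft()       # slide the window: drop requests that aged out
        if len(window) >= RATE_LIMIT:
            results.append((ts, ip, "blocked:rate"))
            continue
        window.append(ts)
        results.append((ts, ip, "allowed"))
    return results


def verdicts_for(results, ip: str):
    """Verdict sequence for one client IP, handy for review and testing."""
    return [v for _, i, v in results if i == ip]


if __name__ == "__main__":
    for ts, ip, verdict in evaluate(parse_log(SAMPLE_LOG)):
        print(ts, ip, verdict)
```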
A. Configure a CodeCommit trigger to invoke an AWS Lambda function to scan new code submissions for credentials. If any credentials are found, disable them and notify the user.
B. Use AWS Trusted Advisor to check for unsecured AWS credentials. If any unsecured credentials are found, use AWS Secrets Manager to rotate the credentials.
C. Create an Amazon Macie job that scans AWS CodeCommit repositories for credentials. If any credentials are found, an AWS Lambda function should be triggered that disables the credentials.
D. Run a cron job on an Amazon EC2 instance to check the CodeCommit repositories for unsecured credentials. If any unsecured credentials are found, generate new credentials and store them in AWS KMS.
A. Create a Lambda function to rotate the credentials every hour by deploying a new Lambda version with the updated credentials.
B. Configure Lambda to use the stored database credentials in AWS KMS and enable automatic key rotation.
C. Store the Amazon RDS database credentials in AWS KMS using imported key material.
D. Create encrypted database credentials in AWS Secrets Manager for the Amazon RDS database.
E. Configure Lambda to use the stored database credentials in AWS Secrets Manager and enable automatic rotation.
A. Configure the S3 bucket policy to permit access using an aws:sourceVpce condition to match the S3 endpoint ID.
B. Configure the S3 bucket policy to permit access to the Amazon EMR cluster only.
C. Configure the EMR cluster to use an AWS CloudHSM appliance for at-rest encryption. Configure a gateway VPC endpoint for Amazon S3.
D. Configure the EMR cluster to use an AWS KMS CMK for at-rest encryption. Configure a gateway VPC endpoint for Amazon S3 and a NAT gateway to access AWS KMS.
E. Configure the EMR cluster to use an AWS KMS managed CMK for at-rest encryption. Configure a gateway VPC endpoint for Amazon S3 and an interface VPC endpoint for AWS KMS.
A. Create an IAM account for the new employee and add the account to the security team IAM group. Set a permissions boundary that grants access to manage Amazon DynamoDB, Amazon RDS, and Amazon CloudWatch. When the employee takes on new management responsibilities, add the additional services to the permissions boundary IAM policy.
B. Create an IAM account for the new employee. Create a new IAM group for the employee and add a permissions policy that grants access to manage Amazon DynamoDB, Amazon RDS, and Amazon CloudWatch. When the employee takes on new management responsibilities, add the additional services to the IAM policy.
C. Create an IAM account for the new employee and add the account to the security team IAM group. Use a Service Control Policy (SCP) to limit the maximum available permissions to Amazon DynamoDB, Amazon RDS, and Amazon CloudWatch. When the employee takes on new management responsibilities, remove the SCP.
D. Create an IAM account for the new employee in a dedicated account. Use cross-account access to manage resources. Limit the permissions on the cross-account access role to only allow management of Amazon DynamoDB, Amazon RDS, and Amazon CloudWatch. When the employee takes on new management responsibilities, add permissions to the cross-account access IAM role.
A. Create a separate AWS account for identities where IAM user accounts can be created. Create roles with appropriate permissions in the production and testing accounts. Add the identity account to the trust policies for the roles.
B. Create an AWS Organization that includes the production and testing accounts. Create IAM user accounts in the production and testing accounts and implement service control policies (SCPs) to centrally control permissions.
C. Create a separate AWS account for identities where IAM user accounts can be created. Create roles with appropriate permissions in the identity account and delegate access to the production and testing accounts.
D. Create all user accounts in the production account. Create roles for access in the production account and testing accounts. Grant cross-account access from the production account to the testing account.