A company is using AWS Organizations to manage multiple AWS accounts. The company has an application that allows users to assume the AppUser IAM role to download files from an Amazon S3 bucket that is encrypted with an AWS KMS CMK However when users try to access the files in the S3 bucket they get an access denied error.

What should a Security Engineer do to troubleshoot this error? (Select THREE )

A. Ensure the KMS policy allows the AppUser role to have permission to decrypt for the CMK

B. Ensure the S3 bucket policy allows the AppUser role to have permission to get objects for the S3 bucket

C. Ensure the CMK was created before the S3 bucket.

D. Ensure the S3 block public access feature is enabled for the S3 bucket.

E. Ensure that automatic key rotation is disabled for the CMK

F. Ensure the SCPs within Organizations allow access to the S3 bucket.

A company has an encrypted Amazon S3 bucket. An Application Developer has an IAM policy that allows access to the S3 bucket, but the Application Developer is unable to access objects within the bucket. What is a possible cause of the issue?

A. The S3 ACL for the S3 bucket fails to explicitly grant access to the Application Developer

B. The AWS KMS key for the S3 bucket fails to list the Application Developer as an administrator

C. The S3 bucket policy fails to explicitly grant access to the Application Developer

D. The S3 bucket policy explicitly denies access to the Application Developer

The Accounting department at Example Corp. has made a decision to hire a third-party firm, AnyCompany, to monitor Example Corp.'s AWS account to help optimize costs.

The Security Engineer for Example Corp. has been tasked with providing AnyCompany with access to the required Example Corp. AWS resources. The Engineer has created an IAM role and granted permission to AnyCompany's AWS account to assume this role.

When customers contact AnyCompany, they provide their role ARN for validation. The Engineer is concerned that one of AnyCompany's other customers might deduce Example Corp.'s role ARN and potentially compromise the company's account.

What steps should the Engineer perform to prevent this outcome?

A. Create an IAM user and generate a set of long-term credentials. Provide the credentials to AnyCompany. Monitor access in IAM access advisor and plan to rotate credentials on a recurring basis.

B. Request an external ID from AnyCompany and add a condition with sts:Externald to the role's trust policy.

C. Require two-factor authentication by adding a condition to the role's trust policy with aws:MultiFactorAuthPresent.

D. Request an IP range from AnyCompany and add a condition with aws:SourceIp to the role's trust policy.

A security team must present a daily briefing to the CISO that includes a report of which of the company's thousands of EC2 instances and on-premises servers are missing the latest security patches. All instances/servers must be brought into compliance within 24 hours so they do not show up on the next day's report. How can the security team fulfill these requirements?

Please select:

A. Use Amazon QuickSight and Cloud Trail to generate the report of out of compliance instances/servers. Redeploy all out of compliance instances/servers using an AMI with the latest patches.

B. Use Systems Manger Patch Manger to generate the report of out of compliance instances/ servers. Use Systems Manager Patch Manger to install the missing patches.

C. Use Systems Manger Patch Manger to generate the report of out of compliance instances/ servers. Redeploy all out of1 compliance instances/servers using an AMI with the latest patches.

D. Use Trusted Advisor to generate the report of out of compliance instances/servers. Use Systems Manger Patch Manger to install the missing patches.

A Security Engineer receives alerts that an Amazon EC2 instance on a public subnet is under an SFTP brute force attack from a specific IP address, which is a known malicious bot. What should the Security Engineer do to block the malicious bot?

A. Add a deny rule to the public VPC security group to block the malicious IP

B. Add the malicious IP to AWS WAF backhsted IPs

C. Configure Linux iptables or Windows Firewall to block any traffic from the malicious IP

D. Modify the hosted zone in Amazon Route 53 and create a DNS sinkhole for the malicious IP

You work at a company that makes use of AWS resources. One of the key security policies is to ensure that all data i encrypted both at rest and in transit. Which of the following is one of the right ways to implement this.

Please select:

A. Use S3 SSE and use SSL for data in transit

B. SSL termination on the ELB

C. Enabling Proxy Protocol

D. Enabling sticky sessions on your load balancer

A Security Administrator has a website hosted in Amazon S3. The Administrator has been given the following requirements:

Users may access the website by using an Amazon CloudFront distribution. Users may not access the website directly by using an Amazon S3 URL.

Which configurations will support these requirements? (Choose two.)

A. Associate an origin access identity with the CloudFront distribution.

B. Implement a "Principal": "cloudfront.amazonaws.com" condition in the S3 bucket policy.

C. Modify the S3 bucket permissions so that only the origin access identity can access the bucket contents.

D. Implement security groups so that the S3 bucket can be accessed only by using the intended CloudFront distribution.

E. Configure the S3 bucket policy so that it is accessible only through VPC endpoints, and place the CloudFront distribution into the specified VPC.

A company's engineering team is developing a new application that creates AWS Key Management Service (AWS KMS) CMK grants for users. Immediately after a grant is created, users must be able to use the CMK to encrypt a 512-byte payload. During load testing, a bug appears intermittently where AccessDeniedExceptions are occasionally triggered when a user first attempts to encrypt using the CMK.

Which solution should the company's security specialist recommend?

A. Instruct users to implement a retry mechanism every 2 minutes until the call succeeds.

B. Instruct the engineering team to consume a random grant token from users, and to call the CreateGrant operation, passing it the grant token. Instruct users to use that grant token in their call to encrypt.

C. Instruct the engineering team to create a random name for the grant when calling the CreateGrant operation. Return the name to the users and instruct them to provide the name as the grant token in the call to encrypt.

D. Instruct the engineering team to pass the grant token returned in the CreateGrant response to users. Instruct users to use that grant token in their call to encrypt.

A company is running an application in The eu-west-1 Region. The application uses an IAM Key Management Service (IAM KMS) CMK to encrypt sensitive data. The company plans to deploy the application in the eu-north-1 Region.

A security engineer needs to implement a key management solution for the application deployment in the new Region. The security engineer must minimize changes to the application code.

Which change should the security engineer make to the IAM KMS configuration to meet these requirements?

A. Update the key policies in eu-west-1. Point the application in eu-north-1 to use the same CMK as the application in eu-west-1.

B. Allocate a new CMK to eu-north-1 to be used by the application that is deployed in that Region.

C. Allocate a new CMK to eu-north-1. Create the same alias name for both keys. Configure the application deployment to use the key alias.

D. Allocate a new CMK to eu-north-1. Create an alias for eu-'-1. Change the application code to point to the alias for eu-'-1.

A security engineer is developing automation that uses an AWS Lambda function to add tags to non-compliant IAM users and IAM roles. During testing, the function fails to perform the tagging action. When the security engineer attempts to look at the associated Amazon CloudWatch log group, no logs are being generated. After additional troubleshooting, the security engineer determines that the issue is related to the associated Lambda execution role.

Which statement should the security engineer add to the Lambda execution role to ensure functionality while following the principle of least privilege?

A. Option A

B. Option B

C. Option C

D. Option D