Correct Answer: D

https://IAM.amazon.com/blogs/IAM/cloudwatch-log-service/

Correct Answer: B

The IAM Documentation gives an example on such a case Inline policies are useful if you want to maintain a strict one-to-one relationship between a policy and the principal entity that if s applied to. For example, you want to be sure that the permissions in a policy are not inadvertently assigned to a principal entity other than the one they're intended for. When you use an inline policy, the permissions in the policy cannot be inadvertently attached to the wrong principal entity. In addition, when you use the IAM Management Console to delete that principal entit the policies embedded in the principal entity are deleted as well. That's because they are part of the principal entity. Option A is invalid because IAM Managed Polices are ok for a group of users, but for individual users, inline policies are better. Option C and D are invalid because they are specifically meant for access to S3 buckets For more information on policies, please visit the following URL: https://docs.IAM.amazon.com/IAM/latest/UserGuide/access managed-vs-inline The correct answer is: An Inline Policy Submit your Feedback/Queries to our Experts

Correct Answer: C

The IAM Inspector service can inspect EC2 Instances based on specific Rules. One of the rules packages is based on the guidelines set by the Center of Internet Security Center for Internet security (CIS) Benchmarks The CIS Security Benchmarks program provides well-defined, un-biased and consensus- based industry best practices to help organizations assess and improve their security. Amazon Web Services is a CIS Security Benchmarks Member company and the list of Amazon Inspector certifications can be viewed nere. Option A is invalid because this can be used to protect an instance but not give the list of vulnerabilities Options B and D are invalid because these services cannot give a list of vulnerabilities For more information on the guidelines, please visit the below URL:

* https://docs.IAM.amazon.com/inspector/latest/userguide/inspector_cis.html The correct answer is: Use IAM Inspector Submit your Feedback/Queries to our Experts

Correct Answer: CD

The CMK keys themselves can only be used for encrypting data that is maximum 4KB in size. Hence it can be used for encryptii information such as passwords and RSA keys. Option A and B are invalid because the actual CMK key can only be used to encrypt small amounts of data and not large amoui of data. You have to generate the data key from the CMK key in order to encrypt high amounts of data For more information on the concepts for KMS, please visit the following URL: https://docs.IAM.amazon.com/kms/latest/developereuide/concepts.htmll The correct answers are: Password, RSA Keys Submit your Feedback/Queries to our Experts

Correct Answer: C

The policy consists of 2 statements, one is the allow for the user mark to the bucket and the next is the deny policy for all other users. The deny permission will override the allow and hence all users will not have access to the bucket. Options A,B and D are all invalid because this policy is used to deny all access to the bucket mybucket For examples on S3 bucket policies, please refer to the below Link: http://docs.IAM.amazon.com/AmazonS3/latest/dev/example-bucket-policies.htmll The correct answer is: It will deny all access to the bucket mybucket Submit your FeedbacK/Quenes to our Experts

Correct Answer: AC

The IAM Documentation mentions the following Adding a Bucket Policy to Require MFA Amazon S3 supports MFA-protected API access, a feature that can enforce multi-factor authentication (MFA) for access to your Amazon S3 resources. Multi-factor authentication provides an extra level of security you can apply to your IAM environment. It is a security feature that requires users to prove physical possession of an MFA device by providing a valid MFA code. For more information, go to IAM Multi-Factor Authentication. You can require MFA authentication for any requests to access your Amazoi. S3 resources. You can enforce the MFA authentication requirement using the IAM:MultiFactorAuthAge key in a bucket policy. IAM users car access Amazon S3 resources by using temporary credentials issued by the IAM Security Token Service (STS). You provide the MFA code at the time of the STS request. When Amazon S3 receives a request with MFA authentication, the IAM:MultiFactorAuthAge key provides a numeric value indicating how long ago (in seconds) the temporary credential was created. If the temporary credential provided in the request was not created using an MFA device, this key value is null (absent). In a bucket policy, you can add a condition to check this value, as shown in the following example bucket policy. The policy denies any Amazon S3 operation on the /taxdocuments folder in the examplebucket bucket if the request is not MFA authenticated. To learn more about MFA authentication, see Using Multi-Factor Authentication (MFA) in IAM in the IAM User Guide.

Option B is invalid because just enabling bucket versioning will not guarantee replication of objects Option D is invalid because the condition for the bucket policy needs to be set accordingly For more information on example bucket policies, please visit the following URL: ?https://docs.IAM.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html Also versioning and Cross Region replication can ensure that objects will be available in the destination region in case the primary region fails. For more information on CRR, please visit the following URL: https://docs.IAM.amazon.com/AmazonS3/latest/dev/crr.html The correct answers are: Enable bucket versioning and also enable CRR, For the Bucket policy add a condition for {"Null": { "IAM:MultiFactorAuthAge": true}} Submit your Feedback/ Queries to our Experts

Correct Answer: BCE

Correct Answer: A

Correct Answer: C

Correct Answer: B

This answer is correct because AWS Secrets Manager is a service that helps you protect secrets that are needed to access your applications, services, and IT resources. You can store and manage secrets such as database credentials, API

keys, and other sensitive data in Secrets Manager. You can also use Secrets Manager to rotate, manage, and retrieve your secrets throughout their lifecycle1. Secrets Manager integrates with AWS CloudFormation, which allows you to

reference secrets from your templates using the {{resolve:secretsmanager:...}} syntax2. This way, you can avoid exposing your secrets in plaintext and still use them in your resources.

The other options are incorrect because:

A. Storing the API key value as a SecureString parameter in AWS Systems Manager Parameter Store is not a solution, because AWS CloudFormation does not support references to SecureString parameters. This means that you cannot use the {{resolve:ssm:...}} syntax to retrieve encrypted parameter values from Parameter Store3. You would have to use a custom resource or a Lambda function to decrypt the parameter value, which adds complexity and overhead to your template.

C. Storing the API key value in Amazon DynamoDB is not a solution, because AWS CloudFormation does not support references to DynamoDB items. This means that you cannot use the {{resolve:dynamodb:...}} syntax to retrieve item values from DynamoDB tables4. You would have to use a custom resource or a Lambda function to query the DynamoDB table, which adds complexity and overhead to your template. D. Storing the API key value in a new Amazon S3 bucket is not a solution, because AWS CloudFormation does not support references to S3 objects. This means that you cannot use the {{resolve:s3:...}} syntax to retrieve object values from S3 buckets5. You would have to use a custom resource or a Lambda function to download the object from S3, which adds complexity and overhead to your template.

References:

1: What is AWS Secrets Manager?

2: Referencing AWS Secrets Manager secrets from Parameter Store parameters

3: Using dynamic references to specify template values

4: Amazon DynamoDB 5: Amazon Simple Storage Service (S3)