AWS Certified Security – Specialty SCS-C01 – Question187

A company has multiple AWS accounts that are part of AWS Organizations. The company’s Security team wants to ensure that even those Administrators with full access to the company’s AWS accounts are unable to access the company’s Amazon S3 buckets.
How should this be accomplished?

A. Use SCPs.
B. Add a permissions boundary to deny access to Amazon S3 and attach it to all roles.
C. Use an S3 bucket policy.
D. Create a VPC endpoint for Amazon S3 and deny statements for access to Amazon S3.

AWS Certified Security – Specialty SCS-C01 – Question186

An application running on Amazon EC2 instances generates log files in a folder on a Linux file system. The instances block access to the console and file transfer utilities, such as Secure Copy Protocol (SCP) and Secure File Transfer Protocol (SFTP). The Application Support team wants to automatically monitor the application log files so the team can set up notifications in the future.
A Security Engineer must design a solution that meets the following requirements:

  • Make the log files available through an AWS managed service.
  • Allow for automatic monitoring of the logs.
  • Provide an interface for analyzing logs.
  • Minimize effort.

Which approach meets these requirements?

A. Modify the application to use the AWS SDK. Write the application logs to an Amazon S3 bucket.
B. Install the unified Amazon CloudWatch agent on the instances. Configure the agent to collect the application log files on the EC2 file system and send them to Amazon CloudWatch Logs.
C. Install AWS Systems Manager Agent on the instances. Configure an automation document to copy the application log files to AWS DeepLens.
D. Install Amazon Kinesis Agent on the instances. Stream the application log files to Amazon Kinesis Data Firehose and set the destination to Amazon Elasticsearch Service.

AWS Certified Security – Specialty SCS-C01 – Question185

A company’s Security Engineer is copying all application logs to centralized Amazon S3 buckets. Currently, each of the company’s applications is in its own AWS account, and logs are pushed into S3 buckets associated with each account. The Engineer will deploy an AWS Lambda function into each account that copies the relevant log files to the centralized S3 bucket.
The Security Engineer is unable to access the log files in the centralized S3 bucket. The Engineer’s IAM user policy from the centralized account looks like this:

The centralized S3 bucket policy looks like this:

Why is the Security Engineer unable to access the log files?

A. The S3 bucket policy does not explicitly allow the Security Engineer access to the objects in the bucket.
B. The object ACLs are not being updated to allow the users within the centralized account to access the objects.
C. The Security Engineer’s IAM policy does not grant permissions to read objects in the S3 bucket.
D. The s3:PutObject and s3:PutObjectAcl permissions should be applied at the S3 bucket level.

Correct Answer: D

AWS Certified Security – Specialty SCS-C01 – Question184

A Security Engineer accidentally deleted the imported key material in an AWS KMS CMK.
What should the Security Engineer do to restore the deleted key material?

A. Create a new CMK. Download a new wrapping key and a new import token to import the original key material.
B. Create a new CMK. Use the original wrapping key and import token to import the original key material.
C. Download a new wrapping key and a new import token. Import the original key material into the existing CMK.
D. Use the original wrapping key and import token. Import the original key material into the existing CMK.

AWS Certified Security – Specialty SCS-C01 – Question183

A Security Engineer is troubleshooting a connectivity issue between a web server and the logging server in another VPC to which the web server writes log files. The Engineer has confirmed that a peering relationship exists between the two VPCs. VPC flow logs show that requests sent from the web server are accepted by the logging server, but the web server never receives a reply.
Which of the following actions could fix this issue?

A. Add an inbound rule to the security group associated with the logging server that allows requests from the web server.
B. Add an outbound rule to the security group associated with the web server that allows requests to the logging server.
C. Add a route to the route table associated with the subnet that hosts the logging server that targets the peering connection.
D. Add a route to the route table associated with the subnet that hosts the web server that targets the peering connection.

AWS Certified Security – Specialty SCS-C01 – Question182

A company has hundreds of AWS accounts, and a centralized Amazon S3 bucket used to collect AWS CloudTrail logs for all of these accounts. A Security Engineer wants to create a solution that will enable the company to run ad hoc queries against its CloudTrail logs dating back 3 years from when the trails were first enabled in the company’s AWS account.
How should the company accomplish this with the least amount of administrative overhead?

A. Run an Amazon EMR cluster that uses a MapReduce job to examine the CloudTrail trails.
B. Use the events history feature of the CloudTrail console to query the CloudTrail trails.
C. Write an AWS Lambda function to query the CloudTrail trails. Configure the Lambda function to be executed whenever a new file is created in the CloudTrail S3 bucket.
D. Create an Amazon Athena table that looks at the S3 bucket the CloudTrail trails are being written to. Use Athena to run queries against the trails.

Correct Answer: B

AWS Certified Security – Specialty SCS-C01 – Question181

A company’s web application is hosted on Amazon EC2 instances running behind an Application Load Balancer (ALB) in an Auto Scaling group. An AWS WAF web ACL is associated with the ALB. AWS CloudTrail is enabled, and stores logs in Amazon S3 and Amazon CloudWatch Logs.
The Operations team has observed some EC2 instances reboot at random. After rebooting, all access logs on the instances have been deleted. During an investigation, the Operations team found that each reboot happened just after a PHP error occurred on the new-user-creation.php file. The Operations team needs to view log information to determine if the company is being attacked.
Which set of actions will identify the suspect attacker’s IP address for future occurrences?

A. Configure VPC Flow Logs on the subnet where the ALB is located, and stream the data to CloudWatch. Search for the new-user-creation.php occurrences in CloudWatch.
B. Configure the CloudWatch agent on the ALB. Configure the agent to send application logs to CloudWatch. Update the instance role to allow CloudWatch Logs access. Export the logs to CloudWatch. Search for the new-user-creation.php occurrences in CloudWatch.
C. Configure the ALB to export access logs to an Amazon Elasticsearch Service cluster, and use the service to search for the new-user-creation.php occurrences.
D. Configure the web ACL to send logs to Amazon Kinesis Data Firehose, which delivers the logs to an S3 bucket. Use Amazon Athena to query the logs and find the new-user-creation.php occurrences.

Correct Answer: A

AWS Certified Security – Specialty SCS-C01 – Question180

A company uses HTTP Live Streaming (HLS) to stream live video content to paying subscribers by using Amazon CloudFront. HLS splits the video content into chunks so that the user can request the right chunk based on different conditions. Because the video events last for several hours, the total video is made up of thousands of chunks.
The origin URL is not disclosed, and every user is forced to access the CloudFront URL. The company has a web application that authenticates the paying users against an internal repository and a CloudFront key pair that is already issued.
What is the simplest and MOST effective way to protect the content?

A. Develop the application to use the CloudFront key pair to create signed URLs that users will use to access the content.
B. Develop the application to use the CloudFront key pair to set the signed cookies that users will use to access the content.
C. Develop the application to issue a security token that Lambda@Edge will receive to authenticate and authorize access to the content.
D. Keep the CloudFront URL encrypted inside the application, and use AWS KMS to resolve the URL on-the-fly after the user is authenticated.

AWS Certified Security – Specialty SCS-C01 – Question179

An organization wants to log all AWS API calls made within all of its AWS accounts, and must have a central place to analyze these logs.
What steps should be taken to meet these requirements in the MOST secure manner? (Choose two.)

A. Turn on AWS CloudTrail in each AWS account.
B. Turn on CloudTrail in only the account that will be storing the logs.
C. Update the bucket ACL of the bucket in the account that will be storing the logs so that other accounts can log to it.
D. Create a service-based role for CloudTrail and associate it with CloudTrail in each account.
E. Update the bucket policy of the bucket in the account that will be storing the logs so that other accounts can log to it.

Correct Answer: BE

AWS Certified Security – Specialty SCS-C01 – Question178

A company plans to use custom AMIs to launch Amazon EC2 instances across multiple AWS accounts in a single Region to perform security monitoring and analytics tasks. The EC2 instances are launched in EC2 Auto Scaling groups. To increase the security of the solution, a Security Engineer will manage the lifecycle of the custom AMIs in a centralized account and will encrypt them with a centrally managed AWS KMS CMK. The Security Engineer configured the KMS key policy to allow cross-account access. However, the EC2 instances are still not being properly launched by the EC2 Auto Scaling groups.
Which combination of configuration steps should the Security Engineer take to ensure the EC2 Auto Scaling groups have been granted the proper permissions to execute the task?

A. Create a customer-managed CMK in the centralized account. Allow other applicable accounts to use that key for cryptographic operations by applying proper cross-account permissions in the key policy. Create an IAM role in all applicable accounts and configure its access policy to allow the use of the centrally managed CMK for cryptographic operations. Configure EC2 Auto Scaling groups within each applicable account to use the created IAM role to launch EC2 instances.
B. Create a customer-managed CMK in the centralized account. Allow other applicable accounts to use that key for cryptographic operations by applying proper cross-account permissions in the key policy. Create an IAM role in all applicable accounts and configure its access policy with permissions to create grants for the centrally managed CMK. Use this IAM role to create a grant for the centrally managed CMK with permissions to perform cryptographic operations and with the EC2 Auto Scaling service-linked role defined as the grantee principal.
C. Create a customer-managed CMK or an AWS managed CMK in the centralized account. Allow other applicable accounts to use that key for cryptographic operations by applying proper cross-account permissions in the key policy. Use the CMK administrator to create a CMK grant that includes permissions to perform cryptographic operations and that defines the EC2 Auto Scaling service-linked roles from all other accounts as the grantee principal.
D. Create a customer-managed CMK or an AWS managed CMK in the centralized account. Allow other applicable accounts to use that key for cryptographic operations by applying proper cross-account permissions in the key policy. Modify the access policy for the EC2 Auto Scaling roles to perform cryptographic operations against the centrally managed CMK.