AWS Certified Security – Specialty SCS-C01 – Question167

A company’s Security Engineer has been tasked with restricting a contractor’s IAM account access to the company’s Amazon EC2 console without providing access to any other AWS services. The contractor’s IAM account must not be able to gain access to any other AWS service, even if the IAM account is assigned additional permissions based on IAM group membership.
What should the Security Engineer do to meet these requirements?

A. Create an inline IAM user policy that allows for Amazon EC2 access for the contractor’s IAM user.
B. Create an IAM permissions boundary policy that allows Amazon EC2 access. Associate the contractor’s IAM account with the IAM permissions boundary policy.
C. Create an IAM group with an attached policy that allows for Amazon EC2 access. Associate the contractor’s IAM account with the IAM group.
D. Create an IAM role that allows for EC2 and explicitly denies all other services. Instruct the contractor to always assume this role.

Correct Answer: B

AWS Certified Security – Specialty SCS-C01 – Question166

A company wants to encrypt the private network between its on-premises environment and AWS. The company also wants a consistent network experience for its employees.
What should the company do to meet these requirements?

A. Establish an AWS Direct Connect connection with AWS and set up a Direct Connect gateway. In the Direct Connect gateway configuration, enable IPsec and BGP, and then leverage native AWS network encryption between Availability Zones and Regions.
B. Establish an AWS Direct Connect connection with AWS and set up a Direct Connect gateway. Using the Direct Connect gateway, create a private virtual interface and advertise the customer gateway private IP addresses. Create a VPN connection using the customer gateway and the virtual private gateway.
C. Establish a VPN connection with the AWS virtual private cloud over the Internet.
D. Establish an AWS Direct Connect connection with AWS and establish a public virtual interface. For prefixes that need to be advertised, enter the customer gateway public IP addresses. Create a VPN connection over Direct Connect using the customer gateway and the virtual private gateway.

Correct Answer: C

AWS Certified Security – Specialty SCS-C01 – Question165

A company uses Microsoft Active Directory for access management for on-premises resources, and wants to use the same mechanism for accessing its AWS accounts. Additionally, the Development team plans to launch a public-facing application for which they need a separate authentication solution.
Which combination of the following would satisfy these requirements? (Choose two.)

A. Set up domain controllers on Amazon EC2 to extend the on-premises directory to AWS.
B. Establish network connectivity between on-premises and the user’s VPC.
C. Use Amazon Cognito user pools for application authentication.
D. Use AD Connector for application authentication.
E. Set up federated sign-in to AWS through ADFS and SAML.

Correct Answer: AB

AWS Certified Security – Specialty SCS-C01 – Question164

An organization must establish the ability to delete an AWS KMS Customer Master Key (CMK) within a 24-hour timeframe to keep it from being used for encrypt or decrypt operations.
Which of the following actions will address this requirement?

A. Manually rotate a key within KMS to create a new CMK immediately.
B. Use the KMS import key functionality to execute a delete key operation.
C. Use the schedule key deletion function within KMS to specify the minimum wait period for deletion.
D. Change the KMS CMK alias to immediately prevent any services from using the CMK.

AWS Certified Security – Specialty SCS-C01 – Question163

A company requires that SSH commands used to access its AWS instance be traceable to the user who executed each command.
How should a Security Engineer accomplish this?

A. Allow inbound access on port 22 at the security group attached to the instance. Use AWS Systems Manager Session Manager for shell access to Amazon EC2 instances with the user tag defined. Enable Amazon CloudWatch logging for Systems Manager sessions.
B. Use Amazon S3 to securely store one Privacy Enhanced Mail Certificate (PEM file) for each user. Allow Amazon EC2 to read from Amazon S3 and import every user that wants to use SSH to access the EC2 instance. Allow inbound access on port 22 at the security group attached to the instance. Install the Amazon CloudWatch agent on the EC2 instance and configure it to ingest audit logs for the instance.
C. Deny inbound access on port 22 at the security group attached to the instance. Use AWS Systems Manager Session Manager for shell access to Amazon EC2 instances with the user tag defined. Enable Amazon CloudWatch logging for Systems Manager sessions.
D. Use Amazon S3 to securely store one Privacy Enhanced Mail Certificate (PEM file) for each team or group. Allow Amazon EC2 to read from Amazon S3 and import every user that wants to use SSH to access the EC2 instance. Allow inbound access on port 22 at the security group attached to the instance. Install the Amazon CloudWatch agent on the EC2 instance and configure it to ingest audit logs for the instance.

Correct Answer: D

AWS Certified Security – Specialty SCS-C01 – Question162

A company manages three separate AWS accounts for its production, development, and test environments. Each Developer is assigned a unique IAM user under the development account. A new application hosted on an Amazon EC2 instance in the development account requires read access to the archived documents stored in an Amazon S3 bucket in the production account.
How should access be granted?

A. Create an IAM role in the production account and allow the EC2 instance in the development account to assume that role using the trust policy. Provide read access for the required S3 bucket to this role.
B. Use a custom identity broker to allow Developer IAM users to temporarily access the S3 bucket.
C. Create a temporary IAM user for the application to use in the production account.
D. Create a temporary IAM user in the production account and provide read access to Amazon S3. Generate the temporary IAM user’s access key and secret key and store these keys on the EC2 instance used by the application in the development account.

Correct Answer: A

AWS Certified Security – Specialty SCS-C01 – Question161

A Website currently runs on Amazon EC2 with mostly static content on the site. Recently, the site was subjected to a DDoS attack, and a Security Engineer was tasked with redesigning the edge security to help mitigate this risk in the future.
What are some ways the Engineer could achieve this? (Choose three.)

A. Use AWS X-Ray to inspect the traffic going to the EC2 instances.
B. Move the static content to Amazon S3, and front this with an Amazon CloudFront distribution.
C. Change the security group configuration to block the source of the attack traffic.
D. Use AWS WAF security rules to inspect the inbound traffic.
E. Use Amazon Inspector assessment templates to inspect the inbound traffic.
F. Use Amazon Route 53 to distribute traffic.

Correct Answer: ABE

AWS Certified Security – Specialty SCS-C01 – Question160

Example.com is hosted on an Amazon EC2 instance behind an Application Load Balancer (ALB). Third-party host intrusion detection system (HIDS) agents that capture the traffic of the EC2 instance are running on each host. The company must ensure they are using privacy-enhancing technologies for users, without losing the assurance the third-party solution offers.
What is the MOST secure way to meet these requirements?

A. Enable TLS pass-through on the ALB, and handle decryption at the server using Elliptic Curve Diffie-Hellman (ECDHE) cipher suites.
B. Create a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie-Hellman (ECDHE) cipher suites, and pass the traffic in the clear to the server.
C. Create a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie-Hellman (ECDHE) cipher suites, and use encrypted connections to the servers that do not enable Perfect Forward Secrecy (PFS).
D. Create a listener on the ALB that does not enable Perfect Forward Secrecy (PFS) cipher suites, and use encrypted connections to the server using Elliptic Curve Diffie-Hellman (ECDHE) cipher suites.

Correct Answer: C

AWS Certified Security – Specialty SCS-C01 – Question159

A Development team has built an experimental environment to test a simple static web application. It has built an isolated VPC with a private and a public subnet. The public subnet holds only an Application Load Balancer, a NAT gateway, and an internet gateway. The private subnet holds all of the Amazon EC2 instances. There are 3 different types of servers. Each server type has its own Security Group that limits access to only required connectivity. The Security Groups have both inbound and outbound rules applied. Each subnet has both inbound and outbound network ACLs applied to limit access to only required connectivity.
Which of the following should the team check if a server cannot establish an outbound connection to the internet? (Choose three.)

A. The route tables and the outbound rules on the appropriate private subnet security group.
B. The outbound network ACL rules on the private subnet and the inbound network ACL rules on the public subnet.
C. The outbound network ACL rules on the private subnet and both the inbound and outbound rules on the public subnet.
D. The rules on any host-based firewall that may be applied on the Amazon EC2 instances.
E. The Security Group applied to the Application Load Balancer and NAT gateway.
F. That the 0.0.0.0/0 route in the private subnet route table points to the Internet gateway in the public subnet.

Correct Answer: CDE

AWS Certified Security – Specialty SCS-C01 – Question158

A company became aware that one of its access keys was exposed on a code sharing website 11 days ago. A Security Engineer must review all use of the exposed keys to determine the extent of the exposure. The company enabled AWS CloudTrail in all regions when it opened the account.
Which of the following will allow the Security Engineer to complete the task?

A. Filter the event history on the exposed access key in the CloudTrail console. Examine the data from the past 11 days.
B. Use the AWS CLI to generate an IAM credential report. Extract all the data from the past 11 days.
C. Use Amazon Athena to query the CloudTrail logs from Amazon S3. Retrieve the rows for the exposed access key for the past 11 days.
D. Use the Access Advisor tab in the IAM console to view all of the access key activity for the past 11 days.