A Developer is creating an AWS Lambda function that requires environment variables to store connection information and logging settings. The Developer is required to use an AWS KMS Customer Master Key (CMK) supplied by the Information Security department in order to adhere to company standards for securingLambda environment variables.
Which of the following are required for this configuration to work? (Choose two.)

A. The Developer must configure Lambda access to the VPC using the --vpc-config parameter.

B. The Lambda function execution role must have the kms:Decrypt permission added in the AWS IAM policy.

C. The KMS key policy must allow permissions for the Developer to use the KMS key.

D. The AWS IAM policy assigned to the Developer must have the kms:GenerateDataKey permission added.

E. The Lambda execution role must have the kms:Encrypt permission added in the AWS IAM policy.

A Developer signed in to a new account within an AWS Organizations organizational unit (OU) containing multiple accounts. Access to the Amazon S3 service is restricted with the following SCP:How can the Security Engineer provide the Developer with Amazon S3 access without affecting other accounts?

A. Move the SCP to the root OU of Organizations to remove the restriction to access Amazon S3.

B. Add an IAM policy for the Developer, which grants S3 access.

C. Create a new OU without applying the SCP restricting S3 access. Move the Developer account to this new OU.

D. Add an allow list for the Developer account for the S3 service.

A company has several workloads running on AWS. Employees are required to authenticate using on-premises ADFS and SSO to access the AWS ManagementConsole. Developers migrated an existing legacy web application to an Amazon EC2 instance. Employees need to access this application from anywhere on the internet, but currently, there is no authentication system built into the application.
How should the Security Engineer implement employee-only access to this system without changing the application?

A. Place the application behind an Application Load Balancer (ALB). Use Amazon Cognito as authentication for the ALB. Define a SAML-based Amazon Cognito user pool and connect it to ADFS.

B. Implement AWS SSO in the master account and link it to ADFS as an identity provider. Define the EC2 instance as a managed resource, then apply an IAM policy on the resource.

C. Define an Amazon Cognito identity pool, then install the connector on the Active Directory server. Use the Amazon Cognito SDK on the application instance to authenticate the employees using their Active Directory user names and passwords.

D. Create an AWS Lambda custom authorizer as the authenticator for a reverse proxy on Amazon EC2. Ensure the security group on Amazon EC2 only allows access from the Lambda function.

An Application Developer is using an AWS Lambda function that must use AWS KMS to perform encrypt and decrypt operations for API keys that are less than 2KB.
Which key policy would allow the application to do this while granting least privilege?

A.

B.

C.

D.

A company is migrating its legacy workloads to AWS. The current security information events management (SIEM) system that analyzes logs is aging, and different SIEM systems are being evaluated to replace it. The company wants to change SIEMs without re-architecture the solution.
What should the Security Engineer do to accomplish this with minimal operational impact?

A. Prepare an AMI with the SIEM log forwarder agent for each workload, and configure it to send logs to a centralized SIEM located in the Security team AWS account. Configure an Amazon EC2 instance base AMI to forward logs to its local log forwarder agent. Deploy an AMI in each workload.

B. Configure an Amazon EC2 base AMI with an Amazon Kinesis Agent, and configure it to send to Amazon Kinesis Data Streams in the Security team AWS account. Add an AWS Lambda function at Kinesis Data Streams to push streamed logs to the SIEM.

C. Configure an Amazon EC2 base AMI to send logs to a local AWS CloudTrail log file. Configure CloudTrail to send logs to Amazon CloudWatch. Set up a central SIEM in the Security team AWS account and configure a puller to get information on CloudWatch.

D. Select a pay-per-use SIEM in the AWS Marketplace. Deploy the AMI in each workload to provide elasticity when required. Use Amazon Athena to send real- time alerts.

An Application team has requested a new AWS KMS master key for use with Amazon S3, but the organizational security policy requires separate master keys for different AWS services to limit blast radius.
How can an AWS KMS customer master key (CMK) be constrained to work with only Amazon S3?

A. Configure the CMK key policy to allow only the Amazon S3 service to use the kms:Encrypt action.

B. Configure the CMK key policy to allow AWS KMS actions only when the kms:ViaService condition matches the Amazon S3 service name.

C. Configure the IAM user's policy to allow KMS to pass a role to Amazon S3.

D. Configure the IAM user's policy to allow only Amazon S3 operations when they are combined with the CMK.

A company is developing a highly resilient application to be hosted on multiple Amazon EC2 instances. The application will store highly sensitive user data in Amazon RDS tables.
The application must:
- Include migration to a different AWS Region in the application disaster recovery plan.
- Provide a full audit trail of encryption key administration events.
- Allow only company administrators to administer keys.
- Protect data at rest using application layer encryption.
A Security Engineer is evaluating options for encryption key management.
Why should the Security Engineer choose AWS CloudHSM over AWS KMS for encryption key management in this situation?

A. The key administration event logging generated by CloudHSM is significantly more extensive than AWS KMS.

B. CloudHSM ensures that only company support staff can administer encryption keys, whereas AWS KMS allows AWS staff to administer keys.

C. The ciphertext produced by CloudHSM provides more robust protection against brute force decryption attacks than the ciphertext produced by AWS KMS.

D. CloudHSM provides the ability to copy keys to a different Region, whereas AWS KMS does not.

A global company must mitigate and respond to DDoS attacks at Layers 3, 4 and 7. All of the company's AWS applications are serverless with static content hosted on Amazon S3 using Amazon CloudFront and Amazon Route 53.
Which solution will meet these requirements?

A. Use AWS WAF with an upgrade to the AWS Business support plan.

B. Use AWS Certificate Manager with an Application Load Balancer configured with an origin access identity.

C. Use AWS Shield Advanced.

D. Use AWS WAF to protect AWS Lambda functions encrypted with AWS KMS, and a NACL restricting all ingress traffic.

A Security Engineer signed in to the AWS Management Console as an IAM user and switched to the security role IAM role. To perform a maintenance operation, the Security Engineer needs to switch to the maintainer role IAM role, which lists the security role as a trusted entity. The Security Engineer attempts to switch to the maintainer role, but it fails.
What is the likely cause of the failure?

A. The security role and the maintainer role are not assigned to the IAM user that the Security Engineer used to sign in to the account.

B. The Security Engineer should have logged in as the AWS account root user, which is allowed to assume any role directly.

C. The maintainer role does not include the IAM user as a trusted entity.

D. The security role does not include a statement in its policy to allow an sts:AssumeRole action.

A company is configuring three Amazon EC2 instances with each instance in a separate Availability Zone. The EC2 instances will be used as transparent proxies for outbound internet traffic for ports 80 and 443 so the proxies can block traffic to certain internet destinations as required by the company's security policies. ASecurity Engineer completed the following:
Set up the proxy software on the EC2 instances.
- Modified the route tables on the private subnets to use the proxy EC2 instances as the default route.
- Created a security group rule opening inbound port 80 and 443 TCP protocols on the proxy EC2 instance security group.
However, the proxy EC2 instances are not successfully forwarding traffic to the internet.
What should the Security Engineer do to make the proxy EC2 instances route traffic to the internet?

A. Put all the proxy EC2 instances in a cluster placement group.

B. Disable source and destination checks on the proxy EC2 instances.

C. Open all inbound ports on the proxy EC2 instance security group.

D. Change the VPC's DHCP domain-name-servers options set to the IP addresses of proxy EC2 instances.