AWS Security Specialty Exam Flashcards

Question

Will deleting EC2 Key Pair in the console delete it from instance?

Answer 1

Take snaphot of the EC2 instance and deploy it as new instance (with new key pairs).

Answer 2

kms:ViaService

Answer 3

- Precrypto Officer (PRECO) - Crypto Officer (CO) - Crypto Users (CU) - Appliance User (AU)

Answer 4

- Create an IAM role for the Lambda function. Attach an IAM policy that allows access to the S3 bucket - Create an IAM role for the Lambda function. Attach a bucket policy to the S3 bucket to allow access. Specify the function's IAM role as the principal

Answer 5

Custom SSL certificate that is stored in AWS Certificate Manager (ACM)

Answer 6

- Gather any relevant metadata for the compromised EC2 instance. Enable termination protection. Isolate the instance by updating the instance's security groups to restrict access. Detach the instance from any Auto Scaling groups that the instance is a member of. Deregister the instance from any Elastic Load Balancing (ELB) resources. - Use Systems Manager Run Command to invoke scripts that collect volatile data - Create a snapshot of the compromised EC2 instance's EBS volume for follow-up investigations. Tag the instance with any relevant metadata and incident ticket information

Answer 7

Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team's email addresses to the SNS topic. Create custom rules in CloudFormation Guard for each resource configuration. In the CI/CD pipeline, before the build stage, configure a Docker image to run the cfn-guard command on the CloudFormation template. Configure the CI/CD pipeline to publish a notification to the SNS topic if any issues are found

Answer 8

Use the AWS CloudTrail console to search for user activity.

Answer 9

Call the abort-vault-lock operation. Update the policy. Call the initiate-vault-lock operation again.

Answer 10

AWS IAM roles

Answer 11

- The external ID used by the Auditor is missing or incorrect - The Auditor has not been granted sts:AssumeRole for the role in the destination account - The role ARN used by the Auditor is missing or incorrect

Answer 12

Route all traffic through a TCP listener on a Classic Load Balancer, and terminate the TLS connection on the EC2 instances.

Answer 13

- Move the web servers to private subnets without public IP addresses. - Configure AWS WAF to provide DDoS attack protection for the ALB

Answer 14

Create an organizational unit (OU) in Organizations with a service control policy that controls usage of the root user. Add all operational accounts to the new OU.

Answer 15

email-smtp.us-east-1.amazonaws.com over port 587

Answer 16

- AWS Site-to-Site VPN - AWS Direct Connect

Answer 17

- Use AWS Backup to create a backup plan. Add a backup rule that includes a retention period of 3 months. - Set the backup frequency by using a cron schedule expression. Assign each DynamoDB table to the backup plan.

Answer 18

Use an IAM Identity Center default directory to create users and groups for all employees that require access to AWS accounts. Assign groups to AWS accounts and link to permission sets in accordance with the employees’ job functions and access requirements. Instruct employees to access AWS accounts by using the IAM Identity Center user portal.

Answer 19

Enable AWS Security Hub to ingest GuardDuty findings and send the event to Amazon EventBridge. Deploy AWS Network Firewall. Process the event with an AWS Lambda function that adds a rule to a Network Firewall firewall policy to block traffic to and from the suspicious instance.

Answer 20

In Account B, create a bucket policy to allow the user from Account A to access the S3 bucket in Account B.

Answer 21

Create an Amazon EventBridge rule to detect critical Security Hub findings. Create an Amazon Simple Notification Service (Amazon SNS) topic as the target of the EventBridge rule. Subscribe an email endpoint to the SNS topic to receive published messages.

Answer 22

- Ensure that the Amazon CloudWatch agent is installed on all the EC2 instances that the Auto Scaling groups launch. Generate a CloudWatch agent configuration file to forward the required logs to Amazon CloudWatch Logs. - Set the log retention for desired log groups to 7 years. - Attach an IAM role to the launch configuration or launch template that the Auto Scaling groups use. Configure the role to provide the necessary permissions to forward logs to Amazon CloudWatch Logs.

Answer 23

Field-level encryption allows you to enable your users to securely upload sensitive information to your web servers. The sensitive information provided by your users is encrypted at the edge, close to the user, and remains encrypted throughout your entire application stack. This encryption ensures that only applications that need the data—and have the credentials to decrypt it—are able to do so

Answer 24

- "Bool": {"aws:MultiFactorAuthPresent": "true"} - "NumericLessThan": {"aws:MultiFactorAuthAge": "7200"}

Answer 25

Activate Amazon GuardDuty in each production account. In a dedicated logging account, aggregate all GuardDuty logs from each production account. Remediate incidents by using Amazon EventBridge to invoke a custom AWS Lambda function from the GuardDuty findings. Configure the Lambda function to also publish notifications to the SNS topic.

Answer 26

Create SCPs that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed

Answer 27

Use TLS certificates from AWS Certificate Manager (ACM) with an Application Load Balancer. Deploy self-signed certificates on the EC2 instances. Ensure that the database client software uses a TLS connection to Amazon RDS. Enable encryption of the RDS DB instance. Enable encryption on the Amazon Elastic Block Store (Amazon EBS) volumes that support the EC2 instances

Answer 28

Create an Amazon S3 bucket. Configure the load balancers to send logs to the S3 bucket. Use Amazon Athena to search the logs that are in the S3 bucket. Create Athena queries for the required metrics. Publish the metrics to Amazon CloudWatch.

Answer 29

- Use Amazon Athena to query the CloudTrail logs in DOC-EXAMPLE-BUCKET2 for any API calls that used the access key to access an object that contained PII - Configure Amazon Macie to identify any objects in DOC-EXAMPLE-BUCKET1 that contain PII and that were available to the access key.

Answer 30

The allow permission is being overridden by the deny. ## Footnote Explicit deny statements cannot be overridden by allow statements

Answer 31

Create an Amazon CloudWatch alarm that monitors Shield Advanced metrics for an active DDoS event

Answer 32

Use CloudWatch Logs Insights and a custom query syntax to analyze the CloudWatch logs for the specific IP address and the requested URLs.

Answer 33

Create an S3 Lifecycle policy to expire objects that are older than 30 days. Update the Lambda function to add the TTL attribute in the DynamoDB table. Enable TTL on the DynamoDB table to expire entries that are older than 30 days based on the TTL attribute

Answer 34

- Do not create access keys for the AWS account root user; instead, create AWS IAM users - Enable multi-factor authentication for the AWS account root user

Answer 35

Create an AWS Service Catalog portfolio in the organization's management account. Upload the CloudFormation template. Add the template to the portfolio's product list. Share the portfolio with the OU

Answer 36

- An inbound rule in WebAppSG allowing port 80 from source ALB-SG - An inbound rule in ALB-SG allowing port 80 from source 0.0.0.0/0 - An outbound rule in ALB-SG allowing port 80 to WebAppSG

Answer 37

The specified users are not denied S3 permissions but must be granted permissions through IAM user policies or ACLs

Answer 38

Establish an SCP and a permissions boundary for IAM roles. Apply the SCP to the root OU so that only roles with the attached permissions boundary can create any new IAM roles

Answer 39

- All inter-region traffic over the AWS global network is automatically encrypted - All traffic between Availability Zones is encrypted by default

Answer 40

Create a new KMS key and update the existing Key Alias to point to the new KMS key

Answer 41

- The EC2 instance security group does not allow inbound traffic from the NLB IP addresses - The network ACL associated with the instance subnets does not allow traffic from the NLB

Answer 42

- When using the ec2:runinstances API action set the “--metadata-options HttpTokens” option to “required” - Update existing instances using the “ec2 modify-instance-metadata-options” commands from the AWS CLI with the “HttpTokens required” option ## Footnote You can access instance metadata from a running instance using one of the following methods: Instance Metadata Service Version 1 (IMDSv1) – a request/response method Instance Metadata Service Version 2 (IMDSv2) – a session-oriented method By default, you can use either IMDSv1 or IMDSv2, or both. The instance metadata service distinguishes between IMDSv1 and IMDSv2 requests based on whether, for any given request, either the PUT or GET headers, which are unique to IMDSv2, are present in that request. You can configure the instance metadata service on each instance such that local code or users must use IMDSv2. When you specify that IMDSv2 must be used, IMDSv1 no longer works. IMDSv2 uses session-oriented requests. With session-oriented requests, you create a session token that defines the session duration, which can be a minimum of one second and a maximum of six hours.

Answer 43

Use Amazon Inspector and run the “Common vulnerabilities and exposures” assessment and the “Center for Internet Security (CIS) Benchmarks” assessment

Answer 44

AWS CloudTrail for the federated identity user name

Answer 45

Set up CloudWatch Logs subscription filters in each account. Use the subscription filters to stream the logs to an Amazon Kinesis Data Firehose stream in the central account, which then forwards the logs to the data processing system

Answer 46

- Invalidate any temporary security credentials - Delete the access key ID and secret access key

Answer 47

Revoke all versions of the signing profile assigned to the developer

Answer 48

Run the EC2Rescue CLI using the /offline mode and specify the device ID

Answer 49

Use Service Control Policies (SCPs) to limit root account permissions ## Footnote Service Control Policies (SCPs) can limit the maximum permission level for all AWS accounts in an organization, including the root user. By implementing SCPs, the university can prevent the root user in any account from exceeding the permissions defined in the SCP.

Answer 50

Use AWS Config to track configuration changes and AWS CloudTrail to record API calls and track access patterns in the AWS Cloud

Answer 51

Use the default key store and import the company’s keys into a customer managed KMS key

Answer 52

Disable the Network Source/Destination check on the security appliance's elastic network interface

Answer 53

In the Security Hub administrator account, create an Amazon EventBridge rule to react to AWS Inspector findings with a high priority level. Configure the rule to target an Amazon SNS topic and subscribe the security operations team's email addresses to the SNS topic

Answer 54

- Grant the IAM role the s3:GetObjectVersionForReplication permission for the objects in the source S3 bucket - Give the IAM role the kms:Decrypt permission for the eu-west-1 key encrypting the source objects - Assign the IAM role the kms:Encrypt permission for the key in the eu-central-1 region that encrypts objects in the destination S3 bucket

Answer 55

Scan all the EC2 instances with AWS Systems Manager to identify the vulnerable version of the web framework ## Footnote AWS Systems Manager Patch Manager can be used to scan systems and identify vulnerable versions of software and then install the patches on the systems. Patch Manager provides options to scan your instances and report compliance on a schedule, install available patches on a schedule, and patch or scan instances on demand whenever you need to.

Answer 56

Enable the option to automatically rotate each KMS key every year ## Footnote When you enable automatic key rotation for a customer managed key, AWS KMS generates new cryptographic material for the KMS key every year. You can enable or disable automatic key rotation for customer managed KMS keys at any time. You cannot modify the rotation configuration for AWS managed KMS keys which are automatically rotated every year. Key rotation changes only the KMS key's key material, which is the cryptographic material that is used in encryption operations. The KMS key is the same logical resource, regardless of whether or how many times its key material changes.

Answer 57

Configure a rate-based rule on AWS WAF that puts a temporary block on requests from IP addresses that send excessive requests

Answer 58

- Create an Amazon CloudFront distribution, configure the alternate domain name and subdomains, and select a certificate from AWS Certificate Manager (ACM) - Create a certificate in AWS Certificate Manager (ACM) and add the domain name and subdomains. Create Alias records for the distribution in Amazon Route 53

Answer 59

Create an egress-only internet gateway and update the route table in the private subnet

Answer 60

Implement encryption at rest for the Amazon EBS volumes attached to EC2 instances. Encrypt the RDS database and use a TLS secured connection. Store the database credentials in AWS Secrets Manager and configure automatic rotation

Answer 61

Enable the awslogs log driver by including awslogs-group and awslogs-region parameters in the LogConfiguration property ## Footnote The Fargate launch type supports the awslogs log driver. You need to specify the awslogs-group (CloudWatch log group name) and awslogs-region (AWS Region of the log group) parameters in the LogConfiguration property in the task definition for Amazon ECS.

Answer 62

Use AWS Systems Manager Session Manager to access the EC2 instances. Set up Amazon CloudWatch Logs for session logging. Choose the option to upload session logs and ensure that only encrypted CloudWatch Logs log groups are allowed

Answer 63

Setup a Virtual Private Gateway (VGW)

Answer 64

Create an organization trail in the management account and specify a central S3 bucket

Answer 65

Service Control Policies (SCPs)

Answer 66

Disable or delete the compromised IAM access key. Stop using static IAM access keys and instead, create a new IAM role for the Lambda automation process. Assign this role to the AWS Lambda functions. Respond to the AWS Trust and Safety team detailing the remediation actions

Answer 67

Connect to each EC2 instance and replace the public key information in the authorized_keys file

Answer 68

- Configure a password policy in Active Directory for the federation scenario - Configure an IAM password policy for the IAM user scenario - Configure a password policy in the Amazon Cognito user pool

Answer 69

Configure VPC traffic mirroring to send traffic to the intrusion detection EC2 instance using a Network Load Balancer

Answer 70

Call the AbortVaultLock operation. Update the policy. Call the initiate-vault-lock operation again

Answer 71

Create an Amazon EventBridge rule uses the “AWS API Call via CloudTrail” event source and the “s3:PutBucketPolicy” event pattern. Generate an alert using Amazon SNS

Answer 72

Create an AWS WAF rate-based rule to block this traffic when it exceeds a defined threshold

Answer 73

Modify the route table of the database subnets to remove the default route to the NAT gateway

Answer 74

Configure the key policy with a kms:ViaService condition key that limits use of the KMS key to the Amazon S3 service name

Answer 75

An explicit deny will always override an explicit allow. ## Footnote There is an explicit deny in the bucket policy that denies all users. Explicit denies will always override any explicit allow statements so the new update to the policy does not grant access to the forensic analyst

Answer 76

- Create an origin access identity (OAI) and associate it with the CloudFront distribution - Configure the S3 bucket permissions so that only the origin access identity can access the bucket contents

Answer 77

Specify '*' as the principal and aws:PrincipalOrgld as a condition. ## Footnote You can use a condition key, aws:PrincipalOrgID, in policies to require all principals accessing the resource to be from an account (including the master account) in the organization. To set this up for this scenario you must specify '*' as the principal, to allow any user access, and then restrict only to users within the AWS Organization using the condition key. The aws:PrincipalOrgId condition key should be used with the organization ID value specified.

Answer 78

Use imported key material with an AWS KMS key ## Footnote Cryptographic erasure is when the encryption material used to encrypt the data is deleted. This results in the data being unrecoverable as it cannot be decrypted. A security team may use this technique if the encryption keys used to encrypt data have been compromised. Of course, you would want to ensure that the key materials are backed up offline so you can perform a restore of the data. In this case the only option available that will meet the requirements is to import key material into an AWS KMS key. You cannot immediately delete a KMS key; you must schedule it for deletion with a waiting period of a minimum of 7 days. With imported key material you can speed up the process by deleting the key material which renders the KMS key unusable. This effect is immediate.

Answer 79

- Create a snapshot of unencrypted databases. Copy the unencrypted snapshots to created encrypted snapshots. Restore the databases from the encrypted snapshots - Use AWS Config to detect any existing and new unencrypted databases. Configure an Amazon SNS notification to alert the security team

Answer 80

- Migrate the static content to an Amazon S3 bucket and create an Amazon CloudFront distribution - Use the AWS Web Application Firewall (WAF) service to inspect and manage web requests

Answer 81

- The application lacks the kms:Encrypt permission for the custom-managed key - The state of the customer-managed key specified within the application is set to 'Disabled'

Answer 82

- Configure the trust policy on the IAM role AWS Config uses to allow “config.amazonaws.com” to assume the role - Configure the role policy on the IAM role AWS Config uses to allow write access to the Amazon S3 bucket - Configure the access policy for the Amazon SNS topic to allow “sns:publish” access to “config.amazonaws.com

Answer 83

Create a landing zone using AWS Control Tower. Integrate AWS Single Sign-On (SSO) with the company’s existing identity provider. Grant Active Directory users access to accounts and applications

Answer 84

- On the DBSG security group, create a custom TCP rule for TCP 3306 and configure the AppSG security group as the source - On the AppSG security group, create a custom TCP rule for TCP 1030 and configure the WebSG security group as the source

Answer 85

- Enable access logging for the appropriate API stage - Use Amazon CloudWatch Logs Insights for analyzing API usage data

Answer 86

Use the SecurityHeadersPolicy managed response headers policy

Answer 87

Modify the web ACL with an IP set match rule statement and a block action to deny incoming requests from the IP address range

Answer 88

Create a new customer-managed key in AWS KMS and import the new key material. Provide Amazon RDS permissions to use the key. Create a new RDS instance and choose the new key as the encryption key. Migrate the data into RDS

Answer 89

Create a second access key and modify applications to use the new key. Disable the old access key and check applications are working correctly before deleting the old access key

Answer 90

- Use AWS Signer to verify code integrity when code packages are deployed to Lambda - Use IAM policies to enforce that developers can only create functions that have code signing enabled

Answer 91

- Verify that the S3 bucket policy grants CloudTrail the s3:PutObject permission - Verify that the S3 bucket and prefix defined in CloudTrail exists

Answer 92

The S3 bucket ACL and object ACLs will need to be checked to determine if public access is possible

Answer 93

- The route table of the subnet is missing a route to the internet gateway - The network ACL denies outbound traffic on ephemeral ports - The host-based firewall of the instance operating system is denying traffic

Answer 94

Generate a credential report in each account in the Organization. Consolidate the reports and identify the users the access key IDs belong to. Rotate the access key IDs

Answer 95

Generate a new access key for the IAM user. Update the inventory management system to utilize the new access key. Subsequently, deactivate the compromised access key

Answer 96

Create an IAM account for the new employee and add the account to the security team IAM group. Set a permissions boundary that grants access to manage Amazon DynamoDB, Amazon RDS, and Amazon CloudWatch. When the employee takes on new management responsibilities, add the additional services to the permissions boundary IAM policy

Answer 97

Use AWS Secrets Manager to store the SSH key pairs. Create an AWS Lambda function that rotates the SSH keys every 90 days. Create an AWS CloudTrail trail that logs to an S3 bucket

Answer 98

Modify the configuration of AWS WAF to add an IP match condition to block the malicious IP address

Answer 99

Designate a delegated administrator for Amazon Inspector for the entire organization. Set up automatic scanning for all existing and new member accounts

Answer 100

Use the DynamoDB Encryption Client for client-side encryption and to digitally sign the table items

Answer 101

- AWS CloudFormation - AWS Step Functions

Answer 102

- The IAM role assigned to the EC2 instance profile does not have decrypt permissions on the AWS KMS key used to encrypt the parameter - The IAM role assigned to the EC2 instance profile does not have permissions to retrieve parameters in Systems Manager Parameter Store

Answer 103

- Amazon Route 53 - AWS Shield - Elastic Load Balancer

Answer 104

Use AWS Systems Manager Session Manager. Grant the IAM user accounts permissions to use Systems Manager Session Manager

Answer 105

- Create an interface VPC endpoint for Amazon SQS - Create a gateway VPC endpoint for Amazon DynamoDB - Modify the endpoint policies on all VPC endpoints. Specify the SQS and DynamoDB resources that the application uses

Answer 106

Trust policy

Answer 107

- Configure the Lambda function to connect to private subnets in an Amazon VPC - Configure a VPC endpoint for accessing the DynamoDB table using private addresses

Answer 108

Connect the Lambda function to a private subnet within the VPC. Attach a security group to the function that allows outbound access to the VPC CIDR block only. Update the DB instance security group to allow traffic from the Lambda security group

Answer 109

- Install the Systems Manager SSM Agent on the EC2 Linux instances and attach an IAM role that grants permissions - Create an IAM user policy for Session Manager access granting the SysOps team access to the EC2 Linux instances

Answer 110

- Add specific tags to the Amazon EC2 instances - Attach an IAM policy to the operations users that grants access to the instances with the specific tag using the Condition element

Answer 111

Update the trust policy on the role in the production account to allow the “sts: AssumeRole” API action for the IdPUsersRole principal in the identity account

Answer 112

- Configure Amazon CloudFront and set up a distribution for the S3 and EC2 origins to accelerate content delivery - Use an AWS Lambda function configured with CloudFront (Lambda@Edge) to add HTTP security headers on origin responses

Answer 113

Create an OU in AWS Organizations and add all the member accounts. Attach an SCP that controls the permissions available for the root user

Answer 114

- Configure CloudFront to add a custom HTTP header to requests that CloudFront sends to the ALB - Configure the ALB to deny requests that do not contain the custom HTTP header

Answer 115

Set up federated sign-in to AWS through ADFS and SAML

Answer 116

- Amazon Kinesis - Amazon OpenSearch

Answer 117

All users in member accounts will not be able to disable AWS SecurityHub or delete or modify the Amazon GuardDuty configuration. IAM policies defined in member accounts will not be overridden

Answer 118

Add an aws:MultiFactorAuthPresent : true condition to the role's trust policy

Answer 119

Configure a Pre Sign-Up AWS Lambda trigger and associate it with the Amazon Cognito user pool to execute custom validation during sign-up ## Footnote AWS Lambda triggers for Amazon Cognito can add custom validation to user pool workflows. A Pre sign-up Lambda trigger can perform custom validation during sign-up, such as checking the geographical origin of the registration request.

Answer 120

The KMS key policy does not grant the IAM role permissions to use the key for decryption

Answer 121

Add the Elastic IP addresses to the ingress rules of the instance security groups

Answer 122

Deploy an interface VPC endpoint for CodeBuild API operations

Answer 123

The KMS key specified is not enabled

Answer 124

Capture IP traffic using VPC Flow Logs and create a metric filter with an alarm that notifies the security team if connection attempts are made. Then, update NACLs to block the traffic

Answer 125

Use the AWS management console to revoke active sessions for the IAM role ## Footnote We can determine that the credentials were issued to a role rather than a user as users will use access keys rather than obtaining the credentials from AWS STS. When a role needs permissions to access an AWS service it must call the AWS STS service to obtain temporary security credentials.

Answer 126

Enables IAM policies in the 554422336677 account to allow access to the key ## Footnote By default, a policy statement like this one in this question is present in the key policy document when you create a new KMS key with the AWS Management Console. It is also present when you create a new KMS key programmatically but do not provide a key policy

Answer 127

Store the credentials in AWS Secrets Manager and choose an AWS KMS key. Enable automatic rotation every 60 days and configure the application to retrieve the secret programmatically

Answer 128

- Enable Amazon S3 server access logging to monitor and record detailed logs of the requests made to the S3 buckets - Use Amazon Athena to perform SQL queries on the server access logs in S3 and employ Amazon QuickSight for visualizing the analyzed data in an interactive dashboard

Answer 129

Remove the deny statement for Amazon RDS from the root SCP

Answer 130

- Create a metric filter and define a metric pattern that matches security group changes - Create an alarm that sends an Amazon SNS notification if security group changes are identified

Answer 131

Use KMS grants. Programmatically create and revoke grants to manage access

Answer 132

Store the environment variables in AWS Secrets Manager and access them at runtime. Use IAM permissions to restrict access to the secrets to only the Lambda functions that require access ## Footnote AWS Secrets Manager is well suited to this use case. Secrets can be stored with values up to 10KB in size and the maximum number of secrets within a Region is 500,000.

Answer 133

Create an HTTPS listener that uses a predefined security policy that supports forward secrecy (FS)

Answer 134

Enable federated access between the corporate IdP and the AWS account using IAM. Use IAM roles to provide access to AWS resources

Answer 135

Create an interface VPC endpoint for CloudWatch Logs. Configure the endpoint policy to allow the EC2 instances to use the endpoint

Answer 136

Create an interface VPC endpoint for Kinesis Data Streams. Configure the application to connect to the VPC endpoint ## Footnote Kinesis Data Streams uses TLS for all connections, so the data is encrypted in transit by default

Answer 137

- Add a condition to the S3 bucket policy that allows actions if the request meets the condition "aws:SecureTransport": "true" - Configure default encryption for the S3 bucket. Add a condition to the S3 bucket policy that denies PUT requests that don’t include the “x-amz-server-side-encryption” header

Answer 138

Update the relevant IAM policy to grant access to the resource "arn:aws:s3:::examplebucket/${aws:username}/*

Answer 139

The Lambda function execution role does not have permissions to write to CloudWatch Logs

Answer 140

Enable Amazon GuardDuty. After 48 hours, enable Amazon Detective ## Footnote When you try to enable Detective, Detective checks whether GuardDuty has been enabled for your account for at least 48 hours. If you are not a GuardDuty customer or have been a GuardDuty customer for less than 48 hours, you cannot enable Detective. You must either enable GuardDuty or wait for 48 hours. This allows GuardDuty to assess the data volume that your account produces.

Answer 141

The Lambda function does not have permissions to access the S3 bucket

Answer 142

Use AWS Config with the managed rule cloudtrail-enabled to check that CloudTrail is enabled. If the rule is NON_COMPLIANT use Systems Manager Automation to automatically remediate the issue"

Answer 143

Configure the host-based firewall within the operating system

Answer 144

Server-side encryption with AWS KMS-managed keys (SSE-KMS)

Answer 145

Use AWS KMS with AWS imported key material and then use the DeletelmportedKeyMaterial API to remove the key material

Answer 146

- Rotate and delete all root and IAM access keys - Delete any unauthorized IAM users - Delete any unauthorized resources

Answer 147

Use AWS WAF to create a rate-based rule

Answer 148

Create a custom key policy for the KMS key. Use the kms:ViaService condition key to allow the KMS key to be used only when the request comes from Amazon EC2 or Amazon RDS ## Footnote The kms:ViaService condition key limits use of an AWS KMS key to requests from specified AWS services. You can specify one or more services in each kms:ViaService condition key

Answer 149

Search CloudTrail event logs for the TerminateInstances event and identify the assumed IAM role ARN. Then, search CloudTrail event logs for the AssumeRoleWithSAML event that includes the role ARN and note the federated username

Answer 150

Add an HTTP listener with a rule that redirects HTTP requests to HTTPS. Add an HTTPS listener and choose an AWS Certificate Manager (ACM) certificate

Answer 151

Assign a distinct Lambda execution role with specific KMS key access permissions to each Lambda function

Answer 152

Utilize Service Control Policies (SCPs) in AWS Organizations to limit each team's access to only their assigned Regions and services

Answer 153

Create an IAM policy in each development account that has read-only access to Amazon EC2 resources. Assign the policy to a cross-account IAM role. Ask the security team members to assume the role from their account

Answer 154

Set up S3 bucket policies to allow access from a VPC endpoint

Answer 155

Use AWS CloudTrail. Enable forwarding to Amazon CloudWatch Logs. Create a CloudWatch Logs metric filter to match patterns indicating security group changes. Configure a CloudWatch alarm to send alerts to an Amazon SNS topic

Answer 156

Use Amazon GuardDuty to identify malicious traffic. Store the identified IP addresses in a DynamoDB table. Use Lambda to update the DynamoDB table and modify an AWS Network Firewall rule group to block the traffic ## Footnote Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity. It can identify potentially harmful behavior, such as traffic from a botnet. The suspicious IP addresses can be stored in a DynamoDB table. Lambda can be used to update the DynamoDB table and to automatically update an AWS Network Firewall rule group to block traffic from these IP addresses

Answer 157

Create an SCP that includes a Deny rule for the s3:DeleteBucket action. Apply this SCP to all the OUs in the organization

Answer 158

Implement an SCP that uses the "aws:RequestedRegion" condition to deny actions outside the approved region. Attach the SCP to the AWS account under AWS Organizations

Answer 159

- Security group TCP port 80 inbound and TCP port 80 outbound - Network ACL: TCP port 80 inbound and TCP ports 1024-65535 outbound

Answer 160

Deploy the AWS Systems Manager Agent on the EC2 instances. Access the EC2 instances using Session Manager restricting access to users with permission to manage the instances

Answer 161

Create a Web ACL with a string match condition that matches the value in the User-Agent header. Configure WAF to block requests that match the condition

Answer 162

Use AWS Config with Auto Remediation to remediate any changes to S3 bucket policies. Configure alerting with AWS Config and Amazon SNS

Answer 163

Configure the restricted-ssh managed rule in AWS Config. When the rule is NON_COMPLIANT, use the AWS Config remediation feature to publish a notification to an Amazon SNS topic

Answer 164

- Create an origin access identity (OAI) for the CloudFront distribution and update the S3 bucket policy to restrict access to the OAI - Update the distribution settings in CloudFront and configure restrictions based on the geography of the request

Answer 165

Disable source/destination checks on the EC2 proxy instances

Answer 166

Create an Amazon Athena table that uses the S3 bucket containing the access logs. Run SQL queries using Athena

Answer 167

Change the existing single-region trail to log all regions and capture API activity in a single central Amazon S3 bucket

Answer 168

Use AWS Secrets Manager and configure automatic rotation of the credentials

Answer 169

- Subscribe to AWS Shield Advanced and reach out to AWS Support in the event of an attack - Create rule statements in AWS WAF web ACLs to block matching requests relating to the attack traffic

Answer 170

Deploy the AWS Config rule “approved_ami_by_id” and specify the approved AMI IDs

Answer 171

Maintain the API endpoint type as PRIVATE. Attach a resource policy to the REST API permitting access from vpc-beta

Answer 172

- Check the SCPs set at the organizational units (OUs) - Check for the permissions boundaries set for the IAM user

Answer 173

Download the AWS-provided root certificates. Use the certificates when connecting to the RDS DB instance

Answer 174

- Check the configuration of the IAM role attached to the instance profile to ensure it has sufficient permissions - Check if an Amazon SQS policy explicitly denies access to the IAM role used by the instances

Answer 175

- Enable logging in AWS WAF settings, associate the web ACL with an Amazon Kinesis Data Firehose delivery stream - Create an Amazon Kinesis Data Firehose delivery stream in the same AWS Region as the web ACL. Specify the S3 bucket as the destination for the delivery stream

Answer 176

Create a new KMS key, import new key material, and point the key alias to the new KMS key

Answer 177

Install the unified Amazon CloudWatch agent on the EC2 instances. Configure the agent to collect the application log files and send them to Amazon CloudWatch Logs

Answer 178

Associate the Gateway VPC Endpoint with the route table of the private subnet, where the EC2 instance resides

Answer 179

Configure AWS WAF to send its log files directly to an Amazon S3 bucket for later analysis

Answer 180

Create an Amazon S3 bucket in the management account and create an Organization trail in the management account that logs to the S3 bucket

Answer 181

Use a tag-based approach by attaching a resource policy to the secret. Apply tags to the secret and the IAM principals. Use the aws:PrincipalTag and aws:ResourceTag IAM condition keys to control access.

Answer 182

Create an AWS WAF rate-based rule, and attach it to the ALB

Answer 183

The VPC where the EC2 instance was launched had the DHCP option configured for a custom OpenDNS resolver

Answer 184

Use Amazon Inspector. Create inclusion rules in Amazon ECR to match repositories that need to be scanned. Push Amazon Inspector findings to AWS Security Hub

Answer 185

- Enable Amazon GuardDuty in the AWS account. - Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team's email distribution list to the topic. - Create an Amazon EventBridge rule for GuardDuty findings of high severity. Configure the rule to publish a message to the topic.

Answer 186

Update the trust policy on the role in the target account to be:

Answer 187

Use an AWS Service Catalog portfolio that contains EC2 products with appropriate AMIs that include only approved software. Grant the developers permission to access only the Service Catalog portfolio to launch a product in the software development account.

Answer 188

Create a suppression rule in GuardDuty to filter findings by automatically archiving new findings that match the specified criteria. ## Footnote A suppression rule is a set of criteria, consisting of a filter attribute paired with a value, used to filter findings by automatically archiving new findings that match the specified criteria.

Answer 189

Recreate the ECR repositories with KMS encryption and ECR scanning enabled. Analyze the scan report after the next push of images.

Answer 190

Create an IAM permissions boundary policy that allows Amazon EC2 access. Associate the contractor's IAM account with the IAM permissions boundary policy.

Answer 191

Edit the existing trail in the Organizations management account and apply it to the organization

Answer 192

Enable Amazon GuardDuty from a centralized account. Use GuardDuty to manage AWS CloudTrail logs, VPC flow logs, and DNS logs.

Answer 193

Delete or rotate the user’s key, review the AWS CloudTrail logs in all regions, and delete any unrecognized or unauthorized resources.

Answer 194

- Create a VPC endpoint for AWS KMS with private DNS enabled - add the aws:sourceVpce condition to the AWS KMS key policy referencing the company's VPC endpoint ID

Answer 195

{ "Sid": "Logging-12345", "Resource": "*", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Effect": "Allow" }

Answer 196

- Enable default encryption with server-side encryption with AWS KMS-managed keys (SSE-KMS) on the S3 bucket. - Add a bucket policy that includes a deny if a PutObject request does not include aws:SecureTransport

Answer 197

Enable AWS CloudTrail logging across all accounts to a centralized Amazon S3 bucket. Set a lifecycle policy to move the data to Amazon Glacier after 90 days, and expire the data after 7 years

Answer 198

- Check the route tables for the application server subnets for routes to the VPC peering connection - Check the database security groups for rules that allow traffic from the application servers

Answer 199

To be alerted to unusual traffic entering and exiting your network as a potential security event

Answer 200

Modify the web ACL to deny requests from the IP addresses.

Answer 201

- the response plan doesn't cater to new services as the plan us not updated for 18 months

Answer 202

Use Systems Manager Run Command to run AWSSupprt-RunEC2RescueForWindowsTool command document.

Answer 203

Configure a VPC flow log with CloudWatch as the destination. Create a CloudWatch metric filter for destination port 22. Create a CloudWatch alarm trigger

Answer 204

Create an AWS Lambda function to perform the custom checks. Then configure a custom AWS Config rule to invoke the Lambda function.

Answer 205

- Create an IAM policy that gives the desired level of access to the CloudWatch Log group - Stream the log files to a separate CloudWatch group

Answer 206

Create an audit report to list all of the certificates that the private CA has issued or revoked. Download the JSON-formatted report from the S3 bucket.

Answer 207

- Use AWS lambda function to change the S3 bucket policy - Use AWS Config to monitor changes to the S3 bucket

Answer 208

- AWS VPN - AWS Direct Connect

Answer 209

- use AWS SSM to patch the servers - use AWS Inspector to ensure that the servers have no critical flaws

Answer 210

- check the instance status by using the Health API - check to see if the right role has been assigned to the EC2 instances - ensure that the agent is running on the instances

Answer 211

Download reports from the AWS Artifact console and provide them to the auditors

Answer 212

Enable EBS encryption during launch

Answer 213

- respond to any notifications you received from AWS Support - Change your AWS account root user password - rotate access keys if they were authorised and are still needed, otherwise delete them

Answer 214

Use the IAM Encryption CLI to encrypt the data first

Answer 215

Use AWS IAM Access Analyzer to analyze the polices. View the findings from policy validation checks.

Answer 216

Configure IAM WAF with a rate-based rule that imposes a rate limit that automatically blocks requests when the rate limit is exceeded.

Answer 217

Develop the application to use the CloudFront key pair to set the signed cookies that users will use to access the content. ## Footnote Utilizing CloudFront signed cookies is the simplest and most effective way to protect HLS video content for paying subscribers. Signed cookies provide access control for multiple files, such as video chunks in HLS streaming, without the need to generate a signed URL for each video chunk. This method simplifies the process for long video events with thousands of chunks, enhancing user experience while ensuring content protection.

Answer 218

Call the abort-vault-lock operation. Update the policy. Call the initiate-vault-lock operation again.

Answer 219

Implement S3 Object Lock in compliance mode in the primary Region. Configure S3 replication to replicate the objects to an S3 bucket in the secondary Region. ## Footnote Implementing S3 Object Lock in compliance mode on the primary Region and configuring S3 replication to a secondary Region ensures the immutability of S3 objects, preventing them from being deleted or altered. This setup meets the requirement of protecting critical data from permanent deletion, even by users with administrative access. The replicated objects in the secondary Region inherit the Object Lock from the primary, ensuring consistent protection across Regions and aligning with disaster recovery requirements.

Answer 220

Create a new AWS account in the organization. Enable GuardDuty in the new account. Designate the new account as the delegated administrator account for GuardDuty. Configure GuardDuty to add existing accounts as member accounts. Select the option to automatically add new AWS accounts to the organization

Answer 221

- Create a conformance pack that contains the 10 required AWS Config rules. Deploy the conformance pack from the security-01 account - Create an AWS CloudFormation template that will activate AWS Config. Deploy the template by using CloudFormation StackSets in the management-01 account

Answer 222

Create a new AWS account in the organization. Enable GuardDuty in the new account. Designate the new account as the delegated administrator account for GuardDuty. Configure GuardDuty to add existing accounts as member accounts. Select the option to automatically add new AWS accounts to the organization

Answer 223

Create an AWS WAF web ACL for the ALB. Create a custom rule that blocks requests that contain the user agent string of the device emulator. ## Footnote To mitigate a credential stuffing attack against a web-based application behind an Application Load Balancer (ALB), creating an AWS WAF web ACL with a custom rule to block requests containing the known malicious user agent string is an effective solution. This approach allows for precise targeting of the attack vector (the user agent string of the device emulator) without impacting legitimate users. AWS WAF provides the capability to inspect HTTP(S) requests and block those that match defined criteria, such as specific strings in the user agent header, thereby preventing malicious requests from reaching the application.

Answer 224

Store the client token as a SecureString parameter in AWS Systems Manager Parameter Store. Use the AWS SDK to retrieve the value of the SecureString parameter in the Lambda function.

Answer 225

Verify that a metric filter was created and then mapped to an alarm. Check the alarm notification action.

Answer 226

Search the Cloudtrail event history on the API events which occurred 11 days ago.

Answer 227

Opt for enhanced scanning and specify a filter for a scan on push ## Footnote With enhanced scanning, Amazon ECR integrates with Amazon Inspector to provide automated, continuous scanning of your repositories. Your container images are scanned for both operating systems and programming language package vulnerabilities. As new vulnerabilities appear, the scan results are updated and Amazon Inspector emits an event to EventBridge to notify you.

Answer 228

Enable CloudTrail to monitor data events for read and write operations for S3 buckets

Answer 229

Create an AWS Identity and Access Management (IAM) role for the Lambda function that also grants access to the S3 bucket. Configure the IAM role as the Lambda functions execution role. Verify that the S3 bucket policy doesn't explicitly deny access to your Lambda function or its execution role

Answer 230

- Enable trails and set up CloudTrail events to review and monitor management activities of all AWS accounts by logging these activities into CloudWatch Logs using a KMS key. Ensure that CloudTrail is enabled for all accounts as well as all available AWS services - Leverage Config rules to audit changes to AWS resources and monitor the compliance of the configuration by running the evaluations for the rule at a frequency that you choose. Develop AWS Config custom rules to establish a test-driven development approach by triggering the evaluation when any resource that matches the rule's scope changes in configuration

Answer 231

Add an inbound rule to the security group of the database instance in VPC1, with the source as the CIDR block of VPC2 (VPC for the instances launched by the Auto Scaling Group)

Answer 232

- Create an IAM role for the CI/CD pipeline to be used for deploying application resources - The security team should create a permissions boundary policy and attach it to the IAM role used by the CI/CD pipeline

Answer 233

Create an Amazon Simple Notification Service (Amazon SNS) topic and configure the users of the security team as subscribers to the topic. Create an Amazon EventBridge event rule to monitor userIdentity root logins from the AWS Management Console and trigger notifications to the SNS topic when root user login activity is detected

Answer 234

First create a secret with a password generated by Secrets Manager. Then use a dynamic reference in the CloudFormation template to retrieve the username and password from the secret to use as credentials for the new database created

Answer 235

- Resource-based policies that grant permissions to an IAM role ARN are limited by an implicit deny in a permissions boundary or session policy - If a resource-based policy grants permission directly to the IAM user or the session principal that is making the request, then an implicit deny in an identity-based policy, a permissions boundary, or a session policy does not impact the final decision

Answer 236

- The IAM identity that creates a KMS key is not considered to be the key owner. Like any other identity, the key creator needs to get permission through a key policy, IAM policy, or grant - AWS identities that have the kms:CreateKey permission can set the initial key policy and give themselves permission to use or manage the key ## Footnote KMS keys belong to the AWS account in which they were created. However, no identity or principal, including the AWS account root user, has permission to use or manage a KMS key unless that permission is explicitly provided in a key policy, IAM policy, or grant. The IAM identity that creates a KMS key is not considered to be the key owner and they don't automatically have permission to use or manage the KMS key that they created. Like any other identity, the key creator needs to get permission through a key policy, IAM policy, or grant.

Answer 237

Create a resource policy for your REST API that denies access to any IP address that isn't specifically allowed. In the resource policy, for aws:SourceIp, give the value of the specific public IP address ranges that you want to grant access to ## Footnote After the resource policy is attached to your REST API, users who call the API from specified IP addresses (allowed users) can access the API. Calls from any other IP address are denied access and receive an HTTP 403 Forbidden error. The aws:SourceIp condition value works only for public IP address ranges. **To allow access to private IP address ranges, use the condition value aws:VpcSourceIp and enter the private IP address of your HTTP client that's invoking your private API endpoint through the interface VPC endpoint. This configuration is not correct for public IPs.**

Answer 238

Configure a traffic mirror target for the monitoring appliance. Create a traffic mirror filter with a rule for outbound traffic to reject all packets that have a destination IP in the VPC CIDR block and accept all other outbound packets. Also, create another rule for inbound traffic to reject all packets that have a source IP in the VPC CIDR block and accept all other inbound packets

Answer 239

- Use Amazon Cognito to manage user identities in your mobile application. You can then use the Amazon Cognito credentials provider to manage credentials that your application uses to make requests to access AWS resources - Define an IAM role that has appropriate permissions for the application and launch the Amazon EC2 instance with this role associated with the instance - Use an IAM role to establish trust between accounts, and then grant users in one account limited permissions to access the trusted account

Answer 240

- Modify the bucket policy to allow root user access from the Amazon S3 console or the AWS CLI - If there is a bucket policy on the Amazon S3 bucket that doesn't specify the AWS account root user as a principal, the root user is denied access to that bucket

Answer 241

Leverage an AWS KMS custom key store backed by AWS CloudHSM clusters. Copy backups across Regions

Answer 242

- Configure AWS CloudTrail to send trail events to Amazon CloudWatch Logs. Create a metric filter for the relevant log group with a filter pattern having eventName as ConsoleLogin and errorMessage as Failed authentication - Create a CloudWatch alarm with the threshold parameter set to 3 and the period parameter set to 5 minutes. The alarm action is a notification sent to an Amazon Simple Notification Service (Amazon SNS) topic subscribed by the concerned manager(s)

Answer 243

- Verify that SSM Agent is installed on the instance - Create an AWS Identity and Access Management (IAM) instance profile for Systems Manager. Attach the IAM role to your private EC2 instance - Create three virtual private cloud (VPC) endpoints for Systems Manager with service names: com.amazonaws.[region].ssm, com.amazonaws.[region].ec2messages, com.amazonaws.[region].ssmmessages

Answer 244

Establish a Lambda execution role that provides access to the KMS key for each Lambda function

Answer 245

Create a CloudFront distribution with Origin Access Control (OAC). Make your S3 bucket private and configure access through Amazon CloudFront only by using signed requests to access the S3 bucket

Answer 246

Create an Amazon CloudWatch alarm that monitors AWS Shield Advanced CloudWatch metrics for an active DDoS event ## Footnote AWS Shield Advanced reports metrics to Amazon CloudWatch on an AWS resource more frequently during DDoS events than when no events are underway. Shield Advanced reports metrics once a minute during an event, and then once right after the event ends. While no events are underway, Shield Advanced reports metrics once a day, at a time assigned to the resource. This periodic report keeps the metrics active and available for use in custom CloudWatch alarms.

Answer 247

Create Service control policies (SCPs) that deny access to any operations outside of the designated AWS Regions. Apart from the Condition and Resource elements, configure the NotAction element to allow access to the required AWS services

Answer 248

- Set up a CloudWatch Events rule that is triggered on any API call from the root user - Using Amazon SNS as a target of the trigger that further notifies the security team

Answer 249

Use AWS CloudFormation Guard (cfn-guard), an open-source tool that helps you write compliance rules and validate the CloudFormation templates against those rules

Answer 250

Configure a single Amazon S3 bucket to hold all data. Use server-side encryption with Amazon S3 managed keys (SSE-S3) to encrypt the data

Answer 251

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:PutObject", "Resource": "*", "Condition": { "DateGreaterThan": {"aws:CurrentTime": "2023-04-01T00:00:00Z"}, "DateLessThan": {"aws:CurrentTime": "2023-04-30T23:59:59Z"} } } ] }

Answer 252

- Amazon Inspector - Amazon SNS

Answer 253

Enable AWS CloudTrail and configure the trail to send the logs to Amazon CloudWatch Logs. Configure a CloudWatch metric filter for the log group with a filter pattern on all security group changes. Create a CloudWatch alarm based on the log group-metric filter to publish notifications to an Amazon SNS topic

Answer 254

- AWS Security Hub sends the Amazon GuardDuty findings to Amazon Detective to visualize and investigate the findings - AWS Firewall Manager sends findings to Security Hub when AWS Shield Advanced is not protecting the resources

Answer 255

- Use suppression rules and create a rule that consists of two filter criteria. The first criterion is finding type, which should be UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS - The second filter criterion is API caller IPv4 address with the IP address or CIDR range of the on-premises internet gateway

Answer 256

- Ensure that the database client software uses a TLS connection to Amazon RDS. Enable encryption of the Amazon RDS DB instance - Enable encryption on the Amazon Elastic Block Store (Amazon EBS) volumes that support the Amazon EC2 instances - Use TLS certificates from AWS Certificate Manager (ACM) with an Application Load Balancer. Deploy self-signed certificates on the EC2 instances

Answer 257

Combine AWS Direct Connect with AWS Site-to-Site VPN

Answer 258

Use AWS Resource Access Manager (AWS RAM) to share the subnets in Account X's centrally managed VPC with the other member accounts. Configure the member accounts to use the shared subnets to launch workloads

Answer 259

{ "Statement": [ { "Principal": "*", "Action": [ "execute-api:Invoke" ], "Effect": "Allow", "Resource": [ "arn:aws:execute-api:us-east-1:123412341234:a1b2c3d4e5/*", "arn:aws:execute-api:us-east-1:123412341234:aaaaa11111/*" ] } ] }

Answer 260

Use Amazon Cognito with AWS SDKs for mobile development to create unique identities for the users

Answer 261

Add a VPC Interface Endpoint for Secrets Manager and configure the Lambda function's subnet to use it

Answer 262

- Implement an AWS CloudTrail trail as an organizational trail. Configure the trail to forward the trail data to an Amazon CloudWatch Logs log group - In CloudWatch Logs, set a metric filter for any user action event the company needs to track. Create an Amazon CloudWatch alarm against the metric. When triggered, the alarm sends notifications to the subscribed users through an Amazon Simple Notification Service (Amazon SNS) topic

Answer 263

Implement the KMS import key function to perform an immediate delete operation

Answer 264

Create a URI-specific rate-based WAF rule to prevent a single source IP address from connecting to the login page more than a defined threshold number of times, over a given period

Answer 265

The EC2 instance is in a private subnet and it does not have the com.amazonaws.us-east-1.ssmmessages VPC endpoint for Session Manager

Answer 266

Verify that kms:Decrypt permissions are specified in the key policy, otherwise, they need to be added to the policy ## Footnote The AWS CLI (aws s3 commands), AWS SDKs, and many third-party programs automatically perform a multipart upload when the file is large. To perform a multipart upload with encryption using an AWS KMS key, the requester must have kms:GenerateDataKey and kms:Decrypt permissions. The kms:GenerateDataKey permissions allow the requester to initiate the upload. With kms:Decrypt permissions, newly uploaded parts can be encrypted with the same key used for previous parts of the same object.

Answer 267

- When you activate private DNS for an interface VPC endpoint, you can no longer access API Gateway public APIs from your Amazon VPC - The security groups that you choose must have a rule that allows TCP Port 443 inbound HTTPS traffic from an IP address range in your Amazon VPC

Answer 268

- Use VPC security groups to control the network traffic to and from your file system - Use an IAM policy to control access for clients who can mount your file system with the required permissions

Answer 269

- When you enable both GuardDuty and Security Hub, the mutual integration is enabled automatically. GuardDuty immediately begins to send findings to Security Hub - AWS Config must be enabled as a pre-requisite for using Security Hub

Answer 270

Create an S3 bucket policy in the Audit account that allows access to the S3 bucket for the user from the Finance account

Answer 271

1. Inactivate the publicly exposed IAM access key 2. Create a new access key and secret access key pair for the IAM user 3. Update the application to use the new credentials 4. Revoke any temporary AWS Security Token Service (AWS STS) credentials associated with the IAM user 5. Delete AWS Management Console credentials associated with the IAM user

Answer 272

To view traffic passing through Route 53 resolver endpoints, configure Amazon Virtual Private Cloud (Amazon VPC) Traffic Mirroring ## Footnote Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an elastic network interface of type interface. You can then send the traffic to out-of-band security and monitoring appliances for content inspection, threat monitoring and troubleshooting.

Answer 273

Leverage geographic restrictions in CloudFront to deny traffic from a specific set of countries

Answer 274

- Enable object-level logging for S3. Set up an EventBridge event pattern when a PutObject API call with public-read permission is detected in the AWS CloudTrail logs and set the target as an SNS topic for downstream notifications - Configure a Lambda function as one of the SNS topic subscribers, which is invoked to secure the objects in the S3 bucket

Answer 275

Configure an S3 VPC endpoint and create an S3 bucket policy to allow access only from this VPC endpoint

Answer 276

Create an identity-based policy with the IAM aws:RequestedRegion condition key that denies access to all actions outside the specified Region, except for actions related to the global AWS services specified using NotAction. Attach the policy to the developers IAM group

Answer 277

Configure the DaysToExpiry CloudWatch metric to schedule a batch search of expiring ACM certificates and trigger an AWS Lambda function to send the certificates-to-be-expired notification to an SNS topic. This Lambda function can also be configured to log all the expiring certificates as findings in Security Hub

Answer 278

Turn on enhanced scanning for your Amazon ECR registry. By default, the duration of the scans is set to Lifetime. When enhanced scanning is turned on, Amazon ECR sends scan events to EventBridge which can be configured for further notifications to specified teams

Answer 279

- The target instance’s security group has rules that are not using the correct IP addresses to allow traffic from the NLB - The target instance’s security group has no rules that allow traffic from the NLB's IP Addresses - The target instance’s subnet network ACL does not allow traffic from the NLB's IP Addresses

Answer 280

Change the behavior of SES by using configuration sets. Set the TlsPolicy property for a configuration set to Require

Answer 281

Enable the AWS Config access-keys-rotated managed rule and configure the maxAccessKeyAge parameter to 30 days. Have AWS Config apply remediation using AWS Systems Manager Automation document for every non-compliant resource. The Automation document, in turn, publishes a customized message to an SNS topic

Answer 282

Have Security Hub ingest GuardDuty findings and send events to Kinesis Data Streams via EventBridge. Configure a Lambda function to process the data stream and block traffic to/from the suspicious instance by updating the security group so that it has no inbound and outbound rules

Answer 283

Use AWS Organizations to set a service control policy that denies the kms:Delete* and kms:ScheduleKeyDeletion actions for all accounts within the organization

Answer 284

Ensure that the Security Groups and Network Access Control Lists (NACLs) in both VPCs allow traffic

Answer 285

Remove the instance from the Auto Scaling group and deregister the instance from the Elastic Load Balancer. Place the instance within an isolation security group and snapshot the Amazon EBS data volumes that are attached to the EC2 instance. Launch an EC2 instance with a forensic toolkit and attach an EBS volume created from the snapshot of the suspicious EBS volume

Answer 286

Create an Amazon EventBridge rule that includes an event pattern that matches Medium/High severity GuardDuty findings. Set up an Amazon Simple Notification Service (Amazon SNS) topic. Configure the third-party ticketing email system as a subscriber to the SNS topic. Set the SNS topic as the target for the EventBridge rule

Answer 287

Create a TCP listener using a Network Load Balancer and implement mTLS on the target

Answer 288

Copy the data directly from the EBS encrypted volume before the volume is detached from the EC2 instance

Answer 289

- Create a Service Control Policy (SCP) that denies all requests that are not sent using SSL (TLS) and also prevents an account from leaving the organization. Apply the SCP to the root of the organization - The application team has to create an IAM role in Account A1, that the application running on the EC2 instance will use to get objects from the S3 bucket in Account A2. A resource-based policy has to be attached to the bucket in the data lake account (Account A2) that grants read access to the role in the application account (Account A1)

Answer 290

Create a cache policy. Then, associate the cache policy with the cache behavior that must forward the Authorization header

Answer 291

Configure SAML-based authentication tied to an IAM role that has the PowerUserAccess managed policy attached to it. Attach a customer-managed policy that denies access to RDS in any AWS Region except us-east-1

Answer 292

Configure AWS Web Application Firewall (AWS WAF) to feed logs to Amazon S3 bucket via Amazon Kinesis Data Firehose. Set up an AWS Glue crawler job and an Amazon Athena table to query for required data and create visualizations using Amazon QuickSight dashboards

Answer 293

If you use a custom DNS resolver, then GuardDuty cannot access and process data from this data source ## Footnote If you use AWS DNS resolvers for your Amazon EC2 instances (the default setting), then GuardDuty can access and process your request and response DNS logs through the internal AWS DNS resolvers. If you use another DNS resolver, such as OpenDNS or GoogleDNS, or if you set up your own DNS resolvers, then GuardDuty cannot access and process data from this data source.

Answer 294

Use the Amazon S3 console to update the prefix in the current bucket policy, and then use the CloudTrail console to specify the same prefix for the bucket in the trail

Answer 295

Configure the WAF web ACL to deliver logs to Amazon Kinesis Data Firehose, which should be configured to eventually store the logs in an Amazon S3 bucket. Use Athena to query the logs for errors and tracking

Answer 296

The aws:PrincipalOrgID global condition key can be used with the Principal element in a resource-based policy with AWS KMS. You need to specify the Organization ID in the Condition element

Answer 297

Use encryption context that you can use to verify the authenticity of AWS KMS API calls and the integrity of the ciphertext returned by the AWS Decrypt API ## Footnote All AWS KMS cryptographic operations with symmetric encryption KMS keys accept an encryption context, an optional set of key–value pairs that can contain additional contextual information about the data. AWS KMS uses the encryption context as additional authenticated data (AAD) to support authenticated encryption.

Answer 298

Apply a custom IAM policy to restrict the permissions of the IAM role for creating EC2 instances in a specified VPC with tags using the policy condition ec2:ResourceTags to limit control to instances

Answer 299

Add the logs:CreateLogStream action to the second Allow statement

Answer 300

- Create an AWS WAF ACL and use an IP match condition to allow traffic only from those IPs that are allowed in the EC2 security group. Associate this new WAF ACL with the CloudFront distribution - Configure an origin access identity (OAI) and associate it with the CloudFront distribution. Set up the permissions in the S3 bucket policy so that only the OAI can read the objects

Answer 301

- You can contact the AWS Support Center to get help with mitigations if you're a Shield Advanced customer - Create your own AWS WAF rules in your web ACL to mitigate the attack ## Footnote For application layer (layer 7) DDoS attacks, AWS attempts to detect and notify AWS Shield Advanced customers through CloudWatch alarms. By default, it doesn't automatically apply mitigations, to avoid inadvertently blocking valid user traffic. For application layer (layer 7) resources, you have the following options available for responding to an attack. 1. Provide your own mitigations – You can investigate and mitigate the attack on your own. To manually mitigate a potential application layer DDoS attack you can create your own AWS WAF rules in your web ACL to mitigate the attack. This is the only option available if you aren't a Shield Advanced customer.

Answer 302

- Ensure that IP addresses added in the trusted IP list are publicly routable IPv4 addresses - Ensure that the trusted IP lists are uploaded in the same AWS Region as your GuardDuty findings ## Footnote Trusted IP lists and threat lists are account and Region-specific. At any given time, you can have only one uploaded trusted IP list per AWS account per Region. Whereas, you can have up to six uploaded threat lists per AWS account per Region.

Answer 303

Configure the application security groups to ensure that only the necessary ports are open. Use Amazon Inspector to periodically scan the EC2 instances for vulnerabilities ## Footnote To scan for known vulnerabilities, use Amazon Inspector. Amazon Inspector is an automated vulnerability management service that continually scans Amazon Elastic Compute Cloud (EC2) and container workloads for software vulnerabilities and unintended network exposure. You can enable Amazon Inspector for your entire organization or an individual account with a few clicks in the AWS Management Console. Once enabled, Amazon Inspector automatically discovers running Amazon EC2 instances and Amazon ECR repositories and immediately starts continually scanning workloads for software vulnerabilities and unintended network exposure

Answer 304

- When the Owner uploaded the object, the upload event occurs in Owner's account and it matches the settings for Owner's trail. The trail processes and logs the event in Owner's account - When Bob uploaded the object, the upload event occurred in Bob's account and it matches the settings for Bob's trail. Bob's trail processes and logs the event. The Owner's trail settings also match the event, so the event is logged in Owner's trail too

Answer 305

- Rotate and delete all root and AWS Identity and Access Management (IAM) access keys - Check your AWS account bill to know the charged resources - Use AWS Git projects to scan for evidence of unauthorized use

Answer 306

- Use AWS CloudTrail Event history to review security group changes in your AWS account - Use AWS Config to view configuration history for security groups. You must have the AWS Config configuration recorder turned on - Create an AWS CloudTrail trail configured to log to an Amazon Simple Storage Service (Amazon S3) bucket. Use Athena to query CloudTrail Logs over the last 30-45 days

Answer 307

- The IP will be processed by the trusted IP list first, and will not generate a finding - Attach AmazonGuardDutyFullAccess managed policy to provide full access privileges to an identity to work with trusted IP lists and threat lists. You also need to add the following privileges { "Effect": "Allow", "Action": [ "iam:PutRolePolicy", "iam:DeleteRolePolicy" ], "Resource": "arn:aws:iam::123456789123:role/aws-service-role/guardduty.amazonaws.com/AWSServiceRoleForAmazonGuardDuty" }

Answer 308

- Implement local firewall rules using iptables based restrictions on the instances ## Footnote iptables is a command line interface used to set up and maintain tables for the Netfilter firewall for IPv4, included in the Linux kernel. The firewall matches packets with rules defined in these tables and then takes the specified action on a possible match.

Answer 309

Use AWS Config with a managed rule cloudtrail-enabled to trigger a remediation action to fix the non-compliant status using AWS Systems Manager Automation documents

Answer 310

Set up a new S3 bucket in the us-east-1 region with replication enabled from this new bucket into another bucket in us-west-1 region. Enable SSE-KMS encryption on the new bucket in us-east-1 region by using an AWS KMS multi-region key. Copy the existing data from the current S3 bucket in us-east-1 region into this new S3 bucket in us-east-1 region ## Footnote AWS KMS supports multi-region keys, which are AWS KMS keys in different AWS regions that can be used interchangeably – as though you had the same key in multiple regions. Each set of related multi-region keys has the same key material and key ID, so you can encrypt data in one AWS region and decrypt it in a different AWS region without re-encrypting or making a cross-region call to AWS KMS.

Answer 311

If auto remediate any non-compliant resources isn't turned on, then the Firewall Manager created web ACL won't be associated with in-scope resources

Answer 312

Use Amazon Detective in conjunction with Amazon GuardDuty to monitor malicious activity and unauthorized behavior on the AWS resources and quickly identify the root cause of potential security issues through linked datasets

Answer 313

Create a new CMK and import the new key material into it. Point the key alias of the older CMK to the new CMK created

Answer 314

Delete or rotate the user’s key. Review the AWS CloudTrail logs in all AWS regions and delete any unauthorized resources created or updated

Answer 315

- Create a new Amazon S3 bucket in the centralized account to store all the CloudTrail log files. Enable log file validation on all Trails in AWS accounts of all business units. Use unique log file prefixes for trails in each AWS account - Apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the s3 PutObject action and the s3 GetBucketACL action, and specify the appropriate resource ARNs for the CloudTrail trails

Answer 316

- Specify an administrator account in GuardDuty and then use the administrator account to invite other AWS accounts to become member accounts. Add the threat list to the administrator account by referencing the S3 object that contains the threat list - Upload the threat list to an Amazon S3 bucket and share the access with the administrator account

Answer 317

Create a new AWS account with limited privileges. Allow the newly created account to access the AWS KMS CMK key used to encrypt the EBS snapshots. Copy the encrypted snapshots to the new account on a regular basis

Answer 318

Use S3 Object Lock ## Footnote Amazon S3 Object Lock is an Amazon S3 feature that allows you to store objects using a write once, read many (WORM) model. You can use WORM protection for scenarios where it is imperative that data is not changed or deleted after it has been written. Whether your business has a requirement to satisfy compliance regulations in the financial or healthcare sector, or you simply want to capture a golden copy of business records for later auditing and reconciliation, S3 Object Lock is the right tool for you. Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely.

Answer 319

Leverage the Amazon EC2 console to enable encryption of new EBS volumes by default. Leverage the Auto Scaling group's instance refresh feature to replace existing instances with new instances

Answer 320

Create an IAM group having the development team users. Add a customer-managed policy with Deny Effect to the group for all s3:*actions with the condition defined as "Condition" : { "BoolIfExists" : { "aws:MultiFactorAuthPresent" : "false" } } ## Footnote AWS recommends the use of BoolIfExists operator to check whether a request is authenticated using MFA. The aws:MultiFactorAuthPresent key is not present when an API or CLI command is called with long-term credentials, such as user access key pairs. Therefore AWS recommends that when you check for this key that you use the IfExists versions of the condition operators

Answer 321

- Launch a temporary instance and attach the volume to it as a secondary volume. Delete the .run-once file from the instance, located at %ProgramData%/Amazon/EC2Launch/state/.run-once - Verify that the EC2Launch v2 service is running. Detach the EBS root volume from the instance - Reattach the volume to the original instance as the root volume and connect to the instance using its key pair to retrieve the administrator password. Connect to the instance using its current public DNS name

Answer 322

Block requests that contain a specific User-Agent in the request using custom Rules. Block requests that don’t contain a User-Agent header using either AWS Managed Rules or custom rules

Answer 323

- The security group of the ALB should have an inbound rule from anywhere on port 443 - The security group of RDS should have an inbound rule from the security group of the EC2 instances in the ASG on port 5432 - The security group of the EC2 instances should have an inbound rule from the security group of the ALB on port 80

Answer 324

Add launch constraint(s) to each product in the service catalog portfolio ## Footnote A launch constraint specifies the AWS Identity and Access Management (IAM) role that Service Catalog assumes when an end user launches, updates, or terminates a product. An IAM role is a collection of permissions that an IAM user or AWS service can assume temporarily to use AWS services.

Answer 325

- The security groups assigned to Application Load Balancers should be configured to not use connection tracking - If you are subscribed to AWS Shield Advanced, you can register Elastic IP addresses as Protected Resources - When using Amazon CloudFront and AWS WAF with Amazon API Gateway, configure the cache behavior for your distributions to forward all headers to the API Gateway regional endpoint

Answer 326

- The cross-account access points don’t grant access to data until you are granted permissions from the bucket owner - You can't configure Cross-Region Replication to operate through an access point - You can only use access points to perform operations on objects. You can't use access points to perform Amazon S3 operations, such as modifying or deleting buckets

Answer 327

As the CMK was deleted a day ago, it must be in the 'pending deletion' status and hence you can just cancel the CMK deletion and recover the key

Answer 328

- Create a Lambda function that polls Config to detect non-compliant resources daily and send notifications via Amazon SNS - Create a Lambda function containing the logic to determine if a resource is compliant or non-compliant. Create a custom Config rule that uses this Lambda function as its source

Answer 329

Set up an AWS Web Application Firewall (WAF) web ACL. Create a rule to deny any requests that do not originate from the specified country. Attach the rule with the web ACL. Attach the web ACL with the ALB

Answer 330

- If a user or role has an IAM permission policy that grants access to an action that is either not allowed or explicitly denied by the applicable SCPs, the user or role can't perform that action - SCPs do not affect service-linked role - SCPs affect all users and roles in attached accounts, including the root user

Answer 331

When you change a security group rule, its tracked connections are not immediately interrupted. The tracked connections need to be configured to change to untracked connections and then apply the isolation security group to isolate the compromised instance

Answer 332

- Configure AWS Security Hub to have a central dashboard for higher visibility of the environment and remediate issues quickly - Use Amazon Athena to analyze data in Amazon Simple Storage Service (Amazon S3) to retrieve any amount of data from anywhere—using standard SQL - Store the data cost-effectively on Amazon S3 buckets and use Amazon Macie to automatically discover, classify and protect the highly sensitive data

Answer 333

Use the aggregator feature of AWS Config to provide access to AWS Config data to both accounts without the need to share the management account details ## Footnote An aggregator is an AWS Config resource type that collects AWS Config configuration and compliance data from multiple AWS accounts and Regions into a single account and Region to get a centralized view of your resource inventory and compliance.

Answer 334

- Use WAF IP set statement that specifies the IP addresses that you want to allow through - Use WAF geo match statement listing the countries that you want to block

Answer 335

You can use an Internet Gateway ID as the custom source for the inbound rule

Answer 336

Enable WAF comprehensive logs that are delivered through Amazon Kinesis Firehose to a destination of your choice ## Footnote AWS WAF supports full logging of all web requests inspected by the service. Customers can store these logs in Amazon S3 for compliance and auditing needs as well as use them for debugging and additional forensics. The logs will help customers understand why certain rules are triggered and why certain web requests are blocked. Customers can also integrate the logs with their SIEM and log analysis tools.

Answer 337

- Add the condition as { "Bool": { "kms:GrantIsForAWSResource": true } to the IAM user policy - Add the as kms:CreateGrant to the IAM user policy

Answer 338

Create an encrypted snapshot of the database, share the snapshot, and allow access to the AWS Key Management Service (AWS KMS) encryption key

Answer 339

kms:GenerateDataKey

Answer 340

Revoke all active sessions for the IAM role. Update the S3 bucket policy to deny access to the IAM role. Remove the IAM role from the EC2 instance profile

Answer 341

- If the requests are routed through a VPC endpoint, then check for any restrictions coming from the associated VPC endpoint policy - A session policy is in place and is causing an authorization issue

Answer 342

- Configure CloudWatch Event to filter GuardDuty findings when a malicious activity is suspected. Configure the CloudWatch Event to invoke a Lambda function to parse the GuardDuty finding and store it in the Amazon DynamoDB table, if required - After checking the existing entries in the Amazon DynamoDB table, AWS Lambda function creates a Rule inside AWS WAF and in a VPC NACL, and a notification email is sent via Amazon Simple Notification Service (SNS)

Answer 343

Set up a service control policy (SCP) that prohibits changes to CloudTrail, and attach it to the developer accounts

Answer 344

- In the IAM console, under the Permissions tab, look for a policy named AWSExposedCredentialPolicy_DO_NOT_REMOVE. If the user has this policy attached, then rotate the access keys for the user - Create new access keys and modify the application to use new ones. Deactivate the exposed account access keys immediately. Subsequently, delete the exposed keys only when you have verified the proper functioning of the application - If you must retain an EC2 instance for regulatory, compliance, or legal reasons, then create an Amazon EBS snapshot before terminating the instance

Answer 345

- Use an origin group with primary and secondary origins to configure CloudFront for high-availability and failover - CloudFront can route to multiple origins based on the content type - Use field-level encryption in CloudFront to protect sensitive data for specific content ## Footnote Field-level encryption allows you to enable your users to securely upload sensitive information to your web servers. The sensitive information provided by your users is encrypted at the edge, close to the user, and remains encrypted throughout your entire application stack. This encryption ensures that only applications that need the data—and have the credentials to decrypt it—can do so.

Answer 346

Review the abuse notice and reply explaining how you will prevent the abusive activity from recurring in the future

Answer 347

Check if the IAM user credentials are stored in the .aws/credentials file. Because these credentials have higher precedence over role credentials, IAM user credentials will be used to make the API calls. Delete the credentials file

Answer 348

The associated AWS Config managed rules are deleted. Any associated AWS WAF web access control lists (web ACLs) that don't contain any resources are deleted

Answer 349

Set up an Amazon CloudWatch alarm that monitors Shield Advanced metrics for an active DDoS event

Answer 350

Create an Amazon CloudWatch metric filter that processes CloudTrail logs having API call details and looks at any errors by factoring in all the error codes that need to be tracked. Create an alarm based on this metric's rate to send an SNS notification to the required team

Answer 351

Install and configure the unified CloudWatch agent on the application's EC2 instance. Create a CloudWatch metric filter to monitor the application logs. Configure CloudWatch alerts based on these metrics

Answer 352

- IAM user or IAM role policy should include the following IAM permissions: "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams" - Creating an Amazon Machine Image (AMI) after the CloudWatch agent is installed can lead to errors in the CloudWatch agent ## Footnote It's a best practice to install the CloudWatch agent at launch using AWS CloudFormation, AWS Systems Manager Agent (SSM Agent), user data scripts, or the AWS CLI. It is also a best practice to create an AMI before installing the CloudWatch agent. AMIs typically capture unique information from the original instance. Metadata becomes out of sync, and this state can lead to the CloudWatch agent not working as intended. Out-of-sync metadata is the reason that many Windows instances require Sysprep when working with AMI.

Answer 353

CloudWatch alarm might be configured to treat a missing data point the same way as a breaching data point. Configure the alarm to evaluate missing data points as NOT BREACHING

Answer 354

- Use Amazon Route 53 to distribute traffic - Move the static content to Amazon S3, and front this with an Amazon CloudFront distribution. Configure another layer of protection by adding AWS Web Application Firewall (AWS WAF) to the CloudFront distribution

Answer 355

- An outbound rule must be added to the Network ACL (NACL) to allow the response to be sent to the client on the ephemeral port range ## Footnote Security groups are stateful, so allowing inbound traffic to the necessary ports enables the connection. Network ACLs are stateless, so you must allow both inbound and outbound traffic. By default, each custom Network ACL denies all inbound and outbound traffic until you add rules.

Answer 356

Use Patch Manager, a capability of AWS Systems Manager to automatically scan your instances and report compliance on a schedule, install available software updates on a schedule, and scan targets on demand

Answer 357

Configure an organizational trail with AWS CloudTrail, forwarding logs to CloudWatch Logs. Set a metric filter within CloudWatch Logs to catch specific actions and create a CloudWatch alarm to send messages to an SNS topic upon these actions

Answer 358

AWS CloudHSM

Answer 359

Share an encrypted snapshot, use a customer managed KMS key, and allow the Decrypt and CreateGrant actions for the target account in the key policy

Answer 360

- Deploy a NAT gateway in each private subnet for every Availability Zone that is in use - Place the DB instance in a private subnet - Configure the Auto Scaling group to place the EC2 instances in a private subnet

AWS Security Specialty Exam Flashcards

(385 cards)