A company has launched an Amazon EC2 instance with an Amazon Elastic Block Store (Amazon EBS) volume in the us-east-1 Region The volume is encrypted with an AWS Key Management Service (AWS KMS) customer managed key that the company's security team created The security team has created an 1AM key policy and has assigned the policy to the key The security team has also created an 1AM instance profile and has assigned the profile to the instance
The EC2 instance will not start and transitions from the pending state to the shutting-down state to the terminated state
Which combination of steps should a security engineer take to troubleshoot this issue? (Select TWO )

1. A. Verify that the KMS key policy specifies a deny statement that prevents access to the key by using the aws SourcelP condition key Check that the range includes the EC2 instance IP address that is associated with the EBS volume
2. B. Verify that the KMS key that is associated with the EBS volume is set to the Symmetric key type
3. C. Verify that the KMS key that is associated with the EBS volume is in the Enabled state
4. D. Verify that the EC2 role that is associated with the instance profile has the correct 1AM instance policy to launch an EC2 instance with the EBS volume
5. E. Verify that the key that is associated with the EBS volume has not expired and needs to be rotated

Correct Answer: CD
To troubleshoot the issue of an EC2 instance failing to start and transitioning to a terminated state when it has an EBS volume encrypted with an AWS KMS customer managed key, a security engineer should take the following steps:
* C. Verify that the KMS key that is associated with the EBS volume is in the Enabled state. If the key is not enabled, it will not function properly and could cause the EC2 instance to fail.
* D. Verify that the EC2 role that is associated with the instance profile has the correct IAM instance policy to launch an EC2 instance with the EBS volume. If the instance does not have the necessary permissions, it may not be able to mount the volume and could cause the instance to fail.
Therefore, options C and D are the correct answers.

A company’s public Application Load Balancer (ALB) recently experienced a DDoS attack. To mitigate this issue. the company deployed Amazon CloudFront in front of the ALB so that users would not directly access the Amazon EC2 instances behind the ALB.
The company discovers that some traffic is still coming directly into the ALB and is still being handled by the EC2 instances.
Which combination of steps should the company take to ensure that the EC2 instances will receive traffic only from CloudFront? (Choose two.)

1. A. Configure CloudFront to add a cache key policy to allow a custom HTTP header that CloudFront sends to the ALB.
2. B. Configure CloudFront to add a custom: HTTP header to requests that CloudFront sends to the ALB.
3. C. Configure the ALB to forward only requests that contain the custom HTTP header.
4. D. Configure the ALB and CloudFront to use the X-Forwarded-For header to check client IP addresses.
5. E. Configure the ALB and CloudFront to use the same X.509 certificate that is generated by AWS Certificate Manager (ACM).

Correct Answer: BC
To prevent users from directly accessing an Application Load Balancer and allow access only through CloudFront, complete these high-level steps: Configure CloudFront to add a custom HTTP header to requests that it sends to the Application Load Balancer. Configure the Application Load Balancer to only forward requests that contain the custom HTTP header. (Optional) Require HTTPS to improve the security of this solution.
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/restrict-access-to-load-balancer.html

A security engineer wants to use Amazon Simple Notification Service (Amazon SNS) to send email alerts to a company's security team for Amazon GuardDuty findings
that have a High severity level. The security engineer also wants to deliver these findings to a visualization tool for further examination.
Which solution will meet these requirements?

1. A. Set up GuardDuty to send notifications to an Amazon CloudWatch alarm with two targets in CloudWatc
2. B. From CloudWatch, stream the findings through Amazon Kinesis Data Streams into an Amazon OpenSearch Service domain as the first target for deliver
3. C. Use Amazon QuickSight to visualize the finding
4. D. Use OpenSearch queries for further analysi
5. E. Deliver email alerts to the security team by configuring an SNS topic as a second target for the CloudWatch alar
6. F. Use event pattern matching with an Amazon EventBridge event rule to send only High severity findings in the alerts.
7. G. Set up GuardDuty to send notifications to AWS CloudTrail with two targets in CloudTrai
8. H. From CloudTrail, stream the findings through Amazon Kinesis Data Firehose into an Amazon OpenSearch Service domain as the first target for deliver
9. I. Use OpenSearch Dashboards to visualize the finding
10. J. Use OpenSearch queries for further analysi
11. K. Deliver email alerts to the security team by configuring an SNS topic as a second target for CloudTrai
12. L. Use event pattern matching with a CloudTrail event rule to send only High severity findings in the alerts.
13. M. Set up GuardDuty to send notifications to Amazon EventBridge with two target
14. N. From EventBridge, stream the findings through Amazon Kinesis Data Firehose into an Amazon OpenSearch Service domain as the first target for deliver
15. O. Use OpenSearch Dashboards to visualize the finding
16. P. Use OpenSearch queries for further analysi
17. Q. Deliver email alerts to the security team by configuring an SNS topic as a second target for EventBridg
18. R. Use event pattern matching with an EventBridge event rule to send only High severity findings in the alerts.
19. S. Set up GuardDuty to send notifications to Amazon EventBridge with two target
20. T. From EventBridge, stream the findings through Amazon Kinesis Data Streams into an Amazon OpenSearch Service domain as the first target for deliver
21. . Use Amazon QuickSight to visualize the finding
22. . Use OpenSearch queries for further analysi
23. . Deliver email alerts to the security team by configuring an SNS topic as a second target for EventBridg
24. . Use event pattern matching with an EventBridge event rule to send only High severity findings in the alerts.

Correct Answer: C

A company is designing a multi-account structure for its development teams. The company is using AWS Organizations and AWS Single Sign-On (AWS SSO). The company must implement a solution so that the development teams can use only specific AWS Regions and so that each AWS account allows access to only specific AWS services.
Which solution will meet these requirements with the LEAST operational overhead?

1. A. Use AWS SSO to set up service-linked roles with IAM policy statements that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.
2. B. Deactivate AWS Security Token Service (AWS STS) in Regions that the developers are not allowed to use.
3. C. Create SCPs that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.
4. D. For each AWS account, create tailored identity-based policies for AWS SS
5. E. Use statements that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.

Correct Answer: C
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_syntax.html#scp-eleme

A company is using IAM Organizations. The company wants to restrict IAM usage to the eu-west-1 Region for all accounts under an OU that is named "development." The solution must persist restrictions to existing and new IAM accounts under the development OU.

1. A. Option A
2. B. Option B
3. C. Option C
4. D. Option D

Correct Answer: A