A company uses SAML federation to grant users access to AWS accounts. A company workload that is in an isolated AWS account runs on immutable infrastructure with no human access to Amazon EC2. The company requires a specialized user known as a break glass user to have access to the workload AWS account and instances in the case of SAML errors. A recent audit discovered that the company did not create the break glass user for the AWS account that contains the workload.
The company must create the break glass user. The company must log any activities of the break glass user and send the logs to a security team.
Which combination of solutions will meet these requirements? (Select TWO.)

1. A. Create a local individual break glass IAM user for the security tea
2. B. Create a trail in AWS CloudTrail that has Amazon CloudWatch Logs turned o
3. C. Use Amazon EventBridge to monitor local user activities.
4. D. Create a break glass EC2 key pair for the AWS accoun
5. E. Provide the key pair to the security tea
6. F. Use AWS CloudTraiI to monitor key pair activit
7. G. Send notifications to the security team by using Amazon Simple Notification Service (Amazon SNS).
8. H. Create a break glass IAM role for the accoun
9. I. Allow security team members to perform the AssumeRoleWithSAML operatio
10. J. Create an AWS Cloud Trail trail that has Amazon CloudWatch Logs turned o
11. K. Use Amazon EventBridge to monitor security team activities.
12. L. Create a local individual break glass IAM user on the operating system level of each workload instance.Configure unrestricted security groups on the instances to grant access to the break glass IAM users.
13. M. Configure AWS Systems Manager Session Manager for Amazon EC2. Configure an AWS Cloud Trail filter based on Session Manage
14. N. Send the results to an Amazon Simple Notification Service (Amazon SNS) topic.

Correct Answer: AE
The combination of solutions that will meet the requirements are:
A. Create a local individual break glass IAM user for the security team. Create a trail in AWS CloudTrail that has Amazon CloudWatch Logs turned on. Use Amazon EventBridge to monitor local user activities. This is a valid solution because it allows the security team to access the workload AWS account and instances using a local IAM user that does not depend on SAML federation. It also enables logging and monitoring of the break glass user activities using AWS CloudTrail, Amazon CloudWatch Logs, and Amazon EventBridge123.
E. Configure AWS Systems Manager Session Manager for Amazon EC2. Configure an AWS CloudTrail filter based on Session Manager. Send the results to an Amazon Simple Notification Service (Amazon SNS) topic. This is a valid solution because it allows the security team to access the workload instances without opening any inbound ports or managing SSH keys or bastion hosts. It also enables logging and notification of the break glass user activities using AWS CloudTrail, Session Manager, and Amazon SNS456.
The other options are incorrect because:
B. Creating a break glass EC2 key pair for the AWS account and providing it to the security team is not a valid solution, because it requires opening inbound ports on the instances and managing SSH keys, which increases the security risk and complexity7.
C. Creating a break glass IAM role for the account and allowing security team members to perform the AssumeRoleWithSAML operation is not a valid solution, because it still depends on SAML federation, which might not work in case of SAML errors8.
D. Creating a local individual break glass IAM user on the operating system level of each workload instance and configuring unrestricted security groups on the instances to grant access to the break glass IAM users is not a valid solution, because it requires opening inbound ports on the instances and managing multiple local users, which increases the security risk and complexity9.
References:
1: Creating an IAM User in Your AWS Account 2: Creating a Trail - AWS CloudTrail 3: Using Amazon EventBridge with AWS CloudTrail 4: Setting up Session Manager - AWS Systems Manager 5: Logging Session Manager sessions - AWS Systems Manager 6: Amazon Simple Notification Service 7: Connecting to your Linux instance using SSH - Amazon Elastic Compute Cloud 8: AssumeRoleWithSAML - AWS Security Token Service 9: IAM Users - AWS Identity and Access Management

A company's security engineer has been tasked with restricting a contractor's IAM account access to the company's Amazon EC2 console without providing access to any other IAM services The contractors IAM account must not be able to gain access to any other IAM service, even it the IAM account rs assigned
additional permissions based on IAM group membership
What should the security engineer do to meet these requirements''

1. A. Create an mime IAM user policy that allows for Amazon EC2 access for the contractor's IAM user
2. B. Create an IAM permissions boundary policy that allows Amazon EC2 access Associate the contractor's IAM account with the IAM permissions boundary policy
3. C. Create an IAM group with an attached policy that allows for Amazon EC2 access Associate the contractor's IAM account with the IAM group
4. D. Create a IAM role that allows for EC2 and explicitly denies all other services Instruct the contractor to always assume this role

Correct Answer: B
To restrict the contractor’s IAM account access to the EC2 console without providing access to any other AWS services, the security engineer should do the following:
Create an IAM permissions boundary policy that allows EC2 access. This is a policy that defines the maximum permissions that an IAM entity can have.
Associate the contractor’s IAM account with the IAM permissions boundary policy. This means that even if the contractor’s IAM account is assigned additional permissions based on IAM group membership, those permissions are limited by the permissions boundary policy.

A company needs to retain tog data archives for several years to be compliant with regulations. The tog data is no longer used but It must be retained
What Is the MOST secure and cost-effective solution to meet these requirements?

1. A. Archive the data to Amazon S3 and apply a restrictive bucket policy to deny the s3 DeleteOotect API
2. B. Archive the data to Amazon S3 Glacier and apply a Vault Lock policy
3. C. Archive the data to Amazon S3 and replicate it to a second bucket in a second IAM Region Choose the S3 Standard-Infrequent Access (S3 Standard-1A) storage class and apply a restrictive bucket policy to deny the s3 DeleteObject API
4. D. Migrate the log data to a 16 T8 Amazon Elastic Block Store (Amazon EBS) volume Create a snapshot of the EBS volume

Correct Answer: B
To securely and cost-effectively retain log data archives for several years, the company should do the following:
Archive the data to Amazon S3 Glacier and apply a Vault Lock policy. This allows the company to use a low-cost storage class that is designed for long-term archival of data that is rarely accessed. It also allows the company to enforce compliance controls on their S3 Glacier vault by locking a vault access policy that cannot be changed.

An application is running on an Amazon EC2 instance that has an IAM role attached. The IAM role provides access to an AWS Key Management Service (AWS KMS) customer managed key and an Amazon S3 bucket. The key is used to access 2 TB of sensitive data that is stored in the S3 bucket.
A security engineer discovers a potential vulnerability on the EC2 instance that could result in the compromise of the sensitive data. Due to other critical operations, the security engineer cannot immediately shut down the EC2 instance for vulnerability patching.
What is the FASTEST way to prevent the sensitive data from being exposed?

1. A. Download the data from the existing S3 bucket to a new EC2 instanc
2. B. Then delete the data from the S3 bucke
3. C. Re-encrypt the data with a client-based ke
4. D. Upload the data to a new S3 bucket.
5. E. Block access to the public range of S3 endpoint IP addresses by using a host-based firewal
6. F. Ensure that internet-bound traffic from the affected EC2 instance is routed through the host-based firewall.
7. G. Revoke the IAM role's active session permission
8. H. Update the S3 bucket policy to deny access to the IAM rol
9. I. Remove the IAM role from the EC2 instance profile.
10. J. Disable the current ke
11. K. Create a new KMS key that the IAM role does not have access to, and re-encrypt all the data with the new ke
12. L. Schedule the compromised key for deletion.

Correct Answer: D

A security engineer recently rotated the host keys for an Amazon EC2 instance. The security engineer is trying to access the EC2 instance by using the EC2 Instance. Connect feature. However, the security engineer receives an error (or failed host key validation. Before the rotation of the host keys EC2 Instance Connect worked correctly with this EC2 instance.
What should the security engineer do to resolve this error?

1. A. Import the key material into AWS Key Management Service (AWS KMS).
2. B. Manually upload the new host key to the AWS trusted host keys database.
3. C. Ensure that the AmazonSSMManagedInstanceCore policy is attached to the EC2 instance profile.
4. D. Create a new SSH key pair for the EC2 instance.

Correct Answer: B
To set up a CloudFront distribution for an S3 bucket that hosts a static website, and to allow only specified IP addresses to access the website, the following steps are required:
Create a CloudFront origin access identity (OAI), which is a special CloudFront user that you can associate with your distribution. An OAI allows you to restrict access to your S3 content by using signed URLs or signed cookies. For more information, see Using an origin access identity to restrict access to your Amazon S3 content.
Create the S3 bucket policy so that only the OAI has access. This will prevent users from accessing the website directly by using S3 URLs, as they will receive an Access Denied error. To do this, use the AWS Policy Generator to create a bucket policy that grants s3:GetObject permission to the OAI, and attach it to the S3 bucket. For more information, see Restricting access to Amazon S3 content by using an origin access identity.
Create an AWS WAF web ACL and add an IP set rule. AWS WAF is a web application firewall service that lets you control access to your web applications. An IP set is a condition that specifies a list of IP addresses or IP address ranges that requests originate from. You can use an IP set rule to allow or block
requests based on the IP addresses of the requesters. For more information, see Working with IP match conditions.
Associate the web ACL with the CloudFront distribution. This will ensure that the web ACL filters all requests for your website before they reach your origin. You can do this by using the AWS WAF console, API, or CLI. For more information, see Associating or disassociating a web ACL with a CloudFront distribution.
This solution will meet the requirements of allowing only specified IP addresses to access the website and preventing direct access by using S3 URLs.
The other options are incorrect because they either do not create a CloudFront distribution for the S3 bucket (A), do not use an OAI to restrict access to the S3 bucket ©, or do not use AWS WAF to block traffic from outside the specified IP addresses (D).
Verified References:
https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-ip-conditions.html