A company is developing an ecommerce application. The application uses Amazon EC2 instances and an Amazon RDS MySQL database. For compliance reasons, data must be secured in transit and at rest. The company needs a solution that minimizes operational overhead and minimizes cost.
Which solution meets these requirements?

1. A. Use TLS certificates from AWS Certificate Manager (ACM) with an Application Load Balancer.Deploy self-signed certificates on the EC2 instance
2. B. Ensure that the database client software uses a TLS connection to Amazon RD
3. C. Enable encryption of the RDS DB instanc
4. D. Enable encryption on the Amazon Elastic Block Store (Amazon EBS) volumes that support the EC2 instances.
5. E. Use TLS certificates from a third-party vendor with an Application Load Balance
6. F. Install the same certificates on the EC2 instance
7. G. Ensure that the database client software uses a TLS connection to Amazon RD
8. H. Use AWS Secrets Manager for client-side encryption of application data.
9. I. Use AWS CloudHSM to generate TLS certificates for the EC2 instance
10. J. Install the TLS certificates on the EC2 instance
11. K. Ensure that the database client software uses a TLS connection to Amazon RD
12. L. Use the encryption keys form CloudHSM for client-side encryption of application data.
13. M. Use Amazon CloudFront with AWS WA
14. N. Send HTTP connections to the origin EC2 instance
15. O. Ensure that the database client software uses a TLS connection to Amazon RD
16. P. Use AWS Key Management Service (AWS KMS) for client-side encryption of application data before the data is stored in the RDS database.

Correct Answer: A

A company uses AWS Organizations to manage a small number of AWS accounts. However, the company plans to add 1 000 more accounts soon. The company allows only a centralized security team to create IAM roles for all AWS accounts and teams. Application teams submit requests for IAM roles to the security team. The security team has a backlog of IAM role requests and cannot review and provision the IAM roles quickly.
The security team must create a process that will allow application teams to provision their own IAM roles. The process must also limit the scope of IAM roles and prevent privilege escalation.
Which solution will meet these requirements with the LEAST operational overhead?

1. A. Create an IAM group for each application tea
2. B. Associate policies with each IAM grou
3. C. Provision IAM users for each application team membe
4. D. Add the new IAM users to the appropriate IAM group by using role-based access control (RBAC).
5. E. Delegate application team leads to provision IAM rotes for each tea
6. F. Conduct a quarterly review of the IAM rotes the team leads have provisione
7. G. Ensure that the application team leads have the appropriate training to review IAM roles.
8. H. Put each AWS account in its own O
9. I. Add an SCP to each OU to grant access to only the AWS services that the teams plan to us
10. J. Include conditions tn the AWS account of each team.
11. K. Create an SCP and a permissions boundary for IAM role
12. L. Add the SCP to the root OU so that only roles that have the permissions boundary attached can create any new IAM roles.

Correct Answer: D
To create a process that will allow application teams to provision their own IAM roles, while limiting the scope of IAM roles and preventing privilege escalation, the following steps are required:
Create a service control policy (SCP) that defines the maximum permissions that can be granted to any IAM role in the organization. An SCP is a type of policy that you can use with AWS Organizations to manage permissions for all accounts in your organization. SCPs restrict permissions for entities in member accounts, including each AWS account root user, IAM users, and roles. For more information, see Service control policies overview.
Create a permissions boundary for IAM roles that matches the SCP. A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity. A permissions boundary allows an entity to perform only the actions
that are allowed by both its identity-based policies and its permissions boundaries. For more information, see Permissions boundaries for IAM entities.
Add the SCP to the root organizational unit (OU) so that it applies to all accounts in the organization.
This will ensure that no IAM role can exceed the permissions defined by the SCP, regardless of how it is created or modified.
Instruct the application teams to attach the permissions boundary to any IAM role they create. This will prevent them from creating IAM roles that can escalate their own privileges or access resources they are not authorized to access.
This solution will meet the requirements with the least operational overhead, as it leverages AWS Organizations and IAM features to delegate and limit IAM role creation without requiring manual reviews or approvals.
The other options are incorrect because they either do not allow application teams to provision their own IAM roles (A), do not limit the scope of IAM roles or prevent privilege escalation (B), or do not take advantage of managed services whenever possible ©.
Verified References:
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html

A systems engineer deployed containers from several custom-built images that an application team provided through a QA workflow The systems engineer used Amazon Elastic Container Service (Amazon ECS) with the Fargate launch type as the target platform The system engineer now needs to collect logs from all containers into an existing Amazon CloudWatch log group
Which solution will meet this requirement?

1. A. Turn on the awslogs log driver by specifying parameters for awslogs-group and awslogs-region m the LogConfiguration property
2. B. Download and configure the CloudWatch agent on the container instances
3. C. Set up Fluent Bit and FluentO as a DaemonSet to send logs to Amazon CloudWatch Logs
4. D. Configure an 1AM policy that includes the togs CreateLogGroup action Assign the policy to the container instances

Correct Answer: A
The AWS documentation states that you can use the awslogs log driver to send log information to CloudWatch Logs. To use this method, you specify the parameters for awslogs-group and awslogs-region in the LogConfiguration property of the container definition. This method is the easiest way to send logs to CloudWatch Logs.
References: : Amazon Elastic Container Service Developer Guide

A company uses AWS Organizations. The company wants to implement short-term cre-dentials for third-party AWS accounts to use to access accounts within the com-pany's organization. Access is for the AWS Management Console and third-party software-as-a-service (SaaS) applications. Trust must be enhanced to prevent two external accounts from using the same credentials. The solution must require the least possible operational effort.
Which solution will meet these requirements?

1. A. Use a bearer token authentication with OAuth or SAML to manage and share a central Amazon Cognito user pool across multiple Amazon API Gateway APIs.
2. B. Implement AWS IAM Identity Center (AWS Single Sign-On), and use an identi-ty source of choice.Grant access to users and groups from other accounts by using permission sets that are assigned by account.
3. C. Create a unique IAM role for each external accoun
4. D. Create a trust polic
5. E. Use AWS Secrets Manager to create a random external key.
6. F. Create a unique IAM role for each external accoun
7. G. Create a trust policy that includes a condition that uses the sts:Externalld condition key.

Correct Answer: D
The correct answer is D.
To implement short-term credentials for third-party AWS accounts, you can use IAM roles and trust policies. A trust policy is a JSON policy document that defines who can assume the role. You can specify the AWS account ID of the third-party account as a principal in the trust policy, and use the sts:ExternalId condition key to enhance the security of the role. The sts:ExternalId condition key is a unique identifier that is agreed upon by both parties and included in the AssumeRole request. This way, you can prevent the “confused deputy” problem, where an unauthorized party can use the same role as a legitimate party.
Option A is incorrect because bearer token authentication with OAuth or SAML is not suitable for granting access to AWS accounts and resources. Amazon Cognito and API Gateway are used for building web and mobile applications that require user authentication and authorization.
Option B is incorrect because AWS IAM Identity Center (AWS Single Sign-On) is a service that simplifies the management of access to multiple AWS accounts and cloud applications for your workforce users. It does not support granting access to third-party AWS accounts.
Option C is incorrect because using AWS Secrets Manager to create a random external key is not necessary and adds operational complexity. You can use the sts:ExternalId condition key instead to provide a unique identifier for each external account.

A security team is using Amazon EC2 Image Builder to build a hardened AMI with forensic capabilities. An AWS Key Management Service (AWS KMS) key will encrypt the forensic AMI EC2 Image Builder successfully installs the required patches and packages in the security team's AWS account. The security team uses a federated IAM role m the same AWS account to sign in to the AWS Management Console and attempts to launch the forensic AMI. The EC2 instance launches and immediately terminates.
What should the security learn do lo launch the EC2 instance successfully

1. A. Update the policy that is associated with the federated IAM role to allow the ec2. Describelmages action for the forensic AMI.
2. B. Update the policy that is associated with the federated IAM role to allow the ec2 Start Instances action m the security team's AWS account.
3. C. Update the policy that is associated with the KMS key that is used to encrypt the forensic AM
4. D. Configure the policy to allow the km
5. E. Encrypt and kms Decrypt actions for the federated IAM role.
6. F. Update the policy that is associated with the federated IAM role to allow the km
7. G. DescribeKey action for the KMS key that is used to encrypt the forensic AMI.

Correct Answer: C
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/troubleshooting-launch.html#troubleshooting-launch-i