A security engineer is working with a company to design an ecommerce application. The application will run on Amazon EC2 instances that run in an Auto Scaling group behind an Application Load Balancer (ALB). The application will use an Amazon RDS DB instance for its database.
The only required connectivity from the internet is for HTTP and HTTPS traffic to the application. The application must communicate with an external payment provider that allows traffic only from a preconfigured allow list of IP addresses. The company must ensure that communications with the external payment provider are not interrupted as the environment scales.
Which combination of actions should the security engineer recommend to meet these requirements? (Select THREE.)

1. A. Deploy a NAT gateway in each private subnet for every Availability Zone that is in use.
2. B. Place the DB instance in a public subnet.
3. C. Place the DB instance in a private subnet.
4. D. Configure the Auto Scaling group to place the EC2 instances in a public subnet.
5. E. Configure the Auto Scaling group to place the EC2 instances in a private subnet.
6. F. Deploy the ALB in a private subnet.

Correct Answer: ACE

A security engineer needs to build a solution to turn IAM CloudTrail back on in multiple IAM Regions in case it is ever turned off.
What is the MOST efficient way to implement this solution?

1. A. Use IAM Config with a managed rule to trigger the IAM-EnableCloudTrail remediation.
2. B. Create an Amazon EventBridge (Amazon CloudWatch Events) event with a cloudtrail.amazonIAM.com event source and a StartLogging event name to trigger an IAM Lambda function to call the StartLogging API.
3. C. Create an Amazon CloudWatch alarm with a cloudtrail.amazonIAM.com event source and a StopLogging event name to trigger an IAM Lambda function to call the StartLogging API.
4. D. Monitor IAM Trusted Advisor to ensure CloudTrail logging is enabled.

Correct Answer: B

A company wants to ensure that its IAM resources can be launched only in the us-east-1 and us-west-2 Regions.
What is the MOST operationally efficient solution that will prevent developers from launching Amazon EC2 instances in other Regions?

1. A. Enable Amazon GuardDuty in all Region
2. B. Create alerts to detect unauthorized activity outside us-east-1 and us-west-2.
3. C. Use an organization in IAM Organization
4. D. Attach an SCP that allows all actions when the IAM: Requested Region condition key is either us-east-1 or us-west-2. Delete the FullIAMAccess policy.
5. E. Provision EC2 resources by using IAM Cloud Formation templates through IAM CodePipelin
6. F. Allow only the values of us-east-1 and us-west-2 in the IAM CloudFormation template's parameters.
7. G. Create an IAM Config rule to prevent unauthorized activity outside us-east-1 and us-west-2.

Correct Answer: C

Your company uses IAM to host its resources. They have the following requirements
1) Record all API calls and Transitions
2) Help in understanding what resources are there in the account
3) Facility to allow auditing credentials and logins
Which services would suffice the above requirements Please select:

1. A. IAM Inspector, CloudTrail, IAM Credential Reports
2. B. CloudTrai
3. C. IAM Credential Reports, IAM SNS
4. D. CloudTrail, IAM Config, IAM Credential Reports
5. E. IAM SQS, IAM Credential Reports, CloudTrail

Correct Answer: C
You can use IAM CloudTrail to get a history of IAM API calls and related events for your account. This history includes calls made with the IAM Management Console, IAM Command Line Interface, IAM SDKs, and other IAM services.
Options A,B and D are invalid because you need to ensure that you use the services of CloudTrail, IAM Config, IAM Credential Reports
For more information on Cloudtrail, please visit the below URL:
http://docs.IAM.amazon.com/IAMcloudtrail/latest/userguide/cloudtrail-user-guide.html
IAM Config is a service that enables you to assess, audit and evaluate the configurations of your IAM resources. Config continuously monitors and records your IAM resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. With Config, you can review changes in configurations and relationships between IAM resources, dive into detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines. This enables you to simplify compliance auditing, security analysis, char management and operational troubleshooting.
For more information on the config service, please visit the below URL https://IAM.amazon.com/config/
You can generate and download a credential report that lists all users in your account and the status of their various credentials, including passwords, access keys, and MFA devices. You can get a credential report from the IAM Management Console, the IAM SDKs and Command Line Tools, or the IAM API.
For more information on Credentials Report, please visit the below URL: http://docs.IAM.amazon.com/IAM/latest/UserGuide/id credentials_getting-report.html
The correct answer is: CloudTrail, IAM Config, IAM Credential Reports Submit your Feedback/Queries to our Experts

A company wants to monitor the deletion of AWS Key Management Service (AWS KMS) customer managed keys. A security engineer needs to create an alarm that will notify the company before a KMS key is deleted. The security engineer has configured the integration of AWS CloudTrail with Amazon CloudWatch.
What should the security engineer do next to meet these requirements?

1. A. Specify the deletion time of the key material during KMS key creatio
2. B. Create a custom AWS Config rule to assess the key's scheduleddeletio
3. C. Configure the rule to trigger upon a configuration chang
4. D. Send a message to an Amazon Simple Notification Service (Amazon SNS) topic if the key is scheduled for deletion.
5. E. Create an Amazon EventBridge rule to detect KMS API calls of DeleteAlia
6. F. Create an AWS Lambda function to send an Amazon Simple Notification Service (Amazon SNS) message to the compan
7. G. Add the Lambda function as the target of the EventBridge rule.
8. H. Create an Amazon EventBridge rule to detect KMS API calls of DisableKey and ScheduleKeyDeletion.Create an AWS Lambda function to send an Amazon Simple Notification Service (Amazon SNS) message to the compan
9. I. Add the Lambda function as the target of the EventBridge rule.
10. J. Create an Amazon Simple Notification Service (Amazon SNS) policy to detect KMS API calls of RevokeGrant and ScheduleKeyDeletion.Create an AWS Lambda function to generate the alarm and send the notification to the compan
11. K. Add the Lambda function as the target of the SNS policy.

Correct Answer: C
The AWS documentation states that you can create an Amazon EventBridge rule to detect KMS API calls of DisableKey and ScheduleKeyDeletion. You can then create an AWS Lambda function to send an Amazon Simple Notification Service (Amazon SNS) message to the company. You can add the Lambda function as the target of the EventBridge rule. This method will meet the requirements.
References: : AWS KMS Developer Guide