A company wants to receive an email notification about critical findings in AWS Security Hub. The company does not have an existing architecture that supports this functionality.
Which solution will meet the requirement?

1. A. Create an AWS Lambda function to identify critical Security Hub finding
2. B. Create an Amazon Simple Notification Service (Amazon SNS) topic as the target of the Lambda functio
3. C. Subscribe an email endpoint to the SNS topic to receive published messages.
4. D. Create an Amazon Kinesis Data Firehose delivery strea
5. E. Integrate the delivery stream with Amazon EventBridg
6. F. Create an EventBridge rule that has a filter to detect critical Security Hub finding
7. G. Configure the delivery stream to send the findings to an email address.
8. H. Create an Amazon EventBridge rule to detect critical Security Hub finding
9. I. Create an Amazon Simple Notification Service (Amazon SNS) topic as the target of the EventBridge rul
10. J. Subscribe an email endpoint to the SNS topic to receive published messages.
11. K. Create an Amazon EventBridge rule to detect critical Security Hub finding
12. L. Create an Amazon Simple Email Service (Amazon SES) topic as the target of the EventBridge rul
13. M. Use the Amazon SES API to format the messag
14. N. Choose an email address to be the recipient of the message.

Correct Answer: C
This solution meets the requirement of receiving an email notification about critical findings in AWS Security Hub. Amazon EventBridge is a serverless event bus that can receive events from AWS services and third-party sources, and route them to targets based on rules and filters. Amazon SNS is a fully managed pub/sub service that can send messages to various endpoints, such as email, SMS, mobile push, and HTTP. By creating an EventBridge rule that detects critical Security Hub findings and sends them to an SNS topic, the company can leverage the existing integration between these services and avoid writing custom code or managing servers. By subscribing an email endpoint to the SNS topic, the company can receive published messages in their inbox.

A security engineer needs to implement a solution to create and control the keys that a company uses for cryptographic operations. The security engineer must create symmetric keys in which the key material is generated and used within a custom key store that is backed by an AWS CloudHSM cluster.
The security engineer will use symmetric and asymmetric data key pairs for local use within applications. The security engineer also must audit the use of the keys.
How can the security engineer meet these requirements?

1. A. To create the keys use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluste
2. B. For auditing, use Amazon Athena
3. C. To create the keys use Amazon S3 and the custom key stores with the CloudHSM cluste
4. D. For auditing use AWS CloudTrail.
5. E. To create the keys use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluste
6. F. For auditing, use Amazon GuardDuty.
7. G. To create the keys use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluste
8. H. For auditing, use AWS CloudTrail.

Correct Answer: D
AWS KMS supports asymmetric KMS keys that represent a mathematically related RSA, elliptic curve (ECC), or SM2 (China Regions only) public and private key pair. These key pairs are generated in AWS KMS hardware security modules certified under the FIPS 140-2 Cryptographic Module Validation Program, except in the China (Beijing) and China (Ningxia) Regions. The private key never leaves the AWS KMS HSMs unencrypted. https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html

Company A has an AWS account that is named Account A. Company A recently acquired Company B, which has an AWS account that is named Account B. Company B stores its files in an Amazon S3 bucket.
The administrators need to give a user from Account A full access to the S3 bucket in Account B.
After the administrators adjust the IAM permissions for the user in AccountA to access the S3 bucket in Account B, the user still cannot access any files in the S3 bucket.
Which solution will resolve this issue?

1. A. In Account B, create a bucket ACL to allow the user from Account A to access the S3 bucket in Account B.
2. B. In Account B, create an object ACL to allow the user from Account A to access all the objects in the S3 bucket in Account B.
3. C. In Account B, create a bucket policy to allow the user from Account A to access the S3 bucket in Account B.
4. D. In Account B, create a user policy to allow the user from Account A to access the S3 bucket in Account B.

Correct Answer: C
A bucket policy is a resource-based policy that defines permissions for a specific S3 bucket. It can be used to grant cross-account access to another AWS account or an IAM user or role in another account. A bucket policy can also specify which actions, resources, and conditions are allowed or denied.
A bucket ACL is an access control list that grants basic read or write permissions to predefined groups of users. It cannot be used to grant cross-account access to a specific IAM user or role in another account.
An object ACL is an access control list that grants basic read or write permissions to predefined groups of users for a specific object in an S3 bucket. It cannot be used to grant cross-account access to a specific IAM user or role in another account.
A user policy is an IAM policy that defines permissions for an IAM user or role in the same account. It cannot be used to grant cross-account access to another AWS account or an IAM user or role in another account.
For more information, see Provide cross-account access to objects in Amazon S3 buckets and Example 2: Bucket owner granting cross-account bucket permissions.

You need to create a policy and apply it for just an individual user. How could you accomplish this in the right way?
Please select:

1. A. Add an IAM managed policy for the user
2. B. Add a service policy for the user
3. C. Add an IAM role for the user
4. D. Add an inline policy for the user

Correct Answer: D
Options A and B are incorrect since you need to add an inline policy just for the user Option C is invalid because you don't assign an IAM role to a user
The IAM Documentation mentions the following
An inline policy is a policy that's embedded in a principal entity (a user, group, or role)—that is, the policy is an inherent part of the principal entity. You can create a policy and embed it in a principal entity, either when you create the principal entity or later.
For more information on IAM Access and Inline policies, just browse to the below URL: https://docs.IAM.amazon.com/IAM/latest/UserGuide/access
The correct answer is: Add an inline policy for the user Submit your Feedback/Queries to our Experts

A security engineer must troubleshoot an administrator's inability to make an existing Amazon S3 bucket public in an account that is part of an organization n IAM Organizations. The administrator switched the role from the master account to a member account and then attempted to make one S3 bucket public. This action was immediately denied
Which actions should the security engineer take to troubleshoot the permissions issue? (Select TWO.)

1. A. Review the cross-account role permissions and the S3 bucket policy Verify that the Amazon S3 block public access option in the member account is deactivated.
2. B. Review the role permissions m the master account and ensure it has sufficient privileges to perform S3 operations
3. C. Filter IAM CloudTrail logs for the master account to find the original deny event and update the cross-account role m the member account accordingly Verify that the Amazon S3 block public access option in the master account is deactivated.
4. D. Evaluate the SCPs covering the member account and the permissions boundary of the role in the member account for missing permissions and explicit denies.
5. E. Ensure the S3 bucket policy explicitly allows the s3 PutBucketPublicAccess action for the role m the member account

Correct Answer: DE
A is incorrect because reviewing the cross-account role permissions and the S3 bucket policy is not enough to troubleshoot the permissions issue. You also need to verify that the Amazon S3 block public access option in the member account is deactivated, as well as the permissions boundary and the SCPs of the role in the member account.
D is correct because evaluating the SCPs and the permissions boundary of the role in the member account can help you identify any missing permissions or explicit denies that could prevent the administrator from making the S3 bucket public.
E is correct because ensuring that the S3 bucket policy explicitly allows the s3 PutBucketPublicAccess action for the role in the member account can help you override any block public access settings that could prevent the administrator from making the S3 bucket public.