- (Exam Topic 3)
Your company has many AWS accounts defined and all are managed via AWS Organizations. One AWS account has a S3 bucket that has critical data. How can we ensure that all the users in the AWS organisation have access to this bucket?
Please select:

1. A. Ensure the bucket policy has a condition which involves aws:PrincipalOrglD
2. B. Ensure the bucket policy has a condition which involves aws:AccountNumber
3. C. Ensure the bucket policy has a condition which involves aws:PrincipaliD
4. D. Ensure the bucket policy has a condition which involves aws:OrglD

Correct Answer: A
The AWS Documentation mentions the following
AWS Identity and Access Management (IAM) now makes it easier for you to control access to your AWS resources by using the AWS organization of IAM principals (users and roles). For some services, you grant permissions using resource-based policies to specify the accounts and principals that can access the resource and what actions they can perform on it. Now, you can use a new condition key, aws:PrincipalOrglD, in these policies to require all principals accessing the resource to be from an account in the organization
Option B.C and D are invalid because the condition in the bucket policy has to mention aws:PrincipalOrglD For more information on controlling access via Organizations, please refer to the below Link:
https://aws.amazon.com/blogs/security/control-access-to-aws-resources-by-usins-the-aws-organization-of-iam-p (
The correct answer is: Ensure the bucket policy has a condition which involves aws:PrincipalOrglD Submit your Feedback/Queries to our Experts

- (Exam Topic 1)
A company is running an application on Amazon EC2 instances in an Auto Scaling group. The application stores logs locally A security engineer noticed that logs were lost after a scale-in event. The security engineer needs to recommend a solution to ensure the durability and availability of log data All logs must be kept for a minimum of 1 year for auditing purposes
What should the security engineer recommend?

1. A. Within the Auto Scaling lifecycle, add a hook to create and attach an Amazon Elastic Block Store (Amazon EBS) log volume each time an EC2 instance is create
2. B. When the instance is terminated, the EBS volume can be reattached to another instance for log review.
3. C. Create an Amazon Elastic File System (Amazon EFS) file system and add a command in the user data section of the Auto Scaling launch template to mount the EFS file system during EC2 instance creation Configure a process on the instance to copy the logs once a day from an instance Amazon Elastic Block Store (Amazon EBS) volume to a directory in the EFS file system.
4. D. Build the Amazon CloudWatch agent into the AMI used in the Auto Scaling grou
5. E. Configure the CloudWatch agent to send the logs to Amazon CloudWatch Logs for review.
6. F. Within the Auto Scaling lifecycle, add a lifecycle hook at the terminating state transition and alert the engineering team by using a lifecycle notification to Amazon Simple Notification Service (Amazon SNS). Configure the hook to remain in the Terminating:Wait state for 1 hour to allow manual review of the security logs prior to instance termination.

Correct Answer: B

- (Exam Topic 3)
Your developer is using the KMS service and an assigned key in their Java program. They get the below error when running the code arn:aws:iam::113745388712:user/UserB is not authorized to perform: kms:DescribeKey Which of the following could help resolve the issue?
Please select:

1. A. Ensure that UserB is given the right IAM role to access the key
2. B. Ensure that UserB is given the right permissions in the IAM policy
3. C. Ensure that UserB is given the right permissions in the Key policy
4. D. Ensure that UserB is given the right permissions in the Bucket policy

Correct Answer: C
You need to ensure that UserB is given access via the Key policy for the Key C:\Users\wk\Desktop\mudassar\Untitled.jpg

Option is invalid because you don't assign roles to IAM users
For more information on Key policies please visit the below Link: https://docs.aws.amazon.com/kms/latest/developerguide/key-poli
The correct answer is: Ensure that UserB is given the right permissions in the Key policy

- (Exam Topic 2)
A Security Engineer received an AWS Abuse Notice listing EC2 instance IDs that are reportedly abusing other hosts.
Which action should the Engineer take based on this situation? (Choose three.)

1. A. Use AWS Artifact to capture an exact image of the state of each instance.
2. B. Create EBS Snapshots of each of the volumes attached to the compromised instances.
3. C. Capture a memory dump.
4. D. Log in to each instance with administrative credentials to restart the instance.
5. E. Revoke all network ingress and egress except for to/from a forensics workstation.
6. F. Run Auto Recovery for Amazon EC2.

Correct Answer: BEF

- (Exam Topic 2)
AWS CloudTrail is being used to monitor API calls in an organization. An audit revealed that CloudTrail is failing to deliver events to Amazon S3 as expected.
What initial actions should be taken to allow delivery of CloudTrail events to S3? (Select two.)

1. A. Verify that the S3 bucket policy allow CloudTrail to write objects.
2. B. Verify that the IAM role used by CloudTrail has access to write to Amazon CloudWatch Logs.
3. C. Remove any lifecycle policies on the S3 bucket that are archiving objects to Amazon Glacier.
4. D. Verify that the S3 bucket defined in CloudTrail exists.
5. E. Verify that the log file prefix defined in CloudTrail exists in the S3 bucket.

Correct Answer: BD
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html