- (Exam Topic 2)
A Development team has asked for help configuring the IAM roles and policies in a new AWS account. The team using the account expects to have hundreds of master keys and therefore does not want to manage access control for customer master keys (CMKs).
Which of the following will allow the team to manage AWS KMS permissions in IAM without the complexity of editing individual key policies?

1. A. The account’s CMK key policy must allow the account’s IAM roles to perform KMS EnableKey.
2. B. Newly created CMKs must have a key policy that allows the root principal to perform all actions.
3. C. Newly created CMKs must allow the root principal to perform the kms CreateGrant API operation.
4. D. Newly created CMKs must mirror the IAM policy of the KMS key administrator.

Correct Answer: B
https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable

- (Exam Topic 1)
A company requires that SSH commands used to access its AWS instance be traceable to the user who executed each command.
How should a Security Engineer accomplish this?

1. A. Allow inbound access on port 22 at the security group attached to the instance Use AWS Systems Manager Session Manager for shell access to Amazon EC2 instances with the user tag defined Enable Amazon CloudWatch togging tor Systems Manager sessions
2. B. Use Amazon S3 to securely store one Privacy Enhanced Mail Certificate (PEM file) for each user Allow Amazon EC2 to read from Amazon S3 and import every user that wants to use SSH to access EC2 instances Allow inbound access on port 22 at the security group attached to the instance Install the Amazon CloudWatch agent on the EC2 instance and configure it to ingest audit logs for the instance
3. C. Deny inbound access on port 22 at the security group attached to the instance Use AWS Systems Manager Session Manager tor shell access to Amazon EC2 instances with the user tag defined Enable Amazon CloudWatch togging for Systems Manager sessions
4. D. Use Amazon S3 to securely store one Privacy Enhanced Mall Certificate (PEM fie) for each team or group Allow Amazon EC2 to read from Amazon S3 and import every user that wants to use SSH to access EC2 instances Allow inbound access on pod 22 at the security group attached to the instance Install the Amazon CloudWatch agent on the EC2 instance and configure it to ingest audit logs for the instance

Correct Answer: C

- (Exam Topic 3)
A company needs to encrypt all of its data stored in Amazon S3. The company wants to use AWS Key Management Service (AWS KMS) to create and manage its encryption keys. The company's security policies require the ability to Import the company's own key material for the keys, set an expiration date on the keys, and delete keys immediately, if needed.
How should a security engineer set up AWS KMS to meet these requirements?

1. A. Configure AWS KMS and use a custom key stor
2. B. Create a customer managed CMK with no key material Import the company's keys and key material into the CMK
3. C. Configure AWS KMS and use the default Key store Create an AWS managed CMK with no key material Import the company's key material into the CMK
4. D. Configure AWS KMS and use the default key store Create a customer managed CMK with no key material import the company's key material into the CMK
5. E. Configure AWS KMS and use a custom key stor
6. F. Create an AWS managed CMK with no key material.Import the company's key material into the CMK.

Correct Answer: A

- (Exam Topic 2)
An organization wants to be alerted when an unauthorized Amazon EC2 instance in its VPC performs a network port scan against other instances in the VPC. When the Security team performs its own internal tests in a separate account by using pre-approved third-party scanners from the AWS Marketplace, the Security team also then receives multiple Amazon GuardDuty events from Amazon CloudWatch alerting on its test activities.
How can the Security team suppress alerts about authorized security tests while still receiving alerts about the unauthorized activity?

1. A. Use a filter in AWS CloudTrail to exclude the IP addresses of the Security team’s EC2 instances.
2. B. Add the Elastic IP addresses of the Security team’s EC2 instances to a trusted IP list in Amazon GuardDuty.
3. C. Install the Amazon Inspector agent on the EC2 instances that the Security team uses.
4. D. Grant the Security team’s EC2 instances a role with permissions to call Amazon GuardDuty API operations.

Correct Answer: B
Trusted IP lists consist of IP addresses that you have whitelisted for secure communication with your AWS infrastructure and applications. GuardDuty does not generate findings for IP addresses on trusted IP lists. At any given time, you can have only one uploaded trusted IP list per AWS account per region. Threat lists consist of known malicious IP addresses. GuardDuty generates findings based on threat lists. At any given time, you can have up to six uploaded threat lists per AWS account per region. https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload_lists.html

- (Exam Topic 2)
A Security Administrator is restricting the capabilities of company root user accounts. The company uses AWS Organizations and has enabled it for all feature sets, including consolidated billing. The top-level account is used for billing and administrative purposes, not for operational AWS resource purposes.
How can the Administrator restrict usage of member root user accounts across the organization?

1. A. Disable the use of the root user account at the organizational roo
2. B. Enable multi-factor authentication of the root user account for each organizational member account.
3. C. Configure IAM user policies to restrict root account capabilities for each Organizations member account.
4. D. Create an organizational unit (OU) in Organizations with a service control policy that controls usage of the root use
5. E. Add all operational accounts to the new OU.
6. F. Configure AWS CloudTrail to integrate with Amazon CloudWatch Logs and then create a metric filter for RootAccountUsage.

Correct Answer: C
Applying a "Control Policy" in your organization. A policy applied to: 1) root applies to all accounts in the organization 2) OU applies to all accounts in the OU and to any child OUs 3) account applies to one account only Note- this requires that Acquirements: -all features are enabled for the organization in AWS Organizations -Only service control policy (SCP) are supported https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html