- (Exam Topic 3)
A corporation is preparing to acquire several companies. A Security Engineer must design a solution to ensure that newly acquired AWS accounts follow the corporation's security best practices. The solution should monitor each Amazon S3 bucket for unrestricted public write access and use AWS managed services.
What should the Security Engineer do to meet these requirements?

1. A. Configure Amazon Macie to continuously check the configuration of all S3 buckets.
2. B. Enable AWS Config to check the configuration of each S3 bucket.
3. C. Set up AWS Systems Manager to monitor S3 bucket policies for public write access.
4. D. Configure an Amazon EC2 instance to have an IAM role and a cron job that checks the status of all S3 buckets.

Correct Answer: C

- (Exam Topic 3)
A Security Engineer is troubleshooting an issue with a company's custom logging application. The application logs are written to an Amazon S3 bucket with event notifications enabled to send events lo an Amazon SNS topic. All logs are encrypted at rest using an AWS KMS CMK. The SNS topic is subscribed to an encrypted Amazon SQS queue. The logging application polls the queue for new messages that contain metadata about the S3 object. The application then reads the content of the object from the S3 bucket for indexing.
The Logging team reported that Amazon CloudWatch metrics for the number of messages sent or received is showing zero. No togs are being received.
What should the Security Engineer do to troubleshoot this issue?
A) Add the following statement to the AWS managed CMKs:

B)
Add the following statement to the CMK key policy:

C)
Add the following statement to the CMK key policy:

D)
Add the following statement to the CMK key policy:

1. A. Option A
2. B. Option B
3. C. Option C
4. D. Option D

Correct Answer: D

- (Exam Topic 3)
A company's AWS account consists of approximately 300 IAM users. Now there is a mandate that an access change is required for 100 IAM users to have unlimited privileges to S3.As a system administrator, how can you implement this effectively so that there is no need to apply the policy at the individual user level?
Please select:

1. A. Create a new role and add each user to the IAM role
2. B. Use the IAM groups and add users, based upon their role, to different groups and apply the policy to group
3. C. Create a policy and apply it to multiple users using a JSON script
4. D. Create an S3 bucket policy with unlimited access which includes each user's AWS account ID

Correct Answer: B
Option A is incorrect since you don't add a user to the IAM Role Option C is incorrect since you don't assign multiple users to a policy Option D is incorrect since this is not an ideal approach
An IAM group is used to collectively manage users who need the same set of permissions. By having groups, it becomes easier to manage permissions. So if you change the permissions on the group scale, it will affect all the users in that group
For more information on IAM Groups, just browse to the below URL: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_eroups.html
The correct answer is: Use the IAM groups and add users, based upon their role, to different groups and apply the policy to group
Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
A company maintains an open-source application that is hosted on a public GitHub repository. While creating a new commit to the repository, an engineer uploaded their AWS access key and secret access key. The engineer reported the mistake to a manager, and the manager immediately disabled the access key.
The company needs to assess the impact of the exposed access key. A security engineer must recommend a solution that requires the least possible managerial overhead.
Which solution meets these requirements?

1. A. Analyze an AWS Identity and Access Management (1AM) use report from AWS Trusted Advisor to see when the access key was last used.
2. B. Analyze Amazon CloudWatch Logs for activity by searching for the access key.
3. C. Analyze VPC flow logs for activity by searching for the access key
4. D. Analyze a credential report in AWS Identity and Access Management (1AM) to see when the access key was last used.

Correct Answer: A

- (Exam Topic 3)
A website currently runs on Amazon EC2, wan mostly statics content on the site. Recently the site was subjected to a DDoS attack a security engineer was (asked was redesigning the edge security to help
Mitigate this risk in the future.
What are some ways the engineer could achieve this (Select THREE)?

1. A. Use AWS X-Ray to inspect the trafc going to the EC2 instances.
2. B. Move the static content to Amazon S3, and front this with an Amazon Cloud Front distribution.
3. C. Change the security group conguration to block the source of the attack trafc
4. D. Use AWS WAF security rules to inspect the inbound trafc.
5. E. Use Amazon Inspector assessment templates to inspect the inbound traffic.
6. F. Use Amazon Route 53 to distribute trafc.

Correct Answer: BDF