A company became aware that one of its access keys was exposed on a code sharing website 11 days ago. A Security Engineer must review all use of the exposed access keys to determine the extent of the exposure. The company enabled IAM CloudTrail m an regions when it opened the account
Which of the following will allow (he Security Engineer 10 complete the task?

1. A. Filter the event history on the exposed access key in the CloudTrail console Examine the data from the past 11 days.
2. B. Use the IAM CLI lo generate an IAM credential report Extract all the data from the past 11 days.
3. C. Use Amazon Athena to query the CloudTrail logs from Amazon S3 Retrieve the rows for the exposed access key tor the past 11 days.
4. D. Use the Access Advisor tab in the IAM console to view all of the access key activity for the past 11 days.

Correct Answer: C
Amazon Athena is a service that enables you to analyze data in Amazon S3 using standard SQL1. You can use Athena to query the CloudTrail logs that are stored in S3 and filter them by the exposed access key and the date range2. The other options are not effective ways to review the use of the exposed access key.

A Security Engineer creates an Amazon S3 bucket policy that denies access to all users. A few days later, the Security Engineer adds an additional statement to the bucket policy to allow read-only access to one other employee. Even after updating the policy, the employee still receives an access denied message.
What is the likely cause of this access denial?

1. A. The ACL in the bucket needs to be updated
2. B. The IAM policy does not allow the user to access the bucket
3. C. It takes a few minutes for a bucket policy to take effect
4. D. The allow permission is being overridden by the deny

Correct Answer: D

Auditors for a health care company have mandated that all data volumes be encrypted at rest Infrastructure is deployed mainly via IAM CloudFormation however third-party frameworks and manual deployment are required on some legacy systems
What is the BEST way to monitor, on a recurring basis, whether all EBS volumes are encrypted?

1. A. On a recurring basis, update an IAM user policies to require that EC2 instances are created with an encrypted volume
2. B. Configure an IAM Config rule lo run on a recurring basis 'or volume encryption
3. C. Set up Amazon Inspector rules tor volume encryption to run on a recurring schedule
4. D. Use CloudWatch Logs to determine whether instances were created with an encrypted volume

Correct Answer: B
To support answer B, use the reference https://d1.IAMstatic.com/whitepapers/IAM-security-whitepaper.pdf "For example, IAM Config provides a managed IAM Config Rules to ensure that encryption is turned on for
all EBS volumes in your account."

During a manual review of system logs from an Amazon Linux EC2 instance, a Security Engineer noticed that there are sudo commands that were never properly alerted or reported on the Amazon CloudWatch Logs agent
Why were there no alerts on the sudo commands?

1. A. There is a security group blocking outbound port 80 traffic that is preventing the agent from sending the logs
2. B. The IAM instance profile on the EC2 instance was not properly configured to allow the CloudWatchLogs agent to push the logs to CloudWatch
3. C. CloudWatch Logs status is set to ON versus SECURE, which prevents it from pulling in OS security event logs
4. D. The VPC requires that all traffic go through a proxy, and the CloudWatch Logs agent does not support a proxy configuration.

Correct Answer: B
the reason why there were no alerts on the sudo commands. Sudo commands are commands that allow a user to execute commands as another user, usually the superuser or root. CloudWatch Logs agent is a software agent that can send log data from an EC2 instance to CloudWatch Logs, a service that monitors and stores log data. The CloudWatch Logs agent needs an IAM instance profile, which is a container for an IAM role that allows applications running on an EC2 instance to make API requests to AWS services. If the IAM instance profile on the EC2 instance was not properly configured to allow the CloudWatch Logs agent to push the logs to CloudWatch, then there would be no alerts on the sudo commands. The other options are either irrelevant or invalid for explaining why there were no alerts on the sudo commands.

A security engineer logs in to the AWS Lambda console with administrator permissions. The security engineer is trying to view logs in Amazon CloudWatch for a Lambda function that is named my Function.
When the security engineer chooses the option in the Lambda console to view logs in CloudWatch, an “error loading Log Streams" message appears.
The IAM policy for the Lambda function's execution role contains the following:

How should the security engineer correct the error?

1. A. Move the logs:CreateLogGroup action to the second Allow statement.
2. B. Add the logs:PutDestination action to the second Allow statement.
3. C. Add the logs:GetLogEvents action to the second Allow statement.
4. D. Add the logs:CreateLogStream action to the second Allow statement.

Correct Answer: D
CloudWatchLogsReadOnlyAccess doesn't include "logs:CreateLogStream" but it includes "logs:Get*" https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/iam-identity-based-access-control-cwl.html#:~:te