- (Exam Topic 2)
A Security Administrator is configuring an Amazon S3 bucket and must meet the following security requirements:
Encryption in transit
Encryption at rest
Logging of all object retrievals in AWS CloudTrail
Which of the following meet these security requirements? (Choose three.)

1. A. Specify “aws:SecureTransport”: “true” within a condition in the S3 bucket policy.
2. B. Enable a security group for the S3 bucket that allows port 443, but not port 80.
3. C. Set up default encryption for the S3 bucket.
4. D. Enable Amazon CloudWatch Logs for the AWS account.
5. E. Enable API logging of data events for all S3 objects.
6. F. Enable S3 object versioning for the S3 bucket.

Correct Answer: ACE

- (Exam Topic 2)
A company has a forensic logging use case whereby several hundred applications running on Docker on EC2 need to send logs to a central location. The Security Engineer must create a logging solution that is able to perform real-time analytics on the log files, grants the ability to replay events, and persists data.
Which AWS Services, together, can satisfy this use case? (Select two.)

1. A. Amazon Elasticsearch
2. B. Amazon Kinesis
3. C. Amazon SQS
4. D. Amazon CloudWatch
5. E. Amazon Athena

Correct Answer: AB
https://docs.aws.amazon.com/whitepapers/latest/aws-overview/analytics.html#amazon-athena

- (Exam Topic 3)
A developer signed in to a new account within an AWS Organization organizational unit (OU) containing multiple accounts. Access to the Amazon $3 service is restricted with the following SCP.

How can the security engineer provide the developer with Amazon $3 access without affecting other account?

1. A. Move the SCP to the root OU of organization to remove the restriction to access Amazon $3.
2. B. Add an IAM policy for the developer, which grants $3 access.
3. C. Create a new OU without applying the SCP restricting $3 acces
4. D. Move the developer account to this new OU.
5. E. Add an allow list for the developer account for the $3 service.

Correct Answer: C

- (Exam Topic 1)
A security engineer is responsible for providing secure access to AWS resources for thousands of developer in a company’s corporate identity provider (idp). The developers access a set of AWS services from the corporate premises using IAM credential. Due to the velum of require for provisioning new IAM users, it is taking a long time to grant access permissions. The security engineer receives reports that developer are sharing their IAM credentials with others to avoid provisioning delays. The causes concern about overall security for the security engineer.
Which actions will meet the program requirements that address security?

1. A. Create an Amazon CloudWatch alarm for AWS CloudTrail Events Create a metric filter to send a notification when me same set of IAM credentials is used by multiple developer
2. B. Create a federation between AWS and the existing corporate IdP Leverage IAM roles to provide federated access to AWS resources
3. C. Create a VPN tunnel between the corporate premises and the VPC Allow permissions to all AWS services only if it originates from corporate premises.
4. D. Create multiple IAM rotes for each IAM user Ensure that users who use the same IAM credentials cannot assume the same IAM role at the same time.

Correct Answer: B

- (Exam Topic 2)
A company plans to migrate a sensitive dataset to Amazon S3. A Security Engineer must ensure that the data is encrypted at rest. The encryption solution must enable the company to generate its own keys without needing to manage key storage or the encryption process.
What should the Security Engineer use to accomplish this?

1. A. Server-side encryption with Amazon S3-managed keys (SSE-S3)
2. B. Server-side encryption with AWS KMS-managed keys (SSE-KMS)
3. C. Server-side encryption with customer-provided keys (SSE-C)
4. D. Client-side encryption with an AWS KMS-managed CMK

Correct Answer: B
Reference https://aws.amazon.com/s3/faqs/