A company uses a third-party application to store encrypted data in Amazon S3. The company uses another third-party application trial decrypts the data from Amazon S3 to ensure separation of duties Between the applications A Security Engineer warns to separate the permissions using IAM roles attached to Amazon EC2 instances. The company prefers to use native IAM services.
Which encryption method will meet these requirements?

1. A. Use encrypted Amazon EBS volumes with Amazon default keys (IAM EBS)
2. B. Use server-side encryption with customer-provided keys (SSE-C)
3. C. Use server-side encryption with IAM KMS managed keys (SSE-KMS)
4. D. Use server-side encryption with Amazon S3 managed keys (SSE-S3)

Correct Answer: C

A company has a group of Amazon EC2 instances in a single private subnet of a VPC with no internet gateway attached. A security engineer has installed the Amazon CloudWatch agent on all instances in that subnet to capture logs from a specific application. To ensure that the logs flow securely, the company's networking team has created VPC endpoints for CloudWatch monitoring and CloudWatch logs. The networking team has attached the endpoints to the VPC.
The application is generating logs. However, when the security engineer queries CloudWatch, the logs do not appear.
Which combination of steps should the security engineer take to troubleshoot this issue? (Choose three.)

1. A. Ensure that the EC2 instance profile that is attached to the EC2 instances has permissions to create log streams and write logs.
2. B. Create a metric filter on the logs so that they can be viewed in the AWS Management Console.
3. C. Check the CloudWatch agent configuration file on each EC2 instance to make sure that the CloudWatch agent is collecting the proper log files.
4. D. Check the VPC endpoint policies of both VPC endpoints to ensure that the EC2 instances have permissions to use them.
5. E. Create a NAT gateway in the subnet so that the EC2 instances can communicate with CloudWatch.
6. F. Ensure that the security groups allow all the EC2 instances to communicate with each other to aggregate logs before sending.

Correct Answer: ACD
The possible steps to troubleshoot this issue are:
A. Ensure that the EC2 instance profile that is attached to the EC2 instances has permissions to create log streams and write logs. This is a necessary step because the CloudWatch agent uses the credentials from the instance profile to communicate with CloudWatch1.
C. Check the CloudWatch agent configuration file on each EC2 instance to make sure that the CloudWatch agent is collecting the proper log files. This is a necessary step because the CloudWatch agent needs to know which log files to monitor and send to CloudWatch2.
D. Check the VPC endpoint policies of both VPC endpoints to ensure that the EC2 instances have permissions to use them. This is a necessary step because the VPC endpoint policies control which principals can access the AWS services through the endpoints3.
The other options are incorrect because:
B. Creating a metric filter on the logs is not a troubleshooting step, but a way to extract metric data from the logs. Metric filters do not affect the visibility of the logs in the AWS Management Console.
E. Creating a NAT gateway in the subnet is not a solution, because the EC2 instances do not need internet access to communicate with CloudWatch through the VPC endpoints. A NAT gateway would also incur additional costs.
F. Ensuring that the security groups allow all the EC2 instances to communicate with each other is not a necessary step, because the CloudWatch agent does not require log aggregation before sending. Each EC2 instance can send its own logs independently to CloudWatch.
References:
1: IAM Roles for Amazon EC2 2: CloudWatch Agent Configuration File: Logs Section 3: Using Amazon VPC Endpoints : Metric Filters : NAT Gateways : CloudWatch Agent Reference: Log Aggregation

A company recently had a security audit in which the auditors identified multiple potential threats. These potential threats can cause usage pattern changes such as DNS access peak, abnormal instance traffic, abnormal network interface traffic, and unusual Amazon S3 API calls. The threats can come from different sources and can occur at any time. The company needs to implement a solution to continuously monitor its system and identify all these incoming threats in near-real time.
Which solution will meet these requirements?

1. A. Enable AWS CloudTrail logs, VPC flow logs, and DNS log
2. B. Use Amazon CloudWatch Logs to manage these logs from a centralized account.
3. C. Enable AWS CloudTrail logs, VPC flow logs, and DNS log
4. D. Use Amazon Macie to monitor these logs from a centralized account.
5. E. Enable Amazon GuardDuty from a centralized accoun
6. F. Use GuardDuty to manage AWS CloudTrail logs, VPC flow logs, and DNS logs.
7. G. Enable Amazon Inspector from a centralized accoun
8. H. Use Amazon Inspector to manage AWS CloudTrail logs, VPC flow logs, and DNS logs.

Correct Answer: C
Q: Which data sources does GuardDuty analyze? GuardDuty analyzes CloudTrail management event logs, CloudTrail S3 data event logs, VPC Flow Logs, DNS query logs, and Amazon EKS audit logs. GuardDuty can also scan EBS volume data for possible malware when GuardDuty Malware Protection is enabled and identifies suspicious behavior indicative of malicious software in EC2 instance or container workloads. The service is optimized to consume large data volumes for near real-time processing of security detections. GuardDuty gives you access to built-in detection techniques developed and optimized for the cloud, which are maintained and continuously improved upon by GuardDuty engineering.

A company's security engineer wants to receive an email alert whenever Amazon GuardDuty, AWS Identity and Access Management Access Analyzer, or Amazon Made generate a high-severity security finding. The company uses AWS Control Tower to govern all of its accounts. The company also uses AWS Security Hub with all of the AWS service integrations turned on.
Which solution will meet these requirements with the LEAST operational overhead?

1. A. Set up separate AWS Lambda functions for GuardDuty, 1AM Access Analyzer, and Macie to call each service's public API to retrieve high-severity finding
2. B. Use Amazon Simple Notification Service (Amazon SNS) to send the email alert
3. C. Create an Amazon EventBridge rule to invoke the functions on a schedule.
4. D. Create an Amazon EventBridge rule with a pattern that matches Security Hub findings events with high severit
5. E. Configure the rule to send the findings to a target Amazon Simple Notification Service (Amazon SNS) topi
6. F. Subscribe the desired email addresses to the SNS topic.
7. G. Create an Amazon EventBridge rule with a pattern that matches AWS Control Tower events with high severit
8. H. Configure the rule to send the findings to a target Amazon Simple Notification Service (Amazon SNS) topi
9. I. Subscribe the desired email addresses to the SNS topic.
10. J. Host an application on Amazon EC2 to call the GuardDuty, 1AM Access Analyzer, and Macie APIs.Within the application, use the Amazon Simple Notification Service (Amazon SNS) API to retrieve high-severity findings and to send the findings to an SNS topi
11. K. Subscribe the desired email addresses to the SNS topic.

Correct Answer: B
The AWS documentation states that you can create an Amazon EventBridge rule with a pattern that matches Security Hub findings events with high severity. You can then configure the rule to send the findings to a target Amazon Simple Notification Service (Amazon SNS) topic. You can subscribe the desired email addresses to the SNS topic. This method is the least operational overhead way to meet the requirements.
References: : AWS Security Hub User Guide

A company's security engineer is developing an incident response plan to detect suspicious activity in an AWS account for VPC hosted resources. The security engineer needs to provide visibility for as many AWS Regions as possible.
Which combination of steps will meet these requirements MOST cost-effectively? (Select TWO.)

1. A. Turn on VPC Flow Logs for all VPCs in the account.
2. B. Activate Amazon GuardDuty across all AWS Regions.
3. C. Activate Amazon Detective across all AWS Regions.
4. D. Create an Amazon Simple Notification Service (Amazon SNS) topi
5. E. Create an Amazon EventBridge rule that responds to findings and publishes the find-ings to the SNS topic.
6. F. Create an AWS Lambda functio
7. G. Create an Amazon EventBridge rule that in-vokes the Lambda function to publish findings to Amazon Simple Email Ser-vice (Amazon SES).

Correct Answer: BD
To detect suspicious activity in an AWS account for VPC hosted resources, the security engineer needs to use a service that can monitor network traffic and API calls across all AWS Regions. Amazon GuardDuty is a threat detection service that can do this by analyzing VPC Flow Logs, AWS CloudTrail event logs, and DNS logs. By activating GuardDuty across all AWS Regions, the security engineer can provide visibility for as many regions as possible. GuardDuty generates findings that contain details about the potential threats detected in the account. To respond to these findings, the security engineer needs to create a mechanism that can notify the relevant stakeholders or take remedial actions. One way to do this is to use Amazon EventBridge, which is a serverless event bus service that can connect AWS services and third-party applications. By creating an EventBridge rule that responds to GuardDuty findings and publishes them to an Amazon Simple Notification Service (Amazon SNS) topic, the security engineer can enable subscribers of the topic to receive notifications via email, SMS, or other methods. This is a cost-effective solution that does not require any additional infrastructure or code.