A company's security engineer is designing an isolation procedure for Amazon EC2 instances as part of an incident response plan. The security engineer needs to isolate a target instance to block any traffic to and from the target instance, except for traffic from the company's forensics team. Each of the company's EC2 instances has its own dedicated security group. The EC2 instances are deployed in subnets of a VPC. A subnet can contain multiple instances.
The security engineer is testing the procedure for EC2 isolation and opens an SSH session to the target instance. The procedure starts to simulate access to the target instance by an attacker. The security engineer removes the existing security group rules and adds security group rules to give the forensics team access to the target instance on port 22.
After these changes, the security engineer notices that the SSH connection is still active and usable. When the security engineer runs a ping command to the public IP address of the target instance, the ping command is blocked.
What should the security engineer do to isolate the target instance?

1. A. Add an inbound rule to the security group to allow traffic from 0.0.0.0/0 for all port
2. B. Add an outbound rule to the security group to allow traffic to 0.0.0.0/0 for all port
3. C. Then immediately delete these rules.
4. D. Remove the port 22 security group rul
5. E. Attach an instance role policy that allows AWS Systems Manager Session Manager connections so that the forensics team can access the target instance.
6. F. Create a network ACL that is associated with the target instance's subne
7. G. Add a rule at the top of the inbound rule set to deny all traffic from 0.0.0.0/0. Add a rule at the top of the outbound rule set to deny all traffic to 0.0.0.0/0.
8. H. Create an AWS Systems Manager document that adds a host-level firewall rule to block all inbound traffic and outbound traffi
9. I. Run the document on the target instance.

Correct Answer: C

A company's Security Engineer has been tasked with restricting a contractor's IAM account access to the company's Amazon EC2 console without providing access to any other AWS services. The contractor's IAM account must not be able to gain access to any other AWS service, even if the IAM account is assigned additional permissions based on IAM group membership.
What should the Security Engineer do to meet these requirements?

1. A. Create an Inline IAM user policy that allows for Amazon EC2 access for the contractor's IAM user.
2. B. Create an IAM permissions boundary policy that allows Amazon EC2 acces
3. C. Associate the contractor's IAM account with the IAM permissions boundary policy.
4. D. Create an IAM group with an attached policy that allows for Amazon EC2 acces
5. E. Associate the contractor's IAM account with the IAM group.
6. F. Create an IAM role that allows for EC2 and explicitly denies all other service
7. G. Instruct the contractor to always assume this role.

Correct Answer: B

A company has thousands of AWS Lambda functions. While reviewing the Lambda functions, a security engineer discovers that sensitive information is being stored in environment variables and is viewable as plaintext in the Lambda console. The values of the sensitive information are only a few characters long.
What is the MOST cost-effective way to address this security issue?

1. A. Set up IAM policies from the Lambda console to hide access to the environment variables.
2. B. Use AWS Step Functions to store the environment variable
3. C. Access the environment variables at runtim
4. D. Use IAM permissions to restrict access to the environment variables to only the Lambda functions that require access.
5. E. Store the environment variables in AWS Secrets Manager, and access them at runtim
6. F. Use IAM permissions to restrict access to the secrets to only the Lambda functions that require access.
7. G. Store the environment variables in AWS Systems Manager Parameter Store as secure string parameters, and access them at runtim
8. H. Use IAM permissions to restrict access to the parameters to only the Lambda functions that require access.

Correct Answer: D
Storing sensitive information in environment variables is not a secure practice, as anyone who has access to the Lambda console or the Lambda function code can view them as plaintext. To address this security issue, the security engineer needs to use a service that can store and encrypt the environment variables, and access them at runtime using IAM permissions. The most cost-effective way to do this is to use AWS Systems Manager Parameter Store, which is a service that provides secure, hierarchical storage for configuration data management and secrets management. Parameter Store allows you to store values as standard parameters (plaintext) or secure string parameters (encrypted). Secure string parameters use a AWS Key Management Service (AWS KMS) customer master key (CMK) to encrypt the parameter value. To access the parameter value at runtime, the Lambda function needs to have IAM permissions to decrypt the parameter using the KMS CMK.
The other options are incorrect because:
Option A is incorrect because setting up IAM policies from the Lambda console to hide access to the environment variables will not prevent someone who has access to the Lambda function code from viewing them as plaintext. IAM policies can only control who can perform actions on AWS resources, not what they can see in the code or the console.
Option B is incorrect because using AWS Step Functions to store the environment variables is not a secure or cost-effective solution. AWS Step Functions is a service that lets you coordinate multiple AWS services into serverless workflows. Step Functions does not provide any encryption or secrets management capabilities, and it will incur additional charges for each state transition in the workflow. Moreover, storing environment variables in Step Functions will make them visible in the execution history of the workflow, which can be accessed by anyone who has permission to view the Step Functions console or API.
Option C is incorrect because storing the environment variables in AWS Secrets Manager and accessing them at runtime is not a cost-effective solution. AWS Secrets Manager is a service that helps you protect secrets needed to access your applications, services, and IT resources. Secrets Manager enables you to rotate, manage, and retrieve secrets throughout their lifecycle. While Secrets Manager can securely store and encrypt environment variables using KMS CMKs, it will incur higher charges than Parameter Store for storing and retrieving secrets. Unless the security engineer needs the advanced features of Secrets Manager, such as automatic rotation of secrets or integration with other AWS services, Parameter Store is a cheaper and simpler option.

A corporation is preparing to acquire several companies. A Security Engineer must design a solution to ensure that newly acquired IAM accounts follow the corporation's security best practices. The solution should monitor each Amazon S3 bucket for unrestricted public write access and use IAM managed services.
What should the Security Engineer do to meet these requirements?

1. A. Configure Amazon Macie to continuously check the configuration of all S3 buckets.
2. B. Enable IAM Config to check the configuration of each S3 bucket.
3. C. Set up IAM Systems Manager to monitor S3 bucket policies for public write access.
4. D. Configure an Amazon EC2 instance to have an IAM role and a cron job that checks the status of all S3 buckets.

Correct Answer: C
because this is a solution that can monitor each S3 bucket for unrestricted public write access and use IAM managed services. S3 is a service that provides object storage in the cloud. Systems Manager is a service that helps you automate and manage your AWS resources. You can use Systems Manager to monitor S3 bucket policies for public write access by using a State Manager association that runs a predefined document called AWS-FindS3BucketWithPublicWriteAccess. This document checks each S3 bucket in an account and reports any bucket that has public write access enabled. The other options are either not suitable or not feasible for meeting the requirements.

A company needs a security engineer to implement a scalable solution for multi-account authentication and authorization. The solution should not introduce additional user-managed architectural components. Native IAM features should be used as much as possible The security engineer has set up IAM Organizations w1th all features activated and IAM SSO enabled.
Which additional steps should the security engineer take to complete the task?

1. A. Use AD Connector to create users and groups for all employees that require access to IAM accounts.Assign AD Connector groups to IAM accounts and link to the IAM roles in accordance with the employees‘job functions and access requirements Instruct employees to access IAM accounts by using the IAM Directory Service user portal.
2. B. Use an IAM SSO default directory to create users and groups for all employees that require access to IAM account
3. C. Assign groups to IAM accounts and link to permission sets in accordance with the employees‘job functions and access requirement
4. D. Instruct employees to access IAM accounts by using the IAM SSO user portal.
5. E. Use an IAM SSO default directory to create users and groups for all employees that require access to IAM account
6. F. Link IAM SSO groups to the IAM users present in all accounts to inherit existing permission
7. G. Instruct employees to access IAM accounts by using the IAM SSO user portal.
8. H. Use IAM Directory Service tor Microsoft Active Directory to create users and groups for all employees that require access to IAM accounts Enable IAM Management Console access in the created directory and specify IAM SSO as a source cl information tor integrated accounts and permission set
9. I. Instruct employees to access IAM accounts by using the IAM Directory Service user portal.

Correct Answer: B