A company has multiple AWS accounts. The company uses AWS IAM Identity Center (AWS Single
Sign-On) that is integrated with AWS Toolkit for Microsoft Azure DevOps. The attributes for access control feature is enabled in IAM Identity Center.
The attribute mapping list contains two entries. The department key is mapped to
${path:enterprise.department}. The costCenter key is mapped to ${path:enterprise.costCenter}.
All existing Amazon EC2 instances have a department tag that corresponds to three company departments (d1, d2, d3). A DevOps engineer must create policies based on the matching attributes. The policies must minimize administrative effort and must grant each Azure AD user access to only the EC2 instances that are tagged with the user’s respective department name.
Which condition key should the DevOps engineer include in the custom permissions policies to meet these requirements?

1. A.
2. B.
3. C.
4. D.

Correct Answer: C
https://docs.aws.amazon.com/singlesignon/latest/userguide/configure-abac.html

A company has multiple accounts in an organization in AWS Organizations. The company's SecOps team needs to receive an Amazon Simple Notification Service (Amazon SNS) notification if any account in the organization turns off the Block Public Access feature on an Amazon S3 bucket. A DevOps engineer must implement this change without affecting the operation of any AWS accounts. The implementation must ensure that individual member accounts in the organization cannot turn off the notification.
Which solution will meet these requirements?

1. A. Designate an account to be the delegated Amazon GuardDuty administrator accoun
2. B. Turn on GuardDuty for all accounts across the organizatio
3. C. In the GuardDuty administrator account, create an SNS topi
4. D. Subscribe the SecOps team's email address to the SNS topi
5. E. In the same account, create an Amazon EventBridge rule that uses an event pattern for GuardDuty findings and a target of the SNS topic.
6. F. Create an AWS CloudFormation template that creates an SNS topic and subscribes the SecOps team’s email address to the SNS topi
7. G. In the template, include an Amazon EventBridge rule that uses an event pattern of CloudTrail activity for s3:PutBucketPublicAccessBlock and a target of the SNS topi
8. H. Deploy the stack to every account in the organization by using CloudFormation StackSets.
9. I. Turn on AWS Config across the organizatio
10. J. In the delegated administrator account, create an SNS topi
11. K. Subscribe the SecOps team's email address to the SNS topi
12. L. Deploy a conformance pack that uses the s3-bucket-level-public-access-prohibited AWS Config managed rule in each account and uses an AWS Systems Manager document to publish an event to the SNS topic to notify the SecOps team.
13. M. Turn on Amazon Inspector across the organizatio
14. N. In the Amazon Inspector delegated administrator account, create an SNS topi
15. O. Subscribe the SecOps team’s email address to the SNS topi
16. P. In the same account, create an Amazon EventBridge rule that uses an event pattern for public network exposure of the S3 bucket and publishes an event to the SNS topic to notify the SecOps team.

Correct Answer: C
Amazon GuardDuty is primarily on threat detection and response, not configuration monitoring A conformance pack is a collection of AWS Config rules and remediation actions that can be easily deployed as a single entity in an account and a Region or across an organization in AWS Organizations. https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html
https://docs.aws.amazon.com/config/latest/developerguide/s3-account-level-public-access-blocks.html

A company recently created a new AWS Control Tower landing zone in a new organization in AWS Organizations. The landing zone must be able to demonstrate compliance with the Center tor Internet Security (CIS) Benchmarks tor AWS Foundations.
The company's security team wants to use AWS Security Hub to view compliance across all accounts Only the security team can be allowed to view aggregated Security Hub Findings. In addition specific users must be able to view findings from their own accounts within the organization All accounts must be enrolled m Security Hub after the accounts are created.
Which combination of steps will meet these requirements in the MOST automated way? (Select THREE.)

1. A. Turn on trusted access for Security Hub in the organization's management accoun
2. B. Create a new security account by using AWS Control Tower Configure the new security account as the delegated administrator account for Security Hu
3. C. In the new security account provid
4. D. Security Hub with the CIS Benchmarks for AWS Foundations standards.
5. E. Turn on trusted access for Security Hub in the organ ration's management accoun
6. F. From the management account, provide Security Hub with the CIS Benchmarks for AWS Foundations standards.
7. G. Create an AWS IAM identity Center (AWS Single Sign-On) permission set that includes the required permissions Use the CreateAccountAssignment API operation to associate the security team users with the permission set and with the delegated security account.
8. H. Create an SCP that explicitly denies any user who is not on the security team from accessing Security Hub.
9. I. In Security Hub, turn on automatic enablement.
10. J. In the organization's management account create an Amazon EventBridge rule that reacts to the CreateManagedAccount event Create an AWS Lambda function that uses the Security Hub CreateMembers API operation to add new accounts to Security Hu
11. K. Configure the EventBridge rule to invoke the Lambda function.

Correct Answer: ACE
https://docs.aws.amazon.com/securityhub/latest/userguide/accounts-orgs-auto-enable.html

An ecommerce company has chosen AWS to host its new platform. The company's DevOps team has started building an AWS Control Tower landing zone. The DevOps team has set the identity store within AWS IAM Identity Center (AWS Single Sign-On) to external identity provider (IdP) and has configured SAML 2.0.
The DevOps team wants a robust permission model that applies the principle of least privilege. The model must allow the team to build and manage only the team's own resources.
Which combination of steps will meet these requirements? (Choose three.)

1. A. Create IAM policies that include the required permission
2. B. Include the aws:PrincipalTag condition key.
3. C. Create permission set
4. D. Attach an inline policy that includes the required permissions and uses the aws:PrincipalTag condition key to scope the permissions.
5. E. Create a group in the Id
6. F. Place users in the grou
7. G. Assign the group to accounts and the permission sets in IAM Identity Center.
8. H. Create a group in the Id
9. I. Place users in the grou
10. J. Assign the group to OUs and IAM policies.
11. K. Enable attributes for access control in IAM Identity Cente
12. L. Apply tags to user
13. M. Map the tags as key-value pairs.
14. N. Enable attributes for access control in IAM Identity Cente
15. O. Map attributes from the IdP as key-value pairs.

Correct Answer: BCF
Using the principalTag in the Permission Set inline policy a logged in user belonging to a specific AD group in the IDP can be permitted access to perform operations on certain resources if their group matches the group used in the PrincipleTag. Basically you are narrowing the scope of privileges assigned via Permission policies conditionally based on whether the logged in user belongs to a specific AD Group in IDP. The mapping of the AD group to the request attributes can be done using SSO attributes where we can pass other attributes like the SAML token as well.
https://docs.aws.amazon.com/singlesignon/latest/userguide/abac.html

A business has an application that consists of five independent AWS Lambda functions.
The DevOps engineer has built a CI/CD pipeline using AWS CodePipeline and AWS CodeBuild that builds tests packages and deploys each Lambda function in sequence. The pipeline uses an Amazon EventBridge rule to ensure the pipeline starts as quickly as possible after a change is made to the application source code.
After working with the pipeline for a few months the DevOps engineer has noticed the pipeline takes too long to complete.
What should the DevOps engineer implement to BEST improve the speed of the pipeline?

1. A. Modify the CodeBuild projects within the pipeline to use a compute type with more available networkthroughput.
2. B. Create a custom CodeBuild execution environment that includes a symmetric multiprocessing configuration to run the builds in parallel.
3. C. Modify the CodePipeline configuration to run actions for each Lambda function in parallel by specifying the same runorder.
4. D. Modify each CodeBuild protect to run within a VPC and use dedicated instances to increase throughput.

Correct Answer: C
https://docs.aws.amazon.com/codepipeline/latest/userguide/reference-pipeline-structure.html
AWS doc: "To specify parallel actions, use the same integer for each action you want to run in parallel. For example, if you want three actions to run in sequence in a stage, you would give the first action the runOrder value of 1, the second action the runOrder value of 2, and the third the runOrder value of 3. However, if you want the second and third actions to run in parallel, you would give the first action the runOrder value of 1 and both the second and third actions the runOrder value of 2."