- (Exam Topic 2)
You want to get a list of vulnerabilities for an EC2 Instance as per the guidelines set by the Center of Internet Security. How can you go about doing this?
Please select:

1. A. Enable AWS Guard Duty for the Instance
2. B. Use AWS Trusted Advisor
3. C. Use AWS inspector
4. D. UseAWSMacie

Correct Answer: C
The AWS Inspector service can inspect EC2 Instances based on specific Rules. One of the rules packages is based on the guidelines set by the Center of Internet Security
Center for Internet security (CIS) Benchmarks
The CIS Security Benchmarks program provides well-defined, un-biased and consensus-based industry best practices to help organizations assess and improve their security. Amazon Web Services is a CIS Security Benchmarks Member company and the list of Amazon Inspector certifications can be viewed nere.
Option A is invalid because this can be used to protect an instance but not give the list of vulnerabilities Options B and D are invalid because these services cannot give a list of vulnerabilities For more information
on the guidelines, please visit the below URL:
* https://docs.aws.amazon.com/inspector/latest/userguide/inspector_cis.html The correct answer is: Use AWS Inspector
Submit your Feedback/Queries to our Experts

- (Exam Topic 1)
Unapproved changes were previously made to a company's Amazon S3 bucket. A security engineer configured AWS Config to record configuration changes made to the company's S3 buckets. The engineer discovers there are S3 configuration changes being made, but no Amazon SNS notifications are being sent. The engineer has already checked the configuration of the SNS topic and has confirmed the configuration is valid.
Which combination of steps should the security engineer take to resolve the issue? (Select TWO.)

1. A. Configure the S3 bucket ACLs to allow AWS Config to record changes to the buckets.
2. B. Configure policies attached to S3 buckets to allow AWS Config to record changes to the buckets.
3. C. Attach the AmazonS3ReadOnryAccess managed policy to the IAM user.
4. D. Verify the security engineer's IAM user has an attached policy that allows all AWS Config actions.
5. E. Assign the AWSConfigRole managed policy to the AWS Config role

Correct Answer: BE

- (Exam Topic 2)
A company has a customer master key (CMK) with imported key materials. Company policy requires that all encryption keys must be rotated every year.
What can be done to implement the above policy?

1. A. Enable automatic key rotation annually for the CMK.
2. B. Use AWS Command Line Interface to create an AWS Lambda function to rotate the existing CMK annually.
3. C. Import new key material to the existing CMK and manually rotate the CMK.
4. D. Create a new CMK, import new key material to it, and point the key alias to the new CMK.

Correct Answer: D
https://docs.aws.amazon.com/en_pv/kms/latest/developerguide/rotate-keys.html#rotate-keys-manually
"You might prefer to rotate keys manually so you can control the rotation frequency. It's also a good solution for CMKs that are not eligible for automatic key rotation, such as asymmetric CMKs, CMKs in custom key stores and CMKs with imported key material. Because the new CMK is a different resource from the current CMK, it has a different key ID and ARN. When you change CMKs, you need to update references to the CMK ID or ARN in your applications. Aliases, which associate a friendly name with a CMK, make this process easier. Use an alias to refer to a CMK in your applications. Then, when you want to change the CMK that the application uses, change the target CMK of the alias. To update the target CMK of an alias, use UpdateAlias operation in the AWS KMS API. "

- (Exam Topic 3)
You have a requirement to serve up private content using the keys available with Cloudfront. How can this be achieved?
Please select:

1. A. Add the keys to the backend distribution.
2. B. Add the keys to the S3 bucket
3. C. Create pre-signed URL's
4. D. Use AWS Access keys

Correct Answer: C
Option A and B are invalid because you will not add keys to either the backend distribution or the S3 bucket. Option D is invalid because this is used for programmatic access to AWS resources
You can use Cloudfront key pairs to create a trusted pre-signed URL which can be distributed to users Specifying the AWS Accounts That Can Create Signed URLs and Signed Cookies (Trusted Signers) Topics
• Creating CloudFront Key Pairs for Your Trusted Signers
• Reformatting the CloudFront Private Key (.NET and Java Only)
• Adding Trusted Signers to Your Distribution
• Verifying that Trusted Signers Are Active (Optional) 1 Rotating CloudFront Key Pairs
To create signed URLs or signed cookies, you need at least one AWS account that has an active CloudFront key pair. This accou is known as a trusted signer. The trusted signer has two purposes:
• As soon as you add the AWS account ID for your trusted signer to your distribution, CloudFront starts to require that users us signed URLs or signed cookies to access your objects.
' When you create signed URLs or signed cookies, you use the private key from the trusted signer's key pair to sign a portion of the URL or the cookie. When someone requests a restricted object CloudFront compares the signed portion of the URL or cookie with the unsigned portion to verify that the URL or cookie hasn't been tampered with. CloudFront also verifies that the URL or cookie is valid, meaning, for example, that the expiration date and time hasn't passed.
For more information on Cloudfront private trusted content please visit the following URL:
• https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-s The correct answer is: Create pre-signed URL's Submit your Feedback/Queries to our Experts

- (Exam Topic 2)
A Security Engineer has been asked to create an automated process to disable IAM user access keys that are more than three months old.
Which of the following options should the Security Engineer use?

1. A. In the AWS Console, choose the IAM service and select “Users”. Review the “Access Key Age” column.
2. B. Define an IAM policy that denies access if the key age is more than three months and apply to all users.
3. C. Write a script that uses the GenerateCredentialReport, GetCredentialReport, and UpdateAccessKey APIs.
4. D. Create an Amazon CloudWatch alarm to detect aged access keys and use an AWS Lambda function to disable the keys older than 90 days.

Correct Answer: C
https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateAccessKey.html https://docs.aws.amazon.com/IAM/latest/APIReference/API_GenerateCredentialReport.html https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetCredentialReport.html