- (Exam Topic 2)
The Accounting department at Example Corp. has made a decision to hire a third-party firm, AnyCompany, to monitor Example Corp.'s AWS account to help optimize costs.
The Security Engineer for Example Corp. has been tasked with providing AnyCompany with access to the required Example Corp. AWS resources. The Engineer has created an IAM role and granted permission to AnyCompany's AWS account to assume this role.
When customers contact AnyCompany, they provide their role ARN for validation. The Engineer is concerned that one of AnyCompany's other customers might deduce Example Corp.'s role ARN and potentially compromise the company's account.
What steps should the Engineer perform to prevent this outcome?

1. A. Create an IAM user and generate a set of long-term credential
2. B. Provide the credentials to AnyCompany.Monitor access in IAM access advisor and plan to rotate credentials on a recurring basis.
3. C. Request an external ID from AnyCompany and add a condition with sts:Externald to the role's trust policy.
4. D. Require two-factor authentication by adding a condition to the role's trust policy with aws:MultiFactorAuthPresent.
5. E. Request an IP range from AnyCompany and add a condition with aws:SourceIp to the role's trust policy.

Correct Answer: B

- (Exam Topic 3)
An Application team has requested a new AWS KMS master key for use with Amazon S3, but the organizational security policy requires separate master keys for different AWS services to limit blast radius.
How can an AWS KMS customer master key (CMK) be constrained to work with only Amazon S3?

1. A. Configure the CMK key policy to allow only the Amazon S3 service to use the kms Encrypt action
2. B. Configure the CMK key policy to allow AWS KMS actions only when the kms ViaService condition matches the Amazon S3 service name.
3. C. Configure the IAM user's policy lo allow KMS to pass a rote lo Amazon S3
4. D. Configure the IAM user's policy to allow only Amazon S3 operations when they are combined with the CMK

Correct Answer: B

- (Exam Topic 3)
Auditors tor a health care company have mandated mat all data volumes be encrypted at rest Infrastructure is deployed mainly via AWS CloudFormation however third-party frameworks and manual deployment are required on some legacy systems
What is the BEST way to monitor, on a recurring basis, whether all EBS volumes are encrypted?

1. A. On a recurring basis, update an IAM user policies to require that EC2 instances are created with an encrypted volume
2. B. Configure an AWS Config rule lo run on a recurring basis 'or volume encryption
3. C. Set up Amazon Inspector rules tor volume encryption to run on a recurring schedule
4. D. Use CloudWatch Logs to determine whether instances were created with an encrypted volume

Correct Answer: A

- (Exam Topic 1)
A company is setting up products to deploy in AWS Service Catalog. Management is concerned that when users launch products, elevated IAM privileges will be required to create resources. How should the company mitigate this concern?

1. A. Add a template constraint to each product in the portfolio.
2. B. Add a launch constraint to each product in the portfolio.
3. C. Define resource update constraints for each product in the portfolio.
4. D. Update the AWS CloudFormalion template backing the product to include a service role configuration.

Correct Answer: C

- (Exam Topic 3)
Your company has defined a set of S3 buckets in AWS. They need to monitor the S3 buckets and know the source IP address and the person who make requests to the S3 bucket. How can this be achieved?
Please select:

1. A. Enable VPC flow logs to know the source IP addresses
2. B. Monitor the S3 API calls by using Cloudtrail logging
3. C. Monitor the S3 API calls by using Cloudwatch logging
4. D. Enable AWS Inspector for the S3 bucket

Correct Answer: B
The AWS Documentation mentions the following
Amazon S3 is integrated with AWS CloudTrail. CloudTrail is a service that captures specific API calls made to Amazon S3 from your AWS account and delivers the log files to an Amazon S3 bucket that you specify. It captures API calls made from the Amazon S3 console or from the Amazon S3 API.
Using the information collected by CloudTrail, you can determine what request was made to Amazon S3, the source IP address from which the request was made, who made the request when it was made, and so on Options A,C and D are invalid because these services cannot be used to get the source IP address of the calls to S3 buckets
For more information on Cloudtrail logging, please refer to the below Link: https://docs.aws.amazon.com/AmazonS3/latest/dev/cloudtrail-logeins.htmll
The correct answer is: Monitor the S3 API calls by using Cloudtrail logging Submit your Feedback/Queries to our Experts