- (Exam Topic 3)
Your development team is using access keys to develop an application that has access to S3 and DynamoDB. A new security policy has outlined that the credentials should not be older than 2 months, and should be rotated. How can you achieve this?
Please select:

1. A. Use the application to rotate the keys in every 2 months via the SDK
2. B. Use a script to query the creation date of the key
3. C. If older than 2 months, create new access key and update all applications to use it inactivate the old key and delete it.
4. D. Delete the user associated with the keys after every 2 month
5. E. Then recreate the user again.
6. F. Delete the IAM Role associated with the keys after every 2 month
7. G. Then recreate the IAM Role again.

Correct Answer: B
One can use the CLI command list-access-keys to get the access keys. This command also returns the "CreateDate" of the keys. If the CreateDate is older than 2 months, then the keys can be deleted.
The Returns list-access-keys CLI command returns information about the access key IDs associated with the specified IAM user. If there are none, the action returns an empty list
Option A is incorrect because you might as use a script for such maintenance activities Option C is incorrect because you would not rotate the users themselves
Option D is incorrect because you don't use IAM roles for such a purpose For more information on the CLI command, please refer to the below Link: http://docs.aws.amazon.com/cli/latest/reference/iam/list-access-keys.htmll
The correct answer is: Use a script to query the creation date of the keys. If older than 2 months, create new access key and update all applications to use it inactivate the old key and delete it.
Submit your Feedback/Queries to our Experts

- (Exam Topic 3)
Your developer is using the KMS service and an assigned key in their Java program. They get the below error when running the code arn:aws:iam::113745388712:user/UserB is not authorized to perform: kms:DescribeKey Which of the following could help resolve the issue?
Please select:

1. A. Ensure that UserB is given the right IAM role to access the key
2. B. Ensure that UserB is given the right permissions in the IAM policy
3. C. Ensure that UserB is given the right permissions in the Key policy
4. D. Ensure that UserB is given the right permissions in the Bucket policy

Correct Answer: C
You need to ensure that UserB is given access via the Key policy for the Key C:\Users\wk\Desktop\mudassar\Untitled.jpg

Option is invalid because you don't assign roles to IAM users
For more information on Key policies please visit the below Link: https://docs.aws.amazon.com/kms/latest/developerguide/key-poli
The correct answer is: Ensure that UserB is given the right permissions in the Key policy

- (Exam Topic 2)
An application has been written that publishes custom metrics to Amazon CloudWatch. Recently, IAM changes have been made on the account and the metrics are no longer being reported.
Which of the following is the LEAST permissive solution that will allow the metrics to be delivered?

1. A. Add a statement to the IAM policy used by the application to allow logs:putLogEvents and logs:createLogStream
2. B. Modify the IAM role used by the application by adding the CloudWatchFullAccess managed policy.
3. C. Add a statement to the IAM policy used by the application to allow cloudwatch:putMetricData.
4. D. Add a trust relationship to the IAM role used by the application for cloudwatch.amazonaws.com.

Correct Answer: C
https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/permissions-reference-cw.html

- (Exam Topic 3)
In your LAMP application, you have some developers that say they would like access to your logs. However, since you are using an AWS Auto Scaling group, your instances are constantly being re-created. What would you do to make sure that these developers can access these log files? Choose the correct answer from the options below
Please select:

1. A. Give only the necessary access to the Apache servers so that the developers can gain access to the log files.
2. B. Give root access to your Apache servers to the developers.
3. C. Give read-only access to your developers to the Apache servers.
4. D. Set up a central logging server that you can use to archive your logs; archive these logs to an S3 bucket for developer-access.

Correct Answer: D
One important security aspect is to never give access to actual servers, hence Option A.B and C are just totally wrong from a security perspective.
The best option is to have a central logging server that can be used to archive logs. These logs can then be stored in S3.
Options A,B and C are all invalid because you should not give access to the developers on the Apache se For more information on S3, please refer to the below link
https://aws.amazon.com/documentation/s3j
The correct answer is: Set up a central logging server that you can use to archive your logs; archive these logs to an S3 bucket for developer-access.
Submit vour Feedback/Queries to our Experts

- (Exam Topic 2)
A Security Engineer is working with the development team to design a supply chain application that stores sensitive inventory data in an Amazon S3 bucket. The application will use an AWS KMS customer master key (CMK) to encrypt the data on Amazon S3. The inventory data on Amazon S3 will be shared of vendors. All vendors will use AWS principals from their own AWS accounts to access the data on Amazon S3. The vendor list may change weekly, and the solution must support cross-account access.
What is the MOST efficient way to manage access control for the KMS CMK7?

1. A. Use KMS grants to manage key acces
2. B. Programmatically create and revoke grants to manage vendor access.
3. C. Use an IAM role to manage key acces
4. D. Programmatically update the IAM role policies to manage vendor access.
5. E. Use KMS key policies to manage key acces
6. F. Programmatically update the KMS key policies to manage vendor access.
7. G. Use delegated access across AWS accounts by using IAM roles to manage key access.Programmatically update the IAM trust policy to manage cross-account vendor access.

Correct Answer: A