A company has recently recovered from a security incident that required the restoration of Amazon EC2 instances from snapshots.
After performing a gap analysis of its disaster recovery procedures and backup strategies, the company is concerned that, next time, it will not be able to recover the EC2 instances if the AWS account was compromised and Amazon EBS snapshots were deleted.
All EBS snapshots are encrypted using an AWS KMS CMK. Which solution would solve this problem?

1. A. Create a new Amazon S3 bucke
2. B. Use EBS lifecycle policies to move EBS snapshots to the new S3 bucke
3. C. Move snapshots to Amazon S3 Glacier using lifecycle policies, and apply Glacier Vault Lock policies to prevent deletion.
4. D. Use AWS Systems Manager to distribute a configuration that performs local backups of all attached disks to Amazon S3.
5. E. Create a new AWS account with limited privilege
6. F. Allow the new account to access the AWS KMS key used to encrypt the EBS snapshots, and copy the encrypted snapshots to the new account on a recurring basis.
7. G. Use AWS Backup to copy EBS snapshots to Amazon S3.

Correct Answer: C
This answer is correct because creating a new AWS account with limited privileges would provide an isolated and secure backup destination for the EBS snapshots. Allowing the new account to access the AWS KMS key used to encrypt the EBS snapshots would enable cross-account snapshot sharing without requiring re-encryption. Copying the encrypted snapshots to the new account on a recurring basis would ensure that the backups are up-to-date and consistent.

A security team is using Amazon EC2 Image Builder to build a hardened AMI with forensic capabilities. An AWS Key Management Service (AWS KMS) key will encrypt the forensic AMI EC2 Image Builder successfully installs the required patches and packages in the security team's AWS account. The security team uses a federated IAM role m the same AWS account to sign in to the AWS Management Console and attempts to launch the forensic AMI. The EC2 instance launches and immediately terminates.
What should the security learn do lo launch the EC2 instance successfully

1. A. Update the policy that is associated with the federated IAM role to allow the ec2. Describelmages action for the forensic AMI.
2. B. Update the policy that is associated with the federated IAM role to allow the ec2 Start Instances action m the security team's AWS account.
3. C. Update the policy that is associated with the KMS key that is used to encrypt the forensic AM
4. D. Configure the policy to allow the km
5. E. Encrypt and kms Decrypt actions for the federated IAM role.
6. F. Update the policy that is associated with the federated IAM role to allow the km
7. G. DescribeKey action for the KMS key that is used to encrypt the forensic AMI.

Correct Answer: C
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/troubleshooting-launch.html#troubleshooting-launch-i

A security engineer needs to develop a process to investigate and respond to po-tential security events on a company's Amazon EC2 instances. All the EC2 in-stances are backed by Amazon Elastic Block Store (Amazon EBS). The company uses AWS Systems Manager to manage all the EC2 instances and has installed Systems Manager Agent (SSM Agent) on all the EC2 instances.
The process that the security engineer is developing must comply with AWS secu-rity best practices and must meet the following requirements:
• A compromised EC2 instance's volatile memory and non-volatile memory must be preserved for forensic purposes.
• A compromised EC2 instance's metadata must be updated with corresponding inci-dent ticket information.
• A compromised EC2 instance must remain online during the investigation but must be isolated to prevent the spread of malware.
• Any investigative activity during the collection of volatile data must be cap-tured as part of the process. Which combination of steps should the security engineer take to meet these re-quirements with the LEAST
operational overhead? (Select THREE.)

1. A. Gather any relevant metadata for the compromised EC2 instanc
2. B. Enable ter-mination protectio
3. C. Isolate the instance by updating the instance's secu-rity groups to restrict acces
4. D. Detach the instance from anyAuto Scaling groups that the instance is a member o
5. E. Deregister the instance from any Elastic Load Balancing (ELB) resources.
6. F. Gather any relevant metadata for the compromised EC2 instanc
7. G. Enable ter-mination protectio
8. H. Move the instance to an isolation subnet that denies all source and destination traffi
9. I. Associate the instance with the subnet to restrict acces
10. J. Detach the instance from any Auto Scaling groups that the instance is a member o
11. K. Deregister the instance from any Elastic Load Balancing (ELB) resources.
12. L. Use Systems Manager Run Command to invoke scripts that collect volatile data.
13. M. Establish a Linux SSH or Windows Remote Desktop Protocol (RDP) session to the compromised EC2 instance to invoke scripts that collect volatile data.
14. N. Create a snapshot of the compromised EC2 instance's EBS volume for follow-up investigation
15. O. Tag the instance with any relevant metadata and inci-dent ticket information.
16. P. Create a Systems Manager State Manager association to generate an EBS vol-ume snapshot of the compromised EC2 instanc
17. Q. Tag the instance with any relevant metadata and incident ticket information.

Correct Answer: ACE

While securing the connection between a company's VPC and its on-premises data center, a Security Engineer sent a ping command from an on-premises host
(IP address 203.0.113.12) to an Amazon EC2 instance (IP address 172.31.16.139).
The ping command did not return a response. The flow log in the VPC showed the following:
2 123456789010 eni-1235b8ca 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK
2 123456789010 eni-1235b8ca 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK
What action should be performed to allow the ping to work?

1. A. In the security group of the EC2 instance, allow inbound ICMP traffic.
2. B. In the security group of the EC2 instance, allow outbound ICMP traffic.
3. C. In the VPC's NACL, allow inbound ICMP traffic.
4. D. In the VPC's NACL, allow outbound ICMP traffic.

Correct Answer: D

A developer signed in to a new account within an IAM Organization organizational unit (OU) containing multiple accounts. Access to the Amazon $3 service is restricted with the following SCP.

How can the security engineer provide the developer with Amazon $3 access without affecting other account?

1. A. Move the SCP to the root OU of organization to remove the restriction to access Amazon $3.
2. B. Add an IAM policy for the developer, which grants $3 access.
3. C. Create a new OU without applying the SCP restricting $3 acces
4. D. Move the developer account to this new OU.
5. E. Add an allow list for the developer account for the $3 service.

Correct Answer: C